diff --git a/.gitignore b/.gitignore
index 33b954c..b593a85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,38 +1 @@
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc
-.terraform.lock.hcl
-*.tfbackend
-
 .vault_password
diff --git a/ansible.cfg b/ansible.cfg
index 5f42fc7..b598c64 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,4 +1,5 @@
 [defaults]
+# (pathspec) Colon separated paths in which Ansible will search for Roles.
 roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 inventory=inventory
 vault_password_file=util/secret-service-client.sh
diff --git a/data/main.tf b/data/main.tf
deleted file mode 100644
index 1961de5..0000000
--- a/data/main.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-terraform {
- backend "pg" {
- schema_name = "max-data"
- conn_str = "postgres://terraform@10.42.0.1/terraform_state"
- }
-
- required_providers {
- libvirt = {
- source = "dmacvicar/libvirt"
- }
- }
-}
-
-provider "libvirt" {
- uri = "qemu+ssh://root@atlas.lan/system"
-}
-
-resource "libvirt_volume" "data" {
- name = "max-data"
- pool = "data"
- size = 1024 * 1024 * 1024 * 65
-
- lifecycle {
- prevent_destroy = true
- }
-}
-
-output "data_disk_id" {
- value = libvirt_volume.data.id
-}
diff --git a/inventory/host_vars/max.yml b/inventory/host_vars/max.yml
index 55ff4c3..11aa49f 100644
--- a/inventory/host_vars/max.yml
+++ b/inventory/host_vars/max.yml
@@ -1,4 +1,4 @@
-base_data_dir: /mnt/data
+base_data_dir: /data
 base_service_dir: /srv
 
 # Additional open ports
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index bf163f0..b0f8f06 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -1,5 +1,7 @@
 all:
- hosts:
- max:
- ansible_user: root
- ansible_host: max.dmz
+ children:
+ homeserver:
+ hosts:
+ max:
+ ansible_user: root
+ ansible_host: max.dmz
diff --git a/main.tf b/main.tf
deleted file mode 100644
index a4f49fb..0000000
--- a/main.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-terraform {
- backend "pg" {
- schema_name = "max"
- conn_str = "postgres://terraform@10.42.0.1/terraform_state"
- }
-
- required_providers {
- libvirt = {
- source = "dmacvicar/libvirt"
- }
- }
-}
-
-provider "libvirt" {
- uri = "qemu+ssh://root@atlas.lan/system"
-}
-
-module "tf-datatest" {
- source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
- name = "max"
- domain_name = "tf-max"
- data_disk = "/kvm/data/max-data"
- #ansible_command = "ansible-playbook max.yml"
- memory = 1024 * 8
- mac = "CA:FE:C0:FF:EE:03"
-}
diff --git a/max.yml b/max.yml
index a17d2e2..bf406dd 100644
--- a/max.yml
+++ b/max.yml
@@ -1,26 +1,7 @@
 - name: Setup homeserver
- hosts: max
- gather_facts: no
-
- pre_tasks:
- - name: Wait for host to come up
- wait_for:
- state: started
- port: 22
- host: max.dmz
- timeout: 300
- connect_timeout: 300
- search_regex: OpenSSH
- delegate_to: localhost
- - name: Wait for cloud-init to finish
- shell:
- cmd: "cloud-init status --wait"
- register: cloudinit
- changed_when: "'..' in cloudinit.stdout"
- - name: Gather facts
- setup:
-
+ hosts: homeserver
 roles:
+ - {role: 'ssh', tags: 'ssh'}
 - {role: 'watchtower', tags: 'watchtower'}
 - {role: 'forgejo', tags: 'forgejo'}
 - {role: 'syncthing', tags: 'syncthing'}
@@ -30,7 +11,7 @@
 - {role: 'mastodon', tags: 'mastodon'}
 - {role: 'seafile', tags: 'seafile'}
 - {role: 'jitsi', tags: 'jitsi'}
- # - {role: 'freshrss', tags: 'freshrss'}
+ - {role: 'freshrss', tags: 'freshrss'}
 - {role: 'static', tags: 'static'}
 - {role: 'inbucket', tags: 'inbucket'}
 - {role: 'prometheus', tags: 'prometheus'}
diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf
new file mode 100644
index 0000000..cf23f28
--- /dev/null
+++ b/roles/common/files/resolv.conf
@@ -0,0 +1,5 @@
+nameserver 192.168.30.7
+nameserver 192.168.30.1
+nameserver 1.1.1.1
+nameserver 1.0.0.1
+search lan
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index b8f79d0..c32e911 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -9,9 +9,13 @@
 file:
 path: "{{ base_service_dir }}"
 state: directory
-- name: Delete externally managed environment file
- shell:
- cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
- register: rm
- changed_when: "rm.rc == 0"
- failed_when: "false"
+- name: Disable systemd-resolved
+ systemd:
+ name: systemd-resolved
+ enabled: false
+ state: stopped
+- name: Copy resolv.conf
+ copy:
+ src: "{{ role_path }}/files/resolv.conf"
+ dest: /etc/resolv.conf
+ follow: true
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 7b7b88b..3acc420 100644
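Review bot: The new resolv.conf puts the public resolvers 1.1.1.1 and 1.0.0.1 behind the two LAN ones together with `search lan`, and the libc resolver normally only moves to the next `nameserver` when the previous one times out, so whenever 192.168.30.7 and 192.168.30.1 are unreachable every lookup, including the `.lan`-suffixed internal names, is sent off-network to the public servers and fails there instead of degrading locally. If the public entries are meant purely as a fallback for external names, state that in the file, e.g. `# LAN resolvers first; the public ones are only reached when both time out`; if internal names must never leave the network, drop them. The file is copied verbatim to every host in the group, so a one-line comment saying what each address is would also help the next reader.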
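Review bot: The `Copy resolv.conf` task sets `follow: true`, so if `/etc/resolv.conf` is the symlink into `/run/systemd/resolve/` that systemd-resolved installs by default, the copy is written through the link into tmpfs and disappears at the next reboot, leaving a dangling link and no DNS now that resolved is stopped and disabled. Remove the `follow: true` line (with the default the module should replace the link with a regular file) and, to make that unambiguous, precede the copy with `- name: Remove resolv.conf symlink` / `file:` / `path: /etc/resolv.conf` / `state: absent` (plus `when: ... is link` if you want it idempotent on hosts that already have a plain file). The `Disable systemd-resolved` task stops and disables the unit but does not set `masked: true`, so a package upgrade or a dependent unit can start it again and re-take port 53; if you add `masked: true`, a short comment like `# masked so an upgrade cannot re-enable it` explains why.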
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -12,7 +12,7 @@
 keyring: /etc/apt/keyrings/docker.gpg
 - name: Add Docker repository
 apt_repository:
- repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+ repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
 register: apt_repository
 - name: Update APT cache
 apt:
diff --git a/roles/radicale/files/radicale.conf b/roles/radicale/files/radicale.conf
index eb9df16..360d314 100644
--- a/roles/radicale/files/radicale.conf
+++ b/roles/radicale/files/radicale.conf
@@ -9,7 +9,7 @@ stock = utf-8
 [auth]
 realm = Radicale - Password Required
 type = htpasswd
-htpasswd_filename = /config/users
+htpasswd_filename = /radicale/users
 htpasswd_encryption = md5
 
 [rights]
diff --git a/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml
index 5ac19d6..48afa89 100644
--- a/roles/radicale/tasks/main.yml
+++ b/roles/radicale/tasks/main.yml
@@ -13,7 +13,7 @@
 - name: Copy radicale.conf
 copy:
 src: "{{ role_path }}/files/radicale.conf"
- dest: "{{ service_dir }}/config/config"
+ dest: "{{ service_dir }}/config/radicale.conf"
 - name: Copy users file
 copy:
 src: "{{ role_path }}/files/users"
diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2
index 70e0b29..e8a51fd 100644
--- a/roles/radicale/templates/docker-compose.yml.j2
+++ b/roles/radicale/templates/docker-compose.yml.j2
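Review bot: The `repo:` line now hard-codes `linux/ubuntu` where it hard-coded `linux/debian` before, while the release name next to it already comes from facts, so the next host-family change will silently point at the wrong channel again; `https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable` derives both parts from the same source. The key download that produces the `keyring:` context line sits above this hunk and is out of view — if it fetches the GPG key from a distro-specific URL it should use the same pattern so repo and key cannot drift apart. Both depend on fact gathering, which max.yml now gets implicitly after `gather_facts: no` was dropped; worth a short comment on the task so nobody reintroduces it.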
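Review bot: `htpasswd_encryption = md5` is unchanged context, but the users file it names now lives at `/radicale/users` inside a config directory that the new compose file mounts read-write, so the credential store is being reshuffled anyway and this is the moment to stop using apr1-md5 hashes. Radicale's own documentation recommends `bcrypt` for the htpasswd backend; regenerate `users` with bcrypt and set `htpasswd_encryption = bcrypt`, provided the new `mailu/radicale:1.9` image ships the bcrypt module (not visible here, so check first). The `[rights]` section that follows is outside the hunk.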
@@ -1,28 +1,18 @@
-version: '3.7'
+version: '3'
+
+networks:
+ traefik:
+ external: true
 
 services:
 radicale:
- image: tomsquest/docker-radicale
+ restart: always
+ image: mailu/radicale:1.9
 container_name: radicale
- init: true
- read_only: true
- security_opt:
- - no-new-privileges:true
- cap_drop:
- - ALL
- cap_add:
- - SETUID
- - SETGID
- - CHOWN
- - KILL
- healthcheck:
- test: curl -f http://127.0.0.1:5232 || exit 1
- interval: 30s
- retries: 3
- restart: unless-stopped
 volumes:
 - {{ data_dir }}:/data
- - {{ service_dir }}/config:/config:ro
+ - {{ service_dir }}/config:/radicale
+ command: radicale -S -C /radicale/radicale.conf
 networks:
 - traefik
 labels:
@@ -33,7 +23,3 @@ services:
 - traefik.http.routers.radicale.tls.certresolver=letsencrypt
 - traefik.http.routers.radicale.service=radicale
 - traefik.http.services.radicale.loadbalancer.server.port=5232
-
-networks:
- traefik:
- external: true
diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml
index 912dd02..8838234 100644
--- a/roles/static/vars/main.yml
+++ b/roles/static/vars/main.yml
@@ -1,3 +1,3 @@
 service_name: static
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: "http://git.pim.kunis.nl/pim/static.git"
+git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git"
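Review bot: Switching to `mailu/radicale:1.9` also drops every hardening line the old service carried — `read_only`, `no-new-privileges`, `cap_drop: ALL`, `init` and the healthcheck — and the config mount goes from `:ro` to read-write, while nothing in the hunk shows the new image needs any of that. That directory holds `radicale.conf` and the htpasswd `users` file, so keep the mount `:ro` and re-add at least `security_opt` and `cap_drop` as below; the old `cap_add` list was tailored to the previous entrypoint and may or may not apply to this image, and `read_only: true` is worth re-testing with a `tmpfs:` entry for whatever it writes. The healthcheck can come back once it is known whether the image has curl, and `1.9` is a floating tag, so a digest or full patch tag would make Watchtower updates deliberate rather than implicit.
```yaml
services:
  radicale:
    restart: always
    image: mailu/radicale:1.9
    container_name: radicale
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    volumes:
      - {{ data_dir }}:/data
      - {{ service_dir }}/config:/radicale:ro
    command: radicale -S -C /radicale/radicale.conf
    # … unchanged: networks, labels …
```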
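Review bot: `git_origin` now expands `internal_forgejo_port`, a variable this role does not define, so the static role only resolves it when whatever does define it — presumably the forgejo role's vars, which Ansible keeps in play scope after that role has run — was loaded first; max.yml's roles list happens to order forgejo before static, but nothing enforces that and a tag-limited run (`--tags static`) would hit an undefined variable. Either move the port to group or host vars, or declare the dependency in `roles/static/meta/main.yml`, and in the meantime document it above the line: `# internal_forgejo_port comes from the forgejo role; static must run after forgejo in max.yml`. The URL is plain http, which is fine only because it is loopback — a comment to that effect keeps someone from pointing it at a remote Forgejo unchanged.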