From 74a4de161563e3007777b19771438eec22f0ff18 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 12 Apr 2023 21:26:46 +0000
Subject: [PATCH 1/2] virtualize (#3)
Reviewed-on: https://git.pim.kunis.nl/home/max/pulls/3
---
 .gitignore | 37 ++++++++++++++++++++++++++++++++++
 ansible.cfg | 1 -
 data/main.tf | 30 +++++++++++++++++++++++++++
 inventory/host_vars/max.yml | 2 +-
 inventory/hosts.yml | 10 ++++-----
 main.tf | 26 ++++++++++++++++++++++++
 max.yml | 25 ++++++++++++++++++++---
 roles/common/files/resolv.conf | 5 -----
 roles/common/tasks/main.yml | 16 ++++++--------
 roles/docker/tasks/main.yml | 2 +-
 roles/static/vars/main.yml | 2 +-
 11 files changed, 128 insertions(+), 28 deletions(-)
 create mode 100644 data/main.tf
 create mode 100644 main.tf
 delete mode 100644 roles/common/files/resolv.conf
diff --git a/.gitignore b/.gitignore
index b593a85..33b954c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,38 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+*.tfbackend
+
 .vault_password
diff --git a/ansible.cfg b/ansible.cfg
index b598c64..5f42fc7 100644
--- a/ansible.cfg
+++ b/ansible.cfg
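Review bot: The new ignore list drops `.terraform.lock.hcl`, which is the file that pins provider versions and their hashes; with it untracked, every fresh `terraform init` resolves `dmacvicar/libvirt` (declared without a `version` constraint in data/main.tf and main.tf) to whatever is current, so the provider build is neither reproducible nor verifiable across machines. Terraform's own guidance is to commit the lock file, and the `*.tfvars`, `*.tfstate` and `.terraformrc` entries are the right calls and can stay. I would delete the line `.terraform.lock.hcl` and add a `version` constraint to the `required_providers` blocks so the lock file has something to pin.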
@@ -1,5 +1,4 @@
 [defaults]
-# (pathspec) Colon separated paths in which Ansible will search for Roles.
 roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
 inventory=inventory
 vault_password_file=util/secret-service-client.sh
diff --git a/data/main.tf b/data/main.tf
new file mode 100644
index 0000000..1961de5
--- /dev/null
+++ b/data/main.tf
@@ -0,0 +1,30 @@
+terraform {
+ backend "pg" {
+ schema_name = "max-data"
+ conn_str = "postgres://terraform@10.42.0.1/terraform_state"
+ }
+
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ }
+ }
+}
+
+provider "libvirt" {
+ uri = "qemu+ssh://root@atlas.lan/system"
+}
+
+resource "libvirt_volume" "data" {
+ name = "max-data"
+ pool = "data"
+ size = 1024 * 1024 * 1024 * 65
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+output "data_disk_id" {
+ value = libvirt_volume.data.id
+}
diff --git a/inventory/host_vars/max.yml b/inventory/host_vars/max.yml
index 11aa49f..55ff4c3 100644
--- a/inventory/host_vars/max.yml
+++ b/inventory/host_vars/max.yml
@@ -1,4 +1,4 @@ -base_data_dir: /data +base_data_dir: /mnt/data base_service_dir: /srv # Additional open ports
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index b0f8f06..bf163f0 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -1,7 +1,5 @@
 all:
- children:
- homeserver:
- hosts:
- max:
- ansible_user: root
- ansible_host: max.dmz
+ hosts:
+ max:
+ ansible_user: root
+ ansible_host: max.dmz
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..a4f49fb
--- /dev/null
+++ b/main.tf
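Review bot: The `pg` backend in data/main.tf connects with `conn_str = "postgres://terraform@10.42.0.1/terraform_state"` and no `sslmode`, so libpq's default (`prefer`) silently falls back to a plaintext connection when TLS is not negotiated; the state written there carries resource attributes and outputs such as `data_disk_id`, and main.tf uses the identical string. Appending `?sslmode=verify-full` (or at minimum `require`) to the connection string makes the transport explicit, and the string can be supplied through the `PG_CONN_STR` environment variable instead of living in the repository. No credential appears in the string, so authentication presumably comes from libpq's own sources or the server's host-based rules for the `terraform` role — worth confirming it is not trust-based on 10.42.0.1. The `provider "libvirt"` URI `qemu+ssh://root@atlas.lan/system` also hands Terraform root on the hypervisor; an unprivileged user in the hypervisor's `libvirt` group gives the same capability with a smaller blast radius, and the same applies in main.tf.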
@@ -0,0 +1,26 @@
+terraform {
+ backend "pg" {
+ schema_name = "max"
+ conn_str = "postgres://terraform@10.42.0.1/terraform_state"
+ }
+
+ required_providers {
+ libvirt = {
+ source = "dmacvicar/libvirt"
+ }
+ }
+}
+
+provider "libvirt" {
+ uri = "qemu+ssh://root@atlas.lan/system"
+}
+
+module "tf-datatest" {
+ source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
+ name = "max"
+ domain_name = "tf-max"
+ data_disk = "/kvm/data/max-data"
+ #ansible_command = "ansible-playbook max.yml"
+ memory = 1024 * 8
+ mac = "CA:FE:C0:FF:EE:03"
+}
diff --git a/max.yml b/max.yml
index bf406dd..eb6771f 100644
--- a/max.yml
+++ b/max.yml
@@ -1,13 +1,32 @@ - name: Setup homeserver - hosts: homeserver + hosts: max + gather_facts: no + + pre_tasks: + - name: Wait for host to come up + wait_for: + state: started + port: 22 + host: max.dmz + timeout: 300 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + shell: + cmd: "cloud-init status --wait" + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: + + roles: - - {role: 'ssh', tags: 'ssh'} - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} - {role: 'cyberchef', tags: 'cyberchef'} - - {role: 'radicale', tags: 'radicale'} + # - {role: 'radicale', tags: 'radicale'} - {role: 'mastodon', tags: 'mastodon'} - {role: 'seafile', tags: 'seafile'} - {role: 'jitsi', tags: 'jitsi'}
diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf
deleted file mode 100644
index cf23f28..0000000
--- a/roles/common/files/resolv.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-nameserver 192.168.30.7
-nameserver 192.168.30.1
-nameserver 1.1.1.1
-nameserver 1.0.0.1
-search lan
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index c32e911..b8f79d0 100644
--- a/roles/common/tasks/main.yml
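Review bot: `module "tf-datatest"` pulls `git::https://git.pim.kunis.nl/home/tf-modules.git//debian` without a `?ref=` query, so each `terraform init` takes the default branch head and any push to that repository changes what this VM is built from without a review step here. Pin it to a tag or commit, e.g. `source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian?ref=<tag-or-commit>"` (placeholder), and bump deliberately. The backend connection string and the `qemu+ssh://root@atlas.lan/system` provider URI are the same as in data/main.tf, so the transport and privilege considerations for that file apply here unchanged.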
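Review bot: The "Wait for cloud-init to finish" pre-task uses `shell:` for `cmd: "cloud-init status --wait"`, which has no pipes, globs or variables, so `command:` does the same job without invoking a shell and is what ansible-lint expects; the one-line change is `command:` in place of `shell:`. The `wait_for` task hard-codes `host: max.dmz` while inventory/hosts.yml already carries that value as `ansible_host`, so `host: "{{ ansible_host }}"` keeps the two from drifting. Note that `cloud-init status --wait` exits non-zero when cloud-init reports an error, which aborts the play before "Gather facts" — presumably intended, but worth a comment on the task.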
+++ b/roles/common/tasks/main.yml
@@ -9,13 +9,9 @@
 file:
 path: "{{ base_service_dir }}"
 state: directory
-- name: Disable systemd-resolved
- systemd:
- name: systemd-resolved
- enabled: false
- state: stopped
-- name: Copy resolv.conf
- copy:
- src: "{{ role_path }}/files/resolv.conf"
- dest: /etc/resolv.conf
- follow: true
+- name: Delete externally managed environment file
+ shell:
+ cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+ register: rm
+ changed_when: "rm.rc == 0"
+ failed_when: "false"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 3acc420..7b7b88b 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -12,7 +12,7 @@
 keyring: /etc/apt/keyrings/docker.gpg
 - name: Add Docker repository
 apt_repository:
- repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+ repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
 register: apt_repository
 - name: Update APT cache
 apt:
diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml
index 8838234..912dd02 100644
--- a/roles/static/vars/main.yml
+++ b/roles/static/vars/main.yml
@@ -1,3 +1,3 @@
 service_name: static
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git"
+git_origin: "http://git.pim.kunis.nl/pim/static.git"
From 7c220a5501de082800ae4acce6ced817945d3107 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Thu, 13 Apr 2023 11:43:42 +0200
Subject: [PATCH 2/2] fix #2
---
 max.yml | 4 +--
 roles/radicale/files/radicale.conf | 2 +-
 roles/radicale/tasks/main.yml | 2 +-
 .../radicale/templates/docker-compose.yml.j2 | 32 +++++++++++++------
 4 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/max.yml b/max.yml
index eb6771f..a17d2e2 100644
--- a/max.yml
+++ b/max.yml
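Review bot: The new task runs `rm /usr/lib/python*/EXTERNALLY-MANAGED`, which removes the PEP 668 marker for every user and tool on the host and so re-enables `pip install` into the system interpreter globally, not just for whichever role needs it; `failed_when: "false"` then masks every failure, including a permission error, and the glob is the only reason a `shell` is used at all. If a pip-installed package is unavoidable, the `pip` module's `extra_args: --break-system-packages` or its `virtualenv` option scopes the exception to that one install and leaves the marker in place. If the marker really must go, a `find` followed by `file: state: absent` does it without a shell, is idempotent on re-runs, and still surfaces real errors. The task list this hunk belongs to starts above the hunk.
```yaml
# … unchanged: base_service_dir directory task …
- name: Find externally managed environment markers
  find:
    paths: /usr/lib
    patterns: EXTERNALLY-MANAGED
    recurse: true
    depth: 2
  register: externally_managed
- name: Delete externally managed environment file
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ externally_managed.files }}"
```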
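Review bot: `git_origin` now clones over plain `http://git.pim.kunis.nl/pim/static.git`, replacing a loopback URL with one that crosses the network unauthenticated; whatever the static role deploys from that checkout can be altered in transit by anyone on the path, and git adds no integrity check beyond the transport. The same host is reached over HTTPS elsewhere in this series (the `Reviewed-on` trailer and the module source in main.tf), so `git_origin: "https://git.pim.kunis.nl/pim/static.git"` should work as-is.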
@@ -26,11 +26,11 @@
 - {role: 'syncthing', tags: 'syncthing'}
 - {role: 'kms', tags: 'kms'}
 - {role: 'cyberchef', tags: 'cyberchef'}
- # - {role: 'radicale', tags: 'radicale'}
+ - {role: 'radicale', tags: 'radicale'}
 - {role: 'mastodon', tags: 'mastodon'}
 - {role: 'seafile', tags: 'seafile'}
 - {role: 'jitsi', tags: 'jitsi'}
- - {role: 'freshrss', tags: 'freshrss'}
+ # - {role: 'freshrss', tags: 'freshrss'}
 - {role: 'static', tags: 'static'}
 - {role: 'inbucket', tags: 'inbucket'}
 - {role: 'prometheus', tags: 'prometheus'}
diff --git a/roles/radicale/files/radicale.conf b/roles/radicale/files/radicale.conf
index 360d314..eb9df16 100644
--- a/roles/radicale/files/radicale.conf
+++ b/roles/radicale/files/radicale.conf
@@ -9,7 +9,7 @@ stock = utf-8 [auth] realm = Radicale - Password Required type = htpasswd -htpasswd_filename = /radicale/users +htpasswd_filename = /config/users htpasswd_encryption = md5 [rights]
diff --git a/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml
index 48afa89..5ac19d6 100644
--- a/roles/radicale/tasks/main.yml
+++ b/roles/radicale/tasks/main.yml
@@ -13,7 +13,7 @@
 - name: Copy radicale.conf
 copy:
 src: "{{ role_path }}/files/radicale.conf"
- dest: "{{ service_dir }}/config/radicale.conf"
+ dest: "{{ service_dir }}/config/config"
 - name: Copy users file
 copy:
 src: "{{ role_path }}/files/users"
diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2
index e8a51fd..70e0b29 100644
--- a/roles/radicale/templates/docker-compose.yml.j2
+++ b/roles/radicale/templates/docker-compose.yml.j2
@@ -1,18 +1,28 @@ -version: '3' - -networks: - traefik: - external: true +version: '3.7' services: radicale: - restart: always - image: mailu/radicale:1.9 + image: tomsquest/docker-radicale container_name: radicale + init: true + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + cap_add: + - SETUID + - SETGID + - CHOWN + - KILL + healthcheck: + test: curl -f http://127.0.0.1:5232 || exit 1 + interval: 30s + retries: 3 + restart: unless-stopped volumes: - {{ data_dir }}:/data - - {{ service_dir }}/config:/radicale - command: radicale -S -C /radicale/radicale.conf + - {{ service_dir }}/config:/config:ro networks: - traefik labels:
@@ -23,3 +33,7 @@ services:
 - traefik.http.routers.radicale.tls.certresolver=letsencrypt
 - traefik.http.routers.radicale.service=radicale
 - traefik.http.services.radicale.loadbalancer.server.port=5232
+
+networks:
+ traefik:
+ external: true
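Review bot: `image: tomsquest/docker-radicale` carries no tag, so it resolves to `latest`, and with the watchtower role active in this playbook the container will be replaced by whatever the registry serves next, outside any review; the image it replaces was pinned as `mailu/radicale:1.9`. Pin a version tag, ideally with an `@sha256:` digest, e.g. `image: tomsquest/docker-radicale:<version>` (placeholder). The hardening added alongside (`read_only: true`, `cap_drop: ALL`, `no-new-privileges:true`, the `:ro` config mount) is the right direction; the healthcheck `curl -f http://127.0.0.1:5232 || exit 1` relies on curl being present in the image, which is worth confirming against the pinned version since a missing binary makes the container permanently unhealthy.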