From b638cd7310bed3274339a876641a117c02262587 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 25 Feb 2023 15:06:17 +0100 Subject: [PATCH 01/41] WIP: matrix --- README.md | 2 + inventory/group_vars/homeserver.yml | 2 + playbooks/all.yml | 1 + roles/forgejo/templates/docker-compose.yml.j2 | 2 + roles/matrix/files/matrix.log.config | 32 +++++++++++++++ roles/matrix/files/matrix.signing.key | 8 ++++ roles/matrix/tasks/main.yml | 31 ++++++++++++++ roles/matrix/templates/docker-compose.yml.j2 | 41 +++++++++++++++++++ roles/matrix/templates/homeserver.yaml.j2 | 35 ++++++++++++++++ roles/matrix/vars/main.yml | 41 +++++++++++++++++++ roles/nsd/files/zones/pim.kunis.nl | 3 +- roles/static/files/matrix/client | 5 +++ roles/static/files/matrix/server | 3 ++ roles/static/files/security.txt | 1 - roles/static/tasks/main.yml | 6 +-- roles/static/templates/docker-compose.yml.j2 | 11 ++++- roles/static/templates/nginx.conf.j2 | 34 +++++++++++---- roles/static/vars/main.yml | 2 +- roles/traefik/templates/docker-compose.yml.j2 | 1 + roles/traefik/templates/traefik.toml.j2 | 2 + util/secret-service-client.sh | 0 21 files changed, 249 insertions(+), 14 deletions(-) create mode 100644 roles/matrix/files/matrix.log.config create mode 100644 roles/matrix/files/matrix.signing.key create mode 100644 roles/matrix/tasks/main.yml create mode 100644 roles/matrix/templates/docker-compose.yml.j2 create mode 100644 roles/matrix/templates/homeserver.yaml.j2 create mode 100644 roles/matrix/vars/main.yml create mode 100644 roles/static/files/matrix/client create mode 100644 roles/static/files/matrix/server delete mode 100644 roles/static/files/security.txt mode change 100644 => 100755 util/secret-service-client.sh diff --git a/README.md b/README.md index caa852b..fd87e3e 100644 --- a/README.md +++ b/README.md 
@@ -40,6 +40,8 @@ All services below are running under Docker, except NSD and Borg. - move Mastodon to pim.kunis.nl - Podman - Replace watchtower with Podman features +- Move nginx static content server to this repo +- Move dataserver to its own repo ### NSD diff --git a/inventory/group_vars/homeserver.yml b/inventory/group_vars/homeserver.yml index 3f33826..3df3da5 100644 --- a/inventory/group_vars/homeserver.yml +++ b/inventory/group_vars/homeserver.yml @@ -6,5 +6,7 @@ jitsi_videobridge_port: 54562 git_ssh_port: 56287 prometheus_port: 8081 traefik_api_port: 8080 +internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container. +internal_matrix_port: 3001 # Needed for proxying through NGINX domain_name_pim: pim.kunis.nl diff --git a/playbooks/all.yml b/playbooks/all.yml index 8add242..05468b3 100644 --- a/playbooks/all.yml +++ b/playbooks/all.yml @@ -16,6 +16,7 @@ - {role: 'static', tags: 'static'} - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} + - {role: 'matrix', tags: 'matrix'} - name: Setup dataserver hosts: dataserver roles: diff --git a/roles/forgejo/templates/docker-compose.yml.j2 b/roles/forgejo/templates/docker-compose.yml.j2 index 91ecb6d..921dc80 100644 --- a/roles/forgejo/templates/docker-compose.yml.j2 +++ b/roles/forgejo/templates/docker-compose.yml.j2 @@ -12,6 +12,8 @@ services: - USER_UID=1000 - USER_GID=1000 restart: always + ports: + - "{{ internal_forgejo_port }}:3000" networks: - traefik volumes: diff --git a/roles/matrix/files/matrix.log.config b/roles/matrix/files/matrix.log.config new file mode 100644 index 0000000..e5cc93a --- /dev/null +++ b/roles/matrix/files/matrix.log.config 
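Review bot: The new `ports:` entry in roles/forgejo/templates/docker-compose.yml.j2 publishes Forgejo's plaintext HTTP listener on every host interface, so a port that was previously reachable only through Traefik's TLS router becomes reachable from the LAN with no TLS and no Traefik rules in front of it. The comment added in homeserver.yml says the port exists only so another container can pull a repository, which a loopback binding already satisfies: `- "127.0.0.1:{{ internal_forgejo_port }}:3000"`. If the consumer is itself a container that cannot use the host loopback, attaching it to the shared `traefik` network and cloning from `forgejo:3000` avoids publishing the port at all. Whether a host firewall already filters 3000 is not visible here.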
@@ -0,0 +1,32 @@ +version: 1 + +formatters: + precise: + + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + + +handlers: + + + console: + class: logging.StreamHandler + formatter: precise + + + +loggers: + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: INFO + + +root: + level: INFO + + + handlers: [console] + + +disable_existing_loggers: false \ No newline at end of file diff --git a/roles/matrix/files/matrix.signing.key b/roles/matrix/files/matrix.signing.key new file mode 100644 index 0000000..84cc79b --- /dev/null +++ b/roles/matrix/files/matrix.signing.key @@ -0,0 +1,8 @@ +$ANSIBLE_VAULT;1.1;AES256 +38363633306139626564313833363364653037613238396266303133663231643739373237666662 +6639636136303666353639353632373530326263633264350a616465313137663731393464383263 +65373565343462633733366636343766656666396531383638363232363565646364663035353333 +3236383136353065660a353631326630623165366631666639343864633531383238643131373363 +64303565363439343064393039323265623364633738373163373339376134643966333032326564 +61646536633335633938336438663430643461623230666163636561303430393732663062393461 +346332333463636566326364663465306565 diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml new file mode 100644 index 0000000..4ce0826 --- /dev/null +++ b/roles/matrix/tasks/main.yml 
@@ -0,0 +1,31 @@ +- name: Create app directory + file: + path: "{{ service_dir }}" + state: directory +- name: Copy signing key + copy: + src: "{{ role_path }}/files/matrix.log.config" + dest: "{{ service_dir }}/matrix.log.config" +- name: Copy Docker Compose script + template: + src: "{{ role_path }}/templates/docker-compose.yml.j2" + dest: "{{ service_dir }}/docker-compose.yml" +- name: Copy homeserver.yaml + template: + src: "{{ role_path }}/templates/homeserver.yaml.j2" + dest: "{{ service_dir }}/homeserver.yaml" + register: homeserver +- name: Copy signing key + copy: + src: "{{ role_path }}/files/matrix.signing.key" + dest: "{{ service_dir }}/matrix.signing.key" +- name: Create data directory + file: + path: "{{ data_dir }}" + state: directory +- name: Start the Docker Compose + docker_compose: + project_src: "{{ service_dir }}" + pull: true + remove_orphans: true + restarted: "{{ homeserver.changed }}" diff --git a/roles/matrix/templates/docker-compose.yml.j2 b/roles/matrix/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..0449299 --- /dev/null +++ b/roles/matrix/templates/docker-compose.yml.j2 
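Review bot: The signing key and homeserver.yaml are written with the `copy`/`template` defaults, so the Synapse signing key, the database password and the macaroon/registration secrets rendered into homeserver.yaml land on disk with whatever umask the Ansible connection has, typically world-readable. Add `mode: "0600"` to the signing-key `copy` task, the homeserver.yaml `template` task and the docker-compose template (which also carries the database password), with `owner`/`group` matching the user the Synapse image runs as, since that image drops to an unprivileged UID by default (confirm against the image docs). The first task named `Copy signing key` actually copies `matrix.log.config`; renaming it `Copy log config` keeps the play output honest. `restarted: "{{ homeserver.changed }}"` also ignores changes to the signing key and log config; registering those tasks and restarting on any of them avoids running with stale files.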
@@ -0,0 +1,41 @@ +version: '3' + +services: + synapse: + image: docker.io/matrixdotorg/synapse:v1.77.0 + restart: unless-stopped + environment: + - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + volumes: + - /data/matrix/uploads:/data/uploads + - /data/matrix/media:/data/media + - /srv/matrix/homeserver.yaml:/data/homeserver.yaml + - /srv/matrix/matrix.log.config:/data/matrix.log.config + - /srv/matrix/matrix.signing.key:/data/matrix.signing.key + depends_on: + - db + networks: + - traefik + ports: + - "{{ internal_matrix_port }}:8008" + labels: + - traefik.enable=true + - traefik.http.routers.matrix.entryPoints=websecure + - traefik.http.routers.matrix.rule=Host(`{{ matrix_domain }}`) + - traefik.http.routers.matrix.tls=true + - traefik.http.routers.matrix.tls.certResolver=letsencrypt + - traefik.http.routers.matrix.service=matrix + - traefik.http.services.matrix.loadbalancer.server.port=8008 + + db: + image: docker.io/postgres:12-alpine + environment: + - POSTGRES_USER=synapse + - POSTGRES_PASSWORD={{ database_password }} + - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C + volumes: + - /data/matrix/schemas:/var/lib/postgresql/data + +networks: + traefik: + external: true diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2 new file mode 100644 index 0000000..0b84c3c --- /dev/null +++ b/roles/matrix/templates/homeserver.yaml.j2 
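Review bot: `- "{{ internal_matrix_port }}:8008"` publishes Synapse's plaintext client/federation listener on all host interfaces, and because homeserver.yaml sets `x_forwarded: true` on that listener, anyone who can reach 3001 directly can supply their own `X-Forwarded-For` and appear under an arbitrary address in Synapse's logs and per-IP rate limits. The nginx proxy reaches it via `host.docker.internal`, which `host-gateway` maps to the Docker bridge address rather than loopback, so a `127.0.0.1:` binding alone would break that path; the cleaner fix is to not publish the port and let the static nginx container, which is already on the `traefik` network, proxy to `synapse:8008` over that network. Separately, `db` declares no `networks:` while `synapse` is attached only to the external `traefik` network, so as written the two services would not share a network and `host: db` in homeserver.yaml would not resolve; adding a private network to both is needed. The Postgres password is rendered into this compose file, so the template task that writes it should restrict its mode.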
@@ -0,0 +1,35 @@ +# Configuration file for Synapse. +# +# For more information on how to configure Synapse, including a complete accounting of +# each option, go to docs/usage/configuration/config_documentation.md or +# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html +server_name: "{{ matrix_domain }}" +pid_file: /data/homeserver.pid +listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + resources: + - names: [client, federation] + compress: false +database: + name: psycopg2 + args: + user: synapse + password: "{{ database_password }}" + host: db + cp_min: 5 + cp_max: 10 +log_config: "/data/matrix.log.config" +media_store_path: "/data/media" +registration_shared_secret: "{{ registration_shared_secret }}" +report_stats: false +macaroon_secret_key: "{{ macaroon_secret_key }}" +form_secret: "{{ form_secret }}" +signing_key_path: "/data/matrix.signing.key" +trusted_key_servers: + - server_name: "matrix.org" + + +# vim:ft=yaml diff --git a/roles/matrix/vars/main.yml b/roles/matrix/vars/main.yml new file mode 100644 index 0000000..637e90c --- /dev/null +++ b/roles/matrix/vars/main.yml 
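Review bot: `trusted_key_servers` lists matrix.org without `verify_keys`, which as far as I recall makes Synapse log a startup warning because trust in the notary is then unpinned; either add matrix.org's published verify key under `verify_keys` or set `suppress_key_server_warning: true` so the trust decision is explicit rather than accidental. `x_forwarded: true` is correct behind Traefik/nginx but means the 8008 listener must not be reachable except through those proxies, which the compose file currently does not guarantee. `enable_registration` is not set and so defaults to off; writing `enable_registration: false` makes the intent visible and survives a future default change. The `/data/uploads` bind mount from the compose file is not referenced by any key here; if `uploads_path` is intended it should be set, otherwise the mount is dead.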
@@ -0,0 +1,41 @@ +service_name: matrix +data_dir: "{{ base_data_dir }}/{{ service_name }}" +service_dir: "{{ base_service_dir }}/{{ service_name }}" + +matrix_domain: "matrix.{{ domain_name_pim }}" + +registration_shared_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66643364393432353763666361383331316635356431636530663162643134653939306438366533 + 3463393262623364336430363638356439393461393237650a626630633963343530643565323633 + 35613636386365393035666366636534306266613935653136666430366330323032653164363066 + 6531323364383131360a616465336164303030643132336264646333346666626138386331636164 + 65366438356238383234386662363631316334613439613739303165613363636261643934656665 + 32653764373939373739666263653261343036636365316566623934343261653436613962343335 + 343132326461336338323938326264666630 +macaroon_secret_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61656638626162383134356238393031346464623930363636376136633038623836323737633463 + 3733383661663339313965636134373037366235613562340a376334666266623438313066346166 + 64333564613438313861396632633464386236356236313461373461613632346538343837343264 + 3363623135613063300a333932363036353063653931616361363934633239653732343737373536 + 31366265383939303664623565633435626530316430323036663261353334336264306162653361 + 38306437616333316638396161393164393766356566323362343565663630306465663133333733 + 343039623366313961393136356239373837 +form_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38646165646636353331323565343033396431623338633734653838633032363930323637656637 + 3931643733343537343534386137313737383562346534300a353535633239626332393831613661 + 39366230313234663930363962386336646639393566356437623937393062353134303138363734 + 6430653164656339660a613234313464653138313331333137646331323338346230643630636466 + 35383837356633303061663362626439653030333063383532373663316330373737323736326562 + 37313034363262346333343166343231316264303934366565643466396164333166643561373365 + 656533393033356363303933353231376466 
+database_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38393732313834343631626234353261653536646434343561613264626162363839303432333133 + 3635333330626263666430353931666635393738643163300a633231343334666331373936333565 + 36376164396464623233613033636562626630623730633730666333363437613234636638356630 + 3336373235336232630a353732653331623963313865333765633965353630363733386534313639 + 38643839323733393031373139376662326134653965646366663631396464393861636538313563 + 3934363539366139346633626433396438663739393332663030 diff --git a/roles/nsd/files/zones/pim.kunis.nl b/roles/nsd/files/zones/pim.kunis.nl index f68d70d..3c61f54 100644 --- a/roles/nsd/files/zones/pim.kunis.nl +++ b/roles/nsd/files/zones/pim.kunis.nl @@ -1,7 +1,7 @@ $ORIGIN pim.kunis.nl. $TTL 60 -pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023020800 1800 3600 1209600 3600 +pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023022500 1800 3600 1209600 3600 NS ns.pim.kunis.nl. A 84.245.14.149 @@ -17,3 +17,4 @@ dav IN CNAME www.pim.kunis.nl. git IN CNAME www.pim.kunis.nl. meet IN CNAME www.pim.kunis.nl. rss IN CNAME www.pim.kunis.nl. +matrix IN CNAME www.pim.kunis.nl. diff --git a/roles/static/files/matrix/client b/roles/static/files/matrix/client new file mode 100644 index 0000000..4db647f --- /dev/null +++ b/roles/static/files/matrix/client @@ -0,0 +1,5 @@ +{ + "m.homeserver": { + "base_url": "https://matrix.pim.kunis.nl" + } +} diff --git a/roles/static/files/matrix/server b/roles/static/files/matrix/server new file mode 100644 index 0000000..341190b --- /dev/null +++ b/roles/static/files/matrix/server @@ -0,0 +1,3 @@ +{ + "m.server": "matrix.pim.kunis.nl:443" +} diff --git a/roles/static/files/security.txt b/roles/static/files/security.txt deleted file mode 100644 index b1800e5..0000000 --- a/roles/static/files/security.txt +++ /dev/null @@ -1 +0,0 @@ -testje diff --git a/roles/static/tasks/main.yml b/roles/static/tasks/main.yml index 5f0cba5..ec53b20 100644 
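Review bot: `roles/static/files/matrix/client` is the `.well-known/matrix/client` document, which web clients fetch cross-origin, so the client-server spec requires the response to carry `Access-Control-Allow-Origin: *`; nothing in this series adds that header (or a JSON content type) for the `/.well-known/matrix/` path in the static nginx config, so browser-based clients such as Element Web would presumably fail discovery. A `location /.well-known/matrix/ { add_header Access-Control-Allow-Origin *; default_type application/json; }` block covers both files. The `m.server` value `matrix.pim.kunis.nl:443` is consistent with the Traefik router on 443 and the new CNAME in the zone. Note that the vaulted secrets in roles/matrix/vars/main.yml are role `vars`, which have high precedence and cannot be overridden from inventory; `defaults/` or `group_vars` is the usual home if per-host values are ever needed.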
--- a/roles/static/tasks/main.yml +++ b/roles/static/tasks/main.yml @@ -17,10 +17,10 @@ cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build" chdir: "{{ service_dir }}" when: repo.changed -- name: Copy security.txt +- name: Copy Matrix static files copy: - src: "{{ role_path }}/files/security.txt" - dest: "{{ service_dir }}/security.txt" + src: "{{ role_path }}/files/matrix/" + dest: "{{ service_dir }}/matrix/" - name: Copy docker compose file template: src: "{{ role_path }}/templates/docker-compose.yml.j2" diff --git a/roles/static/templates/docker-compose.yml.j2 b/roles/static/templates/docker-compose.yml.j2 index 773d584..ebaa0c0 100644 --- a/roles/static/templates/docker-compose.yml.j2 +++ b/roles/static/templates/docker-compose.yml.j2 @@ -12,15 +12,24 @@ services: - {{ service_dir }}/security.txt:/var/www/blog/security.txt networks: - traefik + extra_hosts: + - "host.docker.internal:host-gateway" labels: - traefik.enable=true - traefik.http.routers.blog.entrypoints=websecure - - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))" + - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`, `/_matrix`, `/.well-known/matrix/`))" - traefik.http.routers.blog.tls=true - traefik.http.routers.blog.tls.certresolver=letsencrypt - traefik.http.routers.blog.service=blog - traefik.http.services.blog.loadbalancer.server.port=80 + - traefik.http.routers.matrix-fed.entrypoints=matrix + - traefik.http.routers.matrix-fed.rule=Host(`matrix.pim.kunis.nl`) + - traefik.http.routers.matrix-fed.tls=true + - traefik.http.routers.matrix-fed.tls.certresolver=letsencrypt + - traefik.http.routers.matrix-fed.service=matrix-fed + - traefik.http.services.matrix-fed.loadbalancer.server.port=8448 + networks: traefik: external: true 
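Review bot: Traefik's `Path()` matcher is an exact match, so `Path(`/_matrix`, `/.well-known/matrix/`)` on the blog router only matches those two literal paths and never `/_matrix/federation/...` or `/.well-known/matrix/server`; `PathPrefix(`/.well-known/matrix/`)` is what the rule appears to intend, and `/_matrix` on the blog container's port 80 has no handler in the nginx config at all, so it should be dropped from this router. Because the path matchers are OR-ed with no `Host()`, they also apply to every hostname Traefik serves, which is broader than needed. The context line still mounts `{{ service_dir }}/security.txt` although this commit stops copying that file, and the `matrix/` directory the updated task copies is not mounted anywhere in this hunk; Docker creates an empty directory for a missing bind source, and the well-known files will not be visible to nginx unless a mount exists outside the hunk.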
diff --git a/roles/static/templates/nginx.conf.j2 b/roles/static/templates/nginx.conf.j2 index 5267742..e626efd 100644 --- a/roles/static/templates/nginx.conf.j2 +++ b/roles/static/templates/nginx.conf.j2 @@ -2,19 +2,39 @@ server { listen 80 default_server; location /security.txt { - return 301 https://$host/.well-known/security.txt; + return 301 https://{{ domain_name_pim }}/.well-known/security.txt; } location /.well-known/security.txt { - add_header Content-Type 'text/plain'; - add_header Cache-Control 'no-cache, no-store, must-revalidate'; - add_header Pragma 'no-cache'; - add_header Expires '0'; - add_header Vary '*'; - return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n"; + return 301 https://{{ domain_name_pim }}/.well-known/security.txt; } } +server { + # For the federation port + listen 8448 http2 default_server; + listen [::]:8448 http2 default_server; + + server_name matrix.pim.kunis.nl; + + location ~ ^(/_matrix|/_synapse/client) { + # note: do not add a path (even a single /) after the port in `proxy_pass`, + # otherwise nginx will canonicalise the URI and cause signature verification + # errors. + proxy_pass http://host.docker.internal:{{ internal_matrix_port }}; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + + # Synapse responses may be chunked, which is an HTTP/1.1 feature. + proxy_http_version 1.1; + } +} + server { listen 80; server_name {{ domain_name_pim }}; diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml index d0ee1bc..8838234 100644 --- a/roles/static/vars/main.yml +++ b/roles/static/vars/main.yml 
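Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` in the new 8448 server block replaces the chain Traefik already sends with the Traefik container's own address, so Synapse, which trusts these headers via `x_forwarded: true`, sees every federation peer as Traefik's IP and per-IP rate limiting and logging lose their meaning. Use `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and, since this listener is plaintext and `$scheme` is therefore `http`, forward the upstream proxy's value with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` (or hard-code `https`, as TLS is terminated in Traefik). `listen 8448 http2` without `ssl` configures an h2c listener while Traefik forwards HTTP/1.1 to backends unless told otherwise; confirm this combination works or drop `http2`. The comment about matching `max_upload_size` refers to a key homeserver.yaml.j2 does not set; Synapse's default is, I believe, 50M, but the two values should be tied together explicitly.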
@@ -1,3 +1,3 @@ service_name: static service_dir: "{{ base_service_dir }}/{{ service_name }}" -git_origin: https://git.pim.kunis.nl/pim/static.git +git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git" diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index 36c32b8..6740d71 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -14,6 +14,7 @@ services: - "80:80" - "{{ git_ssh_port }}:{{ git_ssh_port }}" - "{{ traefik_api_port }}:{{ traefik_api_port }}" + - "8448:8448" volumes: - /var/run/docker.sock:/var/run/docker.sock - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml diff --git a/roles/traefik/templates/traefik.toml.j2 b/roles/traefik/templates/traefik.toml.j2 index 4f265c7..f3e592b 100644 --- a/roles/traefik/templates/traefik.toml.j2 +++ b/roles/traefik/templates/traefik.toml.j2 @@ -15,6 +15,8 @@ loglevel = "DEBUG" address = ":{{ jitsi_videobridge_port }}/udp" [entryPoints.internal] address = ":{{ traefik_api_port }}" + [entryPoints.matrix] + address = ":8448" [api] insecure = false diff --git a/util/secret-service-client.sh b/util/secret-service-client.sh old mode 100644 new mode 100755 From b9f923787eb0fdebcdd126939c4942345c81d801 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 25 Feb 2023 15:14:32 +0100 Subject: [PATCH 02/41] fix static website git pull --- inventory/group_vars/homeserver.yml | 1 + roles/forgejo/templates/docker-compose.yml.j2 | 2 ++ roles/static/templates/nginx.conf.j2 | 9 ++------- roles/static/vars/main.yml | 2 +- util/secret-service-client.sh | 0 5 files changed, 6 insertions(+), 8 deletions(-) mode change 100644 => 100755 util/secret-service-client.sh diff --git a/inventory/group_vars/homeserver.yml b/inventory/group_vars/homeserver.yml index 3f33826..11aa49f 100644 --- a/inventory/group_vars/homeserver.yml +++ b/inventory/group_vars/homeserver.yml 
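Review bot: `git_origin` now clones over plaintext HTTP from `localhost:{{ internal_forgejo_port }}`, which drops the TLS and certificate check the previous `https://git.pim.kunis.nl` URL provided; that is acceptable only while the published Forgejo port is bound to the host loopback, and the compose change in this same commit binds it to all interfaces. Keep the two consistent with `- "127.0.0.1:{{ internal_forgejo_port }}:3000"` in the Forgejo compose file, or keep the HTTPS origin and fix whatever name-resolution or routing problem motivated the change. The `8448:8448` publish and the new `matrix` entryPoint are consistent with the nginx federation block; the entryPoint itself carries no TLS settings, so TLS on 8448 depends entirely on the `matrix-fed` router labels.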
@@ -6,5 +6,6 @@ jitsi_videobridge_port: 54562 git_ssh_port: 56287 prometheus_port: 8081 traefik_api_port: 8080 +internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container. domain_name_pim: pim.kunis.nl diff --git a/roles/forgejo/templates/docker-compose.yml.j2 b/roles/forgejo/templates/docker-compose.yml.j2 index 91ecb6d..fcd41f5 100644 --- a/roles/forgejo/templates/docker-compose.yml.j2 +++ b/roles/forgejo/templates/docker-compose.yml.j2 @@ -14,6 +14,8 @@ services: restart: always networks: - traefik + ports: + - "{{ internal_forgejo_port }}:3000" volumes: - {{ data_dir }}:/data - {{ service_dir }}/conf:/data/gitea/conf diff --git a/roles/static/templates/nginx.conf.j2 b/roles/static/templates/nginx.conf.j2 index 5267742..10a84d1 100644 --- a/roles/static/templates/nginx.conf.j2 +++ b/roles/static/templates/nginx.conf.j2 @@ -2,16 +2,11 @@ server { listen 80 default_server; location /security.txt { - return 301 https://$host/.well-known/security.txt; + return 301 https://{{ domain_name_pim }}/.well-known/security.txt; } location /.well-known/security.txt { - add_header Content-Type 'text/plain'; - add_header Cache-Control 'no-cache, no-store, must-revalidate'; - add_header Pragma 'no-cache'; - add_header Expires '0'; - add_header Vary '*'; - return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n"; + return 301 https://{{ domain_name_pim }}/.well-known/security.txt; } } diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml index d0ee1bc..8838234 100644 --- a/roles/static/vars/main.yml +++ b/roles/static/vars/main.yml @@ -1,3 +1,3 @@ service_name: static service_dir: "{{ base_service_dir }}/{{ service_name }}" -git_origin: https://git.pim.kunis.nl/pim/static.git +git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git" diff --git a/util/secret-service-client.sh b/util/secret-service-client.sh old mode 100644 new mode 100755 
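Review bot: Both `/security.txt` and `/.well-known/security.txt` in the default server block now redirect to `https://{{ domain_name_pim }}/.well-known/security.txt`, so the file must actually be served by the `{{ domain_name_pim }}` server block, which is outside this hunk; if that block serves the Jekyll root and the site does not contain `.well-known/security.txt`, every host's security.txt now ends in a 404. The removed inline response carried `Expires: 1970-01-01T00:00:00.000Z`, which RFC 9116 treats as stale, so the replacement file should have an `Expires` less than a year in the future and ideally a `Canonical:` line pointing at this URL; please confirm where the new file comes from.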
From 5ed08e0f1ad84b1f2e96daf1e6f01d07a3092d5f Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 25 Feb 2023 15:42:28 +0100 Subject: [PATCH 03/41] move dataserver to seperate repo --- inventory/group_vars/dataserver.yml | 1 - inventory/hosts.yml | 5 --- playbooks/all.yml | 4 -- roles/dataserver/files/ssh_host_ed25519_key | 25 ----------- roles/dataserver/tasks/main.yml | 44 ------------------- .../templates/ssh_host_ed25519_key.pub.j2 | 1 - 6 files changed, 80 deletions(-) delete mode 100644 inventory/group_vars/dataserver.yml delete mode 100644 roles/dataserver/files/ssh_host_ed25519_key delete mode 100644 roles/dataserver/tasks/main.yml delete mode 100644 roles/dataserver/templates/ssh_host_ed25519_key.pub.j2 diff --git a/inventory/group_vars/dataserver.yml b/inventory/group_vars/dataserver.yml deleted file mode 100644 index 813eb06..0000000 --- a/inventory/group_vars/dataserver.yml +++ /dev/null @@ -1 +0,0 @@ -kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609" diff --git a/inventory/hosts.yml b/inventory/hosts.yml index 6391b99..4803701 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -5,8 +5,3 @@ all: max: ansible_user: root ansible_host: max.lan - dataserver: - hosts: - lewis: - ansible_user: root - ansible_host: lewis.lan diff --git a/playbooks/all.yml b/playbooks/all.yml index 8add242..c27e7d6 100644 --- a/playbooks/all.yml +++ b/playbooks/all.yml @@ -16,7 +16,3 @@ - {role: 'static', tags: 'static'} - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} -- name: Setup dataserver - hosts: dataserver - roles: - - {role: 'dataserver', tags: 'dataserver'} diff --git a/roles/dataserver/files/ssh_host_ed25519_key b/roles/dataserver/files/ssh_host_ed25519_key deleted file mode 100644 index 1629458..0000000 --- a/roles/dataserver/files/ssh_host_ed25519_key +++ /dev/null 
@@ -1,25 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -38633038656332643033396338303864343332636434633331366266383235316235313236646361 -6634313931303637616535373966316165656564366437330a393465356237626631303063363061 -62323737343635316139636664663937333233323737376238656566633037613938383737306132 -6237633230623962320a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diff --git a/roles/dataserver/tasks/main.yml b/roles/dataserver/tasks/main.yml deleted file mode 100644 index 8d5d72e..0000000 --- a/roles/dataserver/tasks/main.yml +++ /dev/null @@ -1,44 +0,0 @@ -- name: Add admins' authorized keys - authorized_key: - key: "{{ item }}" - user: "{{ ansible_user_id }}" - loop: "{{ admin_public_keys }}" -- name: Copy host public key - template: - src: "{{ role_path }}/templates/ssh_host_ed25519_key.pub.j2" - dest: "/etc/ssh/ssh_host_ed25519_key.pub" - mode: 0644 -- name: Copy host private key - copy: - src: "{{ role_path }}/files/ssh_host_ed25519_key" - dest: "/etc/ssh/ssh_host_ed25519_key" - mode: 0600 -- name: APT upgrade - apt: - autoremove: true - upgrade: yes - state: latest - update_cache: yes - cache_valid_time: 86400 # One day -- name: Create extra disk moint point - file: - path: "{{ kingston1tb_mount_point }}" - state: directory -- name: Mount extra disk - ansible.posix.mount: - path: "{{kingston1tb_mount_point }}" - src: "UUID={{ kingston1tb_uuid }}" - fstype: ext4 - passno: 1 - state: present -- name: Install borg - apt: - name: borgbackup -- name: Add Borg public key - authorized_key: - key: "ssh-ed25519 {{ borg_public_key }} root@max" - user: "{{ ansible_user_id }}" -- name: Create Borg repository - command: - cmd: "borg init -e none {{ backup_location }}" - creates: "{{ backup_location }}" diff --git a/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2 b/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2 deleted file mode 100644 index 08b6b21..0000000 --- a/roles/dataserver/templates/ssh_host_ed25519_key.pub.j2 +++ /dev/null 
@@ -1 +0,0 @@ -ssh-ed25519 {{ dataserver_public_key }} root@lewis From e105fef48212328cdb491caa8a448d7fd36ceefc Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 25 Feb 2023 18:12:17 +0100 Subject: [PATCH 04/41] remove echo from vault password prompt --- util/secret-service-client.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/util/secret-service-client.sh b/util/secret-service-client.sh index 37c9a82..cb1a98c 100755 --- a/util/secret-service-client.sh +++ b/util/secret-service-client.sh @@ -4,7 +4,6 @@ pass=`secret-tool lookup ansible_vault homeservers` retval=$? if [ $retval -ne 0 ]; then - echo Provide password: read -s pass fi echo $pass From a364830b102404ba90a63e54b818c8e22fa762db Mon Sep 17 00:00:00 2001 From: pizzaniels Date: Sun, 5 Mar 2023 13:57:58 +0100 Subject: [PATCH 05/41] correctie op ipv adres van wireguard --- roles/nsd/files/zones/geokunis2.nl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/nsd/files/zones/geokunis2.nl b/roles/nsd/files/zones/geokunis2.nl index 9a7279e..8d7bf7d 100644 --- a/roles/nsd/files/zones/geokunis2.nl +++ b/roles/nsd/files/zones/geokunis2.nl @@ -1,7 +1,7 @@ $ORIGIN geokunis2.nl. $TTL 60 -geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023021700 1800 3600 1209600 3600 +geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023030500 1800 3600 1209600 3600 NS ns.geokunis2.nl. NS ns0.transip.net. NS ns1.transip.nl. @@ -15,9 +15,9 @@ mail IN A 84.245.14.149 MX 10 mail.geokunis2.nl jenl IN A 217.123.41.225 wg IN A 84.245.14.149 -wg IN AAAA 2a02:58:19a:f710:45aa:5179:2b45:376d +wg IN AAAA 2a02:58:1:e::1afb wg4 IN A 84.245.14.149 -wg6 IN AAAA 2a02:58:19a:f710:45aa:5179:2b45:376d +wg6 IN AAAA 2a02:58:1:e::1afb kms IN A 84.245.14.149 files IN A 84.245.14.149 files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda From 0bf2ffdb8f7155b32dd9bb7fdd20c44b0cd146a9 Mon Sep 17 00:00:00 2001 
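Review bot: Dropping `echo Provide password:` fixes the prompt being captured on stdout as part of the vault password, but the prompt can be kept without touching stdout: `read -r -s -p 'Provide password: ' pass` writes the prompt to stderr and `-r` stops backslashes in the password from being interpreted. The final `echo $pass` (a context line) is unquoted, so a password containing spaces or `*` is mangled by word splitting and globbing, and one starting with `-n` or `-e` is eaten as an echo option; `printf '%s\n' "$pass"` emits it verbatim. The script's opening lines are outside the hunk, so whether `set -e` or `pipefail` applies is not visible.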
From: Pim Kunis Date: Sat, 11 Mar 2023 11:25:23 +0100 Subject: [PATCH 06/41] change forgejo default branch to master --- roles/forgejo/templates/app.ini.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/forgejo/templates/app.ini.j2 b/roles/forgejo/templates/app.ini.j2 index d0ef2ec..3220c38 100644 --- a/roles/forgejo/templates/app.ini.j2 +++ b/roles/forgejo/templates/app.ini.j2 @@ -4,6 +4,7 @@ RUN_USER = git [repository] ROOT = /data/git/repositories +DEFAULT_BRANCH = master [repository.local] LOCAL_COPY_PATH = /data/gitea/tmp/local-repo From bb2a4ecbcc347312a320952424d7b66a9a44dc9e Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 14 Mar 2023 21:11:24 +0000 Subject: [PATCH 07/41] Update 'README.md' --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index caa852b..4216704 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -# Homeservers +# Max -This repository contains Ansible scripts to setup our home servers. +This repository contains Ansible scripts to setup our main home server `max`. The `common` role executes some common OS tasks. The `docker` role installs Docker. The other roles are specifically for the various services we run. From c65dc64aaa75c6d0cf173effd64f511d596543b8 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 14 Mar 2023 22:44:41 +0100 Subject: [PATCH 08/41] change hostnames --- inventory/hosts.yml | 2 +- roles/borg/templates/backup.yml.j2 | 2 +- roles/common/tasks/main.yml | 4 ++-- roles/traefik/templates/docker-compose.yml.j2 | 2 +- roles/watchtower/files/docker-compose.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventory/hosts.yml b/inventory/hosts.yml index 4803701..b0f8f06 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -4,4 +4,4 @@ all: hosts: max: ansible_user: root - ansible_host: max.lan + ansible_host: max.dmz 
diff --git a/roles/borg/templates/backup.yml.j2 b/roles/borg/templates/backup.yml.j2 index 1e7a9a1..4f5013f 100644 --- a/roles/borg/templates/backup.yml.j2 +++ b/roles/borg/templates/backup.yml.j2 @@ -2,7 +2,7 @@ location: source_directories: - {{ base_data_dir }} repositories: - - ssh://root@lewis.lan/{{ backup_location }} + - ssh://root@lewis.dmz/{{ backup_location }} retention: keep_daily: 7 keep_weekly: 4 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 4639a90..bb8292d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -21,6 +21,6 @@ follow: true - name: Add dataserver to known hosts known_hosts: - name: "lewis.lan" - key: "lewis.lan ssh-ed25519 {{ dataserver_public_key }}" + name: "lewis.dmz" + key: "lewis.dmz ssh-ed25519 {{ dataserver_public_key }}" state: present diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index 36c32b8..9b18732 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -30,6 +30,6 @@ services: - traefik.http.routers.esrom.tls=true - traefik.http.routers.esrom.tls.certresolver=letsencrypt - - traefik.http.routers.traefik.rule=Host(`max.lan`) + - traefik.http.routers.traefik.rule=Host(`max.dmz`) - traefik.http.routers.traefik.entrypoints=internal - traefik.http.routers.traefik.service=api@internal diff --git a/roles/watchtower/files/docker-compose.yml b/roles/watchtower/files/docker-compose.yml index 28f892e..6811cf2 100644 --- a/roles/watchtower/files/docker-compose.yml +++ b/roles/watchtower/files/docker-compose.yml @@ -4,5 +4,5 @@ services: image: containrrr/watchtower volumes: - /var/run/docker.sock:/var/run/docker.sock - command: --schedule "0 0 4 * * *" --include-restarting --cleanup --include-stopped --no-startup-message + command: --schedule "0 0 4 * * *" --cleanup --include-stopped --no-startup-message restart: always 
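Review bot: The `known_hosts` task in roles/common/tasks/main.yml switches the entry to `lewis.dmz` with `state: present`, which adds the new pin but leaves the old `lewis.lan` line in root's known_hosts, so a stale host-key pin for a name that may later resolve to something else survives. Add a companion task with `name: lewis.lan` and `state: absent`, or loop one task over both names with the desired state, so the file tracks the inventory. The borg URL, the dashboard `Host()` rule and the watchtower flag are straight renames; the `api@internal` router on the `internal` entrypoint still has no auth middleware visible in this hunk, though one may be attached elsewhere.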
From a1713233c5c10f15e62e56ee622e9c44b9bdd4aa Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 14 Mar 2023 23:06:10 +0100 Subject: [PATCH 09/41] set dns to dmz vm --- roles/common/files/resolv.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf index 863bc57..cf23f28 100644 --- a/roles/common/files/resolv.conf +++ b/roles/common/files/resolv.conf @@ -1,3 +1,4 @@ +nameserver 192.168.30.7 nameserver 192.168.30.1 nameserver 1.1.1.1 nameserver 1.0.0.1 From cc4704b2b9760e1884d0b4f6e0eff2eafe3a81cb Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 17 Mar 2023 21:06:47 +0100 Subject: [PATCH 10/41] fix esrom ip address --- roles/traefik/files/services.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/traefik/files/services.toml b/roles/traefik/files/services.toml index ca5bb05..6dbc3b5 100644 --- a/roles/traefik/files/services.toml +++ b/roles/traefik/files/services.toml @@ -3,4 +3,4 @@ [http.services.esrom] [http.services.esrom.loadBalancer] [[http.services.esrom.loadBalancer.servers]] - url = "http://192.168.30.2:80/" + url = "http://esrom.dmz:80/" From 3865e57f9a51b08c13d182f47336fece9321675c Mon Sep 17 00:00:00 2001 
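Review bot: The Traefik backend for `esrom` is now addressed by name as `esrom.dmz`, and resolv.conf lists `192.168.30.7` ahead of `192.168.30.1` and the Cloudflare resolvers; if the `.dmz` zone exists only on the internal resolvers, a timeout on them makes glibc fall through to `1.1.1.1`/`1.0.0.1`, which return NXDOMAIN for `esrom.dmz`, so the esrom service breaks and internal hostnames leak to a public resolver. Either remove the public fallbacks from resolv.conf or keep an address in the backend URL, e.g. `url = "http://192.168.30.2:80/"` with a comment naming the host. Traefik runs in a container, so its lookups go through Docker's embedded DNS and on to these same servers; no `search dmz` line is shown, so the fully qualified form used here is the right one.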
From: Pim Kunis Date: Sun, 19 Mar 2023 11:44:16 +0100 Subject: [PATCH 11/41] remove authoritative DNS server --- README.md | 1 - playbooks/all.yml | 1 - roles/nsd/files/keys/Kgeokunis2.nl.ksk.key | 1 - .../nsd/files/keys/Kgeokunis2.nl.ksk.private | 10 --- roles/nsd/files/keys/Kpizzapim.nl.ksk.key | 1 - roles/nsd/files/keys/Kpizzapim.nl.ksk.private | 10 --- roles/nsd/files/nsd.conf | 24 ------- roles/nsd/files/zones/geokunis2.nl | 26 ------- roles/nsd/files/zones/pim.kunis.nl | 19 ----- roles/nsd/files/zones/pizzapim.nl | 19 ----- roles/nsd/meta/main.yml | 2 - roles/nsd/tasks/main.yml | 70 ------------------- roles/nsd/vars/main.yml | 3 - 13 files changed, 187 deletions(-) delete mode 100644 roles/nsd/files/keys/Kgeokunis2.nl.ksk.key delete mode 100644 roles/nsd/files/keys/Kgeokunis2.nl.ksk.private delete mode 100644 roles/nsd/files/keys/Kpizzapim.nl.ksk.key delete mode 100644 roles/nsd/files/keys/Kpizzapim.nl.ksk.private delete mode 100644 roles/nsd/files/nsd.conf delete mode 100644 roles/nsd/files/zones/geokunis2.nl delete mode 100644 roles/nsd/files/zones/pim.kunis.nl delete mode 100644 roles/nsd/files/zones/pizzapim.nl delete mode 100644 roles/nsd/meta/main.yml delete mode 100644 roles/nsd/tasks/main.yml delete mode 100644 roles/nsd/vars/main.yml diff --git a/README.md b/README.md index 4216704..0f9e51d 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,6 @@ The other roles are specifically for the various services we run. All services below are running under Docker, except NSD and Borg. -- Authoritative DNS using [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) (ns.pizzapim.nl) - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/) - Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl)) - Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl)) diff --git a/playbooks/all.yml b/playbooks/all.yml index c27e7d6..913f1f5 100644 --- a/playbooks/all.yml +++ b/playbooks/all.yml 
@@ -4,7 +4,6 @@ - {role: 'ssh', tags: 'ssh'} - {role: 'watchtower', tags: 'watchtower'} - {role: 'borg', tags: 'borg'} - - {role: 'nsd', tags: 'nsd'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key deleted file mode 100644 index 26bd681..0000000 --- a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key +++ /dev/null @@ -1 +0,0 @@ -geokunis2.nl. IN DNSKEY 257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b} diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private deleted file mode 100644 index 4b74954..0000000 --- a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private +++ /dev/null @@ -1,10 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -33306239336639653065343862633935396534373739613332356638343037646530333331343835 -6464303336356534653431663938383732383863366238320a663430613133363134336264343734 -31343731373239613330633935636137646133616334353565663061356566666465326261306362 -3463633863626666330a383461656632346361646365383234653963333561366463373331346539 -30633237346532633634636537663936353337353331393663363363363566663738643632363761 -66323032383862306635656130366261303161636232633561313630316537626262356532313131 -63616437633333346431303539306433613130373934393036356563316365373966346536353764 -39343038373162303933653335393432636332613038366531353432346332333936656464626536 -64633030353336616561656539313863306534633863633835333531306533313930 diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.key b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key deleted file mode 100644 index 92f07c1..0000000 --- a/roles/nsd/files/keys/Kpizzapim.nl.ksk.key +++ /dev/null @@ -1 +0,0 @@ -pizzapim.nl. IN DNSKEY 257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b} 
diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.private b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private deleted file mode 100644 index bc136ed..0000000 --- a/roles/nsd/files/keys/Kpizzapim.nl.ksk.private +++ /dev/null @@ -1,10 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -36343534663736653462386238363734646238306365393233633530663039656335623961663131 -6436373566336464336330326438656137646536656333370a386539613239343962373562653264 -66616530343235333964343332386234666266643933393531323066666164623862633962376666 -3230333539393335630a653532396665383536633164643534303461636135653737616137313034 -33653838653538623934353631393636363937333831313036643334343261363836393235313235 -36613966343431333364336437393430653366643263643130376437663164353361633735616332 -35656666353037643739356133303064633166323535323265323134363963316566323165643165 -36656264353962346530323830623432616238653966613433616235336539396461376162316564 -61643465323165643961303639653466663961333531663133636666643437333233 diff --git a/roles/nsd/files/nsd.conf b/roles/nsd/files/nsd.conf deleted file mode 100644 index 60c65a4..0000000 --- a/roles/nsd/files/nsd.conf +++ /dev/null @@ -1,24 +0,0 @@ -server: - ip-address: enp3s0 - server-count: 1 - verbosity: 1 - hide-version: yes - zonesdir: "/etc/nsd/zones" - ip-transparent: yes - ip-freebind: yes - -zone: - name: pizzapim.nl - zonefile: pizzapim.nl.signed - provide-xfr: 87.253.155.96/27 NOKEY - provide-xfr: 157.97.168.160/27 NOKEY - -zone: - name: geokunis2.nl - zonefile: geokunis2.nl.signed - provide-xfr: 87.253.155.96/27 NOKEY - provide-xfr: 157.97.168.160/27 NOKEY - -zone: - name: pim.kunis.nl - zonefile: pim.kunis.nl diff --git a/roles/nsd/files/zones/geokunis2.nl b/roles/nsd/files/zones/geokunis2.nl deleted file mode 100644 index 8d7bf7d..0000000 --- a/roles/nsd/files/zones/geokunis2.nl +++ /dev/null 
@@ -1,26 +0,0 @@ -$ORIGIN geokunis2.nl. -$TTL 60 - -geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023030500 1800 3600 1209600 3600 - NS ns.geokunis2.nl. - NS ns0.transip.net. - NS ns1.transip.nl. - NS ns2.transip.eu. - A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -; MX 0 . -; TXT "v=spf1 -all" - CAA 0 issue "letsencrypt.org" -mail IN A 84.245.14.149 - MX 10 mail.geokunis2.nl -jenl IN A 217.123.41.225 -wg IN A 84.245.14.149 -wg IN AAAA 2a02:58:1:e::1afb -wg4 IN A 84.245.14.149 -wg6 IN AAAA 2a02:58:1:e::1afb -kms IN A 84.245.14.149 -files IN A 84.245.14.149 -files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject" -ns A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda diff --git a/roles/nsd/files/zones/pim.kunis.nl b/roles/nsd/files/zones/pim.kunis.nl deleted file mode 100644 index f68d70d..0000000 --- a/roles/nsd/files/zones/pim.kunis.nl +++ /dev/null @@ -1,19 +0,0 @@ -$ORIGIN pim.kunis.nl. -$TTL 60 - -pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023020800 1800 3600 1209600 3600 - - NS ns.pim.kunis.nl. - A 84.245.14.149 - TXT "v=spf1 ~all" - -_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" - -www IN A 84.245.14.149 -ns IN A 84.245.14.149 - -social IN CNAME www.pim.kunis.nl. -dav IN CNAME www.pim.kunis.nl. -git IN CNAME www.pim.kunis.nl. -meet IN CNAME www.pim.kunis.nl. -rss IN CNAME www.pim.kunis.nl. diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl deleted file mode 100644 index 3892920..0000000 --- a/roles/nsd/files/zones/pizzapim.nl +++ /dev/null 
@@ -1,19 +0,0 @@ -$ORIGIN pizzapim.nl. -$TTL 60 - -pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023020900 1800 3600 1209600 3600 - - NS ns.pizzapim.nl. - NS ns0.transip.net. - NS ns1.transip.nl. - NS ns2.transip.eu. - A 84.245.14.149 - TXT "v=spf1 ~all" - CAA 0 issue "letsencrypt.org" - -_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" - -social IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -ns IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda diff --git a/roles/nsd/meta/main.yml b/roles/nsd/meta/main.yml deleted file mode 100644 index 9711b33..0000000 --- a/roles/nsd/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: common diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml deleted file mode 100644 index 9f556d4..0000000 --- a/roles/nsd/tasks/main.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -- name: Install nsd - apt: - pkg: - - nsd - - ldnsutils -- name: Copy nsd.conf - copy: - src: "{{ role_path }}/files/nsd.conf" - dest: /etc/nsd/nsd.conf -- name: Create zones directory - file: - path: /etc/nsd/zones - state: directory -- name: Copy zone files - copy: - src: "{{ role_path }}/files/zones/" - dest: /etc/nsd/zones -- name: Create keys directory - file: - path: /etc/nsd/keys - state: directory -- name: Copy KSK private keys - template: - src: "{{ item }}" - dest: "/etc/nsd/keys/{{ item | basename }}" - with_fileglob: - - "{{ role_path }}/files/keys/*.ksk.private" -- name: Copy KSK keys - copy: - src: "{{ item }}" - dest: "/etc/nsd/keys/{{ item | basename }}" - with_fileglob: - - "{{ role_path }}/files/keys/*.ksk.key" -- name: Check if ZSKs exist - stat: - path: "/etc/nsd/keys/K{{ item | basename }}.zsk.key" - register: zsks_exists - with_fileglob: - - "{{ role_path }}/files/zones/*" -- name: Create ZSK - command: - cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}" - chdir: /etc/nsd/keys - register: create_zsk - when: not item.stat.exists and (item.item | basename) in sign_zones - with_items: "{{ zsks_exists.results }}" -- name: Rename ZSK key - command: - cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key" - chdir: /etc/nsd/keys - when: item.changed and (item.item | basename) in sign_zones - with_items: "{{ create_zsk.results }}" -- name: Rename ZSK private key - command: - cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private" - chdir: /etc/nsd/keys - when: item.changed and (item.item | basename) in sign_zones - with_items: "{{ create_zsk.results }}" -- name: Sign zones - command: - cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk" - chdir: /etc/nsd/zones - when: (item | basename) in sign_zones - with_fileglob: - - "{{ role_path }}/files/zones/*" -- name: Restart NSD - systemd: - name: nsd - enabled: true - 
state: reloaded diff --git a/roles/nsd/vars/main.yml b/roles/nsd/vars/main.yml deleted file mode 100644 index 45cb37c..0000000 --- a/roles/nsd/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -sign_zones: - - geokunis2.nl - - pizzapim.nl From d81bcbaba2c90b73c21e4df2f161a45c8c755261 Mon Sep 17 00:00:00 2001 From: pizzaniels Date: Mon, 3 Apr 2023 21:31:57 +0200 Subject: [PATCH 12/41] added cyberchef.geokunis2.nl --- playbooks/all.yml | 1 + roles/cyberchef/files/docker-compose.yml | 22 ++++++++++++++++++++++ roles/cyberchef/meta/main.yml | 4 ++++ roles/cyberchef/tasks/main.yml | 14 ++++++++++++++ roles/cyberchef/vars/main.yml | 2 ++ 5 files changed, 43 insertions(+) create mode 100644 roles/cyberchef/files/docker-compose.yml create mode 100644 roles/cyberchef/meta/main.yml create mode 100644 roles/cyberchef/tasks/main.yml create mode 100644 roles/cyberchef/vars/main.yml diff --git a/playbooks/all.yml b/playbooks/all.yml index 913f1f5..c7c63cb 100644 --- a/playbooks/all.yml +++ b/playbooks/all.yml @@ -7,6 +7,7 @@ - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} + - {role: 'cyberchef', tags: 'cyberchef'} - {role: 'radicale', tags: 'radicale'} - {role: 'mastodon', tags: 'mastodon'} - {role: 'seafile', tags: 'seafile'} diff --git a/roles/cyberchef/files/docker-compose.yml b/roles/cyberchef/files/docker-compose.yml new file mode 100644 index 0000000..8fc3dca --- /dev/null +++ b/roles/cyberchef/files/docker-compose.yml 
@@ -0,0 +1,22 @@ +version: "3.7" + +services: + cyberchef-server: + image: mpepping/cyberchef + container_name: cyberchef + restart: always + labels: + - traefik.enable=true + - traefik.http.routers.cyberchef.entrypoints=websecure + - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`) + - traefik.http.routers.cyberchef.tls=true + - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt + - traefik.http.services.cyberchef.loadbalancer.server.port=8000 + - traefik.http.routers.cyberchef.service=cyberchef + - traefik.docker.network=traefik + networks: + - traefik + +networks: + traefik: + external: true diff --git a/roles/cyberchef/meta/main.yml b/roles/cyberchef/meta/main.yml new file mode 100644 index 0000000..7f5b1d3 --- /dev/null +++ b/roles/cyberchef/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + \ No newline at end of file diff --git a/roles/cyberchef/tasks/main.yml b/roles/cyberchef/tasks/main.yml new file mode 100644 index 0000000..2518ba7 --- /dev/null +++ b/roles/cyberchef/tasks/main.yml @@ -0,0 +1,14 @@ +- name: Create app directory + file: + path: "{{ service_dir }}" + state: directory +- name: Copy Docker Compose script + copy: + src: "{{ role_path }}/files/docker-compose.yml" + dest: "{{ service_dir }}/docker-compose.yml" +- name: Start the Docker Compose + docker_compose: + project_src: "{{ service_dir }}" + pull: true + remove_orphans: true + diff --git a/roles/cyberchef/vars/main.yml b/roles/cyberchef/vars/main.yml new file mode 100644 index 0000000..471684a --- /dev/null +++ b/roles/cyberchef/vars/main.yml @@ -0,0 +1,2 @@ +service_name: cyberchef +service_dir: "{{ base_service_dir }}/{{ service_name }}" From 4d4ed08ce60223a99347b6d38e3d8782eb1af2b0 Mon Sep 17 00:00:00 2001 From: niels Date: Mon, 3 Apr 2023 20:03:35 +0000 Subject: [PATCH 13/41] Update 'README.md' --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0f9e51d..152e6b2 100644 --- a/README.md 
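Review bot: `image: mpepping/cyberchef` in roles/cyberchef/files/docker-compose.yml carries neither a tag nor a digest, so the `pull: true` in the tasks hunk (and the watchtower role already in the playbook) deploys whatever the upstream `latest` tag points at when the play runs. Pin it, e.g. `image: mpepping/cyberchef:<tag>` (placeholder) or an `@sha256:` digest, so a change in the published image requires a commit in this repository. Since the service is exposed publicly through the `Host(\`cyberchef.geokunis2.nl\`)` router, a short comment above the `image:` line recording which release was last verified would also help whoever bumps it next.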
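Review bot: roles/cyberchef/meta/main.yml ends with a whitespace-only line and no terminating newline (`\ No newline at end of file`), and roles/cyberchef/tasks/main.yml ends with an extra empty `+` line. Drop the trailing whitespace line and finish both files with exactly one newline so yamllint's `trailing-spaces` and `new-line-at-end-of-file` checks pass and later diffs of these files stay clean.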
+++ b/README.md @@ -18,6 +18,7 @@ All services below are running under Docker, except NSD and Borg. - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) - Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) +- [Cyberchef](https://gchq.github.io/) - Jitsi Meet (https://meet.jit.si) - Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) - RSS feed reader using [FreshRSS](https://miniflux.app/) From 69a520b70a09a9596cc0254476371b842ad39ed3 Mon Sep 17 00:00:00 2001 From: niels Date: Mon, 3 Apr 2023 20:04:58 +0000 Subject: [PATCH 14/41] Update 'README.md' --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 152e6b2..863c44c 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ All services below are running under Docker, except NSD and Borg. - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) - Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) -- [Cyberchef](https://gchq.github.io/) +- Cyberchef [https://gchq.github.io](https://gchq.github.io) - Jitsi Meet (https://meet.jit.si) - Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) - RSS feed reader using [FreshRSS](https://miniflux.app/) From 5d454bee046f9611d5d6b0436497dd93a7321e80 Mon Sep 17 00:00:00 2001 From: niels Date: Mon, 3 Apr 2023 20:05:49 +0000 Subject: [PATCH 15/41] Update 'README.md' --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 863c44c..b4530ec 100644 --- a/README.md +++ b/README.md 
@@ -17,7 +17,7 @@ All services below are running under Docker, except NSD and Borg. - Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl)) - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) -- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) +- Inbucket disposable webmail, Mailinator alternative [inbucket](https://inbucket.org) - Cyberchef [https://gchq.github.io](https://gchq.github.io) - Jitsi Meet (https://meet.jit.si) - Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) From d87705fdadc69e53c0e0f41c20b9e2cdd4dad78c Mon Sep 17 00:00:00 2001 From: niels Date: Mon, 3 Apr 2023 20:06:45 +0000 Subject: [PATCH 16/41] Update 'README.md' --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b4530ec..e4b8811 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ All services below are running under Docker, except NSD and Borg. - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) - Inbucket disposable webmail, Mailinator alternative [inbucket](https://inbucket.org) -- Cyberchef [https://gchq.github.io](https://gchq.github.io) +- Cyberchef (https://gchq.github.io) - Jitsi Meet (https://meet.jit.si) - Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) - RSS feed reader using [FreshRSS](https://miniflux.app/) From 6587dea614d98698421d66a68e3f164949b776b4 Mon Sep 17 00:00:00 2001 From: niels Date: Mon, 3 Apr 2023 20:07:07 +0000 Subject: [PATCH 17/41] Update 'README.md' --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e4b8811..aca80e0 100644 --- a/README.md +++ b/README.md 
@@ -17,7 +17,7 @@ All services below are running under Docker, except NSD and Borg. - Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl)) - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) -- Inbucket disposable webmail, Mailinator alternative [inbucket](https://inbucket.org) +- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) - Cyberchef (https://gchq.github.io) - Jitsi Meet (https://meet.jit.si) - Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) From a8b63203d82d736d6367bac6780a996cf86ad731 Mon Sep 17 00:00:00 2001 From: niels Date: Mon, 3 Apr 2023 20:07:57 +0000 Subject: [PATCH 18/41] Update 'README.md' --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aca80e0..7e9db00 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ All services below are running under Docker, except NSD and Borg. - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) - Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) -- Cyberchef (https://gchq.github.io) +- Cyberchef (https://cyberchef.geokunis2.nl) - Jitsi Meet (https://meet.jit.si) - Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) - RSS feed reader using [FreshRSS](https://miniflux.app/) From 3988a26d93013747854a6883b3ab15375b87e11d Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 10 Apr 2023 09:53:27 +0000 Subject: [PATCH 19/41] Update 'README.md' --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 7e9db00..3a811e4 100644 --- a/README.md +++ b/README.md 
@@ -24,6 +24,19 @@ All services below are running under Docker, except NSD and Borg. - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) +## Virtualization + +Currently this repository is ran as a physical server, but we intend to virtualize it. +First, the whole server should be virtualized on a single virtual machine. +After that, it will be split up into several virtual machines. +The services on each virtual machine should have similar services/security properties. + +Provisional split of services on virtual machines: +- "public web" VM: Mastodon, static HTML server, cyberchef, jitsi meet, inbucket +- "data" VM: seafile, radicale, syncthing, freshrss +- "management" VM: reverse proxy, prometheus, kms +- "git" VM: forgejo. Because forgejo is a somewhat single point of failure, it should have its own VM. + ## Possible future services - matrix From 73921cdd57b41c125cde14c703ebb8fba953503d Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Tue, 11 Apr 2023 22:41:18 +0200 Subject: [PATCH 20/41] remove backup functionality --- README.md | 1 - inventory/group_vars/all.yml | 8 ---- .../homeserver.yml => host_vars/max.yml} | 0 playbooks/all.yml => max.yml | 1 - playbooks/backup.yml | 7 ---- roles/borg/files/backup.timer | 10 ----- roles/borg/files/id_ed25519 | 25 ------------ roles/borg/meta/main.yml | 2 - roles/borg/tasks/main.yml | 38 ------------------- roles/borg/templates/backup.service.j2 | 6 --- roles/borg/templates/backup.yml.j2 | 17 --------- roles/borg/vars/main.yml | 2 - roles/common/tasks/main.yml | 5 --- 13 files changed, 122 deletions(-) delete mode 100644 inventory/group_vars/all.yml rename inventory/{group_vars/homeserver.yml => host_vars/max.yml} (100%) rename playbooks/all.yml => max.yml (94%) delete mode 100644 playbooks/backup.yml delete mode 100644 roles/borg/files/backup.timer delete mode 100644 roles/borg/files/id_ed25519 delete mode 100644 roles/borg/meta/main.yml delete mode 100644 roles/borg/tasks/main.yml delete mode 100644 roles/borg/templates/backup.service.j2 delete mode 100644 roles/borg/templates/backup.yml.j2 delete mode 100644 roles/borg/vars/main.yml diff --git a/README.md b/README.md index 0f9e51d..1aabffa 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,6 @@ All services below are running under Docker, except NSD and Borg. - Cloud file storage using [Seafile](https://www.seafile.com) - Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) - Jitsi Meet (https://meet.jit.si) -- Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/) - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml deleted file mode 100644 index 80201a8..0000000 --- a/inventory/group_vars/all.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM" -dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D" -kingston1tb_mount_point: "/mnt/kingston1TB" -backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup" - -admin_public_keys: - - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" - - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" diff --git a/inventory/group_vars/homeserver.yml b/inventory/host_vars/max.yml similarity index 100% rename from inventory/group_vars/homeserver.yml rename to inventory/host_vars/max.yml diff --git a/playbooks/all.yml b/max.yml similarity index 94% rename from playbooks/all.yml rename to max.yml index 913f1f5..03f786a 100644 --- a/playbooks/all.yml +++ b/max.yml @@ -3,7 +3,6 @@ roles: - {role: 'ssh', tags: 'ssh'} - {role: 'watchtower', tags: 'watchtower'} - - {role: 'borg', tags: 'borg'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} diff --git a/playbooks/backup.yml b/playbooks/backup.yml deleted file mode 100644 index 23e7a72..0000000 --- a/playbooks/backup.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Create backup - hosts: homeserver - - tasks: - - name: Create backup - command: - cmd: systemctl start backup.service diff --git a/roles/borg/files/backup.timer b/roles/borg/files/backup.timer deleted file mode 100644 index cc54943..0000000 --- a/roles/borg/files/backup.timer +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Backup data daily - -[Timer] -OnCalendar=*-*-* 3:00:00 -Persistent=true -RandomizedDelaySec=1h - -[Install] -WantedBy=timers.target diff --git a/roles/borg/files/id_ed25519 b/roles/borg/files/id_ed25519 deleted file mode 100644 index 1dd2cb2..0000000 --- a/roles/borg/files/id_ed25519 +++ /dev/null 
@@ -1,25 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -39646436383433653539316135323332303832633864366363313031636534353531386638323037 -6364366663313964633239613261373733333736316534390a306262373634303536353365396138 -35626433353935633534353636613232623531303765636139363139646265653361353164656363 -3465316438373734330a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diff --git a/roles/borg/meta/main.yml b/roles/borg/meta/main.yml deleted file mode 100644 index 9711b33..0000000 --- a/roles/borg/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: common diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml deleted file mode 100644 index 052fa2f..0000000 --- a/roles/borg/tasks/main.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: Install borg - apt: - pkg: - - borgbackup - - borgmatic -- name: Create borg service directory - file: - path: "{{ service_dir }}" - state: directory -- name: Copy borg backup configuration - template: - src: "{{ role_path }}/templates/backup.yml.j2" - dest: "{{ service_dir }}/backup.yml" -- name: Copy private key - copy: - src: "{{ role_path }}/files/id_ed25519" - dest: "{{ service_dir }}/id_ed25519" - mode: 0600 -- name: Copy systemd timer backup service - template: - src: "{{ role_path }}/templates/backup.service.j2" - dest: "/etc/systemd/system/backup.service" - register: service -- name: Copy systemd timer backup timer - copy: - src: "{{ role_path }}/files/backup.timer" - dest: "/etc/systemd/system/backup.timer" - register: timer -- name: Enable systemd timer - systemd: - name: backup.timer - enabled: true - state: started - daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}" -- name: Restore backup - command: - cmd: "borgmatic extract --archive latest --destination / --config {{ service_dir }}/backup.yml" - creates: /data diff --git a/roles/borg/templates/backup.service.j2 b/roles/borg/templates/backup.service.j2 deleted file mode 100644 index 99fb1b3..0000000 
--- a/roles/borg/templates/backup.service.j2 +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -Description=Backup data using borgmatic - -[Service] -ExecStart=/usr/bin/borgmatic --config {{ service_dir }}/backup.yml -Type=oneshot diff --git a/roles/borg/templates/backup.yml.j2 b/roles/borg/templates/backup.yml.j2 deleted file mode 100644 index 4f5013f..0000000 --- a/roles/borg/templates/backup.yml.j2 +++ /dev/null @@ -1,17 +0,0 @@ -location: - source_directories: - - {{ base_data_dir }} - repositories: - - ssh://root@lewis.dmz/{{ backup_location }} -retention: - keep_daily: 7 - keep_weekly: 4 - keep_monthly: 6 -storage: - ssh_command: ssh -i {{ service_dir }}/id_ed25519 - unknown_unencrypted_repo_access_is_ok: true -hooks: - before_everything: - - systemctl stop docker docker.socket - after_everything: - - systemctl start docker diff --git a/roles/borg/vars/main.yml b/roles/borg/vars/main.yml deleted file mode 100644 index 63faed1..0000000 --- a/roles/borg/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -service_name: borg -service_dir: "{{ base_service_dir }}/{{ service_name }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index bb8292d..c32e911 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -19,8 +19,3 @@ src: "{{ role_path }}/files/resolv.conf" dest: /etc/resolv.conf follow: true -- name: Add dataserver to known hosts - known_hosts: - name: "lewis.dmz" - key: "lewis.dmz ssh-ed25519 {{ dataserver_public_key }}" - state: present From 72f2cc91f6b8131669408bb374719cc941b6017c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 12 Apr 2023 14:59:56 +0200 Subject: [PATCH 21/41] remove makefile --- Makefile | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 Makefile diff --git a/Makefile b/Makefile deleted file mode 100644 index 3e7c747..0000000 --- a/Makefile +++ /dev/null 
@@ -1,8 +0,0 @@ -all: - ansible-playbook playbooks/all.yml - -backup: - ansible-playbook playbooks/backup.yml - -%: - ansible-playbook playbooks/all.yml --tags "$@" From 74a4de161563e3007777b19771438eec22f0ff18 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 12 Apr 2023 21:26:46 +0000 Subject: [PATCH 22/41] virtualize (#3) Reviewed-on: https://git.pim.kunis.nl/home/max/pulls/3 --- .gitignore | 37 ++++++++++++++++++++++++++++++++++ ansible.cfg | 1 - data/main.tf | 30 +++++++++++++++++++++++++++ inventory/host_vars/max.yml | 2 +- inventory/hosts.yml | 10 ++++----- main.tf | 26 ++++++++++++++++++++++++ max.yml | 25 ++++++++++++++++++++--- roles/common/files/resolv.conf | 5 ----- roles/common/tasks/main.yml | 16 ++++++--------- roles/docker/tasks/main.yml | 2 +- roles/static/vars/main.yml | 2 +- 11 files changed, 128 insertions(+), 28 deletions(-) create mode 100644 data/main.tf create mode 100644 main.tf delete mode 100644 roles/common/files/resolv.conf diff --git a/.gitignore b/.gitignore index b593a85..33b954c 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1 +1,38 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc +.terraform.lock.hcl +*.tfbackend + .vault_password diff --git a/ansible.cfg b/ansible.cfg index b598c64..5f42fc7 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,4 @@ [defaults] -# (pathspec) Colon separated paths in which Ansible will search for Roles. roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles inventory=inventory vault_password_file=util/secret-service-client.sh diff --git a/data/main.tf b/data/main.tf new file mode 100644 index 0000000..1961de5 --- /dev/null +++ b/data/main.tf @@ -0,0 +1,30 @@ +terraform { + backend "pg" { + schema_name = "max-data" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +resource "libvirt_volume" "data" { + name = "max-data" + pool = "data" + size = 1024 * 1024 * 1024 * 65 + + lifecycle { + prevent_destroy = true + } +} + +output "data_disk_id" { + value = libvirt_volume.data.id +} 
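Review bot: `+.terraform.lock.hcl` ignores the dependency lock file, which is the only artifact that records the selected provider versions and their checksums; HashiCorp's guidance is to commit it so `terraform init` on another machine verifies the same `dmacvicar/libvirt` build rather than fetching whatever is newest. Remove that one line and keep ignoring `.terraform/`, the state files and `*.tfvars` as the hunk already does. This matters more here because neither data/main.tf in this hunk nor main.tf later in the commit gives `required_providers.libvirt` a `version` constraint, so without the lock file nothing pins the provider at all.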
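Review bot: `uri = "qemu+ssh://root@atlas.lan/system"` in data/main.tf (repeated in main.tf) drives the hypervisor as root over SSH from wherever Terraform runs; libvirt's `qemu:///system` URI is also reachable for an unprivileged user that is a member of the `libvirt` group via polkit, which would be the least-privilege option — confirm atlas is set up that way before changing it. Independently, `required_providers` declares the `libvirt` source but no `version`, so add a constraint such as `version = "~> <major.minor>"` (placeholder) in both files; otherwise provider upgrades are silent.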
diff --git a/inventory/host_vars/max.yml b/inventory/host_vars/max.yml index 11aa49f..55ff4c3 100644 --- a/inventory/host_vars/max.yml +++ b/inventory/host_vars/max.yml @@ -1,4 +1,4 @@ -base_data_dir: /data +base_data_dir: /mnt/data base_service_dir: /srv # Additional open ports diff --git a/inventory/hosts.yml b/inventory/hosts.yml index b0f8f06..bf163f0 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -1,7 +1,5 @@ all: - children: - homeserver: - hosts: - max: - ansible_user: root - ansible_host: max.dmz + hosts: + max: + ansible_user: root + ansible_host: max.dmz diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..a4f49fb --- /dev/null +++ b/main.tf @@ -0,0 +1,26 @@ +terraform { + backend "pg" { + schema_name = "max" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +module "tf-datatest" { + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" + name = "max" + domain_name = "tf-max" + data_disk = "/kvm/data/max-data" + #ansible_command = "ansible-playbook max.yml" + memory = 1024 * 8 + mac = "CA:FE:C0:FF:EE:03" +} diff --git a/max.yml b/max.yml index bf406dd..eb6771f 100644 --- a/max.yml +++ b/max.yml 
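Review bot: The module `source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"` in main.tf has no `?ref=`, so every `terraform init` follows the head of that repository's default branch and a push there changes this VM's definition without any commit here; pin it with `source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian?ref=<tag-or-commit>"` (placeholder). The commented-out `#ansible_command = "ansible-playbook max.yml"` is dead configuration and deserves either removal or a comment stating why provisioning is run separately.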
@@ -1,13 +1,32 @@ - name: Setup homeserver - hosts: homeserver + hosts: max + gather_facts: no + + pre_tasks: + - name: Wait for host to come up + wait_for: + state: started + port: 22 + host: max.dmz + timeout: 300 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + shell: + cmd: "cloud-init status --wait" + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: + roles: - - {role: 'ssh', tags: 'ssh'} - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} - {role: 'cyberchef', tags: 'cyberchef'} - - {role: 'radicale', tags: 'radicale'} + # - {role: 'radicale', tags: 'radicale'} - {role: 'mastodon', tags: 'mastodon'} - {role: 'seafile', tags: 'seafile'} - {role: 'jitsi', tags: 'jitsi'} diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf deleted file mode 100644 index cf23f28..0000000 --- a/roles/common/files/resolv.conf +++ /dev/null @@ -1,5 +0,0 @@ -nameserver 192.168.30.7 -nameserver 192.168.30.1 -nameserver 1.1.1.1 -nameserver 1.0.0.1 -search lan diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c32e911..b8f79d0 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -9,13 +9,9 @@ file: path: "{{ base_service_dir }}" state: directory -- name: Disable systemd-resolved - systemd: - name: systemd-resolved - enabled: false - state: stopped -- name: Copy resolv.conf - copy: - src: "{{ role_path }}/files/resolv.conf" - dest: /etc/resolv.conf - follow: true +- name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 3acc420..7b7b88b 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
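Review bot: `gather_facts: no` in max.yml uses a YAML 1.1 truthy spelling; write `gather_facts: false`. The `wait_for` task hard-codes `host: max.dmz` although inventory/hosts.yml in this same commit already defines `ansible_host: max.dmz` for the host, so `host: "{{ ansible_host }}"` keeps the two from drifting. `shell:` for `cloud-init status --wait` needs no shell features and ansible-lint flags it as `command-instead-of-shell`, so `command:` is the better fit, and `changed_when: "'..' in cloudinit.stdout"` warrants a comment such as `# cloud-init prints a dot per second while it waits; dots mean we actually waited` since the heuristic is not obvious to a reader.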
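Review bot: `failed_when: "false"` on the `rm /usr/lib/python*/EXTERNALLY-MANAGED` task in roles/common/tasks/main.yml hides every failure, not just the file being absent, and the task removes the PEP 668 marker that stops pip from writing into the distribution-managed Python. If that is intended (presumably so Python dependencies for the Ansible modules can be pip-installed on Debian — confirm), record the reason in a comment above the task and narrow the guard to `failed_when: rm.rc != 0 and 'No such file' not in rm.stderr` so a permission error or a wrong glob still surfaces. The task list continues outside the hunk.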
@@ -12,7 +12,7 @@
 keyring: /etc/apt/keyrings/docker.gpg
 - name: Add Docker repository
 apt_repository:
- repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+ repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
 register: apt_repository
 - name: Update APT cache
 apt:
diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml
index 8838234..912dd02 100644
--- a/roles/static/vars/main.yml
+++ b/roles/static/vars/main.yml
@@ -1,3 +1,3 @@
 service_name: static
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git"
+git_origin: "http://git.pim.kunis.nl/pim/static.git"
From 7c220a5501de082800ae4acce6ced817945d3107 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Apr 2023 11:43:42 +0200 Subject: [PATCH 23/41] fix #2 --- max.yml | 4 +-- roles/radicale/files/radicale.conf | 2 +- roles/radicale/tasks/main.yml | 2 +- .../radicale/templates/docker-compose.yml.j2 | 32 +++++++++++++------ 4 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/max.yml b/max.yml
index eb6771f..a17d2e2 100644
--- a/max.yml
+++ b/max.yml
@@ -26,11 +26,11 @@
 - {role: 'syncthing', tags: 'syncthing'}
 - {role: 'kms', tags: 'kms'}
 - {role: 'cyberchef', tags: 'cyberchef'}
- # - {role: 'radicale', tags: 'radicale'}
+ - {role: 'radicale', tags: 'radicale'}
 - {role: 'mastodon', tags: 'mastodon'}
 - {role: 'seafile', tags: 'seafile'}
 - {role: 'jitsi', tags: 'jitsi'}
- - {role: 'freshrss', tags: 'freshrss'}
+ # - {role: 'freshrss', tags: 'freshrss'}
 - {role: 'static', tags: 'static'}
 - {role: 'inbucket', tags: 'inbucket'}
 - {role: 'prometheus', tags: 'prometheus'}
diff --git a/roles/radicale/files/radicale.conf b/roles/radicale/files/radicale.conf
index 360d314..eb9df16 100644
--- a/roles/radicale/files/radicale.conf
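Review bot: `git_origin` now clones the site content over plain `http://`, so whatever the static role serves can be altered on the path between the host and git.pim.kunis.nl; the replaced value only ever talked to localhost, which is why the scheme did not matter before. The Forgejo host appears to be served over TLS already (the Terraform module source earlier in this series uses `https://git.pim.kunis.nl`), so `git_origin: "https://git.pim.kunis.nl/pim/static.git"` should cost nothing. An HTTP-to-HTTPS redirect at the proxy, if one exists, does not close this: git follows the redirect, but the first request and any injected reply are still plaintext.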
+++ b/roles/radicale/files/radicale.conf @@ -9,7 +9,7 @@ stock = utf-8 [auth] realm = Radicale - Password Required type = htpasswd -htpasswd_filename = /radicale/users +htpasswd_filename = /config/users htpasswd_encryption = md5 [rights] diff --git a/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml index 48afa89..5ac19d6 100644 --- a/roles/radicale/tasks/main.yml +++ b/roles/radicale/tasks/main.yml @@ -13,7 +13,7 @@ - name: Copy radicale.conf copy: src: "{{ role_path }}/files/radicale.conf" - dest: "{{ service_dir }}/config/radicale.conf" + dest: "{{ service_dir }}/config/config" - name: Copy users file copy: src: "{{ role_path }}/files/users" diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2 index e8a51fd..70e0b29 100644 --- a/roles/radicale/templates/docker-compose.yml.j2 +++ b/roles/radicale/templates/docker-compose.yml.j2 @@ -1,18 +1,28 @@ -version: '3' - -networks: - traefik: - external: true +version: '3.7' services: radicale: - restart: always - image: mailu/radicale:1.9 + image: tomsquest/docker-radicale container_name: radicale + init: true + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + cap_add: + - SETUID + - SETGID + - CHOWN + - KILL + healthcheck: + test: curl -f http://127.0.0.1:5232 || exit 1 + interval: 30s + retries: 3 + restart: unless-stopped volumes: - {{ data_dir }}:/data - - {{ service_dir }}/config:/radicale - command: radicale -S -C /radicale/radicale.conf + - {{ service_dir }}/config:/config:ro networks: - traefik labels: @@ -23,3 +33,7 @@ services: - traefik.http.routers.radicale.tls.certresolver=letsencrypt - traefik.http.routers.radicale.service=radicale - traefik.http.services.radicale.loadbalancer.server.port=5232 + +networks: + traefik: + external: true From f8bd4224517aed6385a24b0d1ff1fe5ca929dfdd Mon Sep 17 00:00:00 2001 
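Review bot: The context line directly under the changed path still reads `htpasswd_encryption = md5`, so the users file the role ships stays in the weak apr1-md5 scheme even though it is being relocated to `/config/users`; Radicale's htpasswd backend also accepts `bcrypt` (hashes made with `htpasswd -B`) provided the bcrypt Python package is present in the image, and since the file has to be regenerated for the new location anyway this is the moment to switch: `htpasswd_encryption = bcrypt`. The tasks hunk below shows the file comes from `roles/radicale/files/users`, i.e. the credential hashes are committed to the repository; keeping that file vaulted or out of VCS would be the matching follow-up.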
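Review bot: `image: tomsquest/docker-radicale` in the radicale service has no tag or digest, whereas the line it replaces pinned `mailu/radicale:1.9`; with watchtower in this play's role list that resolves to `latest` and is re-pulled on every upstream push, so the container can change underneath the `read_only`/`cap_drop`/`no-new-privileges` hardening added in the same hunk. Pin it: `image: tomsquest/docker-radicale:<version>` (or `@sha256:<digest>`). Separately, `read_only: true` is set without any `tmpfs:`, so any path Radicale writes outside `/data` will fail at runtime — presumably fine for this image, but worth confirming against the new healthcheck on first deploy.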
From: Pim Kunis Date: Thu, 13 Apr 2023 13:00:19 +0200 Subject: [PATCH 24/41] fix freshrss data location (#3) --- max.yml | 2 +- roles/freshrss/templates/docker-compose.yml.j2 | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/max.yml b/max.yml
index a17d2e2..aeefb99 100644
--- a/max.yml
+++ b/max.yml
@@ -30,7 +30,7 @@
 - {role: 'mastodon', tags: 'mastodon'}
 - {role: 'seafile', tags: 'seafile'}
 - {role: 'jitsi', tags: 'jitsi'}
- # - {role: 'freshrss', tags: 'freshrss'}
+ - {role: 'freshrss', tags: 'freshrss'}
 - {role: 'static', tags: 'static'}
 - {role: 'inbucket', tags: 'inbucket'}
 - {role: 'prometheus', tags: 'prometheus'}
diff --git a/roles/freshrss/templates/docker-compose.yml.j2 b/roles/freshrss/templates/docker-compose.yml.j2
index 8876319..5c15b8f 100644
--- a/roles/freshrss/templates/docker-compose.yml.j2
+++ b/roles/freshrss/templates/docker-compose.yml.j2
@@ -11,10 +11,8 @@ services:
 options:
 max-size: 10m
 volumes:
- # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases
- - /data/freshrss/data:/var/www/FreshRSS/data
- # Optional volume for storing third-party extensions
- - /data/freshrss/extensions:/var/www/FreshRSS/extensions
+ - {{ data_dir }}/data:/var/www/FreshRSS/data
+ - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions
 environment:
 TZ: Europe/Amsterdam
 CRON_MIN: '2,32'
From b89713643d28601e93e15ae3f4ca462f3ddbc47c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Apr 2023 17:21:48 +0200 Subject: [PATCH 25/41] fix unable to scope ansible to tags fixes #4 --- main.tf | 1 - max.yml | 33 ++++++++++++++++++--------------- 2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/main.tf b/main.tf
index a4f49fb..c8b495b 100644
--- a/main.tf
+++ b/main.tf
@@ -20,7 +20,6 @@ module "tf-datatest" {
 name = "max"
 domain_name = "tf-max"
 data_disk = "/kvm/data/max-data"
- #ansible_command = "ansible-playbook max.yml"
 memory = 1024 * 8
 mac = "CA:FE:C0:FF:EE:03"
 }
diff --git a/max.yml b/max.yml index aeefb99..cc056f1 100644 --- a/max.yml +++ b/max.yml @@ -4,21 +4,24 @@ pre_tasks: - name: Wait for host to come up - wait_for: - state: started - port: 22 - host: max.dmz - timeout: 300 - connect_timeout: 300 - search_regex: OpenSSH - delegate_to: localhost - - name: Wait for cloud-init to finish - shell: - cmd: "cloud-init status --wait" - register: cloudinit - changed_when: "'..' in cloudinit.stdout" - - name: Gather facts - setup: + tags: always + block: + - name: Wait for SSH connection + wait_for: + state: started + port: 22 + host: max.dmz + timeout: 300 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + shell: + cmd: "cloud-init status --wait" + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: roles: - {role: 'watchtower', tags: 'watchtower'} From 9eb52229f1c8e0e55de9f5876d0ec7ccf1463262 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Thu, 13 Apr 2023 17:24:01 +0200 Subject: [PATCH 26/41] change directory structure --- ansible.cfg => ansible/ansible.cfg | 0 {inventory => ansible/inventory}/host_vars/max.yml | 0 {inventory => ansible/inventory}/hosts.yml | 0 max.yml => ansible/max.yml | 0 {roles => ansible/roles}/common/tasks/main.yml | 0 {roles => ansible/roles}/cyberchef/files/docker-compose.yml | 0 {roles => ansible/roles}/cyberchef/meta/main.yml | 0 {roles => ansible/roles}/cyberchef/tasks/main.yml | 0 {roles => ansible/roles}/cyberchef/vars/main.yml | 0 {roles => ansible/roles}/docker/files/daemon.json | 0 {roles => ansible/roles}/docker/tasks/main.yml | 0 {roles => ansible/roles}/firewall/tasks/main.yml | 0 {roles => ansible/roles}/forgejo/meta/main.yml | 0 {roles => ansible/roles}/forgejo/tasks/main.yml | 0 {roles => ansible/roles}/forgejo/templates/app.ini.j2 | 0 {roles => ansible/roles}/forgejo/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/forgejo/vars/main.yml | 0 {roles => ansible/roles}/freshrss/meta/main.yml | 0 {roles => ansible/roles}/freshrss/tasks/main.yml | 0 {roles => ansible/roles}/freshrss/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/freshrss/vars/main.yml | 0 {roles => ansible/roles}/inbucket/files/docker-compose.yml | 0 {roles => ansible/roles}/inbucket/meta/main.yml | 0 {roles => ansible/roles}/inbucket/tasks/main.yml | 0 {roles => ansible/roles}/inbucket/vars/main.yml | 0 {roles => ansible/roles}/jitsi/meta/main.yml | 0 {roles => ansible/roles}/jitsi/tasks/main.yml | 0 {roles => ansible/roles}/jitsi/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/jitsi/vars/main.yml | 0 {roles => ansible/roles}/kms/files/docker-compose.yml | 0 {roles => ansible/roles}/kms/meta/main.yml | 0 {roles => ansible/roles}/kms/tasks/main.yml | 0 {roles => ansible/roles}/kms/vars/main.yml | 0 {roles => ansible/roles}/mastodon/files/.env.production | 0 {roles => ansible/roles}/mastodon/meta/main.yml | 0 {roles => 
ansible/roles}/mastodon/tasks/main.yml | 0 {roles => ansible/roles}/mastodon/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/mastodon/vars/main.yml | 0 {roles => ansible/roles}/prometheus/meta/main.yml | 0 {roles => ansible/roles}/prometheus/tasks/main.yml | 0 .../roles}/prometheus/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/prometheus/templates/prometheus.yml.j2 | 0 {roles => ansible/roles}/prometheus/vars/main.yml | 0 {roles => ansible/roles}/radicale/files/radicale.conf | 0 {roles => ansible/roles}/radicale/files/users | 0 {roles => ansible/roles}/radicale/meta/main.yml | 0 {roles => ansible/roles}/radicale/tasks/main.yml | 0 {roles => ansible/roles}/radicale/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/radicale/vars/main.yml | 0 {roles => ansible/roles}/seafile/meta/main.yml | 0 {roles => ansible/roles}/seafile/tasks/main.yml | 0 {roles => ansible/roles}/seafile/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/seafile/vars/main.yml | 0 {roles => ansible/roles}/ssh/files/ssh_config | 0 {roles => ansible/roles}/ssh/files/sshd_config | 0 {roles => ansible/roles}/ssh/meta/main.yml | 0 {roles => ansible/roles}/ssh/tasks/main.yml | 0 {roles => ansible/roles}/static/files/security.txt | 0 {roles => ansible/roles}/static/meta/main.yml | 0 {roles => ansible/roles}/static/tasks/main.yml | 0 {roles => ansible/roles}/static/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/static/templates/nginx.conf.j2 | 0 {roles => ansible/roles}/static/vars/main.yml | 0 {roles => ansible/roles}/syncthing/files/cert.pem | 0 {roles => ansible/roles}/syncthing/files/key.pem | 0 {roles => ansible/roles}/syncthing/meta/main.yml | 0 {roles => ansible/roles}/syncthing/tasks/main.yml | 0 {roles => ansible/roles}/syncthing/templates/config.xml.j2 | 0 .../roles}/syncthing/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/syncthing/vars/main.yml | 0 {roles => ansible/roles}/traefik/files/services.toml | 0 {roles => 
ansible/roles}/traefik/meta/main.yml | 0 {roles => ansible/roles}/traefik/tasks/main.yml | 0 {roles => ansible/roles}/traefik/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/traefik/templates/traefik.toml.j2 | 0 {roles => ansible/roles}/traefik/vars/main.yml | 0 {roles => ansible/roles}/watchtower/files/docker-compose.yml | 0 {roles => ansible/roles}/watchtower/meta/main.yml | 0 {roles => ansible/roles}/watchtower/tasks/main.yml | 0 {roles => ansible/roles}/watchtower/vars/main.yml | 0 {util => ansible/util}/secret-service-client.sh | 0 {data => terraform/data}/main.tf | 0 main.tf => terraform/main.tf | 0 83 files changed, 0 insertions(+), 0 deletions(-) rename ansible.cfg => ansible/ansible.cfg (100%) rename {inventory => ansible/inventory}/host_vars/max.yml (100%) rename {inventory => ansible/inventory}/hosts.yml (100%) rename max.yml => ansible/max.yml (100%) rename {roles => ansible/roles}/common/tasks/main.yml (100%) rename {roles => ansible/roles}/cyberchef/files/docker-compose.yml (100%) rename {roles => ansible/roles}/cyberchef/meta/main.yml (100%) rename {roles => ansible/roles}/cyberchef/tasks/main.yml (100%) rename {roles => ansible/roles}/cyberchef/vars/main.yml (100%) rename {roles => ansible/roles}/docker/files/daemon.json (100%) rename {roles => ansible/roles}/docker/tasks/main.yml (100%) rename {roles => ansible/roles}/firewall/tasks/main.yml (100%) rename {roles => ansible/roles}/forgejo/meta/main.yml (100%) rename {roles => ansible/roles}/forgejo/tasks/main.yml (100%) rename {roles => ansible/roles}/forgejo/templates/app.ini.j2 (100%) rename {roles => ansible/roles}/forgejo/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/forgejo/vars/main.yml (100%) rename {roles => ansible/roles}/freshrss/meta/main.yml (100%) rename {roles => ansible/roles}/freshrss/tasks/main.yml (100%) rename {roles => ansible/roles}/freshrss/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/freshrss/vars/main.yml (100%) 
rename {roles => ansible/roles}/inbucket/files/docker-compose.yml (100%) rename {roles => ansible/roles}/inbucket/meta/main.yml (100%) rename {roles => ansible/roles}/inbucket/tasks/main.yml (100%) rename {roles => ansible/roles}/inbucket/vars/main.yml (100%) rename {roles => ansible/roles}/jitsi/meta/main.yml (100%) rename {roles => ansible/roles}/jitsi/tasks/main.yml (100%) rename {roles => ansible/roles}/jitsi/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/jitsi/vars/main.yml (100%) rename {roles => ansible/roles}/kms/files/docker-compose.yml (100%) rename {roles => ansible/roles}/kms/meta/main.yml (100%) rename {roles => ansible/roles}/kms/tasks/main.yml (100%) rename {roles => ansible/roles}/kms/vars/main.yml (100%) rename {roles => ansible/roles}/mastodon/files/.env.production (100%) rename {roles => ansible/roles}/mastodon/meta/main.yml (100%) rename {roles => ansible/roles}/mastodon/tasks/main.yml (100%) rename {roles => ansible/roles}/mastodon/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/mastodon/vars/main.yml (100%) rename {roles => ansible/roles}/prometheus/meta/main.yml (100%) rename {roles => ansible/roles}/prometheus/tasks/main.yml (100%) rename {roles => ansible/roles}/prometheus/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/prometheus/templates/prometheus.yml.j2 (100%) rename {roles => ansible/roles}/prometheus/vars/main.yml (100%) rename {roles => ansible/roles}/radicale/files/radicale.conf (100%) rename {roles => ansible/roles}/radicale/files/users (100%) rename {roles => ansible/roles}/radicale/meta/main.yml (100%) rename {roles => ansible/roles}/radicale/tasks/main.yml (100%) rename {roles => ansible/roles}/radicale/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/radicale/vars/main.yml (100%) rename {roles => ansible/roles}/seafile/meta/main.yml (100%) rename {roles => ansible/roles}/seafile/tasks/main.yml (100%) rename {roles => 
ansible/roles}/seafile/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/seafile/vars/main.yml (100%) rename {roles => ansible/roles}/ssh/files/ssh_config (100%) rename {roles => ansible/roles}/ssh/files/sshd_config (100%) rename {roles => ansible/roles}/ssh/meta/main.yml (100%) rename {roles => ansible/roles}/ssh/tasks/main.yml (100%) rename {roles => ansible/roles}/static/files/security.txt (100%) rename {roles => ansible/roles}/static/meta/main.yml (100%) rename {roles => ansible/roles}/static/tasks/main.yml (100%) rename {roles => ansible/roles}/static/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/static/templates/nginx.conf.j2 (100%) rename {roles => ansible/roles}/static/vars/main.yml (100%) rename {roles => ansible/roles}/syncthing/files/cert.pem (100%) rename {roles => ansible/roles}/syncthing/files/key.pem (100%) rename {roles => ansible/roles}/syncthing/meta/main.yml (100%) rename {roles => ansible/roles}/syncthing/tasks/main.yml (100%) rename {roles => ansible/roles}/syncthing/templates/config.xml.j2 (100%) rename {roles => ansible/roles}/syncthing/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/syncthing/vars/main.yml (100%) rename {roles => ansible/roles}/traefik/files/services.toml (100%) rename {roles => ansible/roles}/traefik/meta/main.yml (100%) rename {roles => ansible/roles}/traefik/tasks/main.yml (100%) rename {roles => ansible/roles}/traefik/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/traefik/templates/traefik.toml.j2 (100%) rename {roles => ansible/roles}/traefik/vars/main.yml (100%) rename {roles => ansible/roles}/watchtower/files/docker-compose.yml (100%) rename {roles => ansible/roles}/watchtower/meta/main.yml (100%) rename {roles => ansible/roles}/watchtower/tasks/main.yml (100%) rename {roles => ansible/roles}/watchtower/vars/main.yml (100%) rename {util => ansible/util}/secret-service-client.sh (100%) rename {data => terraform/data}/main.tf 
(100%) rename main.tf => terraform/main.tf (100%) diff --git a/ansible.cfg b/ansible/ansible.cfg similarity index 100% rename from ansible.cfg rename to ansible/ansible.cfg diff --git a/inventory/host_vars/max.yml b/ansible/inventory/host_vars/max.yml similarity index 100% rename from inventory/host_vars/max.yml rename to ansible/inventory/host_vars/max.yml diff --git a/inventory/hosts.yml b/ansible/inventory/hosts.yml similarity index 100% rename from inventory/hosts.yml rename to ansible/inventory/hosts.yml diff --git a/max.yml b/ansible/max.yml similarity index 100% rename from max.yml rename to ansible/max.yml diff --git a/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml similarity index 100% rename from roles/common/tasks/main.yml rename to ansible/roles/common/tasks/main.yml diff --git a/roles/cyberchef/files/docker-compose.yml b/ansible/roles/cyberchef/files/docker-compose.yml similarity index 100% rename from roles/cyberchef/files/docker-compose.yml rename to ansible/roles/cyberchef/files/docker-compose.yml diff --git a/roles/cyberchef/meta/main.yml b/ansible/roles/cyberchef/meta/main.yml similarity index 100% rename from roles/cyberchef/meta/main.yml rename to ansible/roles/cyberchef/meta/main.yml diff --git a/roles/cyberchef/tasks/main.yml b/ansible/roles/cyberchef/tasks/main.yml similarity index 100% rename from roles/cyberchef/tasks/main.yml rename to ansible/roles/cyberchef/tasks/main.yml diff --git a/roles/cyberchef/vars/main.yml b/ansible/roles/cyberchef/vars/main.yml similarity index 100% rename from roles/cyberchef/vars/main.yml rename to ansible/roles/cyberchef/vars/main.yml diff --git a/roles/docker/files/daemon.json b/ansible/roles/docker/files/daemon.json similarity index 100% rename from roles/docker/files/daemon.json rename to ansible/roles/docker/files/daemon.json 
diff --git a/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml similarity index 100% rename from roles/docker/tasks/main.yml rename to ansible/roles/docker/tasks/main.yml diff --git a/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml similarity index 100% rename from roles/firewall/tasks/main.yml rename to ansible/roles/firewall/tasks/main.yml diff --git a/roles/forgejo/meta/main.yml b/ansible/roles/forgejo/meta/main.yml similarity index 100% rename from roles/forgejo/meta/main.yml rename to ansible/roles/forgejo/meta/main.yml diff --git a/roles/forgejo/tasks/main.yml b/ansible/roles/forgejo/tasks/main.yml similarity index 100% rename from roles/forgejo/tasks/main.yml rename to ansible/roles/forgejo/tasks/main.yml diff --git a/roles/forgejo/templates/app.ini.j2 b/ansible/roles/forgejo/templates/app.ini.j2 similarity index 100% rename from roles/forgejo/templates/app.ini.j2 rename to ansible/roles/forgejo/templates/app.ini.j2 diff --git a/roles/forgejo/templates/docker-compose.yml.j2 b/ansible/roles/forgejo/templates/docker-compose.yml.j2 similarity index 100% rename from roles/forgejo/templates/docker-compose.yml.j2 rename to ansible/roles/forgejo/templates/docker-compose.yml.j2 diff --git a/roles/forgejo/vars/main.yml b/ansible/roles/forgejo/vars/main.yml similarity index 100% rename from roles/forgejo/vars/main.yml rename to ansible/roles/forgejo/vars/main.yml diff --git a/roles/freshrss/meta/main.yml b/ansible/roles/freshrss/meta/main.yml similarity index 100% rename from roles/freshrss/meta/main.yml rename to ansible/roles/freshrss/meta/main.yml diff --git a/roles/freshrss/tasks/main.yml b/ansible/roles/freshrss/tasks/main.yml similarity index 100% rename from roles/freshrss/tasks/main.yml rename to ansible/roles/freshrss/tasks/main.yml 
diff --git a/roles/freshrss/templates/docker-compose.yml.j2 b/ansible/roles/freshrss/templates/docker-compose.yml.j2 similarity index 100% rename from roles/freshrss/templates/docker-compose.yml.j2 rename to ansible/roles/freshrss/templates/docker-compose.yml.j2 diff --git a/roles/freshrss/vars/main.yml b/ansible/roles/freshrss/vars/main.yml similarity index 100% rename from roles/freshrss/vars/main.yml rename to ansible/roles/freshrss/vars/main.yml diff --git a/roles/inbucket/files/docker-compose.yml b/ansible/roles/inbucket/files/docker-compose.yml similarity index 100% rename from roles/inbucket/files/docker-compose.yml rename to ansible/roles/inbucket/files/docker-compose.yml diff --git a/roles/inbucket/meta/main.yml b/ansible/roles/inbucket/meta/main.yml similarity index 100% rename from roles/inbucket/meta/main.yml rename to ansible/roles/inbucket/meta/main.yml diff --git a/roles/inbucket/tasks/main.yml b/ansible/roles/inbucket/tasks/main.yml similarity index 100% rename from roles/inbucket/tasks/main.yml rename to ansible/roles/inbucket/tasks/main.yml diff --git a/roles/inbucket/vars/main.yml b/ansible/roles/inbucket/vars/main.yml similarity index 100% rename from roles/inbucket/vars/main.yml rename to ansible/roles/inbucket/vars/main.yml diff --git a/roles/jitsi/meta/main.yml b/ansible/roles/jitsi/meta/main.yml similarity index 100% rename from roles/jitsi/meta/main.yml rename to ansible/roles/jitsi/meta/main.yml diff --git a/roles/jitsi/tasks/main.yml b/ansible/roles/jitsi/tasks/main.yml similarity index 100% rename from roles/jitsi/tasks/main.yml rename to ansible/roles/jitsi/tasks/main.yml diff --git a/roles/jitsi/templates/docker-compose.yml.j2 b/ansible/roles/jitsi/templates/docker-compose.yml.j2 similarity index 100% rename from roles/jitsi/templates/docker-compose.yml.j2 rename to ansible/roles/jitsi/templates/docker-compose.yml.j2 
diff --git a/roles/jitsi/vars/main.yml b/ansible/roles/jitsi/vars/main.yml similarity index 100% rename from roles/jitsi/vars/main.yml rename to ansible/roles/jitsi/vars/main.yml diff --git a/roles/kms/files/docker-compose.yml b/ansible/roles/kms/files/docker-compose.yml similarity index 100% rename from roles/kms/files/docker-compose.yml rename to ansible/roles/kms/files/docker-compose.yml diff --git a/roles/kms/meta/main.yml b/ansible/roles/kms/meta/main.yml similarity index 100% rename from roles/kms/meta/main.yml rename to ansible/roles/kms/meta/main.yml diff --git a/roles/kms/tasks/main.yml b/ansible/roles/kms/tasks/main.yml similarity index 100% rename from roles/kms/tasks/main.yml rename to ansible/roles/kms/tasks/main.yml diff --git a/roles/kms/vars/main.yml b/ansible/roles/kms/vars/main.yml similarity index 100% rename from roles/kms/vars/main.yml rename to ansible/roles/kms/vars/main.yml diff --git a/roles/mastodon/files/.env.production b/ansible/roles/mastodon/files/.env.production similarity index 100% rename from roles/mastodon/files/.env.production rename to ansible/roles/mastodon/files/.env.production diff --git a/roles/mastodon/meta/main.yml b/ansible/roles/mastodon/meta/main.yml similarity index 100% rename from roles/mastodon/meta/main.yml rename to ansible/roles/mastodon/meta/main.yml diff --git a/roles/mastodon/tasks/main.yml b/ansible/roles/mastodon/tasks/main.yml similarity index 100% rename from roles/mastodon/tasks/main.yml rename to ansible/roles/mastodon/tasks/main.yml diff --git a/roles/mastodon/templates/docker-compose.yml.j2 b/ansible/roles/mastodon/templates/docker-compose.yml.j2 similarity index 100% rename from roles/mastodon/templates/docker-compose.yml.j2 rename to ansible/roles/mastodon/templates/docker-compose.yml.j2 diff --git a/roles/mastodon/vars/main.yml b/ansible/roles/mastodon/vars/main.yml similarity index 100% rename from roles/mastodon/vars/main.yml rename to ansible/roles/mastodon/vars/main.yml 
diff --git a/roles/prometheus/meta/main.yml b/ansible/roles/prometheus/meta/main.yml similarity index 100% rename from roles/prometheus/meta/main.yml rename to ansible/roles/prometheus/meta/main.yml diff --git a/roles/prometheus/tasks/main.yml b/ansible/roles/prometheus/tasks/main.yml similarity index 100% rename from roles/prometheus/tasks/main.yml rename to ansible/roles/prometheus/tasks/main.yml diff --git a/roles/prometheus/templates/docker-compose.yml.j2 b/ansible/roles/prometheus/templates/docker-compose.yml.j2 similarity index 100% rename from roles/prometheus/templates/docker-compose.yml.j2 rename to ansible/roles/prometheus/templates/docker-compose.yml.j2 diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/ansible/roles/prometheus/templates/prometheus.yml.j2 similarity index 100% rename from roles/prometheus/templates/prometheus.yml.j2 rename to ansible/roles/prometheus/templates/prometheus.yml.j2 diff --git a/roles/prometheus/vars/main.yml b/ansible/roles/prometheus/vars/main.yml similarity index 100% rename from roles/prometheus/vars/main.yml rename to ansible/roles/prometheus/vars/main.yml diff --git a/roles/radicale/files/radicale.conf b/ansible/roles/radicale/files/radicale.conf similarity index 100% rename from roles/radicale/files/radicale.conf rename to ansible/roles/radicale/files/radicale.conf diff --git a/roles/radicale/files/users b/ansible/roles/radicale/files/users similarity index 100% rename from roles/radicale/files/users rename to ansible/roles/radicale/files/users diff --git a/roles/radicale/meta/main.yml b/ansible/roles/radicale/meta/main.yml similarity index 100% rename from roles/radicale/meta/main.yml rename to ansible/roles/radicale/meta/main.yml diff --git a/roles/radicale/tasks/main.yml b/ansible/roles/radicale/tasks/main.yml similarity index 100% rename from roles/radicale/tasks/main.yml rename to ansible/roles/radicale/tasks/main.yml 
diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/ansible/roles/radicale/templates/docker-compose.yml.j2 similarity index 100% rename from roles/radicale/templates/docker-compose.yml.j2 rename to ansible/roles/radicale/templates/docker-compose.yml.j2 diff --git a/roles/radicale/vars/main.yml b/ansible/roles/radicale/vars/main.yml similarity index 100% rename from roles/radicale/vars/main.yml rename to ansible/roles/radicale/vars/main.yml diff --git a/roles/seafile/meta/main.yml b/ansible/roles/seafile/meta/main.yml similarity index 100% rename from roles/seafile/meta/main.yml rename to ansible/roles/seafile/meta/main.yml diff --git a/roles/seafile/tasks/main.yml b/ansible/roles/seafile/tasks/main.yml similarity index 100% rename from roles/seafile/tasks/main.yml rename to ansible/roles/seafile/tasks/main.yml diff --git a/roles/seafile/templates/docker-compose.yml.j2 b/ansible/roles/seafile/templates/docker-compose.yml.j2 similarity index 100% rename from roles/seafile/templates/docker-compose.yml.j2 rename to ansible/roles/seafile/templates/docker-compose.yml.j2 diff --git a/roles/seafile/vars/main.yml b/ansible/roles/seafile/vars/main.yml similarity index 100% rename from roles/seafile/vars/main.yml rename to ansible/roles/seafile/vars/main.yml diff --git a/roles/ssh/files/ssh_config b/ansible/roles/ssh/files/ssh_config similarity index 100% rename from roles/ssh/files/ssh_config rename to ansible/roles/ssh/files/ssh_config diff --git a/roles/ssh/files/sshd_config b/ansible/roles/ssh/files/sshd_config similarity index 100% rename from roles/ssh/files/sshd_config rename to ansible/roles/ssh/files/sshd_config diff --git a/roles/ssh/meta/main.yml b/ansible/roles/ssh/meta/main.yml similarity index 100% rename from roles/ssh/meta/main.yml rename to ansible/roles/ssh/meta/main.yml diff --git a/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml similarity index 100% rename from roles/ssh/tasks/main.yml rename to ansible/roles/ssh/tasks/main.yml 
diff --git a/roles/static/files/security.txt b/ansible/roles/static/files/security.txt similarity index 100% rename from roles/static/files/security.txt rename to ansible/roles/static/files/security.txt diff --git a/roles/static/meta/main.yml b/ansible/roles/static/meta/main.yml similarity index 100% rename from roles/static/meta/main.yml rename to ansible/roles/static/meta/main.yml diff --git a/roles/static/tasks/main.yml b/ansible/roles/static/tasks/main.yml similarity index 100% rename from roles/static/tasks/main.yml rename to ansible/roles/static/tasks/main.yml diff --git a/roles/static/templates/docker-compose.yml.j2 b/ansible/roles/static/templates/docker-compose.yml.j2 similarity index 100% rename from roles/static/templates/docker-compose.yml.j2 rename to ansible/roles/static/templates/docker-compose.yml.j2 diff --git a/roles/static/templates/nginx.conf.j2 b/ansible/roles/static/templates/nginx.conf.j2 similarity index 100% rename from roles/static/templates/nginx.conf.j2 rename to ansible/roles/static/templates/nginx.conf.j2 diff --git a/roles/static/vars/main.yml b/ansible/roles/static/vars/main.yml similarity index 100% rename from roles/static/vars/main.yml rename to ansible/roles/static/vars/main.yml diff --git a/roles/syncthing/files/cert.pem b/ansible/roles/syncthing/files/cert.pem similarity index 100% rename from roles/syncthing/files/cert.pem rename to ansible/roles/syncthing/files/cert.pem diff --git a/roles/syncthing/files/key.pem b/ansible/roles/syncthing/files/key.pem similarity index 100% rename from roles/syncthing/files/key.pem rename to ansible/roles/syncthing/files/key.pem diff --git a/roles/syncthing/meta/main.yml b/ansible/roles/syncthing/meta/main.yml similarity index 100% rename from roles/syncthing/meta/main.yml rename to ansible/roles/syncthing/meta/main.yml 
diff --git a/roles/syncthing/tasks/main.yml b/ansible/roles/syncthing/tasks/main.yml similarity index 100% rename from roles/syncthing/tasks/main.yml rename to ansible/roles/syncthing/tasks/main.yml diff --git a/roles/syncthing/templates/config.xml.j2 b/ansible/roles/syncthing/templates/config.xml.j2 similarity index 100% rename from roles/syncthing/templates/config.xml.j2 rename to ansible/roles/syncthing/templates/config.xml.j2 diff --git a/roles/syncthing/templates/docker-compose.yml.j2 b/ansible/roles/syncthing/templates/docker-compose.yml.j2 similarity index 100% rename from roles/syncthing/templates/docker-compose.yml.j2 rename to ansible/roles/syncthing/templates/docker-compose.yml.j2 diff --git a/roles/syncthing/vars/main.yml b/ansible/roles/syncthing/vars/main.yml similarity index 100% rename from roles/syncthing/vars/main.yml rename to ansible/roles/syncthing/vars/main.yml diff --git a/roles/traefik/files/services.toml b/ansible/roles/traefik/files/services.toml similarity index 100% rename from roles/traefik/files/services.toml rename to ansible/roles/traefik/files/services.toml diff --git a/roles/traefik/meta/main.yml b/ansible/roles/traefik/meta/main.yml similarity index 100% rename from roles/traefik/meta/main.yml rename to ansible/roles/traefik/meta/main.yml diff --git a/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml similarity index 100% rename from roles/traefik/tasks/main.yml rename to ansible/roles/traefik/tasks/main.yml diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/ansible/roles/traefik/templates/docker-compose.yml.j2 similarity index 100% rename from roles/traefik/templates/docker-compose.yml.j2 rename to ansible/roles/traefik/templates/docker-compose.yml.j2 diff --git a/roles/traefik/templates/traefik.toml.j2 b/ansible/roles/traefik/templates/traefik.toml.j2 similarity index 100% rename from roles/traefik/templates/traefik.toml.j2 rename to ansible/roles/traefik/templates/traefik.toml.j2 
diff --git a/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml similarity index 100% rename from roles/traefik/vars/main.yml rename to ansible/roles/traefik/vars/main.yml diff --git a/roles/watchtower/files/docker-compose.yml b/ansible/roles/watchtower/files/docker-compose.yml similarity index 100% rename from roles/watchtower/files/docker-compose.yml rename to ansible/roles/watchtower/files/docker-compose.yml diff --git a/roles/watchtower/meta/main.yml b/ansible/roles/watchtower/meta/main.yml similarity index 100% rename from roles/watchtower/meta/main.yml rename to ansible/roles/watchtower/meta/main.yml diff --git a/roles/watchtower/tasks/main.yml b/ansible/roles/watchtower/tasks/main.yml similarity index 100% rename from roles/watchtower/tasks/main.yml rename to ansible/roles/watchtower/tasks/main.yml diff --git a/roles/watchtower/vars/main.yml b/ansible/roles/watchtower/vars/main.yml similarity index 100% rename from roles/watchtower/vars/main.yml rename to ansible/roles/watchtower/vars/main.yml diff --git a/util/secret-service-client.sh b/ansible/util/secret-service-client.sh similarity index 100% rename from util/secret-service-client.sh rename to ansible/util/secret-service-client.sh diff --git a/data/main.tf b/terraform/data/main.tf similarity index 100% rename from data/main.tf rename to terraform/data/main.tf diff --git a/main.tf b/terraform/main.tf similarity index 100% rename from main.tf rename to terraform/main.tf From 723bc7ed33f43fa2b6b34a6ec54005132d427742 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Apr 2023 17:45:11 +0200 Subject: [PATCH 27/41] update README.md --- README.md | 56 ++++--------------------------------------------------- 1 file changed, 4 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 48ba78e..b28be77 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,10 @@ # Max -This repository contains Ansible scripts to setup our main home server `max`. -The `common` role executes some common OS tasks. -The `docker` role installs Docker. -The other roles are specifically for the various services we run. +Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible. ## Running services -All services below are running under Docker, except NSD and Borg. +All services below are implemented using Docker: - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/) - Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl)) 
@@ -17,53 +14,8 @@ All services below are running under Docker, except NSD and Borg. - Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl)) - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) -- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) -- Cyberchef (https://cyberchef.geokunis2.nl) +- Disposable mail server using [Inbucket](https://inbucket.org) +- Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl) - Jitsi Meet (https://meet.jit.si) - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) - -## Virtualization - -Currently this repository is ran as a physical server, but we intend to virtualize it. -First, the whole server should be virtualized on a single virtual machine. -After that, it will be split up into several virtual machines. -The services on each virtual machine should have similar services/security properties. - -Provisional split of services on virtual machines: -- "public web" VM: Mastodon, static HTML server, cyberchef, jitsi meet, inbucket -- "data" VM: seafile, radicale, syncthing, freshrss -- "management" VM: reverse proxy, prometheus, kms -- "git" VM: forgejo. Because forgejo is a somewhat single point of failure, it should have its own VM. - -## Possible future services - -- matrix -- peertube? -- Pixelfed? -- Prometheus -- Concourse CI? - -## TODO - -- Clear view of what services + which versions we are running. This way, we can track security updates better. -- Host tobb website? -- Move from Ubuntu to Debian -- move Mastodon to pim.kunis.nl -- Podman -- Replace watchtower with Podman features - -### NSD - -#### ZSK Rollover - -Could make automatic key rollovers with cron or some other tool. - -#### Idempotency - -Currently I always resign zones. 
-But for idempotency I should probably only do it if the zone has changed or the keys have changed. - -### Firewall - -A little more difficult because of docker networking but probably doable. From b8adaee9d46582d7ce57b92451ffb3f0c4f1bdbe Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 14 Apr 2023 09:38:34 +0200 Subject: [PATCH 28/41] use cloudinit-wait role from git --- ansible/max.yml | 27 +++++---------------------- ansible/requirements.yml | 3 +++ 2 files changed, 8 insertions(+), 22 deletions(-) create mode 100644 ansible/requirements.yml diff --git a/ansible/max.yml b/ansible/max.yml index cc056f1..2d677ff 100644 --- a/ansible/max.yml +++ b/ansible/max.yml @@ -1,28 +1,11 @@ -- name: Setup homeserver +- name: Wait for servers to come up hosts: max gather_facts: no + roles: + - 'cloudinit-wait' - pre_tasks: - - name: Wait for host to come up - tags: always - block: - - name: Wait for SSH connection - wait_for: - state: started - port: 22 - host: max.dmz - timeout: 300 - connect_timeout: 300 - search_regex: OpenSSH - delegate_to: localhost - - name: Wait for cloud-init to finish - shell: - cmd: "cloud-init status --wait" - register: cloudinit - changed_when: "'..' in cloudinit.stdout" - - name: Gather facts - setup: - +- name: Start services + hosts: max roles: - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} diff --git a/ansible/requirements.yml b/ansible/requirements.yml new file mode 100644 index 0000000..5530c9f --- /dev/null +++ b/ansible/requirements.yml @@ -0,0 +1,3 @@ +- name: cloudinit-wait + src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait + scm: git From cd224321df7d01357bc3e3f72a9542ad1bcbef6e Mon Sep 17 00:00:00 2001 
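Review bot: The new `cloudinit-wait` entry fetches a role from a git remote with no `version:`, so every `ansible-galaxy install -r requirements.yml` tracks that remote's default branch and the role's contents can change underneath the playbook without any change in this repository. Pin it to a tag or commit, e.g. `version: <tag-or-commit>` (placeholder), and apply the same pin to the `setup-apt` entry added in PATCH 34 and the `docker` entry added in PATCH 35, which are fetched the same way from github.com and git.pim.kunis.nl. These roles run as root on the host, so the pin is what makes the provisioning reproducible and reviewable.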
From: Pim Kunis Date: Fri, 14 Apr 2023 20:06:29 +0200 Subject: [PATCH 29/41] add overleaf service --- README.md | 1 + ansible/max.yml | 1 + ansible/roles/overleaf/meta/main.yml | 4 + ansible/roles/overleaf/tasks/main.yml | 13 +++ .../overleaf/templates/docker-compose.yml.j2 | 107 ++++++++++++++++++ ansible/roles/overleaf/vars/main.yml | 3 + 6 files changed, 129 insertions(+) create mode 100644 ansible/roles/overleaf/meta/main.yml create mode 100644 ansible/roles/overleaf/tasks/main.yml create mode 100644 ansible/roles/overleaf/templates/docker-compose.yml.j2 create mode 100644 ansible/roles/overleaf/vars/main.yml diff --git a/README.md b/README.md index b28be77..a59720e 100644 --- a/README.md +++ b/README.md @@ -19,3 +19,4 @@ All services below are implemented using Docker: - Jitsi Meet (https://meet.jit.si) - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) +- Latex editor using [Overleaf](https://www.overleaf.com/) diff --git a/ansible/max.yml b/ansible/max.yml index 2d677ff..3bf7cec 100644 --- a/ansible/max.yml +++ b/ansible/max.yml @@ -20,3 +20,4 @@ - {role: 'static', tags: 'static'} - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} + - {role: 'overleaf', tags: 'overleaf'} diff --git a/ansible/roles/overleaf/meta/main.yml b/ansible/roles/overleaf/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/ansible/roles/overleaf/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/overleaf/tasks/main.yml b/ansible/roles/overleaf/tasks/main.yml new file mode 100644 index 0000000..84256ce --- /dev/null +++ b/ansible/roles/overleaf/tasks/main.yml 
@@ -0,0 +1,13 @@ +- name: Create service directory + file: + path: "{{ service_dir }}" + state: directory +- name: Copy Docker Compose script + template: + src: "{{ role_path }}/templates/docker-compose.yml.j2" + dest: "{{ service_dir }}/docker-compose.yml" +- name: Start the Docker Compose + docker_compose: + project_src: "{{ service_dir }}" + pull: true + remove_orphans: true diff --git a/ansible/roles/overleaf/templates/docker-compose.yml.j2 b/ansible/roles/overleaf/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..20a3096 --- /dev/null +++ b/ansible/roles/overleaf/templates/docker-compose.yml.j2 
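Review bot: The role never creates the bind-mount source directories that the compose template in this same commit references (`{{ data_dir }}/overleaf/sharelatex_data`, `.../mongo_data`, `.../redis_data`), so on first start Docker creates them itself, root-owned, with ownership and mode outside Ansible's control. Add a `- name: Create data directory` task with `file: path: "{{ data_dir }}" state: directory` before the compose step, as the hedgedoc role in PATCH 31 does, so the data directory's owner and mode are explicit and idempotently managed. Giving the `template` task an explicit `mode` for the rendered compose file would also be worthwhile, since that file will hold the SMTP credentials once `SHARELATEX_EMAIL_SMTP_USER`/`PASS` are filled in.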
@@ -0,0 +1,107 @@ +version: '2.2' + +networks: + traefik: + external: true + internal: + external: false + +services: + sharelatex: + restart: always + image: sharelatex/sharelatex + container_name: sharelatex + networks: + - traefik + - internal + depends_on: + mongo: + condition: service_healthy + redis: + condition: service_started + links: + - mongo + - redis + stop_grace_period: 60s + volumes: + - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex + labels: + - traefik.enable=true + - traefik.http.routers.overleaf.entrypoints=websecure + - traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`) + - traefik.http.routers.overleaf.tls=true + - traefik.http.routers.overleaf.tls.certresolver=letsencrypt + - treafik.http.routers.overleaf.service=overleaf + - traefik.http.services.overleaf.loadbalancer.server.port=80 + - traefik.docker.network=traefik + environment: + SHARELATEX_APP_NAME: Overleaf Community Edition + + SHARELATEX_MONGO_URL: mongodb://mongo:27017/sharelatex + + # Same property, unfortunately with different names in + # different locations + SHARELATEX_REDIS_HOST: redis + REDIS_HOST: redis + + ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file' + + # Enables Thumbnail generation using ImageMagick + ENABLE_CONVERSIONS: 'true' + + # Disables email confirmation requirement + EMAIL_CONFIRMATION_DISABLED: 'true' + + # temporary fix for LuaLaTex compiles + # see https://github.com/overleaf/overleaf/issues/695 + TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var + + ## Set for SSL via nginx-proxy + #VIRTUAL_HOST: 103.112.212.22 + + SHARELATEX_SITE_URL: https://latex.pim.kunis.nl + # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance + # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png + SHARELATEX_ADMIN_EMAIL: pim@kunis.nl + + # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by ShareLaTeX 2016"},{"text": "Another page I want to link to can be found here"} ]' + # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]' + + 
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl" + + SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl" + SHARELATEX_EMAIL_SMTP_PORT: 587 + SHARELATEX_EMAIL_SMTP_USER: "" + SHARELATEX_EMAIL_SMTP_PASS: "" + # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true + # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false + # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1' + # SHARELATEX_EMAIL_SMTP_LOGGER: true + # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x" + + mongo: + restart: always + image: mongo:4.4 + container_name: mongo + networks: + - internal + expose: + - 27017 + volumes: + - {{ data_dir }}/overleaf/mongo_data:/data/db + healthcheck: + test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet + interval: 10s + timeout: 10s + retries: 5 + + redis: + restart: always + image: redis:5 + container_name: redis + networks: + - internal + expose: + - 6379 + volumes: + - {{ data_dir }}/overleaf/redis_data:/data diff --git a/ansible/roles/overleaf/vars/main.yml b/ansible/roles/overleaf/vars/main.yml new file mode 100644 index 0000000..927a1e8 --- /dev/null +++ b/ansible/roles/overleaf/vars/main.yml @@ -0,0 +1,3 @@ +service_name: overleaf +data_dir: "{{ base_data_dir}}/{{service_name}}" +service_dir: "{{ base_service_dir}}/{{service_name}}" From fef821f770fa8175973d6814baa45dfa3c2765de Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 14 Apr 2023 20:10:14 +0200 Subject: [PATCH 30/41] update readme fixed #8 --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a59720e..e5d820f 100644 --- a/README.md +++ b/README.md 
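Review bot: The label `treafik.http.routers.overleaf.service=overleaf` is misspelled (`treafik`), so Traefik never reads the router-to-service binding; presumably the route only works because Traefik falls back to the single service declared on the container. Change it to `traefik.http.routers.overleaf.service=overleaf`; the hedgedoc compose template in PATCH 31 carries the same typo. Separately, `data_dir` in the vars hunk below already ends in `/overleaf`, so the three volume sources resolve to `.../overleaf/overleaf/<name>`; drop the extra `overleaf/` segment from the volume paths unless the doubled directory is intended. The `links:` entries are redundant with the shared `internal` network, which already gives the services name resolution to each other.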
@@ -7,11 +7,11 @@ Max is our VM running all of our web servers, provisioned with Terraform and con All services below are implemented using Docker: - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/) -- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl)) -- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl)) +- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl)) +- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl)) - File sychronisation using [Syncthing](https://syncthing.net/) - Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl)) -- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl)) +- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl)) - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) - Disposable mail server using [Inbucket](https://inbucket.org) @@ -19,4 +19,4 @@ All services below are implemented using Docker: - Jitsi Meet (https://meet.jit.si) - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) -- Latex editor using [Overleaf](https://www.overleaf.com/) +- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl)) From 58aeaacc67b7edb9d59b08b1c58b2302a570caa3 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sat, 15 Apr 2023 13:04:24 +0200 Subject: [PATCH 31/41] add hedgedoc service close #9 --- README.md | 1 + ansible/max.yml | 1 + ansible/roles/cyberchef/tasks/main.yml | 1 - ansible/roles/forgejo/vars/main.yml | 1 - ansible/roles/hedgedoc/meta/main.yml | 4 ++ ansible/roles/hedgedoc/tasks/main.yml | 22 +++++++++ .../hedgedoc/templates/docker-compose.yml.j2 | 48 +++++++++++++++++++ ansible/roles/hedgedoc/vars/main.yml | 14 ++++++ 8 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/hedgedoc/meta/main.yml create mode 100644 ansible/roles/hedgedoc/tasks/main.yml create mode 100644 ansible/roles/hedgedoc/templates/docker-compose.yml.j2 create mode 100644 ansible/roles/hedgedoc/vars/main.yml diff --git a/README.md b/README.md index e5d820f..4888ae3 100644 --- a/README.md +++ b/README.md @@ -20,3 +20,4 @@ All services below are implemented using Docker: - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) - Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl)) +- Markdown editor using [Hedgedoc](https://hedgedoc.org/) diff --git a/ansible/max.yml b/ansible/max.yml index 3bf7cec..f2e06e0 100644 --- a/ansible/max.yml +++ b/ansible/max.yml @@ -21,3 +21,4 @@ - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} - {role: 'overleaf', tags: 'overleaf'} + - {role: 'hedgedoc', tags: 'hedgedoc'} diff --git a/ansible/roles/cyberchef/tasks/main.yml b/ansible/roles/cyberchef/tasks/main.yml index 2518ba7..34ec717 100644 --- a/ansible/roles/cyberchef/tasks/main.yml +++ b/ansible/roles/cyberchef/tasks/main.yml @@ -11,4 +11,3 @@ project_src: "{{ service_dir }}" pull: true remove_orphans: true - diff --git a/ansible/roles/forgejo/vars/main.yml b/ansible/roles/forgejo/vars/main.yml index 38d58cc..7cad12e 100644 --- a/ansible/roles/forgejo/vars/main.yml +++ b/ansible/roles/forgejo/vars/main.yml 
@@ -3,7 +3,6 @@ data_dir: "{{ base_data_dir }}/{{ service_name }}" service_dir: "{{ base_service_dir }}/{{ service_name }}" git_domain: "git.{{ domain_name_pim }}" - forgejo: root_url: "https://{{ git_domain }}" mailer_host: "smtp.tweak.nl" diff --git a/ansible/roles/hedgedoc/meta/main.yml b/ansible/roles/hedgedoc/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/ansible/roles/hedgedoc/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/hedgedoc/tasks/main.yml b/ansible/roles/hedgedoc/tasks/main.yml new file mode 100644 index 0000000..aa5d846 --- /dev/null +++ b/ansible/roles/hedgedoc/tasks/main.yml @@ -0,0 +1,22 @@ +- name: Create service directory + file: + path: "{{ service_dir }}" + state: directory +- name: Copy Docker Compose script + template: + src: "{{ role_path }}/templates/docker-compose.yml.j2" + dest: "{{ service_dir }}/docker-compose.yml" +- name: Create data directory + file: + path: "{{ data_dir }}" + state: directory +- name: Create uploads directory + file: + path: "{{ data_dir }}/uploads" + state: directory + mode: 0777 +- name: Start the Docker Compose + docker_compose: + project_src: "{{ service_dir }}" + pull: true + remove_orphans: true diff --git a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..bc7f6f5 --- /dev/null +++ b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 
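Review bot: `mode: 0777` on the uploads directory makes it world-writable for every local user and process on the host, not only for the container; if the intent is to let the container's non-root user write uploads, set `owner`/`group` to that UID/GID and use a mode without the world-write bit, e.g. `owner: "<container-uid>"` and `mode: "0750"` (placeholders, confirm against the image's user). Quoting the mode also avoids the YAML octal ambiguity that newer Ansible releases warn about. The "Create data directory" task just above it sets no mode at all, so that directory's permissions depend on the remote umask.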
@@ -0,0 +1,48 @@ +version: '3' + +networks: + traefik: + external: true + internal: + external: false + +services: + database: + image: postgres:13.4-alpine + environment: + - POSTGRES_USER=hedgedoc + - POSTGRES_PASSWORD=password + - POSTGRES_DB=hedgedoc + volumes: + - {{ data_dir }}/database:/var/lib/postgresql/data + restart: always + networks: + - internal + app: + image: quay.io/hedgedoc/hedgedoc:1.9.7 + environment: + - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc + - CMD_DOMAIN={{ hedgedoc_domain }} + - CMD_PORT=3000 + - CMD_URL_ADDPORT=false + - CMD_ALLOW_ANONYMOUS=true + - CMD_ALLOW_EMAIL_REGISTER=false + - CMD_PROTOCOL_USESSL=true + - CMD_SESSION_SECRET={{ session_secret }} + volumes: + - {{ data_dir }}/uploads:/hedgedoc/public/uploads + restart: always + depends_on: + - database + networks: + - traefik + - internal + labels: + - traefik.enable=true + - traefik.http.routers.hedgedoc.entrypoints=websecure + - traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`) + - traefik.http.routers.hedgedoc.tls=true + - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt + - treafik.http.routers.hedgedoc.service=hedgedoc + - traefik.http.services.hedgedoc.loadbalancer.server.port=3000 + - traefik.docker.network=traefik diff --git a/ansible/roles/hedgedoc/vars/main.yml b/ansible/roles/hedgedoc/vars/main.yml new file mode 100644 index 0000000..10f93d8 --- /dev/null +++ b/ansible/roles/hedgedoc/vars/main.yml 
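Review bot: The Postgres password is the literal `password`, committed twice in `POSTGRES_PASSWORD=password` and `CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc`, while the session secret in the same commit is correctly vaulted. Exposure is limited by the database being attached only to the `internal` network, but the credential still lands in the rendered compose file and in the containers' environment (visible via `docker inspect`); move it to a vaulted `hedgedoc_db_password` variable in vars/main.yml and reference it in both places. The `treafik.http.routers.hedgedoc.service=hedgedoc` label has the same `treafik` misspelling as the overleaf template and is likewise ignored by Traefik.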
@@ -0,0 +1,14 @@ +service_name: hedgedoc +data_dir: "{{ base_data_dir }}/{{ service_name }}" +service_dir: "{{ base_service_dir }}/{{ service_name }}" +hedgedoc_domain: "md.{{ domain_name_pim }}" +session_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30633835386265643561343033326536653166343630396139303137613138383233666565666330 + 3032613865333836656566626435383165396539323837350a376331306464643766373839386638 + 65653865343539633636323833343964636332636461386434386432306230343833343431363134 + 6563373138626637650a633932313862326231666330343662343765666166373961376237396434 + 33396131353830323063326266623862353731653665626466653335656434303033353333353164 + 61613535373037646565386131383631366338616565373261396136616433393462313537313861 + 35313661616365373231373963323865393635626132343138363230313431636333363130346239 + 32656335333635613736 From aa0987593e5fdde0a32586ded38dffe801b42efe Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 16 Apr 2023 12:15:39 +0200 Subject: [PATCH 32/41] change overleaf container names closes #23 --- .../overleaf/templates/docker-compose.yml.j2 | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/ansible/roles/overleaf/templates/docker-compose.yml.j2 b/ansible/roles/overleaf/templates/docker-compose.yml.j2 index 20a3096..d4c9546 100644 --- a/ansible/roles/overleaf/templates/docker-compose.yml.j2 +++ b/ansible/roles/overleaf/templates/docker-compose.yml.j2 @@ -10,18 +10,18 @@ services: sharelatex: restart: always image: sharelatex/sharelatex - container_name: sharelatex + container_name: overleaf networks: - traefik - internal depends_on: - mongo: + overleaf-mongodb: condition: service_healthy - redis: + overleaf-redis: condition: service_started links: - - mongo - - redis + - overleaf-mongodb + - overleaf-redis stop_grace_period: 60s volumes: - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex 
@@ -37,12 +37,12 @@ services: environment: SHARELATEX_APP_NAME: Overleaf Community Edition - SHARELATEX_MONGO_URL: mongodb://mongo:27017/sharelatex + SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex # Same property, unfortunately with different names in # different locations - SHARELATEX_REDIS_HOST: redis - REDIS_HOST: redis + SHARELATEX_REDIS_HOST: overleaf-redis + REDIS_HOST: overleaf-redis ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file' @@ -79,10 +79,10 @@ services: # SHARELATEX_EMAIL_SMTP_LOGGER: true # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x" - mongo: + overleaf-mongodb: restart: always image: mongo:4.4 - container_name: mongo + container_name: overleaf-mongodb networks: - internal expose: @@ -95,10 +95,10 @@ services: timeout: 10s retries: 5 - redis: + overleaf-redis: restart: always image: redis:5 - container_name: redis + container_name: overleaf-redis networks: - internal expose: From 72d07aac36323b83584a64dd9cd18f8ae07a1631 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 16 Apr 2023 12:21:10 +0200 Subject: [PATCH 33/41] change hedgedoc container names closes #24 --- ansible/roles/hedgedoc/templates/docker-compose.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 index bc7f6f5..2926b4a 100644 --- a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 +++ b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 @@ -9,6 +9,7 @@ networks: services: database: image: postgres:13.4-alpine + container_name: hedgedoc-database environment: - POSTGRES_USER=hedgedoc - POSTGRES_PASSWORD=password @@ -18,8 +19,10 @@ services: restart: always networks: - internal + app: image: quay.io/hedgedoc/hedgedoc:1.9.7 + container_name: hedgedoc environment: - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DOMAIN={{ hedgedoc_domain }} 
From 69cf0a1d4b6a3f3bdf115b1c157ebf9fd4dc4d0e Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 17 Apr 2023 19:01:42 +0200 Subject: [PATCH 34/41] cleanup --- ansible/max.yml | 12 ++++++ ansible/requirements.yml | 4 +- ansible/roles/common/tasks/main.yml | 17 -------- ansible/roles/cyberchef/meta/main.yml | 4 +- ansible/roles/firewall/tasks/main.yml | 16 -------- ansible/roles/forgejo/meta/main.yml | 2 - ansible/roles/freshrss/meta/main.yml | 2 - ansible/roles/hedgedoc/meta/main.yml | 2 - ansible/roles/inbucket/meta/main.yml | 2 - ansible/roles/jitsi/meta/main.yml | 2 - ansible/roles/kms/meta/main.yml | 2 - ansible/roles/mastodon/meta/main.yml | 2 - ansible/roles/overleaf/meta/main.yml | 2 - ansible/roles/prometheus/meta/main.yml | 1 - ansible/roles/radicale/meta/main.yml | 2 - ansible/roles/seafile/meta/main.yml | 2 - ansible/roles/ssh/files/ssh_config | 54 -------------------------- ansible/roles/ssh/files/sshd_config | 41 ------------------- ansible/roles/ssh/meta/main.yml | 2 - ansible/roles/ssh/tasks/main.yml | 16 -------- ansible/roles/static/meta/main.yml | 2 - ansible/roles/syncthing/meta/main.yml | 1 - ansible/roles/traefik/meta/main.yml | 1 - ansible/roles/watchtower/meta/main.yml | 2 - 24 files changed, 15 insertions(+), 178 deletions(-) delete mode 100644 ansible/roles/common/tasks/main.yml delete mode 100644 ansible/roles/firewall/tasks/main.yml delete mode 100644 ansible/roles/ssh/files/ssh_config delete mode 100644 ansible/roles/ssh/files/sshd_config delete mode 100644 ansible/roles/ssh/meta/main.yml delete mode 100644 ansible/roles/ssh/tasks/main.yml diff --git a/ansible/max.yml b/ansible/max.yml index f2e06e0..b45bdd2 100644 --- a/ansible/max.yml +++ b/ansible/max.yml 
@@ -6,7 +6,19 @@ - name: Start services hosts: max + pre_tasks: + - name: Create base service directory + file: + path: "{{ base_service_dir }}" + state: directory + - name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" roles: + - {role: 'setup-apt', tags: 'setup-apt'} - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 5530c9f..971722f 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1,3 +1,3 @@ -- name: cloudinit-wait - src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait +- name: setup-apt + src: https://github.com/sunscrapers/ansible-role-apt.git scm: git diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml deleted file mode 100644 index b8f79d0..0000000 --- a/ansible/roles/common/tasks/main.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: APT upgrade - apt: - autoremove: true - upgrade: yes - state: latest - update_cache: yes - cache_valid_time: 86400 # One day -- name: Create base service directory - file: - path: "{{ base_service_dir }}" - state: directory -- name: Delete externally managed environment file - shell: - cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" - register: rm - changed_when: "rm.rc == 0" - failed_when: "false" diff --git a/ansible/roles/cyberchef/meta/main.yml b/ansible/roles/cyberchef/meta/main.yml index 7f5b1d3..cb0cd84 100644 --- a/ansible/roles/cyberchef/meta/main.yml +++ b/ansible/roles/cyberchef/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - \ No newline at end of file + - role: traefik diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml deleted file mode 100644 index 6b6bcb4..0000000 --- a/ansible/roles/firewall/tasks/main.yml +++ /dev/null 
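Review bot: The pre-task `rm /usr/lib/python*/EXTERNALLY-MANAGED` with `failed_when: "false"` deletes the PEP 668 marker on every run and hides every failure, which switches off Debian's guard against pip overwriting apt-managed packages system-wide. The narrower fix is to install whatever Python dependencies the playbook needs into a venv, or to pass `--break-system-packages` only to that one pip task, and leave the marker in place; if the deletion must stay, use `find` with `patterns: EXTERNALLY-MANAGED` plus `file: state: absent` so it is idempotent and reportable without `failed_when: "false"`. This commit also deletes the `ssh` role (whose sshd_config set `PasswordAuthentication no` and ed25519-only algorithms) and the `firewall` role without adding a replacement to this play; if that hardening now comes from cloud-init or the image, a short comment on the play would stop a reader from assuming it was dropped.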
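Review bot: This hunk replaces the `cloudinit-wait` entry instead of adding `setup-apt` alongside it, but the first play in `ansible/max.yml` (PATCH 28 above) still lists `roles: - 'cloudinit-wait'`, so a fresh `ansible-galaxy install -r requirements.yml` followed by the playbook cannot resolve that role at this commit. Keep both entries; PATCH 35 later re-adds `cloudinit-wait`, which suggests the removal here was unintended.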
@@ -1,16 +0,0 @@ -- name: Install firewalld - apt: - pkg: - - firewalld - state: latest - update_cache: true -- name: Allow SSH - firewalld: - service: ssh - permanent: yes - state: enabled -- name: Start firewalld - systemd: - enabled: true - name: sshd - state: started diff --git a/ansible/roles/forgejo/meta/main.yml b/ansible/roles/forgejo/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/forgejo/meta/main.yml +++ b/ansible/roles/forgejo/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/freshrss/meta/main.yml b/ansible/roles/freshrss/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/freshrss/meta/main.yml +++ b/ansible/roles/freshrss/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/hedgedoc/meta/main.yml b/ansible/roles/hedgedoc/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/hedgedoc/meta/main.yml +++ b/ansible/roles/hedgedoc/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/inbucket/meta/main.yml b/ansible/roles/inbucket/meta/main.yml index 7f5b1d3..6ad37f8 100644 --- a/ansible/roles/inbucket/meta/main.yml +++ b/ansible/roles/inbucket/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - role: docker - \ No newline at end of file diff --git a/ansible/roles/jitsi/meta/main.yml b/ansible/roles/jitsi/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/jitsi/meta/main.yml +++ b/ansible/roles/jitsi/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/kms/meta/main.yml b/ansible/roles/kms/meta/main.yml index 7f5b1d3..6ad37f8 100644 --- a/ansible/roles/kms/meta/main.yml +++ b/ansible/roles/kms/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - role: docker - \ No newline at end of file 
diff --git a/ansible/roles/mastodon/meta/main.yml b/ansible/roles/mastodon/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/mastodon/meta/main.yml +++ b/ansible/roles/mastodon/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/overleaf/meta/main.yml b/ansible/roles/overleaf/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/overleaf/meta/main.yml +++ b/ansible/roles/overleaf/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/prometheus/meta/main.yml b/ansible/roles/prometheus/meta/main.yml index 090690b..6ad37f8 100644 --- a/ansible/roles/prometheus/meta/main.yml +++ b/ansible/roles/prometheus/meta/main.yml @@ -1,3 +1,2 @@ dependencies: - - role: common - role: docker diff --git a/ansible/roles/radicale/meta/main.yml b/ansible/roles/radicale/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/radicale/meta/main.yml +++ b/ansible/roles/radicale/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/seafile/meta/main.yml b/ansible/roles/seafile/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/seafile/meta/main.yml +++ b/ansible/roles/seafile/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/ssh/files/ssh_config b/ansible/roles/ssh/files/ssh_config deleted file mode 100644 index 9ea50e1..0000000 --- a/ansible/roles/ssh/files/ssh_config +++ /dev/null 
@@ -1,54 +0,0 @@ -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -Include /etc/ssh/ssh_config.d/*.conf - -Host * -# ForwardAgent no -# ForwardX11 no -# ForwardX11Trusted yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# GSSAPIKeyExchange no -# GSSAPITrustDNS no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# IdentityFile ~/.ssh/id_ecdsa -# IdentityFile ~/.ssh/id_ed25519 -# Port 22 -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com -# EscapeChar ~ -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no -# ProxyCommand ssh -q -W %h:%p gateway.example.com -# RekeyLimit 1G 1h -# UserKnownHostsFile ~/.ssh/known_hosts.d/%k - SendEnv LANG LC_* - -# set HashKnownHosts to no to make known_hosts human readable and reviewable. -# HashKnownHosts yes -# GSSAPIAuthentication yes diff --git a/ansible/roles/ssh/files/sshd_config b/ansible/roles/ssh/files/sshd_config deleted file mode 100644 index e532138..0000000 --- a/ansible/roles/ssh/files/sshd_config +++ /dev/null 
@@ -1,41 +0,0 @@ -Include /etc/ssh/sshd_config.d/*.conf - -HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -HostKeyAlgorithms ssh-ed25519 -CASignatureAlgorithms ssh-ed25519 -HostbasedAcceptedKeyTypes ssh-ed25519 -HostKeyAlgorithms ssh-ed25519 -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org -Ciphers chacha20-poly1305@openssh.com -MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -KbdInteractiveAuthentication no - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -UsePAM yes - -X11Forwarding yes -PrintMotd no - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -# override default of no subsystems -Subsystem sftp /usr/lib/openssh/sftp-server - diff --git a/ansible/roles/ssh/meta/main.yml b/ansible/roles/ssh/meta/main.yml deleted file mode 100644 index 9711b33..0000000 --- a/ansible/roles/ssh/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: common diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml deleted file mode 100644 index 9c7311c..0000000 --- a/ansible/roles/ssh/tasks/main.yml +++ /dev/null 
@@ -1,16 +0,0 @@
-- name: Copy sshd config
- copy:
- src: "{{ role_path }}/files/sshd_config"
- dest: /etc/ssh/sshd_config
- register: sshd_config
-- name: Copy ssh config
- copy:
- src: "{{ role_path }}/files/ssh_config"
- dest: /etc/ssh/ssh_config
- register: ssh_config
-- name: Restart SSH service
- systemd:
- enabled: true
- name: sshd
- state: reloaded
- when: sshd_config.changed
diff --git a/ansible/roles/static/meta/main.yml b/ansible/roles/static/meta/main.yml
index 6b03734..cb0cd84 100644
--- a/ansible/roles/static/meta/main.yml
+++ b/ansible/roles/static/meta/main.yml
@@ -1,4 +1,2 @@
 dependencies:
- - role: common
- - role: docker
 - role: traefik
diff --git a/ansible/roles/syncthing/meta/main.yml b/ansible/roles/syncthing/meta/main.yml
index 090690b..6ad37f8 100644
--- a/ansible/roles/syncthing/meta/main.yml
+++ b/ansible/roles/syncthing/meta/main.yml
@@ -1,3 +1,2 @@
 dependencies:
- - role: common
 - role: docker
diff --git a/ansible/roles/traefik/meta/main.yml b/ansible/roles/traefik/meta/main.yml
index 090690b..6ad37f8 100644
--- a/ansible/roles/traefik/meta/main.yml
+++ b/ansible/roles/traefik/meta/main.yml
@@ -1,3 +1,2 @@
 dependencies:
- - role: common
 - role: docker
diff --git a/ansible/roles/watchtower/meta/main.yml b/ansible/roles/watchtower/meta/main.yml
index 7f5b1d3..6ad37f8 100644
--- a/ansible/roles/watchtower/meta/main.yml
+++ b/ansible/roles/watchtower/meta/main.yml
@@ -1,4 +1,2 @@
 dependencies:
- - role: common
 - role: docker
-
\ No newline at end of file
From bf094a02d668d185f4554fa2dab6b10c9e7664da Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 17 Apr 2023 19:35:33 +0200
Subject: [PATCH 35/41] put docker role in separate repo
---
 ansible/inventory/host_vars/max.yml | 6 +++-
 ansible/requirements.yml | 6 ++++
 ansible/roles/docker/files/daemon.json | 7 -----
 ansible/roles/docker/tasks/main.yml | 41 --------------------------------
 4 files changed, 11 insertions(+), 49 deletions(-)
 delete mode 100644 ansible/roles/docker/files/daemon.json
 delete mode 100644 ansible/roles/docker/tasks/main.yml
diff --git a/ansible/inventory/host_vars/max.yml b/ansible/inventory/host_vars/max.yml
index 55ff4c3..d77112b 100644
--- a/ansible/inventory/host_vars/max.yml
+++ b/ansible/inventory/host_vars/max.yml
@@ -1,5 +1,6 @@
 base_data_dir: /mnt/data
 base_service_dir: /srv
+domain_name_pim: pim.kunis.nl
 # Additional open ports
 jitsi_videobridge_port: 54562
@@ -8,4 +9,7 @@ prometheus_port: 8081
 traefik_api_port: 8080
 internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
-domain_name_pim: pim.kunis.nl
+docker_daemon_config:
+ default-address-pools:
+ - base: "10.204.0.0/16"
+ size: 24
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index 971722f..b799430 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -1,3 +1,9 @@
 - name: setup-apt
 src: https://github.com/sunscrapers/ansible-role-apt.git
 scm: git
+- name: cloudinit-wait
+ src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
+ scm: git
+- name: docker
+ src: https://git.pim.kunis.nl/pim/ansible-role-docker
+ scm: git
diff --git a/ansible/roles/docker/files/daemon.json b/ansible/roles/docker/files/daemon.json
deleted file mode 100644
index 10fc298..0000000
--- a/ansible/roles/docker/files/daemon.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-"default-address-pools":
-[
-{"base":"10.204.0.0/16","size":24}
-
-]
-}
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
deleted file mode 100644
index 7b7b88b..0000000
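Review bot: The `cloudinit-wait` and `docker` entries added to requirements.yml reference git repositories without a `version:` key, so every `ansible-galaxy install` fetches whatever the default branch points at, and a later push to either repository changes what is applied to the host with no change in this repo. Pinning each role to a tag or commit, e.g. `version: <tag-or-commit>` next to `scm: git`, keeps the installed role content reproducible and reviewable. The pre-existing `setup-apt` entry, pulled from a third-party GitHub repository, has the same gap and is worth pinning in the same pass.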
--- a/ansible/roles/docker/tasks/main.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-- name: Install Docker prerequisites
- apt:
- pkg:
- - ca-certificates
- - curl
- - gnupg
- - lsb-release
- - python3-pip
-- name: Add Docker APT key
- apt_key:
- url: https://download.docker.com/linux/ubuntu/gpg
- keyring: /etc/apt/keyrings/docker.gpg
-- name: Add Docker repository
- apt_repository:
- repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
- register: apt_repository
-- name: Update APT cache
- apt:
- update_cache: true
- when: apt_repository.changed
-- name: Install Docker packages
- apt:
- pkg:
- - docker-ce
- - docker-ce-cli
- - containerd.io
- - docker-compose-plugin
-- name: Install Docker modules for Python
- pip:
- name:
- - docker
- - docker-compose
-- name: Copy daemon.json
- copy:
- src: "{{ role_path }}/files/daemon.json"
- dest: /etc/docker/daemon.json
-- name: Start Docker
- systemd:
- name: docker
- enabled: true
- state: started
From 2cc35feebbcae9af1ad09d5488e84265ab66b34b Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 24 Apr 2023 13:07:54 +0200
Subject: [PATCH 36/41] increase disk size in Terraform as well
---
 terraform/main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/terraform/main.tf b/terraform/main.tf
index c8b495b..07ed2a7 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -22,4 +22,5 @@ module "tf-datatest" {
 data_disk = "/kvm/data/max-data"
 memory = 1024 * 8
 mac = "CA:FE:C0:FF:EE:03"
+ disk_size = 1024 * 1024 * 1024 * 30
 }
From e6f64d4f4decefa90255cf30569ef6e2defaf45c Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 24 Apr 2023 13:31:27 +0200
Subject: [PATCH 37/41] rename TF module closes #18
---
 terraform/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index 07ed2a7..569d5b1 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -15,7 +15,7 @@ provider "libvirt" {
 uri = "qemu+ssh://root@atlas.lan/system"
 }
-module "tf-datatest" {
+module "tf-max" {
 source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
 name = "max"
 domain_name = "tf-max"
From 37fe3937e57d5454cb3c20c8f39fe8d91438b2a5 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 24 Apr 2023 13:47:18 +0200
Subject: [PATCH 38/41] save LE certificates on data disk closes #25
---
 ansible/roles/traefik/tasks/main.yml | 6 +++++-
 ansible/roles/traefik/templates/docker-compose.yml.j2 | 2 +-
 ansible/roles/traefik/vars/main.yml | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml
index 9ba3f0f..0341de3 100644
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@@ -2,10 +2,14 @@
 file:
 path: "{{ service_dir }}"
 state: directory
+- name: Create data directory
+ file:
+ path: "{{ data_dir }}"
+ state: directory
 - name: Create acme file
 copy:
 content: ""
- dest: "{{ service_dir }}/acme.json"
+ dest: "{{ data_dir }}/acme.json"
 force: no
 mode: 0600
 - name: Copy Docker Compose script
diff --git a/ansible/roles/traefik/templates/docker-compose.yml.j2 b/ansible/roles/traefik/templates/docker-compose.yml.j2
index 9b18732..6306437 100644
--- a/ansible/roles/traefik/templates/docker-compose.yml.j2
+++ b/ansible/roles/traefik/templates/docker-compose.yml.j2
@@ -18,7 +18,7 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock
 - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
 - {{ service_dir }}/services.toml:/etc/traefik/services.toml
- - {{ service_dir }}/acme.json:/acme.json
+ - {{ data_dir }}/acme.json:/acme.json
 networks:
 - traefik
 labels:
diff --git a/ansible/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml
index 2e1116f..0569770 100644
--- a/ansible/roles/traefik/vars/main.yml
+++ b/ansible/roles/traefik/vars/main.yml
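Review bot: The `Create acme file` task now targets `{{ data_dir }}/acme.json` while keeping `content: ""` and `force: no`, so on a host that already has `{{ service_dir }}/acme.json` it creates a fresh empty file at the new path instead of carrying the existing one over; Traefik is then mounted with an empty store and presumably has to re-register its ACME account and re-issue every certificate, while the old file, which holds the ACME account key and the certificate private keys, stays behind at the old path with no task removing it. A one-time move guarded by `creates`/`removes`, placed between the new `Create data directory` task and `Create acme file`, plus a `file: state: absent` for the old path, would make the migration idempotent and leave no stray key material. The new `Create data directory` task also sets no `mode`, so the directory holding acme.json gets whatever the umask yields; `mode: "0700"` would match the file's `0600`. The task list continues outside the hunk on both sides.
```yaml
# … unchanged: Create service directory / Create data directory tasks …
- name: Move existing acme file to data directory
  command: mv "{{ service_dir }}/acme.json" "{{ data_dir }}/acme.json"
  args:
    creates: "{{ data_dir }}/acme.json"
    removes: "{{ service_dir }}/acme.json"
# … unchanged: Create acme file task and the rest of the list …
```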
@@ -1,2 +1,3 @@
 service_name: traefik
 service_dir: "{{ base_service_dir }}/{{ service_name }}"
+data_dir: "{{ base_data_dir }}/{{ service_name }}"
From 8a634be9ab41cc75a61d59a2842e3e350aab238f Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 26 Apr 2023 14:53:57 +0200
Subject: [PATCH 39/41] move to virtiofs shared directory
---
 ansible/roles/forgejo/templates/app.ini.j2 | 1 +
 terraform/data/main.tf | 2 +-
 terraform/main.tf | 17 ++++++++---------
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/ansible/roles/forgejo/templates/app.ini.j2 b/ansible/roles/forgejo/templates/app.ini.j2
index 3220c38..b427df5 100644
--- a/ansible/roles/forgejo/templates/app.ini.j2
+++ b/ansible/roles/forgejo/templates/app.ini.j2
@@ -39,6 +39,7 @@ CHARSET = utf8
 [indexer]
 ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+ISSUE_INDEXER_TYPE = db
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
diff --git a/terraform/data/main.tf b/terraform/data/main.tf
index 1961de5..e0e6f62 100644
--- a/terraform/data/main.tf
+++ b/terraform/data/main.tf
@@ -12,7 +12,7 @@ terraform {
 }
 provider "libvirt" {
- uri = "qemu+ssh://root@atlas.lan/system"
+ uri = "qemu+ssh://root@atlas.hyp/system"
 }
 resource "libvirt_volume" "data" {
diff --git a/terraform/main.tf b/terraform/main.tf
index 569d5b1..4f9e7e2 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -12,15 +12,14 @@ terraform {
 }
 provider "libvirt" {
- uri = "qemu+ssh://root@atlas.lan/system"
+ uri = "qemu+ssh://root@atlas.hyp/system"
 }
-module "tf-max" {
- source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
- name = "max"
- domain_name = "tf-max"
- data_disk = "/kvm/data/max-data"
- memory = 1024 * 8
- mac = "CA:FE:C0:FF:EE:03"
- disk_size = 1024 * 1024 * 1024 * 30
+module "debian" {
+ source = "/home/pim/repos/tf-modules/debian"
+ name = "max"
+ domain_name = "tf-max"
+ memory = 1024 * 8
+ mac = "CA:FE:C0:FF:EE:03"
+ disk_size = 1024 * 1024 * 1024 * 30
 }
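Review bot: With `ISSUE_INDEXER_TYPE = db` added under `[indexer]`, the `ISSUE_INDEXER_PATH` line kept directly above it configures a bleve index location that the db indexer does not use, so it is now dead configuration that suggests an index file exists on disk. Either drop that line or annotate it, e.g. `; only consulted when ISSUE_INDEXER_TYPE = bleve`, so the next reader does not go looking for `/data/gitea/indexers/issues.bleve`.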
From c25e4ca41dfead2db5fc8acac48c147cafdec5b1 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 26 Apr 2023 14:59:04 +0200
Subject: [PATCH 40/41] fix terraform module source
---
 terraform/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index 4f9e7e2..9239f9d 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -16,7 +16,7 @@ provider "libvirt" {
 }
 module "debian" {
- source = "/home/pim/repos/tf-modules/debian"
+ source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
 name = "max"
 domain_name = "tf-max"
 memory = 1024 * 8
From a57d59ac04ef9f6432efd95349b1156b65e88117 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 26 Apr 2023 16:07:40 +0200
Subject: [PATCH 41/41] remove data volume
---
 terraform/data/main.tf | 30 ------------------------------
 1 file changed, 30 deletions(-)
 delete mode 100644 terraform/data/main.tf
diff --git a/terraform/data/main.tf b/terraform/data/main.tf
deleted file mode 100644
index e0e6f62..0000000
--- a/terraform/data/main.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-terraform {
- backend "pg" {
- schema_name = "max-data"
- conn_str = "postgres://terraform@10.42.0.1/terraform_state"
- }
-
- required_providers {
- libvirt = {
- source = "dmacvicar/libvirt"
- }
- }
-}
-
-provider "libvirt" {
- uri = "qemu+ssh://root@atlas.hyp/system"
-}
-
-resource "libvirt_volume" "data" {
- name = "max-data"
- pool = "data"
- size = 1024 * 1024 * 1024 * 65
-
- lifecycle {
- prevent_destroy = true
- }
-}
-
-output "data_disk_id" {
- value = libvirt_volume.data.id
-}