From 46dd504b43f806e1a13981d3870e773e7698287c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 12 Apr 2023 15:43:59 +0200 Subject: [PATCH 01/23] common + docker working --- .gitignore | 37 +++++++++++++++++++++++++++++++++ ansible.cfg | 1 - data/main.tf | 30 +++++++++++++++++++++++++++ inventory/hosts.yml | 10 ++++----- main.tf | 25 ++++++++++++++++++++++ max.yml | 38 ++++++++++++++++++++-------------- roles/common/files/resolv.conf | 5 ----- roles/common/tasks/main.yml | 10 --------- roles/docker/tasks/main.yml | 13 ++++++------ 9 files changed, 126 insertions(+), 43 deletions(-) create mode 100644 data/main.tf create mode 100644 main.tf delete mode 100644 roles/common/files/resolv.conf diff --git a/.gitignore b/.gitignore index b593a85..33b954c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,38 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc +.terraform.lock.hcl +*.tfbackend + .vault_password diff --git a/ansible.cfg b/ansible.cfg index b598c64..5f42fc7 100644 --- a/ansible.cfg +++ b/ansible.cfg 
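Review bot: `.terraform.lock.hcl` is added to the ignore list near the end of the hunk, so the provider versions and hashes that `terraform init` selects are never recorded and a fresh checkout can resolve `dmacvicar/libvirt` to a different release than the one last applied; HashiCorp's guidance is to commit the lock file. Drop that line, or if the lock file is deliberately untracked, say why in a comment next to it. The identical hunk reappears in PATCH 04.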
@@ -1,5 +1,4 @@ [defaults] -# (pathspec) Colon separated paths in which Ansible will search for Roles. roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles inventory=inventory vault_password_file=util/secret-service-client.sh diff --git a/data/main.tf b/data/main.tf new file mode 100644 index 0000000..1961de5 --- /dev/null +++ b/data/main.tf @@ -0,0 +1,30 @@ +terraform { + backend "pg" { + schema_name = "max-data" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +resource "libvirt_volume" "data" { + name = "max-data" + pool = "data" + size = 1024 * 1024 * 1024 * 65 + + lifecycle { + prevent_destroy = true + } +} + +output "data_disk_id" { + value = libvirt_volume.data.id +} diff --git a/inventory/hosts.yml b/inventory/hosts.yml index b0f8f06..5a70e6a 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -1,7 +1,5 @@ all: - children: - homeserver: - hosts: - max: - ansible_user: root - ansible_host: max.dmz + hosts: + max: + ansible_user: root + ansible_host: max2.dmz diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..5837283 --- /dev/null +++ b/main.tf @@ -0,0 +1,25 @@ +terraform { + backend "pg" { + schema_name = "max" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +module "tf-datatest" { + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" + name = "max2" + domain_name = "tf-max" + data_disk = "/kvm/data/max-data" + fixed_address = "192.168.30.66/24" + ansible_command = "ansible-playbook max.yml" +} diff --git a/max.yml b/max.yml index bf406dd..ca7fd87 100644 --- a/max.yml +++ b/max.yml 
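Review bot: `conn_str = "postgres://terraform@10.42.0.1/terraform_state"` sets no `sslmode`, so whether the state (which will carry whatever the libvirt provider records about the VM and disk) crosses the network encrypted depends on libpq's default negotiation and the server's policy; append `?sslmode=verify-full` (or at least `require`) to the URL. The URL carries no credential either, so presumably it comes from the environment or `.pgpass` — a comment saying which would help the next operator. `uri = "qemu+ssh://root@atlas.lan/system"` drives the hypervisor as root; a dedicated unprivileged user granted libvirt access would limit what a compromised Terraform runner can do. `main.tf` in this patch and both files again in PATCH 04 use the same strings.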
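Review bot: `source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"` has no `?ref=`, so every `terraform init` pulls the tip of the default branch and the VM definition can change without any change in this repository; pin it with `?ref=<commit-or-tag>` and bump deliberately. The same unpinned source is used in PATCH 03 and PATCH 04.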
@@ -1,17 +1,25 @@ - name: Setup homeserver - hosts: homeserver + hosts: max + gather_facts: no + + pre_tasks: + - name: Wait for host to come up + wait_for: + state: started + port: 22 + host: max2.dmz + timeout: 10 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + command: + cmd: cloud-init status --wait + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: + roles: - - {role: 'ssh', tags: 'ssh'} - - {role: 'watchtower', tags: 'watchtower'} - - {role: 'forgejo', tags: 'forgejo'} - - {role: 'syncthing', tags: 'syncthing'} - - {role: 'kms', tags: 'kms'} - - {role: 'cyberchef', tags: 'cyberchef'} - - {role: 'radicale', tags: 'radicale'} - - {role: 'mastodon', tags: 'mastodon'} - - {role: 'seafile', tags: 'seafile'} - - {role: 'jitsi', tags: 'jitsi'} - - {role: 'freshrss', tags: 'freshrss'} - - {role: 'static', tags: 'static'} - - {role: 'inbucket', tags: 'inbucket'} - - {role: 'prometheus', tags: 'prometheus'} + - {role: 'common', tags: 'common'} + - {role: 'docker', tags: 'docker'} diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf deleted file mode 100644 index cf23f28..0000000 --- a/roles/common/files/resolv.conf +++ /dev/null @@ -1,5 +0,0 @@ -nameserver 192.168.30.7 -nameserver 192.168.30.1 -nameserver 1.1.1.1 -nameserver 1.0.0.1 -search lan diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c32e911..713ba70 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -9,13 +9,3 @@ file: path: "{{ base_service_dir }}" state: directory -- name: Disable systemd-resolved - systemd: - name: systemd-resolved - enabled: false - state: stopped -- name: Copy resolv.conf - copy: - src: "{{ role_path }}/files/resolv.conf" - dest: /etc/resolv.conf - follow: true diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 3acc420..d62b241 100644 --- a/roles/docker/tasks/main.yml 
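Review bot: `host: max2.dmz` in the `wait_for` pre-task duplicates the inventory's `ansible_host`, and the two already drift within this series (the inventory says `max2.dmz` here and `max.dmz` in PATCH 04); use `host: "{{ ansible_host }}"` so the playbook follows the inventory. Note also that `timeout: 10` is shorter than `connect_timeout: 300`, so the task gives up after ten seconds regardless of the connect timeout (PATCH 03 raises it). The same hard-coded host appears in the max.yml hunks of PATCH 03, 04 and 07.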
+++ b/roles/docker/tasks/main.yml @@ -12,7 +12,7 @@ keyring: /etc/apt/keyrings/docker.gpg - name: Add Docker repository apt_repository: - repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" register: apt_repository - name: Update APT cache apt: @@ -25,11 +25,12 @@ - docker-ce-cli - containerd.io - docker-compose-plugin -- name: Install Docker modules for Python - pip: - name: - - docker - - docker-compose +# Do we need this? pip doesn't like it +# - name: Install Docker modules for Python +# pip: +# name: +# - docker +# - docker-compose - name: Copy daemon.json copy: src: "{{ role_path }}/files/daemon.json" From b21fc40a38dfe4e4fe2c001b4ef8cadca02f0ded Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 12 Apr 2023 16:24:01 +0200 Subject: [PATCH 02/23] traefik works --- max.yml | 2 +- roles/common/tasks/main.yml | 6 ++++++ roles/docker/tasks/main.yml | 11 +++++------ 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/max.yml b/max.yml index ca7fd87..b99e777 100644 --- a/max.yml +++ b/max.yml @@ -21,5 +21,5 @@ setup: roles: - - {role: 'common', tags: 'common'} - {role: 'docker', tags: 'docker'} + - {role: 'traefik', tags: 'traefik'} diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 713ba70..b8f79d0 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -9,3 +9,9 @@ file: path: "{{ base_service_dir }}" state: directory +- name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index d62b241..7b7b88b 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
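Review bot: `cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"` removes the PEP 668 marker for every system Python, which lets later `pip` tasks overwrite distro-managed packages host-wide just to install two modules; the narrower options are `ansible.builtin.pip` with `virtualenv:` pointing at a dedicated venv, or `extra_args: --break-system-packages` on the one task that needs it. With `failed_when: "false"` the task also masks a missing `rm` or a permission error, so a later pip failure surfaces far from its cause; `failed_when: rm.rc != 0 and 'No such file' not in rm.stderr` keeps the intended tolerance of an absent file. The same task is added again in the common tasks hunk of PATCH 04.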
@@ -25,12 +25,11 @@ - docker-ce-cli - containerd.io - docker-compose-plugin -# Do we need this? pip doesn't like it -# - name: Install Docker modules for Python -# pip: -# name: -# - docker -# - docker-compose +- name: Install Docker modules for Python + pip: + name: + - docker + - docker-compose - name: Copy daemon.json copy: src: "{{ role_path }}/files/daemon.json" From c1ff6a06121dbe257542660dfa8283873d1f03e9 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 12 Apr 2023 18:19:10 +0200 Subject: [PATCH 03/23] tweaks --- inventory/host_vars/max.yml | 2 +- main.tf | 14 ++++++++------ max.yml | 21 ++++++++++++++++----- roles/static/vars/main.yml | 2 +- 4 files changed, 26 insertions(+), 13 deletions(-) diff --git a/inventory/host_vars/max.yml b/inventory/host_vars/max.yml index 11aa49f..55ff4c3 100644 --- a/inventory/host_vars/max.yml +++ b/inventory/host_vars/max.yml @@ -1,4 +1,4 @@ -base_data_dir: /data +base_data_dir: /mnt/data base_service_dir: /srv # Additional open ports diff --git a/main.tf b/main.tf index 5837283..3743886 100644 --- a/main.tf +++ b/main.tf @@ -16,10 +16,12 @@ provider "libvirt" { } module "tf-datatest" { - source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" - name = "max2" - domain_name = "tf-max" - data_disk = "/kvm/data/max-data" - fixed_address = "192.168.30.66/24" - ansible_command = "ansible-playbook max.yml" + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" + name = "max2" + domain_name = "tf-max" + data_disk = "/kvm/data/max-data" + fixed_address = "192.168.30.66/24" + ansible_command = "ansible-playbook max.yml" + insecure_password = true + memory = 1024 * 8 } diff --git a/max.yml b/max.yml index b99e777..bd06bd8 100644 --- a/max.yml +++ b/max.yml 
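Review bot: `name: - docker - docker-compose` installs both PyPI packages unpinned, so each run takes whatever the index serves that day; pin them (`docker==<version>`, `docker-compose==<version>`) so the host is reproducible. The role already installs `docker-compose-plugin` from the APT repository; if the Python `docker-compose` package is only there for Ansible's docker_compose module, a comment saying so would stop the next reader from removing one of the two.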
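Review bot: `insecure_password = true` is passed to the module with no comment on what it enables; if, as the name suggests, it sets a known password on the guest, the VM is reachable with it for the window before Ansible configures it and indefinitely if the playbook fails. Either document why it is needed and remove it once key-based access works, or keep it out of the tracked file (a `.tfvars` is already gitignored). The merged version in PATCH 04 does not carry it.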
@@ -8,18 +8,29 @@ state: started port: 22 host: max2.dmz - timeout: 10 + timeout: 300 connect_timeout: 300 search_regex: OpenSSH delegate_to: localhost - name: Wait for cloud-init to finish - command: - cmd: cloud-init status --wait + shell: + cmd: "cloud-init status --wait" register: cloudinit changed_when: "'..' in cloudinit.stdout" - name: Gather facts setup: roles: - - {role: 'docker', tags: 'docker'} - - {role: 'traefik', tags: 'traefik'} + - {role: 'watchtower', tags: 'watchtower'} + - {role: 'forgejo', tags: 'forgejo'} + # - {role: 'syncthing', tags: 'syncthing'} + - {role: 'kms', tags: 'kms'} + - {role: 'cyberchef', tags: 'cyberchef'} + #- {role: 'radicale', tags: 'radicale'} + - {role: 'mastodon', tags: 'mastodon'} + - {role: 'seafile', tags: 'seafile'} + - {role: 'jitsi', tags: 'jitsi'} + - {role: 'freshrss', tags: 'freshrss'} + - {role: 'static', tags: 'static'} + - {role: 'inbucket', tags: 'inbucket'} + - {role: 'prometheus', tags: 'prometheus'} diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml index 8838234..912dd02 100644 --- a/roles/static/vars/main.yml +++ b/roles/static/vars/main.yml @@ -1,3 +1,3 @@ service_name: static service_dir: "{{ base_service_dir }}/{{ service_name }}" -git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git" +git_origin: "http://git.pim.kunis.nl/pim/static.git" From 74a4de161563e3007777b19771438eec22f0ff18 Mon Sep 17 00:00:00 2001 
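Review bot: `shell: cmd: "cloud-init status --wait"` replaces the previous `command:` for a command line that uses no shell features, and `command` is preferable because it does not pass the string through `/bin/sh`; the added quotes alone did not require the switch. `# - {role: 'syncthing', tags: 'syncthing'}` and the radicale entry are commented out rather than removed or tagged, so a reader cannot tell whether they are broken or retired — a short note next to them would help.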
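Review bot: `git_origin: "http://git.pim.kunis.nl/pim/static.git"` moves the clone of the site content from `localhost` to plain HTTP across the network, so what gets served as the static site is fetched without transport integrity; the Terraform files in this series already reach the same host over `https://git.pim.kunis.nl`, so `https://` should work here too. The same change is repeated in PATCH 04.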
From: Pim Kunis Date: Wed, 12 Apr 2023 21:26:46 +0000 Subject: [PATCH 04/23] virtualize (#3) Reviewed-on: https://git.pim.kunis.nl/home/max/pulls/3 --- .gitignore | 37 ++++++++++++++++++++++++++++++++++ ansible.cfg | 1 - data/main.tf | 30 +++++++++++++++++++++++++++ inventory/host_vars/max.yml | 2 +- inventory/hosts.yml | 10 ++++----- main.tf | 26 ++++++++++++++++++++++++ max.yml | 25 ++++++++++++++++++++--- roles/common/files/resolv.conf | 5 ----- roles/common/tasks/main.yml | 16 ++++++--------- roles/docker/tasks/main.yml | 2 +- roles/static/vars/main.yml | 2 +- 11 files changed, 128 insertions(+), 28 deletions(-) create mode 100644 data/main.tf create mode 100644 main.tf delete mode 100644 roles/common/files/resolv.conf diff --git a/.gitignore b/.gitignore index b593a85..33b954c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,38 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc +.terraform.lock.hcl +*.tfbackend + .vault_password diff --git a/ansible.cfg b/ansible.cfg index b598c64..5f42fc7 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -1,5 +1,4 @@ [defaults] -# (pathspec) Colon separated paths in which Ansible will search for Roles. roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles inventory=inventory vault_password_file=util/secret-service-client.sh diff --git a/data/main.tf b/data/main.tf new file mode 100644 index 0000000..1961de5 --- /dev/null +++ b/data/main.tf @@ -0,0 +1,30 @@ +terraform { + backend "pg" { + schema_name = "max-data" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +resource "libvirt_volume" "data" { + name = "max-data" + pool = "data" + size = 1024 * 1024 * 1024 * 65 + + lifecycle { + prevent_destroy = true + } +} + +output "data_disk_id" { + value = libvirt_volume.data.id +} diff --git a/inventory/host_vars/max.yml b/inventory/host_vars/max.yml index 11aa49f..55ff4c3 100644 --- a/inventory/host_vars/max.yml +++ b/inventory/host_vars/max.yml @@ -1,4 +1,4 @@ -base_data_dir: /data +base_data_dir: /mnt/data base_service_dir: /srv # Additional open ports diff --git a/inventory/hosts.yml b/inventory/hosts.yml index b0f8f06..bf163f0 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -1,7 +1,5 @@ all: - children: - homeserver: - hosts: - max: - ansible_user: root - ansible_host: max.dmz + hosts: + max: + ansible_user: root + ansible_host: max.dmz diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..a4f49fb --- /dev/null +++ b/main.tf 
@@ -0,0 +1,26 @@ +terraform { + backend "pg" { + schema_name = "max" + conn_str = "postgres://terraform@10.42.0.1/terraform_state" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +provider "libvirt" { + uri = "qemu+ssh://root@atlas.lan/system" +} + +module "tf-datatest" { + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" + name = "max" + domain_name = "tf-max" + data_disk = "/kvm/data/max-data" + #ansible_command = "ansible-playbook max.yml" + memory = 1024 * 8 + mac = "CA:FE:C0:FF:EE:03" +} diff --git a/max.yml b/max.yml index bf406dd..eb6771f 100644 --- a/max.yml +++ b/max.yml @@ -1,13 +1,32 @@ - name: Setup homeserver - hosts: homeserver + hosts: max + gather_facts: no + + pre_tasks: + - name: Wait for host to come up + wait_for: + state: started + port: 22 + host: max.dmz + timeout: 300 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + shell: + cmd: "cloud-init status --wait" + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: + roles: - - {role: 'ssh', tags: 'ssh'} - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} - {role: 'cyberchef', tags: 'cyberchef'} - - {role: 'radicale', tags: 'radicale'} + # - {role: 'radicale', tags: 'radicale'} - {role: 'mastodon', tags: 'mastodon'} - {role: 'seafile', tags: 'seafile'} - {role: 'jitsi', tags: 'jitsi'} diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf deleted file mode 100644 index cf23f28..0000000 --- a/roles/common/files/resolv.conf +++ /dev/null @@ -1,5 +0,0 @@ -nameserver 192.168.30.7 -nameserver 192.168.30.1 -nameserver 1.1.1.1 -nameserver 1.0.0.1 -search lan diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c32e911..b8f79d0 100644 --- a/roles/common/tasks/main.yml 
+++ b/roles/common/tasks/main.yml @@ -9,13 +9,9 @@ file: path: "{{ base_service_dir }}" state: directory -- name: Disable systemd-resolved - systemd: - name: systemd-resolved - enabled: false - state: stopped -- name: Copy resolv.conf - copy: - src: "{{ role_path }}/files/resolv.conf" - dest: /etc/resolv.conf - follow: true +- name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 3acc420..7b7b88b 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -12,7 +12,7 @@ keyring: /etc/apt/keyrings/docker.gpg - name: Add Docker repository apt_repository: - repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" register: apt_repository - name: Update APT cache apt: diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml index 8838234..912dd02 100644 --- a/roles/static/vars/main.yml +++ b/roles/static/vars/main.yml @@ -1,3 +1,3 @@ service_name: static service_dir: "{{ base_service_dir }}/{{ service_name }}" -git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git" +git_origin: "http://git.pim.kunis.nl/pim/static.git" From 7c220a5501de082800ae4acce6ced817945d3107 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Apr 2023 11:43:42 +0200 Subject: [PATCH 05/23] fix #2 --- max.yml | 4 +-- roles/radicale/files/radicale.conf | 2 +- roles/radicale/tasks/main.yml | 2 +- .../radicale/templates/docker-compose.yml.j2 | 32 +++++++++++++------ 4 files changed, 27 insertions(+), 13 deletions(-) diff --git a/max.yml b/max.yml index eb6771f..a17d2e2 100644 --- a/max.yml +++ b/max.yml 
@@ -26,11 +26,11 @@ - {role: 'syncthing', tags: 'syncthing'} - {role: 'kms', tags: 'kms'} - {role: 'cyberchef', tags: 'cyberchef'} - # - {role: 'radicale', tags: 'radicale'} + - {role: 'radicale', tags: 'radicale'} - {role: 'mastodon', tags: 'mastodon'} - {role: 'seafile', tags: 'seafile'} - {role: 'jitsi', tags: 'jitsi'} - - {role: 'freshrss', tags: 'freshrss'} + # - {role: 'freshrss', tags: 'freshrss'} - {role: 'static', tags: 'static'} - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} diff --git a/roles/radicale/files/radicale.conf b/roles/radicale/files/radicale.conf index 360d314..eb9df16 100644 --- a/roles/radicale/files/radicale.conf +++ b/roles/radicale/files/radicale.conf @@ -9,7 +9,7 @@ stock = utf-8 [auth] realm = Radicale - Password Required type = htpasswd -htpasswd_filename = /radicale/users +htpasswd_filename = /config/users htpasswd_encryption = md5 [rights] diff --git a/roles/radicale/tasks/main.yml b/roles/radicale/tasks/main.yml index 48afa89..5ac19d6 100644 --- a/roles/radicale/tasks/main.yml +++ b/roles/radicale/tasks/main.yml @@ -13,7 +13,7 @@ - name: Copy radicale.conf copy: src: "{{ role_path }}/files/radicale.conf" - dest: "{{ service_dir }}/config/radicale.conf" + dest: "{{ service_dir }}/config/config" - name: Copy users file copy: src: "{{ role_path }}/files/users" diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/roles/radicale/templates/docker-compose.yml.j2 index e8a51fd..70e0b29 100644 --- a/roles/radicale/templates/docker-compose.yml.j2 +++ b/roles/radicale/templates/docker-compose.yml.j2 
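Review bot: The new `htpasswd_filename = /config/users` path matches the `:/config:ro` mount in the compose template, but the file it points at is copied verbatim from the role's `files/users` (see the `Copy users file` task) and is hashed with the unchanged `htpasswd_encryption = md5` just below; if those hashes are not vault-encrypted they sit in the repository as MD5-based digests. Radicale also accepts `htpasswd_encryption = bcrypt`; switching and regenerating the file would make a leaked repository far less useful.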
@@ -1,18 +1,28 @@ -version: '3' - -networks: - traefik: - external: true +version: '3.7' services: radicale: - restart: always - image: mailu/radicale:1.9 + image: tomsquest/docker-radicale container_name: radicale + init: true + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + cap_add: + - SETUID + - SETGID + - CHOWN + - KILL + healthcheck: + test: curl -f http://127.0.0.1:5232 || exit 1 + interval: 30s + retries: 3 + restart: unless-stopped volumes: - {{ data_dir }}:/data - - {{ service_dir }}/config:/radicale - command: radicale -S -C /radicale/radicale.conf + - {{ service_dir }}/config:/config:ro networks: - traefik labels: @@ -23,3 +33,7 @@ services: - traefik.http.routers.radicale.tls.certresolver=letsencrypt - traefik.http.routers.radicale.service=radicale - traefik.http.services.radicale.loadbalancer.server.port=5232 + +networks: + traefik: + external: true From f8bd4224517aed6385a24b0d1ff1fe5ca929dfdd Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Apr 2023 13:00:19 +0200 Subject: [PATCH 06/23] fix freshrss data location (#3) --- max.yml | 2 +- roles/freshrss/templates/docker-compose.yml.j2 | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/max.yml b/max.yml index a17d2e2..aeefb99 100644 --- a/max.yml +++ b/max.yml @@ -30,7 +30,7 @@ - {role: 'mastodon', tags: 'mastodon'} - {role: 'seafile', tags: 'seafile'} - {role: 'jitsi', tags: 'jitsi'} - # - {role: 'freshrss', tags: 'freshrss'} + - {role: 'freshrss', tags: 'freshrss'} - {role: 'static', tags: 'static'} - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} diff --git a/roles/freshrss/templates/docker-compose.yml.j2 b/roles/freshrss/templates/docker-compose.yml.j2 index 8876319..5c15b8f 100644 --- a/roles/freshrss/templates/docker-compose.yml.j2 +++ b/roles/freshrss/templates/docker-compose.yml.j2 
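Review bot: `image: tomsquest/docker-radicale` has no tag or digest, so it floats to `latest` and, with the `watchtower` role in this playbook, will be upgraded unattended to whatever is published next, undermining the careful `cap_drop`/`read_only` hardening in the same hunk; pin it, e.g. `image: tomsquest/docker-radicale:<tag>@sha256:<digest>`. The healthcheck `test: curl -f http://127.0.0.1:5232 || exit 1` assumes `curl` exists in the image, worth confirming since a missing binary leaves the container permanently unhealthy.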
@@ -11,10 +11,8 @@ services: options: max-size: 10m volumes: - # Recommended volume for FreshRSS persistent data such as configuration and SQLite databases - - /data/freshrss/data:/var/www/FreshRSS/data - # Optional volume for storing third-party extensions - - /data/freshrss/extensions:/var/www/FreshRSS/extensions + - {{ data_dir }}/data:/var/www/FreshRSS/data + - {{ data_dir }}/extensions:/var/www/FreshRSS/extensions environment: TZ: Europe/Amsterdam CRON_MIN: '2,32' From b89713643d28601e93e15ae3f4ca462f3ddbc47c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Apr 2023 17:21:48 +0200 Subject: [PATCH 07/23] fix unable to scope ansible to tags fixes #4 --- main.tf | 1 - max.yml | 33 ++++++++++++++++++--------------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/main.tf b/main.tf index a4f49fb..c8b495b 100644 --- a/main.tf +++ b/main.tf @@ -20,7 +20,6 @@ module "tf-datatest" { name = "max" domain_name = "tf-max" data_disk = "/kvm/data/max-data" - #ansible_command = "ansible-playbook max.yml" memory = 1024 * 8 mac = "CA:FE:C0:FF:EE:03" } diff --git a/max.yml b/max.yml index aeefb99..cc056f1 100644 --- a/max.yml +++ b/max.yml @@ -4,21 +4,24 @@ pre_tasks: - name: Wait for host to come up - wait_for: - state: started - port: 22 - host: max.dmz - timeout: 300 - connect_timeout: 300 - search_regex: OpenSSH - delegate_to: localhost - - name: Wait for cloud-init to finish - shell: - cmd: "cloud-init status --wait" - register: cloudinit - changed_when: "'..' in cloudinit.stdout" - - name: Gather facts - setup: + tags: always + block: + - name: Wait for SSH connection + wait_for: + state: started + port: 22 + host: max.dmz + timeout: 300 + connect_timeout: 300 + search_regex: OpenSSH + delegate_to: localhost + - name: Wait for cloud-init to finish + shell: + cmd: "cloud-init status --wait" + register: cloudinit + changed_when: "'..' in cloudinit.stdout" + - name: Gather facts + setup: roles: - {role: 'watchtower', tags: 'watchtower'} 
From 9eb52229f1c8e0e55de9f5876d0ec7ccf1463262 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Thu, 13 Apr 2023 17:24:01 +0200 Subject: [PATCH 08/23] change directory structure --- ansible.cfg => ansible/ansible.cfg | 0 {inventory => ansible/inventory}/host_vars/max.yml | 0 {inventory => ansible/inventory}/hosts.yml | 0 max.yml => ansible/max.yml | 0 {roles => ansible/roles}/common/tasks/main.yml | 0 {roles => ansible/roles}/cyberchef/files/docker-compose.yml | 0 {roles => ansible/roles}/cyberchef/meta/main.yml | 0 {roles => ansible/roles}/cyberchef/tasks/main.yml | 0 {roles => ansible/roles}/cyberchef/vars/main.yml | 0 {roles => ansible/roles}/docker/files/daemon.json | 0 {roles => ansible/roles}/docker/tasks/main.yml | 0 {roles => ansible/roles}/firewall/tasks/main.yml | 0 {roles => ansible/roles}/forgejo/meta/main.yml | 0 {roles => ansible/roles}/forgejo/tasks/main.yml | 0 {roles => ansible/roles}/forgejo/templates/app.ini.j2 | 0 {roles => ansible/roles}/forgejo/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/forgejo/vars/main.yml | 0 {roles => ansible/roles}/freshrss/meta/main.yml | 0 {roles => ansible/roles}/freshrss/tasks/main.yml | 0 {roles => ansible/roles}/freshrss/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/freshrss/vars/main.yml | 0 {roles => ansible/roles}/inbucket/files/docker-compose.yml | 0 {roles => ansible/roles}/inbucket/meta/main.yml | 0 {roles => ansible/roles}/inbucket/tasks/main.yml | 0 {roles => ansible/roles}/inbucket/vars/main.yml | 0 {roles => ansible/roles}/jitsi/meta/main.yml | 0 {roles => ansible/roles}/jitsi/tasks/main.yml | 0 {roles => ansible/roles}/jitsi/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/jitsi/vars/main.yml | 0 {roles => ansible/roles}/kms/files/docker-compose.yml | 0 {roles => ansible/roles}/kms/meta/main.yml | 0 {roles => ansible/roles}/kms/tasks/main.yml | 0 {roles => ansible/roles}/kms/vars/main.yml | 0 {roles => ansible/roles}/mastodon/files/.env.production | 0 {roles => ansible/roles}/mastodon/meta/main.yml | 0 {roles => 
ansible/roles}/mastodon/tasks/main.yml | 0 {roles => ansible/roles}/mastodon/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/mastodon/vars/main.yml | 0 {roles => ansible/roles}/prometheus/meta/main.yml | 0 {roles => ansible/roles}/prometheus/tasks/main.yml | 0 .../roles}/prometheus/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/prometheus/templates/prometheus.yml.j2 | 0 {roles => ansible/roles}/prometheus/vars/main.yml | 0 {roles => ansible/roles}/radicale/files/radicale.conf | 0 {roles => ansible/roles}/radicale/files/users | 0 {roles => ansible/roles}/radicale/meta/main.yml | 0 {roles => ansible/roles}/radicale/tasks/main.yml | 0 {roles => ansible/roles}/radicale/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/radicale/vars/main.yml | 0 {roles => ansible/roles}/seafile/meta/main.yml | 0 {roles => ansible/roles}/seafile/tasks/main.yml | 0 {roles => ansible/roles}/seafile/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/seafile/vars/main.yml | 0 {roles => ansible/roles}/ssh/files/ssh_config | 0 {roles => ansible/roles}/ssh/files/sshd_config | 0 {roles => ansible/roles}/ssh/meta/main.yml | 0 {roles => ansible/roles}/ssh/tasks/main.yml | 0 {roles => ansible/roles}/static/files/security.txt | 0 {roles => ansible/roles}/static/meta/main.yml | 0 {roles => ansible/roles}/static/tasks/main.yml | 0 {roles => ansible/roles}/static/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/static/templates/nginx.conf.j2 | 0 {roles => ansible/roles}/static/vars/main.yml | 0 {roles => ansible/roles}/syncthing/files/cert.pem | 0 {roles => ansible/roles}/syncthing/files/key.pem | 0 {roles => ansible/roles}/syncthing/meta/main.yml | 0 {roles => ansible/roles}/syncthing/tasks/main.yml | 0 {roles => ansible/roles}/syncthing/templates/config.xml.j2 | 0 .../roles}/syncthing/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/syncthing/vars/main.yml | 0 {roles => ansible/roles}/traefik/files/services.toml | 0 {roles => 
ansible/roles}/traefik/meta/main.yml | 0 {roles => ansible/roles}/traefik/tasks/main.yml | 0 {roles => ansible/roles}/traefik/templates/docker-compose.yml.j2 | 0 {roles => ansible/roles}/traefik/templates/traefik.toml.j2 | 0 {roles => ansible/roles}/traefik/vars/main.yml | 0 {roles => ansible/roles}/watchtower/files/docker-compose.yml | 0 {roles => ansible/roles}/watchtower/meta/main.yml | 0 {roles => ansible/roles}/watchtower/tasks/main.yml | 0 {roles => ansible/roles}/watchtower/vars/main.yml | 0 {util => ansible/util}/secret-service-client.sh | 0 {data => terraform/data}/main.tf | 0 main.tf => terraform/main.tf | 0 83 files changed, 0 insertions(+), 0 deletions(-) rename ansible.cfg => ansible/ansible.cfg (100%) rename {inventory => ansible/inventory}/host_vars/max.yml (100%) rename {inventory => ansible/inventory}/hosts.yml (100%) rename max.yml => ansible/max.yml (100%) rename {roles => ansible/roles}/common/tasks/main.yml (100%) rename {roles => ansible/roles}/cyberchef/files/docker-compose.yml (100%) rename {roles => ansible/roles}/cyberchef/meta/main.yml (100%) rename {roles => ansible/roles}/cyberchef/tasks/main.yml (100%) rename {roles => ansible/roles}/cyberchef/vars/main.yml (100%) rename {roles => ansible/roles}/docker/files/daemon.json (100%) rename {roles => ansible/roles}/docker/tasks/main.yml (100%) rename {roles => ansible/roles}/firewall/tasks/main.yml (100%) rename {roles => ansible/roles}/forgejo/meta/main.yml (100%) rename {roles => ansible/roles}/forgejo/tasks/main.yml (100%) rename {roles => ansible/roles}/forgejo/templates/app.ini.j2 (100%) rename {roles => ansible/roles}/forgejo/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/forgejo/vars/main.yml (100%) rename {roles => ansible/roles}/freshrss/meta/main.yml (100%) rename {roles => ansible/roles}/freshrss/tasks/main.yml (100%) rename {roles => ansible/roles}/freshrss/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/freshrss/vars/main.yml (100%) 
rename {roles => ansible/roles}/inbucket/files/docker-compose.yml (100%) rename {roles => ansible/roles}/inbucket/meta/main.yml (100%) rename {roles => ansible/roles}/inbucket/tasks/main.yml (100%) rename {roles => ansible/roles}/inbucket/vars/main.yml (100%) rename {roles => ansible/roles}/jitsi/meta/main.yml (100%) rename {roles => ansible/roles}/jitsi/tasks/main.yml (100%) rename {roles => ansible/roles}/jitsi/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/jitsi/vars/main.yml (100%) rename {roles => ansible/roles}/kms/files/docker-compose.yml (100%) rename {roles => ansible/roles}/kms/meta/main.yml (100%) rename {roles => ansible/roles}/kms/tasks/main.yml (100%) rename {roles => ansible/roles}/kms/vars/main.yml (100%) rename {roles => ansible/roles}/mastodon/files/.env.production (100%) rename {roles => ansible/roles}/mastodon/meta/main.yml (100%) rename {roles => ansible/roles}/mastodon/tasks/main.yml (100%) rename {roles => ansible/roles}/mastodon/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/mastodon/vars/main.yml (100%) rename {roles => ansible/roles}/prometheus/meta/main.yml (100%) rename {roles => ansible/roles}/prometheus/tasks/main.yml (100%) rename {roles => ansible/roles}/prometheus/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/prometheus/templates/prometheus.yml.j2 (100%) rename {roles => ansible/roles}/prometheus/vars/main.yml (100%) rename {roles => ansible/roles}/radicale/files/radicale.conf (100%) rename {roles => ansible/roles}/radicale/files/users (100%) rename {roles => ansible/roles}/radicale/meta/main.yml (100%) rename {roles => ansible/roles}/radicale/tasks/main.yml (100%) rename {roles => ansible/roles}/radicale/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/radicale/vars/main.yml (100%) rename {roles => ansible/roles}/seafile/meta/main.yml (100%) rename {roles => ansible/roles}/seafile/tasks/main.yml (100%) rename {roles => 
ansible/roles}/seafile/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/seafile/vars/main.yml (100%) rename {roles => ansible/roles}/ssh/files/ssh_config (100%) rename {roles => ansible/roles}/ssh/files/sshd_config (100%) rename {roles => ansible/roles}/ssh/meta/main.yml (100%) rename {roles => ansible/roles}/ssh/tasks/main.yml (100%) rename {roles => ansible/roles}/static/files/security.txt (100%) rename {roles => ansible/roles}/static/meta/main.yml (100%) rename {roles => ansible/roles}/static/tasks/main.yml (100%) rename {roles => ansible/roles}/static/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/static/templates/nginx.conf.j2 (100%) rename {roles => ansible/roles}/static/vars/main.yml (100%) rename {roles => ansible/roles}/syncthing/files/cert.pem (100%) rename {roles => ansible/roles}/syncthing/files/key.pem (100%) rename {roles => ansible/roles}/syncthing/meta/main.yml (100%) rename {roles => ansible/roles}/syncthing/tasks/main.yml (100%) rename {roles => ansible/roles}/syncthing/templates/config.xml.j2 (100%) rename {roles => ansible/roles}/syncthing/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/syncthing/vars/main.yml (100%) rename {roles => ansible/roles}/traefik/files/services.toml (100%) rename {roles => ansible/roles}/traefik/meta/main.yml (100%) rename {roles => ansible/roles}/traefik/tasks/main.yml (100%) rename {roles => ansible/roles}/traefik/templates/docker-compose.yml.j2 (100%) rename {roles => ansible/roles}/traefik/templates/traefik.toml.j2 (100%) rename {roles => ansible/roles}/traefik/vars/main.yml (100%) rename {roles => ansible/roles}/watchtower/files/docker-compose.yml (100%) rename {roles => ansible/roles}/watchtower/meta/main.yml (100%) rename {roles => ansible/roles}/watchtower/tasks/main.yml (100%) rename {roles => ansible/roles}/watchtower/vars/main.yml (100%) rename {util => ansible/util}/secret-service-client.sh (100%) rename {data => terraform/data}/main.tf 
(100%) rename main.tf => terraform/main.tf (100%) diff --git a/ansible.cfg b/ansible/ansible.cfg similarity index 100% rename from ansible.cfg rename to ansible/ansible.cfg diff --git a/inventory/host_vars/max.yml b/ansible/inventory/host_vars/max.yml similarity index 100% rename from inventory/host_vars/max.yml rename to ansible/inventory/host_vars/max.yml diff --git a/inventory/hosts.yml b/ansible/inventory/hosts.yml similarity index 100% rename from inventory/hosts.yml rename to ansible/inventory/hosts.yml diff --git a/max.yml b/ansible/max.yml similarity index 100% rename from max.yml rename to ansible/max.yml diff --git a/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml similarity index 100% rename from roles/common/tasks/main.yml rename to ansible/roles/common/tasks/main.yml diff --git a/roles/cyberchef/files/docker-compose.yml b/ansible/roles/cyberchef/files/docker-compose.yml similarity index 100% rename from roles/cyberchef/files/docker-compose.yml rename to ansible/roles/cyberchef/files/docker-compose.yml diff --git a/roles/cyberchef/meta/main.yml b/ansible/roles/cyberchef/meta/main.yml similarity index 100% rename from roles/cyberchef/meta/main.yml rename to ansible/roles/cyberchef/meta/main.yml diff --git a/roles/cyberchef/tasks/main.yml b/ansible/roles/cyberchef/tasks/main.yml similarity index 100% rename from roles/cyberchef/tasks/main.yml rename to ansible/roles/cyberchef/tasks/main.yml diff --git a/roles/cyberchef/vars/main.yml b/ansible/roles/cyberchef/vars/main.yml similarity index 100% rename from roles/cyberchef/vars/main.yml rename to ansible/roles/cyberchef/vars/main.yml diff --git a/roles/docker/files/daemon.json b/ansible/roles/docker/files/daemon.json similarity index 100% rename from roles/docker/files/daemon.json rename to ansible/roles/docker/files/daemon.json 
diff --git a/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml similarity index 100% rename from roles/docker/tasks/main.yml rename to ansible/roles/docker/tasks/main.yml diff --git a/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml similarity index 100% rename from roles/firewall/tasks/main.yml rename to ansible/roles/firewall/tasks/main.yml diff --git a/roles/forgejo/meta/main.yml b/ansible/roles/forgejo/meta/main.yml similarity index 100% rename from roles/forgejo/meta/main.yml rename to ansible/roles/forgejo/meta/main.yml diff --git a/roles/forgejo/tasks/main.yml b/ansible/roles/forgejo/tasks/main.yml similarity index 100% rename from roles/forgejo/tasks/main.yml rename to ansible/roles/forgejo/tasks/main.yml diff --git a/roles/forgejo/templates/app.ini.j2 b/ansible/roles/forgejo/templates/app.ini.j2 similarity index 100% rename from roles/forgejo/templates/app.ini.j2 rename to ansible/roles/forgejo/templates/app.ini.j2 diff --git a/roles/forgejo/templates/docker-compose.yml.j2 b/ansible/roles/forgejo/templates/docker-compose.yml.j2 similarity index 100% rename from roles/forgejo/templates/docker-compose.yml.j2 rename to ansible/roles/forgejo/templates/docker-compose.yml.j2 diff --git a/roles/forgejo/vars/main.yml b/ansible/roles/forgejo/vars/main.yml similarity index 100% rename from roles/forgejo/vars/main.yml rename to ansible/roles/forgejo/vars/main.yml diff --git a/roles/freshrss/meta/main.yml b/ansible/roles/freshrss/meta/main.yml similarity index 100% rename from roles/freshrss/meta/main.yml rename to ansible/roles/freshrss/meta/main.yml diff --git a/roles/freshrss/tasks/main.yml b/ansible/roles/freshrss/tasks/main.yml similarity index 100% rename from roles/freshrss/tasks/main.yml rename to ansible/roles/freshrss/tasks/main.yml 
diff --git a/roles/freshrss/templates/docker-compose.yml.j2 b/ansible/roles/freshrss/templates/docker-compose.yml.j2 similarity index 100% rename from roles/freshrss/templates/docker-compose.yml.j2 rename to ansible/roles/freshrss/templates/docker-compose.yml.j2 diff --git a/roles/freshrss/vars/main.yml b/ansible/roles/freshrss/vars/main.yml similarity index 100% rename from roles/freshrss/vars/main.yml rename to ansible/roles/freshrss/vars/main.yml diff --git a/roles/inbucket/files/docker-compose.yml b/ansible/roles/inbucket/files/docker-compose.yml similarity index 100% rename from roles/inbucket/files/docker-compose.yml rename to ansible/roles/inbucket/files/docker-compose.yml diff --git a/roles/inbucket/meta/main.yml b/ansible/roles/inbucket/meta/main.yml similarity index 100% rename from roles/inbucket/meta/main.yml rename to ansible/roles/inbucket/meta/main.yml diff --git a/roles/inbucket/tasks/main.yml b/ansible/roles/inbucket/tasks/main.yml similarity index 100% rename from roles/inbucket/tasks/main.yml rename to ansible/roles/inbucket/tasks/main.yml diff --git a/roles/inbucket/vars/main.yml b/ansible/roles/inbucket/vars/main.yml similarity index 100% rename from roles/inbucket/vars/main.yml rename to ansible/roles/inbucket/vars/main.yml diff --git a/roles/jitsi/meta/main.yml b/ansible/roles/jitsi/meta/main.yml similarity index 100% rename from roles/jitsi/meta/main.yml rename to ansible/roles/jitsi/meta/main.yml diff --git a/roles/jitsi/tasks/main.yml b/ansible/roles/jitsi/tasks/main.yml similarity index 100% rename from roles/jitsi/tasks/main.yml rename to ansible/roles/jitsi/tasks/main.yml diff --git a/roles/jitsi/templates/docker-compose.yml.j2 b/ansible/roles/jitsi/templates/docker-compose.yml.j2 similarity index 100% rename from roles/jitsi/templates/docker-compose.yml.j2 rename to ansible/roles/jitsi/templates/docker-compose.yml.j2 
diff --git a/roles/jitsi/vars/main.yml b/ansible/roles/jitsi/vars/main.yml similarity index 100% rename from roles/jitsi/vars/main.yml rename to ansible/roles/jitsi/vars/main.yml diff --git a/roles/kms/files/docker-compose.yml b/ansible/roles/kms/files/docker-compose.yml similarity index 100% rename from roles/kms/files/docker-compose.yml rename to ansible/roles/kms/files/docker-compose.yml diff --git a/roles/kms/meta/main.yml b/ansible/roles/kms/meta/main.yml similarity index 100% rename from roles/kms/meta/main.yml rename to ansible/roles/kms/meta/main.yml diff --git a/roles/kms/tasks/main.yml b/ansible/roles/kms/tasks/main.yml similarity index 100% rename from roles/kms/tasks/main.yml rename to ansible/roles/kms/tasks/main.yml diff --git a/roles/kms/vars/main.yml b/ansible/roles/kms/vars/main.yml similarity index 100% rename from roles/kms/vars/main.yml rename to ansible/roles/kms/vars/main.yml diff --git a/roles/mastodon/files/.env.production b/ansible/roles/mastodon/files/.env.production similarity index 100% rename from roles/mastodon/files/.env.production rename to ansible/roles/mastodon/files/.env.production diff --git a/roles/mastodon/meta/main.yml b/ansible/roles/mastodon/meta/main.yml similarity index 100% rename from roles/mastodon/meta/main.yml rename to ansible/roles/mastodon/meta/main.yml diff --git a/roles/mastodon/tasks/main.yml b/ansible/roles/mastodon/tasks/main.yml similarity index 100% rename from roles/mastodon/tasks/main.yml rename to ansible/roles/mastodon/tasks/main.yml diff --git a/roles/mastodon/templates/docker-compose.yml.j2 b/ansible/roles/mastodon/templates/docker-compose.yml.j2 similarity index 100% rename from roles/mastodon/templates/docker-compose.yml.j2 rename to ansible/roles/mastodon/templates/docker-compose.yml.j2 diff --git a/roles/mastodon/vars/main.yml b/ansible/roles/mastodon/vars/main.yml similarity index 100% rename from roles/mastodon/vars/main.yml rename to ansible/roles/mastodon/vars/main.yml 
diff --git a/roles/prometheus/meta/main.yml b/ansible/roles/prometheus/meta/main.yml similarity index 100% rename from roles/prometheus/meta/main.yml rename to ansible/roles/prometheus/meta/main.yml diff --git a/roles/prometheus/tasks/main.yml b/ansible/roles/prometheus/tasks/main.yml similarity index 100% rename from roles/prometheus/tasks/main.yml rename to ansible/roles/prometheus/tasks/main.yml diff --git a/roles/prometheus/templates/docker-compose.yml.j2 b/ansible/roles/prometheus/templates/docker-compose.yml.j2 similarity index 100% rename from roles/prometheus/templates/docker-compose.yml.j2 rename to ansible/roles/prometheus/templates/docker-compose.yml.j2 diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/ansible/roles/prometheus/templates/prometheus.yml.j2 similarity index 100% rename from roles/prometheus/templates/prometheus.yml.j2 rename to ansible/roles/prometheus/templates/prometheus.yml.j2 diff --git a/roles/prometheus/vars/main.yml b/ansible/roles/prometheus/vars/main.yml similarity index 100% rename from roles/prometheus/vars/main.yml rename to ansible/roles/prometheus/vars/main.yml diff --git a/roles/radicale/files/radicale.conf b/ansible/roles/radicale/files/radicale.conf similarity index 100% rename from roles/radicale/files/radicale.conf rename to ansible/roles/radicale/files/radicale.conf diff --git a/roles/radicale/files/users b/ansible/roles/radicale/files/users similarity index 100% rename from roles/radicale/files/users rename to ansible/roles/radicale/files/users diff --git a/roles/radicale/meta/main.yml b/ansible/roles/radicale/meta/main.yml similarity index 100% rename from roles/radicale/meta/main.yml rename to ansible/roles/radicale/meta/main.yml diff --git a/roles/radicale/tasks/main.yml b/ansible/roles/radicale/tasks/main.yml similarity index 100% rename from roles/radicale/tasks/main.yml rename to ansible/roles/radicale/tasks/main.yml 
diff --git a/roles/radicale/templates/docker-compose.yml.j2 b/ansible/roles/radicale/templates/docker-compose.yml.j2 similarity index 100% rename from roles/radicale/templates/docker-compose.yml.j2 rename to ansible/roles/radicale/templates/docker-compose.yml.j2 diff --git a/roles/radicale/vars/main.yml b/ansible/roles/radicale/vars/main.yml similarity index 100% rename from roles/radicale/vars/main.yml rename to ansible/roles/radicale/vars/main.yml diff --git a/roles/seafile/meta/main.yml b/ansible/roles/seafile/meta/main.yml similarity index 100% rename from roles/seafile/meta/main.yml rename to ansible/roles/seafile/meta/main.yml diff --git a/roles/seafile/tasks/main.yml b/ansible/roles/seafile/tasks/main.yml similarity index 100% rename from roles/seafile/tasks/main.yml rename to ansible/roles/seafile/tasks/main.yml diff --git a/roles/seafile/templates/docker-compose.yml.j2 b/ansible/roles/seafile/templates/docker-compose.yml.j2 similarity index 100% rename from roles/seafile/templates/docker-compose.yml.j2 rename to ansible/roles/seafile/templates/docker-compose.yml.j2 diff --git a/roles/seafile/vars/main.yml b/ansible/roles/seafile/vars/main.yml similarity index 100% rename from roles/seafile/vars/main.yml rename to ansible/roles/seafile/vars/main.yml diff --git a/roles/ssh/files/ssh_config b/ansible/roles/ssh/files/ssh_config similarity index 100% rename from roles/ssh/files/ssh_config rename to ansible/roles/ssh/files/ssh_config diff --git a/roles/ssh/files/sshd_config b/ansible/roles/ssh/files/sshd_config similarity index 100% rename from roles/ssh/files/sshd_config rename to ansible/roles/ssh/files/sshd_config diff --git a/roles/ssh/meta/main.yml b/ansible/roles/ssh/meta/main.yml similarity index 100% rename from roles/ssh/meta/main.yml rename to ansible/roles/ssh/meta/main.yml diff --git a/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml similarity index 100% rename from roles/ssh/tasks/main.yml rename to ansible/roles/ssh/tasks/main.yml 
diff --git a/roles/static/files/security.txt b/ansible/roles/static/files/security.txt similarity index 100% rename from roles/static/files/security.txt rename to ansible/roles/static/files/security.txt diff --git a/roles/static/meta/main.yml b/ansible/roles/static/meta/main.yml similarity index 100% rename from roles/static/meta/main.yml rename to ansible/roles/static/meta/main.yml diff --git a/roles/static/tasks/main.yml b/ansible/roles/static/tasks/main.yml similarity index 100% rename from roles/static/tasks/main.yml rename to ansible/roles/static/tasks/main.yml diff --git a/roles/static/templates/docker-compose.yml.j2 b/ansible/roles/static/templates/docker-compose.yml.j2 similarity index 100% rename from roles/static/templates/docker-compose.yml.j2 rename to ansible/roles/static/templates/docker-compose.yml.j2 diff --git a/roles/static/templates/nginx.conf.j2 b/ansible/roles/static/templates/nginx.conf.j2 similarity index 100% rename from roles/static/templates/nginx.conf.j2 rename to ansible/roles/static/templates/nginx.conf.j2 diff --git a/roles/static/vars/main.yml b/ansible/roles/static/vars/main.yml similarity index 100% rename from roles/static/vars/main.yml rename to ansible/roles/static/vars/main.yml diff --git a/roles/syncthing/files/cert.pem b/ansible/roles/syncthing/files/cert.pem similarity index 100% rename from roles/syncthing/files/cert.pem rename to ansible/roles/syncthing/files/cert.pem diff --git a/roles/syncthing/files/key.pem b/ansible/roles/syncthing/files/key.pem similarity index 100% rename from roles/syncthing/files/key.pem rename to ansible/roles/syncthing/files/key.pem diff --git a/roles/syncthing/meta/main.yml b/ansible/roles/syncthing/meta/main.yml similarity index 100% rename from roles/syncthing/meta/main.yml rename to ansible/roles/syncthing/meta/main.yml 
diff --git a/roles/syncthing/tasks/main.yml b/ansible/roles/syncthing/tasks/main.yml similarity index 100% rename from roles/syncthing/tasks/main.yml rename to ansible/roles/syncthing/tasks/main.yml diff --git a/roles/syncthing/templates/config.xml.j2 b/ansible/roles/syncthing/templates/config.xml.j2 similarity index 100% rename from roles/syncthing/templates/config.xml.j2 rename to ansible/roles/syncthing/templates/config.xml.j2 diff --git a/roles/syncthing/templates/docker-compose.yml.j2 b/ansible/roles/syncthing/templates/docker-compose.yml.j2 similarity index 100% rename from roles/syncthing/templates/docker-compose.yml.j2 rename to ansible/roles/syncthing/templates/docker-compose.yml.j2 diff --git a/roles/syncthing/vars/main.yml b/ansible/roles/syncthing/vars/main.yml similarity index 100% rename from roles/syncthing/vars/main.yml rename to ansible/roles/syncthing/vars/main.yml diff --git a/roles/traefik/files/services.toml b/ansible/roles/traefik/files/services.toml similarity index 100% rename from roles/traefik/files/services.toml rename to ansible/roles/traefik/files/services.toml diff --git a/roles/traefik/meta/main.yml b/ansible/roles/traefik/meta/main.yml similarity index 100% rename from roles/traefik/meta/main.yml rename to ansible/roles/traefik/meta/main.yml diff --git a/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml similarity index 100% rename from roles/traefik/tasks/main.yml rename to ansible/roles/traefik/tasks/main.yml diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/ansible/roles/traefik/templates/docker-compose.yml.j2 similarity index 100% rename from roles/traefik/templates/docker-compose.yml.j2 rename to ansible/roles/traefik/templates/docker-compose.yml.j2 diff --git a/roles/traefik/templates/traefik.toml.j2 b/ansible/roles/traefik/templates/traefik.toml.j2 similarity index 100% rename from roles/traefik/templates/traefik.toml.j2 rename to ansible/roles/traefik/templates/traefik.toml.j2 
diff --git a/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml similarity index 100% rename from roles/traefik/vars/main.yml rename to ansible/roles/traefik/vars/main.yml diff --git a/roles/watchtower/files/docker-compose.yml b/ansible/roles/watchtower/files/docker-compose.yml similarity index 100% rename from roles/watchtower/files/docker-compose.yml rename to ansible/roles/watchtower/files/docker-compose.yml diff --git a/roles/watchtower/meta/main.yml b/ansible/roles/watchtower/meta/main.yml similarity index 100% rename from roles/watchtower/meta/main.yml rename to ansible/roles/watchtower/meta/main.yml diff --git a/roles/watchtower/tasks/main.yml b/ansible/roles/watchtower/tasks/main.yml similarity index 100% rename from roles/watchtower/tasks/main.yml rename to ansible/roles/watchtower/tasks/main.yml diff --git a/roles/watchtower/vars/main.yml b/ansible/roles/watchtower/vars/main.yml similarity index 100% rename from roles/watchtower/vars/main.yml rename to ansible/roles/watchtower/vars/main.yml diff --git a/util/secret-service-client.sh b/ansible/util/secret-service-client.sh similarity index 100% rename from util/secret-service-client.sh rename to ansible/util/secret-service-client.sh diff --git a/data/main.tf b/terraform/data/main.tf similarity index 100% rename from data/main.tf rename to terraform/data/main.tf diff --git a/main.tf b/terraform/main.tf similarity index 100% rename from main.tf rename to terraform/main.tf From 723bc7ed33f43fa2b6b34a6ec54005132d427742 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 13 Apr 2023 17:45:11 +0200 Subject: [PATCH 09/23] update README.md --- README.md | 56 ++++--------------------------------------------------- 1 file changed, 4 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 48ba78e..b28be77 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,10 @@ # Max -This repository contains Ansible scripts to setup our main home server `max`. -The `common` role executes some common OS tasks. -The `docker` role installs Docker. -The other roles are specifically for the various services we run. +Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible. ## Running services -All services below are running under Docker, except NSD and Borg. +All services below are implemented using Docker: - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/) - Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl)) 
@@ -17,53 +14,8 @@ All services below are running under Docker, except NSD and Borg. - Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl)) - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) -- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org) -- Cyberchef (https://cyberchef.geokunis2.nl) +- Disposable mail server using [Inbucket](https://inbucket.org) +- Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl) - Jitsi Meet (https://meet.jit.si) - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) - -## Virtualization - -Currently this repository is ran as a physical server, but we intend to virtualize it. -First, the whole server should be virtualized on a single virtual machine. -After that, it will be split up into several virtual machines. -The services on each virtual machine should have similar services/security properties. - -Provisional split of services on virtual machines: -- "public web" VM: Mastodon, static HTML server, cyberchef, jitsi meet, inbucket -- "data" VM: seafile, radicale, syncthing, freshrss -- "management" VM: reverse proxy, prometheus, kms -- "git" VM: forgejo. Because forgejo is a somewhat single point of failure, it should have its own VM. - -## Possible future services - -- matrix -- peertube? -- Pixelfed? -- Prometheus -- Concourse CI? - -## TODO - -- Clear view of what services + which versions we are running. This way, we can track security updates better. -- Host tobb website? -- Move from Ubuntu to Debian -- move Mastodon to pim.kunis.nl -- Podman -- Replace watchtower with Podman features - -### NSD - -#### ZSK Rollover - -Could make automatic key rollovers with cron or some other tool. - -#### Idempotency - -Currently I always resign zones. 
-But for idempotency I should probably only do it if the zone has changed or the keys have changed. - -### Firewall - -A little more difficult because of docker networking but probably doable. From b8adaee9d46582d7ce57b92451ffb3f0c4f1bdbe Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 14 Apr 2023 09:38:34 +0200 Subject: [PATCH 10/23] use cloudinit-wait role from git --- ansible/max.yml | 27 +++++---------------------- ansible/requirements.yml | 3 +++ 2 files changed, 8 insertions(+), 22 deletions(-) create mode 100644 ansible/requirements.yml diff --git a/ansible/max.yml b/ansible/max.yml index cc056f1..2d677ff 100644 --- a/ansible/max.yml +++ b/ansible/max.yml @@ -1,28 +1,11 @@ -- name: Setup homeserver +- name: Wait for servers to come up hosts: max gather_facts: no + roles: + - 'cloudinit-wait' - pre_tasks: - - name: Wait for host to come up - tags: always - block: - - name: Wait for SSH connection - wait_for: - state: started - port: 22 - host: max.dmz - timeout: 300 - connect_timeout: 300 - search_regex: OpenSSH - delegate_to: localhost - - name: Wait for cloud-init to finish - shell: - cmd: "cloud-init status --wait" - register: cloudinit - changed_when: "'..' in cloudinit.stdout" - - name: Gather facts - setup: - +- name: Start services + hosts: max roles: - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} diff --git a/ansible/requirements.yml b/ansible/requirements.yml new file mode 100644 index 0000000..5530c9f --- /dev/null +++ b/ansible/requirements.yml @@ -0,0 +1,3 @@ +- name: cloudinit-wait + src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait + scm: git From cd224321df7d01357bc3e3f72a9542ad1bcbef6e Mon Sep 17 00:00:00 2001 
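Review bot: The `cloudinit-wait` role in requirements.yml is fetched from git with no `version:` field, so every `ansible-galaxy install` takes whatever the remote's default branch points at and the first play of max.yml executes unreviewed upstream changes on the host. Pin it to a tag or commit, `version: <tag-or-sha>`, and bump deliberately. Note also that the inline block this replaces carried an explicit `timeout: 300` on the SSH wait; whether the role bounds its wait the same way is not visible here and is worth confirming so a host that never comes up fails the run instead of hanging it.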
From: Pim Kunis Date: Fri, 14 Apr 2023 20:06:29 +0200 Subject: [PATCH 11/23] add overleaf service --- README.md | 1 + ansible/max.yml | 1 + ansible/roles/overleaf/meta/main.yml | 4 + ansible/roles/overleaf/tasks/main.yml | 13 +++ .../overleaf/templates/docker-compose.yml.j2 | 107 ++++++++++++++++++ ansible/roles/overleaf/vars/main.yml | 3 + 6 files changed, 129 insertions(+) create mode 100644 ansible/roles/overleaf/meta/main.yml create mode 100644 ansible/roles/overleaf/tasks/main.yml create mode 100644 ansible/roles/overleaf/templates/docker-compose.yml.j2 create mode 100644 ansible/roles/overleaf/vars/main.yml diff --git a/README.md b/README.md index b28be77..a59720e 100644 --- a/README.md +++ b/README.md @@ -19,3 +19,4 @@ All services below are implemented using Docker: - Jitsi Meet (https://meet.jit.si) - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) +- Latex editor using [Overleaf](https://www.overleaf.com/) diff --git a/ansible/max.yml b/ansible/max.yml index 2d677ff..3bf7cec 100644 --- a/ansible/max.yml +++ b/ansible/max.yml @@ -20,3 +20,4 @@ - {role: 'static', tags: 'static'} - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} + - {role: 'overleaf', tags: 'overleaf'} diff --git a/ansible/roles/overleaf/meta/main.yml b/ansible/roles/overleaf/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/ansible/roles/overleaf/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/overleaf/tasks/main.yml b/ansible/roles/overleaf/tasks/main.yml new file mode 100644 index 0000000..84256ce --- /dev/null +++ b/ansible/roles/overleaf/tasks/main.yml 
@@ -0,0 +1,13 @@
+- name: Create service directory
+ file:
+ path: "{{ service_dir }}"
+ state: directory
+- name: Copy Docker Compose script
+ template:
+ src: "{{ role_path }}/templates/docker-compose.yml.j2"
+ dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+ docker_compose:
+ project_src: "{{ service_dir }}"
+ pull: true
+ remove_orphans: true
diff --git a/ansible/roles/overleaf/templates/docker-compose.yml.j2 b/ansible/roles/overleaf/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..20a3096
--- /dev/null
+++ b/ansible/roles/overleaf/templates/docker-compose.yml.j2
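Review bot: The "Copy Docker Compose script" task renders a file that carries the SMTP user and password for Overleaf but sets no `mode:`, so docker-compose.yml lands on disk with whatever the umask gives, typically world-readable. Add `mode: "0600"` to the `template:` task (and `owner: root` if the directory is not already root-owned) so the rendered secrets are not readable by other local accounts. The same task shape is used by the other roles in this repo, so the fix is worth applying there too.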
@@ -0,0 +1,107 @@ +version: '2.2' + +networks: + traefik: + external: true + internal: + external: false + +services: + sharelatex: + restart: always + image: sharelatex/sharelatex + container_name: sharelatex + networks: + - traefik + - internal + depends_on: + mongo: + condition: service_healthy + redis: + condition: service_started + links: + - mongo + - redis + stop_grace_period: 60s + volumes: + - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex + labels: + - traefik.enable=true + - traefik.http.routers.overleaf.entrypoints=websecure + - traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`) + - traefik.http.routers.overleaf.tls=true + - traefik.http.routers.overleaf.tls.certresolver=letsencrypt + - treafik.http.routers.overleaf.service=overleaf + - traefik.http.services.overleaf.loadbalancer.server.port=80 + - traefik.docker.network=traefik + environment: + SHARELATEX_APP_NAME: Overleaf Community Edition + + SHARELATEX_MONGO_URL: mongodb://mongo:27017/sharelatex + + # Same property, unfortunately with different names in + # different locations + SHARELATEX_REDIS_HOST: redis + REDIS_HOST: redis + + ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file' + + # Enables Thumbnail generation using ImageMagick + ENABLE_CONVERSIONS: 'true' + + # Disables email confirmation requirement + EMAIL_CONFIRMATION_DISABLED: 'true' + + # temporary fix for LuaLaTex compiles + # see https://github.com/overleaf/overleaf/issues/695 + TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var + + ## Set for SSL via nginx-proxy + #VIRTUAL_HOST: 103.112.212.22 + + SHARELATEX_SITE_URL: https://latex.pim.kunis.nl + # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance + # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png + SHARELATEX_ADMIN_EMAIL: pim@kunis.nl + + # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by ShareLaTeX 2016"},{"text": "Another page I want to link to can be found here"} ]' + # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]' + + 
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl" + + SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl" + SHARELATEX_EMAIL_SMTP_PORT: 587 + SHARELATEX_EMAIL_SMTP_USER: "" + SHARELATEX_EMAIL_SMTP_PASS: "" + # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true + # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false + # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1' + # SHARELATEX_EMAIL_SMTP_LOGGER: true + # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x" + + mongo: + restart: always + image: mongo:4.4 + container_name: mongo + networks: + - internal + expose: + - 27017 + volumes: + - {{ data_dir }}/overleaf/mongo_data:/data/db + healthcheck: + test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet + interval: 10s + timeout: 10s + retries: 5 + + redis: + restart: always + image: redis:5 + container_name: redis + networks: + - internal + expose: + - 6379 + volumes: + - {{ data_dir }}/overleaf/redis_data:/data diff --git a/ansible/roles/overleaf/vars/main.yml b/ansible/roles/overleaf/vars/main.yml new file mode 100644 index 0000000..927a1e8 --- /dev/null +++ b/ansible/roles/overleaf/vars/main.yml @@ -0,0 +1,3 @@ +service_name: overleaf +data_dir: "{{ base_data_dir}}/{{service_name}}" +service_dir: "{{ base_service_dir}}/{{service_name}}" From fef821f770fa8175973d6814baa45dfa3c2765de Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 14 Apr 2023 20:10:14 +0200 Subject: [PATCH 12/23] update readme fixed #8 --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a59720e..e5d820f 100644 --- a/README.md +++ b/README.md 
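Review bot: `image: sharelatex/sharelatex` carries no tag, and the role's tasks run `docker_compose` with `pull: true`, so every playbook run silently upgrades Overleaf (and its bundled TeX Live) to whatever `latest` is at that moment, with no review step and no clean rollback; pin it, `image: sharelatex/sharelatex:<release tag>`, and bump on purpose, as the hedgedoc role does with `hedgedoc:1.9.7`. The label `treafik.http.routers.overleaf.service=overleaf` is misspelled and therefore ignored by Traefik; it only works because the container exposes a single service, so correct the prefix to `traefik.`. `SHARELATEX_EMAIL_SMTP_USER`/`_PASS` are empty now, but once filled in they will sit in cleartext in the rendered compose file, so they belong in a vaulted variable like the `session_secret` used elsewhere in this repo. The commented `#VIRTUAL_HOST: 103.112.212.22` upstream example is dead weight and can be dropped.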
@@ -7,11 +7,11 @@ Max is our VM running all of our web servers, provisioned with Terraform and con All services below are implemented using Docker: - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/) -- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl)) -- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl)) +- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl)) +- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl)) - File sychronisation using [Syncthing](https://syncthing.net/) - Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl)) -- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl)) +- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl)) - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd) - Cloud file storage using [Seafile](https://www.seafile.com) - Disposable mail server using [Inbucket](https://inbucket.org) @@ -19,4 +19,4 @@ All services below are implemented using Docker: - Jitsi Meet (https://meet.jit.si) - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) -- Latex editor using [Overleaf](https://www.overleaf.com/) +- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl)) From 58aeaacc67b7edb9d59b08b1c58b2302a570caa3 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sat, 15 Apr 2023 13:04:24 +0200 Subject: [PATCH 13/23] add hedgedoc service close #9 --- README.md | 1 + ansible/max.yml | 1 + ansible/roles/cyberchef/tasks/main.yml | 1 - ansible/roles/forgejo/vars/main.yml | 1 - ansible/roles/hedgedoc/meta/main.yml | 4 ++ ansible/roles/hedgedoc/tasks/main.yml | 22 +++++++++ .../hedgedoc/templates/docker-compose.yml.j2 | 48 +++++++++++++++++++ ansible/roles/hedgedoc/vars/main.yml | 14 ++++++ 8 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/hedgedoc/meta/main.yml create mode 100644 ansible/roles/hedgedoc/tasks/main.yml create mode 100644 ansible/roles/hedgedoc/templates/docker-compose.yml.j2 create mode 100644 ansible/roles/hedgedoc/vars/main.yml diff --git a/README.md b/README.md index e5d820f..4888ae3 100644 --- a/README.md +++ b/README.md @@ -20,3 +20,4 @@ All services below are implemented using Docker: - RSS feed reader using [FreshRSS](https://miniflux.app/) - Metrics using [Prometheus](https://prometheus.io/) - Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl)) +- Markdown editor using [Hedgedoc](https://hedgedoc.org/) diff --git a/ansible/max.yml b/ansible/max.yml index 3bf7cec..f2e06e0 100644 --- a/ansible/max.yml +++ b/ansible/max.yml @@ -21,3 +21,4 @@ - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} - {role: 'overleaf', tags: 'overleaf'} + - {role: 'hedgedoc', tags: 'hedgedoc'} diff --git a/ansible/roles/cyberchef/tasks/main.yml b/ansible/roles/cyberchef/tasks/main.yml index 2518ba7..34ec717 100644 --- a/ansible/roles/cyberchef/tasks/main.yml +++ b/ansible/roles/cyberchef/tasks/main.yml @@ -11,4 +11,3 @@ project_src: "{{ service_dir }}" pull: true remove_orphans: true - diff --git a/ansible/roles/forgejo/vars/main.yml b/ansible/roles/forgejo/vars/main.yml index 38d58cc..7cad12e 100644 --- a/ansible/roles/forgejo/vars/main.yml +++ b/ansible/roles/forgejo/vars/main.yml 
@@ -3,7 +3,6 @@ data_dir: "{{ base_data_dir }}/{{ service_name }}" service_dir: "{{ base_service_dir }}/{{ service_name }}" git_domain: "git.{{ domain_name_pim }}" - forgejo: root_url: "https://{{ git_domain }}" mailer_host: "smtp.tweak.nl" diff --git a/ansible/roles/hedgedoc/meta/main.yml b/ansible/roles/hedgedoc/meta/main.yml new file mode 100644 index 0000000..6b03734 --- /dev/null +++ b/ansible/roles/hedgedoc/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: common + - role: docker + - role: traefik diff --git a/ansible/roles/hedgedoc/tasks/main.yml b/ansible/roles/hedgedoc/tasks/main.yml new file mode 100644 index 0000000..aa5d846 --- /dev/null +++ b/ansible/roles/hedgedoc/tasks/main.yml @@ -0,0 +1,22 @@ +- name: Create service directory + file: + path: "{{ service_dir }}" + state: directory +- name: Copy Docker Compose script + template: + src: "{{ role_path }}/templates/docker-compose.yml.j2" + dest: "{{ service_dir }}/docker-compose.yml" +- name: Create data directory + file: + path: "{{ data_dir }}" + state: directory +- name: Create uploads directory + file: + path: "{{ data_dir }}/uploads" + state: directory + mode: 0777 +- name: Start the Docker Compose + docker_compose: + project_src: "{{ service_dir }}" + pull: true + remove_orphans: true diff --git a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..bc7f6f5 --- /dev/null +++ b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 
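Review bot: `mode: 0777` on the hedgedoc uploads directory makes it world-writable on the host, so any local account or any other container with a bind mount into that tree can plant files that HedgeDoc then serves under `/uploads`. Own the directory by the uid the hedgedoc container runs as and keep it `0755`, e.g. `owner: <container uid>`, `mode: "0755"`; the uid is presumably fixed in the image (TODO confirm). Quoting the mode also avoids the YAML integer/octal pitfall. Separately, the "Copy Docker Compose script" task renders `CMD_SESSION_SECRET` and the database password into docker-compose.yml with the default file mode; give that `template:` task `mode: "0600"`.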
@@ -0,0 +1,48 @@
+version: '3'
+
+networks:
+ traefik:
+ external: true
+ internal:
+ external: false
+
+services:
+ database:
+ image: postgres:13.4-alpine
+ environment:
+ - POSTGRES_USER=hedgedoc
+ - POSTGRES_PASSWORD=password
+ - POSTGRES_DB=hedgedoc
+ volumes:
+ - {{ data_dir }}/database:/var/lib/postgresql/data
+ restart: always
+ networks:
+ - internal
+ app:
+ image: quay.io/hedgedoc/hedgedoc:1.9.7
+ environment:
+ - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
+ - CMD_DOMAIN={{ hedgedoc_domain }}
+ - CMD_PORT=3000
+ - CMD_URL_ADDPORT=false
+ - CMD_ALLOW_ANONYMOUS=true
+ - CMD_ALLOW_EMAIL_REGISTER=false
+ - CMD_PROTOCOL_USESSL=true
+ - CMD_SESSION_SECRET={{ session_secret }}
+ volumes:
+ - {{ data_dir }}/uploads:/hedgedoc/public/uploads
+ restart: always
+ depends_on:
+ - database
+ networks:
+ - traefik
+ - internal
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.hedgedoc.entrypoints=websecure
+ - traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`)
+ - traefik.http.routers.hedgedoc.tls=true
+ - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
+ - treafik.http.routers.hedgedoc.service=hedgedoc
+ - traefik.http.services.hedgedoc.loadbalancer.server.port=3000
+ - traefik.docker.network=traefik
diff --git a/ansible/roles/hedgedoc/vars/main.yml b/ansible/roles/hedgedoc/vars/main.yml
new file mode 100644
index 0000000..10f93d8
--- /dev/null
+++ b/ansible/roles/hedgedoc/vars/main.yml
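Review bot: The label `treafik.http.routers.hedgedoc.service=hedgedoc` is misspelled, so Traefik never sees it; change it to `traefik.http.routers.hedgedoc.service=hedgedoc` (it presumably works today only because Traefik attaches the container's single service by default). The database password is the literal `password` in both `POSTGRES_PASSWORD` and `CMD_DB_URL`, while `CMD_SESSION_SECRET` on the same service is already taken from a vaulted variable; giving the password the same treatment, a vaulted variable such as `{{ hedgedoc_db_password }}` referenced in both places, keeps the template consistent and keeps the credential out of git. The database sits on the `internal` network only, so exposure is limited to the host, but the credential is still shared with every other container attached to that network.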
@@ -0,0 +1,14 @@ +service_name: hedgedoc +data_dir: "{{ base_data_dir }}/{{ service_name }}" +service_dir: "{{ base_service_dir }}/{{ service_name }}" +hedgedoc_domain: "md.{{ domain_name_pim }}" +session_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30633835386265643561343033326536653166343630396139303137613138383233666565666330 + 3032613865333836656566626435383165396539323837350a376331306464643766373839386638 + 65653865343539633636323833343964636332636461386434386432306230343833343431363134 + 6563373138626637650a633932313862326231666330343662343765666166373961376237396434 + 33396131353830323063326266623862353731653665626466653335656434303033353333353164 + 61613535373037646565386131383631366338616565373261396136616433393462313537313861 + 35313661616365373231373963323865393635626132343138363230313431636333363130346239 + 32656335333635613736 From aa0987593e5fdde0a32586ded38dffe801b42efe Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 16 Apr 2023 12:15:39 +0200 Subject: [PATCH 14/23] change overleaf container names closes #23 --- .../overleaf/templates/docker-compose.yml.j2 | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/ansible/roles/overleaf/templates/docker-compose.yml.j2 b/ansible/roles/overleaf/templates/docker-compose.yml.j2 index 20a3096..d4c9546 100644 --- a/ansible/roles/overleaf/templates/docker-compose.yml.j2 +++ b/ansible/roles/overleaf/templates/docker-compose.yml.j2 @@ -10,18 +10,18 @@ services: sharelatex: restart: always image: sharelatex/sharelatex - container_name: sharelatex + container_name: overleaf networks: - traefik - internal depends_on: - mongo: + overleaf-mongodb: condition: service_healthy - redis: + overleaf-redis: condition: service_started links: - - mongo - - redis + - overleaf-mongodb + - overleaf-redis stop_grace_period: 60s volumes: - {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex 
@@ -37,12 +37,12 @@ services: environment: SHARELATEX_APP_NAME: Overleaf Community Edition - SHARELATEX_MONGO_URL: mongodb://mongo:27017/sharelatex + SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex # Same property, unfortunately with different names in # different locations - SHARELATEX_REDIS_HOST: redis - REDIS_HOST: redis + SHARELATEX_REDIS_HOST: overleaf-redis + REDIS_HOST: overleaf-redis ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file' @@ -79,10 +79,10 @@ services: # SHARELATEX_EMAIL_SMTP_LOGGER: true # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x" - mongo: + overleaf-mongodb: restart: always image: mongo:4.4 - container_name: mongo + container_name: overleaf-mongodb networks: - internal expose: @@ -95,10 +95,10 @@ services: timeout: 10s retries: 5 - redis: + overleaf-redis: restart: always image: redis:5 - container_name: redis + container_name: overleaf-redis networks: - internal expose: From 72d07aac36323b83584a64dd9cd18f8ae07a1631 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 16 Apr 2023 12:21:10 +0200 Subject: [PATCH 15/23] change hedgedoc container names closes #24 --- ansible/roles/hedgedoc/templates/docker-compose.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 index bc7f6f5..2926b4a 100644 --- a/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 +++ b/ansible/roles/hedgedoc/templates/docker-compose.yml.j2 @@ -9,6 +9,7 @@ networks: services: database: image: postgres:13.4-alpine + container_name: hedgedoc-database environment: - POSTGRES_USER=hedgedoc - POSTGRES_PASSWORD=password @@ -18,8 +19,10 @@ services: restart: always networks: - internal + app: image: quay.io/hedgedoc/hedgedoc:1.9.7 + container_name: hedgedoc environment: - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DOMAIN={{ hedgedoc_domain }} 
From 69cf0a1d4b6a3f3bdf115b1c157ebf9fd4dc4d0e Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 17 Apr 2023 19:01:42 +0200 Subject: [PATCH 16/23] cleanup --- ansible/max.yml | 12 ++++++ ansible/requirements.yml | 4 +- ansible/roles/common/tasks/main.yml | 17 -------- ansible/roles/cyberchef/meta/main.yml | 4 +- ansible/roles/firewall/tasks/main.yml | 16 -------- ansible/roles/forgejo/meta/main.yml | 2 - ansible/roles/freshrss/meta/main.yml | 2 - ansible/roles/hedgedoc/meta/main.yml | 2 - ansible/roles/inbucket/meta/main.yml | 2 - ansible/roles/jitsi/meta/main.yml | 2 - ansible/roles/kms/meta/main.yml | 2 - ansible/roles/mastodon/meta/main.yml | 2 - ansible/roles/overleaf/meta/main.yml | 2 - ansible/roles/prometheus/meta/main.yml | 1 - ansible/roles/radicale/meta/main.yml | 2 - ansible/roles/seafile/meta/main.yml | 2 - ansible/roles/ssh/files/ssh_config | 54 -------------------------- ansible/roles/ssh/files/sshd_config | 41 ------------------- ansible/roles/ssh/meta/main.yml | 2 - ansible/roles/ssh/tasks/main.yml | 16 -------- ansible/roles/static/meta/main.yml | 2 - ansible/roles/syncthing/meta/main.yml | 1 - ansible/roles/traefik/meta/main.yml | 1 - ansible/roles/watchtower/meta/main.yml | 2 - 24 files changed, 15 insertions(+), 178 deletions(-) delete mode 100644 ansible/roles/common/tasks/main.yml delete mode 100644 ansible/roles/firewall/tasks/main.yml delete mode 100644 ansible/roles/ssh/files/ssh_config delete mode 100644 ansible/roles/ssh/files/sshd_config delete mode 100644 ansible/roles/ssh/meta/main.yml delete mode 100644 ansible/roles/ssh/tasks/main.yml diff --git a/ansible/max.yml b/ansible/max.yml index f2e06e0..b45bdd2 100644 --- a/ansible/max.yml +++ b/ansible/max.yml 
@@ -6,7 +6,19 @@ - name: Start services hosts: max + pre_tasks: + - name: Create base service directory + file: + path: "{{ base_service_dir }}" + state: directory + - name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" roles: + - {role: 'setup-apt', tags: 'setup-apt'} - {role: 'watchtower', tags: 'watchtower'} - {role: 'forgejo', tags: 'forgejo'} - {role: 'syncthing', tags: 'syncthing'} diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 5530c9f..971722f 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1,3 +1,3 @@ -- name: cloudinit-wait - src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait +- name: setup-apt + src: https://github.com/sunscrapers/ansible-role-apt.git scm: git diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml deleted file mode 100644 index b8f79d0..0000000 --- a/ansible/roles/common/tasks/main.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: APT upgrade - apt: - autoremove: true - upgrade: yes - state: latest - update_cache: yes - cache_valid_time: 86400 # One day -- name: Create base service directory - file: - path: "{{ base_service_dir }}" - state: directory -- name: Delete externally managed environment file - shell: - cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" - register: rm - changed_when: "rm.rc == 0" - failed_when: "false" diff --git a/ansible/roles/cyberchef/meta/main.yml b/ansible/roles/cyberchef/meta/main.yml index 7f5b1d3..cb0cd84 100644 --- a/ansible/roles/cyberchef/meta/main.yml +++ b/ansible/roles/cyberchef/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - \ No newline at end of file + - role: traefik diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml deleted file mode 100644 index 6b6bcb4..0000000 --- a/ansible/roles/firewall/tasks/main.yml +++ /dev/null 
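Review bot: The `Delete externally managed environment file` pre-task runs `rm /usr/lib/python*/EXTERNALLY-MANAGED` through `shell` with `failed_when: "false"`, so any failure (a wrong glob, a read-only filesystem) is silently swallowed, and removing that marker disables the PEP 668 guard system-wide rather than only for the one `pip` install that appears to need it. Resolving the path with the `find` module and deleting it with `file: state: absent` keeps the task idempotent and reports real errors, and passing `extra_args: --break-system-packages` to that `pip` task, or installing into a venv, avoids touching the marker at all. In the `requirements.yml` hunk the new `setup-apt` role is pulled from a third-party GitHub repository with no `version:` pin, so every `ansible-galaxy install` fetches whatever the branch head is at the time; pin it with `version: <tag-or-commit>`, and the same applies to the roles added in the later `requirements.yml` hunk of the "put docker role in separate repo" patch.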
@@ -1,16 +0,0 @@ -- name: Install firewalld - apt: - pkg: - - firewalld - state: latest - update_cache: true -- name: Allow SSH - firewalld: - service: ssh - permanent: yes - state: enabled -- name: Start firewalld - systemd: - enabled: true - name: sshd - state: started diff --git a/ansible/roles/forgejo/meta/main.yml b/ansible/roles/forgejo/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/forgejo/meta/main.yml +++ b/ansible/roles/forgejo/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/freshrss/meta/main.yml b/ansible/roles/freshrss/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/freshrss/meta/main.yml +++ b/ansible/roles/freshrss/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/hedgedoc/meta/main.yml b/ansible/roles/hedgedoc/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/hedgedoc/meta/main.yml +++ b/ansible/roles/hedgedoc/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/inbucket/meta/main.yml b/ansible/roles/inbucket/meta/main.yml index 7f5b1d3..6ad37f8 100644 --- a/ansible/roles/inbucket/meta/main.yml +++ b/ansible/roles/inbucket/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - role: docker - \ No newline at end of file diff --git a/ansible/roles/jitsi/meta/main.yml b/ansible/roles/jitsi/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/jitsi/meta/main.yml +++ b/ansible/roles/jitsi/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/kms/meta/main.yml b/ansible/roles/kms/meta/main.yml index 7f5b1d3..6ad37f8 100644 --- a/ansible/roles/kms/meta/main.yml +++ b/ansible/roles/kms/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - role: docker - \ No newline at end of file 
diff --git a/ansible/roles/mastodon/meta/main.yml b/ansible/roles/mastodon/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/mastodon/meta/main.yml +++ b/ansible/roles/mastodon/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/overleaf/meta/main.yml b/ansible/roles/overleaf/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/overleaf/meta/main.yml +++ b/ansible/roles/overleaf/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/prometheus/meta/main.yml b/ansible/roles/prometheus/meta/main.yml index 090690b..6ad37f8 100644 --- a/ansible/roles/prometheus/meta/main.yml +++ b/ansible/roles/prometheus/meta/main.yml @@ -1,3 +1,2 @@ dependencies: - - role: common - role: docker diff --git a/ansible/roles/radicale/meta/main.yml b/ansible/roles/radicale/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/radicale/meta/main.yml +++ b/ansible/roles/radicale/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/seafile/meta/main.yml b/ansible/roles/seafile/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/seafile/meta/main.yml +++ b/ansible/roles/seafile/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/ssh/files/ssh_config b/ansible/roles/ssh/files/ssh_config deleted file mode 100644 index 9ea50e1..0000000 --- a/ansible/roles/ssh/files/ssh_config +++ /dev/null 
@@ -1,54 +0,0 @@ -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -Include /etc/ssh/ssh_config.d/*.conf - -Host * -# ForwardAgent no -# ForwardX11 no -# ForwardX11Trusted yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# GSSAPIKeyExchange no -# GSSAPITrustDNS no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# IdentityFile ~/.ssh/id_ecdsa -# IdentityFile ~/.ssh/id_ed25519 -# Port 22 -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com -# EscapeChar ~ -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no -# ProxyCommand ssh -q -W %h:%p gateway.example.com -# RekeyLimit 1G 1h -# UserKnownHostsFile ~/.ssh/known_hosts.d/%k - SendEnv LANG LC_* - -# set HashKnownHosts to no to make known_hosts human readable and reviewable. -# HashKnownHosts yes -# GSSAPIAuthentication yes diff --git a/ansible/roles/ssh/files/sshd_config b/ansible/roles/ssh/files/sshd_config deleted file mode 100644 index e532138..0000000 --- a/ansible/roles/ssh/files/sshd_config +++ /dev/null 
@@ -1,41 +0,0 @@ -Include /etc/ssh/sshd_config.d/*.conf - -HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -HostKeyAlgorithms ssh-ed25519 -CASignatureAlgorithms ssh-ed25519 -HostbasedAcceptedKeyTypes ssh-ed25519 -HostKeyAlgorithms ssh-ed25519 -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org -Ciphers chacha20-poly1305@openssh.com -MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -KbdInteractiveAuthentication no - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -UsePAM yes - -X11Forwarding yes -PrintMotd no - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -# override default of no subsystems -Subsystem sftp /usr/lib/openssh/sftp-server - diff --git a/ansible/roles/ssh/meta/main.yml b/ansible/roles/ssh/meta/main.yml deleted file mode 100644 index 9711b33..0000000 --- a/ansible/roles/ssh/meta/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -dependencies: - - role: common diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml deleted file mode 100644 index 9c7311c..0000000 --- a/ansible/roles/ssh/tasks/main.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -- name: Copy sshd config - copy: - src: "{{ role_path }}/files/sshd_config" - dest: /etc/ssh/sshd_config - register: sshd_config -- name: Copy ssh config - copy: - src: "{{ role_path }}/files/ssh_config" - dest: /etc/ssh/ssh_config - register: ssh_config -- name: Restart SSH service - systemd: - enabled: true - name: sshd - state: reloaded - when: sshd_config.changed diff --git a/ansible/roles/static/meta/main.yml b/ansible/roles/static/meta/main.yml index 6b03734..cb0cd84 100644 --- a/ansible/roles/static/meta/main.yml +++ b/ansible/roles/static/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - - role: docker - role: traefik diff --git a/ansible/roles/syncthing/meta/main.yml b/ansible/roles/syncthing/meta/main.yml index 090690b..6ad37f8 100644 --- a/ansible/roles/syncthing/meta/main.yml +++ b/ansible/roles/syncthing/meta/main.yml @@ -1,3 +1,2 @@ dependencies: - - role: common - role: docker diff --git a/ansible/roles/traefik/meta/main.yml b/ansible/roles/traefik/meta/main.yml index 090690b..6ad37f8 100644 --- a/ansible/roles/traefik/meta/main.yml +++ b/ansible/roles/traefik/meta/main.yml @@ -1,3 +1,2 @@ dependencies: - - role: common - role: docker diff --git a/ansible/roles/watchtower/meta/main.yml b/ansible/roles/watchtower/meta/main.yml index 7f5b1d3..6ad37f8 100644 --- a/ansible/roles/watchtower/meta/main.yml +++ b/ansible/roles/watchtower/meta/main.yml @@ -1,4 +1,2 @@ dependencies: - - role: common - role: docker - \ No newline at end of file From bf094a02d668d185f4554fa2dab6b10c9e7664da Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Mon, 17 Apr 2023 19:35:33 +0200 Subject: [PATCH 17/23] put docker role in separate repo --- ansible/inventory/host_vars/max.yml | 6 +++- ansible/requirements.yml | 6 ++++ ansible/roles/docker/files/daemon.json | 7 ----- ansible/roles/docker/tasks/main.yml | 41 -------------------------- 4 files changed, 11 insertions(+), 49 deletions(-) delete mode 100644 ansible/roles/docker/files/daemon.json delete mode 100644 ansible/roles/docker/tasks/main.yml diff --git a/ansible/inventory/host_vars/max.yml b/ansible/inventory/host_vars/max.yml index 55ff4c3..d77112b 100644 --- a/ansible/inventory/host_vars/max.yml +++ b/ansible/inventory/host_vars/max.yml @@ -1,5 +1,6 @@ base_data_dir: /mnt/data base_service_dir: /srv +domain_name_pim: pim.kunis.nl # Additional open ports jitsi_videobridge_port: 54562 @@ -8,4 +9,7 @@ prometheus_port: 8081 traefik_api_port: 8080 internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container. -domain_name_pim: pim.kunis.nl +docker_daemon_config: + default-address-pools: + - base: "10.204.0.0/16" + size: 24 diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 971722f..b799430 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1,3 +1,9 @@ - name: setup-apt src: https://github.com/sunscrapers/ansible-role-apt.git scm: git +- name: cloudinit-wait + src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait + scm: git +- name: docker + src: https://git.pim.kunis.nl/pim/ansible-role-docker + scm: git diff --git a/ansible/roles/docker/files/daemon.json b/ansible/roles/docker/files/daemon.json deleted file mode 100644 index 10fc298..0000000 --- a/ansible/roles/docker/files/daemon.json +++ /dev/null @@ -1,7 +0,0 @@ -{ -"default-address-pools": -[ -{"base":"10.204.0.0/16","size":24} - -] -} diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml deleted file mode 100644 index 7b7b88b..0000000 
--- a/ansible/roles/docker/tasks/main.yml +++ /dev/null @@ -1,41 +0,0 @@ -- name: Install Docker prerequisites - apt: - pkg: - - ca-certificates - - curl - - gnupg - - lsb-release - - python3-pip -- name: Add Docker APT key - apt_key: - url: https://download.docker.com/linux/ubuntu/gpg - keyring: /etc/apt/keyrings/docker.gpg -- name: Add Docker repository - apt_repository: - repo: "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable" - register: apt_repository -- name: Update APT cache - apt: - update_cache: true - when: apt_repository.changed -- name: Install Docker packages - apt: - pkg: - - docker-ce - - docker-ce-cli - - containerd.io - - docker-compose-plugin -- name: Install Docker modules for Python - pip: - name: - - docker - - docker-compose -- name: Copy daemon.json - copy: - src: "{{ role_path }}/files/daemon.json" - dest: /etc/docker/daemon.json -- name: Start Docker - systemd: - name: docker - enabled: true - state: started From 2cc35feebbcae9af1ad09d5488e84265ab66b34b Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 24 Apr 2023 13:07:54 +0200 Subject: [PATCH 18/23] increase disk size in Terraform as well --- terraform/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/main.tf b/terraform/main.tf index c8b495b..07ed2a7 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -22,4 +22,5 @@ module "tf-datatest" { data_disk = "/kvm/data/max-data" memory = 1024 * 8 mac = "CA:FE:C0:FF:EE:03" + disk_size = 1024 * 1024 * 1024 * 30 } From e6f64d4f4decefa90255cf30569ef6e2defaf45c Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 24 Apr 2023 13:31:27 +0200 Subject: [PATCH 19/23] rename TF module closes #18 --- terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/main.tf b/terraform/main.tf index 07ed2a7..569d5b1 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -15,7 +15,7 @@ provider "libvirt" { uri = "qemu+ssh://root@atlas.lan/system" } -module "tf-datatest" { +module "tf-max" { source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" name = "max" domain_name = "tf-max" From 37fe3937e57d5454cb3c20c8f39fe8d91438b2a5 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 24 Apr 2023 13:47:18 +0200 Subject: [PATCH 20/23] save LE certificates on data disk closes #25 --- ansible/roles/traefik/tasks/main.yml | 6 +++++- ansible/roles/traefik/templates/docker-compose.yml.j2 | 2 +- ansible/roles/traefik/vars/main.yml | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml index 9ba3f0f..0341de3 100644 --- a/ansible/roles/traefik/tasks/main.yml +++ b/ansible/roles/traefik/tasks/main.yml @@ -2,10 +2,14 @@ file: path: "{{ service_dir }}" state: directory +- name: Create data directory + file: + path: "{{ data_dir }}" + state: directory - name: Create acme file copy: content: "" - dest: "{{ service_dir }}/acme.json" + dest: "{{ data_dir }}/acme.json" force: no mode: 0600 - name: Copy Docker Compose script diff --git a/ansible/roles/traefik/templates/docker-compose.yml.j2 b/ansible/roles/traefik/templates/docker-compose.yml.j2 index 9b18732..6306437 100644 --- a/ansible/roles/traefik/templates/docker-compose.yml.j2 +++ b/ansible/roles/traefik/templates/docker-compose.yml.j2 @@ -18,7 +18,7 @@ services: - /var/run/docker.sock:/var/run/docker.sock - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml - {{ service_dir }}/services.toml:/etc/traefik/services.toml - - {{ service_dir }}/acme.json:/acme.json + - {{ data_dir }}/acme.json:/acme.json networks: - traefik labels: diff --git a/ansible/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml index 2e1116f..0569770 100644 --- a/ansible/roles/traefik/vars/main.yml +++ b/ansible/roles/traefik/vars/main.yml 
@@ -1,2 +1,3 @@ service_name: traefik service_dir: "{{ base_service_dir }}/{{ service_name }}" +data_dir: "{{ base_data_dir }}/{{ service_name }}" From 8a634be9ab41cc75a61d59a2842e3e350aab238f Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 26 Apr 2023 14:53:57 +0200 Subject: [PATCH 21/23] move to virtiofs shared directory --- ansible/roles/forgejo/templates/app.ini.j2 | 1 + terraform/data/main.tf | 2 +- terraform/main.tf | 17 ++++++++--------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/ansible/roles/forgejo/templates/app.ini.j2 b/ansible/roles/forgejo/templates/app.ini.j2 index 3220c38..b427df5 100644 --- a/ansible/roles/forgejo/templates/app.ini.j2 +++ b/ansible/roles/forgejo/templates/app.ini.j2 @@ -39,6 +39,7 @@ CHARSET = utf8 [indexer] ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve +ISSUE_INDEXER_TYPE = db [session] PROVIDER_CONFIG = /data/gitea/sessions diff --git a/terraform/data/main.tf b/terraform/data/main.tf index 1961de5..e0e6f62 100644 --- a/terraform/data/main.tf +++ b/terraform/data/main.tf @@ -12,7 +12,7 @@ terraform { } provider "libvirt" { - uri = "qemu+ssh://root@atlas.lan/system" + uri = "qemu+ssh://root@atlas.hyp/system" } resource "libvirt_volume" "data" { diff --git a/terraform/main.tf b/terraform/main.tf index 569d5b1..4f9e7e2 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -12,15 +12,14 @@ terraform { } provider "libvirt" { - uri = "qemu+ssh://root@atlas.lan/system" + uri = "qemu+ssh://root@atlas.hyp/system" } -module "tf-max" { - source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" - name = "max" - domain_name = "tf-max" - data_disk = "/kvm/data/max-data" - memory = 1024 * 8 - mac = "CA:FE:C0:FF:EE:03" - disk_size = 1024 * 1024 * 1024 * 30 +module "debian" { + source = "/home/pim/repos/tf-modules/debian" + name = "max" + domain_name = "tf-max" + memory = 1024 * 8 + mac = "CA:FE:C0:FF:EE:03" + disk_size = 1024 * 1024 * 1024 * 30 } 
From c25e4ca41dfead2db5fc8acac48c147cafdec5b1 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 26 Apr 2023 14:59:04 +0200 Subject: [PATCH 22/23] fix terraform module source --- terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/main.tf b/terraform/main.tf index 4f9e7e2..9239f9d 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -16,7 +16,7 @@ provider "libvirt" { } module "debian" { - source = "/home/pim/repos/tf-modules/debian" + source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian" name = "max" domain_name = "tf-max" memory = 1024 * 8 From a57d59ac04ef9f6432efd95349b1156b65e88117 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 26 Apr 2023 16:07:40 +0200 Subject: [PATCH 23/23] remove data volume --- terraform/data/main.tf | 30 ------------------------------ 1 file changed, 30 deletions(-) delete mode 100644 terraform/data/main.tf diff --git a/terraform/data/main.tf b/terraform/data/main.tf deleted file mode 100644 index e0e6f62..0000000 --- a/terraform/data/main.tf +++ /dev/null @@ -1,30 +0,0 @@ -terraform { - backend "pg" { - schema_name = "max-data" - conn_str = "postgres://terraform@10.42.0.1/terraform_state" - } - - required_providers { - libvirt = { - source = "dmacvicar/libvirt" - } - } -} - -provider "libvirt" { - uri = "qemu+ssh://root@atlas.hyp/system" -} - -resource "libvirt_volume" "data" { - name = "max-data" - pool = "data" - size = 1024 * 1024 * 1024 * 65 - - lifecycle { - prevent_destroy = true - } -} - -output "data_disk_id" { - value = libvirt_volume.data.id -}