README.md

@@ -1,8 +1,8 @@
 # Ansible scripts for our private Intel NUC servers
 ## TODO
-
 ### nsd
 
+- Change IPv6 addresses
 - ZSK rollover.
 - I always resign the zone, even if nothing has changed.
 I could check whether the zone has changed or new keys were generated but that is kind of difficult.

inventory/group_vars/nucs.yml

@@ -1,2 +1 @@
-base_data_dir: /data
+# Group variables for nucs group
-base_service_dir: /srv

roles/common/files/resolv.conf

@@ -1,4 +1,3 @@
-nameserver 192.168.30.1
 nameserver 1.1.1.1
 nameserver 1.0.0.1
 search lan

roles/common/tasks/main.yml

@@ -5,13 +5,13 @@
     state: latest
     update_cache: yes
     cache_valid_time: 86400 # One day
-- name: Create base data directory
+- name: Create /data directory
   file:
-    path: "{{ base_data_dir }}"
+    path: /data
     state: directory
-- name: Create base service directory
+- name: Create /apps directory
   file:
-    path: "{{ base_service_dir }}"
+    path: /apps
     state: directory
 - name: Disable systemd-resolved
   systemd:

roles/docker/tasks/main.yml

@@ -29,8 +29,3 @@
     name:
       - docker
       - docker-compose
-- name: Start Docker
-  systemd:
-    name: docker
-    enabled: true
-    state: started

roles/forgejo/files/docker-compose.yml

@@ -15,8 +15,8 @@ services:
     networks:
       - traefik
     volumes:
-      - {{ data_dir }}:/data
+      - /data/forgejo:/data
-      - {{ service_dir }}/conf:/data/gitea/conf
+      - /apps/forgejo/conf:/data/gitea/conf
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     labels:

roles/forgejo/tasks/main.yml

@@ -1,31 +1,31 @@
 - name: Create app directory
   file:
-    path: "{{ service_dir }}"
+    path: /apps/forgejo
     state: directory
 - name: Copy Docker Compose script
-  template:
+  copy:
-    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    src: "{{ role_path }}/files/docker-compose.yml"
-    dest: "{{ service_dir }}/docker-compose.yml"
+    dest: /apps/forgejo/docker-compose.yml
 - name: Create data directory
   file:
-    path: "{{ data_dir }}"
+    path: /data/forgejo
     state: directory
     owner: 1000
     group: 1000
 - name: Copy conf directory
   file:
-    path: "{{ service_dir }}/conf"
+    path: /apps/forgejo/conf
     state: directory
     owner: 1000
     group: 1000
 - name: Copy app.ini
   template:
     src: "{{ role_path }}/templates/app.ini"
-    dest: "{{ service_dir }}/conf/app.ini"
+    dest: /apps/forgejo/conf/app.ini
   register: config
 - name: Start the Docker Compose
-  docker_compose:
+  community.docker.docker_compose:
-    project_src: "{{ service_dir }}"
+    project_src: /apps/forgejo
     pull: true
     remove_orphans: true
     restarted: "{{ config.changed }}"

roles/forgejo/vars/main.yml

@@ -1,7 +1,3 @@
-service_name: forgejo
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-
 forgejo:
   root_url: "https://git.pizzapim.nl"
   mailer_host: "smtp.tweak.nl"

roles/kms/tasks/main.yml

@@ -1,14 +1,14 @@
 - name: Create app directory
   file:
-    path: "{{ service_dir }}"
+    path: /apps/kms
     state: directory
 - name: Copy Docker Compose script
   copy:
     src: "{{ role_path }}/files/docker-compose.yml"
-    dest: "{{ service_dir }}/docker-compose.yml"
+    dest: /apps/kms/docker-compose.yml
 - name: Start the Docker Compose
-  docker_compose:
+  community.docker.docker_compose:
-    project_src: "{{ service_dir }}"
+    project_src: /apps/kms
     pull: true
     remove_orphans: true
 

roles/kms/vars/main.yml

@@ -1,2 +0,0 @@
-service_name: kms
-service_dir: "{{ base_service_dir }}/{{ service_name }}"

roles/mastodon/tasks/main.yml

@@ -1,22 +1,22 @@
 - name: Create Mastodon app directory
   file:
-    path: "{{ service_dir }}"
+    path: /apps/mastodon
     state: directory
 - name: Copy .env.production
   copy:
     src: "{{ role_path }}/files/.env.production"
-    dest: "{{ service_dir }}.env.production"
+    dest: /apps/mastodon/.env.production
 - name: Copy Docker Compose script
   template:
     src: "{{ role_path }}/templates/docker-compose.yml.j2"
-    dest: "{{ service_dir }}/docker-compose.yml"
+    dest: /apps/mastodon/docker-compose.yml
 - name: Create Mastodon data directory
   file:
-    path: "{{ data_dir }}"
+    path: /data/mastodon
     state: directory
     mode: 0777
 - name: Start Docker Compose
   docker_compose:
-    project_src: "{{ service_dir }}"
+    project_src: /apps/mastodon
     pull: true
     remove_orphans: true

roles/mastodon/templates/docker-compose.yml.j2

@@ -9,7 +9,7 @@ services:
     healthcheck:
       test: ['CMD', 'pg_isready', '-U', 'postgres']
     volumes:
-      - {{ data_dir }}/postgres14:/var/lib/postgresql/data
+      - /data/mastodon/postgres14:/var/lib/postgresql/data
     environment:
       - 'POSTGRES_HOST_AUTH_METHOD=trust'
       - 'POSTGRES_PASSWORD={{ mastodon_postgres_password }}'
@@ -24,7 +24,7 @@ services:
     healthcheck:
       test: ['CMD', 'redis-cli', 'ping']
     volumes:
-      - {{ data_dir }}/redis:/data
+      - /data/mastodon/redis:/data
     environment:
       - 'REDIS_PASSWORD={{ mastodon_redis_password }}'
 
@@ -46,7 +46,7 @@ services:
       - db
       - redis
     volumes:
-      - {{ data_dir }}/public/system:/mastodon/public/system
+      - /data/mastodon/public/system:/mastodon/public/system
     labels:
       - traefik.http.routers.mastodon.entrypoints=websecure
       - traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`)
@@ -91,7 +91,7 @@ services:
     networks:
       - default
     volumes:
-      - {{ data_dir }}/public/system:/mastodon/public/system
+      - /data/mastodon/public/system:/mastodon/public/system
     healthcheck:
       test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
 

roles/mastodon/vars/main.yml

@@ -1,7 +1,3 @@
-service_name: mastodon
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-
 mastodon_postgres_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           34643131323762373635383736636432643161646130373565333432323337646435656233383131

roles/nsd/files/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '3.7'
+
+services:
+  nsd:
+    container_name: nsd
+    restart: always
+    image: ghcr.io/the-kube-way/nsd:v4.6.0
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /var/db/nsd
+    volumes:
+      - /apps/nsd/conf:/etc/nsd:ro
+      - /apps/nsd/zones:/zones
+      - /apps/nsd/keys:/keys
+    ports:
+      - 53:53
+      - 53:53/udp

roles/nsd/files/nsd.conf

@@ -1,11 +1,8 @@
 server:
-        ip-address: enp3s0
         server-count: 1
         verbosity: 1
         hide-version: yes
-        zonesdir: "/etc/nsd/zones"
+        zonesdir: "/zones"
-        ip-transparent: yes
-        ip-freebind: yes
 
 zone:
         name: pizzapim.nl

roles/nsd/files/zones/geokunis2.nl

@@ -1,18 +1,19 @@
 $ORIGIN geokunis2.nl.
 $TTL 60
 
-geokunis2.nl.	IN	SOA	ns.geokunis2.nl. niels.kunis.nl. 2023010601 1800 3600 1209600 3600
+geokunis2.nl.	IN	SOA	ns.geokunis2.nl. niels.kunis.nl. 2022103001 1800 3600 1209600 3600
 			NS	ns.geokunis2.nl.
 			NS	ns0.transip.net.
 			NS	ns1.transip.nl.
 			NS	ns2.transip.eu.
-			A	84.245.14.149
+			A	82.197.212.198
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e
 			MX	0 .
 			TXT	"v=spf1 -all"
 			CAA	0 issue "letsencrypt.org"
 jenl		IN	A	217.123.41.225
-kms			IN	A	84.245.14.149
+kms		IN	A	82.197.212.198
+ovh		IN	A	57.128.45.138
 _dmarc		IN	TXT	"v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
-ns			A	84.245.14.149
+ns			A	82.197.212.198
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e

roles/nsd/files/zones/pizzapim.nl

@@ -1,24 +1,26 @@
 $ORIGIN pizzapim.nl.
 $TTL 60
 
-pizzapim.nl.	IN 	SOA	ns.pizzapim.nl. pim.kunis.nl. 2023010701 1800 3600 1209600 3600
+pizzapim.nl.	IN 	SOA	ns.pizzapim.nl. pim.kunis.nl. 2022122900 1800 3600 1209600 3600
 
 			NS	ns.pizzapim.nl.
 			NS	ns0.transip.net.
 			NS	ns1.transip.nl.
 			NS	ns2.transip.eu.
-			A	84.245.14.149
+			A	82.197.212.198
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e
 			TXT	"v=spf1 ~all"
 			CAA	0 issue "letsencrypt.org"
 
+www		IN	CNAME	@
+ns		IN	A	82.197.212.198
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e
 _dmarc		IN	TXT	"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
-
+cloud		IN	A	82.197.212.198
-www		IN	A	84.245.14.149
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
+social		IN	A	82.197.212.198
-ns		IN	A	84.245.14.149
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
+dav		IN	A	82.197.212.198
-cloud		IN	CNAME	www.pizzapim.nl.
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e
-social		IN	CNAME	www.pizzapim.nl.
+git		IN	A	82.197.212.198
-dav		IN	CNAME	www.pizzapim.nl.
+			AAAA	2a02:58:19a:f730:da5e:d3ff:fe47:336e
-git		IN	CNAME	www.pizzapim.nl.

roles/nsd/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: common
+  - role: docker

roles/nsd/tasks/main.yml

@@ -1,69 +1,86 @@
-- name: Install nsd
+- name: Create nsd app directory
-  apt:
+  file:
-    pkg:
+    path: /apps/nsd
-      - nsd
+    state: directory
-      - ldnsutils
+- name: Create nsd configuration directory
+  file:
+    path: /apps/nsd/conf
+    state: directory
+    owner: 991
+    group: 991
 - name: Copy nsd.conf
   copy:
     src: "{{ role_path }}/files/nsd.conf"
-    dest: /etc/nsd/nsd.conf
+    dest: /apps/nsd/conf/nsd.conf
-- name: Create zones directory
+- name: Create nsd zones directory
   file:
-    path: /etc/nsd/zones
+    path: /apps/nsd/zones
     state: directory
+    owner: 991
+    group: 991
 - name: Copy zone files
   copy:
     src: "{{ role_path }}/files/zones/"
-    dest: /etc/nsd/zones
+    dest: /apps/nsd/zones
-- name: Create keys directory
+- name: Create nsd keys directory
   file:
-    path: /etc/nsd/keys
+    path: /apps/nsd/keys
     state: directory
+    owner: 991
+    group: 991
 - name: Copy KSK private keys
   template:
     src: "{{ item }}"
-    dest: "/etc/nsd/keys/{{ item | basename }}"
+    dest: "/apps/nsd/keys/{{ item | basename }}"
   with_fileglob:
     - "{{ role_path }}/files/keys/*.ksk.private"
 - name: Copy KSK keys
   copy:
     src: "{{ item }}"
-    dest: "/etc/nsd/keys/{{ item | basename }}"
+    dest: "/apps/nsd/keys/{{ item | basename }}"
   with_fileglob:
     - "{{ role_path }}/files/keys/*.ksk.key"
+- name: Copy Docker Compose script
+  copy:
+    src: "{{ role_path }}/files/docker-compose.yml"
+    dest: /apps/nsd/docker-compose.yml
+- name: Start Docker Compose
+  docker_compose:
+    project_src: /apps/nsd
+    pull: true
+    remove_orphans: true
 - name: Check if ZSKs exist
   stat:
-    path: "/etc/nsd/keys/K{{ item | basename }}.zsk.key"
+    path: "/apps/nsd/keys/K{{ item | basename }}.zsk.key"
   register: zsks_exists
   with_fileglob:
     - "{{ role_path }}/files/zones/*"
 - name: Create ZSK
   command:
-    cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}"
+    cmd: "docker-compose exec -w /keys nsd ldns-keygen -a ED25519 {{ item.item | basename }}"
-    chdir: /etc/nsd/keys
+    chdir: /apps/nsd
   register: create_zsk
   when: not item.stat.exists
   with_items: "{{ zsks_exists.results }}"
 - name: Rename ZSK key
   command:
-    cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
+    cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
-    chdir: /etc/nsd/keys
+    chdir: /apps/nsd
   when: item.changed
   with_items: "{{ create_zsk.results }}"
 - name: Rename ZSK private key
   command:
-    cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
+    cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
-    chdir: /etc/nsd/keys
+    chdir: /apps/nsd
   when: item.changed
   with_items: "{{ create_zsk.results }}"
 - name: Sign zones
   command:
-    cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk"
+    cmd: 'docker-compose exec -w /zones nsd ldns-signzone {{ item | basename }} /keys/K{{ item | basename }}.zsk /keys/K{{ item | basename }}.ksk'
-    chdir: /etc/nsd/zones
+    chdir: /apps/nsd
   with_fileglob:
     - "{{ role_path }}/files/zones/*"
-- name: Restart NSD
+- name: Restart Docker Compose
-  systemd:
+  docker_compose:
-    name: nsd
+    project_src: /apps/nsd
-    enabled: true
+    restarted: true
-    state: reloaded

roles/pizzeria/tasks/main.yml

@@ -1,9 +1,9 @@
 - name: Clone pizzeria repository
   git:
-    repo: "{{ git_origin }}"
+    repo: https://github.com/pizzapim/pizzeria
-    dest: "{{ service_dir }}"
+    dest: /apps/pizzeria
 - name: Start the Docker Compose
-  docker_compose:
+  community.docker.docker_compose:
-    project_src: "{{ service_dir }}"
+    project_src: /apps/pizzeria
     pull: true
     remove_orphans: true

roles/pizzeria/vars/main.yml

@@ -1,4 +0,0 @@
-service_name: pizzeria
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: https://git.pizzapim.nl/pim/pizzeria.git

roles/radicale/files/docker-compose.yml

@@ -9,8 +9,8 @@ services:
     restart: always
     image: mailu/radicale:1.9
     volumes:
-      - {{ data_dir }}:/data
+      - /data/radicale:/data
-      - {{ service_dir }}/config:/radicale
+      - /apps/radicale/config:/radicale
     command: radicale -S -C /radicale/radicale.conf
     networks:
       - traefik

roles/radicale/tasks/main.yml

@@ -1,29 +1,29 @@
 - name: Create Radicale app directory
   file:
-    path: "{{ service_dir }}"
+    path: /apps/radicale
     state: directory
 - name: Copy docker-compose.yml file
-  template:
+  copy:
-    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    src: "{{ role_path }}/files/docker-compose.yml"
-    dest: "{{ service_dir }}/docker-compose.yml"
+    dest: /apps/radicale/docker-compose.yml
 - name: Create Radicale config directory
   file:
-    path: "{{ service_dir }}/config"
+    path: /apps/radicale/config
     state: directory
 - name: Copy radicale.conf
   copy:
     src: "{{ role_path }}/files/radicale.conf"
-    dest: "{{ service_dir }}/config/radicale.conf"
+    dest: /apps/radicale/config/radicale.conf
 - name: Copy users file
   copy:
     src: "{{ role_path }}/files/users"
-    dest: "{{ service_dir }}/config/users"
+    dest: /apps/radicale/config/users
 - name: Create Radicale data directory
   file:
-    path: "{{ data_dir }}"
+    path: /data/radicale
     state: directory
 - name: Start Docker Compose
   docker_compose:
-    project_src: "{{ service_dir }}"
+    project_src: /apps/radicale
     pull: true
     remove_orphans: true

roles/radicale/vars/main.yml

@@ -1,3 +0,0 @@
-service_name: radicale
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
-service_dir: "{{ base_service_dir }}/{{ service_name }}"

roles/syncthing/files/docker-compose.yml

@@ -10,8 +10,8 @@ services:
       - PGID=1000
       - TZ=Europe/Amsterdam
     volumes:
-      - {{ service_dir }}/config:/config
+      - /apps/syncthing/config:/config
-      - {{ data_dir }}:/data
+      - /data/syncthing:/data
     ports:
       - 8384:8384
       - 22000:22000/tcp

roles/syncthing/tasks/main.yml

@@ -1,34 +1,34 @@
 - name: Create Syncthing app directory
   file:
-    path: "{{ service_dir }}"
+    path: /apps/syncthing
     state: directory
 - name: Create Syncthing configuration directory
   file:
-    path: "{{ service_dir }}/config"
+    path: /apps/syncthing/config
     state: directory
 - name: Copy Syncthing private key
   copy:
     src: "{{ role_path }}/files/key.pem"
-    dest: "{{ service_dir }}/config/key.pem"
+    dest: /apps/syncthing/config/key.pem
 - name: Copy Syncthing certificate
   copy:
     src: "{{ role_path }}/files/cert.pem"
-    dest: "{{ service_dir }}/config/cert.pem"
+    dest: /apps/syncthing/config/cert.pem
 - name: Copy Syncthing configuration
   template:
     src: "{{ role_path }}/templates/config.xml.j2"
-    dest: "{{ service_dir }}/config/config.xml"
+    dest: /apps/syncthing/config/config.xml
 - name: Create Syncthing data directory
   file:
-    path: "{{ data_dir }}"
+    path: /data/syncthing
     state: directory
     mode: 0777
 - name: Copy Docker Compose script
-  template:
+  copy:
-    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    src: "{{ role_path }}/files/docker-compose.yml"
-    dest: "{{ service_dir }}/docker-compose.yml"
+    dest: /apps/syncthing/docker-compose.yml
 - name: Start Docker Compose
   docker_compose:
-    project_src: "{{ service_dir }}"
+    project_src: /apps/syncthing
     pull: true
     remove_orphans: true

roles/syncthing/vars/main.yml

@@ -1,7 +1,3 @@
-service_name: syncthing
-data_dir: "{{ base_data_dir }}/{{ service_name }}"
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-
 syncthing:
   apikey: !vault |
           $ANSIBLE_VAULT;1.1;AES256

roles/traefik/files/docker-compose.yml

@@ -20,9 +20,9 @@ services:
       - "56287:56287"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
+      - /apps/traefik/traefik.toml:/etc/traefik/traefik.toml
-      - {{ service_dir }}/services.toml:/etc/traefik/services.toml
+      - /apps/traefik/services.toml:/etc/traefik/services.toml
-      - {{ service_dir }}/acme.json:/acme.json
+      - /apps/traefik/acme.json:/acme.json
     networks:
       - traefik
     labels:

roles/traefik/tasks/main.yml

@@ -1,30 +1,30 @@
 - name: Create traefik app directory
   file:
-    path: "{{ service_dir }}"
+    path: /apps/traefik
     state: directory
 - name: Create acme file
   copy:
     content: ""
-    dest: "{{ service_dir }}/acme.json"
+    dest: /apps/traefik/acme.json
     force: no
     mode: 0600
 - name: Copy Docker Compose script
-  template:
+  copy:
-    src: "{{ role_path }}/templates/docker-compose.yml.j2"
+    src: "{{ role_path }}/files/docker-compose.yml"
-    dest: "{{ service_dir }}/docker-compose.yml"
+    dest: /apps/traefik/docker-compose.yml
 - name: Copy traefik.toml
   copy:
     src: "{{ role_path }}/files/traefik.toml"
-    dest: "{{ service_dir }}/traefik.toml"
+    dest: /apps/traefik/traefik.toml
 - name: Copy services.toml
   copy:
     src: "{{ role_path }}/files/services.toml"
-    dest: "{{ service_dir }}/services.toml"
+    dest: /apps/traefik/services.toml
 - name: Create traefik network
   docker_network:
     name: "traefik"
 - name: Start Docker Compose
   docker_compose:
-    project_src: "{{ service_dir }}"
+    project_src: /apps/traefik
     pull: true
     remove_orphans: true

roles/traefik/vars/main.yml

@@ -1,2 +0,0 @@
-service_name: traefik
-service_dir: "{{ base_service_dir }}/{{ service_name }}"