Compare commits

..

61 commits

Author SHA1 Message Date
a57d59ac04 remove data volume 2023-04-26 16:07:40 +02:00
c25e4ca41d fix terraform module source 2023-04-26 14:59:04 +02:00
8a634be9ab move to virtiofs shared directory 2023-04-26 14:53:57 +02:00
37fe3937e5 save LE certificates on data disk
closes #25
2023-04-24 13:47:18 +02:00
e6f64d4f4d rename TF module
closes #18
2023-04-24 13:31:27 +02:00
2cc35feebb increase disk size in Terraform as well 2023-04-24 13:07:54 +02:00
bf094a02d6 put docker role in separate repo 2023-04-17 19:35:33 +02:00
69cf0a1d4b cleanup 2023-04-17 19:01:42 +02:00
72d07aac36 change hedgedoc container names
closes #24
2023-04-16 12:21:10 +02:00
aa0987593e change overleaf container names
closes #23
2023-04-16 12:15:39 +02:00
58aeaacc67 add hedgedoc service
close #9
2023-04-15 13:04:33 +02:00
fef821f770 update readme
fixed #8
2023-04-14 20:10:14 +02:00
cd224321df add overleaf service 2023-04-14 20:08:18 +02:00
b8adaee9d4 use cloudinit-wait role from git 2023-04-14 09:38:34 +02:00
723bc7ed33 update README.md 2023-04-13 17:45:11 +02:00
9eb52229f1 change directory structure 2023-04-13 17:24:01 +02:00
b89713643d fix unable to scope ansible to tags
fixes #4
2023-04-13 17:21:48 +02:00
f8bd422451 fix freshrss data location (#3) 2023-04-13 13:00:19 +02:00
7c220a5501 fix #2 2023-04-13 11:43:42 +02:00
74a4de1615 virtualize (#3)
Reviewed-on: https://git.pim.kunis.nl/home/max/pulls/3
2023-04-12 21:26:46 +00:00
72f2cc91f6 remove makefile 2023-04-12 14:59:56 +02:00
da13d96bf7 Merge branch 'master' of ssh://git.pim.kunis.nl:56287/home/max 2023-04-11 22:41:27 +02:00
73921cdd57 remove backup functionality 2023-04-11 22:41:18 +02:00
3988a26d93 Update 'README.md' 2023-04-10 09:53:27 +00:00
a8b63203d8 Update 'README.md' 2023-04-03 20:07:57 +00:00
6587dea614 Update 'README.md' 2023-04-03 20:07:07 +00:00
d87705fdad Update 'README.md' 2023-04-03 20:06:45 +00:00
5d454bee04 Update 'README.md' 2023-04-03 20:05:49 +00:00
69a520b70a Update 'README.md' 2023-04-03 20:04:58 +00:00
4d4ed08ce6 Update 'README.md' 2023-04-03 20:03:35 +00:00
d81bcbaba2 added cyberchef.geokunis2.nl 2023-04-03 21:31:57 +02:00
3865e57f9a remove authoritative DNS server 2023-03-19 11:44:16 +01:00
cc4704b2b9 fix esrom ip address 2023-03-17 21:06:47 +01:00
a1713233c5 set dns to dmz vm 2023-03-14 23:06:10 +01:00
c65dc64aaa change hostnames 2023-03-14 22:44:41 +01:00
bb2a4ecbcc Update 'README.md' 2023-03-14 21:11:24 +00:00
0bf2ffdb8f change forgejo default branch to master 2023-03-11 11:25:23 +01:00
a364830b10 correctie op ipv adres van wireguard 2023-03-05 13:57:58 +01:00
e105fef482 remove echo from vault password prompt 2023-02-25 18:12:17 +01:00
5ed08e0f1a move dataserver to seperate repo 2023-02-25 15:42:28 +01:00
b9f923787e fix static website git pull 2023-02-25 15:14:32 +01:00
cb861223ea take vault password from secret service 2023-02-24 22:18:50 +01:00
a8df259081 remove vault.geokunis2.nl from dns 2023-02-17 16:04:50 +01:00
f3c7b1d8fe add dns record for vault.geokunis2.nl 2023-02-16 23:54:15 +01:00
1e3ff3d4e6 Merge branch 'master' of ssh://git.pim.kunis.nl:56287/pim/homeservers 2023-02-11 19:46:45 +01:00
3a38405455 Add os3 desktop to syncthing 2023-02-11 19:46:30 +01:00
8949169b6a updated zone version number 2023-02-10 11:40:07 +01:00
35c1c75a3e change blog role to static
add security.txt
2023-02-09 22:57:41 +01:00
1bd61091a1 move from pizzapim.nl to pim.kunis.nl 2023-02-08 08:27:30 +01:00
4d8f9e816c by default disable traefik service for docker container 2023-02-07 23:25:30 +01:00
c5ad2aab9f Merge branch 'master' of ssh://git.pizzapim.nl:56287/pim/homeservers 2023-02-07 22:55:19 +01:00
9cc5fba042 add prometheus
don't publish traefik api
2023-02-07 22:54:07 +01:00
9cf2de65ac Update 'README.md' 2023-02-07 13:25:06 +00:00
1d6e52adf4 watchtower flags 2023-02-06 21:22:01 +01:00
a875bd7846 added watchtower flags: --include-restarting --cleanup --include-stopped 2023-02-06 21:10:47 +01:00
919fa74fe0 set watchtower restart:always 2023-02-06 20:57:43 +01:00
32efb21f49 Update 'README.md' 2023-02-06 13:04:47 +00:00
46c89400b2 added label to Syncthing for exclusion by Watchtower:
labels:
      - "com.centurylinklabs.watchtower.enable=false"
2023-02-05 17:37:38 +01:00
444400ada5 syncthing tag verwijderd, gings stuk 2023-02-05 17:33:02 +01:00
1110b667bc fixated syncthing on version 1.23 in docker compose 2023-02-05 17:27:28 +01:00
5afc14edf4 add watchtower container. elke dag om 5 uur worden de containers ge-update door watchtower indien nodig. 2023-02-05 17:08:54 +01:00
131 changed files with 704 additions and 819 deletions

37
.gitignore vendored
View file

@ -1 +1,38 @@
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
.terraform.lock.hcl
*.tfbackend
.vault_password

View file

@ -1,8 +0,0 @@
all:
ansible-playbook playbooks/all.yml
backup:
ansible-playbook playbooks/backup.yml
%:
ansible-playbook playbooks/all.yml --tags "$@"

View file

@ -1,54 +1,23 @@
# Homeservers
# Max
This repository contains Ansible scripts to setup our home servers.
The `common` role executes some common OS tasks.
The `docker` role installs Docker.
The other roles are specifically for the various services we run.
Max is our VM running all of our web servers, provisioned with Terraform and configured with Ansible.
## Running services
All services below are running under Docker, except NSD and Borg.
All services below are implemented using Docker:
- Authoritative DNS using [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) (ns.pizzapim.nl)
- Reverse proxy using [Traefik](https://doc.traefik.io/traefik/)
- Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl))
- Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl))
- Git server using [Forgejo](https://forgejo.org/) ([git.pim.kunis.nl](https://git.pim.kunis.nl))
- Static website using [Jekyll](https://jekyllrb.com/) ([pim.kunis.nl](https://pim.kunis.nl))
- File sychronisation using [Syncthing](https://syncthing.net/)
- Microblogging server using [Mastodon](https://joinmastodon.org/) ([social.pizzapim.nl](https://social.pizzapim.nl))
- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pizzapim.nl](https://dav.pizzapim.nl))
- Calendar and contact synchronisation using [Radicale](https://radicale.org/v3.html) ([dav.pim.kunis.nl](https://dav.pim.kunis.nl))
- KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd)
- Cloud file storage using [Seafile](https://www.seafile.com)
- Inbucket disposable webmail, Mailinator alternative (https://inbucket.org)
- Disposable mail server using [Inbucket](https://inbucket.org)
- Digital toolbox using [Cyberchef](https://cyberchef.geokunis2.nl)
- Jitsi Meet (https://meet.jit.si)
- Backups using [Borg](https://www.borgbackup.org/) and [Borgmatic](https://torsion.org/borgmatic/)
- RSS feed reader using [FreshRSS](https://miniflux.app/)
## Possible future services
- matrix
- peertube?
- Pixelfed?
- Prometheus
- Concourse CI?
## TODO
- Clear view of what services + which versions we are running. This way, we can track security updates better.
- Delegate pim.kunis.nl to my server
- Host tobb website?
- Move from Ubuntu to Debian
### NSD
#### ZSK Rollover
Could make automatic key rollovers with cron or some other tool.
#### Idempotency
Currently I always resign zones.
But for idempotency I should probably only do it if the zone has changed or the keys have changed.
### Firewall
A little more difficult because of docker networking but probably doable.
- Metrics using [Prometheus](https://prometheus.io/)
- Latex editor using [Overleaf](https://www.overleaf.com/) ([latex.pim.kunis.nl](https://latex.pim.kunis.nl))
- Markdown editor using [Hedgedoc](https://hedgedoc.org/)

View file

@ -1,5 +0,0 @@
[defaults]
# (pathspec) Colon separated paths in which Ansible will search for Roles.
roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
vault_password_file=./.vault_password
inventory=inventory

8
ansible/ansible.cfg Normal file
View file

@ -0,0 +1,8 @@
[defaults]
roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
inventory=inventory
vault_password_file=util/secret-service-client.sh
interpreter_python=/usr/bin/python3
[diff]
always = True

View file

@ -0,0 +1,15 @@
base_data_dir: /mnt/data
base_service_dir: /srv
domain_name_pim: pim.kunis.nl
# Additional open ports
jitsi_videobridge_port: 54562
git_ssh_port: 56287
prometheus_port: 8081
traefik_api_port: 8080
internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
docker_daemon_config:
default-address-pools:
- base: "10.204.0.0/16"
size: 24

View file

@ -0,0 +1,5 @@
all:
hosts:
max:
ansible_user: root
ansible_host: max.dmz

36
ansible/max.yml Normal file
View file

@ -0,0 +1,36 @@
- name: Wait for servers to come up
hosts: max
gather_facts: no
roles:
- 'cloudinit-wait'
- name: Start services
hosts: max
pre_tasks:
- name: Create base service directory
file:
path: "{{ base_service_dir }}"
state: directory
- name: Delete externally managed environment file
shell:
cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
register: rm
changed_when: "rm.rc == 0"
failed_when: "false"
roles:
- {role: 'setup-apt', tags: 'setup-apt'}
- {role: 'watchtower', tags: 'watchtower'}
- {role: 'forgejo', tags: 'forgejo'}
- {role: 'syncthing', tags: 'syncthing'}
- {role: 'kms', tags: 'kms'}
- {role: 'cyberchef', tags: 'cyberchef'}
- {role: 'radicale', tags: 'radicale'}
- {role: 'mastodon', tags: 'mastodon'}
- {role: 'seafile', tags: 'seafile'}
- {role: 'jitsi', tags: 'jitsi'}
- {role: 'freshrss', tags: 'freshrss'}
- {role: 'static', tags: 'static'}
- {role: 'inbucket', tags: 'inbucket'}
- {role: 'prometheus', tags: 'prometheus'}
- {role: 'overleaf', tags: 'overleaf'}
- {role: 'hedgedoc', tags: 'hedgedoc'}

9
ansible/requirements.yml Normal file
View file

@ -0,0 +1,9 @@
- name: setup-apt
src: https://github.com/sunscrapers/ansible-role-apt.git
scm: git
- name: cloudinit-wait
src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
scm: git
- name: docker
src: https://git.pim.kunis.nl/pim/ansible-role-docker
scm: git

View file

@ -0,0 +1,22 @@
version: "3.7"
services:
cyberchef-server:
image: mpepping/cyberchef
container_name: cyberchef
restart: always
labels:
- traefik.enable=true
- traefik.http.routers.cyberchef.entrypoints=websecure
- traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
- traefik.http.routers.cyberchef.tls=true
- traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
- traefik.http.services.cyberchef.loadbalancer.server.port=8000
- traefik.http.routers.cyberchef.service=cyberchef
- traefik.docker.network=traefik
networks:
- traefik
networks:
traefik:
external: true

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -0,0 +1,13 @@
- name: Create app directory
file:
path: "{{ service_dir }}"
state: directory
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Start the Docker Compose
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true

View file

@ -1,2 +1,2 @@
service_name: borg
service_name: cyberchef
service_dir: "{{ base_service_dir }}/{{ service_name }}"

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -4,6 +4,7 @@ RUN_USER = git
[repository]
ROOT = /data/git/repositories
DEFAULT_BRANCH = master
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
@ -13,8 +14,8 @@ TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = git.pizzapim.nl
SSH_DOMAIN = git.pizzapim.nl
DOMAIN = {{ git_domain }}
SSH_DOMAIN = {{ git_domain }}
HTTP_PORT = 3000
ROOT_URL = {{ forgejo.root_url }}
DISABLE_SSH = false
@ -38,6 +39,7 @@ CHARSET = utf8
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
ISSUE_INDEXER_TYPE = db
[session]
PROVIDER_CONFIG = /data/gitea/sessions

View file

@ -14,17 +14,20 @@ services:
restart: always
networks:
- traefik
ports:
- "{{ internal_forgejo_port }}:3000"
volumes:
- {{ data_dir }}:/data
- {{ service_dir }}/conf:/data/gitea/conf
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
labels:
- traefik.enable=true
- traefik.http.routers.forgejo.entrypoints=websecure
- traefik.http.routers.forgejo.rule=Host(`git.pizzapim.nl`)
- traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`)
- traefik.http.routers.forgejo.tls=true
- traefik.http.routers.forgejo.tls.certresolver=pizzapim
- traefik.tcp.routers.forgejo.service=forgejo
- traefik.http.routers.forgejo.tls.certresolver=letsencrypt
- traefik.http.routers.forgejo.service=forgejo
- traefik.http.services.forgejo.loadbalancer.server.port=3000
- traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)

View file

@ -1,9 +1,10 @@
service_name: forgejo
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
git_domain: "git.{{ domain_name_pim }}"
forgejo:
root_url: "https://git.pizzapim.nl"
root_url: "https://{{ git_domain }}"
mailer_host: "smtp.tweak.nl"
mailer_from: "git@kunis.nl"
lfs_jwt_secret: !vault |

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -11,10 +11,8 @@ services:
options:
max-size: 10m
volumes:
# Recommended volume for FreshRSS persistent data such as configuration and SQLite databases
- /data/freshrss/data:/var/www/FreshRSS/data
# Optional volume for storing third-party extensions
- /data/freshrss/extensions:/var/www/FreshRSS/extensions
- {{ data_dir }}/data:/var/www/FreshRSS/data
- {{ data_dir }}/extensions:/var/www/FreshRSS/extensions
environment:
TZ: Europe/Amsterdam
CRON_MIN: '2,32'
@ -24,11 +22,13 @@ services:
ADMIN_API_PASSWORD: {{ admin_password }}
PUBLISHED_PORT: 443
labels:
- traefik.enable=true
- traefik.http.routers.freshrss.entrypoints=websecure
- traefik.http.routers.freshrss.rule=Host(`rss.pizzapim.nl`)
- traefik.http.routers.freshrss.rule=Host(`{{ rss_domain }}`)
- traefik.http.routers.freshrss.tls=true
- traefik.http.routers.freshrss.tls.certresolver=pizzapim
- traefik.tcp.routers.freshrss.service=freshrss
- traefik.http.routers.freshrss.tls.certresolver=letsencrypt
- traefik.http.routers.freshrss.service=freshrss
- traefik.http.services.freshrss.loadbalancer.server.port=80
networks:
traefik:

View file

@ -1,6 +1,7 @@
service_name: freshrss
service_dir: "{{ base_service_dir }}/{{ service_name }}"
data_dir: "{{ base_data_dir }}/{{ service_name }}"
rss_domain: "rss.{{ domain_name_pim }}"
admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
38363734333534376665616439306566613632303739373661333338356533653334323366326130

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -0,0 +1,22 @@
- name: Create service directory
file:
path: "{{ service_dir }}"
state: directory
- name: Copy Docker Compose script
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Create data directory
file:
path: "{{ data_dir }}"
state: directory
- name: Create uploads directory
file:
path: "{{ data_dir }}/uploads"
state: directory
mode: 0777
- name: Start the Docker Compose
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true

View file

@ -0,0 +1,51 @@
version: '3'
networks:
traefik:
external: true
internal:
external: false
services:
database:
image: postgres:13.4-alpine
container_name: hedgedoc-database
environment:
- POSTGRES_USER=hedgedoc
- POSTGRES_PASSWORD=password
- POSTGRES_DB=hedgedoc
volumes:
- {{ data_dir }}/database:/var/lib/postgresql/data
restart: always
networks:
- internal
app:
image: quay.io/hedgedoc/hedgedoc:1.9.7
container_name: hedgedoc
environment:
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_DOMAIN={{ hedgedoc_domain }}
- CMD_PORT=3000
- CMD_URL_ADDPORT=false
- CMD_ALLOW_ANONYMOUS=true
- CMD_ALLOW_EMAIL_REGISTER=false
- CMD_PROTOCOL_USESSL=true
- CMD_SESSION_SECRET={{ session_secret }}
volumes:
- {{ data_dir }}/uploads:/hedgedoc/public/uploads
restart: always
depends_on:
- database
networks:
- traefik
- internal
labels:
- traefik.enable=true
- traefik.http.routers.hedgedoc.entrypoints=websecure
- traefik.http.routers.hedgedoc.rule=Host(`{{ hedgedoc_domain }}`)
- traefik.http.routers.hedgedoc.tls=true
- traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt
- treafik.http.routers.hedgedoc.service=hedgedoc
- traefik.http.services.hedgedoc.loadbalancer.server.port=3000
- traefik.docker.network=traefik

View file

@ -0,0 +1,14 @@
service_name: hedgedoc
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
hedgedoc_domain: "md.{{ domain_name_pim }}"
session_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
30633835386265643561343033326536653166343630396139303137613138383233666565666330
3032613865333836656566626435383165396539323837350a376331306464643766373839386638
65653865343539633636323833343964636332636461386434386432306230343833343431363134
6563373138626637650a633932313862326231666330343662343765666166373961376237396434
33396131353830323063326266623862353731653665626466653335656434303033353333353164
61613535373037646565386131383631366338616565373261396136616433393462313537313861
35313661616365373231373963323865393635626132343138363230313431636333363130346239
32656335333635613736

View file

@ -1,3 +1,2 @@
dependencies:
- role: common
- role: docker

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -21,10 +21,11 @@ services:
- meet.jitsi
- traefik
labels:
- traefik.enable=true
- traefik.http.routers.jitsi-web.entrypoints=websecure
- traefik.http.routers.jitsi-web.rule=Host(`{{ public_domain }}`)
- traefik.http.routers.jitsi-web.tls=true
- traefik.http.routers.jitsi-web.tls.certresolver=pizzapim
- traefik.http.routers.jitsi-web.tls.certresolver=letsencrypt
- traefik.http.services.jitsi-web.loadbalancer.server.port=80
- traefik.http.routers.jitsi-web.service=jitsi-web
- traefik.docker.network=traefik
@ -96,6 +97,7 @@ services:
networks:
meet.jitsi:
labels:
- traefik.enable=true
- traefik.udp.routers.jitsi-videobridge.rule=HostSNI(`*`)
- traefik.udp.routers.jitsi-videobridge.entrypoints=video
- traefik.udp.routers.jitsi-videobridge.service=jitsi-videobridge

View file

@ -2,7 +2,7 @@ service_name: jitsi
service_dir: "{{ base_service_dir }}/{{ service_name }}"
data_dir: "{{ base_data_dir }}/{{ service_name }}"
public_domain: "meet.pizzapim.nl"
public_domain: "meet.{{ domain_name_pim }}"
jvb_advertise_ips: "84.245.14.149,192.168.30.3"
jvb_auth_password: !vault |

View file

@ -1,3 +1,2 @@
dependencies:
- role: common
- role: docker

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -49,10 +49,11 @@ services:
- {{ data_dir }}/public/system:/mastodon/public/system
- {{ service_dir }}/cache:/mastodon/public/system/cache
labels:
- traefik.enable=true
- traefik.http.routers.mastodon.entrypoints=websecure
- traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`)
- traefik.http.routers.mastodon.tls=true
- traefik.http.routers.mastodon.tls.certresolver=pizzapim
- traefik.http.routers.mastodon.tls.certresolver=letsencrypt
- traefik.http.services.mastodon.loadbalancer.server.port=3000
- traefik.http.routers.mastodon.service=mastodon
- traefik.docker.network=traefik
@ -73,6 +74,7 @@ services:
- db
- redis
labels:
- traefik.enable=true
- traefik.http.routers.mastodon-streaming.entrypoints=websecure
- "traefik.http.routers.mastodon-streaming.rule=(Host(`social.pizzapim.nl`) && PathPrefix(`/api/v1/streaming`))"
- traefik.http.routers.mastodon-streaming.service=mastodon-streaming

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -1,4 +1,4 @@
- name: Create app directory
- name: Create service directory
file:
path: "{{ service_dir }}"
state: directory
@ -6,10 +6,6 @@
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Create data directory
file:
path: "{{ data_dir }}"
state: directory
- name: Start the Docker Compose
docker_compose:
project_src: "{{ service_dir }}"

View file

@ -0,0 +1,107 @@
version: '2.2'
networks:
traefik:
external: true
internal:
external: false
services:
sharelatex:
restart: always
image: sharelatex/sharelatex
container_name: overleaf
networks:
- traefik
- internal
depends_on:
overleaf-mongodb:
condition: service_healthy
overleaf-redis:
condition: service_started
links:
- overleaf-mongodb
- overleaf-redis
stop_grace_period: 60s
volumes:
- {{ data_dir }}/overleaf/sharelatex_data:/var/lib/sharelatex
labels:
- traefik.enable=true
- traefik.http.routers.overleaf.entrypoints=websecure
- traefik.http.routers.overleaf.rule=Host(`latex.pim.kunis.nl`)
- traefik.http.routers.overleaf.tls=true
- traefik.http.routers.overleaf.tls.certresolver=letsencrypt
- treafik.http.routers.overleaf.service=overleaf
- traefik.http.services.overleaf.loadbalancer.server.port=80
- traefik.docker.network=traefik
environment:
SHARELATEX_APP_NAME: Overleaf Community Edition
SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex
# Same property, unfortunately with different names in
# different locations
SHARELATEX_REDIS_HOST: overleaf-redis
REDIS_HOST: overleaf-redis
ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file'
# Enables Thumbnail generation using ImageMagick
ENABLE_CONVERSIONS: 'true'
# Disables email confirmation requirement
EMAIL_CONFIRMATION_DISABLED: 'true'
# temporary fix for LuaLaTex compiles
# see https://github.com/overleaf/overleaf/issues/695
TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var
## Set for SSL via nginx-proxy
#VIRTUAL_HOST: 103.112.212.22
SHARELATEX_SITE_URL: https://latex.pim.kunis.nl
# SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance
# SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png
SHARELATEX_ADMIN_EMAIL: pim@kunis.nl
# SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"},{"text": "Another page I want to link to can be found <a href=\"here\">here</a>"} ]'
# SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am on the Right"} ]'
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl"
SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl"
SHARELATEX_EMAIL_SMTP_PORT: 587
SHARELATEX_EMAIL_SMTP_USER: ""
SHARELATEX_EMAIL_SMTP_PASS: ""
# SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true
# SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
# SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1'
# SHARELATEX_EMAIL_SMTP_LOGGER: true
# SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x"
overleaf-mongodb:
restart: always
image: mongo:4.4
container_name: overleaf-mongodb
networks:
- internal
expose:
- 27017
volumes:
- {{ data_dir }}/overleaf/mongo_data:/data/db
healthcheck:
test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet
interval: 10s
timeout: 10s
retries: 5
overleaf-redis:
restart: always
image: redis:5
container_name: overleaf-redis
networks:
- internal
expose:
- 6379
volumes:
- {{ data_dir }}/overleaf/redis_data:/data

View file

@ -0,0 +1,3 @@
service_name: overleaf
data_dir: "{{ base_data_dir}}/{{service_name}}"
service_dir: "{{ base_service_dir}}/{{service_name}}"

View file

@ -1,4 +1,2 @@
dependencies:
- role: common
- role: docker

View file

@ -0,0 +1,19 @@
- name: Create app directory
file:
path: "{{ service_dir }}"
state: directory
- name: Copy Docker Compose script
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Copy prometheus.yml
template:
src: "{{ role_path }}/templates/prometheus.yml.j2"
dest: "{{ service_dir }}/prometheus.yml"
register: config
- name: Start Docker Compose
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
restarted: "{{ config.changed }}"

View file

@ -0,0 +1,13 @@
version: "3.8"
services:
prometheus:
image: prom/prometheus
container_name: prometheus
restart: always
volumes:
- "{{ service_dir }}/prometheus.yml:/etc/prometheus/prometheus.yml"
extra_hosts:
- "host.docker.internal:host-gateway"
ports:
- "{{ prometheus_port }}:9090"

View file

@ -0,0 +1,14 @@
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'prometheus'
scrape_interval: 5s
static_configs:
- targets: ['localhost:9090']
- job_name: 'traefik'
scrape_interval: 5s
static_configs:
- targets: ['host.docker.internal:{{ traefik_api_port }}']

View file

@ -0,0 +1,3 @@
service_name: prometheus
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"

View file

@ -9,7 +9,7 @@ stock = utf-8
[auth]
realm = Radicale - Password Required
type = htpasswd
htpasswd_filename = /radicale/users
htpasswd_filename = /config/users
htpasswd_encryption = md5
[rights]

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -13,7 +13,7 @@
- name: Copy radicale.conf
copy:
src: "{{ role_path }}/files/radicale.conf"
dest: "{{ service_dir }}/config/radicale.conf"
dest: "{{ service_dir }}/config/config"
- name: Copy users file
copy:
src: "{{ role_path }}/files/users"

View file

@ -0,0 +1,39 @@
version: '3.7'
services:
radicale:
image: tomsquest/docker-radicale
container_name: radicale
init: true
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- SETUID
- SETGID
- CHOWN
- KILL
healthcheck:
test: curl -f http://127.0.0.1:5232 || exit 1
interval: 30s
retries: 3
restart: unless-stopped
volumes:
- {{ data_dir }}:/data
- {{ service_dir }}/config:/config:ro
networks:
- traefik
labels:
- traefik.enable=true
- traefik.http.routers.radicale.entrypoints=websecure
- traefik.http.routers.radicale.rule=Host(`{{ dav_domain }}`)
- traefik.http.routers.radicale.tls=true
- traefik.http.routers.radicale.tls.certresolver=letsencrypt
- traefik.http.routers.radicale.service=radicale
- traefik.http.services.radicale.loadbalancer.server.port=5232
networks:
traefik:
external: true

View file

@ -0,0 +1,5 @@
service_name: radicale
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
dav_domain: "dav.{{ domain_name_pim }}"

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -35,10 +35,11 @@ services:
- SEAFILE_SERVER_LETSENCRYPT=false # Whether to use https or not.
- SEAFILE_SERVER_HOSTNAME={{ seafile_domain }} # Specifies your host name if https is enabled.
labels:
- traefik.enable=true
- traefik.http.routers.seafile.entrypoints=websecure
- traefik.http.routers.seafile.rule=Host(`files.geokunis2.nl`)
- traefik.http.routers.seafile.tls=true
- traefik.http.routers.seafile.tls.certresolver=geokunis
- traefik.http.routers.seafile.tls.certresolver=letsencrypt
- traefik.http.services.seafile.loadbalancer.server.port=80
- traefik.http.routers.seafile.service=seafile
- traefik.docker.network=traefik

View file

@ -0,0 +1 @@
testje

View file

@ -0,0 +1,2 @@
dependencies:
- role: traefik

View file

@ -17,13 +17,17 @@
cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build"
chdir: "{{ service_dir }}"
when: repo.changed
- name: Copy security.txt
copy:
src: "{{ role_path }}/files/security.txt"
dest: "{{ service_dir }}/security.txt"
- name: Copy docker compose file
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Copy nginx config
copy:
src: "{{ role_path }}/files/nginx.conf"
template:
src: "{{ role_path }}/templates/nginx.conf.j2"
dest: "{{ service_dir }}/nginx.conf"
register: nginx_conf
- name: Start docker compose

View file

@ -9,13 +9,15 @@ services:
- {{ service_dir }}/git/templates:/etc/nginx/templates
- {{ service_dir }}/git/_site:/var/www/blog
- {{ service_dir }}/nginx.conf:/etc/nginx/conf.d/default.conf
- {{ service_dir }}/security.txt:/var/www/blog/security.txt
networks:
- traefik
labels:
- traefik.enable=true
- traefik.http.routers.blog.entrypoints=websecure
- traefik.http.routers.blog.rule=Host(`pizzapim.nl`)
- "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))"
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=pizzapim
- traefik.http.routers.blog.tls.certresolver=letsencrypt
- traefik.http.routers.blog.service=blog
- traefik.http.services.blog.loadbalancer.server.port=80

View file

@ -0,0 +1,43 @@
server {
listen 80 default_server;
location /security.txt {
return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
}
location /.well-known/security.txt {
return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
}
}
server {
listen 80;
server_name {{ domain_name_pim }};
index index.html index.htm;
root /var/www/blog;
location /security.txt {
return 301 https://$host/.well-known/security.txt;
}
location /.well-known/security.txt {
add_header Content-Type 'text/plain';
add_header Cache-Control 'no-cache, no-store, must-revalidate';
add_header Pragma 'no-cache';
add_header Expires '0';
add_header Vary '*';
return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n";
}
location / {
try_files $uri $uri/ /index.html;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
}
error_page 404 /404.html;
}

View file

@ -0,0 +1,3 @@
service_name: static
service_dir: "{{ base_service_dir }}/{{ service_name }}"
git_origin: "http://git.pim.kunis.nl/pim/static.git"

View file

@ -1,4 +1,2 @@
dependencies:
- role: common
- role: docker

View file

@ -90,6 +90,53 @@
<maxTotalSize>4096</maxTotalSize>
</xattrFilter>
</folder>
<folder id="sjpmp-qavt4" label="Uni" path="/data/uni" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
<filesystemType>basic</filesystemType>
<device id="IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" introducedBy="">
<encryptionPassword></encryptionPassword>
</device>
<device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
<encryptionPassword></encryptionPassword>
</device>
<device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" introducedBy="">
<encryptionPassword></encryptionPassword>
</device>
<minDiskFree unit="%">1</minDiskFree>
<versioning>
<cleanupIntervalS>3600</cleanupIntervalS>
<fsPath></fsPath>
<fsType>basic</fsType>
</versioning>
<copiers>0</copiers>
<pullerMaxPendingKiB>0</pullerMaxPendingKiB>
<hashers>0</hashers>
<order>random</order>
<ignoreDelete>false</ignoreDelete>
<scanProgressIntervalS>0</scanProgressIntervalS>
<pullerPauseS>0</pullerPauseS>
<maxConflicts>10</maxConflicts>
<disableSparseFiles>false</disableSparseFiles>
<disableTempIndexes>false</disableTempIndexes>
<paused>false</paused>
<weakHashThresholdPct>25</weakHashThresholdPct>
<markerName>.stfolder</markerName>
<copyOwnershipFromParent>false</copyOwnershipFromParent>
<modTimeWindowS>0</modTimeWindowS>
<maxConcurrentWrites>2</maxConcurrentWrites>
<disableFsync>false</disableFsync>
<blockPullOrder>standard</blockPullOrder>
<copyRangeMethod>standard</copyRangeMethod>
<caseSensitiveFS>false</caseSensitiveFS>
<junctionsAsDirs>false</junctionsAsDirs>
<syncOwnership>false</syncOwnership>
<sendOwnership>false</sendOwnership>
<syncXattrs>false</syncXattrs>
<sendXattrs>false</sendXattrs>
<xattrFilter>
<maxSingleEntrySize>1024</maxSingleEntrySize>
<maxTotalSize>4096</maxTotalSize>
</xattrFilter>
</folder>
<folder id="tj35a-felne" label="Keepass" path="/data/keepass" type="sendreceive" rescanIntervalS="3600" fsWatcherEnabled="true" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
<filesystemType>basic</filesystemType>
<device id="B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ" introducedBy="">
@ -101,6 +148,9 @@
<device id="QW4NXKY-Y56F7ON-SIABMBI-EHMQANC-AVWEREO-B6WNTCN-NP2O7VI-6SGYMQS" introducedBy="">
<encryptionPassword></encryptionPassword>
</device>
<device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" introducedBy="">
<encryptionPassword></encryptionPassword>
</device>
<minDiskFree unit="%">1</minDiskFree>
<versioning>
<cleanupIntervalS>3600</cleanupIntervalS>
@ -167,6 +217,16 @@
<untrusted>false</untrusted>
<remoteGUIPort>0</remoteGUIPort>
</device>
<device id="VL7HPMP-CKHKLPH-MHSN6PG-MFGKPYP-RBEMD3R-RLXT2ZI-KU36NKF-TRK5JAU" name="OS3" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
<address>dynamic</address>
<paused>false</paused>
<autoAcceptFolders>false</autoAcceptFolders>
<maxSendKbps>0</maxSendKbps>
<maxRecvKbps>0</maxRecvKbps>
<maxRequestKiB>0</maxRequestKiB>
<untrusted>false</untrusted>
<remoteGUIPort>0</remoteGUIPort>
</device>
<gui enabled="true" tls="false" debugging="false">
<address>0.0.0.0:8384</address>
<apikey>{{ syncthing.apikey }}</apikey>

View file

@ -4,6 +4,8 @@ services:
syncthing:
image: lscr.io/linuxserver/syncthing:latest
container_name: syncthing
labels:
- "com.centurylinklabs.watchtower.enable=false"
hostname: syncthing
environment:
- PUID=1000

View file

@ -3,4 +3,4 @@
[http.services.esrom]
[http.services.esrom.loadBalancer]
[[http.services.esrom.loadBalancer.servers]]
url = "http://192.168.30.2:80/"
url = "http://esrom.dmz:80/"

View file

@ -0,0 +1,2 @@
dependencies:
- role: docker

View file

@ -2,10 +2,14 @@
file:
path: "{{ service_dir }}"
state: directory
- name: Create data directory
file:
path: "{{ data_dir }}"
state: directory
- name: Create acme file
copy:
content: ""
dest: "{{ service_dir }}/acme.json"
dest: "{{ data_dir }}/acme.json"
force: no
mode: 0600
- name: Copy Docker Compose script
@ -16,10 +20,12 @@
template:
src: "{{ role_path }}/templates/traefik.toml.j2"
dest: "{{ service_dir }}/traefik.toml"
register: traefik
- name: Copy services.toml
copy:
src: "{{ role_path }}/files/services.toml"
dest: "{{ service_dir }}/services.toml"
register: services
- name: Create traefik network
docker_network:
name: "traefik"
@ -28,3 +34,4 @@
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
restarted: "{{ traefik.changed or services.changed }}"

View file

@ -13,11 +13,12 @@ services:
- "443:443"
- "80:80"
- "{{ git_ssh_port }}:{{ git_ssh_port }}"
- "{{ traefik_api_port }}:{{ traefik_api_port }}"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
- {{ service_dir }}/services.toml:/etc/traefik/services.toml
- {{ service_dir }}/acme.json:/acme.json
- {{ data_dir }}/acme.json:/acme.json
networks:
- traefik
labels:
@ -27,12 +28,8 @@ services:
- traefik.http.routers.esrom.service=esrom@file
- traefik.http.routers.esrom.rule=Host(`geokunis2.nl`)
- traefik.http.routers.esrom.tls=true
- traefik.http.routers.esrom.tls.certresolver=geokunis
- traefik.http.routers.esrom.tls.certresolver=letsencrypt
- traefik.http.routers.traefik.rule=Host(`traefik.pizzapim.nl`)
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.routers.traefik.tls=true
- traefik.http.routers.traefik.tls.certresolver=pizzapim
- traefik.http.routers.traefik.rule=Host(`max.dmz`)
- traefik.http.routers.traefik.entrypoints=internal
- traefik.http.routers.traefik.service=api@internal
- traefik.http.routers.traefik.middlewares=whitelist-local
- "traefik.http.middlewares.whitelist-local.ipwhitelist.sourcerange=127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,::1,fc00::/7"

View file

@ -13,25 +13,26 @@ loglevel = "DEBUG"
address = ":{{ git_ssh_port }}"
[entryPoints.video]
address = ":{{ jitsi_videobridge_port }}/udp"
[entryPoints.internal]
address = ":{{ traefik_api_port }}"
[api]
insecure = false
dashboard = true
[metrics]
[metrics.prometheus]
entryPoint = "internal"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false
[providers.file]
filename = "/etc/traefik/services.toml"
[certificatesResolvers.geokunis.acme]
[certificatesResolvers.letsencrypt.acme]
email = "pim@kunis.nl"
storage = "acme.json"
[certificatesResolvers.geokunis.acme.httpChallenge]
entryPoint = "web"
[certificatesResolvers.pizzapim.acme]
email = "pim@kunis.nl"
storage = "acme.json"
[certificatesResolvers.pizzapim.acme.httpChallenge]
[certificatesResolvers.letsencrypt.acme.httpChallenge]
entryPoint = "web"

View file

@ -1,3 +1,3 @@
service_name: radicale
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_name: traefik
service_dir: "{{ base_service_dir }}/{{ service_name }}"
data_dir: "{{ base_data_dir }}/{{ service_name }}"

View file

@ -0,0 +1,8 @@
version: "3"
services:
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command: --schedule "0 0 4 * * *" --cleanup --include-stopped --no-startup-message
restart: always

View file

@ -0,0 +1,2 @@
dependencies:
- role: docker

View file

@ -0,0 +1,14 @@
- name: Create app directory
file:
path: "{{ service_dir }}"
state: directory
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Start the Docker Compose
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true

View file

@ -1,2 +1,2 @@
service_name: traefik
service_name: watchtower
service_dir: "{{ base_service_dir }}/{{ service_name }}"

View file

@ -0,0 +1,9 @@
#!/bin/bash
pass=`secret-tool lookup ansible_vault homeservers`
retval=$?
if [ $retval -ne 0 ]; then
read -s pass
fi
echo $pass

View file

@ -1,8 +0,0 @@
borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM"
dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D"
kingston1tb_mount_point: "/mnt/kingston1TB"
backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup"
admin_public_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"

View file

@ -1 +0,0 @@
kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"

View file

@ -1,5 +0,0 @@
base_data_dir: /data
base_service_dir: /srv
jitsi_videobridge_port: 54562
git_ssh_port: 56287

View file

@ -1,12 +0,0 @@
all:
children:
homeserver:
hosts:
max:
ansible_user: root
ansible_host: max.lan
dataserver:
hosts:
lewis:
ansible_user: root
ansible_host: lewis.lan

View file

@ -1,20 +0,0 @@
- name: Setup homeserver
hosts: homeserver
roles:
- {role: 'ssh', tags: 'ssh'}
- {role: 'borg', tags: 'borg'}
- {role: 'nsd', tags: 'nsd'}
- {role: 'forgejo', tags: 'forgejo'}
- {role: 'syncthing', tags: 'syncthing'}
- {role: 'kms', tags: 'kms'}
- {role: 'radicale', tags: 'radicale'}
- {role: 'mastodon', tags: 'mastodon'}
- {role: 'seafile', tags: 'seafile'}
- {role: 'jitsi', tags: 'jitsi'}
- {role: 'freshrss', tags: 'freshrss'}
- {role: 'blog', tags: 'blog'}
- {role: 'inbucket', tags: 'inbucket'}
- name: Setup dataserver
hosts: dataserver
roles:
- {role: 'dataserver', tags: 'dataserver'}

View file

@ -1,7 +0,0 @@
- name: Create backup
hosts: homeserver
tasks:
- name: Create backup
command:
cmd: systemctl start backup.service

View file

@ -1,18 +0,0 @@
server {
listen 80;
server_name pizzapim.nl;
index index.html index.htm;
root /var/www/blog;
location / {
try_files $uri $uri/ /index.html;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
}
error_page 404 /404.html;
}

View file

@ -1,4 +0,0 @@
dependencies:
- role: common
- role: docker
- role: traefik

View file

@ -1,3 +0,0 @@
service_name: blog
service_dir: "{{ base_service_dir }}/{{ service_name }}"
git_origin: https://git.pizzapim.nl/pim/blog.git

View file

@ -1,10 +0,0 @@
[Unit]
Description=Backup data daily
[Timer]
OnCalendar=*-*-* 3:00:00
Persistent=true
RandomizedDelaySec=1h
[Install]
WantedBy=timers.target

View file

@ -1,25 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
39646436383433653539316135323332303832633864366363313031636534353531386638323037
6364366663313964633239613261373733333736316534390a306262373634303536353365396138
35626433353935633534353636613232623531303765636139363139646265653361353164656363
3465316438373734330a636563346263633332353962353033336565356435353739646263343339
38633832343230393631633434323231313438336537383930646562356264346534663235323035
31643861306134663662353938643861393861333838633338613131363136333766353131313666
30393437616539643263386331343166636434323435666636386562353239373330336462653636
38306161393634356636613334323038366365626138326365303063313564653365313063643432
66306664356662326638363736366462343636393466303432323661323431393337306132386531
65663736643565363634373461666631356439373935353734636535636538626630666462653636
33363730626662313336633132393437666533363136643464653462646561393861376464366238
35383136333939653265366336356234613166353162366365346462633639396335653432353964
35303964633339356531343437393231303936623465383265666134316335666531636337383563
30326530396439363438396439313264643765366663343439646333326664633231626662666463
38616235353730346239396265306230623135626332636330666461333864306664346637396233
61343535396230363938306162313938363063353934323764656538666337656431363634333739
62373234356131373931333736373136343166636465643065643337386539376361383965343762
33633837626637393832366332343332303361306230626131346539323538383365316535666532
30666439643263653835666430393439396239333464336133316264323234643361336434343763
61306133373335353563646331303562326139613133356139366632363738316461633739333161
33666531653239626362363364346566373430656538356166346363333531656433393034333232
65353139623435383330353864336132313031656362386538626464313264333231653831373834
33363632616430303763616366356131323265313337323836396264623539316436616333383933
62653865623831626330

View file

@ -1,2 +0,0 @@
dependencies:
- role: common

View file

@ -1,38 +0,0 @@
- name: Install borg
apt:
pkg:
- borgbackup
- borgmatic
- name: Create borg service directory
file:
path: "{{ service_dir }}"
state: directory
- name: Copy borg backup configuration
template:
src: "{{ role_path }}/templates/backup.yml.j2"
dest: "{{ service_dir }}/backup.yml"
- name: Copy private key
copy:
src: "{{ role_path }}/files/id_ed25519"
dest: "{{ service_dir }}/id_ed25519"
mode: 0600
- name: Copy systemd timer backup service
template:
src: "{{ role_path }}/templates/backup.service.j2"
dest: "/etc/systemd/system/backup.service"
register: service
- name: Copy systemd timer backup timer
copy:
src: "{{ role_path }}/files/backup.timer"
dest: "/etc/systemd/system/backup.timer"
register: timer
- name: Enable systemd timer
systemd:
name: backup.timer
enabled: true
state: started
daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"
- name: Restore backup
command:
cmd: "borgmatic extract --archive latest --destination / --config {{ service_dir }}/backup.yml"
creates: /data

View file

@ -1,6 +0,0 @@
[Unit]
Description=Backup data using borgmatic
[Service]
ExecStart=/usr/bin/borgmatic --config {{ service_dir }}/backup.yml
Type=oneshot

Some files were not shown because too many files have changed in this diff Show more