From 111bf68a0a05af06afd7cdbe9d6965a452b92f49 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 25 Dec 2023 19:22:22 +0100 Subject: [PATCH] manage lewis with nix move docker swarm ansible to this repo move thecloud ansible to this repo support data disks in terraform --- .../projects/docker_swarm/ansible/README.md | 5 + .../projects/docker_swarm/ansible/ansible.cfg | 9 + .../ansible/inventory/group_vars/all.yml | 81 ++++++++ .../docker_swarm/ansible/inventory/hosts.yml | 13 ++ .../ansible/playbooks/remove_stack.yml | 9 + .../docker_swarm/ansible/playbooks/setup.yml | 72 +++++++ .../docker_swarm/ansible/playbooks/stacks.yml | 23 +++ .../ansible/playbooks/thecloud.yml | 25 +++ .../docker_swarm/ansible/requirements.yml | 14 ++ .../ansible/roles/ampache/docker-stack.yml.j2 | 56 ++++++ .../ansible/roles/ampache/tasks/main.yml | 5 + .../roles/cyberchef/docker-stack.yml.j2 | 20 ++ .../ansible/roles/cyberchef/tasks/main.yml | 5 + .../roles/discourse/docker-stack.yml.j2 | 106 ++++++++++ .../ansible/roles/discourse/tasks/main.yml | 5 + .../ansible/roles/discourse/vars/main.yml | 7 + .../ansible/roles/forgejo/app.ini.j2 | 109 ++++++++++ .../ansible/roles/forgejo/docker-stack.yml.j2 | 56 ++++++ .../ansible/roles/forgejo/tasks/main.yml | 13 ++ .../ansible/roles/forgejo/vars/main.yml | 23 +++ .../roles/freshrss/docker-stack.yml.j2 | 52 +++++ .../ansible/roles/freshrss/tasks/main.yml | 5 + .../ansible/roles/freshrss/vars/main.yml | 8 + .../roles/hedgedoc/docker-stack.yml.j2 | 44 ++++ .../ansible/roles/hedgedoc/tasks/main.yml | 5 + .../ansible/roles/hedgedoc/vars/main.yml | 10 + .../roles/inbucket/docker-stack.yml.j2 | 24 +++ .../ansible/roles/inbucket/tasks/main.yml | 5 + .../ansible/roles/jitsi/docker-stack.yml.j2 | 87 ++++++++ .../ansible/roles/jitsi/tasks/main.yml | 5 + .../ansible/roles/jitsi/vars/main.yml | 8 + .../roles/kitchenowl/docker-stack.yml.j2 | 45 +++++ .../ansible/roles/kitchenowl/tasks/main.yml | 5 + .../ansible/roles/kitchenowl/vars/main.yml | 7 + .../ansible/roles/kms/docker-stack.yml.j2 | 8 + .../ansible/roles/kms/tasks/main.yml | 5 + .../roles/mastodon/docker-stack.yml.j2 | 131 ++++++++++++ .../ansible/roles/mastodon/tasks/main.yml | 5 + .../ansible/roles/mastodon/vars/main.yml | 42 ++++ .../roles/monitoring/docker-stack.yml.j2 | 132 ++++++++++++ .../roles/monitoring/elasticsearch.yml.j2 | 35 ++++ .../ansible/roles/monitoring/fluent.conf.j2 | 35 ++++ .../ansible/roles/monitoring/tasks/main.yml | 21 ++ .../ansible/roles/monitoring/vars/main.yml | 8 + .../roles/nextcloud/docker-stack.yml.j2 | 40 ++++ .../ansible/roles/nextcloud/tasks/main.yml | 5 + .../roles/overleaf/docker-stack.yml.j2 | 112 +++++++++++ .../ansible/roles/overleaf/tasks/main.yml | 5 + .../ansible/roles/pihole/docker-stack.yml.j2 | 57 ++++++ .../ansible/roles/pihole/tasks/main.yml | 5 + .../ansible/roles/pihole/vars/main.yml | 8 + .../roles/radicale/docker-stack.yml.j2 | 61 ++++++ .../ansible/roles/radicale/radicale.conf | 24 +++ .../ansible/roles/radicale/tasks/main.yml | 21 ++ .../docker_swarm/ansible/roles/radicale/users | 1 + .../ansible/roles/seafile/docker-stack.yml.j2 | 73 +++++++ .../ansible/roles/seafile/tasks/main.yml | 5 + .../ansible/roles/seafile/vars/main.yml | 18 ++ .../roles/shephard/docker-stack.yml.j2 | 60 ++++++ .../ansible/roles/shephard/tasks/main.yml | 5 + .../ansible/roles/shephard/vars/main.yml | 1 + .../roles/swarm_dashboard/docker-stack.yml.j2 | 31 +++ .../roles/swarm_dashboard/tasks/main.yml | 5 + .../ansible/roles/syncthing/cert.pem | 45 +++++ .../ansible/roles/syncthing/config.xml.j2 | 189 ++++++++++++++++++ .../roles/syncthing/docker-stack.yml.j2 | 62 ++++++ .../ansible/roles/syncthing/key.pem | 20 ++ .../ansible/roles/syncthing/tasks/main.yml | 29 +++ .../ansible/roles/syncthing/vars/main.yml | 34 ++++ .../ansible/roles/traefik/docker-stack.yml.j2 | 135 +++++++++++++ .../ansible/roles/traefik/services.yml | 26 +++ .../ansible/roles/traefik/tasks/main.yml | 18 ++ legacy/projects/docker_swarm/{ => vm}/main.tf | 8 +- legacy/projects/hermes/vm/main.tf | 2 +- legacy/projects/thecloud/ansible/ansible.cfg | 8 + .../ansible/inventory/host_vars/thecloud.yml | 19 ++ .../thecloud/ansible/inventory/hosts.yml | 5 + .../thecloud/ansible/requirements.yml | 6 + .../roles/postgresql/handlers/main.yml | 4 + .../ansible/roles/postgresql/tasks/main.yml | 15 ++ legacy/projects/thecloud/ansible/thecloud.yml | 31 +++ legacy/projects/thecloud/data/main.tf | 32 +++ legacy/projects/thecloud/vm/main.tf | 40 ++++ legacy/terraform_modules/README.md | 2 +- .../debian/files/cloud_init.cfg.tftpl | 16 +- legacy/terraform_modules/debian/main.tf | 9 + legacy/terraform_modules/debian/variables.tf | 5 + legacy/terraform_modules/setup/data/main.tf | 13 ++ machines/default.nix | 32 +-- secrets/lewis_host_ed25519.age | Bin 0 -> 611 bytes secrets/lewis_user_ed25519.age | 9 + secrets/secrets.nix | 17 +- 92 files changed, 2730 insertions(+), 26 deletions(-) create mode 100644 legacy/projects/docker_swarm/ansible/README.md create mode 100644 legacy/projects/docker_swarm/ansible/ansible.cfg create mode 100644 legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml create mode 100644 legacy/projects/docker_swarm/ansible/inventory/hosts.yml create mode 100644 legacy/projects/docker_swarm/ansible/playbooks/remove_stack.yml create mode 100644 legacy/projects/docker_swarm/ansible/playbooks/setup.yml create mode 100644 legacy/projects/docker_swarm/ansible/playbooks/stacks.yml create mode 100644 legacy/projects/docker_swarm/ansible/playbooks/thecloud.yml create mode 100644 legacy/projects/docker_swarm/ansible/requirements.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/ampache/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/cyberchef/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/cyberchef/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/discourse/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/discourse/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/discourse/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/forgejo/app.ini.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/forgejo/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/forgejo/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/freshrss/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/freshrss/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/hedgedoc/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/hedgedoc/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/inbucket/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/inbucket/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/jitsi/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/jitsi/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/jitsi/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/kitchenowl/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/kitchenowl/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/kms/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/kms/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/mastodon/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/mastodon/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/nextcloud/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/overleaf/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/pihole/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/pihole/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/radicale/radicale.conf create mode 100644 legacy/projects/docker_swarm/ansible/roles/radicale/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/radicale/users create mode 100644 legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/seafile/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/seafile/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/shephard/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/shephard/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/shephard/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/syncthing/cert.pem create mode 100644 legacy/projects/docker_swarm/ansible/roles/syncthing/config.xml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/syncthing/key.pem create mode 100644 legacy/projects/docker_swarm/ansible/roles/syncthing/tasks/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/syncthing/vars/main.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2 create mode 100644 legacy/projects/docker_swarm/ansible/roles/traefik/services.yml create mode 100644 legacy/projects/docker_swarm/ansible/roles/traefik/tasks/main.yml rename legacy/projects/docker_swarm/{ => vm}/main.tf (84%) create mode 100644 legacy/projects/thecloud/ansible/ansible.cfg create mode 100644 legacy/projects/thecloud/ansible/inventory/host_vars/thecloud.yml create mode 100644 legacy/projects/thecloud/ansible/inventory/hosts.yml create mode 100644 legacy/projects/thecloud/ansible/requirements.yml create mode 100644 legacy/projects/thecloud/ansible/roles/postgresql/handlers/main.yml create mode 100644 legacy/projects/thecloud/ansible/roles/postgresql/tasks/main.yml create mode 100644 legacy/projects/thecloud/ansible/thecloud.yml create mode 100644 legacy/projects/thecloud/data/main.tf create mode 100644 legacy/projects/thecloud/vm/main.tf create mode 100644 legacy/terraform_modules/setup/data/main.tf create mode 100644 secrets/lewis_host_ed25519.age create mode 100644 secrets/lewis_user_ed25519.age diff --git a/legacy/projects/docker_swarm/ansible/README.md b/legacy/projects/docker_swarm/ansible/README.md new file mode 100644 index 0000000..3be06a4 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/README.md @@ -0,0 +1,5 @@ +# shoarma ansible + +This requires a rootless docker daemon on the Ansible host. +See: https://docs.docker.com/engine/security/rootless/ +Also you need jsondiff for docker stack. diff --git a/legacy/projects/docker_swarm/ansible/ansible.cfg b/legacy/projects/docker_swarm/ansible/ansible.cfg new file mode 100644 index 0000000..2411e3a --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/ansible.cfg @@ -0,0 +1,9 @@ +[defaults] +roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles +inventory=inventory +interpreter_python=/usr/bin/python3 +remote_user = root +vault_password_file=$HOME/.config/home/ansible-vault-secret + +[diff] +always = True diff --git a/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml b/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml new file mode 100644 index 0000000..ad74503 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml @@ -0,0 +1,81 @@ +data_directory_base: /mnt/data +git_ssh_port: 56287 +elasticsearch_port: 14653 +fluent_forward_port: 24224 +concourse_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSVLcr617iJt+hqLFSsOQy1JeueLIAj1eRfuI+KeZAu pim@x260" + +nfs_shares: + - name: nextcloud_data + path: /mnt/data/nextcloud/data + - name: radicale + path: /mnt/data/radicale + - name: freshrss_data + path: /mnt/data/freshrss/data + - name: freshrss_extensions + path: /mnt/data/freshrss/extensions + - name: pihole_data + path: /mnt/data/pihole/data + - name: pihole_dnsmasq + path: /mnt/data/pihole/dnsmasq + - name: hedgedoc_uploads + path: /mnt/data/hedgedoc/uploads + - name: traefik_acme + path: /mnt/data/traefik/acme + - name: seafile_data + path: /mnt/data/seafile/data + - name: seafile_db + path: /mnt/data/seafile/db + - name: mastodon_system + path: /mnt/data/mastodon/system + - name: mastodon_redis + path: /mnt/data/mastodon/redis + - name: forgejo + path: /mnt/data/forgejo + - name: overleaf + path: /mnt/data/overleaf/data + - name: overleaf_redis + path: /mnt/data/overleaf/redis + - name: overleaf_mongodb + path: /mnt/data/overleaf/mongodb + - name: prometheus_data + path: /mnt/data/prometheus/data + - name: elasticsearch_certs + path: /mnt/data/elasticsearch/certs + - name: elasticsearch_data + path: /mnt/data/elasticsearch/data + - name: grafana_data + path: /mnt/data/grafana/data + - name: kitchenowl_data + path: /mnt/data/kitchenowl/data + - name: ampache_mysql + path: /mnt/data/ampache/mysql + - name: ampache_config + path: /mnt/data/ampache/config + - name: music + path: /mnt/data/nextcloud/data/data/pim/files/Music + +database_passwords: + nextcloud: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66326230303135303930363761316534313439383365376231623661316635393839336431313262 + 3832626365376533646561653863316364313135343366330a356136343938666133356532613263 + 39663037623232363266376335643834353735363431636535386566643763386463353962663930 + 3466343563353162320a376437353933656166323364323166376663323531373338656563653463 + 33346263626430616164613937363836343430383233393061643231346661656539623938333631 + 3632373964346139316637663364646132636636373461613534 + hedgedoc: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63363464666633663762393135333362613966636338623533393132376338343339653431396465 + 6634643863623163366235393434343662313735363438610a373065363361326565633766633835 + 38383637343230363031636634623930666365333739323162313937656239646166613738393965 + 3533666462303563360a313233306335396234393932396331313238376464363964363839396164 + 66366662356135343035363935616664613831626131376330643133313530636431613266636165 + 6265613666616164373637356235396165383662333561393939 + mastodon: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63616366396665663161376161373735626466353464393963333136336335376662326232613639 + 6166333137376131633761623163306165386562666639640a313136386431373161306331626638 + 34643433396232383962643964386631313632393161316261353331346163333261336666646563 + 6232666231653732630a396638396462323464613033306662313463663262626430363432663465 + 63623935303861663565633739363539326435623561396535623034663735373232336633303037 + 6266323136316238343963613332396261346337646264646162 diff --git a/legacy/projects/docker_swarm/ansible/inventory/hosts.yml b/legacy/projects/docker_swarm/ansible/inventory/hosts.yml new file mode 100644 index 0000000..68ec87a --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/inventory/hosts.yml @@ -0,0 +1,13 @@ +all: + hosts: + manager: + ansible_host: maestro.dmz + thecloud: + ansible_host: thecloud.dmz + children: + workers: + hosts: + bancomart: + ansible_host: bancomart.dmz + vpay: + ansible_host: vpay.dmz diff --git a/legacy/projects/docker_swarm/ansible/playbooks/remove_stack.yml b/legacy/projects/docker_swarm/ansible/playbooks/remove_stack.yml new file mode 100644 index 0000000..3f505ce --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/playbooks/remove_stack.yml @@ -0,0 +1,9 @@ +--- +- name: Remove a Docker swarm stack + hosts: manager + + tasks: + - name: Remove the stack + docker_stack: + name: "{{ stack }}" + state: absent diff --git a/legacy/projects/docker_swarm/ansible/playbooks/setup.yml b/legacy/projects/docker_swarm/ansible/playbooks/setup.yml new file mode 100644 index 0000000..56ae015 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/playbooks/setup.yml @@ -0,0 +1,72 @@ +--- +- name: Wait for Cloud-init to finish + hosts: manager, workers + gather_facts: no + roles: + - cloudinit_wait + +- name: Initialize Docker Swarm nodes + hosts: manager, workers + pre_tasks: + - name: Delete externally managed environment file + shell: + cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED" + register: rm + changed_when: "rm.rc == 0" + failed_when: "false" + + roles: + - setup_apt + + post_tasks: + - name: Install Docker + include_role: + name: docker + vars: + docker_daemon_config: {} + # log-driver: fluentd + # log-opts: + # fluentd-address: "localhost:22222" + # tag: "docker.{{ '{{' }}.Name{{ '}}' }}" + +- name: Setup Docker Swarm manager + hosts: manager + tasks: + - name: Install pip packages + pip: + name: + - jsondiff + - pyyaml + + - name: Create Docker Swarm + docker_swarm: + + - name: Get Docker Swarm manager info + docker_swarm_info: + nodes: yes + nodes_filters: + name: manager + register: swarm_info + +- hosts: workers + tasks: + - name: Join Docker Swarm + docker_swarm: + state: join + join_token: "{{ hostvars.manager.swarm_info.swarm_facts.JoinTokens.Worker }}" + remote_addrs: + - "{{ hostvars.manager.ansible_default_ipv4.address }}" + +- hosts: manager + tasks: + - name: Add concourse to authorized keys + authorized_key: + user: root + key: "{{ concourse_public_key }}" + +- hosts: manager, workers + tasks: + - name: Increase vm.max_map_count + sysctl: + name: vm.max_map_count + value: 262144 diff --git a/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml b/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml new file mode 100644 index 0000000..f931587 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/playbooks/stacks.yml @@ -0,0 +1,23 @@ +--- +- name: Start Docker stacks + hosts: manager + roles: + - {role: traefik, tags: traefik} + - {role: forgejo, tags: forgejo} + # - {role: seafile, tags: seafile} + - {role: radicale, tags: radicale} + # - {role: mastodon, tags: mastodon} + - {role: freshrss, tags: freshrss} + - {role: hedgedoc, tags: hedgedoc} + # - {role: overleaf, tags: overleaf} + - {role: cyberchef, tags: cyberchef} + - {role: inbucket, tags: inbucket} + - {role: kms, tags: kms} + - {role: swarm_dashboard, tags: swarm_dashboard} + # - {role: shephard, tags: shephard} + - {role: pihole, tags: pihole} + - {role: nextcloud, tags: nextcloud} + - {role: syncthing, tags: syncthing} + # - {role: monitoring, tags: monitoring} + - {role: kitchenowl, tags: kitchenowl} + # - {role: ampache, tags: ampache} diff --git a/legacy/projects/docker_swarm/ansible/playbooks/thecloud.yml b/legacy/projects/docker_swarm/ansible/playbooks/thecloud.yml new file mode 100644 index 0000000..7957bf8 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/playbooks/thecloud.yml @@ -0,0 +1,25 @@ +--- +- name: Create databases and NFS shares + hosts: thecloud + handlers: + - name: reload nfs + systemd: + name: nfs-kernel-server + state: restarted + + tasks: + - name: Create nfs shares + with_items: "{{ nfs_shares }}" + copy: + dest: "/etc/exports.d/{{ item.name }}.exports" + content: "{{ item.path }} *(rw,sync,no_subtree_check,no_root_squash)" + notify: reload nfs + + - name: Create databases + with_items: "{{ database_passwords | dict2items }}" + include_role: + name: postgresql_database + vars: + database_name: "{{ item.key }}" + database_user: "{{ item.key }}" + database_password: "{{ item.value }}" diff --git a/legacy/projects/docker_swarm/ansible/requirements.yml b/legacy/projects/docker_swarm/ansible/requirements.yml new file mode 100644 index 0000000..eb97f58 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/requirements.yml @@ -0,0 +1,14 @@ +--- +roles: + - name: setup_apt + src: https://github.com/sunscrapers/ansible-role-apt.git + scm: git + - name: docker + src: https://git.kun.is/pim/ansible-role-docker + scm: git + - name: cloudinit_wait + src: https://git.kun.is/pim/ansible-role-cloudinit-wait + scm: git + - name: postgresql_database + src: https://git.kun.is/home/ansible-role-postgresql-database + scm: git diff --git a/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2 new file mode 100644 index 0000000..0b5a2e7 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2 @@ -0,0 +1,56 @@ +# vi: ft=yaml +version: '3.7' + +networks: + traefik: + external: true + +volumes: + ampache_mysql: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/ampache/mysql" + ampache_config: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/ampache/config" + music: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/nextcloud/data/data/pim/files/Music" + +services: + ampache: + image: ampache/ampache:6 + volumes: + - type: volume + source: ampache_mysql + target: /var/lib/mysql + volume: + nocopy: true + - type: volume + source: ampache_config + target: /var/www/config + volume: + nocopy: true + - type: volume + source: music + target: /media + read_only: true + volume: + nocopy: true + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.ampache.entrypoints=websecure + - traefik.http.routers.ampache.rule=Host(`music.kun.is`) + - traefik.http.routers.ampache.tls=true + - traefik.http.routers.ampache.tls.certresolver=letsencrypt + - traefik.http.routers.ampache.service=ampache + - traefik.http.services.ampache.loadbalancer.server.port=80 + - traefik.docker.network=traefik diff --git a/legacy/projects/docker_swarm/ansible/roles/ampache/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/ampache/tasks/main.yml new file mode 100644 index 0000000..3e730ce --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/ampache/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: ampache + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/cyberchef/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/cyberchef/docker-stack.yml.j2 new file mode 100644 index 0000000..209b2b3 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/cyberchef/docker-stack.yml.j2 @@ -0,0 +1,20 @@ +# vi: ft=yaml +version: "3.7" + +networks: + traefik: + external: true + +services: + cyberchef: + image: mpepping/cyberchef + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.cyberchef.entrypoints=websecure + - traefik.http.services.cyberchef.loadbalancer.server.port=8000 + - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`) + - traefik.http.routers.cyberchef.tls=true + - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt diff --git a/legacy/projects/docker_swarm/ansible/roles/cyberchef/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/cyberchef/tasks/main.yml new file mode 100644 index 0000000..553f2e8 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/cyberchef/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: cyberchef + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/discourse/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/discourse/docker-stack.yml.j2 new file mode 100644 index 0000000..4736a50 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/discourse/docker-stack.yml.j2 @@ -0,0 +1,106 @@ +# vi: ft=yaml +version: '3' + +networks: + traefik: + external: true + discourse: + +services: + discourse-app: + image: tiredofit/discourse:latest + deploy: + placement: + constraints: + - "node.labels.discourse == true" + labels: + - traefik.enable=true + - traefik.http.routers.discourse.entrypoints=localsecure + - traefik.http.routers.discourse.rule=Host(`tuindersweijde.geokunis2.nl`) + - traefik.http.services.discourse.loadbalancer.server.port=3000 + - traefik.http.routers.discourse.tls=true + - traefik.http.routers.discourse.tls.certresolver=letsencrypt + volumes: + - type: bind + source: /mnt/data/discourse/logs + target: /data/logs + - type: bind + source: /mnt/data/discourse/uploads + target: /data/uploads + - type: bind + source: /mnt/data/discourse/backups + target: /data/backups + environment: + - TIMEZONE=Europe/Amsterdam + - CONTAINER_NAME=discourse-app + + - DB_HOST=discourse-db + - DB_NAME=discourse + - DB_USER=discourse + - DB_PASS={{ database_password }} + + - REDIS_HOST=discourse-redis + - SITE_HOSTNAME=discourse.pim.kunis.nl + + - SMTP_PORT=25 + - SMTP_HOST=smtp.tweak.nl + + - DEVELOPER_EMAILS=niels@kunis.nl + networks: + - traefik + - discourse + + discourse-db: + image: tiredofit/postgres:15-latest + deploy: + placement: + constraints: + - "node.labels.discourse == true" + volumes: + - type: bind + source: /mnt/data/discourse/database + target: /var/lib/postgresql/data + environment: + - TIMEZONE=Europe/Amsterdam + - CONTAINER_NAME=discourse-db + + - POSTGRES_DB=discourse + - POSTGRES_USER=discourse + - POSTGRES_PASSWORD={{ database_password }} + - SUPERUSER_PASS={{ database_password }} + networks: + - discourse + + discourse-redis: + image: tiredofit/redis:7 + deploy: + placement: + constraints: + - "node.labels.discourse == true" + volumes: + - type: bind + source: /mnt/data/discourse/redis + target: /var/lib/redis + environment: + - TIMEZONE=Europe/Amsterdam + - CONTAINER_NAME=discourse-redis + networks: + - discourse + + # discourse-db-backup: + # image: tiredofit/db-backup + # volumes: + # - ./dbbackup:/backup + # environment: + # - TIMEZONE=America/Vancouver + # - CONTAINER_NAME=discourse-db-backup + # - DB_HOST=discourse-db + # - DB_TYPE=postgres + # - DB_NAME=discourse + # - DB_USER=discourse + # - DB_PASS=password + # - DB_DUMP_FREQ=1440 + # - DB_DUMP_BEGIN=0000 + # - DB_CLEANUP_TIME=8640 + # networks: + # - discourse \ No newline at end of file diff --git a/legacy/projects/docker_swarm/ansible/roles/discourse/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/discourse/tasks/main.yml new file mode 100644 index 0000000..c7c9a16 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/discourse/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: discourse + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/discourse/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/discourse/vars/main.yml new file mode 100644 index 0000000..05d4fef --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/discourse/vars/main.yml @@ -0,0 +1,7 @@ +database_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 32323538323136633363393961343364363933396431376437633361333232383938336531396537 + 3730306164303364363739376633633431383534646135380a326663396338396461623037613637 + 37666630333433393764373864346262383536656664343631386234386438333263626166363633 + 3735633562323361330a353735366562663631363634343438326562646533663839383932343263 + 38366538336466373733313130616330326238653966623037343336326132356565 diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/app.ini.j2 b/legacy/projects/docker_swarm/ansible/roles/forgejo/app.ini.j2 new file mode 100644 index 0000000..f33b650 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/app.ini.j2 @@ -0,0 +1,109 @@ +APP_NAME = Forgejo: Beyond coding. We forge. +RUN_MODE = prod +RUN_USER = git +WORK_PATH=/data/gitea + +[repository] +ROOT = /data/git/repositories +DEFAULT_BRANCH = master + +[repository.local] +LOCAL_COPY_PATH = /data/gitea/tmp/local-repo + +[repository.upload] +TEMP_PATH = /data/gitea/uploads + +[server] +APP_DATA_PATH = /data/gitea +DOMAIN = {{ git_domain }} +SSH_DOMAIN = {{ git_domain }} +HTTP_PORT = 3000 +ROOT_URL = {{ root_url }} +DISABLE_SSH = false +SSH_PORT = {{ git_ssh_port }} +SSH_LISTEN_PORT = 22 +LFS_START_SERVER = true +LFS_JWT_SECRET = {{ lfs_jwt_secret }} +OFFLINE_MODE = false + +[database] +PATH = /data/gitea/gitea.db +DB_TYPE = sqlite3 +HOST = localhost:3306 +NAME = gitea +USER = root +PASSWD = +LOG_SQL = false +SCHEMA = +SSL_MODE = disable +CHARSET = utf8 + +[indexer] +ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve +ISSUE_INDEXER_TYPE = db + +[session] +PROVIDER_CONFIG = /data/gitea/sessions +PROVIDER = file + +[picture] +AVATAR_UPLOAD_PATH = /data/gitea/avatars +REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars +ENABLE_FEDERATED_AVATAR = false + +[attachment] +PATH = /data/gitea/attachments + +[log] +MODE = console +LEVEL = info +logger.router.MODE = console +ROOT_PATH = /data/gitea/log +logger.access.MODE=console + +[security] +INSTALL_LOCK = true +SECRET_KEY = +REVERSE_PROXY_LIMIT = 1 +REVERSE_PROXY_TRUSTED_PROXIES = * +INTERNAL_TOKEN = {{ internal_token }} +PASSWORD_HASH_ALGO = pbkdf2 + +[service] +DISABLE_REGISTRATION = true +REQUIRE_SIGNIN_VIEW = false +REGISTER_EMAIL_CONFIRM = false +ENABLE_NOTIFY_MAIL = false +ALLOW_ONLY_EXTERNAL_REGISTRATION = false +ENABLE_CAPTCHA = false +DEFAULT_KEEP_EMAIL_PRIVATE = true +DEFAULT_ALLOW_CREATE_ORGANIZATION = true +DEFAULT_ENABLE_TIMETRACKING = true +NO_REPLY_ADDRESS = noreply.localhost + +[lfs] +PATH = /data/git/lfs + +[mailer] +ENABLED = true +SMTP_ADDR = {{ mailer_host }} +SMTP_PORT = 587 +FROM = {{ mailer_from }} +USER = +PASSWD = + +[openid] +ENABLE_OPENID_SIGNIN = true +ENABLE_OPENID_SIGNUP = false + +[repository.pull-request] +DEFAULT_MERGE_STYLE = merge + +[repository.signing] +DEFAULT_TRUST_MODEL = committer + +[ui] +DEFAULT_THEME = forgejo-light + +[oauth2] +ENABLE=false diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2 new file mode 100644 index 0000000..fe4dd53 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2 @@ -0,0 +1,56 @@ +# vi: ft=yaml +version: "3" + +networks: + traefik: + external: true + +configs: + config: + external: true + name: "{{ config.config_name }}" + +volumes: + forgejo: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/forgejo" + +services: + forgejo: + image: codeberg.org/forgejo/forgejo:1.20 + environment: + - USER_UID=1000 + - USER_GID=1000 + networks: + - traefik + ports: + - "{{ git_ssh_port }}:22" + volumes: + - type: volume + source: forgejo + target: /data + volume: + nocopy: true + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + deploy: + placement: + constraints: + - node.role == manager + labels: + - traefik.port=443 + - traefik.enable=true + - traefik.http.routers.forgejo.entrypoints=websecure + - traefik.http.routers.forgejo.rule=Host(`{{ git_domain }}`) + - traefik.http.routers.forgejo.tls=true + - traefik.http.routers.forgejo.tls.certresolver=letsencrypt + - traefik.http.routers.forgejo.service=forgejo + - traefik.http.services.forgejo.loadbalancer.server.port=3000 + - traefik.docker.network=traefik + - traefik.http.middlewares.set-forwarded-for.headers.hostsProxyHeaders=X-Forwarded-For + - traefik.http.routers.forgejo.middlewares=set-forwarded-for + configs: + - source: config + target: /data/gitea/conf/app.ini diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/forgejo/tasks/main.yml new file mode 100644 index 0000000..0e47f9e --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/tasks/main.yml @@ -0,0 +1,13 @@ +- name: Create Docker config + docker_config: + name: forgejo_config + data: "{{ lookup('template', '{{ role_path }}/app.ini.j2') }}" + use_ssh_client: true + rolling_versions: true + register: config + +- name: Deploy Docker stack + docker_stack: + name: forgejo + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/forgejo/vars/main.yml new file mode 100644 index 0000000..20376a9 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/vars/main.yml @@ -0,0 +1,23 @@ +git_domain: "git.kun.is" +root_url: "https://{{ git_domain }}" +mailer_host: "smtp.tweak.nl" +mailer_from: "git@kunis.nl" +lfs_jwt_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66613032363837346461326131303839646332646233633736623865346135623739343233396165 + 6530326162323466623939393133623336366466343837620a613532616365646137326138383235 + 32313264653262656564336531646662323039623865393366616536633531306430336137313862 + 3361373539373561390a653236306433393737616561306236343362396438366134313032656233 + 35626364373961613361366138383566353463626136393861383934326263383336393766623063 + 3434656437663165376635326139383065383861386133623765 +internal_token: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62633334656235613035343830326237633637626639363465313861323734393766636464303862 + 3936306561343863316630616164616537323537333262650a336337303232623832636666353038 + 64313134383330646537356432383332386238373835656663313431373939373630373566396339 + 6561643037383666340a643464326531623731303564646464376239613263643761643766623930 + 37623362326561346262306331376663313661633635323435333339396138383134303364306532 + 37353264363737643965643932356336633734316534303262336461313038626538396536333964 + 36353635323731353061393430656166363263366437313434336139616666326335633037663336 + 37353665613938613731316330396461343632643039643864343164303937613263343262623964 + 33366364636339623633653035313736653563363064646233383437373431373232 diff --git a/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2 new file mode 100644 index 0000000..2a23a77 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2 @@ -0,0 +1,52 @@ +# vi: ft=yaml +version: "3" + +networks: + traefik: + external: true + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/freshrss/data" + extensions: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/freshrss/extensions" + +services: + freshrss: + image: freshrss/freshrss:edge + networks: + - traefik + volumes: + - type: volume + source: data + target: /var/www/FreshRSS/data + volume: + nocopy: true + - type: volume + source: extensions + target: /var/www/FreshRSS/extensions + volume: + nocopy: true + environment: + TZ: Europe/Amsterdam + CRON_MIN: '2,32' + ADMIN_EMAIL: pim@kunis.nl + ADMIN_PASSWORD: {{ admin_password }} + ADMIN_API_PASSWORD: {{ admin_password }} + PUBLISHED_PORT: 443 + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.freshrss.entrypoints=websecure + - traefik.http.routers.freshrss.rule=Host(`rss.kun.is`) + - traefik.http.routers.freshrss.tls=true + - traefik.http.routers.freshrss.tls.certresolver=letsencrypt + - traefik.http.routers.freshrss.service=freshrss + - traefik.http.services.freshrss.loadbalancer.server.port=80 + - traefik.docker.network=traefik diff --git a/legacy/projects/docker_swarm/ansible/roles/freshrss/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/freshrss/tasks/main.yml new file mode 100644 index 0000000..ac6c8bd --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/freshrss/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: freshrss + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/freshrss/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/freshrss/vars/main.yml new file mode 100644 index 0000000..0a4891c --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/freshrss/vars/main.yml @@ -0,0 +1,8 @@ +admin_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38363734333534376665616439306566613632303739373661333338356533653334323366326130 + 3031316133383432366639613565656134666338326639360a633263363066613964643665316334 + 63373830663239393137653131326630326465343333346430376536393162383836333130353562 + 3336306561636134650a646433633063316431643466326161303666313765323034343233646566 + 66613330616463346561343561616438643763643465373839303861356133313831303338356430 + 6634653635383833303265316662663631376163636134666565 diff --git a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2 new file mode 100644 index 0000000..346ec26 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2 @@ -0,0 +1,44 @@ +# vi: ft=yaml +version: '3' + +networks: + traefik: + external: true + +volumes: + uploads: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/hedgedoc/uploads" + +services: + hedgedoc: + image: quay.io/hedgedoc/hedgedoc:1.9.7 + environment: + - CMD_DB_URL=postgres://hedgedoc:{{ database_passwords.hedgedoc }}@192.168.30.10:5432/hedgedoc + - CMD_DOMAIN=md.kun.is + - CMD_PORT=3000 + - CMD_URL_ADDPORT=false + - CMD_ALLOW_ANONYMOUS=true + - CMD_ALLOW_EMAIL_REGISTER=false + - CMD_PROTOCOL_USESSL=true + - CMD_SESSION_SECRET={{ session_secret }} + volumes: + - type: volume + source: uploads + target: /hedgedoc/public/uploads + volume: + nocopy: true + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.hedgedoc.entrypoints=websecure + - traefik.http.routers.hedgedoc.rule=Host(`md.kun.is`) + - traefik.http.routers.hedgedoc.tls=true + - traefik.http.routers.hedgedoc.tls.certresolver=letsencrypt + - traefik.http.routers.hedgedoc.service=hedgedoc + - traefik.http.services.hedgedoc.loadbalancer.server.port=3000 + - traefik.docker.network=traefik diff --git a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/tasks/main.yml new file mode 100644 index 0000000..e3ca514 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: hedgedoc + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/vars/main.yml new file mode 100644 index 0000000..56fb537 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/vars/main.yml @@ -0,0 +1,10 @@ +session_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30633835386265643561343033326536653166343630396139303137613138383233666565666330 + 3032613865333836656566626435383165396539323837350a376331306464643766373839386638 + 65653865343539633636323833343964636332636461386434386432306230343833343431363134 + 6563373138626637650a633932313862326231666330343662343765666166373961376237396434 + 33396131353830323063326266623862353731653665626466653335656434303033353333353164 + 61613535373037646565386131383631366338616565373261396136616433393462313537313861 + 35313661616365373231373963323865393635626132343138363230313431636333363130346239 + 32656335333635613736 diff --git a/legacy/projects/docker_swarm/ansible/roles/inbucket/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/inbucket/docker-stack.yml.j2 new file mode 100644 index 0000000..4a35d2a --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/inbucket/docker-stack.yml.j2 @@ -0,0 +1,24 @@ +# vi: ft=yaml +version: "3.7" + +networks: + traefik: + external: true + +services: + inbucket: + image: inbucket/inbucket + networks: + - traefik + ports: + - 2500:2500 + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.inbucket.entrypoints=localsecure + - traefik.http.routers.inbucket.rule=Host(`inbucket.geokunis2.nl`) + - traefik.http.routers.inbucket.service=inbucket + - traefik.http.routers.inbucket.tls=true + - traefik.http.routers.inbucket.tls.certresolver=letsencrypt + - traefik.docker.network=traefik + - traefik.http.services.inbucket.loadbalancer.server.port=9000 diff --git a/legacy/projects/docker_swarm/ansible/roles/inbucket/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/inbucket/tasks/main.yml new file mode 100644 index 0000000..ffcad7e --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/inbucket/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: inbucket + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/jitsi/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/jitsi/docker-stack.yml.j2 new file mode 100644 index 0000000..0eaa9ac --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/jitsi/docker-stack.yml.j2 @@ -0,0 +1,87 @@ +# vi: ft=yaml +version: '3.5' + +networks: + traefik: + external: true + jitsi: + +services: + web: + image: jitsi/web:stable-8218 + environment: + - DISABLE_HTTPS=1 + - ENABLE_AUTH=0 + - ENABLE_GUESTS=1 + - ENABLE_IPV6=1 + - ENABLE_LETSENCRYPT=0 + - PUBLIC_URL=https://meet.pim.kunis.nl + - TZ=Europe/Amsterdam + networks: + - jitsi + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.jitsi-web.entrypoints=websecure + - traefik.http.routers.jitsi-web.rule=Host(`meet.pim.kunis.nl`) + - traefik.http.routers.jitsi-web.tls=true + - traefik.http.routers.jitsi-web.tls.certresolver=letsencrypt + - traefik.http.services.jitsi-web.loadbalancer.server.port=80 + - traefik.http.routers.jitsi-web.service=jitsi-web + - traefik.docker.network=traefik + + prosody: + image: jitsi/prosody:stable-8218 + expose: + - '5222' + - '5347' + - '5280' + environment: + - AUTH_TYPE=internal + - ENABLE_AUTH=0 + - ENABLE_GUESTS=1 + - ENABLE_IPV6=1 + - ENABLE_LOBBY=1 + - JIBRI_RECORDER_PASSWORD={{ jitsi_password }} + - JIBRI_XMPP_PASSWORD={{ jitsi_password }} + - JICOFO_AUTH_PASSWORD={{ jitsi_password }} + - JIGASI_XMPP_PASSWORD={{ jitsi_password }} + - JVB_AUTH_PASSWORD={{ jitsi_password }} + - PUBLIC_URL=https://meet.pim.kunis.nl + - TZ=Europe/Amsterdam + networks: + jitsi: + aliases: + - xmpp.meet.jitsi + + jicofo: + image: jitsi/jicofo:stable-8218 + environment: + - AUTH_TYPE=internal + - ENABLE_AUTH=0 + - JICOFO_AUTH_PASSWORD={{ jitsi_password }} + - SENTRY_DSN=0 + - TZ=Europe/Amsterdam + depends_on: + - prosody + networks: + - jitsi + + jvb: + image: jitsi/jvb:stable-8218 + ports: + - '54562:54562/udp' + environment: + - JVB_ADVERTISE_IPS=84.245.14.149,192.168.30.8 + - JVB_AUTH_PASSWORD={{ jitsi_password }} + - JVB_PORT=54562 + - PUBLIC_URL=https://meet.pim.kunis.nl + - SENTRY_DSN=0 + - COLIBRI_REST_ENABLED=0 + - TZ=Europe/Amsterdam + depends_on: + - prosody + networks: + - jitsi + - traefik diff --git a/legacy/projects/docker_swarm/ansible/roles/jitsi/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/jitsi/tasks/main.yml new file mode 100644 index 0000000..1e46217 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/jitsi/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: jitsi + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/jitsi/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/jitsi/vars/main.yml new file mode 100644 index 0000000..090d3aa --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/jitsi/vars/main.yml @@ -0,0 +1,8 @@ +jitsi_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66633139653639396435333239316536326366613338646531373063306333383562613462316561 + 6630373435326631376362643961343936626238663332630a623631613532366539633637333032 + 35383031306566613466643066366361663039633864643733356366386339366265326237653739 + 3062313832313638330a636131393130646564366563626430346436656236333961306363633435 + 39353934386631633132306562396430303738393235656363356666663934626161363365343162 + 6130346338333734653961633037386133396332643831363939 diff --git a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2 new file mode 100644 index 0000000..1f4a57e --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2 @@ -0,0 +1,45 @@ +# vi: ft=yaml +version: '3.7' + +networks: + traefik: + external: true + kitchenowl: + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/kitchenowl/data" + +services: + front: + image: tombursch/kitchenowl-web:v0.4.17 + depends_on: + - back + networks: + - traefik + - kitchenowl + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.kitchenowl.entrypoints=websecure + - traefik.http.routers.kitchenowl.rule=Host(`boodschappen.kun.is`) + - traefik.http.routers.kitchenowl.tls=true + - traefik.http.routers.kitchenowl.tls.certresolver=letsencrypt + - traefik.http.routers.kitchenowl.service=kitchenowl + - traefik.http.services.kitchenowl.loadbalancer.server.port=80 + - traefik.docker.network=traefik + back: + image: tombursch/kitchenowl:v88 + networks: + - kitchenowl + environment: + - JWT_SECRET_KEY={{ jwt_secret_key }} + volumes: + - type: volume + source: data + target: /data + volume: + nocopy: true diff --git a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/tasks/main.yml new file mode 100644 index 0000000..67a45e9 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: kitchenowl + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/vars/main.yml new file mode 100644 index 0000000..4317036 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/vars/main.yml @@ -0,0 +1,7 @@ +jwt_secret_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 37376338663532376135613331303737626633666138643132316336306164393134633639303865 + 3134613830323335663466373262316262353464323535300a636163633439323035643033623363 + 36316361656133663235333834343233363134313938656664356538366166653336656562623664 + 3332393330616636630a646139393937313932373963623764346134323635336539346562346635 + 36613637396133383664323561666464346336386233363434653765356334633831 diff --git a/legacy/projects/docker_swarm/ansible/roles/kms/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/kms/docker-stack.yml.j2 new file mode 100644 index 0000000..a42d741 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/kms/docker-stack.yml.j2 @@ -0,0 +1,8 @@ +# vi: ft=yaml +version: '3.7' + +services: + kms: + image: teddysun/kms + ports: + - 1688:1688 diff --git a/legacy/projects/docker_swarm/ansible/roles/kms/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/kms/tasks/main.yml new file mode 100644 index 0000000..9e1738c --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/kms/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: kms + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2 new file mode 100644 index 0000000..c00ecd9 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2 @@ -0,0 +1,131 @@ +# vi: ft=yaml +version: '3' + +networks: + traefik: + external: true + mastodon: + +volumes: + system: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/mastodon/system" + redis: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/mastodon/redis" + +services: + redis: + image: redis:7-alpine + networks: + mastodon: + aliases: + - redis + healthcheck: + test: ['CMD', 'redis-cli', 'ping'] + volumes: + - type: volume + source: redis + target: /data + volume: + nocopy: true + + web: + image: tootsuite/mastodon:v4.1 + environment: + - 'OTP_SECRET={{ otp_secret }}' + - 'SECRET_KEY_BASE={{ secret_key_base }}' + - 'REDIS_HOST=redis' + - 'DB_HOST=192.168.30.10' + - 'DB_USER=mastodon' + - 'DB_NAME=mastodon' + - 'DB_PASS={{ database_passwords.mastodon }}' + - 'VAPID_PRIVATE_KEY={{ vapid_private_key }}' + - 'VAPID_PUBLIC_KEY=BDcpOP2ThgD13i2ENjnlVXG7QH-m3xuNE4rySx6_NBYQz34UxSM3N4nT7GUxN5zBF-Kehlv0CpqBDDa78QFiS0g=' + - 'SMTP_SERVER=smtp.tweak.nl' + - 'SMTP_PORT=587' + - 'SMTP_LOGIN=' + - 'SMTP_PASSWORD=' + - 'SMTP_FROM_ADDRESS=mastodon@kunis.nl' + - 'LOCAL_DOMAIN=social.pizzapim.nl' + command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" + networks: + - mastodon + - traefik + healthcheck: + test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1'] + volumes: + - type: volume + source: system + target: /mastodon/public/system + volume: + nocopy: true + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.mastodon.entrypoints=websecure + - traefik.http.routers.mastodon.rule=Host(`social.pizzapim.nl`) + - traefik.http.routers.mastodon.tls=true + - traefik.http.routers.mastodon.tls.certresolver=letsencrypt + - traefik.http.services.mastodon.loadbalancer.server.port=3000 + - traefik.http.routers.mastodon.service=mastodon + - traefik.docker.network=traefik + depends_on: + - redis + + streaming: + image: tootsuite/mastodon:v4.1 + command: node ./streaming + environment: + - 'REDIS_HOST=redis' + - 'LOCAL_DOMAIN=social.pizzapim.nl' + - 'DB_HOST=192.168.30.10' + - 'DB_USER=mastodon' + - 'DB_NAME=mastodon' + - 'DB_PASS={{ database_passwords.mastodon }}' + networks: + - mastodon + - traefik + healthcheck: + # prettier-ignore + test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1'] + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.mastodon-streaming.entrypoints=websecure + - "traefik.http.routers.mastodon-streaming.rule=(Host(`social.pizzapim.nl`) && PathPrefix(`/api/v1/streaming`))" + - traefik.http.routers.mastodon-streaming.service=mastodon-streaming + - traefik.http.services.mastodon-streaming.loadbalancer.server.port=4000 + - traefik.http.routers.mastodon-streaming.tls=true + - traefik.http.routers.mastodon-streaming.tls.certresolver=letsencrypt + - traefik.docker.network=traefik + depends_on: + - redis + + sidekiq: + image: tootsuite/mastodon:v4.1 + command: bundle exec sidekiq + environment: + - 'OTP_SECRET={{ otp_secret }}' + - 'SECRET_KEY_BASE={{ secret_key_base }}' + - 'REDIS_HOST=redis' + - 'DB_HOST=192.168.30.10' + - 'DB_USER=mastodon' + - 'DB_NAME=mastodon' + - 'DB_PASS={{ database_passwords.mastodon }}' + networks: + - mastodon + volumes: + - type: volume + source: system + target: /mastodon/public/system + volume: + nocopy: true + healthcheck: + test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"] + depends_on: + - redis diff --git a/legacy/projects/docker_swarm/ansible/roles/mastodon/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/mastodon/tasks/main.yml new file mode 100644 index 0000000..531e13e --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/mastodon/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: mastodon + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/mastodon/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/mastodon/vars/main.yml new file mode 100644 index 0000000..eed2d71 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/mastodon/vars/main.yml @@ -0,0 +1,42 @@ +mastodon_postgres_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34643131323762373635383736636432643161646130373565333432323337646435656233383131 + 3066353734373938353162656335666536323265643162620a663562303636383737393061396331 + 30353538326333393031373736363933666636383866373763303237376561333061323131303062 + 3532316632613062310a343566393237363364613931353062636537663864383839623930383836 + 32613634616335616462336261303632646266326663383166366236643438616538626263343835 + 6539616439636364626466333163316164633631616132623665 +otp_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 33303436663063313039636335623937343530323636346363306234333135306138653337313034 + 3337363432363734353363623738653630373536653433350a356336383235383430613934623937 + 36316638343439376134383635336630313065623138326630303131333136626636386361313661 + 6134613862366463300a313765366136343431343838363230363134613164373931623564626466 + 32623137666364326234383264396336636561313132313930383964656434656535663861343337 + 65316331323335626464626231653236313932663334316134633837646330303563633162373036 + 66326135656531393839343138376666623337616162653137393764306265323065356431343162 + 36373135303339356366356263623334373361326561396562353332323363623738626132303738 + 38383638616363386536386461353465353765366234353862653765376330663661326138626266 + 30633134643632393630323834323538326339373361363235666133303761323261336637663862 + 326633383933663530653230336364653461 +secret_key_base: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 32373731376166613238303535646633326162613137366165643037643966643637316265653832 + 3035393061616431666162373133393666653634386338350a376136653961646239656534336230 + 33366235343365653234333866393965643131306636373566623665646562353234323065393262 + 6264313430333262390a626338333932363137356338636132636133613239633537623064666438 + 32343063653664393530353536643963353364373830303563346163613862653161343165363062 + 61396630353036333634313033663962613930336637323461313731633136366365623732306337 + 37646265613639306133373736353365366461373264356665623236313836633565343764626238 + 38353637613064306162393430323662616231623965643933383339616561353963663366396363 + 33346332343336386266636165616135343732353365336630653334383533633831636138623733 + 34396266643166386130383334666565303865396135613863336261656135343564376537383634 + 353635336365613765363931373636363465 +vapid_private_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 33376430313539346137343237313061653164343861623563656638306539373837393364326235 + 3435396264613533633138346231303137663763323361360a356137306330343939353732356535 + 33396336633966623266396265356435343633373766363637616635326563623130653039343665 + 3465306562306261660a303131666436333137306139366636646232333061383935353263396534 + 63376635393966653636316236316538656361393631626465383233386136313366363531363663 + 3436326431353435653666356266333835303061616436323061 diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2 new file mode 100644 index 0000000..b6adf49 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2 @@ -0,0 +1,132 @@ +# vi: ft=yaml +version: "3.8" + +networks: + traefik: + external: true + grafana: + +configs: + esdatasource: + external: true + name: "{{ esdatasource.config_name }}" + fluentconf: + external: true + name: "{{ fluentconf.config_name }}" + +volumes: + escerts: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/elasticsearch/certs" + esdata: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/elasticsearch/data" + grafanadata: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/grafana/data" + +services: + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:8.8.1 + volumes: + - type: volume + source: escerts + target: /usr/share/elasticsearch/config/certs + volume: + nocopy: true + - type: volume + source: esdata + target: /usr/share/elasticsearch/data + volume: + nocopy: true + ports: + - {{ elasticsearch_port }}:9200 + environment: + - node.name=es01 + - cluster.name=shoarma + - discovery.type=single-node + - bootstrap.memory_lock=true + - xpack.security.enabled=false + - xpack.security.http.ssl.enabled=false + - xpack.security.http.ssl.key=certs/es01/es01.key + - xpack.security.http.ssl.certificate=certs/es01/es01.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.enabled=false + - xpack.security.transport.ssl.key=certs/es01/es01.key + - xpack.security.transport.ssl.certificate=certs/es01/es01.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=basic + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: + [ + "CMD-SHELL", + "curl http://localhost:9200 | grep -q 'You Know, for Search'", + ] + interval: 10s + timeout: 10s + retries: 120 + + grafana: + image: grafana/grafana-oss + depends_on: + - elasticsearch + networks: + - traefik + - grafana + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.grafana.entrypoints=localsecure + - traefik.http.routers.grafana.rule=Host(`grafana.kun.is`) + - traefik.http.routers.grafana.tls=true + - traefik.http.routers.grafana.tls.certresolver=letsencrypt + - traefik.http.routers.grafana.service=grafana + - traefik.http.services.grafana.loadbalancer.server.port=3000 + - traefik.docker.network=traefik + volumes: + - type: volume + source: grafanadata + target: /var/lib/grafana + volume: + nocopy: true + configs: + - source: esdatasource + target: /etc/grafana/provisioning/datasources/elasticsearch.yaml + + grafana-ntfy: + image: kittyandrew/grafana-to-ntfy:master + depends_on: + - grafana + ports: + - 8080:8080 + networks: + grafana: + aliases: + - grafana-ntfy + environment: + - NTFY_URL=https://ntfy.kun.is/alerts + - NTFY_BAUTH_USER=pim + - NTFY_BAUTH_PASS={{ ntfy_password }} + - BAUTH_USER=admin + - BAUTH_PASS=test + + fluentd: + image: git.kun.is/pim/fluentd:1.0.3 + depends_on: + - elasticsearch + ports: + - {{ fluent_forward_port }}:24224 + configs: + - source: fluentconf + target: /fluentd/etc/fluent.conf diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2 new file mode 100644 index 0000000..90fee48 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -0,0 +1,35 @@ +# vi: ft=yaml +apiVersion: 1 + +datasources: + - name: cpu + type: elasticsearch + access: proxy + url: http://maestro.dmz:{{ elasticsearch_port }} + jsonData: + index: 'fluentd.cpu-*' + timeField: '@timestamp' + + - name: memory + type: elasticsearch + access: proxy + url: http://maestro.dmz:{{ elasticsearch_port }} + jsonData: + index: 'fluentd.memory-*' + timeField: '@timestamp' + + - name: diskfree + type: elasticsearch + access: proxy + url: http://maestro.dmz:{{ elasticsearch_port }} + jsonData: + index: 'fluentd.diskfree-*' + timeField: '@timestamp' + + - name: traefik_access + type: elasticsearch + access: proxy + url: http://maestro.dmz:{{ elasticsearch_port }} + jsonData: + index: 'fluentd.access.traefik-*' + timeField: '@timestamp' diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2 b/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2 new file mode 100644 index 0000000..dd030ba --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2 @@ -0,0 +1,35 @@ +# vi: ft=yaml +# Receive events from 24224/tcp +# This is used by log forwarding and the fluent-cat command + + @type forward + port {{ fluent_forward_port }} + + + + @type geoip + geoip_lookup_keys host + backend_library geoip2_c + + latitude ${location.latitude["host"]} + longitude ${location.longitude["host"]} + + skip_adding_null_record true + + + + @type elasticsearch + host maestro.dmz + port {{ elasticsearch_port }} + include_timestamp true + logstash_format true + logstash_prefix fluentd.${tag} + + + + @type null + + + + log_level info + diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml new file mode 100644 index 0000000..191f846 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml @@ -0,0 +1,21 @@ +- name: Create fluentd config + docker_config: + name: fluentconf + data: "{{ lookup('template', '{{ role_path }}/fluent.conf.j2') }}" + use_ssh_client: true + rolling_versions: true + register: fluentconf + +- name: Create elasticsearch data source config + docker_config: + name: esdatasource + data: "{{ lookup('template', '{{ role_path }}/elasticsearch.yml.j2') }}" + use_ssh_client: true + rolling_versions: true + register: esdatasource + +- name: Deploy Docker stack + docker_stack: + name: monitoring + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml new file mode 100644 index 0000000..326b722 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml @@ -0,0 +1,8 @@ +ntfy_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36333232393635383732336630626463633038353862333430396437333733376239343531663339 + 6364643930636566326463393963316263323061613032350a383930376537373437633333623639 + 66613439636531393761366534333134383231303637643063633537393535356536636530666665 + 6537653731666130610a346135373562333931646237396233613065353165623336373935386137 + 36313830623931313238333430346238626562353661616465333736346230396162386137363435 + 3362636565336639643832626165613236643466633537633236 diff --git a/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2 new file mode 100644 index 0000000..6519069 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2 @@ -0,0 +1,40 @@ +# vi: ft=yaml +version: '3.8' + +networks: + traefik: + external: true + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/nextcloud/data" + +services: + nextcloud: + image: nextcloud:27 + volumes: + - type: volume + source: data + target: /var/www/html + volume: + nocopy: true + environment: + - POSTGRES_USER=nextcloud + - POSTGRES_DB=nextcloud + - POSTGRES_PASSWORD={{ database_passwords.nextcloud }} + - POSTGRES_HOST=192.168.30.10 + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.nextcloud.entrypoints=websecure + - traefik.http.routers.nextcloud.rule=Host(`cloud.kun.is`) + - traefik.http.routers.nextcloud.tls=true + - traefik.http.routers.nextcloud.tls.certresolver=letsencrypt + - traefik.http.routers.nextcloud.service=nextcloud + - traefik.http.services.nextcloud.loadbalancer.server.port=80 + - traefik.docker.network=traefik diff --git a/legacy/projects/docker_swarm/ansible/roles/nextcloud/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/nextcloud/tasks/main.yml new file mode 100644 index 0000000..9b3430e --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/nextcloud/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: nextcloud + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2 new file mode 100644 index 0000000..76904a8 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2 @@ -0,0 +1,112 @@ +# vi: ft=yaml +version: '3' +networks: + traefik: + external: true + overleaf: + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/overleaf/data" + redis: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/overleaf/redis" + mongodb: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/overleaf/mongodb" + +services: + sharelatex: + image: sharelatex/sharelatex:3 + networks: + - traefik + - overleaf + depends_on: + - overleaf-mongodb + - overleaf-redis + stop_grace_period: 60s + volumes: + - type: volume + source: data + target: /var/lib/sharelatex + volume: + nocopy: true + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.overleaf.entrypoints=websecure + - traefik.http.routers.overleaf.rule=Host(`latex.kun.is`) + - traefik.http.routers.overleaf.tls=true + - traefik.http.routers.overleaf.tls.certresolver=letsencrypt + - traefik.http.routers.overleaf.service=overleaf + - traefik.http.services.overleaf.loadbalancer.server.port=80 + - traefik.docker.network=traefik + environment: + SHARELATEX_APP_NAME: Overleaf Community Edition + + SHARELATEX_MONGO_URL: mongodb://overleaf-mongodb:27017/sharelatex + + # Same property, unfortunately with different names in + # different locations + SHARELATEX_REDIS_HOST: overleaf-redis + REDIS_HOST: overleaf-redis + + ENABLED_LINKED_FILE_TYPES: 'project_file,project_output_file' + + # Enables Thumbnail generation using ImageMagick + ENABLE_CONVERSIONS: 'true' + + # Disables email confirmation requirement + EMAIL_CONFIRMATION_DISABLED: 'true' + + # temporary fix for LuaLaTex compiles + # see https://github.com/overleaf/overleaf/issues/695 + TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var + + SHARELATEX_SITE_URL: https://latex.kun.is + SHARELATEX_ADMIN_EMAIL: pim@kunis.nl + + SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@kunis.nl" + + SHARELATEX_EMAIL_SMTP_HOST: "smtp.tweak.nl" + SHARELATEX_EMAIL_SMTP_PORT: 587 + SHARELATEX_EMAIL_SMTP_USER: "" + SHARELATEX_EMAIL_SMTP_PASS: "" + + overleaf-mongodb: + image: mongo:4.4 + networks: + - overleaf + expose: + - 27017 + volumes: + - type: volume + source: mongodb + target: /data/db + volume: + nocopy: true + healthcheck: + test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet + interval: 10s + timeout: 10s + retries: 5 + + overleaf-redis: + image: redis:5 + networks: + - overleaf + expose: + - 6379 + volumes: + - type: volume + source: redis + target: /data + volume: + nocopy: true diff --git a/legacy/projects/docker_swarm/ansible/roles/overleaf/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/overleaf/tasks/main.yml new file mode 100644 index 0000000..fc3a917 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/overleaf/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: overleaf + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2 new file mode 100644 index 0000000..9581831 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2 @@ -0,0 +1,57 @@ +# vi: ft=yaml +version: "3.8" + +networks: + traefik: + external: true + pihole: + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/pihole/data" + dnsmasq: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/pihole/dnsmasq" + +services: + pihole: + image: pihole/pihole:latest + ports: + - "53:53/tcp" + - "53:53/udp" + network_mode: "host" + environment: + TZ: 'Europe/Amsterdam' + WEBPASSWORD: {{ pihole_password }} + PIHOLE_DNS_: '192.168.30.1' + volumes: + - type: volume + source: data + target: /etc/pihole + volume: + nocopy: true + - type: volume + source: dnsmasq + target: /etc/dnsmasq.d + volume: + nocopy: true + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.pihole.entrypoints=localsecure + - traefik.http.routers.pihole.rule=Host(`pihole.kun.is`) + - traefik.http.routers.pihole.tls=true + - traefik.http.routers.pihole.tls.certresolver=letsencrypt + - traefik.http.routers.pihole.service=pihole + - traefik.http.services.pihole.loadbalancer.server.port=80 + - traefik.docker.network=traefik + placement: + constraints: + - node.role == manager diff --git a/legacy/projects/docker_swarm/ansible/roles/pihole/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/pihole/tasks/main.yml new file mode 100644 index 0000000..999eb7d --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/pihole/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: pihole + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/pihole/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/pihole/vars/main.yml new file mode 100644 index 0000000..8bb3b29 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/pihole/vars/main.yml @@ -0,0 +1,8 @@ +pihole_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38616134666661363535303137373633613063613731383766303633336533373233363736333263 + 3461336138663861623134633031663631633666393939340a396561643132333665373430343466 + 36626633366232376236383434336166353638653733666566336266373739663236636334373866 + 3261303962613966610a643765613762396335643233383432613737316361386234663365656566 + 30336535326437336437383336393838306161333662346165333262383735616137653766653165 + 3361333436346130376261316133323963393338633838303031 diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2 new file mode 100644 index 0000000..61fba13 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2 @@ -0,0 +1,61 @@ +# vi: ft=yaml +version: '3.7' + +networks: + traefik: + external: true + +configs: + config: + external: true + name: "{{ config.config_name }}" + users: + external: true + name: "{{ users.config_name }}" + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/radicale" + +services: + radicale: + image: tomsquest/docker-radicale + init: true + read_only: true + cap_drop: + - ALL + cap_add: + - SETUID + - SETGID + - CHOWN + - KILL + healthcheck: + test: curl -f http://127.0.0.1:5232 || exit 1 + interval: 30s + retries: 3 + volumes: + - type: volume + source: data + target: /data + volume: + nocopy: true + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.radicale.entrypoints=websecure + - traefik.http.routers.radicale.rule=Host(`dav.kun.is`) + - traefik.http.routers.radicale.tls=true + - traefik.http.routers.radicale.tls.certresolver=letsencrypt + - traefik.http.routers.radicale.service=radicale + - traefik.http.services.radicale.loadbalancer.server.port=5232 + - traefik.docker.network=traefik + configs: + - source: config + target: /config/config + - source: users + target: /config/users diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/radicale.conf b/legacy/projects/docker_swarm/ansible/roles/radicale/radicale.conf new file mode 100644 index 0000000..eb9df16 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/radicale/radicale.conf @@ -0,0 +1,24 @@ +[server] +hosts = 0.0.0.0:5232, [::]:5232 +ssl = False + +[encoding] +request = utf-8 +stock = utf-8 + +[auth] +realm = Radicale - Password Required +type = htpasswd +htpasswd_filename = /config/users +htpasswd_encryption = md5 + +[rights] +type = owner_only + +[storage] +type = multifilesystem +filesystem_folder = /data + +[logging] + +[headers] diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/radicale/tasks/main.yml new file mode 100644 index 0000000..eb07f13 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/radicale/tasks/main.yml @@ -0,0 +1,21 @@ +- name: Create radicale config + docker_config: + name: radicale_config + data: "{{ lookup('file', '{{ role_path }}/radicale.conf') }}" + use_ssh_client: true + rolling_versions: true + register: config + +- name: Create radicale users + docker_config: + name: radicale_users + data: "{{ lookup('file', '{{ role_path }}/users') }}" + use_ssh_client: true + rolling_versions: true + register: users + +- name: Deploy Docker stack + docker_stack: + name: radicale + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/users b/legacy/projects/docker_swarm/ansible/roles/radicale/users new file mode 100644 index 0000000..edbdb46 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/radicale/users @@ -0,0 +1 @@ +pim:$apr1$GUiTihkS$dDCkaUxFx/O86m6NCy/yQ. diff --git a/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2 new file mode 100644 index 0000000..b510050 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2 @@ -0,0 +1,73 @@ +# vi: ft=yaml +version: '3' + +networks: + traefik: + external: true + seafile: + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/seafile/data" + db: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/seafile/db" + +services: + db: + image: mariadb:10.5 + environment: + - MYSQL_ROOT_PASSWORD={{ db_root_passwd }} + - MYSQL_LOG_CONSOLE=true + volumes: + - type: volume + source: db + target: /var/lib/mysql + volume: + nocopy: true + networks: + - seafile + + memcached: + image: memcached:1.6 + entrypoint: memcached -m 256 + networks: + - seafile + + seafile: + image: seafileltd/seafile-mc:9.0.10 + volumes: + - type: volume + source: data + target: /shared + volume: + nocopy: true + environment: + - DB_HOST=db + - DB_ROOT_PASSWD={{ db_root_passwd }} + - TIME_ZONE=Europe/Amsterdam + - SEAFILE_ADMIN_EMAIL={{ seafile_admin_email }} + - SEAFILE_ADMIN_PASSWORD={{ seafile_admin_password }} + - SEAFILE_SERVER_LETSENCRYPT=false + - SEAFILE_SERVER_HOSTNAME={{ seafile_domain }} + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.seafile.entrypoints=websecure + - traefik.http.routers.seafile.rule=Host(`{{ seafile_domain }}`) + - traefik.http.routers.seafile.tls=true + - traefik.http.routers.seafile.tls.certresolver=letsencrypt + - traefik.http.services.seafile.loadbalancer.server.port=80 + - traefik.http.routers.seafile.service=seafile + - traefik.docker.network=traefik + depends_on: + - db + - memcached + networks: + - traefik + - seafile diff --git a/legacy/projects/docker_swarm/ansible/roles/seafile/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/seafile/tasks/main.yml new file mode 100644 index 0000000..c63c02d --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/seafile/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: seafile + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/seafile/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/seafile/vars/main.yml new file mode 100644 index 0000000..3245d42 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/seafile/vars/main.yml @@ -0,0 +1,18 @@ +db_root_passwd: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62376163363033396161363264613836623734623835316439666331356464636633393237313236 + 3731383961393939366165393537663435356166643966650a353132616166353630333733636639 + 63616163346566336461313264326562393964643661613831316233326165623463613865636637 + 6363363331333430320a366661356232393036383765353066623334656133313661636130666238 + 32336561323431303730373262343534326539383932613533623232376330646230363363636135 + 3266336663623037663838643936366437663831356634333930 +seafile_admin_email: niels@kunis.nl +seafile_admin_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34366163396632343065636232363435633039373236363461383563363162626561653763383438 + 3263393539663030363532353238633262616339343436370a613631323064303637623266653832 + 64323834356664316265376132633863666136316239623862643962366637306238343933386134 + 6237396238383232360a386637303639646136653134643737393735383661626539386134643333 + 35313536323963303734353338636162666236343430623062373464653531353230366238326231 + 6661363038393534373861643261383561386536613337396539 +seafile_domain: files.geokunis2.nl diff --git a/legacy/projects/docker_swarm/ansible/roles/shephard/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/shephard/docker-stack.yml.j2 new file mode 100644 index 0000000..2ac91e8 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/shephard/docker-stack.yml.j2 @@ -0,0 +1,60 @@ +# vi: ft=yaml +version: "3" + +networks: + shephard: + +services: + app: + image: mazzolino/shepherd + networks: + - shephard + environment: + TZ: 'Europe/Amsterdam' + FILTER_SERVICES: '' + IGNORELIST_SERVICES: "" + RUN_ONCE_AND_EXIT: "true" + APPRISE_SIDECAR_URL: apprise:5000 + volumes: + - type: bind + source: /var/run/docker.sock + target: /var/run/docker.sock + read_only: true + deploy: + replicas: 0 + restart_policy: + condition: none + labels: + - swarm.cronjob.enable=true + - "swarm.cronjob.schedule=0 2 * * *" + - swarm.cronjob.skip-running=true + placement: + constraints: + - node.role == manager + + scheduler: + image: crazymax/swarm-cronjob:latest + volumes: + - type: bind + source: /var/run/docker.sock + target: /var/run/docker.sock + read_only: true + environment: + - "TZ=Europe/Amsterdam" + - "LOG_LEVEL=info" + - "LOG_JSON=false" + deploy: + placement: + constraints: + - node.role == manager + + apprise: + image: mazzolino/apprise-microservice:0.1 + environment: + NOTIFICATION_URLS: {{ apprise_urls }} + networks: + - shephard + deploy: + placement: + constraints: + - node.role == manager diff --git a/legacy/projects/docker_swarm/ansible/roles/shephard/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/shephard/tasks/main.yml new file mode 100644 index 0000000..41bf642 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/shephard/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: shephard + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/shephard/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/shephard/vars/main.yml new file mode 100644 index 0000000..f02cab7 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/shephard/vars/main.yml @@ -0,0 +1 @@ +apprise_urls: "apprises://apprise.kun.is:444/shephard" diff --git a/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/docker-stack.yml.j2 new file mode 100644 index 0000000..217376d --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/docker-stack.yml.j2 @@ -0,0 +1,31 @@ +# vi: ft=yaml +version: "3" + +networks: + traefik: + external: true + +services: + swarm-dashboard: + image: charypar/swarm-dashboard + volumes: + - type: bind + source: /var/run/docker.sock + target: /var/run/docker.sock + environment: + PORT: 80 + networks: + - traefik + deploy: + placement: + constraints: + - node.role == manager + labels: + - traefik.enable=true + - traefik.http.routers.swarm-dashboard.entrypoints=localsecure + - traefik.http.routers.swarm-dashboard.rule=Host(`swarm.kun.is`) + - traefik.http.routers.swarm-dashboard.tls=true + - traefik.http.routers.swarm-dashboard.tls.certresolver=letsencrypt + - traefik.http.routers.swarm-dashboard.service=swarm-dashboard + - traefik.http.services.swarm-dashboard.loadbalancer.server.port=80 + - traefik.docker.network=traefik diff --git a/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/tasks/main.yml new file mode 100644 index 0000000..bb1f97c --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/swarm_dashboard/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: swarm_dashboard + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/cert.pem b/legacy/projects/docker_swarm/ansible/roles/syncthing/cert.pem new file mode 100644 index 0000000..eeb08f2 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/cert.pem @@ -0,0 +1,45 @@ +$ANSIBLE_VAULT;1.1;AES256 +37326262373466303939623263623234616338316165316466656131326339306233303834396263 +3139663539356264323038306635363934363364653437350a666438396563643339353765306131 +39653434373966346166323938666364323562313334323262643666373463623536363635643163 +3430353230326634320a643532663765663632623031313463653765643134313538633131613663 +64393533636138323833343630363639656539376163353239313231646662316532666631623734 +31343364393363623164336339303631366162376131613736636131396165663835653433303134 +62323265633039633865326366613366653435653261633662613737353463633663383635303562 +39303933343139363132393035336332363438656333646136333330326533623763393263663563 +36343038393264383639346436316134386531383338386461363538613135663863363434623339 +31373236353337653838396333643638343232653066313662393165343062396137326630646430 +31646566356565386532626433383163643635643930326164353766323263616665636435323339 +38373837393035343737356134373831303831316464666637333231343434316632316464356564 +31613464633761306330303637386230333430396665383262333530336137336236623838326333 +30393861666439623536336231616563303764646563393065353432313965343330633463313564 +66373539373265353765636438393633613839393830366135323139666533393165653736666335 +35303736623534653635343636383662316134376332393239633262363939396263363264616637 +35396261346264373930396462393638316335363833333132393061633337626331323439363131 +39306264386133316137633039366638356130616438373433333635666231366136613363626133 +31316230336534616430633232623430666234643836636338613730356335623434373433643935 +62623266313834353163623439616533623135396134346164373363643364373939396163363837 +36313432393965653664633231393564323936323933313565323337346333313233396666626361 +65383031326630313263343862653063613839373131643265656237623232663761383665333939 +33376531623665653037333563333034363363333435343439663761633734616461353961323434 +66643833353539623265616262383265396237636631346433386638643436383230333438653462 +37383235316634353262316436653163316164356261353663663565396630613434396231353538 +38633330326266303838346365663839646163623264633934363938666234393131356138656439 +31333161643136633836343262326136393964393635623634316532393837376162383835303435 +30643339356434386264643163316165396534373064346334636132316230346437363665636563 +38333835306666626637386562306433373031366136616635623765393630383939353335393930 +61663832383239643363626137343661366436653864643339316537383738323335333866633537 +39316339383239323131653232633833363536313431643364313937633037336564386339383433 +38303939303835386263633430383061336436383062663462353762376666613530313663623261 +66616266373136326433363338303365653230663763636630353034383832633239383932616365 +37373236396631623866656330623632313538326330626363316262653566383633666531383738 +34353830373137343236343765393665356534356238353861326165303939363236626130626363 +64623164383866393630656232373164343163363433643835396236363132346235356134613564 +66383364623962316564373564363631356234386535653465633864313365396438356235313163 +35633366663836666337653537336334353935323364306635383238373664613530353365323366 +31373831383336336237633064313938393637636231356165656631386132313734333439643733 +62666435363535303530323866623139653138643831623838316432366539316236306133393764 +63386133333832356365396137623332643539633236343762353138386434303632373932336139 +39396364653864316435356434383761306238633164643939363864356362633135623438363861 +64626339663931383133383862313031383638653266306539643061316238616266656136656530 +63666239303034396133 diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/config.xml.j2 b/legacy/projects/docker_swarm/ansible/roles/syncthing/config.xml.j2 new file mode 100644 index 0000000..1920a68 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/config.xml.j2 @@ -0,0 +1,189 @@ + + {% for folder in st.folders %} + + basic + {% for device in folder.devices %} + + + + {% endfor %} + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + 1024 + 4096 + + + {% endfor %} + {% for peer in st.peers %} + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 + + {% endfor %} + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 + + +
{{ st.gui.address }}
+ {{ st.gui.user }} + {{ st.gui.password }} + {{ st.gui.apikey }} + {{ st.gui.theme }} + + + + default + default + true + true + 21027 + [ff12::8384]:21027 + 0 + 0 + 60 + true + 10 + true + true + 60 + 30 + 10 + 3 + 3 + + https://data.syncthing.net/newdata + false + 1800 + 12 + false + 24 + false + 5 + false + 1 + https://upgrades.syncthing.net/meta.json + false + 10 + 0 + true + 0 + https://crash.syncthing.net/newcrash + true + 180 + 20 + default + auto + 0 + true + false + 0 + 0 + false + 10 + 20 + 30 + 40 + 50 + 0 + + + + basic + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + 1024 + 4096 + + + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 + + + + diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2 new file mode 100644 index 0000000..6701dd2 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2 @@ -0,0 +1,62 @@ +# vi: ft=yaml +version: "3" + +networks: + traefik: + external: true + +configs: + config: + external: true + name: "{{ config.config_name }}" + private_key: + external: true + name: "{{ key.config_name }}" + certificate: + external: true + name: "{{ cert.config_name }}" + +volumes: + nextcloud_data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/nextcloud/data" + +services: + syncthing: + image: lscr.io/linuxserver/syncthing:1.23.6 + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.docker.network=traefik + + - traefik.http.routers.syncthing.entrypoints=localsecure + - traefik.http.routers.syncthing.rule=Host(`sync.kun.is`) + - traefik.http.routers.syncthing.service=syncthing + - traefik.http.routers.syncthing.tls=true + - traefik.http.routers.syncthing.tls.certresolver=letsencrypt + - traefik.http.services.syncthing.loadbalancer.server.port=8384 + environment: + - PUID=33 + - PGID=33 + - TZ=Europe/Amsterdam + volumes: + - type: volume + source: nextcloud_data + target: /data + volume: + nocopy: true + configs: + - source: config + target: /config/config.xml + - source: private_key + target: /config/key.pem + uid: '33' + gid: '33' + - source: certificate + target: /config/cert.pem + uid: '33' + gid: '33' diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/key.pem b/legacy/projects/docker_swarm/ansible/roles/syncthing/key.pem new file mode 100644 index 0000000..d858202 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/key.pem @@ -0,0 +1,20 @@ +$ANSIBLE_VAULT;1.1;AES256 +31373963666334633437386361353532396162653439373964333935643065383836383537336238 +3065306235363835343330393366326630383163633664300a653635653932663566376165623030 +33666262643032383764343134326439363536353439363134353432373263316164373139633838 +6336363735333862360a386235366434656336333762343330633030613437626262353934636163 +38376431343934373637343631373962653262613766393561383631303563383935616630663833 +62363533616235303834376233663033373531666632313237303661653265613061373131646266 +31643839386134383934623632336538386462626261613039306432366564616162366435363331 +34663464386630373134346264386334376334336363623137363831326338323234373662653932 +33373331663065336230313731303139653036646261643535393662633165356632306536393530 +30363066373064353936313461663235386465323734636263323063333365633066633736336436 +38623966353634356636343833653131646131633536383339663433306130386461303735323632 +64646465373533306266353932653561623363396137383532373734653462346239646562353136 +64313539383566663939663734333565643637376239383337363066373639613934303633343762 +37646565666635363231396139326536356533343065333731656363613731333136636561376430 +35356432373537363034653231636465303135363534323766333530353433663462653837643162 +39616664636464343435643039646362336634333561356438386262653231323033343662383138 +66633534336232663438666632373966613335396639383836666333656235376339343538313838 +39356165323361386535306664643537363764393365363639366637343332306537653962396339 +323030323036393662646636303330666561 diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/syncthing/tasks/main.yml new file mode 100644 index 0000000..af3b970 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/tasks/main.yml @@ -0,0 +1,29 @@ +- name: Create cert.pem config + docker_config: + name: syncthing_cert + data: "{{ lookup('file', '{{ role_path }}/cert.pem') }}" + use_ssh_client: true + rolling_versions: true + register: cert + +- name: Create key.pem config + docker_config: + name: syncthing_key + data: "{{ lookup('file', '{{ role_path }}/key.pem') }}" + use_ssh_client: true + rolling_versions: true + register: key + +- name: Create config.xml config + docker_config: + name: syncthing_config + data: "{{ lookup('template', '{{ role_path }}/config.xml.j2') }}" + use_ssh_client: true + rolling_versions: true + register: config + +- name: Deploy Docker stack + docker_stack: + name: syncthing + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/vars/main.yml b/legacy/projects/docker_swarm/ansible/roles/syncthing/vars/main.yml new file mode 100644 index 0000000..1e1abcb --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/vars/main.yml @@ -0,0 +1,34 @@ +st: + server: + id: "IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC" + name: "dd219859eab5" + gui: + address: "127.0.0.1:8384" + user: pim + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66383234373561373935313863393338623331393233626635653637383734623539376633326561 + 3464633966383864306131383334633633356363636163300a393562383730613934613439663431 + 63653465316130626232663132626466643164313830613933363535336634313164386162643839 + 6235303662633931390a313230363636656639653531636131333862356363663535313133663138 + 38356566656161646636313766353937373433663631636265303464633437303464396537663264 + 66326530313661636264336634613633316462343034386134636365383736636436613065323236 + 323933363666353232393635376136363239 + apikey: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 31633162323338303133353838613336623961626635623165626335353263336130393166666535 + 3763336662326336333436333635656230393838366163660a393737303132373466633265306433 + 66336636666132373235646638653130633263343532353831653533656538663038326463306232 + 3132646634376166620a663339346239643561616362333036633363396263323761663134373630 + 30613730373131636262636266623363663561363863323938613832393864396633656664356534 + 3563626633643766643339316132383434303538636666623934 + theme: default + peers: + - id: "B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ" + name: "Pixel 4a" + folders: + - id: "rthas-wdjsw" + label: "pim" + path: "/data/data/pim/files" + devices: + - "B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ" diff --git a/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2 new file mode 100644 index 0000000..a865683 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2 @@ -0,0 +1,135 @@ +# vi: ft=yaml +version: "3.7" + +networks: + traefik: + external: true + +configs: + services: + external: true + name: "{{ services.config_name }}" + +volumes: + acme: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/traefik/acme" + +services: + traefik: + image: traefik:3.0.0-beta2 + networks: + - traefik + ports: + - mode: host + protocol: tcp + published: 443 + target: 443 + - mode: host + protocol: tcp + published: 80 + target: 80 + - mode: host + protocol: tcp + published: 444 + target: 444 + deploy: + placement: + constraints: + - node.role == manager + labels: + - traefik.enable=true + - traefik.http.routers.dashboard.entrypoints=localsecure + - traefik.http.routers.dashboard.rule=Host(`traefik.kun.is`) + - traefik.http.routers.dashboard.service=api@internal + - traefik.http.services.dashboard.loadbalancer.server.port=8080 + - traefik.http.routers.dashboard.tls=true + - traefik.http.routers.dashboard.tls.certresolver=letsencrypt + - traefik.docker.network=traefik + + - traefik.http.routers.esrom.entrypoints=websecure + - traefik.http.routers.esrom.service=esrom@file + - traefik.http.routers.esrom.rule=Host(`geokunis2.nl`) + - traefik.http.routers.esrom.tls=true + - traefik.http.routers.esrom.tls.certresolver=letsencrypt + + - traefik.http.routers.uptime.entrypoints=localsecure + - traefik.http.routers.uptime.rule=Host(`uptime.kun.is`) + - traefik.http.routers.uptime.service=uptime@file + - traefik.http.routers.uptime.tls=true + - traefik.http.routers.uptime.tls.certresolver=letsencrypt + + - traefik.http.routers.ntfy.entrypoints=websecure + - traefik.http.routers.ntfy.rule=Host(`ntfy.kun.is`) + - traefik.http.routers.ntfy.service=ntfy@file + - traefik.http.routers.ntfy.tls=true + - traefik.http.routers.ntfy.tls.certresolver=letsencrypt + + - traefik.http.routers.apprise.entrypoints=localsecure + - traefik.http.routers.apprise.rule=Host(`apprise.kun.is`) + - traefik.http.routers.apprise.service=apprise@file + - traefik.http.routers.apprise.tls=true + - traefik.http.routers.apprise.tls.certresolver=letsencrypt + + - traefik.http.routers.concourse.entrypoints=websecure + - traefik.http.routers.concourse.rule=Host(`ci.kun.is`) + - traefik.http.routers.concourse.service=concourse@file + - traefik.http.routers.concourse.tls=true + - traefik.http.routers.concourse.tls.certresolver=letsencrypt + + - traefik.http.routers.discourse.entrypoints=websecure + - traefik.http.routers.discourse.rule=Host(`tuindersweijde.geokunis2.nl`) + - traefik.http.routers.discourse.service=discourse@file + - traefik.http.routers.discourse.tls=true + - traefik.http.routers.discourse.tls.certresolver=letsencrypt + volumes: + - type: bind + source: /var/run/docker.sock + target: /var/run/docker.sock + - type: volume + source: acme + target: /acme + volume: + nocopy: true + configs: + - source: services + target: /etc/traefik/services.yml + command: + - --providers.docker + - --providers.docker.swarmmode + - --providers.docker.watch + - --providers.docker.exposedbydefault=false + + - --providers.file.filename=/etc/traefik/services.yml + + - --api + - --api.insecure=false + - --api.dashboard=true + + - --entrypoints.web.address=:80 + - --entrypoints.web.http.redirections.entrypoint=true + - --entrypoints.web.http.redirections.entrypoint.to=websecure + - --entrypoints.web.http.redirections.entrypoint.scheme=https + - --entrypoints.web.http.redirections.entrypoint.permanent=true + + - --entrypoints.websecure.address=:443 + + - --entrypoints.localsecure.address=:444 + + - --certificatesresolvers.letsencrypt.acme=true + - --certificatesresolvers.letsencrypt.acme.email=pim@kunis.nl + - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json + - --certificatesresolvers.letsencrypt.acme.httpchallenge=true + - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web + + - --serversTransport.insecureSkipVerify=true + + - --accesslog=true + - --accesslog.fields.defaultmode=keep + - --accesslog.fields.names.ClientUsername=drop + - --accesslog.fields.headers.defaultmode=keep + - --accesslog.fields.headers.names.User-Agent=keep + - --accesslog.fields.headers.names.Authorization=drop + - --accesslog.fields.headers.names.Content-Type=keep diff --git a/legacy/projects/docker_swarm/ansible/roles/traefik/services.yml b/legacy/projects/docker_swarm/ansible/roles/traefik/services.yml new file mode 100644 index 0000000..648519a --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/traefik/services.yml @@ -0,0 +1,26 @@ +http: + services: + esrom: + loadBalancer: + servers: + - url: http://esrom.dmz:80/ + uptime: + loadBalancer: + servers: + - url: http://iris.dmz:3001 + ntfy: + loadBalancer: + servers: + - url: http://iris.dmz:3002 + apprise: + loadBalancer: + servers: + - url: http://iris.dmz:3003 + concourse: + loadBalancer: + servers: + - url: http://concourse.dmz:3000 + discourse: + loadBalancer: + servers: + - url: http://forum.dmz:80 diff --git a/legacy/projects/docker_swarm/ansible/roles/traefik/tasks/main.yml b/legacy/projects/docker_swarm/ansible/roles/traefik/tasks/main.yml new file mode 100644 index 0000000..462bf49 --- /dev/null +++ b/legacy/projects/docker_swarm/ansible/roles/traefik/tasks/main.yml @@ -0,0 +1,18 @@ +- name: Create Traefik network + docker_network: + name: traefik + driver: overlay + +- name: Create Docker config + docker_config: + name: traefik_services + data: "{{ lookup('file', '{{ role_path }}/services.yml') }}" + use_ssh_client: true + rolling_versions: true + register: services + +- name: Deploy Docker stack + docker_stack: + name: traefik + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" diff --git a/legacy/projects/docker_swarm/main.tf b/legacy/projects/docker_swarm/vm/main.tf similarity index 84% rename from legacy/projects/docker_swarm/main.tf rename to legacy/projects/docker_swarm/vm/main.tf index 7dfc05c..02b1002 100644 --- a/legacy/projects/docker_swarm/main.tf +++ b/legacy/projects/docker_swarm/vm/main.tf @@ -24,14 +24,14 @@ provider "libvirt" { } module "setup_jefke" { - source = "../../terraform_modules/setup" + source = "../../../terraform_modules/setup" providers = { libvirt = libvirt.jefke } } module "bancomart" { - source = "../../terraform_modules/debian" + source = "../../../terraform_modules/debian" name = "bancomart" ram = 4096 storage = 25 @@ -41,14 +41,14 @@ module "bancomart" { } module "setup_atlas" { - source = "../../terraform_modules/setup" + source = "../../../terraform_modules/setup" providers = { libvirt = libvirt.atlas } } module "maestro" { - source = "../../terraform_modules/debian" + source = "../../../terraform_modules/debian" name = "maestro" ram = 8192 storage = 35 diff --git a/legacy/projects/hermes/vm/main.tf b/legacy/projects/hermes/vm/main.tf index ba4b00f..a77bfd8 100644 --- a/legacy/projects/hermes/vm/main.tf +++ b/legacy/projects/hermes/vm/main.tf @@ -19,7 +19,7 @@ provider "libvirt" { } module "hermes" { - source = "../../terraform_modules/debian" + source = "../../../terraform_modules/debian" name = "hermes" ram = 1024 storage = 25 diff --git a/legacy/projects/thecloud/ansible/ansible.cfg b/legacy/projects/thecloud/ansible/ansible.cfg new file mode 100644 index 0000000..1cf41a8 --- /dev/null +++ b/legacy/projects/thecloud/ansible/ansible.cfg @@ -0,0 +1,8 @@ +[defaults] +roles_path=~/.ansible/roles:roles:/usr/share/ansible/roles:/etc/ansible/roles +inventory=inventory +vault_password_file=$HOME/.config/home/ansible-vault-secret +interpreter_python=/usr/bin/python3 + +[diff] +always = True diff --git a/legacy/projects/thecloud/ansible/inventory/host_vars/thecloud.yml b/legacy/projects/thecloud/ansible/inventory/host_vars/thecloud.yml new file mode 100644 index 0000000..04c7e52 --- /dev/null +++ b/legacy/projects/thecloud/ansible/inventory/host_vars/thecloud.yml @@ -0,0 +1,19 @@ +apt_install_packages: + - postgresql + - python3-psycopg2 + - nfs-kernel-server + - qemu-guest-agent + +nfs_exports: [] + +redis_bind_interface: 0.0.0.0 +redis_requirepass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 37323965303638333264653936616563323235363463396330363836653865393835346263383838 + 3030386166316365633538353539623066626434313332390a616131303434373264633934356361 + 30356335643638656433326230363462373533396533366261346630353163353137333865303132 + 3536636165366631310a643538353331366130663464386565343331653031333061333330613532 + 34663932653734336239303536323331396435386332666133343033373566386562326136656330 + 63393766353063646361643565323238376334333637363232626139333664643065613237666532 + 31623032613763303136353232323837376637336431306534306336356165363039666634336433 + 30376464323862373833 diff --git a/legacy/projects/thecloud/ansible/inventory/hosts.yml b/legacy/projects/thecloud/ansible/inventory/hosts.yml new file mode 100644 index 0000000..19e626d --- /dev/null +++ b/legacy/projects/thecloud/ansible/inventory/hosts.yml @@ -0,0 +1,5 @@ +all: + hosts: + thecloud: + ansible_user: root + ansible_host: thecloud.dmz diff --git a/legacy/projects/thecloud/ansible/requirements.yml b/legacy/projects/thecloud/ansible/requirements.yml new file mode 100644 index 0000000..866196a --- /dev/null +++ b/legacy/projects/thecloud/ansible/requirements.yml @@ -0,0 +1,6 @@ +- name: apt + src: https://github.com/sunscrapers/ansible-role-apt.git + scm: git +- name: cloudinit_wait + src: https://git.kun.is/pim/ansible-role-cloudinit-wait + scm: git diff --git a/legacy/projects/thecloud/ansible/roles/postgresql/handlers/main.yml b/legacy/projects/thecloud/ansible/roles/postgresql/handlers/main.yml new file mode 100644 index 0000000..a09812e --- /dev/null +++ b/legacy/projects/thecloud/ansible/roles/postgresql/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart postgres + systemd: + name: postgresql + state: restarted diff --git a/legacy/projects/thecloud/ansible/roles/postgresql/tasks/main.yml b/legacy/projects/thecloud/ansible/roles/postgresql/tasks/main.yml new file mode 100644 index 0000000..d3e811e --- /dev/null +++ b/legacy/projects/thecloud/ansible/roles/postgresql/tasks/main.yml @@ -0,0 +1,15 @@ +- name: Open postgres port + ini_file: + path: /etc/postgresql/15/main/postgresql.conf + section: null + option: listen_addresses + value: "'*'" + notify: restart postgres + +- name: Change data directory + ini_file: + path: /etc/postgresql/15/main/postgresql.conf + section: null + option: data_directory + value: "'/mnt/data/postgresql'" + notify: restart postgres diff --git a/legacy/projects/thecloud/ansible/thecloud.yml b/legacy/projects/thecloud/ansible/thecloud.yml new file mode 100644 index 0000000..f019457 --- /dev/null +++ b/legacy/projects/thecloud/ansible/thecloud.yml @@ -0,0 +1,31 @@ +--- +- name: Wait for Cloud-Init to finish + hosts: all + gather_facts: no + roles: + - cloudinit_wait + +- name: Setup NFS + hosts: thecloud + + roles: + - {role: apt, tags: apt} + - {role: postgresql, tags: postgresql} + + post_tasks: + - name: Ensure NFS exports directory exists + file: + path: /etc/exports.d + state: directory + + - name: Start NFS + systemd: + name: nfs-kernel-server + state: started + enabled: true + + - name: Enable Qemu guest agent + systemd: + name: qemu-guest-agent + state: started + enabled: true diff --git a/legacy/projects/thecloud/data/main.tf b/legacy/projects/thecloud/data/main.tf new file mode 100644 index 0000000..cf09328 --- /dev/null +++ b/legacy/projects/thecloud/data/main.tf @@ -0,0 +1,32 @@ +terraform { + backend "pg" { + schema_name = "thecloud-data" + conn_str = "postgresql://terraform@jefke.hyp/terraformstates" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040 + } + } +} + +# https://libvirt.org/uri.html#libssh-and-libssh2-transport +provider "libvirt" { + uri = "qemu+ssh://root@lewis.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts" +} + +module "data_pool" { + source = "../../../terraform_modules/setup/data" +} + +resource "libvirt_volume" "data" { + name = "thecloud-data.qcow2" + pool = "data" + size = 1024 * 1024 * 1024 * 150 +} + +output "data_disk_id" { + value = libvirt_volume.data.id +} diff --git a/legacy/projects/thecloud/vm/main.tf b/legacy/projects/thecloud/vm/main.tf new file mode 100644 index 0000000..25307cb --- /dev/null +++ b/legacy/projects/thecloud/vm/main.tf @@ -0,0 +1,40 @@ +terraform { + backend "pg" { + schema_name = "thecloud" + conn_str = "postgresql://terraform@jefke.hyp/terraformstates" + } + + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040 + } + } +} + +# https://libvirt.org/uri.html#libssh-and-libssh2-transport +provider "libvirt" { + alias = "lewis" + uri = "qemu+ssh://root@lewis.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts" +} + +module "setup_lewis" { + source = "../../../terraform_modules/setup" + providers = { + libvirt = libvirt.lewis + } +} + +module "thecloud" { + source = "../../../terraform_modules/debian" + name = "thecloud" + ram = 1024 + storage = 25 + mac = "CA:FE:C0:FF:EE:0A" + data_disk = "/mnt/data/volumes/thecloud-data.qcow2" + providers = { + libvirt = libvirt.lewis + } + + depends_on = [ module.setup_lewis ] +} diff --git a/legacy/terraform_modules/README.md b/legacy/terraform_modules/README.md index 70e2b7d..8d90a18 100644 --- a/legacy/terraform_modules/README.md +++ b/legacy/terraform_modules/README.md @@ -4,4 +4,4 @@ Terraform modules we use for the virtual machines in our home network. These are all personalized and probably of little use outside our network. The modules are currently: - `debian`: Personalized Debian VM using Terraform's `libvirt` provider -- `invariants`: Invariants for our home network we use in multiple places. +- `setup`: Prepares the physical machine with required libvirt pools and other prerequisites. diff --git a/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl b/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl index 1df897e..6523220 100644 --- a/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl +++ b/legacy/terraform_modules/debian/files/cloud_init.cfg.tftpl @@ -13,7 +13,21 @@ ssh_authorized_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" -ssh_pwauth: false +%{ if data_disk != null } +device_aliases: + data: /dev/vdb +disk_setup: + data: + table_type: 'gpt' + layout: true + overwrite: false +fs_type: + - label: 'data' + filesystem: 'ext4' + overwrite: false +mounts: + - ["data.1", "/mnt/data"] +%{ endif } # TODO: Do we need this? runcmd: diff --git a/legacy/terraform_modules/debian/main.tf b/legacy/terraform_modules/debian/main.tf index fd8597c..c806519 100644 --- a/legacy/terraform_modules/debian/main.tf +++ b/legacy/terraform_modules/debian/main.tf @@ -25,6 +25,7 @@ resource "libvirt_cloudinit_disk" "main" { pool = "cloudinit" user_data = templatefile("${path.module}/files/cloud_init.cfg.tftpl", { hostname = var.name + data_disk = var.data_disk }) network_config = templatefile("${path.module}/files/network_config.cfg.tftpl", { static_ip = var.static_ip @@ -41,6 +42,14 @@ resource "libvirt_domain" "main" { volume_id = libvirt_volume.os.id } + dynamic "disk" { + for_each = var.data_disk != null ? [1] : [] + + content { + volume_id = var.data_disk + } + } + network_interface { bridge = "bridgedmz" hostname = var.name diff --git a/legacy/terraform_modules/debian/variables.tf b/legacy/terraform_modules/debian/variables.tf index db7ab43..23cc02d 100644 --- a/legacy/terraform_modules/debian/variables.tf +++ b/legacy/terraform_modules/debian/variables.tf @@ -22,3 +22,8 @@ variable "static_ip" { type = string default = null } + +variable "data_disk" { + type = string + default = null +} diff --git a/legacy/terraform_modules/setup/data/main.tf b/legacy/terraform_modules/setup/data/main.tf new file mode 100644 index 0000000..974029d --- /dev/null +++ b/legacy/terraform_modules/setup/data/main.tf @@ -0,0 +1,13 @@ +terraform { + required_providers { + libvirt = { + source = "dmacvicar/libvirt" + } + } +} + +resource "libvirt_pool" "data" { + name = "data" + type = "dir" + path = "/mnt/data/volumes" +} diff --git a/machines/default.nix b/machines/default.nix index 36e9fe5..ece24b4 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -32,23 +32,23 @@ }; }; - # lewis = { - # name = "lewis"; - # hostName = "lewis.hyp"; + lewis = { + name = "lewis"; + hostName = "lewis.hyp"; - # nixosModule.custom = { - # disko.osDiskDevice = "/dev/sda"; + nixosModule.custom = { + disko.osDiskDevice = "/dev/sda"; - # dataDisk = { - # enable = true; - # devicePath = "/dev/nvme0n1p1"; - # }; + dataDisk = { + enable = true; + devicePath = "/dev/nvme0n1p1"; + }; - # ssh = { - # useCertificates = true; - # hostCert = builtins.readFile ./atlas_host_ed25519-cert.pub; - # userCert = builtins.readFile ./atlas_user_ed25519-cert.pub; - # }; - # }; - # }; + ssh = { + useCertificates = true; + hostCert = builtins.readFile ./lewis_host_ed25519-cert.pub; + userCert = builtins.readFile ./lewis_user_ed25519-cert.pub; + }; + }; + }; } diff --git a/secrets/lewis_host_ed25519.age b/secrets/lewis_host_ed25519.age new file mode 100644 index 0000000000000000000000000000000000000000..78333f6853e4441cca297db9d0069f4bb0c6aa9a GIT binary patch literal 611 zcmV-p0-XI}XJsvAZewzJaCB*JZZ2VMkGPV{l|eMp;WUS9)hycv4h#P*pE_VOnc-V_IZ0aA#IYXH^PSdSY&GHZo5& zGhu5nIAJR=Qg<>!N=Y_$aW_d!I4?OlWj8ZPYDQT?PG<@&EiE8!RzzhqZDvt9VsSZb zY+`D1L1a~MMR+qXT2xm?I5#;@No-=mGF@-fy3M=<10bTA=;E;m+%4y&M=rc zOEJa}7Wiae^sclS+(>di5?GVmD%F-Sx^yM|9gAMOP@oheUG_VVvl(Y+J9x`8`Ed5w zgvR1Xd02v$W_7h-DdryhkfcBYnxLJfCfXl(jpqsE$2EY|CN#W1!0CS}(4=em6EymV zAG(&b+04!NE=@?@#cbZoL@d!IycDV$%b<`all{gX*A6TGFIXmx2R@`&zz0^p4SOAl zppWpYfZ{S8&oyasAt(%#U@Mwd^35Ck4B8S1@*XU_wx0Yd+2lg%snJvr0cnD+IZf8O zb5i6Z?mO3ZOBi%xv4e=)&$CmI^OS3fkiCq{CCT$=m-9HA7Qw_+c5`YpJeyCOrRoC^ z4uk?R6k#t8U3MNZ1)lNDZrY+LrFra9-xM;m-OcCV+Gl ssh-ed25519 aqswPA eCaomN/OCSet7JteG5GE1xArpi+zLdVjD415HRSa1hE +lgBm3ZCSzQlSOxLtLR6NW33TQcWgmU0nIMzZXpaTdsQ +--- z8b1blOyH3Ne62B4YO0UcwgGorWXHtguz453oHYUEV0 + +"]kRqї+f*/# ܢ,U,5ЈūQ9K><%/P@%#;0+Te ?󔴺 "S +)bYZ}-ܙ7U%:i +2;T1jN#sYԑdR檸}W?ؠZ0*UQdrɪu]ۏ $E#=hA k+Z"sɑ_5%( ˪W1GƀdҰw!WpȿJ2 _. +x%G/'PdWI