From 5884585b3aa89ba82d0ae1dc207079dcc6010ac0 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 1 Jan 2024 13:16:11 +0100
Subject: [PATCH] migrate data from thecloud.dmz to lewis.dmz install tcpdump
---
 .../ansible/inventory/group_vars/all.yml | 18 +++++++++++++
 .../ansible/roles/ampache/docker-stack.yml.j2 | 6 ++---
 .../ansible/roles/forgejo/docker-stack.yml.j2 | 4 +--
 .../roles/freshrss/docker-stack.yml.j2 | 4 +--
 .../roles/hedgedoc/docker-stack.yml.j2 | 6 ++---
 .../roles/kitchenowl/docker-stack.yml.j2 | 4 +--
 .../roles/mastodon/docker-stack.yml.j2 | 10 +++---
 .../roles/monitoring/docker-stack.yml.j2 | 6 ++---
 .../roles/nextcloud/docker-stack.yml.j2 | 6 ++---
 .../roles/overleaf/docker-stack.yml.j2 | 6 ++---
 .../ansible/roles/pihole/docker-stack.yml.j2 | 8 +++---
 .../roles/radicale/docker-stack.yml.j2 | 4 +--
 .../ansible/roles/seafile/docker-stack.yml.j2 | 4 +--
 .../roles/syncthing/docker-stack.yml.j2 | 8 +++---
 .../ansible/roles/traefik/docker-stack.yml.j2 | 4 +--
 nixos/default.nix | 1 +
 nixos/machines/default.nix | 2 +-
 .../{thecloud.nix => data-sharing.nix} | 27 ++++++++++++++-----
 nixos/modules/default.nix | 2 +-
 nixos/modules/networking.nix | 4 +++
 20 files changed, 86 insertions(+), 48 deletions(-)
 rename nixos/modules/{thecloud.nix => data-sharing.nix} (68%)
diff --git a/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml b/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml
index ad72b04..24ae052 100644
--- a/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml
+++ b/legacy/projects/docker_swarm/ansible/inventory/group_vars/all.yml
@@ -3,3 +3,21 @@ git_ssh_port: 56287
 elasticsearch_port: 14653
 fluent_forward_port: 24224
 concourse_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSVLcr617iJt+hqLFSsOQy1JeueLIAj1eRfuI+KeZAu pim@x260"
+
+database_passwords:
+ nextcloud: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66326230303135303930363761316534313439383365376231623661316635393839336431313262
+ 3832626365376533646561653863316364313135343366330a356136343938666133356532613263
+ 39663037623232363266376335643834353735363431636535386566643763386463353962663930
+ 3466343563353162320a376437353933656166323364323166376663323531373338656563653463
+ 33346263626430616164613937363836343430383233393061643231346661656539623938333631
+ 3632373964346139316637663364646132636636373461613534
+ hedgedoc: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63363464666633663762393135333362613966636338623533393132376338343339653431396465
+ 6634643863623163366235393434343662313735363438610a373065363361326565633766633835
+ 38383637343230363031636634623930666365333739323162313937656239646166613738393965
+ 3533666462303563360a313233306335396234393932396331313238376464363964363839396164
+ 66366662356135343035363935616664613831626131376330643133313530636431613266636165
+ 6265613666616164373637356235396165383662333561393939
diff --git a/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2
index 0b5a2e7..315f639 100644
--- a/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/ampache/docker-stack.yml.j2
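Review bot: `database_passwords` gains only `nextcloud` and `hedgedoc` entries, yet the mastodon stack template in this same patch still renders `{{ database_passwords.mastodon }}`, so that stack will fail with an undefined-variable error unless the key lives in a vars file not shown here. Either add a vault-encrypted `mastodon:` entry beside the two new ones or drop the mastodon references if that stack is being retired. Also consider whether these credentials belong in `group_vars/all.yml`: everything under `all` is decrypted and available to every host in the inventory, whereas a group scoped to the swarm nodes keeps the blast radius to the hosts that actually need the passwords.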
@@ -9,17 +9,17 @@ volumes:
 ampache_mysql:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/ampache/mysql"
 ampache_config:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/ampache/config"
 music:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/nextcloud/data/data/pim/files/Music"

 services:
diff --git a/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2
index fe4dd53..1fa6ec6 100644
--- a/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/forgejo/docker-stack.yml.j2
@@ -14,8 +14,8 @@ volumes:
 forgejo:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/forgejo"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/forgejo"

 services:
 forgejo:
diff --git a/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2
index 2a23a77..bf341fd 100644
--- a/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/freshrss/docker-stack.yml.j2
@@ -9,12 +9,12 @@ volumes:
 data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/freshrss/data"
 extensions:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/freshrss/extensions"

 services:
diff --git a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2
index 346ec26..d2a0193 100644
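Review bot: The three ampache volumes still point at `:/mnt/data/ampache/mysql`, `:/mnt/data/ampache/config` and `:/mnt/data/nextcloud/data/data/pim/files/Music`, but the data-sharing module in this patch exports only the paths in `nfsShares` under the new `/mnt/data/nfs` root and none of these are in that list, so unless lewis exports them some other way these mounts will be refused. The `music` path is additionally the old nextcloud location; the nextcloud and syncthing stacks now read from `:/mnt/data/nfs/nextcloud/data`. Separately, `nolock,soft,rw` on `ampache_mysql` means a timed-out write returns EIO to MySQL instead of being retried, so if this stack is kept the new `o:` line for that volume should use `hard` rather than `soft`.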
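Review bot: The `device:` lines for both freshrss volumes were left at `:/mnt/data/freshrss/data` and `:/mnt/data/freshrss/extensions`, while data-sharing.nix lists `/freshrss/data` and `/freshrss/extensions` under an `nfsRoot` that now defaults to `/mnt/data/nfs`. Every other stack whose share appears in that list was updated to the `/mnt/data/nfs/...` prefix, so this looks like an oversight that will break the mount once the old path is gone: `device: ":/mnt/data/nfs/freshrss/data"` and `device: ":/mnt/data/nfs/freshrss/extensions"`. I am assuming `nfsExports` prefixes `nfsRoot` onto each share; that expression is cut off in the data-sharing hunk.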
--- a/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/hedgedoc/docker-stack.yml.j2
@@ -9,14 +9,14 @@ volumes:
 uploads:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/hedgedoc/uploads"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/hedgedoc/uploads"

 services:
 hedgedoc:
 image: quay.io/hedgedoc/hedgedoc:1.9.7
 environment:
- - CMD_DB_URL=postgres://hedgedoc:{{ database_passwords.hedgedoc }}@192.168.30.10:5432/hedgedoc
+ - CMD_DB_URL=postgres://hedgedoc:{{ database_passwords.hedgedoc }}@lewis.dmz:5432/hedgedoc
 - CMD_DOMAIN=md.kun.is
 - CMD_PORT=3000
 - CMD_URL_ADDPORT=false
diff --git a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2
index a8dc1d5..1b3b4a2 100644
--- a/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/kitchenowl/docker-stack.yml.j2
@@ -10,8 +10,8 @@ volumes:
 data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/kitchenowl/data"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/kitchenowl/data"

 services:
 kitchenowl-front:
diff --git a/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2
index c00ecd9..f40c944 100644
--- a/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/mastodon/docker-stack.yml.j2
@@ -10,12 +10,12 @@ volumes:
 system:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/mastodon/system"
 redis:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/mastodon/redis"

 services:
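Review bot: The new `CMD_DB_URL` sends the vault-managed hedgedoc password to whatever `lewis.dmz` resolves to, and the URL carries no TLS requirement, so a spoofed or stale DNS answer in the DMZ would receive the credentials and the notes database traffic in the clear; with a fixed IP the attack needed ARP/route manipulation, now a DNS answer suffices. The server-side policy (pg_hba rules, `ssl = on`) belongs to the PostgreSQL part of data-sharing.nix, which is outside this diff; please confirm it admits only `hostssl` connections with scram authentication, and if HedgeDoc passes URL parameters through to its driver, append `?sslmode=verify-full` to the new `CMD_DB_URL`. The same consideration applies to the `POSTGRES_HOST` and `DB_HOST` changes elsewhere in this patch.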
@@ -40,7 +40,7 @@ services:
 - 'OTP_SECRET={{ otp_secret }}'
 - 'SECRET_KEY_BASE={{ secret_key_base }}'
 - 'REDIS_HOST=redis'
- - 'DB_HOST=192.168.30.10'
+ - 'DB_HOST=lewis.dmz'
 - 'DB_USER=mastodon'
 - 'DB_NAME=mastodon'
 - 'DB_PASS={{ database_passwords.mastodon }}'
@@ -83,7 +83,7 @@ services:
 environment:
 - 'REDIS_HOST=redis'
 - 'LOCAL_DOMAIN=social.pizzapim.nl'
- - 'DB_HOST=192.168.30.10'
+ - 'DB_HOST=lewis.dmz'
 - 'DB_USER=mastodon'
 - 'DB_NAME=mastodon'
 - 'DB_PASS={{ database_passwords.mastodon }}'
@@ -113,7 +113,7 @@ services:
 - 'OTP_SECRET={{ otp_secret }}'
 - 'SECRET_KEY_BASE={{ secret_key_base }}'
 - 'REDIS_HOST=redis'
- - 'DB_HOST=192.168.30.10'
+ - 'DB_HOST=lewis.dmz'
 - 'DB_USER=mastodon'
 - 'DB_NAME=mastodon'
 - 'DB_PASS={{ database_passwords.mastodon }}'
diff --git a/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2
index b6adf49..3fbd2e2 100644
--- a/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2
@@ -18,17 +18,17 @@ volumes:
 escerts:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/elasticsearch/certs"
 esdata:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/elasticsearch/data"
 grafanadata:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/grafana/data"

 services:
diff --git a/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2
index 6519069..a80d291 100644
--- a/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/nextcloud/docker-stack.yml.j2
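Review bot: `DB_HOST` is repointed at `lewis.dmz` in all three services, but nothing else in this patch moves mastodon to that host: `database_passwords` in group_vars gains no `mastodon` key, and `nfsShares` in data-sharing.nix does not export `/mastodon/system` or `/mastodon/redis`. Unless lewis receives that database and those exports through a change outside this patch, the stack will neither render (undefined `database_passwords.mastodon`) nor mount. If mastodon is being retired, saying so in the commit message is cheaper than leaving a half-migrated stack; if not, add the vault entry and the shares, and consider `DB_SSLMODE=verify-full` next to `DB_HOST` where the deployed Mastodon version honours it.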
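Review bot: `esdata` keeps `nolock` on the new `o:` line, which makes NFS lock calls client-local; Elasticsearch relies on a lock file in its data path to keep two processes off the same indices, so if Swarm reschedules the container to another node while the old task is still shutting down both can hold the "lock" and corrupt the index. `escerts` is the Elasticsearch TLS key material, exported `rw` to every client the export options admit; those options come from `nfsExports`, which is cut off in this patch, so please check the client ACL there. None of `/elasticsearch/certs`, `/elasticsearch/data` or `/grafana/data` is in the new `nfsShares` either, so these mounts need either an export or a retirement note.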
@@ -9,8 +9,8 @@ volumes:
 data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/nextcloud/data"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/nextcloud/data"

 services:
 nextcloud:
@@ -25,7 +25,7 @@ services:
 - POSTGRES_USER=nextcloud
 - POSTGRES_DB=nextcloud
 - POSTGRES_PASSWORD={{ database_passwords.nextcloud }}
- - POSTGRES_HOST=192.168.30.10
+ - POSTGRES_HOST=lewis.dmz
 networks:
 - traefik
 deploy:
diff --git a/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2
index 76904a8..033bbb8 100644
--- a/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/overleaf/docker-stack.yml.j2
@@ -9,17 +9,17 @@ volumes:
 data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/overleaf/data"
 redis:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/overleaf/redis"
 mongodb:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/overleaf/mongodb"

 services:
diff --git a/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2
index 9581831..5f87bd3 100644
--- a/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/pihole/docker-stack.yml.j2
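Review bot: `/mnt/data/overleaf/data`, `/mnt/data/overleaf/redis` and `/mnt/data/overleaf/mongodb` are not in the `nfsShares` list that data-sharing.nix exports under `/mnt/data/nfs`, so with the old root gone these three mounts will be refused unless lewis exports them through something outside this patch. The `mongodb` volume is the one to worry about if the stack is kept: it is a database directory on a `nolock,soft` mount, so the storage engine's lock file is not honoured across clients and a timed-out write surfaces as EIO rather than a retry; at minimum the new `o:` line for it should be `"addr=lewis.dmz,hard,rw"`. If overleaf is being decommissioned, a line in the commit message would save the next reader the same check.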
@@ -10,13 +10,13 @@ volumes:
 data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/pihole/data"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/pihole/data"
 dnsmasq:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/pihole/dnsmasq"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/pihole/dnsmasq"

 services:
 pihole:
diff --git a/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2
index 61fba13..6f49c64 100644
--- a/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/radicale/docker-stack.yml.j2
@@ -17,8 +17,8 @@ volumes:
 data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/radicale"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/radicale"

 services:
 radicale:
diff --git a/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2
index b510050..c7fc2ac 100644
--- a/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/seafile/docker-stack.yml.j2
@@ -10,12 +10,12 @@ volumes:
 data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/seafile/data"
 db:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
+ o: "addr=lewis.dmz,nolock,soft,rw"
 device: ":/mnt/data/seafile/db"

 services:
diff --git a/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2
index d8af3ba..fdcf42e 100644
--- a/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2
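Review bot: Pi-hole's own `data` and `dnsmasq` volumes now require `lewis.dmz` to resolve before the container can be started, and if this Pi-hole is the resolver the swarm nodes use for `.dmz` names (the networking.nix comment in this patch says DNS is now what the setup relies on), the stack cannot bootstrap after a cold start or a resolver outage because it is waiting on itself. Keeping a literal `addr=` for this one stack, or an `/etc/hosts` entry for `lewis.dmz` on the swarm nodes, breaks the cycle; which one is right depends on where `.dmz` is actually served, which is outside this patch.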
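Review bot: `/mnt/data/seafile/data` and `/mnt/data/seafile/db` are not among the `nfsShares` that data-sharing.nix exports under the new `/mnt/data/nfs` root, so these `device:` lines will stop mounting once the old location is gone unless seafile is exported some other way. `db` is a database data directory on a `nolock,soft` mount, the riskiest combination in this patch: the engine's lock file is not honoured across clients and a timed-out write is reported as EIO instead of retried. If seafile is still in service, add `/seafile/data` and `/seafile/db` to the share list, change the prefix here to `/mnt/data/nfs`, and use `hard` for the `db` volume; otherwise note the retirement in the commit message.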
+++ b/legacy/projects/docker_swarm/ansible/roles/syncthing/docker-stack.yml.j2
@@ -9,13 +9,13 @@ volumes:
 config:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/syncthing/config"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/syncthing/config"
 nextcloud_data:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/nextcloud/data"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/nextcloud/data"

 services:
 syncthing:
diff --git a/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2 b/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2
index a865683..804b55d 100644
--- a/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/traefik/docker-stack.yml.j2
@@ -14,8 +14,8 @@ volumes:
 acme:
 driver_opts:
 type: "nfs"
- o: "addr=192.168.30.10,nolock,soft,rw"
- device: ":/mnt/data/traefik/acme"
+ o: "addr=lewis.dmz,nolock,soft,rw"
+ device: ":/mnt/data/nfs/traefik/acme"

 services:
 traefik:
diff --git a/nixos/default.nix b/nixos/default.nix
index 6511d73..f2b74a4 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -109,6 +109,7 @@
 dig
 tree
 file
+ tcpdump
 ];
diff --git a/nixos/machines/default.nix b/nixos/machines/default.nix
index e272f71..c161060 100644
--- a/nixos/machines/default.nix
+++ b/nixos/machines/default.nix
@@ -40,7 +40,7 @@
 disko.osDiskDevice = "/dev/sda";
 backups.enable = true;
 networking.allowDMZConnectivity = true;
- thecloud.enable = true;
+ data-sharing.enable = true;

 dataDisk = {
 enable = true;
diff --git a/nixos/modules/thecloud.nix b/nixos/modules/data-sharing.nix
similarity index 68%
rename from nixos/modules/thecloud.nix
rename to nixos/modules/data-sharing.nix
index e62b8a1..71f6f49 100644
--- a/nixos/modules/thecloud.nix
+++ b/nixos/modules/data-sharing.nix
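Review bot: `nextcloud_data` now mounts the same export as the nextcloud stack's `data` volume, both `rw` and both with `nolock`, so two writers on different swarm nodes touch the same files with no lock coordination at all; the hostname change itself is fine, but this is the moment the `o:` line is being rewritten anyway. Dropping `nolock` from both volumes' new `o:` lines (`o: "addr=lewis.dmz,hard,rw"`) lets NFS locking mediate concurrent access, or the syncthing side can become `ro` if it only needs to read. Which of the two is right depends on what syncthing is expected to do with that tree, which the stack does not show.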
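Review bot: The `acme` volume is Traefik's certificate store including the private keys for every certificate it issues, and this hunk places it on an export that any client admitted by the export options can mount `rw`. Those options come from `nfsExports` in data-sharing.nix, which is cut off in this patch, so please confirm the client list is the swarm nodes only and that the file keeps its 0600 mode under whatever root-squash setting applies, since Traefik refuses to start when the mode is wider. If sharing key material over unauthenticated NFS is not something you want at all, a node-local volume pinned with a placement constraint, or a Swarm secret for the store, avoids it entirely.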
@@ -1,8 +1,18 @@
 { pkgs, lib, config, ... }:
 let
- cfg = config.lab.thecloud;
+ cfg = config.lab.data-sharing;
 nfsShares = [
- "/ancient"
+ "/nextcloud/data"
+ "/radicale"
+ "/freshrss/data"
+ "/freshrss/extensions"
+ "/pihole/data"
+ "/pihole/dnsmasq"
+ "/hedgedoc/uploads"
+ "/traefik/acme"
+ "/forgejo"
+ "/kitchenowl/data"
+ "/syncthing/config"
 ];
 nfsExports = lib.strings.concatLines (
 builtins.map
@@ -13,17 +23,17 @@ let
 );
 in
 {
- options.lab.thecloud = {
+ options.lab.data-sharing = {
 enable = lib.mkOption {
 default = false;
 type = lib.types.bool;
 description = ''
- Experimental: migrate thecloud.dmz to hypervisor.
+ Configure this server to serve our data using NFS and PostgreSQL.
 '';
 };

 nfsRoot = lib.mkOption {
- default = "/mnt/data";
+ default = "/mnt/data/nfs";
 type = lib.types.str;
 description = ''
 Root directory of NFS data.
@@ -40,7 +50,12 @@ in
 };

 config = lib.mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = [ 2049 5432 ];
+ networking.firewall.allowedTCPPorts = [
+ 2049 # NFS
+ 5432 # PostgeSQL
+ 111 # NFS
+ 20048 # NFS
+ ];

 services = {
 nfs.server = {
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 00d077f..5762b09 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -7,6 +7,6 @@
 ./disko.nix
 ./backups.nix
 ./networking.nix
- ./thecloud.nix
+ ./data-sharing.nix
 ];
 }
diff --git a/nixos/modules/networking.nix b/nixos/modules/networking.nix
index 47dd296..1dd2ae9 100644
--- a/nixos/modules/networking.nix
+++ b/nixos/modules/networking.nix
@@ -33,6 +33,10 @@ in {
 netdevConfig = {
 Kind = "bridge";
 Name = "bridgedmz";
+ # TODO: This does not seem to work? Unsure what the problem is.
+ # We don't necessary need this though: we simply use DNS as the host.
+ # MACAddress = lib.mkIf cfg.allowDMZConnectivity "CA:FE:C0:FF:EE:0A";
+ # MACAddress = "ca:fe:c0:ff:ee:0a";
 };
 };
 };
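Review bot: `nfsShares` now enumerates exactly the stacks whose `device:` lines were rewritten to `/mnt/data/nfs`, which leaves ampache, mastodon, monitoring, overleaf and seafile mounting paths this module no longer exports. If those stacks are intentionally abandoned, a comment above the list saying so (`# Not migrated from thecloud.dmz: ampache, mastodon, monitoring, overleaf, seafile; their stacks are expected to fail.`) stops the next reader from re-adding them blindly; if not, they need entries here and `/freshrss/*` needs the matching path change in its stack. The `let` binding that turns this list into `nfsExports` continues past the end of the hunk, so I could not check what export options each share gets.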
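Review bot: `networking.firewall.allowedTCPPorts` opens rpcbind, mountd, NFS and PostgreSQL on every interface of the host rather than only the DMZ bridge the clients sit on, so on any other network this machine is attached to the only barrier in front of the exports and the database is the export list and pg_hba, both outside this hunk. Scoping the rule to the DMZ interface (assuming lewis's bridge is the `bridgedmz` netdev defined in networking.nix) keeps the exposure to the clients that need it; NFSv3 clients also reach rpcbind and mountd over UDP, and 20048 is only where mountd listens if `services.nfs.server.mountdPort = 20048;` pins it, which I cannot see in the `nfs.server` block that begins on the hunk's last line. The comment on 5432 also misspells PostgreSQL.
```nix
    networking.firewall.interfaces.bridgedmz = {
      allowedTCPPorts = [ 111 2049 20048 5432 ]; # rpcbind, NFS, mountd, PostgreSQL
      allowedUDPPorts = [ 111 2049 20048 ];      # NFSv3 clients use UDP for rpcbind/mountd
    };
    # … unchanged: services = { nfs.server = { … } … } …
```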
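Review bot: The four added lines are commented-out code plus a TODO that records neither the symptom nor what was tried, which is the kind of note that gets retried blindly later; either keep the `MACAddress` attempt with a sentence on what actually failed, or drop both `# MACAddress = ...` lines. The second comment is also the rationale the whole patch depends on, since every `addr=lewis.dmz` and `DB_HOST=lewis.dmz` is only as stable as that name, so it is worth stating what pins it, for instance `# The bridge MAC is left to networkd; lewis.dmz is pinned by a static lease/record, so services address this host by name.` (adjust to whichever mechanism is in use; it is not visible here). Minor wording: "don't necessary need" should read "don't necessarily need".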