From 34885e6231957293c4405cf41e08445c0e072497 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 22 Jul 2023 12:05:05 +0200 Subject: [PATCH 01/36] add forwarded for header for pihole --- ansible/roles/pihole/docker-stack.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/pihole/docker-stack.yml.j2 b/ansible/roles/pihole/docker-stack.yml.j2 index 8bfbd93..6681b02 100644 --- a/ansible/roles/pihole/docker-stack.yml.j2 +++ b/ansible/roles/pihole/docker-stack.yml.j2 @@ -51,4 +51,6 @@ services: - traefik.http.routers.pihole.tls.certresolver=letsencrypt - traefik.http.routers.pihole.service=pihole - traefik.http.services.pihole.loadbalancer.server.port=80 + - traefik.http.middlewares.set-forwarded-for.headers.hostsProxyHeaders=X-Forwarded-For + - traefik.http.routers.pihole.middlewares=set-forwarded-for - traefik.docker.network=traefik From 1a527394b395811282ede1e8db6885186f588b43 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 22 Jul 2023 12:06:06 +0200 Subject: [PATCH 02/36] add concourse public key to swarm manager authorized hosts --- ansible/inventory/group_vars/all.yml | 1 + ansible/playbooks/setup.yml | 10 ++++------ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index 515a1b5..e522520 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -1,5 +1,6 @@ data_directory_base: /mnt/data git_ssh_port: 56287 +concourse_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSVLcr617iJt+hqLFSsOQy1JeueLIAj1eRfuI+KeZAu pim@x260" nfs_shares: - name: nextcloud_data diff --git a/ansible/playbooks/setup.yml b/ansible/playbooks/setup.yml index 7daa6ba..a731fd3 100644 --- a/ansible/playbooks/setup.yml +++ b/ansible/playbooks/setup.yml 
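Review bot: The added label `traefik.http.middlewares.set-forwarded-for.headers.hostsProxyHeaders=X-Forwarded-For` does not make Traefik set or pass an X-Forwarded-For header; in the headers middleware, `hostsProxyHeaders` only names headers that may carry a proxied hostname, so the middleware attached by the following `traefik.http.routers.pihole.middlewares=set-forwarded-for` label is probably a no-op for what the commit title describes. Traefik already adds X-Forwarded-For on upstream requests by default, and whether a client-supplied value is trusted is governed by the entrypoint's `forwardedHeaders.trustedIPs`, which is not part of this hunk. Verify against the headers Pi-hole actually receives and, if the label turns out to be ineffective, drop both added lines rather than carry a misleading middleware. The label list continues outside the hunk on both sides.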
@@ -49,9 +49,7 @@ - hosts: manager tasks: - - name: Add labels to Docker Swarm - docker_node: - hostname: "{{ item.hostname }}" - labels: "{{ item.labels }}" - labels_state: replace - loop: "{{ docker_node_labels }}" + - name: Add concourse to authorized keys + authorized_key: + user: root + key: "{{ concourse_public_key }}" From 3887b9979b598cb73743a50505884b90af668fb9 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 22 Jul 2023 12:06:49 +0200 Subject: [PATCH 03/36] change VM architecture --- ansible/inventory/host_vars/manager.yml | 25 ------ ansible/inventory/hosts.yml | 10 +-- terraform/dns.tf | 2 +- terraform/main.tf | 112 ++++++++++++++---------- 4 files changed, 69 insertions(+), 80 deletions(-) delete mode 100644 ansible/inventory/host_vars/manager.yml diff --git a/ansible/inventory/host_vars/manager.yml b/ansible/inventory/host_vars/manager.yml deleted file mode 100644 index 5edb04a..0000000 --- a/ansible/inventory/host_vars/manager.yml +++ /dev/null @@ -1,25 +0,0 @@ -docker_node_labels: - - hostname: maestro - labels: {} - - hostname: swarmpub1 - labels: - public: "true" - mastodon: "true" - - hostname: swarmpub2 - labels: - public: "true" - jitsi: "true" - - hostname: swarmpriv1 - labels: - private: "true" - overleaf: "true" - syncthing: "true" - hedgedoc: "true" - radicale: "true" - - hostname: swarmpriv2 - labels: - private: "true" - seafile: "true" - freshrss: "true" - pihole: "true" - discourse: "true" diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index aea4b94..b7bce70 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml @@ -7,11 +7,5 @@ all: children: workers: hosts: - swarmpub1: - ansible_host: swarmpub1.dmz - swarmpub2: - ansible_host: swarmpub2.dmz - swarmpriv1: - ansible_host: swarmpriv1.dmz - swarmpriv2: - ansible_host: swarmpriv2.dmz + bancomart: + ansible_host: bancomart.dmz diff --git a/terraform/dns.tf b/terraform/dns.tf index 66dca31..9668446 100644 --- a/terraform/dns.tf 
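Review bot: The new `authorized_key` task installs the Concourse key for `user: root` with no restrictions, so the CI runner gets an unrestricted root shell on the swarm manager although it presumably only needs the Docker API; confine it with `key_options: 'restrict,from="<CONCOURSE_IP_PLACEHOLDER>"'` (placeholder value) or a dedicated non-root user that is a member of the docker group. The same hunk deletes the `Add labels to Docker Swarm` task, which the commit message does not mention; if any stack still carries `node.labels.*` placement constraints, those services will stop scheduling once labels are no longer applied. The enclosing play (`hosts: manager`) continues outside the hunk.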
+++ b/terraform/dns.tf @@ -8,7 +8,7 @@ provider "powerdns" { } resource "powerdns_record" "subdomain_pim" { - for_each = toset(["dav", "git", "meet", "rss", "latex", "md", "swarm", "traefik", "syncthing", "cloud", "pihole", "ntfy", "apprise", "uptime", "concourse", "discourse"]) + for_each = toset(["dav", "git", "meet", "rss", "latex", "md", "swarm", "traefik", "syncthing", "cloud", "pihole", "ntfy", "apprise", "uptime", "concourse"]) zone = "pim.kunis.nl." name = "${each.key}.pim.kunis.nl." type = "CNAME" diff --git a/terraform/main.tf b/terraform/main.tf index 4dc810a..bc82e01 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -1,7 +1,6 @@ terraform { backend "pg" { schema_name = "shoarma" - conn_str = "postgres://terraform@10.42.0.1/terraform_state" } required_providers { 
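Review bot: Dropping `conn_str` from the `pg` backend is the right direction, since the string embedded a database user and host in the repository, but nothing in the hunk records where the value now comes from; the backend reads `PG_CONN_STR` from the environment or a `-backend-config` argument at `terraform init`, and a fresh checkout fails init without it. A one-line comment inside the backend block, `# connection string is supplied via PG_CONN_STR at init time`, would spare the next person a failed init. The `terraform` block continues past the end of the hunk.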
@@ -25,58 +24,79 @@ provider "libvirt" { uri = "qemu+ssh://root@jefke.hyp/system" } -module "manager" { - source = "git::https://git.kun.is/home/tf-modules.git//debian" - name = "maestro" - domain_name = "tf-maestro" - memory = 1024 - mac = "CA:FE:C0:FF:EE:08" - hypervisor_host = "atlas.hyp" +module "maestro" { + source = "../../tf-modules/debian" + name = "maestro" + domain_name = "tf-maestro" + memory = 1024 * 10 + mac = "CA:FE:C0:FF:EE:08" providers = { libvirt = libvirt } } -module "swarmpub1" { - source = "git::https://git.kun.is/home/tf-modules.git//debian" - name = "swarmpub1" - domain_name = "tf-swarmpub1" - memory = 1024 * 5 - hypervisor_host = "atlas.hyp" - providers = { - libvirt = libvirt - } -} - -module "swarmpriv1" { - source = "git::https://git.kun.is/home/tf-modules.git//debian" - name = "swarmpriv1" - domain_name = "tf-swarmpriv1" - memory = 1024 * 5 - hypervisor_host = "atlas.hyp" - providers = { - libvirt = libvirt - } -} - -module "swarmpub2" { - source = "git::https://git.kun.is/home/tf-modules.git//debian" - name = "swarmpub2" - domain_name = "tf-swarmpub2" - memory = 1024 * 3 - hypervisor_host = "jefke.hyp" +module "bancomart" { + source = "../../tf-modules/debian" + name = "bancomart" + domain_name = "tf-bancomart" + memory = 1024 * 10 providers = { libvirt = libvirt.jefke } } -module "swarmpriv2" { - source = "git::https://git.kun.is/home/tf-modules.git//debian" - name = "swarmpriv2" - domain_name = "tf-swarmpriv2" - memory = 1024 * 3 - hypervisor_host = "jefke.hyp" - providers = { - libvirt = libvirt.jefke - } -} +#module "manager" { +# source = "git::https://git.kun.is/home/tf-modules.git//debian" +# name = "maestro" +# domain_name = "tf-maestro" +# memory = 1024 +# mac = "CA:FE:C0:FF:EE:08" +# hypervisor_host = "atlas.hyp" +# providers = { +# libvirt = libvirt +# } +#} +# +#module "swarmpub1" { +# source = "git::https://git.kun.is/home/tf-modules.git//debian" +# name = "swarmpub1" +# domain_name = "tf-swarmpub1" +# memory = 1024 * 5 +# 
hypervisor_host = "atlas.hyp" +# providers = { +# libvirt = libvirt +# } +#} +# +#module "swarmpriv1" { +# source = "git::https://git.kun.is/home/tf-modules.git//debian" +# name = "swarmpriv1" +# domain_name = "tf-swarmpriv1" +# memory = 1024 * 5 +# hypervisor_host = "atlas.hyp" +# providers = { +# libvirt = libvirt +# } +#} +# +#module "swarmpub2" { +# source = "git::https://git.kun.is/home/tf-modules.git//debian" +# name = "swarmpub2" +# domain_name = "tf-swarmpub2" +# memory = 1024 * 3 +# hypervisor_host = "jefke.hyp" +# providers = { +# libvirt = libvirt.jefke +# } +#} +# +#module "swarmpriv2" { +# source = "git::https://git.kun.is/home/tf-modules.git//debian" +# name = "swarmpriv2" +# domain_name = "tf-swarmpriv2" +# memory = 1024 * 3 +# hypervisor_host = "jefke.hyp" +# providers = { +# libvirt = libvirt.jefke +# } +#} From 9a4a00c4e740bac6e1155021dfb5b7f80e33ff6b Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 22 Jul 2023 12:24:27 +0200 Subject: [PATCH 04/36] clean up terraform --- terraform/main.tf | 64 +++-------------------------------------------- 1 file changed, 4 insertions(+), 60 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index bc82e01..1c9cd32 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -25,10 +25,10 @@ provider "libvirt" { } module "maestro" { - source = "../../tf-modules/debian" + source = "git::https://git.kun.is/home/tf-modules.git//debian" name = "maestro" domain_name = "tf-maestro" - memory = 1024 * 10 + memory = 10240 mac = "CA:FE:C0:FF:EE:08" providers = { libvirt = libvirt 
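Review bot: The restored `source = "git::https://git.kun.is/home/tf-modules.git//debian"` carries no `?ref=` selector, so every `terraform init` follows that repository's default branch and the VM definitions can change with no change in this repo; pin a tag or commit, e.g. `source = "git::https://git.kun.is/home/tf-modules.git//debian?ref=<TAG_PLACEHOLDER>"` (placeholder value), so a plan is reproducible and the module update is itself reviewable. The same applies to the `bancomart` module in the next hunk. The `maestro` module block continues past the end of this hunk.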
@@ -36,67 +36,11 @@ module "maestro" { } module "bancomart" { - source = "../../tf-modules/debian" + source = "git::https://git.kun.is/home/tf-modules.git//debian" name = "bancomart" domain_name = "tf-bancomart" - memory = 1024 * 10 + memory = 10240 providers = { libvirt = libvirt.jefke } } - -#module "manager" { -# source = "git::https://git.kun.is/home/tf-modules.git//debian" -# name = "maestro" -# domain_name = "tf-maestro" -# memory = 1024 -# mac = "CA:FE:C0:FF:EE:08" -# hypervisor_host = "atlas.hyp" -# providers = { -# libvirt = libvirt -# } -#} -# -#module "swarmpub1" { -# source = "git::https://git.kun.is/home/tf-modules.git//debian" -# name = "swarmpub1" -# domain_name = "tf-swarmpub1" -# memory = 1024 * 5 -# hypervisor_host = "atlas.hyp" -# providers = { -# libvirt = libvirt -# } -#} -# -#module "swarmpriv1" { -# source = "git::https://git.kun.is/home/tf-modules.git//debian" -# name = "swarmpriv1" -# domain_name = "tf-swarmpriv1" -# memory = 1024 * 5 -# hypervisor_host = "atlas.hyp" -# providers = { -# libvirt = libvirt -# } -#} -# -#module "swarmpub2" { -# source = "git::https://git.kun.is/home/tf-modules.git//debian" -# name = "swarmpub2" -# domain_name = "tf-swarmpub2" -# memory = 1024 * 3 -# hypervisor_host = "jefke.hyp" -# providers = { -# libvirt = libvirt.jefke -# } -#} -# -#module "swarmpriv2" { -# source = "git::https://git.kun.is/home/tf-modules.git//debian" -# name = "swarmpriv2" -# domain_name = "tf-swarmpriv2" -# memory = 1024 * 3 -# hypervisor_host = "jefke.hyp" -# providers = { -# libvirt = libvirt.jefke -# } -#} From 5bb39c4491392f9fb06d490af2c73d49439c29a1 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 22 Jul 2023 12:31:45 +0200 Subject: [PATCH 05/36] remove unused dns records --- terraform/dns.tf | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 9668446..eabc8bf 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
@@ -7,23 +7,6 @@ provider "powerdns" { api_key = data.external.secrets.result.powerdns_api_key } -resource "powerdns_record" "subdomain_pim" { - for_each = toset(["dav", "git", "meet", "rss", "latex", "md", "swarm", "traefik", "syncthing", "cloud", "pihole", "ntfy", "apprise", "uptime", "concourse"]) - zone = "pim.kunis.nl." - name = "${each.key}.pim.kunis.nl." - type = "CNAME" - records = ["www.pim.kunis.nl."] - ttl = 60 -} - -resource "powerdns_record" "social_pim_kunis_nl_a" { - zone = "pim.kunis.nl." - name = "social.pim.kunis.nl." - type = "A" - records = ["84.245.14.149"] - ttl = 60 -} - resource "powerdns_record" "kms_geokunis2_nl_a" { zone = "geokunis2.nl." name = "kms.geokunis2.nl." From b40c6ca579ba07286c73d0b533f9a7b9e1fdf9c6 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 22 Jul 2023 12:38:12 +0200 Subject: [PATCH 06/36] add playbook to remove docker swarm stack --- ansible/playbooks/remove_stack.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 ansible/playbooks/remove_stack.yml diff --git a/ansible/playbooks/remove_stack.yml b/ansible/playbooks/remove_stack.yml new file mode 100644 index 0000000..3f505ce --- /dev/null +++ b/ansible/playbooks/remove_stack.yml @@ -0,0 +1,9 @@ +--- +- name: Remove a Docker swarm stack + hosts: manager + + tasks: + - name: Remove the stack + docker_stack: + name: "{{ stack }}" + state: absent From dad67c873162de4bba18bb7e93c12b10fbd5a40a Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 23 Jul 2023 11:28:43 +0200 Subject: [PATCH 07/36] add prometheus service --- ansible/inventory/group_vars/all.yml | 2 ++ ansible/playbooks/stacks.yml | 1 + ansible/requirements.yml | 26 +++++++------- ansible/roles/prometheus/docker-stack.yml.j2 | 36 ++++++++++++++++++++ ansible/roles/prometheus/tasks/main.yml | 13 +++++++ 5 files changed, 66 insertions(+), 12 deletions(-) create mode 100644 ansible/roles/prometheus/docker-stack.yml.j2 create mode 100644 ansible/roles/prometheus/tasks/main.yml 
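Review bot: The `{{ stack }}` variable in the new `Remove the stack` task has no default and no guard, so the playbook only fails with an undefined-variable error at the task itself when run without `-e stack=...`; that is safe, but a `pre_tasks` entry with `assert: { that: stack is defined }` (or a `vars_prompt`) would make the contract explicit for a playbook whose only action is destructive. Consider also a `name:` line on the play describing that the stack name is expected as an extra var. The playbook is complete within the hunk.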
diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index e522520..c5716bf 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -35,6 +35,8 @@ nfs_shares: path: /mnt/data/overleaf/redis - name: overleaf_mongodb path: /mnt/data/overleaf/mongodb + - name: prometheus_data + path: /mnt/data/prometheus/data database_passwords: nextcloud: !vault | diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml index 08378d8..a46c7d8 100644 --- a/ansible/playbooks/stacks.yml +++ b/ansible/playbooks/stacks.yml @@ -19,3 +19,4 @@ - {role: pihole, tags: pihole} - {role: nextcloud, tags: nextcloud} - {role: syncthing, tags: syncthing} + - {role: prometheus, tags: prometheus} diff --git a/ansible/requirements.yml b/ansible/requirements.yml index ed3bd2b..eb97f58 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1,12 +1,14 @@ -- name: setup_apt - src: https://github.com/sunscrapers/ansible-role-apt.git - scm: git -- name: docker - src: https://git.kun.is/pim/ansible-role-docker - scm: git -- name: cloudinit_wait - src: https://git.kun.is/pim/ansible-role-cloudinit-wait - scm: git -- name: postgresql_database - src: https://git.kun.is/home/ansible-role-postgresql-database - scm: git +--- +roles: + - name: setup_apt + src: https://github.com/sunscrapers/ansible-role-apt.git + scm: git + - name: docker + src: https://git.kun.is/pim/ansible-role-docker + scm: git + - name: cloudinit_wait + src: https://git.kun.is/pim/ansible-role-cloudinit-wait + scm: git + - name: postgresql_database + src: https://git.kun.is/home/ansible-role-postgresql-database + scm: git diff --git a/ansible/roles/prometheus/docker-stack.yml.j2 b/ansible/roles/prometheus/docker-stack.yml.j2 new file mode 100644 index 0000000..a381d30 --- /dev/null +++ b/ansible/roles/prometheus/docker-stack.yml.j2 
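Review bot: The entries moved under the new `roles:` key are still fetched with `scm: git` and no `version:`, so `ansible-galaxy install` tracks each repository's default branch and any commit pushed to `sunscrapers/ansible-role-apt` or the git.kun.is roles lands in the next run unreviewed; each entry should pin a tag or commit with `version: <TAG_PLACEHOLDER>` (placeholder value) beneath its `src:` line. Apart from the added `---` and the `roles:` wrapper the hunk is a pure reindent of the existing entries, so this is the moment to add the pins.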
@@ -0,0 +1,36 @@ +# vi: ft=yaml + +version: "3" + +networks: + traefik: + external: true + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/prometheus/data" + +services: + prometheus: + image: quay.io/prometheus/prometheus + networks: + - traefik + # volumes: + # - type: volume + # source: data + # target: /prometheus + # volume: + # nocopy: true + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.prometheus.entrypoints=localsecure + - traefik.http.routers.prometheus.rule=Host(`metrics.kun.is`) + - traefik.http.routers.prometheus.tls=true + - traefik.http.routers.prometheus.tls.certresolver=letsencrypt + - traefik.http.routers.prometheus.service=prometheus + - traefik.http.services.prometheus.loadbalancer.server.port=9090 + - traefik.docker.network=traefik diff --git a/ansible/roles/prometheus/tasks/main.yml b/ansible/roles/prometheus/tasks/main.yml new file mode 100644 index 0000000..dda2a32 --- /dev/null +++ b/ansible/roles/prometheus/tasks/main.yml @@ -0,0 +1,13 @@ +#- name: Create prometheus config +# docker_config: +# name: prometheus_config +# data: "{{ lookup('file', '{{ role_path }}/prometheus.yml') }}" +# use_ssh_client: true +# rolling_versions: true +# register: config + +- name: Deploy Docker stack + docker_stack: + name: prometheus + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" From 882578e8380bcd9a83ac99cdf365f3896f6502ab Mon Sep 17 00:00:00 2001 From: Niels Kunis Date: Sun, 23 Jul 2023 13:34:38 +0200 Subject: [PATCH 08/36] added records for VERP/smtp2go --- terraform/dns.tf | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/terraform/dns.tf b/terraform/dns.tf index eabc8bf..91e51bf 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
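Review bot: `image: quay.io/prometheus/prometheus` has no tag, so each redeploy may pull a different release, and the `prometheus` router on `metrics.kun.is` forwards the full Prometheus UI and API with no authentication middleware; pin the image (`image: quay.io/prometheus/prometheus:<VERSION_PLACEHOLDER>`, placeholder value) and attach an auth middleware to the router. The `data` volume is declared with NFS options `nolock,soft,rw` but left commented out in the service; Prometheus documents NFS as unsupported for its TSDB, so if the mount is enabled later a local or block-backed volume is the safer choice. The file is also missing a `---` document start after the modeline, which yamllint flags.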
@@ -54,3 +54,27 @@ resource "powerdns_record" "inbucket_geokunis2_nl_a" { records = ["84.245.14.149"] ttl = 60 } + +resource "powerdns_record" "smtp2go_1_geokunis2_nl_cname" { + zone = "geokunis2.nl." + name = "em670271.geokunis2.nl." + type = "CNAME" + records = ["return.smtp2go.net"] + ttl = 60 +} + +resource "powerdns_record" "smtp2go_2_geokunis2_nl_cname" { + zone = "geokunis2.nl." + name = "s670271._domainkey.geokunis2.nl." + type = "CNAME" + records = ["dkim.smtp2go.net"] + ttl = 60 +} + +resource "powerdns_record" "smtp2go_3_geokunis2_nl_cname" { + zone = "geokunis2.nl." + name = "link.geokunis2.nl." + type = "CNAME" + records = ["track.smtp2go.net"] + ttl = 60 +} \ No newline at end of file From 251399887b39be29fbf70a9342a286a1998ac284 Mon Sep 17 00:00:00 2001 From: Niels Kunis Date: Sun, 23 Jul 2023 13:44:03 +0200 Subject: [PATCH 09/36] corrected typo --- terraform/dns.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 91e51bf..d9b24a4 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -59,7 +59,7 @@ resource "powerdns_record" "smtp2go_1_geokunis2_nl_cname" { zone = "geokunis2.nl." name = "em670271.geokunis2.nl." type = "CNAME" - records = ["return.smtp2go.net"] + records = ["return.smtp2go.net."] ttl = 60 } @@ -67,7 +67,7 @@ resource "powerdns_record" "smtp2go_2_geokunis2_nl_cname" { zone = "geokunis2.nl." name = "s670271._domainkey.geokunis2.nl." type = "CNAME" - records = ["dkim.smtp2go.net"] + records = ["dkim.smtp2go.net."] ttl = 60 } @@ -75,6 +75,6 @@ resource "powerdns_record" "smtp2go_3_geokunis2_nl_cname" { zone = "geokunis2.nl." name = "link.geokunis2.nl." type = "CNAME" - records = ["track.smtp2go.net"] + records = ["track.smtp2go.net."] ttl = 60 } \ No newline at end of file From 853213505409065f0e5a24fdf353e28bca22b1b9 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sun, 23 Jul 2023 15:27:31 +0200 Subject: [PATCH 10/36] enable remote writes to prometheus fix prometheus volume --- ansible/roles/prometheus/docker-stack.yml.j2 | 57 +++++++++++++++++--- ansible/roles/prometheus/prometheus.yml | 29 ++++++++++ ansible/roles/prometheus/tasks/main.yml | 14 ++--- 3 files changed, 87 insertions(+), 13 deletions(-) create mode 100644 ansible/roles/prometheus/prometheus.yml diff --git a/ansible/roles/prometheus/docker-stack.yml.j2 b/ansible/roles/prometheus/docker-stack.yml.j2 index a381d30..3da42ee 100644 --- a/ansible/roles/prometheus/docker-stack.yml.j2 +++ b/ansible/roles/prometheus/docker-stack.yml.j2 
@@ -18,12 +18,57 @@ services: image: quay.io/prometheus/prometheus networks: - traefik - # volumes: - # - type: volume - # source: data - # target: /prometheus - # volume: - # nocopy: true + volumes: + - type: volume + source: data + target: /prometheus + volume: + nocopy: true + command: + - '--alertmanager.notification-queue-capacity=10000' + - '--alertmanager.timeout=' + - '--config.file=/etc/prometheus/prometheus.yml' + - '--enable-feature=' + - '--log.format=logfmt' + - '--log.level=info' + - '--query.lookback-delta=5m' + - '--query.max-concurrency=20' + - '--query.max-samples=50000000' + - '--query.timeout=2m' + - '--rules.alert.for-grace-period=10m' + - '--rules.alert.for-outage-tolerance=1h' + - '--rules.alert.resend-delay=1m' + - '--scrape.adjust-timestamps' + - '--scrape.discovery-reload-interval=5s' + - '--scrape.timestamp-tolerance=2ms' + - '--storage.remote.flush-deadline=1m' + - '--storage.remote.read-concurrent-limit=10' + - '--storage.remote.read-max-bytes-in-frame=1048576' + - '--storage.remote.read-sample-limit=50000000' + - '--storage.tsdb.allow-overlapping-blocks' + - '--storage.tsdb.head-chunks-write-queue-size=0' + - '--storage.tsdb.max-block-chunk-segment-size=0B' + - '--storage.tsdb.max-block-duration=1d12h' + - '--storage.tsdb.min-block-duration=2h' + - '--storage.tsdb.path=/prometheus' + - '--storage.tsdb.retention=0s' + - '--storage.tsdb.retention.size=0B' + - '--storage.tsdb.retention.time=0s' + - '--storage.tsdb.samples-per-chunk=120' + - '--storage.tsdb.wal-compression' + - '--storage.tsdb.wal-segment-size=0B' + - '--web.config.file=' + - '--web.console.libraries=/usr/share/prometheus/console_libraries' + - '--web.console.templates=/usr/share/prometheus/consoles' + - '--web.cors.origin=.*' + - '--web.enable-remote-write-receiver' + - '--web.external-url=' + - '--web.listen-address=0.0.0.0:9090' + - '--web.max-connections=512' + - '--web.page-title=Prometheus Time Series Collection and Processing Server' + - '--web.read-timeout=5m' + - 
'--web.route-prefix=/' + - '--web.user-assets=' deploy: labels: - traefik.enable=true diff --git a/ansible/roles/prometheus/prometheus.yml b/ansible/roles/prometheus/prometheus.yml new file mode 100644 index 0000000..312b578 --- /dev/null +++ b/ansible/roles/prometheus/prometheus.yml @@ -0,0 +1,29 @@ +# my global config +global: + scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. + evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. + # scrape_timeout is set to the global default (10s). + +# Alertmanager configuration +alerting: + alertmanagers: + - static_configs: + - targets: + # - alertmanager:9093 + +# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. +rule_files: + # - "first_rules.yml" + # - "second_rules.yml" + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + # The job name is added as a label `job=` to any timeseries scraped from this config. + - job_name: "prometheus" + + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + static_configs: + - targets: ["localhost:9090"] diff --git a/ansible/roles/prometheus/tasks/main.yml b/ansible/roles/prometheus/tasks/main.yml index dda2a32..b5c1883 100644 --- a/ansible/roles/prometheus/tasks/main.yml +++ b/ansible/roles/prometheus/tasks/main.yml @@ -1,10 +1,10 @@ -#- name: Create prometheus config -# docker_config: -# name: prometheus_config -# data: "{{ lookup('file', '{{ role_path }}/prometheus.yml') }}" -# use_ssh_client: true -# rolling_versions: true -# register: config +- name: Create prometheus config + docker_config: + name: prometheus_config + data: "{{ lookup('file', '{{ role_path }}/prometheus.yml') }}" + use_ssh_client: true + rolling_versions: true + register: config - name: Deploy Docker stack docker_stack: From af2ee0a0766a228ed0eadb4f93bf22453ebc475d Mon Sep 17 00:00:00 2001 
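Review bot: The `command:` list spells out what looks like every Prometheus flag at its default value, which buries the settings that actually matter: `--web.enable-remote-write-receiver` opens an unauthenticated `/api/v1/write` endpoint, `--web.config.file=` is left empty so no TLS or basic auth applies to it while the router on `metrics.kun.is` forwards the port, and `--web.cors.origin=.*` accepts any origin. Trimming the list to the non-default flags (`--config.file`, `--storage.tsdb.path`, `--web.enable-remote-write-receiver`) makes the deliberate choices reviewable, and a `web.config.file` with `basic_auth_users` or a Traefik auth middleware on the router would stop arbitrary hosts from writing samples. The TSDB is now enabled on the NFS-backed `data` volume mounted `soft`, which Prometheus documents as unsupported storage, so a stalled mount can cost data. The `prometheus` service definition continues outside the hunk on both sides.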
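Review bot: The now-active `Create prometheus config` task registers `config`, but nothing visible in this commit's stack template references `config.config_name` in a `configs:` section, so the new `--config.file=/etc/prometheus/prometheus.yml` flag points at the image's bundled default rather than the `prometheus.yml` added here; unless the mapping lives in a part of the template outside the hunk, the Docker config is created and never mounted. A top-level `configs:` entry with `name: "{{ config.config_name }}"` and a service-level `configs:` mount targeting `/etc/prometheus/prometheus.yml` would close the gap. The `Deploy Docker stack` task continues past the end of the hunk.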
From: Pim Kunis Date: Tue, 1 Aug 2023 16:22:24 +0200 Subject: [PATCH 11/36] add virtual machine on lewis to swarm --- ansible/inventory/hosts.yml | 2 ++ terraform/main.tf | 15 +++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index b7bce70..a0e4d38 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml @@ -9,3 +9,5 @@ all: hosts: bancomart: ansible_host: bancomart.dmz + handjecontantje: + ansible_host: handjecontantje.dmz diff --git a/terraform/main.tf b/terraform/main.tf index 1c9cd32..ccb2133 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -24,6 +24,11 @@ provider "libvirt" { uri = "qemu+ssh://root@jefke.hyp/system" } +provider "libvirt" { + alias = "lewis" + uri = "qemu+ssh://root@lewis.hyp/system" +} + module "maestro" { source = "git::https://git.kun.is/home/tf-modules.git//debian" name = "maestro" @@ -44,3 +49,13 @@ module "bancomart" { libvirt = libvirt.jefke } } + +module "handjecontantje" { + source = "git::https://git.kun.is/home/tf-modules.git//debian" + name = "handjecontantje" + domain_name = "tf-handjecontantje" + memory = 3 * 1024 + providers = { + libvirt = libvirt.lewis + } +} From 3c4f505413c05dd1c25176a60ea2b2108893ed87 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 1 Aug 2023 16:24:00 +0200 Subject: [PATCH 12/36] add monitoring stack --- ansible/inventory/group_vars/all.yml | 7 ++ ansible/playbooks/setup.yml | 7 ++ ansible/playbooks/stacks.yml | 1 + ansible/roles/monitoring/docker-stack.yml.j2 | 98 ++++++++++++++++++++ ansible/roles/monitoring/elasticsearch.yml | 12 +++ ansible/roles/monitoring/tasks/main.yml | 13 +++ 6 files changed, 138 insertions(+) create mode 100644 ansible/roles/monitoring/docker-stack.yml.j2 create mode 100644 ansible/roles/monitoring/elasticsearch.yml create mode 100644 ansible/roles/monitoring/tasks/main.yml 
diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index c5716bf..0734c92 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -1,5 +1,6 @@ data_directory_base: /mnt/data git_ssh_port: 56287 +elasticsearch_port: 14653 concourse_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSVLcr617iJt+hqLFSsOQy1JeueLIAj1eRfuI+KeZAu pim@x260" nfs_shares: @@ -37,6 +38,12 @@ nfs_shares: path: /mnt/data/overleaf/mongodb - name: prometheus_data path: /mnt/data/prometheus/data + - name: elasticsearch_certs + path: /mnt/data/elasticsearch/certs + - name: elasticsearch_data + path: /mnt/data/elasticsearch/data + - name: grafana_data + path: /mnt/data/grafana/data database_passwords: nextcloud: !vault | diff --git a/ansible/playbooks/setup.yml b/ansible/playbooks/setup.yml index a731fd3..7b06092 100644 --- a/ansible/playbooks/setup.yml +++ b/ansible/playbooks/setup.yml @@ -53,3 +53,10 @@ authorized_key: user: root key: "{{ concourse_public_key }}" + +- hosts: manager, workers + tasks: + - name: Increase vm.max_map_count + sysctl: + name: vm.max_map_count + value: 262144 diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml index a46c7d8..5453fd0 100644 --- a/ansible/playbooks/stacks.yml +++ b/ansible/playbooks/stacks.yml @@ -20,3 +20,4 @@ - {role: nextcloud, tags: nextcloud} - {role: syncthing, tags: syncthing} - {role: prometheus, tags: prometheus} + - {role: monitoring, tags: monitoring} diff --git a/ansible/roles/monitoring/docker-stack.yml.j2 b/ansible/roles/monitoring/docker-stack.yml.j2 new file mode 100644 index 0000000..bf8f9db --- /dev/null +++ b/ansible/roles/monitoring/docker-stack.yml.j2 
@@ -0,0 +1,98 @@ +# vi: ft=yaml +version: "3.8" + +networks: + traefik: + external: true + +configs: + esdatasource: + external: true + name: "{{ esdatasource.config_name }}" + +volumes: + escerts: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/elasticsearch/certs" + esdata: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/elasticsearch/data" + grafanadata: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/grafana/data" + +services: + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:8.8.1 + volumes: + - type: volume + source: escerts + target: /usr/share/elasticsearch/config/certs + volume: + nocopy: true + - type: volume + source: esdata + target: /usr/share/elasticsearch/data + volume: + nocopy: true + ports: + - {{ elasticsearch_port }}:9200 + environment: + - node.name=es01 + - cluster.name=shoarma + - cluster.initial_master_nodes=es01 + - bootstrap.memory_lock=true + - xpack.security.enabled=false + - xpack.security.http.ssl.enabled=false + - xpack.security.http.ssl.key=certs/es01/es01.key + - xpack.security.http.ssl.certificate=certs/es01/es01.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.enabled=false + - xpack.security.transport.ssl.key=certs/es01/es01.key + - xpack.security.transport.ssl.certificate=certs/es01/es01.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=basic + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: + [ + "CMD-SHELL", + "curl http://localhost:9200 | grep -q 'You Know, for Search'", + ] + interval: 10s + timeout: 10s + retries: 120 + + grafana: + image: grafana/grafana-oss + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - 
traefik.http.routers.grafana.entrypoints=localsecure + - traefik.http.routers.grafana.rule=Host(`grafana.kun.is`) + - traefik.http.routers.grafana.tls=true + - traefik.http.routers.grafana.tls.certresolver=letsencrypt + - traefik.http.routers.grafana.service=grafana + - traefik.http.services.grafana.loadbalancer.server.port=3000 + - traefik.docker.network=traefik + volumes: + - type: volume + source: grafanadata + target: /var/lib/grafana + volume: + nocopy: true + configs: + - source: esdatasource + target: /etc/grafana/provisioning/datasources/elasticsearch.yaml diff --git a/ansible/roles/monitoring/elasticsearch.yml b/ansible/roles/monitoring/elasticsearch.yml new file mode 100644 index 0000000..a898f3e --- /dev/null +++ b/ansible/roles/monitoring/elasticsearch.yml @@ -0,0 +1,12 @@ +apiVersion: 1 + +datasources: + - name: Elasticsearch + type: elasticsearch + access: proxy + url: http://maestro.dmz:14653 + jsonData: + # index: '[metrics-]YYYY.MM.DD' + interval: Daily + timeField: '@timestamp' + diff --git a/ansible/roles/monitoring/tasks/main.yml b/ansible/roles/monitoring/tasks/main.yml new file mode 100644 index 0000000..c5958c3 --- /dev/null +++ b/ansible/roles/monitoring/tasks/main.yml @@ -0,0 +1,13 @@ +- name: Create elasticsearch data source config + docker_config: + name: esdatasource + data: "{{ lookup('template', '{{ role_path }}/elasticsearch.yml') }}" + use_ssh_client: true + rolling_versions: true + register: esdatasource + +- name: Deploy Docker stack + docker_stack: + name: monitoring + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" From 1a745bfa22a5efaa164225f14b87409c5c0a0b16 Mon Sep 17 00:00:00 2001 
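Review bot: The `elasticsearch` service publishes `{{ elasticsearch_port }}:9200` through the swarm ingress while `xpack.security.enabled=false` and `xpack.security.http.ssl.enabled=false`, so every swarm node answers on port 14653 with an Elasticsearch that accepts unauthenticated reads, writes and index deletions from anything reaching the DMZ; the `escerts` volume and the `xpack.security.*.ssl.*` keys are mounted and set but inert while security is off. If only Grafana and a log shipper need it, attach the service to an overlay network and drop `ports:` entirely, or at least keep security enabled and provision the certs the volume already carries. Two smaller points: quote the templated mapping as `- "{{ elasticsearch_port }}:9200"` so the rendered value cannot be re-typed by the YAML loader, and `grafana/grafana-oss` with no tag and no `GF_SECURITY_ADMIN_PASSWORD` leaves the stack on Grafana's default admin credentials behind `grafana.kun.is` until they are changed at first login. The stack file is complete within the hunk.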
From: Pim Kunis Date: Wed, 2 Aug 2023 18:07:24 +0200 Subject: [PATCH 13/36] add fluentd service --- ansible/roles/monitoring/docker-stack.yml.j2 | 11 +++++++++++ ...{elasticsearch.yml => elasticsearch.yml.j2} | 1 + ansible/roles/monitoring/fluent.conf.j2 | 18 ++++++++++++++++++ ansible/roles/monitoring/tasks/main.yml | 10 +++++++++- 4 files changed, 39 insertions(+), 1 deletion(-) rename ansible/roles/monitoring/{elasticsearch.yml => elasticsearch.yml.j2} (94%) create mode 100644 ansible/roles/monitoring/fluent.conf.j2 diff --git a/ansible/roles/monitoring/docker-stack.yml.j2 b/ansible/roles/monitoring/docker-stack.yml.j2 index bf8f9db..7d15a4d 100644 --- a/ansible/roles/monitoring/docker-stack.yml.j2 +++ b/ansible/roles/monitoring/docker-stack.yml.j2 @@ -9,6 +9,9 @@ configs: esdatasource: external: true name: "{{ esdatasource.config_name }}" + fluentconf: + external: true + name: "{{ fluentconf.config_name }}" volumes: escerts: @@ -96,3 +99,11 @@ services: configs: - source: esdatasource target: /etc/grafana/provisioning/datasources/elasticsearch.yaml + + fluentd: + image: git.kun.is/pim/fluentd:1.0.1 + ports: + - 24224:24224 + configs: + - source: fluentconf + target: /fluentd/etc/fluent.conf diff --git a/ansible/roles/monitoring/elasticsearch.yml b/ansible/roles/monitoring/elasticsearch.yml.j2 similarity index 94% rename from ansible/roles/monitoring/elasticsearch.yml rename to ansible/roles/monitoring/elasticsearch.yml.j2 index a898f3e..7d710c7 100644 --- a/ansible/roles/monitoring/elasticsearch.yml +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -1,3 +1,4 @@ +# vi: ft=yaml apiVersion: 1 datasources: diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 new file mode 100644 index 0000000..84895d9 --- /dev/null +++ b/ansible/roles/monitoring/fluent.conf.j2 
@@ -0,0 +1,18 @@ +# vi: ft=yaml +# Receive events from 24224/tcp +# This is used by log forwarding and the fluent-cat command + + @type forward + port 24224 + + + + @type elasticsearch + host maestro.dmz + port {{ elasticsearch_port }} + include_timestamp true + + + + log_level info + diff --git a/ansible/roles/monitoring/tasks/main.yml b/ansible/roles/monitoring/tasks/main.yml index c5958c3..191f846 100644 --- a/ansible/roles/monitoring/tasks/main.yml +++ b/ansible/roles/monitoring/tasks/main.yml @@ -1,7 +1,15 @@ +- name: Create fluentd config + docker_config: + name: fluentconf + data: "{{ lookup('template', '{{ role_path }}/fluent.conf.j2') }}" + use_ssh_client: true + rolling_versions: true + register: fluentconf + - name: Create elasticsearch data source config docker_config: name: esdatasource - data: "{{ lookup('template', '{{ role_path }}/elasticsearch.yml') }}" + data: "{{ lookup('template', '{{ role_path }}/elasticsearch.yml.j2') }}" use_ssh_client: true rolling_versions: true register: esdatasource From a7872afdd801ed5efc889d07bf3de8441cef9779 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 7 Aug 2023 22:46:53 +0200 Subject: [PATCH 14/36] optimize fluentd --- ansible/inventory/group_vars/all.yml | 1 + ansible/roles/monitoring/docker-stack.yml.j2 | 2 +- ansible/roles/monitoring/elasticsearch.yml.j2 | 12 +++++++++--- ansible/roles/monitoring/fluent.conf.j2 | 5 +++-- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index 0734c92..edaf58b 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -1,6 +1,7 @@ data_directory_base: /mnt/data git_ssh_port: 56287 elasticsearch_port: 14653 +fluent_forward_port: 24224 concourse_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSVLcr617iJt+hqLFSsOQy1JeueLIAj1eRfuI+KeZAu pim@x260" nfs_shares: 
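Review bot: `# vi: ft=yaml` at the top of the new `fluent.conf.j2` is misleading: the file is fluentd's own directive syntax, not YAML, and an editor told it is YAML will mis-highlight it. Drop the modeline or replace it with a comment that states the format, `# fluentd configuration, rendered from Jinja2 by the monitoring role`. The directive tags themselves (`source`, `match`) appear to have been lost in this rendering of the patch, so their nesting cannot be checked here.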
diff --git a/ansible/roles/monitoring/docker-stack.yml.j2 b/ansible/roles/monitoring/docker-stack.yml.j2 index 7d15a4d..c8639bc 100644 --- a/ansible/roles/monitoring/docker-stack.yml.j2 +++ b/ansible/roles/monitoring/docker-stack.yml.j2 @@ -103,7 +103,7 @@ services: fluentd: image: git.kun.is/pim/fluentd:1.0.1 ports: - - 24224:24224 + - {{ fluent_forward_port }}:24224 configs: - source: fluentconf target: /fluentd/etc/fluent.conf diff --git a/ansible/roles/monitoring/elasticsearch.yml.j2 b/ansible/roles/monitoring/elasticsearch.yml.j2 index 7d710c7..ce36414 100644 --- a/ansible/roles/monitoring/elasticsearch.yml.j2 +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -2,12 +2,18 @@ apiVersion: 1 datasources: - - name: Elasticsearch + - name: cpu type: elasticsearch access: proxy url: http://maestro.dmz:14653 jsonData: - # index: '[metrics-]YYYY.MM.DD' - interval: Daily + index: 'fluentd.cpu' timeField: '@timestamp' + - name: memory + type: elasticsearch + access: proxy + url: http://maestro.dmz:14653 + jsonData: + index: 'fluentd.memory' + timeField: '@timestamp' diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 index 84895d9..f25f89e 100644 --- a/ansible/roles/monitoring/fluent.conf.j2 +++ b/ansible/roles/monitoring/fluent.conf.j2 @@ -3,14 +3,15 @@ # This is used by log forwarding and the fluent-cat command @type forward - port 24224 + port {{ fluent_forward_port }} - + @type elasticsearch host maestro.dmz port {{ elasticsearch_port }} include_timestamp true + index_name fluentd.${tag} From 06c3fc56abe9b57728e1521489cdba2cbc0758de Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 8 Aug 2023 12:52:47 +0200 Subject: [PATCH 15/36] parameterize elasticsearch port --- ansible/roles/monitoring/elasticsearch.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/monitoring/elasticsearch.yml.j2 b/ansible/roles/monitoring/elasticsearch.yml.j2 index ce36414..508bbc0 100644 
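Review bot: `- {{ fluent_forward_port }}:24224` in the `docker-stack.yml.j2` hunk is an unquoted templated scalar; the template is rendered before `from_yaml` parses it, so a shorter value or a stray space would be parsed as a number or flow construct rather than a port string. Quote it, `- "{{ fluent_forward_port }}:24224"`. In the `elasticsearch.yml.j2` hunk the whole datasource block is duplicated for `cpu` and `memory` with only `name` and `index` differing; a `{% for %}` over a list of names would keep `url`, `access` and `timeField` in one place as more datasources are added.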
--- a/ansible/roles/monitoring/elasticsearch.yml.j2 +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -5,7 +5,7 @@ datasources: - name: cpu type: elasticsearch access: proxy - url: http://maestro.dmz:14653 + url: http://maestro.dmz:{{ elasticsearch_port }} jsonData: index: 'fluentd.cpu' timeField: '@timestamp' @@ -13,7 +13,7 @@ datasources: - name: memory type: elasticsearch access: proxy - url: http://maestro.dmz:14653 + url: http://maestro.dmz:{{ elasticsearch_port }} jsonData: index: 'fluentd.memory' timeField: '@timestamp' From 8d1fdc443b74435f8bdbe5dc046f73d4a058e171 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 9 Aug 2023 01:07:24 +0200 Subject: [PATCH 16/36] create ES index every day --- ansible/roles/monitoring/elasticsearch.yml.j2 | 4 +- ansible/roles/monitoring/fluent.conf.j2 | 7 +++- terraform/elasticsearch/main.tf | 40 +++++++++++++++++++ 3 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 terraform/elasticsearch/main.tf diff --git a/ansible/roles/monitoring/elasticsearch.yml.j2 b/ansible/roles/monitoring/elasticsearch.yml.j2 index 508bbc0..780acb9 100644 --- a/ansible/roles/monitoring/elasticsearch.yml.j2 +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -7,7 +7,7 @@ datasources: access: proxy url: http://maestro.dmz:{{ elasticsearch_port }} jsonData: - index: 'fluentd.cpu' + index: 'fluentd.cpu.*' timeField: '@timestamp' - name: memory @@ -15,5 +15,5 @@ datasources: access: proxy url: http://maestro.dmz:{{ elasticsearch_port }} jsonData: - index: 'fluentd.memory' + index: 'fluentd.memory.*' timeField: '@timestamp' diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 index f25f89e..2504554 100644 --- a/ansible/roles/monitoring/fluent.conf.j2 +++ b/ansible/roles/monitoring/fluent.conf.j2 
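Review bot: Parameterizing only the port leaves the host `maestro.dmz` and the `http://` scheme literal in both datasources, so the two halves of the endpoint now come from different places. A single inventory variable holding the whole base URL, used as `url: {{ elasticsearch_url }}`, would keep them together and make a future move to TLS a one-line change. The Terraform provider added in the next patch hard-codes the same endpoint a third time, so the value is already drifting across tools.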
@@ -11,7 +11,12 @@ host maestro.dmz port {{ elasticsearch_port }} include_timestamp true - index_name fluentd.${tag} + index_name fluentd.${tag}.%Y%m%d + + timekey 1d + flush_mode interval + flush_interval 1s + diff --git a/terraform/elasticsearch/main.tf b/terraform/elasticsearch/main.tf new file mode 100644 index 0000000..a1fbe06 --- /dev/null +++ b/terraform/elasticsearch/main.tf @@ -0,0 +1,40 @@ +terraform { + backend "pg" { + schema_name = "shoarma-elasticsearch" + } + + required_providers { + elasticstack = { + source = "elastic/elasticstack" + version = "0.6.2" + } + } +} + +provider "elasticstack" { + elasticsearch { + endpoints = ["http://maestro.dmz:14653"] + } +} + +resource "elasticstack_elasticsearch_index_lifecycle" "metrics_ilm" { + name = "metrics_ilm" + + delete { + min_age = "7d" + delete {} + } +} + +resource "elasticstack_elasticsearch_index_template" "metrics_template" { + name = "metrics_template" + + priority = 42 + index_patterns = ["fluentd.cpu*", "fluentd.memory*"] + + template { + settings = jsonencode({ + "index.lifecycle.name" = elasticstack_elasticsearch_index_lifecycle.metrics_ilm.name + }) + } +} From 8398975132e7128d7afd13c3b444b7717a8ef51b Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 9 Aug 2023 11:04:15 +0200 Subject: [PATCH 17/36] fix fluentd buffering change ES index format to logstash format --- ansible/roles/monitoring/elasticsearch.yml.j2 | 4 ++-- ansible/roles/monitoring/fluent.conf.j2 | 8 ++------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/ansible/roles/monitoring/elasticsearch.yml.j2 b/ansible/roles/monitoring/elasticsearch.yml.j2 index 780acb9..c2aa853 100644 --- a/ansible/roles/monitoring/elasticsearch.yml.j2 +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -7,7 +7,7 @@ datasources: access: proxy url: http://maestro.dmz:{{ elasticsearch_port }} jsonData: - index: 'fluentd.cpu.*' + index: 'fluentd.cpu-*' timeField: '@timestamp' - name: memory 
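Review bot: The `elasticstack` provider in the new `terraform/elasticsearch/main.tf` connects to `http://maestro.dmz:14653` with no credentials and no TLS; that only works because the monitoring stack runs Elasticsearch with `xpack.security.enabled=false`, and nothing in the file records that dependency. Add a comment above `endpoints` such as `# Unauthenticated plain HTTP: the monitoring stack disables xpack security; keep this endpoint off untrusted networks`, and consider a variable for the endpoint so it does not drift from the Ansible `elasticsearch_port`. The `pg` backend is given only a `schema_name`, so the connection string has to come from the environment; a one-line comment saying so saves the next operator a failed `init`.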
@@ -15,5 +15,5 @@ datasources: access: proxy url: http://maestro.dmz:{{ elasticsearch_port }} jsonData: - index: 'fluentd.memory.*' + index: 'fluentd.memory-*' timeField: '@timestamp' diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 index 2504554..61b52b3 100644 --- a/ansible/roles/monitoring/fluent.conf.j2 +++ b/ansible/roles/monitoring/fluent.conf.j2 @@ -11,12 +11,8 @@ host maestro.dmz port {{ elasticsearch_port }} include_timestamp true - index_name fluentd.${tag}.%Y%m%d - - timekey 1d - flush_mode interval - flush_interval 1s - + logstash_format true + logstash_prefix fluentd.${tag} From cfa1a623c095c7b2740b9692d0cb774d55934de6 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 9 Aug 2023 20:43:50 +0200 Subject: [PATCH 18/36] remove prometheus and jitsi stack --- ansible/playbooks/stacks.yml | 2 - ansible/roles/prometheus/docker-stack.yml.j2 | 81 -------------------- ansible/roles/prometheus/prometheus.yml | 29 ------- ansible/roles/prometheus/tasks/main.yml | 13 ---- 4 files changed, 125 deletions(-) delete mode 100644 ansible/roles/prometheus/docker-stack.yml.j2 delete mode 100644 ansible/roles/prometheus/prometheus.yml delete mode 100644 ansible/roles/prometheus/tasks/main.yml diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml index 5453fd0..770cd12 100644 --- a/ansible/playbooks/stacks.yml +++ b/ansible/playbooks/stacks.yml @@ -15,9 +15,7 @@ - {role: kms, tags: kms} - {role: swarm_dashboard, tags: swarm_dashboard} - {role: shephard, tags: shephard} - # - {role: jitsi, tags: jitsi} - {role: pihole, tags: pihole} - {role: nextcloud, tags: nextcloud} - {role: syncthing, tags: syncthing} - - {role: prometheus, tags: prometheus} - {role: monitoring, tags: monitoring} diff --git a/ansible/roles/prometheus/docker-stack.yml.j2 b/ansible/roles/prometheus/docker-stack.yml.j2 deleted file mode 100644 index 3da42ee..0000000 --- a/ansible/roles/prometheus/docker-stack.yml.j2 +++ /dev/null 
@@ -1,81 +0,0 @@ -# vi: ft=yaml - -version: "3" - -networks: - traefik: - external: true - -volumes: - data: - driver_opts: - type: "nfs" - o: "addr=192.168.30.10,nolock,soft,rw" - device: ":/mnt/data/prometheus/data" - -services: - prometheus: - image: quay.io/prometheus/prometheus - networks: - - traefik - volumes: - - type: volume - source: data - target: /prometheus - volume: - nocopy: true - command: - - '--alertmanager.notification-queue-capacity=10000' - - '--alertmanager.timeout=' - - '--config.file=/etc/prometheus/prometheus.yml' - - '--enable-feature=' - - '--log.format=logfmt' - - '--log.level=info' - - '--query.lookback-delta=5m' - - '--query.max-concurrency=20' - - '--query.max-samples=50000000' - - '--query.timeout=2m' - - '--rules.alert.for-grace-period=10m' - - '--rules.alert.for-outage-tolerance=1h' - - '--rules.alert.resend-delay=1m' - - '--scrape.adjust-timestamps' - - '--scrape.discovery-reload-interval=5s' - - '--scrape.timestamp-tolerance=2ms' - - '--storage.remote.flush-deadline=1m' - - '--storage.remote.read-concurrent-limit=10' - - '--storage.remote.read-max-bytes-in-frame=1048576' - - '--storage.remote.read-sample-limit=50000000' - - '--storage.tsdb.allow-overlapping-blocks' - - '--storage.tsdb.head-chunks-write-queue-size=0' - - '--storage.tsdb.max-block-chunk-segment-size=0B' - - '--storage.tsdb.max-block-duration=1d12h' - - '--storage.tsdb.min-block-duration=2h' - - '--storage.tsdb.path=/prometheus' - - '--storage.tsdb.retention=0s' - - '--storage.tsdb.retention.size=0B' - - '--storage.tsdb.retention.time=0s' - - '--storage.tsdb.samples-per-chunk=120' - - '--storage.tsdb.wal-compression' - - '--storage.tsdb.wal-segment-size=0B' - - '--web.config.file=' - - '--web.console.libraries=/usr/share/prometheus/console_libraries' - - '--web.console.templates=/usr/share/prometheus/consoles' - - '--web.cors.origin=.*' - - '--web.enable-remote-write-receiver' - - '--web.external-url=' - - '--web.listen-address=0.0.0.0:9090' - - 
'--web.max-connections=512' - - '--web.page-title=Prometheus Time Series Collection and Processing Server' - - '--web.read-timeout=5m' - - '--web.route-prefix=/' - - '--web.user-assets=' - deploy: - labels: - - traefik.enable=true - - traefik.http.routers.prometheus.entrypoints=localsecure - - traefik.http.routers.prometheus.rule=Host(`metrics.kun.is`) - - traefik.http.routers.prometheus.tls=true - - traefik.http.routers.prometheus.tls.certresolver=letsencrypt - - traefik.http.routers.prometheus.service=prometheus - - traefik.http.services.prometheus.loadbalancer.server.port=9090 - - traefik.docker.network=traefik diff --git a/ansible/roles/prometheus/prometheus.yml b/ansible/roles/prometheus/prometheus.yml deleted file mode 100644 index 312b578..0000000 --- a/ansible/roles/prometheus/prometheus.yml +++ /dev/null @@ -1,29 +0,0 @@ -# my global config -global: - scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. - evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. - # scrape_timeout is set to the global default (10s). - -# Alertmanager configuration -alerting: - alertmanagers: - - static_configs: - - targets: - # - alertmanager:9093 - -# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. -rule_files: - # - "first_rules.yml" - # - "second_rules.yml" - -# A scrape configuration containing exactly one endpoint to scrape: -# Here it's Prometheus itself. -scrape_configs: - # The job name is added as a label `job=` to any timeseries scraped from this config. - - job_name: "prometheus" - - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - - static_configs: - - targets: ["localhost:9090"] diff --git a/ansible/roles/prometheus/tasks/main.yml b/ansible/roles/prometheus/tasks/main.yml deleted file mode 100644 index b5c1883..0000000 --- a/ansible/roles/prometheus/tasks/main.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -- name: Create prometheus config - docker_config: - name: prometheus_config - data: "{{ lookup('file', '{{ role_path }}/prometheus.yml') }}" - use_ssh_client: true - rolling_versions: true - register: config - -- name: Deploy Docker stack - docker_stack: - name: prometheus - compose: - - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" From e4fec5dd4e941e204cd67703ee99fcb3715e56ab Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 11 Aug 2023 17:42:40 +0200 Subject: [PATCH 19/36] add support for diskfree add sidecar for ntfy alerts for grafana --- ansible/roles/monitoring/docker-stack.yml.j2 | 17 +++++++++++++++++ ansible/roles/monitoring/elasticsearch.yml.j2 | 8 ++++++++ ansible/roles/monitoring/vars/main.yml | 8 ++++++++ terraform/elasticsearch/main.tf | 2 +- 4 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/monitoring/vars/main.yml diff --git a/ansible/roles/monitoring/docker-stack.yml.j2 b/ansible/roles/monitoring/docker-stack.yml.j2 index c8639bc..0457191 100644 --- a/ansible/roles/monitoring/docker-stack.yml.j2 +++ b/ansible/roles/monitoring/docker-stack.yml.j2 @@ -4,6 +4,7 @@ version: "3.8" networks: traefik: external: true + grafana: configs: esdatasource: @@ -80,6 +81,7 @@ services: image: grafana/grafana-oss networks: - traefik + - grafana deploy: labels: - traefik.enable=true @@ -100,6 +102,21 @@ services: - source: esdatasource target: /etc/grafana/provisioning/datasources/elasticsearch.yaml + grafana-ntfy: + image: kittyandrew/grafana-to-ntfy:master + ports: + - 8080:8080 + networks: + grafana: + aliases: + - grafana-ntfy + environment: + - NTFY_URL=https://ntfy.kun.is/alerts + - NTFY_BAUTH_USER=pim + - NTFY_BAUTH_PASS={{ ntfy_password }} + - BAUTH_USER=admin + - BAUTH_PASS=test + fluentd: image: git.kun.is/pim/fluentd:1.0.1 ports: diff --git a/ansible/roles/monitoring/elasticsearch.yml.j2 b/ansible/roles/monitoring/elasticsearch.yml.j2 index c2aa853..aeb30af 100644 
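Review bot: The new `grafana-ntfy` service ships a literal credential, `BAUTH_USER=admin` / `BAUTH_PASS=test`, and at the same time publishes `8080:8080` through the swarm ingress, so the alerting bridge is reachable from outside the stack with a guessable login even though the `grafana` network alias already gives Grafana a path to it. Move the password into the new `vars/main.yml` next to `ntfy_password` as a vaulted variable, e.g. `- BAUTH_PASS={{ grafana_ntfy_password }}`, and drop the `ports:` mapping unless something outside the stack needs the sidecar. A comment above the service stating that it is only meant to be called by Grafana over the `grafana` network would make the intent explicit.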
--- a/ansible/roles/monitoring/elasticsearch.yml.j2 +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -17,3 +17,11 @@ datasources: jsonData: index: 'fluentd.memory-*' timeField: '@timestamp' + + - name: diskfree + type: elasticsearch + access: proxy + url: http://maestro.dmz:{{ elasticsearch_port }} + jsonData: + index: 'fluentd.diskfree-*' + timeField: '@timestamp' diff --git a/ansible/roles/monitoring/vars/main.yml b/ansible/roles/monitoring/vars/main.yml new file mode 100644 index 0000000..326b722 --- /dev/null +++ b/ansible/roles/monitoring/vars/main.yml @@ -0,0 +1,8 @@ +ntfy_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36333232393635383732336630626463633038353862333430396437333733376239343531663339 + 6364643930636566326463393963316263323061613032350a383930376537373437633333623639 + 66613439636531393761366534333134383231303637643063633537393535356536636530666665 + 6537653731666130610a346135373562333931646237396233613065353165623336373935386137 + 36313830623931313238333430346238626562353661616465333736346230396162386137363435 + 3362636565336639643832626165613236643466633537633236 diff --git a/terraform/elasticsearch/main.tf b/terraform/elasticsearch/main.tf index a1fbe06..818dba0 100644 --- a/terraform/elasticsearch/main.tf +++ b/terraform/elasticsearch/main.tf @@ -30,7 +30,7 @@ resource "elasticstack_elasticsearch_index_template" "metrics_template" { name = "metrics_template" priority = 42 - index_patterns = ["fluentd.cpu*", "fluentd.memory*"] + index_patterns = ["fluentd.cpu-*", "fluentd.memory-*", "fluentd.diskfree-*"] template { settings = jsonencode({ From ccd1343798f2099241dd180ef892fd35d216a041 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 19 Aug 2023 11:24:36 +0200 Subject: [PATCH 20/36] run elasticsearch in single-node mode create container dependencies for monitoring stack --- ansible/roles/monitoring/docker-stack.yml.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/ansible/roles/monitoring/docker-stack.yml.j2 b/ansible/roles/monitoring/docker-stack.yml.j2 index 0457191..04730f8 100644 --- a/ansible/roles/monitoring/docker-stack.yml.j2 +++ b/ansible/roles/monitoring/docker-stack.yml.j2 @@ -50,7 +50,7 @@ services: environment: - node.name=es01 - cluster.name=shoarma - - cluster.initial_master_nodes=es01 + - discovery.type=single-node - bootstrap.memory_lock=true - xpack.security.enabled=false - xpack.security.http.ssl.enabled=false @@ -79,6 +79,8 @@ services: grafana: image: grafana/grafana-oss + depends_on: + - elasticsearch networks: - traefik - grafana @@ -104,6 +106,8 @@ services: grafana-ntfy: image: kittyandrew/grafana-to-ntfy:master + depends_on: + - grafana ports: - 8080:8080 networks: @@ -119,6 +123,8 @@ services: fluentd: image: git.kun.is/pim/fluentd:1.0.1 + depends_on: + - elasticsearch ports: - {{ fluent_forward_port }}:24224 configs: From 5db9f9f254c42eecf21a1197825498210a1b5dfe Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 19 Aug 2023 11:28:31 +0200 Subject: [PATCH 21/36] add kitchenowl stack --- ansible/inventory/group_vars/all.yml | 2 + ansible/playbooks/stacks.yml | 1 + ansible/roles/kitchenowl/docker-stack.yml.j2 | 45 ++++++++++++++++++++ ansible/roles/kitchenowl/tasks/main.yml | 5 +++ ansible/roles/kitchenowl/vars/main.yml | 7 +++ 5 files changed, 60 insertions(+) create mode 100644 ansible/roles/kitchenowl/docker-stack.yml.j2 create mode 100644 ansible/roles/kitchenowl/tasks/main.yml create mode 100644 ansible/roles/kitchenowl/vars/main.yml diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index edaf58b..4d994f0 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -45,6 +45,8 @@ nfs_shares: path: /mnt/data/elasticsearch/data - name: grafana_data path: /mnt/data/grafana/data + - name: kitchenowl_data + path: /mnt/data/kitchenowl/data database_passwords: nextcloud: !vault | 
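Review bot: The three `depends_on:` entries added to `grafana`, `grafana-ntfy` and `fluentd` have no effect when this file is deployed with `docker_stack`: swarm mode ignores `depends_on`, so the "container dependencies" named in the commit message are not enforced and each service still has to tolerate Elasticsearch or Grafana being unavailable at start. Either drop them or keep them with a comment, `# depends_on is ignored by swarm; kept as documentation of the intended start order`, and rely on restart policies and the consumers' own retries. The same applies to `depends_on: - back` in `kitchenowl/docker-stack.yml.j2` (PATCH 21).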
diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml index 770cd12..2c1b813 100644 --- a/ansible/playbooks/stacks.yml +++ b/ansible/playbooks/stacks.yml @@ -19,3 +19,4 @@ - {role: nextcloud, tags: nextcloud} - {role: syncthing, tags: syncthing} - {role: monitoring, tags: monitoring} + - {role: kitchenowl, tags: kitchenowl} diff --git a/ansible/roles/kitchenowl/docker-stack.yml.j2 b/ansible/roles/kitchenowl/docker-stack.yml.j2 new file mode 100644 index 0000000..a4117ba --- /dev/null +++ b/ansible/roles/kitchenowl/docker-stack.yml.j2 @@ -0,0 +1,45 @@ +# vi: ft=yaml +version: '3.7' + +networks: + traefik: + external: true + kitchenowl: + +volumes: + data: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/kitchenowl/data" + +services: + front: + image: tombursch/kitchenowl-web:v0.4.8 + depends_on: + - back + networks: + - traefik + - kitchenowl + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.kitchenowl.entrypoints=websecure + - traefik.http.routers.kitchenowl.rule=Host(`boodschappen.kun.is`) + - traefik.http.routers.kitchenowl.tls=true + - traefik.http.routers.kitchenowl.tls.certresolver=letsencrypt + - traefik.http.routers.kitchenowl.service=kitchenowl + - traefik.http.services.kitchenowl.loadbalancer.server.port=80 + - traefik.docker.network=traefik + back: + image: tombursch/kitchenowl:v75 + networks: + - kitchenowl + environment: + - JWT_SECRET_KEY={{ jwt_secret_key }} + volumes: + - type: volume + source: data + target: /data + volume: + nocopy: true diff --git a/ansible/roles/kitchenowl/tasks/main.yml b/ansible/roles/kitchenowl/tasks/main.yml new file mode 100644 index 0000000..67a45e9 --- /dev/null +++ b/ansible/roles/kitchenowl/tasks/main.yml @@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: kitchenowl + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" 
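Review bot: `JWT_SECRET_KEY={{ jwt_secret_key }}` in the `back` service passes the token-signing key as an environment variable, which is readable by anyone who can run `docker inspect` on the node; if the `tombursch/kitchenowl` image can read the key from a file, a swarm `secrets:` entry keeps it out of inspect output (the value itself is correctly vaulted in `vars/main.yml`). The new file also declares `version: '3.7'` while the monitoring stack uses `"3.8"`; pick one for the repo. A short comment above `back:` noting that it is deliberately not attached to `traefik` would document the network split.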
diff --git a/ansible/roles/kitchenowl/vars/main.yml b/ansible/roles/kitchenowl/vars/main.yml new file mode 100644 index 0000000..4317036 --- /dev/null +++ b/ansible/roles/kitchenowl/vars/main.yml @@ -0,0 +1,7 @@ +jwt_secret_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 37376338663532376135613331303737626633666138643132316336306164393134633639303865 + 3134613830323335663466373262316262353464323535300a636163633439323035643033623363 + 36316361656133663235333834343233363134313938656664356538366166653336656562623664 + 3332393330616636630a646139393937313932373963623764346134323635336539346562346635 + 36613637396133383664323561666464346336386233363434653765356334633831 From 5253c66b1cdb99695f45e5ef38935ddde089ef47 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 20 Aug 2023 17:18:49 +0200 Subject: [PATCH 22/36] attempt to standardize container names somewhat --- ansible/roles/forgejo/docker-stack.yml.j2 | 2 +- ansible/roles/hedgedoc/docker-stack.yml.j2 | 2 +- ansible/roles/inbucket/docker-stack.yml.j2 | 2 +- ansible/roles/kms/docker-stack.yml.j2 | 2 +- ansible/roles/nextcloud/docker-stack.yml.j2 | 2 +- ansible/roles/seafile/docker-stack.yml.j2 | 2 +- ansible/roles/swarm_dashboard/docker-stack.yml.j2 | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ansible/roles/forgejo/docker-stack.yml.j2 b/ansible/roles/forgejo/docker-stack.yml.j2 index b901d02..be29805 100644 --- a/ansible/roles/forgejo/docker-stack.yml.j2 +++ b/ansible/roles/forgejo/docker-stack.yml.j2 @@ -18,7 +18,7 @@ volumes: device: ":/mnt/data/forgejo" services: - server: + forgejo: image: codeberg.org/forgejo/forgejo:1.18 environment: - USER_UID=1000 diff --git a/ansible/roles/hedgedoc/docker-stack.yml.j2 b/ansible/roles/hedgedoc/docker-stack.yml.j2 index 2af951b..346ec26 100644 --- a/ansible/roles/hedgedoc/docker-stack.yml.j2 +++ b/ansible/roles/hedgedoc/docker-stack.yml.j2 
@@ -13,7 +13,7 @@ volumes: device: ":/mnt/data/hedgedoc/uploads" services: - hedgedoc-app: + hedgedoc: image: quay.io/hedgedoc/hedgedoc:1.9.7 environment: - CMD_DB_URL=postgres://hedgedoc:{{ database_passwords.hedgedoc }}@192.168.30.10:5432/hedgedoc diff --git a/ansible/roles/inbucket/docker-stack.yml.j2 b/ansible/roles/inbucket/docker-stack.yml.j2 index 6dec761..4a35d2a 100644 --- a/ansible/roles/inbucket/docker-stack.yml.j2 +++ b/ansible/roles/inbucket/docker-stack.yml.j2 @@ -6,7 +6,7 @@ networks: external: true services: - kms-server: + inbucket: image: inbucket/inbucket networks: - traefik diff --git a/ansible/roles/kms/docker-stack.yml.j2 b/ansible/roles/kms/docker-stack.yml.j2 index aeb7460..a42d741 100644 --- a/ansible/roles/kms/docker-stack.yml.j2 +++ b/ansible/roles/kms/docker-stack.yml.j2 @@ -2,7 +2,7 @@ version: '3.7' services: - kms-server: + kms: image: teddysun/kms ports: - 1688:1688 diff --git a/ansible/roles/nextcloud/docker-stack.yml.j2 b/ansible/roles/nextcloud/docker-stack.yml.j2 index 9a75fbc..6519069 100644 --- a/ansible/roles/nextcloud/docker-stack.yml.j2 +++ b/ansible/roles/nextcloud/docker-stack.yml.j2 @@ -13,7 +13,7 @@ volumes: device: ":/mnt/data/nextcloud/data" services: - app: + nextcloud: image: nextcloud:27 volumes: - type: volume diff --git a/ansible/roles/seafile/docker-stack.yml.j2 b/ansible/roles/seafile/docker-stack.yml.j2 index 7886247..aaf9611 100644 --- a/ansible/roles/seafile/docker-stack.yml.j2 +++ b/ansible/roles/seafile/docker-stack.yml.j2 @@ -19,7 +19,7 @@ volumes: device: ":/mnt/data/seafile/db" services: - db: + mariadb: image: mariadb:10.5 environment: - MYSQL_ROOT_PASSWORD={{ db_root_passwd }} diff --git a/ansible/roles/swarm_dashboard/docker-stack.yml.j2 b/ansible/roles/swarm_dashboard/docker-stack.yml.j2 index 06571e6..217376d 100644 --- a/ansible/roles/swarm_dashboard/docker-stack.yml.j2 +++ b/ansible/roles/swarm_dashboard/docker-stack.yml.j2 
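Review bot: Renaming the seafile `db` service to `mariadb` breaks the application's database lookup: the same file still sets `- DB_HOST=db` further down, which this hunk does not touch, so the seafile container will resolve a service name that no longer exists. Either keep `db:` here or change the environment line to `- DB_HOST=mariadb` in the same commit. The other renames in this commit (`forgejo`, `hedgedoc`, `inbucket`, `kms`, `nextcloud`, `swarm-dashboard`) show no such cross-reference in the visible hunks.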
@@ -6,7 +6,7 @@ networks: external: true services: - dashboard: + swarm-dashboard: image: charypar/swarm-dashboard volumes: - type: bind From 689fbd39867eb7ac7ec3a376d9c3f1c8c0f70f99 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 20 Aug 2023 17:22:25 +0200 Subject: [PATCH 23/36] disable overleaf because it's borked --- ansible/playbooks/stacks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml index 2c1b813..1ade0ac 100644 --- a/ansible/playbooks/stacks.yml +++ b/ansible/playbooks/stacks.yml @@ -9,7 +9,7 @@ - {role: mastodon, tags: mastodon} - {role: freshrss, tags: freshrss} - {role: hedgedoc, tags: hedgedoc} - - {role: overleaf, tags: overleaf} + # - {role: overleaf, tags: overleaf} - {role: cyberchef, tags: cyberchef} - {role: inbucket, tags: inbucket} - {role: kms, tags: kms} From 6b126e3baa1ed07b688f89dfe20f175a5c482665 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 22 Aug 2023 22:50:27 +0200 Subject: [PATCH 24/36] upgrade forgejo --- ansible/roles/forgejo/app.ini.j2 | 7 ++++++- ansible/roles/forgejo/docker-stack.yml.j2 | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ansible/roles/forgejo/app.ini.j2 b/ansible/roles/forgejo/app.ini.j2 index 9641715..f33b650 100644 --- a/ansible/roles/forgejo/app.ini.j2 +++ b/ansible/roles/forgejo/app.ini.j2 @@ -1,6 +1,7 @@ APP_NAME = Forgejo: Beyond coding. We forge. RUN_MODE = prod RUN_USER = git +WORK_PATH=/data/gitea [repository] ROOT = /data/git/repositories @@ -56,8 +57,9 @@ PATH = /data/gitea/attachments [log] MODE = console LEVEL = info -ROUTER = console +logger.router.MODE = console ROOT_PATH = /data/gitea/log +logger.access.MODE=console [security] INSTALL_LOCK = true @@ -102,3 +104,6 @@ DEFAULT_TRUST_MODEL = committer [ui] DEFAULT_THEME = forgejo-light + +[oauth2] +ENABLE=false diff --git a/ansible/roles/forgejo/docker-stack.yml.j2 b/ansible/roles/forgejo/docker-stack.yml.j2 index be29805..43acade 100644 
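Review bot: The lines added to `app.ini.j2` mix two spacing styles: `WORK_PATH=/data/gitea`, `logger.access.MODE=console` and `ENABLE=false` have no spaces around `=` while every surrounding key is written `KEY = value`; write them as `WORK_PATH = /data/gitea`, `logger.access.MODE = console` and `ENABLE = false`. A comment above the new `[oauth2]` section saying why the built-in OAuth2 provider is disabled would help, since this is a security-relevant toggle that a later reader may be tempted to flip back.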
--- a/ansible/roles/forgejo/docker-stack.yml.j2 +++ b/ansible/roles/forgejo/docker-stack.yml.j2 @@ -19,7 +19,7 @@ volumes: services: forgejo: - image: codeberg.org/forgejo/forgejo:1.18 + image: codeberg.org/forgejo/forgejo:1.20 environment: - USER_UID=1000 - USER_GID=1000 From c59dcbeaae9a15da5c91692562601fb17843ef05 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 22 Aug 2023 22:52:51 +0200 Subject: [PATCH 25/36] revert seafile naming changes --- ansible/roles/seafile/docker-stack.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/seafile/docker-stack.yml.j2 b/ansible/roles/seafile/docker-stack.yml.j2 index aaf9611..b510050 100644 --- a/ansible/roles/seafile/docker-stack.yml.j2 +++ b/ansible/roles/seafile/docker-stack.yml.j2 @@ -19,7 +19,7 @@ volumes: device: ":/mnt/data/seafile/db" services: - mariadb: + db: image: mariadb:10.5 environment: - MYSQL_ROOT_PASSWORD={{ db_root_passwd }} @@ -48,7 +48,7 @@ services: volume: nocopy: true environment: - - DB_HOST=db + - DB_HOST=db - DB_ROOT_PASSWD={{ db_root_passwd }} - TIME_ZONE=Europe/Amsterdam - SEAFILE_ADMIN_EMAIL={{ seafile_admin_email }} From db38d9c6bb27104db3a943422ec3f25eeb4a0830 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 22 Aug 2023 22:53:40 +0200 Subject: [PATCH 26/36] collect docker logs using fluent --- ansible/playbooks/setup.yml | 12 ++++++++++- ansible/roles/monitoring/docker-stack.yml.j2 | 2 +- ansible/roles/monitoring/fluent.conf.j2 | 2 +- terraform/elasticsearch/main.tf | 22 ++++++++++++++++++++ 4 files changed, 35 insertions(+), 3 deletions(-) diff --git a/ansible/playbooks/setup.yml b/ansible/playbooks/setup.yml index 7b06092..f6130d3 100644 --- a/ansible/playbooks/setup.yml +++ b/ansible/playbooks/setup.yml 
@@ -17,7 +17,17 @@ roles: - setup_apt - - docker + + post_tasks: + - name: Install Docker + include_role: + name: docker + vars: + docker_daemon_config: + log-driver: fluentd + log-opts: + fluentd-address: "localhost:22222" + tag: "docker.{{ '{{' }}.Name{{ '}}' }}" - name: Setup Docker Swarm manager hosts: manager diff --git a/ansible/roles/monitoring/docker-stack.yml.j2 b/ansible/roles/monitoring/docker-stack.yml.j2 index 04730f8..9a61c12 100644 --- a/ansible/roles/monitoring/docker-stack.yml.j2 +++ b/ansible/roles/monitoring/docker-stack.yml.j2 @@ -122,7 +122,7 @@ services: - BAUTH_PASS=test fluentd: - image: git.kun.is/pim/fluentd:1.0.1 + image: git.kun.is/pim/fluentd:1.0.2 depends_on: - elasticsearch ports: diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 index 61b52b3..63d2f5a 100644 --- a/ansible/roles/monitoring/fluent.conf.j2 +++ b/ansible/roles/monitoring/fluent.conf.j2 @@ -6,7 +6,7 @@ port {{ fluent_forward_port }} - + @type elasticsearch host maestro.dmz port {{ elasticsearch_port }} diff --git a/terraform/elasticsearch/main.tf b/terraform/elasticsearch/main.tf index 818dba0..b6d0e4f 100644 --- a/terraform/elasticsearch/main.tf +++ b/terraform/elasticsearch/main.tf @@ -38,3 +38,25 @@ resource "elasticstack_elasticsearch_index_template" "metrics_template" { }) } } + +resource "elasticstack_elasticsearch_index_lifecycle" "logs_ilm" { + name = "logs_ilm" + + delete { + min_age = "2d" + delete {} + } +} + +resource "elasticstack_elasticsearch_index_template" "logs_template" { + name = "logs_template" + + priority = 42 + index_patterns = ["fluentd.docker.**"] + + template { + settings = jsonencode({ + "index.lifecycle.name" = elasticstack_elasticsearch_index_lifecycle.logs_ilm.name + }) + } +} From 60c4f1721918005e01a374eba17b9a4b6b2e03df Mon Sep 17 00:00:00 2001 
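Review bot: `fluentd-address: "localhost:22222"` in the new `docker_daemon_config` does not match the collector this series deploys: the `fluentd` service publishes `{{ fluent_forward_port }}` (24224 in `group_vars/all.yml`) and nothing visible listens on 22222, so unless a per-node forwarder exists that is not shown here, containers will fail to start because the fluentd log driver refuses to start a container whose collector is unreachable. Pointing the address at `fluent_forward_port` and adding `fluentd-async: "true"` to `log-opts` removes the hard dependency, including the case where the fluentd container itself logs through the fluentd driver. In the `main.tf` hunk, `logs_template` reuses `priority = 42` from `metrics_template`; the patterns do not overlap today, but distinct priorities avoid a hard error the first time they do.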
From: Pim Kunis Date: Wed, 23 Aug 2023 17:42:03 +0200 Subject: [PATCH 27/36] only accept forgejo logs for now --- ansible/roles/monitoring/fluent.conf.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 index 63d2f5a..b8e8cd4 100644 --- a/ansible/roles/monitoring/fluent.conf.j2 +++ b/ansible/roles/monitoring/fluent.conf.j2 @@ -6,7 +6,7 @@ port {{ fluent_forward_port }} - + @type elasticsearch host maestro.dmz port {{ elasticsearch_port }} @@ -15,6 +15,10 @@ logstash_prefix fluentd.${tag} + + @type null + + log_level info From 84521ec8a94bff014cb32357e83c89f915d369a9 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 23 Aug 2023 18:04:32 +0200 Subject: [PATCH 28/36] use host ports for traefik which allows to see the real client's IP --- ansible/roles/traefik/docker-stack.yml.j2 | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/ansible/roles/traefik/docker-stack.yml.j2 b/ansible/roles/traefik/docker-stack.yml.j2 index 7761c6b..95e8b60 100644 --- a/ansible/roles/traefik/docker-stack.yml.j2 +++ b/ansible/roles/traefik/docker-stack.yml.j2 @@ -23,9 +23,18 @@ services: networks: - traefik ports: - - 443:443 - - 80:80 - - 444:444 + - mode: host + protocol: tcp + published: 443 + target: 443 + - mode: host + protocol: tcp + published: 80 + target: 80 + - mode: host + protocol: tcp + published: 444 + target: 444 deploy: placement: constraints: From 59db3b2fb7d2ea29c1f67c7cf478d9e183f9258b Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 23 Aug 2023 18:05:07 +0200 Subject: [PATCH 29/36] add forwarded-for header for forgejo --- ansible/roles/forgejo/docker-stack.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/forgejo/docker-stack.yml.j2 b/ansible/roles/forgejo/docker-stack.yml.j2 index 43acade..fe4dd53 100644 --- a/ansible/roles/forgejo/docker-stack.yml.j2 +++ b/ansible/roles/forgejo/docker-stack.yml.j2 
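Review bot: Switching the three published ports to `mode: host` bypasses the ingress mesh, so 443, 80 and 444 are only open on the node actually running a traefik task and DNS has to point at that node; the `deploy: placement: constraints:` lines that follow presumably pin it, but a comment above `ports:` such as `# host mode: preserves the client IP, so traefik must be pinned to the node DNS points at` would capture why this was done. If more than one replica is ever scheduled on the same node the second will fail on the port bind, which is worth stating in the same comment.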
@@ -49,6 +49,8 @@ services: - traefik.http.routers.forgejo.service=forgejo - traefik.http.services.forgejo.loadbalancer.server.port=3000 - traefik.docker.network=traefik + - traefik.http.middlewares.set-forwarded-for.headers.hostsProxyHeaders=X-Forwarded-For + - traefik.http.routers.forgejo.middlewares=set-forwarded-for configs: - source: config target: /data/gitea/conf/app.ini From 44e3bd672989d59f1040de47b4afc1327a6587cf Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 25 Aug 2023 14:40:47 +0200 Subject: [PATCH 30/36] add forgejo access logs and geo ip enrichment --- ansible/roles/monitoring/docker-stack.yml.j2 | 2 +- ansible/roles/monitoring/elasticsearch.yml.j2 | 8 ++++++++ ansible/roles/monitoring/fluent.conf.j2 | 11 +++++++++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/ansible/roles/monitoring/docker-stack.yml.j2 b/ansible/roles/monitoring/docker-stack.yml.j2 index 9a61c12..b6adf49 100644 --- a/ansible/roles/monitoring/docker-stack.yml.j2 +++ b/ansible/roles/monitoring/docker-stack.yml.j2 @@ -122,7 +122,7 @@ services: - BAUTH_PASS=test fluentd: - image: git.kun.is/pim/fluentd:1.0.2 + image: git.kun.is/pim/fluentd:1.0.3 depends_on: - elasticsearch ports: diff --git a/ansible/roles/monitoring/elasticsearch.yml.j2 b/ansible/roles/monitoring/elasticsearch.yml.j2 index aeb30af..81a0d2e 100644 --- a/ansible/roles/monitoring/elasticsearch.yml.j2 +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -25,3 +25,11 @@ datasources: jsonData: index: 'fluentd.diskfree-*' timeField: '@timestamp' + + - name: forgejo_access + type: elasticsearch + access: proxy + url: http://maestro.dmz:{{ elasticsearch_port }} + jsonData: + index: 'fluentd.docker.forgejo_forgejo.**' + timeField: '@timestamp' diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 index b8e8cd4..1dd5f70 100644 --- a/ansible/roles/monitoring/fluent.conf.j2 +++ b/ansible/roles/monitoring/fluent.conf.j2 
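Review bot: `hostsProxyHeaders` on a Traefik headers middleware lists header names that may carry a proxied hostname; it does not make Traefik trust or emit `X-Forwarded-For`, so the `set-forwarded-for` middleware added here (and the identical one for pihole in PATCH 01) is, as far as I can tell, a no-op for its intended purpose. Traefik already appends the real client address to `X-Forwarded-For` on the request it sends to Forgejo, and whether a client-supplied `X-Forwarded-For` is honoured is governed per entrypoint by `forwardedHeaders.trustedIPs`, which should stay restricted so clients cannot spoof their source address in Forgejo's logs. If nothing else uses the middleware, drop both labels and instead make sure Forgejo's `REVERSE_PROXY_TRUSTED_PROXIES` covers the Traefik address.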
@@ -6,6 +6,17 @@ port {{ fluent_forward_port }} + + @type geoip + geoip_lookup_keys host + backend_library geoip2_c + + latitude ${location.latitude["host"]} + longitude ${location.longitude["host"]} + + skip_adding_null_record true + + @type elasticsearch host maestro.dmz From 833b1a2b5e8a24cd58a784a6feb69ac3702bb8f7 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Fri, 25 Aug 2023 19:53:36 +0200 Subject: [PATCH 31/36] collect traefik access logs remove forgejo access logs --- ansible/roles/monitoring/elasticsearch.yml.j2 | 4 ++-- ansible/roles/monitoring/fluent.conf.j2 | 4 ++-- ansible/roles/traefik/docker-stack.yml.j2 | 8 ++++++++ terraform/elasticsearch/main.tf | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ansible/roles/monitoring/elasticsearch.yml.j2 b/ansible/roles/monitoring/elasticsearch.yml.j2 index 81a0d2e..90fee48 100644 --- a/ansible/roles/monitoring/elasticsearch.yml.j2 +++ b/ansible/roles/monitoring/elasticsearch.yml.j2 @@ -26,10 +26,10 @@ datasources: index: 'fluentd.diskfree-*' timeField: '@timestamp' - - name: forgejo_access + - name: traefik_access type: elasticsearch access: proxy url: http://maestro.dmz:{{ elasticsearch_port }} jsonData: - index: 'fluentd.docker.forgejo_forgejo.**' + index: 'fluentd.access.traefik-*' timeField: '@timestamp' diff --git a/ansible/roles/monitoring/fluent.conf.j2 b/ansible/roles/monitoring/fluent.conf.j2 index 1dd5f70..dd030ba 100644 --- a/ansible/roles/monitoring/fluent.conf.j2 +++ b/ansible/roles/monitoring/fluent.conf.j2 @@ -6,7 +6,7 @@ port {{ fluent_forward_port }} - + @type geoip geoip_lookup_keys host backend_library geoip2_c @@ -17,7 +17,7 @@ skip_adding_null_record true - + @type elasticsearch host maestro.dmz port {{ elasticsearch_port }} diff --git a/ansible/roles/traefik/docker-stack.yml.j2 b/ansible/roles/traefik/docker-stack.yml.j2 index 95e8b60..a865683 100644 --- a/ansible/roles/traefik/docker-stack.yml.j2 +++ b/ansible/roles/traefik/docker-stack.yml.j2 
@@ -125,3 +125,11 @@ services: - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web - --serversTransport.insecureSkipVerify=true + + - --accesslog=true + - --accesslog.fields.defaultmode=keep + - --accesslog.fields.names.ClientUsername=drop + - --accesslog.fields.headers.defaultmode=keep + - --accesslog.fields.headers.names.User-Agent=keep + - --accesslog.fields.headers.names.Authorization=drop + - --accesslog.fields.headers.names.Content-Type=keep diff --git a/terraform/elasticsearch/main.tf b/terraform/elasticsearch/main.tf index b6d0e4f..8709975 100644 --- a/terraform/elasticsearch/main.tf +++ b/terraform/elasticsearch/main.tf @@ -52,7 +52,7 @@ resource "elasticstack_elasticsearch_index_template" "logs_template" { name = "logs_template" priority = 42 - index_patterns = ["fluentd.docker.**"] + index_patterns = ["fluentd.access.**"] template { settings = jsonencode({ From c7ddefaa3de621ba48f1f5977378e3e9d3f64b5f Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 14 Sep 2023 12:08:56 +0200 Subject: [PATCH 32/36] add ampache stack --- ansible/inventory/group_vars/all.yml | 6 +++ ansible/playbooks/stacks.yml | 1 + ansible/roles/ampache/docker-stack.yml.j2 | 56 +++++++++++++++++++++++ ansible/roles/ampache/tasks/main.yml | 5 ++ 4 files changed, 68 insertions(+) create mode 100644 ansible/roles/ampache/docker-stack.yml.j2 create mode 100644 ansible/roles/ampache/tasks/main.yml diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index 4d994f0..ad74503 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -47,6 +47,12 @@ nfs_shares: path: /mnt/data/grafana/data - name: kitchenowl_data path: /mnt/data/kitchenowl/data + - name: ampache_mysql + path: /mnt/data/ampache/mysql + - name: ampache_config + path: /mnt/data/ampache/config + - name: music + path: /mnt/data/nextcloud/data/data/pim/files/Music database_passwords: nextcloud: !vault | 
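Review bot: `--accesslog.fields.headers.defaultmode=keep` records every request header into the Elasticsearch access index, so although `Authorization` is dropped, `Cookie` (session tokens for every proxied application) and any other credential-bearing header are still logged in plaintext and retained for the ILM period. Invert this into an allow-list: `- --accesslog.fields.headers.defaultmode=drop` with the explicit `User-Agent` and `Content-Type` keep lines retained, after which the `Authorization=drop` line is redundant. The `command:` list these flags belong to starts outside the hunk.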
diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml index 1ade0ac..eacabcb 100644 --- a/ansible/playbooks/stacks.yml +++ b/ansible/playbooks/stacks.yml @@ -20,3 +20,4 @@ - {role: syncthing, tags: syncthing} - {role: monitoring, tags: monitoring} - {role: kitchenowl, tags: kitchenowl} + - {role: ampache, tags: ampache} diff --git a/ansible/roles/ampache/docker-stack.yml.j2 b/ansible/roles/ampache/docker-stack.yml.j2 new file mode 100644 index 0000000..0b5a2e7 --- /dev/null +++ b/ansible/roles/ampache/docker-stack.yml.j2 @@ -0,0 +1,56 @@ +# vi: ft=yaml +version: '3.7' + +networks: + traefik: + external: true + +volumes: + ampache_mysql: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/ampache/mysql" + ampache_config: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/ampache/config" + music: + driver_opts: + type: "nfs" + o: "addr=192.168.30.10,nolock,soft,rw" + device: ":/mnt/data/nextcloud/data/data/pim/files/Music" + +services: + ampache: + image: ampache/ampache:6 + volumes: + - type: volume + source: ampache_mysql + target: /var/lib/mysql + volume: + nocopy: true + - type: volume + source: ampache_config + target: /var/www/config + volume: + nocopy: true + - type: volume + source: music + target: /media + read_only: true + volume: + nocopy: true + networks: + - traefik + deploy: + labels: + - traefik.enable=true + - traefik.http.routers.ampache.entrypoints=websecure + - traefik.http.routers.ampache.rule=Host(`music.kun.is`) + - traefik.http.routers.ampache.tls=true + - traefik.http.routers.ampache.tls.certresolver=letsencrypt + - traefik.http.routers.ampache.service=ampache + - traefik.http.services.ampache.loadbalancer.server.port=80 + - traefik.docker.network=traefik diff --git a/ansible/roles/ampache/tasks/main.yml b/ansible/roles/ampache/tasks/main.yml new file mode 100644 index 0000000..3e730ce --- /dev/null +++ b/ansible/roles/ampache/tasks/main.yml 
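Review bot: The `music` volume is mounted `read_only: true` in the container, but its NFS options are `o: "addr=192.168.30.10,nolock,soft,rw"`, so read-only enforcement rests entirely on the container mount flag; since this path sits inside a Nextcloud user's data directory, changing the volume's options to `o: "addr=192.168.30.10,nolock,soft,ro"` enforces it at the mount as well. Separately, `soft` NFS mounts hand I/O errors to the application on server timeout, which for `/var/lib/mysql` risks database corruption — `hard` is the usual choice for a database data directory, assuming the NFS server is reliable enough that hangs are preferable to errors.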
@@ -0,0 +1,5 @@ +- name: Deploy Docker stack + docker_stack: + name: ampache + compose: + - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}" From 1acb61716e93dcdb00dc0f38cc8006b9701c0927 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Thu, 26 Oct 2023 21:08:19 +0200 Subject: [PATCH 33/36] add nix flake for dev env rename handjecontantje to vpay disable fluentd logging --- .envrc | 1 + .gitignore | 1 + ansible/ansible.cfg | 2 +- ansible/inventory/hosts.yml | 4 +- ansible/playbooks/setup.yml | 10 ++--- ansible/util/secret-service-client.sh | 9 ---- flake.lock | 61 +++++++++++++++++++++++++++ flake.nix | 20 +++++++++ terraform/dns.tf | 4 +- terraform/main.tf | 14 +++--- 10 files changed, 101 insertions(+), 25 deletions(-) create mode 100644 .envrc create mode 100644 .gitignore delete mode 100755 ansible/util/secret-service-client.sh create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..3550a30 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..92b2793 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.direnv diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 4322702..2411e3a 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -3,7 +3,7 @@ roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles inventory=inventory interpreter_python=/usr/bin/python3 remote_user = root -vault_password_file=util/secret-service-client.sh +vault_password_file=$HOME/.config/home/ansible-vault-secret [diff] always = True diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index a0e4d38..68ec87a 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml @@ -9,5 +9,5 @@ all: hosts: bancomart: ansible_host: bancomart.dmz - handjecontantje: - ansible_host: handjecontantje.dmz + vpay: + ansible_host: vpay.dmz 
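Review bot: `vault_password_file=$HOME/.config/home/ansible-vault-secret` replaces a lookup through the desktop secret service with a plaintext file on disk, so the vault password is now protected only by that file's permissions and by whatever backs up or syncs the directory. A comment on the line, e.g. `# plaintext vault password; must be mode 0600 and is provisioned out of band`, would make the new trust assumption explicit for anyone cloning the repo. Ansible's config loader expands `~` and environment variables for path-typed settings, so `$HOME` should resolve, but a quick `ansible-config dump` is worth confirming.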
diff --git a/ansible/playbooks/setup.yml b/ansible/playbooks/setup.yml index f6130d3..56ae015 100644 --- a/ansible/playbooks/setup.yml +++ b/ansible/playbooks/setup.yml @@ -23,11 +23,11 @@ include_role: name: docker vars: - docker_daemon_config: - log-driver: fluentd - log-opts: - fluentd-address: "localhost:22222" - tag: "docker.{{ '{{' }}.Name{{ '}}' }}" + docker_daemon_config: {} + # log-driver: fluentd + # log-opts: + # fluentd-address: "localhost:22222" + # tag: "docker.{{ '{{' }}.Name{{ '}}' }}" - name: Setup Docker Swarm manager hosts: manager diff --git a/ansible/util/secret-service-client.sh b/ansible/util/secret-service-client.sh deleted file mode 100755 index b4c9bb5..0000000 --- a/ansible/util/secret-service-client.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -pass=`secret-tool lookup ansible_vault shoarma` -retval=$? - -if [ $retval -ne 0 ]; then - read -s pass -fi -echo $pass diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..fc5227d --- /dev/null +++ b/flake.lock 
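Review bot: With `docker_daemon_config: {}` the daemon falls back to the default `json-file` driver with no rotation, so container logs now grow unbounded on every node, whereas the fluentd driver at least shipped them off-box. If fluentd stays disabled, set rotation explicitly, e.g. `docker_daemon_config: {log-driver: json-file, log-opts: {max-size: "10m", max-file: "3"}}`, assuming the docker role passes this map straight into daemon.json. Keeping the old configuration as commented-out YAML is also a style point — git history preserves it, and the `{{ '{{' }}` escape inside a comment is easy to mistake for live config. The play that this `include_role` belongs to starts outside the hunk.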
@@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1698266953, + "narHash": "sha256-jf72t7pC8+8h8fUslUYbWTX5rKsRwOzRMX8jJsGqDXA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "75a52265bda7fd25e06e3a67dee3f0354e73243c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..eca5ab1 --- /dev/null +++ b/flake.nix @@ -0,0 +1,20 @@ +{ + description = "A basic flake with a shell"; + inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + inputs.flake-utils.url = "github:numtide/flake-utils"; + + outputs = { self, nixpkgs, flake-utils }: + flake-utils.lib.eachDefaultSystem (system: let + pkgs = nixpkgs.legacyPackages.${system}; + in { + devShells.default = pkgs.mkShell { + packages = with pkgs; [ + bashInteractive + opentofu + jq + cdrtools + ansible + ]; + }; + }); +} diff --git a/terraform/dns.tf b/terraform/dns.tf index d9b24a4..e31dc4a 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
@@ -1,5 +1,5 @@ data "external" "secrets" { - program = ["cat", pathexpand("~/.tfvars.json")] + program = ["cat", pathexpand("~/.config/home/powerdns-api-key.json")] } provider "powerdns" { @@ -77,4 +77,4 @@ resource "powerdns_record" "smtp2go_3_geokunis2_nl_cname" { type = "CNAME" records = ["track.smtp2go.net."] ttl = 60 -} \ No newline at end of file +} diff --git a/terraform/main.tf b/terraform/main.tf index ccb2133..8a3c948 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -6,6 +6,7 @@ terraform { required_providers { libvirt = { source = "dmacvicar/libvirt" + version = "0.7.1" # https://github.com/dmacvicar/terraform-provider-libvirt/issues/1040 } powerdns = { @@ -16,17 +17,18 @@ terraform { } provider "libvirt" { - uri = "qemu+ssh://root@atlas.hyp/system" + # https://libvirt.org/uri.html#libssh-and-libssh2-transport + uri = "qemu+ssh://root@atlas.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts" } provider "libvirt" { alias = "jefke" - uri = "qemu+ssh://root@jefke.hyp/system" + uri = "qemu+ssh://root@jefke.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts" } provider "libvirt" { alias = "lewis" - uri = "qemu+ssh://root@lewis.hyp/system" + uri = "qemu+ssh://root@lewis.hyp/system?known_hosts=/etc/ssh/ssh_known_hosts" } module "maestro" { @@ -50,10 +52,10 @@ module "bancomart" { } } -module "handjecontantje" { +module "vpay" { source = "git::https://git.kun.is/home/tf-modules.git//debian" - name = "handjecontantje" - domain_name = "tf-handjecontantje" + name = "vpay" + domain_name = "tf-vpay" memory = 3 * 1024 providers = { libvirt = libvirt.lewis From a476680b82495330f005764b96f53000f7723b39 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 29 Oct 2023 18:28:15 +0100 Subject: [PATCH 34/36] update terraform for jefke --- terraform/main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/main.tf b/terraform/main.tf index 8a3c948..34b16b0 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
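Review bot: The `external` data source still `cat`s the key file into a data source result, so the PowerDNS API key continues to land in Terraform state and plan output even though the file moved to `~/.config/home/powerdns-api-key.json`. A comment on the `program` line noting that the state backend must be protected to the same standard as the key file would make that consequence visible, and marking the consuming value `sensitive` where it is used (outside the hunk) keeps it out of plan diffs.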
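Review bot: Pointing the libssh transport at `/etc/ssh/ssh_known_hosts` is a good hardening step, but the `known_hosts` parameter replaces rather than supplements `~/.ssh/known_hosts`, so the host keys for atlas, jefke and lewis must all be present in the system file or the provider will refuse to connect. Extending the comment on the first `uri` to say `# host keys must be pre-seeded in /etc/ssh/ssh_known_hosts (user known_hosts is not consulted)` would save the next person a confusing connection failure; the same comment is worth repeating, or referencing, on the `jefke` and `lewis` providers, which carry no explanation.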
@@ -47,6 +47,11 @@ module "bancomart" { name = "bancomart" domain_name = "tf-bancomart" memory = 10240 + disk_pool = "disks" + cloudinit_pool = "cloudinit" + disk_base_pool = "images" + bridge_name = "bridgedmz" + providers = { libvirt = libvirt.jefke } From 4c7a21418d0b407164ead69708dfb1c5790959e5 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 27 Nov 2023 09:59:40 +0100 Subject: [PATCH 35/36] update kitchenowl to latest version --- ansible/roles/kitchenowl/docker-stack.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/kitchenowl/docker-stack.yml.j2 b/ansible/roles/kitchenowl/docker-stack.yml.j2 index a4117ba..1f4a57e 100644 --- a/ansible/roles/kitchenowl/docker-stack.yml.j2 +++ b/ansible/roles/kitchenowl/docker-stack.yml.j2 @@ -15,7 +15,7 @@ volumes: services: front: - image: tombursch/kitchenowl-web:v0.4.8 + image: tombursch/kitchenowl-web:v0.4.17 depends_on: - back networks: @@ -32,7 +32,7 @@ services: - traefik.http.services.kitchenowl.loadbalancer.server.port=80 - traefik.docker.network=traefik back: - image: tombursch/kitchenowl:v75 + image: tombursch/kitchenowl:v88 networks: - kitchenowl environment: From abd649a1ec6e2c0f29afb45eac7ddda022c03d8d Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 26 Dec 2023 10:49:19 +0100 Subject: [PATCH 36/36] add assimiliation warning --- README.md | 2 ++ ansible/roles/pihole/docker-stack.yml.j2 | 3 +++ 2 files changed, 5 insertions(+) diff --git a/README.md b/README.md index 71ff836..ffc8d9c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ # shoarma +⚠️ Code in this repository has been assimilated by the [home/nixos-servers](https://git.kun.is/home/nixos-servers/src/branch/master/legacy) repository. + Docker Swarm for our home servers. Includes both Terraform and Ansible code to provision and configure the swarm. diff --git a/ansible/roles/pihole/docker-stack.yml.j2 b/ansible/roles/pihole/docker-stack.yml.j2 index 8bfbd93..9581831 100644 
--- a/ansible/roles/pihole/docker-stack.yml.j2
+++ b/ansible/roles/pihole/docker-stack.yml.j2
@@ -52,3 +52,6 @@ services:
 - traefik.http.routers.pihole.service=pihole
 - traefik.http.services.pihole.loadbalancer.server.port=80
 - traefik.docker.network=traefik
+ placement:
+ constraints:
+ - node.role == manager