home/shoarma
Archived
2
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity

committed to wrong branch #9

Merged
pim merged 6 commits from dns into master 2023-06-15 11:18:34 +00:00
Conversation 0 Commits 6 Files changed 19 +296 -65
19 changed files with 296 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
ansible/inventory/group_vars/all.yml
View file

@ -1,2 +1,36 @@
data_directory_base: /mnt/data data_directory_base: /mnt/data
git_ssh_port: 56287 git_ssh_port: 56287
nfs_shares:
- name: nextcloud_data
path: /mnt/data/nextcloud/data
- name: radicale
path: /mnt/data/radicale
- name: freshrss_data
path: /mnt/data/freshrss/data
- name: freshrss_extensions
path: /mnt/data/freshrss/extensions
- name: pihole_data
path: /mnt/data/pihole/data
- name: pihole_dnsmasq
path: /mnt/data/pihole/dnsmasq
- name: hedgedoc_uploads
path: /mnt/data/hedgedoc/uploads
database_passwords:
nextcloud: !vault |
$ANSIBLE_VAULT;1.1;AES256
66326230303135303930363761316534313439383365376231623661316635393839336431313262
3832626365376533646561653863316364313135343366330a356136343938666133356532613263
39663037623232363266376335643834353735363431636535386566643763386463353962663930
3466343563353162320a376437353933656166323364323166376663323531373338656563653463
33346263626430616164613937363836343430383233393061643231346661656539623938333631
3632373964346139316637663364646132636636373461613534
hedgedoc: !vault |
$ANSIBLE_VAULT;1.1;AES256
63363464666633663762393135333362613966636338623533393132376338343339653431396465
6634643863623163366235393434343662313735363438610a373065363361326565633766633835
38383637343230363031636634623930666365333739323162313937656239646166613738393965
3533666462303563360a313233306335396234393932396331313238376464363964363839396164
66366662356135343035363935616664613831626131376330643133313530636431613266636165
6265613666616164373637356235396165383662333561393939

2
ansible/inventory/hosts.yml
View file

@ -2,6 +2,8 @@ all:
hosts: hosts:
manager: manager:
ansible_host: maestro.dmz ansible_host: maestro.dmz
thecloud:
ansible_host: thecloud.dmz
children: children:
workers: workers:
hosts: hosts:

4
ansible/playbooks/setup.yml
View file

@ -1,12 +1,12 @@
--- ---
- name: Wait for Cloud-init to finish - name: Wait for Cloud-init to finish
hosts: all hosts: manager, workers
gather_facts: no gather_facts: no
roles: roles:
- cloudinit_wait - cloudinit_wait
- name: Initialize Docker Swarm nodes - name: Initialize Docker Swarm nodes
hosts: all hosts: manager, workers
pre_tasks: pre_tasks:
- name: Delete externally managed environment file - name: Delete externally managed environment file
shell: shell:

2
ansible/playbooks/stacks.yml
View file

@ -17,4 +17,4 @@
- {role: shephard, tags: shephard} - {role: shephard, tags: shephard}
- {role: jitsi, tags: jitsi} - {role: jitsi, tags: jitsi}
- {role: pihole, tags: pihole} - {role: pihole, tags: pihole}
- {role: discourse, tags: discourse} - {role: nextcloud, tags: nextcloud}

24
ansible/playbooks/thecloud.yml Normal file
View file

@ -0,0 +1,24 @@
---
- name: Create databases and NFS shares
hosts: thecloud
handlers:
- name: reload nfs
systemd:
name: nfs-kernel-server
state: restarted
tasks:
- name: Create nfs shares
with_items: "{{ nfs_shares }}"
copy:
dest: "/etc/exports.d/{{ item.name }}.exports"
content: "{{ item.path }} *(rw,sync,no_subtree_check,no_root_squash)"
notify: reload nfs
- name: Create databases
with_items: "{{ database_passwords | dict2items }}"
include_role:
name: database
vars:
database_name: "{{ item.key }}"
database_password: "{{ item.value }}"

4
ansible/roles/database/handlers/main.yml Normal file
View file

@ -0,0 +1,4 @@
- name: restart postgres
systemd:
name: postgresql
state: restarted

36
ansible/roles/database/tasks/main.yml Normal file
View file

@ -0,0 +1,36 @@
- name: Create database user
postgresql_user:
name: "{{ database_name }}"
password: "{{ database_password }}"
become: true
become_user: postgres
- name: Create database
postgresql_db:
name: "{{ database_name }}"
owner: "{{ database_name }}"
become: true
become_user: postgres
- name: Grant access to database
postgresql_privs:
type: database
database: "{{ database_name }}"
role: "{{ database_name }}"
grant_option: no
privs: all
become: true
become_user: postgres
notify: restart postgres
- name: Allow remote access to database
postgresql_pg_hba:
dest: /etc/postgresql/15/main/pg_hba.conf
contype: host
databases: "{{ database_name }}"
users: "{{ database_name }}"
address: all
create: true
become: true
become_user: postgres
notify: restart postgres

29
ansible/roles/freshrss/docker-stack.yml.j2
View file

@ -5,18 +5,34 @@ networks:
traefik: traefik:
external: true external: true
volumes:
data:
driver_opts:
type: "nfs"
o: "addr=192.168.30.10,nolock,soft,rw"
device: ":/mnt/data/freshrss/data"
extensions:
driver_opts:
type: "nfs"
o: "addr=192.168.30.10,nolock,soft,rw"
device: ":/mnt/data/freshrss/extensions"
services: services:
freshrss: freshrss:
image: freshrss/freshrss:edge image: freshrss/freshrss:edge
networks: networks:
- traefik - traefik
volumes: volumes:
- type: bind - type: volume
source: /mnt/data/freshrss/data source: data
target: /var/www/FreshRSS/data target: /var/www/FreshRSS/data
- type: bind volume:
source: /mnt/data/freshrss/extensions nocopy: true
- type: volume
source: extensions
target: /var/www/FreshRSS/extensions target: /var/www/FreshRSS/extensions
volume:
nocopy: true
environment: environment:
TZ: Europe/Amsterdam TZ: Europe/Amsterdam
CRON_MIN: '2,32' CRON_MIN: '2,32'
@ -25,13 +41,10 @@ services:
ADMIN_API_PASSWORD: {{ admin_password }} ADMIN_API_PASSWORD: {{ admin_password }}
PUBLISHED_PORT: 443 PUBLISHED_PORT: 443
deploy: deploy:
placement:
constraints:
- "node.labels.freshrss == true"
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.freshrss.entrypoints=websecure - traefik.http.routers.freshrss.entrypoints=websecure
- traefik.http.routers.freshrss.rule=Host(`rss.pim.kunis.nl`) - traefik.http.routers.freshrss.rule=Host(`rss.kun.is`)
- traefik.http.routers.freshrss.tls=true - traefik.http.routers.freshrss.tls=true
- traefik.http.routers.freshrss.tls.certresolver=letsencrypt - traefik.http.routers.freshrss.tls.certresolver=letsencrypt
- traefik.http.routers.freshrss.service=freshrss - traefik.http.routers.freshrss.service=freshrss

41
ansible/roles/hedgedoc/docker-stack.yml.j2
View file

@ -4,32 +4,19 @@ version: '3'
networks: networks:
traefik: traefik:
external: true external: true
hedgedoc:
volumes:
uploads:
driver_opts:
type: "nfs"
o: "addr=192.168.30.10,nolock,soft,rw"
device: ":/mnt/data/hedgedoc/uploads"
services: services:
hedgedoc-db:
image: postgres:13.4-alpine
environment:
- POSTGRES_USER=hedgedoc
- POSTGRES_PASSWORD=password
- POSTGRES_DB=hedgedoc
volumes:
- type: bind
source: /mnt/data/hedgedoc/database
target: /var/lib/postgresql/data
networks:
hedgedoc:
aliases:
- database
deploy:
placement:
constraints:
- "node.labels.hedgedoc == true"
hedgedoc-app: hedgedoc-app:
image: quay.io/hedgedoc/hedgedoc:1.9.7 image: quay.io/hedgedoc/hedgedoc:1.9.7
environment: environment:
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DB_URL=postgres://hedgedoc:{{ database_passwords.hedgedoc }}@192.168.30.10:5432/hedgedoc
- CMD_DOMAIN=md.pim.kunis.nl - CMD_DOMAIN=md.pim.kunis.nl
- CMD_PORT=3000 - CMD_PORT=3000
- CMD_URL_ADDPORT=false - CMD_URL_ADDPORT=false
@ -38,18 +25,14 @@ services:
- CMD_PROTOCOL_USESSL=true - CMD_PROTOCOL_USESSL=true
- CMD_SESSION_SECRET={{ session_secret }} - CMD_SESSION_SECRET={{ session_secret }}
volumes: volumes:
- type: bind - type: volume
source: /mnt/data/hedgedoc/uploads source: uploads
target: /hedgedoc/public/uploads target: /hedgedoc/public/uploads
depends_on: volume:
- hedgedoc-db nocopy: true
networks: networks:
- traefik - traefik
- hedgedoc
deploy: deploy:
placement:
constraints:
- "node.labels.hedgedoc == true"
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.hedgedoc.entrypoints=websecure - traefik.http.routers.hedgedoc.entrypoints=websecure

3
ansible/roles/hedgedoc/tasks/main.yml
View file

@ -1,3 +1,6 @@
- name: asdfasdf
debug:
msg: "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
- name: Deploy Docker stack - name: Deploy Docker stack
docker_stack: docker_stack:
name: hedgedoc name: hedgedoc

40
ansible/roles/nextcloud/docker-stack.yml.j2 Normal file
View file

@ -0,0 +1,40 @@
# vi: ft=yaml
version: '3.8'
networks:
traefik:
external: true
volumes:
data:
driver_opts:
type: "nfs"
o: "addr=192.168.30.10,nolock,soft,rw"
device: ":/mnt/data/nextcloud/data"
services:
app:
image: nextcloud:26
volumes:
- type: volume
source: data
target: /var/www/html
volume:
nocopy: true
environment:
- POSTGRES_USER=swarm
- POSTGRES_DB=nextcloud
- POSTGRES_PASSWORD={{ database_passwords.nextcloud }}
- POSTGRES_HOST=192.168.30.10
networks:
- traefik
deploy:
labels:
- traefik.enable=true
- traefik.http.routers.nextcloud.entrypoints=websecure
- traefik.http.routers.nextcloud.rule=Host(`cloud.kun.is`)
- traefik.http.routers.nextcloud.tls=true
- traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
- traefik.http.routers.nextcloud.service=nextcloud
- traefik.http.services.nextcloud.loadbalancer.server.port=80
- traefik.docker.network=traefik

5
ansible/roles/nextcloud/tasks/main.yml Normal file
View file

@ -0,0 +1,5 @@
- name: Deploy Docker stack
docker_stack:
name: nextcloud
compose:
- "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"

2
ansible/roles/overleaf/docker-stack.yml.j2
View file

@ -7,7 +7,7 @@ networks:
services: services:
sharelatex: sharelatex:
image: sharelatex/sharelatex image: sharelatex/sharelatex:3
networks: networks:
- traefik - traefik
- overleaf - overleaf

29
ansible/roles/pihole/docker-stack.yml.j2
View file

@ -1,11 +1,23 @@
# vi: ft=yaml # vi: ft=yaml
version: "3" version: "3.8"
networks: networks:
traefik: traefik:
external: true external: true
pihole: pihole:
volumes:
data:
driver_opts:
type: "nfs"
o: "addr=192.168.30.10,nolock,soft,rw"
device: ":/mnt/data/pihole/data"
dnsmasq:
driver_opts:
type: "nfs"
o: "addr=192.168.30.10,nolock,soft,rw"
device: ":/mnt/data/pihole/dnsmasq"
services: services:
pihole: pihole:
image: pihole/pihole:latest image: pihole/pihole:latest
@ -18,18 +30,19 @@ services:
WEBPASSWORD: {{ pihole_password }} WEBPASSWORD: {{ pihole_password }}
PIHOLE_DNS_: '192.168.30.1' PIHOLE_DNS_: '192.168.30.1'
volumes: volumes:
- type: bind - type: volume
source: /mnt/data/pihole/data source: data
target: /etc/pihole target: /etc/pihole
- type: bind volume:
source: /mnt/data/pihole/dnsmasq nocopy: true
- type: volume
source: dnsmasq
target: /etc/dnsmasq.d target: /etc/dnsmasq.d
volume:
nocopy: true
networks: networks:
- traefik - traefik
deploy: deploy:
placement:
constraints:
- "node.labels.pihole == true"
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.pihole.entrypoints=localsecure - traefik.http.routers.pihole.entrypoints=localsecure

18
ansible/roles/radicale/docker-stack.yml.j2
View file

@ -13,6 +13,13 @@ configs:
external: true external: true
name: "{{ users.config_name }}" name: "{{ users.config_name }}"
volumes:
data:
driver_opts:
type: "nfs"
o: "addr=192.168.30.10,nolock,soft,rw"
device: ":/mnt/data/radicale"
services: services:
radicale: radicale:
image: tomsquest/docker-radicale image: tomsquest/docker-radicale
@ -30,19 +37,18 @@ services:
interval: 30s interval: 30s
retries: 3 retries: 3
volumes: volumes:
- type: bind - type: volume
source: /mnt/data/radicale source: data
target: /data target: /data
volume:
nocopy: true
networks: networks:
- traefik - traefik
deploy: deploy:
placement:
constraints:
- "node.labels.radicale == true"
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.radicale.entrypoints=websecure - traefik.http.routers.radicale.entrypoints=websecure
- traefik.http.routers.radicale.rule=Host(`dav.pim.kunis.nl`) - traefik.http.routers.radicale.rule=Host(`dav.kun.is`)
- traefik.http.routers.radicale.tls=true - traefik.http.routers.radicale.tls=true
- traefik.http.routers.radicale.tls.certresolver=letsencrypt - traefik.http.routers.radicale.tls.certresolver=letsencrypt
- traefik.http.routers.radicale.service=radicale - traefik.http.routers.radicale.service=radicale

6
ansible/roles/traefik/docker-stack.yml.j2
View file

@ -39,12 +39,6 @@ services:
- traefik.http.routers.esrom.tls=true - traefik.http.routers.esrom.tls=true
- traefik.http.routers.esrom.tls.certresolver=letsencrypt - traefik.http.routers.esrom.tls.certresolver=letsencrypt
- traefik.http.routers.nextcloud.entrypoints=websecure
- traefik.http.routers.nextcloud.service=nextcloud@file
- traefik.http.routers.nextcloud.rule=Host(`cloud.pim.kunis.nl`)
- traefik.http.routers.nextcloud.tls=true
- traefik.http.routers.nextcloud.tls.certresolver=letsencrypt
- traefik.http.routers.uptime.entrypoints=localsecure - traefik.http.routers.uptime.entrypoints=localsecure
- traefik.http.routers.uptime.rule=Host(`uptime.pim.kunis.nl`) - traefik.http.routers.uptime.rule=Host(`uptime.pim.kunis.nl`)
- traefik.http.routers.uptime.service=uptime@file - traefik.http.routers.uptime.service=uptime@file

4
ansible/roles/traefik/services.yml
View file

@ -4,10 +4,6 @@ http:
loadBalancer: loadBalancer:
servers: servers:
- url: http://esrom.dmz:80/ - url: http://esrom.dmz:80/
nextcloud:
loadBalancer:
servers:
- url: http://nextcloud.dmz:80/
uptime: uptime:
loadBalancer: loadBalancer:
servers: servers:

73
terraform/dns.tf Normal file
View file

@ -0,0 +1,73 @@
data "external" "secrets" {
program = ["cat", pathexpand("~/.tfvars.json")]
}
provider "powerdns" {
server_url = "http://192.168.30.108:3000"
api_key = data.external.secrets.result.powerdns_api_key
}
resource "powerdns_record" "subdomain_pim" {
for_each = toset(["dav", "git", "meet", "rss", "latex", "md", "swarm", "traefik", "syncthing", "cloud", "pihole", "ntfy", "apprise", "uptime", "concourse", "discourse"])
zone = "pim.kunis.nl."
name = "${each.key}.pim.kunis.nl."
type = "CNAME"
records = ["www.pim.kunis.nl."]
ttl = 60
}
resource "powerdns_record" "social_pim_kunis_nl_a" {
zone = "pim.kunis.nl."
name = "social.pim.kunis.nl."
type = "A"
records = ["84.245.14.149"]
ttl = 60
}
resource "powerdns_record" "kms_geokunis2_nl_a" {
zone = "geokunis2.nl."
name = "kms.geokunis2.nl."
type = "A"
records = ["84.245.14.149"]
ttl = 60
}
resource "powerdns_record" "files_geokunis2_nl_a" {
zone = "geokunis2.nl."
name = "files.geokunis2.nl."
type = "A"
records = ["84.245.14.149"]
ttl = 60
}
resource "powerdns_record" "files_geokunis2_nl_aaaa" {
zone = "geokunis2.nl."
name = "files.geokunis2.nl."
type = "AAAA"
records = ["2a02:58:19a:f730:b62e:99ff:fe77:1bda"]
ttl = 60
}
resource "powerdns_record" "cyberchef_geokunis2_nl_a" {
zone = "geokunis2.nl."
name = "cyberchef.geokunis2.nl."
type = "A"
records = ["84.245.14.149"]
ttl = 60
}
resource "powerdns_record" "cyberchef_geokunis2_nl_aaaa" {
zone = "geokunis2.nl."
name = "cyberchef.geokunis2.nl."
type = "AAAA"
records = ["2a02:58:19a:f730:c8fe:c0ff:feff:ee03"]
ttl = 60
}
resource "powerdns_record" "inbucket_geokunis2_nl_a" {
zone = "geokunis2.nl."
name = "inbucket.geokunis2.nl."
type = "A"
records = ["84.245.14.149"]
ttl = 60
}

5
terraform/main.tf
View file

@ -8,6 +8,11 @@ terraform {
libvirt = { libvirt = {
source = "dmacvicar/libvirt" source = "dmacvicar/libvirt"
} }
powerdns = {
source = "pan-net/powerdns"
version = "1.5.0"
}
} }
} }