			bitwarden
			...
			da3b0cb28b
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| da3b0cb28b | 
@@ -6,4 +6,5 @@
 | 
			
		||||
  roles:
 | 
			
		||||
    - base
 | 
			
		||||
    - docker
 | 
			
		||||
    - mariadb
 | 
			
		||||
    - gitea
 | 
			
		||||
 
 | 
			
		||||
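Review bot: The position of `- mariadb` after `- docker` is load-bearing, because the mariadb role's bind-address task in this same commit reads `ansible_facts.docker0.ipv4.address`, which only exists once Docker has created the interface. A short comment would keep a later reorder from silently breaking it: `- mariadb  # keep after docker: bind-address is taken from the docker0 interface`. This rendering does not mark which of the five entries was added, so I am assuming it is the `mariadb` line from the new mariadb role files elsewhere in the commit.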
@@ -2,6 +2,12 @@
 | 
			
		||||
allow_reboot: false
 | 
			
		||||
manage_network: false
 | 
			
		||||
 | 
			
		||||
users:
 | 
			
		||||
  git:
 | 
			
		||||
    uid: 1001
 | 
			
		||||
    gid: 1001
 | 
			
		||||
    home: true
 | 
			
		||||
 | 
			
		||||
# Import my GPG key for git signature verification
 | 
			
		||||
root_gpgkeys:
 | 
			
		||||
  - name: kris@lamoureux.io
 | 
			
		||||
@@ -16,10 +22,24 @@ docker_compose_deploy:
 | 
			
		||||
  # Traefik
 | 
			
		||||
  - name: traefik
 | 
			
		||||
    url: https://github.com/krislamo/traefik
 | 
			
		||||
    version: 31ee724feebc1d5f91cb17ffd6892c352537f194
 | 
			
		||||
    version: 398eb48d311db78b86abf783f903af4a1658d773
 | 
			
		||||
    enabled: true
 | 
			
		||||
    accept_newhostkey: true # Consider verifying manually instead
 | 
			
		||||
    accept_newhostkey: true
 | 
			
		||||
    trusted_keys:
 | 
			
		||||
      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
 | 
			
		||||
    env:
 | 
			
		||||
      ENABLE: true
 | 
			
		||||
  # Gitea
 | 
			
		||||
  - name: gitea
 | 
			
		||||
    url: https://github.com/krislamo/gitea
 | 
			
		||||
    version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
 | 
			
		||||
    env:
 | 
			
		||||
      USER_UID: "{{ users.git.uid }}"
 | 
			
		||||
      USER_GID: "{{ users.git.gid }}"
 | 
			
		||||
      DB_PASSWD: "{{ gitea.DB_PASSWD }}"
 | 
			
		||||
 | 
			
		||||
# gitea
 | 
			
		||||
gitea:
 | 
			
		||||
  DB_NAME: gitea
 | 
			
		||||
  DB_USER: gitea
 | 
			
		||||
  DB_PASSWD: password
 | 
			
		||||
 
 | 
			
		||||
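Review bot: `DB_PASSWD: password` at the bottom of this hunk is a literal database credential committed as a vars default, and the same value is passed straight into the gitea compose `env` above and into `community.mysql.mysql_user` in the gitea tasks hunk of this commit. Even as a placeholder it should come from an Ansible Vault variable or an environment lookup, e.g. `DB_PASSWD: "{{ lookup('env', 'GITEA_DB_PASSWD') }}"` (constructed variable name), so that a forgotten override cannot ship a known password. Separately, `ENABLE: true` under the traefik `env` is a YAML boolean; if that map is rendered through a Jinja template it comes out as `True`, so quote it as `ENABLE: "true"` the way the gitea env values are quoted. The removed `# Consider verifying manually instead` note is history, but `accept_newhostkey: true` still accepts the first-seen SSH host key unverified; `trusted_keys` appears to cover commit signatures, not host keys, if I am reading the consumer right.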
@@ -23,9 +23,10 @@ function ssh_connect {
 | 
			
		||||
    [yY])
 | 
			
		||||
      printf "[INFO]: Starting new vagrant SSH tunnel on PID "
 | 
			
		||||
      sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
 | 
			
		||||
        -L 8443:localhost:8443 \
 | 
			
		||||
        -L 22:localhost:22 \
 | 
			
		||||
        -L 80:localhost:80 \
 | 
			
		||||
        -L 443:localhost:443 \
 | 
			
		||||
        -L 8443:localhost:8443 \
 | 
			
		||||
        -o UserKnownHostsFile=/dev/null \
 | 
			
		||||
        -o StrictHostKeyChecking=no \
 | 
			
		||||
        vagrant@"$HOST_IP" 2>/dev/null
 | 
			
		||||
 
 | 
			
		||||
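Review bot: The new `-L 22:localhost:22` forward binds a privileged local port, and the `2>/dev/null` on the `ssh` line hides the bind warning ssh prints when it cannot take that port (for example when `$USER` is unprivileged or a local sshd already listens on 22); ssh then connects anyway and the tunnel silently lacks that forward. Adding `-o ExitOnForwardFailure=yes \` next to the other `-o` options makes a failed bind abort the tunnel instead of leaving it up half-configured, which is what the `[INFO]` message claims to have started. The function `ssh_connect` starts before this hunk, and the 80/443 forwards were already there, so the same caveat applied before; the new line just widens it.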
@@ -27,4 +27,4 @@
 | 
			
		||||
  ansible.builtin.service:
 | 
			
		||||
    name: smbd
 | 
			
		||||
    state: restarted
 | 
			
		||||
  listen: restart_samba
 | 
			
		||||
  listen: restart_samba
 | 
			
		||||
 
 | 
			
		||||
@@ -66,13 +66,27 @@
 | 
			
		||||
    mode: 0400
 | 
			
		||||
  when: authorized_keys is defined
 | 
			
		||||
 | 
			
		||||
- name: Create system user groups
 | 
			
		||||
  ansible.builtin.group:
 | 
			
		||||
    name: "{{ item.key }}"
 | 
			
		||||
    gid: "{{ item.value.gid }}"
 | 
			
		||||
    state: present
 | 
			
		||||
  loop: "{{ users | dict2items }}"
 | 
			
		||||
  loop_control:
 | 
			
		||||
    label: "{{ item.key }}"
 | 
			
		||||
  when: users is defined
 | 
			
		||||
 | 
			
		||||
- name: Create system users
 | 
			
		||||
  ansible.builtin.user:
 | 
			
		||||
    name: "{{ item.name }}"
 | 
			
		||||
    name: "{{ item.key }}"
 | 
			
		||||
    state: present
 | 
			
		||||
    shell: "{{ item.shell | default('/bin/bash') }}"
 | 
			
		||||
    create_home: "{{ item.home | default(false) }}"
 | 
			
		||||
  loop: "{{ users }}"
 | 
			
		||||
    uid: "{{ item.value.uid }}"
 | 
			
		||||
    group: "{{ item.value.gid }}"
 | 
			
		||||
    shell: "{{ item.value.shell | default('/bin/bash') }}"
 | 
			
		||||
    create_home: "{{ item.value.home | default(false) }}"
 | 
			
		||||
  loop: "{{ users | dict2items }}"
 | 
			
		||||
  loop_control:
 | 
			
		||||
    label: "{{ item.key }}"
 | 
			
		||||
  when: users is defined
 | 
			
		||||
 | 
			
		||||
- name: Set authorized_keys for system users
 | 
			
		||||
@@ -80,7 +94,9 @@
 | 
			
		||||
    user: "{{ item.key }}"
 | 
			
		||||
    key: "{{ item.value.key }}"
 | 
			
		||||
    state: present
 | 
			
		||||
  loop: "{{ users }}"
 | 
			
		||||
  loop: "{{ users | dict2items }}"
 | 
			
		||||
  loop_control:
 | 
			
		||||
    label: "{{ item.key }}"
 | 
			
		||||
  when: users is defined and item.value.key is defined
 | 
			
		||||
 | 
			
		||||
- name: Manage filesystem mounts
 | 
			
		||||
 
 | 
			
		||||
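Review bot: In the `Create system users` task, `uid: "{{ item.value.uid }}"` and `group: "{{ item.value.gid }}"` (and `gid:` in the new groups task) have no default, so a `users` entry that omits them fails with an undefined-variable error, whereas `shell` and `home` in the same task fall back via `default(...)`. If uid/gid are meant to be optional, `uid: "{{ item.value.uid | default(omit) }}"` and `gid: "{{ item.value.gid | default(omit) }}"` let the system allocate them; if they are required, a comment on the task saying so would help, since the only example on this page (`git` in the vars hunk) sets both. Also, `ansible.builtin.user`'s `group` parameter is documented as taking a group name, and the groups task just created one named `item.key`, so `group: "{{ item.key }}"` is the safer form than passing the numeric gid. The same `dict2items` conversion is applied in the authorized_keys hunk below and needs no separate change.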
@@ -1,38 +1,23 @@
 | 
			
		||||
- name: Create Gitea directory
 | 
			
		||||
  ansible.builtin.file:
 | 
			
		||||
    path: "{{ gitea_root }}"
 | 
			
		||||
    state: directory
 | 
			
		||||
- name: Install MySQL module for Ansible
 | 
			
		||||
  ansible.builtin.apt:
 | 
			
		||||
    name: python3-pymysql
 | 
			
		||||
    state: present
 | 
			
		||||
 | 
			
		||||
- name: Create Gitea database
 | 
			
		||||
  community.mysql.mysql_db:
 | 
			
		||||
    name: "{{ gitea_dbname }}"
 | 
			
		||||
    name: "{{ gitea.DB_NAME }}"
 | 
			
		||||
    state: present
 | 
			
		||||
    login_unix_socket: /var/run/mysqld/mysqld.sock
 | 
			
		||||
 | 
			
		||||
- name: Create Gitea database user
 | 
			
		||||
  community.mysql.mysql_user:
 | 
			
		||||
    name: "{{ gitea_dbuser }}"
 | 
			
		||||
    password: "{{ gitea_dbpass }}"
 | 
			
		||||
    name: "{{ gitea.DB_USER }}"
 | 
			
		||||
    password: "{{ gitea.DB_PASSWD }}"
 | 
			
		||||
    host: '%'
 | 
			
		||||
    state: present
 | 
			
		||||
    priv: "{{ gitea_dbname }}.*:ALL"
 | 
			
		||||
    priv: "{{ gitea.DB_NAME }}.*:ALL"
 | 
			
		||||
    login_unix_socket: /var/run/mysqld/mysqld.sock
 | 
			
		||||
 | 
			
		||||
- name: Create git user
 | 
			
		||||
  ansible.builtin.user:
 | 
			
		||||
    name: git
 | 
			
		||||
    state: present
 | 
			
		||||
 | 
			
		||||
- name: Git user uid
 | 
			
		||||
  ansible.builtin.getent:
 | 
			
		||||
    database: passwd
 | 
			
		||||
    key: git
 | 
			
		||||
 | 
			
		||||
- name: Git user gid
 | 
			
		||||
  ansible.builtin.getent:
 | 
			
		||||
    database: group
 | 
			
		||||
    key: git
 | 
			
		||||
 | 
			
		||||
- name: Create git's .ssh directory
 | 
			
		||||
  ansible.builtin.file:
 | 
			
		||||
    path: /home/git/.ssh
 | 
			
		||||
@@ -70,28 +55,11 @@
 | 
			
		||||
    dest: /usr/local/bin/gitea
 | 
			
		||||
    mode: 0755
 | 
			
		||||
 | 
			
		||||
- name: Install Gitea's docker-compose file
 | 
			
		||||
  ansible.builtin.template:
 | 
			
		||||
    src: docker-compose.yml.j2
 | 
			
		||||
    dest: "{{ gitea_root }}/docker-compose.yml"
 | 
			
		||||
  notify: restart_gitea
 | 
			
		||||
 | 
			
		||||
- name: Install Gitea's docker-compose variables
 | 
			
		||||
  ansible.builtin.template:
 | 
			
		||||
    src: compose-env.j2
 | 
			
		||||
    dest: "{{ gitea_root }}/.env"
 | 
			
		||||
  notify: restart_gitea
 | 
			
		||||
 | 
			
		||||
- name: Create Gitea's logging directory
 | 
			
		||||
  ansible.builtin.file:
 | 
			
		||||
    name: /var/log/gitea
 | 
			
		||||
    state: directory
 | 
			
		||||
 | 
			
		||||
- name: Create Gitea's initial log file
 | 
			
		||||
  ansible.builtin.file:
 | 
			
		||||
    name: /var/log/gitea/gitea.log
 | 
			
		||||
    state: touch
 | 
			
		||||
 | 
			
		||||
- name: Install Gitea's Fail2ban filter
 | 
			
		||||
  ansible.builtin.template:
 | 
			
		||||
    src: fail2ban-filter.conf.j2
 | 
			
		||||
 
 | 
			
		||||
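Review bot: `host: '%'` on the `Create Gitea database user` task lets `{{ gitea.DB_USER }}` authenticate from any address, and with this commit MariaDB's bind-address moves to the docker0 IP and `mariadb_trust` defaults to `172.16.0.0/12`; the grant could be narrowed to match, e.g. `host: '172.%'` (or the compose network's subnet if it is fixed), so that a firewall mistake alone does not expose the account. Combined with the `DB_PASSWD: password` default in the vars hunk, this is the most exposed credential on the page. Removing `Create git user` from this role also means `/home/git/.ssh` now relies on the base role having created `git` from `users.git` with `home: true`; a comment on the `.ssh` task naming that dependency (or a `meta/main.yml` dependency) would keep the role from failing when run on its own. This rendering does not mark which task lines are old and new, so I am inferring the removals from the hunk line counts.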
@@ -1,3 +0,0 @@
 | 
			
		||||
mariadb_trust:
 | 
			
		||||
  - "172.16.0.0/12"
 | 
			
		||||
  - "192.168.0.0/16"
 | 
			
		||||
							
								
								
									
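--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Restart MariaDB
+  ansible.builtin.service:
+    name: mariadb
+    state: restarted
+  listen: restart_mariadb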
@@ -3,23 +3,20 @@
 | 
			
		||||
    name: mariadb-server
 | 
			
		||||
    state: present
 | 
			
		||||
 | 
			
		||||
- name: Change the bind-address to allow Docker
 | 
			
		||||
- name: Regather facts for the potentially new docker0 interface
 | 
			
		||||
  ansible.builtin.setup:
 | 
			
		||||
 | 
			
		||||
- name: Change the bind-address to allow from docker0
 | 
			
		||||
  ansible.builtin.lineinfile:
 | 
			
		||||
    path: /etc/mysql/mariadb.conf.d/50-server.cnf
 | 
			
		||||
    regex: "^bind-address"
 | 
			
		||||
    line: "bind-address            = 0.0.0.0"
 | 
			
		||||
  register: mariadb_conf
 | 
			
		||||
    line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
 | 
			
		||||
  notify: restart_mariadb
 | 
			
		||||
 | 
			
		||||
- name: Restart MariaDB
 | 
			
		||||
  ansible.builtin.service:
 | 
			
		||||
    name: mariadb
 | 
			
		||||
    state: restarted
 | 
			
		||||
  when: mariadb_conf.changed
 | 
			
		||||
 | 
			
		||||
- name: Allow database connections
 | 
			
		||||
- name: Allow database connections from Docker
 | 
			
		||||
  community.general.ufw:
 | 
			
		||||
    rule: allow
 | 
			
		||||
    port: "3306"
 | 
			
		||||
    proto: tcp
 | 
			
		||||
    src: "{{ item }}"
 | 
			
		||||
  loop: "{{ mariadb_trust }}"
 | 
			
		||||
  loop: "{{ mariadb_trust | default(['172.16.0.0/12']) }}"
 | 
			
		||||
 
 | 
			
		||||
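Review bot: `line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"` fails with an undefined-attribute error if `docker0` is absent (Docker not yet installed, or a host whose bridge is named differently), and the preceding `ansible.builtin.setup` regather does not guard against that. An `ansible.builtin.assert` with `that: ansible_facts.docker0 is defined` and a message pointing at the role ordering, or `when: ansible_facts.docker0 is defined` on the lineinfile task, turns that into a clear failure instead of a templating traceback. The `| default(['172.16.0.0/12'])` on the ufw loop drops the `192.168.0.0/16` entry that the deleted `defaults/main.yml` allowed; that looks intentional given docker0 sits in 172.16/12, but a one-line comment saying so would save the next reader a blame. Note that binding to docker0's address does not by itself restrict who can connect, since any container on a user-defined compose network can still route to that IP, so the ufw `src` rule and the MySQL `host` grant remain the actual access control.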