testing

2024-03-05 00:00:53 -05:00
10 changed files with 166 additions and 132 deletions
--- a/dev/dockerbox.yml
+++ b/dev/dockerbox.yml
@@ -6,7 +6,8 @@
  roles:
    - base
    - docker
-    - mariadb
    - traefik
    - nextcloud
-    - proxy
+    - jenkins
+    - prometheus
+    - nginx
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@@ -2,47 +2,44 @@
 allow_reboot: false
 manage_network: false

-# Import my GPG key for git signature verification
-root_gpgkeys:
-  - name: kris@lamoureux.io
-    id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
-
-# proxy
-proxy:
-  servers:
-    - domain: cloud.local.krislamo.org
-      proxy_pass: http://127.0.0.1:8000
-
 # docker
-docker_official: true # docker's apt repos
 docker_users:
  - vagrant

-docker_compose_env_nolog: false # dev only setting
-docker_compose_deploy:
-  # Traefik
-  - name: traefik
-    url: https://github.com/krislamo/traefik
-    version: d62bd06b37ecf0993962b0449a9d708373f9e381
-    enabled: true
-    accept_newhostkey: true # Consider verifying manually instead
-    trusted_keys:
-      - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
-    env:
-      DASHBOARD: true
-  # Nextcloud
-  - name: nextcloud
-    url: https://github.com/krislamo/nextcloud
-    version: 0abc5cc6ba64ed94b7ddc6fd934f0fd62b8a6d11
-    env:
-      DATA: ./data
-
 # traefik
-traefik:
-  ENABLE: true
+traefik_version: latest
+traefik_dashboard: true
+traefik_domain: traefik.local.krislamo.org
+traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
+traefik_web_entry: 0.0.0.0:80
+traefik_websecure_entry: 0.0.0.0:443
+#traefik_acme_email: realemail@example.com # Let's Encrypt settings
+#traefik_production: true
+#traefik_http_only: true # if behind reverse-proxy

 # nextcloud
-nextcloud:
-  DOMAIN: cloud.local.krislamo.org
-  DB_PASSWD: password
-  ADMIN_PASSWD: password
+nextcloud_version: stable
+nextcloud_admin: admin
+nextcloud_pass: password
+nextcloud_domain: cloud.local.krislamo.org
+
+nextcloud_dbversion: latest
+nextcloud_dbpass: password
+
+# jenkins
+jenkins_version: lts
+jenkins_domain: jenkins.local.krislamo.org
+
+# prometheus (includes grafana)
+prom_version: latest
+prom_domain: prom.local.krislamo.org
+grafana_version: latest
+grafana_domain: grafana.local.krislamo.org
+prom_targets: "['10.0.2.15:9100']"
+
+# nginx
+nginx_domain: nginx.local.krislamo.org
+nginx_name: staticsite
+nginx_repo_url: https://git.krislamo.org/kris/example-website/
+nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
+nginx_version: latest
--- a/forward-ssh.sh
+++ b/forward-ssh.sh
@@ -28,7 +28,6 @@ fi

 # Clean environment
 unset PRIVATE_KEY
-unset HOST_IP
 unset MATCH_PATTERN
 unset PKILL_ANSWER

@@ -78,12 +77,17 @@ else
 fi

 # Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
-HOST_IP="$(sudo -u "$SUDO_USER" vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
 if [ -z "$HOST_IP" ]; then
+  HOST_IP="$(sudo -u "$SUDO_USER" vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
+
+  if [ -z "$HOST_IP" ]; then
    echo "[ERROR]: Failed to find ${1:-default}'s IP"
    exit 1
+  fi
+  HOST_IP="${HOST_IP::-1}" # trim
+else
+  echo "[INFO]: HOST_IP configured by the shell environment"
 fi
-HOST_IP="${HOST_IP::-1}" # trim

 if ! ping -c 1 "$HOST_IP" &>/dev/null; then
  echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -17,10 +17,6 @@
    line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
  notify: restart_mariadb

- name: Flush handlers to ensure MariaDB restarts immediately
-  ansible.builtin.meta: flush_handlers
-  tags: restart_mariadb
-
 - name: Allow database connections from Docker
  community.general.ufw:
    rule: allow
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@@ -1 +1,11 @@
-nextcloud_name: nextcloud
+# container names
+nextcloud_container: nextcloud
+nextcloud_dbcontainer: "{{ nextcloud_container }}-db"
+
+# database settings
+nextcloud_dbname: "{{ nextcloud_container }}"
+nextcloud_dbuser: "{{ nextcloud_dbname }}"
+
+# host mounts
+nextcloud_root: "/opt/{{ nextcloud_container }}/public_html"
+nextcloud_dbroot: "/opt/{{ nextcloud_container }}/database"
--- a/roles/nextcloud/handlers/main.yml
+++ b/roles/nextcloud/handlers/main.yml
@@ -1,25 +0,0 @@
- name: Set Nextcloud's Trusted Proxy
-  ansible.builtin.command: >
-    docker exec --user www-data "{{ nextcloud_name }}"
-      php occ config:system:set trusted_proxies 0 --value="{{ traefik_name }}"
-  register: nextcloud_trusted_proxy
-  changed_when: "nextcloud_trusted_proxy.stdout == 'System config value trusted_proxies => 0 set to string ' ~ traefik_name"
-  listen: install_nextcloud
-
- name: Set Nextcloud's Trusted Domain
-  ansible.builtin.command: >
-    docker exec --user www-data "{{ nextcloud_name }}"
-      php occ config:system:set trusted_domains 0 --value="{{ nextcloud.DOMAIN }}"
-  register: nextcloud_trusted_domains
-  changed_when: "nextcloud_trusted_domains.stdout == 'System config value trusted_domains => 0 set to string ' ~ nextcloud.DOMAIN"
-  listen: install_nextcloud
-
- name: Preform Nextcloud database maintenance
-  ansible.builtin.command: >
-    docker exec --user www-data "{{ nextcloud_name }}" {{ item }}
-  loop:
-    - "php occ maintenance:mode --on"
-    - "php occ db:add-missing-indices"
-    - "php occ db:convert-filecache-bigint"
-    - "php occ maintenance:mode --off"
-  listen: install_nextcloud
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -1,62 +1,109 @@
- name: Install MySQL module for Ansible
-  ansible.builtin.apt:
-    name: python3-pymysql
-    state: present
+- name: Create Nextcloud network
+  community.general.docker_network:
+    name: "{{ nextcloud_container }}"

- name: Create Nextcloud database
-  community.mysql.mysql_db:
-    name: "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-    state: present
-    login_unix_socket: /var/run/mysqld/mysqld.sock
-
- name: Create Nextcloud database user
-  community.mysql.mysql_user:
-    name: "{{ nextcloud.DB_USER | default('nextcloud') }}"
-    password: "{{ nextcloud.DB_PASSWD }}"
-    host: '%'
-    state: present
-    priv: "{{ nextcloud.DB_NAME | default('nextcloud') }}.*:ALL"
-    login_unix_socket: /var/run/mysqld/mysqld.sock
-
- name: Start Nextcloud service and enable on boot
-  ansible.builtin.service:
-    name: "{{ docker_compose_service }}@{{ nextcloud_name }}"
+- name: Start Nextcloud's database container
+  community.general.docker_container:
+    name: "{{ nextcloud_dbcontainer }}"
+    image: mariadb:{{ nextcloud_dbversion }}
    state: started
-    enabled: true
-  when: nextcloud.ENABLE | default('false')
+    restart_policy: always
+    volumes: "{{ nextcloud_dbroot }}:/var/lib/mysql"
+    networks_cli_compatible: true
+    networks:
+      - name: "{{ nextcloud_container }}"
+    env:
+      MYSQL_RANDOM_ROOT_PASSWORD: "true"
+      MYSQL_DATABASE: "{{ nextcloud_dbname }}"
+      MYSQL_USER: "{{ nextcloud_dbuser }}"
+      MYSQL_PASSWORD: "{{ nextcloud_dbpass }}"
+
+- name: Start Nextcloud container
+  community.general.docker_container:
+    name: "{{ nextcloud_container }}"
+    image: nextcloud:{{ nextcloud_version }}
+    state: started
+    restart_policy: always
+    volumes: "{{ nextcloud_root }}:/var/www/html"
+    networks_cli_compatible: true
+    networks:
+      - name: "{{ nextcloud_container }}"
+      - name: traefik
+    env:
+      PHP_MEMORY_LIMIT: 1024M
+    labels:
+      traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
+      traefik.http.routers.nextcloud.entrypoints: websecure
+      traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
+      traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
+      traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
+      traefik.docker.network: traefik
+      traefik.enable: "true"
+
+- name: Grab Nextcloud database container information
+  community.general.docker_container_info:
+    name: "{{ nextcloud_dbcontainer }}"
+  register: nextcloud_dbinfo

 - name: Grab Nextcloud container information
  community.general.docker_container_info:
-    name: "{{ nextcloud_name }}"
+    name: "{{ nextcloud_container }}"
  register: nextcloud_info

 - name: Wait for Nextcloud to become available
  ansible.builtin.wait_for:
    host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
-    delay: 10
    port: 80

 - name: Check Nextcloud status
-  ansible.builtin.command: >
-    docker exec --user www-data "{{ nextcloud_name }}" php occ status
+  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }}
+            php occ status"
  register: nextcloud_status
-  changed_when: false
+  args:
+    removes: "{{ nextcloud_root }}/config/CAN_INSTALL"
+
+- name: Wait for Nextcloud database to become available
+  ansible.builtin.wait_for:
+    host: "{{ nextcloud_dbinfo.container.NetworkSettings.Networks.nextcloud.IPAddress }}"
+    port: 3306

 - name: Install Nextcloud
-  ansible.builtin.command: >
-    docker exec --user www-data {{ nextcloud_name }}
+  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
            php occ maintenance:install
              --database "mysql"
-        --database-host "{{ nextcloud.DB_HOST | default('host.docker.internal') }}"
-        --database-name "{{ nextcloud.DB_NAME | default('nextcloud') }}"
-        --database-user "{{ nextcloud.DB_USER | default('nextcloud') }}"
-        --database-pass "{{ nextcloud.DB_PASSWD }}"
-        --admin-user "{{ nextcloud.ADMIN_USER | default('admin') }}"
-        --admin-pass "{{ nextcloud.ADMIN_PASSWD }}"
+              --database-host "{{ nextcloud_dbcontainer }}"
+              --database-name "{{ nextcloud_dbname }}"
+              --database-user "{{ nextcloud_dbuser }}"
+              --database-pass "{{ nextcloud_dbpass }}"
+              --admin-user "{{ nextcloud_admin }}"
+              --admin-pass "{{ nextcloud_pass }}"'
  register: nextcloud_install
-  when: nextcloud_status.stderr[:26] == "Nextcloud is not installed"
-  changed_when: nextcloud_install.stdout == "Nextcloud was successfully installed"
-  notify: install_nextcloud
+  when:
+    - nextcloud_status.stdout[:26] == "Nextcloud is not installed"
+    - nextcloud_domain is defined
+
+- name: Set Nextcloud's Trusted Proxy
+  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
+            php occ config:system:set trusted_proxies 0
+              --value="{{ traefik_name }}"'
+  when: nextcloud_install.changed
+
+- name: Set Nextcloud's Trusted Domain
+  ansible.builtin.command: 'docker exec --user www-data {{ nextcloud_container }}
+            php occ config:system:set trusted_domains 0
+              --value="{{ nextcloud_domain }}"'
+  when: nextcloud_install.changed
+
+- name: Preform Nextcloud database maintenance
+  ansible.builtin.command: "docker exec --user www-data {{ nextcloud_container }} {{ item }}"
+  loop:
+    - "php occ maintenance:mode --on"
+    - "php occ db:add-missing-indices"
+    - "php occ db:convert-filecache-bigint"
+    - "php occ maintenance:mode --off"
+  when: nextcloud_install.changed

 - name: Install Nextcloud background jobs cron
  ansible.builtin.cron:
@@ -64,3 +111,8 @@
    minute: "*/5"
    job: "/usr/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"
    user: root
+
+- name: Remove Nextcloud's CAN_INSTALL file
+  ansible.builtin.file:
+    path: "{{ nextcloud_root }}/config/CAN_INSTALL"
+    state: absent
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -1 +0,0 @@
-cached_dhparams_pem: /vagrant/scratch/dhparams.pem
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -10,19 +10,6 @@
    state: started
    enabled: true

- name: Check for cached dhparams.pem file
-  ansible.builtin.stat:
-    path: "{{ cached_dhparams_pem }}"
-  register: dhparams_file
-
- name: Copy cached dhparams.pem to /etc/ssl/
-  ansible.builtin.copy:
-    src: "{{ cached_dhparams_pem }}"
-    dest: /etc/ssl/dhparams.pem
-    mode: "600"
-    remote_src: true
-  when: dhparams_file.stat.exists
-
 - name: Generate DH Parameters
  community.crypto.openssl_dhparam:
    path: /etc/ssl/dhparams.pem
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -21,6 +21,20 @@
  loop: "{{ traefik_external }}"
  when: traefik_external is defined

+- name: Install Traefik's docker-compose file
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: "{{ traefik_root }}/docker-compose.yml"
+    mode: 0400
+  notify: restart_traefik
+
+- name: Install Traefik's docker-compose variables
+  ansible.builtin.template:
+    src: compose-env.j2
+    dest: "{{ traefik_root }}/.env"
+    mode: 0400
+  notify: restart_traefik
+
 - name: Install static Traefik configuration
  ansible.builtin.template:
    src: traefik.yml.j2
@@ -28,9 +42,8 @@
    mode: 0400
  notify: restart_traefik

- name: Start Traefik service and enable on boot
+- name: Start and enable Traefik service
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ traefik_name }}"
    state: started
    enabled: true
-  when: traefik.ENABLED | default('false')
				`@@ -1 +0,0 @@`
				`cached_dhparams_pem: /vagrant/scratch/dhparams.pem`