Compare commits
1 Commits
dockerbox_
...
mediawiki
| Author | SHA1 | Date | |
|---|---|---|---|
| db8bb672d3 |
39
.github/workflows/vagrant.yml
vendored
39
.github/workflows/vagrant.yml
vendored
@@ -1,39 +0,0 @@
|
|||||||
name: homelab-ci
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- testing
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
homelab-ci:
|
|
||||||
runs-on: macos-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Cache Vagrant boxes
|
|
||||||
uses: actions/cache@v3
|
|
||||||
with:
|
|
||||||
path: ~/.vagrant.d/boxes
|
|
||||||
key: ${{ runner.os }}-vagrant-${{ hashFiles('Vagrantfile') }}
|
|
||||||
restore-keys: |
|
|
||||||
${{ runner.os }}-vagrant-
|
|
||||||
|
|
||||||
- name: Install Ansible
|
|
||||||
run: brew install ansible@7
|
|
||||||
|
|
||||||
- name: Software Versions
|
|
||||||
run: |
|
|
||||||
printf "VirtualBox "
|
|
||||||
vboxmanage --version
|
|
||||||
vagrant --version
|
|
||||||
export PATH="/usr/local/opt/ansible@7/bin:$PATH"
|
|
||||||
ansible --version
|
|
||||||
|
|
||||||
- name: Vagrant Up with Dockerbox Playbook
|
|
||||||
run: |
|
|
||||||
export PATH="/usr/local/opt/ansible@7/bin:$PATH"
|
|
||||||
PLAYBOOK=dockerbox vagrant up
|
|
||||||
vagrant ssh -c "docker ps"
|
|
||||||
14
.gitignore
vendored
14
.gitignore
vendored
@@ -1,4 +1,12 @@
|
|||||||
|
.vagrant
|
||||||
.playbook
|
.playbook
|
||||||
.vagrant*
|
/*.yml
|
||||||
.vscode
|
/*.yaml
|
||||||
/environments/
|
!backup.yml
|
||||||
|
!moxie.yml
|
||||||
|
!docker.yml
|
||||||
|
!dockerbox.yml
|
||||||
|
!hypervisor.yml
|
||||||
|
!minecraft.yml
|
||||||
|
!unifi.yml
|
||||||
|
/environments/
|
||||||
|
|||||||
10
Makefile
10
Makefile
@@ -1,10 +0,0 @@
|
|||||||
.PHONY: clean install
|
|
||||||
|
|
||||||
all: install
|
|
||||||
|
|
||||||
install:
|
|
||||||
vagrant up --no-destroy-on-error
|
|
||||||
sudo ./forward-ssh.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
vagrant destroy -f && rm -rf .vagrant
|
|
||||||
69
README.md
69
README.md
@@ -1,76 +1,41 @@
|
|||||||
# Homelab
|
# Project Moxie
|
||||||
|
|
||||||
This project is my personal IT homelab initiative for self-hosting and
|
Project Moxie is a personal IT homelab project written in Ansible and executed by Jenkins. It is a growing collection of infrastructure as code (IaC) I write out of curiosity and for reference purposes, keeping a handful of beneficial projects managed and secured.
|
||||||
exploring Free and Open Source Software (FOSS) infrastructure. As a technology
|
|
||||||
enthusiast and professional, this project is primarily a practical tool for
|
|
||||||
hosting services. It serves as a playground for engaging with systems
|
|
||||||
technology in functional, intriguing, and gratifying ways. Self-hosting
|
|
||||||
empowers individuals to govern their digital space, ensuring that their online
|
|
||||||
environments reflect personal ethics rather than centralized entities' opaque
|
|
||||||
policies.
|
|
||||||
|
|
||||||
Built on Debian Stable, this project utilizes Ansible and Vagrant, providing
|
|
||||||
relatively easy-to-use reproducible ephemeral environments to test
|
|
||||||
infrastructure automation before pushing to live systems.
|
|
||||||
|
|
||||||
## Quick Start
|
## Quick Start
|
||||||
|
|
||||||
To configure a local virtual machine for testing, follow these simple steps.
|
To configure a local virtual machine for testing, follow these simple steps.
|
||||||
|
|
||||||
|
### Prerequisites
|
||||||
|
|
||||||
|
Vagrant and VirtualBox are used to develop Project Moxie. You will need to install these before continuing.
|
||||||
|
|
||||||
### Installation
|
### Installation
|
||||||
|
|
||||||
1. Clone this repository
|
1. Clone this repository
|
||||||
```
|
```
|
||||||
git clone https://git.krislamo.org/kris/homelab
|
git clone https://github.com/krislamo/moxie
|
||||||
```
|
|
||||||
Optionally clone from the GitHub mirror instead:
|
|
||||||
```
|
|
||||||
git clone https://github.com/krislamo/homelab
|
|
||||||
```
|
```
|
||||||
2. Set the `PLAYBOOK` environmental variable to a development playbook name in the `dev/` directory
|
2. Set the `PLAYBOOK` environmental variable to a development playbook name in the `dev/` directory
|
||||||
|
|
||||||
To list available options in the `dev/` directory and choose a suitable PLAYBOOK, run:
|
The following `PLAYBOOK` names are available: `dockerbox`, `hypervisor`, `minecraft`, `bitwarden`, `nextcloud`, `nginx`
|
||||||
```
|
|
||||||
ls dev/*.yml | xargs -n 1 basename -s .yml
|
|
||||||
```
|
|
||||||
Export the `PLAYBOOK` variable
|
|
||||||
```
|
```
|
||||||
export PLAYBOOK=dockerbox
|
export PLAYBOOK=dockerbox
|
||||||
```
|
```
|
||||||
3. Clean up any previous provision and build the VM
|
3. Bring the Vagrant box up
|
||||||
```
|
```
|
||||||
make clean && make
|
vagrant up
|
||||||
```
|
```
|
||||||
|
|
||||||
## Vagrant Settings
|
#### Copyright and License
|
||||||
The Vagrantfile configures the environment based on settings from `.vagrant.yml`,
|
Copyright (C) 2020-2021 Kris Lamoureux
|
||||||
with default values including:
|
|
||||||
|
|
||||||
- PLAYBOOK: `default`
|
|
||||||
- Runs a `default` playbook that does nothing.
|
|
||||||
- You can set this by an environmental variable with the same name.
|
|
||||||
- VAGRANT_BOX: `debian/bookworm64`
|
|
||||||
- Current Debian Stable codename
|
|
||||||
- VAGRANT_CPUS: `2`
|
|
||||||
- Threads or cores per node, depending on CPU architecture
|
|
||||||
- VAGRANT_MEM: `2048`
|
|
||||||
- Specifies the amount of memory (in MB) allocated
|
|
||||||
- SSH_FORWARD: `false`
|
|
||||||
- Enable this if you need to forward SSH agents to the Vagrant machine
|
|
||||||
|
|
||||||
|
|
||||||
## Copyright and License
|
|
||||||
Copyright (C) 2019-2023 Kris Lamoureux
|
|
||||||
|
|
||||||
[](https://www.gnu.org/licenses/gpl-3.0)
|
[](https://www.gnu.org/licenses/gpl-3.0)
|
||||||
|
|
||||||
This program is free software: you can redistribute it and/or modify it under
|
|
||||||
the terms of the GNU General Public License as published by the Free Software
|
|
||||||
Foundation, version 3 of the License.
|
|
||||||
|
|
||||||
This program is distributed in the hope that it will be useful, but WITHOUT ANY
|
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
|
||||||
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
|
||||||
PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
|
||||||
|
|
||||||
You should have received a copy of the GNU General Public License along with
|
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
||||||
this program. If not, see <https://www.gnu.org/licenses/>.
|
|
||||||
|
You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|||||||
51
Vagrantfile
vendored
51
Vagrantfile
vendored
@@ -1,41 +1,42 @@
|
|||||||
# -*- mode: ruby -*-
|
# -*- mode: ruby -*-
|
||||||
# vi: set ft=ruby :
|
# vi: set ft=ruby :
|
||||||
|
|
||||||
require 'yaml'
|
SSH_FORWARD=ENV["SSH_FORWARD"]
|
||||||
settings_path = '.vagrant.yml'
|
if !(SSH_FORWARD == "true")
|
||||||
settings = {}
|
SSH_FORWARD = false
|
||||||
|
|
||||||
if File.exist?(settings_path)
|
|
||||||
settings = YAML.load_file(settings_path)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
VAGRANT_BOX = settings['VAGRANT_BOX'] || 'debian/bookworm64'
|
|
||||||
VAGRANT_CPUS = settings['VAGRANT_CPUS'] || 2
|
|
||||||
VAGRANT_MEM = settings['VAGRANT_MEM'] || 2048
|
|
||||||
SSH_FORWARD = settings['SSH_FORWARD'] || false
|
|
||||||
|
|
||||||
# Default to shell environment variable: PLAYBOOK (priority #1)
|
|
||||||
PLAYBOOK=ENV["PLAYBOOK"]
|
PLAYBOOK=ENV["PLAYBOOK"]
|
||||||
if !PLAYBOOK || PLAYBOOK.empty?
|
if !PLAYBOOK
|
||||||
# PLAYBOOK setting in .vagrant.yml (priority #2)
|
if File.exist?('.playbook')
|
||||||
PLAYBOOK = settings['PLAYBOOK'] || 'default'
|
PLAYBOOK = IO.read('.playbook').split("\n")[0]
|
||||||
|
end
|
||||||
|
|
||||||
|
if !PLAYBOOK || PLAYBOOK.empty?
|
||||||
|
PLAYBOOK = "\nERROR: Set env PLAYBOOK"
|
||||||
|
end
|
||||||
|
else
|
||||||
|
File.write(".playbook", PLAYBOOK)
|
||||||
end
|
end
|
||||||
|
|
||||||
Vagrant.configure("2") do |config|
|
Vagrant.configure("2") do |config|
|
||||||
config.vm.box = VAGRANT_BOX
|
config.vm.box = "debian/bullseye64"
|
||||||
config.vm.network "private_network", type: "dhcp"
|
config.vm.network "private_network", type: "dhcp"
|
||||||
|
config.vm.synced_folder ".", "/vagrant", disabled: true
|
||||||
|
config.vm.synced_folder "./scratch", "/vagrant/scratch"
|
||||||
config.ssh.forward_agent = SSH_FORWARD
|
config.ssh.forward_agent = SSH_FORWARD
|
||||||
|
|
||||||
# Libvrit provider
|
# Machine Name
|
||||||
config.vm.provider :libvirt do |libvirt|
|
config.vm.define :moxie do |moxie| #
|
||||||
libvirt.cpus = VAGRANT_CPUS
|
|
||||||
libvirt.memory = VAGRANT_MEM
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# Virtualbox provider
|
# Disable Machine Name Prefix
|
||||||
config.vm.provider :virtualbox do |vbox|
|
config.vm.provider :libvirt do |libvirt|
|
||||||
vbox.cpus = VAGRANT_CPUS
|
libvirt.default_prefix = ""
|
||||||
vbox.memory = VAGRANT_MEM
|
end
|
||||||
|
|
||||||
|
config.vm.provider "virtualbox" do |vbox|
|
||||||
|
vbox.memory = 4096
|
||||||
end
|
end
|
||||||
|
|
||||||
# Provision with Ansible
|
# Provision with Ansible
|
||||||
@@ -43,6 +44,6 @@ Vagrant.configure("2") do |config|
|
|||||||
ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
|
ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
|
||||||
ansible.compatibility_mode = "2.0"
|
ansible.compatibility_mode = "2.0"
|
||||||
ansible.playbook = "dev/" + PLAYBOOK + ".yml"
|
ansible.playbook = "dev/" + PLAYBOOK + ".yml"
|
||||||
ansible.raw_arguments = ["--diff"]
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -1,7 +1,3 @@
|
|||||||
[defaults]
|
[defaults]
|
||||||
inventory = ./environments/development
|
inventory = ./environments/development
|
||||||
interpreter_python = /usr/bin/python3
|
interpreter_python = /usr/bin/python3
|
||||||
roles_path = ./roles
|
|
||||||
|
|
||||||
[connection]
|
|
||||||
pipelining = true
|
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
- name: Install 'default' aka nothing
|
|
||||||
hosts: all
|
|
||||||
become: true
|
|
||||||
tasks: []
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
- name: Install Docker Server
|
|
||||||
hosts: all
|
|
||||||
become: true
|
|
||||||
vars_files:
|
|
||||||
- host_vars/docker.yml
|
|
||||||
roles:
|
|
||||||
- base
|
|
||||||
- docker
|
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
- name: Install Dockerbox Server
|
- name: Install Docker Box Server
|
||||||
hosts: all
|
hosts: all
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
@@ -6,7 +6,9 @@
|
|||||||
roles:
|
roles:
|
||||||
- base
|
- base
|
||||||
- docker
|
- docker
|
||||||
- mariadb
|
|
||||||
- traefik
|
- traefik
|
||||||
- nextcloud
|
- nextcloud
|
||||||
- proxy
|
- gitea
|
||||||
|
- jenkins
|
||||||
|
- prometheus
|
||||||
|
- nginx
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
- name: Install Gitea Server
|
|
||||||
hosts: all
|
|
||||||
become: true
|
|
||||||
vars_files:
|
|
||||||
- host_vars/gitea.yml
|
|
||||||
roles:
|
|
||||||
- base
|
|
||||||
- docker
|
|
||||||
- mariadb
|
|
||||||
- gitea
|
|
||||||
@@ -9,14 +9,14 @@ docker_users:
|
|||||||
# traefik
|
# traefik
|
||||||
traefik_version: latest
|
traefik_version: latest
|
||||||
traefik_dashboard: true
|
traefik_dashboard: true
|
||||||
traefik_domain: traefik.local.krislamo.org
|
traefik_domain: traefik.vm.krislamo.org
|
||||||
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
||||||
#traefik_production: true
|
#traefik_production: true
|
||||||
|
|
||||||
# bitwarden
|
# bitwarden
|
||||||
# Get Installation ID & Key at https://bitwarden.com/host/
|
# Get Installation ID & Key at https://bitwarden.com/host/
|
||||||
bitwarden_domain: vault.local.krislamo.org
|
bitwarden_domain: vault.vm.krislamo.org
|
||||||
bitwarden_dbpass: password
|
bitwarden_dbpass: password
|
||||||
bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
|
bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
|
||||||
bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
|
bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
|
||||||
|
|||||||
@@ -1,48 +0,0 @@
|
|||||||
# base
|
|
||||||
allow_reboot: false
|
|
||||||
manage_network: false
|
|
||||||
|
|
||||||
# Import my GPG key for git signature verification
|
|
||||||
root_gpgkeys:
|
|
||||||
- name: kris@lamoureux.io
|
|
||||||
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
|
|
||||||
# docker
|
|
||||||
docker_users:
|
|
||||||
- vagrant
|
|
||||||
|
|
||||||
#docker_login_url: https://myregistry.example.com
|
|
||||||
#docker_login_user: myuser
|
|
||||||
#docker_login_pass: YOUR_PASSWD
|
|
||||||
|
|
||||||
docker_compose_env_nolog: false # dev only setting
|
|
||||||
docker_compose_deploy:
|
|
||||||
# Traefik
|
|
||||||
- name: traefik
|
|
||||||
url: https://github.com/krislamo/traefik
|
|
||||||
version: 31ee724feebc1d5f91cb17ffd6892c352537f194
|
|
||||||
enabled: true
|
|
||||||
accept_newhostkey: true # Consider verifying manually instead
|
|
||||||
trusted_keys:
|
|
||||||
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
env:
|
|
||||||
ENABLE: true
|
|
||||||
|
|
||||||
# Traefik 2 (no other external compose to test currently)
|
|
||||||
- name: traefik2
|
|
||||||
url: https://github.com/krislamo/traefik
|
|
||||||
version: 31ee724feebc1d5f91cb17ffd6892c352537f194
|
|
||||||
enabled: true
|
|
||||||
accept_newhostkey: true # Consider verifying manually instead
|
|
||||||
trusted_keys:
|
|
||||||
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
env:
|
|
||||||
ENABLE: true
|
|
||||||
VERSION: "2.10"
|
|
||||||
DOMAIN: traefik2.local.krislamo.org
|
|
||||||
NAME: traefik2
|
|
||||||
ROUTER: traefik2
|
|
||||||
NETWORK: traefik2
|
|
||||||
WEB_PORT: 127.0.0.1:8000:80
|
|
||||||
WEBSECURE_PORT: 127.0.0.1:4443:443
|
|
||||||
LOCAL_PORT: 127.0.0.1:8444:8443
|
|
||||||
@@ -2,47 +2,47 @@
|
|||||||
allow_reboot: false
|
allow_reboot: false
|
||||||
manage_network: false
|
manage_network: false
|
||||||
|
|
||||||
# Import my GPG key for git signature verification
|
|
||||||
root_gpgkeys:
|
|
||||||
- name: kris@lamoureux.io
|
|
||||||
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
|
|
||||||
# proxy
|
|
||||||
proxy:
|
|
||||||
servers:
|
|
||||||
- domain: cloud.local.krislamo.org
|
|
||||||
proxy_pass: http://127.0.0.1:8000
|
|
||||||
|
|
||||||
# docker
|
# docker
|
||||||
docker_official: true # docker's apt repos
|
|
||||||
docker_users:
|
docker_users:
|
||||||
- vagrant
|
- vagrant
|
||||||
|
|
||||||
docker_compose_env_nolog: false # dev only setting
|
|
||||||
docker_compose_deploy:
|
|
||||||
# Traefik
|
|
||||||
- name: traefik
|
|
||||||
url: https://github.com/krislamo/traefik
|
|
||||||
version: d62bd06b37ecf0993962b0449a9d708373f9e381
|
|
||||||
enabled: true
|
|
||||||
accept_newhostkey: true # Consider verifying manually instead
|
|
||||||
trusted_keys:
|
|
||||||
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
env:
|
|
||||||
DASHBOARD: true
|
|
||||||
# Nextcloud
|
|
||||||
- name: nextcloud
|
|
||||||
url: https://github.com/krislamo/nextcloud
|
|
||||||
version: 0abc5cc6ba64ed94b7ddc6fd934f0fd62b8a6d11
|
|
||||||
env:
|
|
||||||
DATA: ./data
|
|
||||||
|
|
||||||
# traefik
|
# traefik
|
||||||
traefik:
|
traefik_version: latest
|
||||||
ENABLE: true
|
traefik_dashboard: true
|
||||||
|
traefik_domain: traefik.vm.krislamo.org
|
||||||
|
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
|
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
||||||
|
#traefik_production: true
|
||||||
|
|
||||||
# nextcloud
|
# nextcloud
|
||||||
nextcloud:
|
nextcloud_version: stable
|
||||||
DOMAIN: cloud.local.krislamo.org
|
nextcloud_admin: admin
|
||||||
DB_PASSWD: password
|
nextcloud_pass: password
|
||||||
ADMIN_PASSWD: password
|
nextcloud_domain: cloud.vm.krislamo.org
|
||||||
|
|
||||||
|
nextcloud_dbversion: latest
|
||||||
|
nextcloud_dbpass: password
|
||||||
|
|
||||||
|
# gitea
|
||||||
|
gitea_domain: git.vm.krislamo.org
|
||||||
|
gitea_version: 1
|
||||||
|
gitea_dbversion: latest
|
||||||
|
gitea_dbpass: password
|
||||||
|
|
||||||
|
# jenkins
|
||||||
|
jenkins_version: lts
|
||||||
|
jenkins_domain: jenkins.vm.krislamo.org
|
||||||
|
|
||||||
|
# prometheus (includes grafana)
|
||||||
|
prom_version: latest
|
||||||
|
prom_domain: prom.vm.krislamo.org
|
||||||
|
grafana_version: latest
|
||||||
|
grafana_domain: grafana.vm.krislamo.org
|
||||||
|
prom_targets: "['10.0.2.15:9100']"
|
||||||
|
|
||||||
|
# nginx
|
||||||
|
nginx_domain: nginx.vm.krislamo.org
|
||||||
|
nginx_name: staticsite
|
||||||
|
nginx_repo_url: https://git.krislamo.org/kris/example-website/
|
||||||
|
nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
|
nginx_version: latest
|
||||||
|
|||||||
@@ -1,50 +0,0 @@
|
|||||||
# base
|
|
||||||
allow_reboot: false
|
|
||||||
manage_network: false
|
|
||||||
|
|
||||||
users:
|
|
||||||
git:
|
|
||||||
uid: 1001
|
|
||||||
gid: 1001
|
|
||||||
home: true
|
|
||||||
system: true
|
|
||||||
|
|
||||||
# Import my GPG key for git signature verification
|
|
||||||
root_gpgkeys:
|
|
||||||
- name: kris@lamoureux.io
|
|
||||||
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
|
|
||||||
# docker
|
|
||||||
docker_official: true # docker's apt repos
|
|
||||||
docker_users:
|
|
||||||
- vagrant
|
|
||||||
|
|
||||||
docker_compose_env_nolog: false # dev only setting
|
|
||||||
docker_compose_deploy:
|
|
||||||
# Traefik
|
|
||||||
- name: traefik
|
|
||||||
url: https://github.com/krislamo/traefik
|
|
||||||
version: 398eb48d311db78b86abf783f903af4a1658d773
|
|
||||||
enabled: true
|
|
||||||
accept_newhostkey: true
|
|
||||||
trusted_keys:
|
|
||||||
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
env:
|
|
||||||
ENABLE: true
|
|
||||||
# Gitea
|
|
||||||
- name: gitea
|
|
||||||
url: https://github.com/krislamo/gitea
|
|
||||||
version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
|
|
||||||
enabled: true
|
|
||||||
trusted_keys:
|
|
||||||
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
env:
|
|
||||||
USER_UID: "{{ users.git.uid }}"
|
|
||||||
USER_GID: "{{ users.git.gid }}"
|
|
||||||
DB_PASSWD: "{{ gitea.DB_PASSWD }}"
|
|
||||||
|
|
||||||
# gitea
|
|
||||||
gitea:
|
|
||||||
DB_NAME: gitea
|
|
||||||
DB_USER: gitea
|
|
||||||
DB_PASSWD: password
|
|
||||||
@@ -1,61 +0,0 @@
|
|||||||
base_domain: local.krislamo.org
|
|
||||||
|
|
||||||
# base
|
|
||||||
allow_reboot: false
|
|
||||||
manage_network: false
|
|
||||||
|
|
||||||
users:
|
|
||||||
jellyfin:
|
|
||||||
uid: 1001
|
|
||||||
gid: 1001
|
|
||||||
shell: /usr/sbin/nologin
|
|
||||||
home: false
|
|
||||||
system: true
|
|
||||||
|
|
||||||
samba:
|
|
||||||
users:
|
|
||||||
- name: jellyfin
|
|
||||||
password: jellyfin
|
|
||||||
shares:
|
|
||||||
- name: jellyfin
|
|
||||||
path: /srv/jellyfin
|
|
||||||
owner: jellyfin
|
|
||||||
group: jellyfin
|
|
||||||
valid_users: jellyfin
|
|
||||||
firewall:
|
|
||||||
- 10.0.0.0/8
|
|
||||||
- 172.16.0.0/12
|
|
||||||
- 192.168.0.0/16
|
|
||||||
|
|
||||||
# proxy
|
|
||||||
proxy:
|
|
||||||
#production: true
|
|
||||||
dns_cloudflare:
|
|
||||||
opts: --test-cert
|
|
||||||
#email: realemail@example.com
|
|
||||||
#api_token: CLOUDFLARE_DNS01_API_TOKEN
|
|
||||||
wildcard_domains:
|
|
||||||
- "{{ base_domain }}"
|
|
||||||
servers:
|
|
||||||
- domain: "{{ traefik_domain }}"
|
|
||||||
proxy_pass: "http://127.0.0.1:8000"
|
|
||||||
- domain: "{{ jellyfin_domain }}"
|
|
||||||
proxy_pass: "http://127.0.0.1:8000"
|
|
||||||
|
|
||||||
# docker
|
|
||||||
docker_users:
|
|
||||||
- vagrant
|
|
||||||
|
|
||||||
# traefik
|
|
||||||
traefik_version: latest
|
|
||||||
traefik_dashboard: true
|
|
||||||
traefik_domain: "traefik.{{ base_domain }}"
|
|
||||||
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
|
||||||
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
|
||||||
#traefik_production: true
|
|
||||||
traefik_http_only: true # if behind reverse-proxy
|
|
||||||
|
|
||||||
# jellyfin
|
|
||||||
jellyfin_domain: "jellyfin.{{ base_domain }}"
|
|
||||||
jellyfin_version: latest
|
|
||||||
jellyfin_media: /srv/jellyfin
|
|
||||||
17
dev/host_vars/mediawiki.yml
Normal file
17
dev/host_vars/mediawiki.yml
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
# base
|
||||||
|
allow_reboot: false
|
||||||
|
manage_network: false
|
||||||
|
|
||||||
|
# docker
|
||||||
|
docker_users:
|
||||||
|
- vagrant
|
||||||
|
|
||||||
|
# traefik
|
||||||
|
traefik_version: latest
|
||||||
|
traefik_dashboard: true
|
||||||
|
traefik_domain: traefik.vm.krislamo.org
|
||||||
|
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
|
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
||||||
|
#traefik_production: true
|
||||||
|
|
||||||
|
# mediawiki
|
||||||
@@ -5,14 +5,14 @@ docker_users:
|
|||||||
# traefik
|
# traefik
|
||||||
traefik_version: latest
|
traefik_version: latest
|
||||||
traefik_dashboard: true
|
traefik_dashboard: true
|
||||||
traefik_domain: traefik.local.krislamo.org
|
traefik_domain: traefik.vm.krislamo.org
|
||||||
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
|
|
||||||
# container settings
|
# container settings
|
||||||
nextcloud_version: stable
|
nextcloud_version: stable
|
||||||
nextcloud_admin: admin
|
nextcloud_admin: admin
|
||||||
nextcloud_pass: password
|
nextcloud_pass: password
|
||||||
nextcloud_domain: cloud.local.krislamo.org
|
nextcloud_domain: cloud.vm.krislamo.org
|
||||||
|
|
||||||
# database settings
|
# database settings
|
||||||
nextcloud_dbversion: latest
|
nextcloud_dbversion: latest
|
||||||
|
|||||||
@@ -9,13 +9,13 @@ docker_users:
|
|||||||
# traefik
|
# traefik
|
||||||
traefik_version: latest
|
traefik_version: latest
|
||||||
traefik_dashboard: true
|
traefik_dashboard: true
|
||||||
traefik_domain: traefik.local.krislamo.org
|
traefik_domain: traefik.vm.krislamo.org
|
||||||
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
||||||
#traefik_production: true
|
#traefik_production: true
|
||||||
|
|
||||||
# nginx
|
# nginx
|
||||||
nginx_domain: nginx.local.krislamo.org
|
nginx_domain: nginx.vm.krislamo.org
|
||||||
nginx_name: staticsite
|
nginx_name: staticsite
|
||||||
nginx_repo_url: https://git.krislamo.org/kris/example-website/
|
nginx_repo_url: https://git.krislamo.org/kris/example-website/
|
||||||
nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
|
|||||||
@@ -1,79 +0,0 @@
|
|||||||
base_domain: local.krislamo.org
|
|
||||||
|
|
||||||
# base
|
|
||||||
allow_reboot: false
|
|
||||||
manage_network: false
|
|
||||||
|
|
||||||
users:
|
|
||||||
git:
|
|
||||||
uid: 1001
|
|
||||||
gid: 1001
|
|
||||||
home: true
|
|
||||||
system: true
|
|
||||||
|
|
||||||
# Import my GPG key for git signature verification
|
|
||||||
root_gpgkeys:
|
|
||||||
- name: kris@lamoureux.io
|
|
||||||
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
|
|
||||||
# proxy
|
|
||||||
proxy:
|
|
||||||
#production: true
|
|
||||||
dns_cloudflare:
|
|
||||||
opts: --test-cert
|
|
||||||
#email: realemail@example.com
|
|
||||||
#api_token: CLOUDFLARE_DNS01_API_TOKEN
|
|
||||||
wildcard_domains:
|
|
||||||
- "{{ base_domain }}"
|
|
||||||
servers:
|
|
||||||
- domain: "{{ bitwarden_domain }}"
|
|
||||||
proxy_pass: "http://127.0.0.1"
|
|
||||||
- domain: "{{ gitea_domain }}"
|
|
||||||
proxy_pass: "http://127.0.0.1"
|
|
||||||
|
|
||||||
# docker
|
|
||||||
docker_official: true # docker's apt repos
|
|
||||||
docker_users:
|
|
||||||
- vagrant
|
|
||||||
|
|
||||||
docker_compose_env_nolog: false # dev only setting
|
|
||||||
docker_compose_deploy:
|
|
||||||
# Traefik
|
|
||||||
- name: traefik
|
|
||||||
url: https://github.com/krislamo/traefik
|
|
||||||
version: e97db75e2e214582fac5f5e495687ab5cdf855ad
|
|
||||||
path: docker-compose.web.yml
|
|
||||||
enabled: true
|
|
||||||
accept_newhostkey: true
|
|
||||||
trusted_keys:
|
|
||||||
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
env:
|
|
||||||
ENABLE: true
|
|
||||||
# Gitea
|
|
||||||
- name: gitea
|
|
||||||
url: https://github.com/krislamo/gitea
|
|
||||||
version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
|
|
||||||
enabled: true
|
|
||||||
trusted_keys:
|
|
||||||
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
|
|
||||||
env:
|
|
||||||
ENTRYPOINT: web
|
|
||||||
ENABLE_TLS: false
|
|
||||||
USER_UID: "{{ users.git.uid }}"
|
|
||||||
USER_GID: "{{ users.git.gid }}"
|
|
||||||
DB_PASSWD: "{{ gitea.DB_PASSWD }}"
|
|
||||||
|
|
||||||
# gitea
|
|
||||||
gitea_domain: "git.{{ base_domain }}"
|
|
||||||
gitea:
|
|
||||||
DB_NAME: gitea
|
|
||||||
DB_USER: gitea
|
|
||||||
DB_PASSWD: password
|
|
||||||
|
|
||||||
# bitwarden
|
|
||||||
# Get Installation ID & Key at https://bitwarden.com/host/
|
|
||||||
bitwarden_domain: "vault.{{ base_domain }}"
|
|
||||||
bitwarden_dbpass: password
|
|
||||||
bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
|
|
||||||
bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
|
|
||||||
#bitwarden_prodution: true
|
|
||||||
@@ -9,14 +9,14 @@ docker_users:
|
|||||||
# traefik
|
# traefik
|
||||||
traefik_version: latest
|
traefik_version: latest
|
||||||
traefik_dashboard: true
|
traefik_dashboard: true
|
||||||
traefik_domain: traefik.local.krislamo.org
|
traefik_domain: traefik.vm.krislamo.org
|
||||||
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
|
||||||
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
#traefik_acme_email: realemail@example.com # Let's Encrypt settings
|
||||||
#traefik_production: true
|
#traefik_production: true
|
||||||
|
|
||||||
# container settings
|
# container settings
|
||||||
wordpress_version: latest
|
wordpress_version: latest
|
||||||
wordpress_domain: wordpress.local.krislamo.org
|
wordpress_domain: wordpress.vm.krislamo.org
|
||||||
wordpress_multisite: true
|
wordpress_multisite: true
|
||||||
|
|
||||||
# database settings
|
# database settings
|
||||||
|
|||||||
@@ -1,11 +1,10 @@
|
|||||||
- name: Install Media Server
|
- name: Install MediaWiki Server
|
||||||
hosts: all
|
hosts: all
|
||||||
become: true
|
become: true
|
||||||
vars_files:
|
vars_files:
|
||||||
- host_vars/mediaserver.yml
|
- host_vars/mediawiki.yml
|
||||||
roles:
|
roles:
|
||||||
- base
|
- base
|
||||||
- proxy
|
|
||||||
- docker
|
- docker
|
||||||
- traefik
|
- traefik
|
||||||
- jellyfin
|
- mediawiki
|
||||||
@@ -1,12 +0,0 @@
|
|||||||
- name: Install Proxy Server
|
|
||||||
hosts: all
|
|
||||||
become: true
|
|
||||||
vars_files:
|
|
||||||
- host_vars/proxy.yml
|
|
||||||
roles:
|
|
||||||
- base
|
|
||||||
- proxy
|
|
||||||
- docker
|
|
||||||
- mariadb
|
|
||||||
- gitea
|
|
||||||
- bitwarden
|
|
||||||
21
docker.yml
Normal file
21
docker.yml
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
# Copyright (C) 2020 Kris Lamoureux
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, version 3 of the License.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
- name: Install Docker Server
|
||||||
|
hosts: dockerhosts
|
||||||
|
become: true
|
||||||
|
roles:
|
||||||
|
- base
|
||||||
|
- docker
|
||||||
|
- jenkins
|
||||||
26
dockerbox.yml
Normal file
26
dockerbox.yml
Normal file
@@ -0,0 +1,26 @@
|
|||||||
|
# Copyright (C) 2020 Kris Lamoureux
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, version 3 of the License.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
- name: Install Docker Box Server
|
||||||
|
hosts: dockerhosts
|
||||||
|
become: true
|
||||||
|
roles:
|
||||||
|
- base
|
||||||
|
- docker
|
||||||
|
- traefik
|
||||||
|
- nextcloud
|
||||||
|
- gitea
|
||||||
|
- jenkins
|
||||||
|
- prometheus
|
||||||
|
- nginx
|
||||||
125
forward-ssh.sh
125
forward-ssh.sh
@@ -1,125 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Finds the SSH private key under ./.vagrant and connects to
|
|
||||||
# the Vagrant box, port forwarding localhost ports: 8443, 443, 80, 22
|
|
||||||
#
|
|
||||||
# Download the latest script:
|
|
||||||
# https://git.krislamo.org/kris/homelab/raw/branch/main/forward-ssh.sh
|
|
||||||
#
|
|
||||||
# Copyright (C) 2023 Kris Lamoureux
|
|
||||||
#
|
|
||||||
# This program is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, version 3 of the License.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# Root check
|
|
||||||
if [ "$EUID" -ne 0 ]; then
|
|
||||||
echo "[ERROR]: Please run this script as root"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Clean environment
|
|
||||||
unset PRIVATE_KEY
|
|
||||||
unset HOST_IP
|
|
||||||
unset MATCH_PATTERN
|
|
||||||
unset PKILL_ANSWER
|
|
||||||
|
|
||||||
# Function to create the SSH tunnel
|
|
||||||
function ssh_connect {
|
|
||||||
read -rp "Start a new vagrant SSH tunnel? [y/N] " PSTART_ANSWER
|
|
||||||
echo
|
|
||||||
case "$PSTART_ANSWER" in
|
|
||||||
[yY])
|
|
||||||
printf "[INFO]: Starting new vagrant SSH tunnel on PID "
|
|
||||||
sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
|
|
||||||
-L 22:localhost:22 \
|
|
||||||
-L 80:"$HOST_IP":80 \
|
|
||||||
-L 443:"$HOST_IP":443 \
|
|
||||||
-L 8443:localhost:8443 \
|
|
||||||
-o UserKnownHostsFile=/dev/null \
|
|
||||||
-o StrictHostKeyChecking=no \
|
|
||||||
vagrant@"$HOST_IP" 2>/dev/null
|
|
||||||
sleep 2
|
|
||||||
pgrep -f "$MATCH_PATTERN"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "[INFO]: Declined to start a new vagrant SSH tunnel"
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
# Check for valid PRIVATE_KEY location
|
|
||||||
PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null | sort)"
|
|
||||||
|
|
||||||
# Single vagrant machine or multiple
|
|
||||||
if [ "$(echo "$PRIVATE_KEY" | wc -l)" -gt 1 ]; then
|
|
||||||
while IFS= read -r KEYFILE; do
|
|
||||||
if ! ssh-keygen -l -f "$KEYFILE" &>/dev/null; then
|
|
||||||
echo "[ERROR]: The SSH key '$KEYFILE' is not valid. Are your virtual machines running?"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
echo "[CHECK]: Valid key at $KEYFILE"
|
|
||||||
done < <(echo "$PRIVATE_KEY")
|
|
||||||
PRIVATE_KEY="$(echo "$PRIVATE_KEY" | grep -m1 "${1:-default}")"
|
|
||||||
elif ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
|
|
||||||
echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
echo "[CHECK]: Valid key at $PRIVATE_KEY"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
|
|
||||||
HOST_IP="$(sudo -u "$SUDO_USER" vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
|
|
||||||
if [ -z "$HOST_IP" ]; then
|
|
||||||
echo "[ERROR]: Failed to find ${1:-default}'s IP"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
HOST_IP="${HOST_IP::-1}" # trim
|
|
||||||
|
|
||||||
if ! ping -c 1 "$HOST_IP" &>/dev/null; then
|
|
||||||
echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
echo "[CHECK]: Host at $HOST_IP (${1:-default}) is up"
|
|
||||||
|
|
||||||
# Pattern for matching processes running
|
|
||||||
MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
|
|
||||||
|
|
||||||
# Check amount of processes that match the pattern
|
|
||||||
if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
|
|
||||||
ssh_connect
|
|
||||||
else
|
|
||||||
# Processes found, so prompt to kill remaining ones then start tunnel
|
|
||||||
printf "\n[WARNING]: Found processes running:\n"
|
|
||||||
pgrep -fa "$MATCH_PATTERN"
|
|
||||||
printf '\n'
|
|
||||||
read -rp "Would you like to kill these processes? [y/N] " PKILL_ANSWER
|
|
||||||
echo
|
|
||||||
case "$PKILL_ANSWER" in
|
|
||||||
[yY])
|
|
||||||
echo "[WARNING]: Killing old vagrant SSH tunnel(s): "
|
|
||||||
pgrep -f "$MATCH_PATTERN" | tee >(xargs kill -15)
|
|
||||||
echo
|
|
||||||
if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
|
|
||||||
ssh_connect
|
|
||||||
else
|
|
||||||
echo "[ERROR]: Unable to kill processes:"
|
|
||||||
pgrep -f "$MATCH_PATTERN"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "[INFO]: Declined to kill existing processes"
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
- name: Install Docker Server
|
|
||||||
hosts: "{{ PLAYBOOK_HOST | default('none') }}"
|
|
||||||
become: true
|
|
||||||
roles:
|
|
||||||
- base
|
|
||||||
- jenkins
|
|
||||||
- docker
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
- name: Install Dockerbox Server
|
|
||||||
hosts: "{{ PLAYBOOK_HOST | default('none') }}"
|
|
||||||
become: true
|
|
||||||
roles:
|
|
||||||
- base
|
|
||||||
- docker
|
|
||||||
- traefik
|
|
||||||
- nextcloud
|
|
||||||
- jenkins
|
|
||||||
- prometheus
|
|
||||||
- nginx
|
|
||||||
@@ -1,10 +0,0 @@
|
|||||||
- name: Install Media Server
|
|
||||||
hosts: "{{ PLAYBOOK_HOST | default('none') }}"
|
|
||||||
become: true
|
|
||||||
roles:
|
|
||||||
- base
|
|
||||||
- jenkins
|
|
||||||
- proxy
|
|
||||||
- docker
|
|
||||||
- traefik
|
|
||||||
- jellyfin
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
- name: Install Proxy Server
|
|
||||||
hosts: proxyhosts
|
|
||||||
become: true
|
|
||||||
roles:
|
|
||||||
- base
|
|
||||||
- jenkins
|
|
||||||
- mariadb
|
|
||||||
- proxy
|
|
||||||
- docker
|
|
||||||
- gitea
|
|
||||||
- bitwarden
|
|
||||||
18
roles/.gitignore
vendored
Normal file
18
roles/.gitignore
vendored
Normal file
@@ -0,0 +1,18 @@
|
|||||||
|
/*
|
||||||
|
!.gitignore
|
||||||
|
!requirements.yml
|
||||||
|
!base*/
|
||||||
|
!bitwarden*/
|
||||||
|
!docker*/
|
||||||
|
!gitea*/
|
||||||
|
!jenkins*/
|
||||||
|
!libvirt*/
|
||||||
|
!mediawiki*/
|
||||||
|
!minecraft*/
|
||||||
|
!nextcloud*/
|
||||||
|
!nginx*/
|
||||||
|
!prometheus*/
|
||||||
|
!rsnapshot*/
|
||||||
|
!traefik*/
|
||||||
|
!unifi*/
|
||||||
|
!wordpress*/
|
||||||
@@ -1,11 +1,8 @@
|
|||||||
allow_reboot: true
|
|
||||||
manage_firewall: true
|
|
||||||
manage_network: false
|
manage_network: false
|
||||||
network_type: static
|
network_type: static
|
||||||
locale_default: en_US.UTF-8
|
allow_reboot: true
|
||||||
|
|
||||||
packages:
|
packages:
|
||||||
- apache2-utils
|
|
||||||
- cryptsetup
|
- cryptsetup
|
||||||
- curl
|
- curl
|
||||||
- dnsutils
|
- dnsutils
|
||||||
|
|||||||
1
roles/base/files/buster-backports.list
Normal file
1
roles/base/files/buster-backports.list
Normal file
@@ -0,0 +1 @@
|
|||||||
|
deb http://deb.debian.org/debian buster-backports main
|
||||||
@@ -1,34 +1,12 @@
|
|||||||
- name: Reboot host
|
- name: Reboot host
|
||||||
ansible.builtin.reboot:
|
reboot:
|
||||||
msg: "Reboot initiated by Ansible"
|
msg: "Reboot initiated by Ansible"
|
||||||
connect_timeout: 5
|
connect_timeout: 5
|
||||||
listen: reboot_host
|
listen: reboot_host
|
||||||
when: allow_reboot
|
when: allow_reboot
|
||||||
|
|
||||||
- name: Reconfigure locales
|
|
||||||
ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
|
|
||||||
listen: reconfigure_locales
|
|
||||||
|
|
||||||
- name: Restart WireGuard
|
- name: Restart WireGuard
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: wg-quick@wg0
|
name: wg-quick@wg0
|
||||||
state: restarted
|
state: restarted
|
||||||
listen: restart_wireguard
|
listen: restart_wireguard
|
||||||
|
|
||||||
- name: Restart Fail2ban
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: fail2ban
|
|
||||||
state: restarted
|
|
||||||
listen: restart_fail2ban
|
|
||||||
|
|
||||||
- name: Restart ddclient
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: ddclient
|
|
||||||
state: restarted
|
|
||||||
listen: restart_ddclient
|
|
||||||
|
|
||||||
- name: Restart Samba
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: smbd
|
|
||||||
state: restarted
|
|
||||||
listen: restart_samba
|
|
||||||
|
|||||||
@@ -1,5 +1,15 @@
|
|||||||
- name: Create Ansible's temporary remote directory
|
- name: 'Install Ansible dependency: python3-apt'
|
||||||
ansible.builtin.file:
|
shell: 'apt-get update && apt-get install python3-apt -y'
|
||||||
path: "~/.ansible/tmp"
|
args:
|
||||||
state: directory
|
creates: /usr/lib/python3/dist-packages/apt
|
||||||
mode: "700"
|
warn: false
|
||||||
|
|
||||||
|
- name: Install additional Ansible dependencies
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
force_apt_get: true
|
||||||
|
update_cache: true
|
||||||
|
loop:
|
||||||
|
- aptitude
|
||||||
|
- python3-docker
|
||||||
|
|||||||
@@ -1,17 +1,22 @@
|
|||||||
- name: Install ddclient
|
- name: Install ddclient
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: ddclient
|
name: ddclient
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Install ddclient settings
|
- name: Install ddclient settings
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: ddclient.conf.j2
|
src: ddclient.conf.j2
|
||||||
dest: /etc/ddclient.conf
|
dest: /etc/ddclient.conf
|
||||||
mode: "600"
|
|
||||||
register: ddclient_settings
|
register: ddclient_settings
|
||||||
|
|
||||||
- name: Start ddclient and enable on boot
|
- name: Start ddclient and enable on boot
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: ddclient
|
name: ddclient
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
|
- name: Restart ddclient
|
||||||
|
service:
|
||||||
|
name: ddclient
|
||||||
|
state: restarted
|
||||||
|
when: ddclient_settings.changed
|
||||||
|
|||||||
@@ -1,48 +0,0 @@
|
|||||||
- name: Install the Uncomplicated Firewall
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: ufw
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Install Fail2ban
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: fail2ban
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Deny incoming traffic by default
|
|
||||||
community.general.ufw:
|
|
||||||
default: deny
|
|
||||||
direction: incoming
|
|
||||||
|
|
||||||
- name: Allow outgoing traffic by default
|
|
||||||
community.general.ufw:
|
|
||||||
default: allow
|
|
||||||
direction: outgoing
|
|
||||||
|
|
||||||
- name: Allow OpenSSH with rate limiting
|
|
||||||
community.general.ufw:
|
|
||||||
name: ssh
|
|
||||||
rule: limit
|
|
||||||
|
|
||||||
- name: Remove Fail2ban defaults-debian.conf
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: /etc/fail2ban/jail.d/defaults-debian.conf
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: Install OpenSSH's Fail2ban jail
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: fail2ban-ssh.conf.j2
|
|
||||||
dest: /etc/fail2ban/jail.d/sshd.conf
|
|
||||||
mode: "640"
|
|
||||||
notify: restart_fail2ban
|
|
||||||
|
|
||||||
- name: Install Fail2ban IP allow list
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: fail2ban-allowlist.conf.j2
|
|
||||||
dest: /etc/fail2ban/jail.d/allowlist.conf
|
|
||||||
mode: "640"
|
|
||||||
when: fail2ban_ignoreip is defined
|
|
||||||
notify: restart_fail2ban
|
|
||||||
|
|
||||||
- name: Enable firewall
|
|
||||||
community.general.ufw:
|
|
||||||
state: enabled
|
|
||||||
@@ -1,5 +1,5 @@
|
|||||||
- name: Install msmtp
|
- name: Install msmtp
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
loop:
|
loop:
|
||||||
@@ -8,13 +8,12 @@
|
|||||||
- mailutils
|
- mailutils
|
||||||
|
|
||||||
- name: Install msmtp configuration
|
- name: Install msmtp configuration
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: msmtprc.j2
|
src: msmtprc.j2
|
||||||
dest: /root/.msmtprc
|
dest: /root/.msmtprc
|
||||||
mode: "600"
|
mode: 0700
|
||||||
|
|
||||||
- name: Install /etc/aliases
|
- name: Install /etc/aliases
|
||||||
ansible.builtin.copy:
|
copy:
|
||||||
dest: /etc/aliases
|
dest: /etc/aliases
|
||||||
content: "root: {{ mail.rootalias }}"
|
content: "root: {{ mail.rootalias }}"
|
||||||
mode: "644"
|
|
||||||
|
|||||||
@@ -1,37 +1,21 @@
|
|||||||
- name: Import Ansible tasks
|
- import_tasks: ansible.yml
|
||||||
ansible.builtin.import_tasks: ansible.yml
|
|
||||||
tags: ansible
|
tags: ansible
|
||||||
|
|
||||||
- name: Import System tasks
|
- import_tasks: system.yml
|
||||||
ansible.builtin.import_tasks: system.yml
|
|
||||||
tags: system
|
tags: system
|
||||||
|
|
||||||
- name: Import Firewall tasks
|
- import_tasks: network.yml
|
||||||
ansible.builtin.import_tasks: firewall.yml
|
|
||||||
tags: firewall
|
|
||||||
when: manage_firewall
|
|
||||||
|
|
||||||
- name: Import Network tasks
|
|
||||||
ansible.builtin.import_tasks: network.yml
|
|
||||||
tags: network
|
tags: network
|
||||||
when: manage_network
|
when: manage_network
|
||||||
|
|
||||||
- name: Import Mail tasks
|
- import_tasks: mail.yml
|
||||||
ansible.builtin.import_tasks: mail.yml
|
|
||||||
tags: mail
|
tags: mail
|
||||||
when: mail is defined
|
when: mail is defined
|
||||||
|
|
||||||
- name: Import ddclient tasks
|
- import_tasks: ddclient.yml
|
||||||
ansible.builtin.import_tasks: ddclient.yml
|
|
||||||
tags: ddclient
|
tags: ddclient
|
||||||
when: ddclient is defined
|
when: ddclient is defined
|
||||||
|
|
||||||
- name: Import WireGuard tasks
|
- import_tasks: wireguard.yml
|
||||||
ansible.builtin.import_tasks: wireguard.yml
|
|
||||||
tags: wireguard
|
tags: wireguard
|
||||||
when: wireguard is defined
|
when: wireguard is defined
|
||||||
|
|
||||||
- name: Import Samba tasks
|
|
||||||
ansible.builtin.import_tasks: samba.yml
|
|
||||||
tags: samba
|
|
||||||
when: samba is defined
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
- name: Install network interfaces file
|
- name: Install network interfaces file
|
||||||
ansible.builtin.copy:
|
copy:
|
||||||
src: network-interfaces.cfg
|
src: network-interfaces.cfg
|
||||||
dest: /etc/network/interfaces
|
dest: /etc/network/interfaces
|
||||||
owner: root
|
owner: root
|
||||||
@@ -7,9 +7,13 @@
|
|||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
|
||||||
- name: Install network interfaces
|
- name: Install network interfaces
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: "interface.j2"
|
src: "interface.j2"
|
||||||
dest: "/etc/network/interfaces.d/{{ item.name }}"
|
dest: "/etc/network/interfaces.d/{{ item.name }}"
|
||||||
mode: "400"
|
|
||||||
loop: "{{ interfaces }}"
|
loop: "{{ interfaces }}"
|
||||||
notify: reboot_host
|
notify: reboot_host
|
||||||
|
|
||||||
|
- name: Install bridge utilities
|
||||||
|
apt:
|
||||||
|
name: bridge-utils
|
||||||
|
state: present
|
||||||
|
|||||||
@@ -1,46 +0,0 @@
|
|||||||
- name: Install Samba
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: samba
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Create Samba users
|
|
||||||
ansible.builtin.command: "smbpasswd -a {{ item.name }}"
|
|
||||||
args:
|
|
||||||
stdin: "{{ item.password }}\n{{ item.password }}"
|
|
||||||
loop: "{{ samba.users }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
register: samba_users
|
|
||||||
changed_when: "'Added user' in samba_users.stdout"
|
|
||||||
|
|
||||||
- name: Ensure share directories exist
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ item.path }}"
|
|
||||||
owner: "{{ item.owner }}"
|
|
||||||
group: "{{ item.group }}"
|
|
||||||
state: directory
|
|
||||||
mode: "755"
|
|
||||||
loop: "{{ samba.shares }}"
|
|
||||||
|
|
||||||
- name: Configure Samba shares
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: smb.conf.j2
|
|
||||||
dest: /etc/samba/smb.conf
|
|
||||||
mode: "700"
|
|
||||||
notify: restart_samba
|
|
||||||
|
|
||||||
- name: Start smbd and enable on boot
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: smbd
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
- name: Allow SMB connections
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: 445
|
|
||||||
proto: tcp
|
|
||||||
from: "{{ item }}"
|
|
||||||
state: enabled
|
|
||||||
loop: "{{ samba.firewall }}"
|
|
||||||
when: manage_firewall
|
|
||||||
@@ -1,105 +1,23 @@
|
|||||||
- name: Install useful software
|
- name: Install useful software
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: "{{ packages }}"
|
name: "{{ packages }}"
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Install GPG
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: gpg
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Check for existing GPG keys
|
|
||||||
ansible.builtin.command: "gpg --list-keys {{ item.id }} 2>/dev/null"
|
|
||||||
register: gpg_check
|
|
||||||
loop: "{{ root_gpgkeys }}"
|
|
||||||
failed_when: false
|
|
||||||
changed_when: false
|
|
||||||
when: root_gpgkeys is defined
|
|
||||||
|
|
||||||
- name: Import GPG keys
|
|
||||||
ansible.builtin.command:
|
|
||||||
"gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
|
|
||||||
register: gpg_check_import
|
|
||||||
loop: "{{ gpg_check.results }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.item }}"
|
|
||||||
changed_when: false
|
|
||||||
when: root_gpgkeys is defined and item.rc != 0
|
|
||||||
|
|
||||||
- name: Check GPG key imports
|
|
||||||
ansible.builtin.fail:
|
|
||||||
msg: "{{ item.stderr }}"
|
|
||||||
loop: "{{ gpg_check_import.results }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.item.item }}"
|
|
||||||
when: root_gpgkeys is defined and (not item.skipped | default(false)) and ('imported' not in item.stderr)
|
|
||||||
|
|
||||||
- name: Install NTPsec
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: ntpsec
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Install locales
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: locales
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Generate locale
|
|
||||||
community.general.locale_gen:
|
|
||||||
name: "{{ locale_default }}"
|
|
||||||
state: present
|
|
||||||
notify: reconfigure_locales
|
|
||||||
|
|
||||||
- name: Set the default locale
|
|
||||||
ansible.builtin.lineinfile:
|
|
||||||
path: /etc/default/locale
|
|
||||||
regexp: "^LANG="
|
|
||||||
line: "LANG={{ locale_default }}"
|
|
||||||
|
|
||||||
- name: Manage root authorized_keys
|
- name: Manage root authorized_keys
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: authorized_keys.j2
|
src: authorized_keys.j2
|
||||||
dest: /root/.ssh/authorized_keys
|
dest: /root/.ssh/authorized_keys
|
||||||
mode: "400"
|
|
||||||
when: authorized_keys is defined
|
when: authorized_keys is defined
|
||||||
|
|
||||||
- name: Create system user groups
|
- name: Install btrfs-tools
|
||||||
ansible.builtin.group:
|
apt:
|
||||||
name: "{{ item.key }}"
|
name: btrfs-tools
|
||||||
gid: "{{ item.value.gid }}"
|
|
||||||
state: present
|
state: present
|
||||||
loop: "{{ users | dict2items }}"
|
when: btrfs_support is defined and btrfs_support | bool == true
|
||||||
loop_control:
|
|
||||||
label: "{{ item.key }}"
|
|
||||||
when: users is defined
|
|
||||||
|
|
||||||
- name: Create system users
|
|
||||||
ansible.builtin.user:
|
|
||||||
name: "{{ item.key }}"
|
|
||||||
state: present
|
|
||||||
uid: "{{ item.value.uid }}"
|
|
||||||
group: "{{ item.value.gid }}"
|
|
||||||
shell: "{{ item.value.shell | default('/bin/bash') }}"
|
|
||||||
create_home: "{{ item.value.home | default(false) }}"
|
|
||||||
system: "{{ item.value.system | default(false) }}"
|
|
||||||
loop: "{{ users | dict2items }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.key }}"
|
|
||||||
when: users is defined
|
|
||||||
|
|
||||||
- name: Set authorized_keys for system users
|
|
||||||
ansible.posix.authorized_key:
|
|
||||||
user: "{{ item.key }}"
|
|
||||||
key: "{{ item.value.key }}"
|
|
||||||
state: present
|
|
||||||
loop: "{{ users | dict2items }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.key }}"
|
|
||||||
when: users is defined and item.value.key is defined
|
|
||||||
|
|
||||||
- name: Manage filesystem mounts
|
- name: Manage filesystem mounts
|
||||||
ansible.posix.mount:
|
mount:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
src: "UUID={{ item.uuid }}"
|
src: "UUID={{ item.uuid }}"
|
||||||
fstype: "{{ item.fstype }}"
|
fstype: "{{ item.fstype }}"
|
||||||
|
|||||||
@@ -1,39 +1,51 @@
|
|||||||
|
# Copyright (C) 2021 Kris Lamoureux
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, version 3 of the License.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
- name: Add Debian Buster backports
|
||||||
|
copy:
|
||||||
|
src: buster-backports.list
|
||||||
|
dest: /etc/apt/sources.list.d/buster-backports.list
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
|
||||||
- name: Install WireGuard
|
- name: Install WireGuard
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: wireguard
|
name: wireguard
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Generate WireGuard keys
|
- name: Generate WireGuard keys
|
||||||
ansible.builtin.shell: |
|
shell: wg genkey | tee privatekey | wg pubkey > publickey
|
||||||
set -o pipefail
|
|
||||||
wg genkey | tee privatekey | wg pubkey > publickey
|
|
||||||
args:
|
args:
|
||||||
chdir: /etc/wireguard/
|
chdir: /etc/wireguard/
|
||||||
creates: /etc/wireguard/privatekey
|
creates: /etc/wireguard/privatekey
|
||||||
executable: /usr/bin/bash
|
|
||||||
|
|
||||||
- name: Grab WireGuard private key for configuration
|
- name: Grab WireGuard private key for configuration
|
||||||
ansible.builtin.slurp:
|
slurp:
|
||||||
src: /etc/wireguard/privatekey
|
src: /etc/wireguard/privatekey
|
||||||
register: wgkey
|
register: wgkey
|
||||||
|
|
||||||
- name: Install WireGuard configuration
|
- name: Install WireGuard configuration
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: wireguard.j2
|
src: wireguard.j2
|
||||||
dest: /etc/wireguard/wg0.conf
|
dest: /etc/wireguard/wg0.conf
|
||||||
mode: "400"
|
notify:
|
||||||
notify: restart_wireguard
|
- restart_wireguard
|
||||||
|
|
||||||
- name: Start WireGuard interface
|
- name: Start WireGuard interface
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: wg-quick@wg0
|
name: wg-quick@wg0
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
- name: Add WireGuard firewall rule
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: "{{ wireguard.listenport }}"
|
|
||||||
proto: udp
|
|
||||||
when: wireguard.listenport is defined
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
[DEFAULT]
|
|
||||||
ignoreip = {% for host in fail2ban_ignoreip %}{{ host }}{% if not loop.last %} {% endif %}{% endfor %}
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
[sshd]
|
|
||||||
mode = aggressive
|
|
||||||
enabled = true
|
|
||||||
@@ -1,28 +0,0 @@
|
|||||||
[global]
|
|
||||||
workgroup = WORKGROUP
|
|
||||||
server string = Samba Server %v
|
|
||||||
netbios name = {{ ansible_hostname }}
|
|
||||||
security = user
|
|
||||||
map to guest = bad user
|
|
||||||
dns proxy = no
|
|
||||||
{% for user in samba.users %}
|
|
||||||
smb encrypt = {{ 'mandatory' if user.encrypt | default(false) else 'disabled' }}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
{% for share in samba.shares %}
|
|
||||||
[{{ share.name }}]
|
|
||||||
path = {{ share.path }}
|
|
||||||
browsable = yes
|
|
||||||
{% if share.guest_allow is defined and share.guest_allow %}
|
|
||||||
guest ok = yes
|
|
||||||
{% else %}
|
|
||||||
guest ok = no
|
|
||||||
{% endif %}
|
|
||||||
read only = {{ 'yes' if share.read_only | default(false) else 'no' }}
|
|
||||||
{% if share.valid_users is defined %}
|
|
||||||
valid users = {{ share.valid_users }}
|
|
||||||
{% endif %}
|
|
||||||
{% if share.force_user is defined %}
|
|
||||||
force user = {{ share.force_user }}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
@@ -1,8 +1,4 @@
|
|||||||
bitwarden_name: bitwarden
|
bitwarden_name: bitwarden
|
||||||
bitwarden_root: "/var/lib/{{ bitwarden_name }}"
|
bitwarden_root: "/opt/{{ bitwarden_name }}"
|
||||||
bitwarden_logs_identity: "{{ bitwarden_root }}/bwdata/logs/identity/Identity"
|
|
||||||
bitwarden_logs_identity_date: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
|
|
||||||
bitwarden_database: "{{ bitwarden_name }}"
|
|
||||||
bitwarden_realips: "172.16.0.0/12"
|
|
||||||
bitwarden_standalone: false
|
bitwarden_standalone: false
|
||||||
bitwarden_production: false
|
bitwarden_production: false
|
||||||
|
|||||||
@@ -1,28 +1,7 @@
|
|||||||
- name: Stop Bitwarden for rebuild
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ bitwarden_name }}"
|
|
||||||
state: stopped
|
|
||||||
listen: rebuild_bitwarden
|
|
||||||
|
|
||||||
- name: Rebuild Bitwarden
|
- name: Rebuild Bitwarden
|
||||||
ansible.builtin.command: "{{ bitwarden_root }}/bitwarden.sh rebuild"
|
shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
|
||||||
listen: rebuild_bitwarden
|
listen: rebuild_bitwarden
|
||||||
|
|
||||||
- name: Reload systemd manager configuration
|
- name: Start Bitwarden
|
||||||
ansible.builtin.systemd:
|
shell: "{{ bitwarden_root }}/bitwarden.sh start"
|
||||||
daemon_reload: true
|
listen: start_bitwarden
|
||||||
listen: rebuild_bitwarden
|
|
||||||
|
|
||||||
- name: Start Bitwarden after rebuild
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ bitwarden_name }}"
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
listen: rebuild_bitwarden
|
|
||||||
|
|
||||||
- name: Create Bitwarden's initial log file
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
|
|
||||||
state: touch
|
|
||||||
mode: "644"
|
|
||||||
listen: touch_bitwarden
|
|
||||||
|
|||||||
@@ -1,97 +1,76 @@
|
|||||||
- name: Install expect
|
- name: Install expect
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: expect
|
name: expect
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Create Bitwarden directory
|
- name: Create Bitwarden directory
|
||||||
ansible.builtin.file:
|
file:
|
||||||
path: "{{ bitwarden_root }}"
|
path: "{{ bitwarden_root }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: "755"
|
|
||||||
|
|
||||||
- name: Download Bitwarden script
|
- name: Download Bitwarden script
|
||||||
ansible.builtin.get_url:
|
get_url:
|
||||||
url: "https://raw.githubusercontent.com/\
|
url: "https://raw.githubusercontent.com/\
|
||||||
bitwarden/self-host/master/bitwarden.sh"
|
bitwarden/server/master/scripts/bitwarden.sh"
|
||||||
dest: "{{ bitwarden_root }}"
|
dest: "{{ bitwarden_root }}"
|
||||||
mode: u+x
|
mode: u+x
|
||||||
|
|
||||||
- name: Install Bitwarden script wrapper
|
- name: Install Bitwarden script wrapper
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: bw_wrapper.j2
|
src: bw_wrapper.j2
|
||||||
dest: "{{ bitwarden_root }}/bw_wrapper"
|
dest: "{{ bitwarden_root }}/bw_wrapper"
|
||||||
mode: u+x
|
mode: u+x
|
||||||
|
|
||||||
- name: Run Bitwarden installation script
|
- name: Run Bitwarden installation script
|
||||||
ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
|
shell: "{{ bitwarden_root }}/bw_wrapper"
|
||||||
args:
|
args:
|
||||||
creates: "{{ bitwarden_root }}/bwdata/config.yml"
|
creates: "{{ bitwarden_root }}/bwdata/config.yml"
|
||||||
|
notify: start_bitwarden
|
||||||
|
|
||||||
- name: Install compose override
|
- name: Install docker-compose override
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: compose.override.yml.j2
|
src: compose.override.yml.j2
|
||||||
dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
|
dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
|
||||||
mode: "644"
|
notify:
|
||||||
when: bitwarden_override | default(true)
|
- rebuild_bitwarden
|
||||||
notify: rebuild_bitwarden
|
- start_bitwarden
|
||||||
|
|
||||||
- name: Disable bitwarden-nginx HTTP on 80
|
- name: Disable bitwarden-nginx HTTP on 80
|
||||||
ansible.builtin.replace:
|
replace:
|
||||||
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
||||||
regexp: "^http_port: 80$"
|
regexp: "^http_port: 80$"
|
||||||
replace: "http_port: {{ bitwarden_http_port | default('127.0.0.1:9080') }}"
|
replace: "http_port: 8080"
|
||||||
when: not bitwarden_standalone
|
when: not bitwarden_standalone
|
||||||
notify: rebuild_bitwarden
|
notify:
|
||||||
|
- rebuild_bitwarden
|
||||||
|
- start_bitwarden
|
||||||
|
|
||||||
- name: Disable bitwarden-nginx HTTPS on 443
|
- name: Disable bitwarden-nginx HTTPS on 443
|
||||||
ansible.builtin.replace:
|
replace:
|
||||||
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
||||||
regexp: "^https_port: 443$"
|
regexp: "^https_port: 443$"
|
||||||
replace: "https_port: {{ bitwarden_https_port | default('127.0.0.1:9443') }}"
|
replace: "https_port: 8443"
|
||||||
when: not bitwarden_standalone
|
when: not bitwarden_standalone
|
||||||
notify: rebuild_bitwarden
|
notify:
|
||||||
|
- rebuild_bitwarden
|
||||||
|
- start_bitwarden
|
||||||
|
|
||||||
- name: Disable Bitwarden managed Lets Encrypt
|
- name: Disable Bitwarden managed Lets Encrypt
|
||||||
ansible.builtin.replace:
|
replace:
|
||||||
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
||||||
regexp: "^ssl_managed_lets_encrypt: true$"
|
regexp: "^ssl_managed_lets_encrypt: true$"
|
||||||
replace: "ssl_managed_lets_encrypt: false"
|
replace: "ssl_managed_lets_encrypt: false"
|
||||||
when: not bitwarden_standalone or not bitwarden_production
|
when: not bitwarden_standalone or not bitwarden_production
|
||||||
notify: rebuild_bitwarden
|
notify:
|
||||||
|
- rebuild_bitwarden
|
||||||
|
- start_bitwarden
|
||||||
|
|
||||||
- name: Disable Bitwarden managed SSL
|
- name: Disable Bitwarden managed SSL
|
||||||
ansible.builtin.replace:
|
replace:
|
||||||
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
||||||
regexp: "^ssl: true$"
|
regexp: "^ssl: true$"
|
||||||
replace: "ssl: false"
|
replace: "ssl: false"
|
||||||
when: not bitwarden_standalone
|
when: not bitwarden_standalone
|
||||||
notify: rebuild_bitwarden
|
notify:
|
||||||
|
- rebuild_bitwarden
|
||||||
- name: Define reverse proxy servers
|
- start_bitwarden
|
||||||
ansible.builtin.lineinfile:
|
|
||||||
path: "{{ bitwarden_root }}/bwdata/config.yml"
|
|
||||||
line: "- {{ bitwarden_realips }}"
|
|
||||||
insertafter: "^real_ips"
|
|
||||||
notify: rebuild_bitwarden
|
|
||||||
|
|
||||||
- name: Install Bitwarden systemd service
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: bitwarden.service.j2
|
|
||||||
dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
|
|
||||||
mode: "644"
|
|
||||||
register: bitwarden_systemd
|
|
||||||
notify: rebuild_bitwarden
|
|
||||||
|
|
||||||
- name: Create Bitwarden's initial logging directory
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ bitwarden_logs_identity }}"
|
|
||||||
state: directory
|
|
||||||
mode: "755"
|
|
||||||
notify: touch_bitwarden
|
|
||||||
|
|
||||||
- name: Install Bitwarden's Fail2ban jail
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: fail2ban-jail.conf.j2
|
|
||||||
dest: /etc/fail2ban/jail.d/bitwarden.conf
|
|
||||||
mode: "640"
|
|
||||||
notify: restart_fail2ban
|
|
||||||
|
|||||||
@@ -1,13 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=Bitwarden Password Manager Server
|
|
||||||
PartOf=docker.service
|
|
||||||
After=docker.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
RemainAfterExit=true
|
|
||||||
ExecStart={{ bitwarden_root }}/bitwarden.sh start
|
|
||||||
ExecStop={{ bitwarden_root }}/bitwarden.sh stop
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
@@ -14,22 +14,16 @@ send "y\r"
|
|||||||
send "n\r"
|
send "n\r"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
expect "Enter the database name for your Bitwarden instance (ex. vault):"
|
|
||||||
send "{{ bitwarden_database }}\r"
|
|
||||||
|
|
||||||
expect "Enter your installation id (get at https://bitwarden.com/host):"
|
expect "Enter your installation id (get at https://bitwarden.com/host):"
|
||||||
send "{{ bitwarden_install_id }}\r"
|
send "{{ bitwarden_install_id }}\r"
|
||||||
|
|
||||||
expect "Enter your installation key:"
|
expect "Enter your installation key:"
|
||||||
send "{{ bitwarden_install_key }}\r"
|
send "{{ bitwarden_install_key }}\r"
|
||||||
|
|
||||||
expect "Enter your region (US/EU) \\\[US\\\]:"
|
expect "Do you have a SSL certificate to use? (y/n):"
|
||||||
send "US\r"
|
|
||||||
|
|
||||||
expect "Do you have a SSL certificate to use? (y/N):"
|
|
||||||
send "n\r"
|
send "n\r"
|
||||||
|
|
||||||
expect "Do you want to generate a self-signed SSL certificate? (y/N):"
|
expect "Do you want to generate a self-signed SSL certificate? (y/n):"
|
||||||
{% if bitwarden_standalone and not bitwarden_production %}
|
{% if bitwarden_standalone and not bitwarden_production %}
|
||||||
send "y\r"
|
send "y\r"
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|||||||
@@ -1,16 +1,16 @@
|
|||||||
version: '3'
|
|
||||||
|
|
||||||
services:
|
services:
|
||||||
nginx:
|
nginx:
|
||||||
networks:
|
networks:
|
||||||
- traefik
|
- traefik
|
||||||
labels:
|
labels:
|
||||||
traefik.http.routers.bitwarden.rule: "Host(`{{ bitwarden_domain }}`)"
|
traefik.http.routers.bitwarden.rule: "Host(`{{ bitwarden_domain }}`)"
|
||||||
traefik.http.routers.bitwarden.entrypoints: {{ bitwarden_entrypoint | default('web') }}
|
traefik.http.routers.bitwarden.entrypoints: websecure
|
||||||
traefik.http.routers.bitwarden.tls: {{ bitwarden_traefik_tls | default('false') }}
|
traefik.http.routers.bitwarden.tls.certresolver: letsencrypt
|
||||||
|
traefik.http.routers.bitwarden.middlewares: "securehttps@file"
|
||||||
traefik.http.services.bitwarden.loadbalancer.server.port: 8080
|
traefik.http.services.bitwarden.loadbalancer.server.port: 8080
|
||||||
traefik.docker.network: traefik
|
traefik.docker.network: traefik
|
||||||
traefik.enable: "true"
|
traefik.enable: "true"
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
traefik:
|
traefik:
|
||||||
external: true
|
external: true
|
||||||
|
|||||||
@@ -1,9 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
[bitwarden]
|
|
||||||
enabled = true
|
|
||||||
filter = bitwarden
|
|
||||||
logpath = {{ bitwarden_root }}/bwdata/logs/identity/Identity/*
|
|
||||||
maxretry = 10
|
|
||||||
findtime = 3600
|
|
||||||
bantime = 900
|
|
||||||
action = iptables-allports
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
docker_apt_keyring: /etc/apt/keyrings/docker.asc
|
|
||||||
docker_apt_keyring_hash: 1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
|
|
||||||
docker_apt_keyring_url: https://download.docker.com/linux/debian/gpg
|
|
||||||
docker_apt_repo: https://download.docker.com/linux/debian
|
|
||||||
docker_compose_root: /var/lib/compose
|
|
||||||
docker_compose_service: compose
|
|
||||||
docker_compose: "{{ (docker_official | bool) | ternary('/usr/bin/docker compose', '/usr/bin/docker-compose') }}"
|
|
||||||
docker_official: false
|
|
||||||
docker_repos_keys: "{{ docker_repos_path }}/.keys"
|
|
||||||
docker_repos_keytype: rsa
|
|
||||||
docker_repos_path: /srv/.compose_repos
|
|
||||||
1
roles/docker/docker-ce.list
Normal file
1
roles/docker/docker-ce.list
Normal file
@@ -0,0 +1 @@
|
|||||||
|
deb [arch=amd64] https://download.docker.com/linux/debian buster stable
|
||||||
@@ -1,54 +0,0 @@
|
|||||||
- name: Reload systemd manager configuration
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
daemon_reload: true
|
|
||||||
listen: compose_systemd
|
|
||||||
|
|
||||||
- name: Find which services had a docker-compose.yml updated
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
|
|
||||||
loop: "{{ compose_update.results }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.item.name }}"
|
|
||||||
when: item.changed
|
|
||||||
listen: compose_restart
|
|
||||||
|
|
||||||
- name: Find which services had their .env updated
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
|
|
||||||
loop: "{{ compose_env_update.results }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.item.name }}"
|
|
||||||
when: item.changed
|
|
||||||
listen: compose_restart
|
|
||||||
|
|
||||||
- name: Restart MariaDB
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: mariadb
|
|
||||||
state: restarted
|
|
||||||
when: not mariadb_restarted
|
|
||||||
listen: restart_mariadb # hijack handler for early restart
|
|
||||||
|
|
||||||
- name: Set MariaDB as restarted
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
mariadb_restarted: true
|
|
||||||
when: not mariadb_restarted
|
|
||||||
listen: restart_mariadb
|
|
||||||
|
|
||||||
- name: Restart compose services
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
state: restarted
|
|
||||||
name: "{{ docker_compose_service }}@{{ item }}"
|
|
||||||
loop: "{{ compose_restart_list | default([]) | unique }}"
|
|
||||||
when: compose_restart_list is defined
|
|
||||||
listen: compose_restart
|
|
||||||
|
|
||||||
- name: Start compose services and enable on boot
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ docker_compose_service }}@{{ item.name }}"
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
loop: "{{ docker_compose_deploy }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ docker_compose_service }}@{{ item.name }}"
|
|
||||||
when: item.enabled is defined and item.enabled is true
|
|
||||||
listen: compose_enable
|
|
||||||
38
roles/docker/install-compose.sh
Normal file
38
roles/docker/install-compose.sh
Normal file
@@ -0,0 +1,38 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Github username and repo name
|
||||||
|
user="docker"
|
||||||
|
repo="compose"
|
||||||
|
|
||||||
|
# Retrieve the latest version number
|
||||||
|
addr="https://github.com/$user/$repo/releases/latest"
|
||||||
|
page=$(curl -s $addr | grep -o releases/tag/*.*\")
|
||||||
|
version=$(echo $page | awk '{print substr($1, 14, length($1) - 14)}')
|
||||||
|
|
||||||
|
# Download prep
|
||||||
|
url="https://github.com/$user/$repo/releases/download/$version"
|
||||||
|
file="docker-compose-$(uname -s)-$(uname -m)"
|
||||||
|
|
||||||
|
# Download latest Docker Compose if that version hasn't been downloaded
|
||||||
|
if [ ! -f /tmp/docker_compose_$version ]; then
|
||||||
|
curl -L $url/$file -o /tmp/docker-compose_$version
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Is it already installed?
|
||||||
|
if installed=$(which docker-compose); then
|
||||||
|
|
||||||
|
new_chksum=$(sha256sum /tmp/docker-compose_$version)
|
||||||
|
old_chksum=$(sha256sum /usr/local/bin/docker-compose)
|
||||||
|
|
||||||
|
# If checksums are different, delete and install new version
|
||||||
|
if [ ! "$new_chksum" = "$old_chksum" ]; then
|
||||||
|
rm /usr/local/bin/docker-compose
|
||||||
|
mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
|
||||||
|
chmod +x /usr/local/bin/docker-compose
|
||||||
|
fi
|
||||||
|
|
||||||
|
else
|
||||||
|
# It's not installed, so no need to remove
|
||||||
|
mv /tmp/docker-compose_$version /usr/local/bin/docker-compose
|
||||||
|
chmod +x /usr/local/bin/docker-compose
|
||||||
|
fi
|
||||||
@@ -1,151 +1,61 @@
|
|||||||
- name: Add official Docker APT key
|
# Copyright (C) 2019 Kris Lamoureux
|
||||||
ansible.builtin.get_url:
|
#
|
||||||
url: "{{ docker_apt_keyring_url }}"
|
# This program is free software: you can redistribute it and/or modify
|
||||||
dest: "{{ docker_apt_keyring }}"
|
# it under the terms of the GNU General Public License as published by
|
||||||
checksum: "sha256:{{ docker_apt_keyring_hash }}"
|
# the Free Software Foundation, version 3 of the License.
|
||||||
mode: "644"
|
#
|
||||||
owner: root
|
# This program is distributed in the hope that it will be useful,
|
||||||
group: root
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
when: docker_official
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
- name: Remove official Docker APT key
|
- name: Remove old versions of Docker
|
||||||
ansible.builtin.file:
|
apt:
|
||||||
path: "{{ docker_apt_keyring }}"
|
name: ['docker', 'docker-engine', 'docker.io', 'containerd', 'runc']
|
||||||
state: absent
|
state: absent
|
||||||
when: not docker_official
|
|
||||||
|
|
||||||
- name: Add/remove official Docker APT repository
|
|
||||||
ansible.builtin.apt_repository:
|
|
||||||
repo: >
|
|
||||||
deb [arch=amd64 signed-by={{ docker_apt_keyring }}]
|
|
||||||
{{ docker_apt_repo }} {{ ansible_distribution_release }} stable
|
|
||||||
state: "{{ 'present' if docker_official else 'absent' }}"
|
|
||||||
filename: "{{ docker_apt_keyring | regex_replace('^.*/', '') }}"
|
|
||||||
|
|
||||||
- name: Install/uninstall Docker from Debian repositories
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: ['docker.io', 'docker-compose', 'containerd', 'runc']
|
|
||||||
state: "{{ 'absent' if docker_official else 'present' }}"
|
|
||||||
autoremove: true
|
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Install/uninstall Docker from Docker repositories
|
- name: Install HTTPS capability for apt
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
|
name: ['apt-transport-https', 'ca-certificates',
|
||||||
'docker-buildx-plugin', 'docker-compose-plugin']
|
'curl', 'gnupg2', 'software-properties-common']
|
||||||
state: "{{ 'present' if docker_official else 'absent' }}"
|
state: present
|
||||||
autoremove: true
|
|
||||||
|
- name: Install Docker's signing key
|
||||||
|
apt_key:
|
||||||
|
url: https://download.docker.com/linux/debian/gpg
|
||||||
|
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Install Docker's stable repository
|
||||||
|
template:
|
||||||
|
src: docker-ce.list
|
||||||
|
dest: /etc/apt/sources.list.d/docker-ce.list
|
||||||
|
|
||||||
|
- name: Install Docker CE
|
||||||
|
apt:
|
||||||
|
name: ['docker-ce', 'docker-ce-cli', 'containerd.io']
|
||||||
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Login to private registry
|
|
||||||
community.docker.docker_login:
|
|
||||||
registry_url: "{{ docker_login_url | default('') }}"
|
|
||||||
username: "{{ docker_login_user }}"
|
|
||||||
password: "{{ docker_login_pass }}"
|
|
||||||
when: docker_login_user is defined and docker_login_pass is defined
|
|
||||||
|
|
||||||
- name: Create docker-compose root
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ docker_compose_root }}"
|
|
||||||
state: directory
|
|
||||||
mode: "500"
|
|
||||||
|
|
||||||
- name: Install docker-compose systemd service
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: docker-compose.service.j2
|
|
||||||
dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
|
|
||||||
mode: "400"
|
|
||||||
notify: compose_systemd
|
|
||||||
|
|
||||||
- name: Create directories to clone docker-compose repositories
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
mode: "400"
|
|
||||||
loop:
|
|
||||||
- "{{ docker_repos_path }}"
|
|
||||||
- "{{ docker_repos_keys }}"
|
|
||||||
when: docker_compose_deploy is defined
|
|
||||||
|
|
||||||
- name: Generate OpenSSH deploy keys for docker-compose clones
|
|
||||||
community.crypto.openssh_keypair:
|
|
||||||
path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
|
|
||||||
type: "{{ docker_repos_keytype }}"
|
|
||||||
comment: "{{ ansible_hostname }}-deploy-key"
|
|
||||||
mode: "400"
|
|
||||||
state: present
|
|
||||||
when: docker_compose_deploy is defined
|
|
||||||
|
|
||||||
- name: Check for git installation
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: git
|
|
||||||
state: present
|
|
||||||
when: docker_compose_deploy is defined
|
|
||||||
|
|
||||||
- name: Clone external docker-compose projects
|
|
||||||
ansible.builtin.git:
|
|
||||||
repo: "{{ item.url }}"
|
|
||||||
dest: "{{ docker_repos_path }}/{{ item.name }}"
|
|
||||||
version: "{{ item.version }}"
|
|
||||||
accept_newhostkey: "{{ item.accept_newhostkey | default(false) }}"
|
|
||||||
gpg_whitelist: "{{ item.trusted_keys | default([]) }}"
|
|
||||||
verify_commit: "{{ true if (item.trusted_keys is defined and item.trusted_keys) else false }}"
|
|
||||||
key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
|
|
||||||
loop: "{{ docker_compose_deploy }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.url }}"
|
|
||||||
when: docker_compose_deploy is defined
|
|
||||||
|
|
||||||
- name: Create directories for docker-compose projects using the systemd service
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ docker_compose_root }}/{{ item.name }}"
|
|
||||||
state: directory
|
|
||||||
mode: "400"
|
|
||||||
loop: "{{ docker_compose_deploy }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
when: docker_compose_deploy is defined
|
|
||||||
|
|
||||||
- name: Synchronize docker-compose.yml
|
|
||||||
ansible.posix.synchronize:
|
|
||||||
src: "{{ docker_repos_path }}/{{ item.name }}/{{ item.path | default('docker-compose.yml') }}"
|
|
||||||
dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
|
|
||||||
delegate_to: "{{ inventory_hostname }}"
|
|
||||||
register: compose_update
|
|
||||||
notify:
|
|
||||||
- compose_restart
|
|
||||||
- compose_enable
|
|
||||||
loop: "{{ docker_compose_deploy | default([]) }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
when: docker_compose_deploy is defined and docker_compose_deploy | length > 0
|
|
||||||
|
|
||||||
- name: Set environment variables for docker-compose projects
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: docker-compose-env.j2
|
|
||||||
dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
|
|
||||||
mode: "400"
|
|
||||||
register: compose_env_update
|
|
||||||
notify:
|
|
||||||
- compose_restart
|
|
||||||
- compose_enable
|
|
||||||
no_log: "{{ docker_compose_env_nolog | default(true) }}"
|
|
||||||
loop: "{{ docker_compose_deploy }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.name }}"
|
|
||||||
when: docker_compose_deploy is defined and item.env is defined
|
|
||||||
|
|
||||||
- name: Add users to docker group
|
- name: Add users to docker group
|
||||||
ansible.builtin.user:
|
user:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
groups: docker
|
groups: docker
|
||||||
append: true
|
append: true
|
||||||
loop: "{{ docker_users }}"
|
loop: "{{ docker_users }}"
|
||||||
when: docker_users is defined
|
when: docker_users is defined
|
||||||
|
|
||||||
|
- name: Install docker-compose
|
||||||
|
script: install-compose.sh
|
||||||
|
args:
|
||||||
|
creates: /usr/local/bin/docker-compose
|
||||||
|
|
||||||
- name: Start Docker and enable on boot
|
- name: Start Docker and enable on boot
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: docker
|
name: docker
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
||||||
when: docker_managed | default(true)
|
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
{% if item.env is defined %}
|
|
||||||
{% for key, value in item.env.items() %}
|
|
||||||
{% if value is boolean %}
|
|
||||||
{{ key }}={{ value | lower }}
|
|
||||||
{% else %}
|
|
||||||
{{ key }}={{ value }}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=%i {{ docker_compose_service }} service
|
|
||||||
PartOf=docker.service
|
|
||||||
After=docker.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
RemainAfterExit=true
|
|
||||||
WorkingDirectory={{ docker_compose_root }}/%i
|
|
||||||
ExecStart={{ docker_compose }} up -d --remove-orphans
|
|
||||||
ExecStop={{ docker_compose }} down
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
@@ -1,22 +1,11 @@
|
|||||||
# container settings
|
# container settings
|
||||||
gitea_name: gitea
|
gitea_name: gitea
|
||||||
gitea_sshport: "222"
|
gitea_dbname: "{{ gitea_name }}-db"
|
||||||
gitea_webport: "3000"
|
gitea_ports: "222:22"
|
||||||
gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
|
|
||||||
gitea_web: "127.0.0.1:{{ gitea_webport }}"
|
|
||||||
gitea_volume: "{{ gitea_name }}"
|
|
||||||
gitea_rooturl: "https://{{ gitea_domain }}"
|
|
||||||
gitea_signup: true
|
|
||||||
|
|
||||||
# database settings
|
# database settings
|
||||||
gitea_dbtype: mysql
|
gitea_dbuser: "{{ gitea_dbname }}"
|
||||||
gitea_dbhost: host.docker.internal
|
|
||||||
gitea_dbname: "{{ gitea_name }}"
|
|
||||||
gitea_dbuser: "{{ gitea_name }}"
|
|
||||||
|
|
||||||
# proxy settings
|
|
||||||
gitea_proxy_limit: "1"
|
|
||||||
gitea_trusted_proxies: "172.16.0.0/12"
|
|
||||||
|
|
||||||
# host
|
# host
|
||||||
gitea_root: "{{ docker_compose_root }}/{{ gitea_name }}"
|
gitea_root: "/opt/{{ gitea_name }}/data"
|
||||||
|
gitea_dbroot: "/opt/{{ gitea_name }}/database"
|
||||||
|
|||||||
@@ -1,5 +0,0 @@
|
|||||||
- name: Restart Gitea
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ docker_compose_service }}@{{ gitea_name }}"
|
|
||||||
state: restarted
|
|
||||||
listen: restart_gitea
|
|
||||||
@@ -1,78 +1,54 @@
|
|||||||
- name: Install MySQL module for Ansible
|
- name: Create Gitea Network
|
||||||
ansible.builtin.apt:
|
docker_network:
|
||||||
name: python3-pymysql
|
name: "{{ gitea_name }}"
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Create Gitea database
|
- name: Start Gitea's database container
|
||||||
community.mysql.mysql_db:
|
docker_container:
|
||||||
name: "{{ gitea.DB_NAME }}"
|
name: "{{ gitea_dbname }}"
|
||||||
state: present
|
image: mariadb:{{ gitea_dbversion }}
|
||||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
state: started
|
||||||
|
restart_policy: always
|
||||||
|
volumes: "{{ gitea_dbroot }}:/var/lib/mysql"
|
||||||
|
networks_cli_compatible: true
|
||||||
|
networks:
|
||||||
|
- name: "{{ gitea_name }}"
|
||||||
|
env:
|
||||||
|
MYSQL_RANDOM_ROOT_PASSWORD: "true"
|
||||||
|
MYSQL_DATABASE: "{{ gitea_dbname }}"
|
||||||
|
MYSQL_USER: "{{ gitea_dbuser }}"
|
||||||
|
MYSQL_PASSWORD: "{{ gitea_dbpass }}"
|
||||||
|
|
||||||
- name: Create Gitea database user
|
- name: Start Gitea container
|
||||||
community.mysql.mysql_user:
|
docker_container:
|
||||||
name: "{{ gitea.DB_USER }}"
|
name: "{{ gitea_name }}"
|
||||||
password: "{{ gitea.DB_PASSWD }}"
|
image: gitea/gitea:{{ gitea_version }}
|
||||||
host: '%'
|
state: started
|
||||||
state: present
|
restart_policy: always
|
||||||
priv: "{{ gitea.DB_NAME }}.*:ALL"
|
networks_cli_compatible: true
|
||||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
ports: "{{ gitea_ports }}"
|
||||||
|
networks:
|
||||||
- name: Create git's .ssh directory
|
- name: "{{ gitea_name }}"
|
||||||
ansible.builtin.file:
|
- name: traefik
|
||||||
path: /home/git/.ssh
|
volumes:
|
||||||
mode: "700"
|
- "{{ gitea_root }}:/data"
|
||||||
state: directory
|
- /etc/timezone:/etc/timezone:ro
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
- name: Generate git's SSH keys
|
env:
|
||||||
community.crypto.openssh_keypair:
|
USER_UID: "1000"
|
||||||
path: /home/git/.ssh/id_rsa
|
USER_GID: "1000"
|
||||||
|
DB_TYPE: mysql
|
||||||
- name: Find git's public SSH key
|
DB_HOST: "{{ gitea_dbname }}"
|
||||||
ansible.builtin.slurp:
|
DB_NAME: "{{ gitea_dbname }}"
|
||||||
src: /home/git/.ssh/id_rsa.pub
|
DB_USER: "{{ gitea_dbuser }}"
|
||||||
register: git_rsapub
|
DB_PASSWD: "{{ gitea_dbpass }}"
|
||||||
|
ROOT_URL: "https://{{ gitea_domain }}/"
|
||||||
- name: Get stats on git's authorized_keys file
|
SSH_DOMAIN: "{{ gitea_domain }}"
|
||||||
ansible.builtin.stat:
|
DOMAIN: "{{ gitea_domain }}"
|
||||||
path: /home/git/.ssh/authorized_keys
|
labels:
|
||||||
register: git_authkeys
|
traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)"
|
||||||
|
traefik.http.routers.gitea.entrypoints: websecure
|
||||||
- name: Create git's authorized_keys file
|
traefik.http.routers.gitea.tls.certresolver: letsencrypt
|
||||||
ansible.builtin.file:
|
traefik.http.routers.gitea.middlewares: "securehttps@file"
|
||||||
path: /home/git/.ssh/authorized_keys
|
traefik.http.services.gitea.loadbalancer.server.port: "3000"
|
||||||
mode: "600"
|
traefik.docker.network: traefik
|
||||||
state: touch
|
traefik.enable: "true"
|
||||||
when: not git_authkeys.stat.exists
|
|
||||||
|
|
||||||
- name: Add git's public SSH key to authorized_keys
|
|
||||||
ansible.builtin.lineinfile:
|
|
||||||
path: /home/git/.ssh/authorized_keys
|
|
||||||
regex: "^ssh-rsa"
|
|
||||||
line: "{{ git_rsapub['content'] | b64decode }}"
|
|
||||||
|
|
||||||
- name: Create Gitea host script for SSH
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: gitea.sh.j2
|
|
||||||
dest: /usr/local/bin/gitea
|
|
||||||
mode: "755"
|
|
||||||
|
|
||||||
- name: Create Gitea's logging directory
|
|
||||||
ansible.builtin.file:
|
|
||||||
name: /var/log/gitea
|
|
||||||
state: directory
|
|
||||||
mode: "755"
|
|
||||||
|
|
||||||
- name: Install Gitea's Fail2ban filter
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: fail2ban-filter.conf.j2
|
|
||||||
dest: /etc/fail2ban/filter.d/gitea.conf
|
|
||||||
mode: "644"
|
|
||||||
notify: restart_fail2ban
|
|
||||||
|
|
||||||
- name: Install Gitea's Fail2ban jail
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: fail2ban-jail.conf.j2
|
|
||||||
dest: /etc/fail2ban/jail.d/gitea.conf
|
|
||||||
mode: "640"
|
|
||||||
notify: restart_fail2ban
|
|
||||||
|
|||||||
@@ -1,19 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
gitea_version={{ gitea_version }}
|
|
||||||
gitea_name={{ gitea_name }}
|
|
||||||
gitea_domain={{ gitea_domain }}
|
|
||||||
gitea_rooturl={{ gitea_rooturl }}
|
|
||||||
gitea_web={{ gitea_web }}
|
|
||||||
gitea_ssh={{ gitea_ssh }}
|
|
||||||
gitea_dbtype={{ gitea_dbtype }}
|
|
||||||
gitea_dbhost={{ gitea_dbhost }}
|
|
||||||
gitea_dbname={{ gitea_dbname }}
|
|
||||||
gitea_dbuser={{ gitea_dbuser }}
|
|
||||||
gitea_dbpass={{ gitea_dbpass }}
|
|
||||||
gitea_proxy_limit={{ gitea_proxy_limit }}
|
|
||||||
gitea_trusted_proxies={{ gitea_trusted_proxies }}
|
|
||||||
{% if not gitea_signup %}
|
|
||||||
gitea_disable_registration=true
|
|
||||||
{% else %}
|
|
||||||
gitea_disable_registration=false
|
|
||||||
{% endif %}
|
|
||||||
@@ -1,36 +0,0 @@
|
|||||||
version: '3.7'
|
|
||||||
|
|
||||||
services:
|
|
||||||
gitea:
|
|
||||||
image: "gitea/gitea:${gitea_version}"
|
|
||||||
container_name: "${gitea_name}"
|
|
||||||
ports:
|
|
||||||
- "${gitea_ssh}:22"
|
|
||||||
- "${gitea_web}:3000"
|
|
||||||
extra_hosts:
|
|
||||||
- "host.docker.internal:host-gateway"
|
|
||||||
environment:
|
|
||||||
- USER_UID={{ getent_passwd.git[1] }}
|
|
||||||
- USER_GID={{ getent_group.git[1] }}
|
|
||||||
- GITEA__log__MODE=file
|
|
||||||
- GITEA__server__ROOT_URL=${gitea_rooturl}
|
|
||||||
- GITEA__server__DOMAIN=${gitea_domain}
|
|
||||||
- GITEA__server__SSH_DOMAIN=${gitea_domain}
|
|
||||||
- GITEA__database__DB_TYPE=${gitea_dbtype}
|
|
||||||
- GITEA__database__HOST=${gitea_dbhost}
|
|
||||||
- GITEA__database__NAME=${gitea_dbname}
|
|
||||||
- GITEA__database__USER=${gitea_dbuser}
|
|
||||||
- GITEA__database__PASSWD=${gitea_dbpass}
|
|
||||||
- GITEA__security__INSTALL_LOCK=true
|
|
||||||
- GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
|
|
||||||
- GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
|
|
||||||
- GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
|
|
||||||
volumes:
|
|
||||||
- {{ gitea_volume }}:/data
|
|
||||||
- /home/git/.ssh:/data/git/.ssh
|
|
||||||
- /var/log/gitea:/data/gitea/log
|
|
||||||
- /etc/timezone:/etc/timezone:ro
|
|
||||||
- /etc/localtime:/etc/localtime:ro
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
{{ gitea_volume }}:
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
[Definition]
|
|
||||||
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
|
|
||||||
ignoreregex =
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
[gitea]
|
|
||||||
enabled = true
|
|
||||||
filter = gitea
|
|
||||||
logpath = /var/log/gitea/gitea.log
|
|
||||||
maxretry = 10
|
|
||||||
findtime = 3600
|
|
||||||
bantime = 900
|
|
||||||
action = iptables-allports
|
|
||||||
|
|
||||||
[gitea-docker]
|
|
||||||
enabled = true
|
|
||||||
filter = gitea
|
|
||||||
logpath = /var/log/gitea/gitea.log
|
|
||||||
maxretry = 10
|
|
||||||
findtime = 3600
|
|
||||||
bantime = 900
|
|
||||||
action = iptables-allports[chain="FORWARD"]
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
ssh -p {{ gitea_sshport }} -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
jellyfin_name: jellyfin
|
|
||||||
jellyfin_router: "{{ jellyfin_name }}"
|
|
||||||
jellyfin_rooturl: "https://{{ jellyfin_domain }}"
|
|
||||||
jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
- name: Restart Jellyfin
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ docker_compose_service }}@{{ jellyfin_name }}"
|
|
||||||
state: restarted
|
|
||||||
listen: restart_jellyfin
|
|
||||||
@@ -1,35 +0,0 @@
|
|||||||
- name: Create Jellyfin directory
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ jellyfin_root }}"
|
|
||||||
state: directory
|
|
||||||
mode: 0500
|
|
||||||
|
|
||||||
- name: Get user jellyfin uid
|
|
||||||
ansible.builtin.getent:
|
|
||||||
database: passwd
|
|
||||||
key: jellyfin
|
|
||||||
|
|
||||||
- name: Get user jellyfin gid
|
|
||||||
ansible.builtin.getent:
|
|
||||||
database: group
|
|
||||||
key: jellyfin
|
|
||||||
|
|
||||||
- name: Install Jellyfin's docker-compose file
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: docker-compose.yml.j2
|
|
||||||
dest: "{{ jellyfin_root }}/docker-compose.yml"
|
|
||||||
mode: 0400
|
|
||||||
notify: restart_jellyfin
|
|
||||||
|
|
||||||
- name: Install Jellyfin's docker-compose variables
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: compose-env.j2
|
|
||||||
dest: "{{ jellyfin_root }}/.env"
|
|
||||||
mode: 0400
|
|
||||||
notify: restart_jellyfin
|
|
||||||
|
|
||||||
- name: Start and enable Jellyfin service
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ docker_compose_service }}@{{ jellyfin_name }}"
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
# {{ ansible_managed }}
|
|
||||||
jellyfin_version={{ jellyfin_version }}
|
|
||||||
jellyfin_name={{ jellyfin_name }}
|
|
||||||
jellyfin_domain={{ jellyfin_domain }}
|
|
||||||
jellyfin_rooturl={{ jellyfin_rooturl }}
|
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
version: '3.7'
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
config:
|
|
||||||
cache:
|
|
||||||
|
|
||||||
networks:
|
|
||||||
traefik:
|
|
||||||
external: true
|
|
||||||
|
|
||||||
services:
|
|
||||||
jellyfin:
|
|
||||||
image: "jellyfin/jellyfin:${jellyfin_version}"
|
|
||||||
container_name: "${jellyfin_name}"
|
|
||||||
networks:
|
|
||||||
- traefik
|
|
||||||
labels:
|
|
||||||
- "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
|
|
||||||
{% if traefik_http_only %}
|
|
||||||
- "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
|
|
||||||
{% else %}
|
|
||||||
- "traefik.http.routers.{{ jellyfin_router }}.entrypoints=websecure"
|
|
||||||
{% endif %}
|
|
||||||
- "traefik.http.services.{{ jellyfin_router }}.loadbalancer.server.port=8096"
|
|
||||||
- "traefik.docker.network=traefik"
|
|
||||||
- "traefik.enable=true"
|
|
||||||
volumes:
|
|
||||||
- config:/config
|
|
||||||
- cache:/cache
|
|
||||||
- {{ jellyfin_media }}:/media
|
|
||||||
1
roles/jenkins/files/ansible.list
Normal file
1
roles/jenkins/files/ansible.list
Normal file
@@ -0,0 +1 @@
|
|||||||
|
deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main
|
||||||
@@ -1,5 +1,10 @@
|
|||||||
|
- name: Install GnuPG
|
||||||
|
apt:
|
||||||
|
name: gnupg
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: Create Jenkins user
|
- name: Create Jenkins user
|
||||||
ansible.builtin.user:
|
user:
|
||||||
name: "{{ jenkins_user }}"
|
name: "{{ jenkins_user }}"
|
||||||
state: present
|
state: present
|
||||||
shell: /bin/bash
|
shell: /bin/bash
|
||||||
@@ -7,25 +12,35 @@
|
|||||||
generate_ssh_key: true
|
generate_ssh_key: true
|
||||||
|
|
||||||
- name: Set Jenkins authorized key
|
- name: Set Jenkins authorized key
|
||||||
ansible.posix.authorized_key:
|
authorized_key:
|
||||||
user: jenkins
|
user: jenkins
|
||||||
state: present
|
state: present
|
||||||
exclusive: true
|
exclusive: true
|
||||||
key: "{{ jenkins_sshkey }}"
|
key: "{{ jenkins_sshkey }}"
|
||||||
|
|
||||||
- name: Give Jenkins user passwordless sudo
|
- name: Give Jenkins user passwordless sudo
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: jenkins_sudoers.j2
|
src: jenkins_sudoers.j2
|
||||||
dest: /etc/sudoers.d/{{ jenkins_user }}
|
dest: /etc/sudoers.d/{{ jenkins_user }}
|
||||||
validate: "visudo -cf %s"
|
validate: "visudo -cf %s"
|
||||||
mode: 0440
|
mode: 0440
|
||||||
|
|
||||||
|
- name: Install Ansible source
|
||||||
|
copy:
|
||||||
|
src: ansible.list
|
||||||
|
dest: /etc/apt/sources.list.d/ansible.list
|
||||||
|
|
||||||
|
- name: Add Ansible source key
|
||||||
|
apt_key:
|
||||||
|
keyserver: keyserver.ubuntu.com
|
||||||
|
id: 93C4A3FD7BB9C367
|
||||||
|
|
||||||
- name: Install Ansible
|
- name: Install Ansible
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: ansible
|
name: ansible
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Install Java
|
- name: Install Java
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: default-jre
|
name: default-jre
|
||||||
state: present
|
state: present
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
- ansible.builtin.import_tasks: agent.yml
|
- import_tasks: agent.yml
|
||||||
when: jenkins_sshkey is defined
|
when: jenkins_sshkey is defined
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: server.yml
|
- import_tasks: server.yml
|
||||||
when: jenkins_domain is defined
|
when: jenkins_domain is defined
|
||||||
|
|||||||
@@ -1,12 +1,12 @@
|
|||||||
- name: Create Jenkin's directory
|
- name: Create Jenkin's directory
|
||||||
ansible.builtin.file:
|
file:
|
||||||
path: "{{ jenkins_root }}"
|
path: "{{ jenkins_root }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "1000"
|
owner: "1000"
|
||||||
group: "1000"
|
group: "1000"
|
||||||
|
|
||||||
- name: Start Jenkins Container
|
- name: Start Jenkins Container
|
||||||
community.general.docker_container:
|
docker_container:
|
||||||
name: "{{ jenkins_name }}"
|
name: "{{ jenkins_name }}"
|
||||||
image: jenkins/jenkins:{{ jenkins_version }}
|
image: jenkins/jenkins:{{ jenkins_version }}
|
||||||
state: started
|
state: started
|
||||||
|
|||||||
@@ -1,15 +1,15 @@
|
|||||||
- name: Install QEMU/KVM
|
- name: Install QEMU/KVM
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: qemu-kvm
|
name: qemu-kvm
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Install Libvirt
|
- name: Install Libvirt
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: ["libvirt-clients", "libvirt-daemon-system"]
|
name: ["libvirt-clients", "libvirt-daemon-system"]
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Add users to libvirt group
|
- name: Add users to libvirt group
|
||||||
ansible.builtin.user:
|
user:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
groups: libvirt
|
groups: libvirt
|
||||||
append: yes
|
append: yes
|
||||||
@@ -17,12 +17,12 @@
|
|||||||
when: libvirt_users is defined
|
when: libvirt_users is defined
|
||||||
|
|
||||||
- name: Check for NODOWNLOAD file
|
- name: Check for NODOWNLOAD file
|
||||||
ansible.builtin.stat:
|
stat:
|
||||||
path: /var/lib/libvirt/images/NODOWNLOAD
|
path: /var/lib/libvirt/images/NODOWNLOAD
|
||||||
register: NODOWNLOAD
|
register: NODOWNLOAD
|
||||||
|
|
||||||
- name: Download GNU/Linux ISOs
|
- name: Download GNU/Linux ISOs
|
||||||
ansible.builtin.get_url:
|
get_url:
|
||||||
url: "{{ item.url }}"
|
url: "{{ item.url }}"
|
||||||
dest: /var/lib/libvirt/images
|
dest: /var/lib/libvirt/images
|
||||||
checksum: "{{ item.hash }}"
|
checksum: "{{ item.hash }}"
|
||||||
@@ -34,7 +34,7 @@
|
|||||||
|
|
||||||
# Prevent downloaded ISOs from being rehashed every run
|
# Prevent downloaded ISOs from being rehashed every run
|
||||||
- name: Create NODOWNLOAD file
|
- name: Create NODOWNLOAD file
|
||||||
ansible.builtin.file:
|
file:
|
||||||
path: /var/lib/libvirt/images/NODOWNLOAD
|
path: /var/lib/libvirt/images/NODOWNLOAD
|
||||||
state: touch
|
state: touch
|
||||||
when: download_isos.changed
|
when: download_isos.changed
|
||||||
|
|||||||
@@ -1,12 +0,0 @@
|
|||||||
- name: Restart MariaDB
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: mariadb
|
|
||||||
state: restarted
|
|
||||||
when: not mariadb_restarted
|
|
||||||
listen: restart_mariadb
|
|
||||||
|
|
||||||
- name: Set MariaDB as restarted
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
mariadb_restarted: true
|
|
||||||
when: not mariadb_restarted
|
|
||||||
listen: restart_mariadb
|
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
- name: Install MariaDB
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: mariadb-server
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Set MariaDB restarted fact
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
mariadb_restarted: false
|
|
||||||
|
|
||||||
- name: Regather facts for the potentially new docker0 interface
|
|
||||||
ansible.builtin.setup:
|
|
||||||
|
|
||||||
- name: Change the bind-address to allow from docker0
|
|
||||||
ansible.builtin.lineinfile:
|
|
||||||
path: /etc/mysql/mariadb.conf.d/50-server.cnf
|
|
||||||
regex: "^bind-address"
|
|
||||||
line: "bind-address = {{ ansible_facts.docker0.ipv4.address }}"
|
|
||||||
notify: restart_mariadb
|
|
||||||
|
|
||||||
- name: Flush handlers to ensure MariaDB restarts immediately
|
|
||||||
ansible.builtin.meta: flush_handlers
|
|
||||||
tags: restart_mariadb
|
|
||||||
|
|
||||||
- name: Allow database connections from Docker
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: "3306"
|
|
||||||
proto: tcp
|
|
||||||
src: "{{ item }}"
|
|
||||||
loop: "{{ mariadb_trust | default(['172.16.0.0/12']) }}"
|
|
||||||
1
roles/mediawiki/defaults/main.yml
Normal file
1
roles/mediawiki/defaults/main.yml
Normal file
@@ -0,0 +1 @@
|
|||||||
|
mediawiki_name: mediawiki
|
||||||
51
roles/mediawiki/tasks/main.yml
Normal file
51
roles/mediawiki/tasks/main.yml
Normal file
@@ -0,0 +1,51 @@
|
|||||||
|
- name: Create MediaWiki Network
|
||||||
|
docker_network:
|
||||||
|
name: "{{ mediawiki_name }}"
|
||||||
|
|
||||||
|
- name: Start MediaWiki's database container
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mediawiki_dbname }}"
|
||||||
|
image: mariadb:{{ mediawiki_dbversion }}
|
||||||
|
state: started
|
||||||
|
restart_policy: always
|
||||||
|
volumes: "{{ mediawiki_dbroot }}:/var/lib/mysql"
|
||||||
|
networks_cli_compatible: true
|
||||||
|
networks:
|
||||||
|
- name: "{{ mediawiki_name }}"
|
||||||
|
env:
|
||||||
|
MYSQL_RANDOM_ROOT_PASSWORD: "true"
|
||||||
|
MYSQL_DATABASE: "{{ mediawiki_dbname }}"
|
||||||
|
MYSQL_USER: "{{ mediawiki_dbuser }}"
|
||||||
|
MYSQL_PASSWORD: "{{ mediawiki_dbpass }}"
|
||||||
|
|
||||||
|
- name: Start mediawiki container
|
||||||
|
docker_container:
|
||||||
|
name: "{{ mediawiki_name }}"
|
||||||
|
image: mediawiki/mediawiki:{{ mediawiki_version }}
|
||||||
|
state: started
|
||||||
|
restart_policy: always
|
||||||
|
networks_cli_compatible: true
|
||||||
|
ports: "{{ mediawiki_ports }}"
|
||||||
|
networks:
|
||||||
|
- name: "{{ mediawiki_name }}"
|
||||||
|
- name: traefik
|
||||||
|
# volumes:
|
||||||
|
# env:
|
||||||
|
# USER_UID: "1000"
|
||||||
|
# USER_GID: "1000"
|
||||||
|
# DB_TYPE: mysql
|
||||||
|
# DB_HOST: "{{ gitea_dbname }}"
|
||||||
|
# DB_NAME: "{{ gitea_dbname }}"
|
||||||
|
# DB_USER: "{{ gitea_dbuser }}"
|
||||||
|
# DB_PASSWD: "{{ gitea_dbpass }}"
|
||||||
|
# ROOT_URL: "https://{{ gitea_domain }}/"
|
||||||
|
# SSH_DOMAIN: "{{ gitea_domain }}"
|
||||||
|
# DOMAIN: "{{ gitea_domain }}"
|
||||||
|
# labels:
|
||||||
|
# traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)"
|
||||||
|
# traefik.http.routers.gitea.entrypoints: websecure
|
||||||
|
# traefik.http.routers.gitea.tls.certresolver: letsencrypt
|
||||||
|
# traefik.http.routers.gitea.middlewares: "securehttps@file"
|
||||||
|
# traefik.http.services.gitea.loadbalancer.server.port: "3000"
|
||||||
|
# traefik.docker.network: traefik
|
||||||
|
# traefik.enable: "true"
|
||||||
@@ -1,28 +1,28 @@
|
|||||||
- name: Install GPG
|
- name: Install GPG
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: gpg
|
name: gpg
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Add AdoptOpenJDK's signing key
|
- name: Add AdoptOpenJDK's signing key
|
||||||
ansible.builtin.apt_key:
|
apt_key:
|
||||||
id: 8ED17AF5D7E675EB3EE3BCE98AC3B29174885C03
|
id: 8ED17AF5D7E675EB3EE3BCE98AC3B29174885C03
|
||||||
url: https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
|
url: https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
|
||||||
|
|
||||||
- name: Install AdoptOpenJDK repository
|
- name: Install AdoptOpenJDK repository
|
||||||
ansible.builtin.apt_repository:
|
apt_repository:
|
||||||
repo: deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
|
repo: deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
|
||||||
mode: 0644
|
mode: 0644
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Install Java
|
- name: Install Java
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: "adoptopenjdk-{{ item.java.version }}-hotspot"
|
name: "adoptopenjdk-{{ item.java.version }}-hotspot"
|
||||||
state: present
|
state: present
|
||||||
when: item.java.version is defined
|
when: item.java.version is defined
|
||||||
loop: "{{ minecraft }}"
|
loop: "{{ minecraft }}"
|
||||||
|
|
||||||
- name: "Install default Java, version {{ minecraft_java }}"
|
- name: "Install default Java, version {{ minecraft_java }}"
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: "{{ minecraft_java_pkg }}"
|
name: "{{ minecraft_java_pkg }}"
|
||||||
state: present
|
state: present
|
||||||
when: item.java.version is not defined
|
when: item.java.version is not defined
|
||||||
@@ -30,7 +30,7 @@
|
|||||||
register: minecraft_java_default
|
register: minecraft_java_default
|
||||||
|
|
||||||
- name: "Activate default Java, version {{ minecraft_java }}"
|
- name: "Activate default Java, version {{ minecraft_java }}"
|
||||||
community.general.alternatives:
|
alternatives:
|
||||||
name: java
|
name: java
|
||||||
path: "/usr/lib/jvm/{{ minecraft_java_pkg }}-amd64/bin/java"
|
path: "/usr/lib/jvm/{{ minecraft_java_pkg }}-amd64/bin/java"
|
||||||
when: minecraft_java_default.changed
|
when: minecraft_java_default.changed
|
||||||
|
|||||||
@@ -1,14 +1,14 @@
|
|||||||
- ansible.builtin.import_tasks: system.yml
|
- import_tasks: system.yml
|
||||||
when: minecraft_eula
|
when: minecraft_eula
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: java.yml
|
- import_tasks: java.yml
|
||||||
when: minecraft_eula
|
when: minecraft_eula
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: vanilla.yml
|
- import_tasks: vanilla.yml
|
||||||
when: minecraft_eula
|
when: minecraft_eula
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: modpacks.yml
|
- import_tasks: modpacks.yml
|
||||||
when: minecraft_eula
|
when: minecraft_eula
|
||||||
|
|
||||||
- ansible.builtin.import_tasks: service.yml
|
- import_tasks: service.yml
|
||||||
when: minecraft_eula
|
when: minecraft_eula
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
- name: Download Minecraft modpack installer
|
- name: Download Minecraft modpack installer
|
||||||
ansible.builtin.get_url:
|
get_url:
|
||||||
url: "{{ minecraft_modpack_url }}"
|
url: "{{ minecraft_modpack_url }}"
|
||||||
dest: "{{ minecraft_home }}/{{ item.name }}/serverinstall_{{ item.modpack | replace ('/', '_') }}"
|
dest: "{{ minecraft_home }}/{{ item.name }}/serverinstall_{{ item.modpack | replace ('/', '_') }}"
|
||||||
owner: "{{ minecraft_user }}"
|
owner: "{{ minecraft_user }}"
|
||||||
@@ -9,7 +9,7 @@
|
|||||||
when: item.modpack is defined and item.sha1 is not defined
|
when: item.modpack is defined and item.sha1 is not defined
|
||||||
|
|
||||||
- name: Run Minecraft modpack installer
|
- name: Run Minecraft modpack installer
|
||||||
ansible.builtin.command: "sudo -u {{ minecraft_user }} ./serverinstall_{{ item.modpack | replace ('/', '_') }} --auto"
|
command: "sudo -u {{ minecraft_user }} ./serverinstall_{{ item.modpack | replace ('/', '_') }} --auto"
|
||||||
args:
|
args:
|
||||||
creates: "{{ minecraft_home }}/{{ item.name }}/mods"
|
creates: "{{ minecraft_home }}/{{ item.name }}/mods"
|
||||||
chdir: "{{ minecraft_home }}/{{ item.name }}"
|
chdir: "{{ minecraft_home }}/{{ item.name }}"
|
||||||
@@ -17,7 +17,7 @@
|
|||||||
when: item.modpack is defined and item.sha1 is not defined
|
when: item.modpack is defined and item.sha1 is not defined
|
||||||
|
|
||||||
- name: Find Minecraft Forge
|
- name: Find Minecraft Forge
|
||||||
ansible.builtin.find:
|
find:
|
||||||
paths: "{{ minecraft_home }}/{{ item.name }}"
|
paths: "{{ minecraft_home }}/{{ item.name }}"
|
||||||
patterns: "forge*.jar"
|
patterns: "forge*.jar"
|
||||||
register: minecraft_forge
|
register: minecraft_forge
|
||||||
@@ -25,7 +25,7 @@
|
|||||||
when: item.modpack is defined and item.sha1 is not defined
|
when: item.modpack is defined and item.sha1 is not defined
|
||||||
|
|
||||||
- name: Link to Minecraft Forge
|
- name: Link to Minecraft Forge
|
||||||
ansible.builtin.file:
|
file:
|
||||||
src: "{{ item.files[0].path }}"
|
src: "{{ item.files[0].path }}"
|
||||||
dest: "{{ minecraft_home }}/{{ item.item.name }}/minecraft_server.jar"
|
dest: "{{ minecraft_home }}/{{ item.item.name }}/minecraft_server.jar"
|
||||||
owner: "{{ minecraft_user }}"
|
owner: "{{ minecraft_user }}"
|
||||||
|
|||||||
@@ -1,11 +1,11 @@
|
|||||||
- name: Deploy Minecraft systemd service
|
- name: Deploy Minecraft systemd service
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: minecraft.service.j2
|
src: minecraft.service.j2
|
||||||
dest: "/etc/systemd/system/minecraft@.service"
|
dest: "/etc/systemd/system/minecraft@.service"
|
||||||
register: minecraft_systemd
|
register: minecraft_systemd
|
||||||
|
|
||||||
- name: Deploy service environmental variables
|
- name: Deploy service environmental variables
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: environment.conf.j2
|
src: environment.conf.j2
|
||||||
dest: "{{ minecraft_home }}/{{ item.name }}/environment.conf"
|
dest: "{{ minecraft_home }}/{{ item.name }}/environment.conf"
|
||||||
owner: "{{ minecraft_user }}"
|
owner: "{{ minecraft_user }}"
|
||||||
@@ -13,25 +13,25 @@
|
|||||||
loop: "{{ minecraft }}"
|
loop: "{{ minecraft }}"
|
||||||
|
|
||||||
- name: Reload systemd manager configuration
|
- name: Reload systemd manager configuration
|
||||||
ansible.builtin.systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
when: minecraft_systemd.changed
|
when: minecraft_systemd.changed
|
||||||
|
|
||||||
- name: Disable non-default service instances
|
- name: Disable non-default service instances
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: "minecraft@{{ item.name }}"
|
name: "minecraft@{{ item.name }}"
|
||||||
enabled: false
|
enabled: false
|
||||||
loop: "{{ minecraft }}"
|
loop: "{{ minecraft }}"
|
||||||
when: item.name != minecraft_onboot
|
when: item.name != minecraft_onboot
|
||||||
|
|
||||||
- name: Enable default service instance
|
- name: Enable default service instance
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: "minecraft@{{ minecraft_onboot }}"
|
name: "minecraft@{{ minecraft_onboot }}"
|
||||||
enabled: true
|
enabled: true
|
||||||
when: minecraft_eula and minecraft_onboot is defined
|
when: minecraft_eula and minecraft_onboot is defined
|
||||||
|
|
||||||
- name: Run default service instance
|
- name: Run default service instance
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: "minecraft@{{ minecraft_onboot }}"
|
name: "minecraft@{{ minecraft_onboot }}"
|
||||||
state: started
|
state: started
|
||||||
when: minecraft_eula and minecraft_onboot is defined and minecraft_onboot_run
|
when: minecraft_eula and minecraft_onboot is defined and minecraft_onboot_run
|
||||||
|
|||||||
@@ -1,16 +1,16 @@
|
|||||||
- name: Install Screen
|
- name: Install Screen
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: screen
|
name: screen
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Create Minecraft user
|
- name: Create Minecraft user
|
||||||
ansible.builtin.user:
|
user:
|
||||||
name: "{{ minecraft_user }}"
|
name: "{{ minecraft_user }}"
|
||||||
state: present
|
state: present
|
||||||
ansible.builtin.shell: /bin/bash
|
shell: /bin/bash
|
||||||
|
|
||||||
- name: Create Minecraft directory
|
- name: Create Minecraft directory
|
||||||
ansible.builtin.file:
|
file:
|
||||||
path: "{{ minecraft_home }}/{{ item.name }}"
|
path: "{{ minecraft_home }}/{{ item.name }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ minecraft_user }}"
|
owner: "{{ minecraft_user }}"
|
||||||
@@ -18,7 +18,7 @@
|
|||||||
loop: "{{ minecraft }}"
|
loop: "{{ minecraft }}"
|
||||||
|
|
||||||
- name: Answer to Mojang's EULA
|
- name: Answer to Mojang's EULA
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: eula.txt.j2
|
src: eula.txt.j2
|
||||||
dest: "{{ minecraft_home }}/{{ item.name }}/eula.txt"
|
dest: "{{ minecraft_home }}/{{ item.name }}/eula.txt"
|
||||||
owner: "{{ minecraft_user }}"
|
owner: "{{ minecraft_user }}"
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
- name: Download Minecraft
|
- name: Download Minecraft
|
||||||
ansible.builtin.get_url:
|
get_url:
|
||||||
url: "{{ minecraft_url }}"
|
url: "{{ minecraft_url }}"
|
||||||
dest: "{{ minecraft_home }}/{{ item.name }}/minecraft_server.jar"
|
dest: "{{ minecraft_home }}/{{ item.name }}/minecraft_server.jar"
|
||||||
checksum: "sha1:{{ item.sha1 }}"
|
checksum: "sha1:{{ item.sha1 }}"
|
||||||
|
|||||||
@@ -1 +1,11 @@
|
|||||||
nextcloud_name: nextcloud
|
# container names
|
||||||
|
nextcloud_container: nextcloud
|
||||||
|
nextcloud_dbcontainer: "{{ nextcloud_container }}-db"
|
||||||
|
|
||||||
|
# database settings
|
||||||
|
nextcloud_dbname: "{{ nextcloud_container }}"
|
||||||
|
nextcloud_dbuser: "{{ nextcloud_dbname }}"
|
||||||
|
|
||||||
|
# host mounts
|
||||||
|
nextcloud_root: "/opt/{{ nextcloud_container }}/public_html"
|
||||||
|
nextcloud_dbroot: "/opt/{{ nextcloud_container }}/database"
|
||||||
|
|||||||
@@ -1,25 +0,0 @@
|
|||||||
- name: Set Nextcloud's Trusted Proxy
|
|
||||||
ansible.builtin.command: >
|
|
||||||
docker exec --user www-data "{{ nextcloud_name }}"
|
|
||||||
php occ config:system:set trusted_proxies 0 --value="{{ traefik_name }}"
|
|
||||||
register: nextcloud_trusted_proxy
|
|
||||||
changed_when: "nextcloud_trusted_proxy.stdout == 'System config value trusted_proxies => 0 set to string ' ~ traefik_name"
|
|
||||||
listen: install_nextcloud
|
|
||||||
|
|
||||||
- name: Set Nextcloud's Trusted Domain
|
|
||||||
ansible.builtin.command: >
|
|
||||||
docker exec --user www-data "{{ nextcloud_name }}"
|
|
||||||
php occ config:system:set trusted_domains 0 --value="{{ nextcloud.DOMAIN }}"
|
|
||||||
register: nextcloud_trusted_domains
|
|
||||||
changed_when: "nextcloud_trusted_domains.stdout == 'System config value trusted_domains => 0 set to string ' ~ nextcloud.DOMAIN"
|
|
||||||
listen: install_nextcloud
|
|
||||||
|
|
||||||
- name: Preform Nextcloud database maintenance
|
|
||||||
ansible.builtin.command: >
|
|
||||||
docker exec --user www-data "{{ nextcloud_name }}" {{ item }}
|
|
||||||
loop:
|
|
||||||
- "php occ maintenance:mode --on"
|
|
||||||
- "php occ db:add-missing-indices"
|
|
||||||
- "php occ db:convert-filecache-bigint"
|
|
||||||
- "php occ maintenance:mode --off"
|
|
||||||
listen: install_nextcloud
|
|
||||||
@@ -1,66 +1,109 @@
|
|||||||
- name: Install MySQL module for Ansible
|
- name: Create Nextcloud network
|
||||||
ansible.builtin.apt:
|
docker_network:
|
||||||
name: python3-pymysql
|
name: "{{ nextcloud_container }}"
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Create Nextcloud database
|
- name: Start Nextcloud's database container
|
||||||
community.mysql.mysql_db:
|
docker_container:
|
||||||
name: "{{ nextcloud.DB_NAME | default('nextcloud') }}"
|
name: "{{ nextcloud_dbcontainer }}"
|
||||||
state: present
|
image: mariadb:{{ nextcloud_dbversion }}
|
||||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
|
||||||
|
|
||||||
- name: Create Nextcloud database user
|
|
||||||
community.mysql.mysql_user:
|
|
||||||
name: "{{ nextcloud.DB_USER | default('nextcloud') }}"
|
|
||||||
password: "{{ nextcloud.DB_PASSWD }}"
|
|
||||||
host: '%'
|
|
||||||
state: present
|
|
||||||
priv: "{{ nextcloud.DB_NAME | default('nextcloud') }}.*:ALL"
|
|
||||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
|
||||||
|
|
||||||
- name: Start Nextcloud service and enable on boot
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: "{{ docker_compose_service }}@{{ nextcloud_name }}"
|
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
restart_policy: always
|
||||||
when: nextcloud.ENABLE | default('false')
|
volumes: "{{ nextcloud_dbroot }}:/var/lib/mysql"
|
||||||
|
networks_cli_compatible: true
|
||||||
|
networks:
|
||||||
|
- name: "{{ nextcloud_container }}"
|
||||||
|
env:
|
||||||
|
MYSQL_RANDOM_ROOT_PASSWORD: "true"
|
||||||
|
MYSQL_DATABASE: "{{ nextcloud_dbname }}"
|
||||||
|
MYSQL_USER: "{{ nextcloud_dbuser }}"
|
||||||
|
MYSQL_PASSWORD: "{{ nextcloud_dbpass }}"
|
||||||
|
|
||||||
|
- name: Start Nextcloud container
|
||||||
|
docker_container:
|
||||||
|
name: "{{ nextcloud_container }}"
|
||||||
|
image: nextcloud:{{ nextcloud_version }}
|
||||||
|
state: started
|
||||||
|
restart_policy: always
|
||||||
|
volumes: "{{ nextcloud_root }}:/var/www/html"
|
||||||
|
networks_cli_compatible: true
|
||||||
|
networks:
|
||||||
|
- name: "{{ nextcloud_container }}"
|
||||||
|
- name: traefik
|
||||||
|
labels:
|
||||||
|
traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
|
||||||
|
traefik.http.routers.nextcloud.entrypoints: websecure
|
||||||
|
traefik.http.routers.nextcloud.tls.certresolver: letsencrypt
|
||||||
|
traefik.http.routers.nextcloud.middlewares: "securehttps@file,nextcloud-webdav"
|
||||||
|
traefik.http.middlewares.nextcloud-webdav.redirectregex.regex: "https://(.*)/.well-known/(card|cal)dav"
|
||||||
|
traefik.http.middlewares.nextcloud-webdav.redirectregex.replacement: "https://${1}/remote.php/dav/"
|
||||||
|
traefik.http.middlewares.nextcloud-webdav.redirectregex.permanent: "true"
|
||||||
|
traefik.docker.network: traefik
|
||||||
|
traefik.enable: "true"
|
||||||
|
|
||||||
|
- name: Grab Nextcloud database container information
|
||||||
|
docker_container_info:
|
||||||
|
name: "{{ nextcloud_dbcontainer }}"
|
||||||
|
register: nextcloud_dbinfo
|
||||||
|
|
||||||
- name: Grab Nextcloud container information
|
- name: Grab Nextcloud container information
|
||||||
community.general.docker_container_info:
|
docker_container_info:
|
||||||
name: "{{ nextcloud_name }}"
|
name: "{{ nextcloud_container }}"
|
||||||
register: nextcloud_info
|
register: nextcloud_info
|
||||||
|
|
||||||
- name: Wait for Nextcloud to become available
|
- name: Wait for Nextcloud to become available
|
||||||
ansible.builtin.wait_for:
|
wait_for:
|
||||||
host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
|
host: "{{ nextcloud_info.container.NetworkSettings.Networks.traefik.IPAddress }}"
|
||||||
delay: 10
|
|
||||||
port: 80
|
port: 80
|
||||||
|
|
||||||
- name: Check Nextcloud status
|
- name: Check Nextcloud status
|
||||||
ansible.builtin.command: >
|
command: "docker exec --user www-data {{ nextcloud_container }}
|
||||||
docker exec --user www-data "{{ nextcloud_name }}" php occ status
|
php occ status"
|
||||||
register: nextcloud_status
|
register: nextcloud_status
|
||||||
changed_when: false
|
args:
|
||||||
|
removes: "{{ nextcloud_root }}/config/CAN_INSTALL"
|
||||||
|
|
||||||
|
- name: Wait for Nextcloud database to become available
|
||||||
|
wait_for:
|
||||||
|
host: "{{ nextcloud_dbinfo.container.NetworkSettings.Networks.nextcloud.IPAddress }}"
|
||||||
|
port: 3306
|
||||||
|
|
||||||
- name: Install Nextcloud
|
- name: Install Nextcloud
|
||||||
ansible.builtin.command: >
|
command: 'docker exec --user www-data {{ nextcloud_container }}
|
||||||
docker exec --user www-data {{ nextcloud_name }}
|
php occ maintenance:install
|
||||||
php occ maintenance:install
|
--database "mysql"
|
||||||
--database "mysql"
|
--database-host "{{ nextcloud_dbcontainer }}"
|
||||||
--database-host "{{ nextcloud.DB_HOST | default('host.docker.internal') }}"
|
--database-name "{{ nextcloud_dbname }}"
|
||||||
--database-name "{{ nextcloud.DB_NAME | default('nextcloud') }}"
|
--database-user "{{ nextcloud_dbuser }}"
|
||||||
--database-user "{{ nextcloud.DB_USER | default('nextcloud') }}"
|
--database-pass "{{ nextcloud_dbpass }}"
|
||||||
--database-pass "{{ nextcloud.DB_PASSWD }}"
|
--admin-user "{{ nextcloud_admin }}"
|
||||||
--admin-user "{{ nextcloud.ADMIN_USER | default('admin') }}"
|
--admin-pass "{{ nextcloud_pass }}"'
|
||||||
--admin-pass "{{ nextcloud.ADMIN_PASSWD }}"
|
|
||||||
register: nextcloud_install
|
register: nextcloud_install
|
||||||
when: nextcloud_status.stderr[:26] == "Nextcloud is not installed"
|
when:
|
||||||
changed_when: nextcloud_install.stdout == "Nextcloud was successfully installed"
|
- nextcloud_status.stdout[:26] == "Nextcloud is not installed"
|
||||||
notify: install_nextcloud
|
- nextcloud_domain is defined
|
||||||
|
|
||||||
- name: Install Nextcloud background jobs cron
|
- name: Set Nextcloud's Trusted Proxy
|
||||||
ansible.builtin.cron:
|
command: 'docker exec --user www-data {{ nextcloud_container }}
|
||||||
name: Nextcloud background job
|
php occ config:system:set trusted_proxies 0
|
||||||
minute: "*/5"
|
--value="{{ traefik_name }}"'
|
||||||
job: "/usr/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"
|
when: nextcloud_install.changed
|
||||||
user: root
|
|
||||||
|
- name: Set Nextcloud's Trusted Domain
|
||||||
|
command: 'docker exec --user www-data {{ nextcloud_container }}
|
||||||
|
php occ config:system:set trusted_domains 0
|
||||||
|
--value="{{ nextcloud_domain }}"'
|
||||||
|
when: nextcloud_install.changed
|
||||||
|
|
||||||
|
- name: Preform Nextcloud database maintenance
|
||||||
|
command: "docker exec --user www-data {{ nextcloud_container }} {{ item }}"
|
||||||
|
loop:
|
||||||
|
- "php occ maintenance:mode --on"
|
||||||
|
- "php occ db:add-missing-indices"
|
||||||
|
- "php occ db:convert-filecache-bigint"
|
||||||
|
- "php occ maintenance:mode --off"
|
||||||
|
when: nextcloud_install.changed
|
||||||
|
|
||||||
|
- name: Remove Nextcloud's CAN_INSTALL file
|
||||||
|
file:
|
||||||
|
path: "{{ nextcloud_root }}/config/CAN_INSTALL"
|
||||||
|
state: absent
|
||||||
|
|||||||
@@ -1,15 +1,15 @@
|
|||||||
- name: Create nginx root
|
- name: Create nginx root
|
||||||
ansible.builtin.file:
|
file:
|
||||||
path: "{{ nginx_root }}"
|
path: "{{ nginx_root }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Generate deploy keys
|
- name: Generate deploy keys
|
||||||
community.crypto.openssh_keypair:
|
openssh_keypair:
|
||||||
path: "{{ nginx_repo_key }}"
|
path: "{{ nginx_repo_key }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Clone static website files
|
- name: Clone static website files
|
||||||
ansible.builtin.git:
|
git:
|
||||||
repo: "{{ nginx_repo_url }}"
|
repo: "{{ nginx_repo_url }}"
|
||||||
dest: "{{ nginx_html }}"
|
dest: "{{ nginx_html }}"
|
||||||
version: "{{ nginx_repo_branch }}"
|
version: "{{ nginx_repo_branch }}"
|
||||||
@@ -17,7 +17,7 @@
|
|||||||
separate_git_dir: "{{ nginx_repo_dest }}"
|
separate_git_dir: "{{ nginx_repo_dest }}"
|
||||||
|
|
||||||
- name: Start nginx container
|
- name: Start nginx container
|
||||||
community.general.docker_container:
|
docker_container:
|
||||||
name: "{{ nginx_name }}"
|
name: "{{ nginx_name }}"
|
||||||
image: nginx:{{ nginx_version }}
|
image: nginx:{{ nginx_version }}
|
||||||
state: started
|
state: started
|
||||||
@@ -29,9 +29,9 @@
|
|||||||
- "{{ nginx_html }}:/usr/share/nginx/html:ro"
|
- "{{ nginx_html }}:/usr/share/nginx/html:ro"
|
||||||
labels:
|
labels:
|
||||||
traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
|
traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
|
||||||
#traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
|
traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
|
||||||
traefik.http.routers.nginx.entrypoints: websecure
|
traefik.http.routers.nginx.entrypoints: websecure
|
||||||
#traefik.http.routers.nginx.tls.certresolver: letsencrypt
|
traefik.http.routers.nginx.tls.certresolver: letsencrypt
|
||||||
#traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
|
traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
|
||||||
traefik.docker.network: traefik
|
traefik.docker.network: traefik
|
||||||
traefik.enable: "true"
|
traefik.enable: "true"
|
||||||
|
|||||||
@@ -1,5 +0,0 @@
|
|||||||
postgresql_config: /etc/postgresql/13/main/pg_hba.conf
|
|
||||||
postgresql_listen: "*"
|
|
||||||
postgresql_trust:
|
|
||||||
- "172.16.0.0/12"
|
|
||||||
- "192.168.0.0/16"
|
|
||||||
@@ -1,43 +0,0 @@
|
|||||||
- name: Install PostgreSQL
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name: postgresql
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Trust connections to PostgreSQL
|
|
||||||
community.general.postgresql_pg_hba:
|
|
||||||
dest: "{{ postgresql_config }}"
|
|
||||||
contype: host
|
|
||||||
databases: all
|
|
||||||
users: all
|
|
||||||
address: "{{ item }}"
|
|
||||||
method: trust
|
|
||||||
register: postgresql_hba
|
|
||||||
loop: "{{ postgresql_trust }}"
|
|
||||||
|
|
||||||
- name: Change PostgreSQL listen addresses
|
|
||||||
community.general.postgresql_set:
|
|
||||||
name: listen_addresses
|
|
||||||
value: "{{ postgresql_listen }}"
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
register: postgresql_config
|
|
||||||
|
|
||||||
- name: Reload PostgreSQL
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: postgresql
|
|
||||||
state: reloaded
|
|
||||||
when: postgresql_hba.changed and not postgresql_config.changed
|
|
||||||
|
|
||||||
- name: Restart PostgreSQL
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: postgresql
|
|
||||||
state: restarted
|
|
||||||
when: postgresql_config.changed
|
|
||||||
|
|
||||||
- name: Allow database connections
|
|
||||||
community.general.ufw:
|
|
||||||
rule: allow
|
|
||||||
port: "5432"
|
|
||||||
proto: tcp
|
|
||||||
src: "{{ item }}"
|
|
||||||
loop: "{{ postgresql_trust }}"
|
|
||||||
@@ -1,35 +1,35 @@
|
|||||||
- name: Install Prometheus node exporter
|
- name: Install Prometheus node exporter
|
||||||
ansible.builtin.apt:
|
apt:
|
||||||
name: prometheus-node-exporter
|
name: prometheus-node-exporter
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Run Prometheus node exporter
|
- name: Run Prometheus node exporter
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: prometheus-node-exporter
|
name: prometheus-node-exporter
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
- name: Create Prometheus data directory
|
- name: Create Prometheus data directory
|
||||||
ansible.builtin.file:
|
file:
|
||||||
path: "{{ prom_root }}/prometheus"
|
path: "{{ prom_root }}/prometheus"
|
||||||
state: directory
|
state: directory
|
||||||
owner: nobody
|
owner: nobody
|
||||||
|
|
||||||
- name: Create Prometheus config directory
|
- name: Create Prometheus config directory
|
||||||
ansible.builtin.file:
|
file:
|
||||||
path: "{{ prom_root }}/config"
|
path: "{{ prom_root }}/config"
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Install Prometheus configuration
|
- name: Install Prometheus configuration
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: prometheus.yml.j2
|
src: prometheus.yml.j2
|
||||||
dest: "{{ prom_root }}/config/prometheus.yml"
|
dest: "{{ prom_root }}/config/prometheus.yml"
|
||||||
|
|
||||||
- name: Create Prometheus network
|
- name: Create Prometheus network
|
||||||
community.general.docker_network:
|
docker_network:
|
||||||
name: "{{ prom_name }}"
|
name: "{{ prom_name }}"
|
||||||
|
|
||||||
- name: Start Prometheus container
|
- name: Start Prometheus container
|
||||||
community.general.docker_container:
|
docker_container:
|
||||||
name: "{{ prom_name }}"
|
name: "{{ prom_name }}"
|
||||||
image: prom/prometheus:{{ prom_version }}
|
image: prom/prometheus:{{ prom_version }}
|
||||||
state: started
|
state: started
|
||||||
@@ -51,7 +51,7 @@
|
|||||||
traefik.enable: "true"
|
traefik.enable: "true"
|
||||||
|
|
||||||
- name: Start Grafana container
|
- name: Start Grafana container
|
||||||
community.general.docker_container:
|
docker_container:
|
||||||
name: "{{ grafana_name }}"
|
name: "{{ grafana_name }}"
|
||||||
image: grafana/grafana:{{ grafana_version }}
|
image: grafana/grafana:{{ grafana_version }}
|
||||||
state: started
|
state: started
|
||||||
|
|||||||
@@ -1 +0,0 @@
|
|||||||
cached_dhparams_pem: /vagrant/scratch/dhparams.pem
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
systemctl reload nginx
|
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user