kris/homelab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: kris:gitea
Branches Tags
kris:main kris:podman kris:bitwarden kris:testing kris:dockerbox_update kris:HOST_IP kris:gitea kris:organize kris:staticweb kris:vagrantfile kris:proxy_script kris:master kris:jellyfin kris:traefik kris:dockerbox_bullseye kris:readme kris:kutt kris:mediawiki kris:jekyll kris:docs
..
compare: kris:vagrantfile
Branches Tags
kris:podman kris:bitwarden kris:main kris:testing kris:dockerbox_update kris:HOST_IP kris:gitea kris:organize kris:staticweb kris:vagrantfile kris:proxy_script kris:master kris:jellyfin kris:traefik kris:dockerbox_bullseye kris:readme kris:kutt kris:mediawiki kris:jekyll kris:docs

1 Commits
gitea ... vagrantfil

Author SHA1 Message Date
Kris Lamoureux
a97eb30314 testing 2023-08-23 17:31:52 -04:00
39 changed files with 169 additions and 416 deletions
Expand all files Collapse all files

10
Makefile
View File

@@ -1,10 +0,0 @@
.PHONY: clean install
all: install
install:
vagrant up --no-destroy-on-error
sudo ./forward-ssh.sh
clean:
vagrant destroy -f && rm -rf .vagrant

7
Vagrantfile vendored
View File

@@ -18,7 +18,11 @@ SSH_FORWARD = settings['SSH_FORWARD'] || false
PLAYBOOK=ENV["PLAYBOOK"] PLAYBOOK=ENV["PLAYBOOK"]
if !PLAYBOOK || PLAYBOOK.empty? if !PLAYBOOK || PLAYBOOK.empty?
# PLAYBOOK setting in .vagrant.yml (priority #2) # PLAYBOOK setting in .vagrant.yml (priority #2)
PLAYBOOK = settings['PLAYBOOK'] || 'default' PLAYBOOK = settings['PLAYBOOK'] || false
if !PLAYBOOK || PLAYBOOK.empty?
puts "[VAGRANTFILE ERROR]: Set PLAYBOOK setting in .vagrant.yml"
abort
end
end end
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
@@ -43,6 +47,5 @@ Vagrant.configure("2") do |config|
ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles" ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
ansible.compatibility_mode = "2.0" ansible.compatibility_mode = "2.0"
ansible.playbook = "dev/" + PLAYBOOK + ".yml" ansible.playbook = "dev/" + PLAYBOOK + ".yml"
ansible.raw_arguments = ["--diff"]
end end
end end

1
ansible.cfg
View File

@@ -1,7 +1,6 @@
[defaults] [defaults]
inventory = ./environments/development inventory = ./environments/development
interpreter_python = /usr/bin/python3 interpreter_python = /usr/bin/python3
roles_path = ./roles
[connection] [connection]
pipelining = true pipelining = true

0
playbooks/backup.yml → backup.yml
View File

0
playbooks/bitwarden.yml → bitwarden.yml
View File

4
dev/default.yml
View File

@@ -1,4 +0,0 @@
- name: Install 'default' aka nothing
hosts: all
become: true
tasks: []

8
dev/docker.yml
View File

@@ -1,8 +0,0 @@
- name: Install Docker Server
hosts: all
become: true
vars_files:
- host_vars/docker.yml
roles:
- base
- docker

2
dev/dockerbox.yml
View File

@@ -1,4 +1,4 @@
- name: Install Dockerbox Server - name: Install Docker Box Server
hosts: all hosts: all
become: true become: true
vars_files: vars_files:

10
dev/gitea.yml
View File

@@ -1,10 +0,0 @@
- name: Install Gitea Server
hosts: all
become: true
vars_files:
- host_vars/gitea.yml
roles:
- base
- docker
- mariadb
- gitea

4
dev/host_vars/bitwarden.yml
View File

@@ -9,14 +9,14 @@ docker_users:
# traefik # traefik
traefik_version: latest traefik_version: latest
traefik_dashboard: true traefik_dashboard: true
traefik_domain: traefik.local.krislamo.org traefik_domain: traefik.vm.krislamo.org
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
#traefik_acme_email: realemail@example.com # Let's Encrypt settings #traefik_acme_email: realemail@example.com # Let's Encrypt settings
#traefik_production: true #traefik_production: true
# bitwarden # bitwarden
# Get Installation ID & Key at https://bitwarden.com/host/ # Get Installation ID & Key at https://bitwarden.com/host/
bitwarden_domain: vault.local.krislamo.org bitwarden_domain: vault.vm.krislamo.org
bitwarden_dbpass: password bitwarden_dbpass: password
bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23 bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p

48
dev/host_vars/docker.yml
View File

@@ -1,48 +0,0 @@
# base
allow_reboot: false
manage_network: false
# Import my GPG key for git signature verification
root_gpgkeys:
- name: kris@lamoureux.io
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
# docker
docker_users:
- vagrant
#docker_login_url: https://myregistry.example.com
#docker_login_user: myuser
#docker_login_pass: YOUR_PASSWD
docker_compose_env_nolog: false # dev only setting
docker_compose_deploy:
# Traefik
- name: traefik
url: https://github.com/krislamo/traefik
version: 31ee724feebc1d5f91cb17ffd6892c352537f194
enabled: true
accept_newhostkey: true # Consider verifying manually instead
trusted_keys:
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
env:
ENABLE: true
# Traefik 2 (no other external compose to test currently)
- name: traefik2
url: https://github.com/krislamo/traefik
version: 31ee724feebc1d5f91cb17ffd6892c352537f194
enabled: true
accept_newhostkey: true # Consider verifying manually instead
trusted_keys:
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
env:
ENABLE: true
VERSION: "2.10"
DOMAIN: traefik2.local.krislamo.org
NAME: traefik2
ROUTER: traefik2
NETWORK: traefik2
WEB_PORT: 127.0.0.1:8000:80
WEBSECURE_PORT: 127.0.0.1:4443:443
LOCAL_PORT: 127.0.0.1:8444:8443

22
dev/host_vars/dockerbox.yml
View File

@@ -9,36 +9,40 @@ docker_users:
# traefik # traefik
traefik_version: latest traefik_version: latest
traefik_dashboard: true traefik_dashboard: true
traefik_domain: traefik.local.krislamo.org traefik_domain: traefik.vm.krislamo.org
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
traefik_web_entry: 0.0.0.0:80
traefik_websecure_entry: 0.0.0.0:443
#traefik_acme_email: realemail@example.com # Let's Encrypt settings #traefik_acme_email: realemail@example.com # Let's Encrypt settings
#traefik_production: true #traefik_production: true
#traefik_http_only: true # if behind reverse-proxy traefik_http_only: true # if behind reverse-proxy
# nextcloud # nextcloud
nextcloud_version: stable nextcloud_version: stable
nextcloud_admin: admin nextcloud_admin: admin
nextcloud_pass: password nextcloud_pass: password
nextcloud_domain: cloud.local.krislamo.org nextcloud_domain: cloud.vm.krislamo.org
nextcloud_dbversion: latest nextcloud_dbversion: latest
nextcloud_dbpass: password nextcloud_dbpass: password
# gitea
gitea_domain: git.vm.krislamo.org
gitea_version: 1
gitea_dbversion: latest
gitea_dbpass: password
# jenkins # jenkins
jenkins_version: lts jenkins_version: lts
jenkins_domain: jenkins.local.krislamo.org jenkins_domain: jenkins.vm.krislamo.org
# prometheus (includes grafana) # prometheus (includes grafana)
prom_version: latest prom_version: latest
prom_domain: prom.local.krislamo.org prom_domain: prom.vm.krislamo.org
grafana_version: latest grafana_version: latest
grafana_domain: grafana.local.krislamo.org grafana_domain: grafana.vm.krislamo.org
prom_targets: "['10.0.2.15:9100']" prom_targets: "['10.0.2.15:9100']"
# nginx # nginx
nginx_domain: nginx.local.krislamo.org nginx_domain: nginx.vm.krislamo.org
nginx_name: staticsite nginx_name: staticsite
nginx_repo_url: https://git.krislamo.org/kris/example-website/ nginx_repo_url: https://git.krislamo.org/kris/example-website/
nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin

45
dev/host_vars/gitea.yml
View File

@@ -1,45 +0,0 @@
# base
allow_reboot: false
manage_network: false
users:
git:
uid: 1001
gid: 1001
home: true
# Import my GPG key for git signature verification
root_gpgkeys:
- name: kris@lamoureux.io
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
# docker
docker_users:
- vagrant
docker_compose_env_nolog: false # dev only setting
docker_compose_deploy:
# Traefik
- name: traefik
url: https://github.com/krislamo/traefik
version: 398eb48d311db78b86abf783f903af4a1658d773
enabled: true
accept_newhostkey: true
trusted_keys:
- FBF673CEEC030F8AECA814E73EDA9C3441EDA925
env:
ENABLE: true
# Gitea
- name: gitea
url: https://github.com/krislamo/gitea
version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
env:
USER_UID: "{{ users.git.uid }}"
USER_GID: "{{ users.git.gid }}"
DB_PASSWD: "{{ gitea.DB_PASSWD }}"
# gitea
gitea:
DB_NAME: gitea
DB_USER: gitea
DB_PASSWD: password

2
dev/host_vars/mediaserver.yml
View File

@@ -1,4 +1,4 @@
base_domain: local.krislamo.org base_domain: vm.krislamo.org
# base # base
allow_reboot: false allow_reboot: false

4
dev/host_vars/nextcloud.yml
View File

@@ -5,14 +5,14 @@ docker_users:
# traefik # traefik
traefik_version: latest traefik_version: latest
traefik_dashboard: true traefik_dashboard: true
traefik_domain: traefik.local.krislamo.org traefik_domain: traefik.vm.krislamo.org
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
# container settings # container settings
nextcloud_version: stable nextcloud_version: stable
nextcloud_admin: admin nextcloud_admin: admin
nextcloud_pass: password nextcloud_pass: password
nextcloud_domain: cloud.local.krislamo.org nextcloud_domain: cloud.vm.krislamo.org
# database settings # database settings
nextcloud_dbversion: latest nextcloud_dbversion: latest

4
dev/host_vars/nginx.yml
View File

@@ -9,13 +9,13 @@ docker_users:
# traefik # traefik
traefik_version: latest traefik_version: latest
traefik_dashboard: true traefik_dashboard: true
traefik_domain: traefik.local.krislamo.org traefik_domain: traefik.vm.krislamo.org
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
#traefik_acme_email: realemail@example.com # Let's Encrypt settings #traefik_acme_email: realemail@example.com # Let's Encrypt settings
#traefik_production: true #traefik_production: true
# nginx # nginx
nginx_domain: nginx.local.krislamo.org nginx_domain: nginx.vm.krislamo.org
nginx_name: staticsite nginx_name: staticsite
nginx_repo_url: https://git.krislamo.org/kris/example-website/ nginx_repo_url: https://git.krislamo.org/kris/example-website/
nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin nginx_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin

2
dev/host_vars/proxy.yml
View File

@@ -1,4 +1,4 @@
base_domain: local.krislamo.org base_domain: vm.krislamo.org
# base # base
allow_reboot: false allow_reboot: false

4
dev/host_vars/wordpress.yml
View File

@@ -9,14 +9,14 @@ docker_users:
# traefik # traefik
traefik_version: latest traefik_version: latest
traefik_dashboard: true traefik_dashboard: true
traefik_domain: traefik.local.krislamo.org traefik_domain: traefik.vm.krislamo.org
traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
#traefik_acme_email: realemail@example.com # Let's Encrypt settings #traefik_acme_email: realemail@example.com # Let's Encrypt settings
#traefik_production: true #traefik_production: true
# container settings # container settings
wordpress_version: latest wordpress_version: latest
wordpress_domain: wordpress.local.krislamo.org wordpress_domain: wordpress.vm.krislamo.org
wordpress_multisite: true wordpress_multisite: true
# database settings # database settings

0
playbooks/docker.yml → docker.yml
View File

25
dockerbox.yml Normal file
View File

@@ -0,0 +1,25 @@
# Copyright (C) 2020 Kris Lamoureux
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
- name: Install Docker Box Server
hosts: dockerhosts
become: true
roles:
- base
- docker
- traefik
- nextcloud
- jenkins
- prometheus
- nginx

91
forward-ssh.sh
View File

@@ -1,91 +0,0 @@
#!/bin/bash
# Finds the SSH private key under ./.vagrant and connects to
# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
# Root check
if [ "$EUID" -ne 0 ]; then
echo "[ERROR]: Please run script as root"
exit 1
fi
# Clean environment
unset PRIVATE_KEY
unset HOST_IP
unset MATCH_PATTERN
unset PKILL_ANSWER
# Function to create the SSH tunnel
function ssh_connect {
read -rp "Start a new vagrant SSH tunnel? [y/N] " PSTART_ANSWER
echo
case "$PSTART_ANSWER" in
[yY])
printf "[INFO]: Starting new vagrant SSH tunnel on PID "
sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
-L 22:localhost:22 \
-L 80:localhost:80 \
-L 443:localhost:443 \
-L 8443:localhost:8443 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyChecking=no \
vagrant@"$HOST_IP" 2>/dev/null
sleep 2
pgrep -f "$MATCH_PATTERN"
;;
*)
echo "[INFO]: Delined to start a new vagrant SSH tunnel"
exit 0
;;
esac
}
# Check for valid PRIVATE_KEY location
PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null)"
if ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
exit 1
fi
echo "[CHECK]: Valid key at $PRIVATE_KEY"
# Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" 2>/dev/null)"
HOST_IP="${HOST_IP::-1}" # trim
if ! ping -c 1 "$HOST_IP" &>/dev/null; then
echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
exit 1
fi
echo "[CHECK]: Host at $HOST_IP is up"
# Pattern for matching processes running
MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
# Check amount of processes that match the pattern
if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
ssh_connect
else
# Processes found, so prompt to kill remaining ones then start tunnel
printf "\n[WARNING]: Found processes running:\n"
pgrep -fa "$MATCH_PATTERN"
printf '\n'
read -rp "Would you like to kill these processes? [y/N] " PKILL_ANSWER
echo
case "$PKILL_ANSWER" in
[yY])
echo "[WARNING]: Killing old vagrant SSH tunnel(s): "
pgrep -f "$MATCH_PATTERN" | tee >(xargs kill -15)
echo
if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
ssh_connect
else
echo "[ERROR]: Unable to kill processes:"
pgrep -f "$MATCH_PATTERN"
exit 1
fi
;;
*)
echo "[INFO]: Declined to kill existing processes"
exit 0
;;
esac
fi

0
playbooks/hypervisor.yml → hypervisor.yml
View File

0
playbooks/mediaserver.yml → mediaserver.yml
View File

0
playbooks/minecraft.yml → minecraft.yml
View File

11
playbooks/dockerbox.yml
View File

@@ -1,11 +0,0 @@
- name: Install Dockerbox Server
hosts: "{{ PLAYBOOK_HOST | default('none') }}"
become: true
roles:
- base
- docker
- traefik
- nextcloud
- jenkins
- prometheus
- nginx

0
playbooks/proxy.yml → proxy.yml
View File

1
roles/base/defaults/main.yml
View File

@@ -2,7 +2,6 @@ allow_reboot: true
manage_firewall: true manage_firewall: true
manage_network: false manage_network: false
network_type: static network_type: static
locale_default: en_US.UTF-8
packages: packages:
- apache2-utils - apache2-utils

81
roles/base/tasks/system.yml
View File

@@ -4,61 +4,6 @@
state: present state: present
update_cache: true update_cache: true
- name: Install GPG
ansible.builtin.apt:
name: gpg
state: present
- name: Check for existing GPG keys
command: "gpg --list-keys {{ item.id }} 2>/dev/null"
register: gpg_check
loop: "{{ root_gpgkeys }}"
failed_when: false
changed_when: false
when: root_gpgkeys is defined
- name: Import GPG keys
command: "gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
register: gpg_check_import
loop: "{{ gpg_check.results }}"
loop_control:
label: "{{ item.item }}"
when: root_gpgkeys is defined and item.rc != 0
- name: Check GPG key imports
fail:
msg: "{{ item.stderr }}"
loop: "{{ gpg_check_import.results }}"
loop_control:
label: "{{ item.item.item }}"
when: (item.skipped | default(false) == false) and ('imported' not in item.stderr)
- name: Install NTPsec
ansible.builtin.apt:
name: ntpsec
state: present
- name: Install locales
ansible.builtin.apt:
name: locales
state: present
- name: Generate locale
community.general.locale_gen:
name: "{{ locale_default }}"
state: present
register: locale_gen_output
- name: Set the default locale
ansible.builtin.lineinfile:
path: /etc/default/locale
regexp: "^LANG="
line: "LANG={{ locale_default }}"
- name: Reconfigure locales
ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
when: locale_gen_output.changed
- name: Manage root authorized_keys - name: Manage root authorized_keys
ansible.builtin.template: ansible.builtin.template:
src: authorized_keys.j2 src: authorized_keys.j2
@@ -66,27 +11,13 @@
mode: 0400 mode: 0400
when: authorized_keys is defined when: authorized_keys is defined
- name: Create system user groups
ansible.builtin.group:
name: "{{ item.key }}"
gid: "{{ item.value.gid }}"
state: present
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
when: users is defined
- name: Create system users - name: Create system users
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.key }}" name: "{{ item.name }}"
state: present state: present
uid: "{{ item.value.uid }}" shell: "{{ item.shell | default('/bin/bash') }}"
group: "{{ item.value.gid }}" create_home: "{{ item.home | default(false) }}"
shell: "{{ item.value.shell | default('/bin/bash') }}" loop: "{{ users }}"
create_home: "{{ item.value.home | default(false) }}"
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
when: users is defined when: users is defined
- name: Set authorized_keys for system users - name: Set authorized_keys for system users
@@ -94,9 +25,7 @@
user: "{{ item.key }}" user: "{{ item.key }}"
key: "{{ item.value.key }}" key: "{{ item.value.key }}"
state: present state: present
loop: "{{ users | dict2items }}" loop: "{{ users }}"
loop_control:
label: "{{ item.key }}"
when: users is defined and item.value.key is defined when: users is defined and item.value.key is defined
- name: Manage filesystem mounts - name: Manage filesystem mounts

2
roles/docker/defaults/main.yml
View File

@@ -3,4 +3,4 @@ docker_compose_service: compose
docker_compose: /usr/bin/docker-compose docker_compose: /usr/bin/docker-compose
docker_repos_keys: "{{ docker_repos_path }}/.keys" docker_repos_keys: "{{ docker_repos_path }}/.keys"
docker_repos_keytype: rsa docker_repos_keytype: rsa
docker_repos_path: /srv/.compose_repos docker_repos_path: /srv/compose_repos

26
roles/docker/handlers/main.yml
View File

@@ -2,29 +2,3 @@
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
listen: compose_systemd listen: compose_systemd
- name: Find which services had a docker-compose.yml updated
set_fact:
compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
loop: "{{ compose_update.results }}"
loop_control:
label: "{{ item.item.name }}"
when: item.changed
listen: compose_restart
- name: Find which services had their .env updated
set_fact:
compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
loop: "{{ compose_env_update.results }}"
loop_control:
label: "{{ item.item.name }}"
when: item.changed
listen: compose_restart
- name: Restart {{ docker_compose_service }} services
ansible.builtin.systemd:
state: restarted
name: "{{ docker_compose_service }}@{{ item }}"
loop: "{{ compose_restart_list | unique }}"
when: compose_restart_list is defined
listen: compose_restart

41
roles/docker/tasks/main.yml
View File

@@ -4,13 +4,6 @@
state: present state: present
update_cache: true update_cache: true
- name: Login to private registry
community.docker.docker_login:
registry_url: "{{ docker_login_url | default('') }}"
username: "{{ docker_login_user }}"
password: "{{ docker_login_pass }}"
when: docker_login_user is defined and docker_login_pass is defined
- name: Create docker-compose root - name: Create docker-compose root
ansible.builtin.file: ansible.builtin.file:
path: "{{ docker_compose_root }}" path: "{{ docker_compose_root }}"
@@ -38,7 +31,6 @@
community.crypto.openssh_keypair: community.crypto.openssh_keypair:
path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}" path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
type: "{{ docker_repos_keytype }}" type: "{{ docker_repos_keytype }}"
comment: "{{ ansible_hostname }}-deploy-key"
mode: 0400 mode: 0400
state: present state: present
when: docker_compose_deploy is defined when: docker_compose_deploy is defined
@@ -47,15 +39,11 @@
ansible.builtin.git: ansible.builtin.git:
repo: "{{ item.url }}" repo: "{{ item.url }}"
dest: "{{ docker_repos_path }}/{{ item.name }}" dest: "{{ docker_repos_path }}/{{ item.name }}"
version: "{{ item.version }}" version: "{{ item.version | default('main') }}"
accept_newhostkey: "{{ item.accept_newhostkey | default('false') }}" force: true
gpg_whitelist: "{{ item.trusted_keys | default([]) }}"
verify_commit: "{{ true if (item.trusted_keys is defined and item.trusted_keys) else false }}"
key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}" key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
loop: "{{ docker_compose_deploy }}"
loop_control:
label: "{{ item.url }}"
when: docker_compose_deploy is defined when: docker_compose_deploy is defined
loop: "{{ docker_compose_deploy }}"
- name: Create directories for docker-compose projects using the systemd service - name: Create directories for docker-compose projects using the systemd service
ansible.builtin.file: ansible.builtin.file:
@@ -63,33 +51,22 @@
state: directory state: directory
mode: 0400 mode: 0400
loop: "{{ docker_compose_deploy }}" loop: "{{ docker_compose_deploy }}"
loop_control:
label: "{{ item.name }}"
when: docker_compose_deploy is defined when: docker_compose_deploy is defined
- name: Synchronize docker-compose.yml - name: Copy docker-compose.yml files to their service directories
ansible.posix.synchronize: ansible.builtin.copy:
src: "{{ docker_repos_path }}/{{ item.name }}/{{ item.path | default('docker-compose.yml') }}" src: "{{ docker_repos_path }}/{{ item.name }}/{{ item.path | default('docker-compose.yml') }}"
dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml" dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
delegate_to: "{{ inventory_hostname }}" remote_src: yes
register: compose_update loop: "{{ docker_compose_deploy }}"
notify: compose_restart when: docker_compose_deploy is defined
loop: "{{ docker_compose_deploy | default([]) }}"
loop_control:
label: "{{ item.name }}"
when: docker_compose_deploy is defined and docker_compose_deploy | length > 0
- name: Set environment variables for docker-compose projects - name: Set environment variables for docker-compose projects
ansible.builtin.template: ansible.builtin.template:
src: docker-compose-env.j2 src: docker-compose-env.j2
dest: "{{ docker_compose_root }}/{{ item.name }}/.env" dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
mode: 0400 mode: 0400
register: compose_env_update
notify: compose_restart
no_log: "{{ docker_compose_env_nolog | default('true') }}"
loop: "{{ docker_compose_deploy }}" loop: "{{ docker_compose_deploy }}"
loop_control:
label: "{{ item.name }}"
when: docker_compose_deploy is defined and item.env is defined when: docker_compose_deploy is defined and item.env is defined
- name: Add users to docker group - name: Add users to docker group
@@ -112,6 +89,4 @@
state: started state: started
enabled: true enabled: true
loop: "{{ docker_compose_deploy }}" loop: "{{ docker_compose_deploy }}"
loop_control:
label: "{{ docker_compose_service }}@{{ item.name }}"
when: item.enabled is defined and item.enabled is true when: item.enabled is defined and item.enabled is true

9
roles/docker/templates/docker-compose-env.j2
View File

@@ -1,10 +1,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% if item.env is defined %} {% if item.env is defined %}
{% for key, value in item.env.items() %} {% for kvpair in item.env.items() %}
{% if value is boolean %} {{ kvpair.0 }}={{ kvpair.1 }}
{{ key }}={{ value | lower }}
{% else %}
{{ key }}={{ value }}
{% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

48
roles/gitea/tasks/main.yml
View File

@@ -1,23 +1,38 @@
- name: Install MySQL module for Ansible - name: Create Gitea directory
ansible.builtin.apt: ansible.builtin.file:
name: python3-pymysql path: "{{ gitea_root }}"
state: present state: directory
- name: Create Gitea database - name: Create Gitea database
community.mysql.mysql_db: community.mysql.mysql_db:
name: "{{ gitea.DB_NAME }}" name: "{{ gitea_dbname }}"
state: present state: present
login_unix_socket: /var/run/mysqld/mysqld.sock login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Create Gitea database user - name: Create Gitea database user
community.mysql.mysql_user: community.mysql.mysql_user:
name: "{{ gitea.DB_USER }}" name: "{{ gitea_dbuser }}"
password: "{{ gitea.DB_PASSWD }}" password: "{{ gitea_dbpass }}"
host: '%' host: '%'
state: present state: present
priv: "{{ gitea.DB_NAME }}.*:ALL" priv: "{{ gitea_dbname }}.*:ALL"
login_unix_socket: /var/run/mysqld/mysqld.sock login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Create git user
ansible.builtin.user:
name: git
state: present
- name: Git user uid
ansible.builtin.getent:
database: passwd
key: git
- name: Git user gid
ansible.builtin.getent:
database: group
key: git
- name: Create git's .ssh directory - name: Create git's .ssh directory
ansible.builtin.file: ansible.builtin.file:
path: /home/git/.ssh path: /home/git/.ssh
@@ -55,11 +70,28 @@
dest: /usr/local/bin/gitea dest: /usr/local/bin/gitea
mode: 0755 mode: 0755
- name: Install Gitea's docker-compose file
ansible.builtin.template:
src: docker-compose.yml.j2
dest: "{{ gitea_root }}/docker-compose.yml"
notify: restart_gitea
- name: Install Gitea's docker-compose variables
ansible.builtin.template:
src: compose-env.j2
dest: "{{ gitea_root }}/.env"
notify: restart_gitea
- name: Create Gitea's logging directory - name: Create Gitea's logging directory
ansible.builtin.file: ansible.builtin.file:
name: /var/log/gitea name: /var/log/gitea
state: directory state: directory
- name: Create Gitea's initial log file
ansible.builtin.file:
name: /var/log/gitea/gitea.log
state: touch
- name: Install Gitea's Fail2ban filter - name: Install Gitea's Fail2ban filter
ansible.builtin.template: ansible.builtin.template:
src: fail2ban-filter.conf.j2 src: fail2ban-filter.conf.j2

3
roles/mariadb/defaults/main.yml Normal file
View File

@@ -0,0 +1,3 @@
mariadb_trust:
- "172.16.0.0/12"
- "192.168.0.0/16"

5
roles/mariadb/handlers/main.yml
View File

@@ -1,5 +0,0 @@
- name: Restart MariaDB
ansible.builtin.service:
name: mariadb
state: restarted
listen: restart_mariadb

19
roles/mariadb/tasks/main.yml
View File

@@ -3,20 +3,23 @@
name: mariadb-server name: mariadb-server
state: present state: present
- name: Regather facts for the potentially new docker0 interface - name: Change the bind-address to allow Docker
ansible.builtin.setup:
- name: Change the bind-address to allow from docker0
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/mysql/mariadb.conf.d/50-server.cnf path: /etc/mysql/mariadb.conf.d/50-server.cnf
regex: "^bind-address" regex: "^bind-address"
line: "bind-address = {{ ansible_facts.docker0.ipv4.address }}" line: "bind-address = 0.0.0.0"
notify: restart_mariadb register: mariadb_conf
- name: Allow database connections from Docker - name: Restart MariaDB
ansible.builtin.service:
name: mariadb
state: restarted
when: mariadb_conf.changed
- name: Allow database connections
community.general.ufw: community.general.ufw:
rule: allow rule: allow
port: "3306" port: "3306"
proto: tcp proto: tcp
src: "{{ item }}" src: "{{ item }}"
loop: "{{ mariadb_trust | default(['172.16.0.0/12']) }}" loop: "{{ mariadb_trust }}"

0
playbooks/unifi.yml → unifi.yml
View File

42
update-hosts.sh Executable file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
COMMENT="Project Moxie"
DOMAIN="vm.krislamo.org"
HOST[0]="traefik.${DOMAIN}"
HOST[1]="cloud.${DOMAIN}"
HOST[2]="git.${DOMAIN}"
HOST[3]="jenkins.${DOMAIN}"
HOST[4]="prom.${DOMAIN}"
HOST[5]="grafana.${DOMAIN}"
HOST[6]="nginx.${DOMAIN}"
HOST[7]="vault.${DOMAIN}"
HOST[8]="wordpress.${DOMAIN}"
HOST[9]="site1.wordpress.${DOMAIN}"
HOST[10]="site2.wordpress.${DOMAIN}"
HOST[11]="unifi.${DOMAIN}"
HOST[12]="jellyfin.${DOMAIN}"
# Get Vagrantbox guest IP
VAGRANT_OUTPUT=$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)
# Remove ^M from the end
[ ${#VAGRANT_OUTPUT} -gt 1 ] && IP=${VAGRANT_OUTPUT::-1}
echo "Purging project addresses from /etc/hosts"
sudo sed -i "s/# $COMMENT//g" /etc/hosts
for address in "${HOST[@]}"; do
sudo sed -i "/$address/d" /etc/hosts
done
# Remove trailing newline
sudo sed -i '${/^$/d}' /etc/hosts
if [ -n "$IP" ]; then
echo -e "Adding new addresses...\n"
echo -e "# $COMMENT" | sudo tee -a /etc/hosts
for address in "${HOST[@]}"; do
echo -e "$IP\t$address" | sudo tee -a /etc/hosts
done
else
echo "Cannot find address. Is the Vagrant box running?"
fi