testing

2023-05-04 03:09:34 -04:00
26 changed files with 83 additions and 254 deletions
--- a/.github/workflows/vagrant.yml
+++ b/.github/workflows/vagrant.yml
@@ -1,39 +0,0 @@
 name: homelab-ci
 on:
  push:
    branches:
      - main
      - testing
 jobs:
  homelab-ci:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v3
      - name: Cache Vagrant boxes
        uses: actions/cache@v3
        with:
          path: ~/.vagrant.d/boxes
          key: ${{ runner.os }}-vagrant-${{ hashFiles('Vagrantfile') }}
          restore-keys: |
            ${{ runner.os }}-vagrant-
      - name: Install Ansible
        run: brew install ansible@7
      - name: Software Versions
        run: |
          printf "VirtualBox "
          vboxmanage --version
          vagrant --version
          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
          ansible --version
      - name: Vagrant Up with Dockerbox Playbook
        run: |
          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
          PLAYBOOK=dockerbox vagrant up
          vagrant ssh -c "docker ps"
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
 .vagrant
 .playbook
 .vagrant*
 .vscode
 /environments/
--- a/51
+++ b/51
@@ -1,45 +1,43 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-require 'yaml'
+SSH_FORWARD=ENV["SSH_FORWARD"]
-settings_path = '.vagrant.yml'
+if !(SSH_FORWARD == "true")
-settings = {}
+  SSH_FORWARD = false
 if File.exist?(settings_path)
  settings = YAML.load_file(settings_path)
 end
 VAGRANT_BOX  = settings['VAGRANT_BOX']  || 'debian/bookworm64'
 VAGRANT_CPUS = settings['VAGRANT_CPUS'] || 2
 VAGRANT_MEM  = settings['VAGRANT_MEM']  || 2048
 SSH_FORWARD  = settings['SSH_FORWARD']  || false
 # Default to shell environment variable: PLAYBOOK (priority #1)
 PLAYBOOK=ENV["PLAYBOOK"]
 if !PLAYBOOK
-  # PLAYBOOK setting in .vagrant.yml (priority #2)
+  if File.exist?('.playbook')
-  PLAYBOOK = settings['PLAYBOOK'] || false
+    PLAYBOOK = IO.read('.playbook').split("\n")[0]
  if !PLAYBOOK || PLAYBOOK.empty?
    puts "[VAGRANTFILE ERROR]: Set PLAYBOOK setting in .vagrant.yml"
    abort
  end
  if !PLAYBOOK || PLAYBOOK.empty?
    PLAYBOOK = "\nERROR: Set env PLAYBOOK"
  end
 else
  File.write(".playbook", PLAYBOOK)
 end
 Vagrant.configure("2") do |config|
-  config.vm.box = VAGRANT_BOX
+  config.vm.box = "debian/bullseye64"
  config.vm.network "private_network", type: "dhcp"
  config.vm.synced_folder ".", "/vagrant", disabled: true
  config.vm.synced_folder "./scratch", "/vagrant/scratch"
  config.ssh.forward_agent = SSH_FORWARD
-  # Libvrit provider
+  # Machine Name
-  config.vm.provider :libvirt do |libvirt|
+  config.vm.define :moxie do |moxie| #
    libvirt.cpus   = VAGRANT_CPUS
    libvirt.memory = VAGRANT_MEM
  end
-  # Virtualbox provider
+  config.vm.provider :libvirt do |libvirt|
-  config.vm.provider :virtualbox do |vbox|
+    libvirt.cpus = 2
-    vbox.cpus   = VAGRANT_CPUS
+    libvirt.memory = 4096
-    vbox.memory = VAGRANT_MEM
+    libvirt.default_prefix = ""
  end
  config.vm.provider "virtualbox" do |vbox|
    vbox.memory = 4096
  end
  # Provision with Ansible
@@ -48,4 +46,5 @@ Vagrant.configure("2") do |config|
    ansible.compatibility_mode = "2.0"
    ansible.playbook = "dev/" + PLAYBOOK + ".yml"
  end
 end
--- a/dev/host_vars/mediaserver.yml
+++ b/dev/host_vars/mediaserver.yml
@@ -4,24 +4,6 @@ base_domain: vm.krislamo.org
 allow_reboot: false
 manage_network: false
 users:
  - name: jellyfin
 samba:
  users:
    - name: jellyfin
      password: jellyfin
  shares:
    - name: jellyfin
      path: /srv/jellyfin
      owner: jellyfin
      group: jellyfin
      valid_users: jellyfin
  firewall:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
 # proxy
 proxy:
  #production: true
@@ -53,4 +35,3 @@ traefik_http_only: true # if behind reverse-proxy
 # jellyfin
 jellyfin_domain: "jellyfin.{{ base_domain }}"
 jellyfin_version: latest
 jellyfin_media: /srv/jellyfin
--- a/dev/host_vars/staticweb.yml
+++ b/dev/host_vars/staticweb.yml
@@ -14,7 +14,7 @@ traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
-# staticweb
+# nginx
 nginx_domain: nginx.vm.krislamo.org
 nginx_name: staticsite
 nginx_repo_url: https://git.krislamo.org/kris/example-website/
--- a/dev/staticweb.yml
+++ b/dev/staticweb.yml
@@ -1,10 +1,10 @@
- name: Install a static web container
+- name: Install nginx server (docker)
  hosts: all
  become: true
  vars_files:
-    - host_vars/staticweb.yml
+    - host_vars/nginx.yml
  roles:
    - base
    - docker
    - traefik
-    - staticweb
+    - nginx
--- a/docker.yml
+++ b/docker.yml
@@ -1,7 +1,21 @@
 # Copyright (C) 2020  Kris Lamoureux
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 - name: Install Docker Server
-  hosts: "{{ PLAYBOOK_HOST | default('none') }}"
+  hosts: dockerhosts
  become: true
  roles:
    - base
    - jenkins
    - docker
    - jenkins
--- a/mediaserver.yml
+++ b/mediaserver.yml
@@ -1,9 +1,8 @@
 - name: Install Media Server
-  hosts: "{{ PLAYBOOK_HOST | default('none') }}"
+  hosts: mediaservers
  become: true
  roles:
    - base
    - jenkins
    - proxy
    - docker
    - traefik
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -1,7 +1,6 @@
 allow_reboot: true
 manage_firewall: true
 manage_network: false
 network_type: static
 allow_reboot: true
 packages:
  - apache2-utils
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -22,9 +22,3 @@
    name: ddclient
    state: restarted
  listen: restart_ddclient
 - name: Restart Samba
  ansible.builtin.service:
    name: smbd
    state: restarted
  listen: restart_samba
--- a/roles/base/tasks/ansible.yml
+++ b/roles/base/tasks/ansible.yml
@@ -1,3 +1,21 @@
 - name: 'Install Ansible dependency: python3-apt'
  ansible.builtin.shell: 'apt-get update && apt-get install python3-apt -y'
  args:
    creates: /usr/lib/python3/dist-packages/apt
    warn: false
 - name: Install additional Ansible dependencies
  ansible.builtin.apt:
    name: "{{ item }}"
    state: present
    force_apt_get: true
    update_cache: true
  loop:
    - aptitude
    - python3-docker
    - python3-pymysql
    - python3-psycopg2
 - name: Create Ansible's temporary remote directory
  ansible.builtin.file:
    path: "~/.ansible/tmp"
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -9,7 +9,6 @@
 - name: Import Firewall tasks
  ansible.builtin.import_tasks: firewall.yml
  tags: firewall
  when: manage_firewall
 - name: Import Network tasks
  ansible.builtin.import_tasks: network.yml
@@ -30,8 +29,3 @@
  ansible.builtin.import_tasks: wireguard.yml
  tags: wireguard
  when: wireguard is defined
 - name: Import Samba tasks
  ansible.builtin.import_tasks: samba.yml
  tags: samba
  when: samba is defined
--- a/roles/base/tasks/samba.yml
+++ b/roles/base/tasks/samba.yml
@@ -3,18 +3,8 @@
    name: samba
    state: present
 - name: Create nologin shell accounts for Samba
  ansible.builtin.user:
    name: "{{ item.name }}"
    state: present
    shell: /usr/sbin/nologin
    createhome: false
    system: yes
  loop: "{{ samba.users }}"
  when: item.manage_user is defined and item.manage_user is true
 - name: Create Samba users
-  ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
+  ansible.builtin.command: "smbpasswd -a -s {{ item.name }}"
  args:
    stdin: "{{ item.password }}\n{{ item.password }}"
  loop: "{{ samba.users }}"
@@ -24,8 +14,6 @@
 - name: Ensure share directories exist
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    state: directory
    mode: 0755
  loop: "{{ samba.shares }}"
@@ -34,20 +22,4 @@
  ansible.builtin.template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
-  notify: restart_samba
+  notify: samba_restart
 - name: Start smbd and enable on boot
  ansible.builtin.service:
    name: smbd
    state: started
    enabled: true
 - name: Allow SMB connections
  community.general.ufw:
    rule: allow
    port: 445
    proto: tcp
    from: "{{ item }}"
    state: enabled
  loop: "{{ samba.firewall }}"
  when: manage_firewall
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -11,23 +11,6 @@
    mode: 0400
  when: authorized_keys is defined
 - name: Create system users
  ansible.builtin.user:
    name: "{{ item.name }}"
    state: present
    shell: "{{ item.shell | default('/bin/bash') }}"
    create_home: "{{ item.home | default(false) }}"
  loop: "{{ users }}"
  when: users is defined
 - name: Set authorized_keys for system users
  ansible.posix.authorized_key:
    user: "{{ item.key }}"
    key: "{{ item.value.key }}"
    state: present
  loop: "{{ users }}"
  when: users is defined and item.value.key is defined
 - name: Manage filesystem mounts
  ansible.posix.mount:
    path: "{{ item.path }}"
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -11,7 +11,6 @@
  args:
    chdir: /etc/wireguard/
    creates: /etc/wireguard/privatekey
    executable: /usr/bin/bash
 - name: Grab WireGuard private key for configuration
  ansible.builtin.slurp:
@@ -35,5 +34,5 @@
  community.general.ufw:
    rule: allow
    port: "{{ wireguard.listenport }}"
-    proto: udp
+    proto: tcp
  when: wireguard.listenport is defined
--- a/roles/base/templates/smb.conf.j2
+++ b/roles/base/templates/smb.conf.j2
@@ -13,16 +13,7 @@
 [{{ share.name }}]
   path = {{ share.path }}
   browsable = yes
 {% if share.guest_allow is defined and share.guest_allow %}
   guest ok = yes
 {% else %}
   guest ok = no
 {% endif %}
   read only = {{ 'yes' if share.read_only | default(false) else 'no' }}
 {% if share.valid_users is defined %}
   valid users = {{ share.valid_users }}
 {% endif %}
 {% if share.force_user is defined %}
   force user = {{ share.force_user }}
 {% endif %}
 {% endfor %}
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1,6 +1,3 @@
 docker_compose_root: /var/lib/compose
 docker_compose_service: compose
 docker_compose: /usr/bin/docker-compose
-docker_repos_keys: "{{ docker_repos_path }}/.keys"
+docker_compose_service: compose
 docker_repos_keytype: rsa
 docker_repos_path: /srv/compose_repos
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -17,58 +17,6 @@
    mode: 0400
  notify: compose_systemd
 - name: Create directories to clone docker-compose repositories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: 0400
  loop:
    - "{{ docker_repos_path }}"
    - "{{ docker_repos_keys }}"
  when: docker_compose_deploy is defined
 - name: Generate OpenSSH deploy keys for docker-compose clones
  community.crypto.openssh_keypair:
    path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
    type: "{{ docker_repos_keytype }}"
    mode: 0400
    state: present
  when: docker_compose_deploy is defined
 - name: Clone external docker-compose projects
  ansible.builtin.git:
    repo: "{{ item.url }}"
    dest: "{{ docker_repos_path }}/{{ item.name }}"
    version: "{{ item.version | default('main') }}"
    force: true
    key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
  when: docker_compose_deploy is defined
  loop: "{{ docker_compose_deploy }}"
 - name: Create directories for docker-compose projects using the systemd service
  ansible.builtin.file:
    path: "{{ docker_compose_root }}/{{ item.name }}"
    state: directory
    mode: 0400
  loop: "{{ docker_compose_deploy }}"
  when: docker_compose_deploy is defined
 - name: Copy docker-compose.yml files to their service directories
  ansible.builtin.copy:
    src: "{{ docker_repos_path }}/{{ item.name }}/{{ item.path | default('docker-compose.yml') }}"
    dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
    remote_src: yes
  loop: "{{ docker_compose_deploy }}"
  when: docker_compose_deploy is defined
 - name: Set environment variables for docker-compose projects
  ansible.builtin.template:
    src: docker-compose-env.j2
    dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
    mode: 0400
  loop: "{{ docker_compose_deploy }}"
  when: docker_compose_deploy is defined and item.env is defined
 - name: Add users to docker group
  ansible.builtin.user:
    name: "{{ item }}"
@@ -82,11 +30,3 @@
    name: docker
    state: started
    enabled: true
 - name: Start docker-compose services and enable on boot
  ansible.builtin.service:
    name: "{{ docker_compose_service }}@{{ item.name }}"
    state: started
    enabled: true
  loop: "{{ docker_compose_deploy }}"
  when: item.enabled is defined and item.enabled is true
--- a/roles/docker/templates/docker-compose-env.j2
+++ b/roles/docker/templates/docker-compose-env.j2
@@ -1,7 +0,0 @@
 # {{ ansible_managed }}
 {% if item.env is defined %}
 {% for kvpair in item.env.items() %}
 {{ kvpair.0 }}={{ kvpair.1 }}
 {% endfor %}
 {% endif %}
--- a/roles/jellyfin/defaults/main.yml
+++ b/roles/jellyfin/defaults/main.yml
@@ -1,4 +1,5 @@
 jellyfin_name: jellyfin
 jellyfin_volume: "{{ jellyfin_name }}"
 jellyfin_router: "{{ jellyfin_name }}"
 jellyfin_rooturl: "https://{{ jellyfin_domain }}"
 jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@@ -4,6 +4,11 @@
    state: directory
    mode: 0500
 - name: Create jellyfin user
  ansible.builtin.user:
    name: jellyfin
    state: present
 - name: Get user jellyfin uid
  ansible.builtin.getent:
    database: passwd
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@@ -1,8 +1,7 @@
 version: '3.7'
 volumes:
-  config:
+  {{ jellyfin_volume }}:
  cache:
 networks:
  traefik:
@@ -25,6 +24,6 @@ services:
      - "traefik.docker.network=traefik"
      - "traefik.enable=true"
    volumes:
-      - config:/config
+      - ./config:/config
-      - cache:/cache
+      - ./cache:/cache
-      - {{ jellyfin_media }}:/media
+      - {{ jellyfin_volume }}:/media
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -29,8 +29,6 @@
    networks:
      - name: "{{ nextcloud_container }}"
      - name: traefik
    env:
      PHP_MEMORY_LIMIT: 1024M
    labels:
      traefik.http.routers.nextcloud.rule: "Host(`{{ nextcloud_domain }}`)"
      traefik.http.routers.nextcloud.entrypoints: websecure
@@ -105,13 +103,6 @@
    - "php occ maintenance:mode --off"
  when: nextcloud_install.changed
 - name: Install Nextcloud background jobs cron
  ansible.builtin.cron:
    name: Nextcloud background job
    minute: "*/5"
    job: "/usr/bin/docker exec -u www-data nextcloud /usr/local/bin/php -f /var/www/html/cron.php"
    user: root
 - name: Remove Nextcloud's CAN_INSTALL file
  ansible.builtin.file:
    path: "{{ nextcloud_root }}/config/CAN_INSTALL"
--- a/roles/staticweb/defaults/main.yml
+++ b/roles/staticweb/defaults/main.yml
--- a/roles/staticweb/tasks/main.yml
+++ b/roles/staticweb/tasks/main.yml
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -19,14 +19,14 @@
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
-    mode: 0644
+    mode: '0644'
  notify: reload_nginx
 - name: Install nginx sites configuration
  ansible.builtin.template:
    src: server-nginx.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: 0400
+    mode: '0644'
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
  register: nginx_sites