Full Rewrite / Re-Doing of Everything, Part 1

.gitignore

@@ -5,4 +5,4 @@ vault-password
 .idea
 tmp/
 .DS_store
-
+UNHB_INFRA_UMBAU

ansible-checkmode-command-unhb2.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.ini --limit unhb2 --check --diff

ansible-checkmode-command-unhb4.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
+ansible-playbook site.yml -i inventory.ini --limit unhb4 --check --diff

ansible-deploy-command-unhb2.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.ini --limit unhb2 --diff

ansible-deploy-command-unhb4.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4 --diff
+ansible-playbook site.yml -i inventory.ini --limit unhb4 --diff

host_vars/unhb2/unhb2.yml

@@ -0,0 +1,38 @@
+---
+
+docker_volumes_dir: "/srv/docker-volumes"
+
+firewall_services:
+  - ssh
+  - http
+  - https
+  - smtp
+  - smtps
+  - imap
+  - imaps
+  - pop3
+  - pop3s
+  
+firewall_ports:
+  - "587/tcp"
+
+pretix_container_name: "pretix_app.server2"
+pretix_db_container_name: "pretix_pg-sql.server2"
+pretix_db_env_mysql_random_root_password: "true"
+pretix_db_env_postgres_db_name: "pretix"
+pretix_db_env_postgres_user: "prtxdb"
+pretix_env_virtual_host: "pretix.unhb.de,pretix.un-hack-bar.de"
+pretix_env_virtual_port: "80"
+pretix_env_letsencrypt_host: "pretix.unhb.de,pretix.un-hack-bar.de"
+pretix_redis_container_name: "pretix_redis.server2"
+
+watchtower_container_name: "watchtower.server2"
+watchtower_domainname: "unhb.de"
+watchtower_hostname: "neuromancer"
+watchtower_poll_interval: "21600"
+watchtower_notifications: "email"
+watchtower_notification_email_to: "watchtower@lists.unhb.de"
+watchtower_notification_email_server: "mail.un-hack-bar.de"
+watchtower_notification_email_server_port: "587"
+watchtower_warn_on_head_failure: "never"
+watchtower_version: "latest"

host_vars/unhb2/unhb2_vault.yml

@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+39666564363562383332393961383732613932393235656335376265366563663062353766666639
+6566663762623536643463313331326331373339373531360a623862346266663338363035653831
+33343035326230656531373437316332643930323033383033383836396538316461363634393232
+6262306463316565330a316537393533633565306363313964303763383363306630316438666561
+64343930326331346161326239353934646439383332653734653832373638616561666334336162
+39383036363733373231613331353835326136653831306163326536393339393464316162376563
+31623432656363393130366263623763333633363264343039666661333235393463396464306436
+33343665323338356531646233643939633762333963646637646230633739663130663533663135
+64666236386666376139323264316162626663353033633564663263666332373131326563353062
+64396232353062616335633164346365643664643463613439643561373834623431393731353431
+36663730363362633034633862383631313734626534633161383936383831663365353665393631
+35623737613961306335366235613363623136623131353737363537653766343431383139316230
+63633564353337393766393832316237636338643263313864336666383835356265363030376361
+62363930323831323064643965323465346132383761646633393639376661656262316133313135
+34393862376434353764303939396438306533663761353733653165366262303361326662383839
+66353137333137653738643830373765653639613730613332393133333935313065343632613264
+3131

host_vars/unhb4/authentik-vault.yml

@@ -1,22 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-31343963396633396632623766363862386661353265393166666536656530623938383233653464
-3034386666346435313062306463383864393233623363360a363464343263353337306634656630
-37623936636161363766386130663838633933393862386466383433326661663565353836663539
-3839303839336432330a613031613936613166313034346437373635346639313733666562333331
-62636632313339356363316436316238303338306538346564346431363730656466656265303134
-32393662666332313665373464656262646636336632306562616536633166303434346135623461
-62316339653533326430636361313931656366623330316638373139343835366535666639663630
-39313230613331613663643736326563323734353861613036623565303931653932376134643336
-62623965363034373939646165366461366134653538623262343462363736636365346133653034
-39633030376237326436316632393433333733333966323366313536393233343866353831393462
-39393132613534396534386539643864323966633363353934363838323830356463663936353336
-36346638663336616265656363636264383563336663313364646461306662323531303038373364
-33633536646331393738613534613430663330663462346432616230306338386131326566636331
-66663065393939393733646131663031313963353830316633376263383666333930613664366635
-64333563393639653364373636393134326362626131336232306439323634666462616534326439
-62616533643065623063303536303964366531313164366532316536643839363764316430323236
-31336333333031363661323935623739363263663461323266616338306139393265323332363462
-64616637346239366131663863326261373838626164613230383862313361633136396365636666
-39383035363236323036613365316565383232363631393839626436336665626566303964653163
-31646634323536343730366462393137656135646661383030346137373364613138386638316138
-3634

host_vars/unhb4/unhb4_vault.yml

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+64313764393735373863643066306663323136343837363765656131666335326163613634613834
+3863363562303665356364613533343631633136636136660a653436663566383063666661653739
+33343462363062623164303433316364623763653739373237666131373666633062396239626539
+6630363630616336330a326365613064623139386637393561376430333332636135643361383737
+62323637366365316430306437356639623938393633623338306134386564656538643933303636
+34363631303130646162653130376333373763306362323364333865346166333438303038646134
+65336230663336346636303265363631653038303230656530333061346163363931343565333233
+63613263353665376363336364306566313466643433306466316336346630643039663363643031
+31633531386566666662653766376563383731333032616365353438363564383163366436633865
+36336564346431653933333933646563633161366264326633366539396630636161303830343566
+62663337633062313033313561383261636539336530306361326462313135353464346636616132
+37636463346135646339316132336237363465366430336338356463633838356538636636326131
+39323063333361303363396165346164333265613461353761316436356137343061313338393030
+32353965346230356636396438613138313864363761376434346233613030313063336635663038
+32613638633037303263366436636435623732643266663363613234323034643937323139613138
+65316638336666623238383165343665666532356630353266643438613062333866643763656235
+35643536353237363931633564333639666230326165393263343339633732666566356436663930
+61313664383861353131343432623635623937636138383866303366646335666464633238316466
+64653865623732333065346166306638313238393139313866386338663931663539616134343764
+36663861356362313730383038383332306435653466393034636533313331333661666663643566
+6462

inventory.ini

@@ -0,0 +1,5 @@
+[servers:children]
+debianservers
+[debianservers]
+unhb2
+unhb4

inventory.yml

@@ -1,7 +0,0 @@
----
-
-all:
-  children:
-    debianservers:
-      hosts:
-        unhb4

roles/apt/tasks/apt.yml

@@ -1,17 +0,0 @@
----
-
-- name: Install packages if Debian based
-  apt:
-    name: unattended-upgrades
-    state: present
-    update_cache: true
-  become: true
-
-- name: Apt Config (/etc/apt.conf.d/10periodic)
-  ansible.builtin.template:
-    src: ../templates/10periodic.j2
-    dest: /etc/apt/apt.conf.d/10periodic
-    owner: root
-    group: root
-    mode: '0644'
-  notify: restart-unattendedupgrades

roles/apt/tasks/main.yml

@@ -1,6 +1,17 @@
 ---
 
-- name: Include other yaml files
-  include_tasks: "{{ item }}"
-  with_fileglob:
-    - apt.yml
+- name: Install packages if Debian based
+  apt:
+    name: unattended-upgrades
+    state: present
+    update_cache: true
+  become: true
+
+- name: Apt Config (/etc/apt.conf.d/10periodic)
+  ansible.builtin.template:
+    src: ../templates/10periodic.j2
+    dest: /etc/apt/apt.conf.d/10periodic
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart-unattendedupgrades

roles/basic_common_settings/tasks/main.yml

@@ -7,7 +7,7 @@
   include_tasks: "sudo.yml"
   
 - name: Set up earlyoom (Debian)
-  include_tasks: "sudo.yml"
+  include_tasks: "earlyoom.yml"
 
 - name: Deploy update script
   include_tasks: "update_script.yml"

roles/docker_pretix/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: restart-pretix-docker
+  ansible.builtin.service:
+    state: restarted
+    name: "{{ item }}"
+  tags: molecule-notest
+  with_items:
+    - pretix.service
+    - pretix-db.service
+    - pretix-redis.service

roles/docker_pretix/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+
+- name: "Install dependencies"
+  ansible.builtin.apt:
+    pkg:
+      - docker.io
+      - apparmor # if not installed, Docker will complain
+
+- name: "Create directories for Pretix"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
+    recurse: true
+  with_items:
+    - "{{ docker_volumes_dir }}/pretix/postgres-db"
+    - "{{ docker_volumes_dir }}/pretix/data"
+    - "{{ docker_volumes_dir }}/pretix/conf"
+
+- name: "Template .env files for Pretix"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "{{ docker_volumes_dir }}/pretix/{{ item }}"
+    force: true
+    owner: root
+    group: root
+    mode: '0660'
+  with_items:
+    - pretix.env
+    - pretix-db.env
+  notify: restart-pretix-docker
+
+- name: "Template systemd unit files for Pretix"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    force: true
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - pretix.service
+    - pretix-db.service
+    - pretix-redis.service
+  register: unit
+  notify: restart-pretix-docker
+    
+- name: "Reload systemd units"
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  when: unit.changed
+
+- name: "Enable systemd units for Pretix"
+  ansible.builtin.systemd:
+    state: started
+    enabled: true
+    name: "{{ item }}"
+  with_items:
+    - pretix.service
+    - pretix-db.service
+    - pretix-redis.service
+    
+- name: "Add Pretix to Docker network nginx_net"
+  docker_network:
+    name: nginx_net
+    connected:
+      - "{{ pretix_container_name }}"
+    appends: true

roles/docker_pretix/templates/pretix-db.env.j2

@@ -0,0 +1,4 @@
+MYSQL_RANDOM_ROOT_PASSWORD={{ pretix_db_env_mysql_random_root_password }}
+POSTGRES_DB={{ pretix_db_env_postgres_db_name }}
+POSTGRES_USER={{ pretix_db_env_postgres_user }}
+POSTGRES_PASSWORD={{ pretix_db_env_postgres_password }}

roles/docker_pretix/templates/pretix-db.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=Postgres DB for Pretix with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ pretix_db_container_name }}
+ExecStart=/usr/bin/docker run --name {{ pretix_db_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} \
+         -v {{ docker_volumes_dir }}/pretix/postgres-db:/var/lib/postgresql/data --env-file {{ docker_volumes_dir }}/pretix/pretix-db.env postgres:15
+ExecStop=/usr/bin/docker stop {{ pretix_db_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target

roles/docker_pretix/templates/pretix-redis.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Redis for Pretix with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ pretix_redis_container_name }}
+ExecStart=/usr/bin/docker run --name {{ pretix_redis_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} redis
+ExecStop=/usr/bin/docker stop {{ pretix_redis_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target

roles/docker_pretix/templates/pretix.env.j2

@@ -0,0 +1,3 @@
+VIRTUAL_HOST={{ pretix_env_virtual_host }}
+VIRTUAL_PORT={{ pretix_env_virtual_port }}
+LETSENCRYPT_HOST={{ pretix_env_letsencrypt_host }}

roles/docker_pretix/templates/pretix.service.j2

@@ -0,0 +1,20 @@
+[Unit]
+Description=Pretix with Docker
+After=docker.service
+Requires=docker.service
+Requires={{ pretix_db_container_name }}
+Requires={{ pretix_redis_container_name }}
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ pretix_container_name }}
+ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network pretix \
+          --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} --env-file {{ docker_volumes_dir }}/pretix/pretix.env \
+          -v {{ docker_volumes_dir }}/pretix/data:/data \
+          -v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \
+          pretix/standalone:stable
+ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target

roles/docker_pretix/templates/pretix_.env

@@ -0,0 +1,5 @@
+# Change this enviroment variable to "false" to disable automatic updates
+# Also keep in mind to re-run "docker-compose up -d" after changing this file
+
+WATCHTOWER_ENABLED=true
+#WATCHTOWER_ENABLED=true

roles/docker_watchtower/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: restart-watchtower-docker
+  ansible.builtin.service:
+    state: restarted
+    name: "{{ item }}"
+  tags: molecule-notest
+  with_items:
+    - watchtower.service
+

roles/docker_watchtower/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+
+- name: "Install dependencies"
+  ansible.builtin.apt:
+    pkg:
+      - docker.io
+      - apparmor # if not installed, Docker will complain
+
+- name: "Create directories for Watchtower"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
+    recurse: true
+  with_items:
+    - "{{ docker_volumes_dir }}/watchtower"
+
+- name: "Template .env files for Watchtower"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "{{ docker_volumes_dir }}/watchtower/{{ item }}"
+    force: true
+    owner: root
+    group: root
+    mode: '0660'
+  with_items:
+    - watchtower.env
+  notify: restart-watchtower-docker
+
+- name: "Template systemd unit files for Watchtower"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    force: true
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - watchtower.service
+  register: unit
+  notify: restart-watchtower-docker
+    
+- name: "Reload systemd units"
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  when: unit.changed
+
+- name: "Enable systemd units for Watchtower"
+  ansible.builtin.systemd:
+    state: started
+    enabled: true
+    name: "{{ item }}"
+  with_items:
+    - watchtower.service

roles/docker_watchtower/templates/watchtower.env.j2

@@ -0,0 +1,9 @@
+WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
+WATCHTOWER_NOTIFICATIONS="{{ watchtower_notifications }}
+WATCHTOWER_NOTIFICATION_EMAIL_FROM="{{ watchtower_notification_email_from }}"
+WATCHTOWER_NOTIFICATION_EMAIL_TO="{{ watchtower_notification_email_to }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER="{{ watchtower_notification_email_server }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT="{{ watchtower_notification_email_server_port }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER="{{ watchtower_notification_email_server_user }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="{{ watchtower_notification_email_server_password }}"
+WATCHTOWER_WARN_ON_HEAD_FAILURE="{{ watchtower_warn_on_head_failure }}"

roles/docker_watchtower/templates/watchtower.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Watchtower with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ watchtower_container_name }}
+ExecStart=/usr/bin/docker run --rm --name {{ watchtower_container_name }} --hostname {{ watchtower_hostname }} --domainname {{ watchtower_domainname }} --env-file {{ docker_volumes_dir }}/watchtower/watchtower.env -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower:{{ watchtower_version }}
+ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target

roles/firewalld/tasks/main.yml

@@ -1,15 +1,15 @@
 ---
 
-- name: install firewalld
+- name: Install firewalld
   package:
     name: firewalld
     state: present
 
 - name: "Make sure FirewallD is running"
-  ansible.builtin.service:
+  ansible.builtin.systemd:
     name: firewalld
-    enabled: yes
     state: started
+    enabled: true
     
 - name: Open SSH port in firewall
   ansible.posix.firewalld:

site.yml

@@ -10,6 +10,14 @@
     - apt_listchanges
     - basic_common_settings
     - firewalld
+    
+- name: Set up roles on unhb4
+  hosts: unhb2
+  remote_user: root
+  
+  roles:
+    - docker_watchtower
+    - docker_pretix
 
 - name: Set up roles on unhb4
   hosts: unhb4