Full Rewrite / Re-Doing of Everything, Part 1
This commit is contained in:
parent
c5eaaa9bb1
commit
139f7b2534
28 changed files with 348 additions and 57 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -5,4 +5,4 @@ vault-password
|
|||
.idea
|
||||
tmp/
|
||||
.DS_store
|
||||
|
||||
UNHB_INFRA_UMBAU
|
||||
|
|
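--- a/ansible-checkmode-command-unhb2.sh
+++ b/ansible-checkmode-command-unhb2.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.ini --limit unhb2 --check --diff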
|
@ -1,2 +1,2 @@
|
|||
#!/bin/bash
|
||||
ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
|
||||
ansible-playbook site.yml -i inventory.ini --limit unhb4 --check --diff
|
||||
|
|
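--- a/ansible-deploy-command-unhb2.sh
+++ b/ansible-deploy-command-unhb2.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook site.yml -i inventory.ini --limit unhb2 --diff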
|
@ -1,2 +1,2 @@
|
|||
#!/bin/bash
|
||||
ansible-playbook site.yml -i inventory.yml --limit unhb4 --diff
|
||||
ansible-playbook site.yml -i inventory.ini --limit unhb4 --diff
|
||||
|
|
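--- a/host_vars/unhb2/unhb2.yml
+++ b/host_vars/unhb2/unhb2.yml
@@ -0,0 +1,38 @@
+---
+
+docker_volumes_dir: "/srv/docker-volumes"
+
+firewall_services:
+- ssh
+- http
+- https
+- smtp
+- smtps
+- imap
+- imaps
+- pop3
+- pop3s
+
+firewall_ports:
+- "587/tcp"
+
+pretix_container_name: "pretix_app.server2"
+pretix_db_container_name: "pretix_pg-sql.server2"
+pretix_db_env_mysql_random_root_password: "true"
+pretix_db_env_postgres_db_name: "pretix"
+pretix_db_env_postgres_user: "prtxdb"
+pretix_env_virtual_host: "pretix.unhb.de,pretix.un-hack-bar.de"
+pretix_env_virtual_port: "80"
+pretix_env_letsencrypt_host: "pretix.unhb.de,pretix.un-hack-bar.de"
+pretix_redis_container_name: "pretix_redis.server2"
+
+watchtower_container_name: "watchtower.server2"
+watchtower_domainname: "unhb.de"
+watchtower_hostname: "neuromancer"
+watchtower_poll_interval: "21600"
+watchtower_notifications: "email"
+watchtower_notification_email_to: "watchtower@lists.unhb.de"
+watchtower_notification_email_server: "mail.un-hack-bar.de"
+watchtower_notification_email_server_port: "587"
+watchtower_warn_on_head_failure: "never"
+watchtower_version: "latest"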
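Review bot: `pretix_db_env_mysql_random_root_password: "true"` feeds `MYSQL_RANDOM_ROOT_PASSWORD` in pretix-db.env.j2, but the database unit in this commit runs `postgres:15`, where that variable has no effect; it reads as a leftover from a MySQL template and should be dropped from both files so the env file carries only the Postgres settings. The numeric-looking values (`"21600"`, `"80"`, `"587"`) are correctly quoted, since they are rendered into env files as text. The templates also reference `pretix_db_env_postgres_password` and the watchtower SMTP from/user/password variables, which are not defined here — presumably they come from unhb2_vault.yml; a header comment such as `# DB password and SMTP credentials are defined in unhb2_vault.yml` would spare the next reader the search.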
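--- a/host_vars/unhb2/unhb2_vault.yml
+++ b/host_vars/unhb2/unhb2_vault.yml
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+39666564363562383332393961383732613932393235656335376265366563663062353766666639
+6566663762623536643463313331326331373339373531360a623862346266663338363035653831
+33343035326230656531373437316332643930323033383033383836396538316461363634393232
+6262306463316565330a316537393533633565306363313964303763383363306630316438666561
+64343930326331346161326239353934646439383332653734653832373638616561666334336162
+39383036363733373231613331353835326136653831306163326536393339393464316162376563
+31623432656363393130366263623763333633363264343039666661333235393463396464306436
+33343665323338356531646233643939633762333963646637646230633739663130663533663135
+64666236386666376139323264316162626663353033633564663263666332373131326563353062
+64396232353062616335633164346365643664643463613439643561373834623431393731353431
+36663730363362633034633862383631313734626534633161383936383831663365353665393631
+35623737613961306335366235613363623136623131353737363537653766343431383139316230
+63633564353337393766393832316237636338643263313864336666383835356265363030376361
+62363930323831323064643965323465346132383761646633393639376661656262316133313135
+34393862376434353764303939396438306533663761353733653165366262303361326662383839
+66353137333137653738643830373765653639613730613332393133333935313065343632613264
+3131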
|
@ -1,22 +0,0 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31343963396633396632623766363862386661353265393166666536656530623938383233653464
|
||||
3034386666346435313062306463383864393233623363360a363464343263353337306634656630
|
||||
37623936636161363766386130663838633933393862386466383433326661663565353836663539
|
||||
3839303839336432330a613031613936613166313034346437373635346639313733666562333331
|
||||
62636632313339356363316436316238303338306538346564346431363730656466656265303134
|
||||
32393662666332313665373464656262646636336632306562616536633166303434346135623461
|
||||
62316339653533326430636361313931656366623330316638373139343835366535666639663630
|
||||
39313230613331613663643736326563323734353861613036623565303931653932376134643336
|
||||
62623965363034373939646165366461366134653538623262343462363736636365346133653034
|
||||
39633030376237326436316632393433333733333966323366313536393233343866353831393462
|
||||
39393132613534396534386539643864323966633363353934363838323830356463663936353336
|
||||
36346638663336616265656363636264383563336663313364646461306662323531303038373364
|
||||
33633536646331393738613534613430663330663462346432616230306338386131326566636331
|
||||
66663065393939393733646131663031313963353830316633376263383666333930613664366635
|
||||
64333563393639653364373636393134326362626131336232306439323634666462616534326439
|
||||
62616533643065623063303536303964366531313164366532316536643839363764316430323236
|
||||
31336333333031363661323935623739363263663461323266616338306139393265323332363462
|
||||
64616637346239366131663863326261373838626164613230383862313361633136396365636666
|
||||
39383035363236323036613365316565383232363631393839626436336665626566303964653163
|
||||
31646634323536343730366462393137656135646661383030346137373364613138386638316138
|
||||
3634
|
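--- a/host_vars/unhb4/unhb4_vault.yml
+++ b/host_vars/unhb4/unhb4_vault.yml
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+64313764393735373863643066306663323136343837363765656131666335326163613634613834
+3863363562303665356364613533343631633136636136660a653436663566383063666661653739
+33343462363062623164303433316364623763653739373237666131373666633062396239626539
+6630363630616336330a326365613064623139386637393561376430333332636135643361383737
+62323637366365316430306437356639623938393633623338306134386564656538643933303636
+34363631303130646162653130376333373763306362323364333865346166333438303038646134
+65336230663336346636303265363631653038303230656530333061346163363931343565333233
+63613263353665376363336364306566313466643433306466316336346630643039663363643031
+31633531386566666662653766376563383731333032616365353438363564383163366436633865
+36336564346431653933333933646563633161366264326633366539396630636161303830343566
+62663337633062313033313561383261636539336530306361326462313135353464346636616132
+37636463346135646339316132336237363465366430336338356463633838356538636636326131
+39323063333361303363396165346164333265613461353761316436356137343061313338393030
+32353965346230356636396438613138313864363761376434346233613030313063336635663038
+32613638633037303263366436636435623732643266663363613234323034643937323139613138
+65316638336666623238383165343665666532356630353266643438613062333866643763656235
+35643536353237363931633564333639666230326165393263343339633732666566356436663930
+61313664383861353131343432623635623937636138383866303366646335666464633238316466
+64653865623732333065346166306638313238393139313866386338663931663539616134343764
+36663861356362313730383038383332306435653466393034636533313331333661666663643566
+6462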
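--- a/inventory.ini
+++ b/inventory.ini
@@ -0,0 +1,5 @@
+[servers:children]
+debianservers
+[debianservers]
+unhb2
+unhb4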
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
|
||||
all:
|
||||
children:
|
||||
debianservers:
|
||||
hosts:
|
||||
unhb4
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Install packages if Debian based
|
||||
apt:
|
||||
name: unattended-upgrades
|
||||
state: present
|
||||
update_cache: true
|
||||
become: true
|
||||
|
||||
- name: Apt Config (/etc/apt.conf.d/10periodic)
|
||||
ansible.builtin.template:
|
||||
src: ../templates/10periodic.j2
|
||||
dest: /etc/apt/apt.conf.d/10periodic
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: restart-unattendedupgrades
|
|
@ -1,6 +1,17 @@
|
|||
---
|
||||
|
||||
- name: Include other yaml files
|
||||
include_tasks: "{{ item }}"
|
||||
with_fileglob:
|
||||
- apt.yml
|
||||
- name: Install packages if Debian based
|
||||
apt:
|
||||
name: unattended-upgrades
|
||||
state: present
|
||||
update_cache: true
|
||||
become: true
|
||||
|
||||
- name: Apt Config (/etc/apt.conf.d/10periodic)
|
||||
ansible.builtin.template:
|
||||
src: ../templates/10periodic.j2
|
||||
dest: /etc/apt/apt.conf.d/10periodic
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
notify: restart-unattendedupgrades
|
||||
|
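Review bot: The task named `Install packages if Debian based` carries no `when:` condition, so the name promises a guard the task does not enforce; either add `when: ansible_os_family == "Debian"` or rename it `Install unattended-upgrades`. The same hunk mixes the short `apt:` with the fully qualified `ansible.builtin.template:`; `ansible.builtin.apt:` keeps the file consistent with the rest of the rewrite. `become: true` is set on the apt task but not on the template that writes `/etc/apt/apt.conf.d/10periodic`, which only works when the play already runs as root. The file header for this hunk is not shown on the page, so the path is inferred from the `apt.yml` include it replaces.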
|
|
@ -7,7 +7,7 @@
|
|||
include_tasks: "sudo.yml"
|
||||
|
||||
- name: Set up earlyoom (Debian)
|
||||
include_tasks: "sudo.yml"
|
||||
include_tasks: "earlyoom.yml"
|
||||
|
||||
- name: Deploy update script
|
||||
include_tasks: "update_script.yml"
|
||||
|
|
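--- a/roles/docker_pretix/handlers/main.yml
+++ b/roles/docker_pretix/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: restart-pretix-docker
+ansible.builtin.service:
+state: restarted
+name: "{{ item }}"
+tags: molecule-notest
+with_items:
+- pretix.service
+- pretix-db.service
+- pretix-redis.service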
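Review bot: `restart-pretix-docker` restarts all three units whenever any .env or unit file changes, so an edit to pretix.env also restarts `pretix-db.service`, whose `ExecStartPre` force-removes and recreates the Postgres container and takes the database down for an unrelated change. Splitting this into one handler per unit (`restart-pretix`, `restart-pretix-db`, `restart-pretix-redis`) and notifying only the matching one keeps restarts minimal. `with_items` still works, but `loop:` is the current form if the rest of the repository uses it.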
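--- a/roles/docker_pretix/tasks/main.yml
+++ b/roles/docker_pretix/tasks/main.yml
@@ -0,0 +1,70 @@
+---
+
+- name: "Install dependencies"
+ansible.builtin.apt:
+pkg:
+- docker.io
+- apparmor # if not installed, Docker will complain
+
+- name: "Create directories for Pretix"
+ansible.builtin.file:
+path: "{{ item }}"
+state: directory
+owner: root
+group: root
+mode: '0750'
+recurse: true
+with_items:
+- "{{ docker_volumes_dir }}/pretix/postgres-db"
+- "{{ docker_volumes_dir }}/pretix/data"
+- "{{ docker_volumes_dir }}/pretix/conf"
+
+- name: "Template .env files for Pretix"
+ansible.builtin.template:
+src: "{{ item }}.j2"
+dest: "{{ docker_volumes_dir }}/pretix/{{ item }}"
+force: true
+owner: root
+group: root
+mode: '0660'
+with_items:
+- pretix.env
+- pretix-db.env
+notify: restart-pretix-docker
+
+- name: "Template systemd unit files for Pretix"
+ansible.builtin.template:
+src: "{{ item }}.j2"
+dest: "/etc/systemd/system/{{ item }}"
+force: true
+owner: root
+group: root
+mode: '0644'
+with_items:
+- pretix.service
+- pretix-db.service
+- pretix-redis.service
+register: unit
+notify: restart-pretix-docker
+
+- name: "Reload systemd units"
+ansible.builtin.systemd:
+daemon_reload: yes
+when: unit.changed
+
+- name: "Enable systemd units for Pretix"
+ansible.builtin.systemd:
+state: started
+enabled: true
+name: "{{ item }}"
+with_items:
+- pretix.service
+- pretix-db.service
+- pretix-redis.service
+
+- name: "Add Pretix to Docker network nginx_net"
+docker_network:
+name: nginx_net
+connected:
+- "{{ pretix_container_name }}"
+appends: true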
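Review bot: `Create directories for Pretix` applies `owner: root`, `mode: '0750'` and `recurse: true` to `{{ docker_volumes_dir }}/pretix/postgres-db`, which pretix-db.service.j2 bind-mounts as the Postgres data directory; on every run after the first this re-chowns the whole live database tree to root, presumably fighting the postgres image's own ownership fix-up on start and reporting `changed` each deploy — drop `recurse: true` for these directories, or at least for the data ones. The .env files are written with `mode: '0660'` although pretix-db.env holds `POSTGRES_PASSWORD` and is only read by `docker run --env-file` as root, so `mode: '0600'` is the tighter equivalent. All three unit templates use `--network pretix`, but no task here creates that network; unless another role does, the first `docker run` fails with a missing network, so a `community.docker.docker_network` task with `name: pretix` before the units are started would make the role self-contained, and the bare `docker_network:` at the end should use the same FQCN. `daemon_reload: yes` should be `daemon_reload: true` to match `enabled: true` two tasks down.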
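--- a/roles/docker_pretix/templates/pretix-db.env.j2
+++ b/roles/docker_pretix/templates/pretix-db.env.j2
@@ -0,0 +1,4 @@
+MYSQL_RANDOM_ROOT_PASSWORD={{ pretix_db_env_mysql_random_root_password }}
+POSTGRES_DB={{ pretix_db_env_postgres_db_name }}
+POSTGRES_USER={{ pretix_db_env_postgres_user }}
+POSTGRES_PASSWORD={{ pretix_db_env_postgres_password }}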
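--- a/roles/docker_pretix/templates/pretix-db.service.j2
+++ b/roles/docker_pretix/templates/pretix-db.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=Postgres DB for Pretix with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ pretix_db_container_name }}
+ExecStart=/usr/bin/docker run --name {{ pretix_db_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} \
+-v {{ docker_volumes_dir }}/pretix/postgres-db:/var/lib/postgresql/data --env-file {{ docker_volumes_dir }}/pretix/pretix-db.env postgres:15
+ExecStop=/usr/bin/docker stop {{ pretix_db_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target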
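Review bot: `--label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED}` on the `ExecStart` line is neither a Jinja expression (`{{ }}`) nor a systemd specifier, so the literal text `{WATCHTOWER_ENABLED}` is rendered into the unit and becomes the label value; watchtower will not read that as `true`, and no `EnvironmentFile=` line points at the pretix_.env that defines the variable. Either resolve it at template time from a new host var (constructed example: `--label com.centurylinklabs.watchtower.enable={{ pretix_watchtower_enabled }}`) or add `EnvironmentFile={{ docker_volumes_dir }}/pretix/pretix.env` and write `${WATCHTOWER_ENABLED}`. The same placeholder appears in pretix-redis.service.j2 and pretix.service.j2.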
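--- a/roles/docker_pretix/templates/pretix-redis.service.j2
+++ b/roles/docker_pretix/templates/pretix-redis.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Redis for Pretix with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ pretix_redis_container_name }}
+ExecStart=/usr/bin/docker run --name {{ pretix_redis_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} redis
+ExecStop=/usr/bin/docker stop {{ pretix_redis_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target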
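Review bot: The `ExecStart` line runs the bare `redis` image with no tag, so it resolves to `latest` and, with watchtower tracking it, the deployed Redis major version can change underneath Pretix without any commit recording it; pinning a major tag as the database unit does with `postgres:15` (for example `redis:7`) keeps updates within a known line. The `{WATCHTOWER_ENABLED}` placeholder on the same line is the issue raised on pretix-db.service.j2.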
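--- a/roles/docker_pretix/templates/pretix.env.j2
+++ b/roles/docker_pretix/templates/pretix.env.j2
@@ -0,0 +1,3 @@
+VIRTUAL_HOST={{ pretix_env_virtual_host }}
+VIRTUAL_PORT={{ pretix_env_virtual_port }}
+LETSENCRYPT_HOST={{ pretix_env_letsencrypt_host }}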
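--- a/roles/docker_pretix/templates/pretix.service.j2
+++ b/roles/docker_pretix/templates/pretix.service.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description=Pretix with Docker
+After=docker.service
+Requires=docker.service
+Requires={{ pretix_db_container_name }}
+Requires={{ pretix_redis_container_name }}
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ pretix_container_name }}
+ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network pretix \
+--label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} --env-file {{ docker_volumes_dir }}/pretix/pretix.env \
+-v {{ docker_volumes_dir }}/pretix/data:/data \
+-v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \
+pretix/standalone:stable
+ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target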
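Review bot: `ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}` stops the watchtower container instead of this one, so `systemctl stop pretix` leaves Pretix running and kills auto-updates; it should read `ExecStop=/usr/bin/docker stop {{ pretix_container_name }}`. The two `Requires=` lines hold container names such as `pretix_pg-sql.server2`, but systemd expects unit names there, so the unit's dependencies cannot resolve; `Requires=pretix-db.service pretix-redis.service` together with a matching `After=pretix-db.service pretix-redis.service` both requires and orders the units this role installs. `{WATCHTOWER_ENABLED}` is the placeholder issue raised on pretix-db.service.j2.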
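--- a/roles/docker_pretix/templates/pretix_.env
+++ b/roles/docker_pretix/templates/pretix_.env
@@ -0,0 +1,5 @@
+# Change this enviroment variable to "false" to disable automatic updates
+# Also keep in mind to re-run "docker-compose up -d" after changing this file
+
+WATCHTOWER_ENABLED=true
+#WATCHTOWER_ENABLED=true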
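Review bot: This file is not a `.j2` and is not listed in either template task of roles/docker_pretix/tasks/main.yml, so nothing deploys it and its `WATCHTOWER_ENABLED=true` is never read by the units that reference `{WATCHTOWER_ENABLED}`; together with the `docker-compose up -d` comment it looks like an orphan from a compose-based layout. Either delete it or turn the value into a host var consumed by the unit templates. If it stays, the duplicated commented-out `#WATCHTOWER_ENABLED=true` line and the `enviroment` typo should go.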
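--- a/roles/docker_watchtower/handlers/main.yml
+++ b/roles/docker_watchtower/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: restart-watchtower-docker
+ansible.builtin.service:
+state: restarted
+name: "{{ item }}"
+tags: molecule-notest
+with_items:
+- watchtower.service
+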
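--- a/roles/docker_watchtower/tasks/main.yml
+++ b/roles/docker_watchtower/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+
+- name: "Install dependencies"
+ansible.builtin.apt:
+pkg:
+- docker.io
+- apparmor # if not installed, Docker will complain
+
+- name: "Create directories for Watchtower"
+ansible.builtin.file:
+path: "{{ item }}"
+state: directory
+owner: root
+group: root
+mode: '0750'
+recurse: true
+with_items:
+- "{{ docker_volumes_dir }}/watchtower"
+
+- name: "Template .env files for Watchtower"
+ansible.builtin.template:
+src: "{{ item }}.j2"
+dest: "{{ docker_volumes_dir }}/watchtower/{{ item }}"
+force: true
+owner: root
+group: root
+mode: '0660'
+with_items:
+- watchtower.env
+notify: restart-watchtower-docker
+
+- name: "Template systemd unit files for Watchtower"
+ansible.builtin.template:
+src: "{{ item }}.j2"
+dest: "/etc/systemd/system/{{ item }}"
+force: true
+owner: root
+group: root
+mode: '0644'
+with_items:
+- watchtower.service
+register: unit
+notify: restart-watchtower-docker
+
+- name: "Reload systemd units"
+ansible.builtin.systemd:
+daemon_reload: yes
+when: unit.changed
+
+- name: "Enable systemd units for Watchtower"
+ansible.builtin.systemd:
+state: started
+enabled: true
+name: "{{ item }}"
+with_items:
+- watchtower.service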
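Review bot: watchtower.env is templated with `mode: '0660'` although it carries the SMTP account password (`watchtower_notification_email_server_password`) and is only read by `docker run --env-file` as root, so `mode: '0600'` is the tighter equivalent; the pretix role makes the same choice for its .env files. `daemon_reload: yes` in `Reload systemd units` should be `daemon_reload: true` to match `enabled: true` in the next task. `recurse: true` on a directory that only ever holds this one env file is harmless here but reads as copied from the pretix role, where it is not.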
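--- a/roles/docker_watchtower/templates/watchtower.env.j2
+++ b/roles/docker_watchtower/templates/watchtower.env.j2
@@ -0,0 +1,9 @@
+WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
+WATCHTOWER_NOTIFICATIONS="{{ watchtower_notifications }}
+WATCHTOWER_NOTIFICATION_EMAIL_FROM="{{ watchtower_notification_email_from }}"
+WATCHTOWER_NOTIFICATION_EMAIL_TO="{{ watchtower_notification_email_to }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER="{{ watchtower_notification_email_server }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT="{{ watchtower_notification_email_server_port }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER="{{ watchtower_notification_email_server_user }}"
+WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="{{ watchtower_notification_email_server_password }}"
+WATCHTOWER_WARN_ON_HEAD_FAILURE="{{ watchtower_warn_on_head_failure }}"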
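Review bot: The values on lines 2–9 are wrapped in double quotes, but this file is consumed by `docker run --env-file` (see watchtower.service.j2), which takes every value verbatim, so the quotes become part of the value — watchtower receives `"email"` rather than `email` for `WATCHTOWER_NOTIFICATIONS`, and the SMTP server, port and credentials are mangled the same way, which presumably leaves e-mail notifications silently broken; line 2 is also missing its closing quote. Env files for `docker run` should carry bare values the way line 1 already does.

```jinja
WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
WATCHTOWER_NOTIFICATIONS={{ watchtower_notifications }}
WATCHTOWER_NOTIFICATION_EMAIL_FROM={{ watchtower_notification_email_from }}
WATCHTOWER_NOTIFICATION_EMAIL_TO={{ watchtower_notification_email_to }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER={{ watchtower_notification_email_server }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT={{ watchtower_notification_email_server_port }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER={{ watchtower_notification_email_server_user }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ watchtower_notification_email_server_password }}
WATCHTOWER_WARN_ON_HEAD_FAILURE={{ watchtower_warn_on_head_failure }}
```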
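--- a/roles/docker_watchtower/templates/watchtower.service.j2
+++ b/roles/docker_watchtower/templates/watchtower.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Watchtower with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ watchtower_container_name }}
+ExecStart=/usr/bin/docker run --rm --name {{ watchtower_container_name }} --hostname {{ watchtower_hostname }} --domainname {{ watchtower_domainname }} --env-file {{ docker_volumes_dir }}/watchtower/watchtower.env -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower:{{ watchtower_version }}
+ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
+Restart=always
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target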
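Review bot: `-v /var/run/docker.sock:/var/run/docker.sock` hands the watchtower container full control of the host's Docker daemon, which is root-equivalent, while the image is `containrrr/watchtower:{{ watchtower_version }}` with `watchtower_version: "latest"` in the unhb2 host vars — the most privileged container on the box is also the one with an unpinned, mutable tag. Set `watchtower_version` to a specific release (or reference a digest) and bump it deliberately, and consider `WATCHTOWER_LABEL_ENABLE=true` in watchtower.env so that only containers carrying the `com.centurylinklabs.watchtower.enable` label the other units set are touched. `--rm` alongside `ExecStartPre=-/usr/bin/docker rm --force` is redundant but harmless.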
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
|
||||
- name: install firewalld
|
||||
- name: Install firewalld
|
||||
package:
|
||||
name: firewalld
|
||||
state: present
|
||||
|
||||
- name: "Make sure FirewallD is running"
|
||||
ansible.builtin.service:
|
||||
ansible.builtin.systemd:
|
||||
name: firewalld
|
||||
enabled: yes
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
- name: Open SSH port in firewall
|
||||
ansible.posix.firewalld:
|
||||
|
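Review bot: `package:` under `Install firewalld` is the only short module name left in this hunk now that `ansible.builtin.service:` became `ansible.builtin.systemd:`; `ansible.builtin.package:` keeps the file consistent with the rest of the rewrite. The `Open SSH port in firewall` task begins on the last lines of the hunk and continues outside it. The file header for this hunk is not shown on the page.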
|
8
site.yml
8
site.yml
|
@ -10,6 +10,14 @@
|
|||
- apt_listchanges
|
||||
- basic_common_settings
|
||||
- firewalld
|
||||
|
||||
- name: Set up roles on unhb4
|
||||
hosts: unhb2
|
||||
remote_user: root
|
||||
|
||||
roles:
|
||||
- docker_watchtower
|
||||
- docker_pretix
|
||||
|
||||
- name: Set up roles on unhb4
|
||||
hosts: unhb4
|
||||
|
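Review bot: The new play is named `Set up roles on unhb4` but targets `hosts: unhb2`, so it duplicates the following play's name and mislabels the output of every run; change it to `- name: Set up roles on unhb2`. The play also connects as `remote_user: root`; if the plays above this hunk use an unprivileged user with `become: true` (their headers are outside the hunk), matching that keeps root SSH logins out of the deployment path and makes privilege escalation explicit where the pretix and watchtower roles write to `/etc/systemd/system`. Whether those roles currently rely on the implicit root login is not visible here.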
|