Full Rewrite / Re-Doing of Everything, Part 1

This commit is contained in:
erebion 2023-09-04 14:45:09 +02:00
parent c5eaaa9bb1
commit 139f7b2534
28 changed files with 348 additions and 57 deletions

.gitignore vendored

@ -5,4 +5,4 @@ vault-password
.idea .idea
tmp/ tmp/
.DS_store .DS_store
UNHB_INFRA_UMBAU


@ -0,0 +1,2 @@
#!/bin/bash
ansible-playbook site.yml -i inventory.ini --limit unhb2 --check --diff


@ -1,2 +1,2 @@
#!/bin/bash #!/bin/bash
ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff ansible-playbook site.yml -i inventory.ini --limit unhb4 --check --diff


@ -0,0 +1,2 @@
#!/bin/bash
ansible-playbook site.yml -i inventory.ini --limit unhb2 --diff


@ -1,2 +1,2 @@
#!/bin/bash #!/bin/bash
ansible-playbook site.yml -i inventory.yml --limit unhb4 --diff ansible-playbook site.yml -i inventory.ini --limit unhb4 --diff

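--- a/host_vars/unhb2/unhb2.yml
+++ b/host_vars/unhb2/unhb2.yml
@@ -0,0 +1,38 @@
+---
+docker_volumes_dir: "/srv/docker-volumes"
+firewall_services:
+- ssh
+- http
+- https
+- smtp
+- smtps
+- imap
+- imaps
+- pop3
+- pop3s
+firewall_ports:
+- "587/tcp"
+pretix_container_name: "pretix_app.server2"
+pretix_db_container_name: "pretix_pg-sql.server2"
+pretix_db_env_mysql_random_root_password: "true"
+pretix_db_env_postgres_db_name: "pretix"
+pretix_db_env_postgres_user: "prtxdb"
+pretix_env_virtual_host: "pretix.unhb.de,pretix.un-hack-bar.de"
+pretix_env_virtual_port: "80"
+pretix_env_letsencrypt_host: "pretix.unhb.de,pretix.un-hack-bar.de"
+pretix_redis_container_name: "pretix_redis.server2"
+watchtower_container_name: "watchtower.server2"
+watchtower_domainname: "unhb.de"
+watchtower_hostname: "neuromancer"
+watchtower_poll_interval: "21600"
+watchtower_notifications: "email"
+watchtower_notification_email_to: "watchtower@lists.unhb.de"
+watchtower_notification_email_server: "mail.un-hack-bar.de"
+watchtower_notification_email_server_port: "587"
+watchtower_warn_on_head_failure: "never"
+watchtower_version: "latest"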
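Review bot: `pretix_db_env_mysql_random_root_password: "true"` only feeds `MYSQL_RANDOM_ROOT_PASSWORD` in the `pretix-db.env.j2` template, and that variable is honoured by MySQL/MariaDB images, not by the `postgres:15` image the DB unit runs; it is silently ignored, and its name suggests a safeguard that does not exist. Drop the variable here and the corresponding line in the template, and rely on `POSTGRES_PASSWORD` (which this commit sources from the vault) as the only credential setting. `watchtower_version: "latest"` is discussed at the Watchtower unit file below, since that container receives the Docker socket.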


@ -0,0 +1,18 @@
$ANSIBLE_VAULT;1.1;AES256
39666564363562383332393961383732613932393235656335376265366563663062353766666639
6566663762623536643463313331326331373339373531360a623862346266663338363035653831
33343035326230656531373437316332643930323033383033383836396538316461363634393232
6262306463316565330a316537393533633565306363313964303763383363306630316438666561
64343930326331346161326239353934646439383332653734653832373638616561666334336162
39383036363733373231613331353835326136653831306163326536393339393464316162376563
31623432656363393130366263623763333633363264343039666661333235393463396464306436
33343665323338356531646233643939633762333963646637646230633739663130663533663135
64666236386666376139323264316162626663353033633564663263666332373131326563353062
64396232353062616335633164346365643664643463613439643561373834623431393731353431
36663730363362633034633862383631313734626534633161383936383831663365353665393631
35623737613961306335366235613363623136623131353737363537653766343431383139316230
63633564353337393766393832316237636338643263313864336666383835356265363030376361
62363930323831323064643965323465346132383761646633393639376661656262316133313135
34393862376434353764303939396438306533663761353733653165366262303361326662383839
66353137333137653738643830373765653639613730613332393133333935313065343632613264
3131


@ -1,22 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31343963396633396632623766363862386661353265393166666536656530623938383233653464
3034386666346435313062306463383864393233623363360a363464343263353337306634656630
37623936636161363766386130663838633933393862386466383433326661663565353836663539
3839303839336432330a613031613936613166313034346437373635346639313733666562333331
62636632313339356363316436316238303338306538346564346431363730656466656265303134
32393662666332313665373464656262646636336632306562616536633166303434346135623461
62316339653533326430636361313931656366623330316638373139343835366535666639663630
39313230613331613663643736326563323734353861613036623565303931653932376134643336
62623965363034373939646165366461366134653538623262343462363736636365346133653034
39633030376237326436316632393433333733333966323366313536393233343866353831393462
39393132613534396534386539643864323966633363353934363838323830356463663936353336
36346638663336616265656363636264383563336663313364646461306662323531303038373364
33633536646331393738613534613430663330663462346432616230306338386131326566636331
66663065393939393733646131663031313963353830316633376263383666333930613664366635
64333563393639653364373636393134326362626131336232306439323634666462616534326439
62616533643065623063303536303964366531313164366532316536643839363764316430323236
31336333333031363661323935623739363263663461323266616338306139393265323332363462
64616637346239366131663863326261373838626164613230383862313361633136396365636666
39383035363236323036613365316565383232363631393839626436336665626566303964653163
31646634323536343730366462393137656135646661383030346137373364613138386638316138
3634


@ -0,0 +1,22 @@
$ANSIBLE_VAULT;1.1;AES256
64313764393735373863643066306663323136343837363765656131666335326163613634613834
3863363562303665356364613533343631633136636136660a653436663566383063666661653739
33343462363062623164303433316364623763653739373237666131373666633062396239626539
6630363630616336330a326365613064623139386637393561376430333332636135643361383737
62323637366365316430306437356639623938393633623338306134386564656538643933303636
34363631303130646162653130376333373763306362323364333865346166333438303038646134
65336230663336346636303265363631653038303230656530333061346163363931343565333233
63613263353665376363336364306566313466643433306466316336346630643039663363643031
31633531386566666662653766376563383731333032616365353438363564383163366436633865
36336564346431653933333933646563633161366264326633366539396630636161303830343566
62663337633062313033313561383261636539336530306361326462313135353464346636616132
37636463346135646339316132336237363465366430336338356463633838356538636636326131
39323063333361303363396165346164333265613461353761316436356137343061313338393030
32353965346230356636396438613138313864363761376434346233613030313063336635663038
32613638633037303263366436636435623732643266663363613234323034643937323139613138
65316638336666623238383165343665666532356630353266643438613062333866643763656235
35643536353237363931633564333639666230326165393263343339633732666566356436663930
61313664383861353131343432623635623937636138383866303366646335666464633238316466
64653865623732333065346166306638313238393139313866386338663931663539616134343764
36663861356362313730383038383332306435653466393034636533313331333661666663643566
6462

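--- a/inventory.ini
+++ b/inventory.ini
@@ -0,0 +1,5 @@
+[servers:children]
+debianservers
+[debianservers]
+unhb2
+unhb4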


@ -1,7 +0,0 @@
---
all:
children:
debianservers:
hosts:
unhb4


@ -1,17 +0,0 @@
---
- name: Install packages if Debian based
apt:
name: unattended-upgrades
state: present
update_cache: true
become: true
- name: Apt Config (/etc/apt.conf.d/10periodic)
ansible.builtin.template:
src: ../templates/10periodic.j2
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: '0644'
notify: restart-unattendedupgrades


@ -1,6 +1,17 @@
--- ---
- name: Include other yaml files - name: Install packages if Debian based
include_tasks: "{{ item }}" apt:
with_fileglob: name: unattended-upgrades
- apt.yml state: present
update_cache: true
become: true
- name: Apt Config (/etc/apt.conf.d/10periodic)
ansible.builtin.template:
src: ../templates/10periodic.j2
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: '0644'
notify: restart-unattendedupgrades
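Review bot: The module references in the new task list are inconsistent: the first task uses the short name `apt:` while the second uses `ansible.builtin.template:`; write the first as `ansible.builtin.apt:` so both resolve the same way under collections. `become: true` is set only on the apt task, so the template task that writes `/etc/apt/apt.conf.d/10periodic` works only because site.yml runs the play with `remote_user: root`; either add a matching `become: true` or note that dependency in a comment above the task. The handler `restart-unattendedupgrades` is not part of this commit, so I could not confirm it exists.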


@ -7,7 +7,7 @@
include_tasks: "sudo.yml" include_tasks: "sudo.yml"
- name: Set up earlyoom (Debian) - name: Set up earlyoom (Debian)
include_tasks: "sudo.yml" include_tasks: "earlyoom.yml"
- name: Deploy update script - name: Deploy update script
include_tasks: "update_script.yml" include_tasks: "update_script.yml"


@ -0,0 +1,11 @@
---
- name: restart-pretix-docker
ansible.builtin.service:
state: restarted
name: "{{ item }}"
tags: molecule-notest
with_items:
- pretix.service
- pretix-db.service
- pretix-redis.service


@ -0,0 +1,70 @@
---
- name: "Install dependencies"
ansible.builtin.apt:
pkg:
- docker.io
- apparmor # if not installed, Docker will complain
- name: "Create directories for Pretix"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: '0750'
recurse: true
with_items:
- "{{ docker_volumes_dir }}/pretix/postgres-db"
- "{{ docker_volumes_dir }}/pretix/data"
- "{{ docker_volumes_dir }}/pretix/conf"
- name: "Template .env files for Pretix"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "{{ docker_volumes_dir }}/pretix/{{ item }}"
force: true
owner: root
group: root
mode: '0660'
with_items:
- pretix.env
- pretix-db.env
notify: restart-pretix-docker
- name: "Template systemd unit files for Pretix"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
force: true
owner: root
group: root
mode: '0644'
with_items:
- pretix.service
- pretix-db.service
- pretix-redis.service
register: unit
notify: restart-pretix-docker
- name: "Reload systemd units"
ansible.builtin.systemd:
daemon_reload: yes
when: unit.changed
- name: "Enable systemd units for Pretix"
ansible.builtin.systemd:
state: started
enabled: true
name: "{{ item }}"
with_items:
- pretix.service
- pretix-db.service
- pretix-redis.service
- name: "Add Pretix to Docker network nginx_net"
docker_network:
name: nginx_net
connected:
- "{{ pretix_container_name }}"
appends: true
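Review bot: `recurse: true` on the "Create directories for Pretix" task, combined with `owner: root`, `group: root` and `mode: '0750'`, is applied to `{{ docker_volumes_dir }}/pretix/postgres-db`, which is the directory the DB unit mounts as the Postgres data directory; on every run after the first it will chown the database files back to root and reset their mode, and Postgres refuses to start on a data directory it does not own. Drop `recurse: true` — `state: directory` already creates the path, and the container sets up ownership inside it on first start. I also do not see a task that creates the `pretix` Docker network that all three unit files pass to `--network`, and because the units recreate the container with `docker run` on each (re)start, the `nginx_net` attachment made by the last task is lost until the next playbook run; a `docker_network` task for `pretix` and an attach step in the unit's `ExecStartPost=` would close both gaps, if that matches how the network is provisioned today. `docker_network:` is also the only module in this file without its FQCN (`community.docker.docker_network`).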


@ -0,0 +1,4 @@
MYSQL_RANDOM_ROOT_PASSWORD={{ pretix_db_env_mysql_random_root_password }}
POSTGRES_DB={{ pretix_db_env_postgres_db_name }}
POSTGRES_USER={{ pretix_db_env_postgres_user }}
POSTGRES_PASSWORD={{ pretix_db_env_postgres_password }}


@ -0,0 +1,15 @@
[Unit]
Description=Postgres DB for Pretix with Docker
After=docker.service
Requires=docker.service
[Service]
ExecStartPre=-/usr/bin/docker rm --force {{ pretix_db_container_name }}
ExecStart=/usr/bin/docker run --name {{ pretix_db_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} \
-v {{ docker_volumes_dir }}/pretix/postgres-db:/var/lib/postgresql/data --env-file {{ docker_volumes_dir }}/pretix/pretix-db.env postgres:15
ExecStop=/usr/bin/docker stop {{ pretix_db_container_name }}
Restart=always
RestartSec=15s
[Install]
WantedBy=multi-user.target
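Review bot: `{WATCHTOWER_ENABLED}` in `--label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED}` is neither a Jinja expression (`{{ }}`) nor a systemd specifier, so Docker receives the literal string `{WATCHTOWER_ENABLED}` as the label value; the same placeholder appears in the Redis unit and in the Pretix unit below. The file added in this commit that contains `WATCHTOWER_ENABLED=true` is not referenced by any of the three units, and its comment still refers to `docker-compose up -d`, so it looks like a leftover from the previous setup rather than the source of this value. Either render the label through Ansible, e.g. `com.centurylinklabs.watchtower.enable={{ pretix_watchtower_enabled }}` with a host var, or write a literal `true`/`false` so the behaviour is visible in the unit file.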


@ -0,0 +1,14 @@
[Unit]
Description=Redis for Pretix with Docker
After=docker.service
Requires=docker.service
[Service]
ExecStartPre=-/usr/bin/docker rm --force {{ pretix_redis_container_name }}
ExecStart=/usr/bin/docker run --name {{ pretix_redis_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} redis
ExecStop=/usr/bin/docker stop {{ pretix_redis_container_name }}
Restart=always
RestartSec=15s
[Install]
WantedBy=multi-user.target


@ -0,0 +1,3 @@
VIRTUAL_HOST={{ pretix_env_virtual_host }}
VIRTUAL_PORT={{ pretix_env_virtual_port }}
LETSENCRYPT_HOST={{ pretix_env_letsencrypt_host }}


@ -0,0 +1,20 @@
[Unit]
Description=Pretix with Docker
After=docker.service
Requires=docker.service
Requires={{ pretix_db_container_name }}
Requires={{ pretix_redis_container_name }}
[Service]
ExecStartPre=-/usr/bin/docker rm --force {{ pretix_container_name }}
ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network pretix \
--label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} --env-file {{ docker_volumes_dir }}/pretix/pretix.env \
-v {{ docker_volumes_dir }}/pretix/data:/data \
-v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \
pretix/standalone:stable
ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
Restart=always
RestartSec=15s
[Install]
WantedBy=multi-user.target
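Review bot: `ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}` stops the Watchtower container instead of this one; it should read `ExecStop=/usr/bin/docker stop {{ pretix_container_name }}`. `Requires={{ pretix_db_container_name }}` and `Requires={{ pretix_redis_container_name }}` expand to Docker container names (e.g. `pretix_pg-sql.server2`), but `Requires=` takes systemd unit names, and systemd rejects a name whose suffix is not a known unit type, so the intended dependency on the DB and Redis most likely never takes effect. `Requires=pretix-db.service pretix-redis.service` plus `After=pretix-db.service pretix-redis.service` expresses both the dependency and the start ordering (`Requires=` alone does not order the units).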


@ -0,0 +1,5 @@
# Change this enviroment variable to "false" to disable automatic updates
# Also keep in mind to re-run "docker-compose up -d" after changing this file
WATCHTOWER_ENABLED=true
#WATCHTOWER_ENABLED=true


@ -0,0 +1,10 @@
---
- name: restart-watchtower-docker
ansible.builtin.service:
state: restarted
name: "{{ item }}"
tags: molecule-notest
with_items:
- watchtower.service


@ -0,0 +1,56 @@
---
- name: "Install dependencies"
ansible.builtin.apt:
pkg:
- docker.io
- apparmor # if not installed, Docker will complain
- name: "Create directories for Watchtower"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: '0750'
recurse: true
with_items:
- "{{ docker_volumes_dir }}/watchtower"
- name: "Template .env files for Watchtower"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "{{ docker_volumes_dir }}/watchtower/{{ item }}"
force: true
owner: root
group: root
mode: '0660'
with_items:
- watchtower.env
notify: restart-watchtower-docker
- name: "Template systemd unit files for Watchtower"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
force: true
owner: root
group: root
mode: '0644'
with_items:
- watchtower.service
register: unit
notify: restart-watchtower-docker
- name: "Reload systemd units"
ansible.builtin.systemd:
daemon_reload: yes
when: unit.changed
- name: "Enable systemd units for Watchtower"
ansible.builtin.systemd:
state: started
enabled: true
name: "{{ item }}"
with_items:
- watchtower.service
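Review bot: `daemon_reload: yes` on the "Reload systemd units" task uses a YAML 1.1 truthy while the rest of this file writes `enabled: true`; make it `daemon_reload: true` (the same line appears in the Pretix role). The install task and the create/template/reload/enable sequence duplicate the Pretix role almost line for line; a shared role that takes the list of units and env files as variables would keep the two from drifting, and the `apparmor` comment would then live in one place.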


@ -0,0 +1,9 @@
WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
WATCHTOWER_NOTIFICATIONS="{{ watchtower_notifications }}
WATCHTOWER_NOTIFICATION_EMAIL_FROM="{{ watchtower_notification_email_from }}"
WATCHTOWER_NOTIFICATION_EMAIL_TO="{{ watchtower_notification_email_to }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER="{{ watchtower_notification_email_server }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT="{{ watchtower_notification_email_server_port }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER="{{ watchtower_notification_email_server_user }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="{{ watchtower_notification_email_server_password }}"
WATCHTOWER_WARN_ON_HEAD_FAILURE="{{ watchtower_warn_on_head_failure }}"
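Review bot: The second line is missing its closing quote (`WATCHTOWER_NOTIFICATIONS="{{ watchtower_notifications }}`), and the quoting is a problem on every line regardless: `docker run --env-file` does no quote handling, so the container sees values such as `"email"` and `"mail.un-hack-bar.de"` with the quotes included in them. The unquoted form already used for `WATCHTOWER_POLL_INTERVAL` here and throughout `pretix-db.env.j2` and `pretix.env.j2` is the correct one, so the whole file should be rewritten without quotes.
```jinja
WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
WATCHTOWER_NOTIFICATIONS={{ watchtower_notifications }}
WATCHTOWER_NOTIFICATION_EMAIL_FROM={{ watchtower_notification_email_from }}
WATCHTOWER_NOTIFICATION_EMAIL_TO={{ watchtower_notification_email_to }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER={{ watchtower_notification_email_server }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT={{ watchtower_notification_email_server_port }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER={{ watchtower_notification_email_server_user }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ watchtower_notification_email_server_password }}
WATCHTOWER_WARN_ON_HEAD_FAILURE={{ watchtower_warn_on_head_failure }}
```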


@ -0,0 +1,14 @@
[Unit]
Description=Watchtower with Docker
After=docker.service
Requires=docker.service
[Service]
ExecStartPre=-/usr/bin/docker rm --force {{ watchtower_container_name }}
ExecStart=/usr/bin/docker run --rm --name {{ watchtower_container_name }} --hostname {{ watchtower_hostname }} --domainname {{ watchtower_domainname }} --env-file {{ docker_volumes_dir }}/watchtower/watchtower.env -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower:{{ watchtower_version }}
ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
Restart=always
RestartSec=15s
[Install]
WantedBy=multi-user.target
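Review bot: `-v /var/run/docker.sock:/var/run/docker.sock` hands this container control of the Docker daemon, which on this host is root-equivalent, and with `watchtower_version: "latest"` in host_vars the image that receives that access is whatever the registry serves at the next pull. Pin `watchtower_version` to a specific release tag, or better an image digest, so that an update to the one privileged container in this setup is a reviewed change in host_vars rather than an automatic one. A short comment above `ExecStart=` noting why the socket is mounted would also help the next reader judge the blast radius.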


@ -1,15 +1,15 @@
--- ---
- name: install firewalld - name: Install firewalld
package: package:
name: firewalld name: firewalld
state: present state: present
- name: "Make sure FirewallD is running" - name: "Make sure FirewallD is running"
ansible.builtin.service: ansible.builtin.systemd:
name: firewalld name: firewalld
enabled: yes
state: started state: started
enabled: true
- name: Open SSH port in firewall - name: Open SSH port in firewall
ansible.posix.firewalld: ansible.posix.firewalld:
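Review bot: The new side keeps the short module name `package:` while the neighbouring tasks now use `ansible.builtin.systemd:` and `ansible.posix.firewalld:`; write it as `ansible.builtin.package:` for consistency. The remainder of the task list continues past the end of this hunk.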


@ -11,6 +11,14 @@
- basic_common_settings - basic_common_settings
- firewalld - firewalld
- name: Set up roles on unhb4
hosts: unhb2
remote_user: root
roles:
- docker_watchtower
- docker_pretix
- name: Set up roles on unhb4 - name: Set up roles on unhb4
hosts: unhb4 hosts: unhb4
remote_user: root remote_user: root
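Review bot: The play added for `hosts: unhb2` is named `Set up roles on unhb4`, a copy of the play that follows it, so the two plays are indistinguishable in playbook output and `--list-tasks`; change the first to `- name: Set up roles on unhb2`. Both plays run as `remote_user: root` with no `become`, which is consistent with the role tasks that omit `become` but is worth stating in a comment at the top of the play. The unhb4 play continues past the end of this hunk.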