Full Rewrite / Re-Doing of Everything, Part 1

2023-09-04 14:45:09 +02:00 · 2023-09-04 14:45:09 +02:00 · 139f7b2534
commit 139f7b2534
parent c5eaaa9bb1
28 changed files with 348 additions and 57 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,4 +5,4 @@ vault-password
 .idea
 tmp/
 .DS_store
-
+UNHB_INFRA_UMBAU
--- a/ansible-checkmode-command-unhb2.sh
+++ b/ansible-checkmode-command-unhb2.sh
@ -0,0 +1,2 @@
 #!/bin/bash
 ansible-playbook site.yml -i inventory.ini --limit unhb2 --check --diff
--- a/ansible-checkmode-command-unhb4.sh
+++ b/ansible-checkmode-command-unhb4.sh
@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
+ansible-playbook site.yml -i inventory.ini --limit unhb4 --check --diff
--- a/ansible-deploy-command-unhb2.sh
+++ b/ansible-deploy-command-unhb2.sh
@ -0,0 +1,2 @@
 #!/bin/bash
 ansible-playbook site.yml -i inventory.ini --limit unhb2 --diff
--- a/ansible-deploy-command-unhb4.sh
+++ b/ansible-deploy-command-unhb4.sh
@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4 --diff
+ansible-playbook site.yml -i inventory.ini --limit unhb4 --diff
--- a/host_vars/unhb2/unhb2.yml
+++ b/host_vars/unhb2/unhb2.yml
@ -0,0 +1,38 @@
 ---
 docker_volumes_dir: "/srv/docker-volumes"
 firewall_services:
  - ssh
  - http
  - https
  - smtp
  - smtps
  - imap
  - imaps
  - pop3
  - pop3s
 firewall_ports:
  - "587/tcp"
 pretix_container_name: "pretix_app.server2"
 pretix_db_container_name: "pretix_pg-sql.server2"
 pretix_db_env_mysql_random_root_password: "true"
 pretix_db_env_postgres_db_name: "pretix"
 pretix_db_env_postgres_user: "prtxdb"
 pretix_env_virtual_host: "pretix.unhb.de,pretix.un-hack-bar.de"
 pretix_env_virtual_port: "80"
 pretix_env_letsencrypt_host: "pretix.unhb.de,pretix.un-hack-bar.de"
 pretix_redis_container_name: "pretix_redis.server2"
 watchtower_container_name: "watchtower.server2"
 watchtower_domainname: "unhb.de"
 watchtower_hostname: "neuromancer"
 watchtower_poll_interval: "21600"
 watchtower_notifications: "email"
 watchtower_notification_email_to: "watchtower@lists.unhb.de"
 watchtower_notification_email_server: "mail.un-hack-bar.de"
 watchtower_notification_email_server_port: "587"
 watchtower_warn_on_head_failure: "never"
 watchtower_version: "latest"
--- a/host_vars/unhb2/unhb2_vault.yml
+++ b/host_vars/unhb2/unhb2_vault.yml
@ -0,0 +1,18 @@
 $ANSIBLE_VAULT;1.1;AES256
 39666564363562383332393961383732613932393235656335376265366563663062353766666639
 6566663762623536643463313331326331373339373531360a623862346266663338363035653831
 33343035326230656531373437316332643930323033383033383836396538316461363634393232
 6262306463316565330a316537393533633565306363313964303763383363306630316438666561
 64343930326331346161326239353934646439383332653734653832373638616561666334336162
 39383036363733373231613331353835326136653831306163326536393339393464316162376563
 31623432656363393130366263623763333633363264343039666661333235393463396464306436
 33343665323338356531646233643939633762333963646637646230633739663130663533663135
 64666236386666376139323264316162626663353033633564663263666332373131326563353062
 64396232353062616335633164346365643664643463613439643561373834623431393731353431
 36663730363362633034633862383631313734626534633161383936383831663365353665393631
 35623737613961306335366235613363623136623131353737363537653766343431383139316230
 63633564353337393766393832316237636338643263313864336666383835356265363030376361
 62363930323831323064643965323465346132383761646633393639376661656262316133313135
 34393862376434353764303939396438306533663761353733653165366262303361326662383839
 66353137333137653738643830373765653639613730613332393133333935313065343632613264
 3131
--- a/host_vars/unhb4/authentik-vault.yml
+++ b/host_vars/unhb4/authentik-vault.yml
@ -1,22 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 31343963396633396632623766363862386661353265393166666536656530623938383233653464
 3034386666346435313062306463383864393233623363360a363464343263353337306634656630
 37623936636161363766386130663838633933393862386466383433326661663565353836663539
 3839303839336432330a613031613936613166313034346437373635346639313733666562333331
 62636632313339356363316436316238303338306538346564346431363730656466656265303134
 32393662666332313665373464656262646636336632306562616536633166303434346135623461
 62316339653533326430636361313931656366623330316638373139343835366535666639663630
 39313230613331613663643736326563323734353861613036623565303931653932376134643336
 62623965363034373939646165366461366134653538623262343462363736636365346133653034
 39633030376237326436316632393433333733333966323366313536393233343866353831393462
 39393132613534396534386539643864323966633363353934363838323830356463663936353336
 36346638663336616265656363636264383563336663313364646461306662323531303038373364
 33633536646331393738613534613430663330663462346432616230306338386131326566636331
 66663065393939393733646131663031313963353830316633376263383666333930613664366635
 64333563393639653364373636393134326362626131336232306439323634666462616534326439
 62616533643065623063303536303964366531313164366532316536643839363764316430323236
 31336333333031363661323935623739363263663461323266616338306139393265323332363462
 64616637346239366131663863326261373838626164613230383862313361633136396365636666
 39383035363236323036613365316565383232363631393839626436336665626566303964653163
 31646634323536343730366462393137656135646661383030346137373364613138386638316138
 3634
--- a/host_vars/unhb4/unhb4_vault.yml
+++ b/host_vars/unhb4/unhb4_vault.yml
@ -0,0 +1,22 @@
 $ANSIBLE_VAULT;1.1;AES256
 64313764393735373863643066306663323136343837363765656131666335326163613634613834
 3863363562303665356364613533343631633136636136660a653436663566383063666661653739
 33343462363062623164303433316364623763653739373237666131373666633062396239626539
 6630363630616336330a326365613064623139386637393561376430333332636135643361383737
 62323637366365316430306437356639623938393633623338306134386564656538643933303636
 34363631303130646162653130376333373763306362323364333865346166333438303038646134
 65336230663336346636303265363631653038303230656530333061346163363931343565333233
 63613263353665376363336364306566313466643433306466316336346630643039663363643031
 31633531386566666662653766376563383731333032616365353438363564383163366436633865
 36336564346431653933333933646563633161366264326633366539396630636161303830343566
 62663337633062313033313561383261636539336530306361326462313135353464346636616132
 37636463346135646339316132336237363465366430336338356463633838356538636636326131
 39323063333361303363396165346164333265613461353761316436356137343061313338393030
 32353965346230356636396438613138313864363761376434346233613030313063336635663038
 32613638633037303263366436636435623732643266663363613234323034643937323139613138
 65316638336666623238383165343665666532356630353266643438613062333866643763656235
 35643536353237363931633564333639666230326165393263343339633732666566356436663930
 61313664383861353131343432623635623937636138383866303366646335666464633238316466
 64653865623732333065346166306638313238393139313866386338663931663539616134343764
 36663861356362313730383038383332306435653466393034636533313331333661666663643566
 6462
--- a/inventory.ini
+++ b/inventory.ini
@ -0,0 +1,5 @@
 [servers:children]
 debianservers
 [debianservers]
 unhb2
 unhb4
--- a/inventory.yml
+++ b/inventory.yml
@ -1,7 +0,0 @@
 ---
 all:
  children:
    debianservers:
      hosts:
        unhb4
--- a/roles/apt/tasks/apt.yml
+++ b/roles/apt/tasks/apt.yml
@ -1,17 +0,0 @@
 ---
 - name: Install packages if Debian based
  apt:
    name: unattended-upgrades
    state: present
    update_cache: true
  become: true
 - name: Apt Config (/etc/apt.conf.d/10periodic)
  ansible.builtin.template:
    src: ../templates/10periodic.j2
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    mode: '0644'
  notify: restart-unattendedupgrades
--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
@ -1,6 +1,17 @@
 ---
- name: Include other yaml files
+- name: Install packages if Debian based
-  include_tasks: "{{ item }}"
+  apt:
-  with_fileglob:
+    name: unattended-upgrades
-    - apt.yml
+    state: present
    update_cache: true
  become: true
 - name: Apt Config (/etc/apt.conf.d/10periodic)
  ansible.builtin.template:
    src: ../templates/10periodic.j2
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    mode: '0644'
  notify: restart-unattendedupgrades
--- a/roles/basic_common_settings/tasks/main.yml
+++ b/roles/basic_common_settings/tasks/main.yml
@ -7,7 +7,7 @@
  include_tasks: "sudo.yml"
 - name: Set up earlyoom (Debian)
-  include_tasks: "sudo.yml"
+  include_tasks: "earlyoom.yml"
 - name: Deploy update script
  include_tasks: "update_script.yml"
--- a/roles/docker_pretix/handlers/main.yml
+++ b/roles/docker_pretix/handlers/main.yml
@ -0,0 +1,11 @@
 ---
 - name: restart-pretix-docker
  ansible.builtin.service:
    state: restarted
    name: "{{ item }}"
  tags: molecule-notest
  with_items:
    - pretix.service
    - pretix-db.service
    - pretix-redis.service
--- a/roles/docker_pretix/tasks/main.yml
+++ b/roles/docker_pretix/tasks/main.yml
@ -0,0 +1,70 @@
 ---
 - name: "Install dependencies"
  ansible.builtin.apt:
    pkg:
      - docker.io
      - apparmor # if not installed, Docker will complain
 - name: "Create directories for Pretix"
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: '0750'
    recurse: true
  with_items:
    - "{{ docker_volumes_dir }}/pretix/postgres-db"
    - "{{ docker_volumes_dir }}/pretix/data"
    - "{{ docker_volumes_dir }}/pretix/conf"
 - name: "Template .env files for Pretix"
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "{{ docker_volumes_dir }}/pretix/{{ item }}"
    force: true
    owner: root
    group: root
    mode: '0660'
  with_items:
    - pretix.env
    - pretix-db.env
  notify: restart-pretix-docker
 - name: "Template systemd unit files for Pretix"
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    force: true
    owner: root
    group: root
    mode: '0644'
  with_items:
    - pretix.service
    - pretix-db.service
    - pretix-redis.service
  register: unit
  notify: restart-pretix-docker
 - name: "Reload systemd units"
  ansible.builtin.systemd:
    daemon_reload: yes
  when: unit.changed
 - name: "Enable systemd units for Pretix"
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: "{{ item }}"
  with_items:
    - pretix.service
    - pretix-db.service
    - pretix-redis.service
 - name: "Add Pretix to Docker network nginx_net"
  docker_network:
    name: nginx_net
    connected:
      - "{{ pretix_container_name }}"
    appends: true
--- a/roles/docker_pretix/templates/pretix-db.env.j2
+++ b/roles/docker_pretix/templates/pretix-db.env.j2
@ -0,0 +1,4 @@
 MYSQL_RANDOM_ROOT_PASSWORD={{ pretix_db_env_mysql_random_root_password }}
 POSTGRES_DB={{ pretix_db_env_postgres_db_name }}
 POSTGRES_USER={{ pretix_db_env_postgres_user }}
 POSTGRES_PASSWORD={{ pretix_db_env_postgres_password }}
--- a/roles/docker_pretix/templates/pretix-db.service.j2
+++ b/roles/docker_pretix/templates/pretix-db.service.j2
@ -0,0 +1,15 @@
 [Unit]
 Description=Postgres DB for Pretix with Docker
 After=docker.service
 Requires=docker.service
 [Service]
 ExecStartPre=-/usr/bin/docker rm --force {{ pretix_db_container_name }}
 ExecStart=/usr/bin/docker run --name {{ pretix_db_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} \
         -v {{ docker_volumes_dir }}/pretix/postgres-db:/var/lib/postgresql/data --env-file {{ docker_volumes_dir }}/pretix/pretix-db.env postgres:15
 ExecStop=/usr/bin/docker stop {{ pretix_db_container_name }}
 Restart=always
 RestartSec=15s
 [Install]
 WantedBy=multi-user.target
--- a/roles/docker_pretix/templates/pretix-redis.service.j2
+++ b/roles/docker_pretix/templates/pretix-redis.service.j2
@ -0,0 +1,14 @@
 [Unit]
 Description=Redis for Pretix with Docker
 After=docker.service
 Requires=docker.service
 [Service]
 ExecStartPre=-/usr/bin/docker rm --force {{ pretix_redis_container_name }}
 ExecStart=/usr/bin/docker run --name {{ pretix_redis_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} redis
 ExecStop=/usr/bin/docker stop {{ pretix_redis_container_name }}
 Restart=always
 RestartSec=15s
 [Install]
 WantedBy=multi-user.target
--- a/roles/docker_pretix/templates/pretix.env.j2
+++ b/roles/docker_pretix/templates/pretix.env.j2
@ -0,0 +1,3 @@
 VIRTUAL_HOST={{ pretix_env_virtual_host }}
 VIRTUAL_PORT={{ pretix_env_virtual_port }}
 LETSENCRYPT_HOST={{ pretix_env_letsencrypt_host }}
--- a/roles/docker_pretix/templates/pretix.service.j2
+++ b/roles/docker_pretix/templates/pretix.service.j2
@ -0,0 +1,20 @@
 [Unit]
 Description=Pretix with Docker
 After=docker.service
 Requires=docker.service
 Requires={{ pretix_db_container_name }}
 Requires={{ pretix_redis_container_name }}
 [Service]
 ExecStartPre=-/usr/bin/docker rm --force {{ pretix_container_name }}
 ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network pretix \
          --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} --env-file {{ docker_volumes_dir }}/pretix/pretix.env \
          -v {{ docker_volumes_dir }}/pretix/data:/data \
          -v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \
          pretix/standalone:stable
 ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
 Restart=always
 RestartSec=15s
 [Install]
 WantedBy=multi-user.target
--- a/roles/docker_pretix/templates/pretix_.env
+++ b/roles/docker_pretix/templates/pretix_.env
@ -0,0 +1,5 @@
 # Change this enviroment variable to "false" to disable automatic updates
 # Also keep in mind to re-run "docker-compose up -d" after changing this file
 WATCHTOWER_ENABLED=true
 #WATCHTOWER_ENABLED=true
--- a/roles/docker_watchtower/handlers/main.yml
+++ b/roles/docker_watchtower/handlers/main.yml
@ -0,0 +1,10 @@
 ---
 - name: restart-watchtower-docker
  ansible.builtin.service:
    state: restarted
    name: "{{ item }}"
  tags: molecule-notest
  with_items:
    - watchtower.service
--- a/roles/docker_watchtower/tasks/main.yml
+++ b/roles/docker_watchtower/tasks/main.yml
@ -0,0 +1,56 @@
 ---
 - name: "Install dependencies"
  ansible.builtin.apt:
    pkg:
      - docker.io
      - apparmor # if not installed, Docker will complain
 - name: "Create directories for Watchtower"
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: '0750'
    recurse: true
  with_items:
    - "{{ docker_volumes_dir }}/watchtower"
 - name: "Template .env files for Watchtower"
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "{{ docker_volumes_dir }}/watchtower/{{ item }}"
    force: true
    owner: root
    group: root
    mode: '0660'
  with_items:
    - watchtower.env
  notify: restart-watchtower-docker
 - name: "Template systemd unit files for Watchtower"
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    force: true
    owner: root
    group: root
    mode: '0644'
  with_items:
    - watchtower.service
  register: unit
  notify: restart-watchtower-docker
 - name: "Reload systemd units"
  ansible.builtin.systemd:
    daemon_reload: yes
  when: unit.changed
 - name: "Enable systemd units for Watchtower"
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: "{{ item }}"
  with_items:
    - watchtower.service
--- a/roles/docker_watchtower/templates/watchtower.env.j2
+++ b/roles/docker_watchtower/templates/watchtower.env.j2
@ -0,0 +1,9 @@
 WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
 WATCHTOWER_NOTIFICATIONS="{{ watchtower_notifications }}
 WATCHTOWER_NOTIFICATION_EMAIL_FROM="{{ watchtower_notification_email_from }}"
 WATCHTOWER_NOTIFICATION_EMAIL_TO="{{ watchtower_notification_email_to }}"
 WATCHTOWER_NOTIFICATION_EMAIL_SERVER="{{ watchtower_notification_email_server }}"
 WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT="{{ watchtower_notification_email_server_port }}"
 WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER="{{ watchtower_notification_email_server_user }}"
 WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="{{ watchtower_notification_email_server_password }}"
 WATCHTOWER_WARN_ON_HEAD_FAILURE="{{ watchtower_warn_on_head_failure }}"
--- a/roles/docker_watchtower/templates/watchtower.service.j2
+++ b/roles/docker_watchtower/templates/watchtower.service.j2
@ -0,0 +1,14 @@
 [Unit]
 Description=Watchtower with Docker
 After=docker.service
 Requires=docker.service
 [Service]
 ExecStartPre=-/usr/bin/docker rm --force {{ watchtower_container_name }}
 ExecStart=/usr/bin/docker run --rm --name {{ watchtower_container_name }} --hostname {{ watchtower_hostname }} --domainname {{ watchtower_domainname }} --env-file {{ docker_volumes_dir }}/watchtower/watchtower.env -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower:{{ watchtower_version }}
 ExecStop=/usr/bin/docker stop {{ watchtower_container_name }}
 Restart=always
 RestartSec=15s
 [Install]
 WantedBy=multi-user.target
--- a/roles/firewalld/tasks/main.yml
+++ b/roles/firewalld/tasks/main.yml
@ -1,15 +1,15 @@
 ---
- name: install firewalld
+- name: Install firewalld
  package:
    name: firewalld
    state: present
 - name: "Make sure FirewallD is running"
-  ansible.builtin.service:
+  ansible.builtin.systemd:
    name: firewalld
    enabled: yes
    state: started
    enabled: true
 - name: Open SSH port in firewall
  ansible.posix.firewalld:
--- a/site.yml
+++ b/site.yml
@ -10,6 +10,14 @@
    - apt_listchanges
    - basic_common_settings
    - firewalld
 - name: Set up roles on unhb4
  hosts: unhb2
  remote_user: root
  roles:
    - docker_watchtower
    - docker_pretix
 - name: Set up roles on unhb4
  hosts: unhb4
		`@ -0,0 +1,2 @@`
							`#!/bin/bash`
							`ansible-playbook site.yml -i inventory.ini --limit unhb2 --check --diff`
`@ -1,2 +1,2 @@`
	`#!/bin/bash`	`#!/bin/bash`
	`ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff`	`ansible-playbook site.yml -i inventory.ini --limit unhb4 --check --diff`