Compare commits

..

1 commit

Author SHA1 Message Date
cb474c5752 explicitly set the TLS challenge to true 2023-12-09 21:51:04 +01:00
49 changed files with 507 additions and 316 deletions

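--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,3 @@ vault-password
 tmp/
 .DS_store
 UNHB_INFRA_UMBAU
-authentik-api-invite.token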
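Review bot: The ignore entry for `authentik-api-invite.token` is dropped on the new side, so a token file of that name in the working tree becomes eligible for `git add` and could end up committed alongside the playbooks. If the token is still written into the repository directory, keep the entry (or a broader pattern such as `*.token`); if the file has moved elsewhere, saying so in the commit message would make the removal reviewable. Worth confirming with `git status` that no such file is currently untracked before this lands.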


@ -1,65 +0,0 @@
- name: "Clean up the Synapse DB"
hosts: unhb4
remote_user: root
tasks:
- name: "Install jq"
ansible.builtin.apt:
pkg:
- jq
- python3-psycopg2
- name: "Get IP of DB container for the database synapse uses"
ansible.builtin.shell: |
docker inspect {{ synapse_db_clean_container_db }} | jq -r '.[].NetworkSettings.Networks[].IPAddress'
register: docker_network_inspect_synapse_db
- ansible.builtin.set_fact:
postgres_ip_synapse_db: "{{ docker_network_inspect_synapse_db.stdout }}"
- name: "Ensure Synapse is disabled before accessing the database"
ansible.builtin.shell:
cmd: "docker compose stop {{ synapse_db_clean_container_synapse }}"
chdir: "{{ synapse_db_clean_compose_file_dir }}"
tags: molecule-notest
- name: "Delete orphan state_groups_state"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
query: DELETE FROM state_groups_state WHERE room_id IN (SELECT DISTINCT(state_groups.room_id) AS room_id_gone FROM state_groups LEFT JOIN events USING(room_id) WHERE events.room_id IS NULL GROUP BY room_id_gone)
- name: "Delete orphan state_groups_state"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
query: DELETE FROM state_groups WHERE room_id IN (SELECT DISTINCT(state_groups.room_id) AS room_id_gone FROM state_groups LEFT JOIN events USING(room_id) WHERE events.room_id IS NULL GROUP BY room_id_gone)
- name: "Reindex DB"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
autocommit: yes
query: "REINDEX (VERBOSE) DATABASE {{ synapse_db_clean_db }}"
- name: "Vacuum DB"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
autocommit: yes
query: VACUUM FULL VERBOSE
- name: "Ensure Synapse is re-enabled"
ansible.builtin.shell:
cmd: "docker compose up -d {{ synapse_db_clean_container_synapse }}"
chdir: "{{ synapse_db_clean_compose_file_dir }}"
tags: molecule-notest


@ -1,2 +0,0 @@
#!/bin/bash
ansible-playbook clean-synapse-db.yml -i inventory.ini


@ -6,5 +6,4 @@ APT_Periodic_AutocleanInterval: "7"
APT_Periodic_Unattended_Upgrade: "1" APT_Periodic_Unattended_Upgrade: "1"
restic_repository_location: "sftp:restic_{{ inventory_hostname }}@proxmox.unhb.space:/storage/restic-backup/" restic_repository_location: "sftp:restic_{{ inventory_hostname }}@proxmox.unhb.space:/storage/restic-backup/"
restic_start_time: "*-*-* 1:00:00" restic_start_time: "*-*-* 3:00:00"
restic_prune_start_time: "*-*-* 11:00:00"


@ -16,8 +16,6 @@ firewall_services:
firewall_ports: firewall_ports:
- "587/tcp" - "587/tcp"
firewall_zone: "external"
pretix_container_name: "pretix_app.server2" pretix_container_name: "pretix_app.server2"
pretix_currency: "EUR" pretix_currency: "EUR"
pretix_db_backend: "postgresql" pretix_db_backend: "postgresql"
@ -38,9 +36,6 @@ pretix_redis_container_name: "pretix_redis.server2"
pretix_registration: "off" pretix_registration: "off"
pretix_redis_sessions: "true" pretix_redis_sessions: "true"
traefik_container_name: "traefik"
traefik_dashboard_hostname: "traefik2.un-hack-bar.de"
watchtower_container_name: "watchtower.server2" watchtower_container_name: "watchtower.server2"
watchtower_domainname: "unhb.de" watchtower_domainname: "unhb.de"
watchtower_hostname: "neuromancer" watchtower_hostname: "neuromancer"


@ -1,42 +1,38 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
34663134653636313763396465363236363138636632666439336236623535343137633332356439 36386661383262363762326636333638663039376235393062363831613537303533623564636330
3764376137346635383238333438313239363263656534350a326665346331343736663334653933 3162653935633634336165316264373836383063336166620a366234356163643532643937613835
39353535386230336631373964376462626363303632336166393135656532636162663633316461 64383262313039346165653136343037326639383434323235333834343931636235306134383431
6364303032636230380a393739353836623730353866626633333232306464613430383366326234 6465616134653133660a363163323132343532656164356237616162656265663662656363643136
62393931653331353263343963633365383831323164396238323535346535343438643032616463 63383739316639383733623964666132663139646437343036633038393335653338663432366234
32383534393534633662623966653566643730393961663731376366643034366335643130623265 66386564393133303865353433333063623238353964303236373763613137663264336337353737
66333130303866366565613735346131333262393234346166303266336264343332646534656634 38333536366235383333306434323432326163396461313861663764613961393161306363646466
31386634333766333062653166396262613262623738343135653139653934306362613365653835 39613833643330616530653065373934633563313137643666316531643066373834363537336638
37303437346363303039653861663033323966306437623961396265386536646433643836373439 63363662393038346230313434326134353866306665643235326161306332316531323238316430
64316665383361646531343237303036356362653635393330383061383939376161336661383961 39646138656637636266643864653735613632383365623032346565623135666533316665303732
38666335353166613735666565373136653064643734616130633137663731613237323433613536 39336462326437303730343865303962653932326138336232646234323561303463326432663337
38613033626137393435353931616233363930343761616431386564356237383761613333386630 34333066666462363638323536326464663633653864386666343533313231326639376234633565
31656237616135653135306639336264656666343163633531653961633833623863633436663033 32353636376431303735386365393033636235323365333832333339653132623965663737616138
32646465343262333562656436353234386663356134353637393431613561303435303633633765 61393130653432373361623936656635343935666332303064343763656338656433663063386137
39316435623066613764323064636239313332663463353065303461396133666239636231333835 63613865313733393264386638613966306634643036643139393934616237363663353938363461
36356331643663366230323230363963383233353738363635653963363137343039336632363933 66343739653262313963383363326339336361333430643263306131316231643935653835653437
35353733633730626562653038343035393133316166356138343537363834343834373761336539 63333239353362396261636438346236623966623666666634663965306630333138333138666632
62333633373339346161333866366136343830326363343131313838643864653635643465363861 31663066393336643033383535626635373762656333363166316661646464313937616365646234
38653131306433306638666464613363613331616430613234323736343231306230396330323733 62383564656534623164333166363937626139393137663965646232326532396536356437383563
65353231336131353434663063333237366433373731323432653530313434663563656432313764 63343261383538343335653861383530323837613938623036356630653937653237333739323433
36656662303039383236323135313465663139346138396665376336323336386230626631643037 31396464333733333630656363623761383032353732316235363462623131366634343539653938
35643832373139373063653136306365313233613238623034336261383866306632636339356439 34353234376266333364363264303531356631363030303961343134366133666432323866343537
34346132393832643832356434313331343536396333343437646337383133333361663861646633 31383066636664346230633035393739623339393231313661666435363337316431353364666464
32393732613331613635626537333765366261656361363634303737653939396636363861316531 65333935653936626230333161353133653231323139393335393636663533346563663433666431
62653333306462356333373861373139373363393531633466663531646130653130376266653334 38653965376335656639373435343439393664326262376235386337623034386636336661303934
37666534363566643863613536313839396139383535666463626562363563336537353235316133 66653565663965306664376133616664313437306137616536346432353738383964616461313139
64623664396166616433313532663930623232383339306534303234326536303932346131663564 38383263313539323063363439663734383861336364653962316665376362383035356335616630
64373936623964646436646465336365373965663863306663663061613363343037656463306635 39383337636366633232313262303364343931316462633932346162646262373932373864333866
39336635323365303935633965343733653531646261376638643161373937303138316664313563 31336461643032313933356237343966633138663934643765646431306637653439633536303961
39353939373335363963383764316262643734656537356462616335353831323561336266656238 34636366396330303135386630393537653538663638653034633262373463383430643839656563
63323230323933663236356438363735326364333662613262323561333262356366343639656562 39323463373637393230383130656362303030623365383638333363303430373231393866643236
37396332393033383531303062376539326130396466343635663333666232343334653965633931 61653736363134303437626233653966353266636438636335633734613533613263656466366163
38626435303366333365623537373761333838333037303562343437633363386333623662323639 64653437333662656235636437636266343565663837343461646163326238366165326135373363
63363731303163383135363961376231633162626234393535333835363462373431376365343333 61366131336665656661356433376262663836356230323063373766313437646630626535303935
30303236383365323836613133383830613233326464366163613230656264643833376136363963 31616331323132663665636162353331346631353636613964396635323766383334343566643938
38633765333238656166646563303930373366313931333733616238333230353131356431613533 33313739396361616265313134333564353633646531383666363031376238626465383735666636
65653265356338393766373266613433323765623233666465666361393631666532336335386638 3236
66373465656364656564336138333033376562373566396636633735363864363761393062303635
39323134303831383638313239633664383463343938373765613061306163663561343863313134
33336666633164656639636466303566666263346662653662383235326265626330373931346461
6533


@ -10,7 +10,7 @@ container_names:
element_web: "element_web.server4" element_web: "element_web.server4"
authentik_error_reporting: "false" authentik_error_reporting: "false"
authentik_email_host: "imehl.un-hack-bar.de" authentik_email_host: "mail.un-hack-bar.de"
authentik_email_port: "587" authentik_email_port: "587"
authentik_email_use_tls: "true" authentik_email_use_tls: "true"
authentik_email_use_ssl: "false" authentik_email_use_ssl: "false"
@ -64,11 +64,9 @@ firewall_ports:
- 64738/udp # Mumble - 64738/udp # Mumble
- 21117/tcp # Rustdesk - 21117/tcp # Rustdesk
firewall_zone: "external"
traefik_container_name: "traefik" traefik_container_name: "traefik"
traefik_dashboard_hostname: "traefik.un-hack-bar.de" traefik_dashboard_hostname: "traefik.un-hack-bar.de"
version: version:
authentik: "2024.10.1" authentik: "2023.10.3"
element_web: "latest" element_web: "latest"
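Review bot: `version.authentik` moves from `"2024.10.1"` to `"2023.10.3"`, so on the new side the identity provider is pinned to an older release than before, and the traefik unit further down moves from `traefik:v2.11` to `traefik:v2.10.5` the same way. If this compare is shown in reverse chronological order that is expected; otherwise pinning an internet-facing IdP and the edge proxy backwards silently gives up the fixes shipped in between, and Django-style schema migrations generally cannot be rolled back, so the container may not start against the existing database. A comment next to the pin, e.g. `# pinned to 2023.10.3 until <reason>`, would make the intent reviewable. The `authentik_email_host` change to `mail.un-hack-bar.de` is only consistent if that host offers STARTTLS on 587, since `authentik_email_use_tls: "true"` stays in place.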


@ -1,65 +1,50 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
36666365343065316630613363313965396532623165336164353162316430623436363830366664 39663531646261623063306461623531383931653762613831656461313064376561336138663733
3133313530303132353661336534616338663666306632620a663461346230353038646635303031 6434313637646163656637323234613335323031363933330a373661353061373033333063336331
66333830666564316262636239643035353836313137393063376131333730343365313061333831 31646266353135336237386163623861306463613733633964656462366634306361646365313566
3435363164666463350a373839336464666133346561333332386439393938336365636336343464 6239323762343662630a626336326137346261306363643862376636323266393362353437623161
66623136323930303133333931623738333235313130663935383639373839366265633133633735 33356635303231346363613537396631643130313033646332323565666434373066613662353161
31316331613864633662346662346262346136633161333566623332666530393861306464393834 37346366666663336639663664616134366264383061643336356135343631626332656466373638
32306265656562326462306232633236313335646231306662323966363265393535633039656335 38666363336139343739353931313062613430653735376532613866313062663032613432346330
62313936653463643134363961376464373765313838363631366364633832396437353132386361 34653139316539373131393363303736386433363734616432326430346636653762363935363032
32613563316438383033333735643634356530336264356139356230366165626364353233373061 63633861333663626566323539366362633665666537653765313361353963343133326638643538
63326462383862373232663030326462346537353837643164663937306335653538343031343733 62643035383936666637333135616662343436303864373665613463363834623363623366613164
37303339393337663235663362646164643135643437626466303630633732636366366538333665 61633536613438636433653935333437653432656232633936346438323439353662373165626630
64646436343362643139323131393466653835623331393735346361653230663533353132306132 37356333646166303837373738643465353635376531623231623937666633613165643434356535
31316435353666393537373231306361353137343236383132653163313336353332346339386630 39353833366435396639646331666433353431353137393531653539303538313064313534376330
31393238353039323032376265366331346235346430623766663566663762356130363232336437 32376131386530373032373235323765663836663962663262363532303866323331663130623864
32356664353330623334343130393532646465666137346162353437396162353062636335333166 66313631646234323639613362653230363363326564633033623136643439653461373439376331
61633939663336346335383339653761343962336465666161306166646465316238666632336532 64303162613235333639613663373833643632376238316130333764373334616531303761393861
38316532376339666539636335636230373430643464663663383939303865376665366663656263 63303464653436393062343164306631646161333064303230366264313332303365326235383931
66633864373132653337656531623839313132303332303737623633623731613336363432616234 34666466626266333761373837373730633030356163333538313434666238623432623965383262
37343738373461623038363535313666373032613132326163646433326164636230656563393532 64626661323464323465643761356332343365316535343964353836346339313132333937333939
35663864323239363765373162303933363238353831363037306431656666643136313731643238 31656338613739363633373838363862343763613061373463306161643131653264646664323966
34323635633464633266623232356364303239633933613261323864336165316538323161383037 62653638646438336531633534336663326631303461613661383830353564363862373966343862
64333161613461333863333035626130346431663764666165383864346331323561366263363964 61373366326366366137333765376566663638366366303264363366363838646136306330313361
63633333643162643664356365366466366233643233353434633732313335363361363564333533 39306430333234363664383039373764636431303934323664646430303863383131623237356433
35323164633739346333623864646464623539363139396239316663333334356363373631343331 66316434323161653764363361383563643734366635356539386561316135663736303831353264
34653730363466326632333337373531646332386438383732613832333935323833313565373139 61346131633831613365313966626363393765376639326263643237346333363033313763376533
61323763646636373437333839623935626632663934303666306131383738633139663635643562 32396132666164396338653439626436396661366131623234646564356232353764303931313337
65643039313637306663616266623435383733333336623261643761363030613234343030363162 64636365313739343864346333396235623963303061396262653230353533613564636163656262
61646337346362303866336464316438316565666166666630336539663137326630383532333930 33376663663231343266336131613634623233633733343130636133316336363433666134393166
37393662653334616263623566653836343034323962346132333834666331316139303637646534 36633831373762373464376633613430633839333061303531376462626432333264333232356238
66353564353961343963393164643135383833666663336562353966323033356265323730343931 30663461653461626236633865346639363536666264663036653961623737343434306133663735
39663932613261323465373837656430323265373936613561323136663263636261346638383735 30356464343831623463393262646131336538376232323366316666386462653939336365613663
33636133396237303034373739663039663465376265356263313633386234333465316135306537 63613264623861386332663534313562636134373736396263653336393365323665666161336634
62363865383764613062613762616339336632643938663333636661666236303138626633623637 31656536393161653866363933356266323566666438353237656531356162636234323865386437
30363235323532383336633633626538386439663437323231353661353665346437613237643432 62653333623738323264313331303565646533663037633837366632303136633330643132613039
37333563616139663935613863313937303865383732313835386635623036636630303562393862 35393933613161363431643565353234393861636535643463636362306533353961656636383366
35636666393339333537373434306161366435373537353338356161633266386539326564643562 61323366663765373339646363383435306537376336633833393238633238623338303161336332
38616332363638343338623232643461633339656164383130303037653038326365373864373166 39656463303134623461383761613431653439343038623661363765333166363239316435646631
31303039663038396333306634653534383336626630613163373037316333373263376334383037 37346237346466313439653263326262616130613664613332343065636130353661633662393666
64306536626333353566346261393033336430363062623530643261353065313462616166383230 66306234346661303334383363333831323763336663383030633164623230343530383365316565
33633933643763613364653131306437653065663833663932326334613639613664333336613265 64323732653165653535643838376264313930376632373835623866356462626630333833663366
66313539303761343336303363646463366666333465303432383031653766613935343362343536 32623335333435333437653063393633323732636531353334613333353233633536373533326636
33306261646532643766626339333738613932616661376562383435623434613566336366306438 33646264363136343238626133663231653238396539326462326362633839333031383432656465
37373138396538353465393536643566333135623237303663343932313962383865353233323966 38353735623133386564626133663261643030626365303139613832306130613337663062613834
62306333383638383362666463343238333064303633623037333138646362643763623536383334 33653962636431356534653036326434386466616438666131363834353235343762643365323330
31646334356164353731353366393039663663383939643537383663663938613735303533613235 62383933623461383437633631633761616633653430326636393635666533373339336266383338
39333666663861373730323061313032656161323034376434363630393164353037383338346435 64316361656330306233343330613335373164656138353964646535323762323835333265636435
61636366323562646264643663346463303535636234366130336431363538656630653534346431 37376338653238333863383664373064323331363334353765636265663334363739363363636463
38656639633035323764623563663031333139336139353063663266343265393466373565306236 30656331366463353639383065363234653661346330346131353838626362373634353661326163
36366337393164653264303066363533346532313030313766666637663933363036666632303663 63623762383639633264353466323837383434653536343931653231656535343064
64346134316138616239396334623466323663623933656662626138363462653730373639643261
39323331386164326365313365333836396636336334663865666431343736643161323561623433
32326233653365653734326136303066323966643263313164306466303930666436383564323936
36363261363963353938666532373264616532623733393033366230323965613432346134613462
65646664383838376332653662393031313739343438666538376164666332653962333134306135
65656634663766316365386366363639336430663666303935303033343039326164656166373837
38663337373132316662663334383737643732653338373435383064316266396434623463623565
36363134363039626232643936353631343866633931353530656234616562626330636638303537
65363633366230633635366132656437623962396538363836316235633465383262623030353533
61353631336465313265353363313239363538653231383336343738656635383837363665336338
38646162393461313066666235376434303861366437353433313464323030636463396363333364
34646333366564633034343833643562373366643263316263626363363838653563633065396633
63616239343665326432643735313765306461333032663934393639303263303662393064353664
32383537383338376661393638383831313263346236343635333638333666333430373936303964
63653664356435306266


@ -8,7 +8,6 @@ ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.db }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.db }} --network authentik_net \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.db }} --network authentik_net \
--env-file {{ docker_volumes_dir }}/authentik/authentik.env --expose 5432 \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env --expose 5432 \
-v {{ docker_volumes_dir }}/authentik/database:/var/lib/postgresql/data \ -v {{ docker_volumes_dir }}/authentik/database:/var/lib/postgresql/data \
--label=com.centurylinklabs.watchtower.enable=false \
docker.io/library/postgres:{{ authentik_postgres_version }} docker.io/library/postgres:{{ authentik_postgres_version }}
ExecStop=-/usr/bin/docker stop {{ container_names.authentik.db }} ExecStop=-/usr/bin/docker stop {{ container_names.authentik.db }}
Restart=always Restart=always
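Review bot: Removing `--label=com.centurylinklabs.watchtower.enable=false` from the `ExecStart` line makes this container eligible for Watchtower (a `watchtower_container_name` is defined in the host vars above), so the image may be re-pulled and the container restarted outside of Ansible runs. For a Postgres data directory that is only safe while `authentik_postgres_version` stays pinned to a single major version, because a major bump would leave the new container unable to open the old data directory; the variable's value is not visible here, so this needs confirming. The same label is removed in the authentik redis, server and worker units below. If automatic updates are intended, a comment on the `ExecStart` line stating that, e.g. `# watchtower may update this container; keep the tag on one major version`, would document the decision; otherwise keep the label.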


@ -8,7 +8,6 @@ ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.redis }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} \
--network authentik_net --expose 6379 \ --network authentik_net --expose 6379 \
-v {{ docker_volumes_dir }}/authentik/redis:/data \ -v {{ docker_volumes_dir }}/authentik/redis:/data \
--label=com.centurylinklabs.watchtower.enable=false \
docker.io/library/redis:alpine --save 60 1 --loglevel warning docker.io/library/redis:alpine --save 60 1 --loglevel warning
ExecStop=-/usr/bin/docker stop {{ container_names.authentik.redis }} ExecStop=-/usr/bin/docker stop {{ container_names.authentik.redis }}
Restart=always Restart=always


@ -8,18 +8,13 @@ ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }}
ExecStartPre=-/usr/bin/docker pull ghcr.io/goauthentik/server:{{ version.authentik }} ExecStartPre=-/usr/bin/docker pull ghcr.io/goauthentik/server:{{ version.authentik }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \
--network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \ --network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \
--label "traefik.enable=true" --label "traefik.http.routers.authentik.rule=Host(`auth.un-hack-bar.de`,`auth.unhb.de`,`a.unhb.de`)" \ --label "traefik.enable=true" --label "traefik.http.routers.authentik.rule=Host(`auth.un-hack-bar.de`)" \
--label "traefik.http.routers.authentik.middlewares=authentik_redirect" \
--label "traefik.http.routers.authentik.entrypoints=websecure" \ --label "traefik.http.routers.authentik.entrypoints=websecure" \
--label "traefik.http.routers.authentik.tls.certresolver=letsencrypt" \ --label "traefik.http.routers.authentik.tls.certresolver=letsencrypt" \
--label "traefik.http.services.authentik.loadbalancer.server.port=9000" \ --label "traefik.http.services.authentik.loadbalancer.server.port=9000" \
--label "traefik.http.middlewares.authentik_redirect.redirectregex.permanent=true" \
--label "traefik.http.middlewares.authentik_redirect.redirectregex.regex=^https?://(auth|a)\\.unhb\\.de/(.*)" \
--label "traefik.http.middlewares.authentik_redirect.redirectregex.replacement=https://auth.un-hack-bar.de/$${2}" \
--env-file {{ docker_volumes_dir }}/authentik/authentik.env \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
-v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/media:/media \
-v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
--label=com.centurylinklabs.watchtower.enable=false \
ghcr.io/goauthentik/server:{{ version.authentik }} server ghcr.io/goauthentik/server:{{ version.authentik }} server
ExecStartPost=/usr/bin/bash -c "/bin/sleep 120 && /usr/bin/docker network connect traefik {{ container_names.authentik.server }}" ExecStartPost=/usr/bin/bash -c "/bin/sleep 120 && /usr/bin/docker network connect traefik {{ container_names.authentik.server }}"
ExecStop=-/usr/bin/docker stop {{ container_names.authentik.server }} ExecStop=-/usr/bin/docker stop {{ container_names.authentik.server }}


@ -13,7 +13,6 @@ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }}
-v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/media:/media \
-v {{ docker_volumes_dir }}/authentik/certs:/certs \ -v {{ docker_volumes_dir }}/authentik/certs:/certs \
-v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
--label=com.centurylinklabs.watchtower.enable=false \
ghcr.io/goauthentik/server:{{ version.authentik }} worker ghcr.io/goauthentik/server:{{ version.authentik }} worker
ExecStartPost=/usr/bin/bash -c "/bin/sleep 120 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.worker }}" ExecStartPost=/usr/bin/bash -c "/bin/sleep 120 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.worker }}"
ExecStop=-/usr/bin/docker stop {{ container_names.authentik.worker }} ExecStop=-/usr/bin/docker stop {{ container_names.authentik.worker }}


@ -17,7 +17,6 @@
permanent: yes permanent: yes
state: enabled state: enabled
immediate: yes immediate: yes
zone: "{{ firewall_zone }}"
#this is seperate so you don't accidentally remove it #this is seperate so you don't accidentally remove it
- name: Open services in firewall - name: Open services in firewall
@ -26,7 +25,6 @@
permanent: yes permanent: yes
state: enabled state: enabled
immediate: yes immediate: yes
zone: "{{ firewall_zone }}"
with_items: "{{ firewall_services }}" with_items: "{{ firewall_services }}"
- name: Open ports in firewall - name: Open ports in firewall
@ -35,6 +33,5 @@
permanent: yes permanent: yes
state: enabled state: enabled
immediate: yes immediate: yes
zone: "{{ firewall_zone }}"
with_items: "{{ firewall_ports }}" with_items: "{{ firewall_ports }}"
when: firewall_ports is defined when: firewall_ports is defined
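Review bot: Dropping `zone: "{{ firewall_zone }}"` from the three `firewalld` tasks means the opened services and ports land in the host's default zone, which is now decided by host configuration rather than stated in the playbook; the `firewall_zone: "external"` value removed from the host vars earlier in this compare suggests the interfaces were assigned to a non-default zone, in which case the rules would be applied to a zone the interfaces are not in and either not take effect or open more than intended. If the default zone is now used deliberately, a comment such as `# rules are added to the firewalld default zone of each host` above the first task would record that. While touching these lines, `permanent: true` and `immediate: true` are the canonical YAML booleans in place of `yes`. The enclosing task list starts and ends outside the hunks.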


@ -3,7 +3,7 @@
- name: "Install dependencies" - name: "Install dependencies"
ansible.builtin.apt: ansible.builtin.apt:
pkg: pkg:
- docker-ce - docker.io
- name: "Create directories for Pretix and give it access" - name: "Create directories for Pretix and give it access"
ansible.builtin.file: ansible.builtin.file:
@ -95,9 +95,9 @@
- pretix-db.service - pretix-db.service
- pretix-redis.service - pretix-redis.service
- name: "Add Pretix to Docker network traefik" - name: "Add Pretix to Docker network nginx_net"
docker_network: docker_network:
name: traefik name: nginx_net
connected: connected:
- "{{ pretix_container_name }}" - "{{ pretix_container_name }}"
appends: true appends: true


@ -5,7 +5,7 @@ Requires=docker.service
[Service] [Service]
ExecStartPre=-/usr/bin/docker rm --force {{ pretix_db_container_name }} ExecStartPre=-/usr/bin/docker rm --force {{ pretix_db_container_name }}
ExecStart=/usr/bin/docker run --name {{ pretix_db_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable=false \ ExecStart=/usr/bin/docker run --name {{ pretix_db_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} \
-v {{ docker_volumes_dir }}/pretix/postgres-db:/var/lib/postgresql/data --env-file {{ docker_volumes_dir }}/pretix/pretix-db.env postgres:15 -v {{ docker_volumes_dir }}/pretix/postgres-db:/var/lib/postgresql/data --env-file {{ docker_volumes_dir }}/pretix/pretix-db.env postgres:15
ExecStop=/usr/bin/docker stop {{ pretix_db_container_name }} ExecStop=/usr/bin/docker stop {{ pretix_db_container_name }}
Restart=always Restart=always
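Review bot: `{WATCHTOWER_ENABLED}` on the `ExecStart` line is a single-brace placeholder, which Jinja leaves untouched when this templated unit (it already uses `{{ pretix_db_container_name }}`) is rendered, so the container is started with the literal label value `com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED}` — neither `true` nor `false`, and how Watchtower treats such a value is not something this page establishes. The same placeholder appears in the pretix-redis and pretix app units below. It should be rendered from an Ansible variable, e.g. `--label com.centurylinklabs.watchtower.enable={{ pretix_watchtower_enabled | default('false') }}` (variable name constructed here; use whatever the role defines), or restored to a literal `false` if no such variable exists yet.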


@ -5,7 +5,7 @@ Requires=docker.service
[Service] [Service]
ExecStartPre=-/usr/bin/docker rm --force {{ pretix_redis_container_name }} ExecStartPre=-/usr/bin/docker rm --force {{ pretix_redis_container_name }}
ExecStart=/usr/bin/docker run --name {{ pretix_redis_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable=false redis ExecStart=/usr/bin/docker run --name {{ pretix_redis_container_name }} --network pretix --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} redis
ExecStop=/usr/bin/docker stop {{ pretix_redis_container_name }} ExecStop=/usr/bin/docker stop {{ pretix_redis_container_name }}
Restart=always Restart=always
RestartSec=15s RestartSec=15s


@ -8,16 +8,11 @@ Requires=pretix-redis.service
[Service] [Service]
ExecStartPre=-/usr/bin/docker rm --force {{ pretix_container_name }} ExecStartPre=-/usr/bin/docker rm --force {{ pretix_container_name }}
ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network pretix \ ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network pretix \
--label com.centurylinklabs.watchtower.enable=false --env-file {{ docker_volumes_dir }}/pretix/pretix.env \ --label com.centurylinklabs.watchtower.enable={WATCHTOWER_ENABLED} --env-file {{ docker_volumes_dir }}/pretix/pretix.env \
-v {{ docker_volumes_dir }}/pretix/data:/data \ -v {{ docker_volumes_dir }}/pretix/data:/data \
-v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \ -v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \
--label "traefik.enable=true" --label "traefik.http.routers.pretix.rule=Host(`pretix.un-hack-bar.de`)" \
--label "traefik.http.routers.pretix.entrypoints=websecure" \
--label "traefik.http.routers.pretix.tls.certresolver=letsencrypt" \
--label "traefik.http.services.pretix.loadbalancer.server.port=80" \
--label "traefik.docker.network=traefik" \
pretix/standalone:stable pretix/standalone:stable
ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect traefik {{ pretix_container_name }}" ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ pretix_container_name }}"
ExecStop=/usr/bin/docker stop {{ pretix_container_name }} ExecStop=/usr/bin/docker stop {{ pretix_container_name }}
Restart=always Restart=always
RestartSec=15s RestartSec=15s


@ -16,7 +16,7 @@
with_items: with_items:
- "{{ docker_volumes_dir }}/traefik" - "{{ docker_volumes_dir }}/traefik"
- name: "Template Config for Traefik" - name: "Template Config for Pretix"
ansible.builtin.template: ansible.builtin.template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "{{ docker_volumes_dir }}/traefik/{{ item }}" dest: "{{ docker_volumes_dir }}/traefik/{{ item }}"
@ -47,7 +47,7 @@
daemon_reload: yes daemon_reload: yes
when: unit.changed when: unit.changed
- name: "Enable systemd units for Traefik" - name: "Enable systemd units for Pretix"
ansible.builtin.systemd: ansible.builtin.systemd:
state: started state: started
enabled: true enabled: true
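Review bot: The renamed tasks now read `Template Config for Pretix` and `Enable systemd units for Pretix`, but both operate on `{{ docker_volumes_dir }}/traefik` and the traefik units, so the names look like a copy-paste from the Pretix role and will mislead anyone reading a play run or a failure message. Keep the component the task actually manages in the name, `- name: "Template Config for Traefik"` and `- name: "Enable systemd units for Traefik"`. Both tasks continue outside the hunks.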


@ -8,7 +8,7 @@ ExecStartPre=-/usr/bin/docker rm --force {{ traefik_container_name }}
ExecStart=/usr/bin/docker run --rm --name {{ traefik_container_name }} \ ExecStart=/usr/bin/docker run --rm --name {{ traefik_container_name }} \
-v /var/run/docker.sock:/var/run/docker.sock -v {{ docker_volumes_dir }}/traefik/traefik.yml:/traefik.yml \ -v /var/run/docker.sock:/var/run/docker.sock -v {{ docker_volumes_dir }}/traefik/traefik.yml:/traefik.yml \
-v {{ docker_volumes_dir }}/traefik/traefik_dynamic.yml:/traefik_dynamic.yml -v {{ docker_volumes_dir }}/traefik/letsencrypt/:/letsencrypt \ -v {{ docker_volumes_dir }}/traefik/traefik_dynamic.yml:/traefik_dynamic.yml -v {{ docker_volumes_dir }}/traefik/letsencrypt/:/letsencrypt \
-p 80:80 -p 443:443 -p 8448:8448 --network traefik --label=com.centurylinklabs.watchtower.enable=false traefik:v2.11 -p 80:80 -p 443:443 -p 8448:8448 --network traefik traefik:v2.10.5
ExecStop=/usr/bin/docker stop {{ traefik_container_name }} ExecStop=/usr/bin/docker stop {{ traefik_container_name }}
Restart=always Restart=always
RestartSec=15s RestartSec=15s


@ -1,4 +1,5 @@
entryPoints: entryPoints:
web: web:
address: ":80" address: ":80"


@ -0,0 +1,12 @@
# allow members of the sudo group to run backups, but without password
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup.sh
#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-prune.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-mount.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check-read-data.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS.sh
#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-PRUNE.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-MOUNT.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-CHECK.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-READ-DATA.sh
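Review bot: Each rule lets every member of `sudo` run the listed script as root without a password, so the scripts must stay writable only by root and this file must be installed with mode 0440 and syntax-checked, since one typo in a sudoers drop-in breaks sudo for everyone on the host. The task that deploys this file is not in this diff; whichever module copies it should validate before installing, e.g. `mode: '0440'` with `validate: 'visudo -cf %s'`. The scripts themselves are installed root-owned with `u+rwx` elsewhere in this commit, which covers the ownership side as long as `/opt/scripts/restic` itself is not group- or world-writable.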


@ -0,0 +1,6 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic check --read-data
echo "done! :)"
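Review bot: The script's exit status is always that of the final `echo`, so a failing `restic check --read-data` still exits 0 and the cron or sudo caller never learns that the repository is damaged. Let the restic error propagate, e.g. `set -euo pipefail` after the shebang, or drop the trailing echo so the `restic` exit code is the script's. The same pattern is in every other restic script added in this commit (the plain `check`, `mount` and `unlock` helpers, the five backup scripts, both `restic_env_file` templates and the prune script); in the backup scripts the standalone `restic snapshots` line would first need to move into the condition, `if restic snapshots > /dev/null 2>&1; then`, so that `set -e` does not abort on the expected non-zero status.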


@ -0,0 +1,6 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic check
echo "done! :)"


@ -0,0 +1,6 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic mount /mnt/restic
echo "done! :)"


@ -0,0 +1,4 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic unlock
echo "done! :)"


@ -0,0 +1,111 @@
---
- name: "Install restic"
ansible.builtin.apt:
name:
- restic
state: latest
update_cache: true
become: true
when: ansible_os_family == 'Debian'
- name: "Ensure /opt/scripts/ exists"
ansible.builtin.file:
path: /opt/scripts
state: directory
mode: '0755'
when: "ansible_os_family == 'Debian'"
- name: "Ensure /opt/db_dumps/ exists"
ansible.builtin.file:
path: /opt/db_dumps/
state: directory
owner: postgres
group: postgres
mode: '0774'
ignore_errors: true #to do: auf mautrix-signal kein User "postgres" weil in Docker, muss gelöst werden
when: "ansible_os_family == 'Debian' and 'desktops' not in group_names and 'mautrix-signal' not in inventory_hostname"
- name: "Copy restic backup scripts"
ansible.builtin.copy:
src: "restic-backup-scripts/"
dest: /opt/scripts/restic/.
owner: root
group: root
mode: u+rwx
force: true
when: "ansible_os_family == 'Debian'"
- name: "Template restic backup script restic-backup_{{ inventory_hostname }}.sh"
ansible.builtin.template:
src: ../templates/restic-backup_{{ inventory_hostname }}.sh.j2
dest: /opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh
owner: root
group: root
mode: 'u+rwx'
force: true
when: "ansible_os_family == 'Debian' and 'desktops' not in group_names"
#- name: "Template restic backup script ENTWURF"
# ansible.builtin.template:
# src: ../templates/restic-backup_ENTWURF.sh.j2
# dest: /opt/scripts/restic/restic-backup_ENTWURF.sh
# owner: root
# group: root
# mode: 'u+rwx'
- name: "Template restic backup script restic-backup_desktops.sh"
ansible.builtin.template:
src: ../templates/restic-backup_desktops.sh.j2
dest: /opt/scripts/restic/restic-backup_desktops.sh
owner: root
group: root
mode: 'u+rwx'
force: true
when: "ansible_os_family == 'Debian' and 'desktops' in group_names"
- name: "Template restic prune script restic-prune.sh"
ansible.builtin.template:
src: ../templates/restic-prune.sh.j2
dest: /opt/scripts/restic/restic-prune.sh
owner: root
group: root
mode: 'u+rwx'
force: true
when: "ansible_os_family == 'Debian'"
- name: "Template environment variable file restic.env"
ansible.builtin.template:
src: ../templates/restic.env.j2
dest: /opt/scripts/restic/restic.env
owner: root
group: root
mode: '0644'
force: true
when: "ansible_os_family == 'Debian'"
- name: "Template restic password file restic-password-repo"
ansible.builtin.template:
src: ../templates/restic-password-repo.j2
dest: /opt/scripts/restic/restic-password-repo
owner: root
group: root
mode: '0440'
force: true
when: "ansible_os_family == 'Debian'"
- name: "Cronjob for Backups"
ansible.builtin.cron:
name: "Restic Backup"
minute: "0"
hour: "3"
job: "/opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh"
when: "ansible_os_family == 'Debian' and 'desktops' not in group_names"
- name: "Cronjob for Backups"
ansible.builtin.cron:
name: "Restic Backup"
minute: "0"
hour: "3"
job: "/opt/scripts/restic/restic-backup_desktops.sh"
when: "ansible_os_family == 'Debian' and 'desktops' in group_names"
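Review bot: `/opt/db_dumps/` is created with `mode: '0774'`, which grants others read access to a directory that receives plaintext database dumps; only root and postgres write there, so `mode: '0770'` is the safer default. `ignore_errors: true` on the same task hides every failure, not only the missing `postgres` user the comment describes — a narrower `failed_when` or a `when` that skips the affected host keeps real errors visible. `state: latest` on the apt task upgrades restic on every run, so a routine playbook run can change the backup tooling unexpectedly; `state: present` with deliberate upgrades is more predictable.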


@ -0,0 +1,25 @@
#!/bin/bash
source {{ restic_env_file }}
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
{% if restic_execute_before is defined %}
{{ restic_execute_before }}
{% else %}
# restic_execute_before is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
restic backup --verbose {{ restic_backup_paths }}
{% if restic_execute_after is defined %}
{{ restic_execute_after }}
{% else %}
# restic_execute_after is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
echo "done! :)"
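Review bot: The fallback comment in the `restic_execute_after` branch says "commands to run before the actual backup", copied from the `restic_execute_before` branch, so the rendered script documents the wrong hook. Change it to `# restic_execute_after is not defined, to insert commands to run after the actual backup, please define the variable in the Ansible Playbook`. The second copy of this template in this commit carries the same comment.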


@ -0,0 +1,25 @@
#!/bin/bash
{{ restic_env_file }}
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
{% if restic_execute_before is defined %}
{{ restic_execute_before }}
{% else %}
# restic_execute_before is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
restic backup --verbose {{ restic_backup_paths }}
{% if restic_execute_after is defined %}
{{ restic_execute_after }}
{% else %}
# restic_execute_after is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
echo "done! :)"
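Review bot: Line 2 renders as a bare `{{ restic_env_file }}`, so the shell tries to execute the env file as a command instead of sourcing it; if `restic_env_file` points at the `restic.env` installed with mode `0644` elsewhere in this commit, that fails with permission denied, `RESTIC_REPOSITORY` and `RESTIC_PASSWORD_FILE` are never set, and every following `restic` call runs against no repository. The other copy of this template uses `source`; this one should match, `source {{ restic_env_file }}`.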


@ -0,0 +1,45 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
restic backup --verbose / \
--exclude /home/{{ user }}/.cache \
--exclude /home/{{ user }}/cache \
--exclude /home/{{ user }}/.config/Element/Cache/ \
--exclude /home/{{ user }}/.config/Element/GPUCache \
--exclude /home/{{ user }}/.config/Element/Code\ Cache/ \
--exclude /home/{{ user }}/.config/Signal/attachments.noindex \
--exclude /home/{{ user }}/.config/SchildiChat/Cache \
--exclude /home/{{ user }}/.config/SchildiChat/GPUCache \
--exclude /home/{{ user }}/.config/SchildiChat/Code\ Cache/ \
--exclude /home/{{ user }}/.config/Signal/Cache \
--exclude /home/{{ user }}/.config/Signal/GPUCache \
--exclude /home/{{ user }}/.config/Signal/Code\ Cache/ \
--exclude /home/{{ user }}/.local/share/Trash \
--exclude /home/{{ user }}/Bilder \
--exclude /home/{{ user }}/Downloads \
--exclude /home/{{ user }}/gPodder/Downloads/ \
--exclude /home/{{ user }}/Nextcloud \
--exclude /home/{{ user }}/no-backup \
--exclude /home/{{ user }}/synced_folders \
--exclude /home/{{ user }}/sync \
--exclude /home/{{ user }}/Signal_Backups \
--exclude /lost+found \
--exclude /media \
--exclude /mnt \
--exclude /proc \
--exclude /run \
--exclude /root/.cache \
--exclude /sys \
--exclude /tmp \
--exclude /var/cache \
--exclude /var/tmp
echo "done! :)"
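Review bot: `restic backup --verbose /` walks every filesystem mounted under `/`, and the exclude list only covers `/media`, `/mnt`, `/proc`, `/run`, `/sys`, `/tmp` and the listed caches, so anything mounted elsewhere (`/dev`, removable drives, network shares, container overlay mounts) is silently included in the desktop snapshots. Adding `--one-file-system` keeps the backup to the root filesystem and turns the exclude list into a safety net rather than the only boundary. `--exclude-caches` would additionally skip any directory carrying a `CACHEDIR.TAG`, which covers most of the per-application cache entries listed here.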


@ -0,0 +1,21 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
su - postgres --session-command 'pg_dump "{{ matrix_db_name }}" -f /opt/db_dumps/db-dump-{{ matrix_db_name }}.sql'
su - postgres --session-command 'pg_dump "mautrix_googlechat" -f /opt/db_dumps/db-dump-mautrix_googlechat.sql'
su - postgres --session-command 'pg_dump "mautrix_slack" -f /opt/db_dumps/db-dump-mautrix_slack.sql'
restic backup --verbose \
/etc/matrix-synapse \
/opt \
/var/lib/matrix-synapse
echo "done! :)"
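Review bot: Each `pg_dump` writes straight to a fixed path under `/opt/db_dumps` and its exit status is never checked, so a failed or interrupted dump leaves a truncated file that replaces the previous good dump and is then backed up as if it were valid. Write to a temporary name and move it into place only on success, or at least stop before `restic backup` when a dump fails, e.g. `su - postgres --session-command '...' || exit 1`. The same unchecked redirect pattern is in the `docker exec … > /opt/db_dumps/…` lines of the other backup scripts added in this commit.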


@ -0,0 +1,24 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
# systemctl disable --now mautrix-signal.service
su - postgres --session-command 'pg_dump "{{ database_vars.mautrix_signal.db }}" -f /opt/db_dumps/db-dump-mautrix-signal.sql'
restic backup --verbose \
/data-usb \
/etc/matrix-synapse \
/opt \
/var/lib/matrix-synapse
# systemctl enable --now mautrix-signal.service
echo "done! :)"


@ -0,0 +1,20 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
restic backup --verbose \
/etc \
/home \
/opt \
/root \
/srv \
/var/www
echo "done! :)"


@ -0,0 +1,29 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
echo "Now dumping databases, this might take a while..."
set -x
docker exec -t pretix_pg-sql.server2 pg_dumpall -c -U prtxdb > /opt/db_dumps/db-dump-pretix_db.sql
#docker exec docker-partkeepr-database-1 sh -c "exec mariadb-dump --all-databases -u{{ unhb4_mariadb_containers['partkeepr'].user }} --password=$MARIADB_PASSWORD_PARTKEEPR" > /opt/db_dumps/db-dump-partkeepr_db.sql
source /opt/scripts/restic/restic_db_passwords.env
docker exec -t engel_sql.server2 sh -c "exec mysqldump --all-databases -u{{ unhb4_mariadb_containers['engelsystem'].user }} --password=$MARIADB_PASSWORD_ENGELSYSTEM" > /opt/db_dumps/db-dump-engelsystem_db.sql
set +x
restic backup --verbose \
/etc \
/home \
/opt \
/root \
/srv \
/var/lib/docker/volumes/ \
/var/www
echo "done! :)"
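Review bot: `set -x` traces every following command after expansion, so the `--password=$MARIADB_PASSWORD_ENGELSYSTEM` argument is printed with the real password on stderr, which ends up in cron mail or the systemd journal. Remove `set -x` around the dump lines, or pass the credential without placing it on the command line (for example `MYSQL_PWD` in the container environment, or a `--defaults-extra-file`), which also helps keep it out of the container's process list. The `server4` backup script added in this commit has the same `set -x` around its `mariadb-dump`/`mysqldump` lines.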


@ -0,0 +1,42 @@
#!/bin/bash
#
#
# This file is managed via Ansible, do not edit manually. Changes might get overwitten.
#
#
source /opt/scripts/restic/restic.env
source /opt/scripts/restic/restic_db_passwords.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
echo "Now dumping databases, this might take a while..."
set -x
docker exec -t matrix_sql.server4 pg_dumpall -c -U user_synapse_unhb > /opt/db_dumps/db-dump-synapse_db.sql
docker exec -t authentik-postgresql-1 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql
docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql
docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql
docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql
docker exec -t nextcloud_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_NEXTCLOUD" > /opt/db_dumps/db-dump-nextcloud_db.sql
docker exec -t etherpad_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_ETHERPAD" > /opt/db_dumps/db-dump-etherpad_db.sql
docker exec -t jverein_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_JVEREIN" > /opt/db_dumps/db-dump-jverein_db.sql
docker exec -t url-shortener_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_URLSHORTENER" > /opt/db_dumps/db-dump-urlshortener_db.sql
docker exec -t wiki_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_WIKI" > /opt/db_dumps/db-dump-wiki_db.sql
docker exec -t wordpress_sql.server4 sh -c "exec mysqldump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql
set +x
restic backup --verbose \
/etc \
/home \
/opt \
/root \
/srv \
/var/lib/docker/volumes/ \
/var/www
echo "done! :)"


@ -0,0 +1 @@
{{ restic_password_repo[inventory_hostname]["password"] }}


@ -0,0 +1,6 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic forget --prune --keep-within 1m --host={{ ansible_hostname }}
echo "done! :)"


@ -0,0 +1,3 @@
#!/bin/bash
export RESTIC_REPOSITORY="{{ restic_repository_location }}{{ inventory_hostname }}"
export RESTIC_PASSWORD_FILE="/opt/scripts/restic/restic-password-repo"


@ -82,18 +82,6 @@
owner: root owner: root
group: root group: root
mode: 'u+rw' mode: 'u+rw'
force: true
register: unit
when: "ansible_os_family == 'Debian'"
- name: "Template systemd units for restic"
ansible.builtin.template:
src: "restic-prune.service.j2"
dest: "/etc/systemd/system/restic-prune.service"
owner: root
group: root
mode: 'u+rw'
force: true
register: unit register: unit
when: "ansible_os_family == 'Debian'" when: "ansible_os_family == 'Debian'"
@ -104,18 +92,6 @@
owner: root owner: root
group: root group: root
mode: 'u+rw' mode: 'u+rw'
force: true
register: unit
when: "ansible_os_family == 'Debian'"
- name: "Template systemd timers for restic"
ansible.builtin.template:
src: "restic-prune.timer.j2"
dest: "/etc/systemd/system/restic-prune.timer"
owner: root
group: root
mode: 'u+rw'
force: true
register: unit register: unit
when: "ansible_os_family == 'Debian'" when: "ansible_os_family == 'Debian'"
@ -131,8 +107,6 @@
with_items: with_items:
- "restic@{{ inventory_hostname }}.service" - "restic@{{ inventory_hostname }}.service"
- "restic@{{ inventory_hostname }}.timer" - "restic@{{ inventory_hostname }}.timer"
- "restic-prune.service"
- "restic-prune.timer"
when: unit.changed when: unit.changed
#- name: "Enable systemd units for restic-wasabi" #- name: "Enable systemd units for restic-wasabi"


@ -9,7 +9,7 @@ else
echo "We need to initialize the repo first." && restic init echo "We need to initialize the repo first." && restic init
fi fi
restic backup --host="{{ inventory_hostname }}" --verbose \ restic backup --verbose \
/etc \ /etc \
/home \ /home \
/opt \ /opt \


@ -19,7 +19,7 @@ docker exec -t engel_sql.server2 sh -c "exec mysqldump --all-databases -uroot --
set +x set +x
restic backup --host="{{ inventory_hostname }}" --verbose \ restic backup --verbose \
/etc \ /etc \
/home \ /home \
/opt \ /opt \


@ -17,8 +17,8 @@ fi
echo "Now dumping databases, this might take a while..." echo "Now dumping databases, this might take a while..."
set -x set -x
docker exec -t matrix_sql.server4 pg_dump -Z0 -c -U user_synapse_unhb -d synapse_db > /opt/db_dumps/db-dump-synapse_db.sql docker exec -t matrix_sql.server4 pg_dumpall -c -U user_synapse_unhb > /opt/db_dumps/db-dump-synapse_db.sql
docker exec -t authentik-postgresql-1.server4 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql docker exec -t authentik-postgresql-1 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql
docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql
docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql
docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql
@ -30,12 +30,13 @@ docker exec -t wiki_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot
docker exec -t wordpress_sql.server4 sh -c "exec mysqldump --all-databases -uroot --password=$MARIADB_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql docker exec -t wordpress_sql.server4 sh -c "exec mysqldump --all-databases -uroot --password=$MARIADB_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql
set +x set +x
restic backup --host="{{ inventory_hostname }}" --verbose \ restic backup --verbose \
/etc \ /etc \
/home \ /home \
/opt \ /opt \
/root \ /root \
/srv /srv \
# /var/lib/docker/volumes/ \ /var/lib/docker/volumes/ \
/var/www
echo "done! :)" echo "done! :)"
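Review bot: `docker exec -t` allocates a pseudo-terminal, so the dump output passes through a pty that rewrites `\n` as `\r\n` before it reaches the redirect, which corrupts COPY data containing bare newlines or binary content. Drop `-t` on every `docker exec … > /opt/db_dumps/…` line, e.g. `docker exec matrix_sql.server4 pg_dumpall -c -U user_synapse_unhb > /opt/db_dumps/db-dump-synapse_db.sql`; `-i` is not needed either, since nothing is written to the dump's stdin. The same flag is on every dump line in the two new server backup scripts added in this commit.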


@ -1,11 +0,0 @@
[Unit]
Description=This unit will start pruning restic snapshots
After=
Wants=
[Service]
Restart=no
Type=simple
ExecStart=/opt/scripts/restic/restic-prune.sh
[Install]


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
source /opt/scripts/restic/restic.env source /opt/scripts/restic/restic.env
restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --host={{ inventory_hostname }} restic forget --prune --keep-within 1m --host={{ ansible_hostname }}
echo "done! :)" echo "done! :)"
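Review bot: `--keep-within 1m` on the right-hand side keeps only snapshots made within a month of the latest one, so corruption, accidental deletion or ransomware that goes unnoticed for a month leaves no older restore point, whereas the tiered policy on the other side retains six months of history. If the goal is to cap repository size, keep a long-tail tier next to the window, e.g. `restic forget --prune --keep-within 1m --keep-monthly 6 --host={{ ansible_hostname }}`. The `--host` value should match whatever the backup scripts record, which this commit changes in the same direction.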


@ -1,9 +0,0 @@
[Unit]
Description=Timer starting restic-prune.service
[Timer]
OnCalendar={{ restic_prune_start_time }}
Unit=restic-prune.service
[Install]
WantedBy=multi-user.target


@ -1,9 +1,9 @@
[Unit] [Unit]
Description=Timer starting restic.service Description=Timer starting restic-wasabi.service
[Timer] [Timer]
OnCalendar={{ restic_start_time }} OnCalendar={{ restic_start_time }}
Unit=restic@%i.service Unit=restic-wasabi@%i.service
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
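Review bot: The right-hand side points the timer at `Unit=restic-wasabi@%i.service`, but the only units the role enables in this diff are `restic@{{ inventory_hostname }}.service` and `.timer`, and no `restic-wasabi@.service` template is visible in the commit. If that service does not exist on the host, the timer activates but its trigger fails and the nightly backup stops silently; either ship the `restic-wasabi@.service` template in the same change or keep `Unit=restic@%i.service`.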


@ -1,9 +1,9 @@
WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }} WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
WATCHTOWER_NOTIFICATIONS={{ watchtower_notifications }} WATCHTOWER_NOTIFICATIONS="{{ watchtower_notifications }}"
WATCHTOWER_NOTIFICATION_EMAIL_FROM={{ watchtower_notification_email_from }} WATCHTOWER_NOTIFICATION_EMAIL_FROM="{{ watchtower_notification_email_from }}"
WATCHTOWER_NOTIFICATION_EMAIL_TO={{ watchtower_notification_email_to }} WATCHTOWER_NOTIFICATION_EMAIL_TO="{{ watchtower_notification_email_to }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER={{ watchtower_notification_email_server }} WATCHTOWER_NOTIFICATION_EMAIL_SERVER="{{ watchtower_notification_email_server }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT={{ watchtower_notification_email_server_port }} WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT="{{ watchtower_notification_email_server_port }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER={{ watchtower_notification_email_server_user }} WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER="{{ watchtower_notification_email_server_user }}"
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ watchtower_notification_email_server_password }} WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="{{ watchtower_notification_email_server_password }}"
WATCHTOWER_WARN_ON_HEAD_FAILURE={{ watchtower_warn_on_head_failure }} WATCHTOWER_WARN_ON_HEAD_FAILURE="{{ watchtower_warn_on_head_failure }}"
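Review bot: If this file is consumed through docker's `--env-file` (as `pretix.env` is elsewhere in this diff), the double quotes added on the right-hand side become part of each value, because Docker's env-file parser takes everything after `=` literally, and the SMTP host, port and credentials then no longer match. Keep the values unquoted in that case, e.g. `WATCHTOWER_NOTIFICATIONS={{ watchtower_notifications }}`; if the file is sourced by a shell instead, the quotes are harmless. Either way the SMTP password is templated into a file on disk, so the task that writes it should set a restrictive `mode` and `no_log: true` so the secret does not appear in play output or diffs.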


@ -1,17 +0,0 @@
#!/usr/bin/env bash
DATEINAMONTH=$(date --date='31 days' +%F)
if [ ! -f "authentik-api-invite.token" ]; then echo "ERROR - authentik-api.token does not exist, please save the API token to that file" && exit 1; fi
BEARERTOKEN=$(cat authentik-api-invite.token)
if [ -z ${1+x} ]; then echo "ERROR - Invite Token has no name. Spaces and special characters are not allowed. Example: ./unhb-authentik-invite.sh invite_for_jon_doe" && exit 1; fi
echo "INFO - Generating invite link for: $1"
LINK=$(curl --silent -X POST "https://auth.un-hack-bar.de/api/v3/stages/invitation/invitations/" \
-H "accept: application/json"\
-H "authorization: Bearer $BEARERTOKEN"\
-H "content-type: application/json" \
-d '{"name":"'$1'","expires":"'$DATEINAMONTH'T00:00:00.000Z","fixed_data":{},"single_use":true,"flow":"6a0afde87a4e40a3b3bb2215de9c34f0"}' | jq ".pk" -r 2>/dev/null | xargs -I {} -n 1 -0 echo 'https://auth.un-hack-bar.de/if/flow/unhb-invite-enrollment/?itoken={}')
echo $LINK | qrencode -m 2 -t utf8
echo $LINK


@ -18,9 +18,8 @@
remote_user: root remote_user: root
roles: roles:
#- watchtower_docker # Needs changes when migrating to Traefik - watchtower_docker # Needs changes when migrating to Traefik
- pretix_docker # Needs changes when migrating to Traefik - pretix_docker # Needs changes when migrating to Traefik
- traefik_docker
- name: Set up roles on unhb4 - name: Set up roles on unhb4
hosts: unhb4 hosts: unhb4


@ -1,22 +0,0 @@
Add this to your SSH Config:
```
Host unhb4
#Key: SHA256:pgNNZwqtDY4rkx99svN+UMwZ1W30kS44CJNsRbuavvg (ed25519)
HostName server4.unhb.de
User root
LocalForward 9000 localhost:9000
Host unhb-proxmox-local
#Key: SHA256:VoFtWYe3YhGSEK0m3M2O4GHxRqk0X3QwtH5rhnUo7/I (ed25519)
HostName proxmox.unhb.space
User root
```
The door is currently not managed via Ansible, but here is its config anyway:
```
Host unhb-door
HostName 192.168.88.244
User keymaster
IdentityFile ~/.ssh/YOUR_IDENTITY_FILE_FOR_THE_DOOR
```