3e07ead889 Merge pull request 'update Authentik to 2024.8.3' (#3) from update/authentik-202483 into main
Reviewed-on: #3
2024-10-23 12:05:52 +02:00
bd923e6894 update Authentik to 2024.8.3 2024-10-23 11:47:47 +02:00
439603a12e Add SSH configs 2024-09-09 10:35:28 +02:00
10750ffbe9 cleaned up restic role a bit 2024-08-27 11:08:18 +02:00
c37af9a00a update Authentik to 2024.6.3 2024-08-23 12:30:16 +02:00
4b8f5c03c5 disable compression for backing up the Synapse DB, as this slows down backups and the whole server massively 2024-08-20 14:31:31 +02:00
a7e3208de2 remove bz2 compression from database dumps so that the backup storage does not fill up and backups are much quicker 2024-08-20 14:13:15 +02:00
bf62cba8e7 added a playbook for cleaning the database used by Synapse 2024-08-17 09:23:39 +02:00
64f4773c01 add restic prune job 2024-08-16 20:26:27 +02:00
d1ae38cb3d fix artifact of migration to traefik 2024-07-16 22:04:43 +02:00
714706be71 amend .gitignore 2024-07-16 22:01:39 +02:00
333032f27b add invite link script 2024-07-16 22:01:39 +02:00
a8cc1fd810 switch from docker.io to docker-ce 2024-07-16 22:01:39 +02:00
9dcf7d7696 add firewall zone variable 2024-07-16 22:01:39 +02:00
6148fab2cc fixes for traefik, update authentik 2024-07-16 22:01:39 +02:00
779d4f1e3f Neuen Mailserver eingetragen 2024-07-15 21:43:12 +02:00
11946d4dfe small fix 2024-04-10 12:21:41 +02:00
765b5f5557 Merge branch 'main' of https://git.un-hack-bar.de/unhb_admin/ansible 2024-04-10 11:59:10 +02:00
233a4736f1 fix watchtower config which apparently broke due to an update 2024-04-10 11:59:00 +02:00
eb0d41debf Backupzeit auf 1 Uhr Nachts vorverlegt 2024-03-29 15:29:28 +01:00
a6b1b4c148 SQL Dumps werden nun gepackt; außerdem einige Verzeichnisse aus dem Backup entfernt da sie nicht gesichert werden müssen 2024-03-29 15:27:49 +01:00
ccb4197aa0 kleiner fix weil sonst Certs nicht erneuert werden können 2024-03-27 21:36:57 +01:00
058f5b7ca7 Authentik-Container-Name korrigiert 2024-03-27 21:08:10 +01:00
8ca4253e4b fixed unit name 2024-03-27 11:24:12 +01:00
5099a7d2a2 adjusted which and how long keeping snapshots 2024-03-26 16:57:52 +01:00
2b1f01c94f typo gefixt 2024-03-05 22:20:00 +01:00
1781c23774 shortlinks eingefügt 2024-03-05 22:12:06 +01:00
fc26e177a8 traefik version aktuallisiert 2024-03-05 21:48:18 +01:00
44 changed files with 310 additions and 505 deletions

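--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ vault-password
 tmp/
 .DS_store
 UNHB_INFRA_UMBAU
+authentik-api-invite.token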

clean-synapse-db.yml Normal file

@ -0,0 +1,65 @@
- name: "Clean up the Synapse DB"
hosts: unhb4
remote_user: root
tasks:
- name: "Install jq"
ansible.builtin.apt:
pkg:
- jq
- python3-psycopg2
- name: "Get IP of DB container for the database synapse uses"
ansible.builtin.shell: |
docker inspect {{ synapse_db_clean_container_db }} | jq -r '.[].NetworkSettings.Networks[].IPAddress'
register: docker_network_inspect_synapse_db
- ansible.builtin.set_fact:
postgres_ip_synapse_db: "{{ docker_network_inspect_synapse_db.stdout }}"
- name: "Ensure Synapse is disabled before accessing the database"
ansible.builtin.shell:
cmd: "docker compose stop {{ synapse_db_clean_container_synapse }}"
chdir: "{{ synapse_db_clean_compose_file_dir }}"
tags: molecule-notest
- name: "Delete orphan state_groups_state"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
query: DELETE FROM state_groups_state WHERE room_id IN (SELECT DISTINCT(state_groups.room_id) AS room_id_gone FROM state_groups LEFT JOIN events USING(room_id) WHERE events.room_id IS NULL GROUP BY room_id_gone)
- name: "Delete orphan state_groups_state"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
query: DELETE FROM state_groups WHERE room_id IN (SELECT DISTINCT(state_groups.room_id) AS room_id_gone FROM state_groups LEFT JOIN events USING(room_id) WHERE events.room_id IS NULL GROUP BY room_id_gone)
- name: "Reindex DB"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
autocommit: yes
query: "REINDEX (VERBOSE) DATABASE {{ synapse_db_clean_db }}"
- name: "Vacuum DB"
postgresql_query:
db: "{{ synapse_db_clean_db }}"
login_host: "{{ postgres_ip_synapse_db }}"
login_user: "{{ synapse_db_clean_user }}"
login_password: "{{ synapse_db_clean_password }}"
autocommit: yes
query: VACUUM FULL VERBOSE
- name: "Ensure Synapse is re-enabled"
ansible.builtin.shell:
cmd: "docker compose up -d {{ synapse_db_clean_container_synapse }}"
chdir: "{{ synapse_db_clean_compose_file_dir }}"
tags: molecule-notest
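Review bot: If any of the `postgresql_query` tasks fails, the play aborts after `docker compose stop` and Synapse is left stopped, because nothing wraps the database work in a `block`/`always`. Wrap the two DELETE, the REINDEX and the VACUUM tasks in a `block:` whose `always:` holds the "Ensure Synapse is re-enabled" task, so the container comes back even on a failed query. The DELETE statements drop rows irreversibly with no dump taken first; a `pg_dump` (or restic snapshot) task before them would be prudent, and the second task's name `Delete orphan state_groups_state` should read `Delete orphan state_groups` since it targets that table. The IP lookup `jq -r '.[].NetworkSettings.Networks[].IPAddress'` prints one line per attached network, so `login_host` breaks if the DB container is on more than one network — `first(.[].NetworkSettings.Networks[].IPAddress)` or naming the network explicitly is safer.
```yaml
    - name: "Ensure Synapse is disabled before accessing the database"
      ansible.builtin.shell:
        cmd: "docker compose stop {{ synapse_db_clean_container_synapse }}"
        chdir: "{{ synapse_db_clean_compose_file_dir }}"
      tags: molecule-notest
    - block:
        # … unchanged: the two DELETE tasks, the REINDEX task and the VACUUM FULL task, indented one level deeper …
      always:
        - name: "Ensure Synapse is re-enabled"
          ansible.builtin.shell:
            cmd: "docker compose up -d {{ synapse_db_clean_container_synapse }}"
            chdir: "{{ synapse_db_clean_compose_file_dir }}"
          tags: molecule-notest
```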

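--- /dev/null
+++ b/clean_synapse_db.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+ansible-playbook clean-synapse-db.yml -i inventory.ini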


@ -6,4 +6,5 @@ APT_Periodic_AutocleanInterval: "7"
APT_Periodic_Unattended_Upgrade: "1" APT_Periodic_Unattended_Upgrade: "1"
restic_repository_location: "sftp:restic_{{ inventory_hostname }}@proxmox.unhb.space:/storage/restic-backup/" restic_repository_location: "sftp:restic_{{ inventory_hostname }}@proxmox.unhb.space:/storage/restic-backup/"
restic_start_time: "*-*-* 3:00:00" restic_start_time: "*-*-* 1:00:00"
restic_prune_start_time: "*-*-* 11:00:00"
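Review bot: `restic_prune_start_time` schedules prune on the backed-up host itself, which means the host's SFTP account `restic_{{ inventory_hostname }}@proxmox.unhb.space` must be allowed to delete files in the repository — so anyone who gains root on the host can also wipe its own backups. If the repository is meant to survive host compromise, run forget/prune from the backup server (or a separate privileged account) and keep the per-host SFTP account append-only. Also check the 11:00 prune against the 01:00 backup: restic prune needs an exclusive repository lock, so a backup still running at 11:00 makes one of the two jobs fail with a lock error.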


@ -16,6 +16,8 @@ firewall_services:
firewall_ports: firewall_ports:
- "587/tcp" - "587/tcp"
firewall_zone: "external"
pretix_container_name: "pretix_app.server2" pretix_container_name: "pretix_app.server2"
pretix_currency: "EUR" pretix_currency: "EUR"
pretix_db_backend: "postgresql" pretix_db_backend: "postgresql"
@ -36,6 +38,9 @@ pretix_redis_container_name: "pretix_redis.server2"
pretix_registration: "off" pretix_registration: "off"
pretix_redis_sessions: "true" pretix_redis_sessions: "true"
traefik_container_name: "traefik"
traefik_dashboard_hostname: "traefik2.un-hack-bar.de"
watchtower_container_name: "watchtower.server2" watchtower_container_name: "watchtower.server2"
watchtower_domainname: "unhb.de" watchtower_domainname: "unhb.de"
watchtower_hostname: "neuromancer" watchtower_hostname: "neuromancer"
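Review bot: `firewall_zone: "external"` selects firewalld's zone that ships with masquerading enabled, so moving the port and service rules there also makes the host NAT any traffic it forwards unless masquerade has been turned off for that zone elsewhere; if NAT is not intended, `public` is the usual zone for an internet-facing server. `traefik_dashboard_hostname: "traefik2.un-hack-bar.de"` publishes the Traefik dashboard on a public name, and the dynamic config that would protect it is not in this diff — please confirm the dashboard router carries an auth middleware (basicAuth or forward-auth via Authentik), since the dashboard lists every router, service and middleware on the host. A short comment next to `firewall_zone` saying why `external` was chosen would help the next reader.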


@ -1,38 +1,42 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
36386661383262363762326636333638663039376235393062363831613537303533623564636330 34663134653636313763396465363236363138636632666439336236623535343137633332356439
3162653935633634336165316264373836383063336166620a366234356163643532643937613835 3764376137346635383238333438313239363263656534350a326665346331343736663334653933
64383262313039346165653136343037326639383434323235333834343931636235306134383431 39353535386230336631373964376462626363303632336166393135656532636162663633316461
6465616134653133660a363163323132343532656164356237616162656265663662656363643136 6364303032636230380a393739353836623730353866626633333232306464613430383366326234
63383739316639383733623964666132663139646437343036633038393335653338663432366234 62393931653331353263343963633365383831323164396238323535346535343438643032616463
66386564393133303865353433333063623238353964303236373763613137663264336337353737 32383534393534633662623966653566643730393961663731376366643034366335643130623265
38333536366235383333306434323432326163396461313861663764613961393161306363646466 66333130303866366565613735346131333262393234346166303266336264343332646534656634
39613833643330616530653065373934633563313137643666316531643066373834363537336638 31386634333766333062653166396262613262623738343135653139653934306362613365653835
63363662393038346230313434326134353866306665643235326161306332316531323238316430 37303437346363303039653861663033323966306437623961396265386536646433643836373439
39646138656637636266643864653735613632383365623032346565623135666533316665303732 64316665383361646531343237303036356362653635393330383061383939376161336661383961
39336462326437303730343865303962653932326138336232646234323561303463326432663337 38666335353166613735666565373136653064643734616130633137663731613237323433613536
34333066666462363638323536326464663633653864386666343533313231326639376234633565 38613033626137393435353931616233363930343761616431386564356237383761613333386630
32353636376431303735386365393033636235323365333832333339653132623965663737616138 31656237616135653135306639336264656666343163633531653961633833623863633436663033
61393130653432373361623936656635343935666332303064343763656338656433663063386137 32646465343262333562656436353234386663356134353637393431613561303435303633633765
63613865313733393264386638613966306634643036643139393934616237363663353938363461 39316435623066613764323064636239313332663463353065303461396133666239636231333835
66343739653262313963383363326339336361333430643263306131316231643935653835653437 36356331643663366230323230363963383233353738363635653963363137343039336632363933
63333239353362396261636438346236623966623666666634663965306630333138333138666632 35353733633730626562653038343035393133316166356138343537363834343834373761336539
31663066393336643033383535626635373762656333363166316661646464313937616365646234 62333633373339346161333866366136343830326363343131313838643864653635643465363861
62383564656534623164333166363937626139393137663965646232326532396536356437383563 38653131306433306638666464613363613331616430613234323736343231306230396330323733
63343261383538343335653861383530323837613938623036356630653937653237333739323433 65353231336131353434663063333237366433373731323432653530313434663563656432313764
31396464333733333630656363623761383032353732316235363462623131366634343539653938 36656662303039383236323135313465663139346138396665376336323336386230626631643037
34353234376266333364363264303531356631363030303961343134366133666432323866343537 35643832373139373063653136306365313233613238623034336261383866306632636339356439
31383066636664346230633035393739623339393231313661666435363337316431353364666464 34346132393832643832356434313331343536396333343437646337383133333361663861646633
65333935653936626230333161353133653231323139393335393636663533346563663433666431 32393732613331613635626537333765366261656361363634303737653939396636363861316531
38653965376335656639373435343439393664326262376235386337623034386636336661303934 62653333306462356333373861373139373363393531633466663531646130653130376266653334
66653565663965306664376133616664313437306137616536346432353738383964616461313139 37666534363566643863613536313839396139383535666463626562363563336537353235316133
38383263313539323063363439663734383861336364653962316665376362383035356335616630 64623664396166616433313532663930623232383339306534303234326536303932346131663564
39383337636366633232313262303364343931316462633932346162646262373932373864333866 64373936623964646436646465336365373965663863306663663061613363343037656463306635
31336461643032313933356237343966633138663934643765646431306637653439633536303961 39336635323365303935633965343733653531646261376638643161373937303138316664313563
34636366396330303135386630393537653538663638653034633262373463383430643839656563 39353939373335363963383764316262643734656537356462616335353831323561336266656238
39323463373637393230383130656362303030623365383638333363303430373231393866643236 63323230323933663236356438363735326364333662613262323561333262356366343639656562
61653736363134303437626233653966353266636438636335633734613533613263656466366163 37396332393033383531303062376539326130396466343635663333666232343334653965633931
64653437333662656235636437636266343565663837343461646163326238366165326135373363 38626435303366333365623537373761333838333037303562343437633363386333623662323639
61366131336665656661356433376262663836356230323063373766313437646630626535303935 63363731303163383135363961376231633162626234393535333835363462373431376365343333
31616331323132663665636162353331346631353636613964396635323766383334343566643938 30303236383365323836613133383830613233326464366163613230656264643833376136363963
33313739396361616265313134333564353633646531383666363031376238626465383735666636 38633765333238656166646563303930373366313931333733616238333230353131356431613533
3236 65653265356338393766373266613433323765623233666465666361393631666532336335386638
66373465656364656564336138333033376562373566396636633735363864363761393062303635
39323134303831383638313239633664383463343938373765613061306163663561343863313134
33336666633164656639636466303566666263346662653662383235326265626330373931346461
6533


@ -10,7 +10,7 @@ container_names:
element_web: "element_web.server4" element_web: "element_web.server4"
authentik_error_reporting: "false" authentik_error_reporting: "false"
authentik_email_host: "mail.un-hack-bar.de" authentik_email_host: "imehl.un-hack-bar.de"
authentik_email_port: "587" authentik_email_port: "587"
authentik_email_use_tls: "true" authentik_email_use_tls: "true"
authentik_email_use_ssl: "false" authentik_email_use_ssl: "false"
@ -64,9 +64,11 @@ firewall_ports:
- 64738/udp # Mumble - 64738/udp # Mumble
- 21117/tcp # Rustdesk - 21117/tcp # Rustdesk
firewall_zone: "external"
traefik_container_name: "traefik" traefik_container_name: "traefik"
traefik_dashboard_hostname: "traefik.un-hack-bar.de" traefik_dashboard_hostname: "traefik.un-hack-bar.de"
version: version:
authentik: "2023.10.7" authentik: "2024.8.3"
element_web: "latest" element_web: "latest"


@ -1,50 +1,65 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
39663531646261623063306461623531383931653762613831656461313064376561336138663733 36666365343065316630613363313965396532623165336164353162316430623436363830366664
6434313637646163656637323234613335323031363933330a373661353061373033333063336331 3133313530303132353661336534616338663666306632620a663461346230353038646635303031
31646266353135336237386163623861306463613733633964656462366634306361646365313566 66333830666564316262636239643035353836313137393063376131333730343365313061333831
6239323762343662630a626336326137346261306363643862376636323266393362353437623161 3435363164666463350a373839336464666133346561333332386439393938336365636336343464
33356635303231346363613537396631643130313033646332323565666434373066613662353161 66623136323930303133333931623738333235313130663935383639373839366265633133633735
37346366666663336639663664616134366264383061643336356135343631626332656466373638 31316331613864633662346662346262346136633161333566623332666530393861306464393834
38666363336139343739353931313062613430653735376532613866313062663032613432346330 32306265656562326462306232633236313335646231306662323966363265393535633039656335
34653139316539373131393363303736386433363734616432326430346636653762363935363032 62313936653463643134363961376464373765313838363631366364633832396437353132386361
63633861333663626566323539366362633665666537653765313361353963343133326638643538 32613563316438383033333735643634356530336264356139356230366165626364353233373061
62643035383936666637333135616662343436303864373665613463363834623363623366613164 63326462383862373232663030326462346537353837643164663937306335653538343031343733
61633536613438636433653935333437653432656232633936346438323439353662373165626630 37303339393337663235663362646164643135643437626466303630633732636366366538333665
37356333646166303837373738643465353635376531623231623937666633613165643434356535 64646436343362643139323131393466653835623331393735346361653230663533353132306132
39353833366435396639646331666433353431353137393531653539303538313064313534376330 31316435353666393537373231306361353137343236383132653163313336353332346339386630
32376131386530373032373235323765663836663962663262363532303866323331663130623864 31393238353039323032376265366331346235346430623766663566663762356130363232336437
66313631646234323639613362653230363363326564633033623136643439653461373439376331 32356664353330623334343130393532646465666137346162353437396162353062636335333166
64303162613235333639613663373833643632376238316130333764373334616531303761393861 61633939663336346335383339653761343962336465666161306166646465316238666632336532
63303464653436393062343164306631646161333064303230366264313332303365326235383931 38316532376339666539636335636230373430643464663663383939303865376665366663656263
34666466626266333761373837373730633030356163333538313434666238623432623965383262 66633864373132653337656531623839313132303332303737623633623731613336363432616234
64626661323464323465643761356332343365316535343964353836346339313132333937333939 37343738373461623038363535313666373032613132326163646433326164636230656563393532
31656338613739363633373838363862343763613061373463306161643131653264646664323966 35663864323239363765373162303933363238353831363037306431656666643136313731643238
62653638646438336531633534336663326631303461613661383830353564363862373966343862 34323635633464633266623232356364303239633933613261323864336165316538323161383037
61373366326366366137333765376566663638366366303264363366363838646136306330313361 64333161613461333863333035626130346431663764666165383864346331323561366263363964
39306430333234363664383039373764636431303934323664646430303863383131623237356433 63633333643162643664356365366466366233643233353434633732313335363361363564333533
66316434323161653764363361383563643734366635356539386561316135663736303831353264 35323164633739346333623864646464623539363139396239316663333334356363373631343331
61346131633831613365313966626363393765376639326263643237346333363033313763376533 34653730363466326632333337373531646332386438383732613832333935323833313565373139
32396132666164396338653439626436396661366131623234646564356232353764303931313337 61323763646636373437333839623935626632663934303666306131383738633139663635643562
64636365313739343864346333396235623963303061396262653230353533613564636163656262 65643039313637306663616266623435383733333336623261643761363030613234343030363162
33376663663231343266336131613634623233633733343130636133316336363433666134393166 61646337346362303866336464316438316565666166666630336539663137326630383532333930
36633831373762373464376633613430633839333061303531376462626432333264333232356238 37393662653334616263623566653836343034323962346132333834666331316139303637646534
30663461653461626236633865346639363536666264663036653961623737343434306133663735 66353564353961343963393164643135383833666663336562353966323033356265323730343931
30356464343831623463393262646131336538376232323366316666386462653939336365613663 39663932613261323465373837656430323265373936613561323136663263636261346638383735
63613264623861386332663534313562636134373736396263653336393365323665666161336634 33636133396237303034373739663039663465376265356263313633386234333465316135306537
31656536393161653866363933356266323566666438353237656531356162636234323865386437 62363865383764613062613762616339336632643938663333636661666236303138626633623637
62653333623738323264313331303565646533663037633837366632303136633330643132613039 30363235323532383336633633626538386439663437323231353661353665346437613237643432
35393933613161363431643565353234393861636535643463636362306533353961656636383366 37333563616139663935613863313937303865383732313835386635623036636630303562393862
61323366663765373339646363383435306537376336633833393238633238623338303161336332 35636666393339333537373434306161366435373537353338356161633266386539326564643562
39656463303134623461383761613431653439343038623661363765333166363239316435646631 38616332363638343338623232643461633339656164383130303037653038326365373864373166
37346237346466313439653263326262616130613664613332343065636130353661633662393666 31303039663038396333306634653534383336626630613163373037316333373263376334383037
66306234346661303334383363333831323763336663383030633164623230343530383365316565 64306536626333353566346261393033336430363062623530643261353065313462616166383230
64323732653165653535643838376264313930376632373835623866356462626630333833663366 33633933643763613364653131306437653065663833663932326334613639613664333336613265
32623335333435333437653063393633323732636531353334613333353233633536373533326636 66313539303761343336303363646463366666333465303432383031653766613935343362343536
33646264363136343238626133663231653238396539326462326362633839333031383432656465 33306261646532643766626339333738613932616661376562383435623434613566336366306438
38353735623133386564626133663261643030626365303139613832306130613337663062613834 37373138396538353465393536643566333135623237303663343932313962383865353233323966
33653962636431356534653036326434386466616438666131363834353235343762643365323330 62306333383638383362666463343238333064303633623037333138646362643763623536383334
62383933623461383437633631633761616633653430326636393635666533373339336266383338 31646334356164353731353366393039663663383939643537383663663938613735303533613235
64316361656330306233343330613335373164656138353964646535323762323835333265636435 39333666663861373730323061313032656161323034376434363630393164353037383338346435
37376338653238333863383664373064323331363334353765636265663334363739363363636463 61636366323562646264643663346463303535636234366130336431363538656630653534346431
30656331366463353639383065363234653661346330346131353838626362373634353661326163 38656639633035323764623563663031333139336139353063663266343265393466373565306236
63623762383639633264353466323837383434653536343931653231656535343064 36366337393164653264303066363533346532313030313766666637663933363036666632303663
64346134316138616239396334623466323663623933656662626138363462653730373639643261
39323331386164326365313365333836396636336334663865666431343736643161323561623433
32326233653365653734326136303066323966643263313164306466303930666436383564323936
36363261363963353938666532373264616532623733393033366230323965613432346134613462
65646664383838376332653662393031313739343438666538376164666332653962333134306135
65656634663766316365386366363639336430663666303935303033343039326164656166373837
38663337373132316662663334383737643732653338373435383064316266396434623463623565
36363134363039626232643936353631343866633931353530656234616562626330636638303537
65363633366230633635366132656437623962396538363836316235633465383262623030353533
61353631336465313265353363313239363538653231383336343738656635383837363665336338
38646162393461313066666235376434303861366437353433313464323030636463396363333364
34646333366564633034343833643562373366643263316263626363363838653563633065396633
63616239343665326432643735313765306461333032663934393639303263303662393064353664
32383537383338376661393638383831313263346236343635333638333666333430373936303964
63653664356435306266


@ -8,10 +8,14 @@ ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }}
ExecStartPre=-/usr/bin/docker pull ghcr.io/goauthentik/server:{{ version.authentik }} ExecStartPre=-/usr/bin/docker pull ghcr.io/goauthentik/server:{{ version.authentik }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \
--network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \ --network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \
--label "traefik.enable=true" --label "traefik.http.routers.authentik.rule=Host(`auth.un-hack-bar.de`)" \ --label "traefik.enable=true" --label "traefik.http.routers.authentik.rule=Host(`auth.un-hack-bar.de`,`auth.unhb.de`,`a.unhb.de`)" \
--label "traefik.http.routers.authentik.middlewares=authentik_redirect" \
--label "traefik.http.routers.authentik.entrypoints=websecure" \ --label "traefik.http.routers.authentik.entrypoints=websecure" \
--label "traefik.http.routers.authentik.tls.certresolver=letsencrypt" \ --label "traefik.http.routers.authentik.tls.certresolver=letsencrypt" \
--label "traefik.http.services.authentik.loadbalancer.server.port=9000" \ --label "traefik.http.services.authentik.loadbalancer.server.port=9000" \
--label "traefik.http.middlewares.authentik_redirect.redirectregex.permanent=true" \
--label "traefik.http.middlewares.authentik_redirect.redirectregex.regex=^https?://(auth|a)\\.unhb\\.de/(.*)" \
--label "traefik.http.middlewares.authentik_redirect.redirectregex.replacement=https://auth.un-hack-bar.de/$${2}" \
--env-file {{ docker_volumes_dir }}/authentik/authentik.env \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
-v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/media:/media \
-v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
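Review bot: The `Host()` rule now also covers `auth.unhb.de` and `a.unhb.de`, so the `letsencrypt` resolver will request a single certificate carrying all three names via the TLS-ALPN challenge; as far as I can tell from Traefik's ACME behaviour, if either alias does not yet point at this host the order fails for the whole router and even `auth.un-hack-bar.de` drops to Traefik's default certificate. The redirect middleware itself looks correct (`$${2}` is the systemd escape for `${2}`, and group 2 is the captured path), but `permanent=true` is a 301 that browsers cache indefinitely, so consider `redirectregex.permanent=false` until the aliases are verified in DNS. The `ExecStart=` continuation starts above and ends below this hunk.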


@ -17,6 +17,7 @@
permanent: yes permanent: yes
state: enabled state: enabled
immediate: yes immediate: yes
zone: "{{ firewall_zone }}"
#this is seperate so you don't accidentally remove it #this is seperate so you don't accidentally remove it
- name: Open services in firewall - name: Open services in firewall
@ -25,6 +26,7 @@
permanent: yes permanent: yes
state: enabled state: enabled
immediate: yes immediate: yes
zone: "{{ firewall_zone }}"
with_items: "{{ firewall_services }}" with_items: "{{ firewall_services }}"
- name: Open ports in firewall - name: Open ports in firewall
@ -33,5 +35,6 @@
permanent: yes permanent: yes
state: enabled state: enabled
immediate: yes immediate: yes
zone: "{{ firewall_zone }}"
with_items: "{{ firewall_ports }}" with_items: "{{ firewall_ports }}"
when: firewall_ports is defined when: firewall_ports is defined
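Review bot: Adding `zone: "{{ firewall_zone }}"` only creates the rules in the new zone; the `permanent: yes` entries the role previously created in the default zone stay in place, so on already-provisioned hosts the ports end up open in both zones rather than moved. Add a matching `state: disabled` pass for the old zone (or document the one-off `firewall-cmd --permanent --zone=public --remove-port=...` cleanup) before relying on the new zone. `firewall_zone` has no default, so any host whose vars do not define it now fails with an undefined variable — `zone: "{{ firewall_zone | default('public') }}"` or a group_vars default keeps those hosts working. The first task's module line and loop are outside this hunk.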


@ -3,7 +3,7 @@
- name: "Install dependencies" - name: "Install dependencies"
ansible.builtin.apt: ansible.builtin.apt:
pkg: pkg:
- docker.io - docker-ce
- name: "Create directories for Pretix and give it access" - name: "Create directories for Pretix and give it access"
ansible.builtin.file: ansible.builtin.file:
@ -95,9 +95,9 @@
- pretix-db.service - pretix-db.service
- pretix-redis.service - pretix-redis.service
- name: "Add Pretix to Docker network nginx_net" - name: "Add Pretix to Docker network traefik"
docker_network: docker_network:
name: nginx_net name: traefik
connected: connected:
- "{{ pretix_container_name }}" - "{{ pretix_container_name }}"
appends: true appends: true
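Review bot: `docker-ce` is Docker's own package from download.docker.com, not part of Debian/Ubuntu's repositories, so this `apt` task only succeeds if Docker's apt repository and signing key are configured earlier in the play; nothing in this diff does that, so if it lives in another role a comment here pointing to it would help (`# docker-ce comes from Docker's apt repo, which the docker role adds`). The `docker_network` task and the unit's `ExecStartPost` now both connect the container to the `traefik` network, so one of the two is redundant; keeping only the unit-level one avoids the role failing when the container isn't running at play time. Prefer the FQCN `community.docker.docker_network` to match the `ansible.builtin.*` style used in the same file.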


@ -11,8 +11,13 @@ ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network
--label com.centurylinklabs.watchtower.enable=false --env-file {{ docker_volumes_dir }}/pretix/pretix.env \ --label com.centurylinklabs.watchtower.enable=false --env-file {{ docker_volumes_dir }}/pretix/pretix.env \
-v {{ docker_volumes_dir }}/pretix/data:/data \ -v {{ docker_volumes_dir }}/pretix/data:/data \
-v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \ -v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \
--label "traefik.enable=true" --label "traefik.http.routers.pretix.rule=Host(`pretix.un-hack-bar.de`)" \
--label "traefik.http.routers.pretix.entrypoints=websecure" \
--label "traefik.http.routers.pretix.tls.certresolver=letsencrypt" \
--label "traefik.http.services.pretix.loadbalancer.server.port=80" \
--label "traefik.docker.network=traefik" \
pretix/standalone:stable pretix/standalone:stable
ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ pretix_container_name }}" ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect traefik {{ pretix_container_name }}"
ExecStop=/usr/bin/docker stop {{ pretix_container_name }} ExecStop=/usr/bin/docker stop {{ pretix_container_name }}
Restart=always Restart=always
RestartSec=15s RestartSec=15s
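Review bot: The new Traefik labels are read when the container starts, but the container is only attached to the `traefik` network ten seconds later by `ExecStartPost`; Traefik's docker provider is driven by container events, so as far as I can tell it may inspect the container before that network exists on it, log that it cannot find network `traefik`, and skip the service until the next container event. Starting the container on `--network traefik` in `ExecStart` and connecting the Pretix db/redis network afterwards would remove the `sleep 10` race entirely. The `ExecStart=` line holding the `--network` argument is above this hunk.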


@ -16,7 +16,7 @@
with_items: with_items:
- "{{ docker_volumes_dir }}/traefik" - "{{ docker_volumes_dir }}/traefik"
- name: "Template Config for Pretix" - name: "Template Config for Traefik"
ansible.builtin.template: ansible.builtin.template:
src: "{{ item }}.j2" src: "{{ item }}.j2"
dest: "{{ docker_volumes_dir }}/traefik/{{ item }}" dest: "{{ docker_volumes_dir }}/traefik/{{ item }}"
@ -47,7 +47,7 @@
daemon_reload: yes daemon_reload: yes
when: unit.changed when: unit.changed
- name: "Enable systemd units for Pretix" - name: "Enable systemd units for Traefik"
ansible.builtin.systemd: ansible.builtin.systemd:
state: started state: started
enabled: true enabled: true


@ -8,7 +8,7 @@ ExecStartPre=-/usr/bin/docker rm --force {{ traefik_container_name }}
ExecStart=/usr/bin/docker run --rm --name {{ traefik_container_name }} \ ExecStart=/usr/bin/docker run --rm --name {{ traefik_container_name }} \
-v /var/run/docker.sock:/var/run/docker.sock -v {{ docker_volumes_dir }}/traefik/traefik.yml:/traefik.yml \ -v /var/run/docker.sock:/var/run/docker.sock -v {{ docker_volumes_dir }}/traefik/traefik.yml:/traefik.yml \
-v {{ docker_volumes_dir }}/traefik/traefik_dynamic.yml:/traefik_dynamic.yml -v {{ docker_volumes_dir }}/traefik/letsencrypt/:/letsencrypt \ -v {{ docker_volumes_dir }}/traefik/traefik_dynamic.yml:/traefik_dynamic.yml -v {{ docker_volumes_dir }}/traefik/letsencrypt/:/letsencrypt \
-p 80:80 -p 443:443 -p 8448:8448 --network traefik --label=com.centurylinklabs.watchtower.enable=false traefik:v2.10.5 -p 80:80 -p 443:443 -p 8448:8448 --network traefik --label=com.centurylinklabs.watchtower.enable=false traefik:v2.11
ExecStop=/usr/bin/docker stop {{ traefik_container_name }} ExecStop=/usr/bin/docker stop {{ traefik_container_name }}
Restart=always Restart=always
RestartSec=15s RestartSec=15s


@ -1,5 +1,4 @@
entryPoints: entryPoints:
web: web:
address: ":80" address: ":80"
@ -29,7 +28,7 @@ certificatesResolvers:
email: "{{ letsencrypt_email }}" email: "{{ letsencrypt_email }}"
storage: "/letsencrypt/acme.json" storage: "/letsencrypt/acme.json"
#caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" #caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
tlsChallenge: tlsChallenge: true
providers: providers:
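Review bot: `tlsChallenge: true` works because Traefik's config parser treats a `true` scalar as enabling an otherwise empty section, but the documented YAML form is `tlsChallenge: {}`; either way, a comment recording why the value changed would stop the next person from reverting it (`# must be non-empty: a bare 'tlsChallenge:' parses as null and silently disables the ACME TLS-ALPN challenge`). The `acme.json` under `/letsencrypt` holds the ACME account key and every issued private key, and Traefik refuses to use it unless it is mode 0600, so the task that creates that directory (not in this diff) should set permissions accordingly.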


@ -1,12 +0,0 @@
# allow members of the sudo group to run backups, but without password
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup.sh
#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-prune.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-mount.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check-read-data.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS.sh
#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-PRUNE.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-MOUNT.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-CHECK.sh
%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-READ-DATA.sh


@ -1,6 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic check --read-data
echo "done! :)"


@ -1,6 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic check
echo "done! :)"


@ -1,6 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic mount /mnt/restic
echo "done! :)"


@ -1,4 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic unlock
echo "done! :)"


@ -1,111 +0,0 @@
---
- name: "Install restic"
ansible.builtin.apt:
name:
- restic
state: latest
update_cache: true
become: true
when: ansible_os_family == 'Debian'
- name: "Ensure /opt/scripts/ exists"
ansible.builtin.file:
path: /opt/scripts
state: directory
mode: '0755'
when: "ansible_os_family == 'Debian'"
- name: "Ensure /opt/db_dumps/ exists"
ansible.builtin.file:
path: /opt/db_dumps/
state: directory
owner: postgres
group: postgres
mode: '0774'
ignore_errors: true #to do: auf mautrix-signal kein User "postgres" weil in Docker, muss gelöst werden
when: "ansible_os_family == 'Debian' and 'desktops' not in group_names and 'mautrix-signal' not in inventory_hostname"
- name: "Copy restic backup scripts"
ansible.builtin.copy:
src: "restic-backup-scripts/"
dest: /opt/scripts/restic/.
owner: root
group: root
mode: u+rwx
force: true
when: "ansible_os_family == 'Debian'"
- name: "Template restic backup script restic-backup_{{ inventory_hostname }}.sh"
ansible.builtin.template:
src: ../templates/restic-backup_{{ inventory_hostname }}.sh.j2
dest: /opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh
owner: root
group: root
mode: 'u+rwx'
force: true
when: "ansible_os_family == 'Debian' and 'desktops' not in group_names"
#- name: "Template restic backup script ENTWURF"
# ansible.builtin.template:
# src: ../templates/restic-backup_ENTWURF.sh.j2
# dest: /opt/scripts/restic/restic-backup_ENTWURF.sh
# owner: root
# group: root
# mode: 'u+rwx'
- name: "Template restic backup script restic-backup_desktops.sh"
ansible.builtin.template:
src: ../templates/restic-backup_desktops.sh.j2
dest: /opt/scripts/restic/restic-backup_desktops.sh
owner: root
group: root
mode: 'u+rwx'
force: true
when: "ansible_os_family == 'Debian' and 'desktops' in group_names"
- name: "Template restic prune script restic-prune.sh"
ansible.builtin.template:
src: ../templates/restic-prune.sh.j2
dest: /opt/scripts/restic/restic-prune.sh
owner: root
group: root
mode: 'u+rwx'
force: true
when: "ansible_os_family == 'Debian'"
- name: "Template environment variable file restic.env"
ansible.builtin.template:
src: ../templates/restic.env.j2
dest: /opt/scripts/restic/restic.env
owner: root
group: root
mode: '0644'
force: true
when: "ansible_os_family == 'Debian'"
- name: "Template restic password file restic-password-repo"
ansible.builtin.template:
src: ../templates/restic-password-repo.j2
dest: /opt/scripts/restic/restic-password-repo
owner: root
group: root
mode: '0440'
force: true
when: "ansible_os_family == 'Debian'"
- name: "Cronjob for Backups"
ansible.builtin.cron:
name: "Restic Backup"
minute: "0"
hour: "3"
job: "/opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh"
when: "ansible_os_family == 'Debian' and 'desktops' not in group_names"
- name: "Cronjob for Backups"
ansible.builtin.cron:
name: "Restic Backup"
minute: "0"
hour: "3"
job: "/opt/scripts/restic/restic-backup_desktops.sh"
when: "ansible_os_family == 'Debian' and 'desktops' in group_names"


@ -1,25 +0,0 @@
#!/bin/bash
source {{ restic_env_file }}
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
{% if restic_execute_before is defined %}
{{ restic_execute_before }}
{% else %}
# restic_execute_before is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
restic backup --verbose {{ restic_backup_paths }}
{% if restic_execute_after is defined %}
{{ restic_execute_after }}
{% else %}
# restic_execute_after is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
echo "done! :)"


@ -1,25 +0,0 @@
#!/bin/bash
{{ restic_env_file }}
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
{% if restic_execute_before is defined %}
{{ restic_execute_before }}
{% else %}
# restic_execute_before is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
restic backup --verbose {{ restic_backup_paths }}
{% if restic_execute_after is defined %}
{{ restic_execute_after }}
{% else %}
# restic_execute_after is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
{% endif %}
echo "done! :)"


@ -1,45 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
restic backup --verbose / \
--exclude /home/{{ user }}/.cache \
--exclude /home/{{ user }}/cache \
--exclude /home/{{ user }}/.config/Element/Cache/ \
--exclude /home/{{ user }}/.config/Element/GPUCache \
--exclude /home/{{ user }}/.config/Element/Code\ Cache/ \
--exclude /home/{{ user }}/.config/Signal/attachments.noindex \
--exclude /home/{{ user }}/.config/SchildiChat/Cache \
--exclude /home/{{ user }}/.config/SchildiChat/GPUCache \
--exclude /home/{{ user }}/.config/SchildiChat/Code\ Cache/ \
--exclude /home/{{ user }}/.config/Signal/Cache \
--exclude /home/{{ user }}/.config/Signal/GPUCache \
--exclude /home/{{ user }}/.config/Signal/Code\ Cache/ \
--exclude /home/{{ user }}/.local/share/Trash \
--exclude /home/{{ user }}/Bilder \
--exclude /home/{{ user }}/Downloads \
--exclude /home/{{ user }}/gPodder/Downloads/ \
--exclude /home/{{ user }}/Nextcloud \
--exclude /home/{{ user }}/no-backup \
--exclude /home/{{ user }}/synced_folders \
--exclude /home/{{ user }}/sync \
--exclude /home/{{ user }}/Signal_Backups \
--exclude /lost+found \
--exclude /media \
--exclude /mnt \
--exclude /proc \
--exclude /run \
--exclude /root/.cache \
--exclude /sys \
--exclude /tmp \
--exclude /var/cache \
--exclude /var/tmp
echo "done! :)"


@ -1,21 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
su - postgres --session-command 'pg_dump "{{ matrix_db_name }}" -f /opt/db_dumps/db-dump-{{ matrix_db_name }}.sql'
su - postgres --session-command 'pg_dump "mautrix_googlechat" -f /opt/db_dumps/db-dump-mautrix_googlechat.sql'
su - postgres --session-command 'pg_dump "mautrix_slack" -f /opt/db_dumps/db-dump-mautrix_slack.sql'
restic backup --verbose \
/etc/matrix-synapse \
/opt \
/var/lib/matrix-synapse
echo "done! :)"


@ -1,24 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
# systemctl disable --now mautrix-signal.service
su - postgres --session-command 'pg_dump "{{ database_vars.mautrix_signal.db }}" -f /opt/db_dumps/db-dump-mautrix-signal.sql'
restic backup --verbose \
/data-usb \
/etc/matrix-synapse \
/opt \
/var/lib/matrix-synapse
# systemctl enable --now mautrix-signal.service
echo "done! :)"


@ -1,20 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
restic backup --verbose \
/etc \
/home \
/opt \
/root \
/srv \
/var/www
echo "done! :)"


@ -1,29 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
echo "Now dumping databases, this might take a while..."
set -x
docker exec -t pretix_pg-sql.server2 pg_dumpall -c -U prtxdb > /opt/db_dumps/db-dump-pretix_db.sql
#docker exec docker-partkeepr-database-1 sh -c "exec mariadb-dump --all-databases -u{{ unhb4_mariadb_containers['partkeepr'].user }} --password=$MARIADB_PASSWORD_PARTKEEPR" > /opt/db_dumps/db-dump-partkeepr_db.sql
source /opt/scripts/restic/restic_db_passwords.env
docker exec -t engel_sql.server2 sh -c "exec mysqldump --all-databases -u{{ unhb4_mariadb_containers['engelsystem'].user }} --password=$MARIADB_PASSWORD_ENGELSYSTEM" > /opt/db_dumps/db-dump-engelsystem_db.sql
set +x
restic backup --verbose \
/etc \
/home \
/opt \
/root \
/srv \
/var/lib/docker/volumes/ \
/var/www
echo "done! :)"


@ -1,42 +0,0 @@
#!/bin/bash
#
#
# This file is managed via Ansible, do not edit manually. Changes might get overwitten.
#
#
source /opt/scripts/restic/restic.env
source /opt/scripts/restic/restic_db_passwords.env
#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
restic snapshots
if [ "$?" -eq "0" ]
then
echo "Repo is already initialized, no need to do that."
else
echo "We need to initialize the repo first." && restic init
fi
echo "Now dumping databases, this might take a while..."
set -x
docker exec -t matrix_sql.server4 pg_dumpall -c -U user_synapse_unhb > /opt/db_dumps/db-dump-synapse_db.sql
docker exec -t authentik-postgresql-1 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql
docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql
docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql
docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql
docker exec -t nextcloud_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_NEXTCLOUD" > /opt/db_dumps/db-dump-nextcloud_db.sql
docker exec -t etherpad_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_ETHERPAD" > /opt/db_dumps/db-dump-etherpad_db.sql
docker exec -t jverein_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_JVEREIN" > /opt/db_dumps/db-dump-jverein_db.sql
docker exec -t url-shortener_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_URLSHORTENER" > /opt/db_dumps/db-dump-urlshortener_db.sql
docker exec -t wiki_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_WIKI" > /opt/db_dumps/db-dump-wiki_db.sql
docker exec -t wordpress_sql.server4 sh -c "exec mysqldump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql
set +x
restic backup --verbose \
/etc \
/home \
/opt \
/root \
/srv \
/var/lib/docker/volumes/ \
/var/www
echo "done! :)"


@ -1 +0,0 @@
{{ restic_password_repo[inventory_hostname]["password"] }}


@ -1,6 +0,0 @@
#!/bin/bash
source /opt/scripts/restic/restic.env
restic forget --prune --keep-within 1m --host={{ ansible_hostname }}
echo "done! :)"


@ -1,3 +0,0 @@
#!/bin/bash
export RESTIC_REPOSITORY="{{ restic_repository_location }}{{ inventory_hostname }}"
export RESTIC_PASSWORD_FILE="/opt/scripts/restic/restic-password-repo"


@ -82,6 +82,18 @@
owner: root owner: root
group: root group: root
mode: 'u+rw' mode: 'u+rw'
force: true
register: unit
when: "ansible_os_family == 'Debian'"
- name: "Template systemd units for restic"
ansible.builtin.template:
src: "restic-prune.service.j2"
dest: "/etc/systemd/system/restic-prune.service"
owner: root
group: root
mode: 'u+rw'
force: true
register: unit register: unit
when: "ansible_os_family == 'Debian'" when: "ansible_os_family == 'Debian'"
@ -92,6 +104,18 @@
owner: root owner: root
group: root group: root
mode: 'u+rw' mode: 'u+rw'
force: true
register: unit
when: "ansible_os_family == 'Debian'"
- name: "Template systemd timers for restic"
ansible.builtin.template:
src: "restic-prune.timer.j2"
dest: "/etc/systemd/system/restic-prune.timer"
owner: root
group: root
mode: 'u+rw'
force: true
register: unit register: unit
when: "ansible_os_family == 'Debian'" when: "ansible_os_family == 'Debian'"
@ -107,6 +131,8 @@
with_items: with_items:
- "restic@{{ inventory_hostname }}.service" - "restic@{{ inventory_hostname }}.service"
- "restic@{{ inventory_hostname }}.timer" - "restic@{{ inventory_hostname }}.timer"
- "restic-prune.service"
- "restic-prune.timer"
when: unit.changed when: unit.changed
#- name: "Enable systemd units for restic-wasabi" #- name: "Enable systemd units for restic-wasabi"
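Review bot: All four template tasks in this section write to the same `register: unit` variable, so the `when: unit.changed` guard on the enable task only sees the result of the last one (`restic-prune.timer`); a change to `restic-prune.service` or to the `restic@` unit alone will not re-run the enable step and the host keeps the old unit. Either register distinct names and combine them in the `when:`, or drop the guard and `notify` a daemon-reload handler from every template task. `mode: 'u+rw'` is a relative symbolic mode that leaves the group/other bits to the umask; unit files are conventionally `"0644"` so `systemctl status` works for unprivileged users. The `restic@` template tasks start before this hunk.
```yaml
- name: "Template systemd unit and timer for restic-prune"
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - "restic-prune.service"
    - "restic-prune.timer"
  register: restic_prune_units
  when: ansible_os_family == 'Debian'
# … unchanged: restic@ unit/timer template tasks (keep `register: unit`) …
# … unchanged: enable task header and with_items …
  when: unit.changed or restic_prune_units.changed
```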


@ -9,7 +9,7 @@ else
echo "We need to initialize the repo first." && restic init echo "We need to initialize the repo first." && restic init
fi fi
restic backup --verbose \ restic backup --host="{{ inventory_hostname }}" --verbose \
/etc \ /etc \
/home \ /home \
/opt \ /opt \


@ -19,7 +19,7 @@ docker exec -t engel_sql.server2 sh -c "exec mysqldump --all-databases -uroot --
set +x set +x
restic backup --verbose \ restic backup --host="{{ inventory_hostname }}" --verbose \
/etc \ /etc \
/home \ /home \
/opt \ /opt \


@ -17,8 +17,8 @@ fi
echo "Now dumping databases, this might take a while..." echo "Now dumping databases, this might take a while..."
set -x set -x
docker exec -t matrix_sql.server4 pg_dumpall -c -U user_synapse_unhb > /opt/db_dumps/db-dump-synapse_db.sql docker exec -t matrix_sql.server4 pg_dump -Z0 -c -U user_synapse_unhb -d synapse_db > /opt/db_dumps/db-dump-synapse_db.sql
docker exec -t authentik-postgresql-1 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql docker exec -t authentik-postgresql-1.server4 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql
docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql
docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql
docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql
@ -30,13 +30,12 @@ docker exec -t wiki_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot
docker exec -t wordpress_sql.server4 sh -c "exec mysqldump --all-databases -uroot --password=$MARIADB_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql docker exec -t wordpress_sql.server4 sh -c "exec mysqldump --all-databases -uroot --password=$MARIADB_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql
set +x set +x
restic backup --verbose \ restic backup --host="{{ inventory_hostname }}" --verbose \
/etc \ /etc \
/home \ /home \
/opt \ /opt \
/root \ /root \
/srv \ /srv
/var/lib/docker/volumes/ \ # /var/lib/docker/volumes/ \
/var/www
echo "done! :)" echo "done! :)"
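Review bot: `set -x` at the top of the dump block echoes every expanded command to stderr, so the `--password=$MARIADB_PASSWORD_WORDPRESS` line (and the other mariadb-dump lines of this script) writes the database root passwords into the systemd journal on every run, and passing them on the command line also exposes them in the container's process list; prefer `docker exec -e MYSQL_PWD="$MARIADB_PASSWORD_WORDPRESS" wordpress_sql.server4 mysqldump --all-databases -uroot` and drop `set -x`, or at least bracket the secret-bearing lines with `set +x` / `set -x`. The synapse line now uses `pg_dump -d synapse_db` instead of `pg_dumpall`, which no longer captures roles, so `user_synapse_unhb` has to be recreated before a restore — worth a comment next to the line. Commenting out `/var/lib/docker/volumes/` drops any container data not covered by the dumps (uploaded files, for instance) from the backup; if that is intentional, say so in the comment. `docker exec -t` allocates a pseudo-TTY, which is known to turn LF into CRLF in redirected output — verify that a dump restores cleanly.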


@ -0,0 +1,11 @@
[Unit]
Description=This unit will start pruning restic snapshots
After=
Wants=
[Service]
Restart=no
Type=simple
ExecStart=/opt/scripts/restic/restic-prune.sh
[Install]
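Review bot: `Type=simple` describes a long-running daemon, but `restic-prune.sh` runs once and exits; `Type=oneshot` makes systemd take the unit's success or failure from the script's exit status and keeps the timer from starting a second instance while a run is still active. The empty `After=` and `Wants=` lines do nothing, and the `[Install]` section has no `WantedBy=` even though the tasks file enables `restic-prune.service` alongside its timer — systemd will warn that the unit has no installation config; drop the empty keys and enable only the timer. If `restic_repository_location` points to a remote repository, `After=network-online.target` plus `Wants=network-online.target` is the usual guard, but that depends on a value not visible here.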


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
source /opt/scripts/restic/restic.env source /opt/scripts/restic/restic.env
restic forget --prune --keep-within 1m --host={{ ansible_hostname }} restic forget --prune --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --host={{ inventory_hostname }}
echo "done! :)" echo "done! :)"
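Review bot: The script's exit status is that of the final `echo`, so a failed `restic forget --prune` (for example `repository is already locked` when the backup timer overlaps the prune timer) still exits 0 and the systemd unit records success; add `set -euo pipefail` after the shebang so restic's status propagates. The filter now uses `--host={{ inventory_hostname }}` where the previous line used `ansible_hostname`; if the two names differ, snapshots written under the old host name never match this filter and are retained forever, so run `restic snapshots` once and forget the stale host explicitly if needed.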


@ -0,0 +1,9 @@
[Unit]
Description=Timer starting restic-prune.service
[Timer]
OnCalendar={{ restic_prune_start_time }}
Unit=restic-prune.service
[Install]
WantedBy=multi-user.target
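Review bot: The timer has no `Persistent=true`, so a run missed because the host was off or asleep at `restic_prune_start_time` (the removed role still referenced a `desktops` group) is skipped instead of being caught up at the next boot; add `Persistent=true` under `[Timer]`. Timers are conventionally pulled in via `WantedBy=timers.target` rather than `multi-user.target`, and `Unit=restic-prune.service` is already the default for a timer of the same name. A `RandomizedDelaySec=` would spread the load if several hosts share the same repository root, which `restic_repository_location` suggests but does not prove.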


@ -1,9 +1,9 @@
[Unit] [Unit]
Description=Timer starting restic-wasabi.service Description=Timer starting restic.service
[Timer] [Timer]
OnCalendar={{ restic_start_time }} OnCalendar={{ restic_start_time }}
Unit=restic-wasabi@%i.service Unit=restic@%i.service
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target


@ -1,9 +1,9 @@
WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }} WATCHTOWER_POLL_INTERVAL={{ watchtower_poll_interval }}
WATCHTOWER_NOTIFICATIONS="{{ watchtower_notifications }}" WATCHTOWER_NOTIFICATIONS={{ watchtower_notifications }}
WATCHTOWER_NOTIFICATION_EMAIL_FROM="{{ watchtower_notification_email_from }}" WATCHTOWER_NOTIFICATION_EMAIL_FROM={{ watchtower_notification_email_from }}
WATCHTOWER_NOTIFICATION_EMAIL_TO="{{ watchtower_notification_email_to }}" WATCHTOWER_NOTIFICATION_EMAIL_TO={{ watchtower_notification_email_to }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER="{{ watchtower_notification_email_server }}" WATCHTOWER_NOTIFICATION_EMAIL_SERVER={{ watchtower_notification_email_server }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT="{{ watchtower_notification_email_server_port }}" WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT={{ watchtower_notification_email_server_port }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER="{{ watchtower_notification_email_server_user }}" WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER={{ watchtower_notification_email_server_user }}
WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD="{{ watchtower_notification_email_server_password }}" WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ watchtower_notification_email_server_password }}
WATCHTOWER_WARN_ON_HEAD_FAILURE="{{ watchtower_warn_on_head_failure }}" WATCHTOWER_WARN_ON_HEAD_FAILURE={{ watchtower_warn_on_head_failure }}
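Review bot: Dropping the quotes is the right fix — `docker run --env-file` takes everything after `=` literally, so the quoted form put literal `"` characters into the values — but the file now carries `WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD` in plain text and the template task that writes it is not visible here; make sure it is deployed root-owned with mode `0600`, and add a header such as `# managed by Ansible; contains SMTP credentials, keep mode 0600` so the intent survives. A value that is empty in the inventory now renders as an empty string rather than `""`; check that none of the `watchtower_*` variables relied on the old quoting.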


@ -0,0 +1,17 @@
#!/usr/bin/env bash
DATEINAMONTH=$(date --date='31 days' +%F)
if [ ! -f "authentik-api-invite.token" ]; then echo "ERROR - authentik-api.token does not exist, please save the API token to that file" && exit 1; fi
BEARERTOKEN=$(cat authentik-api-invite.token)
if [ -z ${1+x} ]; then echo "ERROR - Invite Token has no name. Spaces and special characters are not allowed. Example: ./unhb-authentik-invite.sh invite_for_jon_doe" && exit 1; fi
echo "INFO - Generating invite link for: $1"
LINK=$(curl --silent -X POST "https://auth.un-hack-bar.de/api/v3/stages/invitation/invitations/" \
-H "accept: application/json"\
-H "authorization: Bearer $BEARERTOKEN"\
-H "content-type: application/json" \
-d '{"name":"'$1'","expires":"'$DATEINAMONTH'T00:00:00.000Z","fixed_data":{},"single_use":true,"flow":"6a0afde87a4e40a3b3bb2215de9c34f0"}' | jq ".pk" -r 2>/dev/null | xargs -I {} -n 1 -0 echo 'https://auth.un-hack-bar.de/if/flow/unhb-invite-enrollment/?itoken={}')
echo $LINK | qrencode -m 2 -t utf8
echo $LINK
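Review bot: `$1` is spliced unquoted into the JSON body on the `-d` line, so a name containing `"` or `,` breaks the request or injects extra fields, while the check above it only tests for a missing argument despite telling the user that special characters are not allowed; build the body with `jq -n --arg` instead. The response is never checked either: without `--fail` and `jq -e`, an expired bearer token or any 4xx yields a link ending in `itoken=null`, and the `xargs -0` step keeps jq's trailing newline inside the argument, which only the unquoted `echo $LINK` happens to strip. The error text on the token check names `authentik-api.token` while the test looks for `authentik-api-invite.token`. Since the file holds an Authentik API bearer token read from the current directory, consider also rejecting it when it is group- or world-readable.
```shell
set -euo pipefail
# … unchanged: DATEINAMONTH, token-file and argument checks …
PAYLOAD=$(jq -n --arg name "$1" --arg expires "${DATEINAMONTH}T00:00:00.000Z" \
  '{name: $name, expires: $expires, fixed_data: {}, single_use: true, flow: "6a0afde87a4e40a3b3bb2215de9c34f0"}')
PK=$(curl --silent --fail --show-error -X POST "https://auth.un-hack-bar.de/api/v3/stages/invitation/invitations/" \
  -H "accept: application/json" \
  -H "authorization: Bearer $BEARERTOKEN" \
  -H "content-type: application/json" \
  -d "$PAYLOAD" | jq -er '.pk')
LINK="https://auth.un-hack-bar.de/if/flow/unhb-invite-enrollment/?itoken=${PK}"
echo "$LINK" | qrencode -m 2 -t utf8
echo "$LINK"
```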


@ -18,8 +18,9 @@
remote_user: root remote_user: root
roles: roles:
- watchtower_docker # Needs changes when migrating to Traefik #- watchtower_docker # Needs changes when migrating to Traefik
- pretix_docker # Needs changes when migrating to Traefik - pretix_docker # Needs changes when migrating to Traefik
- traefik_docker
- name: Set up roles on unhb4 - name: Set up roles on unhb4
hosts: unhb4 hosts: unhb4
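Review bot: Commenting out `watchtower_docker` on this host stops automatic image updates for the `pretix_docker` containers that stay in the role list, so their security patches now depend on someone running `docker pull` by hand; if this is a temporary step of the traefik migration, turn the `# Needs changes when migrating to Traefik` remark into a TODO with an owner, otherwise note how those images are kept current. `traefik_docker` is appended after `pretix_docker`, which is fine only if the pretix role does not already expect the `traefik` docker network to exist — worth confirming, as the network is created by the traefik unit outside this hunk.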


@ -0,0 +1,22 @@
Add this to your SSH Config:
```
Host unhb4
#Key: SHA256:pgNNZwqtDY4rkx99svN+UMwZ1W30kS44CJNsRbuavvg (ed25519)
HostName server4.unhb.de
User root
LocalForward 9000 localhost:9000
Host unhb-proxmox-local
#Key: SHA256:VoFtWYe3YhGSEK0m3M2O4GHxRqk0X3QwtH5rhnUo7/I (ed25519)
HostName proxmox.unhb.space
User root
```
The door is currently not managed via Ansible, but here is its config anyway:
```
Host unhb-door
HostName 192.168.88.244
User keymaster
IdentityFile ~/.ssh/YOUR_IDENTITY_FILE_FOR_THE_DOOR
```