Decouple lrproxy from valkyrie
This commit is contained in:
parent
226bd0369f
commit
34c4e29a43
@ -30,7 +30,7 @@ vpn_bridge_dnat: "\
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
# services
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
services_root_directory: "/var/lib/{{ ansible_hostname }}"
|
||||
services_root_directory: "/var/lib/{{ services_hostname }}"
|
||||
services_home_directory: "{{ services_root_directory }}/home"
|
||||
services_data_directory: "{{ services_root_directory }}/data"
|
||||
services_containers_directory: "{{ services_root_directory }}/containers"
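Review bot: `services_root_directory` now depends on `services_hostname` being set on every host that evaluates this group var, whereas `ansible_hostname` was always available, so a host without that host_var fails at template time. The hunks shown add `services_hostname` only for valkyrie and yggdrasil, and no argument_specs entry for it appears in this commit. Either add `services_hostname` to the role's argument spec with `required: true`, or keep a fallback: `services_root_directory: "/var/lib/{{ services_hostname | default(ansible_hostname) }}"`.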
|
||||
@ -40,6 +40,8 @@ services_all_services: "{{
|
||||
services_all_hosts | map('extract', hostvars, 'services_host_services') | map('dict2items') |
|
||||
flatten | items2dict }}"
|
||||
|
||||
services_resolv_host: "valkyrie"
|
||||
|
||||
services:
|
||||
rproxy: {}
|
||||
www:
|
||||
|
@ -30,6 +30,8 @@ vpn_wireguard_clients:
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
# services
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
services_hostname: "valkyrie"
|
||||
|
||||
services_host_services:
|
||||
rproxy:
|
||||
address: "{{ vpn_bridge_prefix }}.2"
|
||||
|
@ -57,6 +57,8 @@ backups_snapshots_sanoid_system_datasets:
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
# services
|
||||
# --------------------------------------------------------------------------------------------------
|
||||
services_hostname: "yggdrasil"
|
||||
|
||||
services_root_dataset: "rpool{{ services_root_directory }}"
|
||||
services_home_dataset: "rpool{{ services_home_directory }}"
|
||||
services_data_dataset: "rpool{{ services_data_directory }}"
|
||||
@ -66,6 +68,8 @@ services_host_services:
|
||||
lrproxy:
|
||||
address: "{{ vpn_bridge_prefix }}.2"
|
||||
tcp: [80, 443]
|
||||
rproxy_host: "valkyrie"
|
||||
rproxy_user: "pod-rproxy"
|
||||
database:
|
||||
address: "{{ vpn_bridge_prefix }}.3"
|
||||
cloud:
|
||||
|
@ -13,6 +13,10 @@
|
||||
dest: "/usr/local/bin/restic.bz2"
|
||||
mode: 0644
|
||||
|
||||
- name: "install bzip2"
|
||||
ansible.builtin.apt:
|
||||
name: "bzip2"
|
||||
|
||||
- name: "unpack restic binary"
|
||||
command: "bunzip2 /usr/local/bin/restic.bz2"
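Review bot: The `unpack restic binary` task is not idempotent: `bunzip2` removes `restic.bz2`, so on every later run the download task (which starts outside the hunk) re-fetches the archive and this command runs again. Adding `args:` with `creates: "/usr/local/bin/restic"` to the command, and an equivalent guard on the download, makes reruns a no-op. Separately, bunzip2 preserves the archive's permissions, so unless a later task outside the hunk sets them the unpacked binary inherits the `mode: 0644` shown above and is not executable; and if the download is `ansible.builtin.get_url`, pinning its `checksum:` parameter is worth adding since the result lands on PATH.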
|
||||
|
||||
|
@ -0,0 +1,7 @@
|
||||
---
|
||||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
services_data_dataset:
|
||||
type: "str"
|
||||
required: true
|
@ -8,9 +8,6 @@ argument_specs:
|
||||
services_service_name:
|
||||
type: "str"
|
||||
required: true
|
||||
services_data_dataset:
|
||||
type: "str"
|
||||
required: true
|
||||
services_backups_restic_services:
|
||||
type: "dict"
|
||||
elem: "dict"
|
||||
|
@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
|
||||
--label "io.containers.autoupdate=image" \
|
||||
-dt \
|
||||
--add-host=pod-database:{{ services_all_services['database'].address }} \
|
||||
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
|
||||
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
|
||||
--name=pod-cloud-cron \
|
||||
|
@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
|
||||
--label "io.containers.autoupdate=image" \
|
||||
-dt \
|
||||
--add-host=pod-database:{{ services_all_services['database'].address }} \
|
||||
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
|
||||
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
|
||||
-v ./.config/pod-cloud/database.name:/run/secrets/database.name:ro \
|
||||
|
@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \
|
||||
--replace \
|
||||
--label "io.containers.autoupdate=image" \
|
||||
-dt \
|
||||
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v ./.config/pod-cloud/nginx.conf:/etc/nginx/nginx.conf:ro \
|
||||
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
|
||||
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
|
||||
|
@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \
|
||||
--replace \
|
||||
--label "io.containers.autoupdate=image" \
|
||||
-dt \
|
||||
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v ./.config/pod-database/database.password:/run/secrets/database.password:ro \
|
||||
-e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \
|
||||
-v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \
|
||||
|
@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
|
||||
--label "io.containers.autoupdate=image" \
|
||||
-dt \
|
||||
--add-host=pod-database:{{ services_all_services['database'].address }} \
|
||||
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_data_directory }}/pod-git/data/_data:/data \
|
||||
-v /etc/timezone:/etc/timezone:ro \
|
||||
-v /etc/localtime:/etc/localtime:ro \
|
||||
|
@ -24,3 +24,11 @@ argument_specs:
|
||||
type: "dict"
|
||||
elem: "dict"
|
||||
required: true
|
||||
services_host_services:
|
||||
lrproxy:
|
||||
rproxy_host:
|
||||
type: "str"
|
||||
required: false
|
||||
rproxy_user:
|
||||
type: "str"
|
||||
required: false
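Review bot: The nested keys under `services_host_services` do not look like a valid argument spec as written: in a role's `argument_specs`, sub-keys of a dict option are declared under an `options:` key of that option, while `lrproxy:` and `rproxy_host:` here appear to sit directly beneath `services_host_services:` (indentation is lost on this page, so this is inferred from the visible key order). If that is the real structure, `ansible.builtin.validate_argument_spec` will reject `lrproxy` as an unknown spec attribute; the intended shape is `services_host_services:` → `type: "dict"` → `options:` → `lrproxy:` → `type: "dict"` → `options:` → `rproxy_host:` / `rproxy_user:`. The pre-existing `elem: "dict"` in the context lines also appears not to match the spec keyword `elements`, which suggests the validator may not actually be run against this file.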
|
||||
|
@ -38,8 +38,6 @@
|
||||
loop:
|
||||
- "pod-lrproxy.service"
|
||||
- "container-lrproxy-nginx.service"
|
||||
- "rsync-certificates.service"
|
||||
- "rsync-certificates.timer"
|
||||
register: services_deploy_lrproxy_systemd_files
|
||||
|
||||
- name: "systemd user daemon reload"
|
||||
@ -49,13 +47,6 @@
|
||||
when:
|
||||
services_deploy_lrproxy_systemd_files.changed
|
||||
|
||||
- name: "enable rsync-certificates timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "rsync-certificates.timer"
|
||||
enabled: true
|
||||
scope: "user"
|
||||
register: services_deploy_lrproxy_rsync_certificates_timer
|
||||
|
||||
- name: "generate diffie hellman ephemeral parameters"
|
||||
ansible.builtin.command: >-
|
||||
openssl dhparam
|
||||
@ -66,30 +57,63 @@
|
||||
{{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
|
||||
register: services_deploy_lrproxy_dhparam
|
||||
|
||||
- name: "create the .ssh directory"
|
||||
ansible.builtin.file:
|
||||
path: "{{ services_service_user_home }}/.ssh"
|
||||
state: "directory"
|
||||
mode: 0700
|
||||
- block:
|
||||
|
||||
- name: "generate ssh keypair for rsync"
|
||||
community.crypto.openssh_keypair:
|
||||
path: "{{ services_service_user_home }}/.ssh/valkyrie-pod-rproxy"
|
||||
type: "ed25519"
|
||||
register: services_deploy_lrproxy_keypair
|
||||
- name: "configure rsync-certificates service"
|
||||
ansible.builtin.template:
|
||||
src: "./systemd/{{ item }}.j2"
|
||||
dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
|
||||
mode: 0600
|
||||
loop:
|
||||
- "rsync-certificates.service"
|
||||
- "rsync-certificates.timer"
|
||||
register: services_deploy_lrproxy_rsync_certificates_files
|
||||
|
||||
- name: "configure public key on valkyrie"
|
||||
delegate_to: "valkyrie"
|
||||
become_user: "pod-rproxy"
|
||||
ansible.posix.authorized_key:
|
||||
user: "pod-rproxy"
|
||||
state: "present"
|
||||
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
|
||||
key_options: "\
|
||||
command=\"rsync --server --sender -avz . \
|
||||
{{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/\
|
||||
\",from=\"{{ vpn_wireguard_address }}\",\
|
||||
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
|
||||
- name: "systemd user daemon reload"
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
scope: "user"
|
||||
when:
|
||||
services_deploy_lrproxy_rsync_certificates_files.changed
|
||||
|
||||
- name: "enable rsync-certificates timer"
|
||||
ansible.builtin.systemd:
|
||||
name: "rsync-certificates.timer"
|
||||
enabled: true
|
||||
scope: "user"
|
||||
register: services_deploy_lrproxy_rsync_certificates_timer
|
||||
|
||||
- name: "create the .ssh directory"
|
||||
ansible.builtin.file:
|
||||
path: "{{ services_service_user_home }}/.ssh"
|
||||
state: "directory"
|
||||
mode: 0700
|
||||
|
||||
- name: "generate ssh keypair for rsync"
|
||||
community.crypto.openssh_keypair:
|
||||
path: "\
|
||||
{{ services_service_user_home }}/.ssh/\
|
||||
{{ services_host_services.lrproxy.rproxy_host }}-\
|
||||
{{ services_host_services.lrproxy.rproxy_user }}"
|
||||
type: "ed25519"
|
||||
register: services_deploy_lrproxy_keypair
|
||||
|
||||
- name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
|
||||
delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
|
||||
become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
|
||||
ansible.posix.authorized_key:
|
||||
user: "{{ services_host_services.lrproxy.rproxy_user }}"
|
||||
state: "present"
|
||||
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
|
||||
key_options: "\
|
||||
command=\"rsync --server --sender -avz . \
|
||||
{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
|
||||
{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
|
||||
\",from=\"{{ vpn_wireguard_address }}\",\
|
||||
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
|
||||
|
||||
when:
|
||||
services_host_services.lrproxy.rproxy_host is defined
|
||||
|
||||
- name: "get uid"
|
||||
ansible.builtin.getent:
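Review bot: The block's guard `services_host_services.lrproxy.rproxy_host is defined` does not cover `rproxy_user`, which the argument spec in this commit also marks `required: false`; a host that sets `rproxy_host` but not `rproxy_user` fails inside the block when the keypair path, `become_user` and `authorized_key.user` are templated. Tighten the guard to `when: services_host_services.lrproxy.rproxy_host is defined and services_host_services.lrproxy.rproxy_user is defined`. Note also that `rproxy_user` is interpolated into the forced `command=` string of the authorized key inside shell quoting, so a value containing spaces or quotes would break the restriction rather than be rejected; an `ansible.builtin.assert` on the two values at the top of the block (for example requiring them to match `^[A-Za-z0-9_.-]+$`) would make that explicit. The moved `mode: 0700` / `mode: 0600` values are unquoted octal literals and are safer written as `"0700"` / `"0600"`.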
|
||||
@ -113,6 +137,7 @@
|
||||
when:
|
||||
(services_deploy_lrproxy_config_files.changed or
|
||||
services_deploy_lrproxy_systemd_files.changed or
|
||||
services_deploy_lrproxy_rsync_certificates_files.changed or
|
||||
services_deploy_lrproxy_rsync_certificates_timer.changed or
|
||||
services_deploy_lrproxy_dhparam.changed or
|
||||
services_deploy_lrproxy_keypair.changed) and
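Review bot: The restart condition now reads `.changed` from `services_deploy_lrproxy_rsync_certificates_files` and `..._timer`, which are registered inside the block that is skipped when `rproxy_host` is undefined; this works only because Ansible registers a skipped result (with `changed: false`) for skipped tasks. Making that explicit with `services_deploy_lrproxy_rsync_certificates_files.changed | default(false) or` (and the same for the timer variable) keeps the condition robust if the block is later restructured or one of the registrations removed. The `when:` expression continues outside the hunk.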
|
||||
|
@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
|
||||
--label "io.containers.autoupdate=image" \
|
||||
-dt \
|
||||
{{ services_rproxy_nginx_add_hosts }} \
|
||||
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
|
||||
-v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
|
||||
-v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
|
||||
|
@ -5,8 +5,8 @@ OnFailure=status-mail@%n.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' \
|
||||
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/{{ services_host_services.lrproxy.rproxy_host }}-{{ services_host_services.lrproxy.rproxy_user }} -l {{ services_host_services.lrproxy.rproxy_user }}' \
|
||||
-avz \
|
||||
--delete \
|
||||
{{ hostvars['valkyrie'].vpn_wireguard_address }}:{{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/ \
|
||||
{{ hostvars['yggdrasil'].services_data_directory }}/pod-lrproxy/etc-letsencrypt
|
||||
{{ hostvars[services_host_services.lrproxy.rproxy_host].vpn_wireguard_address }}:{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/ \
|
||||
{{ services_data_directory }}/pod-lrproxy/etc-letsencrypt
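Review bot: The rewritten `ExecStart` runs `ssh` against a host now chosen by `rproxy_host` without any host-key option, so the timer job succeeds non-interactively only if that host's key is already in the service user's `known_hosts`; nothing in this commit's hunks provisions it for the now-variable host, and the earlier fixed-host setup may have relied on it being seeded by hand (inferred). A task in the same conditional block that populates `{{ services_service_user_home }}/.ssh/known_hosts` for `services_host_services.lrproxy.rproxy_host` (for example via `ansible.builtin.known_hosts`) would close that gap without relaxing `StrictHostKeyChecking` in the `-e` string. The new `ExecStart` line is also very long; moving the `-e '…'` argument onto its own continuation line would read better.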
|
||||
|
@ -22,7 +22,7 @@ ExecStart=/usr/bin/podman run \
|
||||
--label "io.containers.autoupdate=image" \
|
||||
-dt \
|
||||
--add-host=pod-database:{{ services_all_services['database'].address }} \
|
||||
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
|
||||
-v {{ services_data_directory }}/pod-notes/data/_data:/data \
|
||||
-e APP_BASE_URL="https://{{ services[services_service_name].domain }}" \
|
||||
-e APP_PORT="22300" \
|
||||
|
@ -1,16 +1,14 @@
|
||||
---
|
||||
- name: "nameserver : fetch valkyrie's resolv.conf"
|
||||
- name: "nameserver : fetch {{ services_resolv_host }}'s resolv.conf"
|
||||
ansible.builtin.fetch:
|
||||
src: "/etc/resolv.conf"
|
||||
dest: "./files/services/setup/system/nameserver/"
|
||||
flat: true
|
||||
when:
|
||||
ansible_hostname == "valkyrie"
|
||||
ansible_hostname == services_resolv_host
|
||||
|
||||
- name: "nameserver : copy valkyrie's resolv.conf to other hosts"
|
||||
- name: "nameserver : copy {{ services_resolv_host }}'s resolv.conf to other hosts"
|
||||
ansible.builtin.copy:
|
||||
src: "files/services/setup/system/nameserver/resolv.conf"
|
||||
dest: "{{ services_root_directory }}/valkyrie-resolv.conf"
|
||||
dest: "{{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf"
|
||||
mode: 0644
|
||||
when:
|
||||
ansible_hostname != "valkyrie"
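Review bot: The final condition `ansible_hostname != "valkyrie"` on the copy task still hard-codes the host while the rest of the file now uses `services_resolv_host`; the page shows it once without a marker and the hunk header's counts (16 old, 14 new lines) suggest two lines were dropped, so it may be a survivor or a removed pair. If it survives on the new side it should read `ansible_hostname != services_resolv_host`, otherwise the copy also runs on the resolv host once that variable changes. If the `when:` was removed entirely, the copy now runs on the resolv host as well, which the fetch task's condition suggests is not intended.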
|
||||
|