Decouple lrproxy from valkyrie

This commit is contained in:
Wojciech Kozlowski 2023-02-12 19:37:33 +01:00
parent 226bd0369f
commit 34c4e29a43
17 changed files with 98 additions and 51 deletions


@ -30,7 +30,7 @@ vpn_bridge_dnat: "\
# --------------------------------------------------------------------------------------------------
# services
# --------------------------------------------------------------------------------------------------
services_root_directory: "/var/lib/{{ ansible_hostname }}"
services_root_directory: "/var/lib/{{ services_hostname }}"
services_home_directory: "{{ services_root_directory }}/home"
services_data_directory: "{{ services_root_directory }}/data"
services_containers_directory: "{{ services_root_directory }}/containers"
@ -40,6 +40,8 @@ services_all_services: "{{
services_all_hosts | map('extract', hostvars, 'services_host_services') | map('dict2items') |
flatten | items2dict }}"
services_resolv_host: "valkyrie"
services:
rproxy: {}
www:
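Review bot: `services_resolv_host: "valkyrie"` is introduced without a comment saying what the name controls, although several unit templates in this commit build a bind-mount path from it (`{{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf`) and the nameserver tasks compare `ansible_hostname` against it. I would put `# Host whose /etc/resolv.conf is fetched and copied to the other hosts as <host>-resolv.conf; the nameserver setup tasks key on this name.` above it. The same applies to `services_root_directory`, which now depends on `services_hostname` being declared in every host's host_vars instead of on the fact `ansible_hostname`; a one-line comment such as `# requires services_hostname in each host's host_vars` would make the new contract visible where the path is defined. Both hunks of this section are cut from a larger vars file, so the surrounding keys are not visible here.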


@ -30,6 +30,8 @@ vpn_wireguard_clients:
# --------------------------------------------------------------------------------------------------
# services
# --------------------------------------------------------------------------------------------------
services_hostname: "valkyrie"
services_host_services:
rproxy:
address: "{{ vpn_bridge_prefix }}.2"


@ -57,6 +57,8 @@ backups_snapshots_sanoid_system_datasets:
# --------------------------------------------------------------------------------------------------
# services
# --------------------------------------------------------------------------------------------------
services_hostname: "yggdrasil"
services_root_dataset: "rpool{{ services_root_directory }}"
services_home_dataset: "rpool{{ services_home_directory }}"
services_data_dataset: "rpool{{ services_data_directory }}"
@ -66,6 +68,8 @@ services_host_services:
lrproxy:
address: "{{ vpn_bridge_prefix }}.2"
tcp: [80, 443]
rproxy_host: "valkyrie"
rproxy_user: "pod-rproxy"
database:
address: "{{ vpn_bridge_prefix }}.3"
cloud:


@ -13,6 +13,10 @@
dest: "/usr/local/bin/restic.bz2"
mode: 0644
- name: "install bzip2"
ansible.builtin.apt:
name: "bzip2"
- name: "unpack restic binary"
command: "bunzip2 /usr/local/bin/restic.bz2"


@ -0,0 +1,7 @@
---
argument_specs:
main:
options:
services_data_dataset:
type: "str"
required: true


@ -8,9 +8,6 @@ argument_specs:
services_service_name:
type: "str"
required: true
services_data_dataset:
type: "str"
required: true
services_backups_restic_services:
type: "dict"
elem: "dict"


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \
-dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
--name=pod-cloud-cron \
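Review bot: The resolv.conf bind mount `-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro` is now spelled out identically in seven podman unit templates in this commit (this one and the six other `ExecStart=/usr/bin/podman run` hunks), so the next change to that path must be repeated in every template and a missed one silently keeps the old mount. A single group-level variable, e.g. `services_resolv_conf_mount: "{{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro"`, referenced from each unit as `-v {{ services_resolv_conf_mount }} \`, would keep them in lockstep. The `ExecStart=` line continues outside the hunk on both sides in every one of these templates.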


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \
-dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
-v ./.config/pod-cloud/database.name:/run/secrets/database.name:ro \


@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \
--replace \
--label "io.containers.autoupdate=image" \
-dt \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-cloud/nginx.conf:/etc/nginx/nginx.conf:ro \
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \


@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \
--replace \
--label "io.containers.autoupdate=image" \
-dt \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-database/database.password:/run/secrets/database.password:ro \
-e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \
-v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \
-dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-git/data/_data:/data \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \


@ -24,3 +24,11 @@ argument_specs:
type: "dict"
elem: "dict"
required: true
services_host_services:
lrproxy:
rproxy_host:
type: "str"
required: false
rproxy_user:
type: "str"
required: false
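Review bot: The new `rproxy_host` and `rproxy_user` entries are declared as independently optional, but the deploy tasks in this commit use both together (keypair path, `delegate_to`, `become_user`, `user`, the rsync path in `key_options`) and guard only on `rproxy_host is defined`, so setting one without the other fails at template time instead of at argument validation. Each should carry a `description:` that states the pairing, e.g. `description: "Inventory host that serves the certificates; must be set together with rproxy_user."` and the mirror text on `rproxy_user`. As printed, the nesting `services_host_services:` → `lrproxy:` → `rproxy_host:` has no `type: "dict"` / `options:` at the intermediate levels; if this is meant to be a nested option spec, argument validation expects those keys, so it is worth confirming that the sub-options are actually validated rather than ignored. The enclosing `argument_specs` mapping starts outside the hunk.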


@ -38,8 +38,6 @@
loop:
- "pod-lrproxy.service"
- "container-lrproxy-nginx.service"
- "rsync-certificates.service"
- "rsync-certificates.timer"
register: services_deploy_lrproxy_systemd_files
- name: "systemd user daemon reload"
@ -49,13 +47,6 @@
when:
services_deploy_lrproxy_systemd_files.changed
- name: "enable rsync-certificates timer"
ansible.builtin.systemd:
name: "rsync-certificates.timer"
enabled: true
scope: "user"
register: services_deploy_lrproxy_rsync_certificates_timer
- name: "generate diffie hellman ephemeral parameters"
ansible.builtin.command: >-
openssl dhparam
@ -66,30 +57,63 @@
{{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
register: services_deploy_lrproxy_dhparam
- name: "create the .ssh directory"
ansible.builtin.file:
path: "{{ services_service_user_home }}/.ssh"
state: "directory"
mode: 0700
- block:
- name: "generate ssh keypair for rsync"
community.crypto.openssh_keypair:
path: "{{ services_service_user_home }}/.ssh/valkyrie-pod-rproxy"
type: "ed25519"
register: services_deploy_lrproxy_keypair
- name: "configure rsync-certificates service"
ansible.builtin.template:
src: "./systemd/{{ item }}.j2"
dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
mode: 0600
loop:
- "rsync-certificates.service"
- "rsync-certificates.timer"
register: services_deploy_lrproxy_rsync_certificates_files
- name: "configure public key on valkyrie"
delegate_to: "valkyrie"
become_user: "pod-rproxy"
ansible.posix.authorized_key:
user: "pod-rproxy"
state: "present"
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
key_options: "\
command=\"rsync --server --sender -avz . \
{{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/\
\",from=\"{{ vpn_wireguard_address }}\",\
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
- name: "systemd user daemon reload"
ansible.builtin.systemd:
daemon_reload: true
scope: "user"
when:
services_deploy_lrproxy_rsync_certificates_files.changed
- name: "enable rsync-certificates timer"
ansible.builtin.systemd:
name: "rsync-certificates.timer"
enabled: true
scope: "user"
register: services_deploy_lrproxy_rsync_certificates_timer
- name: "create the .ssh directory"
ansible.builtin.file:
path: "{{ services_service_user_home }}/.ssh"
state: "directory"
mode: 0700
- name: "generate ssh keypair for rsync"
community.crypto.openssh_keypair:
path: "\
{{ services_service_user_home }}/.ssh/\
{{ services_host_services.lrproxy.rproxy_host }}-\
{{ services_host_services.lrproxy.rproxy_user }}"
type: "ed25519"
register: services_deploy_lrproxy_keypair
- name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
ansible.posix.authorized_key:
user: "{{ services_host_services.lrproxy.rproxy_user }}"
state: "present"
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
key_options: "\
command=\"rsync --server --sender -avz . \
{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
\",from=\"{{ vpn_wireguard_address }}\",\
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
when:
services_host_services.lrproxy.rproxy_host is defined
- name: "get uid"
ansible.builtin.getent:
@ -113,6 +137,7 @@
when:
(services_deploy_lrproxy_config_files.changed or
services_deploy_lrproxy_systemd_files.changed or
services_deploy_lrproxy_rsync_certificates_files.changed or
services_deploy_lrproxy_rsync_certificates_timer.changed or
services_deploy_lrproxy_dhparam.changed or
services_deploy_lrproxy_keypair.changed) and
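Review bot: The block that installs the public key on the rproxy host is gated only on `services_host_services.lrproxy.rproxy_host is defined`, while every task in it also templates `services_host_services.lrproxy.rproxy_user` and the argument spec in this commit makes both optional; a host that sets `rproxy_host` without `rproxy_user` fails with an undefined-variable error partway through the block. Guard on both: `when: services_host_services.lrproxy.rproxy_host is defined and services_host_services.lrproxy.rproxy_user is defined`. The forced command in `key_options` (`rsync --server --sender -avz . <data_directory>/<rproxy_user>/etc-letsencrypt/`) is what the restricted key serves regardless of the path the client asks for, so it has to agree with the source path in rsync-certificates.service; a mismatch would silently pull a different directory rather than fail, and a comment on `key_options` naming that template would make the pairing visible. The task list continues outside the hunk at both ends.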


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \
-dt \
{{ services_rproxy_nginx_add_hosts }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
-v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
-v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \


@ -5,8 +5,8 @@ OnFailure=status-mail@%n.service
[Service]
Type=oneshot
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' \
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/{{ services_host_services.lrproxy.rproxy_host }}-{{ services_host_services.lrproxy.rproxy_user }} -l {{ services_host_services.lrproxy.rproxy_user }}' \
-avz \
--delete \
{{ hostvars['valkyrie'].vpn_wireguard_address }}:{{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/ \
{{ hostvars['yggdrasil'].services_data_directory }}/pod-lrproxy/etc-letsencrypt
{{ hostvars[services_host_services.lrproxy.rproxy_host].vpn_wireguard_address }}:{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/ \
{{ services_data_directory }}/pod-lrproxy/etc-letsencrypt
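Review bot: The rsync source path now uses `{{ services_host_services.lrproxy.rproxy_user }}` as a directory name under the remote `services_data_directory`, so the certificate directory on the rproxy host is assumed to be named after the user that serves it; that happened to hold for the old literal `pod-rproxy`, but it is now an unstated convention shared with the forced command in the lrproxy deploy task. I would record it in the template, `# the remote data subdirectory is assumed to share the rproxy user's name; keep in sync with the forced command in services/deploy/lrproxy`. The `ssh -i .ssh/...` key path is relative and so depends on the unit's working directory being the service user's home, which is outside the hunk. The rewritten `ExecStart=` line is long enough that splitting the `-e` argument onto its own `\`-continued line would help readability.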


@ -22,7 +22,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \
-dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-notes/data/_data:/data \
-e APP_BASE_URL="https://{{ services[services_service_name].domain }}" \
-e APP_PORT="22300" \


@ -1,16 +1,14 @@
---
- name: "nameserver : fetch valkyrie's resolv.conf"
- name: "nameserver : fetch {{ services_resolv_host }}'s resolv.conf"
ansible.builtin.fetch:
src: "/etc/resolv.conf"
dest: "./files/services/setup/system/nameserver/"
flat: true
when:
ansible_hostname == "valkyrie"
ansible_hostname == services_resolv_host
- name: "nameserver : copy valkyrie's resolv.conf to other hosts"
- name: "nameserver : copy {{ services_resolv_host }}'s resolv.conf to other hosts"
ansible.builtin.copy:
src: "files/services/setup/system/nameserver/resolv.conf"
dest: "{{ services_root_directory }}/valkyrie-resolv.conf"
dest: "{{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf"
mode: 0644
when:
ansible_hostname != "valkyrie"