From 34c4e29a430518ed082da5c3e3c5e49f87663ed7 Mon Sep 17 00:00:00 2001 From: Wojciech Kozlowski Date: Sun, 12 Feb 2023 19:37:33 +0100 Subject: [PATCH] Decouple lrproxy from valkyrie --- inventory/group_vars/asgard/vars.yml | 4 +- inventory/host_vars/valkyrie/vars.yml | 2 + inventory/host_vars/yggdrasil/vars.yml | 4 + .../roles/backups/restic/setup/tasks/main.yml | 4 + .../backups/include/meta/argument_specs.yml | 7 ++ .../backups/restic/meta/argument_specs.yml | 3 - .../systemd/container-cloud-cron.service.j2 | 2 +- .../container-cloud-nextcloud.service.j2 | 2 +- .../systemd/container-cloud-nginx.service.j2 | 2 +- .../container-database-postgres.service.j2 | 2 +- .../systemd/container-git-gitea.service.j2 | 2 +- .../deploy/lrproxy/meta/argument_specs.yml | 8 ++ .../services/deploy/lrproxy/tasks/main.yml | 87 ++++++++++++------- .../container-lrproxy-nginx.service.j2 | 2 +- .../systemd/rsync-certificates.service.j2 | 6 +- .../systemd/container-notes-joplin.service.j2 | 2 +- .../setup/system/tasks/include/nameserver.yml | 10 +-- 17 files changed, 98 insertions(+), 51 deletions(-) create mode 100644 playbooks/roles/services/backups/include/meta/argument_specs.yml diff --git a/inventory/group_vars/asgard/vars.yml b/inventory/group_vars/asgard/vars.yml index ec9bcab..522b3bf 100644 --- a/inventory/group_vars/asgard/vars.yml +++ b/inventory/group_vars/asgard/vars.yml @@ -30,7 +30,7 @@ vpn_bridge_dnat: "\ # -------------------------------------------------------------------------------------------------- # services # -------------------------------------------------------------------------------------------------- -services_root_directory: "/var/lib/{{ ansible_hostname }}" +services_root_directory: "/var/lib/{{ services_hostname }}" services_home_directory: "{{ services_root_directory }}/home" services_data_directory: "{{ services_root_directory }}/data" services_containers_directory: "{{ services_root_directory }}/containers" 
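Review bot: `services_hostname` only receives a value in the two host_vars files this patch touches, so any other member of the asgard group now fails with an undefined variable at the first use of `services_root_directory`, where `ansible_hostname` always had a value. A group-level default in this same file, `services_hostname: "{{ inventory_hostname }}"`, keeps the decoupling from gathered facts and still lets host_vars override it. I am assuming the inventory names match the directory names under /var/lib, which the host_vars values "valkyrie" and "yggdrasil" suggest.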
@@ -40,6 +40,8 @@ services_all_services: "{{ services_all_hosts | map('extract', hostvars, 'services_host_services') | map('dict2items') | flatten | items2dict }}" +services_resolv_host: "valkyrie" + services: rproxy: {} www: diff --git a/inventory/host_vars/valkyrie/vars.yml b/inventory/host_vars/valkyrie/vars.yml index 7a0d18b..dae3bb3 100644 --- a/inventory/host_vars/valkyrie/vars.yml +++ b/inventory/host_vars/valkyrie/vars.yml @@ -30,6 +30,8 @@ vpn_wireguard_clients: # -------------------------------------------------------------------------------------------------- # services # -------------------------------------------------------------------------------------------------- +services_hostname: "valkyrie" + services_host_services: rproxy: address: "{{ vpn_bridge_prefix }}.2" diff --git a/inventory/host_vars/yggdrasil/vars.yml b/inventory/host_vars/yggdrasil/vars.yml index 6b2ef3d..2fb6647 100644 --- a/inventory/host_vars/yggdrasil/vars.yml +++ b/inventory/host_vars/yggdrasil/vars.yml @@ -57,6 +57,8 @@ backups_snapshots_sanoid_system_datasets: # -------------------------------------------------------------------------------------------------- # services # -------------------------------------------------------------------------------------------------- +services_hostname: "yggdrasil" + services_root_dataset: "rpool{{ services_root_directory }}" services_home_dataset: "rpool{{ services_home_directory }}" services_data_dataset: "rpool{{ services_data_directory }}" @@ -66,6 +68,8 @@ services_host_services: lrproxy: address: "{{ vpn_bridge_prefix }}.2" tcp: [80, 443] + rproxy_host: "valkyrie" + rproxy_user: "pod-rproxy" database: address: "{{ vpn_bridge_prefix }}.3" cloud: diff --git a/playbooks/roles/backups/restic/setup/tasks/main.yml b/playbooks/roles/backups/restic/setup/tasks/main.yml index c6edadd..8030646 100644 --- a/playbooks/roles/backups/restic/setup/tasks/main.yml +++ b/playbooks/roles/backups/restic/setup/tasks/main.yml 
@@ -13,6 +13,10 @@ dest: "/usr/local/bin/restic.bz2" mode: 0644 + - name: "install bzip2" + ansible.builtin.apt: + name: "bzip2" + - name: "unpack restic binary" command: "bunzip2 /usr/local/bin/restic.bz2" diff --git a/playbooks/roles/services/backups/include/meta/argument_specs.yml b/playbooks/roles/services/backups/include/meta/argument_specs.yml new file mode 100644 index 0000000..ff7595a --- /dev/null +++ b/playbooks/roles/services/backups/include/meta/argument_specs.yml @@ -0,0 +1,7 @@ +--- +argument_specs: + main: + options: + services_data_dataset: + type: "str" + required: true diff --git a/playbooks/roles/services/backups/restic/meta/argument_specs.yml b/playbooks/roles/services/backups/restic/meta/argument_specs.yml index 4922206..ec0e528 100644 --- a/playbooks/roles/services/backups/restic/meta/argument_specs.yml +++ b/playbooks/roles/services/backups/restic/meta/argument_specs.yml @@ -8,9 +8,6 @@ argument_specs: services_service_name: type: "str" required: true - services_data_dataset: - type: "str" - required: true services_backups_restic_services: type: "dict" elem: "dict" diff --git a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-cron.service.j2 b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-cron.service.j2 index c0cb4ab..ae82a0a 100644 --- a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-cron.service.j2 +++ b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-cron.service.j2 
@@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \ --label "io.containers.autoupdate=image" \ -dt \ --add-host=pod-database:{{ services_all_services['database'].address }} \ - -v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ + -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \ -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \ --name=pod-cloud-cron \ diff --git a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nextcloud.service.j2 b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nextcloud.service.j2 index 175df20..d99866e 100644 --- a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nextcloud.service.j2 +++ b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nextcloud.service.j2 @@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \ --label "io.containers.autoupdate=image" \ -dt \ --add-host=pod-database:{{ services_all_services['database'].address }} \ - -v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ + -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \ -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \ -v ./.config/pod-cloud/database.name:/run/secrets/database.name:ro \ diff --git a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nginx.service.j2 b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nginx.service.j2 index 9a7117f..5921aa6 100644 --- a/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nginx.service.j2 +++ b/playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-nginx.service.j2 
@@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \ --replace \ --label "io.containers.autoupdate=image" \ -dt \ - -v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ + -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \ -v ./.config/pod-cloud/nginx.conf:/etc/nginx/nginx.conf:ro \ -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \ -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \ diff --git a/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service.j2 b/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service.j2 index 790574b..f689aa3 100644 --- a/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service.j2 +++ b/playbooks/roles/services/deploy/database/templates/systemd/container-database-postgres.service.j2 @@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \ --replace \ --label "io.containers.autoupdate=image" \ -dt \ - -v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ + -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \ -v ./.config/pod-database/database.password:/run/secrets/database.password:ro \ -e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \ -v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \ diff --git a/playbooks/roles/services/deploy/git/templates/systemd/container-git-gitea.service.j2 b/playbooks/roles/services/deploy/git/templates/systemd/container-git-gitea.service.j2 index 636ef72..45e8ead 100644 --- a/playbooks/roles/services/deploy/git/templates/systemd/container-git-gitea.service.j2 +++ b/playbooks/roles/services/deploy/git/templates/systemd/container-git-gitea.service.j2 
@@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \ --label "io.containers.autoupdate=image" \ -dt \ --add-host=pod-database:{{ services_all_services['database'].address }} \ - -v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ + -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_data_directory }}/pod-git/data/_data:/data \ -v /etc/timezone:/etc/timezone:ro \ -v /etc/localtime:/etc/localtime:ro \ diff --git a/playbooks/roles/services/deploy/lrproxy/meta/argument_specs.yml b/playbooks/roles/services/deploy/lrproxy/meta/argument_specs.yml index 8ae8103..4a43ae8 100644 --- a/playbooks/roles/services/deploy/lrproxy/meta/argument_specs.yml +++ b/playbooks/roles/services/deploy/lrproxy/meta/argument_specs.yml @@ -24,3 +24,11 @@ argument_specs: type: "dict" elem: "dict" required: true + services_host_services: + lrproxy: + rproxy_host: + type: "str" + required: false + rproxy_user: + type: "str" + required: false diff --git a/playbooks/roles/services/deploy/lrproxy/tasks/main.yml b/playbooks/roles/services/deploy/lrproxy/tasks/main.yml index 513b9cc..7ee46c3 100644 --- a/playbooks/roles/services/deploy/lrproxy/tasks/main.yml +++ b/playbooks/roles/services/deploy/lrproxy/tasks/main.yml @@ -38,8 +38,6 @@ loop: - "pod-lrproxy.service" - "container-lrproxy-nginx.service" - - "rsync-certificates.service" - - "rsync-certificates.timer" register: services_deploy_lrproxy_systemd_files - name: "systemd user daemon reload" @@ -49,13 +47,6 @@ when: services_deploy_lrproxy_systemd_files.changed - - name: "enable rsync-certificates timer" - ansible.builtin.systemd: - name: "rsync-certificates.timer" - enabled: true - scope: "user" - register: services_deploy_lrproxy_rsync_certificates_timer - - name: "generate diffie hellman ephemeral parameters" ansible.builtin.command: >- openssl dhparam 
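Review bot: In the lrproxy argument_specs hunk the added `services_host_services:` entry nests `lrproxy:` directly under the option name, which is not the shape the role argument-spec validator reads; as far as I can tell a nested option must be declared with `type: "dict"` and an `options:` map, so the `rproxy_host`/`rproxy_user` specs are unlikely to be validated at all as written. If `services_host_services` is already declared among the options above this hunk (the context shows only `type`/`elem`/`required` without the key name), this is also a duplicate mapping key and the later entry silently replaces the earlier one. The conventional nesting is below; the `required: false` values are kept since the tasks hunk guards on `rproxy_host is defined`.
```yaml
# … unchanged: preceding options …
  services_host_services:
    type: "dict"
    options:
      lrproxy:
        type: "dict"
        options:
          rproxy_host:
            type: "str"
            required: false
          rproxy_user:
            type: "str"
            required: false
```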
@@ -66,30 +57,63 @@ {{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem" register: services_deploy_lrproxy_dhparam - - name: "create the .ssh directory" - ansible.builtin.file: - path: "{{ services_service_user_home }}/.ssh" - state: "directory" - mode: 0700 + - block: - - name: "generate ssh keypair for rsync" - community.crypto.openssh_keypair: - path: "{{ services_service_user_home }}/.ssh/valkyrie-pod-rproxy" - type: "ed25519" - register: services_deploy_lrproxy_keypair + - name: "configure rsync-certificates service" + ansible.builtin.template: + src: "./systemd/{{ item }}.j2" + dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}" + mode: 0600 + loop: + - "rsync-certificates.service" + - "rsync-certificates.timer" + register: services_deploy_lrproxy_rsync_certificates_files - - name: "configure public key on valkyrie" - delegate_to: "valkyrie" - become_user: "pod-rproxy" - ansible.posix.authorized_key: - user: "pod-rproxy" - state: "present" - key: "{{ services_deploy_lrproxy_keypair.public_key }}" - key_options: "\ - command=\"rsync --server --sender -avz . 
\ - {{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/\ - \",from=\"{{ vpn_wireguard_address }}\",\ - no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding" + - name: "systemd user daemon reload" + ansible.builtin.systemd: + daemon_reload: true + scope: "user" + when: + services_deploy_lrproxy_rsync_certificates_files.changed + + - name: "enable rsync-certificates timer" + ansible.builtin.systemd: + name: "rsync-certificates.timer" + enabled: true + scope: "user" + register: services_deploy_lrproxy_rsync_certificates_timer + + - name: "create the .ssh directory" + ansible.builtin.file: + path: "{{ services_service_user_home }}/.ssh" + state: "directory" + mode: 0700 + + - name: "generate ssh keypair for rsync" + community.crypto.openssh_keypair: + path: "\ + {{ services_service_user_home }}/.ssh/\ + {{ services_host_services.lrproxy.rproxy_host }}-\ + {{ services_host_services.lrproxy.rproxy_user }}" + type: "ed25519" + register: services_deploy_lrproxy_keypair + + - name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}" + delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}" + become_user: "{{ services_host_services.lrproxy.rproxy_user }}" + ansible.posix.authorized_key: + user: "{{ services_host_services.lrproxy.rproxy_user }}" + state: "present" + key: "{{ services_deploy_lrproxy_keypair.public_key }}" + key_options: "\ + command=\"rsync --server --sender -avz . \ + {{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\ + {{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\ + \",from=\"{{ vpn_wireguard_address }}\",\ + no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding" + + when: + services_host_services.lrproxy.rproxy_host is defined - name: "get uid" ansible.builtin.getent: 
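Review bot: The block's `when` at the end of the hunk gates only on `rproxy_host is defined`, while `rproxy_user` (declared `required: false` in the argument spec) is used unconditionally in the keypair path, `become_user`, the authorized_key `user` and the forced rsync command, so a host that sets only `rproxy_host` fails mid-block after the rsync-certificates timer has already been enabled. Gate on both: `when: services_host_services.lrproxy.rproxy_host is defined and services_host_services.lrproxy.rproxy_user is defined`. The restriction on the pushed key (`command=`, `from=` and the `no-*` options) is carried over intact from the removed task, which is the right shape for a key that may only serve one directory; a one-line comment above the authorized_key task, `# key is restricted to sending the rproxy letsencrypt directory from the lrproxy VPN address only`, would record that intent for the next reader. The registered `..._rsync_certificates_files`, `..._timer` and `..._keypair` results are referenced by a later `when` (the next hunk); as far as I know Ansible still registers a result with `changed: false` for skipped tasks, so that reference stays safe when the whole block is skipped, but it is worth a quick check on a host without `rproxy_host`.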
@@ -113,6 +137,7 @@ when: (services_deploy_lrproxy_config_files.changed or services_deploy_lrproxy_systemd_files.changed or + services_deploy_lrproxy_rsync_certificates_files.changed or services_deploy_lrproxy_rsync_certificates_timer.changed or services_deploy_lrproxy_dhparam.changed or services_deploy_lrproxy_keypair.changed) and diff --git a/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service.j2 b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service.j2 index 219d05c..c8523b6 100644 --- a/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service.j2 +++ b/playbooks/roles/services/deploy/lrproxy/templates/systemd/container-lrproxy-nginx.service.j2 @@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \ --label "io.containers.autoupdate=image" \ -dt \ {{ services_rproxy_nginx_add_hosts }} \ - -v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ + -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \ -v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \ -v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \ -v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \ diff --git a/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service.j2 b/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service.j2 index edb3d0c..98b46a3 100644 --- a/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service.j2 +++ b/playbooks/roles/services/deploy/lrproxy/templates/systemd/rsync-certificates.service.j2 
@@ -5,8 +5,8 @@ OnFailure=status-mail@%n.service [Service] Type=oneshot -ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' \ +ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/{{ services_host_services.lrproxy.rproxy_host }}-{{ services_host_services.lrproxy.rproxy_user }} -l {{ services_host_services.lrproxy.rproxy_user }}' \ -avz \ --delete \ - {{ hostvars['valkyrie'].vpn_wireguard_address }}:{{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/ \ - {{ hostvars['yggdrasil'].services_data_directory }}/pod-lrproxy/etc-letsencrypt + {{ hostvars[services_host_services.lrproxy.rproxy_host].vpn_wireguard_address }}:{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/ \ + {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt diff --git a/playbooks/roles/services/deploy/notes/templates/systemd/container-notes-joplin.service.j2 b/playbooks/roles/services/deploy/notes/templates/systemd/container-notes-joplin.service.j2 index c90807f..ad191ba 100644 --- a/playbooks/roles/services/deploy/notes/templates/systemd/container-notes-joplin.service.j2 +++ b/playbooks/roles/services/deploy/notes/templates/systemd/container-notes-joplin.service.j2 @@ -22,7 +22,7 @@ ExecStart=/usr/bin/podman run \ --label "io.containers.autoupdate=image" \ -dt \ --add-host=pod-database:{{ services_all_services['database'].address }} \ - -v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ + -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_data_directory }}/pod-notes/data/_data:/data \ -e APP_BASE_URL="https://{{ services[services_service_name].domain }}" \ -e APP_PORT="22300" \ diff --git a/playbooks/roles/services/setup/system/tasks/include/nameserver.yml b/playbooks/roles/services/setup/system/tasks/include/nameserver.yml index 753afaf..6e871e2 100644 
--- a/playbooks/roles/services/setup/system/tasks/include/nameserver.yml +++ b/playbooks/roles/services/setup/system/tasks/include/nameserver.yml @@ -1,16 +1,14 @@ --- -- name: "nameserver : fetch valkyrie's resolv.conf" +- name: "nameserver : fetch {{ services_resolv_host }}'s resolv.conf" ansible.builtin.fetch: src: "/etc/resolv.conf" dest: "./files/services/setup/system/nameserver/" flat: true when: - ansible_hostname == "valkyrie" + ansible_hostname == services_resolv_host -- name: "nameserver : copy valkyrie's resolv.conf to other hosts" +- name: "nameserver : copy {{ services_resolv_host }}'s resolv.conf to other hosts" ansible.builtin.copy: src: "files/services/setup/system/nameserver/resolv.conf" - dest: "{{ services_root_directory }}/valkyrie-resolv.conf" + dest: "{{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf" mode: 0644 - when: - ansible_hostname != "valkyrie"
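Review bot: The fetch task's `when` still compares the gathered fact `ansible_hostname` with `services_resolv_host`, which holds an inventory name (the same string "valkyrie" is used for `hostvars[...]` and `delegate_to` via `rproxy_host` elsewhere in this patch), so if the resolv host's system hostname ever differs from its inventory name the fetch silently never runs and the copy task pushes whatever stale `resolv.conf` is left on the controller to every host. `inventory_hostname == services_resolv_host` compares like with like and also drops the dependency on fact gathering that the `services_root_directory` change in the first hunk of this patch moves away from. Removing the `ansible_hostname != "valkyrie"` guard means the copy now also runs on the resolv host itself, which looks intended so the `*-resolv.conf` container mount works uniformly; a comment on the copy task, `# runs on the resolv host too, so every host carries the same file`, would make that deliberate.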