Decouple lrproxy from valkyrie

Wojciech Kozlowski 2023-02-12 19:37:33 +01:00
parent 226bd0369f
commit 34c4e29a43
17 changed files with 98 additions and 51 deletions


@ -30,7 +30,7 @@ vpn_bridge_dnat: "\
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
# services # services
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
services_root_directory: "/var/lib/{{ ansible_hostname }}" services_root_directory: "/var/lib/{{ services_hostname }}"
services_home_directory: "{{ services_root_directory }}/home" services_home_directory: "{{ services_root_directory }}/home"
services_data_directory: "{{ services_root_directory }}/data" services_data_directory: "{{ services_root_directory }}/data"
services_containers_directory: "{{ services_root_directory }}/containers" services_containers_directory: "{{ services_root_directory }}/containers"
@ -40,6 +40,8 @@ services_all_services: "{{
services_all_hosts | map('extract', hostvars, 'services_host_services') | map('dict2items') | services_all_hosts | map('extract', hostvars, 'services_host_services') | map('dict2items') |
flatten | items2dict }}" flatten | items2dict }}"
services_resolv_host: "valkyrie"
services: services:
rproxy: {} rproxy: {}
www: www:
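Review bot: `services_root_directory` now interpolates `services_hostname`, which this commit only sets in the two host_vars files, so any other host in the group fails on the first reference with an undefined-variable error instead of getting the old `ansible_hostname`-based path. If the variable is meant to be mandatory, a comment above it saying so (`# services_hostname must be set in every host's host_vars`) makes that explicit; otherwise `services_root_directory: "/var/lib/{{ services_hostname | default(ansible_hostname) }}"` keeps the previous behaviour as the fallback. The new `services_resolv_host: "valkyrie"` must also match a host's `services_hostname` value, which is worth stating next to it.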


@ -30,6 +30,8 @@ vpn_wireguard_clients:
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
# services # services
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
services_hostname: "valkyrie"
services_host_services: services_host_services:
rproxy: rproxy:
address: "{{ vpn_bridge_prefix }}.2" address: "{{ vpn_bridge_prefix }}.2"


@ -57,6 +57,8 @@ backups_snapshots_sanoid_system_datasets:
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
# services # services
# -------------------------------------------------------------------------------------------------- # --------------------------------------------------------------------------------------------------
services_hostname: "yggdrasil"
services_root_dataset: "rpool{{ services_root_directory }}" services_root_dataset: "rpool{{ services_root_directory }}"
services_home_dataset: "rpool{{ services_home_directory }}" services_home_dataset: "rpool{{ services_home_directory }}"
services_data_dataset: "rpool{{ services_data_directory }}" services_data_dataset: "rpool{{ services_data_directory }}"
@ -66,6 +68,8 @@ services_host_services:
lrproxy: lrproxy:
address: "{{ vpn_bridge_prefix }}.2" address: "{{ vpn_bridge_prefix }}.2"
tcp: [80, 443] tcp: [80, 443]
rproxy_host: "valkyrie"
rproxy_user: "pod-rproxy"
database: database:
address: "{{ vpn_bridge_prefix }}.3" address: "{{ vpn_bridge_prefix }}.3"
cloud: cloud:


@ -13,6 +13,10 @@
dest: "/usr/local/bin/restic.bz2" dest: "/usr/local/bin/restic.bz2"
mode: 0644 mode: 0644
- name: "install bzip2"
ansible.builtin.apt:
name: "bzip2"
- name: "unpack restic binary" - name: "unpack restic binary"
command: "bunzip2 /usr/local/bin/restic.bz2" command: "bunzip2 /usr/local/bin/restic.bz2"


@ -0,0 +1,7 @@
---
argument_specs:
main:
options:
services_data_dataset:
type: "str"
required: true


@ -8,9 +8,6 @@ argument_specs:
services_service_name: services_service_name:
type: "str" type: "str"
required: true required: true
services_data_dataset:
type: "str"
required: true
services_backups_restic_services: services_backups_restic_services:
type: "dict" type: "dict"
elem: "dict" elem: "dict"


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \ --label "io.containers.autoupdate=image" \
-dt \ -dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \ --add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \ -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \ -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
--name=pod-cloud-cron \ --name=pod-cloud-cron \


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \ --label "io.containers.autoupdate=image" \
-dt \ -dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \ --add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \ -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \ -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
-v ./.config/pod-cloud/database.name:/run/secrets/database.name:ro \ -v ./.config/pod-cloud/database.name:/run/secrets/database.name:ro \


@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \
--replace \ --replace \
--label "io.containers.autoupdate=image" \ --label "io.containers.autoupdate=image" \
-dt \ -dt \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-cloud/nginx.conf:/etc/nginx/nginx.conf:ro \ -v ./.config/pod-cloud/nginx.conf:/etc/nginx/nginx.conf:ro \
-v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \ -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
-v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \ -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \


@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \
--replace \ --replace \
--label "io.containers.autoupdate=image" \ --label "io.containers.autoupdate=image" \
-dt \ -dt \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-database/database.password:/run/secrets/database.password:ro \ -v ./.config/pod-database/database.password:/run/secrets/database.password:ro \
-e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \ -e POSTGRES_PASSWORD_FILE=/run/secrets/database.password \
-v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \ -v {{ services_data_directory }}/pod-database/wal/_data:/var/lib/postgresql-wal \


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \ --label "io.containers.autoupdate=image" \
-dt \ -dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \ --add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-git/data/_data:/data \ -v {{ services_data_directory }}/pod-git/data/_data:/data \
-v /etc/timezone:/etc/timezone:ro \ -v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \ -v /etc/localtime:/etc/localtime:ro \


@ -24,3 +24,11 @@ argument_specs:
type: "dict" type: "dict"
elem: "dict" elem: "dict"
required: true required: true
services_host_services:
lrproxy:
rproxy_host:
type: "str"
required: false
rproxy_user:
type: "str"
required: false
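Review bot: The new entries under `services_host_services` are not in the suboption form that role argument validation understands — a nested option is declared with `type: "dict"` plus an `options:` mapping, not by nesting the option names directly — so `rproxy_host` and `rproxy_user` will not actually be checked (the `elem:` key on the context lines suggests this spec is already used loosely, so this may be intentional documentation). If validation is intended, `services_host_services:` should carry `type: "dict"` and `options:`, with `lrproxy:` as a dict option underneath holding its own `options:` for the two keys. Either way a one-line comment such as `# rproxy_host and rproxy_user must be set together` belongs here, since the deploy tasks in this commit use `rproxy_user` whenever `rproxy_host` is defined.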


@ -38,8 +38,6 @@
loop: loop:
- "pod-lrproxy.service" - "pod-lrproxy.service"
- "container-lrproxy-nginx.service" - "container-lrproxy-nginx.service"
- "rsync-certificates.service"
- "rsync-certificates.timer"
register: services_deploy_lrproxy_systemd_files register: services_deploy_lrproxy_systemd_files
- name: "systemd user daemon reload" - name: "systemd user daemon reload"
@ -49,13 +47,6 @@
when: when:
services_deploy_lrproxy_systemd_files.changed services_deploy_lrproxy_systemd_files.changed
- name: "enable rsync-certificates timer"
ansible.builtin.systemd:
name: "rsync-certificates.timer"
enabled: true
scope: "user"
register: services_deploy_lrproxy_rsync_certificates_timer
- name: "generate diffie hellman ephemeral parameters" - name: "generate diffie hellman ephemeral parameters"
ansible.builtin.command: >- ansible.builtin.command: >-
openssl dhparam openssl dhparam
@ -66,30 +57,63 @@
{{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem" {{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
register: services_deploy_lrproxy_dhparam register: services_deploy_lrproxy_dhparam
- name: "create the .ssh directory" - block:
ansible.builtin.file:
path: "{{ services_service_user_home }}/.ssh"
state: "directory"
mode: 0700
- name: "generate ssh keypair for rsync" - name: "configure rsync-certificates service"
community.crypto.openssh_keypair: ansible.builtin.template:
path: "{{ services_service_user_home }}/.ssh/valkyrie-pod-rproxy" src: "./systemd/{{ item }}.j2"
type: "ed25519" dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
register: services_deploy_lrproxy_keypair mode: 0600
loop:
- "rsync-certificates.service"
- "rsync-certificates.timer"
register: services_deploy_lrproxy_rsync_certificates_files
- name: "configure public key on valkyrie" - name: "systemd user daemon reload"
delegate_to: "valkyrie" ansible.builtin.systemd:
become_user: "pod-rproxy" daemon_reload: true
ansible.posix.authorized_key: scope: "user"
user: "pod-rproxy" when:
state: "present" services_deploy_lrproxy_rsync_certificates_files.changed
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
key_options: "\ - name: "enable rsync-certificates timer"
command=\"rsync --server --sender -avz . \ ansible.builtin.systemd:
{{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/\ name: "rsync-certificates.timer"
\",from=\"{{ vpn_wireguard_address }}\",\ enabled: true
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding" scope: "user"
register: services_deploy_lrproxy_rsync_certificates_timer
- name: "create the .ssh directory"
ansible.builtin.file:
path: "{{ services_service_user_home }}/.ssh"
state: "directory"
mode: 0700
- name: "generate ssh keypair for rsync"
community.crypto.openssh_keypair:
path: "\
{{ services_service_user_home }}/.ssh/\
{{ services_host_services.lrproxy.rproxy_host }}-\
{{ services_host_services.lrproxy.rproxy_user }}"
type: "ed25519"
register: services_deploy_lrproxy_keypair
- name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
ansible.posix.authorized_key:
user: "{{ services_host_services.lrproxy.rproxy_user }}"
state: "present"
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
key_options: "\
command=\"rsync --server --sender -avz . \
{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
\",from=\"{{ vpn_wireguard_address }}\",\
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
when:
services_host_services.lrproxy.rproxy_host is defined
- name: "get uid" - name: "get uid"
ansible.builtin.getent: ansible.builtin.getent:
@ -113,6 +137,7 @@
when: when:
(services_deploy_lrproxy_config_files.changed or (services_deploy_lrproxy_config_files.changed or
services_deploy_lrproxy_systemd_files.changed or services_deploy_lrproxy_systemd_files.changed or
services_deploy_lrproxy_rsync_certificates_files.changed or
services_deploy_lrproxy_rsync_certificates_timer.changed or services_deploy_lrproxy_rsync_certificates_timer.changed or
services_deploy_lrproxy_dhparam.changed or services_deploy_lrproxy_dhparam.changed or
services_deploy_lrproxy_keypair.changed) and services_deploy_lrproxy_keypair.changed) and
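Review bot: The `- block:` is gated only on `services_host_services.lrproxy.rproxy_host is defined`, yet the keypair path, `become_user`, the `authorized_key` user and the forced-command path all read `services_host_services.lrproxy.rproxy_user`, which the argument spec in this commit marks as independently optional; a host that sets `rproxy_host` without `rproxy_user` fails with an undefined-variable error part-way through the block instead of skipping cleanly. The guard should cover both: `when: services_host_services.lrproxy.rproxy_host is defined and services_host_services.lrproxy.rproxy_user is defined`. The forced-command restrictions on the authorized key (`from=`, `--server --sender`, no forwarding/pty) are carried over unchanged, which is the part worth protecting as this is generalised. Minor style: the new `mode: 0600` / `mode: 0700` lines are unquoted octal, which relies on YAML 1.1 integer parsing; `"0600"` is the safe form, though it matches the existing style of this file.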


@ -21,7 +21,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \ --label "io.containers.autoupdate=image" \
-dt \ -dt \
{{ services_rproxy_nginx_add_hosts }} \ {{ services_rproxy_nginx_add_hosts }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \ -v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
-v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \ -v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
-v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \ -v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \


@ -5,8 +5,8 @@ OnFailure=status-mail@%n.service
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' \ ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/{{ services_host_services.lrproxy.rproxy_host }}-{{ services_host_services.lrproxy.rproxy_user }} -l {{ services_host_services.lrproxy.rproxy_user }}' \
-avz \ -avz \
--delete \ --delete \
{{ hostvars['valkyrie'].vpn_wireguard_address }}:{{ hostvars['valkyrie'].services_data_directory }}/pod-rproxy/etc-letsencrypt/ \ {{ hostvars[services_host_services.lrproxy.rproxy_host].vpn_wireguard_address }}:{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/ \
{{ hostvars['yggdrasil'].services_data_directory }}/pod-lrproxy/etc-letsencrypt {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt
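Review bot: The remote source path built on the `ExecStart` continuation line, `.../{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/`, has to match byte-for-byte the path baked into the forced `rsync --server --sender` command in the `authorized_key` task of the deploy tasks, or the restricted key will reject the transfer; the commit also silently assumes that `rproxy_user` doubles as the data-directory name under `services_data_directory` on the remote host. A comment at the top of the unit recording both constraints is warranted: `# source path must match the forced command set on the rproxy host's authorized_key; rproxy_user is also the data-directory name there`. As a point of style, `services_host_services.lrproxy.rproxy_host`/`rproxy_user` are repeated five times on two lines; `{% set lrproxy = services_host_services.lrproxy %}` at the top of the template would keep the `ExecStart` line readable. The unit header above `[Service]` is outside the hunk.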


@ -22,7 +22,7 @@ ExecStart=/usr/bin/podman run \
--label "io.containers.autoupdate=image" \ --label "io.containers.autoupdate=image" \
-dt \ -dt \
--add-host=pod-database:{{ services_all_services['database'].address }} \ --add-host=pod-database:{{ services_all_services['database'].address }} \
-v {{ services_root_directory }}/valkyrie-resolv.conf:/etc/resolv.conf:ro \ -v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-notes/data/_data:/data \ -v {{ services_data_directory }}/pod-notes/data/_data:/data \
-e APP_BASE_URL="https://{{ services[services_service_name].domain }}" \ -e APP_BASE_URL="https://{{ services[services_service_name].domain }}" \
-e APP_PORT="22300" \ -e APP_PORT="22300" \


@ -1,16 +1,14 @@
--- ---
- name: "nameserver : fetch valkyrie's resolv.conf" - name: "nameserver : fetch {{ services_resolv_host }}'s resolv.conf"
ansible.builtin.fetch: ansible.builtin.fetch:
src: "/etc/resolv.conf" src: "/etc/resolv.conf"
dest: "./files/services/setup/system/nameserver/" dest: "./files/services/setup/system/nameserver/"
flat: true flat: true
when: when:
ansible_hostname == "valkyrie" ansible_hostname == services_resolv_host
- name: "nameserver : copy valkyrie's resolv.conf to other hosts" - name: "nameserver : copy {{ services_resolv_host }}'s resolv.conf to other hosts"
ansible.builtin.copy: ansible.builtin.copy:
src: "files/services/setup/system/nameserver/resolv.conf" src: "files/services/setup/system/nameserver/resolv.conf"
dest: "{{ services_root_directory }}/valkyrie-resolv.conf" dest: "{{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf"
mode: 0644 mode: 0644
when:
ansible_hostname != "valkyrie"
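Review bot: The fetch condition `ansible_hostname == services_resolv_host` compares the gathered system hostname against a value that elsewhere in this commit is matched by the new `services_hostname` variable (`services_root_directory` was switched from `ansible_hostname` to `services_hostname` in the same change); if the two ever differ on the resolv host, the fetch never runs and every other host silently keeps copying whatever stale file is left in `files/services/setup/system/nameserver/`. Using the same key on both sides, `services_hostname == services_resolv_host`, keeps the decoupling consistent. Dropping the `when` on the copy task so the resolv host also receives `{{ services_resolv_host }}-resolv.conf` is fine, but the fetch-then-copy ordering still depends on the resolv host being in the run, which a short comment above the copy task should state.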