Playbooks to deploy pod-rproxy and pod-www
This commit is contained in:
parent
3bd5df7c65
commit
9e227d132a
@ -17,3 +17,10 @@ postfix_smtp_user:
|
|||||||
vpn_wg0_port:
|
vpn_wg0_port:
|
||||||
vpn_wg0_netmask:
|
vpn_wg0_netmask:
|
||||||
vpn_wg0_preshared_key:
|
vpn_wg0_preshared_key:
|
||||||
|
|
||||||
|
# Service variables
|
||||||
|
services: {
|
||||||
|
name: {
|
||||||
|
address: X.X.X.X,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
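Review bot: `services: { name: { address: X.X.X.X, }, }` puts nested, structured data into flow style with trailing commas, while every other key in this file is block style; `services:` / `  name:` / `    address: X.X.X.X` reads and diffs better and is what the consumer (`services | dict2items` in 01-hosts.yml) expects either way. The same applies to `host_services: [ service_name_1, service_name_2, ]` in the next hunk. The bare `vpn_reverse_proxy_address:` and `service_bridge_gateway:` there parse as null, which matches the existing placeholder convention in this file but is worth a `# fill in` comment if these are example values rather than real ones.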
@ -23,3 +23,10 @@ vpn_wg0_endpoint_address:
|
|||||||
vpn_remote_subnet:
|
vpn_remote_subnet:
|
||||||
|
|
||||||
vpn_reverse_proxy_address:
|
vpn_reverse_proxy_address:
|
||||||
|
|
||||||
|
# Service variables
|
||||||
|
host_services: [
|
||||||
|
service_name_1,
|
||||||
|
service_name_2,
|
||||||
|
]
|
||||||
|
service_bridge_gateway:
|
||||||
|
@ -0,0 +1,19 @@
|
|||||||
|
iface {{ service_iface_name }} inet manual
|
||||||
|
pre-up mkdir -p /run/netns
|
||||||
|
pre-up ln -sfTv /proc/$(cat /var/lib/{{ ansible_hostname }}/containers/{{ service_user_name }}/pidfile)/ns/net /run/netns/{{ service_user_name }}
|
||||||
|
|
||||||
|
pre-up ip link add name $IFACE type veth peer name veth0 netns {{ service_user_name }}
|
||||||
|
pre-up ip link set $IFACE master br0
|
||||||
|
|
||||||
|
post-up ip -n {{ service_user_name }} link set veth0 up
|
||||||
|
post-up ip -n {{ service_user_name }} address add {{ service_bridge_address }}/24 dev veth0
|
||||||
|
post-up ip -n {{ service_user_name }} route add default via {{ service_bridge_gateway }} dev veth0
|
||||||
|
|
||||||
|
pre-down ip -n {{ service_user_name }} route del default via {{ service_bridge_gateway }} dev veth0
|
||||||
|
pre-down ip -n {{ service_user_name }} address del {{ service_bridge_address }}/24 dev veth0
|
||||||
|
pre-down ip -n {{ service_user_name }} link set veth0 down
|
||||||
|
|
||||||
|
post-down ip link set $IFACE nomaster
|
||||||
|
post-down ip link del dev $IFACE
|
||||||
|
|
||||||
|
post-down rm /run/netns/{{ service_user_name }}
|
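Review bot: The `pre-up ln -sfTv /proc/$(cat …/pidfile)/ns/net /run/netns/…` line runs as root via ifup and splices in the contents of a file that the rootless pod-*.service user units in this commit write as the unprivileged `{{ service_user_name }}` account (the containers directory is chowned to that user in 01-user.yml); nothing checks that the content is a single PID before it becomes a root-owned symlink target and, via `ip link add … netns`, decides which namespace receives the veth. Add a guard ahead of it, e.g. `pre-up sh -c 'p=$(cat /var/lib/{{ ansible_hostname }}/containers/{{ service_user_name }}/pidfile); case "$p" in ""|*[!0-9]*) exit 1;; esac'`, and ideally also confirm `/proc/$p` is owned by the service user, since the `.path`/oneshot units in the next two hunks re-run this on every modification of that file. Separately, `/24` is hard-coded on the `address add`/`address del` lines while the address itself comes from `service_bridge_address`; a `service_bridge_netmask`-style variable, as already done for `vpn_wg0_netmask`, keeps the prefix configurable per host.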
@ -0,0 +1,5 @@
|
|||||||
|
[Path]
|
||||||
|
PathModified=/var/lib/{{ ansible_hostname }}/containers/pod-%i/pidfile
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target network.target
|
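Review bot: `WantedBy=multi-user.target network.target` lists `network.target`, which is a passive ordering target that does not normally pull units in; `multi-user.target` alone (or `paths.target`) is the conventional install target for a `.path` unit, hedging that an ordering hint was not intended there (that would be `After=`). Because `PathModified=` watches a file the unprivileged pod user writes, this unit lets that user trigger a root `ifup` at will, so the pidfile contents should be validated before the interface scripts use them; a one-line comment above `PathModified=` naming that trust boundary would make the design visible.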
@ -0,0 +1,7 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Connect %i to root bridge
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/bin/sh -c '/usr/sbin/ifdown --ignore-errors veth-%i || /usr/bin/true ; /usr/sbin/ifup veth-%i'
|
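Review bot: In `ExecStart=/usr/bin/sh -c '/usr/sbin/ifdown --ignore-errors veth-%i || /usr/bin/true ; /usr/sbin/ifup veth-%i'` the `|| /usr/bin/true` is a no-op, because `;` already continues to `ifup` regardless of `ifdown`'s exit status. With `Type=oneshot` the shell wrapper can go entirely: `ExecStart=-/usr/sbin/ifdown --ignore-errors veth-%i` followed by `ExecStart=/usr/sbin/ifup veth-%i` (the leading `-` tells systemd to ignore the first command's failure), which also keeps the exact argv visible in the journal.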
@ -0,0 +1,2 @@
|
|||||||
|
[engine]
|
||||||
|
volume_path = "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
|
@ -0,0 +1,6 @@
|
|||||||
|
[storage]
|
||||||
|
graphroot = "/var/lib/{{ ansible_hostname }}/containers/{{ service_user_name }}/storage"
|
||||||
|
driver = "overlay"
|
||||||
|
|
||||||
|
[storage.options]
|
||||||
|
mount_program = "/usr/bin/fuse-overlayfs"
|
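Review bot: `mount_program = "/usr/bin/fuse-overlayfs"` sits under `[storage.options]`; the containers-storage.conf(5) documentation I am aware of places the overlay driver's `mount_program` under `[storage.options.overlay]`, so confirm the flat form is still honoured by the podman version 00-podman.yml installs. `runroot` is not set although the same man page lists it alongside `graphroot` as required — rootless podman may derive a default from the runtime dir, but that is worth checking on the target rather than assuming, and a comment on `graphroot` saying the path is created by 01-user.yml would help.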
@ -0,0 +1,11 @@
|
|||||||
|
# /etc/cron.d/certbot: crontab entries for the certbot package
|
||||||
|
#
|
||||||
|
# Upstream recommends attempting renewal twice a day
|
||||||
|
#
|
||||||
|
# Eventually, this will be an opportunity to validate certificates
|
||||||
|
# haven't been revoked, etc. Renewal will only occur if expiration
|
||||||
|
# is within 30 days.
|
||||||
|
SHELL=/bin/sh
|
||||||
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
|
0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot-path /var/www/html
|
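Review bot: This cron file is bind-mounted into `docker.io/certbot/certbot` by container-rproxy-certbot.service, but that unit invokes `renew` directly from a systemd timer and nothing in this commit starts a cron daemon inside the container, so the `0 */12 * * * root …` line appears never to fire and duplicates the timer's `OnCalendar`/`RandomizedDelaySec`. Either drop the file together with the `-v ./.config/pod-rproxy/certbot.cron:…` mount, or add a comment at the top explaining why it is shipped. If it is kept, note that `--webroot-path /var/www/html` must stay in sync with the same path in the unit's `ExecStart`.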
@ -0,0 +1,57 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name wojciechkozlowski.eu www.wojciechkozlowski.eu;
|
||||||
|
|
||||||
|
location ^~ /.well-known {
|
||||||
|
allow all;
|
||||||
|
root /var/www/html;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name wojciechkozlowski.eu;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/wojciechkozlowski.eu/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/chain.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://pod-www;
|
||||||
|
}
|
||||||
|
|
||||||
|
error_page 500 502 503 504 /50x.html;
|
||||||
|
location = /50x.html {
|
||||||
|
root /usr/share/nginx/html;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name www.wojciechkozlowski.eu;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://pod-www;
|
||||||
|
}
|
||||||
|
|
||||||
|
error_page 500 502 503 504 /50x.html;
|
||||||
|
location = /50x.html {
|
||||||
|
root /usr/share/nginx/html;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
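Review bot: The two `listen 443 ssl` server blocks are identical apart from `server_name` and the three `/etc/letsencrypt/live/…` paths; moving the `location /` proxy stanza and the `error_page`/`location = /50x.html` stanza into one snippet pulled in with `include` means a future header change is made once. Neither proxied location sends `proxy_set_header X-Forwarded-Proto $scheme;`, so pod-www cannot tell the request was terminated over TLS — harmless for a static site, but cheap to add while the headers are being set. `proxy_set_header X-Forwarded-For $remote_addr;` deliberately drops any client-supplied chain, which is the safer choice for an edge proxy; a short comment saying so stops someone "fixing" it to `$proxy_add_x_forwarded_for` later.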
@ -0,0 +1,58 @@
|
|||||||
|
user nginx;
|
||||||
|
worker_processes auto;
|
||||||
|
|
||||||
|
error_log /var/log/nginx/error.log notice;
|
||||||
|
pid /var/run/nginx.pid;
|
||||||
|
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
http {
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
#tcp_nopush on;
|
||||||
|
|
||||||
|
keepalive_timeout 65;
|
||||||
|
|
||||||
|
#gzip on;
|
||||||
|
|
||||||
|
# Configuration based on https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html.
|
||||||
|
|
||||||
|
# SSL protocols.
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
|
||||||
|
# Ciphers suite based on intermediate list from
|
||||||
|
# https://wiki.mozilla.org/Security/Server_Side_TLS. To verify OpenSSL names, use
|
||||||
|
# https://raw.githubusercontent.com/openssl/openssl/master/include/openssl/tls1.h.
|
||||||
|
ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
|
||||||
|
# Prefer server's settings.
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
|
||||||
|
# Diffie Hellman Ephemeral Parameters: `openssl dhparam -out dhparam.pem 4096`.
|
||||||
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||||
|
ssl_ecdh_curve secp384r1;
|
||||||
|
|
||||||
|
# OCSP Stapling.
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
resolver 1.1.1.1 1.0.0.1 valid=300s;
|
||||||
|
resolver_timeout 5s;
|
||||||
|
|
||||||
|
# HTTP Strict Transport Security.
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; " always;
|
||||||
|
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
}
|
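Review bot: `ssl_ecdh_curve secp384r1;` restricts key exchange to a single curve and excludes X25519 and P-256, which the cited Mozilla intermediate profile lists first; `ssl_ecdh_curve X25519:prime256v1:secp384r1;` keeps the stronger curve available without turning away clients that do not offer it. The `TLS_AES_*`/`TLS_CHACHA20_*` names in `ssl_ciphers` are TLS 1.3 suites, which OpenSSL does not take from the cipher list — I believe they are silently ignored there, leaving TLS 1.3 selection at OpenSSL's default, so confirm with the nginx build in the image before relying on that ordering. The HSTS value `"max-age=63072000; includeSubdomains; "` carries a stray trailing `; ` that should go. `ssl_session_tickets off;` is missing next to `ssl_session_cache`; without it nginx issues tickets under a key it only regenerates on restart, which weakens forward secrecy for long-running workers.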
@ -0,0 +1,15 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Podman container-rproxy-certbot.service
|
||||||
|
Documentation=man:podman-generate-systemd(1)
|
||||||
|
Wants=network.target
|
||||||
|
After=network-online.target
|
||||||
|
BindsTo=pod-rproxy.service
|
||||||
|
After=pod-rproxy.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||||
|
TimeoutStopSec=70
|
||||||
|
ExecStartPre=/bin/rm -f %t/container-rproxy-certbot.pid %t/container-rproxy-certbot.ctr-id
|
||||||
|
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-certbot.pid --cidfile %t/container-rproxy-certbot.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace -v ./.config/pod-rproxy/certbot.cron:/etc/cron.d/certbot:ro -v etc_letsencrypt:/etc/letsencrypt -v var_lib_letsencrypt:/var/lib/letsencrypt -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-certbot docker.io/certbot/certbot --non-interactive renew --webroot-path /var/www/html
|
||||||
|
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-certbot.ctr-id
|
||||||
|
Type=exec
|
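Review bot: `ExecStart` renews certificates, but nothing reloads the nginx container in the same pod afterwards; nginx reads `fullchain.pem`/`privkey.pem` at start-up, so container-rproxy-nginx keeps serving the old certificate until it is restarted, and because `etc_letsencrypt` is mounted `:ro` in that container certbot's `--deploy-hook` cannot signal it from inside either. An `ExecStartPost=/usr/bin/podman exec pod-rproxy-nginx nginx -s reload` (or a restart of that unit) closes the gap, hedging that the container name is visible to this user-scope service. `docker.io/certbot/certbot` is pulled by mutable tag; pinning a tag or `@sha256:<digest placeholder>` makes renewals reproducible, and the same applies to the two `docker.io/library/nginx` references in the container-*-nginx units.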
@ -0,0 +1,15 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Renew certificates with certbot
|
||||||
|
Documentation=man:certbot(1)
|
||||||
|
Wants=network.target
|
||||||
|
After=network-online.target
|
||||||
|
BindsTo=pod-rproxy.service
|
||||||
|
After=pod-rproxy.service
|
||||||
|
|
||||||
|
[Timer]
|
||||||
|
OnCalendar=*-*-* 06,18:00:00
|
||||||
|
Persistent=true
|
||||||
|
RandomizedDelaySec=1h
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=timers.target
|
@ -0,0 +1,21 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Podman container-rproxy-nginx.service
|
||||||
|
Documentation=man:podman-generate-systemd(1)
|
||||||
|
Wants=network.target
|
||||||
|
After=network-online.target
|
||||||
|
BindsTo=pod-rproxy.service
|
||||||
|
After=pod-rproxy.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||||
|
Restart=on-failure
|
||||||
|
TimeoutStopSec=70
|
||||||
|
ExecStartPre=/bin/rm -f %t/container-rproxy-nginx.pid %t/container-rproxy-nginx.ctr-id
|
||||||
|
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-nginx.pid --cidfile %t/container-rproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace -dt {{ service_rproxy_hosts }} -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v etc_letsencrypt:/etc/letsencrypt:ro -v var_lib_letsencrypt:/var/lib/letsencrypt:ro -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-nginx docker.io/library/nginx
|
||||||
|
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-rproxy-nginx.ctr-id -t 10
|
||||||
|
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-nginx.ctr-id
|
||||||
|
PIDFile=%t/container-rproxy-nginx.pid
|
||||||
|
Type=forking
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target default.target
|
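Review bot: `-v ./.config/pod-rproxy/html:/var/www/html` is mounted read-write into the nginx container although nginx only serves ACME challenge files from it (`location ^~ /.well-known` in the conf.d file) and the certbot unit is the writer; it should be `:ro` like the other config mounts on the same line, so a compromised nginx cannot plant content into the challenge webroot. `{{ service_rproxy_hosts }}` is spliced into the command line unquoted — it is built from the inventory `services` map in 01-hosts.yml, so this is trusted data, but a comment on the line noting that the values must remain plain `--add-host=name:ip` pairs would help whoever extends that map. The same unpinned `docker.io/library/nginx` image appears in container-www-nginx.service.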
@ -0,0 +1,24 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Podman pod-rproxy.service
|
||||||
|
Documentation=man:podman-generate-systemd(1)
|
||||||
|
Wants=network.target
|
||||||
|
After=network-online.target
|
||||||
|
Requires=container-rproxy-nginx.service container-rproxy-certbot.timer
|
||||||
|
Before=container-rproxy-nginx.service container-rproxy-certbot.timer
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||||
|
Restart=on-failure
|
||||||
|
TimeoutStopSec=70
|
||||||
|
ExecStartPre=/bin/rm -f /var/lib/{{ ansible_hostname }}/containers/pod-rproxy/pidfile
|
||||||
|
ExecStartPre=/bin/rm -f %t/pod-rproxy.pid %t/pod-rproxy.pod-id
|
||||||
|
ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/pod-rproxy.pid --pod-id-file %t/pod-rproxy.pod-id --name=rproxy --network=none --replace
|
||||||
|
ExecStart=/usr/bin/podman pod start --pod-id-file %t/pod-rproxy.pod-id
|
||||||
|
ExecStartPost=/usr/bin/sh -c 'podman inspect --format "{% raw %}{{ .State.Pid }}{% endraw %}" $(podman inspect --format "{% raw %}{{ .InfraContainerID }}{% endraw %}" rproxy) > /var/lib/{{ ansible_hostname }}/containers/pod-rproxy/pidfile'
|
||||||
|
ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/pod-rproxy.pod-id -t 10
|
||||||
|
ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/pod-rproxy.pod-id
|
||||||
|
PIDFile=%t/pod-rproxy.pid
|
||||||
|
Type=forking
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target default.target
|
@ -0,0 +1,21 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Podman container-www-nginx.service
|
||||||
|
Documentation=man:podman-generate-systemd(1)
|
||||||
|
Wants=network.target
|
||||||
|
After=network-online.target
|
||||||
|
BindsTo=pod-www.service
|
||||||
|
After=pod-www.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||||
|
Restart=on-failure
|
||||||
|
TimeoutStopSec=70
|
||||||
|
ExecStartPre=/bin/rm -f %t/container-www-nginx.pid %t/container-www-nginx.ctr-id
|
||||||
|
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-www-nginx.pid --cidfile %t/container-www-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-www.pod-id --replace -dt -v ./.config/pod-www/wojciechkozlowski.eu/public:/usr/share/nginx/html:ro --name=pod-www-nginx docker.io/library/nginx
|
||||||
|
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-www-nginx.ctr-id -t 10
|
||||||
|
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-www-nginx.ctr-id
|
||||||
|
PIDFile=%t/container-www-nginx.pid
|
||||||
|
Type=forking
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target default.target
|
@ -0,0 +1,24 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Podman pod-www.service
|
||||||
|
Documentation=man:podman-generate-systemd(1)
|
||||||
|
Wants=network.target
|
||||||
|
After=network-online.target
|
||||||
|
Requires=container-www-nginx.service
|
||||||
|
Before=container-www-nginx.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment=PODMAN_SYSTEMD_UNIT=%n
|
||||||
|
Restart=on-failure
|
||||||
|
TimeoutStopSec=70
|
||||||
|
ExecStartPre=/bin/rm -f /var/lib/{{ ansible_hostname }}/containers/pod-www/pidfile
|
||||||
|
ExecStartPre=/bin/rm -f %t/pod-www.pid %t/pod-www.pod-id
|
||||||
|
ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/pod-www.pid --pod-id-file %t/pod-www.pod-id --name=rproxy --network=none --replace
|
||||||
|
ExecStart=/usr/bin/podman pod start --pod-id-file %t/pod-www.pod-id
|
||||||
|
ExecStartPost=/usr/bin/sh -c 'podman inspect --format "{% raw %}{{ .State.Pid }}{% endraw %}" $(podman inspect --format "{% raw %}{{ .InfraContainerID }}{% endraw %}" rproxy) > /var/lib/{{ ansible_hostname }}/containers/pod-www/pidfile'
|
||||||
|
ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/pod-www.pod-id -t 10
|
||||||
|
ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/pod-www.pod-id
|
||||||
|
PIDFile=%t/pod-www.pid
|
||||||
|
Type=forking
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target default.target
|
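Review bot: `podman pod create … --name=rproxy --network=none --replace` and the `podman inspect … rproxy` inside `ExecStartPost` were copied from pod-rproxy.service; this unit runs as user pod-www, so the pod is created under the wrong name and the pidfile lookup only works because the two lines agree with each other. Change the create line to `--name=www` and the inspect argument to `www` so the pod name matches the unit and the `pod-%i` convention used by the path trigger and the veth template. A comment above `ExecStartPost` saying that the pidfile is what connect-pod-service@.path watches would explain why the PID is written to `/var/lib/…/containers/pod-www/pidfile` rather than `%t`.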
16
playbooks/services.yml
Normal file
16
playbooks/services.yml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
- name: "Deploy services"
|
||||||
|
# Before applying this to yggdrasil need handle zfs datasets
|
||||||
|
hosts: valkyrie
|
||||||
|
|
||||||
|
vars:
|
||||||
|
- service_rproxy_hosts:
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- import_tasks: tasks/services/00-podman.yml
|
||||||
|
- import_tasks: tasks/services/01-hosts.yml
|
||||||
|
- import_tasks: tasks/services/02-directories.yml
|
||||||
|
- include_tasks: tasks/services/03-service.yml
|
||||||
|
with_items: "{{ host_services }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: service_name
|
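Review bot: `vars:` is written as a list (`- service_rproxy_hosts:`) with a bare value, so `service_rproxy_hosts` starts out as null; 01-hosts.yml then builds `"{{ service_rproxy_hosts }} --add-host=…"`, which prepends whatever the templating renders for null before the first `--add-host` (an empty string on recent Ansible, leaving a leading space — confirm on the target version). Use the mapping form with an explicit empty string, `vars:` / `  service_rproxy_hosts: ""`, and in 01-hosts.yml consider `{{ service_rproxy_hosts | default('') }}` plus `verbosity: 1` on the `debug` task so the host list is not printed on every run. The `# Before applying this to yggdrasil need handle zfs datasets` note reads as a TODO; a `# TODO:` prefix makes it greppable.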
@ -12,7 +12,7 @@
|
|||||||
|
|
||||||
- name: Configure logcheck ignores
|
- name: Configure logcheck ignores
|
||||||
template:
|
template:
|
||||||
src: ./filesystem/common/etc/logcheck/ignore.d.server/hostname.j2
|
src: ./filesystem/common/etc/logcheck/ignore.d.server/_hostname.j2
|
||||||
dest: /etc/logcheck/ignore.d.server/{{ ansible_hostname }}
|
dest: /etc/logcheck/ignore.d.server/{{ ansible_hostname }}
|
||||||
group: logcheck
|
group: logcheck
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
- name: Install utility programs
|
- name: Install utility programs
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
|
- acl
|
||||||
- git
|
- git
|
||||||
- htop
|
- htop
|
||||||
- man
|
- man
|
||||||
|
10
playbooks/tasks/services/00-podman.yml
Normal file
10
playbooks/tasks/services/00-podman.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
- name: Install podman
|
||||||
|
apt:
|
||||||
|
name: podman
|
||||||
|
register: podman_install
|
||||||
|
|
||||||
|
# Required for podman.
|
||||||
|
- name: Reboot machine
|
||||||
|
reboot:
|
||||||
|
when:
|
||||||
|
podman_install is changed
|
7
playbooks/tasks/services/01-hosts.yml
Normal file
7
playbooks/tasks/services/01-hosts.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
- name: Collect reverse proxy hosts
|
||||||
|
set_fact:
|
||||||
|
service_rproxy_hosts: "{{ service_rproxy_hosts }} --add-host=pod-{{ item.key }}:{{ item.value.address }}"
|
||||||
|
with_items: "{{ services | dict2items }}"
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
msg: "{{ service_rproxy_hosts }}"
|
23
playbooks/tasks/services/02-directories.yml
Normal file
23
playbooks/tasks/services/02-directories.yml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
- name: Create service directory
|
||||||
|
file:
|
||||||
|
path: /var/lib/{{ ansible_hostname }}
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create service container directory
|
||||||
|
file:
|
||||||
|
path: /var/lib/{{ ansible_hostname }}/containers
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create service data directory
|
||||||
|
file:
|
||||||
|
path: /var/lib/{{ ansible_hostname }}/data
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create service home directory
|
||||||
|
file:
|
||||||
|
path: /var/lib/{{ ansible_hostname }}/home
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
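Review bot: The four `file:` tasks differ only in `path`; one task with `loop:` over the four paths (or over `["", "/containers", "/data", "/home"]` with `path: "/var/lib/{{ ansible_hostname }}{{ item }}"`) keeps `state: directory` and `mode: 0755` in one place. These root-owned parents are later populated with per-service subdirectories that 01-user.yml chowns to the service users, which is fine for 0755; a one-line comment at the top saying the per-service subdirectories get their owner in 01-user.yml makes that split intentional rather than accidental.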
4
playbooks/tasks/services/03-service.yml
Normal file
4
playbooks/tasks/services/03-service.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
- import_tasks: service/00-vars.yml
|
||||||
|
- import_tasks: service/01-user.yml
|
||||||
|
- import_tasks: service/02-veth.yml
|
||||||
|
- import_tasks: service/03-pod.yml
|
25
playbooks/tasks/services/service/00-vars.yml
Normal file
25
playbooks/tasks/services/service/00-vars.yml
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
- name: Set service variables
|
||||||
|
set_fact:
|
||||||
|
service_user_name: "pod-{{ service_name }}"
|
||||||
|
service_iface_name: "veth-{{ service_name }}"
|
||||||
|
service_bridge_address: "{{ services[service_name].address }}"
|
||||||
|
service_changed: false
|
||||||
|
|
||||||
|
- name: Set service variables
|
||||||
|
set_fact:
|
||||||
|
service_home: "/var/lib/{{ ansible_hostname }}/home/{{ service_user_name }}"
|
||||||
|
|
||||||
|
- name: Set service variables
|
||||||
|
set_fact:
|
||||||
|
local_service_home: "./filesystem/{{ ansible_hostname }}/{{ service_home }}"
|
||||||
|
|
||||||
|
- name: Print service variables
|
||||||
|
debug:
|
||||||
|
msg:
|
||||||
|
- "service_name: {{ service_name }}"
|
||||||
|
- "service_user_name: {{ service_user_name }}"
|
||||||
|
- "service_iface_name: {{ service_iface_name }}"
|
||||||
|
- "service_bridge_address: {{ service_bridge_address }}"
|
||||||
|
- "service_changed: {{ service_changed }}"
|
||||||
|
- "service_home: {{ service_home }}"
|
||||||
|
- "local_service_home: {{ local_service_home }}"
|
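Review bot: Three consecutive tasks carry the same `name: Set service variables`, which makes play output and `--start-at-task` ambiguous; name them by what they derive, e.g. `Set service home` and `Set local service home`. `local_service_home: "./filesystem/{{ ansible_hostname }}/{{ service_home }}"` appends a value that already begins with `/var/lib/…`, producing `…/{{ ansible_hostname }}//var/lib/…`; `{{ service_home | regex_replace('^/', '') }}` avoids the double slash, and the `/{{ service_home }}/…` destinations in 03-pod.yml and rproxy.yml have the mirror-image problem. `service_changed: false` is reset here for each included service, which is the intended per-service scope; a comment saying so would stop someone hoisting it to play vars.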
81
playbooks/tasks/services/service/01-user.yml
Normal file
81
playbooks/tasks/services/service/01-user.yml
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
- name: Create system user for {{ service_name }}
|
||||||
|
user:
|
||||||
|
name: "{{ service_user_name }}"
|
||||||
|
create_home: yes
|
||||||
|
home: "{{ service_home }}"
|
||||||
|
shell: /usr/sbin/nologin
|
||||||
|
system: yes
|
||||||
|
register: user_create
|
||||||
|
|
||||||
|
- name: Configure subuids and subgids for user {{ service_user_name }}
|
||||||
|
shell: |
|
||||||
|
export NEW_SUBUID=$(($(tail -1 /etc/subuid | awk -F ":" '{print $2}')+65536))
|
||||||
|
export NEW_SUBGID=$(($(tail -1 /etc/subgid | awk -F ":" '{print $2}')+65536))
|
||||||
|
usermod --add-subuids ${NEW_SUBUID}-$((${NEW_SUBUID}+65535)) \
|
||||||
|
--add-subgids ${NEW_SUBGID}-$((${NEW_SUBGID}+65535)) \
|
||||||
|
{{ service_user_name }}
|
||||||
|
when:
|
||||||
|
user_create is changed
|
||||||
|
|
||||||
|
- name: Ensure XDG_RUNTIME_DIR is set for user {{ service_user_name }}
|
||||||
|
shell: |
|
||||||
|
echo '\nexport XDG_RUNTIME_DIR=/run/user/$(id -u)' >> \
|
||||||
|
{{ service_home }}/.bashrc
|
||||||
|
when:
|
||||||
|
user_create is changed
|
||||||
|
|
||||||
|
- name: Enable lingering for user {{ service_user_name }}
|
||||||
|
command: loginctl enable-linger {{ service_user_name }}
|
||||||
|
when:
|
||||||
|
user_create is changed
|
||||||
|
|
||||||
|
- name: Create container directory for user {{ service_user_name }}
|
||||||
|
file:
|
||||||
|
path: "/var/lib/{{ ansible_hostname }}/containers/{{ service_user_name }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ service_user_name }}"
|
||||||
|
group: "{{ service_user_name }}"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create volume data directory for user {{ service_user_name }}
|
||||||
|
file:
|
||||||
|
path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ service_user_name }}"
|
||||||
|
group: "{{ service_user_name }}"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Create configuration directory for user {{ service_user_name }}
|
||||||
|
file:
|
||||||
|
path: "{{ service_home }}/.config"
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create container configuration directory for user {{ service_user_name }}
|
||||||
|
file:
|
||||||
|
path: "{{ service_home }}/.config/containers"
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Configure storage.conf for user {{ service_user_name }}
|
||||||
|
template:
|
||||||
|
src: "./filesystem/common/var/lib/_hostname/home/_service_user_name/.config/containers/storage.conf.j2"
|
||||||
|
dest: "{{ service_home }}/.config/containers/storage.conf"
|
||||||
|
mode: 0644
|
||||||
|
register: user_containers_storage
|
||||||
|
|
||||||
|
- name: Configure containers.conf for user {{ service_user_name }}
|
||||||
|
template:
|
||||||
|
src: "./filesystem/common/var/lib/_hostname/home/_service_user_name/.config/containers/containers.conf.j2"
|
||||||
|
dest: "{{ service_home }}/.config/containers/containers.conf"
|
||||||
|
mode: 0644
|
||||||
|
register: user_containers_containers
|
||||||
|
|
||||||
|
- name: Reset podman
|
||||||
|
shell: "cd $HOME; yes | podman system reset"
|
||||||
|
when:
|
||||||
|
user_containers_storage is changed or
|
||||||
|
user_containers_containers is changed
|
||||||
|
|
||||||
|
become_user: "{{ service_user_name }}"
|
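Review bot: The subuid/subgid task computes the next free range as `last start + 65536`, which assumes every existing entry in `/etc/subuid` is exactly 65536 wide and that the last line is the highest; a wider or out-of-order entry makes the new range overlap another user's, and overlapping subordinate ranges let one service's container UIDs map onto another service's files. Use the end of the last range instead, `awk -F ":" '{print $2+$3}'` (and the same for subgid), or sort numerically on the second field before `tail -1`. `shell: "cd $HOME; yes | podman system reset"` deletes every image, container and volume of the service user whenever either template changes — for pod-rproxy that includes the `etc_letsencrypt` volume holding the certificate private keys — so it deserves a comment stating that, and `podman system reset --force` is the supported non-interactive form. `echo '\nexport XDG_RUNTIME_DIR=…' >> .bashrc` is only read by interactive bash, not by the `become_user` shells Ansible uses for the later user-scope `systemd` tasks; I believe the systemd module derives the runtime dir itself when the variable is absent, but it is worth confirming that is what makes them work. `create_home: yes` and `system: yes` should be `true` to match `daemon_reload: true` elsewhere in the commit.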
41
playbooks/tasks/services/service/02-veth.yml
Normal file
41
playbooks/tasks/services/service/02-veth.yml
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
- name: Configure veth interface for user {{ service_user_name }}
|
||||||
|
template:
|
||||||
|
src: "./filesystem/common/etc/network/interfaces.d/veth-_service.j2"
|
||||||
|
dest: "/etc/network/interfaces.d/{{ service_iface_name }}"
|
||||||
|
mode: 0644
|
||||||
|
validate: >
|
||||||
|
bash -c
|
||||||
|
'export NEWIF=%s;
|
||||||
|
if ! diff ${NEWIF} /etc/network/interfaces.d/{{ service_iface_name }} &&
|
||||||
|
ip link show dev {{ service_iface_name }} ;
|
||||||
|
then
|
||||||
|
ifdown {{ service_iface_name }} && ifup -i ${NEWIF} {{ service_iface_name }} ;
|
||||||
|
fi'
|
||||||
|
register: veth_service_intf
|
||||||
|
|
||||||
|
- name: Configure connect-pod-service
|
||||||
|
copy:
|
||||||
|
src: "./filesystem/common/etc/systemd/system/connect-pod-service@.service"
|
||||||
|
dest: "/etc/systemd/system/connect-pod-service@.service"
|
||||||
|
mode: 0644
|
||||||
|
register: systemd_connect_pod_service_service
|
||||||
|
|
||||||
|
- name: Configure connect-pod-service path trigger
|
||||||
|
template:
|
||||||
|
src: "./filesystem/common/etc/systemd/system/connect-pod-service@.path.j2"
|
||||||
|
dest: "/etc/systemd/system/connect-pod-service@.path"
|
||||||
|
mode: 0644
|
||||||
|
register: systemd_connect_pod_service_path
|
||||||
|
|
||||||
|
- name: SystemD daemon reload
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
when:
|
||||||
|
systemd_connect_pod_service_service is changed or
|
||||||
|
systemd_connect_pod_service_path is changed
|
||||||
|
|
||||||
|
- name: Enable the path trigger service for {{ service_name }}
|
||||||
|
systemd:
|
||||||
|
name: "connect-pod-service@{{ service_name }}.path"
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
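Review bot: The `validate:` command on the veth template is not a validation — it runs `ifdown` and `ifup -i ${NEWIF}` as root and changes network state before `template` has decided whether to write the file, so a later write failure leaves the interface configured from a temporary file that no longer exists. A side-effect-free check (`ifup -n -i %s {{ service_iface_name }}`, ifupdown's no-act mode) belongs in `validate`, and the ifdown/ifup belongs in a handler or a task guarded by `veth_service_intf is changed`, which the registered result currently feeds nowhere visible in this commit. The br0/wg0 `validate:` blocks in the last two hunks have the same shape. `enabled: yes` on the path unit should be `enabled: true` to match `daemon_reload: true` a few lines above.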
20
playbooks/tasks/services/service/03-pod.d/rproxy.yml
Normal file
20
playbooks/tasks/services/service/03-pod.d/rproxy.yml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
- block:
|
||||||
|
- name: Create html directory for letsencrypt
|
||||||
|
file:
|
||||||
|
path: "{{ service_home }}/.config/{{ service_user_name }}/html"
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Generate Diffie Hellman ephemeral parameters
|
||||||
|
command: openssl dhparam --out /{{ service_home }}/.config/{{ service_user_name}}/dhparam.pem 4096
|
||||||
|
args:
|
||||||
|
creates: "{{ service_home }}/.config/{{ service_user_name }}/dhparam.pem"
|
||||||
|
register: dhparam
|
||||||
|
|
||||||
|
- name: Record changes
|
||||||
|
set_fact:
|
||||||
|
service_changed: true
|
||||||
|
when:
|
||||||
|
dhparam is changed
|
||||||
|
|
||||||
|
become_user: "{{ service_user_name }}"
|
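Review bot: `command: openssl dhparam --out /{{ service_home }}/…` prefixes a value that already starts with `/` (00-vars.yml sets `service_home` under `/var/lib/…`), while the `creates:` path below omits it; they resolve to the same file, but writing both as `{{ service_home }}/.config/{{ service_user_name }}/dhparam.pem` keeps them textually identical and greppable, and `{{ service_user_name}}` is missing its closing space for the same reason. Generating 4096-bit parameters takes minutes on a small host; a comment on the task saying that is expected, and that `creates:` makes it a one-off, saves the next operator an interrupt. The same comment can note that the parameters are actually used because nginx.conf lists `DHE-RSA-*` suites in `ssl_ciphers`.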
28
playbooks/tasks/services/service/03-pod.d/www.yml
Normal file
28
playbooks/tasks/services/service/03-pod.d/www.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
- block:
|
||||||
|
- name: Check if hugo is installed
|
||||||
|
stat:
|
||||||
|
path: "/usr/local/bin/hugo"
|
||||||
|
register: hugo_path
|
||||||
|
|
||||||
|
- name: Install hugo
|
||||||
|
become_user: root
|
||||||
|
apt:
|
||||||
|
deb: https://github.com/gohugoio/hugo/releases/download/v0.56.0/hugo_extended_0.56.0_Linux-64bit.deb
|
||||||
|
when:
|
||||||
|
not hugo_path.stat.exists
|
||||||
|
|
||||||
|
- name: Clone website repository
|
||||||
|
git:
|
||||||
|
repo: https://gitlab.wojciechkozlowski.eu/wojtek/wojciechkozlowski.eu.git
|
||||||
|
dest: "{{ service_home }}/.config/{{ service_user_name }}/wojciechkozlowski.eu"
|
||||||
|
recursive: yes
|
||||||
|
register: wojciechkozlowski_eu_git
|
||||||
|
|
||||||
|
- name: Generate static page using hugo
|
||||||
|
command:
|
||||||
|
cmd: hugo
|
||||||
|
chdir: "{{ service_home }}/.config/{{ service_user_name }}/wojciechkozlowski.eu"
|
||||||
|
when:
|
||||||
|
wojciechkozlowski_eu_git is changed
|
||||||
|
|
||||||
|
become_user: "{{ service_user_name }}"
|
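Review bot: `apt: deb: https://github.com/gohugoio/hugo/releases/download/v0.56.0/…deb` installs a package fetched over the network as root with no integrity check beyond TLS; download it first with `get_url` and `checksum: "sha256:<expected-digest placeholder>"` into a cache path, then point `apt: deb:` at the local file, so a replaced release asset fails the play instead of being installed. The `stat` + `when: not hugo_path.stat.exists` guard remains useful to skip the download. `git: repo: …` has no `version:`, so every run tracks the default branch head and `recursive: yes` pulls submodules along with it — pin a branch or tag if the rebuild is meant to be reproducible, and `yes` → `true`.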
78
playbooks/tasks/services/service/03-pod.yml
Normal file
78
playbooks/tasks/services/service/03-pod.yml
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
- block:
|
||||||
|
- name: Create configuration directory for user {{ service_user_name }}
|
||||||
|
file:
|
||||||
|
path: "{{ service_home }}/.config"
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Check if service configuration exists
|
||||||
|
become: no
|
||||||
|
delegate_to: localhost
|
||||||
|
stat:
|
||||||
|
path: "{{ local_service_home }}/.config/{{ service_user_name }}"
|
||||||
|
register: local_service_path
|
||||||
|
|
||||||
|
- name: Synchronise service configuration
|
||||||
|
copy:
|
||||||
|
src: "{{ local_service_home }}/.config/{{ service_user_name }}"
|
||||||
|
dest: "{{ service_home }}/.config"
|
||||||
|
directory_mode: 0755
|
||||||
|
mode: 0644
|
||||||
|
register: service_synchronise
|
||||||
|
when:
|
||||||
|
local_service_path.stat.exists
|
||||||
|
|
||||||
|
- include_tasks: "{{ item }}"
|
||||||
|
with_first_found:
|
||||||
|
- files:
|
||||||
|
- "03-pod.d/{{ service_name }}.yml"
|
||||||
|
skip: true
|
||||||
|
|
||||||
|
- name: Create systemd directory for user {{ service_user_name }}
|
||||||
|
file:
|
||||||
|
path: "{{ service_home }}/.config/systemd"
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create systemd service directory for user {{ service_user_name }}
|
||||||
|
file:
|
||||||
|
path: "{{ service_home }}/.config/systemd/user"
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Configure {{ service_user_name }} service
|
||||||
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /{{ service_home }}/.config/systemd/user/{{ item | basename | regex_replace('\.j2','') }}
|
||||||
|
mode: 0644
|
||||||
|
with_fileglob:
|
||||||
|
- "{{ local_service_home }}/.config/systemd/user/*.j2"
|
||||||
|
register: systemd_pod_service_files
|
||||||
|
|
||||||
|
- name: SystemD user daemon reload
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
scope: user
|
||||||
|
when:
|
||||||
|
systemd_pod_service_files is changed
|
||||||
|
|
||||||
|
- name: Enable the {{ service_name }} service
|
||||||
|
systemd:
|
||||||
|
name: "pod-{{ service_name }}.service"
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
scope: user
|
||||||
|
register: systemd_pod_service_enable
|
||||||
|
|
||||||
|
- name: Restart the {{ service_name }} service
|
||||||
|
systemd:
|
||||||
|
name: "pod-{{ service_name }}.service"
|
||||||
|
state: restarted
|
||||||
|
scope: user
|
||||||
|
when:
|
||||||
|
(service_synchronise is changed or
|
||||||
|
service_changed is true or
|
||||||
|
systemd_pod_service_files is changed) and
|
||||||
|
systemd_pod_service_enable is not changed
|
||||||
|
|
||||||
|
become_user: "{{ service_user_name }}"
|
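Review bot: `regex_replace('\.j2','')` in the `dest:` of the unit-file template strips the first `.j2` anywhere in the basename rather than the suffix; `regex_replace('\.j2$', '')` is the intended form, and the leading `/{{ service_home }}` on that line doubles the slash because `service_home` already starts with `/`. In the `Restart the … service` condition, `service_changed is true` works but `service_changed | bool` is the usual Ansible spelling and does not depend on the Jinja `true` test being available. The user-scope `systemd:` tasks rely on a user bus being reachable under `become_user` and nothing here sets `XDG_RUNTIME_DIR`; if the module's own fallback is what makes this work, a one-line comment on `SystemD user daemon reload` saying so will save debugging on a host where lingering was not enabled.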
@ -17,7 +17,12 @@
|
|||||||
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2
|
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2
|
||||||
dest: /etc/network/interfaces.d/br0
|
dest: /etc/network/interfaces.d/br0
|
||||||
mode: 0644
|
mode: 0644
|
||||||
validate: bash -c 'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ; then ifdown br0 ; fi'
|
validate: >
|
||||||
|
bash -c
|
||||||
|
'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ;
|
||||||
|
then
|
||||||
|
ifdown br0 ;
|
||||||
|
fi'
|
||||||
register: br_intf
|
register: br_intf
|
||||||
|
|
||||||
- name: Restart bridge interface
|
- name: Restart bridge interface
|
||||||
|
@ -28,7 +28,12 @@
|
|||||||
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
|
src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2
|
||||||
dest: /etc/network/interfaces.d/wg0
|
dest: /etc/network/interfaces.d/wg0
|
||||||
mode: 0644
|
mode: 0644
|
||||||
validate: bash -c 'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ; then ifdown wg0 ; fi'
|
validate: >
|
||||||
|
bash -c
|
||||||
|
'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
|
||||||
|
then
|
||||||
|
ifdown wg0 ;
|
||||||
|
fi'
|
||||||
register: wg_intf
|
register: wg_intf
|
||||||
|
|
||||||
- name: Restart WireGuard interface
|
- name: Restart WireGuard interface
|
||||||
|