From af11b75713b1e660d75a4f48f03bdb5e7903c080 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Wed, 26 Oct 2022 23:22:38 +0200
Subject: [PATCH] Move rproxy and lrproxy to use bind-mounts

---
 .../user/container-rproxy-certbot.service.j2 | 2 +-
 .../user/container-rproxy-nginx.service.j2 | 2 +-
 .../user/container-lrproxy-nginx.service.j2 | 2 +-
 .../systemd/user/rsync-certificates.service.j2 | 2 +-
 .../deploy/service/01-user.d/data/lrproxy.yml | 15 +++++++++++++++
 .../deploy/service/01-user.d/data/rproxy.yml | 15 +++++++++++++++
 .../deploy/service/01-zfs-datasets.d/lrproxy.yml | 11 +++++++++++
 .../services/deploy/service/03-pod.d/lrproxy.yml | 2 +-
 8 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 playbooks/tasks/services/deploy/service/01-user.d/data/lrproxy.yml
 create mode 100644 playbooks/tasks/services/deploy/service/01-user.d/data/rproxy.yml
 create mode 100644 playbooks/tasks/services/deploy/service/01-zfs-datasets.d/lrproxy.yml
diff --git a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2 b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2
index bcaa3a3..e56fdb5 100644
--- a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2
+++ b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-certbot.service.j2
@@ -11,6 +11,6 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-rproxy-certbot.pid %t/container-rproxy-certbot.ctr-id
 ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
-ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-certbot.pid --cidfile %t/container-rproxy-certbot.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace -v /etc/resolv.conf:/etc/resolv.conf:ro -v etc_letsencrypt:/etc/letsencrypt -v var_lib_letsencrypt:/var/lib/letsencrypt -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-certbot docker.io/certbot/certbot --non-interactive renew
+ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-certbot.pid --cidfile %t/container-rproxy-certbot.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace -v /etc/resolv.conf:/etc/resolv.conf:ro -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt:/etc/letsencrypt -v var-lib-letsencrypt:/var/lib/letsencrypt -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-certbot docker.io/certbot/certbot --non-interactive renew
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-certbot.ctr-id
 Type=oneshot
diff --git a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2 b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2
index 2b9e61d..75e9f7d 100644
--- a/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2
+++ b/playbooks/filesystem/valkyrie/var/lib/valkyrie/home/pod-rproxy/.config/systemd/user/container-rproxy-nginx.service.j2
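Review bot: The new ExecStart replaces the `etc_letsencrypt` named volume with the bind-mount `/var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt` and renames `var_lib_letsencrypt` to `var-lib-letsencrypt`, but nothing in this commit moves the existing volume contents into the new directory; on an already-deployed host `certbot renew` will most likely find no renewal configuration to act on, and the nginx container in the next hunk (container-rproxy-nginx.service.j2) would come up without its certificates. Unless that migration is done by hand, a one-off step that copies the old volume's data (for example via `podman volume export etc_letsencrypt`) into the new directory should accompany this change, and the orphaned `etc_letsencrypt`/`var_lib_letsencrypt` volumes should be removed once verified. If the host enforces SELinux, the bind-mount also lacks the relabel podman applied to the named volume automatically; `-v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt:/etc/letsencrypt:Z` here and `:ro,Z` on the nginx mounts (this file's sibling hunk and container-lrproxy-nginx.service.j2) would cover that, which is worth confirming against the target platform. The rest of the unit is outside the hunk.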
@@ -11,7 +11,7 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-rproxy-nginx.pid %t/container-rproxy-nginx.ctr-id
-ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-nginx.pid --cidfile %t/container-rproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /etc/resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v etc_letsencrypt:/etc/letsencrypt:ro -v var_lib_letsencrypt:/var/lib/letsencrypt:ro -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-nginx docker.io/library/nginx
+ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-nginx.pid --cidfile %t/container-rproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /etc/resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt:/etc/letsencrypt:ro -v var-lib-letsencrypt:/var/lib/letsencrypt:ro -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-nginx docker.io/library/nginx
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-rproxy-nginx.ctr-id -t 10
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-nginx.ctr-id
 PIDFile=%t/container-rproxy-nginx.pid
diff --git a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/container-lrproxy-nginx.service.j2 b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/container-lrproxy-nginx.service.j2
index d4e2414..ace3008 100644
--- a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/container-lrproxy-nginx.service.j2
+++ b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/container-lrproxy-nginx.service.j2
@@ -11,7 +11,7 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-lrproxy-nginx.pid %t/container-lrproxy-nginx.ctr-id
-ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-lrproxy-nginx.pid --cidfile %t/container-lrproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-lrproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /var/lib/yggdrasil/valkyrie-resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v etc_letsencrypt:/etc/letsencrypt:ro --name=pod-lrproxy-nginx docker.io/library/nginx
+ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-lrproxy-nginx.pid --cidfile %t/container-lrproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-lrproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /var/lib/yggdrasil/valkyrie-resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v /var/lib/yggdrasil/data/pod-lrproxy/etc-letsencrypt:/etc/letsencrypt:ro --name=pod-lrproxy-nginx docker.io/library/nginx
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-lrproxy-nginx.ctr-id -t 10
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-lrproxy-nginx.ctr-id
 PIDFile=%t/container-lrproxy-nginx.pid
diff --git a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/rsync-certificates.service.j2 b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/rsync-certificates.service.j2
index 633f417..dbef3c4 100644
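Review bot: The new bind-mount `/var/lib/yggdrasil/data/pod-lrproxy/etc-letsencrypt` is populated only by rsync-certificates.service, and nothing visible orders this container after that sync: the rsync unit (next hunk) binds to and runs after `pod-lrproxy.service`, the same pod this container starts in, so on a fresh deploy nginx can start against an empty `/etc/letsencrypt` and fail on its certificate directives. The `[Unit]` section of this file is outside the hunk; if it does not already carry `After=rsync-certificates.service` together with `Wants=rsync-certificates.service`, adding that ordering closes the race. Mounting the key material `:ro` here is the right choice and should be kept.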
--- a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/rsync-certificates.service.j2
+++ b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-lrproxy/.config/systemd/user/rsync-certificates.service.j2
@@ -7,5 +7,5 @@ BindsTo=pod-lrproxy.service
 After=pod-lrproxy.service
 
 [Service]
-ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy -o "StrictHostKeyChecking=no"' -avz {{ vpn_wg0_remote_address }}:/var/lib/valkyrie/data/pod-rproxy/etc_letsencrypt/_data/ /var/lib/yggdrasil/data/pod-lrproxy/etc_letsencrypt/_data
+ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' -avz {{ vpn_wg0_remote_address }}:/var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/ /var/lib/yggdrasil/data/pod-lrproxy/etc-letsencrypt
 Type=oneshot
diff --git a/playbooks/tasks/services/deploy/service/01-user.d/data/lrproxy.yml b/playbooks/tasks/services/deploy/service/01-user.d/data/lrproxy.yml
new file mode 100644
index 0000000..9f93ca6
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-user.d/data/lrproxy.yml
@@ -0,0 +1,15 @@
+- name: Create volume data directory for user {{ service_user_name }}
+  file:
+    path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
+    state: directory
+    owner: "{{ service_user_name }}"
+    group: "{{ service_user_name }}"
+    mode: 0755
+
+- name: Create etc-letsencrypt directory for user {{ service_user_name }}
+  file:
+    path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}/etc-letsencrypt"
+    state: directory
+    owner: "{{ service_user_name }}"
+    group: "{{ service_user_name }}"
+    mode: 0755
diff --git a/playbooks/tasks/services/deploy/service/01-user.d/data/rproxy.yml b/playbooks/tasks/services/deploy/service/01-user.d/data/rproxy.yml
new file mode 100644
index 0000000..9f93ca6
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-user.d/data/rproxy.yml
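Review bot: Dropping `-o "StrictHostKeyChecking=no"` is the right change, but the new ExecStart now depends on valkyrie's host key already being present in pod-lrproxy's known_hosts, and no task in this commit provisions it; ssh in a oneshot unit has no terminal to answer the host-key prompt, so the first run would fail with a host-key verification error. Unless the key is seeded elsewhere, a `known_hosts` task in the deploy playbook (or `-o UserKnownHostsFile=<file the playbook writes>` pinned to a managed file) should land together with this change. The source path `/var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/` is also maintained by hand in the forced command in 03-pod.d/lrproxy.yml (last hunk); because the forced command overrides what the client asks for, a drift between the two would silently sync a different tree rather than fail, so a shared variable for that path is worth introducing. Note that `-avz` without `--delete` leaves lineages on the lrproxy side after they are removed on rproxy, which may or may not be intended.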
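Review bot: `mode: 0755` is an unquoted plain scalar in both tasks of this new file (and in the byte-identical rproxy.yml that follows): under YAML 1.1 it is read as the octal integer 493 and Ansible does the right thing, but a YAML 1.2 parser or a reformatting tool would read decimal 755, which is a different mode; `mode: "0755"` removes the ambiguity. Separately, the `etc-letsencrypt` directory is going to hold the account and certificate private keys; since owner and group are already the service user, `mode: "0750"` on that directory is a tighter default than world-traversable 0755, unless another host account needs to pass through it, which the diff does not show.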
@@ -0,0 +1,15 @@
+- name: Create volume data directory for user {{ service_user_name }}
+  file:
+    path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
+    state: directory
+    owner: "{{ service_user_name }}"
+    group: "{{ service_user_name }}"
+    mode: 0755
+
+- name: Create etc-letsencrypt directory for user {{ service_user_name }}
+  file:
+    path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}/etc-letsencrypt"
+    state: directory
+    owner: "{{ service_user_name }}"
+    group: "{{ service_user_name }}"
+    mode: 0755
diff --git a/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/lrproxy.yml b/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/lrproxy.yml
new file mode 100644
index 0000000..d6f1186
--- /dev/null
+++ b/playbooks/tasks/services/deploy/service/01-zfs-datasets.d/lrproxy.yml
@@ -0,0 +1,11 @@
+- name: Create data dataset for user {{ service_user_name }}
+  zfs:
+    name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}
+    state: present
+    extra_zfs_properties:
+      canmount: "off"
+
+- name: Create etc-letsencrypt dataset for user {{ service_user_name }}
+  zfs:
+    name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}/etc-letsencrypt
+    state: present
diff --git a/playbooks/tasks/services/deploy/service/03-pod.d/lrproxy.yml b/playbooks/tasks/services/deploy/service/03-pod.d/lrproxy.yml
index 60b82f1..1fb2f85 100644
--- a/playbooks/tasks/services/deploy/service/03-pod.d/lrproxy.yml
+++ b/playbooks/tasks/services/deploy/service/03-pod.d/lrproxy.yml
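Review bot: The etc-letsencrypt dataset created in the second task of 01-zfs-datasets.d/lrproxy.yml mounts, presumably, at the same path that the `file` task in 01-user.d/data/lrproxy.yml chowns to the service user, and the diff does not show which of the two `01-` directories is included first; if the directory task runs before the dataset is mounted, the mount covers the chowned directory with the dataset root, which ZFS creates with default root ownership, and the rootless pod is left unable to write into it. Worth confirming the include order (datasets before directories) or making the ownership task explicitly depend on the mount, and stating the expected order in a comment such as `# runs after 01-zfs-datasets.d: the dataset must be mounted before ownership is set`. The mountpoint itself is inferred from the dataset name on the assumption that `rpool/var/lib` is mounted at `/var/lib`, which is not visible here.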
@@ -38,7 +38,7 @@
     user: pod-rproxy
     state: present
     key: "{{ rsync_keypair.public_key }}"
-    key_options: command="rsync --server --sender -avz . /var/lib/valkyrie/data/pod-rproxy/etc_letsencrypt/_data/",from="{{ vpn_wg0_address}}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding
+    key_options: command="rsync --server --sender -avz . /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/",from="{{ vpn_wg0_address}}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding
 
 - name: Record changes
   set_fact:
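Review bot: The `no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding` list in the new `key_options` can be collapsed into the single `restrict` option (OpenSSH 7.2 and later), which also switches off any capability a future OpenSSH release adds, so `key_options: restrict,command="rsync --server --sender -avz . /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/",from="{{ vpn_wg0_address }}"` is both shorter and safer; this also fixes the missing space in `{{ vpn_wg0_address}}`, which Jinja tolerates but which reads as a typo. Keeping `--sender` with `from=` confines the lrproxy key to reading that one tree over the VPN, which is the right scope for distributing certificate material. The path in the forced command is duplicated by hand from the client side in rsync-certificates.service.j2; a mismatch would silently serve a different directory rather than fail, so the two should come from one shared variable. The authorized_key task this line belongs to begins above the hunk.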