Move rproxy and lrproxy to use bind-mounts

This commit is contained in:
Wojciech Kozlowski 2022-10-26 23:22:38 +02:00
parent f296ed9ea5
commit af11b75713
8 changed files with 46 additions and 5 deletions

View File

@ -11,6 +11,6 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
TimeoutStopSec=70 TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-rproxy-certbot.pid %t/container-rproxy-certbot.ctr-id ExecStartPre=/bin/rm -f %t/container-rproxy-certbot.pid %t/container-rproxy-certbot.ctr-id
ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-certbot.pid --cidfile %t/container-rproxy-certbot.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace -v /etc/resolv.conf:/etc/resolv.conf:ro -v etc_letsencrypt:/etc/letsencrypt -v var_lib_letsencrypt:/var/lib/letsencrypt -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-certbot docker.io/certbot/certbot --non-interactive renew ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-certbot.pid --cidfile %t/container-rproxy-certbot.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace -v /etc/resolv.conf:/etc/resolv.conf:ro -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt:/etc/letsencrypt -v var-lib-letsencrypt:/var/lib/letsencrypt -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-certbot docker.io/certbot/certbot --non-interactive renew
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-certbot.ctr-id ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-certbot.ctr-id
Type=oneshot Type=oneshot

View File

@ -11,7 +11,7 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure Restart=on-failure
TimeoutStopSec=70 TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-rproxy-nginx.pid %t/container-rproxy-nginx.ctr-id ExecStartPre=/bin/rm -f %t/container-rproxy-nginx.pid %t/container-rproxy-nginx.ctr-id
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-nginx.pid --cidfile %t/container-rproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /etc/resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v etc_letsencrypt:/etc/letsencrypt:ro -v var_lib_letsencrypt:/var/lib/letsencrypt:ro -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-nginx docker.io/library/nginx ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-rproxy-nginx.pid --cidfile %t/container-rproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-rproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /etc/resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt:/etc/letsencrypt:ro -v var-lib-letsencrypt:/var/lib/letsencrypt:ro -v ./.config/pod-rproxy/html:/var/www/html --name=pod-rproxy-nginx docker.io/library/nginx
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-rproxy-nginx.ctr-id -t 10 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-rproxy-nginx.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-nginx.ctr-id ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-rproxy-nginx.ctr-id
PIDFile=%t/container-rproxy-nginx.pid PIDFile=%t/container-rproxy-nginx.pid

View File

@ -11,7 +11,7 @@ Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure Restart=on-failure
TimeoutStopSec=70 TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-lrproxy-nginx.pid %t/container-lrproxy-nginx.ctr-id ExecStartPre=/bin/rm -f %t/container-lrproxy-nginx.pid %t/container-lrproxy-nginx.ctr-id
ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-lrproxy-nginx.pid --cidfile %t/container-lrproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-lrproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /var/lib/yggdrasil/valkyrie-resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v etc_letsencrypt:/etc/letsencrypt:ro --name=pod-lrproxy-nginx docker.io/library/nginx ExecStart=/usr/bin/podman run --conmon-pidfile %t/container-lrproxy-nginx.pid --cidfile %t/container-lrproxy-nginx.ctr-id --cgroups=no-conmon --pod-id-file %t/pod-lrproxy.pod-id --replace --label "io.containers.autoupdate=image" -dt {{ service_rproxy_hosts }} -v /var/lib/yggdrasil/valkyrie-resolv.conf:/etc/resolv.conf:ro -v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro -v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro -v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro -v /var/lib/yggdrasil/data/pod-lrproxy/etc-letsencrypt:/etc/letsencrypt:ro --name=pod-lrproxy-nginx docker.io/library/nginx
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-lrproxy-nginx.ctr-id -t 10 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-lrproxy-nginx.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-lrproxy-nginx.ctr-id ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-lrproxy-nginx.ctr-id
PIDFile=%t/container-lrproxy-nginx.pid PIDFile=%t/container-lrproxy-nginx.pid

View File

@ -7,5 +7,5 @@ BindsTo=pod-lrproxy.service
After=pod-lrproxy.service After=pod-lrproxy.service
[Service] [Service]
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy -o "StrictHostKeyChecking=no"' -avz {{ vpn_wg0_remote_address }}:/var/lib/valkyrie/data/pod-rproxy/etc_letsencrypt/_data/ /var/lib/yggdrasil/data/pod-lrproxy/etc_letsencrypt/_data ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' -avz {{ vpn_wg0_remote_address }}:/var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/ /var/lib/yggdrasil/data/pod-lrproxy/etc-letsencrypt
Type=oneshot Type=oneshot

View File

@ -0,0 +1,15 @@
- name: Create volume data directory for user {{ service_user_name }}
file:
path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
state: directory
owner: "{{ service_user_name }}"
group: "{{ service_user_name }}"
mode: 0755
- name: Create etc-letsencrypt directory for user {{ service_user_name }}
file:
path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}/etc-letsencrypt"
state: directory
owner: "{{ service_user_name }}"
group: "{{ service_user_name }}"
mode: 0755

View File

@ -0,0 +1,15 @@
- name: Create volume data directory for user {{ service_user_name }}
file:
path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}"
state: directory
owner: "{{ service_user_name }}"
group: "{{ service_user_name }}"
mode: 0755
- name: Create etc-letsencrypt directory for user {{ service_user_name }}
file:
path: "/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}/etc-letsencrypt"
state: directory
owner: "{{ service_user_name }}"
group: "{{ service_user_name }}"
mode: 0755

View File

@ -0,0 +1,11 @@
- name: Create data dataset for user {{ service_user_name }}
zfs:
name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}
state: present
extra_zfs_properties:
canmount: "off"
- name: Create etc-letsencrypt dataset for user {{ service_user_name }}
zfs:
name: rpool/var/lib/{{ ansible_hostname }}/data/{{ service_user_name }}/etc-letsencrypt
state: present

View File

@ -38,7 +38,7 @@
user: pod-rproxy user: pod-rproxy
state: present state: present
key: "{{ rsync_keypair.public_key }}" key: "{{ rsync_keypair.public_key }}"
key_options: command="rsync --server --sender -avz . /var/lib/valkyrie/data/pod-rproxy/etc_letsencrypt/_data/",from="{{ vpn_wg0_address}}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding key_options: command="rsync --server --sender -avz . /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/",from="{{ vpn_wg0_address}}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding
- name: Record changes - name: Record changes
set_fact: set_fact: