diff --git a/Vagrantfile b/Vagrantfile
index 28f2e28b..7d00af1e 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,24 +1,35 @@
-Vagrant.require_version ">= 1.7.0"
+Vagrant.require_version ">= 2.0.0"
+PORT = 19022
+
+def provisioned?(vm="default", provider="virtualbox")
+ File.exist?(".vagrant/machines/#{vm}/#{provider}/action_provision")
+end
 Vagrant.configure(2) do |config|
+ config.vm.network :private_network, ip: "192.168.56.10"
+ config.vm.network :forwarded_port, guest: PORT, host: PORT
- config.vm.define "datacoop" do |datacoop|
- datacoop.vm.box = "ubuntu/bionic64"
- datacoop.vm.hostname = "datacoop"
- datacoop.vm.provider "virtualbox" do |v|
- v.memory = 4096
- end
- datacoop.vm.network "private_network", ip: "192.168.0.42"
- datacoop.vm.provision "ansible" do |ansible|
- ansible.verbose = "v"
- ansible.compatibility_mode = "2.0"
- ansible.playbook = "playbook.yml"
- ansible.ask_vault_pass = true
- ansible.host_vars = {
- "datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"}
- }
- ansible.groups = {
- "all" => ["datacoop"]
+ config.vm.box = "ubuntu/focal64"
+ config.vm.hostname = "datacoop"
+
+ config.vm.provider :virtualbox do |v|
+ v.memory = 4096
+ end
+
+ config.vm.provision :ansible do |ansible|
+ ansible.compatibility_mode = "2.0"
+ ansible.playbook = "playbook.yml"
+ ansible.ask_vault_pass = true
+ ansible.verbose = "v"
+ ansible.extra_vars = {
+ base_domain: "datacoop.devel"
+ }
+
+ # If the VM is already provisioned, we need to use the new port
+ if provisioned?
+ config.ssh.guest_port = PORT
+ ansible.extra_vars = {
+ ansible_port: PORT
+ }
 end
 end
diff --git a/playbook.yml b/playbook.yml
index 1b98c5d7..66068c25 100644
--- a/playbook.yml
+++ b/playbook.yml
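Review bot: The second `ansible.extra_vars = { ansible_port: PORT }` inside `if provisioned?` replaces the hash assigned a few lines earlier, so `base_domain: "datacoop.devel"` is dropped on every run after the first and the play falls back to its `data.coop` default. Build the hash once and extend it, e.g. `ansible.extra_vars = ansible.extra_vars.merge(ansible_port: PORT) if provisioned?`, or collect the vars in a local before assigning. Separately, `config.vm.network :forwarded_port, guest: PORT, host: PORT` binds the SSH forward on all host interfaces by default; adding `host_ip: "127.0.0.1"` keeps the dev VM's SSH port reachable from the host only. The `provisioned?` helper could also carry a one-line comment saying it keys off Vagrant's `action_provision` marker file, since that path is otherwise undocumented.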
@@ -1,22 +1,28 @@
 ---
 - hosts: all
- gather_facts: False
+ gather_facts: true
 become: true
 vars:
 base_domain: data.coop
 letsencrypt_email: admin@data.coop
 ldap_dn: "dc=data,dc=coop"
+ vagrant: "{{ ansible_virtualization_role == 'guest' }}"
+ letsencrypt_enabled: "{{ not vagrant }}"
+
 services:
 - nginx-proxy
+ - postfix
 - openldap
+ - keycloak
+ - restic-backup
 - nextcloud
 - passit
 - gitea
- - postfix
 - matrix_riot
 - privatebin
 - codimd
+ - hedgedoc
 - netdata
 - docker_registry
 - drone
@@ -36,6 +42,6 @@
 - import_role:
 name: ubuntu_base
 tags:
- - base_only
+ - base_only
 - import_role:
 name: docker
diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml
index a88a7074..3e538023 100644
--- a/roles/docker/tasks/services/docker_registry.yml
+++ b/roles/docker/tasks/services/docker_registry.yml
@@ -30,6 +30,6 @@
 - name: log in to registry
 docker_login:
- registry: "{{ docker_registry.domain }}"
+ registry: "docker.data.coop"
 username: "docker"
 password: "{{ docker_password }}"
diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml
index e53d92cb..3c28dee3 100644
--- a/roles/docker/tasks/services/mailu.yml
+++ b/roles/docker/tasks/services/mailu.yml
@@ -28,7 +28,7 @@
 dest: "{{ mailu.volume_folder }}/certs/cert.pem"
 state: hard
 force: yes
-
+ when: letsencrypt_enabled
 - name: hard link to Let's Encrypt TLS key
 file:
@@ -36,6 +36,7 @@
 dest: "{{ mailu.volume_folder }}/certs/key.pem"
 state: hard
 force: yes
+ when: letsencrypt_enabled
 - name: run mail server containers
 docker_compose:
diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml
index 01c1b53c..876fdcae 100644
--- a/roles/docker/tasks/services/membersystem.yml
+++ b/roles/docker/tasks/services/membersystem.yml
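Review bot: `vagrant: "{{ ansible_virtualization_role == 'guest' }}"` treats every virtualised host as the dev VM, so if the production machine is ever itself a VM or cloud instance, `letsencrypt_enabled` turns false and the new `when: not vagrant` guards in restic-backup.yml, base.yml (Dell OpenManage) and ubuntu_base main.yml (dell-apt-repo.yml) silently skip backups and TLS setup. It is safer to declare `vagrant: false` here as the default and have the Vagrantfile set it explicitly through extra_vars, which override play vars, e.g. `ansible.extra_vars = { base_domain: "datacoop.devel", vagrant: true }`. A short comment on the two derived vars explaining that Vagrant has no public DNS and therefore no ACME issuance would help the next reader.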
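Review bot: `registry: "docker.data.coop"` in docker_registry.yml hard-codes the production hostname where the rest of the role derives names from `base_domain`, so in the Vagrant VM (`base_domain: datacoop.devel`) this task logs the dev box into the live registry with the production `docker_password`. If that is intended because the membersystem image (`docker.data.coop/membersystem:latest`) is only built for the production registry, say so in a comment such as `# always the production registry; images are not built inside the dev VM` and consider a dedicated read-only credential for non-production hosts; otherwise keep it derived, e.g. `registry: "docker.{{ base_domain }}"`. The enclosing task list starts outside this hunk.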
@@ -8,7 +8,7 @@
 version: "3"
 services:
 backend:
- image: docker.data.coop/member.data.coop:latest
+ image: docker.data.coop/membersystem:latest
 restart: always
 user: $UID:$GID
 tty: true
diff --git a/roles/docker/tasks/services/nginx-proxy.yml b/roles/docker/tasks/services/nginx-proxy.yml
index 58154919..6dfbf751 100644
--- a/roles/docker/tasks/services/nginx-proxy.yml
+++ b/roles/docker/tasks/services/nginx-proxy.yml
@@ -44,4 +44,5 @@
 - /var/run/docker.sock:/var/run/docker.sock:ro
 env:
 NGINX_PROXY_CONTAINER: nginx-proxy
+ when: letsencrypt_enabled
diff --git a/roles/docker/tasks/services/restic-backup.yml b/roles/docker/tasks/services/restic-backup.yml
index 3b0a9e3c..c7452927 100644
--- a/roles/docker/tasks/services/restic-backup.yml
+++ b/roles/docker/tasks/services/restic-backup.yml
@@ -1,8 +1,9 @@
 ---
-- name: setup restic backup
+- name: Setup restic backup
+ when: not vagrant
 docker_compose:
 project_name: restic_backup
- pull: yes
+ pull: true
 definition:
 version: '3.6'
 services:
@@ -27,7 +28,7 @@
 TZ: Europe/Copenhagen
 volumes:
 - /docker-volumes:/mnt/volumes:ro
-
+
 restic-prune:
 image: "mazzolino/restic:1.6.0"
 environment:
diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml
index f4ed43f6..63e452c6 100644
--- a/roles/ubuntu_base/tasks/base.yml
+++ b/roles/ubuntu_base/tasks/base.yml
@@ -4,13 +4,16 @@
 name: "{{ packages }}"
 vars:
 packages:
- - aptitude
- - python3-pip
- - apparmor
- - haveged
- - mosh
- - ufw
- - srvadmin-all # Dell OpenManage
+ - aptitude
+ - python3-pip
+ - apparmor
+ - haveged
+ - mosh
+
+- name: Install Dell OpenManage
+ apt:
+ name: srvadmin-all
+ when: not vagrant
 - name: Install necessary packages via pip
 pip:
diff --git a/roles/ubuntu_base/tasks/custom-apt-repos.yml b/roles/ubuntu_base/tasks/dell-apt-repo.yml
similarity index 68%
rename from roles/ubuntu_base/tasks/custom-apt-repos.yml
rename to roles/ubuntu_base/tasks/dell-apt-repo.yml
index 7bb042d6..b7d9d48c 100644
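Review bot: The rewritten `packages:` list in base.yml drops `ufw` along with `srvadmin-all`, but only the Dell package is re-added as its own task, so `ufw` is no longer installed by this role while main.yml still imports firewall.yml afterwards; on a host that does not ship ufw preinstalled the firewall step will presumably fail, and no firewall at all is worse than a failed play. If the omission is deliberate because the focal images already carry ufw, add a comment saying so next to the list; otherwise restore `- ufw`. The enclosing apt task starts outside this hunk.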
--- a/roles/ubuntu_base/tasks/custom-apt-repos.yml
+++ b/roles/ubuntu_base/tasks/dell-apt-repo.yml
@@ -1,15 +1,15 @@
 ---
-- name: import dell apt signing key
+- name: Import dell apt signing key
 apt_key:
 id: "1285491434D8786F"
 keyserver: "keyserver.ubuntu.com"
-- name: "configure dell apt repo"
+- name: Configure dell apt repo
 apt_repository:
 repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main"
- state: "present"
+ state: present
-- name: "restrict dell apt repo"
+- name: Restrict dell apt repo"
 copy:
 dest: "/etc/apt/preferences.d/dell"
 content: |
@@ -17,7 +17,3 @@
 Package: *
 Pin: origin "linux.dell.com"
 Pin-Priority: 400
-
-- name: update apt cache
- apt:
- update_cache: yes
diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml
index dddc5089..a34d5b09 100644
--- a/roles/ubuntu_base/tasks/main.yml
+++ b/roles/ubuntu_base/tasks/main.yml
@@ -1,12 +1,19 @@
 ---
-- import_tasks: custom-apt-repos.yml
- tags: [setup-custom-apt]
+- import_tasks: ssh-port.yml
+ tags: [change-ssh-port]
+
+- import_tasks: dell-apt-repo.yml
+ tags: [setup-dell-apt-repo]
+ when: not vagrant
+
 - import_tasks: upgrade.yml
 tags: [do-full-system-upgrade]
+
 - import_tasks: base.yml
 tags: [install-base-packages]
+
 - import_tasks: users.yml
 tags: [setup-users]
+
 - import_tasks: firewall.yml
 tags: [setup-firewall]
-
diff --git a/roles/ubuntu_base/tasks/ssh-port.yml b/roles/ubuntu_base/tasks/ssh-port.yml
new file mode 100644
index 00000000..1935168d
--- /dev/null
+++ b/roles/ubuntu_base/tasks/ssh-port.yml
@@ -0,0 +1,20 @@
+---
+- name: Change SSH port on host
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "^#?Port "
+ line: "Port 19022"
+ register: ssh_changed
+
+- name: Restart sshd
+ service:
+ name: sshd
+ state: restarted
+ when: ssh_changed is defined and
+ ssh_changed.changed
+
+- name: Change Ansible port to 19022
+ set_fact:
+ ansible_port: 19022
+ when: ssh_changed is defined and
+ ssh_changed.changed
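Review bot: `- name: Restrict dell apt repo"` keeps a stray trailing quote after the quotes were removed from the other two task names; it is valid YAML but ends up in the task title, so it should read `- name: Restrict dell apt repo`. While this file is being touched, it is worth a comment that `apt_key` installs the Dell key into the system-wide trusted keyring, so the pin priority in `/etc/apt/preferences.d/dell` limits which packages win, not what the key may sign; a `signed-by` keyring scoped to this one repo is the narrower option when the role is next reworked. The removed `update apt cache` task is covered by `apt_repository`'s default cache refresh, so that deletion looks fine.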
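Review bot: In main.yml `ssh-port.yml` is imported first, ahead of `firewall.yml`, so on a host whose firewall currently allows only port 22 sshd is restarted on 19022 before any rule for the new port exists; the running Ansible connection survives, but if the play stops between those two imports the host is unreachable over SSH. Either open the new port in firewall.yml (not shown in this diff, so this is inferred) before the sshd restart, or import `ssh-port.yml` after `firewall.yml` with a comment like `# firewall must allow the new port before sshd moves to it`. The rename of `custom-apt-repos.yml` to `dell-apt-repo.yml` and the `when: not vagrant` guard look fine.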
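Review bot: In ssh-port.yml the port `19022` is spelled out three times (`line: "Port 19022"`, `ansible_port: 19022`, the task name) and a fourth time as `PORT` in the Vagrantfile, so a future change is easy to get half right; a single role variable, e.g. `ssh_port: 19022` used as `line: "Port {{ ssh_port }}"` and `ansible_port: "{{ ssh_port }}"`, keeps them in step. The `lineinfile` edit is applied and sshd restarted without checking the result, so a malformed `sshd_config` would be loaded by the restart and could lock the host out; `lineinfile` supports `validate: "/usr/sbin/sshd -t -f %s"` for exactly this. The two `when: ssh_changed is defined and ssh_changed.changed` conditions can be the idiomatic `when: ssh_changed is changed`, since `register` always defines the variable.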