From 124d8660db2dfed6823e7e253a15d649759028b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?=
Date: Fri, 25 Nov 2022 00:16:10 +0100
Subject: [PATCH 1/6] Moved membersystem image.

---
 roles/docker/tasks/services/membersystem.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml
index 2d2a38d0..671b026f 100644
--- a/roles/docker/tasks/services/membersystem.yml
+++ b/roles/docker/tasks/services/membersystem.yml
@@ -8,7 +8,7 @@
 version: "3"
 services:
 backend:
- image: docker.data.coop/member.data.coop:latest
+ image: docker.data.coop/membersystem:latest
 restart: always
 user: $UID:$GID
 tty: true

From 5a63e8e1a8e43346a70a2568229f976b7e91d575 Mon Sep 17 00:00:00 2001
From: Sam A
Date: Fri, 25 Nov 2022 13:07:09 +0000
Subject: [PATCH 2/6] Vagrant-based testing environment (#111)

Co-authored-by: Sam A.
Co-committed-by: Sam A.
---
 Vagrantfile | 47 ++++++++++++-------
 playbook.yml | 9 ++--
 .../docker/tasks/services/docker_registry.yml | 5 +-
 roles/docker/tasks/services/mailu.yml | 3 +-
 roles/docker/tasks/services/nginx-proxy.yml | 1 +
 roles/ubuntu_base/tasks/base.yml | 17 ++++---
 ...custom-apt-repos.yml => dell-apt-repo.yml} | 12 ++---
 roles/ubuntu_base/tasks/main.yml | 13 +++--
 roles/ubuntu_base/tasks/ssh-port.yml | 20 ++++++++
 9 files changed, 84 insertions(+), 43 deletions(-)
 rename roles/ubuntu_base/tasks/{custom-apt-repos.yml => dell-apt-repo.yml} (68%)
 create mode 100644 roles/ubuntu_base/tasks/ssh-port.yml

diff --git a/Vagrantfile b/Vagrantfile
index 28f2e28b..7d00af1e 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,24 +1,35 @@ -Vagrant.require_version ">= 1.7.0" +Vagrant.require_version ">= 2.0.0" +PORT = 19022 + +def provisioned?(vm="default", provider="virtualbox") + File.exist?(".vagrant/machines/#{vm}/#{provider}/action_provision") +end Vagrant.configure(2) do |config| + config.vm.network :private_network, ip: "192.168.56.10" + config.vm.network :forwarded_port, guest: PORT, host: PORT - config.vm.define "datacoop" do |datacoop| - datacoop.vm.box = "ubuntu/bionic64" - datacoop.vm.hostname = "datacoop" - datacoop.vm.provider "virtualbox" do |v| - v.memory = 4096 - end - datacoop.vm.network "private_network", ip: "192.168.0.42" - datacoop.vm.provision "ansible" do |ansible| - ansible.verbose = "v" - ansible.compatibility_mode = "2.0" - ansible.playbook = "playbook.yml" - ansible.ask_vault_pass = true - ansible.host_vars = { - "datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"} - } - ansible.groups = { - "all" => ["datacoop"] + config.vm.box = "ubuntu/focal64" + config.vm.hostname = "datacoop" + + config.vm.provider :virtualbox do |v| + v.memory = 4096 + end + + config.vm.provision :ansible do |ansible| + ansible.compatibility_mode = "2.0" + ansible.playbook = "playbook.yml" + ansible.ask_vault_pass = true + ansible.verbose = "v" + ansible.extra_vars = { + base_domain: "datacoop.devel" + } + + # If the VM is already provisioned, we need to use the new port + if provisioned? + config.ssh.guest_port = PORT + ansible.extra_vars = { + ansible_port: PORT } end end diff --git a/playbook.yml b/playbook.yml index 1b98c5d7..ba93281a 100644 --- a/playbook.yml +++ b/playbook.yml 
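Review bot: The second `ansible.extra_vars = { ansible_port: PORT }` inside the `if provisioned?` branch replaces the hash assigned a few lines earlier, so on every run after the first the `base_domain: "datacoop.devel"` override is dropped and the play silently falls back to the production `base_domain` from playbook.yml. Extend the existing hash instead of reassigning it, e.g. `ansible.extra_vars = ansible.extra_vars.merge(ansible_port: PORT)`, keeping `config.ssh.guest_port = PORT` in the same conditional. Separately, `config.vm.network :forwarded_port, guest: PORT, host: PORT` gives no `host_ip:`, and Vagrant binds a forwarded port on every host interface when it is omitted, so the dev box's SSH port is reachable from the host's network; adding `host_ip: "127.0.0.1"` limits it to the local machine. Note that `provisioned?` keys on a VirtualBox-specific path, so the port switch will not trigger under another provider.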
@@ -1,19 +1,22 @@ --- - hosts: all - gather_facts: False + gather_facts: true become: true vars: base_domain: data.coop letsencrypt_email: admin@data.coop ldap_dn: "dc=data,dc=coop" + vagrant: "{{ ansible_virtualization_role == 'guest' }}" + letsencrypt_enabled: "{{ not vagrant }}" + services: - nginx-proxy + - postfix - openldap - nextcloud - passit - gitea - - postfix - matrix_riot - privatebin - codimd @@ -36,6 +39,6 @@ - import_role: name: ubuntu_base tags: - - base_only + - base_only - import_role: name: docker diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 975db503..3e538023 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml @@ -28,9 +28,8 @@ args: creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" -- name: log in to local registry +- name: log in to registry docker_login: - registry: "{{ docker_registry.domain }}" + registry: "docker.data.coop" username: "docker" password: "{{ docker_password }}" - config_path: "{{ docker_registry.volume_folder }}/auth/config.json" diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index e53d92cb..3c28dee3 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml @@ -28,7 +28,7 @@ dest: "{{ mailu.volume_folder }}/certs/cert.pem" state: hard force: yes - + when: letsencrypt_enabled - name: hard link to Let's Encrypt TLS key file: @@ -36,6 +36,7 @@ dest: "{{ mailu.volume_folder }}/certs/key.pem" state: hard force: yes + when: letsencrypt_enabled - name: run mail server containers docker_compose: diff --git a/roles/docker/tasks/services/nginx-proxy.yml b/roles/docker/tasks/services/nginx-proxy.yml index 58154919..6dfbf751 100644 --- a/roles/docker/tasks/services/nginx-proxy.yml +++ b/roles/docker/tasks/services/nginx-proxy.yml 
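Review bot: `vagrant: "{{ ansible_virtualization_role == 'guest' }}"` classifies any virtualised host as the Vagrant dev box, and this flag now gates Let's Encrypt (through `letsencrypt_enabled`), the restic backup and the Dell repo in the other hunks, so if the production host is ever itself a VM or cloud instance those tasks are skipped with no error, leaving it without certificate renewal or backups. It is safer to make the flag opt-in: declare `vagrant: false` here and have the Vagrantfile pass `vagrant: true` in `ansible.extra_vars`, which takes precedence over play vars. If the virtualization check is kept, at least tie it to the dev domain, e.g. `vagrant: "{{ ansible_virtualization_role == 'guest' and base_domain == 'datacoop.devel' }}"`.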
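Review bot: With `config_path` removed, `docker_login` now stores the `docker` / `docker_password` credential for the hard-coded `docker.data.coop` in root's default `~/.docker/config.json` (as an unencrypted base64 `auth` entry unless a credential helper is configured) on every host the play touches, including the Vagrant box, which now logs in to the production registry with the production secret. If dev boxes only need to pull, a separate read-only registry account for non-production runs, or an explicit `config_path` outside the default location, would keep the production write credential off them. The hostname should also come from `docker_registry.domain` or a dedicated variable rather than a literal, since the surrounding tasks still use the `docker_registry` variable; I cannot see from here whether anything else still reads the old `auth/config.json` path.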
@@ -44,4 +44,5 @@ - /var/run/docker.sock:/var/run/docker.sock:ro env: NGINX_PROXY_CONTAINER: nginx-proxy + when: letsencrypt_enabled diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index f4ed43f6..63e452c6 100644 --- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml @@ -4,13 +4,16 @@ name: "{{ packages }}" vars: packages: - - aptitude - - python3-pip - - apparmor - - haveged - - mosh - - ufw - - srvadmin-all # Dell OpenManage + - aptitude + - python3-pip + - apparmor + - haveged + - mosh + +- name: Install Dell OpenManage + apt: + name: srvadmin-all + when: not vagrant - name: Install necessary packages via pip pip: diff --git a/roles/ubuntu_base/tasks/custom-apt-repos.yml b/roles/ubuntu_base/tasks/dell-apt-repo.yml similarity index 68% rename from roles/ubuntu_base/tasks/custom-apt-repos.yml rename to roles/ubuntu_base/tasks/dell-apt-repo.yml index 7bb042d6..b7d9d48c 100644 --- a/roles/ubuntu_base/tasks/custom-apt-repos.yml +++ b/roles/ubuntu_base/tasks/dell-apt-repo.yml @@ -1,15 +1,15 @@ --- -- name: import dell apt signing key +- name: Import dell apt signing key apt_key: id: "1285491434D8786F" keyserver: "keyserver.ubuntu.com" -- name: "configure dell apt repo" +- name: Configure dell apt repo apt_repository: repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main" - state: "present" + state: present -- name: "restrict dell apt repo" +- name: Restrict dell apt repo" copy: dest: "/etc/apt/preferences.d/dell" content: | @@ -17,7 +17,3 @@ Package: * Pin: origin "linux.dell.com" Pin-Priority: 400 - -- name: update apt cache - apt: - update_cache: yes diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index dddc5089..a34d5b09 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml 
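Review bot: The renamed task `- name: Restrict dell apt repo"` carries a stray trailing `"` introduced by this commit; it should read `- name: Restrict dell apt repo`. On the key import, `apt_key` with `keyserver: keyserver.ubuntu.com` fetches by a 64-bit key ID (`1285491434D8786F`) rather than a full fingerprint, typically over plain HKP, and `apt-key` itself is deprecated on current Ubuntu; downloading Dell's key over HTTPS into `/etc/apt/keyrings/dell.gpg`, checking its full fingerprint, and referencing it with `signed-by=` in the `deb` line would make the trust explicit. Dropping the separate `update apt cache` task is fine since `apt_repository` refreshes the cache by default.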
@@ -1,12 +1,19 @@ --- -- import_tasks: custom-apt-repos.yml - tags: [setup-custom-apt] +- import_tasks: ssh-port.yml + tags: [change-ssh-port] + +- import_tasks: dell-apt-repo.yml + tags: [setup-dell-apt-repo] + when: not vagrant + - import_tasks: upgrade.yml tags: [do-full-system-upgrade] + - import_tasks: base.yml tags: [install-base-packages] + - import_tasks: users.yml tags: [setup-users] + - import_tasks: firewall.yml tags: [setup-firewall] - diff --git a/roles/ubuntu_base/tasks/ssh-port.yml b/roles/ubuntu_base/tasks/ssh-port.yml new file mode 100644 index 00000000..1935168d --- /dev/null +++ b/roles/ubuntu_base/tasks/ssh-port.yml @@ -0,0 +1,20 @@ +--- +- name: Change SSH port on host + lineinfile: + dest: "/etc/ssh/sshd_config" + regexp: "^#?Port " + line: "Port 19022" + register: ssh_changed + +- name: Restart sshd + service: + name: sshd + state: restarted + when: ssh_changed is defined and + ssh_changed.changed + +- name: Change Ansible port to 19022 + set_fact: + ansible_port: 19022 + when: ssh_changed is defined and + ssh_changed.changed From 814a268965b5710ba1b532f502c83822ce58f65c Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 25 Nov 2022 21:37:14 +0100 Subject: [PATCH 3/6] Don't enable Restic Backup in Vagrant --- roles/docker/tasks/services/restic-backup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/docker/tasks/services/restic-backup.yml b/roles/docker/tasks/services/restic-backup.yml index 3b0a9e3c..aa36a42a 100644 --- a/roles/docker/tasks/services/restic-backup.yml +++ b/roles/docker/tasks/services/restic-backup.yml @@ -36,3 +36,4 @@ RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" TZ: Europe/copenhagen + when: not vagrant From 439a538c141a2a7ccbd8c2828bb3b293c932d317 Mon Sep 17 00:00:00 2001 
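Review bot: The `lineinfile` that rewrites `/etc/ssh/sshd_config` has no `validate:`, so a malformed result is only discovered when the next task restarts sshd, at which point the daemon stays down and the host becomes unreachable; add `validate: "/usr/sbin/sshd -t -f %s"` to that task. The same applies to the firewall ordering: main.yml now imports `ssh-port.yml` before `firewall.yml`, so if the ufw rules only allow port 22 (not visible here) the restart moves sshd to 19022 before that port is opened and the next connection is blocked; open 19022 before restarting, or run this file after the firewall tasks. `set_fact: ansible_port` covers the rest of this play but does not persist, so the inventory must also be updated to 19022 after the first run (the Vagrantfile does this via `provisioned?`); the `ssh_changed is defined and` part of the two `when:` clauses is redundant since `register` always sets it.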
From: Sam Al-Sapti Date: Fri, 25 Nov 2022 21:41:37 +0100 Subject: [PATCH 4/6] Lint --- roles/docker/tasks/services/restic-backup.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/restic-backup.yml b/roles/docker/tasks/services/restic-backup.yml index aa36a42a..c7452927 100644 --- a/roles/docker/tasks/services/restic-backup.yml +++ b/roles/docker/tasks/services/restic-backup.yml @@ -1,8 +1,9 @@ --- -- name: setup restic backup +- name: Setup restic backup + when: not vagrant docker_compose: project_name: restic_backup - pull: yes + pull: true definition: version: '3.6' services: @@ -27,7 +28,7 @@ TZ: Europe/Copenhagen volumes: - /docker-volumes:/mnt/volumes:ro - + restic-prune: image: "mazzolino/restic:1.6.0" environment: @@ -36,4 +37,3 @@ RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" TZ: Europe/copenhagen - when: not vagrant From 67a8c3d1a224208b2594b351ae556e3b2417e47e Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 25 Nov 2022 22:04:14 +0100 Subject: [PATCH 5/6] Add missing services to playbook.yml --- playbook.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbook.yml b/playbook.yml index ba93281a..66068c25 100644 --- a/playbook.yml +++ b/playbook.yml @@ -14,12 +14,15 @@ - nginx-proxy - postfix - openldap + - keycloak + - restic-backup - nextcloud - passit - gitea - matrix_riot - privatebin - codimd + - hedgedoc - netdata - docker_registry - drone From fa603b07d915773827edf73b02311db306d5a427 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 25 Nov 2022 22:04:38 +0100 Subject: [PATCH 6/6] Upgrade HedgeDoc to 1.9.6 --- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index ea7b38d3..7a68f372 100644 
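Review bot: The `restic-prune` environment shown as context at the end of this hunk still has `TZ: Europe/copenhagen` (lower-case c), while `restic-backup` in the previous hunk uses `TZ: Europe/Copenhagen`; zoneinfo names are case-sensitive on Linux, so the prune container's timezone probably does not resolve and it runs on UTC, which is worth fixing in a commit titled "Lint". Change it to `TZ: Europe/Copenhagen`. Moving `when: not vagrant` up to sit beside `name:` is the right place for it, since the block's own hunk boundaries leave the task's remaining keys outside this view.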
--- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -34,7 +34,7 @@ - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:1.9.0 + image: quay.io/hedgedoc/hedgedoc:1.9.6 environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ hedgedoc.domain }}" @@ -63,4 +63,4 @@ networks: hedgedoc: external_services: - external: true \ No newline at end of file + external: true