Many improvements

This commit is contained in:
Sam A. 2023-11-13 21:17:17 +01:00
parent 0616ed1b38
commit d726d95557
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
21 changed files with 206 additions and 56 deletions

View file

@ -1,7 +1,7 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
encrypted_fs: /data data_fs: /data
hostname: "{{ inventory_hostname }}" hostname: "{{ inventory_hostname }}"
timezone: Europe/Copenhagen timezone: Europe/Copenhagen

View file

@ -1,5 +1,7 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
apps_base_domain: sapti.me
db_inventory_hostname: sapt-labp-db01 db_inventory_hostname: sapt-labp-db01
db_host: "{{ hostvars[db_inventory_hostname].fqdn }}" db_host: "{{ hostvars[db_inventory_hostname].fqdn }}"

View file

@ -1,9 +1,6 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
apps_data_root: "{{ encrypted_fs }}/apps"
docker_data_root: "{{ encrypted_fs }}/docker"
redis_passwords: redis_passwords:
nextcloud: "{{ vault_redis_passwords.nextcloud }}" nextcloud: "{{ vault_redis_passwords.nextcloud }}"

View file

@ -1,4 +0,0 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
postgresql_pgdata: "{{ encrypted_fs }}/pgsql/{{ postgresql_version }}/data"

View file

@ -16,7 +16,7 @@ sapt-labs-db01 ansible_host=192.168.17.60
sapt-labr-prx01 ansible_host=192.168.17.10 sapt-labr-prx01 ansible_host=192.168.17.10
sapt-labr-prx02 ansible_host=192.168.17.11 sapt-labr-prx02 ansible_host=192.168.17.11
[monitoring_shrd] [monitor_shrd]
sapt-labr-mon01 ansible_host=192.168.17.20 sapt-labr-mon01 ansible_host=192.168.17.20
[proxmox_infra] [proxmox_infra]
@ -45,6 +45,12 @@ app_stage
db_prod db_prod
db_stage db_stage
[proxyservers:children]
proxy_shrd
[monitorservers:children]
monitor_shrd
[virtualservers:children] [virtualservers:children]
production production
staging staging

View file

@ -1,9 +1,8 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
apps_base_domain: sapti.me apps_data_root: "{{ data_fs }}/apps"
apps_local_domain: local.{{ apps_base_domain }} apps_local_domain: local.{{ apps_base_domain }}
apps_data_root: /apps
apps_shared_docker_network: apps_network apps_shared_docker_network: apps_network
apps_postfix_docker_network: postfix_network apps_postfix_docker_network: postfix_network
@ -61,7 +60,7 @@ apps_vars:
backup: false backup: false
sender: false sender: false
extra_tasks: false extra_tasks: false
version: '1.7.0' version: '1.7.1'
apps_include: "{{ apps_vars | dict2items | map(attribute='key') | list }}" apps_include: "{{ apps_vars | dict2items | map(attribute='key') | list }}"
apps_backup: "{{ apps_vars | dict2items | selectattr('value.backup', 'true') | map(attribute='key') | list | intersect(apps_include) }}" apps_backup: "{{ apps_vars | dict2items | selectattr('value.backup', 'true') | map(attribute='key') | list | intersect(apps_include) }}"

View file

@ -1,4 +0,0 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
docker_data_root: /var/lib/docker

View file

@ -1,5 +1,4 @@
{ {
"data-root": "{{ docker_data_root }}",
"experimental": true, "experimental": true,
"ip6tables": true "ip6tables": true
} }

View file

@ -28,8 +28,8 @@
state: present state: present
- name: Copy Docker daemon config file - name: Copy Docker daemon config file
ansible.builtin.template: ansible.builtin.copy:
src: etc/docker/daemon.json.j2 src: etc/docker/daemon.json
dest: /etc/docker/daemon.json dest: /etc/docker/daemon.json
owner: root owner: root
mode: u=rw,g=r,o=r mode: u=rw,g=r,o=r

View file

@ -1,7 +1,5 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
postgresql_version: 16 postgresql_pgdata: "{{ data_fs }}/pgsql/{{ postgresql_version }}/data"
postgresql_pgdata_default: /var/lib/pgsql/{{ postgresql_version }}/data
postgresql_pgdata: "{{ postgresql_pgdata_default }}"
postgresql_service: postgresql-{{ postgresql_version }} postgresql_service: postgresql-{{ postgresql_version }}

View file

@ -23,7 +23,7 @@
- python{{ ansible_python.version.major }}-psycopg2 - python{{ ansible_python.version.major }}-psycopg2
state: present state: present
- name: Create PostgreSQL service override directory - name: Create PostgreSQL service override folder
ansible.builtin.file: ansible.builtin.file:
path: /etc/systemd/system/{{ postgresql_service }}.service.d path: /etc/systemd/system/{{ postgresql_service }}.service.d
owner: root owner: root
@ -36,12 +36,18 @@
dest: /etc/systemd/system/{{ postgresql_service }}.service.d/override.conf dest: /etc/systemd/system/{{ postgresql_service }}.service.d/override.conf
owner: root owner: root
mode: u=rw,g=r,o=r mode: u=rw,g=r,o=r
when: postgresql_pgdata != postgresql_pgdata_default
notify: Reload systemd notify: Reload systemd
- name: Flush handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers
- name: Create PGDATA folder
ansible.builtin.file:
path: "{{ postgresql_pgdata }}"
owner: root
mode: u=rwx,g=rx,o=rx
state: directory
- name: Initialize database - name: Initialize database
ansible.builtin.command: ansible.builtin.command:
cmd: /usr/pgsql-{{ postgresql_version }}/bin/postgresql-{{ postgresql_version }}-setup initdb cmd: /usr/pgsql-{{ postgresql_version }}/bin/postgresql-{{ postgresql_version }}-setup initdb

View file

@ -1,8 +1,8 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
proxy_data_root: /proxy proxy_data_root: "{{ data_fs }}/proxy"
proxy_mode: global proxy_caddy_version: '2.7.4'
proxy_vars: proxy_vars:
production: production:

View file

@ -0,0 +1,8 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Build custom Docker image for Caddy
ansible.builtin.command:
cmd: docker compose build
chdir: "{{ proxy_data_root }}/{{ proxy_mode }}"
warn: false

View file

@ -1,9 +1,69 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
# code: language=ansible # code: language=ansible
--- ---
- name: Create base folder
ansible.builtin.file:
path: "{{ proxy_data_root }}"
owner: root
mode: u=rwx,g=rx,o=rx
state: directory
- name: Create folder for Caddy
ansible.builtin.file:
path: "{{ proxy_data_root }}/{{ proxy_mode }}"
owner: root
mode: u=rwx,go=
state: directory
- name: Create build folder for Caddy
ansible.builtin.file:
path: "{{ proxy_data_root }}/{{ proxy_mode }}/build"
owner: root
mode: u=rwx,g=rx,o=rx
state: directory
- name: Copy Compose file for Caddy
ansible.builtin.template:
src: docker/docker-compose.yml.j2
dest: "{{ proxy_data_root }}/{{ proxy_mode }}/docker-compose.yml"
owner: root
mode: u=rw,go=
- name: Copy Dockerfile for Caddy
ansible.builtin.template:
src: docker/Dockerfile.j2
dest: "{{ proxy_data_root }}/{{ proxy_mode }}/build/Dockerfile"
owner: root
mode: u=rw,g=r,o=r
notify: Build custom Docker image for Caddy
- name: Create data folder for Caddy
ansible.builtin.file:
path: "{{ proxy_data_root }}/{{ proxy_mode }}/data"
owner: root
mode: u=rwx,g=rx,o=rx
state: directory
- name: Copy Caddyfile - name: Copy Caddyfile
ansible.builtin.template: ansible.builtin.template:
src: caddy/{{ proxy_mode }}.Caddyfile.j2 src: caddy/{{ proxy_mode }}.Caddyfile.j2
dest: "{{ proxy_data_root }}/caddy/data/Caddyfile" dest: "{{ proxy_data_root }}/{{ proxy_mode }}/data/Caddyfile"
owner: root owner: root
mode: u=rw,go= mode: u=rw,go=
- name: Create subfolders for Caddy data
ansible.builtin.file:
path: "{{ proxy_data_root }}/{{ proxy_mode }}/data/caddy-{{ item }}"
owner: root
mode: u=rwx,go=
state: directory
loop:
- config
- data
- name: Copy deploy.sh
ansible.builtin.template:
src: scripts/deploy.sh.j2
dest: /usr/local/bin/deploy.sh
owner: root
mode: u=rwx,g=rx,o=rx

View file

@ -0,0 +1,7 @@
# code: language=ansible-jinja
FROM caddy:{{ proxy_caddy_version }}-builder-alpine AS builder
RUN xcaddy build v{{ proxy_caddy_version }} \
--with github.com/caddy-dns/njalla
FROM caddy:{{ proxy_caddy_version }}-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

View file

@ -0,0 +1,19 @@
# code: language=ansible-jinja
version: "3.8"
services:
caddy:
image: custom/caddy:{{ proxy_caddy_version }}-alpine
build:
context: ./build
restart: always
network_mode: host
volumes:
- "./data/Caddyfile:/etc/caddy/Caddyfile:ro"
- "./data/caddy-config:/config:rw"
- "./data/caddy-data:/data:rw"
cap_add:
- net_bind_service
- dac_override
cap_drop:
- all

View file

@ -0,0 +1,21 @@
#!/usr/bin/env bash
# code: language=bash
ARG="$1"
PROXY_DIR="{{ proxy_data_root }}/{{ proxy_mode }}"
case $ARG in
start)
docker compose -f $PROXY_DIR/docker-compose.yml up --remove-orphans -d
;;
stop)
docker compose -f $PROXY_DIR/docker-compose.yml down --remove-orphans
;;
restart)
docker compose -f $PROXY_DIR/docker-compose.yml restart
;;
*)
echo "Unrecognized argument"
exit 1
;;
esac

View file

@ -16,25 +16,6 @@
owner: root owner: root
mode: u=rw,g=r,o=r mode: u=rw,g=r,o=r
- name: Disable systemd-resolved stub resolver
when: hostname in groups['control_infra']
block:
- name: Set /etc/resolv.conf symlink
ansible.builtin.file:
path: /etc/resolv.conf
src: /run/systemd/resolve/resolv.conf
owner: root
force: true
state: link
- name: Set DNSStubListener=no
ansible.builtin.lineinfile:
path: /etc/systemd/resolved.conf
regexp: '^#?DNSStubListener='
line: 'DNSStubListener=no'
state: present
notify: Restart systemd-resolved
- name: Enable extra repositories - name: Enable extra repositories
ansible.builtin.dnf: ansible.builtin.dnf:
name: name:

View file

@ -4,19 +4,29 @@
- name: General firewall rules - name: General firewall rules
notify: Reload firewalld notify: Reload firewalld
block: block:
- name: Move main LAN and VPN networks to zone 'drop' - name: Move Guest LAN and and IoT LAN networks to zone 'drop'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: drop zone: drop
source: "{{ item }}" source: "{{ item }}"
permanent: true permanent: true
state: enabled state: enabled
loop:
- 192.168.2.0/24
- 192.168.4.0/24
- name: Move Home LAN and VPN networks to zone 'dmz'
ansible.posix.firewalld:
zone: dmz
source: "{{ item }}"
permanent: true
state: enabled
loop: loop:
- 192.168.1.0/24 - 192.168.1.0/24
- 192.168.8.0/24 - 192.168.8.0/24
- name: Move lab network to zone 'dmz' - name: Move Lab LAN network to zone 'public'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: dmz zone: public
source: 192.168.17.0/24 source: 192.168.17.0/24
permanent: true permanent: true
state: enabled state: enabled
@ -28,32 +38,35 @@
permanent: true permanent: true
state: enabled state: enabled
- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal' - name: Default deny incoming connections to SSH port in all zones
ansible.posix.firewalld: ansible.posix.firewalld:
zone: "{{ item }}" zone: "{{ item }}"
service: ssh service: ssh
permanent: true permanent: true
state: disabled state: disabled
loop: loop:
- drop
- dmz - dmz
- public
- internal - internal
# Until sapt-labx-ctl01 is deployed # Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections to SSH port in zone 'drop' - name: Allow incoming connections to SSH port in zone 'dmz'
ansible.posix.firewalld: ansible.posix.firewalld:
zone: drop zone: dmz
service: ssh service: ssh
permanent: true permanent: true
state: enabled state: enabled
# When sapt-labx-ctl01 is deployed # When sapt-labx-ctl01 is deployed
# - name: Allow incoming connections from jump host to SSH port in zone 'dmz' # - name: Allow incoming connections from control machines to SSH port in zone 'public'
# ansible.posix.firewalld: # ansible.posix.firewalld:
# zone: dmz # zone: public
# source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}" # source: "{{ hostvars[item].ansible_host }}"
# service: ssh # service: ssh
# permanent: true # permanent: true
# state: enabled # state: enabled
# loop: "{{ groups['control_infra'] }}"
- name: Firewall rules for production and staging - name: Firewall rules for production and staging
loop: loop:
@ -61,6 +74,7 @@
- stage - stage
loop_control: loop_control:
loop_var: env loop_var: env
when: hostname in groups['production'] or hostname in groups['staging']
notify: Reload firewalld notify: Reload firewalld
block: block:
- name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal' - name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
@ -73,5 +87,39 @@
loop: "{{ groups['app_' + env] }}" loop: "{{ groups['app_' + env] }}"
when: hostname in groups['db_' + env] when: hostname in groups['db_' + env]
- name: Firewall rules for proxy servers
when: hostname in group['proxyservers']
notify: Reload firewalld
block:
- name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
ansible.posix.firewalld:
zone: "{{ item }}"
service: http
permanent: true
state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
ansible.posix.firewalld:
zone: "{{ item }}"
service: https
permanent: true
state: enabled
loop:
- drop
- dmz
- name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
ansible.posix.firewalld:
zone: "{{ item }}"
service: http3
permanent: true
state: enabled
loop:
- drop
- dmz
- name: Flush handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers

View file

@ -1,6 +1,6 @@
# code: language=ansible-jinja # code: language=ansible-jinja
127.0.0.1 localhost 127.0.0.1 localhost
127.0.1.1 {{ fqdn }} 127.0.1.1 {{ hostname }} {{ fqdn }}
# The following lines are desirable for IPv6 capable hosts # The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback ::1 ip6-localhost ip6-loopback

View file

@ -19,3 +19,10 @@
remote_user: ansible remote_user: ansible
roles: roles:
- postgresql - postgresql
- name: Proxy servers
hosts: proxyservers
remote_user: ansible
roles:
- docker
- proxy