Many improvements
This commit is contained in:
parent
0616ed1b38
commit
d726d95557
|
@ -1,7 +1,7 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
encrypted_fs: /data
|
||||
data_fs: /data
|
||||
hostname: "{{ inventory_hostname }}"
|
||||
timezone: Europe/Copenhagen
|
||||
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
apps_base_domain: sapti.me
|
||||
|
||||
db_inventory_hostname: sapt-labp-db01
|
||||
db_host: "{{ hostvars[db_inventory_hostname].fqdn }}"
|
||||
|
|
|
@ -1,9 +1,6 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
apps_data_root: "{{ encrypted_fs }}/apps"
|
||||
docker_data_root: "{{ encrypted_fs }}/docker"
|
||||
|
||||
redis_passwords:
|
||||
nextcloud: "{{ vault_redis_passwords.nextcloud }}"
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
postgresql_pgdata: "{{ encrypted_fs }}/pgsql/{{ postgresql_version }}/data"
|
|
@ -16,7 +16,7 @@ sapt-labs-db01 ansible_host=192.168.17.60
|
|||
sapt-labr-prx01 ansible_host=192.168.17.10
|
||||
sapt-labr-prx02 ansible_host=192.168.17.11
|
||||
|
||||
[monitoring_shrd]
|
||||
[monitor_shrd]
|
||||
sapt-labr-mon01 ansible_host=192.168.17.20
|
||||
|
||||
[proxmox_infra]
|
||||
|
@ -45,6 +45,12 @@ app_stage
|
|||
db_prod
|
||||
db_stage
|
||||
|
||||
[proxyservers:children]
|
||||
proxy_shrd
|
||||
|
||||
[monitorservers:children]
|
||||
monitor_shrd
|
||||
|
||||
[virtualservers:children]
|
||||
production
|
||||
staging
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
apps_base_domain: sapti.me
|
||||
apps_data_root: "{{ data_fs }}/apps"
|
||||
apps_local_domain: local.{{ apps_base_domain }}
|
||||
apps_data_root: /apps
|
||||
apps_shared_docker_network: apps_network
|
||||
apps_postfix_docker_network: postfix_network
|
||||
|
||||
|
@ -61,7 +60,7 @@ apps_vars:
|
|||
backup: false
|
||||
sender: false
|
||||
extra_tasks: false
|
||||
version: '1.7.0'
|
||||
version: '1.7.1'
|
||||
|
||||
apps_include: "{{ apps_vars | dict2items | map(attribute='key') | list }}"
|
||||
apps_backup: "{{ apps_vars | dict2items | selectattr('value.backup', 'true') | map(attribute='key') | list | intersect(apps_include) }}"
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
docker_data_root: /var/lib/docker
|
|
@ -1,5 +1,4 @@
|
|||
{
|
||||
"data-root": "{{ docker_data_root }}",
|
||||
"experimental": true,
|
||||
"ip6tables": true
|
||||
}
|
|
@ -28,8 +28,8 @@
|
|||
state: present
|
||||
|
||||
- name: Copy Docker daemon config file
|
||||
ansible.builtin.template:
|
||||
src: etc/docker/daemon.json.j2
|
||||
ansible.builtin.copy:
|
||||
src: etc/docker/daemon.json
|
||||
dest: /etc/docker/daemon.json
|
||||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
postgresql_version: 16
|
||||
postgresql_pgdata_default: /var/lib/pgsql/{{ postgresql_version }}/data
|
||||
postgresql_pgdata: "{{ postgresql_pgdata_default }}"
|
||||
postgresql_pgdata: "{{ data_fs }}/pgsql/{{ postgresql_version }}/data"
|
||||
postgresql_service: postgresql-{{ postgresql_version }}
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
- python{{ ansible_python.version.major }}-psycopg2
|
||||
state: present
|
||||
|
||||
- name: Create PostgreSQL service override directory
|
||||
- name: Create PostgreSQL service override folder
|
||||
ansible.builtin.file:
|
||||
path: /etc/systemd/system/{{ postgresql_service }}.service.d
|
||||
owner: root
|
||||
|
@ -36,12 +36,18 @@
|
|||
dest: /etc/systemd/system/{{ postgresql_service }}.service.d/override.conf
|
||||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
when: postgresql_pgdata != postgresql_pgdata_default
|
||||
notify: Reload systemd
|
||||
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Create PGDATA folder
|
||||
ansible.builtin.file:
|
||||
path: "{{ postgresql_pgdata }}"
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
state: directory
|
||||
|
||||
- name: Initialize database
|
||||
ansible.builtin.command:
|
||||
cmd: /usr/pgsql-{{ postgresql_version }}/bin/postgresql-{{ postgresql_version }}-setup initdb
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
proxy_data_root: /proxy
|
||||
proxy_mode: global
|
||||
proxy_data_root: "{{ data_fs }}/proxy"
|
||||
proxy_caddy_version: '2.7.4'
|
||||
|
||||
proxy_vars:
|
||||
production:
|
||||
|
|
8
roles/proxy/handlers/main.yml
Normal file
8
roles/proxy/handlers/main.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
- name: Build custom Docker image for Caddy
|
||||
ansible.builtin.command:
|
||||
cmd: docker compose build
|
||||
chdir: "{{ proxy_data_root }}/{{ proxy_mode }}"
|
||||
warn: false
|
|
@ -1,9 +1,69 @@
|
|||
# vim: ft=yaml.ansible
|
||||
# code: language=ansible
|
||||
---
|
||||
- name: Create base folder
|
||||
ansible.builtin.file:
|
||||
path: "{{ proxy_data_root }}"
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
state: directory
|
||||
|
||||
- name: Create folder for Caddy
|
||||
ansible.builtin.file:
|
||||
path: "{{ proxy_data_root }}/{{ proxy_mode }}"
|
||||
owner: root
|
||||
mode: u=rwx,go=
|
||||
state: directory
|
||||
|
||||
- name: Create build folder for Caddy
|
||||
ansible.builtin.file:
|
||||
path: "{{ proxy_data_root }}/{{ proxy_mode }}/build"
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
state: directory
|
||||
|
||||
- name: Copy Compose file for Caddy
|
||||
ansible.builtin.template:
|
||||
src: docker/docker-compose.yml.j2
|
||||
dest: "{{ proxy_data_root }}/{{ proxy_mode }}/docker-compose.yml"
|
||||
owner: root
|
||||
mode: u=rw,go=
|
||||
|
||||
- name: Copy Dockerfile for Caddy
|
||||
ansible.builtin.template:
|
||||
src: docker/Dockerfile.j2
|
||||
dest: "{{ proxy_data_root }}/{{ proxy_mode }}/build/Dockerfile"
|
||||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
notify: Build custom Docker image for Caddy
|
||||
|
||||
- name: Create data folder for Caddy
|
||||
ansible.builtin.file:
|
||||
path: "{{ proxy_data_root }}/{{ proxy_mode }}/data"
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
state: directory
|
||||
|
||||
- name: Copy Caddyfile
|
||||
ansible.builtin.template:
|
||||
src: caddy/{{ proxy_mode }}.Caddyfile.j2
|
||||
dest: "{{ proxy_data_root }}/caddy/data/Caddyfile"
|
||||
dest: "{{ proxy_data_root }}/{{ proxy_mode }}/data/Caddyfile"
|
||||
owner: root
|
||||
mode: u=rw,go=
|
||||
|
||||
- name: Create subfolders for Caddy data
|
||||
ansible.builtin.file:
|
||||
path: "{{ proxy_data_root }}/{{ proxy_mode }}/data/caddy-{{ item }}"
|
||||
owner: root
|
||||
mode: u=rwx,go=
|
||||
state: directory
|
||||
loop:
|
||||
- config
|
||||
- data
|
||||
|
||||
- name: Copy deploy.sh
|
||||
ansible.builtin.template:
|
||||
src: scripts/deploy.sh.j2
|
||||
dest: /usr/local/bin/deploy.sh
|
||||
owner: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
|
|
7
roles/proxy/templates/docker/Dockerfile.j2
Normal file
7
roles/proxy/templates/docker/Dockerfile.j2
Normal file
|
@ -0,0 +1,7 @@
|
|||
# code: language=ansible-jinja
|
||||
FROM caddy:{{ proxy_caddy_version }}-builder-alpine AS builder
|
||||
RUN xcaddy build v{{ proxy_caddy_version }} \
|
||||
--with github.com/caddy-dns/njalla
|
||||
|
||||
FROM caddy:{{ proxy_caddy_version }}-alpine
|
||||
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
|
19
roles/proxy/templates/docker/docker-compose.yml
Normal file
19
roles/proxy/templates/docker/docker-compose.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
# code: language=ansible-jinja
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
caddy:
|
||||
image: custom/caddy:{{ proxy_caddy_version }}-alpine
|
||||
build:
|
||||
context: ./build
|
||||
restart: always
|
||||
network_mode: host
|
||||
volumes:
|
||||
- "./data/Caddyfile:/etc/caddy/Caddyfile:ro"
|
||||
- "./data/caddy-config:/config:rw"
|
||||
- "./data/caddy-data:/data:rw"
|
||||
cap_add:
|
||||
- net_bind_service
|
||||
- dac_override
|
||||
cap_drop:
|
||||
- all
|
21
roles/proxy/templates/scripts/deploy.sh.j2
Normal file
21
roles/proxy/templates/scripts/deploy.sh.j2
Normal file
|
@ -0,0 +1,21 @@
|
|||
#!/usr/bin/env bash
|
||||
# code: language=bash
|
||||
|
||||
ARG="$1"
|
||||
PROXY_DIR="{{ proxy_data_root }}/{{ proxy_mode }}"
|
||||
|
||||
case $ARG in
|
||||
start)
|
||||
docker compose -f $PROXY_DIR/docker-compose.yml up --remove-orphans -d
|
||||
;;
|
||||
stop)
|
||||
docker compose -f $PROXY_DIR/docker-compose.yml down --remove-orphans
|
||||
;;
|
||||
restart)
|
||||
docker compose -f $PROXY_DIR/docker-compose.yml restart
|
||||
;;
|
||||
*)
|
||||
echo "Unrecognized argument"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
|
@ -16,25 +16,6 @@
|
|||
owner: root
|
||||
mode: u=rw,g=r,o=r
|
||||
|
||||
- name: Disable systemd-resolved stub resolver
|
||||
when: hostname in groups['control_infra']
|
||||
block:
|
||||
- name: Set /etc/resolv.conf symlink
|
||||
ansible.builtin.file:
|
||||
path: /etc/resolv.conf
|
||||
src: /run/systemd/resolve/resolv.conf
|
||||
owner: root
|
||||
force: true
|
||||
state: link
|
||||
|
||||
- name: Set DNSStubListener=no
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/systemd/resolved.conf
|
||||
regexp: '^#?DNSStubListener='
|
||||
line: 'DNSStubListener=no'
|
||||
state: present
|
||||
notify: Restart systemd-resolved
|
||||
|
||||
- name: Enable extra repositories
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
|
|
|
@ -4,19 +4,29 @@
|
|||
- name: General firewall rules
|
||||
notify: Reload firewalld
|
||||
block:
|
||||
- name: Move main LAN and VPN networks to zone 'drop'
|
||||
- name: Move Guest LAN and and IoT LAN networks to zone 'drop'
|
||||
ansible.posix.firewalld:
|
||||
zone: drop
|
||||
source: "{{ item }}"
|
||||
permanent: true
|
||||
state: enabled
|
||||
loop:
|
||||
- 192.168.2.0/24
|
||||
- 192.168.4.0/24
|
||||
|
||||
- name: Move Home LAN and VPN networks to zone 'dmz'
|
||||
ansible.posix.firewalld:
|
||||
zone: dmz
|
||||
source: "{{ item }}"
|
||||
permanent: true
|
||||
state: enabled
|
||||
loop:
|
||||
- 192.168.1.0/24
|
||||
- 192.168.8.0/24
|
||||
|
||||
- name: Move lab network to zone 'dmz'
|
||||
- name: Move Lab LAN network to zone 'public'
|
||||
ansible.posix.firewalld:
|
||||
zone: dmz
|
||||
zone: public
|
||||
source: 192.168.17.0/24
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
@ -28,32 +38,35 @@
|
|||
permanent: true
|
||||
state: enabled
|
||||
|
||||
- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
|
||||
- name: Default deny incoming connections to SSH port in all zones
|
||||
ansible.posix.firewalld:
|
||||
zone: "{{ item }}"
|
||||
service: ssh
|
||||
permanent: true
|
||||
state: disabled
|
||||
loop:
|
||||
- drop
|
||||
- dmz
|
||||
- public
|
||||
- internal
|
||||
|
||||
# Until sapt-labx-ctl01 is deployed
|
||||
- name: Allow incoming connections to SSH port in zone 'drop'
|
||||
- name: Allow incoming connections to SSH port in zone 'dmz'
|
||||
ansible.posix.firewalld:
|
||||
zone: drop
|
||||
zone: dmz
|
||||
service: ssh
|
||||
permanent: true
|
||||
state: enabled
|
||||
|
||||
# When sapt-labx-ctl01 is deployed
|
||||
# - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
|
||||
# - name: Allow incoming connections from control machines to SSH port in zone 'public'
|
||||
# ansible.posix.firewalld:
|
||||
# zone: dmz
|
||||
# source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
|
||||
# zone: public
|
||||
# source: "{{ hostvars[item].ansible_host }}"
|
||||
# service: ssh
|
||||
# permanent: true
|
||||
# state: enabled
|
||||
# loop: "{{ groups['control_infra'] }}"
|
||||
|
||||
- name: Firewall rules for production and staging
|
||||
loop:
|
||||
|
@ -61,6 +74,7 @@
|
|||
- stage
|
||||
loop_control:
|
||||
loop_var: env
|
||||
when: hostname in groups['production'] or hostname in groups['staging']
|
||||
notify: Reload firewalld
|
||||
block:
|
||||
- name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
|
||||
|
@ -73,5 +87,39 @@
|
|||
loop: "{{ groups['app_' + env] }}"
|
||||
when: hostname in groups['db_' + env]
|
||||
|
||||
- name: Firewall rules for proxy servers
|
||||
when: hostname in group['proxyservers']
|
||||
notify: Reload firewalld
|
||||
block:
|
||||
- name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
|
||||
ansible.posix.firewalld:
|
||||
zone: "{{ item }}"
|
||||
service: http
|
||||
permanent: true
|
||||
state: enabled
|
||||
loop:
|
||||
- drop
|
||||
- dmz
|
||||
|
||||
- name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
|
||||
ansible.posix.firewalld:
|
||||
zone: "{{ item }}"
|
||||
service: https
|
||||
permanent: true
|
||||
state: enabled
|
||||
loop:
|
||||
- drop
|
||||
- dmz
|
||||
|
||||
- name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
|
||||
ansible.posix.firewalld:
|
||||
zone: "{{ item }}"
|
||||
service: http3
|
||||
permanent: true
|
||||
state: enabled
|
||||
loop:
|
||||
- drop
|
||||
- dmz
|
||||
|
||||
- name: Flush handlers
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# code: language=ansible-jinja
|
||||
127.0.0.1 localhost
|
||||
127.0.1.1 {{ fqdn }}
|
||||
127.0.1.1 {{ hostname }} {{ fqdn }}
|
||||
|
||||
# The following lines are desirable for IPv6 capable hosts
|
||||
::1 ip6-localhost ip6-loopback
|
||||
|
|
Loading…
Reference in a new issue