Add media server LXC instances

group_vars/all/vars.yml

@@ -3,3 +3,12 @@
 ---
 hostname: "{{ inventory_hostname }}"
 timezone: Europe/Copenhagen
+
+users:
+  - name: lab_admin
+    comment: System administrator
+    groups:
+      - sudo
+    ssh_keys:
+      - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332

group_vars/control_infra/vars.yml

@@ -1,11 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-users:
-  - name: lab_admin
-    comment: System administrator
-    groups:
-      - sudo
-    ssh_keys:
-      - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332

group_vars/virtualservers/vars.yml

@@ -2,19 +2,3 @@
 # code: language=ansible
 ---
 data_fs: /data
-
-users:
-  - name: lab_admin
-    comment: System administrator
-    groups:
-      - sudo
-    ssh_keys:
-      - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
-
-  - name: ansible
-    comment: Ansible user
-    groups:
-      - sudo
-    ssh_keys:
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyAuOqh0vcpLMBa8FFbvrTOgw8N+bcImFzyBspfQDAf ansible

host_vars/sapt-labp-app01.yml

@@ -4,3 +4,4 @@
 fqdn: sapt-labp-app01.prod.servers.sapti.me
 ansible_host: 192.168.17.30
 internal_ipv4: 10.2.16.10
+virt_type: kvm

host_vars/sapt-labp-db01.yml

@@ -4,3 +4,4 @@
 fqdn: sapt-labp-db01.prod.servers.sapti.me
 ansible_host: 192.168.17.40
 internal_ipv4: 10.2.16.20
+virt_type: kvm

host_vars/sapt-labp-mda01.yml

@@ -0,0 +1,7 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+fqdn: sapt-labp-mda01.prod.servers.sapti.me
+ansible_host: 192.168.17.35
+internal_ipv4: 10.2.16.15
+virt_type: lxc

host_vars/sapt-labr-mon01.yml

@@ -4,3 +4,4 @@
 fqdn: sapt-labr-mon01.shrd.servers.sapti.me
 ansible_host: 192.168.17.20
 internal_ipv4: 10.2.18.20
+virt_type: kvm

host_vars/sapt-labr-prx01.yml

@@ -4,5 +4,6 @@
 fqdn: sapt-labr-prx01.shrd.servers.sapti.me
 ansible_host: 192.168.17.10
 internal_ipv4: 10.2.18.10
+virt_type: kvm
 
 proxy_mode: global

host_vars/sapt-labr-prx02.yml

@@ -4,5 +4,6 @@
 fqdn: sapt-labr-prx02.shrd.servers.sapti.me
 ansible_host: 192.168.17.11
 internal_ipv4: 10.2.18.11
+virt_type: kvm
 
 proxy_mode: local

host_vars/sapt-labs-app01.yml

@@ -4,3 +4,4 @@
 fqdn: sapt-labs-app01.stage.servers.sapti.me
 ansible_host: 192.168.17.50
 internal_ipv4: 10.2.19.10
+virt_type: kvm

host_vars/sapt-labs-db01.yml

@@ -4,3 +4,4 @@
 fqdn: sapt-labs-db01.stage.servers.sapti.me
 ansible_host: 192.168.17.60
 internal_ipv4: 10.2.19.20
+virt_type: kvm

host_vars/sapt-labs-mda01.yml

@@ -0,0 +1,7 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+fqdn: sapt-labs-mda01.stage.servers.sapti.me
+ansible_host: 192.168.17.55
+internal_ipv4: 10.2.19.15
+virt_type: lxc

inventory.ini

@@ -1,12 +1,18 @@
 [app_prod]
 sapt-labp-app01
 
+[mda_prod]
+sapt-labp-mda01
+
 [db_prod]
 sapt-labp-db01
 
 [app_stage]
 sapt-labs-app01
 
+[mda_stage]
+sapt-labs-mda01
+
 [db_stage]
 sapt-labs-db01
 
@@ -39,6 +45,10 @@ monitoring_shrd
 app_prod
 app_stage
 
+[mediaservers:children]
+mda_prod
+mda_stage
+
 [dbservers:children]
 db_prod
 db_stage

roles/proxy/defaults/main.yml

@@ -7,7 +7,9 @@ proxy_caddy_version: '2.7.4'
 proxy_vars:
   production:
     app01: "{{ hostvars['sapt-labp-app01'] }}"
+    mda01: "{{ hostvars['sapt-labp-mda01'] }}"
   staging:
     app01: "{{ hostvars['sapt-labs-app01'] }}"
+    mda01: "{{ hostvars['sapt-labs-mda01'] }}"
   shared:
     mon01: "{{ hostvars['sapt-labr-mon01'] }}"

roles/virt-common/handlers/main.yml

@@ -1,12 +1,17 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Restart systemd-resolved
-  ansible.builtin.service:
-    name: systemd-resolved
-    state: restarted
-
 - name: Reload firewalld
   ansible.builtin.service:
     name: firewalld
     state: reloaded
+
+- name: Restart sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
+- name: Restart systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted

roles/virt-common/tasks/main.yml

@@ -0,0 +1,98 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ hostname }}"
+
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+
+- name: Copy hosts file
+  ansible.builtin.template:
+    src: hosts.j2
+    dest: /etc/hosts
+    owner: root
+    mode: u=rw,g=r,o=r
+
+- name: Add users
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    comment: "{{ item.comment }}"
+    groups: "{{ item.groups }}"
+    shell: /bin/bash
+    state: present
+  loop: "{{ users }}"
+
+- name: Add SSH keys to users
+  ansible.posix.authorized_key:
+    user: "{{ item.name }}"
+    key: "{{ item.ssh_keys | join('\n') }}"
+    exclusive: true
+  loop: "{{ users }}"
+
+- name: Allow passwordless sudo
+  community.general.sudoers:
+    name: passwordless
+    group: sudo
+    host: ALL
+    commands: ALL
+    nopassword: true
+    state: present
+
+- name: Copy sshd_config
+  ansible.builtin.copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    mode: u=rw,g=r,o=r
+    validate: /usr/sbin/sshd -t -f %s
+  notify: Restart sshd
+
+- name: Enable extra repositories
+  ansible.builtin.dnf:
+    name:
+      - epel-release
+      - rocky-release-security
+    state: present
+
+- name: Install system packages
+  ansible.builtin.dnf:
+    name:
+      - firewalld
+      - haveged
+      - htop
+      - jq
+      - logrotate
+      - mtr
+      - rsyslog
+    update_cache: true
+    state: present
+
+- name: Ensure services are enabled and running
+  ansible.builtin.service:
+    name: "{{ item }}"
+    enabled: true
+    state: started
+  loop:
+    - firewalld
+    - haveged
+    - rsyslog
+
+- name: LKRG installation
+  when: virt_type == 'kvm'
+  block:
+    - name: Install LKRG package
+      ansible.builtin.dnf:
+        name: lkrg
+        state: present
+
+    - name: Ensure LKRG is enabled and running
+      ansible.builtin.service:
+        name: lkrg
+        enabled: true
+        state: started
+
+- name: Configure firewall
+  ansible.builtin.import_tasks: firewall.yml

roles/vm-common/tasks/main.yml

@@ -1,44 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Copy hosts file
-  ansible.builtin.template:
-    src: hosts.j2
-    dest: /etc/hosts
-    owner: root
-    mode: u=rw,g=r,o=r
-
-- name: Enable extra repositories
-  ansible.builtin.dnf:
-    name:
-      - epel-release
-      - rocky-release-security
-    state: present
-
-- name: Install system packages
-  ansible.builtin.dnf:
-    name:
-      - firewalld
-      - haveged
-      - htop
-      - jq
-      - lkrg
-      - logrotate
-      - mtr
-      - rsyslog
-    update_cache: true
-    state: present
-
-- name: Ensure services are enabled and running
-  ansible.builtin.service:
-    name: "{{ item }}"
-    enabled: true
-    state: started
-  loop:
-    - firewalld
-    - haveged
-    - lkrg
-    - rsyslog
-
-- name: Configure firewall
-  ansible.builtin.import_tasks: firewall.yml

roles/vm-init/handlers/main.yml

@@ -1,7 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Restart sshd
-  ansible.builtin.service:
-    name: sshd
-    state: restarted

roles/vm-init/tasks/main.yml

@@ -1,44 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-- name: Set hostname
-  ansible.builtin.hostname:
-    name: "{{ hostname }}"
-
-- name: Set timezone
-  community.general.timezone:
-    name: "{{ timezone }}"
-
-- name: Add users
-  ansible.builtin.user:
-    name: "{{ item.name }}"
-    comment: "{{ item.comment }}"
-    groups: "{{ item.groups }}"
-    shell: /bin/bash
-    state: present
-  loop: "{{ users }}"
-
-- name: Add SSH keys to users
-  ansible.posix.authorized_key:
-    user: "{{ item.name }}"
-    key: "{{ item.ssh_keys | join('\n') }}"
-    exclusive: true
-  loop: "{{ users }}"
-
-- name: Allow passwordless sudo
-  community.general.sudoers:
-    name: passwordless
-    group: sudo
-    host: ALL
-    commands: ALL
-    nopassword: true
-    state: present
-
-- name: Copy sshd_config
-  ansible.builtin.copy:
-    src: sshd_config
-    dest: /etc/ssh/sshd_config
-    owner: root
-    mode: u=rw,g=r,o=r
-    validate: /usr/sbin/sshd -t -f %s
-  notify: Restart sshd

site.yml

@@ -13,18 +13,12 @@
 #   roles:
 #     - ctl-common
 
-- name: VM initialization
+- name: Base configuration
-  hosts: virtualservers
-  remote_user: root
-  roles:
-    - vm-init
-
-- name: Base VM configuration
   hosts: virtualservers
   remote_user: ansible
   become: true
   roles:
-    - vm-common
+    - virt-common
 
 - name: Docker hosts
   hosts: appservers:proxyservers:monitorservers
@@ -32,14 +26,21 @@
   roles:
     - docker
 
-- name: App servers
+- name: Application servers
   hosts: appservers
   remote_user: ansible
   become: true
   roles:
     - apps
 
-- name: DB servers
+# - name: Media servers
+#   hosts: mediaservers
+#   remote_user: ansible
+#   become: true
+#   roles:
+#     - jellyfin
+
+- name: Database servers
   hosts: dbservers
   remote_user: ansible
   become: true