No commits in common. "d00ffe54e4d4c1917c80c7e09e8727b27df0fc7d" and "38ff10d0e041def1232dcd0f7de2affe861db887" have entirely different histories.
d00ffe54e4
...
38ff10d0e0
21 changed files with 8 additions and 204 deletions
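--- a/PATH-NOT-SHOWN-1
+++ /dev/null
@@ -1,3 +0,0 @@
-# Changelog
-
-WIP: development velocity / expected churn is too high at this time.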
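--- a/PATH-NOT-SHOWN-2
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Run example SCE backup restoration playbook
-hosts: sce-targets
-become: true
-roles:
-- role: wingelaar.sce.backup_nfs
-vars:
-backup_nfs_remote: 127.0.0.1
-backup_nfs_restore: 20241013T180449
-backup_nfs_targets:
-- user: podman
-containers:
-- name: forgejo
-volumes:
-- forgejo
-- name: certbot
-volumes:
-- certbot-etc
-- certbot-var-lib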
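--- a/PATH-NOT-SHOWN-3
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: Run example SCE backup creation playbook
-hosts: sce-targets
-become: true
-roles:
-- role: wingelaar.sce.backup_nfs
-vars:
-backup_nfs_remote: 127.0.0.1
-backup_nfs_targets:
-- user: podman
-containers:
-- name: forgejo
-volumes:
-- forgejo
-- name: certbot
-volumes:
-- certbot-etc
-- certbot-var-lib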
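--- a/PATH-NOT-SHOWN-4
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: Run example SCE playbook
-hosts: sce-targets
-become: true
-roles:
-- wingelaar.sce.install
-- role: wingelaar.sce.firewall_nft
-vars:
-firewall_nft_port_mapping:
-- "80:8080"
-- "22:2222"
-- role: wingelaar.sce.podman_certbot
-vars:
-podman_certbot_domains: git.example.com
-podman_certbot_email: certbot@example.com
-- wingelaar.sce.podman_certbot_root_transfer
-- role: wingelaar.sce.nginx
-vars:
-nginx_htpasswd: super_secure_password
-nginx_sites:
-- name: git.example.com
-port: 3000
-- role: wingelaar.sce.podman_forgejo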
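--- a/PATH-NOT-SHOWN-5
+++ /dev/null
@@ -1,4 +0,0 @@
----
-backup_nfs_create_directory: /podman-nfs-backups
-backup_nfs_restore_directory: /podman-nfs-backups
-backup_nfs_mountpoint: /opt/podman-nfs-backups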
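--- a/PATH-NOT-SHOWN-6
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Import per-user tasks
-ansible.builtin.import_tasks: per-user.yml
-become_method: community.general.machinectl
-become_user: "{{ backup_nfs_users['user'] }}"
-become: true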
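--- a/PATH-NOT-SHOWN-7
+++ /dev/null
@@ -1,50 +0,0 @@
----
-- name: Install NFS client software
-ansible.builtin.apt:
-name: nfs-common
-state: present
-
-- name: Check existence of mount directory
-ansible.builtin.stat:
-path: "{{ backup_nfs_mountpoint }}"
-register: mountpoint
-
-- name: Create mountpoint if it does not exist
-ansible.builtin.file:
-path: "{{ backup_nfs_mountpoint }}"
-state: directory
-mode: "0700"
-owner: root
-group: root
-when: not mountpoint.stat.exists
-
-- name: This block ensures the NFS directory will be unmounted if a task fails
-block:
-- name: Mount backup NFS directory (for creating backups)
-ansible.posix.mount:
-src: "{{ backup_nfs_remote }}:{{ backup_nfs_create_directory }}"
-path: "{{ backup_nfs_mountpoint }}"
-opts: rw,sync,hard,vers=4
-state: ephemeral
-fstype: nfs
-when: backup_nfs_restore is undefined
-
-- name: Mount backup NFS directory (for restoring backups)
-ansible.posix.mount:
-src: "{{ backup_nfs_remote }}:{{ backup_nfs_restore_directory }}"
-path: "{{ backup_nfs_mountpoint }}"
-opts: ro,sync,hard,vers=4
-state: ephemeral
-fstype: nfs
-when: backup_nfs_restore is defined
-
-- name: Execute backup tasks inside service account
-ansible.builtin.include_tasks: machinectl.yml
-loop: "{{ backup_nfs_targets }}"
-loop_control:
-loop_var: backup_nfs_users
-always:
-- name: Unmount backup NFS directory
-ansible.posix.mount:
-path: "{{ backup_nfs_mountpoint }}"
-state: unmounted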
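--- a/PATH-NOT-SHOWN-8
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: Ensure container is stopped
-ansible.builtin.systemd_service:
-name: container-{{ container }}.service
-state: stopped
-scope: user
-register: container_state
-
-- name: Create volume export
-containers.podman.podman_export:
-volume: "{{ item }}"
-dest: "{{ backup_nfs_mountpoint }}/{{ container }}-{{ item }}-{{ ansible_date_time['iso8601_basic_short'] }}.tar"
-loop: "{{ backup_nfs_containers['volumes'] }}"
-
-# A container is not always running, so if it was stopped before
-# the backup procedure even started, do not start it again.
-# It's quite a hassle to have this behaviour with a handler, so
-# we just suppress the linting error.
-- name: Start container again if necessary # noqa: no-handler
-ansible.builtin.systemd_service:
-name: container-{{ container }}.service
-state: started
-scope: user
-when: container_state is changed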
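--- a/PATH-NOT-SHOWN-9
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: Ensure container is stopped
-ansible.builtin.systemd_service:
-name: container-{{ container }}.service
-state: stopped
-scope: user
-register: container_state
-
-- name: Import the volumes
-containers.podman.podman_import:
-volume: "{{ item }}"
-src: "{{ backup_nfs_mountpoint }}/{{ container }}-{{ item }}-{{ backup_nfs_restore }}.tar"
-loop: "{{ backup_nfs_containers['volumes'] }}"
-
-# A container is not always running, so if it was stopped before
-# the backup procedure even started, do not start it again.
-# It's quite a hassle to have this behaviour with a handler, so
-# we just suppress the linting error.
-- name: Start container again if necessary # noqa: no-handler
-ansible.builtin.systemd_service:
-name: container-{{ container }}.service
-state: started
-scope: user
-when: container_state is changed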
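--- a/PATH-NOT-SHOWN-10
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: Iterate over configured nginx sites
-ansible.builtin.include_tasks: per-container-create.yml
-loop: "{{ backup_nfs_users['containers'] }}"
-loop_control:
-loop_var: backup_nfs_containers
-vars:
-container: "{{ backup_nfs_containers['name'] }}"
-when: backup_nfs_restore is undefined
-
-- name: Iterate over configured nginx sites
-ansible.builtin.include_tasks: per-container-restore.yml
-loop: "{{ backup_nfs_users['containers'] }}"
-loop_control:
-loop_var: backup_nfs_containers
-vars:
-container: "{{ backup_nfs_containers['name'] }}"
-when: backup_nfs_restore is defined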
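--- a/PATH-NOT-SHOWN-11
+++ b/PATH-NOT-SHOWN-11
@@ -1,4 +1,3 @@
 ---
 firewall_nft_table_name: sce_table
 firewall_nft_table_filename: sce-port-mapping
-firewall_nft_port_mapping: []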
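--- a/PATH-NOT-SHOWN-12
+++ b/PATH-NOT-SHOWN-12
@@ -17,7 +17,7 @@ table inet {{ firewall_nft_table_name }} {
 chain sce_port_mapping {
 type nat hook prerouting priority filter + 1;
 policy accept;
-{% for item in firewall_nft_port_mapping %}
+{% for item in port_mapping %}
 {% set from_port, to_port = item.split(':') %}
 tcp dport {{ from_port }} counter redirect to :{{ to_port }}
 {% endfor %}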
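Review bot: The loop now reads `port_mapping`, an unprefixed variable that no defaults file declares — the firewall defaults hunk above removes `firewall_nft_port_mapping: []` — so rendering this table fails with an undefined-variable error unless every play sets it, and an unprefixed name can be shadowed by any host or group var that happens to use it. I would keep the role-prefixed name with a safe default, `{% for item in firewall_nft_port_mapping | default([]) %}`. The `item.split(':')` unpacking on the following line also aborts rendering for any entry that does not contain exactly one colon; stating the expected `"from:to"` form in the defaults file, or checking the list with `ansible.builtin.assert` before templating, would make that failure explicit rather than a Jinja traceback. The `table inet` block that encloses this chain opens before the hunk.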
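--- a/PATH-NOT-SHOWN-13
+++ b/PATH-NOT-SHOWN-13
@@ -18,6 +18,7 @@
 owner: root
 group: www-data
 mode: "0640"
+when: nginx_htpasswd is defined
 
 - name: Check if the passwdfile exists
 ansible.builtin.stat: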
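Review bot: `when: nginx_htpasswd is defined` still runs the task for an empty string, so an empty or placeholder value would be written into a file that nginx then treats as a credential store; `when: nginx_htpasswd is defined and nginx_htpasswd | length > 0` is the tighter guard. The task header and its module arguments begin outside the hunk, so I cannot see whether the password is templated into the file, but if it is, `no_log: true` on the task keeps the plaintext out of play output and logs. The `root:www-data` ownership with `mode: "0640"` is the right shape for a file nginx must read but that must not be world-readable.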
@ -15,10 +15,5 @@ server {
location / {
location / {
proxy_pass http://127.0.0.1:{{ site_port }};
proxy_pass http://127.0.0.1:{{ site_port }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
}
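--- a/PATH-NOT-SHOWN-15
+++ b/PATH-NOT-SHOWN-15
@@ -1,4 +1,3 @@
 ---
 podman_certbot_port_mapping: "8080:80"
 podman_certbot_timer: weekly
-podman_certbot_user: podman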
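--- a/PATH-NOT-SHOWN-16
+++ b/PATH-NOT-SHOWN-16
@@ -4,5 +4,5 @@
 daemon_reload: true
 scope: user
 become_method: community.general.machinectl
-become_user: "{{ podman_certbot_user }}"
+become_user: podman
 become: true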
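Review bot: `become_user: podman` hardcodes the service account that the old side read from `podman_certbot_user`, and the certbot defaults hunk above drops that variable entirely; the same literal is repeated in the three later Certbot hunks and in the Forgejo hunk, whose defaults likewise lose `podman_forgejo_user`. A consumer can no longer run the certbot and forgejo roles under separate accounts, so the blast radius of one rootless container's user now covers both services. Keeping `become_user: "{{ podman_certbot_user }}"` here with `podman_certbot_user: podman` in the defaults preserves today's behaviour while leaving that separation available. The task this `become_user` belongs to starts outside the hunk.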
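--- a/PATH-NOT-SHOWN-17
+++ b/PATH-NOT-SHOWN-17
@@ -2,5 +2,5 @@
 - name: Configure Certbot service
 ansible.builtin.import_tasks: machinectl.yml
 become_method: community.general.machinectl
-become_user: "{{ podman_certbot_user }}"
+become_user: podman
 become: true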
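--- a/PATH-NOT-SHOWN-18
+++ b/PATH-NOT-SHOWN-18
@@ -4,5 +4,5 @@
 daemon_reload: true
 scope: user
 become_method: community.general.machinectl
-become_user: "{{ podman_certbot_user }}"
+become_user: podman
 become: true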
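--- a/PATH-NOT-SHOWN-19
+++ b/PATH-NOT-SHOWN-19
@@ -20,7 +20,7 @@
 - name: Allow podman user to execute the move command
 community.general.sudoers:
 name: allow-podman-move-certificates
-user: "{{ podman_certbot_user }}"
+user: podman
 state: present
 commands:
 - /usr/local/bin/move-certificate-files-to-root
@@ -29,5 +29,5 @@
 - name: Configure Certbot service
 ansible.builtin.import_tasks: machinectl.yml
 become_method: community.general.machinectl
-become_user: "{{ podman_certbot_user }}"
+become_user: podman
 become: true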
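Review bot: The sudoers rule now names the literal `podman` account while the `become_user` in this file's second hunk is hardcoded the same way; if the certbot account ever changes, the grant and the task that relies on it diverge silently, so both should read a single variable as the old side did. Whether `/usr/local/bin/move-certificate-files-to-root` is root-owned and not writable by that account is not visible here, yet it is what keeps this rule scoped to the one intended action; a comment such as `# the script must stay root-owned and non-writable by podman, since sudo runs it as root` on the sudoers task would record that requirement next to the grant. The rule also relies on `nopassword`, which defaults to true in community.general.sudoers; writing `nopassword: true` explicitly documents that the passwordless grant is deliberate.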
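--- a/PATH-NOT-SHOWN-20
+++ b/PATH-NOT-SHOWN-20
@@ -1,3 +1,2 @@
 ---
 podman_forgejo_version: 8.0.1
-podman_forgejo_user: podman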
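--- a/PATH-NOT-SHOWN-21
+++ b/PATH-NOT-SHOWN-21
@@ -2,5 +2,5 @@
 - name: Configure Forgejo service
 ansible.builtin.import_tasks: machinectl.yml
 become_method: community.general.machinectl
-become_user: "{{ podman_forgejo_user }}"
+become_user: podman
 become: true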