From c458029a99ef48a7a3fd2a03ceb11a2080db4b58 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 28 May 2020 17:08:29 +0200 Subject: [PATCH] Tweak vault, fix typos, update commits --- .gitmodules | 3 +++ backend.yml | 3 +++ base.yml | 3 +++ dev.yml | 4 ++++ frontend.yml | 3 +++ monitoring.yml | 63 +++++++++++++++++++++++++++++++++++++++++++------- net.yml | 3 +++ production | 1 + roles/telegraf | 1 + seedbox.yml | 3 +++ social.yml | 5 ++++ 11 files changed, 84 insertions(+), 8 deletions(-) create mode 160000 roles/telegraf diff --git a/.gitmodules b/.gitmodules index 619a204..95a39a5 100644 --- a/.gitmodules +++ b/.gitmodules @@ -73,3 +73,6 @@ [submodule "roles/grafana"] path = roles/grafana url = https://git.redxen.eu/RedXen/ansible-grafana +[submodule "roles/telegraf"] + path = roles/telegraf + url = https://git.redxen.eu/RedXen/ansible-telegraf diff --git a/backend.yml b/backend.yml index 48b3dbf..a146831 100644 --- a/backend.yml +++ b/backend.yml @@ -28,7 +28,10 @@ influxdb: storage: "/var/lib/influxdb" port: "{{ global.backend.influxdb.port }}" + vault: + - "postgresql" roles: + - vault - apt - postgresql - influxdb diff --git a/base.yml b/base.yml index decf66b..73efc12 100644 --- a/base.yml +++ b/base.yml @@ -16,7 +16,10 @@ systemd: services: - { name: "netfilter-persistent", enabled: true, state: restarted } + vault: + - "common" roles: + - vault - apt - apt-clean - common # This group relies too much on handlers, it's better to use it as it is diff --git a/dev.yml b/dev.yml index ff54258..c6890ea 100644 --- a/dev.yml +++ b/dev.yml @@ -21,7 +21,11 @@ config: "/etc/gitea" users: - { name: 'git', shell: '/bin/bash', lock: true, system: true, comm: 'Git Version Control' } + vault: + - "gitea" + - "postgresql" roles: + - vault - users - file - gitea diff --git a/frontend.yml b/frontend.yml index 4640c8f..539e06b 100644 --- a/frontend.yml +++ b/frontend.yml 
@@ -49,7 +49,10 @@ group: '_hitch' frontend: port: 443 + vault: + - "hitch" roles: + - vault - apt - haproxy - varnish diff --git a/monitoring.yml b/monitoring.yml index 7a30614..0d5c7bf 100644 --- a/monitoring.yml +++ b/monitoring.yml @@ -2,7 +2,7 @@ - hosts: monitoring vars: apt: - keys: + sign_keys: - "https://packages.grafana.com/gpg.key" - "https://repos.influxdata.com/influxdb.key" repos: 
@@ -13,25 +13,72 @@ - { package: "telegraf", state: present } systemd: services: - - { name: "grafana-server", enabled: true, state: restarted } - - { name: "telegraf", enabled: true, state: restarted } + - { name: "grafana-server", enabled: true, action: restarted } + - { name: "telegraf", enabled: true, action: restarted } vault: roles: - "postgresql" - "grafana" - "telegraf" - - "grafana" + - "gitea" + telegraf: + outputs: + influxdb: + host: "{{ global.backend.influxdb.host }}" + port: "{{ global.backend.influxdb.port }}" + database: "telegraf" + inputs: + redis: + servers: + - "tcp://{{ global.backend.redis.host }}:{{ global.backend.redis.port }}" + postgresql: + address: "host={{ global.backend.postgres.host }} port={{ global.backend.postgres.port }} user={{ vault_postgres.user }} password={{ vault_postgres.password }} sslmode=prefer" + + cloudwatch: + - { + region: "eu-central-1", + access_key: "{{ vault_telegraf.aws.access_key }}", + secret_key: "{{ vault_telegraf.aws.secret_key }}", + period: "24h", + interval: "6h", + namespace: "AWS/S3", + ratelimit: 50, + statistic_include: ["average"], + cache_ttl: "12h" + } + - { + region: "eu-west-1", + access_key: "{{ vault_telegraf.aws.access_key }}", + secret_key: "{{ vault_telegraf.aws.secret_key }}", + period: "24h", + interval: "6h", + namespace: "AWS/SES", + ratelimit: 15, + statistic_include: ["average"], + cache_ttl: "12h" + } + - { + region: "us-east-1", + access_key: "{{ vault_telegraf.aws.access_key }}", + secret_key: "{{ vault_telegraf.aws.secret_key }}", + period: "12h", + interval: "6h", + namespace: "AWS/Billing", + ratelimit: 15, + statistic_include: ["average"], + cache_ttl: "6h" + } grafana: listen: port: '{{ global.monitoring.grafana.port }}' domain: '{{ global.monitoring.grafana.domain }}' database: type: 'postgres' - host: '{{ postgres.host }}:{{ postgres.port }}' + host: '{{ global.backend.postgres.host }}:{{ global.backend.postgres.port }}' name: 'grafana' user: 'grafana' ssl: 'require' - 
password: "{{ postgres.dbpass['grafana'] }}" + password: "{{ vault_postgres.dbpass['grafana'] }}" cache: type: "redis" connstr: "addr={{ global.backend.redis.host }}:{{ global.backend.redis.port }},pool_size=100,db=9" @@ -41,8 +88,8 @@ name: 'Gitea', enabled: 'true', allow_sign_up: 'false', - client_id: '{{ vault_gitea.client_id }}', - client_secret: '{{ vault_gitea.client_secret }}', + client_id: '{{ vault_gitea.oauth.client_id }}', + client_secret: '{{ vault_gitea.oauth.client_secret }}', scopes: 'user:email', auth_url: 'https://{{ global.dev.gitea.domain }}/login/oauth/authorize', token_url: 'https://{{ global.dev.gitea.domain }}/login/oauth/access_token', diff --git a/net.yml b/net.yml index d3b086a..754f519 100644 --- a/net.yml +++ b/net.yml @@ -44,7 +44,10 @@ - { bit: 10, pubkey: "wpjMlhrcv173ER7rZ0KrmaqahcqZA/fm3ovpaGlRIRo=" } - { bit: 12, pubkey: "2FRcncz/oSmqFQLrHqICi4fEkgxrCeS9P8TTv5gcfCw=" } - { bit: 14, pubkey: "XYUXzDDXzo1uDadvJ8YW5X/ISCZSyu10d35i7mb0pAY=" } + vault: + - "wireguard" roles: + - vault - file - apt - wireguard diff --git a/production b/production index 7d9ba8f..68a4881 100644 --- a/production +++ b/production @@ -11,6 +11,7 @@ n1 [monitoring] n0 +n1 [dns] n0 diff --git a/roles/telegraf b/roles/telegraf new file mode 160000 index 0000000..2149916 --- /dev/null +++ b/roles/telegraf @@ -0,0 +1 @@ +Subproject commit 2149916cb51aaa536f281974f4c201d1c9f93ede diff --git a/seedbox.yml b/seedbox.yml index 9c422f4..af2532b 100644 --- a/seedbox.yml +++ b/seedbox.yml 
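Review bot: The new telegraf `postgresql` input connects with `sslmode=prefer`, which silently falls back to plaintext and never validates the server certificate, while the grafana `database` block a few lines below in the same hunk uses `ssl: 'require'`; since this string carries `vault_postgres.user` / `vault_postgres.password` it should be at least as strict, e.g. `address: "host={{ global.backend.postgres.host }} port={{ global.backend.postgres.port }} user={{ vault_postgres.user }} password={{ vault_postgres.password }} sslmode=require"` (or `verify-full` if the CA is deployed on the monitoring hosts). `vault_postgres.user` also appears to be the same account whose `dbpass` map holds every per-database password, so it is presumably an administrative role; telegraf's statistics collection would work with a dedicated read-only role under its own `vault_telegraf` credential. Note as well that `vault:` in this playbook is a mapping holding a `roles:` list, whereas every other playbook touched by this patch passes `vault:` as a plain list — unless the vault role accepts both shapes, monitoring.yml should be flattened the same way. The three cloudwatch inputs reuse one static IAM key pair across regions, which is fine only if that key is scoped to read-only CloudWatch; that cannot be confirmed from here.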
@@ -39,7 +39,10 @@ home: "{{ transmission.root_dir }}/downloads", key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsD58tySBudDE7dw4aDttDv7rLWCqZ2c6N+GnrbSzqAxTcMxxn3GZeozXuz4pkl8NrGEKFk22AlB1hUl0gqnpAr0roL72mXE1WmjVc4EvEVYXLdHnm+rEi/FqvEK8D5mj1vs/ALGqtKGmY1363a8JRR7jSlBa45HkdC7IyJP0stpIkcriPS4kj/lEW0+J5KZ4NuKocjTbyVDoX67fLwBeu/YG4pz0ETKKU1/5xfBN+AxeD8brWvMMwrQzqJoAoRfLKCuD2yTSTPxek/Oa3lbNLUBF6o114gyxsc7zAWMpyNCPvstZoLCdQYqZ0sqVvcFGt0vmlrCtcQozkDVChz1E3 none" } + vault: + - "transmission" roles: + - vault - apt - darkhttpd - file diff --git a/social.yml b/social.yml index c718766..59d04b1 100644 --- a/social.yml +++ b/social.yml @@ -73,7 +73,12 @@ permchannels: - { channel: "redxen", topic: "Welcome to RedXen IRC | https://redxen.eu", modes: "+nt *!*@*!*" } - { channel: "support", topic: "Have patience when asking, it can take some time until someone answers your question", modes: "+nt *!*@*!*" } + vault: + - "pleroma" + - "murmur" + - "inspircd" roles: + - vault - git-clone # NOTE: Uncomment pleroma stuff when parse_trans supports OTP >= 21 - apt - file