Lots of changes, see individual files

This commit is contained in:
Alex 2020-05-31 20:27:29 +02:00
parent 92e393d6db
commit d78552898d
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
22 changed files with 138 additions and 53 deletions

6
.gitmodules vendored

@ -76,3 +76,9 @@
[submodule "roles/telegraf"]
path = roles/telegraf
url = https://git.redxen.eu/RedXen/ansible-telegraf
[submodule "roles/mounts"]
path = roles/mounts
url = https://git.redxen.eu/RedXen/ansible-mounts/
[submodule "roles/nsd"]
path = roles/nsd
url = https://git.redxen.eu/RedXen/ansible-nsd


@ -9,7 +9,7 @@
- { package: "influxdb", state: present }
systemd:
services:
- { name: "postgresql@12-main", enabled: true, action: reloaded }
- { name: "postgresql@{{ postgres.version }}-main", enabled: true, action: reloaded }
- { name: "redis", enabled: true, action: restarted }
- { name: "influxdb", enabled: true, action: restarted }
overrides:
@ -17,6 +17,11 @@
postgres:
host: "{{ global.backend.postgres.host }}"
port: "{{ global.backend.postgres.port }}"
version: "12"
# NOTE: If something fails due to the following statement make sure
# the volume is mounted and the ansible cache is cleared!
data:
uuid: '28464b32-32f4-42e4-9625-1dddfb65e1a9'
databases:
- grafana
- pleroma
@ -25,13 +30,20 @@
redis:
host: "{{ global.backend.redis.host }}"
port: "{{ global.backend.redis.port }}"
data:
uuid: '1245e7d9-1054-4e2f-816a-d38efbb47589'
influxdb:
storage: "/var/lib/influxdb"
port: "{{ global.backend.influxdb.port }}"
vault:
- "postgresql"
roles:
- "postgresql"
mounts:
- { uuid: '{{ postgres.data.uuid }}', dest: '/var/lib/postgresql', state: 'mounted', fstype: 'ext4' }
- { uuid: '{{ redis.data.uuid }}', dest: '/var/lib/redis', state: 'mounted', fstype: 'ext4' }
roles:
- vault
- mounts
- apt
- postgresql
- influxdb
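Review bot: The `vault:` variable list is renamed to `roles:` (the `- "postgresql"` entry just above the play's own `roles:`), and if that key still sits under `vars:` as the old one did — indentation is lost on this rendered page — it defines a variable literally named `roles`, which Ansible treats as a reserved play-keyword name and warns about; it also makes the secrets list easy to confuse with the play-level role list that follows it. A name that does not collide with a play keyword, e.g. `vault_roles:`, keeps the two lists distinct, with the matching key change in the consuming role (presumably `vault`, outside this diff). The same rename appears in the common, dev, net, transmission and social plays below and should be treated the same way.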


@ -15,12 +15,12 @@
upgrade: true
systemd:
services:
- { name: "netfilter-persistent", enabled: true, state: restarted }
- { name: "netfilter-persistent", enabled: true, action: restarted }
vault:
- "common"
roles:
- "common"
roles:
- vault
- apt
- apt-clean
- common # This group relies too much on handlers, it's better to use it as it is
- systemd

18
dev.yml

@ -1,9 +1,6 @@
---
- hosts: dev
vars:
firewall:
- { port: '{{ global.dev.gitea.port.ssh }}', ipv: "v4", proto: "tcp" }
- { port: '{{ global.dev.gitea.port.ssh }}', ipv: "v6", proto: "tcp" }
systemd:
services:
- { name: "gitea", enabled: true, state: restarted }
@ -13,21 +10,28 @@
gitea:
user: "{{ global.dev.gitea.user }}"
domain: "{{ global.dev.gitea.domain }}"
data:
uuid: 'bdaa719c-b48c-468e-b923-82b379106905'
port:
http: "{{ global.dev.gitea.port.http }}"
ssh: "{{ global.dev.gitea.port.ssh }}"
ssh:
listen: "{{ global.dev.gitea.port.ssh }}"
display: "2442"
path:
data: "/mnt/gitea" # TODO: Replace with device UUIDs
config: "/etc/gitea"
users:
- { name: 'git', shell: '/bin/bash', lock: true, system: true, comm: 'Git Version Control' }
vault:
- "gitea"
- "postgresql"
roles:
- "gitea"
- "postgresql"
mounts:
- { uuid: '{{ gitea.data.uuid }}', dest: '/mnt/gitea', state: 'mounted', fstype: 'xfs' }
roles:
- vault
- mounts
- users
- file
- gitea
- systemd
- firewall
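Review bot: The gitea service entry kept as context at the top of this play still uses `state: restarted`, while this same commit changes the common play's netfilter-persistent entry from `state:` to `action:` and every other service entry in the diff spells it `action:`; if the systemd role now reads `action`, the gitea restart is silently dropped, so the line should read `- { name: "gitea", enabled: true, action: restarted }`. Whether `state:` is a legacy spelling the role still accepts cannot be told from the diff alone. In the second hunk the `# TODO: Replace with device UUIDs` comment on `data: "/mnt/gitea"` is resolved by the new `mounts:` entry for `{{ gitea.data.uuid }}` and can be dropped.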

54
dns.yml

@ -1,6 +1,9 @@
---
- hosts: dns
vars:
#file:
# - { path: "/etc/nsd/zones", owner: "nsd", group: "nsd", mode: "765", state: directory }
# - { path: "/etc/nsd", owner: "nsd", group: "nsd", mode: "665", state: directory }
firewall:
- { port: 53, ipv: "v4", proto: "tcp" }
- { port: 53, ipv: "v4", proto: "udp" }
@ -9,10 +12,19 @@
systemd:
services:
- { name: "systemd-resolved", action: stopped }
- { name: "unbound", enabled: true, action: reloaded }
- { name: "unbound", enabled: true, action: restarted }
# - { name: "nsd", enabled: true, action: restarted }
apt:
packages:
- { package: "unbound", state: present }
# - { package: "nsd", state: present }
# nsd:
# listen:
# addr: "127.0.0.1"
# port: 5353
# zones:
# - name: "redxen.eu"
# zonefile: "redxen.eu.zone"
unbound:
port: 53
listen:
@ -47,14 +59,46 @@
- { name: "6jxdve2mevelrsc4lrp5ymhu2pku67v4._domainkey.", pointer: "6jxdve2mevelrsc4lrp5ymhu2pku67v4.dkim.amazonses.com" }
- { name: "jqo2wv2wek7sh26vmc2tdzc4gdco6uou._domainkey.", pointer: "jqo2wv2wek7sh26vmc2tdzc4gdco6uou.dkim.amazonses.com" }
- { name: "edzxe6qpinwhafgwlt6b44yarhhfn3xl._domainkey.", pointer: "edzxe6qpinwhafgwlt6b44yarhhfn3xl.dkim.amazonses.com" }
A:
- { name: "", addr: "88.198.95.52" }
- { name: "seed.", addr: "88.198.95.52" }
- { name: "sd.", addr: "88.198.95.52" }
- { name: "social.", addr: "88.198.95.52" }
- { name: "nbg0.", addr: "88.198.95.52" }
- { name: "", addr: "88.198.95.107" }
- { name: "seed.", addr: "88.198.95.107" }
- { name: "sd.", addr: "88.198.95.107" }
- { name: "social.", addr: "88.198.95.107" }
- { name: "nbg1.", addr: "88.198.95.107" }
- { name: "", addr: "88.198.95.106" }
- { name: "seed.", addr: "88.198.95.106" }
- { name: "sd.", addr: "88.198.95.106" }
- { name: "social.", addr: "88.198.95.106" }
- { name: "nbg2.", addr: "88.198.95.106" }
- { name: "", addr: "88.198.95.100" }
- { name: "seed.", addr: "88.198.95.100" }
- { name: "sd.", addr: "88.198.95.100" }
- { name: "social.", addr: "88.198.95.100" }
- { name: "nbg3.", addr: "88.198.95.100" }
- { name: "", addr: "88.198.95.63" }
- { name: "seed.", addr: "88.198.95.63" }
- { name: "sd.", addr: "88.198.95.63" }
- { name: "social.", addr: "88.198.95.63" }
- { name: "nbg4.", addr: "88.198.95.63" }
group:
A:
- { domain: "dev-stats", group: "frontend" }
- { domain: "dev-gitea", group: "frontend" }
- { domain: "dev-transmission", group: "frontend" }
- { domain: "dev-sd", group: "frontend" }
- { domain: "stats", group: "frontend" }
- { domain: "git", group: "frontend" }
#- { domain: "seed", group: "frontend" }
#- { domain: "sd", group: "frontend" }
roles:
- file
- apt
#- nsd
- unbound
- systemd
- firewall
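Review bot: The nsd configuration arrives as commented-out YAML (`# nsd:` through `# zonefile:`) next to a commented `file:` list and a commented `#- nsd` role, which leaves dead text in the play that nothing parses or validates. If nsd is meant to be switched on later, keeping the `nsd:` vars live and gating the role with a variable, e.g. `- { role: nsd, when: nsd_enabled | default(false) }`, keeps the config reviewable; otherwise the block belongs in the submodule's README or on a branch. The commented `file:` entries also carry `mode: "765"` and `"665"`, which would make the nsd directories group-writable and world-readable if they are ever uncommented — worth confirming against what nsd actually needs before re-enabling them.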


@ -1,6 +1,13 @@
---
- hosts: frontend
vars:
firewall:
- { port: "{{ haproxy.ports.https }}", ipv: "v4", proto: "tcp" }
- { port: "{{ haproxy.ports.https }}", ipv: "v6", proto: "tcp" }
- { port: "2442", ipv: "v4", proto: "tcp" }
- { port: "2442", ipv: "v6", proto: "tcp" }
- { port: "6400", ipv: "v4", proto: "tcp" }
- { port: "6400", ipv: "v6", proto: "tcp" }
apt:
packages:
- { package: "haproxy", state: present }
@ -8,9 +15,9 @@
- { package: "varnish", state: present }
systemd:
services:
- { name: "haproxy", enabled: true, action: reloaded, daemon_reload: true}
- { name: "hitch", enabled: true, action: reloaded, daemon_reload: true}
- { name: "varnish", enabled: true, action: reloaded, daemon_reload: true}
- { name: "haproxy", enabled: true, action: restarted }
- { name: "hitch", enabled: true, action: restarted }
- { name: "varnish", enabled: true, action: restarted }
overrides:
- "haproxy"
- "hitch"
@ -18,8 +25,8 @@
haproxy:
socketroot: "/run/haproxy"
config: "/etc/haproxy/haproxy.cfg"
user: "nobody"
group: "nogroup"
user: "varnish"
group: "varnish"
ports:
https: 443
tcp:
@ -28,10 +35,10 @@
#- {expose: 25565, proxy: 25575, group: "minecraft"} # Minecraft
public:
# These are load balanced, it doesn't matter what IP they point to
- {domain: "dev-stats", service: "grafana", httpchk: true}
- {domain: "dev-gitea", service: "gitea", httpchk: true}
- {domain: "dev-transmission", service: "transmission", httpchk: false}
- {domain: "dev-sd", service: "seedown", httpchk: true}
- {domain: "stats", count: 5, service: "grafana", httpchk: true}
- {domain: "git", count: 1, service: "gitea", httpchk: true}
- {domain: "seed", count: 1, service: "transmission", httpchk: false}
- {domain: "sd", count: 1, service: "seedown", httpchk: true}
varnish:
backend:
sock: '{{ haproxy.socketroot }}/haproxy.sock'
@ -49,12 +56,10 @@
group: '_hitch'
frontend:
port: 443
vault:
- "hitch"
roles:
- vault
- apt
- haproxy
- varnish
- hitch
- systemd
- firewall
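Review bot: Changing haproxy's `user`/`group` from `nobody`/`nogroup` to `varnish`/`varnish` runs both proxies under one account, so a fault in either process exposes the other's files and sockets; if the reason is varnish reaching `sock: '{{ haproxy.socketroot }}/haproxy.sock'` (visible in the varnish hunk), a dedicated haproxy user with the socket owned by that user, group `varnish` and a group-writable mode keeps the two separated, and the `user:` line deserves a comment stating why a shared account is used. The three service entries also lose `daemon_reload: true` while `overrides:` still lists haproxy and hitch; if those overrides install systemd drop-ins, the restart may run against stale unit definitions unless the systemd role reloads on its own. Finally, `vault:` is removed from this play without the `roles:` replacement the other plays in this commit receive, yet `- vault` stays in the play's role list, so whatever the vault role fetched for hitch may no longer be requested.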


@ -21,11 +21,11 @@ global:
dev:
gitea:
user: "git"
domain: "dev-gitea.redxen.eu"
domain: "git.redxen.eu"
port:
http: 3200
ssh: 2443
monitoring:
grafana:
domain: "dev-stats.redxen.eu"
domain: "stats.redxen.eu"
port: 3000


@ -11,8 +11,8 @@
services:
- { name: "wg-quick@wg0", enabled: true, action: restarted }
firewall:
- { port: "{{ wireguard.port }}", ipv: "v4", proto: "tcp" }
- { port: "{{ wireguard.port }}", ipv: "v6", proto: "tcp" }
- { port: "{{ wireguard.port }}", ipv: "v4", proto: "udp" }
- { port: "{{ wireguard.port }}", ipv: "v6", proto: "udp" }
wireguard:
interface: 'wg0'
port: 51820
@ -34,7 +34,8 @@
- { bit: 12, pubkey: "2FRcncz/oSmqFQLrHqICi4fEkgxrCeS9P8TTv5gcfCw=" }
- { bit: 14, pubkey: "XYUXzDDXzo1uDadvJ8YW5X/ISCZSyu10d35i7mb0pAY=" }
vault:
- "wireguard"
roles:
- "wireguard"
roles:
- vault
- file


@ -1,35 +1,44 @@
n0
n1
n2
n3
n4
[frontend]
n0
n1
n2
n3
n4
[backend]
n0
n1
n4
[monitoring]
n0
n1
n2
n3
n4
[dns]
n0
n1
n2
n3
n4
[dev]
n0
n1
[net]
n0
n1
[games]
n0
n3
[seedbox]
n0
n2
[social]
n0

@ -1 +1 @@
Subproject commit 9c31de85617903e81ef8d4c14f049f58e5fc91e5
Subproject commit 0d63d9c45f0f7bfda874ec703572a4fab96b7a0d

@ -1 +1 @@
Subproject commit d8ccb3b45aef5ad53651723e12b8dd5b80ce262c
Subproject commit bad44f0d33f85e9d119628ac39d2090e36b0e6b0

@ -1 +1 @@
Subproject commit a5dd3ef3fd22c12279fffa14a15098630fe0170a
Subproject commit a92fbc43f24cb03e99308de5cd35d960f4fa330f

@ -1 +1 @@
Subproject commit 190452473b532818b6b2321e8dac51c4bcd87582
Subproject commit f7ca1f754bc818255b64e62431018226eaaf8fc8

1
roles/mounts Submodule

@ -0,0 +1 @@
Subproject commit 97682bf8650bb5d51eaddb81e7599ae3dcf69d8e

1
roles/nsd Submodule

@ -0,0 +1 @@
Subproject commit 317accedbc604da1ea5776cd8b8f7ad214e1c026

@ -1 +1 @@
Subproject commit 1671185876143434c0db4236d4b28c0d97b2d9c1
Subproject commit afbfd5d645dbc6dee91f15bb73391398d713cb5b

@ -1 +1 @@
Subproject commit 806a6acd9d1d09a8c3b26803fa5dbfb3bc2fdced
Subproject commit 5203629648732eb390688f166cf32a4b305e2a3b

@ -1 +1 @@
Subproject commit 2149916cb51aaa536f281974f4c201d1c9f93ede
Subproject commit 363015e26cb29c4456e81a38b7bce06ba5a57619

@ -1 +1 @@
Subproject commit edf6f225fa5d723faba79ed20130179b70eec160
Subproject commit 5e0c3647e4ac083898b13fb784cf5e5ac2fa554a

@ -1 +1 @@
Subproject commit b92cd5294ba633f83ee5d5bb238edcc6d72cf8ee
Subproject commit 0cd36bf935e26f8df454f04df6ca82cdc63e71ac


@ -40,7 +40,8 @@
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsD58tySBudDE7dw4aDttDv7rLWCqZ2c6N+GnrbSzqAxTcMxxn3GZeozXuz4pkl8NrGEKFk22AlB1hUl0gqnpAr0roL72mXE1WmjVc4EvEVYXLdHnm+rEi/FqvEK8D5mj1vs/ALGqtKGmY1363a8JRR7jSlBa45HkdC7IyJP0stpIkcriPS4kj/lEW0+J5KZ4NuKocjTbyVDoX67fLwBeu/YG4pz0ETKKU1/5xfBN+AxeD8brWvMMwrQzqJoAoRfLKCuD2yTSTPxek/Oa3lbNLUBF6o114gyxsc7zAWMpyNCPvstZoLCdQYqZ0sqVvcFGt0vmlrCtcQozkDVChz1E3 none"
}
vault:
- "transmission"
roles:
- "transmission"
roles:
- vault
- apt


@ -74,9 +74,10 @@
- { channel: "redxen", topic: "Welcome to RedXen IRC | https://redxen.eu", modes: "+nt *!*@*!*" }
- { channel: "support", topic: "Have patience when asking, it can take some time until someone answers your question", modes: "+nt *!*@*!*" }
vault:
- "pleroma"
- "murmur"
- "inspircd"
roles:
- "pleroma"
- "murmur"
- "inspircd"
roles:
- vault
- git-clone # NOTE: Uncomment pleroma stuff when parse_trans supports OTP >= 21