Compare commits


1 Commits

43 changed files with 140 additions and 1228 deletions

View File

@ -5,25 +5,6 @@
This ansible collection provides various roles for installing This ansible collection provides various roles for installing
and configuring basic system utilities like gnupg, ssh etc and configuring basic system utilities like gnupg, ssh etc
- [`git`](roles/git/ configures git on the target system
- [`gnupg`](roles/gnupg/ configures gnupg on the target system
- [`lego`](roles/lego/ runs [lego (LetsEncrypt Go)](,
a ACME client written in go, using systemd (timers). Multi-instance capable.
- [`minio`](roles/minio/ Deploy [](, an
s3-compatible object storage server, using docker containers.
- [`nginx`](roles/nginx/ [nginx](,
an advanced load balancer, webserver and reverse proxy.
- [`restic`](roles/restic/ Manage backups using restic
and persist them to a configurable backend.
- [`powerdns_tsig_key`](roles/powerdns_tsig_key/ Simple ansible role
for generating TSIG keys in PowerDNS.
## License ## License
[CNPLv7+]( Cooperative Nonviolent Public License [CNPLv7+]( Cooperative Nonviolent Public License

View File

@ -1,20 +1,13 @@
namespace: finallycoffee namespace: finallycoffee
name: base name: base
version: 0.2.0 version: 0.0.1
readme: readme:
authors: authors:
- transcaffeine <> - Johanna Dorothea Reichmann <>
description: Roles for base services which are common dependencies other services like databases description: Roles for bootstrapping tools like gpg, ssh and git
dependencies: license:
"community.docker": "^3.0.0" - CNPLv7+
build_ignore: build_ignore:
- '*.tar.gz' - '*.tar.gz'
repository: repository:
issues: issues:
- docker
- lego
- minio
- nginx
- restic

View File

@ -1,3 +0,0 @@
requires_ansible: ">=2.15"

View File

@ -0,0 +1,20 @@
# `debian-proxmox` ansible role
This ansible role can be used to convert a (running and reachable) debian to a proxmox instance.
It automates the instructions from
## Usage
This role will attempt to ensure that the `/etc/hosts` are configured correctly for PVE.
The public IP of the server should be given in `debian_proxmox_public_ip` and defaults to
The hostname and fqdn should be correctly set in `debian_proxmox_hostname` and `debian_proxmox_fqdn`,
and default to `ansible_hostname` and `ansible_fqdn` respectively.
## Packages
It is recommended to remove the packages for the `os-prober` (which would attempt to add VMs as bootable entries
in the bootloader) and the default linux kernel `linux-image-amd64` / `linux-image-5.10*` (and use the proxmox-provided
kernel instead). This role will remove those packages without asking, so be aware.

View File

@ -0,0 +1,43 @@
- python3-apt
- gpg
debian_proxmox_apt_repo_fingerprint: "28139A2F830BD68478A1A01FDD4BA3917E23BF59"
debian_proxmox_apt_repo_key_url: "{{ ansible_distribution_release }}.gpg"
debian_proxmox_apt_repo_url: ""
debian_proxmox_apt_repo: "deb [arch=amd64] {{ debian_proxmox_apt_repo_url }} {{ ansible_distribution_release }} pve-no-subscription"
- "proxmox-ve"
- "postfix"
- "open-iscsi"
- "linux-image-amd64"
- "linux-image-{{ (ansible_facts['kernel'] | split('-') | first | split('.'))[:2] | join('.') }}*"
- "os-prober"
debian_proxmox_max_reboot_timeout_seconds: 900
debian_proxmox_public_ip: "{{ ansible_facts['eno1'].ipv4.address }}"
debian_proxmox_loopback_ipv4: "{{ ansible_facts['lo'].ipv4.address }}"
debian_proxmox_hostname: "{{ ansible_hostname }}"
debian_proxmox_fqdn: "{{ ansible_fqdn }}"
- ip: "{{ debian_proxmox_loopback_ipv4 }}"
fqdn: localhost.localdomain
- localhost
- ip: "{[ debian_proxmox_public_ip }}"
fqdn: "{{ debian_proxmox_fqdn }}"
- "{{ debian_proxmox_hostname }}"
- pvelocalhost
- ip:
fqdn: "{{ debian_proxmox_hostname }}"
state: absent

View File

@ -0,0 +1,67 @@
- name: Ensure python3-apt and gpg is available
package: "{{ debian_proxmox_role_required_packages }}"
state: present
- name: Check if target is debian before attempting to convert to proxmox
msg: "Target is {{ ansible_distribution }} which is not Debian"
when: ansible_distribution != 'Debian'
- name: Check if debian version is supported by role
msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} is not supported by the role"
when: ansible_distribution_version not in debian_proxmox_supported_debian_versions
- name: Ensure /etc/hosts entries are safe for use with proxmox
dest: /etc/hosts
line: "{{ item.ip }}\t{{ item.fqdn | default('') }}\t{{ item.aliases | default([]) | join('\t') }}"
regex: "{{ item.ip }}.+"
state: "{{ item.state | default('present') }}"
loop: "{{ debian_proxmox_hosts_file }}"
- name: Ensure Proxmox VE apt repository keys are added
id: "{{ debian_proxmox_apt_repo_fingerprint }}"
url: "{{ debian_proxmox_apt_repo_key_url }}"
state: present
- name: Ensure Proxmox VE apt repository is added
filename: pve-install-repo
repo: "{{ debian_proxmox_apt_repo }}"
state: present
register: proxmox_ve_apt_repo
- name: Ensure APT cache is up to date
update_cache: yes
when: proxmox_ve_apt_repo.changed
- name: Ensure system is upgraded
upgrade: full
- name: Ensure Proxmox VE packages are installed
package: "{{ debian_proxmox_apt_packages }}"
state: present
register: proxmox_ve_installed
- name: Ensure system is rebooted after install of PVE packages
reboot_timeout: "{{ debian_proxmox_max_reboot_timeout_seconds | int }}"
when: proxmox_ve_installed.changed
- name: Ensure packages are removed that will conflict with proxmox operation
package: "{{ debian_proxmox_apt_packages_to_remove }}"
state: absent
register: proxmox_apt_packages_removed
- name: Ensure grub was updated after the kernel was removed
command: update-grub
when: proxmox_apt_packages_removed.changed

View File

@ -0,0 +1,4 @@
- 11

View File

@ -1,33 +0,0 @@
# `finallycoffee.base.dns` ansible role
Simple role for wrapping around the
ansible module.
## Usage
### Example playbook
- target: "{{ target_hosts }}"
- role: finallycoffee.base.dns
dns_server: ""
dns_zone: ""
dns_records: "{{ dns_records }}"
dns_record_state: exact
dns_tsig_name: "mykeyname"
dns_tsig_algo: "hmac-sha256"
dns_tsig_key: "mykeycontent"
- type: A
name: gitea
content: ""
- type: AAAA
name: gitea
content: "fe80::1"
- type: CNAME
name: "_acme_challenge.gitea"
content: ""

View File

@ -1,2 +0,0 @@
dns_record_state: present

View File

@ -1,11 +0,0 @@
- name: Ensure DNS records in '{{ dns_zone }}' are up to date
primary_master: "{{ dns_server }}"
zone: "{{ dns_zone }}"
tsig_name: "{{ dns_tsig_name }}"
tsig_algo: "{{ dns_tsig_algo }}"
tsig_key: "{{ dns_tsig_key }}"
rr_set: "{{ dns_records }}"
state: "{{ dns_record_state }}"

View File

@ -1,19 +0,0 @@
# `finallycoffee.base.git` ansible role
This role configures git for the `ansible_user` and can be used
to (pre)-configure git.
## Examples
git_config_user_name: # user name to use for git
git_config_user_email: # email to use for git
git_config_core_editor: vim # editor to use
- remote_url:
username: my_github_username

View File

@ -1,4 +0,0 @@
# `finallycoffee.base.gnupg` ansible role
Configures GnuPG on the target system, including a Smart-Card (SC) daemon
and can set up gpg-agent as an SSH-agent.

View File

@ -1,46 +0,0 @@
# `` ansible role
This role can be used to retrieve ACME certificates on the target host. It uses `lego` for that, and with systemd template units provides an easy way to configure and monitor the status for each certificate.
## Requirements
- `systemd`
- write access to /tmp to unpack the lego release tarball during installation
- write access to /opt/lego (or whatever `lego_base_path` is set to) for configuration and certificate data
- `become` privileges of the `ansible_user` on the target
## Usage
### Required configuration
- `lego_instance` - used for allowing multiple lego jobs to run with systemd template units. recommended to be set to the CN / first SAN of the certificate.
- `lego_cert_domains` - list of FQDNs to request a certificate for
- `lego_acme_account_email` - when using letsencrypt, a contact email is mandatory
### Proxies / Registries
The role ensure `lego` is downloaded from the github release page. If you are behind a proxy or use a registry like Nexus3, set `lego_release_archive_server`.
### ACME server
Per default, the Letsencrypt Staging ACME server is configured. Set `lego_acme_server_url` from `lego_letsencrypt_server_urls.{qa,prod}` or configure your own ACME v2 server directly.
### Certificate
To set for which domains to request a certificate for, set them as a list of SANs in `lego_cert_domains`. The default key type is EC256 and can be overridden using `lego_cert_key_type`.
Set the type of challenge in `lego_acme_challenge_type` (to either `http` or `dns`), and `lego_acme_challenge_provider` to, for example, `rfc2136` for DNS challenges using the DNSUPDATE mechanism. If your challenge needs additional data, set that in `lego_command_config` as a dictionary analog to `lego_base_command_config` (see [defaults](defaults/main.yml)).
## Trivia
### Architecture
By default, the lego distribution for `linux` on `amd64` is downloaded. If your target needs a different architecture or target OS, adjust this in `lego_os` and `lego_architecture`, cross-checking with the [lego GitHub release page]( for upstream availability.
### User management
The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
### Binding to ports < 1024 (HTTP-01 challenge)
Set `lego_binary_allow_net_bind_service: true` to allow the lego binary to bind to ports in the 'privileged' (< 1024) port range.

View File

@ -1,71 +0,0 @@
lego_user: "lego"
lego_version: "4.22.2"
lego_instance: default
lego_base_path: "/opt/lego"
lego_cert_user: "acme-{{ lego_instance }}"
lego_cert_group: "{{ lego_cert_user }}"
lego_cert_mode: "0640" # rw-r-----
lego_systemd_user: "acme-%i"
lego_systemd_group: "{{ lego_systemd_user }}"
lego_instance_base_path: "{{ lego_base_path }}/instances"
lego_instance_path: "{{ lego_instance_base_path }}/{{ lego_instance }}"
lego_cert_domains: []
lego_cert_key_type: ec256
lego_cert_days_to_renew: 30
lego_acme_account_email: ~
lego_acme_challenge_type: http
lego_acme_challenge_provider: ~
qa: ""
prod: ""
lego_acme_server_url: "{{ }}"
LEGO_CERT_USER: "{{ lego_cert_user }}"
LEGO_CERT_GROUP: "{{ lego_cert_group }}"
LEGO_CERT_MODE: "{{ lego_cert_mode }}"
LEGO_CERT_STORE_PATH: "{{ lego_instance_path }}"
LEGO_CERT_DAYS_TO_RENEW: "{{ lego_cert_days_to_renew }}"
LEGO_KEY_TYPE: "{{ lego_cert_key_type }}"
LEGO_ACME_CHALLENGE_TYPE: "{{ lego_acme_challenge_type }}"
LEGO_ACME_SERVER: "{{ lego_acme_server_url }}"
LEGO_COMMAND_ARGS: "{{ lego_command_args }}"
server: "{{ lego_acme_server_url }}"
accept_tos: true
email: "{{ lego_acme_account_email }}"
path: "{{ lego_instance_path }}"
key_type: "{{ lego_cert_key_type }}"
lego_acme_challenge_config: >-
{{ {lego_acme_challenge_type: lego_acme_challenge_provider} }}
lego_systemd_unit_path: "/etc/systemd/system"
lego_systemd_template_unit_name: "lego@.service"
lego_systemd_template_unit_file: "{{ lego_systemd_template_unit_name }}.j2"
lego_systemd_service_name: "lego@{{ lego_instance }}.service"
lego_systemd_environment: >-
{{ lego_base_environment | combine(lego_environment | default({})) }}
lego_full_command_config: >-
{{ lego_base_command_config
| combine(lego_acme_challenge_config)
| combine(lego_command_config | default({})) }}
lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
lego_systemd_timer_template: lego.timer.j2
lego_systemd_timer_calendar: "*-*-* *:00/15:00"
lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
lego_os: "linux"
lego_binary_allow_net_bind_service: false
lego_release_archive_server: ""
lego_release_archive_filename: >-
lego_v{{ lego_version }}_{{ lego_os }}_{{ lego_architecture }}.tar.gz
lego_release_archive_url: >-
{{ lego_release_archive_server }}/go-acme/lego/releases/download/v{{ lego_version }}/{{ lego_release_archive_filename }}
lego_release_archive_file_path: "/tmp/{{ lego_release_archive_filename }}"
lego_release_archive_path: "/tmp/lego_v{{ lego_version }}_{{ lego_os }}_{{ lego_architecture }}"

View File

@ -1,35 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
LEGO_BINARY=$(/usr/bin/env which lego)
if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
echo "nc not found (in PATH), exiting"
exit 1
if [[ $? -eq 0 ]]; then
if [[ -n "$LEGO_PRE_RENEWAL_HOOK" ]]; then
LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
if [[ $FILES_IN_DIR -gt 2 ]]; then
find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
if [[ -n "$LEGO_POST_RENEWAL_HOOK" ]]; then

View File

@ -1,5 +0,0 @@
- name: Ensure systemd daemon is reloaded
daemon_reload: true
listen: systemd_reload

View File

@ -1,157 +0,0 @@
- name: Ensure lego cert group is created
name: "{{ lego_cert_group }}"
state: present
system: true
- name: Ensure lego cert user is created
name: "{{ lego_cert_user }}"
state: present
system: true
create_home: false
- "{{ lego_cert_group }}"
append: true
- name: Ensure lego user is created
name: "{{ lego_user }}"
state: present
system: true
create_home: false
- "{{ lego_cert_group }}"
append: true
- name: Ensure lego is installed
- name: Check if lego is present
cmd: which lego
changed_when: false
failed_when: false
register: lego_binary_info
- name: Download lego from source
url: "{{ lego_release_archive_url }}"
url_username: "{{ lego_release_archive_url_username | default(omit) }}"
url_password: "{{ lego_release_archive_url_password | default(omit) }}"
dest: "{{ lego_release_archive_file_path }}"
when: lego_binary_info.rc != 0
- name: Create folder to uncompress into
dest: "{{ lego_release_archive_path }}"
state: directory
when: lego_binary_info.rc != 0
- name: Uncompress lego source archive
src: "{{ lego_release_archive_file_path }}"
dest: "{{ lego_release_archive_path }}"
remote_src: true
when: lego_binary_info.rc != 0
- name: Ensure lego binary is present in PATH
src: "{{ lego_release_archive_path }}/lego"
dest: "/usr/local/bin/lego"
mode: "u+rwx,g+rx,o+rx"
remote_src: true
when: lego_binary_info.rc != 0
- name: Ensure lego is allowed to bind to ports < 1024
path: "/usr/local/bin/lego"
capability: "cap_net_bind_service+ep"
state: present
when: lego_binary_allow_net_bind_service
- name: Ensure intermediate data is gone
path: "{{ item }}"
state: absent
- "{{ lego_release_archive_path }}"
- "{{ lego_release_archive_file_path }}"
when: lego_binary_info.rc != 0
- name: Ensure lego base path exists
path: "{{ lego_base_path }}"
state: directory
mode: "0755"
- name: Ensure template unit file is present
src: "{{ lego_systemd_template_unit_file }}"
dest: "{{ lego_systemd_unit_path }}/{{ lego_systemd_template_unit_name }}"
- systemd_reload
- name: Ensure env file is templated
content: |+
{% for entry in lego_systemd_environment | dict2items %}
{{ entry.key }}={{ entry.value }}
{% endfor %}
dest: "{{ lego_base_path }}/{{ lego_instance }}.conf"
- name: Ensure timer unit is templated
src: "{{ lego_systemd_timer_template }}"
dest: "{{ lego_systemd_unit_path }}/{{ lego_systemd_timer_name }}"
- systemd_reload
- name: Ensure handling script is templated
src: ""
dest: "{{ lego_base_path }}/"
mode: "0755"
- name: Ensure per-instance base path is created
path: "{{ lego_instance_path }}"
state: directory
owner: "{{ lego_cert_user }}"
group: "{{ lego_cert_group }}"
mode: "0755"
- name: Ensure per-instance sub folders are created with correct permissions
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner | default(lego_cert_user) }}"
group: "{{ | default(lego_cert_group) }}"
mode: "{{ item.mode }}"
- path: "{{ lego_instance_path }}/secrets"
mode: "0750"
- path: "{{ lego_instance_path }}/accounts"
mode: "0770"
- path: "{{ lego_instance_path }}/certificates"
mode: "0775"
label: "{{ item.path }}"
- name: Ensure systemd daemon is reloaded
meta: flush_handlers
- name: Ensure systemd timer is enabled
name: "{{ lego_systemd_timer_name }}"
enabled: true
- name: Ensure systemd timer is started
name: "{{ lego_systemd_timer_name }}"
state: "started"
- name: Ensure systemd service is started once to obtain the certificate
name: "{{ lego_systemd_service_name }}"
state: "started"

View File

@ -1,9 +0,0 @@
Description=Run lego@{{ lego_instance}}.service
OnCalendar={{ lego_systemd_timer_calendar }}
Unit=lego@{{ lego_instance }}.service

View File

@ -1,14 +0,0 @@
Description=Run lego (letsencrypt client in go)
EnvironmentFile={{ lego_base_path }}/%i.conf
User={{ lego_systemd_user }}
Group={{ lego_systemd_group }}
ExecStart={{ lego_base_path }}/

View File

@ -1,16 +0,0 @@
lego_domain_command_args: >-
{% for domain in lego_cert_domains %}
--domains={{ domain }}
{%- endfor %}
lego_config_command_args: >-
{% for key in lego_full_command_config %}
--{{ key | replace("_", "-") }}
{%- if lego_full_command_config[key] != None and lego_full_command_config[key] != '' -%}
={{ lego_full_command_config[key] }}
{%- endif -%}
{%- endfor -%}
lego_command_args: "{{ lego_domain_command_args }} {{ lego_config_command_args }}"

View File

@ -1,29 +0,0 @@
# `finallycoffee.base.minio` ansible role
## Overview
This role deploys a []( server (s3-compatible object storage server)
using the official docker container image.
## Configuration
The role requires setting the password for the `root` user (name can be changed by
setting `minio_root_username`) in `minio_root_password`. That user has full control
over the minio-server instance.
### Useful config hints
Most configuration is done by setting environment variables in
`minio_container_extra_env`, for example:
# disable the "console" web browser UI
# enable public prometheus metrics on `/minio/v2/metrics/cluster`
When serving minio (or any s3-compatible server) on a "subfolder",

View File

@ -1,41 +0,0 @@
minio_user: ~
minio_data_path: /opt/minio
minio_create_user: false
minio_manage_host_filesystem: false
minio_root_username: root
minio_root_password: ~
minio_container_name: minio
minio_container_image_tag: latest
minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
minio_container_networks: []
minio_container_ports: []
- "{{ minio_data_path }}:{{ minio_container_data_path }}:z"
minio_container_extra_volumes: []
MINIO_ROOT_USER: "{{ minio_root_username }}"
MINIO_ROOT_PASSWORD: "{{ minio_root_password }}"
minio_container_extra_env: {}
minio_container_labels: {}
- "server"
- "{{ minio_container_data_path }}"
- "--console-address"
- ":{{ minio_container_listen_port_console }}"
minio_container_restart_policy: "unless-stopped"
minio_container_image_force_source: "{{ (minio_container_image_tag == 'latest')|bool }}"
minio_container_listen_port_api: 9000
minio_container_listen_port_console: 8900
minio_container_data_path: /storage

View File

@ -1,37 +0,0 @@
- name: Ensure minio run user is present
name: "{{ minio_user }}"
state: present
system: yes
when: minio_create_user
- name: Ensure filesystem mounts ({{ minio_data_path }}) for container volumes are present
path: "{{ minio_data_path }}"
state: directory
user: "{{ minio_user|default(omit, True) }}"
group: "{{ minio_user|default(omit, True) }}"
when: minio_manage_host_filesystem
- name: Ensure container image for minio is present
name: "{{ minio_container_image }}"
state: present
source: pull
force_source: "{{ minio_container_image_force_source }}"
- name: Ensure container {{ minio_container_name }} is running
name: "{{ minio_container_name }}"
image: "{{ minio_container_image }}"
volumes: "{{ minio_container_volumes }}"
env: "{{ minio_container_env }}"
labels: "{{ minio_container_labels }}"
networks: "{{ minio_container_networks }}"
ports: "{{ minio_container_ports }}"
user: "{{ minio_user|default(omit, True) }}"
command: "{{ minio_container_command }}"
restart_policy: "{{ minio_container_restart_policy }}"
state: started

View File

@ -1,5 +0,0 @@
minio_container_volumes: "{{ minio_container_base_volumes + minio_container_extra_volumes }}"
minio_container_env: "{{ minio_container_base_env | combine(minio_container_extra_env) }}"

View File

@ -1,33 +0,0 @@
# `` ansible role
## Description
Runs `nginx`, a HTTP reverse proxy, in a docker container.
## Usage
For the role to do anything, `nginx_config` needs to be populated with the configuration for nginx.
An example would be:
nginx_config: |+
server {
listen 80 default_server;
server_name my.server.fqdn;
location / { return 200; }
The container is named `nginx` by default, this can be overridden in `nginx_container_name`.
When running this role multiple times, `nginx_base_path` should also be changed for each run,
otherwise the configuration files collide in the filesystem.
For exposing this server to the host and/or internet, the `nginx_container_ports` (port forwarding host
from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
(for label-based routing discovery like traefik) can be used. The options correspond to the arguments
of the `community.docker.docker_container` module.
## Deployment methods
Set `nginx_deployment_method` to either `docker` or `podman` to use the respective ansible modules for
creating and managing the container and its image. See all supported methods in `nginx_deployment_methods`.

View File

@ -1,37 +0,0 @@
nginx_version: "1.27.4"
nginx_flavour: alpine
nginx_base_path: /opt/nginx
nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
nginx_state: present
nginx_deployment_method: docker
nginx_container_name: nginx
nginx_container_image_reference: >-
+ ':' + (nginx_container_image_tag
| default(nginx_version
+ (('-' + nginx_flavour) if nginx_flavour is defined else ''), true))
nginx_container_image_repository: >-
| default(nginx_container_image_registry)
+ '/'
+ nginx_container_image_namespace | default('')
+ nginx_container_image_name
nginx_container_image_registry: ""
nginx_container_image_name: "nginx"
nginx_container_image_tag: ~
nginx_container_image_source: pull
nginx_container_state: >-2
{{ (nginx_state == 'present') | ternary('started', 'absent') }}
nginx_container_restart_policy: "unless-stopped"
- "{{ nginx_config_file }}:/etc/nginx/conf.d/nginx.conf:ro"

View File

@ -1,8 +0,0 @@
- name: Ensure nginx container '{{ nginx_container_name }}' is restarted
name: "{{ nginx_container_name }}"
state: started
restart: true
listen: restart-nginx

View File

@ -1,12 +0,0 @@
allow_duplicates: true
dependencies: []
role_name: nginx
description: Deploy nginx, a webserver
- nginx
- http
- webserver
- docker
- podman

View File

@ -1,28 +0,0 @@
- name: Ensure docker container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
name: "{{ nginx_container_image_reference }}"
state: "{{ nginx_state }}"
source: "{{ nginx_container_image_source }}"
force_source: >-2
{{ nginx_container_image_force_source
| default(nginx_container_image_tag | default(false, true)) }}
register: nginx_container_image_info
until: nginx_container_image_info is success
retries: 5
delay: 3
- name: Ensure docker container '{{ nginx_container_name }}' is {{ nginx_container_state }}
name: "{{ nginx_container_name }}"
image: "{{ nginx_container_image_reference }}"
env: "{{ nginx_container_env | default(omit, true) }}"
user: "{{ nginx_container_user | default(omit, true) }}"
ports: "{{ nginx_container_ports | default(omit, true) }}"
labels: "{{ nginx_container_labels | default(omit, true) }}"
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
networks: "{{ nginx_container_networks | default(omit, true) }}"
purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
restart_policy: "{{ nginx_container_restart_policy }}"
state: "{{ nginx_container_state }}"

View File

@ -1,27 +0,0 @@
- name: Ensure container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
name: "{{ nginx_container_image_reference }}"
state: "{{ nginx_state }}"
pull: "{{ nginx_container_image_source == 'pull' }}"
force: >-2
{{ nginx_container_image_force_source
| default(nginx_container_image_tag | default(false, true)) }}
register: nginx_container_image_info
until: nginx_container_image_info is success
retries: 5
delay: 3
- name: Ensure container '{{ nginx_container_name }}' is {{ nginx_container_state }}
name: "{{ nginx_container_name }}"
image: "{{ nginx_container_image_reference }}"
env: "{{ nginx_container_env | default(omit, true) }}"
user: "{{ nginx_container_user | default(omit, true) }}"
ports: "{{ nginx_container_ports | default(omit, true) }}"
labels: "{{ nginx_container_labels | default(omit, true) }}"
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
network: "{{ nginx_container_networks | default(omit, true) }}"
restart_policy: "{{ nginx_container_restart_policy }}"
state: "{{ nginx_container_state }}"

View File

@ -1,40 +0,0 @@
- name: Check if state is supported
msg: >-2
Unsupported state '{{ nginx_state }}'. Supported
states are {{ nginx_states | join(', ') }}.
when: nginx_state not in nginx_states
- name: Check if deployment_method is supported
msg: >-2
Unsupported state '{{ nginx_deployment_method }}'. Supported
states are {{ nginx_deployment_methods | join(', ') }}.
when: nginx_deployment_method not in nginx_deployment_methods
- name: Ensure nginx config file is {{ nginx_state }}
path: "{{ nginx_config_file }}"
state: "{{ nginx_state }}"
when: nginx_state == 'absent'
- name: Ensure base path '{{ nginx_base_path }}' is {{ nginx_state }}
path: "{{ nginx_base_path }}"
mode: "0755"
state: >-2
{{ (nginx_state == 'present') | ternary('directory', 'absent') }}
- name: Ensure nginx config file is templated
dest: "{{ nginx_config_file }}"
content: "{{ nginx_config }}"
mode: 0640
- restart-nginx
when: nginx_state == 'present'
- name: Deploy using {{ nginx_deployment_method }}
file: "deploy-{{ nginx_deployment_method }}.yml"

View File

@ -1,7 +0,0 @@
- present
- absent
- docker
- podman

View File

@ -1,25 +0,0 @@
# `finallycoffee.base.powerdns_tsig_key`
Simple ansible role for ensuring a TSIG key is present in a given PowerDNS-
## Usage
The usage example below assumes `powerdns` is running in a container named `powerdns` (as supplied to `powerdns_tsig_key_container_name`.
- hosts: "{{ target_hosts }}"
become: true
- role: finallycoffee.base.powerdns_tsig_key
powerdns_tsig_key_name: "nameofmykey"
powerdns_tsig_key_path: "/var/lib/myapp/tsig.key"
powernds_tsig_key_algo: "hmac-sha512"
powerdns_tsig_key_path_owner: "myappuser"
powerdns_tsig_key_path_group: "myappgroup"
powerdns_tsig_key_container_name: 'powerdns'
> [!NOTE]
> Support for non-docker deployments is pending.

View File

@ -1,2 +0,0 @@
powerdns_tsig_key_container_name: powerdns

View File

@ -1,104 +0,0 @@
- name: Ensure unix group '{{ powerdns_tsig_key_path_group }}' exists
name: "{{ powerdns_tsig_key_path_group }}"
state: "present"
system: true
register: powerdns_tsig_key_path_group_info
when: powerdns_tsig_key_path_group is defined
- name: Ensure unix user '{{ powerdns_tsig_key_path_owner }}' exists
name: "{{ powerdns_tsig_key_path_owner }}"
state: "present"
system: true
create_home: false
groups: "{{ powerdns_tsig_key_path_group is defined | ternary([powerdns_tsig_key_path_group], omit) }}"
append: "{{ powerdns_tsig_key_path_group is defined | ternary(true, omit) }}"
register: powerdns_tsig_key_path_owner_info
when: powerdns_tsig_key_path_owner is defined
- name: Check if TSIG key is already present
path: "{{ powerdns_tsig_key_path }}"
register: powerdns_tsig_key_info
- name: Ensure TSIG key directory is present
path: "{{ powerdns_tsig_key_path | dirname }}"
state: directory
owner: "{{ powerdns_tsig_key_path_owner | default(omit) }}"
group: "{{ powerdns_tsig_key_path_group | default(omit) }}"
mode: "u+rwX,g+rX"
recurse: true
- name: Ensure a TSIG key is configured and persisted
when: >-
not powerdns_tsig_key_info.stat.exists
or powerdns_tsig_key_info.stat.size == 0
- name: Ensure TSIG key is not already present
container: "{{ powerdns_tsig_key_container_name }}"
command: "pdnsutil list-tsig-keys"
delegate_to: "{{ powerdns_tsig_key_hostname }}"
register: powerdns_tsig_key_powerdns_info
changed_when: false
check_mode: false
become: true
- name: Ensure TSIG key is generated in powerdns
container: "{{ powerdns_tsig_key_container_name }}"
command: "pdnsutil generate-tsig-key '{{ powerdns_tsig_key_name }}' '{{ powerdns_tsig_key_algo }}'"
when: >-
(powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
not in powerdns_tsig_key_powerdns_info.stdout
delegate_to: "{{ powerdns_tsig_key_hostname }}"
register: powerdns_tsig_key_powerdns_generated_tsig_key
throttle: 1
become: true
- name: Ensure PowerDNS is restarted
name: "{{ powerdns_tsig_key_container_name }}"
state: started
restart: true
when: >-
(powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
not in powerdns_tsig_key_powerdns_info.stdout
delegate_to: "{{ powerdns_tsig_key_hostname }}"
throttle: 1
become: true
- name: Extract TSIG key into variable
powerdns_tsig_key_key: >-
(powerdns_tsig_key_powerdns_generated_tsig_key.stdout | trim | split(' ') | list | last)
if (powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
not in powerdns_tsig_key_powerdns_info.stdout
else (powerdns_generated_tsig_key | trim | split(' ') | list | last)
powerdns_generated_tsig_key: >-
{% for line in powerdns_tsig_key_powerdns_info.stdout_lines %}
{% if powerdns_tsig_key_name in line %}
{{ line }}
{% endif %}
{% endfor %}
- name: Ensure TSIG key is persisted into {{ powerdns_tsig_key_path }}
content: "{{ powerdns_tsig_key_key }}"
dest: "{{ powerdns_tsig_key_path }}"
owner: "{{ powerdns_tsig_key_path_owner | default(omit) }}"
group: "{{ powerdns_tsig_key_path_group | default(omit) }}"
mode: "0640"
- name: Ensure TSIG key permissions on {{ powerdns_tsig_key_path }} are correct
path: "{{ powerdns_tsig_key_path }}"
owner: "{{ powerdns_tsig_key_path_owner | default(omit) }}"
group: "{{ powerdns_tsig_key_path_group | default(omit) }}"
mode: "u+rwX,g+rwX"

View File

@ -1,77 +0,0 @@
# `finallycoffee.base.restic`
Ansible role for backup up data using `restic`, utilizing `systemd` timers for scheduling.
## Overview
As restic encrypts the data before storing it, the `restic_repo_password` needs
to be populated with a strong key, and saved accordingly as only this key can
be used to decrypt the data for a restore!
### Backends
#### S3 Backend
To use a `s3`-compatible backend like AWS buckets or minio, both `restic_s3_key_id`
and `restic_s3_access_key` need to be populated, and the `restic_repo_url` has the
format `s3:https://my.s3.endpoint:port/bucket-name`.
#### SFTP Backend
Using the `sftp` backend requires the configured `restic_user` to be able to
authenticate to the configured SFTP-Server using password-less methods like
publickey-authentication. The `restic_repo_url` then follows the format
`sftp:{user}@{server}:/my-restic-repository` (or without leading `/` for relative
paths to the `{user}`s home directory.
### Backing up data
A job name like `$service-postgres` or similar needs to be set in `restic_job_name`,
which is used for naming the `systemd` units, their syslog identifiers etc.
If backing up filesystem locations, the paths need to be specified in
`restic_backup_paths` as lists of strings representing absolute filesystem
If backing up f.ex. database or other data which is generating backups using
a command like `pg_dump`, use `restic_backup_stdin_command` (which needs to output
to `stdout`) in conjunction with `restic_backup_stdin_command_filename` to name
the resulting output (required).
### Policy
The backup policy can be adjusted by overriding the `restic_policy_keep_*`
variables, with the defaults being:
restic_policy_keep_all_within: 1d
restic_policy_keep_hourly: 6
restic_policy_keep_daily: 2
restic_policy_keep_weekly: 7
restic_policy_keep_monthly: 4
restic_policy_backup_frequency: hourly
**Note:** `restic_policy_backup_frequency` must conform to `systemd`s
`OnCalendar` syntax, which can be checked using `systemd-analyze calender $x`.
## Role behaviour
Per default, when the systemd unit for a job changes, the job is not immediately
started. This can be overridden using `restic_start_job_on_unit_change: true`,
which will immediately start the backup job if it's configuration changed.
The systemd unit runs with `restic_user`, which is root by default, guaranteeing
that filesystem paths are always readable. The `restic_user` can be overridden,
but care needs to be taken to ensure the user has permission to read all the
provided filesystem paths / the backup command may be executed by the user.
If ansible should create the user, set `restic_create_user` to `true`, which
will attempt to create the `restic_user` as a system user.
### Installing
For Debian and RedHat, the role attempts to install restic using the default
package manager's ansible module (apt/dnf). For other distributions, the generic
`package` module tries to install `restic_package_name` (default: `restic`),
which can be overridden if needed.

View File

@ -1,60 +0,0 @@
restic_repo_url: ~
restic_repo_password: ~
restic_s3_key_id: ~
restic_s3_access_key: ~
restic_backup_paths: []
restic_backup_stdin_command: ~
restic_backup_stdin_command_filename: ~
restic_policy_keep_all_within: 1d
restic_policy_keep_hourly: 12
restic_policy_keep_daily: 7
restic_policy_keep_weekly: 6
restic_policy_keep_monthly: 6
restic_policy_keep_yearly: 5
restic_policy_backup_frequency: hourly
RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
AWS_SECRET_ACCESS_KEY: "{{ restic_s3_access_key }}"
restic_complete_environment: >-
| combine((restic_s3_environment
if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
| combine(restic_environment | default({}))
keep_within: "{{ restic_policy_keep_all_within }}"
hourly: "{{ restic_policy_keep_hourly }}"
daily: "{{ restic_policy_keep_daily }}"
weekly: "{{ restic_policy_keep_weekly }}"
monthly: "{{ restic_policy_keep_monthly }}"
yearly: "{{ restic_policy_keep_yearly }}"
frequency: "{{ restic_policy_backup_frequency }}"
restic_user: root
restic_create_user: false
restic_start_job_on_unit_change: false
restic_job_name: ~
restic_job_description: "Restic backup job for {{ restic_job_name }}"
restic_systemd_unit_naming_scheme: "restic.{{ restic_job_name }}"
restic_systemd_working_directory: /tmp
restic_systemd_syslog_identifier: "restic-{{ restic_job_name }}"
restic_package_name: restic

View File

@ -1,37 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
if [[ -n ${RESTIC_PRE_BACKUP_HOOK-} ]]; then
/bin/bash -c "$RESTIC_PRE_BACKUP_HOOK"
echo "List existing snapshots or initialize repository"
restic snapshots || restic init
sleep 2;
echo "Attempting to remove lock if present"
restic unlock
sleep 2
echo "Start backup on ${@:1}"
restic --verbose --retry-lock=${RESTIC_RETRY_LOCK:-5m} backup "${@:1}"
sleep 2
echo "Forget and prune old snapshots"
restic forget --prune --retry-lock=${RESTIC_RETRY_LOCK:-5m} \
--keep-within=${RESTIC_FORGET_KEEP_WITHIN:-1d} \
--keep-hourly=${RESTIC_FORGET_KEEP_HOURLY:-6} \
--keep-daily=${RESTIC_FORGET_KEEP_DAILY:-2} \
--keep-weekly=${RESTIC_FORGET_KEEP_WEEKLY:-7} \
--keep-monthly=${RESTIC_FORGET_KEEP_MONTHLY:-4} \
sleep 2
echo "Generate snapshot metrics"
restic --json snapshots | /opt/ \
> /var/lib/node_exporter/restic-snapshots-${RESTIC_JOBNAME:-unknown}.prom-src
sleep 2
echo "Check repository"
restic check

View File

@ -1,12 +0,0 @@
#!/usr/bin/env bash
echo $RESTIC_JSON | jq -r '.[]
| {
"hostname": .hostname,
"username": .username,
"short_id": .short_id,
"time": ((((.time | split(".")[0]) + "Z") | fromdate) - (3600 * (.time | split("+")[1] | split(":")[0] | tonumber + 1))),
"paths": .paths[]
} | "restic_snapshots{hostname=\"\(.hostname)\",username=\"\(.username)\",short_id=\"\(.short_id)\",paths=\"\(.paths)\"} \(.time)"'

View File

@ -1,13 +0,0 @@
- name: Ensure system daemon is reloaded
listen: reload-systemd
daemon_reload: true
- name: Ensure systemd service for '{{ restic_job_name }}' is started immediately
listen: trigger-restic
name: "{{ restic_systemd_unit_naming_scheme }}.service"
state: started
when: restic_start_job_on_unit_change

View File

@ -1,77 +0,0 @@
- name: Ensure {{ restic_user }} system user exists
name: "{{ restic_user }}"
state: present
system: true
when: restic_create_user
- name: Ensure either backup_paths or backup_stdin_command is populated
when: restic_backup_paths|length > 0 and restic_backup_stdin_command and false
msg: "Setting both `restic_backup_paths` and `restic_backup_stdin_command` is not supported"
- name: Ensure a filename for stdin_command backup is given
when: restic_backup_stdin_command and not restic_backup_stdin_command_filename
msg: "`restic_backup_stdin_command` was set but no filename for the resulting output was supplied in `restic_backup_stdin_command_filename`"
- name: Ensure backup frequency adheres to systemd's OnCalender syntax
cmd: "systemd-analyze calendar {{ restic_policy.frequency }}"
register: systemd_calender_parse_res
failed_when: systemd_calender_parse_res.rc != 0
changed_when: false
- name: Ensure restic is installed
- name: Ensure restic is installed via apt
package: restic
state: latest
when: ansible_os_family == 'Debian'
- name: Ensure restic is installed via dnf
name: restic
state: latest
when: ansible_os_family == 'RedHat'
- name: Ensure restic is installed using the auto-detected package-manager
name: "{{ restic_package_name }}"
state: present
when: ansible_os_family not in ['RedHat', 'Debian']
- name: Ensure systemd service file for '{{ restic_job_name }}' is templated
dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
src: restic.service.j2
owner: root
group: root
mode: 0640
- reload-systemd
- trigger-restic
- name: Ensure systemd service file for '{{ restic_job_name }}' is templated
dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.timer"
src: restic.timer.j2
owner: root
group: root
mode: 0640
- reload-systemd
- name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
meta: flush_handlers
- name: Ensure systemd timer for '{{ restic_job_name }}' is activated
name: "{{ restic_systemd_unit_naming_scheme }}.timer"
enabled: true
- name: Ensure systemd timer for '{{ restic_job_name }}' is started
name: "{{ restic_systemd_unit_naming_scheme }}.timer"
state: started

View File

@ -1,51 +0,0 @@
Description={{ restic_job_description }}
User={{ restic_user }}
WorkingDirectory={{ restic_systemd_working_directory }}
SyslogIdentifier={{ restic_systemd_syslog_identifier }}
Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
Environment=RESTIC_PASSWORD={{ restic_repo_password }}
{% for kv in restic_complete_environment | dict2items %}
Environment={{ kv.key }}={{ kv.value }}
{% endfor %}
{% if restic_init | default(true) %}
ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
{% endif %}
{% if restic_unlock_before_backup | default(false) %}
ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
{% endif %}
{% if restic_backup_pre_hook | default(false) %}
ExecStartPre=-{{ restic_backup_pre_hook }}
{% endif %}
{% if restic_backup_stdin_command %}
ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
--retry-lock {{ restic_retry_lock | default('5m') }} \
--verbose --stdin \
--stdin-filename {{ restic_backup_stdin_command_filename }}'
{% else %}
ExecStart=/opt/ {{ restic_backup_paths | join(' ') }}
{% endif %}
{% if restic_forget_prune | default(true) %}
ExecStartPost=/usr/bin/restic forget --prune \
--retry-lock {{ restic_retry_lock | default('5m') }} \
--keep-within={{ restic_policy.keep_within }} \
--keep-hourly={{ restic_policy.hourly }} \
--keep-daily={{ restic_policy.daily }} \
--keep-weekly={{ restic_policy.weekly }} \
--keep-monthly={{ restic_policy.monthly }} \
--keep-yearly={{ restic_policy.yearly }}
{% endif %}
{% if restic_list_snapshots | default(true) %}
ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
{% endif %}
{% if restic_backup_post_hook | default(false) %}
ExecStartPost=-{{ restic_backup_post_hook }}
{% endif %}
{% if restic_check | default(true) %}
ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
{% endif %}

View File

@ -1,9 +0,0 @@
Description=Run {{ restic_timer_description | default(restic_job_name) }}
OnCalendar={{ restic_policy.frequency }}
Unit={{ restic_systemd_unit_naming_scheme }}.service