Compare commits
1 Commits
main
...
transcaffe
Author | SHA1 | Date | |
---|---|---|---|
6b513531a3 |
10
README.md
10
README.md
@ -5,12 +5,15 @@
|
||||
This ansible collection provides various roles for installing
|
||||
and configuring basic system utilities like gnupg, ssh etc
|
||||
|
||||
- [`elasticsearch`](roles/elasticsearch/README.md): Deploy [elasticsearch](https://www.docker.elastic.co/r/elasticsearch/elasticsearch-oss),
|
||||
a popular (distributed) search and analytics engine, mostly known by it's
|
||||
letter "E" in the ELK-stack.
|
||||
|
||||
- [`git`](roles/git/README.md): configures git on the target system
|
||||
|
||||
- [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
|
||||
|
||||
- [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go)](https://github.com/go-acme/lego),
|
||||
a ACME client written in go, using systemd (timers). Multi-instance capable.
|
||||
- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
|
||||
|
||||
- [`minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
|
||||
s3-compatible object storage server, using docker containers.
|
||||
@ -21,9 +24,6 @@ and configuring basic system utilities like gnupg, ssh etc
|
||||
- [`restic`](roles/restic/README.md): Manage backups using restic
|
||||
and persist them to a configurable backend.
|
||||
|
||||
- [`powerdns_tsig_key`](roles/powerdns_tsig_key/README.md): Simple ansible role
|
||||
for generating TSIG keys in PowerDNS.
|
||||
|
||||
## License
|
||||
|
||||
[CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License
|
||||
|
13
galaxy.yml
13
galaxy.yml
@ -1,21 +1,12 @@
|
||||
namespace: finallycoffee
|
||||
name: base
|
||||
version: 0.2.1
|
||||
version: 0.0.2
|
||||
readme: README.md
|
||||
authors:
|
||||
- transcaffeine <transcaffeine@finally.coffee>
|
||||
description: Roles for base services which are common dependencies other services like databases
|
||||
dependencies:
|
||||
"community.docker": "^4.2.0"
|
||||
license_file: LICENSE.md
|
||||
build_ignore:
|
||||
- '*.tar.gz'
|
||||
repository: https://git.finally.coffee/finallycoffee/base
|
||||
issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
|
||||
tags:
|
||||
- docker
|
||||
- lego
|
||||
- minio
|
||||
- nginx
|
||||
- restic
|
||||
- docker
|
||||
issues: https://git.finally.coffee/finallycoffee/base/issues
|
||||
|
@ -1,3 +1,3 @@
|
||||
---
|
||||
|
||||
requires_ansible: ">=2.15"
|
||||
requires_ansible: ">=2.12"
|
||||
|
@ -1,78 +0,0 @@
|
||||
---
|
||||
- name: Bootstrap everything needed for an ansible connection
|
||||
hosts: "{{ target_hosts | default('all', true) }}"
|
||||
become: "{{ target_host_become | default(true, false) }}"
|
||||
gather_facts: false
|
||||
pre_tasks:
|
||||
- name: Gather information about the target system id
|
||||
ansible.builtin.raw: "cat /etc/os-release | grep '^ID=' | cut -d '=' -f2"
|
||||
register: target_host_os_info
|
||||
check_mode: false
|
||||
changed_when: false
|
||||
- name: Set /etc/os-release system id
|
||||
ansible.builtin.set_fact:
|
||||
target_host_system_id: "{{ target_host_os_info.stdout_lines | first | trim }}"
|
||||
delegate_to: localhost
|
||||
- name: Gather information about the target system version
|
||||
ansible.builtin.raw: "cat /etc/os-release | grep '^VERSION_ID=' | cut -d '=' -f2"
|
||||
register: target_host_os_info_version
|
||||
check_mode: false
|
||||
changed_when: false
|
||||
- name: Set /etc/os-release system version id
|
||||
ansible.builtin.set_fact:
|
||||
target_host_system_version_id: "{{ target_host_os_info_version.stdout_lines | first | trim }}"
|
||||
delegate_to: localhost
|
||||
|
||||
tasks:
|
||||
- name: Ensure apt bootstrap packages are installed
|
||||
ansible.builtin.raw: "apt install {{ apt_bootstrap_packages | join(' ') }}"
|
||||
register: target_host_apt_info
|
||||
when: target_host_system_id in targets_using_apt
|
||||
changed_when:
|
||||
- "'0 upgraded' not in target_host_apt_info.stdout_lines | last"
|
||||
- "'0 newly installed' not in target_host_apt_info.stdout_lines | last"
|
||||
- name: Ensure dnf < 4 bootstrap packages are installed
|
||||
ansible.builtin.raw: "dnf install --assumeyes {{ dnf4_bootstrap_packages | join(' ') }}"
|
||||
register: target_host_dnf_info
|
||||
when:
|
||||
- target_host_system_id in targets_using_dnf4.keys()
|
||||
- target_host_system_version_id | int < targets_using_dnf4[target_host_system_id]
|
||||
changed_when:
|
||||
- "(target_host_dnf_info.stdout_lines | last) != 'Nothing to do.'"
|
||||
- name: Ensure dnf5 bootstrap packages are installed
|
||||
ansible.builtin.raw: "dnf install --assumeyes {{ dnf5_bootstrap_packages | join(' ') }}"
|
||||
register: target_host_dnf_info
|
||||
when:
|
||||
- target_host_system_id in targets_using_dnf5.keys()
|
||||
- target_host_system_version_id | int >= targets_using_dnf5[target_host_system_id]
|
||||
changed_when:
|
||||
- "(target_host_dnf_info.stdout_lines | last) != 'Nothing to do.'"
|
||||
- name: Sort hosts into os-specific groups
|
||||
ansible.builtin.group_by:
|
||||
key: >-2
|
||||
{{ (os_group_prefix
|
||||
| default(false, true)
|
||||
| ternary(os_group_prefix | default('') + (os_group_seperator | default('_')), ''))
|
||||
+ target_host_system_id }}
|
||||
when: target_hosts_sort_into_system_ids | default(false, true)
|
||||
changed_when: false
|
||||
delegate_to: localhost
|
||||
vars:
|
||||
targets_using_apt:
|
||||
- debian
|
||||
- ubuntu
|
||||
apt_bootstrap_packages:
|
||||
- python3
|
||||
- python3-apt
|
||||
# default package manager is dnf5 since fedora 41
|
||||
# https://fedoraproject.org/wiki/Changes/SwitchToDnf5#Current_status
|
||||
targets_using_dnf4:
|
||||
fedora: 41
|
||||
targets_using_dnf5:
|
||||
fedora: 41
|
||||
dnf4_bootstrap_packages:
|
||||
- python3
|
||||
- python3-dnf
|
||||
- python3-libdnf
|
||||
dnf5_bootstrap_packages:
|
||||
- python3-libdnf5
|
@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: Install and configure docker daemon
|
||||
hosts: "{{ docker_hosts | default('docker', true) }}"
|
||||
become: "{{ docker_become | default(false, true) }}"
|
||||
roles:
|
||||
- role: finallycoffee.base.docker
|
@ -1,24 +0,0 @@
|
||||
---
|
||||
- name: Install system packages on the remote
|
||||
hosts: "{{ target_hosts | default('all', true) }}"
|
||||
become: "{{ target_host_become | default(true, true) }}"
|
||||
gather_facts: "{{ target_host_gather_facts | default(true, true) }}"
|
||||
tasks:
|
||||
- name: Install packages (apt)
|
||||
ansible.builtin.apt:
|
||||
package: "{{ package.name }}"
|
||||
state: "{{ package.state | default('present') }}"
|
||||
loop: "{{ system_packages | default([], true) }}"
|
||||
loop_control:
|
||||
loop_var: package
|
||||
label: "{{ package.name }}"
|
||||
when: ansible_facts['pkg_mgr'] == 'apt'
|
||||
- name: Install packages (dnf)
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ package.name }}"
|
||||
state: "{{ package.state | default('present') }}"
|
||||
loop: "{{ system_packages | default([], true) }}"
|
||||
loop_control:
|
||||
loop_var: package
|
||||
label: "{{ package.name }}"
|
||||
when: ansible_facts['pkg_mgr'] in ['dnf', 'dnf5', 'yum']
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
- name: Configure user accounts
|
||||
hosts: "{{ user_hosts | default('all', true) }}"
|
||||
become: "{{ user_role_become | default(false, true) }}"
|
||||
gather_facts: "{{ user_role_gather_facts | default(false, true) }}"
|
||||
roles:
|
||||
- role: finallycoffee.base.user
|
@ -1,33 +0,0 @@
|
||||
# `finallycoffee.base.dns` ansible role
|
||||
|
||||
Simple role for wrapping around the
|
||||
[`famedly.dns.update`](https://github.com/famedly/ansible-collection-dns/blob/main/plugins/modules/update.py)
|
||||
ansible module.
|
||||
|
||||
## Usage
|
||||
|
||||
### Example playbook
|
||||
```yaml
|
||||
- target: "{{ target_hosts }}"
|
||||
roles:
|
||||
- role: finallycoffee.base.dns
|
||||
vars:
|
||||
dns_server: "dns.example.org"
|
||||
dns_zone: "zone.example.org"
|
||||
dns_records: "{{ dns_records }}"
|
||||
dns_record_state: exact
|
||||
dns_tsig_name: "mykeyname"
|
||||
dns_tsig_algo: "hmac-sha256"
|
||||
dns_tsig_key: "mykeycontent"
|
||||
vars:
|
||||
dns_records:
|
||||
- type: A
|
||||
name: gitea
|
||||
content: "127.0.0.1"
|
||||
- type: AAAA
|
||||
name: gitea
|
||||
content: "fe80::1"
|
||||
- type: CNAME
|
||||
name: "_acme_challenge.gitea"
|
||||
content: "delegated-cname.challenge.example.org"
|
||||
```
|
@ -1,13 +0,0 @@
|
||||
# `finallycoffee.base.docker` ansible role
|
||||
|
||||
Install and configure the docker daemon.
|
||||
|
||||
## Configuration
|
||||
|
||||
- `docker_daemon_config` - configuration for the docker daemon
|
||||
- `docker_remove_legacy_packages` - clean up old versions of docker (see https://docs.docker.com/engine/install/debian/#uninstall-old-versions)
|
||||
|
||||
## Plugins
|
||||
|
||||
- `docker_plugin_buildx_enable` - enable the buildx plugin
|
||||
- `docker_plugin_compose_enable` - enable docker compose
|
@ -1,31 +0,0 @@
|
||||
---
|
||||
docker_apt_key_url: "https://download.docker.com/linux/debian/gpg"
|
||||
docker_apt_key_id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
|
||||
|
||||
docker_apt_arch: amd64
|
||||
docker_apt_release_channel: stable
|
||||
docker_apt_repository_url: "https://download.docker.com/linux/debian"
|
||||
docker_apt_repository: >-2
|
||||
deb [arch={{ docker_apt_arch }}] {{ docker_apt_repository_url }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}
|
||||
docker_apt_cli_package: "docker-ce-cli"
|
||||
docker_apt_plugin_buildx_package: "docker-buildx-plugin"
|
||||
docker_apt_plugin_compose_package: "docker-compose-plugin"
|
||||
docker_apt_base_packages:
|
||||
- "docker-ce"
|
||||
- "docker-ce-cli"
|
||||
- "containerd.io"
|
||||
docker_apt_packages: >-2
|
||||
{{
|
||||
docker_apt_base_packages
|
||||
+ (docker_plugin_buildx_enable | default(false)
|
||||
| ternary([ docker_apt_plugin_buildx_package ], []))
|
||||
+ (docker_plugin_compose_enable | default(false)
|
||||
| ternary([ docker_apt_plugin_compose_package ], []))
|
||||
}}
|
||||
docker_apt_legacy_packages:
|
||||
- "docker.io"
|
||||
- "docker-compose"
|
||||
- "docker-doc"
|
||||
- "podman-docker"
|
||||
- "containerd"
|
||||
- "runc"
|
@ -1,34 +0,0 @@
|
||||
---
|
||||
docker_fedora_repo_name: "docker-ce-stable"
|
||||
docker_fedora_repo_description: "Docker CE Stable - $basearch"
|
||||
docker_fedora_repo_url: "https://download.docker.com/linux/fedora/$releasever/$basearch/stable"
|
||||
docker_fedora_repo_validate_certs: true
|
||||
docker_fedora_repo_gpg_check: true
|
||||
docker_fedora_repo_gpg_key: "https://download.docker.com/linux/fedora/gpg"
|
||||
|
||||
docker_fedora_cli_package: "docker-ce-cli"
|
||||
docker_fedora_plugin_buildx_package: "docker-buildx-plugin"
|
||||
docker_fedora_plugin_compose_package: "docker-compose-plugin"
|
||||
docker_fedora_base_packages:
|
||||
- "docker-ce"
|
||||
- "docker-ce-cli"
|
||||
- "containerd.io"
|
||||
docker_fedora_packages: >-2
|
||||
{{
|
||||
docker_fedora_base_packages
|
||||
+ (docker_plugin_buildx_enable | default(false)
|
||||
| ternary([ docker_fedora_plugin_buildx_package ], []))
|
||||
+ (docker_plugin_compose_enable | default(false)
|
||||
| ternary([ docker_fedora_plugin_compose_package ], []))
|
||||
}}
|
||||
docker_fedora_legacy_packages:
|
||||
- "docker"
|
||||
- "docker-client"
|
||||
- "docker-client-latest"
|
||||
- "docker-common"
|
||||
- "docker-latest"
|
||||
- "docker-latest-logrotate"
|
||||
- "docker-logrotate"
|
||||
- "docker-selinux"
|
||||
- "docker-engine-selinux"
|
||||
- "docker-engine"
|
@ -1,13 +0,0 @@
|
||||
---
|
||||
docker_state: "present"
|
||||
|
||||
docker_daemon_config: {}
|
||||
docker_daemon_config_file: "/etc/docker/daemon.json"
|
||||
docker_daemon_config_file_mode: "0644"
|
||||
docker_daemon_config_owner: root
|
||||
docker_daemon_config_group: "{{ docker_daemon_config_owner }}"
|
||||
|
||||
docker_plugin_buildx_enable: false
|
||||
docker_plugin_compose_enable: false
|
||||
|
||||
docker_remove_legacy_packages: true
|
@ -1,5 +0,0 @@
|
||||
---
|
||||
docker_systemd_service_name: "docker.service"
|
||||
docker_systemd_service_state: >-2
|
||||
{{ (docker_state == 'present') | ternary('started', 'stopped') }}
|
||||
docker_systemd_service_enabled: "{{ (docker_state == 'present') }}"
|
@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: Restart docker daemon
|
||||
ansible.builtin.systemd_service:
|
||||
name: "{{ docker_systemd_service_name }}"
|
||||
state: "restarted"
|
||||
listen: "docker-restart"
|
@ -1,18 +0,0 @@
|
||||
---
|
||||
- name: Ensure config directory '{{ docker_daemon_config_file | dirname }}' is present
|
||||
ansible.builtin.file:
|
||||
path: "{{ docker_daemon_config_file | dirname }}"
|
||||
state: "directory"
|
||||
mode: "0755"
|
||||
owner: "{{ docker_daemon_config_owner }}"
|
||||
group: "{{ docker_daemon_config_group }}"
|
||||
|
||||
- name: Configure docker daemon using '{{ docker_daemon_config_file }}'
|
||||
ansible.builtin.copy:
|
||||
content: "{{ docker_daemon_config | to_nice_json }}"
|
||||
dest: "{{ docker_daemon_config_file }}"
|
||||
mode: "{{ docker_daemon_config_file_mode }}"
|
||||
owner: "{{ docker_daemon_config_owner }}"
|
||||
group: "{{ docker_daemon_config_group }}"
|
||||
when: docker_daemon_config | string | length > 0
|
||||
notify: docker-restart
|
@ -1,30 +0,0 @@
|
||||
---
|
||||
- name: Ensure legacy docker packages are removed
|
||||
ansible.builtin.apt:
|
||||
name: "{{ docker_apt_legacy_packages }}"
|
||||
state: absent
|
||||
when: docker_remove_legacy_packages
|
||||
|
||||
- name: Add apt key for docker repository
|
||||
ansible.builtin.apt_key:
|
||||
id: "{{ docker_apt_key_id }}"
|
||||
url: "{{ docker_apt_key_url }}"
|
||||
state: "{{ docker_state }}"
|
||||
|
||||
- name: Add apt repository for docker
|
||||
ansible.builtin.apt_repository:
|
||||
repo: "{{ docker_apt_repository }}"
|
||||
state: "{{ docker_state }}"
|
||||
register: docker_apt_repository_info
|
||||
|
||||
- name: Update apt cache if repository was newly added
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
||||
when:
|
||||
- docker_state == 'present'
|
||||
- docker_apt_repository_info.changed
|
||||
|
||||
- name: Install apt packages for docker
|
||||
ansible.builtin.apt:
|
||||
name: "{{ docker_apt_packages }}"
|
||||
state: "{{ docker_state }}"
|
@ -1,21 +0,0 @@
|
||||
---
|
||||
- name: Ensure legacy docker packages are removed
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ docker_fedora_legacy_packages }}"
|
||||
state: "removed"
|
||||
when: docker_remove_legacy_packages
|
||||
|
||||
- name: Ensure dnf repository for docker is {{ docker_state }}
|
||||
ansible.builtin.yum_repository:
|
||||
name: "{{ docker_fedora_repo_name }}"
|
||||
description: "{{ docker_fedora_repo_description }}"
|
||||
baseurl: "{{ docker_fedora_repo_url }}"
|
||||
validate_certs: "{{ docker_fedora_repo_validate_certs }}"
|
||||
gpgkey: "{{ docker_fedora_repo_gpg_key }}"
|
||||
gpgcheck: "{{ docker_fedora_repo_gpg_check }}"
|
||||
state: "{{ docker_state }}"
|
||||
|
||||
- name: Install dnf packages for docker
|
||||
ansible.builtin.dnf:
|
||||
name: "{{ docker_fedora_packages }}"
|
||||
state: "{{ docker_state }}"
|
@ -1,29 +0,0 @@
|
||||
---
|
||||
- name: Check if target OS is supported
|
||||
ansible.builtin.fail:
|
||||
msg: >-2
|
||||
OS '{{ docker_os }}' is not supported!
|
||||
when: docker_os not in docker_supported_oses
|
||||
vars:
|
||||
docker_os: "{{ ansible_distribution | lower }}"
|
||||
|
||||
- name: Ensure docker is {{ docker_state }} on {{ ansible_distribution }}
|
||||
ansible.builtin.include_tasks:
|
||||
file: "install-{{ ansible_distribution | lower }}.yml"
|
||||
|
||||
- name: Configure docker daemon
|
||||
ansible.builtin.include_tasks:
|
||||
file: "configure.yml"
|
||||
when: docker_state == 'present'
|
||||
|
||||
- name: Ensure docker daemon is {{ docker_systemd_service_enabled | ternary('enabled', 'disabled') }}
|
||||
ansible.builtin.systemd_service:
|
||||
name: "{{ docker_systemd_service_name }}"
|
||||
enabled: "{{ docker_systemd_service_enabled }}"
|
||||
when: ansible_facts['service_mgr'] == 'systemd'
|
||||
|
||||
- name: Ensure docker daemon is {{ docker_systemd_service_state }}
|
||||
ansible.builtin.systemd_service:
|
||||
name: "{{ docker_systemd_service_name }}"
|
||||
state: "{{ docker_systemd_service_state }}"
|
||||
when: ansible_facts['service_mgr'] == 'systemd'
|
@ -1,4 +0,0 @@
|
||||
---
|
||||
docker_supported_oses:
|
||||
- 'debian'
|
||||
- 'fedora'
|
22
roles/elasticsearch/README.md
Normal file
22
roles/elasticsearch/README.md
Normal file
@ -0,0 +1,22 @@
|
||||
# `finallycoffee.base.elastiscsearch`
|
||||
|
||||
A simple ansible role which deploys a single-node elastic container to provide
|
||||
an easy way to do some indexing.
|
||||
|
||||
## Usage
|
||||
|
||||
Per default, `/opt/elasticsearch/data` is used to persist data, it is
|
||||
customizable by using either `elasticsearch_base_path` or `elasticsearch_data_path`.
|
||||
|
||||
As elasticsearch be can be quite memory heavy, the maximum amount of allowed RAM
|
||||
can be configured using `elasticsearch_allocated_ram_mb`, defaulting to 512 (mb).
|
||||
|
||||
The cluster name and discovery type can be overridden using
|
||||
`elasticsearch_config_cluster_name` (default: elastic) and
|
||||
`elasticsearch_config_discovery_type` (default: single-node), should one
|
||||
need a multi-node elasticsearch deployment.
|
||||
|
||||
Per default, no ports or networks are mapped, and explizit mapping using
|
||||
either ports (`elasticsearch_container_ports`) or networks
|
||||
(`elasticsearch_container_networks`) is required in order for other services
|
||||
to use elastic.
|
35
roles/elasticsearch/defaults/main.yml
Normal file
35
roles/elasticsearch/defaults/main.yml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
|
||||
elasticsearch_version: 7.17.7
|
||||
|
||||
elasticsearch_base_path: /opt/elasticsearch
|
||||
elasticsearch_data_path: "{{ elasticsearch_base_path }}/data"
|
||||
|
||||
elasticsearch_config_cluster_name: elastic
|
||||
elasticsearch_config_discovery_type: single-node
|
||||
elasticsearch_config_boostrap_memory_lock: true
|
||||
elasticsearch_allocated_ram_mb: 512
|
||||
|
||||
elasticsearch_container_image_name: docker.elastic.co/elasticsearch/elasticsearch-oss
|
||||
elasticsearch_container_image_tag: ~
|
||||
elasticsearch_container_image: >-
|
||||
{{ elasticsearch_container_image_name }}:{{ elasticsearch_container_image_tag | default(elasticsearch_version, true) }}
|
||||
|
||||
elasticsearch_container_name: elasticsearch
|
||||
elasticsearch_container_env:
|
||||
"ES_JAVA_OPTS": "-Xms{{ elasticsearch_allocated_ram_mb }}m -Xmx{{ elasticsearch_allocated_ram_mb }}m"
|
||||
"cluster.name": "{{ elasticsearch_config_cluster_name }}"
|
||||
"discovery.type": "{{ elasticsearch_config_discovery_type }}"
|
||||
"bootstrap.memory_lock": "{{ 'true' if elasticsearch_config_boostrap_memory_lock else 'false' }}"
|
||||
elasticsearch_container_user: ~
|
||||
elasticsearch_container_ports: ~
|
||||
elasticsearch_container_labels:
|
||||
version: "{{ elasticsearch_version }}"
|
||||
elasticsearch_container_ulimits:
|
||||
# - "memlock:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}:{{ (1.5 * 1024 * elasticsearch_allocated_ram_mb) | int }}"
|
||||
- "memlock:-1:-1"
|
||||
elasticsearch_container_volumes:
|
||||
- "{{ elasticsearch_data_path }}:/usr/share/elasticsearch/data:z"
|
||||
elasticsearch_container_networks: ~
|
||||
elasticsearch_container_purge_networks: ~
|
||||
elasticsearch_container_restart_policy: unless-stopped
|
32
roles/elasticsearch/tasks/main.yml
Normal file
32
roles/elasticsearch/tasks/main.yml
Normal file
@ -0,0 +1,32 @@
|
||||
---
|
||||
|
||||
- name: Ensure host directories are present
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: "0777"
|
||||
loop:
|
||||
- "{{ elasticsearch_base_path }}"
|
||||
- "{{ elasticsearch_data_path }}"
|
||||
|
||||
- name: Ensure elastic container image is present
|
||||
docker_image:
|
||||
name: "{{ elasticsearch_container_image }}"
|
||||
state: present
|
||||
source: pull
|
||||
force_source: "{{ elasticsearch_container_image_tag|default(false, true)|bool }}"
|
||||
|
||||
- name: Ensure elastic container is running
|
||||
docker_container:
|
||||
name: "{{ elasticsearch_container_name }}"
|
||||
image: "{{ elasticsearch_container_image }}"
|
||||
env: "{{ elasticsearch_container_env | default(omit, True) }}"
|
||||
user: "{{ elasticsearch_container_user | default(omit, True) }}"
|
||||
ports: "{{ elasticsearch_container_ports | default(omit, True) }}"
|
||||
labels: "{{ elasticsearch_container_labels | default(omit, True) }}"
|
||||
volumes: "{{ elasticsearch_container_volumes }}"
|
||||
ulimits: "{{ elasticsearch_container_ulimits }}"
|
||||
networks: "{{ elasticsearch_container_networks | default(omit, True) }}"
|
||||
purge_networks: "{{ elasticsearch_container_purge_networks | default(omit, True) }}"
|
||||
restart_policy: "{{ elasticsearch_container_restart_policy }}"
|
||||
state: started
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
lego_user: "lego"
|
||||
lego_version: "4.23.0"
|
||||
lego_version: "4.17.4"
|
||||
lego_instance: default
|
||||
lego_base_path: "/opt/lego"
|
||||
lego_cert_user: "acme-{{ lego_instance }}"
|
||||
@ -58,7 +58,7 @@ lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
|
||||
lego_systemd_timer_template: lego.timer.j2
|
||||
lego_systemd_timer_calendar: "*-*-* *:00/15:00"
|
||||
|
||||
lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
|
||||
lego_architecture: "amd64"
|
||||
lego_os: "linux"
|
||||
lego_binary_allow_net_bind_service: false
|
||||
|
||||
|
@ -1,10 +1,11 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
LEGO_BINARY=$(/usr/bin/env which lego)
|
||||
|
||||
if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
|
||||
if ! nc_binary="$(type -p 'nc')" || [[ -z $nc_binary ]]; then
|
||||
if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
|
||||
if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
|
||||
echo "nc not found (in PATH), exiting"
|
||||
exit 1
|
||||
fi
|
||||
@ -14,10 +15,6 @@ if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ -n "${LEGO_PRE_RENEWAL_HOOK:-}" ]]; then
|
||||
$LEGO_PRE_RENEWAL_HOOK
|
||||
fi
|
||||
|
||||
LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
|
||||
|
||||
FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
|
||||
@ -27,9 +24,5 @@ else
|
||||
$LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
|
||||
fi
|
||||
|
||||
find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
|
||||
find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
|
||||
|
||||
if [[ -n "${LEGO_POST_RENEWAL_HOOK:-}" ]]; then
|
||||
$LEGO_POST_RENEWAL_HOOK
|
||||
fi
|
||||
find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
|
||||
find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
|
||||
|
@ -25,44 +25,35 @@
|
||||
- "{{ lego_cert_group }}"
|
||||
append: true
|
||||
|
||||
- name: Check if lego is present
|
||||
ansible.builtin.command:
|
||||
cmd: which lego
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: lego_binary_info
|
||||
check_mode: false
|
||||
|
||||
- name: Check which version of lego is present
|
||||
ansible.builtin.command:
|
||||
cmd: "lego --version"
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: lego_binary_version_info
|
||||
when: lego_binary_info.rc == 0
|
||||
check_mode: false
|
||||
|
||||
- name: Ensure lego is installed
|
||||
when: (lego_binary_info.rc != 0) or (lego_version not in lego_binary_version_info.stdout)
|
||||
block:
|
||||
- name: Check if lego is present
|
||||
ansible.builtin.command:
|
||||
cmd: which lego
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: lego_binary_info
|
||||
|
||||
- name: Download lego from source
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ lego_release_archive_url }}"
|
||||
url_username: "{{ lego_release_archive_url_username | default(omit) }}"
|
||||
url_password: "{{ lego_release_archive_url_password | default(omit) }}"
|
||||
dest: "{{ lego_release_archive_file_path }}"
|
||||
when: lego_binary_info.rc != 0
|
||||
|
||||
- name: Create folder to uncompress into
|
||||
ansible.builtin.file:
|
||||
dest: "{{ lego_release_archive_path }}"
|
||||
state: directory
|
||||
when: lego_binary_info.rc != 0
|
||||
|
||||
- name: Uncompress lego source archive
|
||||
ansible.builtin.unarchive:
|
||||
src: "{{ lego_release_archive_file_path }}"
|
||||
dest: "{{ lego_release_archive_path }}"
|
||||
remote_src: true
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
when: lego_binary_info.rc != 0
|
||||
|
||||
- name: Ensure lego binary is present in PATH
|
||||
ansible.builtin.copy:
|
||||
@ -70,7 +61,14 @@
|
||||
dest: "/usr/local/bin/lego"
|
||||
mode: "u+rwx,g+rx,o+rx"
|
||||
remote_src: true
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
when: lego_binary_info.rc != 0
|
||||
|
||||
- name: Ensure lego is allowed to bind to ports < 1024
|
||||
community.general.capabilities:
|
||||
path: "/usr/local/bin/lego"
|
||||
capability: "cap_net_bind_service+ep"
|
||||
state: present
|
||||
when: lego_binary_allow_net_bind_service
|
||||
|
||||
- name: Ensure intermediate data is gone
|
||||
ansible.builtin.file:
|
||||
@ -79,13 +77,7 @@
|
||||
loop:
|
||||
- "{{ lego_release_archive_path }}"
|
||||
- "{{ lego_release_archive_file_path }}"
|
||||
|
||||
- name: Ensure lego is allowed to bind to ports < 1024
|
||||
community.general.capabilities:
|
||||
path: "/usr/local/bin/lego"
|
||||
capability: "cap_net_bind_service+ep"
|
||||
state: present
|
||||
when: lego_binary_allow_net_bind_service
|
||||
when: lego_binary_info.rc != 0
|
||||
|
||||
- name: Ensure lego base path exists
|
||||
ansible.builtin.file:
|
||||
@ -107,7 +99,6 @@
|
||||
{{ entry.key }}={{ entry.value }}
|
||||
{% endfor %}
|
||||
dest: "{{ lego_base_path }}/{{ lego_instance }}.conf"
|
||||
register: lego_env_file_info
|
||||
|
||||
- name: Ensure timer unit is templated
|
||||
ansible.builtin.template:
|
||||
@ -121,7 +112,6 @@
|
||||
src: "lego_run.sh"
|
||||
dest: "{{ lego_base_path }}/run.sh"
|
||||
mode: "0755"
|
||||
register: lego_handler_script_info
|
||||
|
||||
- name: Ensure per-instance base path is created
|
||||
ansible.builtin.file:
|
||||
@ -161,18 +151,7 @@
|
||||
name: "{{ lego_systemd_timer_name }}"
|
||||
state: "started"
|
||||
|
||||
- name: Check if certificates are present
|
||||
ansible.builtin.find:
|
||||
path: "{{ lego_instance_path }}/certificates"
|
||||
recurse: false
|
||||
file_type: "file"
|
||||
register: lego_certificate_info
|
||||
|
||||
- name: Ensure systemd service is started once to obtain the certificate
|
||||
ansible.builtin.systemd_service:
|
||||
name: "{{ lego_systemd_service_name }}"
|
||||
state: "started"
|
||||
when: >-2
|
||||
lego_handler_script_info.changed
|
||||
or lego_env_file_info.changed
|
||||
or lego_certificate_info.files | default([]) | length == 0
|
||||
|
19
roles/mariadb/README.md
Normal file
19
roles/mariadb/README.md
Normal file
@ -0,0 +1,19 @@
|
||||
# `finallycoffee.base.mariadb` ansible role
|
||||
|
||||
This role deploys a MariaDB instance in a docker container.
|
||||
|
||||
## Usage
|
||||
|
||||
The role expects the following variables to be populated with values and/or secrets:
|
||||
|
||||
```yaml
|
||||
mariadb_root_password: #mariadb root password
|
||||
mariadb_database: # name of the database to create
|
||||
mariadb_username: # name of a user to auto-create and assign permission on the mariadb_database
|
||||
mariadb_password: # password of the user in mariadb_username
|
||||
```
|
||||
|
||||
## Requirements
|
||||
|
||||
- Docker installed
|
||||
- python-docker present on target system for ansible to be able to talk with the docker API.
|
32
roles/mariadb/defaults/main.yml
Normal file
32
roles/mariadb/defaults/main.yml
Normal file
@ -0,0 +1,32 @@
|
||||
---
|
||||
|
||||
mariadb_version: "10.11.6"
|
||||
mariadb_base_path: /var/lib/mariadb
|
||||
mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
|
||||
|
||||
mariadb_root_password: ~
|
||||
mariadb_database: ~
|
||||
mariadb_username: ~
|
||||
mariadb_password: ~
|
||||
|
||||
mariadb_container_base_environment:
|
||||
MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}"
|
||||
mariadb_container_extra_environment: {}
|
||||
|
||||
mariadb_container_name: mariadb
|
||||
mariadb_container_image_name: docker.io/mariadb
|
||||
mariadb_container_image_tag: ~
|
||||
mariadb_container_image: "{{ mariadb_container_image_name }}:{{ mariadb_container_image_tag | default(mariadb_version, true) }}"
|
||||
mariadb_container_base_volumes:
|
||||
- "{{ mariadb_data_path }}:{{ mariadb_container_data_path }}:z"
|
||||
mariadb_container_extra_volumes: []
|
||||
mariadb_container_base_labels:
|
||||
version: "{{ mariadb_version }}"
|
||||
mariadb_container_extra_labels: {}
|
||||
mariadb_container_restart_policy: "unless-stopped"
|
||||
mariadb_container_environment: >-2
|
||||
{{ mariadb_container_base_environment
|
||||
| combine(mariadb_container_database_environment
|
||||
if (mariadb_database and mariadb_username and mariadb_password)
|
||||
else {}, recursive=True)
|
||||
| combine(mariadb_container_extra_environment) }}
|
20
roles/mariadb/tasks/main.yml
Normal file
20
roles/mariadb/tasks/main.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
- name: Ensure mariaDB container image is present on host
|
||||
community.docker.docker_image:
|
||||
name: "{{ mariadb_container_image }}"
|
||||
state: present
|
||||
source: pull
|
||||
|
||||
- name: Ensure mariaDB {{ mariadb_version }} is running as '{{ mariadb_container_name }}'
|
||||
community.docker.docker_container:
|
||||
name: "{{ mariadb_container_name }}"
|
||||
image: "{{ mariadb_container_image }}"
|
||||
env: "{{ mariadb_container_environment }}"
|
||||
ports: "{{ mariadb_container_ports }}"
|
||||
labels: "{{ mariadb_container_labels }}"
|
||||
volumes: "{{ mariadb_container_volumes }}"
|
||||
networks: "{{ mariadb_container_networks | default(omit, true) }}"
|
||||
etc_hosts: "{{ mariadb_container_etc_hosts | default(omit, true) }}"
|
||||
purge_networks: "{{ mariadb_container_purge_networks | default(omit, true) }}"
|
||||
restart_policy: "{{ mariadb_container_restart_policy }}"
|
||||
state: started
|
10
roles/mariadb/vars/main.yml
Normal file
10
roles/mariadb/vars/main.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
|
||||
mariadb_container_database_environment:
|
||||
MARIADB_DATABASE: "{{ mariadb_database }}"
|
||||
MARIADB_USER: "{{ mariadb_username }}"
|
||||
MARIADB_PASSWORD: "{{ mariadb_password }}"
|
||||
|
||||
mariadb_container_data_path: /var/lib/mysql
|
||||
mariadb_container_volumes: "{{ mariadb_container_base_volumes + mariadb_container_extra_volumes }}"
|
||||
mariadb_container_labels: "{{ mariadb_container_base_labels | combine(mariadb_container_extra_labels, recursive=True) }}"
|
@ -1,7 +1,17 @@
|
||||
---
|
||||
|
||||
minio_user: ~
|
||||
minio_data_path: /opt/minio
|
||||
|
||||
minio_create_user: false
|
||||
minio_manage_host_filesystem: false
|
||||
|
||||
minio_root_username: root
|
||||
minio_root_password: ~
|
||||
|
||||
minio_container_name: minio
|
||||
minio_container_image_name: "docker.io/minio/minio"
|
||||
minio_container_image_tag: "RELEASE.2025-04-08T15-41-24Z"
|
||||
minio_container_image_name: docker.io/minio/minio
|
||||
minio_container_image_tag: latest
|
||||
minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
|
||||
minio_container_networks: []
|
||||
minio_container_ports: []
|
||||
@ -24,8 +34,6 @@ minio_container_command:
|
||||
- ":{{ minio_container_listen_port_console }}"
|
||||
minio_container_restart_policy: "unless-stopped"
|
||||
minio_container_image_force_source: "{{ (minio_container_image_tag == 'latest')|bool }}"
|
||||
minio_container_state: >-2
|
||||
{{ (minio_state == 'present') | ternary('started', 'absent') }}
|
||||
|
||||
minio_container_listen_port_api: 9000
|
||||
minio_container_listen_port_console: 8900
|
@ -1,12 +0,0 @@
|
||||
---
|
||||
minio_user: ~
|
||||
minio_data_path: /opt/minio
|
||||
|
||||
minio_create_user: false
|
||||
minio_manage_host_filesystem: false
|
||||
|
||||
minio_root_username: root
|
||||
minio_root_password: ~
|
||||
|
||||
minio_state: present
|
||||
minio_deployment_method: docker
|
@ -1,29 +0,0 @@
|
||||
---
|
||||
- name: Ensure filesystem mounts ({{ minio_data_path }}) for container volumes are present
|
||||
ansible.builtin.file:
|
||||
path: "{{ minio_data_path }}"
|
||||
state: directory
|
||||
user: "{{ minio_user|default(omit, True) }}"
|
||||
group: "{{ minio_user|default(omit, True) }}"
|
||||
when: minio_manage_host_filesystem
|
||||
|
||||
- name: Ensure container image '{{ minio_container_image }}' is {{ minio_state }}
|
||||
community.docker.docker_image:
|
||||
name: "{{ minio_container_image }}"
|
||||
state: "{{ minio_state }}"
|
||||
source: pull
|
||||
force_source: "{{ minio_container_image_force_source }}"
|
||||
|
||||
- name: Ensure container '{{ minio_container_name }}' is {{ minio_container_state }}
|
||||
community.docker.docker_container:
|
||||
name: "{{ minio_container_name }}"
|
||||
image: "{{ minio_container_image }}"
|
||||
volumes: "{{ minio_container_volumes }}"
|
||||
env: "{{ minio_container_env }}"
|
||||
labels: "{{ minio_container_labels }}"
|
||||
networks: "{{ minio_container_networks }}"
|
||||
ports: "{{ minio_container_ports }}"
|
||||
user: "{{ minio_user|default(omit, True) }}"
|
||||
command: "{{ minio_container_command }}"
|
||||
restart_policy: "{{ minio_container_restart_policy }}"
|
||||
state: "{{ minio_container_state }}"
|
@ -1,25 +1,37 @@
|
||||
---
|
||||
- name: Ensure 'minio_state' is valid
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
Unsupported state '{{ minio_state }}'!
|
||||
Supported states are {{ minio_states | join(', ') }}.
|
||||
when: minio_state not in minio_states
|
||||
|
||||
- name: Ensure 'minio_deployment_method' is valid
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
Unsupported state '{{ minio_deployment_method }}'!
|
||||
Supported states are {{ minio_deployment_methods | join(', ') }}.
|
||||
when: minio_deployment_method not in minio_deployment_methods
|
||||
|
||||
- name: Ensure minio run user is {{ minio_state }}
|
||||
ansible.builtin.user:
|
||||
- name: Ensure minio run user is present
|
||||
user:
|
||||
name: "{{ minio_user }}"
|
||||
state: "{{ minio_state }}"
|
||||
system: true
|
||||
state: present
|
||||
system: yes
|
||||
when: minio_create_user
|
||||
|
||||
- name: Deploy minio using {{ minio_deployment_method }}
|
||||
ansible.builtin.include_tasks:
|
||||
file: "deploy-{{ minio_deployment_method }}.yml"
|
||||
- name: Ensure filesystem mounts ({{ minio_data_path }}) for container volumes are present
|
||||
file:
|
||||
path: "{{ minio_data_path }}"
|
||||
state: directory
|
||||
user: "{{ minio_user|default(omit, True) }}"
|
||||
group: "{{ minio_user|default(omit, True) }}"
|
||||
when: minio_manage_host_filesystem
|
||||
|
||||
- name: Ensure container image for minio is present
|
||||
community.docker.docker_image:
|
||||
name: "{{ minio_container_image }}"
|
||||
state: present
|
||||
source: pull
|
||||
force_source: "{{ minio_container_image_force_source }}"
|
||||
|
||||
- name: Ensure container {{ minio_container_name }} is running
|
||||
docker_container:
|
||||
name: "{{ minio_container_name }}"
|
||||
image: "{{ minio_container_image }}"
|
||||
volumes: "{{ minio_container_volumes }}"
|
||||
env: "{{ minio_container_env }}"
|
||||
labels: "{{ minio_container_labels }}"
|
||||
networks: "{{ minio_container_networks }}"
|
||||
ports: "{{ minio_container_ports }}"
|
||||
user: "{{ minio_user|default(omit, True) }}"
|
||||
command: "{{ minio_container_command }}"
|
||||
restart_policy: "{{ minio_container_restart_policy }}"
|
||||
state: started
|
||||
|
@ -1,9 +1,5 @@
|
||||
---
|
||||
minio_states:
|
||||
- present
|
||||
- absent
|
||||
minio_deployment_methods:
|
||||
- docker
|
||||
|
||||
minio_container_volumes: "{{ minio_container_base_volumes + minio_container_extra_volumes }}"
|
||||
|
||||
minio_container_env: "{{ minio_container_base_env | combine(minio_container_extra_env) }}"
|
||||
|
@ -26,8 +26,3 @@ For exposing this server to the host and/or internet, the `nginx_container_ports
|
||||
from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
|
||||
(for label-based routing discovery like traefik) can be used. The options correspond to the arguments
|
||||
of the `community.docker.docker_container` module.
|
||||
|
||||
## Deployment methods
|
||||
|
||||
Set `nginx_deployment_method` to either `docker` or `podman` to use the respective ansible modules for
|
||||
creating and managing the container and its image. See all supported methods in `nginx_deployment_methods`.
|
||||
|
@ -1,10 +1,9 @@
|
||||
---
|
||||
nginx_version: "1.27.5"
|
||||
|
||||
nginx_version: "1.25.3"
|
||||
nginx_flavour: alpine
|
||||
nginx_base_path: /opt/nginx
|
||||
nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
|
||||
nginx_state: present
|
||||
nginx_deployment_method: docker
|
||||
|
||||
nginx_container_name: nginx
|
||||
nginx_container_image_reference: >-
|
||||
@ -27,9 +26,6 @@ nginx_container_image_repository: >-
|
||||
nginx_container_image_registry: "docker.io"
|
||||
nginx_container_image_name: "nginx"
|
||||
nginx_container_image_tag: ~
|
||||
nginx_container_image_source: pull
|
||||
nginx_container_state: >-2
|
||||
{{ (nginx_state == 'present') | ternary('started', 'absent') }}
|
||||
|
||||
nginx_container_restart_policy: "unless-stopped"
|
||||
nginx_container_volumes:
|
||||
|
@ -1,12 +0,0 @@
|
||||
---
|
||||
allow_duplicates: true
|
||||
dependencies: []
|
||||
galaxy_info:
|
||||
role_name: nginx
|
||||
description: Deploy nginx, a webserver
|
||||
galaxy_tags:
|
||||
- nginx
|
||||
- http
|
||||
- webserver
|
||||
- docker
|
||||
- podman
|
@ -1,28 +0,0 @@
|
||||
---
|
||||
- name: Ensure docker container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
|
||||
community.docker.docker_image:
|
||||
name: "{{ nginx_container_image_reference }}"
|
||||
state: "{{ nginx_state }}"
|
||||
source: "{{ nginx_container_image_source }}"
|
||||
force_source: >-2
|
||||
{{ nginx_container_image_force_source
|
||||
| default(nginx_container_image_tag | default(false, true)) }}
|
||||
register: nginx_container_image_info
|
||||
until: nginx_container_image_info is success
|
||||
retries: 5
|
||||
delay: 3
|
||||
|
||||
- name: Ensure docker container '{{ nginx_container_name }}' is {{ nginx_container_state }}
|
||||
community.docker.docker_container:
|
||||
name: "{{ nginx_container_name }}"
|
||||
image: "{{ nginx_container_image_reference }}"
|
||||
env: "{{ nginx_container_env | default(omit, true) }}"
|
||||
user: "{{ nginx_container_user | default(omit, true) }}"
|
||||
ports: "{{ nginx_container_ports | default(omit, true) }}"
|
||||
labels: "{{ nginx_container_labels | default(omit, true) }}"
|
||||
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
|
||||
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
|
||||
networks: "{{ nginx_container_networks | default(omit, true) }}"
|
||||
purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
|
||||
restart_policy: "{{ nginx_container_restart_policy }}"
|
||||
state: "{{ nginx_container_state }}"
|
@ -1,27 +0,0 @@
|
||||
---
|
||||
- name: Ensure container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
|
||||
containers.podman.podman_image:
|
||||
name: "{{ nginx_container_image_reference }}"
|
||||
state: "{{ nginx_state }}"
|
||||
pull: "{{ nginx_container_image_source == 'pull' }}"
|
||||
force: >-2
|
||||
{{ nginx_container_image_force_source
|
||||
| default(nginx_container_image_tag | default(false, true)) }}
|
||||
register: nginx_container_image_info
|
||||
until: nginx_container_image_info is success
|
||||
retries: 5
|
||||
delay: 3
|
||||
|
||||
- name: Ensure container '{{ nginx_container_name }}' is {{ nginx_container_state }}
|
||||
containers.podman.podman_container:
|
||||
name: "{{ nginx_container_name }}"
|
||||
image: "{{ nginx_container_image_reference }}"
|
||||
env: "{{ nginx_container_env | default(omit, true) }}"
|
||||
user: "{{ nginx_container_user | default(omit, true) }}"
|
||||
ports: "{{ nginx_container_ports | default(omit, true) }}"
|
||||
labels: "{{ nginx_container_labels | default(omit, true) }}"
|
||||
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
|
||||
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
|
||||
network: "{{ nginx_container_networks | default(omit, true) }}"
|
||||
restart_policy: "{{ nginx_container_restart_policy }}"
|
||||
state: "{{ nginx_container_state }}"
|
@ -1,30 +1,10 @@
|
||||
---
|
||||
- name: Check if state is supported
|
||||
ansible.builtin.fail:
|
||||
msg: >-2
|
||||
Unsupported state '{{ nginx_state }}'. Supported
|
||||
states are {{ nginx_states | join(', ') }}.
|
||||
when: nginx_state not in nginx_states
|
||||
|
||||
- name: Check if deployment_method is supported
|
||||
ansible.builtin.fail:
|
||||
msg: >-2
|
||||
Unsupported state '{{ nginx_deployment_method }}'. Supported
|
||||
states are {{ nginx_deployment_methods | join(', ') }}.
|
||||
when: nginx_deployment_method not in nginx_deployment_methods
|
||||
|
||||
- name: Ensure nginx config file is {{ nginx_state }}
|
||||
ansible.builtin.file:
|
||||
path: "{{ nginx_config_file }}"
|
||||
state: "{{ nginx_state }}"
|
||||
when: nginx_state == 'absent'
|
||||
|
||||
- name: Ensure base path '{{ nginx_base_path }}' is {{ nginx_state }}
|
||||
- name: Ensure base path '{{ nginx_base_path }}' exists
|
||||
ansible.builtin.file:
|
||||
path: "{{ nginx_base_path }}"
|
||||
mode: "0755"
|
||||
state: >-2
|
||||
{{ (nginx_state == 'present') | ternary('directory', 'absent') }}
|
||||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: Ensure nginx config file is templated
|
||||
ansible.builtin.copy:
|
||||
@ -33,8 +13,25 @@
|
||||
mode: 0640
|
||||
notify:
|
||||
- restart-nginx
|
||||
when: nginx_state == 'present'
|
||||
|
||||
- name: Deploy using {{ nginx_deployment_method }}
|
||||
ansible.builtin.include_tasks:
|
||||
file: "deploy-{{ nginx_deployment_method }}.yml"
|
||||
- name: Ensure docker container image is present
|
||||
community.docker.docker_image:
|
||||
name: "{{ nginx_container_image_reference }}"
|
||||
state: present
|
||||
source: pull
|
||||
force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
|
||||
|
||||
- name: Ensure docker container '{{ nginx_container_name }}' is running
|
||||
community.docker.docker_container:
|
||||
name: "{{ nginx_container_name }}"
|
||||
image: "{{ nginx_container_image_reference }}"
|
||||
env: "{{ nginx_container_env | default(omit, true) }}"
|
||||
user: "{{ nginx_container_user | default(omit, true) }}"
|
||||
ports: "{{ nginx_container_ports | default(omit, true) }}"
|
||||
labels: "{{ nginx_container_labels | default(omit, true) }}"
|
||||
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
|
||||
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
|
||||
networks: "{{ nginx_container_networks | default(omit, true) }}"
|
||||
purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
|
||||
restart_policy: "{{ nginx_container_restart_policy }}"
|
||||
state: started
|
||||
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
nginx_states:
|
||||
- present
|
||||
- absent
|
||||
nginx_deployment_methods:
|
||||
- docker
|
||||
- podman
|
@ -1,25 +0,0 @@
|
||||
# `finallycoffee.base.powerdns_tsig_key`
|
||||
|
||||
Simple ansible role for ensuring a TSIG key is present in a given PowerDNS-
|
||||
instance.
|
||||
|
||||
## Usage
|
||||
|
||||
The usage example below assumes `powerdns` is running in a container named `powerdns` (as supplied to `powerdns_tsig_key_container_name`.
|
||||
|
||||
```yaml
|
||||
- hosts: "{{ target_hosts }}"
|
||||
become: true
|
||||
roles:
|
||||
- role: finallycoffee.base.powerdns_tsig_key
|
||||
vars:
|
||||
powerdns_tsig_key_name: "nameofmykey"
|
||||
powerdns_tsig_key_path: "/var/lib/myapp/tsig.key"
|
||||
powernds_tsig_key_algo: "hmac-sha512"
|
||||
powerdns_tsig_key_path_owner: "myappuser"
|
||||
powerdns_tsig_key_path_group: "myappgroup"
|
||||
powerdns_tsig_key_container_name: 'powerdns'
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> Support for non-docker deployments is pending.
|
@ -10,41 +10,18 @@ restic_backup_stdin_command: ~
|
||||
restic_backup_stdin_command_filename: ~
|
||||
|
||||
restic_policy_keep_all_within: 1d
|
||||
restic_policy_keep_hourly: 12
|
||||
restic_policy_keep_daily: 7
|
||||
restic_policy_keep_weekly: 6
|
||||
restic_policy_keep_monthly: 6
|
||||
restic_policy_keep_yearly: 5
|
||||
restic_policy_keep_hourly: 6
|
||||
restic_policy_keep_daily: 2
|
||||
restic_policy_keep_weekly: 7
|
||||
restic_policy_keep_monthly: 4
|
||||
restic_policy_backup_frequency: hourly
|
||||
|
||||
restic_base_environment:
|
||||
RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
|
||||
RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
|
||||
RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
|
||||
RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
|
||||
RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
|
||||
RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
|
||||
RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
|
||||
|
||||
restic_s3_environment:
|
||||
AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
|
||||
AWS_SECRET_ACCESS_KEY: "{{ restic_s3_access_key }}"
|
||||
|
||||
restic_complete_environment: >-
|
||||
{{
|
||||
restic_base_environment
|
||||
| combine((restic_s3_environment
|
||||
if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
|
||||
| combine(restic_environment | default({}))
|
||||
}}
|
||||
|
||||
restic_policy:
|
||||
keep_within: "{{ restic_policy_keep_all_within }}"
|
||||
hourly: "{{ restic_policy_keep_hourly }}"
|
||||
daily: "{{ restic_policy_keep_daily }}"
|
||||
weekly: "{{ restic_policy_keep_weekly }}"
|
||||
monthly: "{{ restic_policy_keep_monthly }}"
|
||||
yearly: "{{ restic_policy_keep_yearly }}"
|
||||
frequency: "{{ restic_policy_backup_frequency }}"
|
||||
|
||||
restic_user: root
|
||||
|
@ -1,37 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
if [[ -n ${RESTIC_PRE_BACKUP_HOOK-} ]]; then
|
||||
/bin/bash -c "$RESTIC_PRE_BACKUP_HOOK"
|
||||
fi
|
||||
|
||||
echo "List existing snapshots or attempt to initialize/unlock repository"
|
||||
restic snapshots || restic init || restic unlock
|
||||
sleep 1;
|
||||
|
||||
echo "Attempting to remove lock if present"
|
||||
restic unlock
|
||||
sleep 2
|
||||
|
||||
echo "Start backup on ${@:1}"
|
||||
restic --verbose --retry-lock=${RESTIC_RETRY_LOCK:-5m} backup "${@:1}"
|
||||
sleep 2
|
||||
|
||||
echo "Forget and prune old snapshots"
|
||||
restic forget --prune --retry-lock=${RESTIC_RETRY_LOCK:-5m} \
|
||||
--keep-within=${RESTIC_FORGET_KEEP_WITHIN:-1d} \
|
||||
--keep-hourly=${RESTIC_FORGET_KEEP_HOURLY:-6} \
|
||||
--keep-daily=${RESTIC_FORGET_KEEP_DAILY:-2} \
|
||||
--keep-weekly=${RESTIC_FORGET_KEEP_WEEKLY:-7} \
|
||||
--keep-monthly=${RESTIC_FORGET_KEEP_MONTHLY:-4} \
|
||||
--verbose
|
||||
sleep 2
|
||||
|
||||
echo "Generate snapshot metrics"
|
||||
restic --json snapshots | /opt/restic-generate-snapshot-metrics.sh \
|
||||
> /var/lib/node_exporter/restic-snapshots-${RESTIC_JOBNAME:-unknown}.prom-src
|
||||
sleep 2
|
||||
|
||||
echo "Check repository"
|
||||
restic check
|
@ -1,12 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
RESTIC_JSON=$(</dev/stdin)
|
||||
|
||||
echo $RESTIC_JSON | jq -r '.[]
|
||||
| {
|
||||
"hostname": .hostname,
|
||||
"username": .username,
|
||||
"short_id": .short_id,
|
||||
"time": ((((.time | split(".")[0]) + "Z") | fromdate) - (3600 * (.time | split("+")[1] | split(":")[0] | tonumber + 1))),
|
||||
"paths": .paths[]
|
||||
} | "restic_snapshots{hostname=\"\(.hostname)\",username=\"\(.username)\",short_id=\"\(.short_id)\",paths=\"\(.paths)\"} \(.time)"'
|
@ -9,43 +9,26 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }}
|
||||
|
||||
Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
|
||||
Environment=RESTIC_PASSWORD={{ restic_repo_password }}
|
||||
{% for kv in restic_complete_environment | dict2items %}
|
||||
Environment={{ kv.key }}={{ kv.value }}
|
||||
{% endfor %}
|
||||
|
||||
{% if restic_init | default(true) %}
|
||||
ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
|
||||
{% if restic_s3_key_id and restic_s3_access_key %}
|
||||
Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
|
||||
Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
|
||||
{% endif %}
|
||||
{% if restic_unlock_before_backup | default(false) %}
|
||||
ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
|
||||
ExecStartPre=-/bin/sh -c '/usr/bin/restic unlock'
|
||||
{% endif %}
|
||||
|
||||
ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
|
||||
{% if restic_backup_pre_hook | default(false) %}
|
||||
ExecStartPre=-{{ restic_backup_pre_hook }}
|
||||
ExecStart=-{{ restic_backup_pre_hook }}
|
||||
{% endif %}
|
||||
{% if restic_backup_stdin_command %}
|
||||
ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
|
||||
--retry-lock {{ restic_retry_lock | default('5m') }} \
|
||||
--verbose --stdin \
|
||||
--stdin-filename {{ restic_backup_stdin_command_filename }}'
|
||||
ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
|
||||
{% else %}
|
||||
ExecStart=/opt/restic-backup-directories.sh {{ restic_backup_paths | join(' ') }}
|
||||
{% endif %}
|
||||
{% if restic_forget_prune | default(true) %}
|
||||
ExecStartPost=/usr/bin/restic forget --prune \
|
||||
--retry-lock {{ restic_retry_lock | default('5m') }} \
|
||||
--keep-within={{ restic_policy.keep_within }} \
|
||||
--keep-hourly={{ restic_policy.hourly }} \
|
||||
--keep-daily={{ restic_policy.daily }} \
|
||||
--keep-weekly={{ restic_policy.weekly }} \
|
||||
--keep-monthly={{ restic_policy.monthly }} \
|
||||
--keep-yearly={{ restic_policy.yearly }}
|
||||
{% endif %}
|
||||
{% if restic_list_snapshots | default(true) %}
|
||||
ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
|
||||
ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
|
||||
{% endif %}
|
||||
ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
|
||||
ExecStartPost=-/usr/bin/restic snapshots
|
||||
{% if restic_backup_post_hook | default(false) %}
|
||||
ExecStartPost=-{{ restic_backup_post_hook }}
|
||||
{% endif %}
|
||||
{% if restic_check | default(true) %}
|
||||
ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
|
||||
{% endif %}
|
||||
ExecStartPost=/usr/bin/restic check
|
||||
|
@ -1,23 +0,0 @@
|
||||
# `finallycoffee.base.user` ansible role
|
||||
|
||||
Provision and manage user accounts on the remote host. Supports setting user
|
||||
home, gecos (display name) and shell.
|
||||
|
||||
Warning: if the users' home exists and is changed, the role will attempt to
|
||||
move the home directory. Set `move_home` to false on the user to disable this
|
||||
behaviour.
|
||||
|
||||
## Examples
|
||||
```yaml
|
||||
- hosts: all
|
||||
roles:
|
||||
- role: finallycoffee.base.user
|
||||
vars:
|
||||
users:
|
||||
- name: root
|
||||
- name: alice
|
||||
- name: bob
|
||||
state: present
|
||||
- name: eve
|
||||
state: absent
|
||||
```
|
@ -1,2 +0,0 @@
|
||||
---
|
||||
users: []
|
@ -1,41 +0,0 @@
|
||||
---
|
||||
- name: Ensure user '{{ user.name }}' is {{ user_state }}
|
||||
ansible.builtin.user:
|
||||
name: "{{ user.name }}"
|
||||
state: "{{ user_state }}"
|
||||
system: "{{ user.system | default(false, true) }}"
|
||||
shell: "{{ user.shell | default(omit, true) }}"
|
||||
home: "{{ user.home | default(omit, true) }}"
|
||||
create_home: "{{ user.create_home | default(true, true) }}"
|
||||
move_home: "{{ user.move_home | default(true, true) }}"
|
||||
skeleton: >-2
|
||||
{{ (user.create_home | default(true, true) and 'skeleton' in user)
|
||||
| ternary(user.skeleton | default(''), omit) }}
|
||||
comment: "{{ user.comment | default(user.gecos | default(omit, true), true) }}"
|
||||
vars:
|
||||
user_state: "{{ user.state | default('present', false) }}"
|
||||
|
||||
- name: Ensure SSH authorized keys for '{{ user.name }}' are {{ user_state }}
|
||||
vars:
|
||||
user_state: "{{ user.state | default('present', false) }}"
|
||||
when:
|
||||
- user_state == 'present'
|
||||
- user.authorized_keys | default([]) | length > 0
|
||||
block:
|
||||
- name: Ensure .ssh directory for user '{{ user.name }}' exists
|
||||
ansible.builtin.file:
|
||||
path: "{{ user.home | default('/home/' + user.name) + '/.ssh' }}"
|
||||
state: "directory"
|
||||
owner: "{{ user.name }}"
|
||||
group: "{{ user.name }}"
|
||||
mode: "0700"
|
||||
- name: Ensure key is up to date
|
||||
ansible.posix.authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
state: "{{ key.state | default('present', true) }}"
|
||||
key: "{{ key.type }} {{ key.key }}"
|
||||
comment: "{{ user.name }}-{{ key.comment }}"
|
||||
loop: "{{ user.authorized_keys }}"
|
||||
loop_control:
|
||||
loop_var: key
|
||||
label: "{{ user.name }}-{{ key.comment }}"
|
@ -1,8 +0,0 @@
|
||||
---
|
||||
- name: Ensure users are configured
|
||||
ansible.builtin.include_tasks:
|
||||
file: "configure-user.yml"
|
||||
loop: "{{ users }}"
|
||||
loop_control:
|
||||
loop_var: user
|
||||
label: "{{ user.name }}"
|
Loading…
x
Reference in New Issue
Block a user