forked from finallycoffee/base
Compare commits
14 Commits
967ebab4c1
...
153df81836
Author | SHA1 | Date | |
---|---|---|---|
153df81836 | |||
7021ed1a89 | |||
afe72f554e | |||
c36e95d7eb | |||
97526aec36 | |||
fc73fdd1fa | |||
bd43f3963c | |||
1076a9f384 | |||
82e69bdda3 | |||
b9b5c19d38 | |||
b9e4abdf36 | |||
aac6891518 | |||
31d025ed75 | |||
1423d2a243 |
@ -13,6 +13,9 @@ and configuring basic system utilities like gnupg, ssh etc
|
||||
|
||||
- [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system
|
||||
|
||||
- [`lego`](roles/lego/README.md): runs [lego (LetsEncrypt Go)](https://github.com/go-acme/lego),
|
||||
a ACME client written in go, using systemd (timers). Multi-instance capable.
|
||||
|
||||
- [`mariadb`](roles/mariadb/README.md): runs [MariaDB Server](https://mariadb.org/), one of the world's most popular open source relational database
|
||||
|
||||
- [`minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
|
||||
@ -24,6 +27,9 @@ and configuring basic system utilities like gnupg, ssh etc
|
||||
- [`restic`](roles/restic/README.md): Manage backups using restic
|
||||
and persist them to a configurable backend.
|
||||
|
||||
- [`powerdns_tsig_key`](roles/powerdns_tsig_key/README.md): Simple ansible role
|
||||
for generating TSIG keys in PowerDNS.
|
||||
|
||||
## License
|
||||
|
||||
[CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License
|
||||
|
14
galaxy.yml
14
galaxy.yml
@ -1,12 +1,22 @@
|
||||
namespace: finallycoffee
|
||||
name: base
|
||||
version: 0.0.2
|
||||
version: 0.1.2
|
||||
readme: README.md
|
||||
authors:
|
||||
- transcaffeine <transcaffeine@finally.coffee>
|
||||
description: Roles for base services which are common dependencies other services like databases
|
||||
dependencies:
|
||||
"community.docker": "^3.0.0"
|
||||
license_file: LICENSE.md
|
||||
build_ignore:
|
||||
- '*.tar.gz'
|
||||
repository: https://git.finally.coffee/finallycoffee/base
|
||||
issues: https://git.finally.coffee/finallycoffee/base/issues
|
||||
issues: https://codeberg.org/finallycoffee/ansible-collection-base/issues
|
||||
tags:
|
||||
- docker
|
||||
- elastic
|
||||
- lego
|
||||
- mariadb
|
||||
- minio
|
||||
- nginx
|
||||
- restic
|
||||
|
@ -1,3 +1,3 @@
|
||||
---
|
||||
|
||||
requires_ansible: ">=2.12"
|
||||
requires_ansible: ">=2.15"
|
||||
|
33
roles/dns/README.md
Normal file
33
roles/dns/README.md
Normal file
@ -0,0 +1,33 @@
|
||||
# `finallycoffee.base.dns` ansible role
|
||||
|
||||
Simple role for wrapping around the
|
||||
[`famedly.dns.update`](https://github.com/famedly/ansible-collection-dns/blob/main/plugins/modules/update.py)
|
||||
ansible module.
|
||||
|
||||
## Usage
|
||||
|
||||
### Example playbook
|
||||
```yaml
|
||||
- target: "{{ target_hosts }}"
|
||||
roles:
|
||||
- role: finallycoffee.base.dns
|
||||
vars:
|
||||
dns_server: "dns.example.org"
|
||||
dns_zone: "zone.example.org"
|
||||
dns_records: "{{ dns_records }}"
|
||||
dns_record_state: exact
|
||||
dns_tsig_name: "mykeyname"
|
||||
dns_tsig_algo: "hmac-sha256"
|
||||
dns_tsig_key: "mykeycontent"
|
||||
vars:
|
||||
dns_records:
|
||||
- type: A
|
||||
name: gitea
|
||||
content: "127.0.0.1"
|
||||
- type: AAAA
|
||||
name: gitea
|
||||
content: "fe80::1"
|
||||
- type: CNAME
|
||||
name: "_acme_challenge.gitea"
|
||||
content: "delegated-cname.challenge.example.org"
|
||||
```
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
lego_user: "lego"
|
||||
lego_version: "4.17.4"
|
||||
lego_version: "4.18.0"
|
||||
lego_instance: default
|
||||
lego_base_path: "/opt/lego"
|
||||
lego_cert_user: "acme-{{ lego_instance }}"
|
||||
@ -58,7 +58,7 @@ lego_systemd_timer_name: "lego-{{ lego_instance }}.timer"
|
||||
lego_systemd_timer_template: lego.timer.j2
|
||||
lego_systemd_timer_calendar: "*-*-* *:00/15:00"
|
||||
|
||||
lego_architecture: "amd64"
|
||||
lego_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
|
||||
lego_os: "linux"
|
||||
lego_binary_allow_net_bind_service: false
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
|
||||
mariadb_version: "10.11.6"
|
||||
mariadb_version: "10.11.9"
|
||||
mariadb_base_path: /var/lib/mariadb
|
||||
mariadb_data_path: "{{ mariadb_base_path }}/{{ mariadb_version }}"
|
||||
|
||||
|
@ -26,3 +26,8 @@ For exposing this server to the host and/or internet, the `nginx_container_ports
|
||||
from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels`
|
||||
(for label-based routing discovery like traefik) can be used. The options correspond to the arguments
|
||||
of the `community.docker.docker_container` module.
|
||||
|
||||
## Deployment methods
|
||||
|
||||
Set `nginx_deployment_method` to either `docker` or `podman` to use the respective ansible modules for
|
||||
creating and managing the container and its image. See all supported methods in `nginx_deployment_methods`.
|
||||
|
@ -1,9 +1,10 @@
|
||||
---
|
||||
|
||||
nginx_version: "1.25.3"
|
||||
nginx_version: "1.27.2"
|
||||
nginx_flavour: alpine
|
||||
nginx_base_path: /opt/nginx
|
||||
nginx_config_file: "{{ nginx_base_path }}/nginx.conf"
|
||||
nginx_state: present
|
||||
nginx_deployment_method: docker
|
||||
|
||||
nginx_container_name: nginx
|
||||
nginx_container_image_reference: >-
|
||||
@ -26,6 +27,9 @@ nginx_container_image_repository: >-
|
||||
nginx_container_image_registry: "docker.io"
|
||||
nginx_container_image_name: "nginx"
|
||||
nginx_container_image_tag: ~
|
||||
nginx_container_image_source: pull
|
||||
nginx_container_state: >-2
|
||||
{{ (nginx_state == 'present') | ternary('started', 'absent') }}
|
||||
|
||||
nginx_container_restart_policy: "unless-stopped"
|
||||
nginx_container_volumes:
|
||||
|
12
roles/nginx/meta/main.yml
Normal file
12
roles/nginx/meta/main.yml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
allow_duplicates: true
|
||||
dependencies: []
|
||||
galaxy_info:
|
||||
role_name: nginx
|
||||
description: Deploy nginx, a webserver
|
||||
galaxy_tags:
|
||||
- nginx
|
||||
- http
|
||||
- webserver
|
||||
- docker
|
||||
- podman
|
28
roles/nginx/tasks/deploy-docker.yml
Normal file
28
roles/nginx/tasks/deploy-docker.yml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
- name: Ensure docker container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
|
||||
community.docker.docker_image:
|
||||
name: "{{ nginx_container_image_reference }}"
|
||||
state: "{{ nginx_state }}"
|
||||
source: "{{ nginx_container_image_source }}"
|
||||
force_source: >-2
|
||||
{{ nginx_container_image_force_source
|
||||
| default(nginx_container_image_tag | default(false, true)) }}
|
||||
register: nginx_container_image_info
|
||||
until: nginx_container_image_info is success
|
||||
retries: 5
|
||||
delay: 3
|
||||
|
||||
- name: Ensure docker container '{{ nginx_container_name }}' is {{ nginx_container_state }}
|
||||
community.docker.docker_container:
|
||||
name: "{{ nginx_container_name }}"
|
||||
image: "{{ nginx_container_image_reference }}"
|
||||
env: "{{ nginx_container_env | default(omit, true) }}"
|
||||
user: "{{ nginx_container_user | default(omit, true) }}"
|
||||
ports: "{{ nginx_container_ports | default(omit, true) }}"
|
||||
labels: "{{ nginx_container_labels | default(omit, true) }}"
|
||||
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
|
||||
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
|
||||
networks: "{{ nginx_container_networks | default(omit, true) }}"
|
||||
purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
|
||||
restart_policy: "{{ nginx_container_restart_policy }}"
|
||||
state: "{{ nginx_container_state }}"
|
27
roles/nginx/tasks/deploy-podman.yml
Normal file
27
roles/nginx/tasks/deploy-podman.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
- name: Ensure container image '{{ nginx_container_image_reference }}' is {{ nginx_state }}
|
||||
containers.podman.podman_image:
|
||||
name: "{{ nginx_container_image_reference }}"
|
||||
state: "{{ nginx_state }}"
|
||||
pull: "{{ nginx_container_image_source == 'pull' }}"
|
||||
force: >-2
|
||||
{{ nginx_container_image_force_source
|
||||
| default(nginx_container_image_tag | default(false, true)) }}
|
||||
register: nginx_container_image_info
|
||||
until: nginx_container_image_info is success
|
||||
retries: 5
|
||||
delay: 3
|
||||
|
||||
- name: Ensure container '{{ nginx_container_name }}' is {{ nginx_container_state }}
|
||||
containers.podman.podman_container:
|
||||
name: "{{ nginx_container_name }}"
|
||||
image: "{{ nginx_container_image_reference }}"
|
||||
env: "{{ nginx_container_env | default(omit, true) }}"
|
||||
user: "{{ nginx_container_user | default(omit, true) }}"
|
||||
ports: "{{ nginx_container_ports | default(omit, true) }}"
|
||||
labels: "{{ nginx_container_labels | default(omit, true) }}"
|
||||
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
|
||||
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
|
||||
network: "{{ nginx_container_networks | default(omit, true) }}"
|
||||
restart_policy: "{{ nginx_container_restart_policy }}"
|
||||
state: "{{ nginx_container_state }}"
|
@ -1,10 +1,30 @@
|
||||
---
|
||||
- name: Check if state is supported
|
||||
ansible.builtin.fail:
|
||||
msg: >-2
|
||||
Unsupported state '{{ nginx_state }}'. Supported
|
||||
states are {{ nginx_states | join(', ') }}.
|
||||
when: nginx_state not in nginx_states
|
||||
|
||||
- name: Ensure base path '{{ nginx_base_path }}' exists
|
||||
- name: Check if deployment_method is supported
|
||||
ansible.builtin.fail:
|
||||
msg: >-2
|
||||
Unsupported state '{{ nginx_deployment_method }}'. Supported
|
||||
states are {{ nginx_deployment_methods | join(', ') }}.
|
||||
when: nginx_deployment_method not in nginx_deployment_methods
|
||||
|
||||
- name: Ensure nginx config file is {{ nginx_state }}
|
||||
ansible.builtin.file:
|
||||
path: "{{ nginx_config_file }}"
|
||||
state: "{{ nginx_state }}"
|
||||
when: nginx_state == 'absent'
|
||||
|
||||
- name: Ensure base path '{{ nginx_base_path }}' is {{ nginx_state }}
|
||||
ansible.builtin.file:
|
||||
path: "{{ nginx_base_path }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
state: >-2
|
||||
{{ (nginx_state == 'present') | ternary('directory', 'absent') }}
|
||||
|
||||
- name: Ensure nginx config file is templated
|
||||
ansible.builtin.copy:
|
||||
@ -13,25 +33,8 @@
|
||||
mode: 0640
|
||||
notify:
|
||||
- restart-nginx
|
||||
when: nginx_state == 'present'
|
||||
|
||||
- name: Ensure docker container image is present
|
||||
community.docker.docker_image:
|
||||
name: "{{ nginx_container_image_reference }}"
|
||||
state: present
|
||||
source: pull
|
||||
force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
|
||||
|
||||
- name: Ensure docker container '{{ nginx_container_name }}' is running
|
||||
community.docker.docker_container:
|
||||
name: "{{ nginx_container_name }}"
|
||||
image: "{{ nginx_container_image_reference }}"
|
||||
env: "{{ nginx_container_env | default(omit, true) }}"
|
||||
user: "{{ nginx_container_user | default(omit, true) }}"
|
||||
ports: "{{ nginx_container_ports | default(omit, true) }}"
|
||||
labels: "{{ nginx_container_labels | default(omit, true) }}"
|
||||
volumes: "{{ nginx_container_volumes | default(omit, true) }}"
|
||||
etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
|
||||
networks: "{{ nginx_container_networks | default(omit, true) }}"
|
||||
purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
|
||||
restart_policy: "{{ nginx_container_restart_policy }}"
|
||||
state: started
|
||||
- name: Deploy using {{ nginx_deployment_method }}
|
||||
ansible.builtin.include_tasks:
|
||||
file: "deploy-{{ nginx_deployment_method }}.yml"
|
||||
|
7
roles/nginx/vars/main.yml
Normal file
7
roles/nginx/vars/main.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
nginx_states:
|
||||
- present
|
||||
- absent
|
||||
nginx_deployment_methods:
|
||||
- docker
|
||||
- podman
|
25
roles/powerdns_tsig_key/README.md
Normal file
25
roles/powerdns_tsig_key/README.md
Normal file
@ -0,0 +1,25 @@
|
||||
# `finallycoffee.base.powerdns_tsig_key`
|
||||
|
||||
Simple ansible role for ensuring a TSIG key is present in a given PowerDNS-
|
||||
instance.
|
||||
|
||||
## Usage
|
||||
|
||||
The usage example below assumes `powerdns` is running in a container named `powerdns` (as supplied to `powerdns_tsig_key_container_name`.
|
||||
|
||||
```yaml
|
||||
- hosts: "{{ target_hosts }}"
|
||||
become: true
|
||||
roles:
|
||||
- role: finallycoffee.base.powerdns_tsig_key
|
||||
vars:
|
||||
powerdns_tsig_key_name: "nameofmykey"
|
||||
powerdns_tsig_key_path: "/var/lib/myapp/tsig.key"
|
||||
powernds_tsig_key_algo: "hmac-sha512"
|
||||
powerdns_tsig_key_path_owner: "myappuser"
|
||||
powerdns_tsig_key_path_group: "myappgroup"
|
||||
powerdns_tsig_key_container_name: 'powerdns'
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> Support for non-docker deployments is pending.
|
@ -10,18 +10,41 @@ restic_backup_stdin_command: ~
|
||||
restic_backup_stdin_command_filename: ~
|
||||
|
||||
restic_policy_keep_all_within: 1d
|
||||
restic_policy_keep_hourly: 6
|
||||
restic_policy_keep_daily: 2
|
||||
restic_policy_keep_weekly: 7
|
||||
restic_policy_keep_monthly: 4
|
||||
restic_policy_keep_hourly: 12
|
||||
restic_policy_keep_daily: 7
|
||||
restic_policy_keep_weekly: 6
|
||||
restic_policy_keep_monthly: 6
|
||||
restic_policy_keep_yearly: 5
|
||||
restic_policy_backup_frequency: hourly
|
||||
|
||||
restic_base_environment:
|
||||
RESTIC_JOBNAME: "{{ restic_job_name | default('unknown') }}"
|
||||
RESTIC_FORGET_KEEP_WITHIN: "{{ restic_policy_keep_all_within }}"
|
||||
RESTIC_FORGET_KEEP_HOURLY: "{{ restic_policy_keep_hourly }}"
|
||||
RESTIC_FORGET_KEEP_DAILY: "{{ restic_policy_keep_daily }}"
|
||||
RESTIC_FORGET_KEEP_WEEKLY: "{{ restic_policy_keep_weekly }}"
|
||||
RESTIC_FORGET_KEEP_MONTHLY: "{{ restic_policy_keep_monthly }}"
|
||||
RESTIC_FORGET_KEEP_YEARLY: "{{ restic_policy_keep_yearly }}"
|
||||
|
||||
restic_s3_environment:
|
||||
AWS_ACCESS_KEY_ID: "{{ restic_s3_key_id }}"
|
||||
AWS_SECRET_ACCESS_KEY: "{{ restic_s3_access_key }}"
|
||||
|
||||
restic_complete_environment: >-
|
||||
{{
|
||||
restic_base_environment
|
||||
| combine((restic_s3_environment
|
||||
if (restic_s3_key_id and restic_s3_access_key) else {}) | default({}))
|
||||
| combine(restic_environment | default({}))
|
||||
}}
|
||||
|
||||
restic_policy:
|
||||
keep_within: "{{ restic_policy_keep_all_within }}"
|
||||
hourly: "{{ restic_policy_keep_hourly }}"
|
||||
daily: "{{ restic_policy_keep_daily }}"
|
||||
weekly: "{{ restic_policy_keep_weekly }}"
|
||||
monthly: "{{ restic_policy_keep_monthly }}"
|
||||
yearly: "{{ restic_policy_keep_yearly }}"
|
||||
frequency: "{{ restic_policy_backup_frequency }}"
|
||||
|
||||
restic_user: root
|
||||
|
@ -9,26 +9,43 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }}
|
||||
|
||||
Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
|
||||
Environment=RESTIC_PASSWORD={{ restic_repo_password }}
|
||||
{% if restic_s3_key_id and restic_s3_access_key %}
|
||||
Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
|
||||
Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
|
||||
{% for kv in restic_complete_environment | dict2items %}
|
||||
Environment={{ kv.key }}={{ kv.value }}
|
||||
{% endfor %}
|
||||
|
||||
{% if restic_init | default(true) %}
|
||||
ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
|
||||
{% endif %}
|
||||
{% if restic_unlock_before_backup | default(false) %}
|
||||
ExecStartPre=-/bin/sh -c '/usr/bin/restic unlock'
|
||||
ExecStartPre=-/bin/sh -c 'sleep 3 && /usr/bin/restic unlock'
|
||||
{% endif %}
|
||||
|
||||
ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
|
||||
{% if restic_backup_pre_hook | default(false) %}
|
||||
ExecStart=-{{ restic_backup_pre_hook }}
|
||||
ExecStartPre=-{{ restic_backup_pre_hook }}
|
||||
{% endif %}
|
||||
{% if restic_backup_stdin_command %}
|
||||
ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup --verbose --stdin --stdin-filename {{ restic_backup_stdin_command_filename }}'
|
||||
ExecStart=/bin/sh -c '{{ restic_backup_stdin_command }} | /usr/bin/restic backup \
|
||||
--retry-lock {{ restic_retry_lock | default('5m') }} \
|
||||
--verbose --stdin \
|
||||
--stdin-filename {{ restic_backup_stdin_command_filename }}'
|
||||
{% else %}
|
||||
ExecStart=/usr/bin/restic --verbose backup {{ restic_backup_paths | join(' ') }}
|
||||
ExecStart=/opt/restic-backup-directories.sh {{ restic_backup_paths | join(' ') }}
|
||||
{% endif %}
|
||||
{% if restic_forget_prune | default(true) %}
|
||||
ExecStartPost=/usr/bin/restic forget --prune \
|
||||
--retry-lock {{ restic_retry_lock | default('5m') }} \
|
||||
--keep-within={{ restic_policy.keep_within }} \
|
||||
--keep-hourly={{ restic_policy.hourly }} \
|
||||
--keep-daily={{ restic_policy.daily }} \
|
||||
--keep-weekly={{ restic_policy.weekly }} \
|
||||
--keep-monthly={{ restic_policy.monthly }} \
|
||||
--keep-yearly={{ restic_policy.yearly }}
|
||||
{% endif %}
|
||||
{% if restic_list_snapshots | default(true) %}
|
||||
ExecStartPost=-/usr/bin/restic snapshots --retry-lock {{ restic_retry_lock | default('5m') }}
|
||||
{% endif %}
|
||||
ExecStartPost=/usr/bin/restic forget --prune --keep-within={{ restic_policy.keep_within }} --keep-hourly={{ restic_policy.hourly }} --keep-daily={{ restic_policy.daily }} --keep-weekly={{ restic_policy.weekly }} --keep-monthly={{ restic_policy.monthly }}
|
||||
ExecStartPost=-/usr/bin/restic snapshots
|
||||
{% if restic_backup_post_hook | default(false) %}
|
||||
ExecStartPost=-{{ restic_backup_post_hook }}
|
||||
{% endif %}
|
||||
ExecStartPost=/usr/bin/restic check
|
||||
{% if restic_check | default(true) %}
|
||||
ExecStartPost=/usr/bin/restic check --retry-lock {{ restic_retry_lock | default('5m') }}
|
||||
{% endif %}
|
||||
|
Loading…
Reference in New Issue
Block a user