

10 Commits

12 changed files with 212 additions and 43 deletions

1
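--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ playbooks/beta/files/*.pub
 docker/beta/shockrah.xyz/
 docker/beta/resume.shockrah.xyz/
 k8s/config.yaml
+infra/**/tfplan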


@ -0,0 +1,22 @@
networks:
gitea:
external: false
services:
gitea:
image: gitea/gitea:latest
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
networks:
- gitea
volumes:
- /opt/containers/gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "2222:22"
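Review bot: `image: gitea/gitea:latest` floats the tag, so every `docker compose up` or container recreation under `restart: always` can silently pull a different Gitea release with no record of what was running; pin it, `image: gitea/gitea:<pinned-version>` (placeholder), and bump deliberately. `"3000:3000"` publishes the web UI on every host interface; if it is meant to be reached only through the host nginx at git.shockrah.xyz (the websites list elsewhere in this compare suggests so), `"127.0.0.1:3000:3000"` keeps it off the public address. The firewall rule added in this compare opens only 2222, so 3000 is presumably not reachable from outside today, but that depends on the firewall group's default policy, which this hunk does not show.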

13
infra/containers/readme Normal file

@ -0,0 +1,13 @@
What is this
============
Here we contain scripts to build out all the containers that are run.
All of these images are based on images that are made from other projects
docker-compose.yaml
===================
Services that are more/less "special" go here since most of the stuff that is
run on the main host are basically just static html websites


@ -37,6 +37,7 @@ locals {
{ name = "www.shockrah.xyz", records = [ var.vultr_host ] }, { name = "www.shockrah.xyz", records = [ var.vultr_host ] },
{ name = "resume.shockrah.xyz", records = [ var.vultr_host ] }, { name = "resume.shockrah.xyz", records = [ var.vultr_host ] },
{ name = "immich.shockrah.xyz", records = [ "45.32.92.196" ] }, { name = "immich.shockrah.xyz", records = [ "45.32.92.196" ] },
{ name = "git.shockrah.xyz", records = [ var.vultr_host ] },
] ]
} }


@ -4,6 +4,7 @@
vars: vars:
websites: websites:
- shockrah.xyz - shockrah.xyz
- git.shockrah.xyz
- temper.tv - temper.tv
- resume.shockrah.xyz - resume.shockrah.xyz
tasks: tasks:


@ -0,0 +1,7 @@
---
- hosts: webhost
remote_user: webadmin
tasks:
- name: Run docker-compose up
community.docker.docker_compose_v2:
project_src: ../../../containers/
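Review bot: `project_src: ../../../containers/` is resolved on the managed host, because `community.docker.docker_compose_v2` executes there rather than on the controller, so unless the repository happens to be checked out at the same relative location on webhost the module will not find the compose file. Use an absolute remote path, e.g. `project_src: /opt/containers` (constructed example), and copy or synchronize the compose file there in a preceding task. The play also sets no `become`, and the setup play in this compare adds webadmin only to `nginx`, not `docker`, so access to the Docker socket presumably fails; `become: true`, as the docker install play uses, is the simplest fix.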


@ -0,0 +1,54 @@
# This playbook is to be executed when first setting up
# the machine so we'll have to login as root, but in doing so
# we'll setup a user which can use sudo and use pem based authentication
# this should remove the ability to login as root with a janky password
---
- hosts: webhost
remote_user: root
tasks:
- name: Ensure sudo is available
apt:
state: present
update_cache: true
pkg:
- sudo
- zsh
- name: Create webadmin user
user:
name: webadmin
state: present
shell: /bin/zsh
groups:
- nginx
append: yes
- name: webadmin key copy
authorized_key:
user: webadmin
state: present
key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"
- name: Add webadmin to sudoers
copy:
dest: "/etc/sudoers.d/webadmin"
content: "webadmin ALL=(ALL) NOPASSWD: ALL"
- name: Disable Password Authentication
lineinfile:
dest: /etc/ssh/sshd_config
line: PasswordAuthentication no
state: present
backup: yes
notify:
- restart ssh
- name: Disable root login
lineinfile:
dest: /etc/ssh/sshd_config
line: PermitRootLogin no
state: present
backup: yes
notify:
- restart ssh
handlers:
- name: restart ssh
service:
name: sshd
state: restarted
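Review bot: The two `lineinfile` tasks have no `regexp`, so when sshd_config already contains `PasswordAuthentication yes` or `PermitRootLogin yes` (commented or not) the `no` line is appended at the end of the file while the earlier directive stays in place, and sshd honours the first occurrence — the hardening does not take effect. Add `regexp: '^#?\s*PasswordAuthentication'` and `regexp: '^#?\s*PermitRootLogin'` so the existing directive is replaced; on Ubuntu images that ship `/etc/ssh/sshd_config.d/*.conf` with `PasswordAuthentication yes`, that drop-in also has to be handled, which cannot be confirmed from here. The sudoers task writes the file without a trailing newline, without a restrictive mode and without syntax validation; `mode: "0440"` and `validate: "/usr/sbin/visudo -cf %s"` make a broken fragment fail the play instead of breaking sudo for the only non-root account. `append: yes` and `backup: yes` read better as `true`.
```yaml
    - name: Add webadmin to sudoers
      copy:
        dest: "/etc/sudoers.d/webadmin"
        content: "webadmin ALL=(ALL) NOPASSWD: ALL\n"
        mode: "0440"
        validate: "/usr/sbin/visudo -cf %s"
    - name: Disable Password Authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication'
        line: PasswordAuthentication no
        # … unchanged: state, backup, notify …
    - name: Disable root login
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin'
        line: PermitRootLogin no
        # … unchanged: state, backup, notify …
```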


@ -0,0 +1,47 @@
---
- hosts: webhost
remote_user: webadmin
become: true
tasks:
- name: Install docker and docker-compose
apt:
update_cache: true
pkg:
- ca-certificates
- curl
- name: Setup keyring
command:
cmd: "install -m 0755 -d /etc/apt/keyrings"
- name: Download docker gpg key
get_url:
url: https://download.docker.com/linux/ubuntu/gpg
dest: /etc/apt/keyrings/docker.asc
- name: Set perms on /etc/apt/keyrings/docker.asc
file:
dest: /etc/apt/keyrings/docker.asc
mode: a+r
- name: Ensure docker.lst exists
copy:
content: ''
dest: /etc/apt/sources.list.d/docker.list
force: false
group: root
owner: root
mode: 0644
- name: Ensure docker.lst is present for apt
lineinfile:
line: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu jammy stable\n"
dest: /etc/apt/sources.list.d/docker.list
state: present
- name: install docker packages
apt:
update_cache: true
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
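Review bot: The `line:` value in "Ensure docker.lst is present for apt" ends in `\n`, which makes the task non-idempotent: lineinfile writes the line plus its own newline, and on the next run the file's line (which has no embedded newline) never equals the requested one, so the entry is appended again every run; drop the escape, `line: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu jammy stable"`. `mode: 0644` depends on the YAML 1.1 octal reading of a leading zero; `mode: "0644"` is unambiguous. The signing key fetched by `get_url` is trusted on TLS alone; `checksum: "sha256:<expected-digest>"` (placeholder) pins the file that apt will trust for every docker package afterwards. `jammy` is hard-coded, so a release upgrade of the host silently keeps the old channel; `{{ ansible_distribution_release }}` tracks it.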


@ -33,4 +33,13 @@ resource vultr_firewall_rule ssh_v4 {
port = "22" port = "22"
} }
resource vultr_firewall_rule gitea_ssh {
firewall_group_id = vultr_firewall_group.host.id
protocol = "tcp"
ip_type = "v4"
subnet = "0.0.0.0"
subnet_size = 0
port = "2222"
}
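Review bot: `gitea_ssh` does not say why a second SSH port is open to `0.0.0.0/0`; `vultr_firewall_rule` accepts a `notes` argument, so `notes = "Gitea SSH: host 2222 -> container 22 (see the gitea compose service)"` ties the rule to the `"2222:22"` port mapping added in this compare. The rule is `ip_type = "v4"` only, consistent with the `ssh_v4` rule above it; whether a v6 counterpart is needed depends on the host having a v6 address, which this hunk does not show. The `ssh_v4` resource starts outside the hunk.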


@ -0,0 +1,50 @@
resource kubernetes_ingress_v1 athens {
metadata {
name = var.shockrahxyz.name
namespace = kubernetes_namespace.websites.metadata.0.name
labels = {
app = "websites"
}
}
spec {
rule {
host = "test.shockrah.xyz"
http {
path {
backend {
service {
name = var.shockrahxyz.name
port {
number = 80
}
}
}
path = "/"
}
}
}
}
}
resource kubernetes_service athens_lb {
metadata {
name = "athens-websites"
namespace = kubernetes_namespace.websites.metadata.0.name
labels = {
app = "websites"
}
}
spec {
selector = {
app = kubernetes_ingress_v1.athens.metadata.0.labels.app
}
port {
port = 80
target_port = 80
}
type = "LoadBalancer"
external_ips = [ var.cluster.ip ]
}
}
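Review bot: `external_ips = [ var.cluster.ip ]` together with `type = "LoadBalancer"` on `athens_lb` does two things at once: the cloud provider allocates a load balancer and the service additionally claims the node address directly, and the externalIPs field is not covered by Kubernetes RBAC, which is why upstream recommends restricting it with an admission policy. If the node address is the intended entry point, `type = "NodePort"` (or ClusterIP behind the ingress controller) without `external_ips` is the smaller surface; if the cloud load balancer is intended, drop `external_ips`. `host = "test.shockrah.xyz"` is a literal while the name comes from `var.shockrahxyz.name`; carrying the host in the variable keeps DNS and the ingress in step. No `ingress_class_name` is set, which on a cluster with more than one controller leaves the ingress unclaimed — which controller is installed cannot be seen here.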


@ -1,4 +1,4 @@
# Plain nginx for now so that we can test out reverse dns Plain nginx for now so that we can test out reverse dns
resource kubernetes_pod shockrah { resource kubernetes_pod shockrah {
metadata { metadata {
name = var.shockrahxyz.name name = var.shockrahxyz.name
@ -18,46 +18,4 @@ resource kubernetes_pod shockrah {
} }
} }
# Expose the pod above with a simple service
resource kubernetes_service shockrah {
metadata {
name = var.shockrahxyz.name
namespace = kubernetes_namespace.websites.metadata.0.name
}
spec {
selector = {
app = kubernetes_pod.shockrah.metadata.0.labels.app
}
port {
port = var.shockrahxyz.port
target_port = 80
}
type = "ExternalName"
external_name = var.shockrahxyz.dns
}
}
resource kubernetes_ingress_v1 shockrah {
metadata {
name = "shockrah"
}
spec {
rule {
http {
path {
path = "/"
backend {
service {
name = var.shockrahxyz.name
port {
number = var.shockrahxyz.port
}
}
}
}
}
}
}
}


@ -27,3 +27,9 @@ variable shockrahxyz {
}) })
} }
variable cluster {
type = object({
ip = string
})
}
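Review bot: `variable cluster` has no `description`, so a reader of the service that consumes `var.cluster.ip` cannot tell whether it is a node address or a load-balancer address; `description = "Public address of the cluster node that the websites service is exposed on"` (adjust if that is not the meaning) states it next to the type. A `validation` block that checks the value parses as an address, e.g. via `can(cidrnetmask("${var.cluster.ip}/32"))`, turns a typo into a plan-time error rather than a service that silently claims nothing.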