Moving setup into its own role, where we just set up the system configuration for running k3s.

This commit is contained in:
2024-02-11 15:10:38 -08:00
parent 35505f90f3
commit afd64caebd
35 changed files with 22 additions and 0 deletions


@@ -0,0 +1,3 @@
---
# defaults file for setup
LAB_FQDN: leftcoast.local
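Review bot: `LAB_FQDN: leftcoast.local` is not referenced by any playbook or config in this commit, and the `.local` TLD is reserved for mDNS (RFC 6762), so on Debian hosts with Avahi/nss-mdns installed lookups under it can be answered by multicast rather than by the dnsmasq this role installs. The nginx vhosts use `*.lablad.net` and the hosts file uses `*.lablad`, so the role already carries three naming schemes; consider making this the single source, e.g. `LAB_FQDN: lablad.net`, and templating the vhosts as `server_name git.{{ LAB_FQDN }};`. Whether anything outside the role reads `LAB_FQDN` I can't tell from here.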


@@ -0,0 +1,8 @@
# This config is purely for the default landing page that nginx normally serves
# up. The intention is to make Nginx's default page useful
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
}


@@ -0,0 +1,18 @@
# WARN: this should never be committed to source control
# The following is used because we
# use DNSMasq for its dead simple nature
127.0.0.1 localhost
127.0.1.1 recycled-lab-host
# Sugma
192.168.1.23 git.lablad
192.168.1.23 files.lablad
192.168.1.23 main.lablad
192.168.1.23 music.lablad
192.168.1.1 router
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
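Review bot: The first line says this file must never be committed, yet it is committed here together with the lab's internal addressing (`192.168.1.23`, `192.168.1.1`), and the `# Sugma` comment should go. Since `PRIVATE_IP` already lives in the vars file, this belongs in a template (`hosts.j2`) rendered from that variable, with the static copy removed from the repo and listed in `.gitignore`. Separately, these names are `git.lablad` etc. while every nginx vhost is `server_name git.lablad.net`; a browser will send `Host: git.lablad`, which matches no vhost and falls through to the port-80 `default_server` landing page instead of the proxy, unless dnsmasq is configured elsewhere to rewrite the suffix. I also don't see any task in this commit that deploys this file to `/etc/hosts`.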


@@ -0,0 +1,6 @@
server {
server_name files.lablad.net;
location / {
proxy_pass http://127.0.0.1:8080;
}
}


@@ -0,0 +1,10 @@
# This file pertains to the Gitea service which is served under the FQDN:
# git.lablad
# The default port is listed under /vars/main.yml as 3000 as GITEA_PUB_PORT
server {
server_name git.lablad.net;
location / {
proxy_pass http://127.0.0.1:3000;
}
}
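Review bot: `proxy_pass http://127.0.0.1:3000;` forwards with nginx's default `Host` of `$proxy_host`, so Gitea sees `127.0.0.1:3000` rather than the external name, which typically breaks the clone URLs and redirects it generates; add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside the `location` block (the metrics vhost already does the `Host` half). The comment on the third line points at `/vars/main.yml` for the port but the file hardcodes `3000` rather than reading it, so the two can drift; the `proxy.conf.j2` template in this commit already parameterises the port and could replace this static file. There is also no `listen` directive, so this vhost only answers on plain HTTP port 80 and Gitea credentials and tokens cross the LAN in cleartext.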


@@ -0,0 +1,8 @@
server {
root /var/www/html;
index index.html;
server_name lablad.net;
location / {
try_files $uri $uri/ =404;
}
}


@@ -0,0 +1,10 @@
# metrics.lablad
server {
server_name metrics.lablad.net;
proxy_set_header Host $http_host;
location / {
proxy_pass http://127.0.0.1:6000;
}
}


@@ -0,0 +1,6 @@
server {
server_name music.lablad.net;
location / {
proxy_pass http://127.0.0.1:4040;
}
}


@@ -0,0 +1,17 @@
[Unit]
Description=Node Exporter which exposes host metrics for Prometheus
After=network.target
[Service]
WorkingDirectory=/opt/prom-node-exporter
Type=simple
Restart=simple
Restart=always
Restart=10
ExecStart=/opt/prom-node-exporter/node_exporter
[Install]
WantedBy=multi-user.target
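Review bot: The `[Service]` section has three `Restart=` assignments, and `Restart=simple` and `Restart=10` are not valid values for that option (`simple` belongs to `Type=`, which is already set, and `10` looks like it was meant for `RestartSec=`); systemd logs a warning for each invalid value and, as far as I recall, keeps the last valid one, so the unit works by accident. The unit also runs node_exporter as root with no sandboxing although it only needs to read `/proc` and `/sys`; a dedicated (dynamic) user plus the standard hardening directives are the usual fix. Unrelated to the unit file, the tarball this binary comes from extracts into a versioned subdirectory, so `/opt/prom-node-exporter/node_exporter` may not exist at all — see the download playbook.
```ini
[Service]
WorkingDirectory=/opt/prom-node-exporter
Type=simple
Restart=always
RestartSec=10
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ExecStart=/opt/prom-node-exporter/node_exporter
```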


@@ -0,0 +1,8 @@
server {
server_name todo.lablad.net;
location / {
proxy_pass http://127.0.0.1:9238;
}
}


@@ -0,0 +1,14 @@
{
"backend": {
"file": {
"path": "/vault/file"
}
},
"listener": {
"tcp": {
"address": "0.0.0.0:{{VAULT_PORT}}",
"tls_disable": 1
}
},
"ui": true
}
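Review bot: This copy of the Vault config under `files/` is byte-for-byte the same as `templates/vault-config.json.j2`, and the Vault playbook renders the template, so this one is dead. A file in `files/` is deployed with `copy`, which never expands `{{VAULT_PORT}}`, so if it were ever used Vault would fail to parse its listener address. Drop it and keep the single template; the substantive concerns (`tls_disable`, `0.0.0.0`) are raised on the template.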


@@ -0,0 +1,11 @@
# This file pertains to the Gitea service which is served under the FQDN:
# vault.lablad
# The default port is listed under /vars/main.yml as 8200 as VAULT_PORT
server {
server_name vault.lablad.net;
location / {
proxy_pass http://127.0.0.1:8200;
}
}
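Review bot: The header comment was copied from the Gitea vhost and still says `This file pertains to the Gitea service`; it should read `# This file pertains to the Vault service which is served under the FQDN: vault.lablad` with the port note pointing at `VAULT_PORT`. This proxies the Vault UI and API over plain HTTP on port 80 with no `listen 443`, so every Vault token and every secret read crosses the LAN in cleartext — of all the vhosts in this commit this is the one that most needs TLS at nginx. Like the other vhosts it also lacks `proxy_set_header Host $host;` and `X-Forwarded-For`, so the client address Vault sees is always `127.0.0.1` (Vault additionally needs `x_forwarded_for_authorized_addrs` in its listener to trust that header).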


@@ -0,0 +1,6 @@
- name: Cleanup old containers
become: yes
become_method: sudo
listen: cleanup-docker
command: docker images | grep none | awk '{print $3}' | xargs docker rmi
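Review bot: The `command` module does not run through a shell, so the `|` and `xargs` on the last line are passed to `docker images` as literal arguments and the handler never removes anything (it most likely errors instead). Rather than switching to `shell` and grepping for `none`, use the collection module the role already depends on: `community.docker.docker_prune:` with `images: true`, which removes dangling images without string parsing. `become_method: sudo` is the default and can be dropped, and `become: yes` should be `become: true` per Ansible's YAML conventions.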


@@ -0,0 +1,6 @@
- name: Restart Nginx
listen: restart-nginx
service:
name: nginx
state: restarted
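Review bot: `state: restarted` stops nginx even when the newly copied vhost is broken, leaving every proxied service down until someone fixes the config by hand; the Kanboard playbook in this commit renders a vhost from an unexpanded variable name, so this is not hypothetical. Prefer `state: reloaded`, which makes nginx re-read its config and keep the old one if the new one fails, and precede it with a validation task such as `command: nginx -t` with `changed_when: false`. Handlers inherit `become` from the play, so the missing `become` here is fine only as long as every play that imports this file sets it.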


@@ -0,0 +1,31 @@
galaxy_info:
author: shockrah
description: This role provides multiple tools for setting up a private lab server
company: Personal
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
license: GPL-3.0-only
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
platforms:
- name: Debian
versions:
- Sid
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies:
- community.docker
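Review bot: `dependencies:` in `meta/main.yml` lists roles, not collections, so `community.docker` here will be resolved as a role of that name and, as far as I can tell, fail at install or run time; collections belong in a `requirements.yml` (`collections:` / `- name: community.docker`) and can additionally be declared under a `collections:` key in this meta file, with `dependencies: []`. `min_ansible_version: 2.1` is also inconsistent with the `community.docker.*` FQCN modules used throughout the role, which need Ansible 2.9 or later; bump it to match.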


@@ -0,0 +1,15 @@
# Further changes to DNS config are going to vary so heavily that I'm not
# even going to bother putting down anything else for dns configuration
# At this point basically just change /etc/resolv.conf to change dns targets
# and then add stuff to the /etc/hosts file as required
---
- hosts: leftcoastlab
tasks:
- name: Install DNSMasq
become: yes
apt:
name: "{{ item }}"
update_cache: yes
loop:
- dnsmasq
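Review bot: This installs dnsmasq but nothing configures it: there is no `/etc/dnsmasq.d/*.conf`, and the `/etc/hosts` file added under `files/` in this commit is never deployed, so the header comment about editing `/etc/hosts` and `/etc/resolv.conf` by hand is the actual plan. Out of the box dnsmasq binds every interface and forwards to the upstream in `/etc/resolv.conf` (recent Debian builds limit answers to directly attached subnets), so anything on the LAN can use this box as a resolver; at minimum drop a config with `listen-address=127.0.0.1,{{ PRIVATE_IP }}` and `bind-interfaces` and notify a restart. The single-item `loop` can be replaced by `name: dnsmasq`, and `become: yes` should be `become: true`.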


@@ -0,0 +1,31 @@
# This playbook goes through the process of setting up a simple FTP server on
# the target host.
---
- hosts: leftcoastlab
become: yes
tasks:
- name: Include Vars
include_vars:
dir: ../vars
- name: Ensure Filebrowser Volume Exists
community.docker.docker_volume:
name: file-storage
state: present
- name: Setup Filebrowser Container
community.docker.docker_container:
name: filebrowser
image: filebrowser/filebrowser
restart_policy: always
recreate: yes
volumes:
- "file-storage:/srv"
ports:
- "{{FILEBROWSER_PORT}}:80"
log_driver: loki
log_options:
loki-url: "http://localhost:{{LOKI_PORT}}/loki/api/v1/push"
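Review bot: `"{{FILEBROWSER_PORT}}:80"` publishes the container on `0.0.0.0:8080`, so the nginx vhost for `files.lablad.net` is not the only way in — anything on the LAN can reach the container directly and bypass whatever access control is later added at nginx; bind it to loopback with `"127.0.0.1:{{ FILEBROWSER_PORT }}:80"` (the same applies to every container in this commit except the Gitea SSH port). The header comment describes an FTP server but the task deploys Filebrowser, a web UI, and `image: filebrowser/filebrowser` is unpinned, so a later run of this playbook silently upgrades it; pin a tag or digest. Filebrowser creates a default admin account on first start, so the initial credential should be rotated or set through its config rather than left at the image default.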


@@ -0,0 +1,23 @@
# Setup a brand new system from the ground up.
---
- hosts: leftcoastlab
tasks:
- name: Import Global Vars
include_vars:
dir: ../vars
# System pre-reqs
- import_playbook: 'system-update.yml'
- import_playbook: 'install-docker.yml'
- import_playbook: 'dns.yml'
# Logging stack
- import_playbook: 'install-loki-logger.yml'
- import_playbook: 'grafana.yml'
# For host metrics
- import_playbook: 'vector.yml'
# Containerized services
- import_playbook: 'file-server.yml'
- import_playbook: 'git-stack.yml'
- import_playbook: 'subsonic.yml'
- import_playbook: 'nginx.yml'
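Review bot: `nginx.yml` enables vhosts for `todo.lablad` and `vault.lablad`, but this entry playbook never imports the Kanboard or Vault playbooks added in the same commit, so a fresh setup ends with nginx proxying those names to ports nothing listens on; either import them before `nginx.yml` or drop the vhosts. The comment `# For host metrics` sits above `vector.yml`, which is not among the files in this diff, while the node_exporter/Prometheus playbook that is in the diff is not imported — I can't tell which is intended. The first play's `include_vars` is redundant, since every imported playbook re-includes `../vars` itself.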


@@ -0,0 +1,33 @@
---
- hosts: leftcoastlab
become: yes
vars:
GITEA_VOLUME: gitea-volume
tasks:
- name: Import Vars required for configuration
include_vars:
dir: ../vars
- name: Create Gitea Volume
community.docker.docker_volume:
name: "{{GITEA_VOLUME}}"
- name: Update/Install Git Tea Container Service
community.docker.docker_container:
name: gitea
image: gitea/gitea
pull: yes
restart_policy: always
recreate: yes
volumes:
- "{{GITEA_VOLUME}}:/data"
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "{{GITEA_PUB_PORT}}:3000"
- "{{GITEA_SSH_PORT}}:22"
log_driver: loki
log_options:
loki-url: "http://localhost:{{LOKI_PORT}}/loki/api/v1/push"
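Review bot: `"{{GITEA_PUB_PORT}}:3000"` publishes Gitea's HTTP port on every interface, so the nginx vhost can be bypassed from the LAN; bind it with `"127.0.0.1:{{ GITEA_PUB_PORT }}:3000"` and leave only the SSH mapping public. `image: gitea/gitea` with `pull: yes` and `recreate: yes` means each run pulls whatever `latest` currently is and recreates the container against the same `/data` volume, so a Gitea major upgrade (or a compromised tag) lands unreviewed with no rollback short of restoring the volume; pin to a version tag or digest. The Loki push URL on the last line uses `localhost` from the Docker daemon's point of view, which only works because the logging plugin runs in the host network namespace; a comment saying so would save the next reader a debugging session.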


@@ -0,0 +1,26 @@
---
- hosts: leftcoastlab
become: yes
tasks:
- name: Include Vars
include_vars:
dir: ../vars
- name: Create Grafana Volume
community.docker.docker_volume:
name: grafana-volume
- name: Setup Grafana Container(latest)
community.docker.docker_container:
name: grafana
image: grafana/grafana-oss:latest
pull: yes
restart_policy: always
recreate: yes
timeout: 120
ports:
- "{{GRAFANA_PORT}}:3000"
volumes:
- "grafana-volume:/var/lib/grafana/"
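Review bot: Grafana is published on `0.0.0.0:{{GRAFANA_PORT}}` with no `GF_SECURITY_ADMIN_PASSWORD` in `env`, so until someone logs in and changes it the instance is reachable from the LAN with Grafana's well-known default admin credentials — bind it with `"127.0.0.1:{{ GRAFANA_PORT }}:3000"` and set the admin password from a vaulted variable. `grafana/grafana-oss:latest` with `pull: yes` and `recreate: yes` upgrades Grafana on every playbook run against the persistent volume; pin a version. Unlike the other containers this one has no `log_driver: loki`, which may be deliberate (avoiding a log loop through Loki) but deserves a comment. Port 6000 is also one of the ports Chromium refuses to connect to (`ERR_UNSAFE_PORT`), which only matters for direct access, not through nginx.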


@@ -0,0 +1,29 @@
---
- hosts: leftcoastlab
become: yes
tasks:
- name: Install docker dependencies
apt:
name: "{{item}}"
update_cache: yes
loop:
- apt-transport-https
- ca-certificates
- curl
- gnupg
- software-properties-common
- lsb-release
- python3-pip
- name: Install Docker
apt:
name: docker.io
update_cache: yes
- name: Install Docker Ansible Driver
pip:
name: docker
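Review bot: `pip: name: docker` as root installs into the system Python, which on the `sid` target this role declares is an externally-managed environment (PEP 668), so pip refuses unless `--break-system-packages` is passed; install the distro package instead, `apt: name: python3-docker`, and drop the `python3-pip` dependency with it. The first task installs `apt-transport-https`, `gnupg`, `lsb-release` and `software-properties-common`, which are the prerequisites for adding Docker's upstream repository, but the next task installs Debian's `docker.io` and never adds that repository, so either the prerequisites are dead weight or the upstream-repo step is missing. An unpinned pip install also tracks the newest `docker` SDK, which has had compatibility breaks with `community.docker` in the past; the apt package avoids that.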


@@ -0,0 +1,12 @@
# This playbook installs the loki docker plugin which allows other docker based
# services to do they're regular logging actions but centralize them
---
- hosts: leftcoastlab
become: yes
tasks:
# --grant-all-permissions is the default for ansible
- name: Install Loki Docker Plugin
community.docker.docker_plugin:
plugin_name: grafana/loki-docker-driver:latest
state: enabled
alias: loki
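Review bot: `grafana/loki-docker-driver:latest` is installed with `--grant-all-permissions` (as the comment notes), so the plugin gets every capability and mount its manifest asks for, and `latest` means that set is whatever the tag points to on the day the playbook runs; pin a release tag, e.g. `plugin_name: grafana/loki-docker-driver:<version>`, so the manifest is reviewed once. Nothing in this commit runs a Loki server on `LOKI_PORT` (3100), so every container's `loki-url` currently points at a closed port — presumably Loki exists elsewhere, but a comment here naming where would help. `state: enabled` is correct; `become: yes` should be `become: true`.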


@@ -0,0 +1,63 @@
# Sets up an instance of Kanboard from top to bottom
---
- hosts: leftcoastlab
become: yes
vars:
PRE: kanboard
DATA_VOLUME: "{{PRE}}-data-volume"
PLUGINS_VOLUME: "{{PRE}}-plugins-volume"
SSL_VOLUME: "{{PRE}}-ssl-volume"
tasks:
- name: Include Vars
include_vars:
dir: ../vars
- name: Ensure Data volume exists
community.docker.docker_volume:
name: "{{DATA_VOLUME}}"
- name: Ensure Plugins Volume exists
community.docker.docker_volume:
name: "{{PLUGINS_VOLUME}}"
- name: Ensure SSL Volume exists
community.docker.docker_volume:
name: "{{SSL_VOLUME}}"
- name: Ensure Docker service is active
community.docker.docker_container:
name: kanboard
image: kanboard/kanboard:latest
pull: yes
restart_policy: always
recreate: yes
ports:
- "{{ KANBOARD_PORT }}:80"
- "{{ KANBOARD_PORT_SSL }}:443"
volumes:
- "{{DATA_VOLUME}}:/var/www/app/data"
- "{{PLUGINS_VOLUME}}:/var/www/app/plugins"
- "{{SSL_VOLUME}}:/etc/nginx/ssl"
- name: Create Nginx Config for service
template:
dest: /etc/nginx/sites-available/todo.lablad
src: ../templates/proxy.conf.j2
notify:
- restart-nginx
vars:
SERVER_NAME: todo.lablad
PORT: KANBOARD_PORT
- name: Restart Nginx
service:
name: nginx
state: restarted
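Review bot: `PORT: KANBOARD_PORT` passes the literal string `KANBOARD_PORT`, not its value, so the rendered vhost reads `proxy_pass http://127.0.0.1:KANBOARD_PORT;`, nginx fails to parse it, and the final `Restart Nginx` task takes nginx down; it must be `PORT: "{{ KANBOARD_PORT }}"` (and `SERVER_NAME: todo.lablad` does not match the `.net` scheme the other vhosts use). `notify: restart-nginx` refers to a handler this playbook never loads — there is no `handlers:` section, unlike `nginx.yml` — which Ansible reports as an error, and the explicit restart task duplicates it anyway. The file is written to `sites-available` but never linked into `sites-enabled`, and `nginx.yml` later overwrites it with the static `files/todo.lablad`. Ports `9238`/`9239` are published on all interfaces; bind them to `127.0.0.1` as for the other containers.
```yaml
    - name: Create Nginx Config for service
      template:
        dest: /etc/nginx/sites-available/todo.lablad
        src: ../templates/proxy.conf.j2
      vars:
        SERVER_NAME: todo.lablad
        PORT: "{{ KANBOARD_PORT }}"
      notify:
        - restart-nginx
    - name: Enable Kanboard vhost
      file:
        src: /etc/nginx/sites-available/todo.lablad
        dest: /etc/nginx/sites-enabled/todo.lablad
        state: link
      notify:
        - restart-nginx
  handlers:
    - import_tasks: ../handlers/nginx.yml
```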


@@ -0,0 +1,8 @@
---
- hosts: leftcoastlab
become: yes
tasks:
- name: Copy landing page
copy:
src: "{{LANDING_PAGE_ROOT_PATH}}/public/"
dest: /var/www/html/
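Review bot: `LANDING_PAGE_ROOT_PATH` is not defined in either vars file in this commit and this play has no `include_vars`, so unless it is supplied on the command line or in inventory the task fails with an undefined variable; declare it alongside the other vars (or under `vars:` here) with a comment saying it is a path on the control node. Files that do not already exist under `/var/www/html` are created root-owned, whereas `nginx.yml` chowns `/var/www` to `staticweb`, so the two playbooks disagree about ownership; set `owner: staticweb`, `group: staticweb`, `mode: "0644"` on the `copy`. `become: yes` should be `become: true`.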


@@ -0,0 +1,77 @@
---
- hosts: leftcoastlab
become: yes
vars:
STATIC_USER: staticweb
tasks:
- name: Install Nginx Package
apt:
name: nginx
update_cache: yes
state: present
- name: Stop Apache2 Service
systemd:
name: apache2
state: stopped
enabled: no
- name: Remove Apache2
apt:
name: apache2
state: absent
- name: Ensure the default website is disabled
file:
path: /etc/nginx/sites-enabled/default
state: absent
- name: website user account
user:
name: "{{STATIC_USER}}"
comment: Static Website maintainer account
state: present
- name: Create Static web root directory
file:
path: /var/www
state: directory
recurse: yes
owner: "{{STATIC_USER}}"
group: "{{STATIC_USER}}"
- name: Copy Reverse proxy configs
copy:
src: "{{ item }}"
dest: /etc/nginx/sites-available/
loop:
- ../files/git.lablad
- ../files/music.lablad
- ../files/files.lablad
- ../files/metrics.lablad
- ../files/todo.lablad
- ../files/home.lablad
- ../files/vault.lablad
- name: Enable Sites
file:
src: /etc/nginx/sites-available/{{item}}
dest: /etc/nginx/sites-enabled/{{item}}
state: link
loop:
- git.lablad
- music.lablad
- files.lablad
- metrics.lablad
- vault.lablad
- todo.lablad
- home.lablad
notify:
- restart-nginx
handlers:
- import_tasks: ../handlers/nginx.yml
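Review bot: `Stop Apache2 Service` uses the `systemd` module with `state: stopped`, which fails when no `apache2` unit exists — i.e. on the fresh Debian install this role targets — so the play dies before nginx is configured; the `apt: state: absent` task alone is enough (the package's prerm stops the service), or guard the stop with `failed_when: false`. The `staticweb` account is created with a login shell and a home directory it does not need; add `shell: /usr/sbin/nologin` and `system: true` so it cannot be used interactively. Nothing in this playbook or the copied vhosts listens on 443, so the Gitea, Grafana, Vault and Kanboard logins all traverse the LAN as cleartext HTTP — worth at least a TODO here, since this is where TLS termination would go. The recursive chown of all of `/var/www` also hands `staticweb` ownership of anything else that later lives there.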


@@ -0,0 +1,63 @@
---
- hosts: leftcoastlab
vars:
PROM_URL: "https://github.com/prometheus/node_exporter/releases/download/v1.3.1/node_exporter-1.3.1.linux-amd64.tar.gz"
become: yes
tasks:
- name: Include Global Vars
include_vars:
dir: ../vars
- name: Download prometheus Node Explorer static binary tarball
get_url:
url: "{{ PROM_URL }}"
dest: /tmp/prom-node-exporer.tar.gz
- name: Untar node exporter tarball package
unarchive:
src: /tmp/prom-node-exporer.tar.gz
dest: /opt/prom-node-exporter
creates: /opt/prom-node-exporter
remote_src: yes
- name: Copy Unit file for node exporter
copy:
src: ../files/services/node_exporter.service
dest: /etc/systemd/system/node_exporter.service
- name: Install Node Exporter Service and Start
systemd:
daemon_reload: yes
name: node_exporter
state: restarted
enabled: yes
- name: Ensure Prom Docker Volume Exists
community.docker.docker_volume:
name: prometheus-volume
- name: Ensure Config directory exists
file:
path: /opt/prometheus
state: directory
- name: Copy Prometheus template to target directory
template:
dest: /opt/prometheus/prometheus.yml
src: ../templates/prometheus.yml.j2
- name: Setup Prometheus (Containerized) Service
community.docker.docker_container:
name: prometheus
image: prom/prometheus
pull: yes
restart_policy: always
recreate: yes
volumes:
- "prometheus-volume:/prometheus"
- "/opt/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml"
ports:
- "{{PROM_PORT}}:{{PROM_PORT}}"
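Review bot: `get_url` fetches the node_exporter tarball with no `checksum:`, so a tampered or corrupted download is installed and started as root without complaint; add `checksum: "sha256:<digest>"` using the digest from the `sha256sums.txt` the Prometheus project publishes next to every release asset. `unarchive` also extracts the archive's top-level directory `node_exporter-1.3.1.linux-amd64/` beneath `dest`, so the binary lands at `/opt/prom-node-exporter/node_exporter-1.3.1.linux-amd64/node_exporter` rather than at the `ExecStart` path in the unit file, and `unarchive` does not create `dest` itself; create the directory first and pass `--strip-components=1`, and point `creates:` at the binary instead of the directory. v1.3.1 dates from late 2021, and `"{{PROM_PORT}}:{{PROM_PORT}}"` exposes the unauthenticated Prometheus UI on every interface — bind it to loopback like the other services.
```yaml
    - name: Download prometheus Node Exporter static binary tarball
      get_url:
        url: "{{ PROM_URL }}"
        dest: /tmp/prom-node-exporter.tar.gz
        checksum: "sha256:{{ PROM_SHA256 }}"  # from the release's sha256sums.txt
    - name: Ensure node exporter install directory exists
      file:
        path: /opt/prom-node-exporter
        state: directory
        mode: "0755"
    - name: Untar node exporter tarball package
      unarchive:
        src: /tmp/prom-node-exporter.tar.gz
        dest: /opt/prom-node-exporter
        remote_src: true
        extra_opts:
          - --strip-components=1
        creates: /opt/prom-node-exporter/node_exporter
    # … unchanged: unit file copy, systemd enable, Prometheus container …
```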


@@ -0,0 +1,37 @@
# This playbook sets up subsonic with/without a fresh to work with
---
- hosts: leftcoastlab
become: yes
vars:
SUBSONIC_DIR: /opt/subsonic/data
SUBSONIC_CONFIG_VOL: subsonic-config-volume
tasks:
- name: Include Vars
include_vars:
dir: ../vars
- name: Ensure Subsonic music directory exists
file:
path: "{{SUBSONIC_DIR}}"
state: directory
- name: Ensure Subsonic configuration volume exists
community.docker.docker_volume:
name: "{{SUBSONIC_CONFIG_VOL}}"
state: present
- name: Deploy Subsonic container
community.docker.docker_container:
name: subsonic
image: gzurowski/subsonic
restart_policy: always
recreate: yes
ports:
- "{{SUBSONIC_PORT}}:4040"
volumes:
- "{{SUBSONIC_DIR}}:/var/music"
log_driver: loki
log_options:
loki-url: "http://localhost:{{LOKI_PORT}}/loki/api/v1/push"
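Review bot: `gzurowski/subsonic` is a third-party, unpinned image for a proprietary application, published on `0.0.0.0:{{SUBSONIC_PORT}}` so it is reachable from the LAN around nginx; bind it with `"127.0.0.1:{{ SUBSONIC_PORT }}:4040"` and pin a digest, since there is no vendor behind the tag. Subsonic ships with a default `admin` login that must be changed on first use; that is worth a line in the header comment, which currently reads `with/without a fresh to work with` and is missing a word. `{{SUBSONIC_DIR}}` is created root-owned with default mode; if music is to be dropped in by the `files` user the vars define, set `owner`/`group` on that `file` task.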


@@ -0,0 +1,10 @@
# Simply update all required packages that we have on the system
# This also takes care of updating any packages that must updated through means
# of Git or some other non-apt method should it be required
---
- hosts: leftcoastlab
become: yes
tasks:
- name: Distribution Upgrade
apt:
upgrade: dist
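Review bot: `apt: upgrade: dist` runs against whatever package lists are already on the host, which on a fresh image can be weeks old, so this either upgrades to stale versions or does nothing; add `update_cache: true`. The header comment promises updates of packages installed "through means of Git or some other non-apt method", but the play contains only the apt task; trim the comment to what the play does. `become: yes` should be `become: true` per Ansible style.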


@@ -0,0 +1,47 @@
---
- hosts: leftcoastlab
tasks:
- name: Pull In Vars
include_vars:
dir: ../vars
- name: Create Vault Bind Root
become: yes
file:
path: /opt/vault
state: directory
- name: Ensure Vault Bind directories in place
become: yes
file:
path: "/opt/vault/{{item}}"
state: directory
loop:
- config
- logs
- file
- name: Create Vault Config
become: yes
template:
src: ../templates/vault-config.json.j2
dest: /opt/vault/config/vault.json
- name: Start up Vault Service
community.docker.docker_container:
name: vault
image: vault
ports:
- "{{VAULT_PORT}}:8200"
restart_policy: always
volumes:
- /opt/vault/logs:/vault/logs
- /opt/vault/file:/vault/file
- /opt/vault/config:/vault/config
env:
VAULT_ADDR: http://127.0.0.1:8200
capabilities:
- IPC_LOCK
entrypoint:
- vault server -config=/vault/config/vault.json
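Review bot: `entrypoint` is given as one list element containing spaces, `vault server -config=/vault/config/vault.json`, which Docker treats as a single executable name rather than `vault` plus arguments, so as far as I can tell the container cannot start; keep the image's entrypoint and pass `command` instead (the official image's entrypoint already understands `server`). `"{{VAULT_PORT}}:8200"` publishes Vault on every interface while the rendered config sets `tls_disable`, so tokens and secrets are on the LAN in cleartext; bind the port to `127.0.0.1` and terminate TLS at nginx or enable it on the listener with a cert in the `config` bind mount. This task also lacks the `become: true` every sibling task has, so it runs as the SSH user and silently requires that user to be in the `docker` group (which is root-equivalent). `image: vault` is untagged, and the Docker Hub library image has been superseded by `hashicorp/vault`; pin a version of that, and note in a comment that `file` storage is single-node only.
```yaml
    - name: Start up Vault Service
      become: true
      community.docker.docker_container:
        name: vault
        image: "hashicorp/vault:{{ VAULT_VERSION }}"  # pinned; library `vault` is deprecated
        ports:
          - "127.0.0.1:{{ VAULT_PORT }}:8200"
        restart_policy: always
        # … unchanged: volumes, env, capabilities …
        command:
          - server
          - "-config=/vault/config/vault.json"
```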


@@ -0,0 +1,26 @@
global:
scrape_interval: 15s
scrape_timeout: 10s
evaluation_interval: 15s
alerting:
alertmanagers:
- follow_redirects: true
enable_http2: true
scheme: http
timeout: 10s
api_version: v2
static_configs:
- targets: []
scrape_configs:
- job_name: prometheus-scraper
honor_timestamps: true
scrape_interval: 15s
scrape_timeout: 10s
metrics_path: /metrics
scheme: http
follow_redirects: true
enable_http2: true
static_configs:
- targets:
- localhost:9090
- "{{PRIVATE_IP}}":9100
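Review bot: The last target is written as `- "{{PRIVATE_IP}}":9100`, which after templating is `"192.168.1.23":9100` — a quoted scalar followed by `:` with no space, which block-context YAML does not accept as a key/value pair — so Prometheus is very likely to reject the config at startup; write it as `- "{{ PRIVATE_IP }}:9100"`. Since node_exporter runs on the host and Prometheus in a container, the private IP is the right address, but a one-line comment saying so would explain why it isn't `localhost` like the self-scrape entry. Most of the other keys (`honor_timestamps`, `follow_redirects`, `enable_http2`, the empty `alertmanagers` entry) look like Prometheus defaults and can be removed to leave only the intentional settings.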


@@ -0,0 +1,6 @@
server {
server_name {{SERVER_NAME}};
location / {
proxy_pass http://127.0.0.1:{{PORT}};
}
}
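Review bot: This template is only used by the Kanboard playbook, which passes `PORT` as the literal string `KANBOARD_PORT`; the template cannot defend against that, but it deserves a header comment naming the two variables callers must supply, e.g. `# Reverse-proxy vhost; requires SERVER_NAME (Host header to match) and PORT (loopback port of the upstream)`. Add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside `location /` so the upstream sees the real client and hostname. Once that is in place, the seven hand-written vhosts under `files/` could be generated from this one template instead of drifting from it.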


@@ -0,0 +1,15 @@
{
"backend": {
"file": {
"path": "/vault/file"
}
},
"listener": {
"tcp": {
"address": "0.0.0.0:{{VAULT_PORT}}",
"tls_disable": 1
}
},
"ui": true
}
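Review bot: `"tls_disable": 1` together with `"address": "0.0.0.0:{{VAULT_PORT}}"` makes Vault speak plaintext on every container interface, and since nginx has no TLS either the full path from browser to Vault is cleartext; Vault's own documentation describes `tls_disable` as a testing-only setting. If TLS termination is to live at nginx, at least add `"x_forwarded_for_authorized_addrs": "127.0.0.1"` here so audit logs record real client addresses, and note that `backend` is the legacy name for the `storage` stanza (still accepted, but `storage` is what current docs use). `{{VAULT_PORT}}` inside the container is only right while `VAULT_PORT` equals the container-side `8200` in the playbook's port mapping; render a fixed `8200` here and keep `VAULT_PORT` for the host side.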


@@ -0,0 +1,19 @@
---
- hosts: leftcoastlab
tasks:
- name: Normal Echo
command: echo Quick test of an echo
register: normal_echo
- debug:
var: normal_echo.stdout
- name: Checking Sudo access
become: yes
command: echo One more test with sudo this time
register: sudo_echo
- debug:
var: sudo_echo.stdout
- debug:
var: sudo_echo.stderr


@@ -0,0 +1,13 @@
---
# vars file for setup
DEBIAN_CODENAME: sid
GITEA_PUB_PORT: 3000
GITEA_SSH_PORT: 2222
FILEBROWSER_PORT: 8080
LOKI_PORT: 3100
GRAFANA_PORT: 6000
SUBSONIC_PORT: 4040
PROM_PORT: 9090
KANBOARD_PORT: 9238
KANBOARD_PORT_SSL: 9239
VAULT_PORT: 8200
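Review bot: `VAULT_PORT` does double duty — the playbook maps `"{{VAULT_PORT}}:8200"` (host side) while the config template uses it for the listener inside the container — so changing it from 8200 silently breaks Vault; keep this variable for the host side only, hardcode `8200` in the template, and say so in a comment here. `GRAFANA_PORT: 6000` is one of the ports Chromium refuses (`ERR_UNSAFE_PORT`, since 6000 is X11), which is harmless through nginx but confusing for direct access; a comment or a different port. Every port here ends up published on `0.0.0.0` by the container tasks; if the intent is that only nginx is reachable, document that here and bind them to `127.0.0.1` in the playbooks.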


@@ -0,0 +1,4 @@
FILES_UID: 1004
FILES_GID: 1004
FILES_HOME: /home/files
PRIVATE_IP: 192.168.1.23