bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

debyltech updates, satisfactory

Browse Source
This commit is contained in:
Bastian de Byl
2023-04-30 00:31:10 -04:00
parent 34c7199986
commit 7fba5179c4
22 changed files with 212 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Makefile
View File

@@ -22,7 +22,7 @@ VAULT_FILE=ansible/vars/vault.yml
# Variables # Variables
ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml
SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible #SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible
# Default to all ansible tags to run (passed via 'make deploy TAGS=sometag') # Default to all ansible tags to run (passed via 'make deploy TAGS=sometag')
TAGS?=all TAGS?=all
@@ -52,7 +52,7 @@ SKIP_FILE=./.lint-vars.sh
# Targets # Targets
deploy: ${ANSIBLE} ${VAULT_FILE} deploy: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml ${ANSIBLE} --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
list-tags: ${ANSIBLE} ${VAULT_FILE} list-tags: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml ${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
@@ -61,7 +61,7 @@ list-tasks: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml ${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
check: ${ANSIBLE} ${VAULT_FILE} check: ${ANSIBLE} ${VAULT_FILE}
${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml ${ANSIBLE} --check --diff --private-key -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml
vault: ${ANSIBLE_VAULT} ${VAULT_FILE} vault: ${ANSIBLE_VAULT} ${VAULT_FILE}
${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE} ${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE}

4
ansible/roles/podman/defaults/main.yml
View File

@@ -1,6 +1,7 @@
--- ---
bookstack_path: "{{ podman_volumes }}/bookstack" bookstack_path: "{{ podman_volumes }}/bookstack"
cloud_path: "{{ podman_volumes }}/cloud" cloud_path: "{{ podman_volumes }}/cloud"
debyltech_path: "{{ podman_volumes }}/debyltech"
drone_path: "{{ podman_volumes }}/drone" drone_path: "{{ podman_volumes }}/drone"
graylog_path: "{{ podman_volumes }}/graylog" graylog_path: "{{ podman_volumes }}/graylog"
hass_path: "{{ podman_volumes }}/hass" hass_path: "{{ podman_volumes }}/hass"
@@ -8,12 +9,13 @@ nginx_path: "{{ podman_volumes }}/nginx"
partkeepr_path: "{{ podman_volumes }}/partkeepr" partkeepr_path: "{{ podman_volumes }}/partkeepr"
photos_path: "{{ podman_volumes }}/photos" photos_path: "{{ podman_volumes }}/photos"
pihole_path: "{{ podman_volumes }}/pihole" pihole_path: "{{ podman_volumes }}/pihole"
valheim_path: "{{ podman_volumes }}/valheim" satisfactory_path: "{{ podman_volumes }}/satisfactory"
drone_server_proto: "http" drone_server_proto: "http"
drone_runner_capacity: "8" drone_runner_capacity: "8"
# nginx and modsec configuration # nginx and modsec configuration
api_debyltech_server_name: api.debyltech.com
assistant_server_name: assistant.bdebyl.net assistant_server_name: assistant.bdebyl.net
bookstack_server_name: wiki.skudakrennsport.com bookstack_server_name: wiki.skudakrennsport.com
ci_server_name: ci.bdebyl.net ci_server_name: ci.bdebyl.net

2
ansible/roles/podman/tasks/configuration-nginx-http.yml
View File

@@ -71,6 +71,7 @@
- "{{ photos_server_name }}.conf" - "{{ photos_server_name }}.conf"
- "{{ pi_server_name }}.conf" - "{{ pi_server_name }}.conf"
- "{{ video_server_name }}.conf" - "{{ video_server_name }}.conf"
- "{{ api_debyltech_server_name }}.conf"
notify: notify:
- restorecon podman - restorecon podman
- restart nginx - restart nginx
@@ -95,6 +96,7 @@
- "{{ photos_server_name }}.conf" - "{{ photos_server_name }}.conf"
- "{{ pi_server_name }}.conf" - "{{ pi_server_name }}.conf"
- "{{ video_server_name }}.conf" - "{{ video_server_name }}.conf"
- "{{ api_debyltech_server_name }}.conf"
notify: notify:
- restorecon podman - restorecon podman
- restart nginx - restart nginx

2
ansible/roles/podman/tasks/configuration-nginx-https.yml
View File

@@ -39,6 +39,7 @@
- "{{ cloud_server_name }}.https.conf" - "{{ cloud_server_name }}.https.conf"
- "{{ parts_server_name }}.https.conf" - "{{ parts_server_name }}.https.conf"
- "{{ photos_server_name }}.https.conf" - "{{ photos_server_name }}.https.conf"
- "{{ api_debyltech_server_name }}.https.conf"
notify: notify:
- restorecon podman - restorecon podman
- restart nginx - restart nginx
@@ -58,6 +59,7 @@
- "{{ cloud_server_name }}.https.conf" - "{{ cloud_server_name }}.https.conf"
- "{{ parts_server_name }}.https.conf" - "{{ parts_server_name }}.https.conf"
- "{{ photos_server_name }}.https.conf" - "{{ photos_server_name }}.https.conf"
- "{{ api_debyltech_server_name }}.https.conf"
notify: notify:
- restorecon podman - restorecon podman
- restart nginx - restart nginx

4
ansible/roles/podman/tasks/container-awsddns.yml
View File

@@ -8,7 +8,7 @@
image: docker.io/bdebyl/awsddns:1.0.34 image: docker.io/bdebyl/awsddns:1.0.34
recreate: false recreate: false
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
env: env:
AWS_ZONE_TTL: 60 AWS_ZONE_TTL: 60
@@ -34,7 +34,7 @@
image: docker.io/bdebyl/awsddns:1.0.34 image: docker.io/bdebyl/awsddns:1.0.34
recreate: false recreate: false
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
env: env:
AWS_ZONE_TTL: 60 AWS_ZONE_TTL: 60

4
ansible/roles/podman/tasks/container-bookstack.yml
View File

@@ -34,7 +34,7 @@
image: docker.io/mysql:5.7.21 image: docker.io/mysql:5.7.21
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared
@@ -62,7 +62,7 @@
image: docker.io/solidnerd/bookstack:22.11.1 image: docker.io/solidnerd/bookstack:22.11.1
recreate: true recreate: true
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared

4
ansible/roles/podman/tasks/container-cloud.yml
View File

@@ -52,7 +52,7 @@
image: docker.io/mariadb:10.5 image: docker.io/mariadb:10.5
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared
@@ -79,7 +79,7 @@
image: docker.io/nextcloud:24.0.5-apache image: docker.io/nextcloud:24.0.5-apache
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared

51
ansible/roles/podman/tasks/container-debyltech.yml Normal file
View File

@@ -0,0 +1,51 @@
---
- name: create required debyltech volumes
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ podman_subuid.stdout }}"
group: "{{ podman_subuid.stdout }}"
mode: 0755
notify: restorecon podman
loop:
- "{{ debyltech_path }}/api"
- "{{ debyltech_path }}/api/config"
tags: debyltech
- name: template api.debyltech.com files
become: true
ansible.builtin.template:
src: "debyltech/{{ item }}.j2"
dest: "{{ debyltech_path }}/api/config/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
loop:
- "config.json"
tags: debyltech
- name: create api.debyltech.com container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: apidebyltech
image: docker.io/debyltech/go-snipcart-webhook:0.1.34
command: --config /conf/config.json --release
recreate: true
restart: true
restart_policy: on-failure:3
log_driver: journald
network:
- shared
volumes:
- "{{ debyltech_path }}/api/config:/conf"
ports:
- "8040:8080"
tags: debyltech
- name: create systemd startup job for api.debyltech.com
include_tasks: systemd-generate.yml
vars:
container_name: apidebyltech
tags: debyltech

8
ansible/roles/podman/tasks/container-drone.yml
View File

@@ -22,9 +22,9 @@
containers.podman.podman_container: containers.podman.podman_container:
name: drone name: drone
image: docker.io/drone/drone:2.16.0 image: docker.io/drone/drone:2.16.0
recreate: false recreate: true
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared
@@ -54,10 +54,10 @@
become_user: "{{ podman_user }}" become_user: "{{ podman_user }}"
containers.podman.podman_container: containers.podman.podman_container:
name: drone-runner name: drone-runner
image: docker.io/drone/drone-runner-docker:1.8.1 image: docker.io/drone/drone-runner-docker:1.8.3
recreate: false recreate: false
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared

6
ansible/roles/podman/tasks/container-graylog.yml
View File

@@ -51,7 +51,7 @@
image: docker.io/mongo:4.2 image: docker.io/mongo:4.2
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
network: network:
- shared - shared
volumes: volumes:
@@ -72,7 +72,7 @@
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2 image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
network: network:
- shared - shared
volumes: volumes:
@@ -99,7 +99,7 @@
image: docker.io/graylog/graylog:4.3.11 image: docker.io/graylog/graylog:4.3.11
recreate: true recreate: true
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure:3
sysctl: sysctl:
net.ipv6.conf.all.disable_ipv6: 1 net.ipv6.conf.all.disable_ipv6: 1
net.ipv6.conf.default.disable_ipv6: 1 net.ipv6.conf.default.disable_ipv6: 1

2
ansible/roles/podman/tasks/container-hass.yml
View File

@@ -39,7 +39,7 @@
image: ghcr.io/home-assistant/home-assistant:stable image: ghcr.io/home-assistant/home-assistant:stable
recreate: false recreate: false
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
cap_add: cap_add:
- CAP_NET_RAW - CAP_NET_RAW

4
ansible/roles/podman/tasks/container-partkeepr.yml
View File

@@ -24,7 +24,7 @@
image: docker.io/mariadb:10.0 image: docker.io/mariadb:10.0
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared
@@ -51,7 +51,7 @@
image: docker.io/bdebyl/partkeepr:0.1.10 image: docker.io/bdebyl/partkeepr:0.1.10
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared

4
ansible/roles/podman/tasks/container-photos.yml
View File

@@ -35,7 +35,7 @@
image: docker.io/mariadb:10.8 image: docker.io/mariadb:10.8
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared
@@ -63,7 +63,7 @@
image: docker.io/photoprism/photoprism:221118-jammy image: docker.io/photoprism/photoprism:221118-jammy
recreate: false recreate: false
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
network: network:
- shared - shared

2
ansible/roles/podman/tasks/container-pihole.yml
View File

@@ -25,7 +25,7 @@
image: docker.io/pihole/pihole:2022.04.3 image: docker.io/pihole/pihole:2022.04.3
recreate: false recreate: false
restart: true restart: true
restart_policy: on-failure restart_policy: on-failure:3
log_driver: journald log_driver: journald
cap_add: cap_add:
- CAP_NET_BIND_SERVICE - CAP_NET_BIND_SERVICE

46
ansible/roles/podman/tasks/container-satisfactory.yml Normal file
View File

@@ -0,0 +1,46 @@
---
- name: create satisfactory host directory volumes
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
loop:
- "{{ satisfactory_path }}/config"
tags: satisfactory
- name: flush handlers
ansible.builtin.meta: flush_handlers
tags: satisfactory
- name: create satisfactory server container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: satisfactory
image: docker.io/wolveix/satisfactory-server:latest
recreate: true
restart: true
restart_policy: on-failure:3
log_driver: journald
memory: 16g
memory_reservation: 12g
volumes:
- "{{ satisfactory_path }}/config:/config"
env:
MAXPLAYERS: 4
STEAMBETA: "false"
ports:
- "7777:7777/udp"
- "15000:15000/udp"
- "15777:15777/udp"
tags: satisfactory
- name: create systemd startup job for satisfactory
include_tasks: systemd-generate.yml
vars:
container_name: satisfactory
tags: satisfactory

4
ansible/roles/podman/tasks/firewall.yml
View File

@@ -18,6 +18,10 @@
- 53/udp - 53/udp
- 6875/tcp - 6875/tcp
- 80/tcp - 80/tcp
# satisfactory
- 7777/udp
- 15000/udp
- 15777/udp
notify: restart firewalld notify: restart firewalld
tags: firewall tags: firewall

2
ansible/roles/podman/tasks/main.yml
View File

@@ -11,4 +11,6 @@
- import_tasks: container-bookstack.yml - import_tasks: container-bookstack.yml
- import_tasks: container-photos.yml - import_tasks: container-photos.yml
- import_tasks: container-cloud.yml - import_tasks: container-cloud.yml
- import_tasks: container-debyltech.yml
- import_tasks: container-nginx.yml - import_tasks: container-nginx.yml
- import_tasks: container-satisfactory.yml

21
ansible/roles/podman/templates/debyltech/config.json.j2 Normal file
View File

@@ -0,0 +1,21 @@
{
"snipcart_api_key": "{{ snipcart_api_key }}",
"shippo_api_key": "{{ shippo_api_key }}",
"weight_unit": "g",
"dimension_unit": "cm",
"manufacture_country": "US",
"sender_address": {
"name": "de Byl Technologies LLC",
"address1": "176 Lull Rd",
"city": "Weare",
"state": "NH",
"country": "US",
"zip": "03281",
"email": "sales@debyltech.com"
},
"default_parcel": {
"length": "10",
"width": "19",
"height": "16.5"
}
}

16
ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2 Normal file
View File

@@ -0,0 +1,16 @@
server {
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 80;
server_name {{ api_debyltech_server_name }};
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /srv/http/letsencrypt;
}
location / {
return 302 https://$host$request_uri;
}
}

42
ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 Normal file
View File

@@ -0,0 +1,42 @@
upstream apidebyltech {
server 127.0.0.1:8040;
}
server {
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
listen 443 ssl http2;
server_name {{ api_debyltech_server_name }};
client_max_body_size 500M;
ssl_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ api_debyltech_server_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
location / {
add_header Referrer-Policy "same-origin" always;
add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_buffering off;
proxy_http_version 1.1;
proxy_pass http://apidebyltech;
}
}

1
ansible/roles/ssl/tasks/certbot.yml
View File

@@ -13,6 +13,7 @@
- "{{ cloud_server_name }}" - "{{ cloud_server_name }}"
- "{{ parts_server_name }}" - "{{ parts_server_name }}"
- "{{ photos_server_name }}" - "{{ photos_server_name }}"
- "{{ api_debyltech_server_name }}"
tags: ssl tags: ssl
- name: set group ownership for /etc/letsencrypt/ - name: set group ownership for /etc/letsencrypt/

BIN
ansible/vars/vault.yml
View File

Binary file not shown.