From e1205564cb2fd95b877d7978907ad931e48cb608 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 15 Nov 2021 20:26:20 +0000 Subject: [PATCH 001/120] Update nebula to 1.5.0 --- ansible/roles/nebula/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/nebula/vars/main.yml b/ansible/roles/nebula/vars/main.yml index 1dbeede..47d7c5e 100644 --- a/ansible/roles/nebula/vars/main.yml +++ b/ansible/roles/nebula/vars/main.yml @@ -2,4 +2,4 @@ nebula_lighthouse_public_ip: "{{ hosts.casey_ip }}" nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}" nebula_lighthouse_port: 6328 -nebula_version: 1.4.0 +nebula_version: 1.5.0 From 5c0987de4dc15467239de709efdeba4ce3ec2a4c Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 15 Nov 2021 20:26:29 +0000 Subject: [PATCH 002/120] Update uptime-kuma --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index 3509c14..ae8a05d 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.9.2-alpine + image: louislam/uptime-kuma:1.10.1-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From 47bcbd855e8862a07331adf15762c9d29bf9deb5 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 16 Nov 2021 21:04:54 +0000 Subject: [PATCH 003/120] Update nextcloud to 22.2.3 --- ansible/roles/pve_docker/files/nextcloud/config.php | 2 +- ansible/roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/pve_docker/files/nextcloud/config.php b/ansible/roles/pve_docker/files/nextcloud/config.php index 7c30fb9..8b48b9d 100644 --- a/ansible/roles/pve_docker/files/nextcloud/config.php 
+++ b/ansible/roles/pve_docker/files/nextcloud/config.php @@ -19,7 +19,7 @@ $CONFIG = array ( 0 => 'intersect.jakehoward.tech', ), 'dbtype' => 'mysql', - 'version' => '22.2.0.2', + 'version' => '22.2.3.0', 'overwrite.cli.url' => 'https://intersect.jakehoward.tech', 'dbname' => 'nextcloud', 'dbhost' => 'mariadb', diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index 9f723e9..9c37ad6 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: nextcloud: - image: lscr.io/linuxserver/nextcloud:version-22.2.0 + image: lscr.io/linuxserver/nextcloud:version-22.2.3 environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} From eed75d8648c783bf953c763edaea69da96cd565b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 21 Nov 2021 21:53:35 +0000 Subject: [PATCH 004/120] Mount homeassistant data into restic for external backup --- ansible/host_vars/restic.yml | 1 + ansible/roles/restic/tasks/homeassistant.yml | 29 ++++++++++++++++++++ ansible/roles/restic/tasks/main.yml | 4 +++ ansible/roles/restic/vars/main.yml | 4 +++ 4 files changed, 38 insertions(+) create mode 100644 ansible/roles/restic/tasks/homeassistant.yml diff --git a/ansible/host_vars/restic.yml b/ansible/host_vars/restic.yml index 6c5ae4b..5f2d778 100644 --- a/ansible/host_vars/restic.yml +++ b/ansible/host_vars/restic.yml @@ -1,5 +1,6 @@ restic_backup_locations: - /mnt/tank + - /mnt/home-assistant restic_healthchecks_id: !vault | $ANSIBLE_VAULT;1.1;AES256 61343535336633643231356138356631663130313234343538366634393661666232303965643365 diff --git a/ansible/roles/restic/tasks/homeassistant.yml b/ansible/roles/restic/tasks/homeassistant.yml new file mode 100644 index 0000000..dfd2d01 --- /dev/null +++ b/ansible/roles/restic/tasks/homeassistant.yml 
@@ -0,0 +1,29 @@
+- name: Install CIFS utils
+ package:
+ name: cifs-utils
+ become: true
+
+- name: Create dir for CIFS mount
+ file:
+ path: /mnt/home-assistant
+ state: directory
+ mode: "0755"
+ become: true
+
+- name: Create dir for each CIFS mount
+ file:
+ path: /mnt/home-assistant/{{ item }}
+ state: directory
+ mode: "0600"
+ become: true
+ loop: "{{ restic_homeassistant_mounts }}"
+
+- name: Create mounts
+ mount:
+ path: /mnt/home-assistant/{{ item }}
+ fstype: cifs
+ opts: username=homeassistant,password=homeassistant
+ src: //{{ pve_hosts.homeassistant.ip }}/{{ item }}
+ state: mounted
+ become: true
+ loop: "{{ restic_homeassistant_mounts }}"
diff --git a/ansible/roles/restic/tasks/main.yml b/ansible/roles/restic/tasks/main.yml
index f2df011..d5bed99 100644
--- a/ansible/roles/restic/tasks/main.yml
+++ b/ansible/roles/restic/tasks/main.yml
@@ -90,3 +90,7 @@
 mode: "0600"
 become: true
 when: ansible_os_family == 'Archlinux'
+
+- name: Install HomeAssistant mounts
+ include_tasks: homeassistant.yml
+ when: ansible_hostname == 'pve-restic'
diff --git a/ansible/roles/restic/vars/main.yml b/ansible/roles/restic/vars/main.yml
index 28cc7e0..09ca845 100644
--- a/ansible/roles/restic/vars/main.yml
+++ b/ansible/roles/restic/vars/main.yml
@@ -25,3 +25,7 @@ restic_key: !vault |
 66643135336539333738623231346331623464636637373639666435663961383936
 restic_b2_bucket: 0rng-restic
 healthchecks_host: https://hc-ping.com
+
+restic_homeassistant_mounts:
+ - backup
+ - config

From 4452cc4eeb5b30260eb810e6f14ae70272896794 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 23 Nov 2021 22:04:42 +0000
Subject: [PATCH 005/120] Update synapse to 1.47.1

---
 ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
index 3599162..cbcd76b 100644
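Review bot: The "Create mounts" task in the new homeassistant.yml puts the share credentials in clear text in `opts: username=homeassistant,password=homeassistant`, and because `mount` with `state: mounted` also writes that entry to `/etc/fstab`, the password ends up both in this git history and in a world-readable file on the restic host, while every other secret in this role goes through `!vault`. The cifs mount helper accepts a `credentials=` option pointing at a root-only file, so the password can live in a vaulted variable and be written to a `0600` file by a preceding task (marked `no_log` so it is not echoed in play output); mounting with `ro` also fits a backup-only consumer. The `mode: "0600"` on the per-share mount-point directories is harmless once something is mounted over them but reads as a typo for `"0700"`, since a directory without the execute bit cannot be traversed. Variable names and the credentials path below are constructed to match the repo's `vault_*` pattern; adjust to taste.

```yaml
# … unchanged: Install CIFS utils / Create dir tasks …

- name: Install CIFS credentials file
  copy:
    content: |
      username={{ vault_restic_homeassistant_cifs_username }}
      password={{ vault_restic_homeassistant_cifs_password }}
    dest: /root/.cifs-homeassistant
    mode: "0600"
  become: true
  no_log: true

- name: Create mounts
  mount:
    path: /mnt/home-assistant/{{ item }}
    fstype: cifs
    opts: credentials=/root/.cifs-homeassistant,ro
    src: //{{ pve_hosts.homeassistant.ip }}/{{ item }}
    state: mounted
  become: true
  loop: "{{ restic_homeassistant_mounts }}"
```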
--- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.44.0 + image: matrixdotorg/synapse:v1.47.1 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From bbfd872a241398a21faf14708d7d716edcd3de54 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 11 Dec 2021 13:17:58 +0000 Subject: [PATCH 006/120] Mount the whole host into the restic LXC, so I can backup PVE config --- ansible/host_vars/restic.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/host_vars/restic.yml b/ansible/host_vars/restic.yml index 5f2d778..5d2a96e 100644 --- a/ansible/host_vars/restic.yml +++ b/ansible/host_vars/restic.yml @@ -1,5 +1,6 @@ restic_backup_locations: - - /mnt/tank + - /mnt/host/mnt/tank + - /mnt/host/etc/pve - /mnt/home-assistant restic_healthchecks_id: !vault | $ANSIBLE_VAULT;1.1;AES256 From 9e899d0f52084f5f98f7199cf9a7d2f871026f0a Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 15 Dec 2021 20:18:25 +0000 Subject: [PATCH 007/120] Update nebula to 1.5.2 --- ansible/roles/nebula/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/nebula/vars/main.yml b/ansible/roles/nebula/vars/main.yml index 47d7c5e..c1e1be2 100644 --- a/ansible/roles/nebula/vars/main.yml +++ b/ansible/roles/nebula/vars/main.yml @@ -2,4 +2,4 @@ nebula_lighthouse_public_ip: "{{ hosts.casey_ip }}" nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}" nebula_lighthouse_port: 6328 -nebula_version: 1.5.0 +nebula_version: 1.5.2 From 699673c3b5e466e3ed263a8f208825dc1d5b0343 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 15 Dec 2021 20:19:51 +0000 Subject: [PATCH 008/120] Update Synapse to 1.49.0 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index cbcd76b..ca6aa51 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.47.1 + image: matrixdotorg/synapse:v1.49.0 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From 9834a45ec5252b4a3e72363901dc171096aa4a37 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 15 Dec 2021 20:20:50 +0000 Subject: [PATCH 009/120] Update uptime-kuma to 1.11.1 --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index ae8a05d..3c7c065 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.10.1-alpine + image: louislam/uptime-kuma:1.11.1-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From a5329665c0e6b9b67148a6c9cd9329a794b783a1 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 15 Dec 2021 20:21:01 +0000 Subject: [PATCH 010/120] Update vaultwarden to 1.23.1 --- ansible/roles/vaultwarden/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml index f43cc0e..46326a2 100644 --- a/ansible/roles/vaultwarden/files/docker-compose.yml +++ b/ansible/roles/vaultwarden/files/docker-compose.yml 
@@ -2,7 +2,7 @@ version: "2.3" services: vaultwarden: - image: vaultwarden/server:1.23.0-alpine + image: vaultwarden/server:1.23.1-alpine restart: unless-stopped user: "{{ docker_user.id }}:{{ docker_user.id }}" volumes: From b50659ab5d5f195db118131776cbaca51bea5756 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 19 Dec 2021 21:18:09 +0000 Subject: [PATCH 011/120] Update nextcloud to 23 --- ansible/roles/pve_docker/files/nextcloud/config.php | 2 +- ansible/roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/pve_docker/files/nextcloud/config.php b/ansible/roles/pve_docker/files/nextcloud/config.php index 8b48b9d..ec55e98 100644 --- a/ansible/roles/pve_docker/files/nextcloud/config.php +++ b/ansible/roles/pve_docker/files/nextcloud/config.php @@ -19,7 +19,7 @@ $CONFIG = array ( 0 => 'intersect.jakehoward.tech', ), 'dbtype' => 'mysql', - 'version' => '22.2.3.0', + 'version' => '23.0.0.10', 'overwrite.cli.url' => 'https://intersect.jakehoward.tech', 'dbname' => 'nextcloud', 'dbhost' => 'mariadb', diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index 9c37ad6..e7ed1a0 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: nextcloud: - image: lscr.io/linuxserver/nextcloud:version-22.2.3 + image: lscr.io/linuxserver/nextcloud:version-23.0.0 environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} From 9e473265a530807a5123c3f7f3d99736aca2e35a Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Mon, 20 Dec 2021 17:25:18 +0000 Subject: [PATCH 012/120] Read vault password from bitwarden instead of filesystem https://theorangeone.net/posts/ansible-vault-bitwarden/ --- .gitignore | 1 - README.md | 2 +- ansible/ansible.cfg | 1 + ansible/vault-pass.sh | 3 +++ scripts/ansible/deploy.sh | 2 +- 5 files changed, 6 insertions(+), 3 deletions(-) create mode 100755 ansible/vault-pass.sh diff --git a/.gitignore b/.gitignore index d876c26..ddfdfa4 100644 --- a/.gitignore +++ b/.gitignore @@ -112,7 +112,6 @@ dmypy.json # End of https://www.gitignore.io/api/python,ansible env/ -ansible/.vault_pass ansible/galaxy_roles ansible/galaxy_collections diff --git a/README.md b/README.md index 221d981..3f697fb 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ ### Private Settings -The ansible vault password needs setting in `ansible/.vault_pass`. +Ansible [integrates](https://theorangeone.net/posts/ansible-vault-bitwarden/) with Bitwarden through its [CLI](https://bitwarden.com/help/article/cli/). Terraform configuration needs to be placed in `terraform/secrets.auto.tfvars`. diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 6ab62d9..5eec73e 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -7,6 +7,7 @@ collections_path = $PWD/galaxy_collections inventory = ./hosts become_ask_pass = True interpreter_python = auto +vault_password_file = ./vault-pass.sh [ssh_connection] pipelining = True diff --git a/ansible/vault-pass.sh b/ansible/vault-pass.sh new file mode 100755 index 0000000..8cbf3c9 --- /dev/null +++ b/ansible/vault-pass.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +bw get password infrastructure diff --git a/scripts/ansible/deploy.sh b/scripts/ansible/deploy.sh index fed0067..9c7f847 100755 --- a/scripts/ansible/deploy.sh +++ b/scripts/ansible/deploy.sh @@ -4,4 +4,4 @@ set -ex cd ansible/ -time ansible-playbook main.yml -K --vault-password-file .vault_pass $@ +time ansible-playbook main.yml -K $@ 
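Review bot: The new ansible/vault-pass.sh has no comment describing its contract, and it depends on an unlocked Bitwarden session (the `bw` CLI reads `BW_SESSION` from the environment) that nothing in this commit sets up; when the vault is locked or the session has expired, `bw` prints an error and Ansible reports a vault-password failure instead of prompting. I would add a header such as `# Invoked by ansible.cfg (vault_password_file). Needs an unlocked Bitwarden session: export BW_SESSION=$(bw unlock --raw)` above the command. As far as I recall, `bw get password` matches items by name and fails when more than one item is called "infrastructure", so looking the item up by its id would be more robust than by name.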
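Review bot: The rewritten ansible-playbook line in scripts/ansible/deploy.sh still forwards the script's arguments as an unquoted `$@`, so any argument containing whitespace (a constructed example: `-e 'key=some value'`) is word-split before it reaches ansible-playbook; it should read `time ansible-playbook main.yml -K "$@"`. The `set -ex` in the hunk header does not help here, since word splitting is not an error. The rest of deploy.sh is outside the hunk.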
From e2029cf8aa6fe94ba4155d6b8de6f869fdeed9b4 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 20 Dec 2021 17:48:14 +0000 Subject: [PATCH 013/120] Pretend vault pass script is the password --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3a32cb5..449cee7 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -17,5 +17,6 @@ ansible: - chmod 0755 ansible/ # HACK: https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir - apt-get update && apt-get install -y bash git - ./scripts/ansible/setup.sh + - chmod -x ansible/vault-pass.sh # HACK: Pretend executable _is_ the password script: - ./scripts/ansible/lint.sh From 8d40a49780821366efa28502a3820132a7828042 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 20 Dec 2021 21:17:25 +0000 Subject: [PATCH 014/120] Move traefik pages secret into full vault file Trialing a new pattern for vault storage --- ansible/group_vars/all/traefik-pages.yml | 12 ++++++++++++ ansible/group_vars/all/traefik.yml | 11 ----------- ansible/roles/pages/vars/main.yml | 1 + ansible/roles/traefik/vars/main.yml | 1 + 4 files changed, 14 insertions(+), 11 deletions(-) create mode 100644 ansible/group_vars/all/traefik-pages.yml delete mode 100644 ansible/group_vars/all/traefik.yml diff --git a/ansible/group_vars/all/traefik-pages.yml b/ansible/group_vars/all/traefik-pages.yml new file mode 100644 index 0000000..02b8335 --- /dev/null +++ b/ansible/group_vars/all/traefik-pages.yml 
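Review bot: The added `chmod -x ansible/vault-pass.sh` only works because Ansible reads a non-executable `vault_password_file` as the literal password, so the lint job now runs with the script's own text as its vault password and any step that actually needs to decrypt a vaulted value will fail in a confusing way; the comment should say that the job never decrypts anything, if that is the intent. A more explicit form that leaves the tracked script alone is to point CI at a throwaway file, e.g. `- echo lint-only-dummy > /tmp/vault-pass` followed by `- export ANSIBLE_VAULT_PASSWORD_FILE=/tmp/vault-pass`, since the environment variable overrides the ansible.cfg setting. Note that the ` # HACK:` text on the new line is a YAML comment and never reaches the shell, which is fine but worth knowing if someone later quotes the command. The rest of the `ansible:` job is outside the hunk.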
@@ -0,0 +1,12 @@ +$ANSIBLE_VAULT;1.1;AES256 +61383731383962383834343666623839613833363038383639636162616635303339613135666337 +3033393839646364326161323239656231623632356332360a663131313738303063623366616338 +35636237343065626631303231396661633733643861316630356435383239346365343335633362 +6439633838363938370a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diff --git a/ansible/group_vars/all/traefik.yml b/ansible/group_vars/all/traefik.yml deleted file mode 100644 index e81ff56..0000000 --- a/ansible/group_vars/all/traefik.yml +++ /dev/null @@ -1,11 +0,0 @@ -traefik_pages_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 36613865643964363065396534373438383931323930333962653762633831383039363737386430 - 3832343537373366306162383136316365313836623236360a343936623764383264633166666139 - 37666165653938636164363765613964336663326666643537343131613133313336626266663138 - 6162326633306162650a363731663031613738333564393033333131373630383163666264663130 - 36323039363133366562626262386530616134623234623365663662643362386239643637346633 - 33383735303736336661633739623565356664386462653062313632353830323439393563386439 - 35313433666362383066303135396265393632376535396265323838376437653132393637376531 - 66643233353735353133626539346432366166303732343666333735633136313661333761653865 - 33623164306363623665613063656438303938306138336233393234663532323938 diff --git a/ansible/roles/pages/vars/main.yml b/ansible/roles/pages/vars/main.yml index d7ef8ca..3f6be40 100644 --- a/ansible/roles/pages/vars/main.yml +++ b/ansible/roles/pages/vars/main.yml @@ -20,3 +20,4 @@ github_user_password: !vault | 38343763363363623334313735346230373135626337343437633833633230376466396663363233 32303562653733653334316439663230353031656132363661383166656639396235353838396535 31636364366363316339386131333530626462633765393033393666343763303366 +traefik_pages_password: "{{ vault_traefik_pages_password }}" 
diff --git a/ansible/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml index 12f39e3..cdfd256 100644 --- a/ansible/roles/traefik/vars/main.yml +++ b/ansible/roles/traefik/vars/main.yml @@ -14,3 +14,4 @@ letsencrypt_email: !vault | 62633331616264623932303031663130623135623566323964656162656265633863336333373538 3963303639373032620a363434643539393838303233653037383765363961373363333034343534 37663462663235613062633837373334366163636362386364356635313730363566 +traefik_pages_password: "{{ vault_traefik_pages_password }}" From 3f37cd4448b2b0c3660308435419d975b9d2726a Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 20 Dec 2021 21:17:42 +0000 Subject: [PATCH 015/120] Be quiet on interpreter warnings It works fine, I don't need to be screamed at --- ansible/ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 5eec73e..b3bf7cb 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -6,7 +6,7 @@ roles_path = $PWD/galaxy_roles:$PWD/roles collections_path = $PWD/galaxy_collections inventory = ./hosts become_ask_pass = True -interpreter_python = auto +interpreter_python = auto_silent vault_password_file = ./vault-pass.sh [ssh_connection] From dce7c782ec7bb60b3e90ddab8b93d1fa22b08b0e Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 17:58:52 +0000 Subject: [PATCH 016/120] Move wireguard keys into a separate vault file --- ansible/group_vars/all/wireguard-keys.yml | 38 ++++++++++++ ansible/group_vars/all/wireguard.yml | 72 +++-------------------- 2 files changed, 46 insertions(+), 64 deletions(-) create mode 100644 ansible/group_vars/all/wireguard-keys.yml diff --git a/ansible/group_vars/all/wireguard-keys.yml b/ansible/group_vars/all/wireguard-keys.yml new file mode 100644 index 0000000..fbb9e9b --- /dev/null +++ b/ansible/group_vars/all/wireguard-keys.yml 
@@ -0,0 +1,38 @@ +$ANSIBLE_VAULT;1.1;AES256 +33383161333137333035386230323863336231663936653161346236656539376666313264613465 +3665303737386265643333303034616566303437373362340a353239313530646564643563393537 +63326539313264353761313936623438653934386166636361373337333061363863323033633364 +3963376433393430610a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diff --git a/ansible/group_vars/all/wireguard.yml b/ansible/group_vars/all/wireguard.yml index 3a11c5d..90f4f64 100644 --- a/ansible/group_vars/all/wireguard.yml +++ b/ansible/group_vars/all/wireguard.yml 
@@ -4,74 +4,18 @@ wireguard: cidr: 10.23.0.0/24 server: ip: 10.23.0.1 - public_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 38663861323433663733306266313862383538613562616531656262616665393130626564666539 - 6636666561663137623166383432396163653835346335650a616139306431363934383031353161 - 63656233623963316238663366613237613165663238343937313062616565333038326664373463 - 6463623861656362350a636564363163353736613032386533613163333039336637356433633037 - 66663563666263613737336235316565663337636339613933343939323563393034353431343932 - 6339386262333134373465616637613534333839333265613563 - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 39333362373534343265623337353037343238623365633863373333323166646562326234336633 - 3265653136326337306439623331393733346237326630340a346466316562643432656330313764 - 64303535663736356561623636366261343830366561343463653561343337353034626533306634 - 3334323935303734660a373961303535646336663637346137316337383132346665366336353139 - 34313137366239323361386136396666646362306538616661643164383166326335666638336230 - 6432363064313239656338356630626235336239356662326362 + public_key: "{{ vault_wireguard_server_public_key }}" + private_key: "{{ vault_wireguard_server_private_key }}" clients: bartowski: ip: 10.23.0.10 - public_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 65636435336562653438363866663238353065303132383633613539633738303461303838313332 - 3331626266336635376338636236383131333765626634310a663765363736653363366463306464 - 37633539396233333036313837363033623038386437393461316335643038383234656338646439 - 6336386563383162360a316463316539623536643235346461303463616230663964666438623837 - 39346131303535656335633034393963393632346531643133383365333161376464336338393138 - 6633386362393932323739353638383566373434643766613536 - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 30656637616266383939373864643365343730396434303561336661646561333462313231373032 - 
3661333939633863393166396532303065316464616466630a653733626539353263376632633766 - 61646264343332346639326239306465363033303566326638363262656363313963393637353135 - 3935663663613332370a656438663934343365343766373665643538616233366563353463336331 - 61623763306665636361643664383566373861363037386664626638666566623034633134626465 - 3831666130333133636536633539346431613863623330326430 + public_key: "{{ vault_wireguard_bartowski_public_key }}" + private_key: "{{ vault_wireguard_bartowski_private_key }}" op7: ip: 10.23.0.11 - public_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 64383363343138626533326634313735666336393632396239333037383664366661356231663335 - 6130326664303735376661353031666561333232396437350a343334333831663834353934356136 - 34306439346661326363396136396632663435633430323238393737393565313136613166313264 - 3231626438346636360a643766633130393761646433613565653765393330616136343033303166 - 37623262333037323136363732626366363036626332306437373439633762353461306436363033 - 3733613235356636323930656364646531633665616537316462 - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 33376138383030336261303764626561643764633433316564613535383963636239666437363032 - 6338666632376231386430396662656130323637383461620a613534653563343363653764663734 - 64656565636133663063323163383030373366353863393661393733616231346565666531373939 - 6533393634663939350a313237386565313737346664333334653932663935653338623465383631 - 34646432373131626465653632613235363730353531363136333339383130346535313536636265 - 3631316663306563366137656364313266366237646665303362 + public_key: "{{ vault_wireguard_op7_public_key }}" + private_key: "{{ vault_wireguard_op7_private_key }}" ingress: ip: 10.23.0.2 - public_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 35303230376161383436623662376136623039646533323737613533346662333633303335363337 - 3662396435616535386334623563396330306432653263380a306563303664636565333537313338 - 34356331336664336362616235353136346237303263326331383137306536643438313639653938 
- 3961366563356562660a303131396334626135663038633536326132623332313436363037343632 - 64613566623238393337613161333438316536633631626536393263656466316363356131623732 - 3134333035613634313934333461626531333437313835386431 - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 39353738366635326164316161636531366133613439343166383030623164366361613830303232 - 3738303931386336313534303332396363366233623164660a386664353333393137623065396634 - 36333261376136313939616563326235376331636164353538626363393361313739383239613466 - 3635663664366261320a653334626366376539386232373034643235356433643934383132343439 - 33633865353337356636343562383163323039663061653763633166346566396665366434666335 - 3832346662303438633233393165343030616331353936633262 + public_key: "{{ vault_wireguard_ingress_public_key }}" + private_key: "{{ vault_wireguard_ingress_private_key }}" From 0b352e22d11092c7a64753386fc5a98f6bd3fe38 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 18:04:03 +0000 Subject: [PATCH 017/120] Merge all group vars into single vault file This will make tracking down where a secret is defined much simpler --- ansible/group_vars/all/traefik-pages.yml | 12 ------ ansible/group_vars/all/vault.yml | 46 +++++++++++++++++++++++ ansible/group_vars/all/wireguard-keys.yml | 38 ------------------- 3 files changed, 46 insertions(+), 50 deletions(-) delete mode 100644 ansible/group_vars/all/traefik-pages.yml create mode 100644 ansible/group_vars/all/vault.yml delete mode 100644 ansible/group_vars/all/wireguard-keys.yml diff --git a/ansible/group_vars/all/traefik-pages.yml b/ansible/group_vars/all/traefik-pages.yml deleted file mode 100644 index 02b8335..0000000 --- a/ansible/group_vars/all/traefik-pages.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -61383731383962383834343666623839613833363038383639636162616635303339613135666337 -3033393839646364326161323239656231623632356332360a663131313738303063623366616338 -35636237343065626631303231396661633733643861316630356435383239346365343335633362 -6439633838363938370a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diff --git a/ansible/group_vars/all/vault.yml b/ansible/group_vars/all/vault.yml new file mode 100644 index 0000000..1ab251a --- /dev/null +++ b/ansible/group_vars/all/vault.yml @@ -0,0 +1,46 @@ +$ANSIBLE_VAULT;1.1;AES256 +30343133373338316432396463353230353530636565643265313335353739323638326635313331 +6563393438343438363539643864636330333138323362350a303563323730393933323164363033 +65366435613762333662356239303138393033393639376438396362343838376634346432663461 +3963633862303834390a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diff --git a/ansible/group_vars/all/wireguard-keys.yml b/ansible/group_vars/all/wireguard-keys.yml deleted file mode 100644 index fbb9e9b..0000000 --- a/ansible/group_vars/all/wireguard-keys.yml +++ /dev/null @@ -1,38 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -33383161333137333035386230323863336231663936653161346236656539376666313264613465 -3665303737386265643333303034616566303437373362340a353239313530646564643563393537 -63326539313264353761313936623438653934386166636361373337333061363863323033633364 -3963376433393430610a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rom fcda77e750ef226dccfeb20f7eef8c7003463fa9 Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Tue, 21 Dec 2021 19:36:52 +0000 Subject: [PATCH 018/120] Extract vault items from host vars --- ansible/host_vars/decker.yml | 11 ---- ansible/host_vars/decker/main.yml | 4 ++ ansible/host_vars/decker/vault.yml | 9 +++ .../host_vars/{grimes.yml => grimes/main.yml} | 9 +-- ansible/host_vars/grimes/vault.yml | 9 +++ ansible/host_vars/pve.yml | 59 ------------------- ansible/host_vars/pve/main.yml | 46 +++++++++++++++ ansible/host_vars/pve/vault.yml | 13 ++++ ansible/host_vars/restic.yml | 22 ------- ansible/host_vars/restic/main.yml | 8 +++ ansible/host_vars/restic/vault.yml | 12 ++++ ansible/host_vars/walker.yml | 13 ---- ansible/host_vars/walker/main.yml | 6 ++ ansible/host_vars/walker/vault.yml | 9 +++ 14 files changed, 117 insertions(+), 113 deletions(-) delete mode 100644 ansible/host_vars/decker.yml create mode 100644 ansible/host_vars/decker/main.yml create mode 100644 ansible/host_vars/decker/vault.yml rename ansible/host_vars/{grimes.yml => grimes/main.yml} (58%) create mode 100644 ansible/host_vars/grimes/vault.yml delete mode 100644 ansible/host_vars/pve.yml create mode 100644 ansible/host_vars/pve/main.yml create mode 100644 ansible/host_vars/pve/vault.yml delete mode 100644 ansible/host_vars/restic.yml create mode 100644 ansible/host_vars/restic/main.yml create mode 100644 ansible/host_vars/restic/vault.yml delete mode 100644 ansible/host_vars/walker.yml create mode 100644 ansible/host_vars/walker/main.yml create mode 100644 ansible/host_vars/walker/vault.yml diff --git a/ansible/host_vars/decker.yml b/ansible/host_vars/decker.yml deleted file mode 100644 index 39de68a..0000000 --- a/ansible/host_vars/decker.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -restic_backup_locations: - - /opt - - "{{ home }}/db-backups" -restic_healthchecks_id: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 38326130663036353465396538356534333432393033623531393433383263383665353736653762 - 3061633438386630643536366265633262663365363539320a343134396562626136346435373163 - 33313762336136373836376133656437396139653366363666353432616433663464356532303535 - 3833323130363961620a666630313566376134313139666361366439626666393962373965386238 - 37326164393231303331616630636231316664383461346136323738616364383635313261666537 - 3162363138386335656232336666646536666266383665346634 diff --git a/ansible/host_vars/decker/main.yml b/ansible/host_vars/decker/main.yml new file mode 100644 index 0000000..5e80d54 --- /dev/null +++ b/ansible/host_vars/decker/main.yml @@ -0,0 +1,4 @@ +restic_backup_locations: + - /opt + - "{{ home }}/db-backups" +restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}" diff --git a/ansible/host_vars/decker/vault.yml b/ansible/host_vars/decker/vault.yml new file mode 100644 index 0000000..653f1bf --- /dev/null +++ b/ansible/host_vars/decker/vault.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +64386132336631373533383835363066313631666162666662376665643434333935666334393633 +6662663138396139626663313961303265633535653439330a393732323931653137626638313765 +34343931396166363338346431616632326263653663326537386561646466633835343663323534 +3833653734373962610a383238623138636164623732336165613930323364346333646338383566 +62633532343063653665363663356461383134333439636230333839646331626239346438306636 +62373262663730343963643061383262356437346535323031326539663637636432376463643666 +33616463326261326336316331373331613635613036636235643934646466306530653363303266 +33393864386538656234 diff --git a/ansible/host_vars/grimes.yml b/ansible/host_vars/grimes/main.yml similarity index 58% rename from ansible/host_vars/grimes.yml rename to ansible/host_vars/grimes/main.yml index 67d3305..982dbf8 100644 
--- a/ansible/host_vars/grimes.yml +++ b/ansible/host_vars/grimes/main.yml @@ -28,11 +28,4 @@ restic_backup_locations: restic_backup_excludes: - /home/dokku/**/cache # Caches are big, don't need those -restic_healthchecks_id: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 66316632623066346265613438663263636530643862353664613939323835353736613635343662 - 3433313362346338623439343962333161343134623930610a386133653939366630646537656335 - 66666633323063353464326564653362356666376331656635663863353966363434333863396463 - 3264326637306366380a383739653061343561303939363932396232323065323164653563663161 - 66646363326639333530376134343465666138656134343765663130333739313631666266636363 - 3539613535636461316461386238373730643238313435303439 +restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}" diff --git a/ansible/host_vars/grimes/vault.yml b/ansible/host_vars/grimes/vault.yml new file mode 100644 index 0000000..4866140 --- /dev/null +++ b/ansible/host_vars/grimes/vault.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +61636635633634366161363765363961396430313436353337616466653964373464633236663631 +3066653963336137343065343631623730653536343934660a666662306464313738636163316131 +66386565303630376663643330396630303832323839366164303061303331636362306236396131 +3136326432323939380a373764616161623333343834623566663139396139323561323463376330 +39386531373266353063316566366636363538663865373638643736366135373937313030373630 +36303166643533653038323466353230383464353130323233333838656432343931643035663535 +66383332363762353832316535663234373066386662656135343564353363303232613766313563 +32336561313639366461 diff --git a/ansible/host_vars/pve.yml b/ansible/host_vars/pve.yml deleted file mode 100644 index 5bce9c3..0000000 --- a/ansible/host_vars/pve.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -private_ip: "{{ pve_hosts.pve.ip }}" - -zpools_to_scrub: - - tank - - rpool - -# 7GB, or so -zfs_arc_size: 7000000000 - -sanoid_datasets: - tank: - use_template: production - recursive: true - process_children_only: true - - rpool: - use_template: production - recursive: true - -# Snapraid -snapraid_install: false -snapraid_runner: false - -snapraid_data_disks: - - path: /mnt/bulk - content: true -snapraid_parity_disks: - - path: /mnt/parity - content: true - -snapraid_content_files: - - /mnt/tank/files/snapraid.content - - /var/snapraid.content - -snapraid_config_excludes: - - "*.unrecoverable" - - /lost+found/ - - "*.!sync" - - /tmp/ - -snapraid_scrub_schedule: - hour: 5 - weekday: 4 -snapraid_scrub_healthcheck_io_uuid: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 39306266626437303331656561323032666232616430383534306464396437363436643234353862 - 3061373137353131353139383862326166643230323564370a383636353035316538623661303331 - 37383836636330663335336633333464623938626365373935346538633638613931653338376638 - 6161313231343164370a363031353365336131333337336531346539383131363034376236303332 - 66313661636635633631376163656235373034343637313161393633353866643662353639623062 - 3465366462363062363438666237306538363234613862666238 -snapraid_sync_healthcheck_io_uuid: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 63303862326336613366333136633633613864663364616235346632303033303339316635363863 - 3134646236636663396663363835323130666665643935630a376437613131373338623237393761 - 62303731373138366136323432316261396232386365636635316637643031386138653936636234 - 6639323030383330310a623234333235323536313534643736666237666265393533343736316466 - 30643363653761336364323331663037643030313962656339646661336534396337353761393738 - 6563613764353932633962343261643832656637613961373333 diff --git a/ansible/host_vars/pve/main.yml b/ansible/host_vars/pve/main.yml new file mode 100644 index 0000000..55e5343 --- /dev/null +++ b/ansible/host_vars/pve/main.yml 
@@ -0,0 +1,46 @@ +private_ip: "{{ pve_hosts.pve.ip }}" + +zpools_to_scrub: + - tank + - rpool + +# 7GB, or so +zfs_arc_size: 7000000000 + +sanoid_datasets: + tank: + use_template: production + recursive: true + process_children_only: true + + rpool: + use_template: production + recursive: true + +# Snapraid +snapraid_install: false +snapraid_runner: false + +snapraid_data_disks: + - path: /mnt/bulk + content: true +snapraid_parity_disks: + - path: /mnt/parity + content: true + +snapraid_content_files: + - /mnt/tank/files/snapraid.content + - /var/snapraid.content + +snapraid_config_excludes: + - "*.unrecoverable" + - /lost+found/ + - "*.!sync" + - /tmp/ + +snapraid_scrub_schedule: + hour: 5 + weekday: 4 + +snapraid_scrub_healthcheck_io_uuid: "{{ vault_snapraid_scrub_healthcheck_io_uuid }}" +snapraid_sync_healthcheck_io_uuid: "{{ vault_snapraid_sync_healthcheck_io_uuid }}" diff --git a/ansible/host_vars/pve/vault.yml b/ansible/host_vars/pve/vault.yml new file mode 100644 index 0000000..8434467 --- /dev/null +++ b/ansible/host_vars/pve/vault.yml 
@@ -0,0 +1,13 @@ +$ANSIBLE_VAULT;1.1;AES256 +35373139393931313861616335663835396132626632363635316430306539666631393230323539 +3830333131633532343962376562663463656235333137340a343536626237306465646661656566 +32346535633838386137383238336130663639633266366137353739633062313730333963626462 +3436633035396461630a313433343330303434396665313536656462306166623636633731353937 +33366265383932343231386438633432623263316363623032356662393538346234326238333130 +64326434393165653134386631636165303836323763636532303562326238366638333063636135 +33303866383934393961363933316433623637656264333531623034383337343231323361383363 +63623264626537363832623662313533326230326665363161643931306338363831343566353839 +39363562366430383461396232653531626131386234643731643463616563363334636365353934 +66643561326566613364653363313763356662623066326232653938373135313561386636313264 +31633938363863633866336435396239346266343662356231376161363763666332306330393337 +64373933396136386366 diff --git a/ansible/host_vars/restic.yml b/ansible/host_vars/restic.yml deleted file mode 100644 index 5d2a96e..0000000 --- a/ansible/host_vars/restic.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -restic_backup_locations: - - /mnt/host/mnt/tank - - /mnt/host/etc/pve - - /mnt/home-assistant -restic_healthchecks_id: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 61343535336633643231356138356631663130313234343538366634393661666232303965643365 - 3735323363366366303366336163623334316638653164610a633735316466336637346666666536 - 64323361653034303033383333333037346637343865636634386533653337363936386130396265 - 3134623162393034370a383737386434653036373639636631363233623232383936313264656539 - 62376636326332386330663432306135313938623134383239373435666666356538363639323333 - 3264386632376261666566373032363261643961376635336131 - -restic_forget: true -restic_forget_healthchecks_id: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 35356435623338613263633563623834376461643133386432366666373336373637326637626538 - 3264323338323034613633346431363362656362303530650a303861343438643232396436383065 - 34366236343664616566646564616532643066353732616566343665306464353637613362373837 - 6135323461646234360a383039623663333761343439636332323139616365313865666261336162 - 65663363666165313065323939653530613234613139316436343839356262363666373262366539 - 6666333133626561636638326335353135313637393033313138 diff --git a/ansible/host_vars/restic/main.yml b/ansible/host_vars/restic/main.yml new file mode 100644 index 0000000..49e08ca --- /dev/null +++ b/ansible/host_vars/restic/main.yml @@ -0,0 +1,8 @@ +restic_backup_locations: + - /mnt/host/mnt/tank + - /mnt/host/etc/pve + - /mnt/home-assistant +restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}" + +restic_forget: true +restic_forget_healthchecks_id: "{{ vault_restic_forget_healthchecks_id }}" diff --git a/ansible/host_vars/restic/vault.yml b/ansible/host_vars/restic/vault.yml new file mode 100644 index 0000000..cb262ed --- /dev/null +++ b/ansible/host_vars/restic/vault.yml 
@@ -0,0 +1,12 @@ +$ANSIBLE_VAULT;1.1;AES256 +31333338396531316366353161666432346634373335356464663837386231616632373833656130 +3361383732623965393533316366373864323064393530330a346565393462316561383733653437 +62363736356432363239373863303734323437333034343266313135383866303566396639646230 +3839333535393036390a383534346233633935393561353637353835663763343531613238653664 +39356365306630373036396132373562646130636439373964333363306431666565613434646365 +64353933656365653431386463623034643564303266396438353064373434336436366431366338 +31386637376165633731373633656336623531323965343534323031363163356239353031643165 +37663232636234663735613037666161393736663432656139646264313763303164386161626162 +65393363336435333738303061613738636666303961653361376131376161623264343666353061 +61663636656339363539666335643239653361383961333665646562613935396335623565306531 +643165653537326431373637303639343763 diff --git a/ansible/host_vars/walker.yml b/ansible/host_vars/walker.yml deleted file mode 100644 index 6a501e1..0000000 --- a/ansible/host_vars/walker.yml +++ /dev/null @@ -1,13 +0,0 @@ -with_traefik_pages: true - -restic_backup_locations: - - /opt - - "{{ home }}/db-backups" -restic_healthchecks_id: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 30663732643431326232366364373238653263613039373232663563303334326137376663373366 - 6136306335363665313133623531643736653934323034620a346461633634633932343936376361 - 36386539376630333361336664616238363532643764616137666435336366373962396336633835 - 6338343236636637620a643137396563333862376464333461376535663938313034323236653334 - 34393364666562303630396333663463363735353134313161303062373433393731373461383634 - 6266613466303865333834616630626337383735323566336639 diff --git a/ansible/host_vars/walker/main.yml b/ansible/host_vars/walker/main.yml new file mode 100644 index 0000000..051f12b --- /dev/null +++ b/ansible/host_vars/walker/main.yml 
@@ -0,0 +1,6 @@ +with_traefik_pages: true + +restic_backup_locations: + - /opt + - "{{ home }}/db-backups" +restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}" diff --git a/ansible/host_vars/walker/vault.yml b/ansible/host_vars/walker/vault.yml new file mode 100644 index 0000000..0f34a25 --- /dev/null +++ b/ansible/host_vars/walker/vault.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +63343332346238306230643233623336383766656433366339346331653036633636666238613764 +3431336432616166386462346532633664616562636136630a613836643565633962656432653333 +65356132316139363261373961663930383131393535633861343734393666326665653931663036 +3632613637663132360a373266303662623739633831613764313061616239303135386630616638 +62323930366166326433363835316536646363616431653566306363323736343761643038346262 +39316564333435663539653563653737333730616131393766643964303536373235323430616261 +39306535356562313133653337383762373636373234363732636266613165333439356334383661 +39343333303337363766 From 66662594d014f284ef8204faffc372134f7c46c2 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 19:57:43 +0000 Subject: [PATCH 019/120] Extract plausible secrets to dedicated vault --- .../roles/plausible/files/docker-compose.yml | 4 ++-- ansible/roles/plausible/tasks/main.yml | 3 +++ ansible/roles/plausible/vars/main.yml | 23 ++----------------- ansible/roles/plausible/vars/vault.yml | 16 +++++++++++++ 4 files changed, 23 insertions(+), 23 deletions(-) create mode 100644 ansible/roles/plausible/vars/vault.yml diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index ca34222..a769ac1 100644 --- a/ansible/roles/plausible/files/docker-compose.yml +++ b/ansible/roles/plausible/files/docker-compose.yml 
@@ -22,8 +22,8 @@ services: - traefik.http.routers.plausible-embed.middlewares=plausible-index environment: - - SECRET_KEY_BASE={{ secret_key }} - - SIGNING_SALT={{ signing_salt }} + - SECRET_KEY_BASE={{ plausible_secret_key }} + - SIGNING_SALT={{ plausible_signing_salt }} - DATABASE_URL=postgres://plausible:plausible@db:5432/plausible - DISABLE_REGISTRATION=true - DISABLE_SUBSCRIPTION=true diff --git a/ansible/roles/plausible/tasks/main.yml b/ansible/roles/plausible/tasks/main.yml index 0293245..4c431a7 100644 --- a/ansible/roles/plausible/tasks/main.yml +++ b/ansible/roles/plausible/tasks/main.yml @@ -1,3 +1,6 @@ +- name: Include vault + include_vars: vault.yml + - name: Create install directory file: path: /opt/plausible diff --git a/ansible/roles/plausible/vars/main.yml b/ansible/roles/plausible/vars/main.yml index 9d2dd72..aff74af 100644 --- a/ansible/roles/plausible/vars/main.yml +++ b/ansible/roles/plausible/vars/main.yml @@ -1,21 +1,2 @@ -secret_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 39336333353061326461306663306661393465646536323664353933643030623561393732323438 - 3162376361386238623238323765376261303431643530660a646234653266326264336636343264 - 38396537646661386435353134663033336133646233343334356364663136373233623436383862 - 6139326335313830370a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signing_salt: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 35366665313061333735636265386535663830666531376365323033353338653536633334646566 - 3065393638663934623237336561633365303664613863350a326661393439393532316666653134 - 61353939626433396530636665636439313966636130386365396535326239366331646664383562 - 3763326533373266620a376230613664633332663065393561656565653634366130323534633865 - 35336236653664373131343364373637653261303030663239333534653432386438343162393866 - 3563353137633338623239346538643662393537313932386366 +plausible_secret_key: "{{ vault_plausible_secret_key }}" +plausible_signing_salt: "{{ vault_plausible_signing_salt }}" 
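Review bot: The `DATABASE_URL=postgres://plausible:plausible@db:5432/plausible` context line directly below the new `SIGNING_SALT` entry still carries the database password inline, so the secret extraction this patch performs is incomplete for this file. The `db` service is presumably only reachable on the compose network, which limits the exposure, but for consistency the password could follow the same `vault_plausible_*` pattern introduced here (together with the matching `POSTGRES_PASSWORD` on the `db` service, which lies outside this hunk). Since every one of these values is rendered in plaintext into the compose file on the host, the file's owner and `docker_compose_file_mask` mode are what protects them at rest.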
diff --git a/ansible/roles/plausible/vars/vault.yml b/ansible/roles/plausible/vars/vault.yml new file mode 100644 index 0000000..caf934d --- /dev/null +++ b/ansible/roles/plausible/vars/vault.yml @@ -0,0 +1,16 @@ +$ANSIBLE_VAULT;1.1;AES256 +31656261333332323730306162626265323432313264663230303264623662353065393362616635 +6131376236383233646366663264653663363930653937650a373264623632633130626330343264 +66633064303765323666323162376262636461626563626134613230326635616636386463393931 +6633373864666139310a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rom 4cbc15fe0bf4e40da4fa3b87a1a9866d7a488f03 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 20:00:54 +0000 Subject: [PATCH 020/120] Move gitlab runner secrets to dedicated vault --- ansible/roles/gitlab_runner/tasks/main.yml | 3 +++ ansible/roles/gitlab_runner/vars/main.yml | 8 +------- ansible/roles/gitlab_runner/vars/vault.yml | 8 ++++++++ 3 files changed, 12 insertions(+), 7 deletions(-) create mode 100644 ansible/roles/gitlab_runner/vars/vault.yml diff --git a/ansible/roles/gitlab_runner/tasks/main.yml b/ansible/roles/gitlab_runner/tasks/main.yml index df82f02..d2f2a37 100644 --- a/ansible/roles/gitlab_runner/tasks/main.yml +++ b/ansible/roles/gitlab_runner/tasks/main.yml @@ -1,3 +1,6 @@ +- name: Include vault + include_vars: vault.yml + - name: Install runner package: name: gitlab-runner diff --git a/ansible/roles/gitlab_runner/vars/main.yml b/ansible/roles/gitlab_runner/vars/main.yml index 83ee4e3..5e4d04c 100644 --- a/ansible/roles/gitlab_runner/vars/main.yml +++ b/ansible/roles/gitlab_runner/vars/main.yml 
@@ -1,7 +1 @@ -gitlab_runner_token: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 65643664363337623138623538363032646330316263626632353233373832313235353939643465 - 3736633363663137653432306465626331653064303736310a313030646266316230396563313834 - 39366638646238303936633961343030623030633034653133376663656263333034373265313764 - 6637373531373262610a323037316336346339616563373933313436633337656634393535333235 - 36653337383864666137323331636136653338313133316265366337646465313533 +gitlab_runner_token: "{{ vault_gitlab_runner_token }}" diff --git a/ansible/roles/gitlab_runner/vars/vault.yml b/ansible/roles/gitlab_runner/vars/vault.yml new file mode 100644 index 0000000..43b42fe --- /dev/null +++ b/ansible/roles/gitlab_runner/vars/vault.yml @@ -0,0 +1,8 @@ +$ANSIBLE_VAULT;1.1;AES256 +61313533333239316433623837616239346461393538356665363034663533343165366434316137 +3837376330386436656265356637343166643465616534390a666634323334383831306336613636 +36623630646235386661633266633533396664656464333561623036313865343036653734643132 +6333393739383764340a646361383961373434303936383131326364626439353262623965643564 +31343631656234666464383935306434383363316362666263323165613939663736326435313966 +35373466333937636633383138636434333765646235633630616539343464343237383236613739 +313038366164653662616461626661363832 From 7b6675a9d0a513ef382f5e484ab3cd47644b7083 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 20:12:05 +0000 Subject: [PATCH 021/120] Move gitlab variables to single vault --- ansible/roles/gitlab/tasks/main.yml | 3 +++ ansible/roles/gitlab/vars/main.yml | 24 +++--------------------- ansible/roles/gitlab/vars/vault.yml | 12 ++++++++++++ 3 files changed, 18 insertions(+), 21 deletions(-) create mode 100644 ansible/roles/gitlab/vars/vault.yml diff --git a/ansible/roles/gitlab/tasks/main.yml b/ansible/roles/gitlab/tasks/main.yml index 23c2366..f997702 100644 --- a/ansible/roles/gitlab/tasks/main.yml +++ b/ansible/roles/gitlab/tasks/main.yml 
@@ -1,3 +1,6 @@ +- name: Include vault + include_vars: vault.yml + - name: Install and configure GitLab import_role: name: geerlingguy.gitlab diff --git a/ansible/roles/gitlab/vars/main.yml b/ansible/roles/gitlab/vars/main.yml index e26a275..4881f08 100644 --- a/ansible/roles/gitlab/vars/main.yml +++ b/ansible/roles/gitlab/vars/main.yml @@ -1,23 +1,5 @@ gitlab_config_template: files/gitlab.rb gitlab_create_self_signed_cert: false -gitlab_smtp_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 65613432613564643737373038393834363865356139636239393635373437323730646166366539 - 3264306365663964383364643530313731356565393364310a333364396164303933383364323564 - 32653239623662306437383332376233633764303131613733646661316261373130363763623064 - 3832323835653964620a393264353864393066303264343438336665626266643338666564386532 - 62626366343236623337353566623764653633356435623961623835313462343632 -gitlab_smtp_user: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 65363932326464623165396365326130383464336166343832643563356363363930373339386534 - 3530316232363430386666623736366632313439313934360a313862646530383833383737333332 - 31313931626464636231616465313635306363666165383437386136383463646532626566376133 - 6134663039653633360a353036336135366530336530313562626262653130626463393836643435 - 66313166656461363931383837323937363365656139323564383263653037333434 -gitlab_from_email: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 65643234353935653465613934373736643931396363303734336233393335346431373136356630 - 3234363436383761346135613039353562643438306532630a383937346662306538623533623430 - 34346434653530613764626661396463323634336365653232616661306437333034313137316231 - 6465396332383363320a316632306261363964623263626539373037366638323834623533366335 - 39383566353935353066306139626337643165333161653430393137323438623132 +gitlab_smtp_password: "{{ vault_gitlab_smtp_password }}" +gitlab_smtp_user: "{{ vault_gitlab_smtp_user }}" +gitlab_from_email: "{{ vault_gitlab_from_email }}" 
diff --git a/ansible/roles/gitlab/vars/vault.yml b/ansible/roles/gitlab/vars/vault.yml new file mode 100644 index 0000000..3a7e5a2 --- /dev/null +++ b/ansible/roles/gitlab/vars/vault.yml @@ -0,0 +1,12 @@ +$ANSIBLE_VAULT;1.1;AES256 +61366238363431353336613362396330363337633339363735383438383939353532376539316263 +6133383136353261386239303730633431653434343636350a353339393932396634656164333035 +65353136333962366334396139316264646666353964643332313933346132303066323231626433 +3761333362396231650a373935363763343831626431633930336337393037633933346339366135 +34653062663737313833623731343462303935376131343061643632336366656636356439653534 +39373430626466353333646638363936383932373161376135376239383231633665303439393939 +62336361643336616634376562613963636461356265303834313162643261323433393965613762 +31663133383163346434343662613965306234306563343565663362386563633664623538343363 +63333965623262653735386563393162386532643362626562643539356339363131396430633030 +31383361396265366237613635323839633562663264666638323531373933363733303839656564 +626432386162306638356434616465396265 From 0734ff42d841471397071866587f0112309bf4e8 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 20:22:47 +0000 Subject: [PATCH 022/120] Move grafana variables to vault file --- ansible/roles/forrest/tasks/main.yml | 3 +++ ansible/roles/forrest/vars/main.yml | 24 +++--------------------- ansible/roles/forrest/vars/vault.yml | 12 ++++++++++++ 3 files changed, 18 insertions(+), 21 deletions(-) create mode 100644 ansible/roles/forrest/vars/vault.yml diff --git a/ansible/roles/forrest/tasks/main.yml b/ansible/roles/forrest/tasks/main.yml index bc350b9..14b386f 100644 --- a/ansible/roles/forrest/tasks/main.yml +++ b/ansible/roles/forrest/tasks/main.yml @@ -1,3 +1,6 @@ +- name: Include vault + include_vars: vault.yml + - name: Grafana include: grafana.yml diff --git a/ansible/roles/forrest/vars/main.yml b/ansible/roles/forrest/vars/main.yml index 7955bd9..7b8b8f8 100644 
--- a/ansible/roles/forrest/vars/main.yml +++ b/ansible/roles/forrest/vars/main.yml @@ -1,21 +1,3 @@ -grafana_smtp_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 30316563333931376361643430343463636266636464303536356166623062633236323331363465 - 3039666538633165616139663764343031316339666565390a663934313165306631303162373864 - 36383262386365386664613431373863333963326538633535336139383433316465356236666466 - 6530386564313761300a346239646234353631386530663931613861313664666633346237313863 - 31623136616236363235666634303434383866346462643731346532646561656236 -grafana_smtp_user: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 33613266323466316166643631393938653439383333343736313061393261366662663238303035 - 6132346334343863633232303863636230333962316633650a616661346634646666636439323032 - 63633936336361303635323064666637396335626136613431366161653062303534386637656666 - 6630623330613439640a613863326331656235313164663736643539373934636633383430346365 - 39356331376364373931393365646630316566353662356532383034616439393237 -grafana_from_email: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 62613637623430356637343861326237366162626435306336376461643062643265363438666366 - 3932333666346338366334303564343064323862373930390a333162636231663961386532326264 - 65626435353036663938356330303564346137363961313236636263333238313166656231353931 - 6161633634636337320a396661373963623661363162643161393033653032623432323536306630 - 39346665653031316261346636336566343563373165653763643831313234356532 +grafana_smtp_password: "{{ vault_grafana_smtp_password }}" +grafana_smtp_user: "{{ vault_grafana_smtp_user }}" +grafana_from_email: "{{ vault_grafana_from_email }}" diff --git a/ansible/roles/forrest/vars/vault.yml b/ansible/roles/forrest/vars/vault.yml new file mode 100644 index 0000000..874f9de --- /dev/null +++ b/ansible/roles/forrest/vars/vault.yml 
@@ -0,0 +1,12 @@ +$ANSIBLE_VAULT;1.1;AES256 +39626534366162623533633336393263363933636563323938643564666332633662363563636265 +6562343564353338346438643861336563363837633462330a383764653037346165633064323863 +36626537373632626265336337366232663239666238353233393463353866653934356634613837 +6636666432323837330a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rom c5beb223be26723315e787a8e597c3c1458c0f14 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 21:31:53 +0000 Subject: [PATCH 023/120] Update clickhouse to 21.12 --- ansible/roles/plausible/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index a769ac1..d1362a0 100644 --- a/ansible/roles/plausible/files/docker-compose.yml +++ b/ansible/roles/plausible/files/docker-compose.yml @@ -31,7 +31,7 @@ services: - BASE_URL=https://elbisualp.theorangeone.net clickhouse: - image: yandex/clickhouse-server:21.6-alpine + image: yandex/clickhouse-server:21.12-alpine restart: unless-stopped volumes: - ./clickhouse:/var/lib/clickhouse From 1c645fa10688c8fac7500d82615b5aab94b6879d Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 21 Dec 2021 21:40:56 +0000 Subject: [PATCH 024/120] Update yourls mariadb to 10.7 --- ansible/roles/yourls/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/yourls/files/docker-compose.yml b/ansible/roles/yourls/files/docker-compose.yml index 2e024bc..c6ca64f 100644 --- a/ansible/roles/yourls/files/docker-compose.yml +++ b/ansible/roles/yourls/files/docker-compose.yml @@ -20,7 +20,7 @@ services: - traefik.http.routers.yourls.rule=Host(`0rng.one`) mariadb: - image: mariadb:10.5 + image: mariadb:10.7 environment: - MYSQL_ROOT_PASSWORD=root - MYSQL_DATABASE=yourls From b6a0fdfd1da1e759bab447f0c4e200491490c944 Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Tue, 21 Dec 2021 21:48:41 +0000 Subject: [PATCH 025/120] Unpin the version of yourls It's a very simple, non-critical application, which I keep forgetting to update --- ansible/roles/yourls/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/yourls/files/docker-compose.yml b/ansible/roles/yourls/files/docker-compose.yml index c6ca64f..8af36a8 100644 --- a/ansible/roles/yourls/files/docker-compose.yml +++ b/ansible/roles/yourls/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: yourls: - image: yourls:1.7.9-apache + image: yourls:apache restart: unless-stopped depends_on: - mariadb From 31b7811b1f1095b7db127df815ff638290c6a481 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 22 Dec 2021 12:01:25 +0000 Subject: [PATCH 026/120] Use new clickhouse docker repository --- ansible/roles/plausible/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index d1362a0..e6aff8d 100644 --- a/ansible/roles/plausible/files/docker-compose.yml +++ b/ansible/roles/plausible/files/docker-compose.yml @@ -31,7 +31,7 @@ services: - BASE_URL=https://elbisualp.theorangeone.net clickhouse: - image: yandex/clickhouse-server:21.12-alpine + image: clickhouse/clickhouse-server:21.12-alpine restart: unless-stopped volumes: - ./clickhouse:/var/lib/clickhouse From 6681ad43fb3472e5e124c5b51541111d037ba286 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 22 Dec 2021 12:57:49 +0000 Subject: [PATCH 027/120] Update plausible DB to postgres 14 --- ansible/roles/plausible/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index e6aff8d..bc735cf 100644 --- a/ansible/roles/plausible/files/docker-compose.yml 
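Review bot: `image: yourls:apache` is a floating tag, so each run of the update command pulls whatever upstream currently publishes, major releases included, and the deployed version can no longer be reconstructed from this repository or reviewed before it lands. Given the stated motivation (forgetting to update), the Renovate role introduced in PATCH 037 further down addresses exactly that while keeping a reproducible pin, so I would keep the explicit version here and let Renovate propose bumps. If a floating tag is still preferred, pinning to the narrowest series tag the image publishes (rather than the bare `apache` variant) at least rules out silent major upgrades.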
+++ b/ansible/roles/plausible/files/docker-compose.yml @@ -45,7 +45,7 @@ services: hard: 262144 db: - image: postgres:12-alpine + image: postgres:14-alpine restart: unless-stopped volumes: - ./postgres:/var/lib/postgresql/data From da41fcd7bc2f503d0060280484975bbb7493e58e Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 22 Dec 2021 13:10:06 +0000 Subject: [PATCH 028/120] Update grafana DB to postgres 14 --- ansible/roles/forrest/files/grafana/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/forrest/files/grafana/docker-compose.yml b/ansible/roles/forrest/files/grafana/docker-compose.yml index fca7e94..39ac091 100644 --- a/ansible/roles/forrest/files/grafana/docker-compose.yml +++ b/ansible/roles/forrest/files/grafana/docker-compose.yml @@ -30,7 +30,7 @@ services: - renderer db: - image: postgres:12-alpine + image: postgres:14-alpine restart: unless-stopped volumes: - /mnt/tank/dbs/postgres/grafana/:/var/lib/postgresql/data From fbdbc8afb5021ecac2469bfaafc2a617bf3361f8 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 22 Dec 2021 13:17:01 +0000 Subject: [PATCH 029/120] Update quassel DB to postgres 14 --- ansible/roles/pve_docker/files/quassel/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/quassel/docker-compose.yml b/ansible/roles/pve_docker/files/quassel/docker-compose.yml index e518a3f..122308a 100644 --- a/ansible/roles/pve_docker/files/quassel/docker-compose.yml +++ b/ansible/roles/pve_docker/files/quassel/docker-compose.yml @@ -20,7 +20,7 @@ services: - 4242:4242 db: - image: postgres:12-alpine + image: postgres:14-alpine restart: unless-stopped environment: - POSTGRES_USER=quassel From ec9ca428a3b4f05ba499f023f9e89197ae7b835c Mon Sep 17 00:00:00 2001 
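Review bot: Bumping `postgres:12-alpine` to `postgres:14-alpine` on a service whose data directory is bind-mounted (`./postgres:/var/lib/postgresql/data`) does not upgrade the cluster: a PostgreSQL 14 server refuses to start on a 12-format data directory, so the service will crash-loop under `restart: unless-stopped` until the data is migrated with `pg_dumpall`/restore or `pg_upgrade`. The same applies to the grafana and quassel hunks on this line and to the synapse, vaultwarden and tt-rss hunks in PATCH 030, 031 and 033. Unless the volumes were migrated out of band, I would record the migration step in the commit message and confirm a restic snapshot of each data directory precedes the change (several live under `/mnt/tank`, which is in `restic_backup_locations`).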
From: Jake Howard Date: Wed, 22 Dec 2021 15:24:37 +0000 Subject: [PATCH 030/120] Update synapse DB to postgres 14 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index ca6aa51..521ef72 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -20,7 +20,7 @@ services: - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) db: - image: postgres:12-alpine + image: postgres:14-alpine restart: unless-stopped environment: - POSTGRES_USER=synapse From e6ecffdf6216fe064c5a600155283f12defc273b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 22 Dec 2021 15:33:40 +0000 Subject: [PATCH 031/120] Update vaultwarden DB to postgres 14 --- ansible/roles/vaultwarden/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml index 46326a2..ba4255a 100644 --- a/ansible/roles/vaultwarden/files/docker-compose.yml +++ b/ansible/roles/vaultwarden/files/docker-compose.yml @@ -37,7 +37,7 @@ services: - WEBSOCKET_ENABLED=true db: - image: postgres:12-alpine + image: postgres:14-alpine restart: unless-stopped volumes: - /mnt/tank/dbs/postgres/vaultwarden/:/var/lib/postgresql/data From 66c48c4a69269d6fdb1dde1de22713ef46451a53 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 22 Dec 2021 15:41:14 +0000 Subject: [PATCH 032/120] Remove old domain for vaultwarden It's been long enough --- ansible/roles/vaultwarden/files/docker-compose.yml | 4 ++-- terraform/jakehoward.tech.tf | 8 -------- 2 files changed, 2 insertions(+), 10 deletions(-) 
diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml index ba4255a..4c77e9f 100644 --- a/ansible/roles/vaultwarden/files/docker-compose.yml +++ b/ansible/roles/vaultwarden/files/docker-compose.yml @@ -13,11 +13,11 @@ services: labels: - traefik.enable=true - - traefik.http.routers.vaultwarden-ui.rule=Host(`bw.jakehoward.tech`) || Host(`vaultwarden.jakehoward.tech`) + - traefik.http.routers.vaultwarden-ui.rule=Host(`vaultwarden.jakehoward.tech`) - traefik.http.routers.vaultwarden-ui.service=vaultwarden-ui - traefik.http.services.vaultwarden-ui.loadbalancer.server.port=80 - - traefik.http.routers.vaultwarden-websocket.rule=(Host(`bw.jakehoward.tech`) || Host(`vaultwarden.jakehoward.tech`) )&& Path(`/notifications/hub`) + - traefik.http.routers.vaultwarden-websocket.rule=Host(`vaultwarden.jakehoward.tech`) && Path(`/notifications/hub`) - traefik.http.routers.vaultwarden-websocket.service=vaultwarden-websocket - traefik.http.services.vaultwarden-websocket.loadbalancer.server.port=3012 diff --git a/terraform/jakehoward.tech.tf b/terraform/jakehoward.tech.tf index a72a7f9..02dcf85 100644 --- a/terraform/jakehoward.tech.tf +++ b/terraform/jakehoward.tech.tf @@ -132,14 +132,6 @@ resource "cloudflare_record" "jakehowardtech_grafana" { ttl = 1 } -resource "cloudflare_record" "jakehowardtech_bw" { - zone_id = cloudflare_zone.jakehowardtech.id - name = "bw" - value = vultr_instance.casey.main_ip - type = "A" - ttl = 1 -} - resource "cloudflare_record" "jakehowardtech_vaultwarden" { zone_id = cloudflare_zone.jakehowardtech.id name = "vaultwarden" From 3a7d2194cc8fa9891403fbed00556b590c181444 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 22 Dec 2021 22:39:46 +0000 Subject: [PATCH 033/120] Update tt-rss DB to postgres 14 --- ansible/roles/pve_docker/files/tt-rss/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml index 209c7d5..ed5a206 100644 --- a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml +++ b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml @@ -29,7 +29,7 @@ services: - /config/log db: - image: postgres:12-alpine + image: postgres:14-alpine restart: unless-stopped volumes: - /mnt/tank/dbs/postgres/tt-rss/:/var/lib/postgresql/data From 711d78bfd376075254d052e3ca24659262652b1a Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 28 Dec 2021 12:57:08 +0000 Subject: [PATCH 034/120] Only try and rotate the log files Previously, this was also rotating the compressed logs, for some reason --- ansible/roles/restic/files/backrest-logrotate | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/restic/files/backrest-logrotate b/ansible/roles/restic/files/backrest-logrotate index b074ee8..8fded94 100644 --- a/ansible/roles/restic/files/backrest-logrotate +++ b/ansible/roles/restic/files/backrest-logrotate @@ -1,4 +1,4 @@ -/home/restic/log/* { +/home/restic/log/*.log { weekly rotate 12 missingok From 062c4a25fb7d2cd0dd62d61c938b64791b8a94ef Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 28 Dec 2021 12:57:57 +0000 Subject: [PATCH 035/120] Keep just 2 weeks of backrest logs That's ample --- ansible/roles/restic/files/backrest-logrotate | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/restic/files/backrest-logrotate b/ansible/roles/restic/files/backrest-logrotate index 8fded94..8417c77 100644 --- a/ansible/roles/restic/files/backrest-logrotate +++ b/ansible/roles/restic/files/backrest-logrotate @@ -1,6 +1,6 @@ /home/restic/log/*.log { - weekly - rotate 12 + daily + rotate 14 missingok compress nodateext From b81f250d02c6d86928e77796497b419d20b766ed Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Wed, 29 Dec 2021 17:34:07 +0000 Subject: [PATCH 036/120] Update clickhouse config to reference new tables to remove --- ansible/roles/plausible/files/clickhouse-config.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/plausible/files/clickhouse-config.xml b/ansible/roles/plausible/files/clickhouse-config.xml index b8bd4e5..ee630ed 100644 --- a/ansible/roles/plausible/files/clickhouse-config.xml +++ b/ansible/roles/plausible/files/clickhouse-config.xml @@ -12,4 +12,6 @@ + + From 78b0161585b0488e25651acc06d70e502345e6c0 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 1 Jan 2022 18:23:32 +0000 Subject: [PATCH 037/120] Install renovate It doesn't quite work, as really it needs docker to correctly update packages. But it's a start for now --- ansible/main.yml | 1 + ansible/roles/renovate/files/config.js | 11 ++++++ .../roles/renovate/files/docker-compose.yml | 23 +++++++++++ ansible/roles/renovate/files/entrypoint.sh | 11 ++++++ ansible/roles/renovate/handlers/main.yml | 4 ++ ansible/roles/renovate/tasks/main.yml | 38 +++++++++++++++++++ ansible/roles/renovate/vars/main.yml | 2 + ansible/roles/renovate/vars/vault.yml | 11 ++++++ 8 files changed, 101 insertions(+) create mode 100644 ansible/roles/renovate/files/config.js create mode 100644 ansible/roles/renovate/files/docker-compose.yml create mode 100644 ansible/roles/renovate/files/entrypoint.sh create mode 100644 ansible/roles/renovate/handlers/main.yml create mode 100644 ansible/roles/renovate/tasks/main.yml create mode 100644 ansible/roles/renovate/vars/main.yml create mode 100644 ansible/roles/renovate/vars/vault.yml diff --git a/ansible/main.yml b/ansible/main.yml index ff43776..d72e7b7 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -56,6 +56,7 @@ - pve_nebula_route - privatebin - vaultwarden + - renovate - hosts: ingress roles: 
diff --git a/ansible/roles/renovate/files/config.js b/ansible/roles/renovate/files/config.js
new file mode 100644
index 0000000..731a916
--- /dev/null
+++ b/ansible/roles/renovate/files/config.js
@@ -0,0 +1,11 @@
+module.exports = {
+ endpoint: 'https://git.theorangeone.net/api/v4/',
+ token: '{{ renovate_gitlab_token }}',
+ platform: 'gitlab',
+ //dryRun: true,
+ autodiscover: true,
+ onboarding: false,
+ redisUrl: 'redis://redis',
+ repositoryCache: 'enabled',
+ persistRepoData: true
+};
diff --git a/ansible/roles/renovate/files/docker-compose.yml b/ansible/roles/renovate/files/docker-compose.yml
new file mode 100644
index 0000000..568b819
--- /dev/null
+++ b/ansible/roles/renovate/files/docker-compose.yml
@@ -0,0 +1,23 @@
+version: "2.3"
+services:
+ renovate:
+ image: renovate/renovate:31-slim
+ user: "{{ docker_user.id }}"
+ command: /entrypoint.sh
+ environment:
+ - TZ={{ TZ }}
+ - GITHUB_COM_TOKEN={{ renovate_github_token }}
+ restart: unless-stopped
+ depends_on:
+ - redis
+ tmpfs:
+ - /tmp
+ volumes:
+ - "{{ app_data_dir }}/renovate/config.js:/usr/src/app/config.js:ro"
+ - "{{ app_data_dir }}/renovate/entrypoint.sh:/entrypoint.sh:ro"
+
+ redis:
+ image: redis:6-alpine
+ restart: unless-stopped
+ volumes:
+ - /mnt/tank/dbs/redis/renovate:/data
diff --git a/ansible/roles/renovate/files/entrypoint.sh b/ansible/roles/renovate/files/entrypoint.sh
new file mode 100644
index 0000000..6b7f42e
--- /dev/null
+++ b/ansible/roles/renovate/files/entrypoint.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -e
+
+while true;
+do
+ renovate $@
+ echo "> Sleeping for 1 hour..."
+ sleep 1h &
+ wait $!
+done
diff --git a/ansible/roles/renovate/handlers/main.yml b/ansible/roles/renovate/handlers/main.yml
new file mode 100644
index 0000000..9ec2233
--- /dev/null
+++ b/ansible/roles/renovate/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart renovate
+ shell:
+ chdir: /opt/renovate
+ cmd: "{{ docker_update_command }}"
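Review bot: `autodiscover: true` combined with `onboarding: false` lets this instance push branches and open merge requests in every project the GitLab `token` can see, with no onboarding step for a repository to opt in, so the blast radius of the configuration is exactly the token's scope. I would run it under a dedicated bot account granted only the scopes Renovate needs, and consider `autodiscoverFilter` to confine it to the intended group. The commented `//dryRun: true,` line suggests a dry run was considered; leaving it enabled for the first autodiscover pass is a cheap way to confirm the repository list before anything is written.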
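Review bot: `set -e` defeats the hourly back-off in the loop: when `renovate $@` exits non-zero the script exits, the container stops, and `restart: unless-stopped` in this patch's docker-compose hunk relaunches it immediately, so a persistent failure (revoked token, API outage) turns into a tight retry loop against the GitLab and GitHub APIs. `$@` is also unquoted, so any argument containing whitespace is re-split. I would change the call to `renovate "$@" || echo "> renovate exited with status $?"` so the sleep always runs, and either drop `set -e` or keep it only above the loop.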
diff --git a/ansible/roles/renovate/tasks/main.yml b/ansible/roles/renovate/tasks/main.yml
new file mode 100644
index 0000000..dc065c7
--- /dev/null
+++ b/ansible/roles/renovate/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: Include vault
+ include_vars: vault.yml
+
+- name: Create install directory
+ file:
+ path: /opt/renovate
+ state: directory
+ owner: "{{ docker_user.name }}"
+ mode: "{{ docker_compose_directory_mask }}"
+ become: true
+
+- name: Install compose file
+ template:
+ src: files/docker-compose.yml
+ dest: /opt/renovate/docker-compose.yml
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ docker_user.name }}"
+ validate: docker-compose -f %s config
+ notify: restart renovate
+ become: true
+
+- name: Install config file
+ template:
+ src: files/config.js
+ dest: "{{ app_data_dir }}/renovate/config.js"
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ docker_user.name }}"
+ notify: restart renovate
+ become: true
+
+- name: Install custom entrypoint
+ template:
+ src: files/entrypoint.sh
+ dest: "{{ app_data_dir }}/renovate/entrypoint.sh"
+ mode: "0755"
+ owner: "{{ docker_user.name }}"
+ notify: restart renovate
+ become: true
diff --git a/ansible/roles/renovate/vars/main.yml b/ansible/roles/renovate/vars/main.yml
new file mode 100644
index 0000000..9635a1e
--- /dev/null
+++ b/ansible/roles/renovate/vars/main.yml
@@ -0,0 +1,2 @@
+renovate_gitlab_token: "{{ vault_renovate_gitlab_token }}"
+renovate_github_token: "{{ vault_renovate_github_token }}"
diff --git a/ansible/roles/renovate/vars/vault.yml b/ansible/roles/renovate/vars/vault.yml
new file mode 100644
index 0000000..3f0466d
--- /dev/null
+++ b/ansible/roles/renovate/vars/vault.yml
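Review bot: The `Install config file` and `Install custom entrypoint` tasks write into `{{ app_data_dir }}/renovate/`, but the only directory this role creates is `/opt/renovate`; unless that path is created by another role, the `template` module fails because the destination directory does not exist. A `file` task creating `{{ app_data_dir }}/renovate` with the same owner and `docker_compose_directory_mask` before those two tasks fixes it. Because `config.js` carries the GitLab token in plaintext, the directory mode also matters: it should be no more permissive than the `docker_compose_file_mask` applied to the file itself.

```yaml
- name: Create app data directory
  file:
    path: "{{ app_data_dir }}/renovate"
    state: directory
    owner: "{{ docker_user.name }}"
    mode: "{{ docker_compose_directory_mask }}"
  become: true

# … unchanged: Install config file / Install custom entrypoint tasks …
```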
@@ -0,0 +1,11 @@ +$ANSIBLE_VAULT;1.1;AES256 +37666339323131376463616330376335623238363930353938383162623162633665623763626464 +3833623739633363616362643166393538386139373139310a393530323937373938346237633536 +32376237386536633134613438383730323565356164313933376232343866303764643033396237 +6133313835663637660a336162303239636137313339366330323463326339366537343164663336 +61346434383164336138626261663939333265306430316535653062393431646230636162373665 +39386436306534316632376238616332636265303534316366356139303865323631323064303665 +64636565666231643330396164383066623166393339633330363633343639346637343239313936 +37613266393438616166326138313262623837386231393666633361396364313335346238313863 +65383435626335333631326537373366636439306366373235386132393839663063333063383133 +6333613165306462376631326239613864613630363738633331 From 1a74e05a7c3622292784053bb97f97e58f5e1b1c Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 1 Jan 2022 22:58:03 +0000 Subject: [PATCH 038/120] Create a dedicated machine for renovate This way it can do what it wants with docker. Because apparently it's very picky about how it's setup --- ansible/group_vars/all/pve.yml | 2 ++ ansible/hosts | 1 + ansible/main.yml | 6 ++++- ansible/roles/renovate/files/config.js | 6 ++++- .../roles/renovate/files/docker-compose.yml | 25 ++++++++++++++----- ansible/roles/renovate/tasks/main.yml | 4 +-- 6 files changed, 34 insertions(+), 10 deletions(-) diff --git a/ansible/group_vars/all/pve.yml b/ansible/group_vars/all/pve.yml index 7cbd82c..b337803 100644 --- a/ansible/group_vars/all/pve.yml +++ b/ansible/group_vars/all/pve.yml @@ -21,3 +21,5 @@ pve_hosts: ip: 192.168.2.203 qbittorrent: ip: 10.23.1.105 + renovate: + ip: 10.23.1.110 diff --git a/ansible/hosts b/ansible/hosts index b0ed8e8..f58da32 100644 --- a/ansible/hosts +++ b/ansible/hosts @@ -14,3 +14,4 @@ qbittorrent restic pve-gitlab pve-gitlab-runner +renovate diff --git a/ansible/main.yml b/ansible/main.yml index d72e7b7..00f46f1 100644 
--- a/ansible/main.yml +++ b/ansible/main.yml @@ -32,6 +32,7 @@ - pve-gitlab-runner - grimes - decker + - renovate roles: - role: geerlingguy.docker become: true @@ -56,7 +57,6 @@ - pve_nebula_route - privatebin - vaultwarden - - renovate - hosts: ingress roles: @@ -122,3 +122,7 @@ - nebula - restic - uptime_kuma + +- hosts: renovate + roles: + - renovate diff --git a/ansible/roles/renovate/files/config.js b/ansible/roles/renovate/files/config.js index 731a916..7d0b643 100644 --- a/ansible/roles/renovate/files/config.js +++ b/ansible/roles/renovate/files/config.js @@ -7,5 +7,9 @@ module.exports = { onboarding: false, redisUrl: 'redis://redis', repositoryCache: 'enabled', - persistRepoData: true + persistRepoData: true, + binarySource: "docker", + dockerUser: "{{ docker_user.id }}", + baseDir: "/opt/renovate/renovate", + cacheDir: "/opt/renovate/renovate/cache" }; diff --git a/ansible/roles/renovate/files/docker-compose.yml b/ansible/roles/renovate/files/docker-compose.yml index 568b819..b46f20b 100644 --- a/ansible/roles/renovate/files/docker-compose.yml +++ b/ansible/roles/renovate/files/docker-compose.yml 
@@ -2,22 +2,35 @@ version: "2.3" services: renovate: image: renovate/renovate:31-slim - user: "{{ docker_user.id }}" command: /entrypoint.sh + user: "{{ docker_user.id }}" environment: - TZ={{ TZ }} - GITHUB_COM_TOKEN={{ renovate_github_token }} + - DOCKER_HOST=tcp://docker_proxy:2375 + - LOG_LEVEL=debug # Noisy, but required for debugging restart: unless-stopped depends_on: - redis - tmpfs: - - /tmp + - docker_proxy volumes: - - "{{ app_data_dir }}/renovate/config.js:/usr/src/app/config.js:ro" - - "{{ app_data_dir }}/renovate/entrypoint.sh:/entrypoint.sh:ro" + - ./config.js:/usr/src/app/config.js:ro + - ./entrypoint.sh:/entrypoint.sh:ro + - /opt/renovate/renovate:/opt/renovate/renovate # These must be the same redis: image: redis:6-alpine restart: unless-stopped volumes: - - /mnt/tank/dbs/redis/renovate:/data + - ./redis:/data + + docker_proxy: + image: tecnativa/docker-socket-proxy:latest + restart: unless-stopped + environment: + - POST=1 + - CONTAINERS=1 + - INFO=1 + - IMAGES=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro diff --git a/ansible/roles/renovate/tasks/main.yml b/ansible/roles/renovate/tasks/main.yml index dc065c7..1dfff88 100644 --- a/ansible/roles/renovate/tasks/main.yml +++ b/ansible/roles/renovate/tasks/main.yml @@ -22,7 +22,7 @@ - name: Install config file template: src: files/config.js - dest: "{{ app_data_dir }}/renovate/config.js" + dest: /opt/renovate/config.js mode: "{{ docker_compose_file_mask }}" owner: "{{ docker_user.name }}" notify: restart renovate @@ -31,7 +31,7 @@ - name: Install custom entrypoint template: src: files/entrypoint.sh - dest: "{{ app_data_dir }}/renovate/entrypoint.sh" + dest: /opt/renovate/entrypoint.sh mode: "0755" owner: "{{ docker_user.name }}" notify: restart renovate From 02cfd37a02e1332ae7c991b96df2cd727504847f Mon Sep 17 00:00:00 2001 
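Review bot: `POST=1` plus `CONTAINERS=1` on docker_proxy lets anything that reaches `docker_proxy:2375` create containers, and docker-socket-proxy filters by API path only, not by request body, so a create request carrying a host bind mount or `Privileged` is still allowed — that is effective root on the VM, and the `:ro` on `/var/run/docker.sock` restricts the socket file, not what can be done over the API. The commit message's point that this is a dedicated machine is what makes that acceptable, and the reasoning belongs in the file: `# POST+CONTAINERS is root-equivalent on this host; acceptable only because this VM runs nothing but renovate`. `tecnativa/docker-socket-proxy:latest` is the one image here holding the socket, so pinning it to a release tag like the other images in this repo is worth more than usual. `LOG_LEVEL=debug` is flagged as temporary; confirm the debug output does not echo either token before leaving it on.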
From: Jake Howard Date: Sat, 8 Jan 2022 12:18:25 +0000 Subject: [PATCH 039/120] Update uptime-kuma --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index 3c7c065..aff9920 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.11.1-alpine + image: louislam/uptime-kuma:1.11.3-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From 1f6c6858e5683a1d12308038276b8eb8b885c2b7 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 8 Jan 2022 12:29:13 +0000 Subject: [PATCH 040/120] Fix NTP timesyncd issue https://github.com/geerlingguy/ansible-role-ntp/pull/110 --- ansible/galaxy-requirements.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml index 873ca71..20a30cd 100644 --- a/ansible/galaxy-requirements.yml +++ b/ansible/galaxy-requirements.yml @@ -6,7 +6,9 @@ collections: roles: - src: geerlingguy.docker - - src: geerlingguy.ntp + - src: https://github.com/blmhemu/ansible-role-ntp + version: fa40f44c2542e6fcff96d50eaf06a417a9376244 # https://github.com/geerlingguy/ansible-role-ntp/pull/110 + name: geerlingguy.ntp - src: realorangeone.reflector - src: https://github.com/jsclayton/ansible-role-proxmox-nag-removal version: b0502ef4c371bbfb18faf85f5d869e3ffec661a8 # https://github.com/IronicBadger/ansible-role-proxmox-nag-removal/pull/15 From 41289ab35988bc5f84a48ee7f2184d17d39892bf Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Sat, 8 Jan 2022 12:29:35 +0000 Subject: [PATCH 041/120] Reduce ZFS memory usage to 5GB That's still more than 1GB per usable TB of space. Should really be ample --- ansible/host_vars/pve/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/host_vars/pve/main.yml b/ansible/host_vars/pve/main.yml index 55e5343..c9102cb 100644 --- a/ansible/host_vars/pve/main.yml +++ b/ansible/host_vars/pve/main.yml @@ -4,8 +4,8 @@ zpools_to_scrub: - tank - rpool -# 7GB, or so -zfs_arc_size: 7000000000 +# 5GB, or so +zfs_arc_size: 5000000000 sanoid_datasets: tank: From 0a13f78d29f6038ad2e50fbc7c095de7a17ad8ce Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 8 Jan 2022 22:11:34 +0000 Subject: [PATCH 042/120] Add linode to terraform setup Let the migration, begin! --- terraform/providers.tf | 4 ++++ terraform/terraform.tf | 4 ++++ terraform/variables.tf | 1 + 3 files changed, 9 insertions(+) diff --git a/terraform/providers.tf b/terraform/providers.tf index 523fdef..e833ed3 100644 --- a/terraform/providers.tf +++ b/terraform/providers.tf @@ -12,3 +12,7 @@ provider "cloudflare" { provider "aws" { region = "eu-west-2" } + +provider "linode" { + token = var.linode_personal_access_token +} diff --git a/terraform/terraform.tf b/terraform/terraform.tf index ada7aba..8593525 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -12,5 +12,9 @@ terraform { source = "hashicorp/aws" version = "3.8.0" } + linode = { + source = "linode/linode" + version = "1.25.1" + } } } diff --git a/terraform/variables.tf b/terraform/variables.tf index 4cc277f..17d94d2 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,3 +1,4 @@ variable "vultr_api_key" {} variable "cloudflare_api_key" {} variable "cloudflare_email" {} +variable "linode_personal_access_token" {} From e50a1f9a72288a01f85af0d7190275ad2c60d008 Mon Sep 17 00:00:00 2001 
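Review bot: `variable "linode_personal_access_token" {}` declares the token without `sensitive = true`, so anywhere it is interpolated or echoed (plan/apply output, `terraform console`, provider error messages) prints it verbatim, including in CI logs. Declaring it `variable "linode_personal_access_token" { sensitive = true }` makes Terraform redact it; this needs Terraform 0.14 or later, and the `required_version` constraint is not visible in this diff, so check it. The value lands in state either way, so access control on the state backend remains the real boundary.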
From: Jake Howard Date: Sat, 8 Jan 2022 22:12:28 +0000 Subject: [PATCH 043/120] Privision a decker on linode --- terraform/decker_vps.tf | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/terraform/decker_vps.tf b/terraform/decker_vps.tf index 56bf9c5..14924a5 100644 --- a/terraform/decker_vps.tf +++ b/terraform/decker_vps.tf @@ -15,3 +15,29 @@ resource "vultr_instance" "decker" { hostname = "decker" firewall_group_id = module.decker_firewall.firewall_group.id } + + +# Linode + +resource "linode_instance" "decker" { + label = "decker" + image = "linode/arch" + region = "eu-central" + type = "g6-nanode-1" + private_ip = true +} + +resource "linode_firewall" "decker" { + label = "decker" + linodes = [linode_instance.decker.id] + outbound_policy = "ACCEPT" + inbound_policy = "DROP" + + inbound { + label = "allow-ping" + action = "ACCEPT" + protocol = "ICMP" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } +} From 50398eac0767ce0df0de94175dc4e8be58d908d7 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 8 Jan 2022 22:12:44 +0000 Subject: [PATCH 044/120] Commit the terraform lock file It tells you to --- .gitignore | 1 - terraform/.terraform.lock.hcl | 98 +++++++++++++++++++++++++++++++++++ 2 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 terraform/.terraform.lock.hcl diff --git a/.gitignore b/.gitignore index ddfdfa4..f017bb5 100644 --- a/.gitignore +++ b/.gitignore @@ -152,4 +152,3 @@ override.tf.json terraform/secrets.auto.tfvars terraform/secrets.sh -terraform/.terraform.lock.hcl diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl new file mode 100644 index 0000000..5b07f89 --- /dev/null +++ b/terraform/.terraform.lock.hcl 
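Review bot: The `linode_firewall` defaults inbound to DROP and admits only ICMP, and the `linode_instance` block shows no `authorized_keys` or `root_pass`, so this hunk on its own leaves no management path to the new host — once the firewall attaches, SSH from outside is blocked and only the Linode console remains. Presumably Ansible reaches decker over the private IP or an overlay configured elsewhere in this repo, but that should be confirmed before `apply`, and a comment would spare the next reader the same question: `# no SSH ingress by design: management access is via the private IP / overlay only`. If an overlay client on decker needs an inbound UDP port for peer connectivity, that rule is also absent here.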
@@ -0,0 +1,98 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "2.11.0" + constraints = "2.11.0" + hashes = [ + "h1:C+Yi2SSXY0j07UPRqg40xpyX2G8q1+kevz8dPwqveTc=", + "zh:0ae743775b7eb32a72bae690e9153291370f6e45cfab978112289605d89d6b8f", + "zh:3183078306ddbe7248cad81322d0ebf5eddae3a2792929651a48d60ebb5ae61d", + "zh:5d211cacf6baa238468dad7c39d7775bd055cc944bb2b4fbdaa5f60c80735137", + "zh:6ade3a98133832852b0a8357322632b316a00c311b3111293a3b8f2c1a8bad21", + "zh:71828e5015c095547c0f2e9053536486110d1a53939aa3c81f0e680b269ed8a2", + "zh:a32dc93fbce15af678196201507074d71a7a4b90c44710a39ca0c721a5068c7b", + "zh:a643d84e9b7792482e797e96ee783678f9c6fda534b0f718c482853611aecb4d", + "zh:d6e52640721b777606cf292ba2f823af07dfc14d11f24799d4c3a4f05af06220", + "zh:deff9d1e2b859481ba3c1b09c856de3ae705783adb967d26519c92f9f34f8be5", + "zh:e7d8a9ccae6da76a54ab37a408a37fb79de4cc90a36838bd69ade24e9eaa1172", + "zh:ec23e7b1f0d3e267da7a340326520347b1a62ea6cbc4722dea1fd50762895708", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "3.8.0" + constraints = "3.8.0" + hashes = [ + "h1:BVmiigtBDykRR58vG3TxvnWHls1ODJw+LsU5rJNIs5E=", + "zh:1ebc1f75d085e2d710e72458706e8c89e64f2f74eb41a77533f866692cf8266b", + "zh:421b6b1108dfc11ed1a42e39bf07bc459142a1bff051103bac3e8a564c8363f2", + "zh:573c3096eaef0b2045b253c7ccf090f2b4eb740cf81eab359565c6827cbab8ff", + "zh:579f920de241446e3cc2d788a991d628144a4664c3b1bb2267a03d9b0d3ddc4e", + "zh:93cd69c7a0957e86d31ee9aefc7bbdfb0326b87eba7b6cde5e3839c8cf882313", + "zh:b24e23875aa4581a9020519f3ca654cb66bf0b395121fffeb4b11c393cee6b56", + "zh:bfed6644cac0885e3dbf6e1485a32ad386ba7b581b7730edd71111f73f79c923", + "zh:c523c7db06c404c21ccd3b62a8d11d2118e0e0258a745c38a9989958bf818c33", + "zh:d931d23ad961616f1ad437b48cb4ad147b3b68fedf8d1b541ab6c5e49eacb32c", + "zh:e05ac4243af39a9731b64d35fcc4fbf070525692089e1f104df43c93a6e1d151", 
+ ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.1.0" + hashes = [ + "h1:EYZdckuGU3n6APs97nS2LxZm3dDtGqyM4qaIvsmac8o=", + "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2", + "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab", + "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3", + "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a", + "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe", + "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1", + "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c", + "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4", + "zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b", + "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3", + "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91", + ] +} + +provider "registry.terraform.io/linode/linode" { + version = "1.25.1" + constraints = "1.25.1" + hashes = [ + "h1:kNBJat6vK3+lVWMUdv2HUcmU2j5UWrnojxkl0zfP+4Q=", + "zh:011d31d5ba135db140a9e4d34b6a358b05f26e9649fa3ac252ba5753be87dbc7", + "zh:0c61b38aa196c7bbc12285893c9a8a5e995e56fd6a013329774c670b62b38897", + "zh:1227a34a2002145aa4817999a08cdba3f0f412d51d24f4848aa0a9b08a58f186", + "zh:4f6c119d150576ee737aa532062378e577a0754b85c32eec988ee094af798a07", + "zh:62751d4e56c38cd4952a69746a2c941a28d6b76fa12173fb7d135ba999d3b7ae", + "zh:743c1f54c40c2a129df35c0deb0a4af899472ff85fb79a58a282b2107072954c", + "zh:78a7c6d4a75eae1e6753bf74341245739f65d90ff4c78bdeab49a579db678a52", + "zh:835b587b57caa1e695bdc932e0036efafd3a069bfae3151e1d574c854eaef24c", + "zh:93a797797f7c566af735802a4da17a0adbf4b5303cb2fcd62173289a2211b059", + "zh:942bb3aef76f55067379d991a64f9641f44f5d40ed8d31f8857683bb75ee3f47", + "zh:9bd2bc6fa211153cff5487ac3a8afad24f742cd946985eade67dc413c0a47d84", + "zh:a4f9dfef3a29e861282b6ef8917819f351da8fb00b390cb75549718b6c8b9dc4", + 
"zh:af185b9471439c37dc0580871eb230a36f4cfc0dbb75c3ec911242a56b92efda", + "zh:eb7dfa4e9041a947ff776b9fd0da06790bd5ea23c26e4c5332f88f9ff3b24cff", + ] +} + +provider "registry.terraform.io/vultr/vultr" { + version = "2.1.4" + constraints = "2.1.4" + hashes = [ + "h1:xlp22yaH/Z/ub7vAZTDyPnViL8QfJBQnZR/e6UWZqXk=", + "zh:087b47412fbc46d750df122c3e2e8e4ecf4921af3e17957f1f4eac7e4ac9b470", + "zh:1edde9112f2c7026cac0be274ae1c65c9b40848ee4be36040202d4eda7d9e368", + "zh:39e3e81b135d5692d6729795bd73a4c0fc2e846c69a4a7c134b89680b5295f58", + "zh:3e739d1eb8e22fe32d5c9fe0ddc27f8a2697df3baccc25e8493a6baecb6a3ab8", + "zh:710afe1c0a7fb555bb684de4aaaacd4a427512ccab7addfed9def26ca96f6721", + "zh:7c1d7f4cc5d30521a352d28526dbca4bc8494818ccea44314376232625ddce85", + "zh:87ec18cc87d7ba8563e96c0fbf6120e286b34d77392e384289d7332a57b0be40", + "zh:a38b698278359ac4b3c63318906b06a49d7bed43c614a2394918404812dd375d", + "zh:ab92d9eb1b2042cb853f05ccc884a9b6fe0ed972d328a65d0f80ae45f981524a", + "zh:aeafd160fd2cade4c3e7d5f32daf005269cf0e345cf329a8793875a871406fb8", + "zh:e76920737b3e0af032f28bf210d2285e26887c4c090d44b1f89f1d5e8cd89e0c", + ] +} From cf0e718bfbad08b1df0550c6bc863b6b93bc55e8 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 11 Jan 2022 09:07:48 +0000 Subject: [PATCH 045/120] Migrate decker services to linode Mostly just uptime-kuma --- ansible/group_vars/all/hosts.yml | 2 +- terraform/context.tf | 2 +- terraform/theorangeone.net.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/group_vars/all/hosts.yml b/ansible/group_vars/all/hosts.yml index 68d7e6c..f02d3e6 100755 --- a/ansible/group_vars/all/hosts.yml +++ b/ansible/group_vars/all/hosts.yml @@ -1,5 +1,5 @@ "hosts": "casey_ip": "108.61.221.88" - "decker_ip": "95.179.223.50" + "decker_ip": "192.46.233.9" "grimes_ip": "104.238.172.209" "walker_ip": "192.248.168.230" diff --git a/terraform/context.tf b/terraform/context.tf index 6253795..a5dc829 100644 --- a/terraform/context.tf +++ b/terraform/context.tf 
@@ -4,7 +4,7 @@ resource "local_file" "hosts" { casey_ip : vultr_instance.casey.main_ip, walker_ip : vultr_instance.walker.main_ip, grimes_ip : vultr_instance.grimes.main_ip, - decker_ip : vultr_instance.decker.main_ip, + decker_ip : linode_instance.decker.ip_address, } }) filename = "${path.module}/../ansible/group_vars/all/hosts.yml" diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf index 077d806..3a3eddc 100644 --- a/terraform/theorangeone.net.tf +++ b/terraform/theorangeone.net.tf @@ -184,7 +184,7 @@ resource "cloudflare_record" "theorangeonenet_dokku_wildcard" { resource "cloudflare_record" "theorangeonenet_status" { zone_id = cloudflare_zone.theorangeonenet.id name = "status" - value = vultr_instance.decker.main_ip + value = linode_instance.decker.ip_address type = "A" ttl = 1 } From ceb62cc0c8f130d28a4b80b7bfd3a63b4c5e223b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 11 Jan 2022 09:08:23 +0000 Subject: [PATCH 046/120] Open the right ports so web traffic will flow --- terraform/decker_vps.tf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/terraform/decker_vps.tf b/terraform/decker_vps.tf index 14924a5..9189b7c 100644 --- a/terraform/decker_vps.tf +++ b/terraform/decker_vps.tf @@ -40,4 +40,22 @@ resource "linode_firewall" "decker" { ipv4 = ["0.0.0.0/0"] ipv6 = ["::/0"] } + + inbound { + label = "allow-inbound-https" + action = "ACCEPT" + protocol = "TCP" + ports = "443" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + + inbound { + label = "allow-inbound-http" + action = "ACCEPT" + protocol = "TCP" + ports = "80" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } } From db68c107d00685505924f1f48e679735ec738357 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 11 Jan 2022 19:25:04 +0000 Subject: [PATCH 047/120] Decommission decker on Vultr --- terraform/decker_vps.tf | 21 --------------------- 1 file changed, 21 deletions(-) 
diff --git a/terraform/decker_vps.tf b/terraform/decker_vps.tf index 9189b7c..33d7e9d 100644 --- a/terraform/decker_vps.tf +++ b/terraform/decker_vps.tf @@ -1,24 +1,3 @@ -module "decker_firewall" { - source = "./vultr_firewall/" - - description = "decker" - ports = [ - "80/tcp", - "443/tcp", - ] -} - - -resource "vultr_instance" "decker" { - plan = "vc2-1c-1gb" - region = "cdg" - hostname = "decker" - firewall_group_id = module.decker_firewall.firewall_group.id -} - - -# Linode - resource "linode_instance" "decker" { label = "decker" image = "linode/arch" From c5215e330bced5e53b6a307c047bd9f37cb28c5a Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 11 Jan 2022 20:51:12 +0000 Subject: [PATCH 048/120] Update yamllint to fix dependency issue I think this still validates everything we need it to --- ansible/.ansible-lint | 9 +++++---- ansible/dev-requirements.txt | 2 +- ansible/group_vars/all/base.yml | 2 +- ansible/main.yml | 2 +- ansible/roles/base/tasks/ssh.yml | 2 +- ansible/roles/forrest/files/grafana/docker-compose.yml | 4 ++-- ansible/roles/gateway/tasks/wireguard.yml | 6 +++--- ansible/roles/gitlab/files/gitlab.rb | 2 +- ansible/roles/ingress/tasks/wireguard.yml | 4 ++-- ansible/roles/nebula/tasks/main.yml | 2 +- ansible/roles/privatebin/files/docker-compose.yml | 2 +- .../roles/pve_docker/files/calibre/docker-compose.yml | 2 +- .../roles/pve_docker/files/librespeed/docker-compose.yml | 2 +- .../roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +- .../roles/pve_docker/files/quassel/docker-compose.yml | 2 +- ansible/roles/pve_docker/files/tt-rss/docker-compose.yml | 2 +- ansible/roles/renovate/files/docker-compose.yml | 2 +- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- scripts/ansible/lint.sh | 8 ++++---- 19 files changed, 30 insertions(+), 29 deletions(-) diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint index 4858af9..c2c7262 100644 --- a/ansible/.ansible-lint +++ b/ansible/.ansible-lint 
@@ -1,10 +1,11 @@ skip_list: - - 305 - - 401 - - 301 - - 503 + - command-instead-of-shell + - no-handler + - git-latest exclude_paths: - ansible/galaxy_roles/ - ansible/galaxy_collections/ - ~/.ansible + - roles/nebula/files/nebula.yml + - roles/traefik/files/traefik.yml diff --git a/ansible/dev-requirements.txt b/ansible/dev-requirements.txt index 2af2326..16ed479 100644 --- a/ansible/dev-requirements.txt +++ b/ansible/dev-requirements.txt @@ -1,2 +1,2 @@ -ansible-lint==4.3.5 +ansible-lint==5.3.2 yamllint==1.24.2 diff --git a/ansible/group_vars/all/base.yml b/ansible/group_vars/all/base.yml index 61f4117..4bea0c8 100644 --- a/ansible/group_vars/all/base.yml +++ b/ansible/group_vars/all/base.yml @@ -1,4 +1,4 @@ -TZ: Europe/London +timezone: Europe/London # noqa var-naming # HACK: Some of the hostnames aren't valid dict keys hostname_slug: "{{ ansible_hostname | replace('-', '_') }}" diff --git a/ansible/main.yml b/ansible/main.yml index 00f46f1..402db44 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -22,7 +22,7 @@ - role: geerlingguy.ntp become: true vars: - ntp_timezone: "{{ TZ }}" + ntp_timezone: "{{ timezone }}" ntp_manage_config: true - hosts: diff --git a/ansible/roles/base/tasks/ssh.yml b/ansible/roles/base/tasks/ssh.yml index e284c1d..c1ea135 100644 --- a/ansible/roles/base/tasks/ssh.yml +++ b/ansible/roles/base/tasks/ssh.yml @@ -20,7 +20,7 @@ src: files/sshd_config dest: /etc/ssh/sshd_config validate: /usr/sbin/sshd -t -f %s - backup: yes + backup: true mode: 0644 become: true register: sshd_config diff --git a/ansible/roles/forrest/files/grafana/docker-compose.yml b/ansible/roles/forrest/files/grafana/docker-compose.yml index 39ac091..8519d2a 100644 --- a/ansible/roles/forrest/files/grafana/docker-compose.yml +++ b/ansible/roles/forrest/files/grafana/docker-compose.yml 
@@ -4,7 +4,7 @@ services: grafana: image: grafana/grafana:latest environment: - - TZ={{ TZ }} + - TZ={{ timezone }} - GF_DATABASE_URL=postgres://grafana:grafana@db/grafana - GF_RENDERING_SERVER_URL=http://renderer:8081/render - GF_RENDERING_CALLBACK_URL=http://grafana:3000/ @@ -42,7 +42,7 @@ services: image: grafana/grafana-image-renderer:latest restart: unless-stopped environment: - - BROWSER_TZ={{ TZ }} + - BROWSER_TZ={{ timezone }} networks: diff --git a/ansible/roles/gateway/tasks/wireguard.yml b/ansible/roles/gateway/tasks/wireguard.yml index e5da01d..e69a938 100644 --- a/ansible/roles/gateway/tasks/wireguard.yml +++ b/ansible/roles/gateway/tasks/wireguard.yml @@ -3,7 +3,7 @@ src: files/wireguard-server.conf dest: /etc/wireguard/wg0.conf mode: "0600" - backup: yes + backup: true become: true register: wireguard_conf @@ -41,9 +41,9 @@ sysctl: name: net.ipv4.ip_forward value: "1" - sysctl_set: yes + sysctl_set: true state: present - reload: yes + reload: true sysctl_file: /etc/sysctl.d/99-sysctl.conf become: true diff --git a/ansible/roles/gitlab/files/gitlab.rb b/ansible/roles/gitlab/files/gitlab.rb index 0dd9070..d39cc04 100644 --- a/ansible/roles/gitlab/files/gitlab.rb +++ b/ansible/roles/gitlab/files/gitlab.rb @@ -11,7 +11,7 @@ nginx['ssl_certificate'] = "/etc/ssl/certs/ssl-cert-snakeoil.pem" nginx['ssl_certificate_key'] = "/etc/ssl/private/ssl-cert-snakeoil.key" letsencrypt['enable'] = false -gitlab_rails['time_zone'] = '{{ TZ }}' +gitlab_rails['time_zone'] = '{{ timezone }}' # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html puma['worker_processes'] = 2 diff --git a/ansible/roles/ingress/tasks/wireguard.yml b/ansible/roles/ingress/tasks/wireguard.yml index 8119272..9144598 100644 --- a/ansible/roles/ingress/tasks/wireguard.yml +++ b/ansible/roles/ingress/tasks/wireguard.yml 
@@ -27,8 +27,8 @@ sysctl: name: net.ipv4.ip_forward value: "1" - sysctl_set: yes + sysctl_set: true state: present - reload: yes + reload: true sysctl_file: /etc/sysctl.d/99-sysctl.conf become: true diff --git a/ansible/roles/nebula/tasks/main.yml b/ansible/roles/nebula/tasks/main.yml index 17ee84c..c24112b 100644 --- a/ansible/roles/nebula/tasks/main.yml +++ b/ansible/roles/nebula/tasks/main.yml @@ -9,7 +9,7 @@ unarchive: src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz dest: /usr/bin - remote_src: yes + remote_src: true mode: "0755" become: true notify: restart nebula diff --git a/ansible/roles/privatebin/files/docker-compose.yml b/ansible/roles/privatebin/files/docker-compose.yml index 8d6d3dc..04e856f 100644 --- a/ansible/roles/privatebin/files/docker-compose.yml +++ b/ansible/roles/privatebin/files/docker-compose.yml @@ -4,7 +4,7 @@ services: privatebin: image: privatebin/nginx-fpm-alpine:latest environment: - - TZ={{ TZ }} + - TZ={{ timezone }} volumes: - "{{ app_data_dir }}/privatebin/:/srv/data" - "{{ app_data_dir }}/privatebin/conf.php:/srv/cfg/conf.php:ro" diff --git a/ansible/roles/pve_docker/files/calibre/docker-compose.yml b/ansible/roles/pve_docker/files/calibre/docker-compose.yml index b87c80e..3e9c824 100644 --- a/ansible/roles/pve_docker/files/calibre/docker-compose.yml +++ b/ansible/roles/pve_docker/files/calibre/docker-compose.yml @@ -5,7 +5,7 @@ services: environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - - TZ={{ TZ }} + - TZ={{ timezone }} restart: unless-stopped volumes: - /mnt/tank/app-data/calibre:/config diff --git a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml index 8aeff73..d075255 100644 --- a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml +++ b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml 
@@ -5,7 +5,7 @@ services: environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - - TZ={{ TZ }} + - TZ={{ timezone }} ports: - 33377:80 restart: unless-stopped diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index e7ed1a0..9f3656b 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -6,7 +6,7 @@ services: environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - - TZ={{ TZ }} + - TZ={{ timezone }} - DOCKER_MODS=theorangeone/lsio-mod-more-processes:latest volumes: - "{{ app_data_dir }}/nextcloud/apps:/config/www/nextcloud/apps" diff --git a/ansible/roles/pve_docker/files/quassel/docker-compose.yml b/ansible/roles/pve_docker/files/quassel/docker-compose.yml index 122308a..d07501a 100644 --- a/ansible/roles/pve_docker/files/quassel/docker-compose.yml +++ b/ansible/roles/pve_docker/files/quassel/docker-compose.yml @@ -5,7 +5,7 @@ services: environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - - TZ={{ TZ }} + - TZ={{ timezone }} - DB_BACKEND=PostgreSQL - DB_PGSQL_USERNAME=quassel - DB_PGSQL_PASSWORD=quassel diff --git a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml index ed5a206..3c9e385 100644 --- a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml +++ b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml @@ -6,7 +6,7 @@ services: environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - - TZ={{ TZ }} + - TZ={{ timezone }} - DOCKER_MODS=theorangeone/lsio-mod-more-processes:latest - TTRSS_DB_USER=tt-rss diff --git a/ansible/roles/renovate/files/docker-compose.yml b/ansible/roles/renovate/files/docker-compose.yml index b46f20b..e633c36 100644 --- a/ansible/roles/renovate/files/docker-compose.yml +++ b/ansible/roles/renovate/files/docker-compose.yml 
@@ -5,7 +5,7 @@ services: command: /entrypoint.sh user: "{{ docker_user.id }}" environment: - - TZ={{ TZ }} + - TZ={{ timezone }} - GITHUB_COM_TOKEN={{ renovate_github_token }} - DOCKER_HOST=tcp://docker_proxy:2375 - LOG_LEVEL=debug # Noisy, but required for debugging diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index aff9920..cc9cc0c 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -7,7 +7,7 @@ services: environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - - TZ={{ TZ }} + - TZ={{ timezone }} volumes: - ./data:/app/data labels: diff --git a/scripts/ansible/lint.sh b/scripts/ansible/lint.sh index ebfe14e..8f9bc5a 100755 --- a/scripts/ansible/lint.sh +++ b/scripts/ansible/lint.sh @@ -4,10 +4,10 @@ set -e PATH=${PWD}/env/bin:${PATH} -set -x +yamllint -sc ansible/yamllint.yml ansible -yamllint -sc ansible/yamllint.yml ansible/ +cd ansible/ -ansible-lint ansible/main.yml -p -c ansible/.ansible-lint +ansible-lint -p -cd ansible/ && ansible-playbook main.yml --syntax-check +ansible-playbook main.yml --syntax-check From 89a99d2db299b7e547c9387bb06df632b4cbcfc3 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 11 Jan 2022 21:19:02 +0000 Subject: [PATCH 049/120] Make ansible a dev dependency It's required by `ansible-lint` to work properly --- ansible/dev-requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/dev-requirements.txt b/ansible/dev-requirements.txt index 16ed479..02bfca2 100644 --- a/ansible/dev-requirements.txt +++ b/ansible/dev-requirements.txt @@ -1,2 +1,3 @@ ansible-lint==5.3.2 yamllint==1.24.2 +ansible From 1348eb8b1c8979d093e40f9666e477a05b267fa1 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 11 Jan 2022 21:20:23 +0000 Subject: [PATCH 050/120] Prefent yourls redirect page being indexed --- ansible/roles/yourls/files/index.html | 1 + 1 file changed, 1 insertion(+) 
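Review bot: `ansible` is added to dev-requirements.txt without a version while the two entries above it are pinned exactly, so `pip install -r` resolves whatever `ansible` (and transitively `ansible-core`) the index serves on the day; that makes the lint run non-reproducible and lets a future release change lint results, or pull in an unexpected package, with no change in this repo. Pin it to the release that was tested with ansible-lint 5.3.2, `ansible==<tested version>`, and let Renovate bump it alongside the others.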
diff --git a/ansible/roles/yourls/files/index.html b/ansible/roles/yourls/files/index.html index 8e8085b..7f1407d 100644 --- a/ansible/roles/yourls/files/index.html +++ b/ansible/roles/yourls/files/index.html @@ -1,6 +1,7 @@ +

Redirecting to website...

From d5c7d94ac8251b60d34005a044365efb1dc6cc0d Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 15 Jan 2022 23:44:06 +0000 Subject: [PATCH 051/120] Run traefik as dockeruser, and without host networking This required port forwarding, a docker proxy, and a docker network, but the end result should be much more secure! --- ansible/roles/pages/files/docker-compose.yml | 9 ++++-- .../roles/plausible/files/docker-compose.yml | 7 +++++ .../roles/privatebin/files/docker-compose.yml | 7 +++++ .../files/calibre/docker-compose.yml | 7 +++++ .../files/librespeed/docker-compose.yml | 7 +++++ .../files/nextcloud/docker-compose.yml | 7 +++++ .../files/synapse/docker-compose.yml | 10 +++++++ .../files/tt-rss/docker-compose.yml | 7 +++++ .../files/wallabag/docker-compose.yml | 7 +++++ .../files/whoami/docker-compose.yml | 7 +++++ .../roles/traefik/files/docker-compose.yml | 29 ++++++++++++++++++- ansible/roles/traefik/files/traefik.yml | 7 +++-- ansible/roles/traefik/tasks/main.yml | 8 +++++ ansible/roles/upload/files/docker-compose.yml | 16 ++++++++++ .../uptime_kuma/files/docker-compose.yml | 7 +++++ .../vaultwarden/files/docker-compose.yml | 7 +++++ ansible/roles/yourls/files/docker-compose.yml | 7 +++++ 17 files changed, 150 insertions(+), 6 deletions(-) diff --git a/ansible/roles/pages/files/docker-compose.yml b/ansible/roles/pages/files/docker-compose.yml index b020d97..9673de3 100644 --- a/ansible/roles/pages/files/docker-compose.yml +++ b/ansible/roles/pages/files/docker-compose.yml @@ -19,12 +19,17 @@ services: - ./sites:/sites:ro restart: unless-stopped user: "{{ docker_user.id }}" - ports: - - 127.0.0.1:5000:5000 environment: - SITES_ROOT=/sites - TRAEFIK_SERVICE=traefik-pages-pages@docker - AUTH_PASSWORD={{ traefik_pages_password }} - TRAEFIK_CERT_RESOLVER=le + networks: + - default + - traefik labels: - traefik.enable=true + +networks: + traefik: + external: true 
diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index bc735cf..e992103 100644 --- a/ansible/roles/plausible/files/docker-compose.yml +++ b/ansible/roles/plausible/files/docker-compose.yml @@ -8,6 +8,9 @@ services: depends_on: - db - clickhouse + networks: + - default + - traefik labels: - traefik.enable=true - traefik.http.routers.plausible.rule=Host(`plausible.theorangeone.net`) @@ -52,3 +55,7 @@ services: environment: - POSTGRES_PASSWORD=plausible - POSTGRES_USER=plausible + +networks: + traefik: + external: true diff --git a/ansible/roles/privatebin/files/docker-compose.yml b/ansible/roles/privatebin/files/docker-compose.yml index 04e856f..2f719e3 100644 --- a/ansible/roles/privatebin/files/docker-compose.yml +++ b/ansible/roles/privatebin/files/docker-compose.yml @@ -12,3 +12,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.privatebin.rule=Host(`bin.theorangeone.net`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/calibre/docker-compose.yml b/ansible/roles/pve_docker/files/calibre/docker-compose.yml index 3e9c824..0ada5e6 100644 --- a/ansible/roles/pve_docker/files/calibre/docker-compose.yml +++ b/ansible/roles/pve_docker/files/calibre/docker-compose.yml @@ -13,3 +13,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.calibre.rule=Host(`calibre.jakehoward.tech`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml index d075255..82bce75 100644 --- a/ansible/roles/pve_docker/files/librespeed/docker-compose.yml +++ b/ansible/roles/pve_docker/files/librespeed/docker-compose.yml 
@@ -14,3 +14,10 @@ services: - traefik.http.routers.librespeed.rule=Host(`speed.jakehoward.tech`) - traefik.http.routers.librespeed.middlewares=librespeed-auth@docker - traefik.http.middlewares.librespeed-auth.basicauth.users={{ librespeed_basicauth }} + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index 9f3656b..32ea086 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -26,6 +26,9 @@ services: - traefik.http.services.nextcloud-nextcloud.loadbalancer.server.scheme=https - traefik.http.middlewares.nextcloud-hsts.headers.stsseconds=15552000 - traefik.http.routers.nextcloud.middlewares=nextcloud-hsts@docker + networks: + - default + - traefik mariadb: image: mariadb:10.5 @@ -43,3 +46,7 @@ services: restart: unless-stopped volumes: - /mnt/tank/dbs/redis/nextcloud:/data + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 521ef72..362fc60 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -18,6 +18,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) + networks: + - default + - traefik db: image: postgres:14-alpine @@ -43,3 +46,10 @@ services: - traefik.http.routers.synapse-admin.rule=Host(`matrix.jakehoward.tech`) && PathPrefix(`/admin`) - traefik.http.middlewares.synapse-admin-path.stripprefix.prefixes=/admin - traefik.http.routers.synapse-admin.middlewares=synapse-admin-path@docker + networks: + - default + - traefik + +networks: + traefik: + external: true 
diff --git a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml index 3c9e385..71a850f 100644 --- a/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml +++ b/ansible/roles/pve_docker/files/tt-rss/docker-compose.yml @@ -27,6 +27,9 @@ services: - db tmpfs: - /config/log + networks: + - default + - traefik db: image: postgres:14-alpine @@ -36,3 +39,7 @@ services: environment: - POSTGRES_PASSWORD=tt-rss - POSTGRES_USER=tt-rss + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml index a88c42e..64df922 100644 --- a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml +++ b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml @@ -15,9 +15,16 @@ services: - traefik.http.routers.wallabag.rule=Host(`wallabag.jakehoward.tech`) depends_on: - redis + networks: + - default + - traefik redis: image: redis:6-alpine restart: unless-stopped volumes: - /mnt/tank/dbs/redis/wallabag:/data + +networks: + traefik: + external: true diff --git a/ansible/roles/pve_docker/files/whoami/docker-compose.yml b/ansible/roles/pve_docker/files/whoami/docker-compose.yml index 2bf9a7b..0c1cd24 100644 --- a/ansible/roles/pve_docker/files/whoami/docker-compose.yml +++ b/ansible/roles/pve_docker/files/whoami/docker-compose.yml @@ -7,3 +7,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`who.0rng.one`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml index fc73942..bb7cade 100644 --- a/ansible/roles/traefik/files/docker-compose.yml +++ b/ansible/roles/traefik/files/docker-compose.yml 
@@ -3,7 +3,7 @@ version: "2.3" services: traefik: image: traefik:v2.5 - network_mode: host + user: "{{ docker_user.id }}" environment: - CF_DNS_API_TOKEN={{ cloudflare_api_token }} volumes: @@ -11,3 +11,30 @@ services: - /tmp/traefik-logs:/var/log/traefik - ./traefik:/etc/traefik restart: unless-stopped + ports: + - 80:80 + - 443:443 + - "{{ private_ip }}:8080:8080" + depends_on: + - docker_proxy + networks: + - default + - traefik + - proxy_private + + docker_proxy: + image: tecnativa/docker-socket-proxy:latest + restart: unless-stopped + environment: + - CONTAINERS=1 + - INFO=1 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - proxy_private + +networks: + traefik: + external: true + proxy_private: + internal: true diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml index 48481f4..e0d0069 100644 --- a/ansible/roles/traefik/files/traefik.yml +++ b/ansible/roles/traefik/files/traefik.yml @@ -32,21 +32,22 @@ entryPoints: - "{{ pve_hosts.internal_cidr }}" - "{{ nebula.cidr }}" traefik: - address: "{{ private_ip }}:8080" + address: :8080 ping: {} providers: docker: - endpoint: unix:///var/run/docker.sock + endpoint: tcp://docker_proxy:2375 watch: true exposedByDefault: false + network: traefik file: directory: /etc/traefik/conf {% if with_traefik_pages %} http: endpoint: - - "http://{{ traefik_pages_password }}@127.0.0.1:5000/.traefik-pages/provider" + - "http://{{ traefik_pages_password }}@traefik-pages:5000/.traefik-pages/provider" {% endif %} api: diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml index 5246076..df0e3ae 100644 --- a/ansible/roles/traefik/tasks/main.yml +++ b/ansible/roles/traefik/tasks/main.yml @@ -1,3 +1,9 @@ +- name: Create network + docker_network: + name: traefik + internal: true + become: true + - name: Create install directory file: path: /opt/traefik 
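Review bot: `tecnativa/docker-socket-proxy:latest` is the only image in this file left unpinned, and it is the component that now mediates Traefik's access to the Docker API; pin it to a tag or digest the way `traefik:v2.5` is, so an upstream change to the proxy cannot silently widen what `CONTAINERS=1`/`INFO=1` expose. The `80:80` and `443:443` entries are safe as plain scalars (the YAML sexagesimal trap only affects values under 60), but quoting them like the `"{{ private_ip }}:8080:8080"` line would keep the list uniform and survive a future edit to a low port.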
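Review bot: Changing the `traefik` entryPoint from `"{{ private_ip }}:8080"` to `:8080` makes it listen on every interface inside the container, so the host-side `{{ private_ip }}:8080:8080` publish restricts access from the LAN but any container on the shared `traefik` network can reach `traefik:8080` directly. If the dashboard/API is served on that entryPoint (the `api:` block is cut off at the end of the hunk), it is now reachable from every app container this commit attaches to that network. Since the listen address can no longer do the restricting, either put an `ipWhiteList` middleware in front of whatever uses it or record the exposure next to the entryPoint, e.g. `# :8080 is reachable from every container on the traefik network, not just private_ip`.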
@@ -11,6 +17,7 @@ path: /opt/traefik/traefik/ state: directory mode: "{{ docker_compose_directory_mask }}" + owner: "{{ docker_user.name }}" become: true - name: Create file provider directory @@ -18,6 +25,7 @@ path: /opt/traefik/traefik/conf state: directory mode: "{{ docker_compose_directory_mask }}" + owner: "{{ docker_user.name }}" become: true - name: Install compose file diff --git a/ansible/roles/upload/files/docker-compose.yml b/ansible/roles/upload/files/docker-compose.yml index 2b72265..a952958 100644 --- a/ansible/roles/upload/files/docker-compose.yml +++ b/ansible/roles/upload/files/docker-compose.yml @@ -12,6 +12,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.upload.rule=Host(`upload.theorangeone.net`) + networks: + - default + - traefik img: image: ghcr.io/realorangeone/static-server:latest @@ -23,6 +26,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.img.rule=Host(`img.theorangeone.net`) || Host(`img.0rng.one`) + networks: + - default + - traefik bg: image: ghcr.io/realorangeone/static-server:latest @@ -35,6 +41,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.bg.rule=Host(`bg.theorangeone.net`) + networks: + - default + - traefik dl: image: ghcr.io/realorangeone/static-server:latest @@ -46,3 +55,10 @@ services: labels: - traefik.enable=true - traefik.http.routers.dl.rule=Host(`dl.theorangeone.net`) || Host(`dl.0rng.one`) + networks: + - default + - traefik + +networks: + traefik: + external: true diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index cc9cc0c..198c6d4 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml 
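Review bot: Handing `/opt/traefik/traefik` and `/opt/traefik/traefik/conf` to `{{ docker_user.name }}` covers the `./traefik:/etc/traefik` mount, but the compose file in this commit also mounts `/tmp/traefik-logs:/var/log/traefik`, and nothing in the diffstat creates that path with matching ownership; with Traefik now running as `user: "{{ docker_user.id }}"` rather than root, a root-owned log directory would presumably leave the access log unwritable. If it is created elsewhere (the tasks before this hunk are outside the view), a comment on the mount saying so would help; otherwise add a `file:` task for it with the same `owner:`. The ACME storage for the `le` resolver lives somewhere under `/etc/traefik` and also needs to be writable by that uid for issuance to keep working — I cannot see its path from the hunk.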
@@ -8,8 +8,15 @@ services: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} - TZ={{ timezone }} + networks: + - default + - traefik volumes: - ./data:/app/data labels: - traefik.enable=true - traefik.http.routers.uptime-kuma.rule=Host(`status.theorangeone.net`) + +networks: + traefik: + external: true diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml index 4c77e9f..3ac27e2 100644 --- a/ansible/roles/vaultwarden/files/docker-compose.yml +++ b/ansible/roles/vaultwarden/files/docker-compose.yml @@ -35,6 +35,9 @@ services: - INVITATIONS_ALLOWED=false - ROCKET_WORKERS={{ ansible_processor_nproc // 2 }} - WEBSOCKET_ENABLED=true + networks: + - default + - traefik db: image: postgres:14-alpine @@ -44,3 +47,7 @@ services: environment: - POSTGRES_PASSWORD={{ vaultwarden_database_password }} - POSTGRES_USER=vaultwarden + +networks: + traefik: + external: true diff --git a/ansible/roles/yourls/files/docker-compose.yml b/ansible/roles/yourls/files/docker-compose.yml index 8af36a8..be589ac 100644 --- a/ansible/roles/yourls/files/docker-compose.yml +++ b/ansible/roles/yourls/files/docker-compose.yml @@ -18,6 +18,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.yourls.rule=Host(`0rng.one`) + networks: + - default + - traefik mariadb: image: mariadb:10.7 @@ -29,3 +32,7 @@ services: volumes: - /mnt/tank/dbs/mariadb/yourls:/var/lib/mysql restart: unless-stopped + +networks: + traefik: + external: true From 6c0314b7581038687f473667a4a63b7127562743 Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Sun, 16 Jan 2022 14:08:29 +0000 Subject: [PATCH 052/120] Add an nginx container to do crazy things with traefik --- ansible/roles/traefik/files/docker-compose.yml | 9 +++++++++ .../roles/traefik/files/file-provider-main.yml | 4 ++++ ansible/roles/traefik/files/nginx.conf | 14 ++++++++++++++ ansible/roles/traefik/files/traefik.yml | 1 + ansible/roles/traefik/tasks/main.yml | 15 +++++++++++++++ 5 files changed, 43 insertions(+) create mode 100644 ansible/roles/traefik/files/nginx.conf diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml index bb7cade..30e3186 100644 --- a/ansible/roles/traefik/files/docker-compose.yml +++ b/ansible/roles/traefik/files/docker-compose.yml @@ -17,6 +17,7 @@ services: - "{{ private_ip }}:8080:8080" depends_on: - docker_proxy + - nginx networks: - default - traefik @@ -33,6 +34,14 @@ services: networks: - proxy_private + shenanigans: + image: nginx:alpine + restart: unless-stopped + volumes: + - /opt/traefik/nginx.conf:/etc/nginx/conf.d/default.conf:ro + networks: + - proxy_private + networks: traefik: external: true diff --git a/ansible/roles/traefik/files/file-provider-main.yml b/ansible/roles/traefik/files/file-provider-main.yml index 013625a..9db0547 100644 --- a/ansible/roles/traefik/files/file-provider-main.yml +++ b/ansible/roles/traefik/files/file-provider-main.yml @@ -8,3 +8,7 @@ http: headers: customResponseHeaders: Permissions-Policy: interest-cohort=() + + shenanigans: + forwardAuth: + address: http://shenanigans diff --git a/ansible/roles/traefik/files/nginx.conf b/ansible/roles/traefik/files/nginx.conf new file mode 100644 index 0000000..9b40f9e --- /dev/null +++ b/ansible/roles/traefik/files/nginx.conf 
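Review bot: `depends_on` now lists `nginx`, but the service added in the next hunk is named `shenanigans`; Compose rejects a `depends_on` entry that names an undefined service, so this file will not come up as committed. Change the entry to `- shenanigans` (or rename the service to `nginx` so that it matches the mounted `nginx.conf` and the commit message). The `forwardAuth` address in `file-provider-main.yml`, `http://shenanigans`, already uses the service name, so the compose entry is the odd one out.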
@@ -0,0 +1,14 @@ +# NOTE: Use `$http_x_forwarded_host` intead of `$host`. + +server { + listen 80 default_server; + + # Get IP correctly + real_ip_header X-Forwarded-For; + set_real_ip_from 0.0.0.0/0; + + # Allow everything through by default + location / { + return 200; + } +} diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml index e0d0069..1b74ffd 100644 --- a/ansible/roles/traefik/files/traefik.yml +++ b/ansible/roles/traefik/files/traefik.yml @@ -17,6 +17,7 @@ entryPoints: middlewares: - floc-block@file - compress@file + - shenanigans@file tls: certresolver: le domains: diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml index df0e3ae..2ff67af 100644 --- a/ansible/roles/traefik/tasks/main.yml +++ b/ansible/roles/traefik/tasks/main.yml @@ -106,3 +106,18 @@ - name: fail2ban include: fail2ban.yml when: with_fail2ban + +- name: Check for nginx config + stat: + path: /opt/traefik/nginx.conf + register: nginx_file + become: true + +- name: Create nginx config, if it doesn't exist already + template: + src: files/nginx.conf + dest: /opt/traefik/nginx.conf + mode: "0600" + when: not nginx_file.stat.exists + notify: restart traefik + become: true From 5cc552d0ebb5391ef6121ebc248ebb5a4458c768 Mon Sep 17 00:00:00 2001 
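Review bot: `set_real_ip_from 0.0.0.0/0;` tells nginx to trust `X-Forwarded-For` from any peer, which is only sound because the `shenanigans` service is attached solely to the internal `proxy_private` network in the compose file, making Traefik its only possible client; that dependency should be written next to the directive, e.g. `# Trusts any peer: this container is only reachable from traefik over proxy_private`. If the service is ever attached to another network, narrow this to that network's range. The first-line note also has a typo, `intead` for `instead`.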
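Review bot: The `stat` task plus `when: not nginx_file.stat.exists` is what `template`'s `force: false` already does; a single `template` task with `force: false` keeps the create-once behaviour and drops the `register`. With either form, later edits to `files/nginx.conf` in the repo never reach a host that already has the file, so the role silently diverges from the repository over time — a comment on the task such as `# Created once; edited in place on the host, not re-managed from the repo` would spare the next reader a surprise. For the same reason the `restart traefik` handler only fires on first creation.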
From: Jake Howard Date: Sun, 16 Jan 2022 16:55:40 +0000 Subject: [PATCH 053/120] Add container to automatically backup DBs --- ansible/host_vars/decker/vault.yml | 19 ++++---- ansible/host_vars/forrest/vault.yml | 9 ++++ ansible/host_vars/grimes/vault.yml | 19 ++++---- .../{pve-docker.yml => pve-docker/main.yml} | 2 + ansible/host_vars/pve-docker/vault.yml | 9 ++++ ansible/host_vars/walker/vault.yml | 19 ++++---- ansible/main.yml | 9 ++++ .../roles/db_auto_backup/defaults/main.yml | 1 + .../db_auto_backup/files/docker-compose.yml | 11 +++++ .../roles/db_auto_backup/handlers/main.yml | 4 ++ ansible/roles/db_auto_backup/tasks/main.yml | 17 +++++++ ansible/roles/db_auto_backup/vars/main.yml | 1 + .../files/docker-utils/db-backup | 45 ------------------- .../roles/traefik/files/docker-compose.yml | 2 +- 14 files changed, 97 insertions(+), 70 deletions(-) create mode 100644 ansible/host_vars/forrest/vault.yml rename ansible/host_vars/{pve-docker.yml => pve-docker/main.yml} (83%) create mode 100644 ansible/host_vars/pve-docker/vault.yml create mode 100644 ansible/roles/db_auto_backup/defaults/main.yml create mode 100644 ansible/roles/db_auto_backup/files/docker-compose.yml create mode 100644 ansible/roles/db_auto_backup/handlers/main.yml create mode 100644 ansible/roles/db_auto_backup/tasks/main.yml create mode 100644 ansible/roles/db_auto_backup/vars/main.yml delete mode 100755 ansible/roles/docker_cleanup/files/docker-utils/db-backup diff --git a/ansible/host_vars/decker/vault.yml b/ansible/host_vars/decker/vault.yml index 653f1bf..ce7903a 100644 --- a/ansible/host_vars/decker/vault.yml +++ b/ansible/host_vars/decker/vault.yml 
@@ -1,9 +1,12 @@ $ANSIBLE_VAULT;1.1;AES256 -64386132336631373533383835363066313631666162666662376665643434333935666334393633 -6662663138396139626663313961303265633535653439330a393732323931653137626638313765 -34343931396166363338346431616632326263653663326537386561646466633835343663323534 -3833653734373962610a383238623138636164623732336165613930323364346333646338383566 -62633532343063653665363663356461383134333439636230333839646331626239346438306636 -62373262663730343963643061383262356437346535323031326539663637636432376463643666 -33616463326261326336316331373331613635613036636235643934646466306530653363303266 -33393864386538656234 +37326662353562626466613939643162346663306230333066323231346233633561363932313364 +6636326134326435356161653231643666343432373133380a623161326465613235626236623062 +63303436626538646432323337343062376235363734623935663135666531306562616630343835 +6537356330336261360a666166366663633937326534616534316531366136613237633035383738 +38333832653935623637333437386531353831616130656532356662363765306439633464626661 +66386538336266353538356431393162373763383734633638323866396434363465303866303163 +31366566316338636239313539343465343336376435633834396239643535663563373832303331 +35643966653666653538626236663437616164653764323562346238663538396233636233326165 +62373633383539353237376130363334373936623532653538326366366261613833383734376330 +34393234393461346137336561363264613139616161333239363334346465323234376661616166 +656331326539323739626633376662613564 diff --git a/ansible/host_vars/forrest/vault.yml b/ansible/host_vars/forrest/vault.yml new file mode 100644 index 0000000..eacb481 --- /dev/null +++ b/ansible/host_vars/forrest/vault.yml 
@@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +36376462326539663933303664633661303163333865656435356465373264626366336137303563 +6239643535636538636434313739303030333162613635610a643831613934643631306232613130 +65386166663136646161643133643238643033363533616664653565313463396138663839353131 +3637333263663333610a653361336264313835383239396662626462353239616165626134666663 +36386234633039653431343564653463376561306430663939663338646665616532393364363363 +38613034393265376133366232386662373634623662613762653439633931323634613838656262 +30623763366362653834636161646339393933346134613132623365656363373165323633663432 +37636538383734646363 diff --git a/ansible/host_vars/grimes/vault.yml b/ansible/host_vars/grimes/vault.yml index 4866140..22839fb 100644 --- a/ansible/host_vars/grimes/vault.yml +++ b/ansible/host_vars/grimes/vault.yml 
@@ -1,9 +1,12 @@ $ANSIBLE_VAULT;1.1;AES256 -61636635633634366161363765363961396430313436353337616466653964373464633236663631 -3066653963336137343065343631623730653536343934660a666662306464313738636163316131 -66386565303630376663643330396630303832323839366164303061303331636362306236396131 -3136326432323939380a373764616161623333343834623566663139396139323561323463376330 -39386531373266353063316566366636363538663865373638643736366135373937313030373630 -36303166643533653038323466353230383464353130323233333838656432343931643035663535 -66383332363762353832316535663234373066386662656135343564353363303232613766313563 -32336561313639366461 +35343036383263323932663736373236313935646135656437646566373637373933643631663466 +3234633065393161663761323330626230383633643865610a663064313938353131663833633534 +63353431633763313731316564363863343232623663383366386133383035343465383935626464 +3661373034663330360a653734363033663531383338343239636263626162353036333964383862 +38316636653961643638386162323466643032646663383866306565636234333431366538613930 +65376137353932393931333366373962663939656664373536653063666534653631663964366466 +61316232663430346237343165363461396661343836316137326238313437356562333038306235 +38613732356434326637383832303636666162316333366564346562656530343461326662666230 +63663535616461646539623863373631383630313533623138613530383334333939366638653131 +61666539316263396666616264636533633035393937623332653632663130326630303337643439 +336466346361336239333938636239306563 diff --git a/ansible/host_vars/pve-docker.yml b/ansible/host_vars/pve-docker/main.yml similarity index 83% rename from ansible/host_vars/pve-docker.yml rename to ansible/host_vars/pve-docker/main.yml index 50265cb..3da7c38 100644 --- a/ansible/host_vars/pve-docker.yml +++ b/ansible/host_vars/pve-docker/main.yml @@ -6,3 +6,5 @@ traefik_provider_grafana: true traefik_provider_gitlab: true with_fail2ban: true + +db_backups_dir: /mnt/tank/dbs/backups 
diff --git a/ansible/host_vars/pve-docker/vault.yml b/ansible/host_vars/pve-docker/vault.yml new file mode 100644 index 0000000..b7c98ce --- /dev/null +++ b/ansible/host_vars/pve-docker/vault.yml @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +35383562343262633962376665646331613539666465663661376361306439366662646439376561 +6139303637323938303537313331353937636631396537630a626362383465336661636431373163 +36666665373636353263636366303064386262653038396338396532376363616236623430363431 +3965653231323338360a396635666137343865373063376639333735323434346136663636396533 +65616465633839663335666236383039356334353561343830363264353532326530326565323339 +61643637663966626264626166663639666465383063333266353064396565653564623735663939 +35646461393163633639326563353835313762353166346237383430336632353761623438353930 +61333536343662396331 diff --git a/ansible/host_vars/walker/vault.yml b/ansible/host_vars/walker/vault.yml index 0f34a25..90dcecb 100644 --- a/ansible/host_vars/walker/vault.yml +++ b/ansible/host_vars/walker/vault.yml 
@@ -1,9 +1,12 @@ $ANSIBLE_VAULT;1.1;AES256 -63343332346238306230643233623336383766656433366339346331653036633636666238613764 -3431336432616166386462346532633664616562636136630a613836643565633962656432653333 -65356132316139363261373961663930383131393535633861343734393666326665653931663036 -3632613637663132360a373266303662623739633831613764313061616239303135386630616638 -62323930366166326433363835316536646363616431653566306363323736343761643038346262 -39316564333435663539653563653737333730616131393766643964303536373235323430616261 -39306535356562313133653337383762373636373234363732636266613165333439356334383661 -39343333303337363766 +65616232306563653238306536316238353432656365303665343830323833376436303231646230 +6633613632646639326266333639663734326135373165660a616534353763643737646363363635 +35316462343935666362313735376164343238313564366232346330313565613039643735626535 +3335366566303730640a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diff --git a/ansible/main.yml b/ansible/main.yml index 402db44..2ac5f98 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -43,6 +43,15 @@ - "{{ user }}" - docker_cleanup +- hosts: + - pve-docker + - forrest + - walker + - grimes + - decker + roles: + - db_auto_backup + - hosts: - pve-docker - walker diff --git a/ansible/roles/db_auto_backup/defaults/main.yml b/ansible/roles/db_auto_backup/defaults/main.yml new file mode 100644 index 0000000..a766fd8 --- /dev/null +++ b/ansible/roles/db_auto_backup/defaults/main.yml @@ -0,0 +1 @@ +db_backups_dir: ./backups diff --git a/ansible/roles/db_auto_backup/files/docker-compose.yml b/ansible/roles/db_auto_backup/files/docker-compose.yml new file mode 100644 index 0000000..bdd7f47 --- /dev/null +++ b/ansible/roles/db_auto_backup/files/docker-compose.yml 
@@ -0,0 +1,11 @@ +version: "2.3" + +services: + backup: + image: ghcr.io/realorangeone/db-auto-backup:latest + restart: unless-stopped + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - "{{ db_backups_dir }}:/var/backups" + environment: + - HEALTHCHECKS_ID={{ db_auto_backup_healthchecks_id }} diff --git a/ansible/roles/db_auto_backup/handlers/main.yml b/ansible/roles/db_auto_backup/handlers/main.yml new file mode 100644 index 0000000..e1be2cc --- /dev/null +++ b/ansible/roles/db_auto_backup/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart db-auto-backup + shell: + chdir: /opt/db-auto-backup + cmd: "{{ docker_update_command }}" diff --git a/ansible/roles/db_auto_backup/tasks/main.yml b/ansible/roles/db_auto_backup/tasks/main.yml new file mode 100644 index 0000000..cc6fd8c --- /dev/null +++ b/ansible/roles/db_auto_backup/tasks/main.yml @@ -0,0 +1,17 @@ +- name: Create install directory + file: + path: /opt/db-auto-backup + state: directory + owner: "{{ docker_user.name }}" + mode: "{{ docker_compose_directory_mask }}" + become: true + +- name: Install compose file + template: + src: files/docker-compose.yml + dest: /opt/db-auto-backup/docker-compose.yml + mode: "{{ docker_compose_file_mask }}" + owner: "{{ docker_user.name }}" + validate: docker-compose -f %s config + notify: restart db-auto-backup + become: true diff --git a/ansible/roles/db_auto_backup/vars/main.yml b/ansible/roles/db_auto_backup/vars/main.yml new file mode 100644 index 0000000..afa6846 --- /dev/null +++ b/ansible/roles/db_auto_backup/vars/main.yml @@ -0,0 +1 @@ +db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}" diff --git a/ansible/roles/docker_cleanup/files/docker-utils/db-backup b/ansible/roles/docker_cleanup/files/docker-utils/db-backup deleted file mode 100755 index 11ac011..0000000 --- a/ansible/roles/docker_cleanup/files/docker-utils/db-backup +++ /dev/null 
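Review bot: Mounting `/var/run/docker.sock` read-only does not limit what the container can do: `:ro` only prevents replacing the socket file, and every Docker API call (including `exec` into the database containers, which is what a dump needs) still works, so this container is root-equivalent on the host. That is the same exposure the traefik role moved behind `tecnativa/docker-socket-proxy` earlier in this series; whether a proxy is practical here depends on which endpoints the backup image uses, but at minimum the `ghcr.io/realorangeone/db-auto-backup:latest` tag should be pinned, since an unpinned image with full socket access is the largest trust grant among these compose files. A comment at the mount, e.g. `# :ro does not restrict the API; this container has full control of the Docker daemon`, records the trade-off.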
@@ -1,45 +0,0 @@ -#!/usr/bin/env bash - -BACKUP_DIR=$1 - -if [ -z "$BACKUP_DIR" ] - then - echo "No backup dir" -fi - -all_containers=$(docker ps --format "{{.ID}}:{{ .Image }}") - -for line in $all_containers -do - IFS=':' read -a container_details <<< $line - - container_name=${container_details[1]} - container_id=${container_details[0]} - - case "$container_name" in - "mariadb") - db_name=$(docker exec $container_id bash -c 'echo $MYSQL_USER') - echo Backing up mariadb $db_name - docker exec $container_id bash -c 'mysqldump -u $MYSQL_USER -p$MYSQL_PASSWORD --all-databases' | pv > $BACKUP_DIR/$db_name.sql - ;; - - "postgres") - db_name=$(docker exec $container_id bash -c 'echo $POSTGRES_USER') - echo Backing up postgres $db_name - docker exec $container_id bash -c 'PGPASSWORD=$POSTGRES_PASSWORD pg_dumpall -U $POSTGRES_USER' | pv > $BACKUP_DIR/$db_name.sql - ;; - "yandex/clickhouse-server") - # Hardcode for plausible - tables=$(docker exec $container_id clickhouse-client --query "SELECT name FROM system.tables where database == 'plausible';") - for table in $tables - do - echo Backing up clickhouse table $table - docker exec $container_id clickhouse-client --query "SELECT * FROM plausible.$table" --format CSVWithNames | pv > $BACKUP_DIR/plausible-$table.csv - done - ;; - - esac -done - -echo "Setting user permissions..." -chown -R root:root $BACKUP_DIR diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml index 30e3186..2786a7a 100644 --- a/ansible/roles/traefik/files/docker-compose.yml +++ b/ansible/roles/traefik/files/docker-compose.yml @@ -17,7 +17,7 @@ services: - "{{ private_ip }}:8080:8080" depends_on: - docker_proxy - - nginx + - shenanigans networks: - default - traefik From a07b1dbad570062d5a4f5bbd371d28785ada27f0 Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Sun, 16 Jan 2022 17:56:13 +0000 Subject: [PATCH 054/120] Ensure grimes backs up its databases --- ansible/host_vars/grimes/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/host_vars/grimes/main.yml b/ansible/host_vars/grimes/main.yml index 982dbf8..7e1bdad 100644 --- a/ansible/host_vars/grimes/main.yml +++ b/ansible/host_vars/grimes/main.yml @@ -24,6 +24,7 @@ restic_backup_locations: - /var/lib/dokku/config - /var/lib/dokku/data - /var/lib/dokku/services + - /opt/db-auto-backup/backups restic_backup_excludes: - /home/dokku/**/cache # Caches are big, don't need those From 9404f71dc6298e28c4a560ba56d7b2a2509d3889 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 16 Jan 2022 17:56:45 +0000 Subject: [PATCH 055/120] Remove old DB backups dir from backups --- ansible/host_vars/decker/main.yml | 1 - ansible/host_vars/walker/main.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/ansible/host_vars/decker/main.yml b/ansible/host_vars/decker/main.yml index 5e80d54..f3e016e 100644 --- a/ansible/host_vars/decker/main.yml +++ b/ansible/host_vars/decker/main.yml @@ -1,4 +1,3 @@ restic_backup_locations: - /opt - - "{{ home }}/db-backups" restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}" diff --git a/ansible/host_vars/walker/main.yml b/ansible/host_vars/walker/main.yml index 051f12b..d01eb67 100644 --- a/ansible/host_vars/walker/main.yml +++ b/ansible/host_vars/walker/main.yml @@ -2,5 +2,4 @@ with_traefik_pages: true restic_backup_locations: - /opt - - "{{ home }}/db-backups" restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}" From af07840de79a22846fee3ee6fda04254725210a1 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 19 Jan 2022 08:19:51 +0000 Subject: [PATCH 056/120] Harden SPF --- terraform/jakehoward.tech.tf | 2 +- terraform/theorangeone.net.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/jakehoward.tech.tf b/terraform/jakehoward.tech.tf index 02dcf85..76df96d 100644 
--- a/terraform/jakehoward.tech.tf +++ b/terraform/jakehoward.tech.tf @@ -23,7 +23,7 @@ resource "cloudflare_record" "jakehowardtech_mx2" { resource "cloudflare_record" "jakehowardtech_txt" { zone_id = cloudflare_zone.jakehowardtech.id name = "@" - value = "v=spf1 include:spf.messagingengine.com ?all" + value = "v=spf1 include:spf.messagingengine.com ~all" type = "TXT" ttl = 1 } diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf index 3a3eddc..45f6597 100644 --- a/terraform/theorangeone.net.tf +++ b/terraform/theorangeone.net.tf @@ -39,7 +39,7 @@ resource "cloudflare_record" "theorangeonenet_mx2" { resource "cloudflare_record" "theorangeonenet_txt" { zone_id = cloudflare_zone.theorangeonenet.id name = "@" - value = "v=spf1 include:spf.messagingengine.com ?all" + value = "v=spf1 include:spf.messagingengine.com ~all" type = "TXT" ttl = 1 } From 619d5bfa7b18a16fe7b93eecee1665f998331d66 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 19 Jan 2022 08:29:56 +0000 Subject: [PATCH 057/120] Give every cloud machine its own cname --- terraform/casey_vps.tf | 7 ++++++- terraform/decker_vps.tf | 5 +++++ terraform/grimes_vps.tf | 7 ++++++- terraform/sys_domains.tf | 31 +++++++++++++++++++++++++++++++ terraform/walker_vps.tf | 7 ++++++- 5 files changed, 54 insertions(+), 3 deletions(-) create mode 100644 terraform/sys_domains.tf diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf index 60ab3de..ca20147 100644 --- a/terraform/casey_vps.tf +++ b/terraform/casey_vps.tf @@ -11,10 +11,15 @@ module "casey_firewall" { ] } - resource "vultr_instance" "casey" { plan = "" # On a plan unsupported by API region = "lhr" hostname = "casey" firewall_group_id = module.casey_firewall.firewall_group.id } + +resource "vultr_reverse_ipv4" "casey_reverse_ipv4" { + instance_id = vultr_instance.casey.id + ip = vultr_instance.casey.main_ip + reverse = "casey.sys.theorangeone.net" +} 
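Review bot: `~all` is SPF softfail, which receivers generally treat as "accept and annotate" rather than reject, so on its own the hardening is partial; how far it goes depends on whether a DMARC record is published for the zone, which is not visible in this diff. With DMARC at `p=reject`, a softfail already makes unaligned mail fail DMARC and `~all` is the commonly recommended form; without DMARC, `-all` is the only way to ask receivers to reject outright. The same change is made in `theorangeone.net.tf` in this commit. If `~all` is the deliberate stopping point, a comment on the record such as `# softfail; tighten to -all once DMARC reports confirm every sender is covered` makes the intent explicit.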
diff --git a/terraform/decker_vps.tf b/terraform/decker_vps.tf index 33d7e9d..44a6ed3 100644 --- a/terraform/decker_vps.tf +++ b/terraform/decker_vps.tf @@ -38,3 +38,8 @@ resource "linode_firewall" "decker" { ipv6 = ["::/0"] } } + +resource "linode_rdns" "decker_reverse_ipv4" { + address = linode_instance.decker.ip_address + rdns = "decker.sys.theorangeone.net" +} diff --git a/terraform/grimes_vps.tf b/terraform/grimes_vps.tf index 42ab870..aedbf3f 100644 --- a/terraform/grimes_vps.tf +++ b/terraform/grimes_vps.tf @@ -8,10 +8,15 @@ module "grimes_firewall" { ] } - resource "vultr_instance" "grimes" { plan = "vhf-1c-1gb" region = "lhr" hostname = "grimes" firewall_group_id = module.grimes_firewall.firewall_group.id } + +resource "vultr_reverse_ipv4" "grimes_reverse_ipv4" { + instance_id = vultr_instance.grimes.id + ip = vultr_instance.grimes.main_ip + reverse = "grimes.sys.theorangeone.net" +} diff --git a/terraform/sys_domains.tf b/terraform/sys_domains.tf new file mode 100644 index 0000000..f46c677 --- /dev/null +++ b/terraform/sys_domains.tf @@ -0,0 +1,31 @@ +resource "cloudflare_record" "sys_domain_casey" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "casey.sys" + value = vultr_instance.casey.main_ip + type = "A" + ttl = 1 +} + +resource "cloudflare_record" "sys_domain_walker" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "walker.sys" + value = vultr_instance.walker.main_ip + type = "A" + ttl = 1 +} + +resource "cloudflare_record" "sys_domain_grimes" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "grimes.sys" + value = vultr_instance.grimes.main_ip + type = "A" + ttl = 1 +} + +resource "cloudflare_record" "sys_domain_decker" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "decker.sys" + value = linode_instance.decker.ip_address + type = "A" + ttl = 1 +} diff --git a/terraform/walker_vps.tf b/terraform/walker_vps.tf index a639a2d..9736b20 100644 --- a/terraform/walker_vps.tf +++ b/terraform/walker_vps.tf 
@@ -8,10 +8,15 @@ module "walker_firewall" { ] } - resource "vultr_instance" "walker" { plan = "vhf-1c-1gb" region = "lhr" hostname = "walker" firewall_group_id = module.walker_firewall.firewall_group.id } + +resource "vultr_reverse_ipv4" "walker_reverse_ipv4" { + instance_id = vultr_instance.walker.id + ip = vultr_instance.walker.main_ip + reverse = "walker.sys.theorangeone.net" +} From 1db289b604c0456a7a12ecbc7a9a9eedd088a649 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 19 Jan 2022 09:00:20 +0000 Subject: [PATCH 058/120] Show domain in logs rather than upstream The upstream is always the same, and no use to us --- ansible/roles/gateway/files/nginx.conf | 6 ++++-- ansible/roles/ingress/files/nginx.conf | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ansible/roles/gateway/files/nginx.conf b/ansible/roles/gateway/files/nginx.conf index 4cbd321..3f53ada 100644 --- a/ansible/roles/gateway/files/nginx.conf +++ b/ansible/roles/gateway/files/nginx.conf @@ -36,15 +36,17 @@ stream { log_format access '$remote_addr [$time_local] ' '$protocol $status $bytes_sent $bytes_received ' - '$session_time "$upstream_addr" ' + '$session_time "$ssl_preread_server_name" ' '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'; - log_format ips '$remote_addr [$time_local] $upstream_addr'; + log_format ips '$remote_addr [$time_local] $ssl_preread_server_name'; access_log /var/log/nginx/access.log access; access_log /var/log/nginx/ips.log ips; + ssl_preread on; + server { listen 443; listen 8448; diff --git a/ansible/roles/ingress/files/nginx.conf b/ansible/roles/ingress/files/nginx.conf index dc5296b..d3d8e6a 100644 --- a/ansible/roles/ingress/files/nginx.conf +++ b/ansible/roles/ingress/files/nginx.conf 
@@ -35,11 +35,13 @@ stream { log_format access '$remote_addr [$time_local] ' '$protocol $status $bytes_sent $bytes_received ' - '$session_time "$upstream_addr" ' + '$session_time "$ssl_preread_server_name" ' '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'; access_log /var/log/nginx/access.log access; + ssl_preread on; + # Internal LAN route server { listen 443; From c1319a134a4975d1ba715e3fa333da2e467f40ce Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 20 Jan 2022 17:43:56 +0000 Subject: [PATCH 059/120] Forget snapshots in groups by host By default, it includes the path, which means path changes result in very old snapshots https://twitter.com/RealOrangeOne/status/1484217495124852748 --- ansible/roles/restic/files/backrest.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/restic/files/backrest.sh b/ansible/roles/restic/files/backrest.sh index 82e853f..fbba2c1 100644 --- a/ansible/roles/restic/files/backrest.sh +++ b/ansible/roles/restic/files/backrest.sh @@ -11,7 +11,7 @@ export GOGC=20 # HACK: Work around for restic's high memory usage https://githu export RESTIC_LOG_DIR="$HOME/log" export RESTIC_LOG_FILE="$RESTIC_LOG_DIR/$1-$(date -Iseconds).log" -export FORGET_OPTIONS="--keep-daily 30" +export FORGET_OPTIONS="--keep-daily 30 --group-by host" mkdir -p "$RESTIC_LOG_DIR" From 188b7c9dd69a143d9f36bccd2fe936cc92142306 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 21 Jan 2022 20:29:34 +0000 Subject: [PATCH 060/120] Install wireguard tools before provisioning config --- ansible/roles/gateway/tasks/wireguard.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ansible/roles/gateway/tasks/wireguard.yml b/ansible/roles/gateway/tasks/wireguard.yml index e69a938..5b15893 100644 --- a/ansible/roles/gateway/tasks/wireguard.yml +++ b/ansible/roles/gateway/tasks/wireguard.yml 
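Review bot: `--group-by host` in `FORGET_OPTIONS` makes `--keep-daily 30` count across every snapshot a host has made regardless of path, so if one host runs more than one backup job (the script takes a job name as `$1` for its log file) those jobs now share a single retention budget and each keeps fewer than 30 dailies. If that is the case, grouping by `host,tags` and tagging each job's snapshots (`--tag "$1"` on the backup, `--group-by host,tags` here) keeps the path-independence this commit wants without merging jobs; if every host has exactly one job the change is fine as written. The `restic forget`/`prune` invocation that consumes `FORGET_OPTIONS` is outside the hunk.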
@@ -1,3 +1,11 @@ +- name: Install wireguard tools + package: + name: "{{ item }}" + become: true + loop: + - wireguard-tools + - qrencode + - name: Wireguard server config template: src: files/wireguard-server.conf @@ -46,11 +54,3 @@ reload: true sysctl_file: /etc/sysctl.d/99-sysctl.conf become: true - -- name: Install wireguard tools - package: - name: "{{ item }}" - become: true - loop: - - wireguard-tools - - qrencode From af396a21cbdeb13dfb9d3430c718327c172ff832 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 21 Jan 2022 21:52:21 +0000 Subject: [PATCH 061/120] Provision a new `casey`on Linode --- ansible/group_vars/all/hosts.yml | 2 +- terraform/0rng.one.tf | 2 +- terraform/casey_vps.tf | 77 ++++++++++++++++++++++++++++++-- terraform/context.tf | 2 +- terraform/jakehoward.tech.tf | 22 ++++----- terraform/sys_domains.tf | 2 +- terraform/theorangeone.net.tf | 6 +-- 7 files changed, 91 insertions(+), 22 deletions(-) diff --git a/ansible/group_vars/all/hosts.yml b/ansible/group_vars/all/hosts.yml index f02d3e6..59703fa 100755 --- a/ansible/group_vars/all/hosts.yml +++ b/ansible/group_vars/all/hosts.yml @@ -1,5 +1,5 @@ "hosts": - "casey_ip": "108.61.221.88" + "casey_ip": "213.219.38.11" "decker_ip": "192.46.233.9" "grimes_ip": "104.238.172.209" "walker_ip": "192.248.168.230" diff --git a/terraform/0rng.one.tf b/terraform/0rng.one.tf index 95fb3dd..4534b96 100644 --- a/terraform/0rng.one.tf +++ b/terraform/0rng.one.tf @@ -29,7 +29,7 @@ resource "cloudflare_record" "orngone_img" { resource "cloudflare_record" "orngone_yourls" { zone_id = cloudflare_zone.orngone.id name = "@" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf index ca20147..e20cd87 100644 --- a/terraform/casey_vps.tf +++ b/terraform/casey_vps.tf 
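Review bot: The moved `Install wireguard tools` task loops `package` over two names, which runs one package-manager transaction per item; Ansible's package modules accept a list, so `name: [wireguard-tools, qrencode]` with an explicit `state: present` installs both in a single transaction and states the intent. The second hunk is the pure deletion of the same task from the end of the file, which together with the move is the right fix for the ordering problem the commit describes.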
@@ -18,8 +18,77 @@ resource "vultr_instance" "casey" { firewall_group_id = module.casey_firewall.firewall_group.id } -resource "vultr_reverse_ipv4" "casey_reverse_ipv4" { - instance_id = vultr_instance.casey.id - ip = vultr_instance.casey.main_ip - reverse = "casey.sys.theorangeone.net" +# Linode + +resource "linode_instance" "casey" { + label = "casey" + image = "linode/arch" + region = "eu-west" + type = "g6-nanode-1" + private_ip = true +} + +resource "linode_firewall" "casey" { + label = "casey" + linodes = [linode_instance.casey.id] + outbound_policy = "ACCEPT" + inbound_policy = "DROP" + + inbound { + label = "allow-ping" + action = "ACCEPT" + protocol = "ICMP" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + + inbound { + label = "allow-inbound-https" + action = "ACCEPT" + protocol = "TCP" + ports = "443" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + + inbound { + label = "allow-inbound-http" + action = "ACCEPT" + protocol = "TCP" + ports = "80" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + + inbound { + label = "allow-inbound-wireguard" + action = "ACCEPT" + protocol = "UDP" + ports = "51820" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + + inbound { + label = "allow-inbound-nebula" + action = "ACCEPT" + protocol = "UDP" + ports = "6328" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + + inbound { + label = "allow-inbound-matrix" + action = "ACCEPT" + protocol = "TCP" + ports = "8448" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } +} + +resource "linode_rdns" "casey_reverse_ipv4" { + address = linode_instance.casey.ip_address + rdns = "casey.sys.theorangeone.net" } diff --git a/terraform/context.tf b/terraform/context.tf index a5dc829..a24c446 100644 --- a/terraform/context.tf +++ b/terraform/context.tf 
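Review bot: The new `linode_firewall.casey` sets `inbound_policy = "DROP"` with no SSH rule, so the only inbound paths are HTTP/HTTPS, Matrix and the WireGuard/Nebula ports — yet those overlays are themselves configured by Ansible over SSH, so the first provisioning run presumably needs either a temporary SSH rule or the firewall attached only after bootstrap; a comment on the firewall stating how admin access is meant to reach the host (`# admin SSH only via the overlay; no public 22`) would save the next reader that question. Note also that `vultr_instance.casey` and its firewall module are left in place (only its rDNS is removed here), so the old VPS keeps running and reachable alongside the new one until a follow-up removes it; worth stating in the commit message or tracking. The Vultr resource starts before this hunk.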
@@ -1,7 +1,7 @@ resource "local_file" "hosts" { content = yamlencode({ hosts : { - casey_ip : vultr_instance.casey.main_ip, + casey_ip : linode_instance.casey.ip_address, walker_ip : vultr_instance.walker.main_ip, grimes_ip : vultr_instance.grimes.main_ip, decker_ip : linode_instance.decker.ip_address, diff --git a/terraform/jakehoward.tech.tf b/terraform/jakehoward.tech.tf index 76df96d..6f238fa 100644 --- a/terraform/jakehoward.tech.tf +++ b/terraform/jakehoward.tech.tf @@ -55,7 +55,7 @@ resource "cloudflare_record" "jakehowardtech_dkim_fm3" { resource "cloudflare_record" "jakehowardtech_wallabag" { zone_id = cloudflare_zone.jakehowardtech.id name = "wallabag" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -63,7 +63,7 @@ resource "cloudflare_record" "jakehowardtech_wallabag" { resource "cloudflare_record" "jakehowardtech_ttrss" { zone_id = cloudflare_zone.jakehowardtech.id name = "tt-rss" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -71,7 +71,7 @@ resource "cloudflare_record" "jakehowardtech_ttrss" { resource "cloudflare_record" "jakehowardtech_speed" { zone_id = cloudflare_zone.jakehowardtech.id name = "speed" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -79,7 +79,7 @@ resource "cloudflare_record" "jakehowardtech_speed" { resource "cloudflare_record" "jakehowardtech_quassel" { zone_id = cloudflare_zone.jakehowardtech.id name = "quassel" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -87,7 +87,7 @@ resource "cloudflare_record" "jakehowardtech_quassel" { resource "cloudflare_record" "jakehowardtech_media" { zone_id = cloudflare_zone.jakehowardtech.id name = "media" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } 
@@ -95,7 +95,7 @@ resource "cloudflare_record" "jakehowardtech_media" { resource "cloudflare_record" "jakehowardtech_matrix" { zone_id = cloudflare_zone.jakehowardtech.id name = "matrix" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -103,7 +103,7 @@ resource "cloudflare_record" "jakehowardtech_matrix" { resource "cloudflare_record" "jakehowardtech_intersect" { zone_id = cloudflare_zone.jakehowardtech.id name = "intersect" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -111,7 +111,7 @@ resource "cloudflare_record" "jakehowardtech_intersect" { resource "cloudflare_record" "jakehowardtech_calibre" { zone_id = cloudflare_zone.jakehowardtech.id name = "calibre" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -119,7 +119,7 @@ resource "cloudflare_record" "jakehowardtech_calibre" { resource "cloudflare_record" "jakehowardtech_homeassistant" { zone_id = cloudflare_zone.jakehowardtech.id name = "homeassistant" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -127,7 +127,7 @@ resource "cloudflare_record" "jakehowardtech_homeassistant" { resource "cloudflare_record" "jakehowardtech_grafana" { zone_id = cloudflare_zone.jakehowardtech.id name = "grafana" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -135,7 +135,7 @@ resource "cloudflare_record" "jakehowardtech_grafana" { resource "cloudflare_record" "jakehowardtech_vaultwarden" { zone_id = cloudflare_zone.jakehowardtech.id name = "vaultwarden" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } diff --git a/terraform/sys_domains.tf b/terraform/sys_domains.tf index f46c677..a251fe6 100644 --- a/terraform/sys_domains.tf +++ b/terraform/sys_domains.tf 
@@ -1,7 +1,7 @@ resource "cloudflare_record" "sys_domain_casey" { zone_id = cloudflare_zone.theorangeonenet.id name = "casey.sys" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf index 45f6597..3463679 100644 --- a/terraform/theorangeone.net.tf +++ b/terraform/theorangeone.net.tf @@ -5,7 +5,7 @@ resource "cloudflare_zone" "theorangeonenet" { resource "cloudflare_record" "theorangeonenet_git" { zone_id = cloudflare_zone.theorangeonenet.id name = "git" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -13,7 +13,7 @@ resource "cloudflare_record" "theorangeonenet_git" { resource "cloudflare_record" "theorangeonenet_whoami" { zone_id = cloudflare_zone.theorangeonenet.id name = "whoami" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } @@ -160,7 +160,7 @@ resource "cloudflare_record" "theorangeonenet_notes" { resource "cloudflare_record" "theorangeonenet_privatebin" { zone_id = cloudflare_zone.theorangeonenet.id name = "bin" - value = vultr_instance.casey.main_ip + value = linode_instance.casey.ip_address type = "A" ttl = 1 } From e8d4244946fd335c197951b82f2803bfe5c85682 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 21 Jan 2022 21:52:48 +0000 Subject: [PATCH 062/120] Restart nebula, rather than reloading it Reloading doesn't actually work it seems --- ansible/roles/nebula/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/nebula/handlers/main.yml b/ansible/roles/nebula/handlers/main.yml index 77dcdaf..092c1e5 100644 --- a/ansible/roles/nebula/handlers/main.yml +++ b/ansible/roles/nebula/handlers/main.yml @@ -1,5 +1,5 @@ - name: restart nebula service: name: nebula - state: reloaded + state: restarted become: true From 6db0500e1b92b7674dbd1709e75484c13db14f6b Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Fri, 21 Jan 2022 22:11:49 +0000 Subject: [PATCH 063/120] Provision remote f2b key with ansible --- ansible/roles/fail2ban_ssh/files/f2b_key.pub | 10 ++++++++ ansible/roles/fail2ban_ssh/tasks/main.yml | 7 ++++++ .../roles/traefik/files/fail2ban/f2b_key.key | 25 +++++++++++++++++++ .../traefik/files/fail2ban/remote-action.conf | 4 +-- ansible/roles/traefik/tasks/fail2ban.yml | 9 +++++++ 5 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/fail2ban_ssh/files/f2b_key.pub create mode 100644 ansible/roles/traefik/files/fail2ban/f2b_key.key diff --git a/ansible/roles/fail2ban_ssh/files/f2b_key.pub b/ansible/roles/fail2ban_ssh/files/f2b_key.pub new file mode 100644 index 0000000..faf3950 --- /dev/null +++ b/ansible/roles/fail2ban_ssh/files/f2b_key.pub @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +65656562376262323162613131353164623832616263313530383838623161333739393037363362 +3332616430663862363566613532396230643636376537620a356261383430643566323264343437 +39333034643632316130303136326433613333383738386531353530633539616661626664626430 +3230666237616165650a326536313835643135626135316437356363623562343538383132306539 +38366339356565393336396133616261363232356139623164623738633138363963353637353734 +33333334313864376131653535653132626366306630393764353464636331316564616230396663 +31363463643765386538643761666265383166353765633233323934663235316331346465653234 +31396139633936363738383766356135656434343338623137663436626436663866366663363534 +3364 diff --git a/ansible/roles/fail2ban_ssh/tasks/main.yml b/ansible/roles/fail2ban_ssh/tasks/main.yml index 5da9cc7..e8e9226 100644 --- a/ansible/roles/fail2ban_ssh/tasks/main.yml +++ b/ansible/roles/fail2ban_ssh/tasks/main.yml @@ -25,3 +25,10 @@ mode: 0755 become: true register: sshd_config + +- name: Set up authorized keys + ansible.posix.authorized_key: + user: "{{ f2b_user }}" + state: present + key: "{{ lookup('file', 'files/f2b_key.pub') }}" + become: true 
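Review bot: The `Set up authorized keys` task installs the fail2ban key with no options, so whoever holds `f2b_key.key` (it is copied to every host that runs the traefik fail2ban task, see the later hunk in this commit) gets an unrestricted login as `f2b` rather than only the ban/unban commands the action file issues; `ansible.posix.authorized_key` takes `key_options`, so `key_options: 'restrict,from="<overlay CIDR placeholder>"'` pins the key to the overlay network and disables pty, forwarding and agent use, and a `command=` option can lock it to the wrapper if the `f2b` user's login shell is not already a restricted one. Whether that shell is restricted is not visible in this patch. The `sshd_config` task above the added lines is context only.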
diff --git a/ansible/roles/traefik/files/fail2ban/f2b_key.key b/ansible/roles/traefik/files/fail2ban/f2b_key.key new file mode 100644 index 0000000..bb4a5d4 --- /dev/null +++ b/ansible/roles/traefik/files/fail2ban/f2b_key.key 
@@ -0,0 +1,25 @@ +$ANSIBLE_VAULT;1.1;AES256 +62333161626439326166306363343866616336646134376134326265386134343338313164653334 +3131633561363730376161323034643836333738303361320a613764383135373933636537333331 +32633335663462653361643538656533313633666666303830363533616263663135323635613235 +3738396530363130370a323338663966353333373862353964636333343436613932303765373035 +61353363633836613830346631323565326338616331353665653333383065376565626164306266 +32346133643635626632326133333933656333346336336232613536386661366537383439646632 +35323838633266633263646563323834363066336432663665616433303632646234326266653036 +35666532383261663430303764383833396336393031316361633563336538663931333736633161 +33333230343731663038626362353163663363396134303431393061333136393664643535393662 +65333561623335656635393364666135343462646237316138393637356261303634383830636462 +63336231643030643636643431616434643765373037393832613563323132383864383365316365 +35663930373938653163363436373236313162353661646531333461643463663336383332633431 +63633938306533343561646663393165353633306131336135633762306666326465306335343665 +34323261623531646566626561643465333737323562646137366235363339663163656566383266 +39326637373739623338653633633237396362633062303033366530383334353032643434623339 +38633563396432326430386638333837343733633364336536626563363932646636343333326333 +63326566663265346537633134653636636436323738396530326332656165396635316634653133 +31373137636233323563343433383837633132636434303134313431343364313735316633343732 +62663537616663356133636337373630616134363262333332303965393463643833343561386639 +62316136363661653430336566323539643239346539353535346539646138366462346634336165 +37343737656564333365346538656661343165623037613030356233626534306533303738646363 +35396566303561366333363265373733636138336533336534393262643831613836326639623633 +62313830626264323965303933393466643433373136353232383262323963613432313139303062 +34373236363635623337 
diff --git a/ansible/roles/traefik/files/fail2ban/remote-action.conf b/ansible/roles/traefik/files/fail2ban/remote-action.conf index 4a8ffe0..58a99fc 100644 --- a/ansible/roles/traefik/files/fail2ban/remote-action.conf +++ b/ansible/roles/traefik/files/fail2ban/remote-action.conf @@ -1,6 +1,6 @@ [Definition] -actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik banip -actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik unbanip +actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik banip +actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik unbanip actioncheck = actionstart = actionstop = diff --git a/ansible/roles/traefik/tasks/fail2ban.yml b/ansible/roles/traefik/tasks/fail2ban.yml index a576346..3a6b375 100644 --- a/ansible/roles/traefik/tasks/fail2ban.yml +++ b/ansible/roles/traefik/tasks/fail2ban.yml @@ -21,3 +21,12 @@ mode: 0644 become: true notify: restart fail2ban + +- name: Create SSH key + copy: + src: files/fail2ban/f2b_key.key + dest: /etc/fail2ban/f2b_key.key + owner: root + group: root + mode: "0600" + become: true From 7e6e630808ddeacce9b7e456e4398244cf8218f0 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 21 Jan 2022 22:28:13 +0000 Subject: [PATCH 064/120] Don't provision occ script on every machine It only makes sense on 1 --- .../files/docker-utils => pve_docker/files/nextcloud}/occ | 0 ansible/roles/pve_docker/tasks/nextcloud.yml | 8 ++++++++ 2 files changed, 8 insertions(+) rename ansible/roles/{docker_cleanup/files/docker-utils => pve_docker/files/nextcloud}/occ (100%) diff --git a/ansible/roles/docker_cleanup/files/docker-utils/occ b/ansible/roles/pve_docker/files/nextcloud/occ similarity index 100% rename from ansible/roles/docker_cleanup/files/docker-utils/occ rename to ansible/roles/pve_docker/files/nextcloud/occ 
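Review bot: Neither `actionban` nor `actionunban` carries an `<ip>` tag, so the remote `set traefik banip` / `unbanip` is invoked without the offending address unless the `f2b` user's login shell derives it some other way (not visible here); fail2ban substitutes only the tags that appear in the command, so the usual form is `... set traefik banip <ip>`. The key-path change itself is fine and matches the `mode: "0600"` copy task in the next hunk. Because this runs non-interactively, the remote host key also has to be pre-trusted in root's `known_hosts` or ssh fails rather than prompting; a comment pointing at where that is handled would help.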
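Review bot: The task named `Create SSH key` does not create anything — it copies a vault-encrypted private key out of the role — so `Install fail2ban SSH private key` describes it accurately and stops a reader looking for a keygen step. The `copy` module decrypts the vault source by default, which is what this relies on; a one-line comment (`# vault-encrypted in the repo; copy decrypts on the way out`) makes that explicit. Owner, group and `mode: "0600"` are right for a key read by fail2ban running as root.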
diff --git a/ansible/roles/pve_docker/tasks/nextcloud.yml b/ansible/roles/pve_docker/tasks/nextcloud.yml index e3fb593..a3e7717 100644 --- a/ansible/roles/pve_docker/tasks/nextcloud.yml +++ b/ansible/roles/pve_docker/tasks/nextcloud.yml @@ -28,6 +28,14 @@ register: config_file become: true +- name: Install occ script + template: + src: files/nextcloud/occ + dest: /opt/nextcloud/occ + mode: "0755" + owner: "{{ docker_user.name }}" + become: true + - name: restart nextcloud shell: chdir: /opt/nextcloud From 106a89d72fa1afd4c89163169af5c0b434557a04 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 22 Jan 2022 20:01:07 +0000 Subject: [PATCH 065/120] Use groups to manage sudo access rather than editing sudoers file --- ansible/roles/base/tasks/user.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ansible/roles/base/tasks/user.yml b/ansible/roles/base/tasks/user.yml index 062836f..120b1e0 100644 --- a/ansible/roles/base/tasks/user.yml +++ b/ansible/roles/base/tasks/user.yml @@ -8,7 +8,8 @@ become: true - name: Give user sudo access - lineinfile: - path: /etc/sudoers - line: "{{ user }} ALL=(ALL) ALL" + user: + name: "{{ user }}" + groups: "{{ 'sudo' if ansible_os_family == 'Debian' else 'wheel' }}" + append: true become: true From f07b5d9b7b409da2ab36e39bf73b0cc5bb36a368 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 22 Jan 2022 20:21:32 +0000 Subject: [PATCH 066/120] Migrate `include:` to `include_tasks` --- ansible/roles/base/tasks/main.yml | 10 +++++----- ansible/roles/docker_cleanup/tasks/main.yml | 2 +- ansible/roles/forrest/tasks/main.yml | 4 ++-- ansible/roles/gateway/tasks/main.yml | 6 +++--- ansible/roles/ingress/tasks/main.yml | 4 ++-- ansible/roles/pve_docker/tasks/main.yml | 16 ++++++++-------- ansible/roles/qbittorrent/tasks/main.yml | 4 ++-- ansible/roles/traefik/tasks/main.yml | 2 +- ansible/roles/zfs/tasks/main.yml | 2 +- 9 files changed, 25 insertions(+), 25 deletions(-) 
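Review bot: `Install occ script` uses `template:` for `files/nextcloud/occ`, which the diffstat shows is an unmodified rename of the old `docker-utils/occ`; unless that script contains Jinja, `copy:` is the right module, since `template` will try to evaluate any `{{`/`{%` a shell script may legitimately contain and applies Jinja's trailing-newline handling. If it does contain Jinja (not visible here), a `.j2` suffix or a move under `templates/` would make that obvious. Pairing `owner: "{{ docker_user.name }}"` with an explicit `group:` also makes the resulting ownership deliberate rather than whatever `become` leaves it with.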
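Review bot: Adding `{{ user }}` to `wheel` only grants sudo if `/etc/sudoers` actually enables the `%wheel` rule, and the Arch images this repo provisions (`linode/arch` in casey_vps.tf earlier in the series) ship, as far as I know, with that line commented out; on those hosts this change drops the explicit `{{ user }} ALL=(ALL) ALL` management without ensuring a group rule exists. A companion task that writes `/etc/sudoers.d/wheel` containing `%wheel ALL=(ALL:ALL) ALL` with `validate: /usr/sbin/visudo -cf %s` and `mode: "0440"` closes that gap on both families. Separately, hosts provisioned under the old task keep the sudoers line it added, which nothing here removes.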
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml index 5eae83b..ad3add7 100644 --- a/ansible/roles/base/tasks/main.yml +++ b/ansible/roles/base/tasks/main.yml @@ -1,14 +1,14 @@ - name: Packages - include: packages.yml + include_tasks: packages.yml - name: User - include: user.yml + include_tasks: user.yml - name: SSH - include: ssh.yml + include_tasks: ssh.yml - name: fail2ban - include: fail2ban.yml + include_tasks: fail2ban.yml - name: logrotate - include: logrotate.yml + include_tasks: logrotate.yml diff --git a/ansible/roles/docker_cleanup/tasks/main.yml b/ansible/roles/docker_cleanup/tasks/main.yml index ef8c765..356f74f 100644 --- a/ansible/roles/docker_cleanup/tasks/main.yml +++ b/ansible/roles/docker_cleanup/tasks/main.yml @@ -49,5 +49,5 @@ directory_mode: 0755 - name: override docker service for zfs dependencies - include: zfs-override.yml + include_tasks: zfs-override.yml when: docker_zfs_override diff --git a/ansible/roles/forrest/tasks/main.yml b/ansible/roles/forrest/tasks/main.yml index 14b386f..687e326 100644 --- a/ansible/roles/forrest/tasks/main.yml +++ b/ansible/roles/forrest/tasks/main.yml @@ -2,7 +2,7 @@ include_vars: vault.yml - name: Grafana - include: grafana.yml + include_tasks: grafana.yml - name: Prometheus - include: prometheus.yml + include_tasks: prometheus.yml diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml index 2231577..c77f6fb 100644 --- a/ansible/roles/gateway/tasks/main.yml +++ b/ansible/roles/gateway/tasks/main.yml @@ -1,8 +1,8 @@ - name: Configure Nginx - include: nginx.yml + include_tasks: nginx.yml - name: Configure wireguard - include: wireguard.yml + include_tasks: wireguard.yml - name: Configure fail2ban - include: fail2ban.yml + include_tasks: fail2ban.yml diff --git a/ansible/roles/ingress/tasks/main.yml b/ansible/roles/ingress/tasks/main.yml index 13d371e..3bdbc3c 100644 --- a/ansible/roles/ingress/tasks/main.yml 
+++ b/ansible/roles/ingress/tasks/main.yml @@ -1,5 +1,5 @@ - name: Configure wireguard - include: wireguard.yml + include_tasks: wireguard.yml - name: Configure nginx - include: nginx.yml + include_tasks: nginx.yml diff --git a/ansible/roles/pve_docker/tasks/main.yml b/ansible/roles/pve_docker/tasks/main.yml index ad251f3..4fd5c51 100644 --- a/ansible/roles/pve_docker/tasks/main.yml +++ b/ansible/roles/pve_docker/tasks/main.yml @@ -1,23 +1,23 @@ - name: Install calibre - include: calibre.yml + include_tasks: calibre.yml - name: Install librespeed - include: librespeed.yml + include_tasks: librespeed.yml - name: Install nextcloud - include: nextcloud.yml + include_tasks: nextcloud.yml - name: Install quassel - include: quassel.yml + include_tasks: quassel.yml - name: Install synapse - include: synapse.yml + include_tasks: synapse.yml - name: Install tt-rss - include: tt-rss.yml + include_tasks: tt-rss.yml - name: Install wallabag - include: wallabag.yml + include_tasks: wallabag.yml - name: Install whoami - include: whoami.yml + include_tasks: whoami.yml diff --git a/ansible/roles/qbittorrent/tasks/main.yml b/ansible/roles/qbittorrent/tasks/main.yml index d7faa19..060f268 100644 --- a/ansible/roles/qbittorrent/tasks/main.yml +++ b/ansible/roles/qbittorrent/tasks/main.yml @@ -1,5 +1,5 @@ - name: qbittorrent - include: qbittorrent.yml + include_tasks: qbittorrent.yml - name: nginx - include: nginx.yml + include_tasks: nginx.yml diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml index 2ff67af..7770be5 100644 --- a/ansible/roles/traefik/tasks/main.yml +++ b/ansible/roles/traefik/tasks/main.yml @@ -104,7 +104,7 @@ become: true - name: fail2ban - include: fail2ban.yml + include_tasks: fail2ban.yml when: with_fail2ban - name: Check for nginx config diff --git a/ansible/roles/zfs/tasks/main.yml b/ansible/roles/zfs/tasks/main.yml index abe0638..dfde141 100644 --- a/ansible/roles/zfs/tasks/main.yml +++ b/ansible/roles/zfs/tasks/main.yml 
@@ -22,4 +22,4 @@ become: true - name: Sanoid - include: sanoid.yml + include_tasks: sanoid.yml From a5d9463f804bdb927025ed2e154339c31d851666 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 29 Jan 2022 22:11:19 +0000 Subject: [PATCH 067/120] Ensure webdav pages is also accessible to Traefik --- ansible/roles/pages/files/docker-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/roles/pages/files/docker-compose.yml b/ansible/roles/pages/files/docker-compose.yml index 9673de3..4cda77e 100644 --- a/ansible/roles/pages/files/docker-compose.yml +++ b/ansible/roles/pages/files/docker-compose.yml @@ -9,6 +9,9 @@ services: - ./htpasswd.txt:/etc/nginx/.htpasswd:ro environment: - PUID={{ docker_user.id }} + networks: + - default + - traefik labels: - traefik.enable=true - traefik.http.routers.pages.rule=Host(`pages.theorangeone.net`) From b91072b0da84a89d22d44a09280fa421f7129524 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 29 Jan 2022 22:18:07 +0000 Subject: [PATCH 068/120] Create a pages user for user with status checks --- ansible/roles/pages/tasks/main.yml | 8 ++++++++ ansible/roles/pages/vars/main.yml | 11 +++++++++++ 2 files changed, 19 insertions(+) diff --git a/ansible/roles/pages/tasks/main.yml b/ansible/roles/pages/tasks/main.yml index 61e4d12..50b6407 100644 --- a/ansible/roles/pages/tasks/main.yml +++ b/ansible/roles/pages/tasks/main.yml @@ -40,3 +40,11 @@ password: "{{ github_user_password }}" mode: 0640 become: true + +- name: Create status user + htpasswd: + path: /opt/pages/htpasswd.txt + name: status + password: "{{ status_user_password }}" + mode: 0640 + become: true diff --git a/ansible/roles/pages/vars/main.yml b/ansible/roles/pages/vars/main.yml index 3f6be40..45ec8b3 100644 --- a/ansible/roles/pages/vars/main.yml +++ b/ansible/roles/pages/vars/main.yml 
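Review bot: `mode: 0640` in the new `Create status user` task is an unquoted octal, which YAML 1.1 loaders read as the integer 416 — numerically equal to 0640 so it happens to work, but it is the form ansible-lint flags as `risky-octal` and it is inconsistent with `mode: "0600"` used in the fail2ban key task earlier in this series; write `mode: "0640"`. The `htpasswd` task also takes the module's default `crypt_scheme` (apr_md5_crypt per the module docs); if the nginx image that reads `htpasswd.txt` supports it, `crypt_scheme: bcrypt` is the stronger choice for a credential checked on every status probe. The preceding GitHub-user task with the same shape is context above the hunk.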
@@ -20,4 +20,15 @@ github_user_password: !vault | 38343763363363623334313735346230373135626337343437633833633230376466396663363233 32303562653733653334316439663230353031656132363661383166656639396235353838396535 31636364366363316339386131333530626462633765393033393666343763303366 +status_user_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38383638393932323735303533393663386130653438353532383330346563353538333235643439 + 3030663365636138626432313832653265326436326261380a353331356636633231366337363163 + 32386431643665393263313332316439633562623738396565643364643165303865616636323531 + 6637343239346465360a626562373534396330643830393332306138633961663561323539363639 + 65613432383964386130393064663834613735656132303331353631623135393963333239356662 + 62653764616264663761333461393734303439363538353333613237333536366637366538353539 + 37613238343339346533386231336231663430316637323835666534646365376138653563653432 + 65373232623736396230326139653162353065326664653733623033613734643032643336663063 + 30616339326564383031633566653834656631376361663136343161393334303036 traefik_pages_password: "{{ vault_traefik_pages_password }}" From 5df4a2c79afde0cbec190b9a3eddf7f12cecb2ea Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Sun, 30 Jan 2022 20:52:00 +0000 Subject: [PATCH 069/120] Rotate nebula keys Turns out they expired last night... --- ansible/roles/nebula/files/ca.crt | 34 ++++++++--------- ansible/roles/nebula/files/certs/casey.crt | 38 +++++++++---------- ansible/roles/nebula/files/certs/casey.key | 20 +++++----- ansible/roles/nebula/files/certs/decker.crt | 38 +++++++++---------- ansible/roles/nebula/files/certs/decker.key | 20 +++++----- ansible/roles/nebula/files/certs/grimes.crt | 38 +++++++++---------- ansible/roles/nebula/files/certs/grimes.key | 20 +++++----- ansible/roles/nebula/files/certs/ingress.crt | 40 ++++++++++---------- ansible/roles/nebula/files/certs/ingress.key | 20 +++++----- ansible/roles/nebula/files/certs/walker.crt | 38 +++++++++---------- ansible/roles/nebula/files/certs/walker.key | 20 +++++----- 11 files changed, 163 insertions(+), 163 deletions(-) diff --git a/ansible/roles/nebula/files/ca.crt b/ansible/roles/nebula/files/ca.crt index 94366cb..195802e 100644 --- a/ansible/roles/nebula/files/ca.crt +++ b/ansible/roles/nebula/files/ca.crt @@ -1,18 +1,18 @@ $ANSIBLE_VAULT;1.1;AES256 -64383034666438336663396339636630323434633037373635386466633163396435336230303736 -3562386239313435373566373161343932306333356365610a363238356132363465626139643233 -32343862303066386533303536336335333034326564343030366435643765643032336635646437 -3131653964356437310a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a353034373561653238643039373766 +37316638363166303162373739393934653936373639323038663639656138313035666132646136 +6339386166383137320a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diff --git a/ansible/roles/nebula/files/certs/casey.crt b/ansible/roles/nebula/files/certs/casey.crt index 5b9f547..798fbbb 100644 --- a/ansible/roles/nebula/files/certs/casey.crt +++ b/ansible/roles/nebula/files/certs/casey.crt 
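Review bot: Nothing in the rotated CA or host certificates records when the new set expires, and the commit message says the previous set lapsed unnoticed; keep a plain-text note of the new validity end beside these files (a `nebula_cert_expiry: "<date placeholder>"` var or a comment in the nebula vars) and add a scheduled check — `nebula-cert print -path <cert>` shows the validity window — feeding the existing monitoring so the next rotation is scheduled rather than discovered after an outage. The per-host key and cert hunks that follow carry the same opaque vault content and need no separate change.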
@@ -1,20 +1,20 @@ $ANSIBLE_VAULT;1.1;AES256 -64613133383265373737643031303930643035303131303331313864306332323231616534663731 -6332326533376638613331386665346166366632376465610a326635366539313466346663336361 -30366163666530626132373633653732333930306236383934353730336334653366316533333532 -6462326439306639330a633333373363613339303635373235643961346630373261316365336666 -63643135366363376666313839656537383265636330323238323738356634343933376334383866 -66346338316166303332636663396365363339386462356666303038353062633839333339633633 -66303265666464313737346431313463393265616134346138623763343261646334313061396364 -34646663633538343965653464343933633062343633643064326463653932383739326430656433 -62316337626135653534613035363235343135333435646264613664386236623632306465376266 -31306666656463333561373232343061393034356336393339386135306364363533643965613361 -34613939653765646263353863633462623434393961396335303735336433653866373534313130 -64366632313764633636353265383332303561343435333135656230656336316235353734363265 -63373033613161303736373065323565336638386537656235333639303262383437643739333762 -31323636373239623838303834353130623038633933306238333632323533303731353539383465 -34366464366161626163363163323365333932396231333930336132313563323062626334313930 -64373562366164613964613534306161366531643530343331313538383461666537306639663965 -62343036386166323036653266343362323961613432336466313731333561636234386662333264 -64393463303336643231616531393365383632303030616337336234393137393939333130633339 -333837383764333662313933666132383837 +63636434323163343761373034626236333037376261336634366531393035356435653037326238 +3839323731623165633234613132376534646266373466310a356635313261333263366632336664 +39326533333462373831663132633733666136623938313164313265326637333332616463386363 +6634333536313132310a613766363630313933343365333633333663613035313362343437383534 +32636433613365643633643536633862376231316135376437333835353164613839323562333430 
+39323331353639333539356165616661663262386363386239346664643364653137633332626661 +35393332653530373162666365326135663633663265313634643135373562663763376530623038 +63343231333933616237666465306461663634363261656237383236383663336235363161623265 +30343366643637326135356636626564343436396635613566393636643264333933656265346333 +61363335303737666238393665633265393835633838636561393534343437366639636361373761 +34366334366236373633613037346463373632323265343034343335333436373733613465663464 +65643863303037643338366537336562613232313331323366663835316437376535623635383463 +38386539353834383236663766393563393063333233623661303335396534353166316230396566 +34393034333864346534383665616666633836376439646632303566613633376138313961636637 +37313635393739656161313466633231396539393666663635623034613765393438633735636666 +33326635373966353633356166313138656462373962663666653961366438383936626338663439 +36643039613061646531366462623064623837666633326532663232616139623737343732346130 +64646337356266353261363438326237313833323765663336346635353236396638376530663033 +306365363634643665646230366332653632 diff --git a/ansible/roles/nebula/files/certs/casey.key b/ansible/roles/nebula/files/certs/casey.key index 04ceb94..fa8b5d4 100644 --- a/ansible/roles/nebula/files/certs/casey.key +++ b/ansible/roles/nebula/files/certs/casey.key 
@@ -1,11 +1,11 @@ $ANSIBLE_VAULT;1.1;AES256 -31386138633139343335346361323831306435383234653738613139376138393138383964633031 -3337346361396334636433393538666433666136353337360a376435363861393333666438383765 -35383334303931383331303161303738636437303135623833356462393766633262666433316232 -6631356631383164620a383265376365643032623835346238353130356463383139623436303935 -32636463613164613533313633333838396531303431393938393163633566363433613630303435 -36633138366362623636653565343637633338306534393236643030653532623563613834633538 -31663565626138376231643537306362336334336334353662633166653630366438633636633765 -33636362333630653064326165336334396538653332323332656634656361613335373939636264 -64356163336138316235626331373637316661363233366535356532323539653166303234346162 -3062666234396362623664626535326534376535346233376232 +31646561316237653338613966616162363239323863393862376136623639613730633339396230 +3830343834383934333236633462663734366432666331620a393739313230656636653432646532 +65386466633832623663386131393866666664303439613738303933656239393761653263386466 +3561656162343632350a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diff --git a/ansible/roles/nebula/files/certs/decker.crt b/ansible/roles/nebula/files/certs/decker.crt index f8baec6..56fc937 100644 --- a/ansible/roles/nebula/files/certs/decker.crt +++ b/ansible/roles/nebula/files/certs/decker.crt 
@@ -1,20 +1,20 @@ $ANSIBLE_VAULT;1.1;AES256 -66313365626166623139343638363632626563616434626336313637376537333165303363353932 -6434393565666434643433316436323338653965653064630a663063393863306131363666326135 -30333435633430383133373831326662613136313736353032643563383165396239653866393534 -3366626536373065640a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a356462363864396134376338363936 +36646437363265306131643131353033613939363235643965333331633231653231366236393961 +6433386362653437650a323733353361343130306533623662323536653265306361393265393732 +39663236343530643835373132653664663661313731393433306635396639653635356531313365 +35656435353032333639366534386530363637643365356332663864323161383531316561376436 +62633036636432336434383461396564323536376238646161386562366338383734343462646631 +63636330393639303566376131643761613132346462366237623062383737663838393833383964 +30396661373738343536363831303939393738363866396364303236616262376337366637303632 +65393139623064613166353235343963653364333365323966373837373435303565343335356334 +66613963393339363638643931376434623333386133336638363336353334313835313961626235 +34306364393233663062636639396164303963303433353538386335383432376535383735646436 +65656436373234323936653263396363316432666666343536303537383032656462353761363464 +32396464646532356663346234623939656138343233353932333165623237353132633264333035 +64373134623863306564633738313233363835623733313766383761386230383033383232616137 +31363430303763656662363666646533316262646530306632613733363566366461666133623638 +64333330306637613730633733666561616331663463623739336263636637316463323061383735 +32323666383633656363643633386139613666366565356431393134356233343038663061353064 +303334396630656532363137383034323763 diff --git a/ansible/roles/nebula/files/certs/decker.key b/ansible/roles/nebula/files/certs/decker.key index d2e8b7c..15fadfd 100644 --- a/ansible/roles/nebula/files/certs/decker.key +++ b/ansible/roles/nebula/files/certs/decker.key 
@@ -1,11 +1,11 @@ $ANSIBLE_VAULT;1.1;AES256 -31626534383936313834333334346434626464656166323664616562663831623630313237663864 -3437303465383439376538623466613330326236356637350a353034613434653965633165363831 -32613766336338396434306339353530363139626236326436333835363933373732663935333163 -3233643931303535650a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a323933393234653565623633643065 +30643236313165396637326533343864336235393634663765626638623561303062343865323730 +3766373635363739620a366531363234393034613761303838373264383138303031313739393962 +63316132636264316334366661303830343961313561613038326134386134613565666336383065 +32626138356661343366643137363735306466333933306539633063663134616165363062303366 +39326133393439633330393762373637396465633337383861376138336362343365303065326431 +33613365303464633163646130336139306430346431313465323930653164323931656432386438 +33376165656635663335353263376635333262616263376132326362393434383830313434626237 +6664653033366130313861326163623532353363633364626433 diff --git a/ansible/roles/nebula/files/certs/grimes.crt b/ansible/roles/nebula/files/certs/grimes.crt index a5e1e5c..3205fc3 100644 --- a/ansible/roles/nebula/files/certs/grimes.crt +++ b/ansible/roles/nebula/files/certs/grimes.crt 
@@ -1,20 +1,20 @@ $ANSIBLE_VAULT;1.1;AES256 -61626636613635336231376431613661653133633662636237643136633439326535666262663739 -3764623865653936313661393265616434386432336165340a636430376232653032313030636531 -64303835653862663531353661336233303533626666383735316437336436346564306439366533 -3230353533633038340a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a396638363534643461373531363461 +32313433383466646630396661373430353238336365303234626636306338353764623534323738 +6362373163626433660a623134343362623838363034393934323131373531616363643439336437 +32343332313936623334626434643535363361346464653634366664363964386530376261663962 +61353031313937643130333836366366656432633036383730386364343566353031653164613630 +30343062383864613833333361353566313862316436313161303364656566353765643439323162 +65663534663137383033633666396163663739326130616536386263356465303062643366666331 +30353333643632306466653935626430373437613263333563656331383936623834643839303937 +34373537613165383137653431333562323233323563353362613430616332363265656335613361 +32376333393261336333616634356161656134636533636363313261613261613539353937373462 +32373166643739363034356436323630626431363335303366373566373939356332303563383839 +35303464623133666430333265633638383266343765356565626361376164323830653265333663 +38613762326432336635373933396138616566376330316534646236663833366139323064366632 +31316461316430633865613666363439343735663466383162326539353561366436663765623565 +34326539376437613130396462653431383335326661653938623636393634613434646333343132 +34363239303163306130633037653539306162353930393265313238366437323334636131333066 +34383463303136386436663138653962623238663038623938383364363931666134626161663265 +646366313463663161653337333634353035 diff --git a/ansible/roles/nebula/files/certs/grimes.key b/ansible/roles/nebula/files/certs/grimes.key index 8eb52f5..cd694bf 100644 --- a/ansible/roles/nebula/files/certs/grimes.key +++ b/ansible/roles/nebula/files/certs/grimes.key 
@@ -1,11 +1,11 @@ $ANSIBLE_VAULT;1.1;AES256 -63383863316433356463343636613030353935363566663764623132306132343338666231326537 -3366366462663730383864333536373335336139326336350a653163353432396438313132306537 -66623438633864633866653234303462616238653665336138346264313736623631366261666530 -3364303135313435630a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a383130386634363132353034326535 +35643939393230343662646135363531376162373636363438353461363031643465643435363764 +6435333432616434660a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diff --git a/ansible/roles/nebula/files/certs/ingress.crt b/ansible/roles/nebula/files/certs/ingress.crt index 8284d36..bb5a9d7 100644 --- a/ansible/roles/nebula/files/certs/ingress.crt +++ b/ansible/roles/nebula/files/certs/ingress.crt @@ -1,21 +1,21 @@ $ANSIBLE_VAULT;1.1;AES256 -33613132393536346238646436336337333631646337353863653235313463663238393731313438 -6630633261383936623762313834333233653036376663620a336338333734616561623734653737 -63313162393834333636313763643832643861643635633534343364643436646166363337353135 -6661386263333064640a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a306631376131363635326337333234 +34373262383861626564383834306462306633376332353630666265303766333731613839333231 +6666343965353866320a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diff --git a/ansible/roles/nebula/files/certs/ingress.key b/ansible/roles/nebula/files/certs/ingress.key index cdccb2a..c5c72c6 100644 --- a/ansible/roles/nebula/files/certs/ingress.key +++ b/ansible/roles/nebula/files/certs/ingress.key 
@@ -1,11 +1,11 @@ $ANSIBLE_VAULT;1.1;AES256 -64383037313331303138303765616563663233333366613162363534626131653635626639343437 -3134643661613762373363616435366335303838623061640a303031326164616563623632653037 -35636633653731616533373862663839646462383830616634656630376231343639643434366437 -3933353135646430320a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a373638663731656435646438646134 +38663334363137666530653934356337326264356664343633623432613265643139353464666136 +6236383631366130310a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diff --git a/ansible/roles/nebula/files/certs/walker.crt b/ansible/roles/nebula/files/certs/walker.crt index 1280c5c..d3938f6 100644 --- a/ansible/roles/nebula/files/certs/walker.crt +++ b/ansible/roles/nebula/files/certs/walker.crt 
@@ -1,20 +1,20 @@ $ANSIBLE_VAULT;1.1;AES256 -62613030333861376363373831343030363236303265346261613565656661623166343462383564 -6536656631633963623166653235396634313432623036370a303865633866346331316461643930 -33633739366434353037333931653265623236373465383137306139633635633531643538383339 -3263313561333038650a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a316438383266306538303836636138 +39643434323831303337336230623463633138633436386539363531626633633364663031376131 +3162363530393734380a303162386436396338383864333439313365383665666361313666373538 +35666262616466663061383463653361303230653036643033376434303236656638343134316262 +31303663396231623065316261353938613934303934613331393836663061653731316163663230 +39653337373230386337383665303638346136353031373931616166663437313431353832633239 +62343063323765636466353031353930636132373263306631616365623332646639333265653235 +61636237326561613364303538323861393061303839383532323136306134633437363731616464 +32633538376130613164646264666332303762386436383566663563346536663935323165323939 +65666333363163373165316633383430653066663938303562613739303835316661623437613863 +32383330336261356364353163666432353130343564366333626336306332643936623166386261 +35656431366431663830336631346164333362376262663365623635376161373864303831306462 +61326462343039376363663139636638663239306362353232366166623030376464336634643130 +65373532393034623730663431373763636261393035346639653137383235633265386365613063 +37303435363136613365633139316133386332373665626566346161343665626365656639346661 +30396133366566306238303564633662306561303830613937666264303731666230356633373662 +33656133323364313461353562373337356232666536643633336663326334353231613336646461 +376435366338383534623436353434623334 diff --git a/ansible/roles/nebula/files/certs/walker.key b/ansible/roles/nebula/files/certs/walker.key index 9a31ba5..33a151a 100644 --- a/ansible/roles/nebula/files/certs/walker.key +++ b/ansible/roles/nebula/files/certs/walker.key 
@@ -1,11 +1,11 @@ $ANSIBLE_VAULT;1.1;AES256 -33383339366463623838653336343938633539353939326561663761663331363465383830633030 -6432366561666130393363366339313162653733346337630a356535396562333364363165323736 -36363335313530663331383266663536646236386439323465336163343462663963626464373737 -3831666265643432640a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a666239663139353063623436633038 +38613062393337373232343338626334353033633738306138373464313739323334373637366334 +3335623465633164310a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rom 151c5bc1d99bf0700ed815f88dfc3ad4b57ed7e0 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 30 Jan 2022 20:59:33 +0000 Subject: [PATCH 070/120] Decommission casey instance in vultr The end of an era, my oldest server. --- terraform/casey_vps.tf | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf index e20cd87..93adae2 100644 --- a/terraform/casey_vps.tf +++ b/terraform/casey_vps.tf @@ -1,25 +1,3 @@ -module "casey_firewall" { - source = "./vultr_firewall/" - - description = "casey" - ports = [ - "80/tcp", - "443/tcp", - "51820/udp", - "8448/tcp", - "6328/udp" - ] -} - -resource "vultr_instance" "casey" { - plan = "" # On a plan unsupported by API - region = "lhr" - hostname = "casey" - firewall_group_id = module.casey_firewall.firewall_group.id -} - -# Linode - resource "linode_instance" "casey" { label = "casey" image = "linode/arch" From af0eb65ccee3cd022a773b62675f4fc0b934eb1b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 8 Feb 2022 08:55:41 +0000 Subject: [PATCH 071/120] Update synapse to 1.51 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 362fc60..54a5653 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml 
+++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.49.0 + image: matrixdotorg/synapse:v1.51.0 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From 4562b60517867cc5e7a2587968ce37bf360ee761 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 8 Feb 2022 08:55:50 +0000 Subject: [PATCH 072/120] Update Traefik to 2.6 --- ansible/roles/traefik/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/traefik/files/docker-compose.yml b/ansible/roles/traefik/files/docker-compose.yml index 2786a7a..f357f29 100644 --- a/ansible/roles/traefik/files/docker-compose.yml +++ b/ansible/roles/traefik/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: traefik: - image: traefik:v2.5 + image: traefik:v2.6 user: "{{ docker_user.id }}" environment: - CF_DNS_API_TOKEN={{ cloudflare_api_token }} From a075b8f2524254080102fea8589b5db184665a98 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 8 Feb 2022 08:56:28 +0000 Subject: [PATCH 073/120] Update Vaultwarden to 1.24 --- ansible/roles/vaultwarden/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml index 3ac27e2..f7531fe 100644 --- a/ansible/roles/vaultwarden/files/docker-compose.yml +++ b/ansible/roles/vaultwarden/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: vaultwarden: - image: vaultwarden/server:1.23.1-alpine + image: vaultwarden/server:1.24.0-alpine restart: unless-stopped user: "{{ docker_user.id }}:{{ docker_user.id }}" volumes: From 722b964bc904a995dd420e95c76a8b8b3ac20c5d Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Sun, 13 Feb 2022 16:43:09 +0000 Subject: [PATCH 074/120] Add Google Search Console integration to Plausible --- .../roles/plausible/files/docker-compose.yml | 2 + ansible/roles/plausible/vars/main.yml | 2 + ansible/roles/plausible/vars/vault.yml | 40 ++++++++++++------- terraform/theorangeone.net.tf | 10 ++++- 4 files changed, 38 insertions(+), 16 deletions(-) diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml index e992103..0dee2bf 100644 --- a/ansible/roles/plausible/files/docker-compose.yml +++ b/ansible/roles/plausible/files/docker-compose.yml @@ -32,6 +32,8 @@ services: - DISABLE_SUBSCRIPTION=true - CLICKHOUSE_DATABASE_URL=http://clickhouse:8123/plausible - BASE_URL=https://elbisualp.theorangeone.net + - GOOGLE_CLIENT_ID={{ plausible_google_client_id }} + - GOOGLE_CLIENT_SECRET={{ plausible_google_client_secret }} clickhouse: image: clickhouse/clickhouse-server:21.12-alpine diff --git a/ansible/roles/plausible/vars/main.yml b/ansible/roles/plausible/vars/main.yml index aff74af..34c080a 100644 --- a/ansible/roles/plausible/vars/main.yml +++ b/ansible/roles/plausible/vars/main.yml @@ -1,2 +1,4 @@ plausible_secret_key: "{{ vault_plausible_secret_key }}" plausible_signing_salt: "{{ vault_plausible_signing_salt }}" +plausible_google_client_id: "{{ vault_plausible_google_client_id }}" +plausible_google_client_secret: "{{ vault_plausible_google_client_secret }}" diff --git a/ansible/roles/plausible/vars/vault.yml b/ansible/roles/plausible/vars/vault.yml index caf934d..6f76661 100644 --- a/ansible/roles/plausible/vars/vault.yml +++ b/ansible/roles/plausible/vars/vault.yml 
@@ -1,16 +1,26 @@ $ANSIBLE_VAULT;1.1;AES256 -31656261333332323730306162626265323432313264663230303264623662353065393362616635 -6131376236383233646366663264653663363930653937650a373264623632633130626330343264 -66633064303765323666323162376262636461626563626134613230326635616636386463393931 -6633373864666139310a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a636234363832343430353262653464 +64653131376639306163343235633565393635393231643230396463363563646265356535313839 +3931313064666630640a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diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf index 3463679..aded068 100644 --- a/terraform/theorangeone.net.tf +++ b/terraform/theorangeone.net.tf @@ -36,7 +36,7 @@ resource "cloudflare_record" "theorangeonenet_mx2" { ttl = 1 } -resource "cloudflare_record" "theorangeonenet_txt" { +resource "cloudflare_record" "theorangeonenet_spf" { zone_id = cloudflare_zone.theorangeonenet.id name = "@" value = "v=spf1 include:spf.messagingengine.com ~all" @@ -188,3 +188,11 @@ resource "cloudflare_record" "theorangeonenet_status" { type = "A" ttl = 1 } + +resource "cloudflare_record" "theorangeonenet_google_site_verification" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "@" + value = "google-site-verification=IXY4iSBN_vOcM3cp_f-BgVvEI_shz1GzXuY_8dqY61o" + type = "TXT" + ttl = 1 +} From 6b63c2685b5719b344bce4197035d7eea0b1fe28 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 13 Feb 2022 20:54:46 +0000 Subject: [PATCH 075/120] Add an additional domain for matrix I'll migrate over to this eventually. But doing a hard migration has just wasted my entire evening... --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 4 ++-- terraform/theorangeone.net.tf | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 54a5653..49f0bc7 100644 
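Review bot: Renaming `theorangeonenet_txt` to `theorangeonenet_spf` in the `@@ -36,7 +36,7 @@` hunk changes the resource address, so the next apply will destroy the old SPF record and create a new one rather than keep it, leaving the zone briefly without SPF and mail from it unauthenticated in the meantime. If the Terraform in use is 1.1 or newer, a `moved` block with `from = cloudflare_record.theorangeonenet_txt` and `to = cloudflare_record.theorangeonenet_spf` keeps the state address in step with the rename without touching the record; on older versions `terraform state mv` before the apply does the same. The second hunk's site-verification TXT record is a plain addition and needs nothing further.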
--- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -17,7 +17,7 @@ services: - db labels: - traefik.enable=true - - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) + - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) || Host(`matrix.theorangeone.net`) networks: - default - traefik @@ -43,7 +43,7 @@ services: restart: unless-stopped labels: - traefik.enable=true - - traefik.http.routers.synapse-admin.rule=Host(`matrix.jakehoward.tech`) && PathPrefix(`/admin`) + - traefik.http.routers.synapse-admin.rule=Host(`matrix.theorangeone.net`) && PathPrefix(`/admin`) - traefik.http.middlewares.synapse-admin-path.stripprefix.prefixes=/admin - traefik.http.routers.synapse-admin.middlewares=synapse-admin-path@docker networks: diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf index aded068..4a386b4 100644 --- a/terraform/theorangeone.net.tf +++ b/terraform/theorangeone.net.tf @@ -101,6 +101,14 @@ resource "cloudflare_record" "theorangeonenet_img" { ttl = 1 } +resource "cloudflare_record" "theorangeonenet_matrix" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "matrix" + value = linode_instance.casey.ip_address + type = "A" + ttl = 1 +} + resource "cloudflare_record" "theorangeonenet_dl" { zone_id = cloudflare_zone.theorangeonenet.id name = "dl" From c34b9e48f4dd65ba0b0d907649a051ae45c8e3f6 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 14 Feb 2022 09:09:28 +0000 Subject: [PATCH 076/120] Add support for building docker containers on CI This is easier than dind --- ansible/roles/gitlab_runner/files/config.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/gitlab_runner/files/config.toml b/ansible/roles/gitlab_runner/files/config.toml index 18c5cea..4c53989 100644 --- a/ansible/roles/gitlab_runner/files/config.toml +++ b/ansible/roles/gitlab_runner/files/config.toml 
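Review bot: The `synapse` router rule is now longer than the `synapse-admin` rule, and Traefik v2 uses rule length as a router's default priority, so `matrix.theorangeone.net/admin` is likely to be captured by the `synapse` router and never reach synapse-admin (before this change the admin rule was the longer of the two and won). An explicit priority on the admin router, `- traefik.http.routers.synapse-admin.priority=100`, restores the intended precedence regardless of rule length. Separately, the admin router now answers only on the new domain while the main router answers on both; if that split is deliberate, a short comment on the label saying so would spare the next reader the question.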
@@ -14,7 +14,7 @@ check_interval = 10 [runners.docker] image = "alpine" - privileged = false + privileged = true disable_cache = false - volumes = ["/cache"] + volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock:ro"] pull_policy = "if-not-present" From 7a05e154a6efa3eb61cc0182a3f6516f98908d43 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 21 Feb 2022 21:50:07 +0000 Subject: [PATCH 077/120] Update uptime-kuma --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index 198c6d4..62415cc 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.11.3-alpine + image: louislam/uptime-kuma:1.11.4-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From 7ad6e81981f1db94fdee0c9ee192b07bd8fc325d Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 21 Feb 2022 21:50:18 +0000 Subject: [PATCH 078/120] Update nextcloud to 23.0.2 --- ansible/roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index 32ea086..97cbc2f 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: nextcloud: - image: lscr.io/linuxserver/nextcloud:version-23.0.0 + image: lscr.io/linuxserver/nextcloud:version-23.0.2 environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} From 997fb0e600d91ff0aba8854183e8653c6ee406e2 Mon Sep 17 00:00:00 2001 
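Review bot: The `:ro` on the `/var/run/docker.sock` mount only makes the socket file read-only; it does not limit what a job can request from the daemon over that socket, so every CI job this runner executes gets the same control over the host's Docker daemon that root on the host has. Setting `privileged = true` in the same hunk widens that further and is not needed for the socket-bind approach — privileged mode is what dind required, which the commit message says this replaces — so `privileged = false` can stay as it was. With the socket mounted, the runner should be restricted to trusted projects and protected branches on the GitLab side, and the config deserves a comment making the trust assumption visible, e.g. `# socket mount gives jobs host-level docker control; keep this runner limited to trusted projects`.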
From: Jake Howard Date: Mon, 21 Feb 2022 21:50:30 +0000 Subject: [PATCH 079/120] Update synapse to 1.52 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 49f0bc7..374fd97 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.51.0 + image: matrixdotorg/synapse:v1.52.0 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From 47b5a2fbd3ce080c7836ffdaf21e3411c75ce96b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 21 Feb 2022 21:53:22 +0000 Subject: [PATCH 080/120] Add renovate config --- renovate.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..00a4f65 --- /dev/null +++ b/renovate.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base" + ], + "prHourlyLimit": 0 +} From 293aed0fd3200ad54461e71423699dedac716b0c Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 25 Feb 2022 21:48:13 +0000 Subject: [PATCH 081/120] Enable GitLab registry --- ansible/roles/gitlab/files/gitlab.rb | 15 ++++++++++ ansible/roles/gitlab/vars/main.yml | 2 ++ ansible/roles/gitlab/vars/vault.yml | 28 +++++++++++-------- .../traefik/files/file-provider-gitlab.yml | 3 ++ terraform/theorangeone.net.tf | 8 ++++++ 5 files changed, 45 insertions(+), 11 deletions(-) diff --git a/ansible/roles/gitlab/files/gitlab.rb b/ansible/roles/gitlab/files/gitlab.rb index d39cc04..610529f 100644 --- a/ansible/roles/gitlab/files/gitlab.rb +++ b/ansible/roles/gitlab/files/gitlab.rb 
@@ -36,3 +36,18 @@ gitlab_rails['gitlab_email_from'] = "{{ gitlab_from_email }}" gitlab_rails['artifacts_path'] = "/mnt/gitlab-bulk/artifacts" gitlab_rails['backup_path'] = "/mnt/gitlab-bulk/backups" + +# Registry +registry_external_url "https://registry.git.theorangeone.net" +registry_nginx['redirect_http_to_https'] = false +registry_nginx['ssl_certificate'] = "/etc/ssl/certs/ssl-cert-snakeoil.pem" +registry_nginx['ssl_certificate_key'] = "/etc/ssl/private/ssl-cert-snakeoil.key" +registry['storage'] = { + 's3' => { + 'accesskey' => '{{ gitlab_registry_access_key }}', + 'secretkey' => '{{ gitlab_registry_secret_key }}', + 'bucket' => '0rng-registry', + 'region' => 'eu-central-003', + 'regionendpoint' => 'https://s3.eu-central-003.backblazeb2.com' + } +} diff --git a/ansible/roles/gitlab/vars/main.yml b/ansible/roles/gitlab/vars/main.yml index 4881f08..69a3108 100644 --- a/ansible/roles/gitlab/vars/main.yml +++ b/ansible/roles/gitlab/vars/main.yml @@ -3,3 +3,5 @@ gitlab_create_self_signed_cert: false gitlab_smtp_password: "{{ vault_gitlab_smtp_password }}" gitlab_smtp_user: "{{ vault_gitlab_smtp_user }}" gitlab_from_email: "{{ vault_gitlab_from_email }}" +gitlab_registry_access_key: "{{ vault_gitlab_registry_access_key }}" +gitlab_registry_secret_key: "{{ vault_gitlab_registry_secret_key }}" diff --git a/ansible/roles/gitlab/vars/vault.yml b/ansible/roles/gitlab/vars/vault.yml index 3a7e5a2..e5321d5 100644 --- a/ansible/roles/gitlab/vars/vault.yml +++ b/ansible/roles/gitlab/vars/vault.yml 
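Review bot: The S3 `accesskey`/`secretkey` are interpolated straight into `gitlab.rb`, so the rendered file holds the Backblaze credentials in plain text; the Ansible task that templates it (outside this hunk) should set a restrictive mode such as 0600, root-owned, and it is worth confirming that the B2 application key is scoped to the `0rng-registry` bucket rather than the whole account, since a leaked registry-storage key would otherwise reach every other bucket. A comment above the block, `# B2 key must be bucket-scoped to 0rng-registry; rendered file contains it in clear`, records both expectations where the next editor will see them.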
@@ -1,12 +1,18 @@ $ANSIBLE_VAULT;1.1;AES256 -61366238363431353336613362396330363337633339363735383438383939353532376539316263 -6133383136353261386239303730633431653434343636350a353339393932396634656164333035 -65353136333962366334396139316264646666353964643332313933346132303066323231626433 -3761333362396231650a373935363763343831626431633930336337393037633933346339366135 -34653062663737313833623731343462303935376131343061643632336366656636356439653534 -39373430626466353333646638363936383932373161376135376239383231633665303439393939 -62336361643336616634376562613963636461356265303834313162643261323433393965613762 -31663133383163346434343662613965306234306563343565663362386563633664623538343363 -63333965623262653735386563393162386532643362626562643539356339363131396430633030 -31383361396265366237613635323839633562663264666638323531373933363733303839656564 -626432386162306638356434616465396265 +32363562323531613830333735616464333836386638373166633935383663646462323337633533 +6334646537616133366436343335623333626663663732620a653038383139326565336139656135 +39393334373164316334376262353030343732333531346434666336393631363833653262636337 +6139343461613930620a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diff --git a/ansible/roles/traefik/files/file-provider-gitlab.yml b/ansible/roles/traefik/files/file-provider-gitlab.yml index 130f06f..38f36fc 100644 --- a/ansible/roles/traefik/files/file-provider-gitlab.yml +++ b/ansible/roles/traefik/files/file-provider-gitlab.yml @@ -3,6 +3,9 @@ http: router-gitlab: rule: Host(`git.theorangeone.net`) service: service-gitlab + router-gitlab-registry: + rule: Host(`registry.git.theorangeone.net`) + service: service-gitlab services: service-gitlab: loadBalancer: diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf index 4a386b4..6cfdaba 100644 --- a/terraform/theorangeone.net.tf +++ b/terraform/theorangeone.net.tf 
@@ -10,6 +10,14 @@ resource "cloudflare_record" "theorangeonenet_git" { ttl = 1 } +resource "cloudflare_record" "theorangeonenet_git_registry" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "registry.git" + value = cloudflare_record.theorangeonenet_git.hostname + type = "CNAME" + ttl = 1 +} + resource "cloudflare_record" "theorangeonenet_whoami" { zone_id = cloudflare_zone.theorangeonenet.id name = "whoami" From 271516192988c07d12d3ab5d4f6a8afe4509309a Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 3 Mar 2022 20:29:53 +0000 Subject: [PATCH 082/120] Make sure SSH port is exposed on `grimes` This is needed for dokku deployments --- terraform/grimes_vps.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/grimes_vps.tf b/terraform/grimes_vps.tf index aedbf3f..73b8a17 100644 --- a/terraform/grimes_vps.tf +++ b/terraform/grimes_vps.tf @@ -5,6 +5,7 @@ module "grimes_firewall" { ports = [ "80/tcp", "443/tcp", + "7743/tcp", ] } From 3ad719a4e7d2226f7a405b17991a1298e673599b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 3 Mar 2022 21:50:24 +0000 Subject: [PATCH 083/120] Init a k8s May god have mercy on my ~soul~. The firewall config may not be valid, due to node recycling, but here's hoping! --- terraform/the-ring.tf | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 terraform/the-ring.tf diff --git a/terraform/the-ring.tf b/terraform/the-ring.tf new file mode 100644 index 0000000..e3e4015 --- /dev/null +++ b/terraform/the-ring.tf 
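Review bot: `7743/tcp` is added to the `grimes_firewall` ports list, which — if the `vultr_firewall` module opens listed ports to any source, as its other entries suggest — exposes the SSH port to the entire internet for the sake of dokku pushes. If the deploying clients come from known addresses or from the nebula overlay, restricting the rule's source (or reaching SSH over the overlay instead) keeps the port off the public surface. At minimum a comment on the line, `"7743/tcp", # SSH (non-standard port) for dokku git pushes`, records why it is open, since the commit message is currently the only place that says so; the module's rule shape is outside this hunk, so the any-source part is inferred.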
@@ -0,0 +1,28 @@ +resource "linode_lke_cluster" "the-ring" { + label = "the-ring" + k8s_version = "1.22" + region = "eu-west" + + pool { + type = "g6-standard-1" + count = 1 + } +} + +resource "linode_firewall" "the-ring" { + label = "the-ring" + linodes = [ + for node in linode_lke_cluster.the-ring.pool[0].nodes : + node.instance_id + ] + outbound_policy = "ACCEPT" + inbound_policy = "DROP" + + inbound { + label = "allow-ping" + action = "ACCEPT" + protocol = "ICMP" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } +} From 812e82886202cd9b0396a9ad3202877d1cacfd5d Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 7 Mar 2022 20:32:14 +0000 Subject: [PATCH 084/120] Allow unprivileged ports to access cluster This is needed for ingress-nginx --- terraform/the-ring.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/terraform/the-ring.tf b/terraform/the-ring.tf index e3e4015..f35475d 100644 --- a/terraform/the-ring.tf +++ b/terraform/the-ring.tf @@ -25,4 +25,13 @@ resource "linode_firewall" "the-ring" { ipv4 = ["0.0.0.0/0"] ipv6 = ["::/0"] } + + inbound { + label = "allow-k8s-unprivileged" + action = "ACCEPT" + protocol = "TCP" + ports = "30000-32767" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } } From 2093f72602b788b6c12a909855c9dcb34fd07928 Mon Sep 17 00:00:00 2001 
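Review bot: With `inbound_policy = "DROP"` and only ICMP allowed, the LKE control plane's access to the nodes and the nodes' own overlay traffic are dropped too unless added explicitly; Linode's guidance for LKE behind a Cloud Firewall lists the rules a DROP policy must carry (kubelet on TCP 10250 and the WireGuard tunnel on UDP 51820 from the Linode private range, plus Calico BGP on TCP 179 between nodes) — confirm the current list before relying on this, as the commit message itself doubts the config. The second hunk (patch 084) opens the entire NodePort range `30000-32767` to `0.0.0.0/0` and `::/0`; if only ingress-nginx needs it, fronting it with a NodeBalancer (`type: LoadBalancer`) and limiting this rule to the NodeBalancer source range narrows what is reachable from the internet, since every future NodePort service would otherwise become public automatically. The `linodes` list is derived from `pool[0].nodes`, so node recycling changes the instance ids and the firewall attachment drifts until the next apply; a comment on that expression noting the drift would help whoever debugs a suddenly unfirewalled node.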
From: Jake Howard Date: Mon, 7 Mar 2022 21:58:17 +0000 Subject: [PATCH 085/120] Add a skeleton k8s deployment setup DNS will come later --- ansible/yamllint.yml | 18 +----------------- k8s/kustomization.yml | 4 ++++ k8s/whoami/deployment.yml | 24 ++++++++++++++++++++++++ k8s/whoami/ingress.yml | 17 +++++++++++++++++ k8s/whoami/kustomization.yml | 8 ++++++++ k8s/whoami/namespace.yml | 4 ++++ k8s/whoami/service.yml | 13 +++++++++++++ scripts/k8s/apply.sh | 5 +++++ scripts/k8s/lint.sh | 7 +++++++ yamllint.yml | 17 +++++++++++++++++ 10 files changed, 100 insertions(+), 17 deletions(-) mode change 100644 => 120000 ansible/yamllint.yml create mode 100644 k8s/kustomization.yml create mode 100644 k8s/whoami/deployment.yml create mode 100644 k8s/whoami/ingress.yml create mode 100644 k8s/whoami/kustomization.yml create mode 100644 k8s/whoami/namespace.yml create mode 100644 k8s/whoami/service.yml create mode 100755 scripts/k8s/apply.sh create mode 100755 scripts/k8s/lint.sh create mode 100644 yamllint.yml diff --git a/ansible/yamllint.yml b/ansible/yamllint.yml deleted file mode 100644 index 2dd2400..0000000 --- a/ansible/yamllint.yml +++ /dev/null @@ -1,17 +0,0 @@ -extends: default - -ignore: | - ansible/galaxy_roles - ansible/galaxy_collections - ansible/group_vars/all/hosts.yml - ansible/roles/traefik/files/traefik.yml - ansible/roles/nebula/files/nebula.yml - -rules: - document-start: disable - truthy: disable - quoted-strings: - quote-type: double - required: only-when-needed - line-length: - max: 160 diff --git a/ansible/yamllint.yml b/ansible/yamllint.yml new file mode 120000 index 0000000..ad62d0d --- /dev/null +++ b/ansible/yamllint.yml @@ -0,0 +1 @@ +./yamllint.yml \ No newline at end of file diff --git a/k8s/kustomization.yml b/k8s/kustomization.yml new file mode 100644 index 0000000..338d5e1 --- /dev/null +++ b/k8s/kustomization.yml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - whoami 
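Review bot: The new `ansible/yamllint.yml` symlink points at `./yamllint.yml`, and a relative symlink target is resolved from the directory containing the link, so this link resolves to itself and anything that opens it gets a symlink loop rather than the root config. The target should be `../yamllint.yml`. Note also that the root `yamllint.yml` keeps `ansible/...` paths in its `ignore:` block, which likely only match when yamllint is run from the repository root (as `scripts/k8s/lint.sh` does); running it from inside `ansible/` through this link would probably not apply those ignores.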
diff --git a/k8s/whoami/deployment.yml b/k8s/whoami/deployment.yml new file mode 100644 index 0000000..2299d1f --- /dev/null +++ b/k8s/whoami/deployment.yml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: whoami +spec: + selector: + matchLabels: + app: whoami + replicas: 2 + template: + metadata: + labels: + app: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + readinessProbe: + httpGet: + path: / + port: 80 + ports: + - containerPort: 80 + imagePullPolicy: Always diff --git a/k8s/whoami/ingress.yml b/k8s/whoami/ingress.yml new file mode 100644 index 0000000..71e6a6e --- /dev/null +++ b/k8s/whoami/ingress.yml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: whoami +spec: + ingressClassName: nginx + rules: + - host: whoami.localhost + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: whoami + port: + number: 80 diff --git a/k8s/whoami/kustomization.yml b/k8s/whoami/kustomization.yml new file mode 100644 index 0000000..30a02f5 --- /dev/null +++ b/k8s/whoami/kustomization.yml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: whoami +resources: + - deployment.yml + - ingress.yml + - namespace.yml + - service.yml diff --git a/k8s/whoami/namespace.yml b/k8s/whoami/namespace.yml new file mode 100644 index 0000000..f7d1afe --- /dev/null +++ b/k8s/whoami/namespace.yml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: whoami diff --git a/k8s/whoami/service.yml b/k8s/whoami/service.yml new file mode 100644 index 0000000..39f0019 --- /dev/null +++ b/k8s/whoami/service.yml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: whoami + labels: + app: whoami +spec: + ports: + - port: 80 + targetPort: 80 + protocol: TCP + selector: + app: whoami diff --git a/scripts/k8s/apply.sh b/scripts/k8s/apply.sh new file mode 100755 index 0000000..5ab9cbe --- /dev/null +++ b/scripts/k8s/apply.sh 
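Review bot: `image: traefik/whoami` carries no tag and is paired with `imagePullPolicy: Always`, so every pod start pulls whatever `latest` is at that moment — rollbacks are not reproducible and an upstream change lands without review; pin a release tag (or a digest) and let Renovate, enabled in patch 080, propose the bumps. The container also has no `resources` and no `securityContext`; `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` (whoami should need no writable filesystem — confirm) cost nothing, and requests/limits keep a misbehaving pod from starving the single-node pool. `runAsNonRoot` and `capabilities.drop: [ALL]` would be desirable as well but need the service moved off port 80 first, since binding a privileged port requires `CAP_NET_BIND_SERVICE`. The sizes below are illustrative.

```yaml
      containers:
        - name: whoami
          image: traefik/whoami:<PINNED_TAG>  # placeholder — pin a release tag or @sha256 digest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              memory: 32Mi
          # … unchanged: readinessProbe, ports, imagePullPolicy …
```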
@@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +set -e + +kubectl apply -k ./k8s diff --git a/scripts/k8s/lint.sh b/scripts/k8s/lint.sh new file mode 100755 index 0000000..7fc9627 --- /dev/null +++ b/scripts/k8s/lint.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +set -e + +PATH=${PWD}/env/bin:${PATH} + +yamllint -c ./yamllint.yml ./k8s diff --git a/yamllint.yml b/yamllint.yml new file mode 100644 index 0000000..2dd2400 --- /dev/null +++ b/yamllint.yml @@ -0,0 +1,17 @@ +extends: default + +ignore: | + ansible/galaxy_roles + ansible/galaxy_collections + ansible/group_vars/all/hosts.yml + ansible/roles/traefik/files/traefik.yml + ansible/roles/nebula/files/nebula.yml + +rules: + document-start: disable + truthy: disable + quoted-strings: + quote-type: double + required: only-when-needed + line-length: + max: 160 From 5d136a8a2f1970cdab493910c2f928496bce4857 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 13 Mar 2022 15:59:24 +0000 Subject: [PATCH 086/120] Update synapse to 1.54 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 374fd97..2e957f0 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.52.0 + image: matrixdotorg/synapse:v1.54.0 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From ffe9a13ff1a37991fcb79991ac51de1f4da77518 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 13 Mar 2022 15:59:37 +0000 Subject: [PATCH 087/120] Update uptime-kuma to 1.12.1 --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index 62415cc..15e84de 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.11.4-alpine + image: louislam/uptime-kuma:1.12.1-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From bd49c1c86987862a2ebfe6c1ad68c0a8522b7cd0 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 18 Mar 2022 18:06:07 +0000 Subject: [PATCH 088/120] Update renovate to v32 --- ansible/roles/renovate/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/renovate/files/docker-compose.yml b/ansible/roles/renovate/files/docker-compose.yml index e633c36..692868b 100644 --- a/ansible/roles/renovate/files/docker-compose.yml +++ b/ansible/roles/renovate/files/docker-compose.yml @@ -1,7 +1,7 @@ version: "2.3" services: renovate: - image: renovate/renovate:31-slim + image: renovate/renovate:32-slim command: /entrypoint.sh user: "{{ docker_user.id }}" environment: From b8736e1c65924e583b72c06525cbcfef8f8be90b Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Fri, 18 Mar 2022 19:44:06 +0000 Subject: [PATCH 089/120] Create VPN for port 53 --- ansible/main.yml | 1 + ansible/roles/wireguard_53/files/client.conf | 10 ++++++ ansible/roles/wireguard_53/files/server.conf | 11 +++++++ ansible/roles/wireguard_53/handlers/main.yml | 5 +++ ansible/roles/wireguard_53/tasks/main.yml | 33 ++++++++++++++++++++ ansible/roles/wireguard_53/vars/main.yml | 8 +++++ ansible/roles/wireguard_53/vars/vault.yml | 19 +++++++++++ terraform/casey_vps.tf | 9 ++++++ 8 files changed, 96 insertions(+) create mode 100644 ansible/roles/wireguard_53/files/client.conf create mode 100644 ansible/roles/wireguard_53/files/server.conf create mode 100644 ansible/roles/wireguard_53/handlers/main.yml create mode 100644 ansible/roles/wireguard_53/tasks/main.yml create mode 100644 ansible/roles/wireguard_53/vars/main.yml create mode 100644 ansible/roles/wireguard_53/vars/vault.yml diff --git a/ansible/main.yml b/ansible/main.yml index 2ac5f98..d1cd2c3 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -9,6 +9,7 @@ - gateway - nebula - fail2ban_ssh + - wireguard_53 - hosts: - pve diff --git a/ansible/roles/wireguard_53/files/client.conf b/ansible/roles/wireguard_53/files/client.conf new file mode 100644 index 0000000..4322c32 --- /dev/null +++ b/ansible/roles/wireguard_53/files/client.conf @@ -0,0 +1,10 @@ +[Interface] +Address = {{ client_cidr }} +PrivateKey = {{ client_private_key }} + +[Peer] +PublicKey = {{ server_public_key }} +Endpoint = {{ server_public_ip }}:53 +AllowedIPs = 0.0.0.0/0 + +PersistentKeepalive = 25 diff --git a/ansible/roles/wireguard_53/files/server.conf b/ansible/roles/wireguard_53/files/server.conf new file mode 100644 index 0000000..2ab3e09 --- /dev/null +++ b/ansible/roles/wireguard_53/files/server.conf 
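Review bot: `AllowedIPs = 0.0.0.0/0` routes all client IPv4 through the tunnel, but the `[Interface]` section sets no `DNS =`, so name resolution still goes to whichever resolver the local network handed out, in the clear and outside the tunnel; add `DNS = <resolver reachable through the tunnel>` under `[Interface]` so lookups follow the same path as the traffic. IPv6 is not covered by that line either, so any v6 connectivity on the client bypasses the VPN; append `, ::/0` if a full tunnel is the intent. `Endpoint` is built from `server_public_ip`, which vars/main.yml takes from `ansible_default_ipv4.address`; on a VPS with a single NIC that is the public address, but it is worth a comment there since a second interface would silently change it.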
@@ -0,0 +1,11 @@ +[Interface] +Address = {{ server_ip }} +PrivateKey = {{ server_private_key }} +ListenPort = 53 + +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE + +[Peer] +PublicKey = {{ client_public_key }} +AllowedIPs = {{ client_cidr }} diff --git a/ansible/roles/wireguard_53/handlers/main.yml b/ansible/roles/wireguard_53/handlers/main.yml new file mode 100644 index 0000000..989e9bc --- /dev/null +++ b/ansible/roles/wireguard_53/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart wireguard + service: + name: wg-quick@wg53 + state: restarted + become: true diff --git a/ansible/roles/wireguard_53/tasks/main.yml b/ansible/roles/wireguard_53/tasks/main.yml new file mode 100644 index 0000000..1a34919 --- /dev/null +++ b/ansible/roles/wireguard_53/tasks/main.yml @@ -0,0 +1,33 @@ +- name: Include vault + include_vars: vault.yml + +- name: Install wireguard tools + package: + name: "{{ item }}" + become: true + loop: + - wireguard-tools + - qrencode + +- name: Wireguard server config + template: + src: files/server.conf + dest: /etc/wireguard/wg53.conf + mode: "0600" + backup: true + become: true + notify: restart wireguard + +- name: Wireguard client config + template: + src: files/client.conf + dest: "{{ home }}/wg53.conf" + mode: "0600" + become: true + notify: restart wireguard + +- name: Enable wireguard + service: + name: wg-quick@wg53 + enabled: true + become: true diff --git a/ansible/roles/wireguard_53/vars/main.yml b/ansible/roles/wireguard_53/vars/main.yml new file mode 100644 index 0000000..c3a2553 --- /dev/null +++ b/ansible/roles/wireguard_53/vars/main.yml 
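Review bot: The peer's `AllowedIPs = {{ client_cidr }}` expands to `10.23.4.2/24` (vars/main.yml in the following hunk), which WireGuard normalises to the whole `10.23.4.0/24`, so this single peer is accepted as the source for any address in the subnet rather than only its own. Keep the /24 for the client's `Address` but give the server a host entry: e.g. `client_ip: 10.23.4.2` in vars and `AllowedIPs = {{ client_ip }}/32` here. The `PostUp`/`PostDown` rules hard-code `eth0`; since `server_public_ip` already comes from `ansible_default_ipv4`, `-o {{ ansible_default_ipv4.interface }}` keeps the two consistent should the VPS name the NIC differently.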
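Review bot: The `Wireguard client config` task writes `{{ home }}/wg53.conf` with `become: true` but no `owner`/`group`, so the file, which holds the client private key, lands root-owned with mode 0600 inside a user's home directory; presumably it is meant to be read by that user (the role installs `qrencode`), which it then cannot. Add `owner:`/`group:` set to that user, or drop `become` if `{{ home }}` belongs to the connecting user. Its `notify: restart wireguard` also restarts the server interface for a change to a file wg-quick never reads; removing that line avoids a needless tunnel drop.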
@@ -0,0 +1,8 @@ +client_public_key: "{{ vault_client_public_key }}" +client_private_key: "{{ vault_client_private_key }}" +client_cidr: 10.23.4.2/24 + +server_public_key: "{{ vault_server_public_key }}" +server_private_key: "{{ vault_server_private_key }}" +server_public_ip: "{{ ansible_default_ipv4.address }}" +server_ip: 10.23.4.1 diff --git a/ansible/roles/wireguard_53/vars/vault.yml b/ansible/roles/wireguard_53/vars/vault.yml new file mode 100644 index 0000000..c6d44cd --- /dev/null +++ b/ansible/roles/wireguard_53/vars/vault.yml @@ -0,0 +1,19 @@ +$ANSIBLE_VAULT;1.1;AES256 +35366163656631633636333937333238346539653236323463316333356637623263326436623130 +3333616234643935306337386165623734333265663237610a326538636532643835373137316333 +30363133343035353235616639613637353435303863393130396261623063633836383430326530 +3634313639353264310a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diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf index 93adae2..47082b4 100644 --- a/terraform/casey_vps.tf +++ b/terraform/casey_vps.tf @@ -47,6 +47,15 @@ resource "linode_firewall" "casey" { ipv6 = ["::/0"] } + inbound { + label = "allow-inbound-wireguard-53" + action = "ACCEPT" + protocol = "UDP" + ports = "53" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } + inbound { label = "allow-inbound-nebula" action = "ACCEPT" From 81116998b1eeb0fcd2f9a82057164247e4b878fd Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 18 Mar 2022 19:44:57 +0000 Subject: [PATCH 090/120] Fix symbolic link for yamllint config --- ansible/yamllint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/yamllint.yml b/ansible/yamllint.yml index ad62d0d..ed6c4a0 120000 --- a/ansible/yamllint.yml +++ b/ansible/yamllint.yml @@ -1 +1 @@ -./yamllint.yml \ No newline at end of file +../yamllint.yml \ No newline at end of file From e0df63e3c91c432bd2f4f2fa79eaed6e58a46e1c Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Tue, 22 Mar 2022 21:19:43 +0000 Subject: [PATCH 091/120] Update nextcloud to 23.0.3 --- ansible/roles/pve_docker/files/nextcloud/config.php | 2 +- ansible/roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/pve_docker/files/nextcloud/config.php b/ansible/roles/pve_docker/files/nextcloud/config.php index ec55e98..8e7f26d 100644 --- a/ansible/roles/pve_docker/files/nextcloud/config.php +++ b/ansible/roles/pve_docker/files/nextcloud/config.php @@ -19,7 +19,7 @@ $CONFIG = array ( 0 => 'intersect.jakehoward.tech', ), 'dbtype' => 'mysql', - 'version' => '23.0.0.10', + 'version' => '23.0.3.2', 'overwrite.cli.url' => 'https://intersect.jakehoward.tech', 'dbname' => 'nextcloud', 'dbhost' => 'mariadb', diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index 97cbc2f..828afb9 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: nextcloud: - image: lscr.io/linuxserver/nextcloud:version-23.0.2 + image: lscr.io/linuxserver/nextcloud:version-23.0.3 environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} From cccfa8bf51acae2844d969a43e8044b37d7a12a3 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 22 Mar 2022 21:22:07 +0000 Subject: [PATCH 092/120] Remove version prefix from nextcloud tag Apparently that's not needed anymore --- ansible/roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index 828afb9..f457202 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml 
@@ -2,7 +2,7 @@ version: "2.3" services: nextcloud: - image: lscr.io/linuxserver/nextcloud:version-23.0.3 + image: lscr.io/linuxserver/nextcloud:23.0.3 environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} From 793506492f2354a86e2eaa55e832db566263386e Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 23 Mar 2022 19:25:30 +0000 Subject: [PATCH 093/120] No shenanigans by default This causes strange problems with nextcloud --- ansible/roles/traefik/files/traefik.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml index 1b74ffd..e0d0069 100644 --- a/ansible/roles/traefik/files/traefik.yml +++ b/ansible/roles/traefik/files/traefik.yml @@ -17,7 +17,6 @@ entryPoints: middlewares: - floc-block@file - compress@file - - shenanigans@file tls: certresolver: le domains: From 72c54029cd9ee067af4dc75038efcf8ac7d397a9 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 24 Mar 2022 22:13:52 +0000 Subject: [PATCH 094/120] Update synapse to 1.55.2 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index 2e957f0..eac1093 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.54.0 + image: matrixdotorg/synapse:v1.55.2 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From 54b81917549138acb8400ab9dbe37a26caa5f7eb Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 24 Mar 2022 22:20:29 +0000 Subject: [PATCH 095/120] Update uptime-kuma to 1.13.1 --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index 15e84de..a2c7df2 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.12.1-alpine + image: louislam/uptime-kuma:1.13.1-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From b8c5d40c73043de3f6ee17b73bd9e7720ee78cf7 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 26 Apr 2022 20:39:05 +0100 Subject: [PATCH 096/120] Update nextcloud to 23.0.4 --- ansible/roles/pve_docker/files/nextcloud/config.php | 2 +- ansible/roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/pve_docker/files/nextcloud/config.php b/ansible/roles/pve_docker/files/nextcloud/config.php index 8e7f26d..5bd90a1 100644 --- a/ansible/roles/pve_docker/files/nextcloud/config.php +++ b/ansible/roles/pve_docker/files/nextcloud/config.php @@ -19,7 +19,7 @@ $CONFIG = array ( 0 => 'intersect.jakehoward.tech', ), 'dbtype' => 'mysql', - 'version' => '23.0.3.2', + 'version' => '23.0.4.1', 'overwrite.cli.url' => 'https://intersect.jakehoward.tech', 'dbname' => 'nextcloud', 'dbhost' => 'mariadb', diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml index f457202..66627e4 100644 --- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml +++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: nextcloud: - image: lscr.io/linuxserver/nextcloud:23.0.3 + image: lscr.io/linuxserver/nextcloud:23.0.4 environment: - PUID={{ docker_user.id }} - PGID={{ docker_user.id }} From 679cd5eba1ae49c6b78244de494be350a60d9048 Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Tue, 26 Apr 2022 20:39:16 +0100 Subject: [PATCH 097/120] Update synapse to 1.57.1 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index eac1093..f87fb36 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.55.2 + image: matrixdotorg/synapse:v1.57.1 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From 208c605f05e4003e568e082f2667224b44d210b8 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Tue, 26 Apr 2022 20:40:33 +0100 Subject: [PATCH 098/120] Update uptime-kuma to 1.15.0 --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index a2c7df2..721c8fe 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.13.1-alpine + image: louislam/uptime-kuma:1.15.0-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From 588152461eff7830d7122cd8fa1b2cd1def306bf Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 27 Apr 2022 08:39:24 +0100 Subject: [PATCH 099/120] Pin to released version of ansible-role-snapraid Now https://github.com/IronicBadger/ansible-role-snapraid/pull/9 has been merged. --- ansible/galaxy-requirements.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml index 20a30cd..97fb713 100644 --- a/ansible/galaxy-requirements.yml 
+++ b/ansible/galaxy-requirements.yml @@ -17,6 +17,5 @@ roles: - src: rossmcdonald.telegraf - src: geerlingguy.gitlab - src: dokku_bot.ansible_dokku - - src: https://github.com/RealOrangeOne/ansible-role-snapraid + - src: https://github.com/IronicBadger/ansible-role-snapraid name: IronicBadger.snapraid - version: 8bb040fef8ad33f01f9175f754adb750b8828b32 # https://github.com/IronicBadger/ansible-role-snapraid/pull/9 From 51779a1f7e6b21cb69bf4cf72b8b8d5ef96ad9df Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 27 Apr 2022 08:40:17 +0100 Subject: [PATCH 100/120] Use released version of ntp role Now https://github.com/geerlingguy/ansible-role-ntp/pull/110 has shipped. --- ansible/galaxy-requirements.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml index 97fb713..19e88f0 100644 --- a/ansible/galaxy-requirements.yml +++ b/ansible/galaxy-requirements.yml @@ -6,9 +6,7 @@ collections: roles: - src: geerlingguy.docker - - src: https://github.com/blmhemu/ansible-role-ntp - version: fa40f44c2542e6fcff96d50eaf06a417a9376244 # https://github.com/geerlingguy/ansible-role-ntp/pull/110 - name: geerlingguy.ntp + - src: geerlingguy.ntp - src: realorangeone.reflector - src: https://github.com/jsclayton/ansible-role-proxmox-nag-removal version: b0502ef4c371bbfb18faf85f5d869e3ffec661a8 # https://github.com/IronicBadger/ansible-role-proxmox-nag-removal/pull/15 From da450c08dd311b2ae9488159fc6fc1c1c9f9dc9b Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Mon, 2 May 2022 21:44:33 +0100 Subject: [PATCH 101/120] Decommission k8s environment Need a little more time in the playground before I have use of a production-grade environment. Especially when it's costing $20/mo --- k8s/kustomization.yml | 4 ---- k8s/whoami/deployment.yml | 24 ----------------------- k8s/whoami/ingress.yml | 17 ----------------- k8s/whoami/kustomization.yml | 8 -------- k8s/whoami/namespace.yml | 4 ---- k8s/whoami/service.yml | 13 ------------- scripts/k8s/apply.sh | 5 ----- scripts/k8s/lint.sh | 7 ------- terraform/the-ring.tf | 37 ------------------------------------ 9 files changed, 119 deletions(-) delete mode 100644 k8s/kustomization.yml delete mode 100644 k8s/whoami/deployment.yml delete mode 100644 k8s/whoami/ingress.yml delete mode 100644 k8s/whoami/kustomization.yml delete mode 100644 k8s/whoami/namespace.yml delete mode 100644 k8s/whoami/service.yml delete mode 100755 scripts/k8s/apply.sh delete mode 100755 scripts/k8s/lint.sh delete mode 100644 terraform/the-ring.tf diff --git a/k8s/kustomization.yml b/k8s/kustomization.yml deleted file mode 100644 index 338d5e1..0000000 --- a/k8s/kustomization.yml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - whoami diff --git a/k8s/whoami/deployment.yml b/k8s/whoami/deployment.yml deleted file mode 100644 index 2299d1f..0000000 --- a/k8s/whoami/deployment.yml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: whoami -spec: - selector: - matchLabels: - app: whoami - replicas: 2 - template: - metadata: - labels: - app: whoami - spec: - containers: - - name: whoami - image: traefik/whoami - readinessProbe: - httpGet: - path: / - port: 80 - ports: - - containerPort: 80 - imagePullPolicy: Always diff --git a/k8s/whoami/ingress.yml b/k8s/whoami/ingress.yml deleted file mode 100644 index 71e6a6e..0000000 --- a/k8s/whoami/ingress.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: whoami -spec: - ingressClassName: nginx - rules: - - host: whoami.localhost - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: whoami - port: - number: 80 diff --git a/k8s/whoami/kustomization.yml b/k8s/whoami/kustomization.yml deleted file mode 100644 index 30a02f5..0000000 --- a/k8s/whoami/kustomization.yml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: whoami -resources: - - deployment.yml - - ingress.yml - - namespace.yml - - service.yml diff --git a/k8s/whoami/namespace.yml b/k8s/whoami/namespace.yml deleted file mode 100644 index f7d1afe..0000000 --- a/k8s/whoami/namespace.yml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: whoami diff --git a/k8s/whoami/service.yml b/k8s/whoami/service.yml deleted file mode 100644 index 39f0019..0000000 --- a/k8s/whoami/service.yml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: whoami - labels: - app: whoami -spec: - ports: - - port: 80 - targetPort: 80 - protocol: TCP - selector: - app: whoami diff --git a/scripts/k8s/apply.sh b/scripts/k8s/apply.sh deleted file mode 100755 index 5ab9cbe..0000000 --- a/scripts/k8s/apply.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env bash - -set -e - -kubectl apply -k ./k8s diff --git a/scripts/k8s/lint.sh b/scripts/k8s/lint.sh deleted file mode 100755 index 7fc9627..0000000 --- a/scripts/k8s/lint.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env bash - -set -e - -PATH=${PWD}/env/bin:${PATH} - -yamllint -c ./yamllint.yml ./k8s diff --git a/terraform/the-ring.tf b/terraform/the-ring.tf deleted file mode 100644 index f35475d..0000000 --- a/terraform/the-ring.tf +++ /dev/null 
@@ -1,37 +0,0 @@ -resource "linode_lke_cluster" "the-ring" { - label = "the-ring" - k8s_version = "1.22" - region = "eu-west" - - pool { - type = "g6-standard-1" - count = 1 - } -} - -resource "linode_firewall" "the-ring" { - label = "the-ring" - linodes = [ - for node in linode_lke_cluster.the-ring.pool[0].nodes : - node.instance_id - ] - outbound_policy = "ACCEPT" - inbound_policy = "DROP" - - inbound { - label = "allow-ping" - action = "ACCEPT" - protocol = "ICMP" - ipv4 = ["0.0.0.0/0"] - ipv6 = ["::/0"] - } - - inbound { - label = "allow-k8s-unprivileged" - action = "ACCEPT" - protocol = "TCP" - ports = "30000-32767" - ipv4 = ["0.0.0.0/0"] - ipv6 = ["::/0"] - } -} From 2c7e4e5532535e32c40bc51f356a8fe03c58d826 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 4 May 2022 22:32:33 +0100 Subject: [PATCH 102/120] Unpin fork of `proxmox-nag-removal` --- ansible/galaxy-requirements.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml index 19e88f0..0deb070 100644 --- a/ansible/galaxy-requirements.yml +++ b/ansible/galaxy-requirements.yml @@ -8,8 +8,7 @@ roles: - src: geerlingguy.docker - src: geerlingguy.ntp - src: realorangeone.reflector - - src: https://github.com/jsclayton/ansible-role-proxmox-nag-removal - version: b0502ef4c371bbfb18faf85f5d869e3ffec661a8 # https://github.com/IronicBadger/ansible-role-proxmox-nag-removal/pull/15 + - src: https://github.com/IronicBadger/ansible-role-proxmox-nag-removal name: IronicBadger.proxmox-nag-removal - src: chmduquesne.iptables_persistent - src: rossmcdonald.telegraf From d7056861b93869ca8f0bb3c6df1ee0ce0def7d7f Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 7 May 2022 11:34:46 +0100 Subject: [PATCH 103/120] Keep data for a bit longer Don't ask me why I did this... --- ansible/roles/restic/files/backrest.sh | 2 +- ansible/roles/zfs/defaults/main.yml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/ansible/roles/restic/files/backrest.sh b/ansible/roles/restic/files/backrest.sh index fbba2c1..4036b86 100644 --- a/ansible/roles/restic/files/backrest.sh +++ b/ansible/roles/restic/files/backrest.sh @@ -11,7 +11,7 @@ export GOGC=20 # HACK: Work around for restic's high memory usage https://githu export RESTIC_LOG_DIR="$HOME/log" export RESTIC_LOG_FILE="$RESTIC_LOG_DIR/$1-$(date -Iseconds).log" -export FORGET_OPTIONS="--keep-daily 30 --group-by host" +export FORGET_OPTIONS="--keep-daily 30 --keep-monthly 3 --group-by host" mkdir -p "$RESTIC_LOG_DIR" diff --git a/ansible/roles/zfs/defaults/main.yml b/ansible/roles/zfs/defaults/main.yml index d0768ed..b3a2074 100644 --- a/ansible/roles/zfs/defaults/main.yml +++ b/ansible/roles/zfs/defaults/main.yml @@ -14,17 +14,17 @@ sanoid_datasets: sanoid_templates: production: frequently: 0 - hourly: 24 - daily: 14 - monthly: 2 + hourly: 36 + daily: 21 + monthly: 3 yearly: 0 autosnap: true autoprune: true replaceable: frequently: 0 - hourly: 6 - daily: 2 + hourly: 12 + daily: 5 monthly: 0 yearly: 0 autosnap: true From 15b56971a17f9bfeb08d9a1e0601330b001cb87b Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 7 May 2022 11:37:49 +0100 Subject: [PATCH 104/120] Update uptime-kuma to 1.15.1 --- ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml index 721c8fe..f9f9c4a 100644 --- a/ansible/roles/uptime_kuma/files/docker-compose.yml +++ b/ansible/roles/uptime_kuma/files/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: uptime-kuma: - image: louislam/uptime-kuma:1.15.0-alpine + image: louislam/uptime-kuma:1.15.1-alpine restart: unless-stopped environment: - PUID={{ docker_user.id }} From 26b4b18737f220821e2a16d32fb2042c053a27f3 Mon Sep 17 00:00:00 2001 
From: Jake Howard Date: Sat, 7 May 2022 11:38:46 +0100 Subject: [PATCH 105/120] Update synapse to 1.58.1 --- ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml index f87fb36..77da07b 100644 --- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml +++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml @@ -3,7 +3,7 @@ version: "2.3" services: synapse: - image: matrixdotorg/synapse:v1.57.1 + image: matrixdotorg/synapse:v1.58.1 restart: unless-stopped environment: - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml From 8eae7b69e0e2ffc38ea073f2aa7639337575dc82 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 7 May 2022 12:08:52 +0100 Subject: [PATCH 106/120] Pin versions of galaxy requirements --- ansible/galaxy-requirements.yml | 13 +++++++++---- ansible/main.yml | 4 ++-- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml index 0deb070..62767c6 100644 --- a/ansible/galaxy-requirements.yml +++ b/ansible/galaxy-requirements.yml @@ -6,13 +6,18 @@ collections: roles: - src: geerlingguy.docker + version: 4.2.2 - src: geerlingguy.ntp + version: 2.3.1 - src: realorangeone.reflector - - src: https://github.com/IronicBadger/ansible-role-proxmox-nag-removal - name: IronicBadger.proxmox-nag-removal + - src: ironicbadger.proxmox_nag_removal + version: 1.0.1 - src: chmduquesne.iptables_persistent - src: rossmcdonald.telegraf + version: v1.2.0 - src: geerlingguy.gitlab + version: 3.2.0 - src: dokku_bot.ansible_dokku - - src: https://github.com/IronicBadger/ansible-role-snapraid - name: IronicBadger.snapraid + version: v2021.11.28 + - src: ironicbadger.snapraid + version: 1.0.0 diff --git a/ansible/main.yml b/ansible/main.yml index d1cd2c3..3b8a545 100644 --- a/ansible/main.yml +++ b/ansible/main.yml 
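Review bot: `realorangeone.reflector` and `chmduquesne.iptables_persistent` are still listed without a `version:`, so `ansible-galaxy install` keeps resolving them to whatever is newest on Galaxy while every other role in the file is now pinned; add `version:` lines for both (a tag or release, as done for the others) so the pin is complete and Renovate can track them. The `collections:` block named in the hunk header starts before this hunk and is outside the view, so the same check applies there.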
@@ -79,12 +79,12 @@ - hosts: pve roles: - - role: IronicBadger.proxmox-nag-removal + - role: ironicbadger.proxmox_nag_removal become: true - zfs - pve_nebula_route - telegraf - - role: IronicBadger.snapraid + - role: ironicbadger.snapraid become: true - hosts: forrest From 050479faadf25b9895b0a9824abfa1bc47c177a8 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 7 May 2022 12:12:29 +0100 Subject: [PATCH 107/120] Remove limit for open MRs --- renovate.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 00a4f65..432cb31 100644 --- a/renovate.json +++ b/renovate.json @@ -3,5 +3,6 @@ "extends": [ "config:base" ], - "prHourlyLimit": 0 + "prHourlyLimit": 0, + "prConcurrentLimit": 0 } From 306d2368c132eb964a48f358015f7342d9def120 Mon Sep 17 00:00:00 2001 From: Renovate Date: Mon, 21 Feb 2022 22:39:30 +0000 Subject: [PATCH 108/120] Update dependency wallabag/wallabag to v2.4.3 --- ansible/roles/pve_docker/files/wallabag/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml index 64df922..5c377d9 100644 --- a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml +++ b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.3" services: wallabag: - image: wallabag/wallabag:2.4.2 + image: wallabag/wallabag:2.4.3 restart: unless-stopped environment: - SYMFONY__ENV__SECRET={{ wallabag_secret }} From 1c14c10b74d04276ee93e9f2efdc9d42be75d021 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sat, 7 May 2022 12:34:57 +0100 Subject: [PATCH 109/120] Allow 2 cores per runner job for concurrency Allowing 2 clear cores runs fewer jobs, but should run them a lot faster --- ansible/roles/gitlab_runner/files/config.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/gitlab_runner/files/config.toml b/ansible/roles/gitlab_runner/files/config.toml index 4c53989..fc1aec4 100644 --- a/ansible/roles/gitlab_runner/files/config.toml +++ b/ansible/roles/gitlab_runner/files/config.toml @@ -1,4 +1,4 @@ -concurrent = {{ ansible_processor_nproc }} +concurrent = {{ ansible_processor_nproc // 2 }} log_level = "warning" check_interval = 10 From 82040a5c85a44d6dbcad2b3fa689d5a4bbb60f01 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 16 May 2022 22:02:01 +0100 Subject: [PATCH 110/120] Move qbittorrent to be a LXC --- ansible/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible/main.yml b/ansible/main.yml index 3b8a545..3c711b5 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -15,7 +15,6 @@ - pve - casey - ingress - - qbittorrent - walker - grimes - decker From f2290aafa6faa154831a51e87e10f3add3fb90bf Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 9 May 2022 22:55:22 +0100 Subject: [PATCH 111/120] Reduce usage and reliance on downsampled snapshots Keep more at a lower resolution, as really those are the most useful --- ansible/roles/restic/files/backrest.sh | 2 +- ansible/roles/zfs/defaults/main.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ansible/roles/restic/files/backrest.sh b/ansible/roles/restic/files/backrest.sh index 4036b86..b369500 100644 --- a/ansible/roles/restic/files/backrest.sh +++ b/ansible/roles/restic/files/backrest.sh @@ -11,7 +11,7 @@ export GOGC=20 # HACK: Work around for restic's high memory usage https://githu export RESTIC_LOG_DIR="$HOME/log" export RESTIC_LOG_FILE="$RESTIC_LOG_DIR/$1-$(date -Iseconds).log" -export FORGET_OPTIONS="--keep-daily 30 --keep-monthly 3 --group-by host" +export FORGET_OPTIONS="--keep-daily 60 --keep-monthly 6 --group-by host" mkdir -p "$RESTIC_LOG_DIR" diff --git a/ansible/roles/zfs/defaults/main.yml b/ansible/roles/zfs/defaults/main.yml index b3a2074..ab5fff4 100644 
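Review bot: `{{ ansible_processor_nproc // 2 }}` evaluates to `0` on a single-core host, and a `concurrent = 0` runner limit is unlikely to be what is wanted; clamp it, e.g. `concurrent = {{ [ansible_processor_nproc // 2, 1] | max }}`. The rest of config.toml continues outside the hunk.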
--- a/ansible/roles/zfs/defaults/main.yml +++ b/ansible/roles/zfs/defaults/main.yml @@ -14,8 +14,8 @@ sanoid_datasets: sanoid_templates: production: frequently: 0 - hourly: 36 - daily: 21 + hourly: 48 + daily: 28 monthly: 3 yearly: 0 autosnap: true @@ -23,8 +23,8 @@ sanoid_templates: replaceable: frequently: 0 - hourly: 12 - daily: 5 + hourly: 24 + daily: 7 monthly: 0 yearly: 0 autosnap: true From e176ba371cf371801918ab79d20b7ad2ef79a03f Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Mon, 9 May 2022 22:57:30 +0100 Subject: [PATCH 112/120] Move my settings out of default --- ansible/host_vars/pve/main.yml | 20 ++++++++++++++++++++ ansible/roles/zfs/defaults/main.yml | 29 ++--------------------------- 2 files changed, 22 insertions(+), 27 deletions(-) diff --git a/ansible/host_vars/pve/main.yml b/ansible/host_vars/pve/main.yml index c9102cb..c01c5bc 100644 --- a/ansible/host_vars/pve/main.yml +++ b/ansible/host_vars/pve/main.yml @@ -17,6 +17,26 @@ sanoid_datasets: use_template: production recursive: true +sanoid_templates: + production: + frequently: 0 + hourly: 48 + daily: 28 + monthly: 3 + yearly: 0 + autosnap: true + autoprune: true + + replaceable: + frequently: 0 + hourly: 24 + daily: 7 + monthly: 0 + yearly: 0 + autosnap: true + autoprune: true + + # Snapraid snapraid_install: false snapraid_runner: false diff --git a/ansible/roles/zfs/defaults/main.yml b/ansible/roles/zfs/defaults/main.yml index ab5fff4..5a63096 100644 --- a/ansible/roles/zfs/defaults/main.yml +++ b/ansible/roles/zfs/defaults/main.yml 
@@ -1,31 +1,6 @@
 # Cap ARC size to 50% RAM
 zfs_arc_size: "{{ (ansible_memtotal_mb * 1024 * 1024) * 0.5 }}"
-sanoid_datasets:
- tank:
- use_template: production
- recursive: true
- process_children_only: true
+sanoid_datasets: {}
- tank/downloads:
- use_template: replaceable
- recursive: true
-
-sanoid_templates:
- production:
- frequently: 0
- hourly: 48
- daily: 28
- monthly: 3
- yearly: 0
- autosnap: true
- autoprune: true
-
- replaceable:
- frequently: 0
- hourly: 24
- daily: 7
- monthly: 0
- yearly: 0
- autosnap: true
- autoprune: true
+sanoid_templates: {}
From b23b5e130e1243c653422961644112b993a1e8f2 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Mon, 9 May 2022 23:01:59 +0100
Subject: [PATCH 113/120] Keep a few frequent backups in case of screw ups
---
 ansible/host_vars/pve/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/host_vars/pve/main.yml b/ansible/host_vars/pve/main.yml
index c01c5bc..dbc0645 100644
--- a/ansible/host_vars/pve/main.yml
+++ b/ansible/host_vars/pve/main.yml
@@ -19,7 +19,7 @@ sanoid_datasets:
 sanoid_templates:
 production:
- frequently: 0
+ frequently: 2
 hourly: 48
 daily: 28
 monthly: 3
From 6a60e7284ec7c83d8477c29be2da29ae2a6b9cc4 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Wed, 18 May 2022 12:16:59 +0000
Subject: [PATCH 114/120] Update dependency matrixdotorg/synapse to v1.59.1
---
 ansible/roles/pve_docker/files/synapse/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
index 77da07b..723f8f1 100644
--- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
@@ -3,7 +3,7 @@ version: "2.3"
 services:
 synapse:
- image: matrixdotorg/synapse:v1.58.1
+ image: matrixdotorg/synapse:v1.59.1
 restart: unless-stopped
 environment:
 - SYNAPSE_CONFIG_PATH=/etc/homeserver.yaml
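Review bot: The new defaults `sanoid_datasets: {}` and `sanoid_templates: {}` are replaced wholesale, not merged, by any host that sets the same variable, since Ansible's default `hash_behaviour` is `replace`; a host that defines `sanoid_datasets` but omits `sanoid_templates` now gets datasets that reference templates the role no longer supplies. Nothing in the hunk records that contract, so a comment above the two keys would help, e.g. `# Set per host in host_vars; these defaults are replaced, not merged, so a host must define every template its datasets use.` Whether the role validates the template references elsewhere is outside this hunk.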
From 6116eed775d3f76842fc52bb1c835007d93ff1f3 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Thu, 19 May 2022 09:39:30 +0100
Subject: [PATCH 115/120] Use external DNS for monitoring
This avoids potential issues with host DNS jitters
---
 ansible/roles/uptime_kuma/files/docker-compose.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml
index f9f9c4a..919f6a0 100644
--- a/ansible/roles/uptime_kuma/files/docker-compose.yml
+++ b/ansible/roles/uptime_kuma/files/docker-compose.yml
@@ -13,6 +13,9 @@ services:
 - traefik
 volumes:
 - ./data:/app/data
+ dns:
+ - 1.1.1.1
+ - 8.8.8.8
 labels:
 - traefik.enable=true
 - traefik.http.routers.uptime-kuma.rule=Host(`status.theorangeone.net`)
From 284bed5e90a67c6ffa325546da1c1d9cb06ced70 Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sat, 21 May 2022 20:38:08 +0000
Subject: [PATCH 116/120] Update dependency wallabag/wallabag to v2.5.0
---
 ansible/roles/pve_docker/files/wallabag/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
index 5c377d9..838dfc3 100644
--- a/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/wallabag/docker-compose.yml
@@ -2,7 +2,7 @@ version: "2.3"
 services:
 wallabag:
- image: wallabag/wallabag:2.4.3
+ image: wallabag/wallabag:2.5.0
 restart: unless-stopped
 environment:
 - SYMFONY__ENV__SECRET={{ wallabag_secret }}
From 565e1a156cfa578963556584df12e625e9d69272 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 24 May 2022 20:22:18 +0100
Subject: [PATCH 117/120] Update nextcloud to 24.0.1
---
 ansible/roles/pve_docker/files/nextcloud/config.php | 2 +-
 ansible/roles/pve_docker/files/nextcloud/docker-compose.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
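Review bot: Pinning `dns:` to `1.1.1.1` and `8.8.8.8` routes every non-container lookup from the uptime-kuma service to public resolvers and bypasses whatever the host resolver provides (internal zones, split-horizon names, local filtering), so any monitor that targets a name only resolvable on the LAN will start failing as a result of this change rather than from DNS jitter. Docker's embedded DNS should still answer container names on the `traefik` network and forward everything else to these two servers, but that forwarding also means the monitored hostnames are now disclosed to two third parties in cleartext. If the goal is only to avoid flakiness in the host resolver, consider listing the LAN resolver first with one public resolver as fallback, and record the trade-off next to the key: `# Public resolvers: LAN-only names do not resolve from this container`.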
diff --git a/ansible/roles/pve_docker/files/nextcloud/config.php b/ansible/roles/pve_docker/files/nextcloud/config.php
index 5bd90a1..608805a 100644
--- a/ansible/roles/pve_docker/files/nextcloud/config.php
+++ b/ansible/roles/pve_docker/files/nextcloud/config.php
@@ -19,7 +19,7 @@ $CONFIG = array (
 0 => 'intersect.jakehoward.tech',
 ),
 'dbtype' => 'mysql',
- 'version' => '23.0.4.1',
+ 'version' => '24.0.1.1',
 'overwrite.cli.url' => 'https://intersect.jakehoward.tech',
 'dbname' => 'nextcloud',
 'dbhost' => 'mariadb',
diff --git a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
index 66627e4..d232b3f 100644
--- a/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/nextcloud/docker-compose.yml
@@ -2,7 +2,7 @@ version: "2.3"
 services:
 nextcloud:
- image: lscr.io/linuxserver/nextcloud:23.0.4
+ image: lscr.io/linuxserver/nextcloud:24.0.1
 environment:
 - PUID={{ docker_user.id }}
 - PGID={{ docker_user.id }}
From 0c1107924672783905869ba1e3ac288727307a88 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 25 May 2022 08:35:12 +0100
Subject: [PATCH 118/120] Update geerlingguy.docker to fix issue installing on Arch
https://github.com/geerlingguy/ansible-role-docker/issues/346
---
 ansible/galaxy-requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml
index 62767c6..d61c3c7 100644
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@@ -6,7 +6,7 @@ collections:
 roles:
 - src: geerlingguy.docker
- version: 4.2.2
+ version: 4.2.3
 - src: geerlingguy.ntp
 version: 2.3.1
 - src: realorangeone.reflector
From c159a157c3b23a6951a46451fb36dbd1dd60f485 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 25 May 2022 08:46:37 +0100
Subject: [PATCH 119/120] Update download location for qbittorrent
---
 ansible/roles/qbittorrent/tasks/qbittorrent.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ansible/roles/qbittorrent/tasks/qbittorrent.yml b/ansible/roles/qbittorrent/tasks/qbittorrent.yml
index 1c6fed0..3e557f7 100644
--- a/ansible/roles/qbittorrent/tasks/qbittorrent.yml
+++ b/ansible/roles/qbittorrent/tasks/qbittorrent.yml
@@ -31,9 +31,7 @@
 - {section: AutoRun, option: enabled, value: "false"}
 - {section: LegalNotice, option: Accepted, value: "true"}
 - {section: Preferences, option: Connection\UPnP, value: "false"}
- - {section: Preferences, option: Downloads\SavePath, value: /mnt/downloads/completed/}
- - {section: Preferences, option: Downloads\TempPath, value: /mnt/downloads/}
- - {section: Preferences, option: Downloads\TempPathEnabled, value: "true"}
+ - {section: Preferences, option: Downloads\SavePath, value: /mnt/media/temp/downloads}
 - {section: Preferences, option: WebUI\Address, value: "*"}
 - {section: Preferences, option: WebUI\ServerDomains, value: "*"}
 - {section: Preferences, option: WebUI\Port, value: "8080"}
From 0fd891f9880be30d8e8474d2b788a6ca4d2e799c Mon Sep 17 00:00:00 2001
From: Renovate
Date: Sun, 29 May 2022 05:48:38 +0000
Subject: [PATCH 120/120] Update dependency louislam/uptime-kuma to v1.16.1
---
 ansible/roles/uptime_kuma/files/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/uptime_kuma/files/docker-compose.yml b/ansible/roles/uptime_kuma/files/docker-compose.yml
index 919f6a0..6cd9882 100644
--- a/ansible/roles/uptime_kuma/files/docker-compose.yml
+++ b/ansible/roles/uptime_kuma/files/docker-compose.yml
@@ -2,7 +2,7 @@ version: "2.3"
 services:
 uptime-kuma:
- image: louislam/uptime-kuma:1.15.1-alpine
+ image: louislam/uptime-kuma:1.16.1-alpine
 restart: unless-stopped
 environment:
 - PUID={{ docker_user.id }}
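Review bot: Dropping the `Downloads\TempPath` and `Downloads\TempPathEnabled` items from this list does not remove them from an already-provisioned qBittorrent.conf; if these items feed an `ini_file`-style task (the task header is outside the hunk), a host configured before this change keeps `TempPathEnabled=true` with `TempPath=/mnt/downloads/`, so in-progress downloads still land in the old location and only finished ones move to `/mnt/media/temp/downloads`. Either keep an explicit `- {section: Preferences, option: Downloads\TempPathEnabled, value: "false"}` alongside the new `SavePath`, or remove the two stale keys with a `state: absent` task, so the rendered config on every host matches the intent of the commit. Documenting in a one-line comment that the temp directory is intentionally gone would stop the next reader from re-adding it.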