diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..63b4a69
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2023 lehmann-automation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
index e69de29..a9809ce 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,39 @@
+# de.lehmann.automation.ansible.main
+
+Ansible automation for proxmox server and tools
+
+## Requirements
+
+Some ansible roles are necessary. Run galaxy installer to get the latest role versions
+
+```bash
+ansible-galaxy install -f -r ./requriements.yml
+```
+
+To get access by ssh ssh config must be adjusted (vi ~/.ssh/config)
+
+```bash
+Host git.captica.de
+ Hostname srvweb01.captica.de
+ Port 1122
+ User tobiaslehmann
+ IdentityFile ~/.ssh/id_ed25519_ansible_container
+```
+
+
+Be sure the root ssh pub key is already installed. If not and password auth is allowed use "--ask-pass" on ansible-playbook!
+
+
+## Install server
+
+Run playbook to install the serves
+
+```bash
+ansible-playbook -v -i inventory/hosts.yml --user=root --ask-vault-pass --extra-vars '@secrets/vault.yml' playbooks/captica-webserver.yml
+```
+
+or with tags
+
+```bash
+ansible-playbook -v -i inventory/hosts.yml --tags "install,gitea,gist" --user=root --ask-vault-pass --extra-vars '@secrets/vault.yml' playbooks/captica-webserver.yml
+```
diff --git a/files/ssh/ansible.pub b/files/ssh/ansible.pub
new file mode 100644
index 0000000..75e1fb7
--- /dev/null
+++ b/files/ssh/ansible.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOjMLOUrXJbCofUUWAfrel9UOIwy1XhCgpY1hfzF7md root@leh01 for Ansible
\ No newline at end of file
diff --git a/files/ssh/id_ed25519_ansible.pub b/files/ssh/id_ed25519_ansible.pub
new file mode 100644
index 0000000..26dafb0
--- /dev/null
+++ b/files/ssh/id_ed25519_ansible.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOjMLOUrXJbCofUUWAfrel9UOIwy1XhCgpY1hfzF7md root@leh01 for Ansible
diff --git a/files/ssh/root.pub b/files/ssh/root.pub
new file mode 100644
index 0000000..1acfe81
--- /dev/null
+++ b/files/ssh/root.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpRyWEd77UUIzCd5myRADg2z8GE4nc/spxxq/JITBdm root@leh01 for tobi
\ No newline at end of file
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
new file mode 100644
index 0000000..75b280a
--- /dev/null
+++ b/inventory/hosts.yml
@@ -0,0 +1,10 @@
+all:
+ vars:
+ ansible_home: ~/ansible
+ ansible_become: yes
+ ansible_become_method: sudo
+ children:
+ webserver:
+ hosts:
+ git:
+ ansible_host: 192.168.180.20
diff --git a/playbooks/captica-webserver.yml b/playbooks/captica-webserver.yml
new file mode 100644
index 0000000..d21424d
--- /dev/null
+++ b/playbooks/captica-webserver.yml
@@ -0,0 +1,64 @@
+#
+#
+# Automated webserver installation with plesk for captica Webservers
+#
+# Project: playbooks
+# Author: Marc Böhm
+# License: MIT License (see LICENSE.md)
+#
+# Copyright (c) captica GmbH est. 2021
+#
+- hosts: "git"
+ vars:
+ hostname: git
+ tools_install_users:
+ - root
+ - ansible
+ ssh_pubkeys_root:
+ - "../files/ssh/root.pub"
+ ssh_pubkeys_ansible:
+ - "../files/ssh/id_ed25519_ansible.pub"
+ roles:
+ - linux-base-install
+ - zsh
+ - vim
+ - fzf
+ - linux-docker
+
+- hosts: "git"
+ tags:
+ - gitea
+ - install
+ vars:
+ service_name: gitea
+ service_directory: /opt/git/gitea
+ service_volume_dirs:
+ - appdata
+ - db
+ service_user_name: gitea
+ service_user_id: 1020
+ service_group_name: gitea
+ service_group_id: 1020
+ gitea_version: latest
+ tasks:
+ - name: "Install gitea application"
+ include_tasks: setup-docker-application.yml
+
+- hosts: "git"
+ tags:
+ - opengist
+ - install
+ vars:
+ service_name: opengist
+ service_directory: /opt/git/opengist
+ service_volume_dirs:
+ - appdata
+ - config
+ service_user_name: opengist
+ service_user_id: 1025
+ service_group_name: opengist
+ service_group_id: 1025
+ opengist_version: "lates"
+ tasks:
+ - name: "Install opengist application"
+ include_tasks: setup-docker-application.yml
\ No newline at end of file
diff --git a/playbooks/setup-docker-application.yml b/playbooks/setup-docker-application.yml
new file mode 100644
index 0000000..98a8a21
--- /dev/null
+++ b/playbooks/setup-docker-application.yml
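Review bot: `ansible_become: yes` under `all.vars` is a YAML 1.1 boolean alias; Ansible accepts it, but yamllint's truthy rule and YAML 1.2 parsers treat `yes` as a string, so write `ansible_become: true`. The same spelling appears in `become: yes` at the end of playbooks/setup-docker-application.yml in this commit and should be changed there too. Since the README runs the playbook with `--user=root`, the become settings here appear to be a no-op for that invocation; if non-root connections are intended later, it may be worth a comment saying so.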
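Review bot: `opengist_version: "lates"` in the third play is a typo for `latest`, and it goes unnoticed because the opengist template in this commit hardcodes `ghcr.io/thomiceli/opengist:latest` and never reads the variable. Both `gitea_version: latest` and this value resolve to floating tags, so each run pulls whatever the registry currently publishes and a deploy cannot be reproduced or rolled back deliberately; pin them as quoted strings (`gitea_version: "<pinned-version>"`, `opengist_version: "<pinned-version>"`) so a value like `1.20` is not read as a float, and have the opengist template consume `{{ opengist_version }}`. The header comment describes a plesk installation with an author and copyright holder that differ from the LICENSE added in this same commit and references `LICENSE.md` rather than `LICENSE`; worth reconciling so the provenance is clear.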
@@ -0,0 +1,49 @@
+- name: "Create application service group"
+ ansible.builtin.group:
+ name: "{{ service_group_name }}"
+ state: present
+ gid: "{{ service_group_id }}"
+
+- name: "Create service user"
+ user:
+ name: "{{ service_user_name }}"
+ password: "{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=16') | string | password_hash('sha512') }}"
+ uid: "{{ service_user_id }}"
+ update_password: on_create
+ shell: /bin/zsh
+ comment: Service Account
+ group: "{{ service_group_name }}"
+ groups: docker
+
+- name: "Create service directory"
+ ansible.builtin.file:
+ path: "{{ service_directory }}"
+ state: directory
+ mode: '0770'
+ owner: "{{ service_user_name }}"
+ group: "{{ service_group_name }}"
+
+- block:
+ - name: "Create volume directories"
+ ansible.builtin.file:
+ path: "{{ service_directory }}/data/{{ item }}"
+ state: directory
+ mode: '0770'
+ owner: "{{ service_user_name }}"
+ group: "{{ service_group_name }}"
+ loop: '{{ service_volume_dirs }}'
+
+ - name: Copy docker compose config to target
+ template:
+ src: "../templates/{{ service_name }}/docker-compose.yml.j2"
+ dest: "{{ service_directory }}/docker-compose.yml"
+ mode: '0644'
+
+ - name: Copy .env to target
+ tags: always
+ template:
+ src: "../templates/{{ service_name }}/.env.j2"
+ dest: "{{ service_directory }}/.env"
+ mode: '0644'
+ become: yes
+ become_user: "{{ service_user_name }}"
\ No newline at end of file
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..6e55b79
--- /dev/null
+++ b/requirements.yml
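Review bot: `Copy .env to target` writes the file with `mode: '0644'`, but the compose templates in this commit read `DB_PASSWORD`, `POSTGRES_PASSWORD` and `NEXTCLOUD_ADMIN_PASSWORD` from that `.env`, so the database and admin credentials end up readable by every local account on the host; use `mode: '0600'` (or `'0640'`, owner `{{ service_user_name }}`, group `{{ service_group_name }}`) for `.env`, and there is no reason for `docker-compose.yml` to be world-readable either. `Create service user` also adds the account to `groups: docker` and gives it `shell: /bin/zsh`: docker-group membership is effectively root on the host, so keep `shell: /usr/sbin/nologin` unless interactive logins are intended, and `password_lock: true` expresses "no password login" more directly than hashing a random value that is then discarded. No `.env.j2` is added under `templates/` in this commit, so this task will fail on a fresh checkout unless those files are intentionally untracked; a short comment stating where they come from would help. Finally, `user:` and `template:` are unqualified while the neighbouring tasks use `ansible.builtin.*`, and `become: yes` should be `become: true`.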
@@ -0,0 +1,47 @@
+# Role requirements
+roles:
+ - name: linux-base-install
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.linux-base-install.git
+ scm: git
+ version: main
+
+ - name: fzf
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.fzf.git
+ scm: git
+ version: main
+
+ - name: vim
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.vim.git
+ scm: git
+ version: main
+
+ - name: zsh
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.zsh.git
+ scm: git
+ version: main
+
+ - name: linux-docker
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.linux-docker.git
+ scm: git
+ version: main
+
+ - name: plesk
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.plesk.git
+ scm: git
+ version: main
+
+ - name: rclone
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.rclone.git
+ scm: git
+ version: main
+
+ - name: nextcloud-hpb
+ src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.nextcloud-talk-hpb.git
+ scm: git
+ version: main
+
+# Collections requirements
+collections:
+ - name: community.general
+ version: ">=8.0.0"
+ source: https://galaxy.ansible.com
\ No newline at end of file
diff --git a/secrets/vault.yml b/secrets/vault.yml
new file mode 100644
index 0000000..41c845b
--- /dev/null
+++ b/secrets/vault.yml
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31353763393864643362386461303165343234636237346162616533333437623839326634363831
+3431656264666639373932336136383262613563353631310a343233333362646332623265323630
+61383864353836396339393334626634323862626438623066323434396365656365303830633937
+6332303833356161380a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
diff --git a/templates/gitea/docker-compose.yml.j2 b/templates/gitea/docker-compose.yml.j2
new file mode 100644
index 0000000..9f32811
--- /dev/null
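Review bot: every role entry uses `version: main`, so `ansible-galaxy install -f` (the command the README gives) fetches whatever is at the head of that branch at run time, and any change or compromise on those branches flows straight into playbooks that run as root on the target; pin each role to a release tag or commit SHA and treat bumps as reviewed changes, and bound the collection as well (`version: ">=8.0.0,<9.0.0"`). The README in this commit runs `ansible-galaxy install -f -r ./requriements.yml`, which does not match this file's name `requirements.yml`. The `plesk`, `rclone` and `nextcloud-hpb` roles are not referenced by any play added here, so they look unused in this commit; if they are placeholders for later playbooks, a comment saying so would avoid pulling unneeded code.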
+++ b/templates/gitea/docker-compose.yml.j2
@@ -0,0 +1,44 @@
+version: '3.9'
+
+services:
+ app:
+ image: gitea/gitea:{{gitea_version}}
+ environment:
+ - USER_UID={{ service_user_id }}
+ - USER_GID={{ service_group_id }}
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=db:5432
+ - GITEA__database__NAME=${DB_NAME}
+ - GITEA__database__USER=${DB_USER}
+ - GITEA__database__PASSWD=${DB_PASSWORD}
+ - ROOT_URL=https://git.lehmannhaus.de/
+ - SSH_DOMAIN=git.lehmannhaus.de
+ restart: always
+ volumes:
+ - {{ service_directory }}/data/appdata:/data
+ - /etc/timezone:/etc/timezone:ro
+ - /etc/localtime:/etc/localtime:ro
+ ports:
+ - '3000:3000'
+ - '1122:22'
+ networks:
+ - default
+ db:
+ image: postgres:14
+ restart: always
+ environment:
+ - POSTGRES_USER=${DB_USER}
+ - POSTGRES_PASSWORD=${DB_PASSWORD}
+ - POSTGRES_DB=${DB_NAME}
+ networks:
+ - default
+ volumes:
+ - {{ service_directory }}/data/db:/var/lib/postgresql/data
+
+networks:
+ default:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.2.0.0/16
+ gateway: 172.2.0.1
\ No newline at end of file
diff --git a/templates/mattermost/docker-compose.yml.j2 b/templates/mattermost/docker-compose.yml.j2
new file mode 100644
index 0000000..abd6c64
--- /dev/null
+++ b/templates/mattermost/docker-compose.yml.j2
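Review bot: the `networks.default.ipam` block assigns `subnet: 172.2.0.0/16`, which is publicly routable address space (RFC 1918 private space is 172.16.0.0/12, i.e. 172.16 through 172.31), so Docker installs a route for a real Internet /16 onto the bridge and any host or container traffic to those addresses is black-holed; the mattermost (`172.1.0.0/16`), nextcloud (`172.3.0.0/16`) and opengist (`172.4.0.0/16`) templates in this commit have the same problem. Use distinct private ranges (for example `172.20.0.0/24` through `172.23.0.0/24`, each with a matching gateway) or drop the `ipam` block and let Docker allocate from its default address pool. `ports` also publishes `'3000:3000'` on all interfaces while the nextcloud template binds to `127.0.0.1:`; if a reverse proxy fronts gitea, `'127.0.0.1:3000:3000'` keeps the plain-HTTP listener off the network. `{{gitea_version}}` is fed from `gitea_version: latest` in the playbook, so the app image is not pinned; `postgres:14` is, and the two should be treated consistently.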
@@ -0,0 +1,59 @@
+version: "3.9"
+
+services:
+ db:
+ image: postgres:${POSTGRES_IMAGE_TAG}
+ restart: ${RESTART_POLICY}
+ tmpfs:
+ - /tmp
+ - /var/run/postgresql
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - default
+ volumes:
+ - {{ service_directory }}/data/db:/var/lib/postgresql/data
+ environment:
+ # timezone inside container
+ - TZ
+ # necessary Postgres options/variables
+ - POSTGRES_USER
+ - POSTGRES_PASSWORD
+ - POSTGRES_DB
+
+ app:
+ depends_on:
+ - db
+ image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}
+ restart: ${RESTART_POLICY}
+ security_opt:
+ - no-new-privileges:true
+ tmpfs:
+ - /tmp
+ ports:
+ - ${APP_PORT}:8065
+ - ${CALLS_PORT}:8443/udp
+ networks:
+ - default
+ volumes:
+ - {{ service_directory }}/data/config:/mattermost/config
+ - {{ service_directory }}/data/appdata:/mattermost/data
+ - {{ service_directory }}/data/logs:/mattermost/logs
+ - {{ service_directory }}/data/plugins:/mattermost/plugins
+ - {{ service_directory }}/data/plugins_client:/mattermost/client/plugins
+ - {{ service_directory }}/data/bleve_indexes:/mattermost/bleve-indexes
+ environment:
+ # timezone inside container
+ - TZ
+ - MM_SQLSETTINGS_DRIVERNAME
+ - MM_SQLSETTINGS_DATASOURCE
+ # necessary for bleve
+ - MM_BLEVESETTINGS_INDEXDIR
+
+networks:
+ default:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.1.0.0/16
+ gateway: 172.1.0.1
\ No newline at end of file
diff --git a/templates/nextcloud/docker-compose.yml.j2 b/templates/nextcloud/docker-compose.yml.j2
new file mode 100644
index 0000000..12ecd2d
--- /dev/null
+++ b/templates/nextcloud/docker-compose.yml.j2
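Review bot: the `ports` entries `${APP_PORT}:8065` and `${CALLS_PORT}:8443/udp` are unquoted and have no default, so an unset variable silently renders `:8065`, and the resulting binding (most likely an arbitrary host port on all interfaces) would not be noticed until something else probes it; quote them and make the expansion fail loudly, `- "${APP_PORT:?APP_PORT not set}:8065"` and `- "${CALLS_PORT:?CALLS_PORT not set}:8443/udp"`. The `app` volumes mount `data/logs`, `data/plugins`, `data/plugins_client` and `data/bleve_indexes`, but no play in this commit sets `service_name: mattermost` or lists those names in `service_volume_dirs`, so if the template is used as-is Docker would create the missing bind-mount sources itself rather than the `0770` service-owned directories the playbook intends; add them to the play that eventually uses this template. The `security_opt: no-new-privileges:true` and `tmpfs` hardening here is a good pattern the gitea, nextcloud and opengist templates could adopt.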
@@ -0,0 +1,73 @@
+version: '3.9'
+
+services:
+ db:
+ image: postgres:14
+ restart: always
+ volumes:
+ - {{ service_directory }}/data/db:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_PASSWORD
+ - POSTGRES_DB
+ - POSTGRES_USER
+ networks:
+ - default
+
+ redis:
+ image: redis:alpine
+ restart: always
+ volumes:
+ - {{ service_directory }}/data/redis:/data
+ networks:
+ - default
+
+ app:
+ image: nextcloud:{{nextcloud_version}}
+ restart: always
+ ports:
+ - 127.0.0.1:10080:80
+ volumes:
+ - {{ service_directory }}/data/system:/var/www/html
+ - {{ service_directory }}/data/apps:/var/www/html/custom_apps
+ - {{ service_directory }}/data/config:/var/www/html/config
+ - {{ service_directory }}/data/appdata:/var/www/html/data
+ - {{ service_directory }}/data/themes:/var/www/html/themes
+ networks:
+ - default
+ environment:
+ - POSTGRES_HOST
+ - POSTGRES_PASSWORD
+ - POSTGRES_DB
+ - POSTGRES_USER
+ - NEXTCLOUD_ADMIN_PASSWORD
+ - NEXTCLOUD_ADMIN_USER
+ - REDIS_HOST
+ - APACHE_DISABLE_REWRITE_IP
+ - TRUSTED_PROXIES
+ - NEXTCLOUD_TRUSTED_DOMAINS
+ - OVERWRITEPROTOCOL
+ depends_on:
+ - db
+ - redis
+
+ cron:
+ image: nextcloud:{{nextcloud_version}}
+ restart: always
+ volumes:
+ - {{ service_directory }}/data/system:/var/www/html
+ - {{ service_directory }}/data/apps:/var/www/html/custom_apps
+ - {{ service_directory }}/data/config:/var/www/html/config
+ - {{ service_directory }}/data/appdata:/var/www/html/data
+ - {{ service_directory }}/data/themes:/var/www/html/themes
+ entrypoint: /cron.sh
+ depends_on:
+ - db
+ - redis
+
+networks:
+ default:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.3.0.0/16
+ gateway: 172.3.0.1
\ No newline at end of file
diff --git a/templates/opengist/docker-compose.yml.j2 b/templates/opengist/docker-compose.yml.j2
new file mode 100644
index 0000000..e033606
--- /dev/null
+++ b/templates/opengist/docker-compose.yml.j2
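Review bot: `{{nextcloud_version}}` is used for both the `app` and `cron` images but no play in this commit defines `nextcloud_version` (unlike `gitea_version` and `opengist_version`), so rendering this template through setup-docker-application.yml would fail on an undefined variable unless it is supplied from somewhere not shown; the play that adopts this template needs `nextcloud_version: "<pinned-version>"`, and the `redis` and `cron` volume sources (`data/redis`, `data/system`, `data/apps`, `data/themes`) must be listed in its `service_volume_dirs` for the same reason. `- 127.0.0.1:10080:80` under `app.ports` is an unquoted plain scalar; it parses as a string today, but the other templates quote their mappings, so `- "127.0.0.1:10080:80"` is safer and consistent. Binding the web port to loopback is the right call here and the gitea template should follow it.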
@@ -0,0 +1,25 @@
+version: '3.9'
+
+services:
+ opengist:
+ image: ghcr.io/thomiceli/opengist:latest
+ restart: unless-stopped
+ ports:
+ - "6157:6157" # HTTP port
+ - "1023:2222" # SSH port, can be removed if you don't use SSH
+ volumes:
+ - {{ service_directory }}/data/appdata:/opengist"
+ - {{ service_directory }}/data/config/config.yml:/config.yml"
+ networks:
+ - default
+ environment:
+ UID: {{ service_user_id }}
+ GID: {{ service_group_id }}
+
+networks:
+ default:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.4.0.0/16
+ gateway: 172.4.0.1
\ No newline at end of file
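Review bot: both `volumes` entries end in a stray `"` with no opening quote (`...:/opengist"` and `...:/config.yml"`), so after rendering the mount targets are literally `/opengist"` and `/config.yml"` inside the container and the application will not see its data or config; write them as `- "{{ service_directory }}/data/appdata:/opengist"` and `- "{{ service_directory }}/data/config/config.yml:/config.yml"`. The image is hardcoded to `ghcr.io/thomiceli/opengist:latest` even though the play passes `opengist_version`, so use `image: ghcr.io/thomiceli/opengist:{{ opengist_version }}` and give that variable a pinned value. The `config.yml` bind-mount source is a file that setup-docker-application.yml never creates (it only makes the `data/config` directory), so on first start Docker would create an empty directory at that path; either template the file in the play or mount the directory instead. `UID:` and `GID:` are emitted as bare integers in the `environment` mapping; quoting them (`UID: "{{ service_user_id }}"`) keeps the values as strings, which is how compose passes them to the container anyway.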