A4UDIA-14147 added git installation

LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2023 lehmann-automation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,39 @@
+# de.lehmann.automation.ansible.main
+
+Ansible automation for proxmox server and tools
+
+## Requirements
+
+Some ansible roles are necessary. Run galaxy installer to get the latest role versions
+
+```bash
+ansible-galaxy install -f -r ./requriements.yml
+```
+
+To get access by ssh ssh config must be adjusted (vi ~/.ssh/config)
+
+```bash
+Host git.captica.de
+  Hostname srvweb01.captica.de
+  Port 1122
+  User tobiaslehmann
+  IdentityFile ~/.ssh/id_ed25519_ansible_container
+```
+
+
+Be sure the root ssh pub key is already installed. If not and password auth is allowed use "--ask-pass" on ansible-playbook!
+
+
+## Install server
+
+Run playbook to install the serves
+
+```bash
+ansible-playbook -v -i inventory/hosts.yml --user=root --ask-vault-pass --extra-vars '@secrets/vault.yml' playbooks/captica-webserver.yml
+```
+
+or with tags 
+
+```bash
+ansible-playbook -v -i inventory/hosts.yml --tags "install,gitea,gist" --user=root --ask-vault-pass --extra-vars '@secrets/vault.yml' playbooks/captica-webserver.yml
+```

files/ssh/ansible.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOjMLOUrXJbCofUUWAfrel9UOIwy1XhCgpY1hfzF7md root@leh01 for Ansible

files/ssh/id_ed25519_ansible.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOjMLOUrXJbCofUUWAfrel9UOIwy1XhCgpY1hfzF7md root@leh01 for Ansible

files/ssh/root.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICpRyWEd77UUIzCd5myRADg2z8GE4nc/spxxq/JITBdm root@leh01 for tobi

inventory/hosts.yml

@@ -0,0 +1,10 @@
+all:
+  vars:
+    ansible_home: ~/ansible
+    ansible_become: yes
+    ansible_become_method: sudo
+  children:
+    webserver:
+      hosts:
+        git:
+          ansible_host: 192.168.180.20

playbooks/captica-webserver.yml

@@ -0,0 +1,64 @@
+#
+# 
+# Automated webserver installation with plesk for captica Webservers
+# 
+# Project: playbooks
+# Author: Marc Böhm <marc.boehm@captica.de>
+# License: MIT License (see LICENSE.md)
+# 
+# Copyright (c) captica GmbH est. 2021
+#
+- hosts: "git" 
+  vars:    
+    hostname: git
+    tools_install_users:
+      - root     
+      - ansible
+    ssh_pubkeys_root:
+      - "../files/ssh/root.pub"
+    ssh_pubkeys_ansible:
+      - "../files/ssh/id_ed25519_ansible.pub"
+  roles: 
+    - linux-base-install
+    - zsh
+    - vim
+    - fzf
+    - linux-docker       
+
+- hosts: "git"
+  tags: 
+    - gitea
+    - install
+  vars:
+    service_name: gitea
+    service_directory: /opt/git/gitea
+    service_volume_dirs:
+      - appdata
+      - db
+    service_user_name: gitea
+    service_user_id: 1020
+    service_group_name: gitea
+    service_group_id: 1020    
+    gitea_version: latest
+  tasks:
+    - name: "Install gitea application"
+      include_tasks: setup-docker-application.yml
+
+- hosts: "git"
+  tags: 
+    - opengist
+    - install
+  vars:
+    service_name: opengist
+    service_directory: /opt/git/opengist
+    service_volume_dirs:
+      - appdata      
+      - config
+    service_user_name: opengist
+    service_user_id: 1025
+    service_group_name: opengist
+    service_group_id: 1025
+    opengist_version: "lates"
+  tasks:
+    - name: "Install opengist application"
+      include_tasks: setup-docker-application.yml

playbooks/setup-docker-application.yml

@@ -0,0 +1,49 @@
+- name: "Create application service group"
+  ansible.builtin.group:
+    name: "{{ service_group_name }}"
+    state: present
+    gid: "{{ service_group_id }}"
+
+- name: "Create service user"
+  user:
+    name: "{{ service_user_name }}" 
+    password: "{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=16') | string | password_hash('sha512') }}"
+    uid: "{{ service_user_id }}"
+    update_password: on_create
+    shell: /bin/zsh
+    comment: Service Account
+    group: "{{ service_group_name }}"
+    groups: docker
+
+- name: "Create service directory"
+  ansible.builtin.file:
+    path: "{{ service_directory }}"
+    state: directory
+    mode: '0770'
+    owner: "{{ service_user_name }}"
+    group: "{{ service_group_name }}"
+
+- block:
+    - name: "Create volume directories"
+      ansible.builtin.file:
+        path: "{{ service_directory }}/data/{{ item }}"
+        state: directory
+        mode: '0770'
+        owner: "{{ service_user_name }}"
+        group: "{{ service_group_name }}"
+      loop: '{{ service_volume_dirs }}'
+
+    - name: Copy docker compose config to target
+      template:
+        src: "../templates/{{ service_name }}/docker-compose.yml.j2"
+        dest: "{{ service_directory }}/docker-compose.yml"
+        mode: '0644'
+    
+    - name: Copy .env to target
+      tags: always
+      template:
+        src: "../templates/{{ service_name }}/.env.j2"
+        dest: "{{ service_directory }}/.env"
+        mode: '0644'   
+  become: yes
+  become_user: "{{ service_user_name }}"    

requirements.yml

@@ -0,0 +1,47 @@
+# Role requirements
+roles:
+  - name: linux-base-install
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.linux-base-install.git
+    scm: git
+    version: main
+
+  - name: fzf
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.fzf.git
+    scm: git
+    version: main
+
+  - name: vim
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.vim.git
+    scm: git
+    version: main
+
+  - name: zsh
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.zsh.git
+    scm: git
+    version: main
+
+  - name: linux-docker
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.linux-docker.git
+    scm: git
+    version: main
+
+  - name: plesk
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.plesk.git
+    scm: git
+    version: main
+
+  - name: rclone
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.rclone.git
+    scm: git
+    version: main  
+  
+  - name: nextcloud-hpb
+    src: git@git.captica.de:captica-automation/de.captica.automation.ansible.role.nextcloud-talk-hpb.git
+    scm: git
+    version: main
+
+# Collections requirements
+collections:
+  - name: community.general
+    version: ">=8.0.0"
+    source: https://galaxy.ansible.com

secrets/vault.yml

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31353763393864643362386461303165343234636237346162616533333437623839326634363831
+3431656264666639373932336136383262613563353631310a343233333362646332623265323630
+61383864353836396339393334626634323862626438623066323434396365656365303830633937
+6332303833356161380a643632396266326533633366303461383565323534616239343530336631
+64626135646164396336323832666461346537613636363338383637616330643636636266666231
+39633365646166346336646433343037633864613433346361656336356531616262366464653163
+61303830303832623862366361666139356465333963313463666365646366653664366132363536
+63383438636666356562353265383339653733376163616237373062366131393233323333366463
+63386134376664613763346363313034326530643162303431653666643238323831623039316466
+35356532636162636432373434646538613033353332376330363437303931366639313630353736
+62386338376661633663646430323061653134313137373031363636386139616233333730323332
+66643865306635366361363738633833633239383831633033633132393333383937303364306239
+34616234633134613735326532323163316136663232623233626537356636393730663432353231
+37323639666333383436353865343861623038363065636639643930333466633165653864626431
+39333966333931666634313162303134303538313665303163326638656364653162393764336363
+64353164333433336361323365626435396165643061353337376263326434636263383135343462
+64623331323661663864386163323132306130666531303436383561333135353438616136336139
+33626332616332383163663962356639386637373961303963323335356237626262663133343630
+30633263653837626538366365353363333832623364653632626639626538353962653064333435
+36393937306231656136336462623363663932653965353066303066666634343239666437323435
+65636234306135376131616630623138326532343737636163646163653961383161

templates/gitea/docker-compose.yml.j2

@@ -0,0 +1,44 @@
+version: '3.9'
+
+services:
+  app:
+    image: gitea/gitea:{{gitea_version}}    
+    environment:
+      - USER_UID={{ service_user_id }}
+      - USER_GID={{ service_group_id }}
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=db:5432
+      - GITEA__database__NAME=${DB_NAME}
+      - GITEA__database__USER=${DB_USER}
+      - GITEA__database__PASSWD=${DB_PASSWORD}
+      - ROOT_URL=https://git.lehmannhaus.de/
+      - SSH_DOMAIN=git.lehmannhaus.de
+    restart: always
+    volumes:
+      - {{ service_directory }}/data/appdata:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - '3000:3000'
+      - '1122:22'      
+    networks:
+      - default
+  db:
+    image: postgres:14    
+    restart: always
+    environment:
+      - POSTGRES_USER=${DB_USER}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - POSTGRES_DB=${DB_NAME}
+    networks:
+      - default 
+    volumes:
+      - {{ service_directory }}/data/db:/var/lib/postgresql/data
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.2.0.0/16
+          gateway: 172.2.0.1

templates/mattermost/docker-compose.yml.j2

@@ -0,0 +1,59 @@
+version: "3.9"
+
+services:
+  db:
+    image: postgres:${POSTGRES_IMAGE_TAG}    
+    restart: ${RESTART_POLICY}
+    tmpfs:
+      - /tmp
+      - /var/run/postgresql
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - default
+    volumes:
+      - {{ service_directory }}/data/db:/var/lib/postgresql/data
+    environment:
+      # timezone inside container
+      - TZ
+      # necessary Postgres options/variables
+      - POSTGRES_USER
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
+
+  app:
+    depends_on:
+      - db 
+    image: mattermost/${MATTERMOST_IMAGE}:${MATTERMOST_IMAGE_TAG}    
+    restart: ${RESTART_POLICY}
+    security_opt:
+      - no-new-privileges:true
+    tmpfs:
+      - /tmp
+    ports:
+      - ${APP_PORT}:8065
+      - ${CALLS_PORT}:8443/udp
+    networks:
+      - default
+    volumes:
+      - {{ service_directory }}/data/config:/mattermost/config
+      - {{ service_directory }}/data/appdata:/mattermost/data
+      - {{ service_directory }}/data/logs:/mattermost/logs
+      - {{ service_directory }}/data/plugins:/mattermost/plugins
+      - {{ service_directory }}/data/plugins_client:/mattermost/client/plugins
+      - {{ service_directory }}/data/bleve_indexes:/mattermost/bleve-indexes
+    environment:
+      # timezone inside container
+      - TZ
+      - MM_SQLSETTINGS_DRIVERNAME
+      - MM_SQLSETTINGS_DATASOURCE
+      # necessary for bleve
+      - MM_BLEVESETTINGS_INDEXDIR
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.1.0.0/16
+          gateway: 172.1.0.1

templates/nextcloud/docker-compose.yml.j2

@@ -0,0 +1,73 @@
+version: '3.9'
+
+services:
+  db:
+    image: postgres:14    
+    restart: always
+    volumes:
+      - {{ service_directory }}/data/db:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
+      - POSTGRES_USER
+    networks:
+      - default
+
+  redis:
+    image: redis:alpine    
+    restart: always
+    volumes:
+      - {{ service_directory }}/data/redis:/data
+    networks:
+      - default 
+
+  app:
+    image: nextcloud:{{nextcloud_version}}    
+    restart: always
+    ports:
+      - 127.0.0.1:10080:80
+    volumes:
+      - {{ service_directory }}/data/system:/var/www/html
+      - {{ service_directory }}/data/apps:/var/www/html/custom_apps
+      - {{ service_directory }}/data/config:/var/www/html/config
+      - {{ service_directory }}/data/appdata:/var/www/html/data
+      - {{ service_directory }}/data/themes:/var/www/html/themes
+    networks:
+      - default
+    environment:
+      - POSTGRES_HOST      
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
+      - POSTGRES_USER
+      - NEXTCLOUD_ADMIN_PASSWORD
+      - NEXTCLOUD_ADMIN_USER
+      - REDIS_HOST
+      - APACHE_DISABLE_REWRITE_IP
+      - TRUSTED_PROXIES
+      - NEXTCLOUD_TRUSTED_DOMAINS
+      - OVERWRITEPROTOCOL  
+    depends_on:
+      - db
+      - redis
+
+  cron:
+    image: nextcloud:{{nextcloud_version}}    
+    restart: always
+    volumes:
+      - {{ service_directory }}/data/system:/var/www/html
+      - {{ service_directory }}/data/apps:/var/www/html/custom_apps
+      - {{ service_directory }}/data/config:/var/www/html/config
+      - {{ service_directory }}/data/appdata:/var/www/html/data
+      - {{ service_directory }}/data/themes:/var/www/html/themes
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.3.0.0/16
+          gateway: 172.3.0.1

templates/opengist/docker-compose.yml.j2

@@ -0,0 +1,25 @@
+version: '3.9'
+
+services:
+  opengist:
+    image: ghcr.io/thomiceli/opengist:latest
+    restart: unless-stopped
+    ports:
+      - "6157:6157" # HTTP port
+      - "1023:2222" # SSH port, can be removed if you don't use SSH
+    volumes:
+      - {{ service_directory }}/data/appdata:/opengist"
+      - {{ service_directory }}/data/config/config.yml:/config.yml"
+    networks:
+      - default
+    environment:
+      UID: {{ service_user_id }}
+      GID: {{ service_group_id }}
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.4.0.0/16
+          gateway: 172.4.0.1