saibotk-de/infrastructure
saibotk-de/infrastructure
1
0
Fork 0
Code Issues Pull requests Releases 42 Activity

Compare commits

base: saibotk-de:master
Branches Tags
saibotk-de:master
saibotk-de:renovate/owncast-image-0.x
saibotk-de:renovate/telegraf-1.x
saibotk-de:renovate/minecraft-telegraf-1.x
saibotk-de:renovate/penpot
saibotk-de:renovate/factorio-2.x
saibotk-de:renovate/fedora.linux_system_roles-1.x
saibotk-de:renovate/gitlab-17.x
saibotk-de:renovate/traefik-3.x
saibotk-de:renovate/traefik-2.x
saibotk-de:renovate/minecraft-image-2025.x
saibotk-de:renovate/community.general-10.x
saibotk-de:renovate/community.docker-4.x
saibotk-de:renovate/devsec.hardening-10.x
saibotk-de:renovate/minecraft-image-2024.x
saibotk-de:renovate/camo-2.x
saibotk-de:renovate/gitlab-runner_image-17.x
saibotk-de:renovate/matrix-elementweb-1.x
saibotk-de:renovate/matrix-synapse-1.x
saibotk-de:renovate/gitlab-telegraf-1.x
saibotk-de:renovate/ansible.posix-2.x
saibotk-de:renovate/mastodon-elasticsearch-7.x
saibotk-de:renovate/keycloak-26.x
saibotk-de:renovate/vikunja-database-17.x
saibotk-de:renovate/matrix-sliding_sync_database-17.x
saibotk-de:renovate/matrix-maubot_database-17.x
saibotk-de:renovate/matrix-database-17.x
saibotk-de:renovate/mastodon-database-17.x
saibotk-de:renovate/codimd-postgres-17.x
saibotk-de:renovate/vikunja-database-13.x
saibotk-de:renovate/matrix-sliding_sync_database-16.x
saibotk-de:renovate/matrix-maubot_database-13.x
saibotk-de:renovate/matrix-database-13.x
saibotk-de:renovate/mastodon-database-15.x
saibotk-de:renovate/keycloak-postgres-17.x
saibotk-de:renovate/matrix-sliding_sync-0.x
saibotk-de:v24.10
saibotk-de:v24.08
saibotk-de:v24.07
saibotk-de:v24.06
saibotk-de:v24.05
saibotk-de:v24.04
saibotk-de:v24.03
saibotk-de:v24.02
saibotk-de:v24.01
saibotk-de:v23.12
saibotk-de:v23.11
saibotk-de:v23.10
saibotk-de:v23.09
saibotk-de:v23.08
saibotk-de:v23.07
saibotk-de:v23.06
saibotk-de:v23.05
saibotk-de:v23.04
saibotk-de:v23.03
saibotk-de:v23.01
saibotk-de:v22.12
saibotk-de:v22.11
saibotk-de:v22.10
saibotk-de:v22.09
saibotk-de:v22.08
saibotk-de:v22.07
saibotk-de:v22.06
saibotk-de:v22.05
saibotk-de:v22.04
saibotk-de:v22.03
saibotk-de:v22.02
saibotk-de:v22.01
saibotk-de:v21.12
saibotk-de:v21.11
saibotk-de:v21.10
saibotk-de:v21.09
saibotk-de:v21.08
saibotk-de:v21.07
saibotk-de:v21.06
saibotk-de:v21.05
saibotk-de:v21.04
saibotk-de:v21.03
..
compare: saibotk-de:v21.06
Branches Tags
saibotk-de:master
saibotk-de:renovate/owncast-image-0.x
saibotk-de:renovate/telegraf-1.x
saibotk-de:renovate/minecraft-telegraf-1.x
saibotk-de:renovate/penpot
saibotk-de:renovate/factorio-2.x
saibotk-de:renovate/fedora.linux_system_roles-1.x
saibotk-de:renovate/gitlab-17.x
saibotk-de:renovate/traefik-3.x
saibotk-de:renovate/traefik-2.x
saibotk-de:renovate/minecraft-image-2025.x
saibotk-de:renovate/community.general-10.x
saibotk-de:renovate/community.docker-4.x
saibotk-de:renovate/devsec.hardening-10.x
saibotk-de:renovate/minecraft-image-2024.x
saibotk-de:renovate/camo-2.x
saibotk-de:renovate/gitlab-runner_image-17.x
saibotk-de:renovate/matrix-elementweb-1.x
saibotk-de:renovate/matrix-synapse-1.x
saibotk-de:renovate/gitlab-telegraf-1.x
saibotk-de:renovate/ansible.posix-2.x
saibotk-de:renovate/mastodon-elasticsearch-7.x
saibotk-de:renovate/keycloak-26.x
saibotk-de:renovate/vikunja-database-17.x
saibotk-de:renovate/matrix-sliding_sync_database-17.x
saibotk-de:renovate/matrix-maubot_database-17.x
saibotk-de:renovate/matrix-database-17.x
saibotk-de:renovate/mastodon-database-17.x
saibotk-de:renovate/codimd-postgres-17.x
saibotk-de:renovate/vikunja-database-13.x
saibotk-de:renovate/matrix-sliding_sync_database-16.x
saibotk-de:renovate/matrix-maubot_database-13.x
saibotk-de:renovate/matrix-database-13.x
saibotk-de:renovate/mastodon-database-15.x
saibotk-de:renovate/keycloak-postgres-17.x
saibotk-de:renovate/matrix-sliding_sync-0.x
saibotk-de:v24.10
saibotk-de:v24.08
saibotk-de:v24.07
saibotk-de:v24.06
saibotk-de:v24.05
saibotk-de:v24.04
saibotk-de:v24.03
saibotk-de:v24.02
saibotk-de:v24.01
saibotk-de:v23.12
saibotk-de:v23.11
saibotk-de:v23.10
saibotk-de:v23.09
saibotk-de:v23.08
saibotk-de:v23.07
saibotk-de:v23.06
saibotk-de:v23.05
saibotk-de:v23.04
saibotk-de:v23.03
saibotk-de:v23.01
saibotk-de:v22.12
saibotk-de:v22.11
saibotk-de:v22.10
saibotk-de:v22.09
saibotk-de:v22.08
saibotk-de:v22.07
saibotk-de:v22.06
saibotk-de:v22.05
saibotk-de:v22.04
saibotk-de:v22.03
saibotk-de:v22.02
saibotk-de:v22.01
saibotk-de:v21.12
saibotk-de:v21.11
saibotk-de:v21.10
saibotk-de:v21.09
saibotk-de:v21.08
saibotk-de:v21.07
saibotk-de:v21.06
saibotk-de:v21.05
saibotk-de:v21.04
saibotk-de:v21.03

No commits in common. "master" and "v21.06" have entirely different histories.
master ... v21.06

314 changed files with 9096 additions and 5417 deletions
Show stats Expand all files Collapse all files

2
.ansible/skeleton/default/defaults/main.yml.j2
View file

@ -3,7 +3,7 @@
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2022 Saibotk
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by

2
.ansible/skeleton/default/handlers/main.yml.j2
View file

@ -3,7 +3,7 @@
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2022 Saibotk
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by

36
.ansible/skeleton/default/meta/main.yml.j2
View file

@ -1,41 +1,13 @@
galaxy_info:
author: saibotk
description: "Setup {{ role_name }}."
description: Setup {{ role_name }}.
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
min_ansible_version: 2.9
platforms:
- name: EL
- name: CentOS
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
- 7
galaxy_tags: []

2
.ansible/skeleton/default/tasks/main.yml.j2
View file

@ -3,7 +3,7 @@
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2022 Saibotk
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by

3
.editorconfig
View file

@ -9,9 +9,6 @@ indent_style = space
indent_size = 4
trim_trailing_whitespace = true
[Makefile]
indent_style = tab
[*.md]
insert_final_newline = false
trim_trailing_whitespace = false

12
.gitlab-ci.yml
View file

@ -4,10 +4,6 @@ include:
image: registry.git.saibotk.de/saibotk.de/infrastructure-ci-container:latest
variables:
ANSIBLE_FORCE_COLOR: 'true'
PY_COLORS: '1'
stages:
- lint
- test
@ -15,18 +11,12 @@ stages:
ansible-lint:
stage: lint
variables:
ANSIBLE_CONFIG: "$CI_PROJECT_DIR/ansible.lint.cfg"
script:
- ansible-galaxy install --timeout=120 -f -r requirements.yml
- ansible-lint --version
- ansible-lint --offline -f codeclimate roles/ playbooks/ > ansible-lint-report.json
- ansible-lint -f codeclimate *.yml > ansible-lint-report.json
artifacts:
paths:
- "ansible-lint-report.json"
reports:
codequality: ansible-lint-report.json
when: always
# Automated month-based releases
release-branch:

8
.renovaterc.json
View file

@ -5,13 +5,13 @@
"docker:enableMajor",
":prHourlyLimitNone"
],
"prConcurrentLimit": 0,
"prConcurrentLimit": 10,
"semanticCommits": "disabled",
"commitMessagePrefix": "automation:",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{#if isMajor}}version {{{newMajor}}}{{else}}{{#if isSingleVersion}}version {{{toVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",
"regexManagers": [
{
{
"fileMatch": ["defaults/main.yml$"],
"matchStrings": [
"# renovate: depName=(?<lookupName>.*?)( versioning=(?<versioning>.*?))?\\n(?<roleName>\\S+?)(_(?<softwareName>\\S+?))?_version: \"?(?<currentValue>[^\"]*?)\"?\\s"
@ -34,10 +34,6 @@
"camo"
],
"extractVersion": "^v(?<version>.*)$"
},
{
"matchPackagePatterns": ["penpot"],
"groupName": "penpot"
}
]
}

16
Makefile
View file

@ -1,16 +0,0 @@
SHELL := /bin/bash
.POSIX:
.PHONY: help lint install
help: ## Show this help
@egrep -h '\s##\s' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
lint: ## Lint ansible files with ansible-lint
ANSIBLE_CONFIG=ansible.lint.cfg ansible-lint --offline roles/ playbooks/
install: ## Install or update requirements
ansible-galaxy install -f -r requirements.yml
role: ## Create a new role based on the default skeleton
@read -p "Enter role name: " name; \
ansible-galaxy role init --init-path ./roles $$name

5
README.md
View file

@ -24,11 +24,12 @@ When creating new roles, you can set up an initial folder structure with Ansible
For more information check out the Ansible documentation [here](https://docs.ansible.com/ansible/devel/galaxy/dev_guide.html#using-a-custom-role-skeleton)
```
make role
cd roles
ansible-galaxy init ROLE_NAME
```
## License
This repository is licensed under GPL-3 and many roles are derived from the awesome [infrastructure](https://git.shivering-isles.com/shivering-isles/infrastructure) repository published by [Sheogorath](https://shivering-isles.com).
Thank you, and so I hope this can be as useful to someone else as Sheogorath's repository was to me.
Thank you, and so I hope this can be as useful to someone else as Sheogorath's repository was to me.

17
ansible.cfg
View file

@ -1,22 +1,15 @@
[defaults]
playbook_dir = ./playbooks
roles_path = ./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
inventory = ./inventory
retry_files_enabled = false
vault_password_file = .vault_pass
retry_files_enabled = False
nocows=True
use_persistent_connections = True
interpreter_python = auto_silent
[connection]
pipelining = True
[ssh_connection]
transfer_method = piped
scp_if_ssh = true
transfer_method = scp
[privilege_escalation]
become_ask_pass = False
become_ask_pass = false
[galaxy]
role_skeleton = ./.ansible/skeleton/default

5
ansible.lint.cfg
View file

@ -1,5 +0,0 @@
# Empty stub config file, so ansible-lint does not use the default config's vault_password_file.
# Otherwise ansible-lint always tries to get a vault password and fails.
[defaults]
roles_path = ./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
collections_path = ./collections:~/.ansible/collections:/usr/share/ansible/collections:/etc/ansible/collections

48
guides/SETUP_FEDORA_41.md
View file

@ -1,48 +0,0 @@
# Fedora 41 ISO install setup GUI
## Netcup stuff
- Setup Network mappings with hostnames / reverse addresses
- Assign IPv6 address from space
- Enable UEFI Boot
- Set VNC keymap to DE
## Anaconda Setup (GUI)
1. Select English US for installation
2. Change keyboard to de nodeadkeys
3. Choose Fedora Cloud Server and Guest Agents
4. Disk
- Choose Custom config
- Delete all existing paritions
- Choose Btrfs + encrypt
- Click to create automatically
- Done
- Enter disk encryption pw generated via pass
5. Network
- Set hostname
- Edit Interface
- Set IPv6 to Manual
- Enter address as given by provider
- Set Gateway to fe80::1
- Set IPv4 to Automatic (DHCP) addresses only
- Configure DNS Servers on IPv4 to
- 1.1.1.1
- 9.9.9.9
- Configure DNS Servers on IPv6 to
- 2606:4700:4700::1111
- 2620:fe::fe
6. Date/Time: Set to Berlin
- NTP Servers:
- Remove default pool
- Add time.cloudflare.com (only NTS ticked, not pool)
- Add sth1.nts.netnod.se (only NTS ticked, not pool)
7. User Account
- Leave root user disabled
- Add your own user, use temp PW and replace with pass generated when connected via SSH
## Ansible prep
Install python3-libdnf5
Workaround until Ansible version is released with this fix:
https://github.com/ansible/ansible/issues/84206

12
playbooks/caddy.yml
View file

@ -1,12 +0,0 @@
- name: Install Caddy.
hosts: caddy
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true

28
playbooks/camo.yml Normal file
View file

@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: camo
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- camo
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

27
playbooks/codimd.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: codimd
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- codimd
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

5
playbooks/dnf.yml
View file

@ -1,5 +0,0 @@
- name: Setup dnf.
hosts: dnf
roles:
- role: dnf
become: true

26
playbooks/docker_ipv6_nat.yml Normal file
View file

@ -0,0 +1,26 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: docker_ipv6_nat
roles:
- docker
- docker_compose
- docker_cleanup
- docker_ipv6_nat
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

17
playbooks/elementweb.yml
View file

@ -1,17 +0,0 @@
- name: Install Element Web.
hosts: elementweb
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: elementweb
become: true

26
playbooks/factorio.yml Normal file
View file

@ -0,0 +1,26 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: factorio
roles:
- docker
- docker_compose
- docker_cleanup
- factorio
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

28
playbooks/gitlab.yml Normal file
View file

@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: gitlab
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- gitlab
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

27
playbooks/gitlab_runner.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: gitlab_runner
roles:
- docker
- docker_compose
- docker_cleanup
- gitlab_runner
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

17
playbooks/hedgedoc.yml
View file

@ -1,17 +0,0 @@
- name: Install Hedgedoc.
hosts: hedgedoc
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: hedgedoc
become: true

39
playbooks/keycloak.yml
View file

@ -1,17 +1,28 @@
- name: Install Keycloak.
---
hosts: keycloak
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: keycloak
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: keycloak
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- keycloak
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

16
playbooks/luks_ssh.yml
View file

@ -1,4 +1,5 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
@ -15,14 +16,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure LUKS SSH setup
hosts: luks_ssh
tasks:
- name: Install haveged
ansible.builtin.include_role:
name: haveged
when: ansible_kernel is version('5.4', '<')
- name: Install LUKS SSH
ansible.builtin.include_role:
name: luks_ssh
- hosts: luks_ssh
roles:
- haveged
- luks_ssh

24
playbooks/lvm_self_backup.yml Normal file
View file

@ -0,0 +1,24 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: lvm_self_backup
roles:
- docker
- lvm_self_backup
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

54
playbooks/mailcow.yml
View file

@ -1,4 +1,5 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
@ -15,58 +16,19 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & prepare Mailcow setup & backup cronjob
hosts: mailcow
- hosts: mailcow
roles:
- docker
- docker_compose
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages
tasks:
- name: Install backup crontab
ansible.builtin.cron:
cron:
name: "Backup mailcow daily"
minute: "5"
hour: "3"
# yamllint disable-line rule:line-length
job: "MAILCOW_BACKUP_LOCATION=/srv/mailcow-backups /srv/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 2 2>&1 | /usr/bin/logger -t mailcow_data_backup"
become: true
- name: Install git
ansible.builtin.package:
name: "git"
state: "present"
become: true
- name: Clone mailcow # noqa latest[git]
ansible.builtin.git:
repo: "https://github.com/mailcow/mailcow-dockerized"
update: false
dest: "/srv/mailcow-dockerized"
become: true
- name: Create backup directory
ansible.builtin.file:
path: "/srv/mailcow-backups"
owner: "root"
group: "root"
state: directory
mode: "0755"
become: true
- name: Open ports
ansible.posix.firewalld:
state: enabled
permanent: true
immediate: true
zone: public
port: "{{ item }}"
loop:
- "25/tcp"
- "465/tcp"
- "587/tcp"
- "143/tcp"
- "993/tcp"
- "110/tcp"
- "995/tcp"
- "4190/tcp"
- "80/tcp"
- "443/tcp"
become: true
# Manual steps:
# - Open ports / disable postfix

39
playbooks/mastodon.yml
View file

@ -1,17 +1,28 @@
- name: Install Mastodon.
---
hosts: mastodon
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: mastodon
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: mastodon
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- mastodon
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

27
playbooks/matrix.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: matrix
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- matrix
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

27
playbooks/minecraft.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: minecraft
roles:
- docker
- docker_compose
- docker_cleanup
- minecraft
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

27
playbooks/minecraft_blockmap.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: minecraft
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- minecraft_blockmap
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

28
playbooks/minio.yml Normal file
View file

@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: minio
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- minio
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

49
playbooks/monitoring.yml
View file

@ -1,17 +1,38 @@
- name: Install Monitoring Suite with Grafana, Loki and Prometheus.
---
hosts: monitoring
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: monitoring
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: monitoring
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- monitoring
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages
- hosts: all
serial: 1
roles:
- docker
- docker_compose
- docker_cleanup
- telegraf
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

27
playbooks/owncast.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: owncast
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- owncast
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

27
playbooks/penpot.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: penpot
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- penpot
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

7
playbooks/podman.yml
View file

@ -1,7 +0,0 @@
- name: Install and configure podman.
hosts: podman
roles:
- role: podman
become: true

1
playbooks/roles
View file

@ -1 +0,0 @@
../roles

17
playbooks/saiblog.yml
View file

@ -1,17 +0,0 @@
- name: Install Saiblog.
hosts: saiblog
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: saiblog
become: true

51
playbooks/site.yml
View file

@ -1,16 +1,35 @@
- name: Install & configure Keycloak
import_playbook: keycloak.yml
- name: Install & configure monitoring
import_playbook: monitoring.yml
- name: Install & configure Mastodon
import_playbook: mastodon.yml
- name: Install & configure HedgeDoc
import_playbook: hedgedoc.yml
- name: Install & configure Synapse
import_playbook: synapse.yml
- name: Install & configure Element Web
import_playbook: elementweb.yml
- name: Install & configure Saiblog
import_playbook: saiblog.yml
- name: Install & configure Teamspeak
import_playbook: teamspeak.yml
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- import_playbook: docker_ipv6_nat.yml
- import_playbook: lvm_self_backup.yml
- import_playbook: gitlab.yml
- import_playbook: gitlab_runner.yml
- import_playbook: camo.yml
- import_playbook: keycloak.yml
- import_playbook: monitoring.yml
- import_playbook: minio.yml
- import_playbook: mastodon.yml
- import_playbook: codimd.yml
- import_playbook: matrix.yml
- import_playbook: static_websites.yml
- import_playbook: teamspeak.yml
- import_playbook: owncast.yml
- import_playbook: factorio.yml
- import_playbook: penpot.yml

7
playbooks/ssh.yml
View file

@ -1,4 +1,5 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
@ -16,10 +17,12 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Configure SSH
hosts: ssh
- hosts: ssh
collections:
- devsec.hardening
roles:
- role: ssh
- role: devsec.hardening.ssh_hardening
become: true
- role: epel
- role: fail2ban

29
playbooks/static_websites.yml Normal file
View file

@ -0,0 +1,29 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: static_websites
serial: 1
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- static_websites
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

17
playbooks/synapse.yml
View file

@ -1,17 +0,0 @@
- name: Install Synapse.
hosts: synapse
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: synapse
become: true

34
playbooks/teamspeak.yml
View file

@ -1,12 +1,28 @@
- name: Install teamspeak3 server.
---
hosts: teamspeak
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: teamspeak
roles:
- role: podman
become: true
tags:
- always
- podman
- role: teamspeak
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- teamspeak
- ts3audiobot
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

14
requirements.yml
View file

@ -1,16 +1,4 @@
---
collections:
- name: devsec.hardening
version: 10.1.0
- name: community.general
version: 10.0.0
- name: community.docker
version: 4.0.0
- name: ansible.posix
version: 1.6.2
- name: ansible.utils
version: 5.1.2
- name: containers.podman
version: 1.16.2
- name: fedora.linux_system_roles
version: 1.89.1
version: 7.7.0

18
roles/caddy/defaults/main.yml
View file

@ -1,18 +0,0 @@
caddy_install_dir: /srv/caddy
caddy_container_image: docker.io/library/caddy
# renovate: depName=docker.io/library/caddy
caddy_image_tag: "2.8.4-alpine"
caddy_selinux_level: "{{ omit }}"
caddy_memory_high: 0
caddy_memory_low: 128m
caddy_swap_max: -1
caddy_letsencrypt_email: no-reply@example.com
# possible values: ed25519|p256|p384|rsa2048|rsa4096
caddy_letsencrypt_key_type: rsa4096
caddy_letsencrypt_ca_server: https://acme-staging-v02.api.letsencrypt.org/directory
caddy_log_level: warn

20
roles/caddy/handlers/main.yml
View file

@ -1,20 +0,0 @@
- name: Apply new SELinux file context to filesystem.
ansible.builtin.command: "restorecon -irF {{ caddy_install_dir }}"
become: true
changed_when: true
listen: "caddy selinux context changed"
- name: Restart caddy service.
ansible.builtin.systemd:
state: restarted
name: "caddy"
daemon_reload: true
become: true
listen: "caddy service changed"
- name: Reload caddy service.
ansible.builtin.systemd:
state: reloaded
name: "caddy"
become: true
listen: "caddy config changed"

18
roles/caddy/meta/main.yml
View file

@ -1,18 +0,0 @@
galaxy_info:
author: histalek
description: Deploy Caddy with podman and systemd.
issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
license: GPL-3.0-only
min_ansible_version: "2.14"
platforms:
- name: Fedora
versions:
- "38"
- "39"
- "40"
standalone: true

109
roles/caddy/tasks/main.yml
View file

@ -1,109 +0,0 @@
- name: Update default SELinux contexts.
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
selevel: "{{ caddy_selinux_level }}"
state: present
loop:
- "{{ caddy_install_dir }}/config"
- "{{ caddy_install_dir }}/data"
- "{{ caddy_install_dir }}/srv"
become: true
notify: "caddy selinux context changed"
- name: Create caddy directories.
ansible.builtin.file:
path: "{{ caddy_install_dir }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
become: true
- name: Ensure caddy directories and configs exist.
block:
- name: Stat caddy config directory.
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
- name: Create caddy directories.
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
mode: "0700"
loop:
- path: "{{ caddy_install_dir }}/config"
- path: "{{ caddy_install_dir }}/data"
- path: "{{ caddy_install_dir }}/srv"
become: true
- name: Deploy caddy configs.
ansible.builtin.template:
src: Caddyfile.j2
dest: "{{ caddy_install_dir }}/config/Caddyfile"
mode: "0600"
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
become: true
notify: "caddy config changed"
- name: Ensure container image is present on the host.
containers.podman.podman_image:
name: "{{ caddy_container_image }}"
state: present
tag: "{{ caddy_image_tag }}"
become: true
- name: Allow http and https.
ansible.posix.firewalld:
service: "{{ item }}"
zone: public
permanent: true
immediate: true
state: enabled
loop:
- http
- https
become: true
# Ref: https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
- name: Set maximum udp send/receive buffer size to around 2,5MB for quic.
ansible.posix.sysctl:
name: "{{ item.name }}"
value: 7500000
sysctl_set: true
state: present
reload: true
loop:
- name: net.core.rmem_max
- name: net.core.wmem_max
become: true
- name: Create caddy container / network file.
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "0644"
loop:
- src: caddy.container.j2
dest: /etc/containers/systemd/caddy.container
- src: caddy.network.j2
dest: /etc/containers/systemd/caddy.network
become: true
notify: "caddy service changed"
- name: Flush handlers.
ansible.builtin.meta: flush_handlers
- name: Start and enable caddy service.
ansible.builtin.systemd:
state: started
enabled: true
name: "caddy"
become: true

21
roles/caddy/templates/Caddyfile.j2
View file

@ -1,21 +0,0 @@
{
admin
persist_config off
log {
output stdout
format console
level warn
}
email {{ caddy_letsencrypt_email }}
skip_install_trust
acme_ca {{ caddy_letsencrypt_ca_server }}
key_type {{ caddy_letsencrypt_key_type }}
servers {
# metrics
strict_sni_host
}
}
import /config/*.caddy

50
roles/caddy/templates/caddy.container.j2
View file

@ -1,50 +0,0 @@
{{ ansible_managed | comment }}
[Unit]
Description=Caddy reverse proxy
[Service]
Restart=always
RestartSec=5s
ExecReload=/usr/bin/podman exec \
-w /config \
caddy \
caddy reload
[Container]
Image={{ caddy_container_image }}:{{ caddy_image_tag }}
ContainerName=caddy
Exec=caddy run \
--config /config/Caddyfile \
--adapter caddyfile
AutoUpdate=registry
LogDriver=journald
NoNewPrivileges=true
ReadOnly=true
DropCapability=all
AddCapability=CAP_NET_BIND_SERVICE
UserNS=auto:size=65535
{% if caddy_selinux_level != omit %}
SecurityLabelLevel={{ caddy_selinux_level }}
{% endif %}
Network=caddy.network
PublishPort=80:80/tcp
PublishPort=443:443/tcp
PublishPort=443:443/udp
Volume={{ caddy_install_dir }}/config:/config:ro,U
Volume={{ caddy_install_dir }}/data:/data:U
Volume={{ caddy_install_dir }}/srv:/srv:U
PodmanArgs=--memory={{ caddy_memory_high }}
PodmanArgs=--memory-swap={{ caddy_swap_max }}
PodmanArgs=--memory-reservation={{ caddy_memory_low }}
[Install]
WantedBy=default.target

6
roles/caddy/templates/caddy.network.j2
View file

@ -1,6 +0,0 @@
{{ ansible_managed | comment }}
[Network]
NetworkName=caddy_reverseproxy
Driver=bridge
IPv6=true

35
roles/camo/README.md Normal file
View file

@ -0,0 +1,35 @@
Camo
=========
This will setup a [go-camo](https://github.com/cactus/go-camo) content proxy server with their official docker container and traefik.
Requirements
------------
You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
**This role assumes that you have setup traefik with an endpoint called `websecure`.**
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
Dependencies
------------
- docker
- docker-compose
- traefik
License
-------
GPL-3.0-only

42
roles/camo/defaults/main.yml Normal file
View file

@ -0,0 +1,42 @@
---
# Default variables for the camo role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose file is stored)
camo_install_location: "/srv/camo"
# The camo version that should be used
# renovate: depName=docker.io/cactus4docker/go-camo
camo_version: "2.2.1"
# The domain under which camo should be available using traefik
camo_domain: camo.example.com
# The certresolver that is used by traefik for camo's domain
camo_traefik_certresolver: "letsencrypt_http"
# The HMAC key to be used
camo_key: "{{ lookup('passwordstore', camo_domain + '/hmac-key create=true length=128') }}"
# The maximum allowed response size (in KB). (0 means unlimited)
camo_max_size: 0
# Docker image and version
camo_image: "docker.io/cactus4docker/go-camo"
camo_image_version: "v{{ camo_version }}"

17
roles/camo/meta/main.yml Normal file
View file

@ -0,0 +1,17 @@
galaxy_info:
author: saibotk
description: Installs a go-camo image proxy server.
license: GPL-3.0-only
min_ansible_version: 2.9
platforms:
- name: CentOS
versions:
- 7
galaxy_tags: []
dependencies:
- docker
- docker_compose
- traefik

54
roles/camo/tasks/main.yml Normal file
View file

@ -0,0 +1,54 @@
---
# Tasks file for the camo role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Create install directory
file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ camo_install_location }}"
become: true
tags:
- camo
- name: Deploy docker-compose.yml
template:
src: docker-compose.yml
dest: "{{ camo_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- docker
- camo
become: true
- name: Compose camo container
docker_compose:
state: present
project_src: "{{ camo_install_location }}"
pull: true
remove_orphans: true
tags:
- camo
become: true

62
roles/camo/templates/docker-compose.yml Normal file
View file

@ -0,0 +1,62 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
camo:
image: "{{ camo_image }}:{{ camo_image_version }}"
mem_limit: 64mb
memswap_limit: 128mb
security_opt:
- no-new-privileges
environment:
- "GOCAMO_HMAC={{ camo_key }}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.camo.rule=Host(`{{ camo_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.camo.entrypoints=websecure"
- "traefik.http.routers.camo.tls=true"
- "traefik.http.routers.camo.tls.certresolver={{ camo_traefik_certresolver }}"
- "traefik.http.routers.camo.middlewares=camo,compress"
- "traefik.http.middlewares.camo.headers.sslredirect=true"
- "traefik.http.middlewares.camo.headers.stsSeconds=63072000"
- "traefik.http.middlewares.camo.headers.referrerPolicy=no-referrer"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.camo.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
command:
- "--max-size={{ camo_max_size }}"
- "--server-name='go-camo v{{ camo_version }}'"
restart: always
{% if proxy_network is defined %}
networks:
{{ proxy_network }}:
{% endif %}
{% if proxy_network is defined %}
networks:
{{ proxy_network }}:
external: true
{% endif %}

35
roles/codimd/README.md Normal file
View file

@ -0,0 +1,35 @@
HedgeDoc
=========
This will setup a [HedgeDoc](https://github.com/hedgedoc/hedgedoc) server with their official docker container and traefik.
Requirements
------------
You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
**This role assumes that you have setup traefik with an endpoint called `websecure`.**
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
Dependencies
------------
- docker
- docker-compose
- traefik
License
-------
GPL-3.0-only

66
roles/codimd/defaults/main.yml Normal file
View file

@ -0,0 +1,66 @@
---
# Default variables for the codimd role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Database access variables: Please change/set the password!
codimd_database_user: codimd
codimd_database_password: codimdpass
codimd_database_name: codimd
# Adjust specific data locations, usually you would want to only adjust the "codimd_install_location" (the base path):
codimd_install_location: /srv/codimd
codimd_database_location: "{{ codimd_install_location }}/database"
codimd_uploads_location: "{{ codimd_install_location }}/uploads"
# Should a local uploads directory be created and mounted?
codimd_uploads_local: false
# Set the certresolver to your desired traefik certresolver.
# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
codimd_traefik_certresolver: letsencrypt_http
# The domain under which traefik should make CodiMD reachable
codimd_domain: pad.example.com
# This is where all application related environment variables are defined except the database connection.
# For all possible environment variables look here: https://github.com/codimd/server/blob/master/docs/configuration.md.
# Note: All variables below will automatically be prefixed with "CMD_", eg. "DOMAIN" will automatically become "CMD_DOMAIN".
codimd_options:
ALLOW_FREE_URL: false
DOMAIN: "{{ codimd_domain }}"
EMAIL: false
PROTOCOL_USESSL: true
URL_ADDPORT: false
USECDN: true
# The version of codimd and its postgres server
# (don't upgrade postgres without a backup etc, as it might have introduced breaking changes!)
# renovate: depName=quay.io/hedgedoc/hedgedoc
codimd_version: 1.8.2
# renovate: depName=docker.io/library/postgres
codimd_postgres_version: 11.12
# The image tags that should be used (templated using the versions provided above)
codimd_image_version: "{{ codimd_version }}"
codimd_postgres_image_version: "{{ codimd_postgres_version }}-alpine"
# SELinux level for codimd and the database, which are applied to their data folders and the containers.
# (By default these will be omitted and ignored)
codimd_selinux_level: "{{ omit }}"
codimd_database_selinux_level: "{{ omit }}"

16
roles/codimd/meta/main.yml Normal file
View file

@ -0,0 +1,16 @@
galaxy_info:
author: saibotk
description: Installs HedgeDoc as a docker container
license: GPL-3.0-only
min_ansible_version: 2.9
platforms:
- name: CentOS
versions:
- 7
galaxy_tags: []
dependencies:
- docker
- docker_compose
- traefik

90
roles/codimd/tasks/main.yml Normal file
View file

@ -0,0 +1,90 @@
---
# Tasks file for the codimd role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
sefcontext:
target: '{{ item.location }}(/.*)?'
setype: "container_file_t"
selevel: "{{ item.selevel | default(omit) }}"
state: present
when: item.when | default(true)
with_items:
- location: "{{ codimd_database_location }}"
selevel: "{{ codimd_database_selinux_level }}"
- location: "{{ codimd_uploads_location }}"
selevel: "{{ codimd_selinux_level }}"
when: "{{ codimd_uploads_local }}"
tags:
- codimd
become: true
- name: Create install directory
file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ codimd_install_location }}"
tags:
- codimd
become: true
- name: Create data directory
file: # noqa risky-file-permissions # Container adjusts permissions on its own
path: "{{ item.location }}"
state: directory
setype: "container_file_t"
selevel: "{{ item.selevel | default(omit) }}"
when: item.when | default(true)
with_items:
- location: "{{ codimd_database_location }}"
selevel: "{{ codimd_database_selinux_level }}"
- location: "{{ codimd_uploads_location }}"
selevel: "{{ codimd_selinux_level }}"
when: "{{ codimd_uploads_local }}"
tags:
- codimd
become: true
- name: Deploy docker-compose.yml
template:
src: docker-compose.yml
dest: "{{ codimd_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- docker
- codimd
become: true
- name: Compose codimd
docker_compose:
state: present
project_src: "{{ codimd_install_location }}"
pull: true
remove_orphans: true
tags:
- codimd
become: true

105
roles/codimd/templates/docker-compose.yml Normal file
View file

@ -0,0 +1,105 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
database:
image: docker.io/library/postgres:{{ codimd_postgres_image_version }}
mem_limit: 256mb
memswap_limit: 512mb
read_only: true
{% if codimd_database_selinux_level != omit %}
security_opt:
- label=level:{{ codimd_database_selinux_level }}
{% endif %}
tmpfs:
- /run/postgresql:size=512K
- /tmp:size=128K
stop_grace_period: 2m
stop_signal: SIGINT
environment:
- POSTGRES_USER={{ codimd_database_user }}
- POSTGRES_PASSWORD={{ codimd_database_password }}
- POSTGRES_DB={{ codimd_database_name }}
volumes:
- {{ codimd_database_location }}:/var/lib/postgresql/data
networks:
backend:
restart: always
codimd:
image: quay.io/hedgedoc/hedgedoc:{{ codimd_image_version }}
mem_limit: 256mb
memswap_limit: 512mb
restart: always
read_only: true
{% if codimd_selinux_level != omit %}
security_opt:
- label=level:{{ codimd_selinux_level }}
{% endif %}
tmpfs:
- /tmp:size=10M
{% if not codimd_uploads_local %}
- /hedgedoc/public/uploads:size=10M
{% endif %}
environment:
- "CMD_DB_URL=postgres://{{ codimd_database_user }}:{{ codimd_database_password }}@database:5432/{{ codimd_database_name }}"
{% for key, value in codimd_options.items() %}
- "CMD_{{ key }}={{ value }}"
{% endfor %}
labels:
- "traefik.http.routers.codimd.rule=Host(`{{ codimd_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.codimd.entrypoints=websecure"
- "traefik.http.routers.codimd.tls=true"
- "traefik.http.routers.codimd.tls.certresolver={{ codimd_traefik_certresolver }}"
- "traefik.http.routers.codimd.middlewares=codimd,compress"
- "traefik.http.routers.codimd.service=codimd"
- "traefik.http.services.codimd.loadbalancer.server.port=3000"
- "traefik.http.middlewares.codimd.headers.sslredirect=true"
- "traefik.http.middlewares.codimd.headers.stsSeconds=63072000"
- "traefik.http.middlewares.codimd.headers.browserXssFilter=true"
- "traefik.http.middlewares.codimd.headers.contentTypeNosniff=true"
- "traefik.enable=true"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.codimd.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
{% if codimd_uploads_local %}
volumes:
- {{ codimd_uploads_location }}:/codimd/public/uploads
{% endif %}
networks:
backend:
{% if proxy_network is defined %}
{{ proxy_network }}:
{% endif %}
networks:
backend:
{% if proxy_network is defined %}
{{ proxy_network }}:
external: true
{% endif %}

31
roles/dnf/defaults/main.yml
View file

@ -1,31 +0,0 @@
dnf_install_epel: false
# For more information refer to https://github.com/rpm-software-management/dnf/blob/master/doc/automatic.rst
# [commands]
dnf_install_updates: true
dnf_download_updates: true
# one of 'security', 'all',
dnf_upgrade_type: security
dnf_random_sleep: 300
dnf_network_online_timeout: 60
# [emitters]
dnf_emit_via: stdio
dnf_system_name: "{{ ansible_nodename }}"
# [command]
dnf_command_format: cat
dnf_stdin_format: "{body}"
# [command_email]
dnf_email_command_format: mail -Ssendwait -s {subject} -r {email_from} {email_to}
dnf_email_stdin_format: "{body}"
# [email]
dnf_email_from: root
dnf_email_to: root
dnf_email_host: localhost
# [base]
dnf_base_overrides: {}

27
roles/dnf/meta/main.yml
View file

@ -1,27 +0,0 @@
galaxy_info:
author: histalek
description: Configure automatic updates with dnf.
issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
license: GPL-3.0-only
min_ansible_version: "2.10"
platforms:
- name: Fedora
versions:
- "32"
- "33"
- "34"
- "35"
- "36"
- name: EL
versions:
- "9"
standalone: true
galaxy_tags: []
dependencies: []

35
roles/dnf/tasks/main.yml
View file

@ -1,35 +0,0 @@
- name: Install EPEL repository
ansible.builtin.dnf:
name: epel-release
state: present
when: dnf_install_epel
become: true
- name: Install dnf-plugin-tracer.
ansible.builtin.dnf:
name: dnf-plugin-tracer
state: present
when: ansible_facts['distribution'] == "Fedora"
become: true
- name: Install dnf-automatic
ansible.builtin.dnf:
name: dnf-automatic
state: present
become: true
- name: Deploy automatic.conf
ansible.builtin.template:
src: automatic.conf.j2
dest: /etc/dnf/automatic.conf
mode: '0700'
owner: 'root'
group: 'root'
become: true
- name: Start and enable systemd timer for dnf-automatic
ansible.builtin.systemd:
name: dnf-automatic.timer
state: started
enabled: true
become: true

42
roles/dnf/templates/automatic.conf.j2
View file

@ -1,42 +0,0 @@
{{ ansible_managed | comment }}
# Ref: https://github.com/rpm-software-management/dnf/blob/master/doc/automatic.rst
[commands]
apply_updates = {{ dnf_install_updates }}
download_updates = {{ dnf_download_updates }}
network_online_timeout = {{ dnf_network_online_timeout }}
random_sleep = {{ dnf_random_sleep }}
upgrade_type = {{ dnf_upgrade_type }}
[emitters]
emit_via = {{ dnf_emit_via }}
system_name = {{ dnf_system_name }}
[command]
command_format = {{ dnf_command_format }}
stdin_format = {{ dnf_stdin_format }}
[command_email]
command_format = {{ dnf_email_command_format }}
email_from = {{ dnf_email_from }}
email_to = {{ dnf_email_to }}
stdin_format = {{ dnf_email_stdin_format }}
[email]
email_from = {{ dnf_email_from }}
email_host = {{ dnf_email_host }}
email_to = {{ dnf_email_to }}
[base]
{% if dnf_base_overrides is mapping %}
{% for key, value in dnf_base_overrides.items() %}
{{ key }}={{ value }}
{% endfor %}
{% endif %}

23
roles/docker/README.md
View file

@ -1,17 +1,26 @@
# Docker
Docker
=========
This will install [Docker](https://www.docker.com/) from their official repository.
This will install [Docker](https://www.docker.com/) from their official repository and install the docker python library via pip.
## Role Variables
Requirements
------------
For CentOS: You will need to have the EPEL repository enabled (eg. by installing the `epel-release` package).
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
## Dependencies
Dependencies
------------
None
- epel (for CentOS)
## License
License
-------
GPL-3.0-only

20
roles/docker/defaults/main.yml
View file

@ -27,7 +27,7 @@ docker_apt_architecture_map:
"armv7l": "armhf"
# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition).
docker_edition: "ce"
docker_edition: 'ce'
# The docker package settings
docker_package: "docker-{{ docker_edition }}"
@ -42,11 +42,11 @@ docker_install_repository: true
# The repository settings
# The repository will be added as a repository to allow downloading/installing the package
docker_yum_repository_url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/docker-{{ docker_edition }}.repo
docker_yum_repository_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo
docker_yum_repository_destination: /etc/yum.repos.d/docker-{{ docker_edition }}.repo
# Where to fetch the docker repository GPG key from
docker_yum_repository_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
docker_yum_repository_gpg_key: https://download.docker.com/linux/centos/gpg
# The apt repository settings
docker_apt_key_id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
@ -56,4 +56,16 @@ docker_apt_repository: >
https://download.docker.com/linux/{{ ansible_distribution | lower }}
{{ ansible_distribution_release }} stable
docker_requests_python_package: "python-requests"
# Should the python package for docker be installed via pip?
docker_python_package_install: true
# Where should it be installed? (Note: This will be installed as a standalone without breaking system dependencies)
docker_python_package_path: /opt/ansible-dependencies
# The package states of needed packages to install for the python libraries
docker_python_pip_package_state: "present"
docker_python_virtualenv_package_state: "present"
# The pip package name of the docker library
docker_pip_package: "docker"
docker_pip_package_state: "present"
docker_pip_package_version: "{{ omit }}" # This will be omitted by default, so the latest version will be installed.

2
roles/docker/handlers/main.yml
View file

@ -19,7 +19,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Restart docker
ansible.builtin.service:
service:
name: docker
state: "restarted"
become: true

14
roles/docker/meta/main.yml
View file

@ -1,20 +1,16 @@
galaxy_info:
author: saibotk
description: "Installs Docker package from their official repository."
description: Installs docker package from their official repository and installs the docker python package via pip.
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
min_ansible_version: 2.9
platforms:
- name: Fedora
- name: CentOS
versions:
- all
- 7
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- 20.04
galaxy_tags: []

19
roles/docker/tasks/Debian.yml
View file

@ -19,7 +19,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure dependencies are installed.
ansible.builtin.apt:
apt:
name:
- apt-transport-https
- ca-certificates
@ -28,7 +28,7 @@
become: true
- name: Add Docker GPG key.
ansible.builtin.apt_key:
apt_key:
id: "{{ docker_apt_key_id }}"
url: "{{ docker_apt_key_url }}"
state: present
@ -37,9 +37,22 @@
become: true
- name: Add Docker repository.
ansible.builtin.apt_repository:
apt_repository:
repo: "{{ docker_apt_repository }}"
update_cache: true
when:
- docker_install_repository
become: true
- name: Ensure pip & virtualenv are installed.
package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python3-pip"
state: "{{ docker_python_pip_package_state }}"
- name: "python3-virtualenv"
state: "{{ docker_python_virtualenv_package_state }}"
when:
- docker_python_package_install
become: true

22
roles/docker/tasks/RedHat.yml
View file

@ -19,16 +19,15 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure old versions of Docker are not installed.
ansible.builtin.package:
package:
name:
- docker
- docker-common
- docker-engine
state: absent
become: true
- name: Add Docker GPG key.
ansible.builtin.rpm_key:
rpm_key:
key: "{{ docker_yum_repository_gpg_key }}"
state: present
when:
@ -36,12 +35,25 @@
become: true
- name: Add Docker repository.
ansible.builtin.get_url:
get_url:
url: "{{ docker_yum_repository_url }}"
dest: "{{ docker_yum_repository_destination }}"
owner: root
group: root
mode: "0644"
mode: '0644'
when:
- docker_install_repository
become: true
- name: Ensure pip & virtualenv are installed.
package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python-pip"
state: "{{ docker_python_pip_package_state }}"
- name: "python-virtualenv"
state: "{{ docker_python_virtualenv_package_state }}"
when:
- docker_python_package_install
become: true

22
roles/docker/tasks/main.yml
View file

@ -18,8 +18,8 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}" # noqa name[template]
ansible.builtin.include_tasks: "{{ distro_file }}"
- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
include_tasks: "{{ distro_file }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
@ -28,24 +28,28 @@
loop_var: distro_file
- name: Install Docker.
ansible.builtin.package:
package:
name: "{{ docker_package }}"
state: "{{ docker_package_state }}"
notify: Restart docker
become: true
- name: Ensure Docker is started and enabled at boot.
ansible.builtin.service:
service:
name: docker
state: "{{ docker_service_state }}"
enabled: "{{ docker_service_enabled | bool }}"
become: true
- name: Ensure handlers are notified now to avoid firewall conflicts.
ansible.builtin.meta: flush_handlers
meta: flush_handlers
- name: Install required python requests library
ansible.builtin.package:
name: "{{ docker_requests_python_package }}"
state: present
- name: Install docker python package.
pip:
name: "{{ docker_pip_package }}"
state: "{{ docker_pip_package_state }}"
extra_args: "--target {{ docker_python_package_path }}"
version: "{{ docker_pip_package_version }}"
become: true
changed_when: false
when: docker_python_package_install

24
roles/docker_cleanup/README.md Normal file
View file

@ -0,0 +1,24 @@
docker_cleanup
=========
This will prune unused docker images older than 3 days, to keep the system clean.
Requirements
------------
You will need to have docker installed with its python package to use this role.
Role Variables
--------------
None
Dependencies
------------
- docker
License
-------
GPL-3.0-only

16
roles/docker_cleanup/meta/main.yml Normal file
View file

@ -0,0 +1,16 @@
galaxy_info:
author: Christoph Kern
description: Cleans up the exsting docker install
license: GPL-3.0-only
min_ansible_version: 2.4
platforms:
- name: CentOS
versions:
- 7
galaxy_tags: []
dependencies:
- docker

21
roles/sys_upgrade/tasks/Fedora.yml → roles/docker_cleanup/tasks/main.yml
View file

@ -1,8 +1,7 @@
---
# tasks file for sys-upgrade
# Shivering-Isles Infrastructure
# Ansible instructions to deploy the infrastructure for the Shivering-Isles
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
@ -16,15 +15,11 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
- name: Upgrade all packages
ansible.builtin.dnf:
name: "*"
state: latest # noqa package-latest
update_cache: true
tags:
- dnf
- download
- packages
- name: Prune docker images older than 3 days
docker_prune:
images: true
images_filters:
dangling: false
until: 72h
become: true

27
roles/docker_compose/README.md Normal file
View file

@ -0,0 +1,27 @@
docker_compose
=========
This will install the [docker-compose](https://docs.docker.com/compose/) python library via pip and by default choose another install location,
to prevent breaking system-wide pip packages.
Requirements
------------
You will need to have the EPEL repository enabled (eg. by installing the `epel-release` package), if you want to install `docker-compose` via yum.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- epel (optional/situational)
License
-------
GPL-3.0-only

42
roles/docker_compose/defaults/main.yml Normal file
View file

@ -0,0 +1,42 @@
---
# Default variables for the docker_compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Control if the docker-compose package should be removed (default)
docker_compose_package: "docker-compose"
docker_compose_package_state: "absent"
# Should a docker-compose wrapper script be deployed?
# This will ensure, that you can still use the `docker-compose` command as usual.
docker_compose_install_wrapper: true
docker_compose_wrapper_path: /usr/local/bin/docker-compose
# Should docker-compose be installed via pip to another target?
# This is used to prevent docker-compose from corrupting other system-wide installed pip packages and thus
# the package will be installed standalone in another directory as defined below.
docker_compose_python_package_install: true
docker_compose_python_package_path: /opt/ansible-dependencies
# The package states of needed packages to install for the python libraries
docker_compose_python_pip_package_state: "present"
docker_compose_python_virtualenv_package_state: "present"
# The pip package name of for `docker-compose`
docker_compose_pip_package: "docker-compose"
docker_compose_pip_package_state: "present"
docker_compose_pip_package_version: "1.24.1"

17
roles/docker_compose/meta/main.yml Normal file
View file

@ -0,0 +1,17 @@
galaxy_info:
author: saibotk
description: Installs the docker-compose pip package.
license: GPL-3.0-only
min_ansible_version: 2.9
platforms:
- name: CentOS
versions:
- 7
- name: Ubuntu
versions:
- 20.04
galaxy_tags: []
dependencies: []

32
roles/docker_compose/tasks/Debian.yml Normal file
View file

@ -0,0 +1,32 @@
---
# Tasks file for the docker_compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure pip & virtualenv are installed.
package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python3-pip"
state: "{{ docker_compose_python_pip_package_state }}"
- name: "python3-virtualenv"
state: "{{ docker_compose_python_virtualenv_package_state }}"
when:
- docker_compose_python_package_install
become: true

32
roles/docker_compose/tasks/RedHat.yml Normal file
View file

@ -0,0 +1,32 @@
---
# Tasks file for the docker_compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure pip & virtualenv are installed.
package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python-pip"
state: "{{ docker_compose_python_pip_package_state }}"
- name: "python-virtualenv"
state: "{{ docker_compose_python_virtualenv_package_state }}"
when:
- docker_compose_python_package_install
become: true

63
roles/docker_compose/tasks/main.yml Normal file
View file

@ -0,0 +1,63 @@
---
# Tasks file for the docker-compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure package install state
package:
name: "{{ docker_compose_package }}"
state: "{{ docker_compose_package_state }}"
become: true
- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
include_tasks: "{{ distro_file }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
loop_control:
loop_var: distro_file
- name: Install docker-compose python package.
pip:
name: "{{ docker_compose_pip_package }}"
state: "{{ docker_compose_pip_package_state }}"
virtualenv: "{{ docker_compose_python_package_path }}"
version: "{{ docker_compose_pip_package_version | default(omit) }}"
become: true
changed_when: false
when: docker_compose_python_package_install
- name: Deploy docker-compose wrapper
template:
src: bin/docker-compose.j2
dest: "{{ docker_compose_wrapper_path }}"
owner: 'root'
group: 'root'
mode: '0755'
become: true
when:
- docker_compose_install_wrapper
- name: Create symlink in /usr/bin for wrapper
file:
src: "{{ docker_compose_wrapper_path }}"
dest: "/usr/bin/docker-compose"
state: link
become: true
when:
- docker_compose_install_wrapper

12
playbooks/sys_upgrade.yml → roles/docker_compose/templates/bin/docker-compose.j2
View file

@ -1,7 +1,8 @@
---
#!/usr/bin/env bash
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2022 Saibotk
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -15,7 +16,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install latest updates to all packages on hosts
hosts: all
roles:
- sys_upgrade
set -eo pipefail
exec {{ docker_compose_python_package_path }}/bin/docker-compose "$@"

31
roles/docker_ipv6_nat/README.md Normal file
View file

@ -0,0 +1,31 @@
docker_ipv6_nat
===============
This will install the [docker-ipv6nat](https://github.com/robbertkl/docker-ipv6nat) container to manage IPv6 with ease on a single IP.
The container will automatically create ip6table forwarding rules on demand. To use the functionality, make sure that each container, that exposes a port
also has an `ipv6_enabled: true` user-defined network attached to it, with a ULA IPv6 for the tool to forward to.
**Note: This will enable the kernel module `ipv6nat` if not enabled!**
Requirements
------------
You will need to have docker, docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only

26
roles/docker_ipv6_nat/defaults/main.yml Normal file
View file

@ -0,0 +1,26 @@
---
# Default variables for the docker_ipv6_nat role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose.yml file will be deployed)
docker_ipv6_nat_install_location: /srv/docker-ipv6-nat
# The docker image and version/tag to use
docker_ipv6_nat_baseimage: docker.io/robbertkl/ipv6nat
# renovate: depName=docker.io/robbertkl/ipv6nat
docker_ipv6_nat_version: 0.4.3

16
roles/docker_ipv6_nat/meta/main.yml Normal file
View file

@ -0,0 +1,16 @@
galaxy_info:
author: saibotk
description: Deploys a robbertkl/ipv6nat container.
license: GPL-3.0-only
min_ansible_version: 2.9
platforms:
- name: CentOS
versions:
- 7
galaxy_tags: []
dependencies:
- docker
- docker_compose

55
roles/docker_ipv6_nat/tasks/main.yml Normal file
View file

@ -0,0 +1,55 @@
---
# Tasks file for the docker_ipv6_nat role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Create install directory
file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ docker_ipv6_nat_install_location }}"
tags:
- docker-ipv6-nat
become: true
- name: Deploy docker-compose.yml
template:
src: docker-compose.yml
dest: "{{ docker_ipv6_nat_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- docker
- docker-ipv6-nat
become: true
- name: Compose docker-ipv6-nat
docker_compose:
state: present
project_src: "{{ docker_ipv6_nat_install_location }}"
pull: true
remove_orphans: true
tags:
- docker
- docker-ipv6-nat
become: true

35
roles/docker_ipv6_nat/templates/docker-compose.yml Normal file
View file

@ -0,0 +1,35 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
ipv6nat:
image: {{ docker_ipv6_nat_baseimage }}:{{ docker_ipv6_nat_version }}
security_opt:
- label:disable
restart: always
network_mode: "host"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "/lib/modules:/lib/modules:ro"
cap_drop:
- ALL
cap_add:
- NET_ADMIN
- NET_RAW
- SYS_MODULE

38
roles/elementweb/defaults/main.yml
View file

@ -1,38 +0,0 @@
elementweb_install_dir: "/opt/elementweb"
elementweb_domain: element.example.com
elementweb_containerimage: docker.io/vectorim/element-web
# renovate: depName=docker.io/vectorim/element-web
elementweb_image_tag: "v1.11.90"
elementweb_selinux_level: "{{ omit }}"
elementweb_memory_low: 32m
elementweb_memory_high: 0
elementweb_swap_max: -1
# The homeserver URL and display name
elementweb_base_url: "https://matrix.example.com"
elementweb_servername: "example.com"
# Controls whether Element shows the presence feature for all (empty list) or specific servers (key = value list with the key being the server url)
elementweb_enable_presence_by_hs_url: []
# Should users only be allowed to use this instance with the given matrix server?
elementweb_disable_custom_urls: true
# Should Element-Web disable guests? (without sign-in)
elementweb_disable_guests: true
# Should Element-Web disable 3PID login? (Login with Email etc)
elementweb_disable_3pid_login: false
# Integration Server URLs to use (see https://github.com/vector-im/element-web/blob/develop/docs/config.md)
elementweb_integrations_ui_url: "https://scalar.vector.im/"
elementweb_integrations_rest_url: "https://scalar.vector.im/api"
elementweb_integrations_widgets_urls: ["https://scalar.vector.im/api"]
elementweb_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
# Element Web public room directory server(s)
elementweb_roomdir_servers: ["matrix.org"]

14
roles/elementweb/handlers/main.yml
View file

@ -1,14 +0,0 @@
- name: Apply new SELinux file context to filesystem.
ansible.builtin.command: "restorecon -irF {{ elementweb_install_dir }}"
become: true
listen: "elementweb selinux context changed"
- name: Restart elementweb service.
ansible.builtin.systemd:
state: restarted
name: elementweb.service
daemon_reload: true
become: true
listen:
- "elementweb service changed"
- "elementweb selinux context changed"

20
roles/elementweb/meta/main.yml
View file

@ -1,20 +0,0 @@
galaxy_info:
author: saibotk
description: Deploy element web with podman and systemd.
issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
license: GPL-3.0-only
min_ansible_version: "2.10"
platforms:
- name: Fedora
versions:
- "41"
standalone: true
galaxy_tags: []
dependencies: []

80
roles/elementweb/tasks/main.yml
View file

@ -1,80 +0,0 @@
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item.target }}"
setype: "container_file_t"
selevel: "{{ item.selevel }}"
state: present
loop:
- target: "{{ elementweb_install_dir }}/config.json"
selevel: "{{ elementweb_selinux_level }}"
become: true
notify: "elementweb selinux context changed"
- name: Create elementweb directories.
ansible.builtin.file:
path: "{{ elementweb_install_dir }}"
owner: "root"
group: "root"
mode: "0700"
state: directory
become: true
- name: Stat elementweb config file.
ansible.builtin.stat:
path: "{{ elementweb_install_dir }}/config.json"
become: true
register: elementweb_stat_config
- name: Add caddy config file.
block:
- name: Check caddy config dir.
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
- name: Template caddy config for elementweb.
ansible.builtin.template:
src: elementweb.caddy.j2
dest: "{{ caddy_install_dir }}/config/elementweb.caddy"
mode: "0600"
setype: "container_file_t"
selevel: "{{ caddy_selinux_level }}"
owner: "{{ caddy_stat_config_dir.stat.uid }}"
group: "{{ caddy_stat_config_dir.stat.gid }}"
notify: "caddy config changed"
become: true
- name: Create elementweb container file.
ansible.builtin.template:
src: elementweb.container.j2
dest: /etc/containers/systemd/elementweb.container
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "elementweb service changed"
- name: Create elementweb config file.
ansible.builtin.template:
src: config.json.j2
dest: "{{ elementweb_install_dir }}/config.json"
setype: "container_file_t"
selevel: "{{ elementweb_selinux_level }}"
owner: "{{ elementweb_stat_config.stat.uid | default('root') }}"
group: "{{ elementweb_stat_config.stat.gid | default('root') }}"
mode: "0644"
become: true
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure elementweb services are started and enabled.
ansible.builtin.systemd:
state: started
enabled: true
name: "{{ item }}"
daemon_reload: true
loop:
- elementweb.service
become: true

23
roles/elementweb/templates/config.json.j2
View file

@ -1,23 +0,0 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": {{ elementweb_base_url | string | to_json }},
"server_name": {{ elementweb_servername | string | to_json }}
}
},
"disable_custom_urls": {{ elementweb_disable_custom_urls | to_json }},
"disable_3pid_login": {{ elementweb_disable_3pid_login | to_json }},
"disable_guests": {{ elementweb_disable_guests | to_json }},
"integrations_ui_url": {{ elementweb_integrations_ui_url | string | to_json }},
"integrations_rest_url": {{ elementweb_integrations_rest_url | string | to_json }},
"integrations_widgets_urls": {{ elementweb_integrations_widgets_urls | to_json }},
"integrations_jitsi_widget_url": {{ elementweb_integrations_jitsi_widget_url | string | to_json }},
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
"showLabsSettings": true,
{% if elementweb_enable_presence_by_hs_url %}
"enable_presence_by_hs_url": {{ elementweb_enable_presence_by_hs_url | to_json }},
{% endif %}
"roomDirectory": {
"servers": {{ elementweb_roomdir_servers | to_json }}
}
}

24
roles/elementweb/templates/elementweb.caddy.j2
View file

@ -1,24 +0,0 @@
{{ ansible_managed | comment }}
{{ elementweb_domain }} {
encode gzip
header {
# enable HSTS
Strict-Transport-Security "max-age=31536000; preload;"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
# Server name removing
-Server
}
reverse_proxy elementweb:8000
}

41
roles/elementweb/templates/elementweb.container.j2
View file

@ -1,41 +0,0 @@
{{ ansible_managed | comment }}
[Unit]
Description = Element Web
[Service]
Restart = always
RestartSec = 5s
[Container]
Image = {{ elementweb_containerimage }}:{{ elementweb_image_tag }}
ContainerName = elementweb
# AutoUpdate = registry
LogDriver = journald
ReadOnly = true
NoNewPrivileges = true
DropCapability = all
AddCapability = DAC_OVERRIDE
UserNS = auto:size=65535
{% if elementweb_selinux_level != omit %}
SecurityLabelLevel = {{ elementweb_selinux_level }}
{% endif %}
Network = caddy.network
Environment = ELEMENT_WEB_PORT=8000
Volume = {{ elementweb_install_dir }}/config.json:/app/config.json:ro,U
Tmpfs = /var/cache/nginx:rw,noexec,nosuid,nodev,size=1m
Tmpfs = /var/run:rw,noexec,nosuid,nodev,size=1m
Tmpfs = /etc/nginx/conf.d:rw,noexec,nosuid,nodev,size=8m,mode=1770,U
PodmanArgs = --memory={{ elementweb_memory_high }}
PodmanArgs = --memory-swap={{ elementweb_swap_max }}
PodmanArgs = --memory-reservation={{ elementweb_memory_low }}
[Install]
WantedBy = default.target

6
roles/sys_upgrade/README.md → roles/epel/README.md
View file

@ -1,7 +1,7 @@
sys_upgrade
EPEL
=========
Installs the latest updates to a system via the respective package manager.
Installs the `epel-release` package via yum.
Requirements
------------
@ -16,7 +16,7 @@ None
Dependencies
------------
None.
None, except for a CentOS 7 system.
License
-------

14
roles/epel/meta/main.yml Normal file
View file

@ -0,0 +1,14 @@
galaxy_info:
author: saibotk
description: Installs the epel-release package.
license: GPL-3.0-only
min_ansible_version: 2.9
platforms:
- name: CentOS
versions:
- 7
galaxy_tags: []
dependencies: []

20
roles/sys_upgrade/tasks/RedHat.yml → roles/epel/tasks/main.yml
View file

@ -1,8 +1,8 @@
---
# tasks file for sys-upgrade
# Tasks file for the epel role
# Shivering-Isles Infrastructure
# Ansible instructions to deploy the infrastructure for the Shivering-Isles
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
@ -16,15 +16,9 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
- name: Upgrade all packages (RedHat-common) # noqa fqcn
ansible.builtin.yum:
name: "*"
state: latest # noqa package-latest
update_cache: true
tags:
- yum
- download
- packages
- name: Install EPEL repository package
yum:
name: epel-release
state: present
become: true

27
roles/factorio/README.md Normal file
View file

@ -0,0 +1,27 @@
Factorio
=========
This will setup a [Factorio](https://github.com/factoriotools/factorio-docker) gameserver using a docker container.
Requirements
------------
You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only

37
roles/factorio/defaults/main.yml Normal file
View file

@ -0,0 +1,37 @@
---
# Default variables for the factorio role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose file is stored)
factorio_install_location: "/srv/factorio"
factorio_data_location: "{{ factorio_install_location }}/data"
# The camo version that should be used
# renovate: depName=docker.io/factoriotools/factorio
factorio_version: "1.1.34"
# Docker image
factorio_image: "docker.io/factoriotools/factorio"
# The factorio server port that should be exposed
factorio_server_port: 34197
# IPv6 ULA config for the bridge network used by docker-ipv6-nat
factorio_ipv6:
enabled: false
subnet: "fd9e:21a7:a92c:2456::/64"

16
roles/factorio/meta/main.yml Normal file
View file

@ -0,0 +1,16 @@
galaxy_info:
author: saibotk
description: Installs a factorio server.
license: GPL-3.0-only
min_ansible_version: 2.9
platforms:
- name: CentOS
versions:
- 7
galaxy_tags: []
dependencies:
- docker
- docker_compose

79
roles/factorio/tasks/main.yml Normal file
View file

@ -0,0 +1,79 @@
---
# Tasks file for the factorio role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
sefcontext:
target: '{{ item }}(/.*)?'
setype: "container_file_t"
state: present
with_items:
- "{{ factorio_data_location }}"
tags:
- factorio
become: true
- name: Create install directory
file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ factorio_install_location }}"
become: true
tags:
- factorio
- name: Create data directory
file:
path: "{{ item }}"
state: directory
mode: '0750'
owner: '845'
group: '845'
setype: "container_file_t"
with_items:
- "{{ factorio_data_location }}"
tags:
- factorio
become: true
- name: Deploy docker-compose.yml
template:
src: docker-compose.yml
dest: "{{ factorio_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- docker
- factorio
become: true
- name: Compose factorio container
docker_compose:
state: present
project_src: "{{ factorio_install_location }}"
pull: true
remove_orphans: true
tags:
- factorio
become: true

Some files were not shown because too many files have changed in this diff Show more