Remove legacy Ansible configuration

This commit is contained in:
Paul-Henri Froidmont 2022-03-15 19:06:17 +01:00
parent eb0a0a793c
commit 37b85f860e
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
91 changed files with 0 additions and 4431 deletions

3
.gitmodules vendored

@ -1,3 +0,0 @@
[submodule "kubespray"]
path = kubespray
url = ssh://git@gitlab.banditlair.com:2224/phfroidmont/kubespray.git


@ -1,14 +0,0 @@
#! /bin/bash
set -e
export HCLOUD_TOKEN=$(./get_hcloud_token.sh)
ENVIRONMENT=$(cat .environment)
source .virtualenv/bin/activate
ARGS="-i inventories/$ENVIRONMENT"
ARGS="$ARGS --vault-id=~/.ssh/vault-pass"
ARGS="$ARGS $@"
echo "ansible-playbook $ARGS"
ansible-playbook $ARGS


@ -1,25 +0,0 @@
[defaults]
any_errors_fatal = True
deprecation_warnings = True
display_skipped_hosts = False
host_key_checking = False
nocows = 1
#stdout_callback=skippy
callback_whitelist=profile_tasks
remote_user = root
retry_files_enabled = False
library = kubespray/library/
roles_path = kubespray/roles/
invalid_task_attribute_failed=False
force_valid_group_names = ignore
strategy_plugins = kubespray/plugins/mitogen/ansible_mitogen/plugins/strategy
fact_caching = jsonfile
fact_caching_connection = /tmp
[ssh_connection]
control_path = /tmp/ansible-ssh-%%h-%%p-%%r
pipelining = True
ssh_args = -C -o ControlMaster=auto -o ControlPersist=5m -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
[inventory]
enable_plugins = hcloud, ini, script, yaml


@ -1,27 +0,0 @@
---
ansible_python_interpreter: /usr/bin/python3
kubeadm_enabled: true
harden_linux_root_password: "{{k8s_scaleway_root_password}}"
harden_linux_deploy_user: deploy
harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}"
harden_linux_deploy_user_home: /home/deploy
harden_linux_ufw_defaults_user:
"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'
harden_linux_deploy_user_public_keys: "{{ scw_authorized_keys }}"
harden_linux_ufw_allow_networks:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
harden_linux_sysctl_settings_user:
"net.ipv4.ip_forward": 1
"net.ipv6.conf.default.forwarding": 1
"net.ipv6.conf.all.forwarding": 1
harden_linux_ufw_logging: 'on'
harden_linux_sshguard_whitelist:
- "127.0.0.0/8"
- "::1/128"
- "212.83.165.111"
- "10.3.0.0/24"
- "10.200.0.0/16"


@ -1,66 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
64366663356439393235303130346265663733333431373661363739653333336233386265653231
3435376361366666663135396566313539383136643739320a313335666464393538386538636138
61636534633461363331363139643064343530396463353131636336613163373034653531343763
6237663337333063300a373737393066383533323961656539653466363336656632333331386263
65323366323536316661303365653335653237356239356535653230393464623333643730646534
65313338363731646339616435346166373635623538323433336464656535313866343363393132
36373830316666653161323063303131623030666439326338393431316233326562303862363537
34333133616333636561633763356665336132653933646331626463316236306537383437393238
34306438313634653064313161643865646361393432323436623230333566303336383562393366
30613362306632356333323838646430333564306232386439346262613632663234626631393763
35336363303361366561646639353831303336346264313665313932343039353938313638366366
38376162616339653534333335616365323864323436393361356165333231313037356564393861
65623135346465373266373233353438303263373163623762613032356565623362636533383064
61333566393364363936356135303763326531333737303765313135613266366132646266636164
33396535323861653732653135393838323463336230373330353862386261346331366339663861
31626331313732356361353534363330616434336230663635653035376535363765393836323232
39663734356234376335353233363635393562326537663461613035383239363739353437383930
35343866323431343562383539396437653433336463373830316165323266333062323238613839
32343865366163646466663266336664336262616562666538656266373263393366326337323034
64326337663038373234353535336133613363623336396236393137343234323161613232373139
38383139393961646133636132323966376531336266613364656439626264373264396231346531
30643163363836663137393930343538353334313165646134316430623536313465656535333037
39646232633730383764653235613736323339653164613265663537386535653265343832343937
32343432306338616163663466363930353439373333626335363935636538373233383465626330
65356165643062393234666432303065306464636635626536336262636566656663356535353133
33303266373962353866643963343265383136643436393739656163663464636262323462353137
33383736333362316564643937623761636237323164383332653561346264386639346361616166
63656538303934623536386330623835626463316231663561373139306566353630653864613534
35323139353365396662656236363036353733333464343932353532633230343736653939373538
61336333303235356235376431666337353630666461313065383765376234373931313063306331
32386162666537653036343833353237666161326635376439636162626635633938366562636662
35366632363564366239316236373037393239343237316565393862666130343933623561383833
62383232663638313862343962356530316632303438363331653531613131333561343437326362
66366162386336346234383831633961346531316461623733313762613430356137353938643366
32316435336461386563616637396162623739336137396135326439333331623730313433336434
37613833353031313764616339646661383533616465663331323634663763313636653332633966
33383038646262343465323732643230336537613564373932306139633339666437313161656136
33343264636539636563653239363730373762306135613131353035626365373934616539303363
38636437626638326234396238396363656362373137653634666664346536323837653839306165
35623164373361636162656263393738386666396434363537356234303131363331633035393164
31386633386334303661333936633539636132326663643166366339303939366132346666313463
65636535363463323732323237373661646164383166343163613465336233343162333637313131
36306334333039643461376532353936353233336332623031613530323236626334343266653433
63666130663831393336643132616166363730616531633161373865353962366238343437613963
38376639613666316436313431626564303937363933663262646637386134353335316632383963
65656637303061356335343366666161333662626466313938303864373666373731616266616163
65323362353966333236393634366436356532353632373237666566363263663532353438623236
35343134616432383363633036313531626632643530393966646332363533386364383138363236
65636536663465356265353733353436363135626462383535366538303265386139663261383832
64366338663562393262333065393064663366643531616361383736653665623532343164653937
31316530653533393366373531626562353436376234636530396266616630313764623966346462
64356361313539613732386564663065646561313262376532616633343434323734353966396333
30613366363536323631333266353634623132376330613762333133626565393537386534393135
32316236323638326262656261663731366563623034373465643962663339386663646436653562
35653637323266623466643230666237346136343061616138613064653136356132633762623235
39366232363939336162333965626566323761376230653431333235316266396432336464353639
33343930666332396530383535343761313832323339346439666165623965333035386334313332
63616166333234383231643436306433326631313162613133386662636539393864626239356334
63393739303837373864323266373766353266663931616231613439336438356334343036383565
61393064356539386437613135613930653132336331386265646531336134326339663231306637
64646639303666383235373361643066643234343532626537323939333737613962363035356430
31333034343938366536313163636533626238653139393738633434373063613561633532373334
36353939623963383438313866313637316463323866373332666536373764393463636132353066
65303766653033623862653665636332306466643435623238346430353564653364336661393832
36363136653461306362623265383161313138363062373265313431363333613866


@ -1,43 +0,0 @@
---
- hosts: storage
become: true
vars:
docker_compose_files_folder_previous_server: /etc/compose
docker_compose_files_folder: /etc/compose
domain_name: banditlair.com
sub_domains:
- rpg
roles:
- role: base
tags: ['base']
- role: scripts
tags: [ 'scripts' ]
- role: daily-backup
tags: [ 'backup' ]
- role: docker
tags: [ 'docker' ]
- role: traefik-proxy-docker
tags: [ 'traefik' ]
- role: searx-docker
tags: [ 'searx' ]
- role: wiki-docker
tags: [ 'wiki' ]
- role: emby-docker
tags: [ 'emby' ]
- role: gitlab-docker
tags: [ 'gitlab' ]
- role: torrent-docker
tags: [ 'torrent' ]
- role: monit
tags: [ 'monit' ]
- role: stb-wordpress-docker
tags: [ 'stb' ]
- role: invidious-docker
tags: [ 'invidious' ]
- role: ddns-docker
tags: [ 'ddns' ]
- role: mailu-docker
tags: [ 'mailu' ]
- role: website-marie-docker
tags: [ 'website-marie' ]


@ -1,2 +0,0 @@
[storage]
storage1 ansible_user=root ansible_python_interpreter=/usr/bin/python3 ansible_host=144.76.18.197


@ -1,12 +0,0 @@
---
- name: Install base packages
package:
name:
- htop
- git
- nload
- ufw
- borgbackup
- vim
state: present
update_cache: yes


@ -1,14 +0,0 @@
---
- name: Create fullBackup.sh
template:
src: fullBackup.sh
dest: /root/fullBackup.sh
mode: 0700
- name: Create backup cron job
cron:
name: daily backup
state: present
minute: 0
hour: 4
job: "/root/fullBackup.sh >> /var/log/backup.log 2>&1"


@ -1,67 +0,0 @@
#!/bin/sh
set -e
touch /backups/backup-ongoing
REPOSITORY=ssh://backup@212.129.12.205:22/./
export BORG_PASSPHRASE='{{backup_borg_passphrase}}'
#echo 'Dumping NextCloud database'
#docker exec nextcloud_postgres_1 sh -c "pg_dump -U nextcloud nextcloud > /backups/database.dmp"
echo 'Dumping S.T.B. wordpress database'
docker exec stb_db_1 sh -c "mysqldump -u stb -p{{stb_mysql_password}} stb > /backups/database.dmp"
#echo 'Dumping matrix database'
#docker exec matrix_db_1 sh -c "pg_dump -U synapse synapse > /backups/database.dmp"
#echo 'Dumping invidious database'
#docker exec invidious_postgres_1 sh -c "pg_dump -U kemal invidious > /backups/database.dmp"
echo 'Copying murmur database'
docker stop murmur_murmur_1
cp /var/lib/murmur/murmur.sqlite /backups/murmur/murmur.sqlite
docker start murmur_murmur_1
echo 'Creating GitLab backup'
docker exec gitlab_gitlab_1 gitlab-rake gitlab:backup:create
echo 'Starting Borg backup'
borg create -v --stats --compression lz4 \
${REPOSITORY}::'{hostname}-{now:%Y-%m-%d}' \
/root \
/home \
/data \
/etc \
/var/lib/mailu \
/var/lib/matrix/media_store \
/var/lib/nextcloud \
/var/lib/transmission \
/var/lib/wiki \
/var/lib/stb \
/var/lib/nzbget \
/opt/factorio \
/backups \
--exclude '/var/lib/nextcloud/db'
# If there is an error backing up, reset password envvar and exit
if [ "$?" = "1" ] ; then
export BORG_PASSPHRASE=""
exit 1
fi
# Use the `prune` subcommand to maintain 14 daily, 8 weekly and 12 monthly
# archives of THIS machine. The '{hostname}-' prefix is very important to
# limit prune's operation to this machine's archives and not apply to
# other machine's archives also.
borg prune -v --list ${REPOSITORY} --prefix '{hostname}-' \
--keep-daily=14 --keep-weekly=8 --keep-monthly=12
# Unset the password
export BORG_PASSPHRASE=""
rm -f /backups/backup-ongoing
touch /backups/backup-ok
exit 0


@ -1,31 +0,0 @@
version: '3'
networks:
web:
external:
name: web
services:
ddns:
image: davd/docker-ddns:latest
restart: unless-stopped
environment:
RECORD_TTL: 60
ZONE: ddns.banditlair.com
SHARED_SECRET: changeme
labels:
- "traefik.backend=ddns"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:ns.banditlair.com"
- "traefik.enable=true"
- "traefik.port=8080"
- "traefik.default.protocol=http"
expose:
- 8080
ports:
- "53:53"
- "53:53/udp"
networks:
- web
volumes:
- /var/lib/ddns/bind:/var/cache/bind


@ -1,10 +0,0 @@
---
- name: Copy ddns config
copy:
src: ddns
dest: "{{docker_compose_files_folder}}"
- name: Start ddns docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/ddns"
state: present


@ -1,4 +0,0 @@
docker_apt_key: https://download.docker.com/linux/ubuntu/gpg
docker_apt_repository: https://download.docker.com/linux/ubuntu
# Choose 'edge' 'stable' or 'testing' for docker channel
docker_apt_channel: stable


@ -1,5 +0,0 @@
---
- name: restart docker
systemd:
name: docker
state: restarted


@ -1,93 +0,0 @@
---
- name: Ensure docker packages are not present
apt:
state: absent
name: ['docker', 'docker-engine', 'docker.io']
- name: Install docker package dependencies
apt:
state: latest
name: ['apt-transport-https', 'ca-certificates']
update_cache: yes
cache_valid_time: 86400
register: result
retries: 3
until: result is success
- name: Adding Docker official gpg key
apt_key:
url: "{{ docker_apt_key }}"
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
state: present
- name: Setting Docker repository depending on arch
set_fact:
docker_repository: "deb [arch={{ item.apt_arch }}] {{ docker_apt_repository }} {{ ansible_distribution_release }} {{ docker_apt_channel }}"
when: ansible_architecture == item.system_arch
with_items:
- { system_arch: 'x86_64', apt_arch: 'amd64' }
- { system_arch: 'arm', apt_arch: 'armhf' }
- name: Printing Docker repository
debug:
var: docker_repository
- name: Adding Docker repository
apt_repository:
repo: "{{ docker_repository }}"
state: present
update_cache: true
- name: Install Docker.
package:
name: docker-ce
state: present
notify: restart docker
- name: Ensure containerd service dir exists.
file:
path: /etc/systemd/system/containerd.service.d
state: directory
- name: Add shim to ensure Docker can start in all environments.
template:
src: override.conf.j2
dest: /etc/systemd/system/containerd.service.d/override.conf
register: override_template
- name: Reload systemd daemon if template is changed.
systemd:
daemon_reload: true
when: override_template is changed
- name: Ensure Docker is started and enabled at boot.
service:
name: docker
state: started
enabled: true
- name: Ensure handlers are notified now to avoid firewall conflicts.
meta: flush_handlers
- name: Install python3-pip
apt:
name: python3-pip
state: latest
cache_valid_time: 86400
register: result
retries: 3
until: result is success
- name: Install docker-compose package dependencies
apt:
state: latest
name: python3-setuptools
update_cache: yes
cache_valid_time: 86400
register: result
retries: 3
until: result is success
- name: Install docker-compose
pip:
name: docker-compose


@ -1,3 +0,0 @@
# {{ ansible_managed }}
[Service]
ExecStartPre=


@ -1,27 +0,0 @@
version: '2.2'
networks:
web:
external:
name: web
services:
emby:
image: emby/embyserver:latest
volumes:
- ./config:/config
- /data:/media:ro
- /etc/localtime:/etc/localtime:ro
environment:
- UID=33
- GID=33
labels:
- "traefik.backend=emby"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:emby.banditlair.com"
- "traefik.enable=true"
- "traefik.port=8096"
- "traefik.default.protocol=http"
networks:
- web
restart: always


@ -1,9 +0,0 @@
---
- name: Copy emby config
copy:
src: emby
dest: "{{docker_compose_files_folder}}"
- name: Start emby docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/emby"
state: present


@ -1,2 +0,0 @@
---
email_password: ""


@ -1 +0,0 @@
GITLAB_DOMAIN=gitlab.banditlair.com


@ -1,41 +0,0 @@
version: '2.2'
networks:
web:
external:
name: web
services:
gitlab:
image: 'gitlab/gitlab-ce:13.7.3-ce.0'
hostname: ${GITLAB_DOMAIN}
labels:
- "traefik.docker.network=web"
- "traefik.enable=true"
- "traefik.default.protocol=http"
- "traefik.gitlab.frontend.rule=Host:gitlab.banditlair.com"
- "traefik.gitlab.port=9090"
- "traefik.registry.frontend.rule=Host:registry.banditlair.com"
- "traefik.registry.port=5005"
ports:
- "2224:22"
expose:
- 9090
- 5005
volumes:
- ./config:/etc/gitlab
- /var/log/gitlab:/var/log/gitlab
- /var/lib/gitlab:/var/opt/gitlab
- /backups/gitlab:/var/opt/gitlab/backups
- /etc/localtime:/etc/localtime:ro
networks:
- web
restart: always
runner:
image: 'gitlab/gitlab-runner:latest'
volumes:
- ./runner-config:/etc/gitlab-runner
- /var/run/docker.sock:/var/run/docker.sock
- /etc/localtime:/etc/localtime:ro
restart: always


@ -1,16 +0,0 @@
concurrent = 1
check_interval = 0
[[runners]]
name = "local-runner"
url = "https://gitlab.banditlair.com/"
token = "1cc1e58b1325920f45fc52a4468292"
executor = "docker"
[runners.docker]
tls_verify = false
image = "alpine:latest"
privileged = false
disable_cache = false
volumes = ["/cache"]
shm_size = 0
[runners.cache]


@ -1,5 +0,0 @@
#!/bin/bash
set -e
docker-compose exec gitlab chown -R $1:$1 /var/opt/gitlab/backups
docker-compose exec gitlab gitlab-rake gitlab:backup:restore force=yes


@ -1,51 +0,0 @@
---
- name: Copy docker-compose.yml
copy:
src: gitlab
dest: "{{docker_compose_files_folder}}"
- name: Create gitlab config folder
file:
dest: "{{docker_compose_files_folder}}/gitlab/config"
state: directory
- name: Create gitlab config
template:
src: gitlab/config/gitlab.rb
dest: "{{docker_compose_files_folder}}/gitlab/config/gitlab.rb"
- name: Start gitlab docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/gitlab"
state: present
- name: Find Gitlab user repositories
find:
paths: /var/lib/gitlab/git-data/repositories/
file_type: directory
patterns: "*"
register: gitlab_users_repos
- name: Get Gitlab git user id
command: docker-compose exec -T gitlab id -u git
args:
chdir: "{{docker_compose_files_folder}}/gitlab/"
register: gitlab_git_uid
when: gitlab_users_repos.matched|int == 0
- name: Wait for Gitlab to be installed
wait_for:
path: /var/lib/gitlab/postgres-exporter/
state: present
timeout: 600
when: gitlab_users_repos.matched|int == 0
- name: Restore backup if no users are found
script: restore-backup.sh {{gitlab_git_uid.stdout}}
register: gitlab_backup_restore
args:
chdir: "{{docker_compose_files_folder}}/gitlab/"
retries: 5
delay: 30
until: gitlab_backup_restore.rc == 0
when: gitlab_users_repos.matched|int == 0



@ -1,66 +0,0 @@
version: '2.4'
networks:
web:
external:
name: web
services:
postgres:
image: postgres:10
restart: unless-stopped
volumes:
- /var/lib/postgresql/invidious:/var/lib/postgresql/data
- /backups/invidious:/backups
- ./repo/config/sql:/config/sql
- ./repo/docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh
environment:
POSTGRES_DB: invidious
POSTGRES_PASSWORD: kemal
POSTGRES_USER: kemal
healthcheck:
test: [ "CMD", "pg_isready", "-U", "postgres" ]
invidious:
build:
context: repo
dockerfile: docker/Dockerfile
mem_limit: 2g
restart: unless-stopped
volumes:
- ./config.yml:/invidious/config/config.yml
expose:
- 3000
environment:
# Adapted from ./config/config.yml
INVIDIOUS_CONFIG: |
crawl_threads: 1
channel_threads: 1
check_tables: true
feed_threads: 1
video_threads: 1
db:
user: kemal
password: kemal
host: postgres
port: 5432
dbname: invidious
full_refresh: false
https_only: true
geo_bypass: true
top_enabled: false
force_resolve: ipv4
admins:
- paultrial
domain: yt.banditlair.com
labels:
- "traefik.backend=invidious"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:yt.banditlair.com"
- "traefik.enable=true"
- "traefik.port=3000"
- "traefik.default.protocol=http"
depends_on:
- postgres
networks:
- web
- default


@ -1,18 +0,0 @@
---
- name: Copy docker-compose.yml
copy:
src: docker-compose.yml
dest: "{{docker_compose_files_folder}}/invidious/"
- name: Checkout git repo
git:
repo: https://github.com/omarroth/invidious.git
dest: "{{docker_compose_files_folder}}/invidious/repo"
force: yes
- name: Build and start docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/invidious"
build: yes
pull: yes
state: present


@ -1,3 +0,0 @@
#!/bin/bash
curl 127.0.0.1/healthz -fsS


@ -1,60 +0,0 @@
#!/usr/bin/env python3
# (c) 2018 Maximilian Siegl
import sys
import json
import os
import requests
from multiprocessing import Process
CONFIG_PATH = os.path.join(os.path.abspath(
os.path.dirname(__file__)), "config.json")
def del_ip(ip_bin_path, floating_ip, interface):
os.system(ip_bin_path + " addr del " + floating_ip + " dev " + interface)
def add_ip(ip_bin_path, floating_ip, interface):
os.system(ip_bin_path + " addr add " + floating_ip + " dev " + interface)
def change_request(endstate, url, header, payload, ip_bin_path, floating_ip, interface):
if endstate == "BACKUP":
del_ip(ip_bin_path, floating_ip, interface)
elif endstate == "FAULT":
del_ip(ip_bin_path, floating_ip, interface)
elif endstate == "MASTER":
add_ip(ip_bin_path, floating_ip, interface)
print("Post request to: " + url)
print("Header: " + str(header))
print("Data: " + str(payload))
r = requests.post(url, data=payload, headers=header)
print("Response:")
print(r.status_code, r.reason)
print(r.text)
else:
print("Error: Endstate not defined!")
def main(arg_type, arg_name, arg_endstate):
with open(CONFIG_PATH, "r") as config_file:
config = json.load(config_file)
header = {
"Content-Type": "application/json",
"Authorization": "Bearer " + config["api-token"]
}
payload = '''{"server": ''' + str(config["server-id"]) + "}"
print("Perform action for transition to " + arg_endstate + " state")
for ips in config["ips"]:
url = config["url"].format(ips["floating-ip-id"])
Process(target=change_request, args=(arg_endstate, url, header, payload,
config["ip_bin_path"], ips["floating-ip"], config["interface"])).start()
if __name__ == "__main__":
main(arg_type=sys.argv[1], arg_name=sys.argv[2], arg_endstate=sys.argv[3])


@ -1,4 +0,0 @@
- name: restart keepalived
systemd:
name: keepalived
state: restarted


@ -1,34 +0,0 @@
- name: Install keepalived
package:
name: keepalived
state: present
- name: Keepalived config
template:
src: keepalived.conf.j2
dest: /etc/keepalived/keepalived.conf
notify: restart keepalived
- name: Copy nginx healtcheck script
copy:
src: check_nginx.sh
dest: /etc/keepalived/check_nginx.sh
mode: 0700
- name: Copy hcloud failover script
copy:
src: hcloud_failover.py
dest: /etc/keepalived/hcloud_failover.py
mode: 0700
- name: Copy hcloud failover script config
template:
src: config.json.j2
dest: /etc/keepalived/config.json
mode: 0700
- name: Start and enable keepalived
systemd:
name: keepalived
enabled: yes
state: started


@ -1,13 +0,0 @@
{
"url": "https://api.hetzner.cloud/v1/floating_ips/{}/actions/assign",
"api-token": "{{ hcloud_token_vip }}",
"ips": [
{
"floating-ip-id": "{{ floating_ip_id }}",
"floating-ip": "{{ floating_ip }}"
}
],
"server-id": {{ hostvars[inventory_hostname]['id'] }},
"interface": "eth0",
"ip_bin_path": "/bin/ip"
}


@ -1,41 +0,0 @@
vrrp_script check_nginx {
script /etc/keepalived/check_nginx.sh
interval 3
fall 5
rise 1
}
vrrp_instance VI_1 {
{% if inventory_hostname == groups['kube-node'][0] %}
state MASTER
{% else %}
state BACKUP
{% endif %}
priority 100
interface eth0
virtual_router_id 50
unicast_src_ip {{ hostvars[inventory_hostname]['ipv4'] }}
unicast_peer {
{% for host in (groups['kube-node']) %}
{% if host != inventory_hostname %}
{{ hostvars[host]['ipv4'] }}
{% endif %}
{% endfor %}
}
authentication {
auth_type PASS
auth_pass "{{ keepalived_shared_secret }}"
}
virtual_ipaddress {
{{ floating_ip }}
}
track_script {
chk_haproxy
}
notify /etc/keepalived/hcloud_failover.py
}


@ -1,2 +0,0 @@
---
mailu_secret_key:


@ -1,123 +0,0 @@
version: '3.6'
networks:
web:
external:
name: web
default:
driver: bridge
ipam:
driver: default
config:
- subnet: 192.168.64.0/20
services:
front:
image: mailu/nginx:$VERSION
restart: always
env_file: .env
logging:
driver: json-file
ports:
- "$BIND_ADDRESS4:110:110"
- "$BIND_ADDRESS4:143:143"
- "$BIND_ADDRESS4:993:993"
- "$BIND_ADDRESS4:995:995"
- "$BIND_ADDRESS4:25:25"
- "$BIND_ADDRESS4:465:465"
- "$BIND_ADDRESS4:587:587"
labels:
- "traefik.backend=webmail"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:webmail.banditlair.com"
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.default.protocol=http"
volumes:
- "../traefik/certs/ssl/certs/banditlair.com.crt:/certs/cert.pem"
- "../traefik/certs/ssl/private/banditlair.com.key:/certs/key.pem"
- "/var/lib/mailu/overrides/nginx:/overrides"
networks:
- web
- default
redis:
image: redis:alpine
restart: always
volumes:
- "/var/lib/mailu/redis:/data"
resolver:
image: mailu/unbound:$VERSION
restart: always
env_file: .env
networks:
default:
ipv4_address: 192.168.64.254
admin:
image: mailu/admin:$VERSION
restart: always
env_file: .env
volumes:
- "/var/lib/mailu/data:/data"
- "/var/lib/mailu/dkim:/dkim"
depends_on:
- redis
imap:
image: mailu/dovecot:$VERSION
restart: always
env_file: .env
volumes:
- "/var/lib/mailu/data:/data"
- "/var/lib/mailu/mail:/mail"
- "./overrides:/overrides"
depends_on:
- front
smtp:
image: mailu/postfix:$VERSION
restart: always
env_file: .env
volumes:
- "/var/lib/mailu/data:/data"
- "./overrides:/overrides"
depends_on:
- front
- resolver
dns:
- 192.168.64.254
antispam:
image: mailu/rspamd:$VERSION
restart: always
env_file: .env
volumes:
- "/var/lib/mailu/filter:/var/lib/rspamd"
- "/var/lib/mailu/dkim:/dkim"
- "./overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
- resolver
dns:
- 192.168.64.254
fetchmail:
image: mailu/fetchmail:$VERSION
restart: always
env_file: .env
depends_on:
- resolver
dns:
- 192.168.64.254
webmail:
image: mailu/rainloop
restart: always
env_file: .env
volumes:
- "/var/lib/mailu/webmail:/data"
depends_on:
- imap


@ -1,6 +0,0 @@
protocol imap {
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
mail_max_userip_connections = 100
}


@ -1 +0,0 @@
#debug_peer_list = 172.22.0.1


@ -1,2 +0,0 @@
allow_username_mismatch = true;


@ -1,13 +0,0 @@
---
- name: Copy mailu config
copy:
src: mailu
dest: "{{docker_compose_files_folder}}"
- name: Create mailu config
template:
src: mailu/.env
dest: "{{docker_compose_files_folder}}/mailu/.env"
- name: Start mailu docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/mailu"
state: present


@ -1,137 +0,0 @@
# Mailu main configuration file
#
# Most configuration variables can be modified through the Web interface,
# these few settings must however be configured before starting the mail
# server and require a restart upon change.
###################################
# Common configuration variables
###################################
# Mailu version to run (stable, 1.0, 1.1, etc. or latest)
VERSION=1.6
# Set to a randomly generated 16 bytes string
SECRET_KEY={{mailu_secret_key}}
BIND_ADDRESS4=0.0.0.0
# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!
SUBNET=192.168.64.0/20
# Main mail domain
DOMAIN=banditlair.com
# Exposed mail-server hostname
HOSTNAMES=mail.banditlair.com,mail2.banditlair.com
# Postmaster local part (will append the main mail domain)
POSTMASTER=admin
# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail)
TLS_FLAVOR=mail
# Authentication rate limit (per source IP address)
AUTH_RATELIMIT=30/minute;1800/hour
# Opt-out of statistics, replace with "True" to opt out
DISABLE_STATISTICS=True
###################################
# Optional features
###################################
# Expose the admin interface (value: true, false)
ADMIN=true
# Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=rainloop
# Dav server implementation (value: radicale, none)
WEBDAV=none
# Antivirus solution (value: clamav, none)
ANTIVIRUS=none
###################################
# Mail settings
###################################
# Message size limit in bytes
# Default: accept messages up to 50MB
# Max attachment size will be 33% smaller
MESSAGE_SIZE_LIMIT=50000000
# Networks granted relay permissions
# Use this with care, all hosts in this networks will be able to send mail without authentication!
RELAYNETS=192.168.64.0/20
# Will relay all outgoing mails if configured
RELAYHOST=
# Fetchmail delay
FETCHMAIL_DELAY=600
# Recipient delimiter, character used to delimiter localpart from custom address part
# e.g. localpart+custom@domain;tld
RECIPIENT_DELIMITER=+
# DMARC rua and ruf email
DMARC_RUA=dmarc
DMARC_RUF=dmarc
# Weclome email, enable and set a topic and body if you wish to send welcome
# emails to all users.
WELCOME=true
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
###################################
# Web settings
###################################
# Path to redirect / to
WEBROOT_REDIRECT=/webmail
# Path to the admin interface if enabled
WEB_ADMIN=/admin
# Path to the webmail if enabled
WEB_WEBMAIL=/webmail
# Website name
SITENAME=Banditlair mails
# Linked Website URL
WEBSITE=https://banditlair.com
###################################
# Advanced settings
###################################
# Docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME=mailu
# Default password scheme used for newly created accounts and changed passwords
# (value: SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
PASSWORD_SCHEME=BLF-CRYPT
# Header to take the real ip from
REAL_IP_HEADER=
# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=
# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
REJECT_UNLISTED_RECIPIENT=
# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
LOG_LEVEL=WARNING
###################################
# Database settings
###################################
DB_FLAVOR=sqlite


@ -1 +0,0 @@
---


@ -1,76 +0,0 @@
version: "2"
services:
db:
image: postgres:9
restart: always
ports:
- "127.0.0.1:5432:5432"
volumes:
- /var/lib/matrix/db:/var/lib/postgresql/data
- /backups/matrix:/backups
- /etc/localtime:/etc/localtime:ro
environment:
- POSTGRES_PASSWORD=synapse
- POSTGRES_USER=synapse
networks:
- matrix
synapse:
image: matrixdotorg/synapse
# ports:
# Coturn
# - "3478:3478"
# - "5349:5349"
labels:
- "traefik.enable=true"
- "traefik.default.protocol=http"
- "traefik.docker.network=web"
- "traefik.port=8008"
- "traefik.backend=synapse"
- "traefik.frontend.rule=Host:banditlair.com,matrix.banditlair.com"
- "traefik.frontend.passHostHeader=true"
volumes:
- /var/lib/matrix/media_store:/data/media_store
- /var/log/synapse:/data/log
- ./synapse:/data
- /etc/localtime:/etc/localtime:ro
depends_on:
- db
networks:
- matrix
- web
restart: always
coturn:
image: instrumentisto/coturn
network_mode: host
volumes:
- ./synapse:/data
- ./synapse/turnserver.conf:/etc/coturn/turnserver.conf
tmpfs:
- /var/lib/coturn
dimension:
image: turt2live/matrix-dimension
labels:
- "traefik.docker.network=web"
- "traefik.backend=dimension"
- "traefik.frontend.rule=Host:dimension.banditlair.com"
- "traefik.enable=true"
- "traefik.port=8184"
- "traefik.default.protocol=http"
expose:
- 8184
volumes:
- ./dimension:/data
networks:
- web
restart: always
networks:
matrix:
external:
name: matrix-network
web:
external:
name: web


@ -1,29 +0,0 @@
---
- name: Copy matrix docker files
copy:
src: matrix
dest: "{{docker_compose_files_folder}}"
- name: Create matrix-network docker network
docker_network:
name: matrix-network
- name: Start matrix docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/matrix"
state: present
- name: Wait for database to start and count matrix users
shell: docker-compose exec -T db psql -U synapse synapse -c "select count(*) from users;" -t
args:
chdir: "{{docker_compose_files_folder}}/matrix/"
register: matrix_users_count
until: matrix_users_count.rc == 0
retries: 10
changed_when: false
- name: Restore Matrix database if needed
command: docker-compose exec -T db sh -c "psql -U synapse synapse < /backups/database.dmp"
args:
chdir: "{{docker_compose_files_folder}}/matrix/"
when: matrix_users_count.stdout|int == 0


@ -1,17 +0,0 @@
#!/bin/bash
set -e
ONGOING_FILE="/backups/backup-ongoing"
if [ -f "$ONGOING_FILE" ]
then
if test `find "$ONGOING_FILE" -mmin +180`
then
LAST_MODIFICATION_HOURS=`expr "$(($(date +%s) - $(date +%s -r $ONGOING_FILE)))" / 3600`
echo "Backup not finished after more than $LAST_MODIFICATION_HOURS hours"
exit 1
fi
fi
exit 0


@ -1,3 +0,0 @@
---
- name: reload monit
command: monit reload


@ -1,25 +0,0 @@
---
- name: Install monit
package:
name: monit
state: present
update_cache: yes
- name: Enable and start monit service
systemd:
name: monit.service
state: started
enabled: True
- name: Create fullBackup.sh
copy:
src: checkBackupStatus.sh
dest: /usr/local/bin/checkBackupStatus.sh
mode: 0700
- name: Copy monit config
template:
src: monitrc
dest: /etc/monit/monitrc
mode: 0600
notify: reload monit


@ -1,365 +0,0 @@
###############################################################################
## Monit control file
###############################################################################
##
## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
## Below you will find examples of some frequently used statements. For
## information about the control file and a complete list of statements and
## options, please have a look in the Monit manual.
##
##
###############################################################################
## Global section
###############################################################################
##
## Start Monit in the background (run as a daemon):
#
set daemon 30 # check services at 30 seconds intervals
with start delay 300 # optional: delay the first check by 4-minutes (by
# # default Monit check immediately after Monit start)
#
#
## Set syslog logging. If you want to log to a standalone log file instead,
## specify the full path to the log file
#
set log syslog
#
#
## Set the location of the Monit lock file which stores the process id of the
## running Monit instance. By default this file is stored in $HOME/.monit.pid
#
# set pidfile /var/run/monit.pid
#
## Set the location of the Monit id file which stores the unique id for the
## Monit instance. The id is generated and stored on first Monit start. By
## default the file is placed in $HOME/.monit.id.
#
# set idfile /var/.monit.id
#
## Set the location of the Monit state file which saves monitoring states
## on each cycle. By default the file is placed in $HOME/.monit.state. If
## the state file is stored on a persistent filesystem, Monit will recover
## the monitoring state across reboots. If it is on temporary filesystem, the
## state will be lost on reboot which may be convenient in some situations.
#
# set statefile /var/.monit.state
#
#
## Set limits for various tests. The following example shows the default values:
##
# set limits {
# programOutput: 512 B, # check program's output truncate limit
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
# fileContentBuffer: 512 B, # limit for file content test
# httpContentBuffer: 1 MB, # limit for HTTP content test
# networkTimeout: 5 seconds # timeout for network I/O
# programTimeout: 300 seconds # timeout for check program
# stopTimeout: 30 seconds # timeout for service stop
# startTimeout: 30 seconds # timeout for service start
# restartTimeout: 30 seconds # timeout for service restart
# }
## Set global SSL options (just most common options showed, see manual for
## full list).
#
set ssl {
verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
#selfsigned : allow # allow self signed SSL certificates (reject by default)
}
#
#
## Set the list of mail servers for alert delivery. Multiple servers may be
## specified using a comma separator. If the first mail server fails, Monit
# will use the second mail server in the list and so on. By default Monit uses
# port 25 - it is possible to override this with the PORT option.
#
# set mailserver mail.bar.baz, # primary mailserver
# backup.bar.baz port 10025, # backup mailserver on port 10025
# localhost # fallback relay
set mailserver mail.banditlair.com PORT 465
USERNAME noreply@banditlair.com PASSWORD {{email_password}}
using SSL
#
#
## By default Monit will drop alert events if no mail servers are available.
## If you want to keep the alerts for later delivery retry, you can use the
## EVENTQUEUE statement. The base directory where undelivered alerts will be
## stored is specified by the BASEDIR option. You can limit the queue size
## by using the SLOTS option (if omitted, the queue is limited by space
## available in the back end filesystem).
#
set eventqueue
basedir /var/monit # set the base directory where events will be stored
slots 100 # optionally limit the queue size
#
#
## Send status and events to M/Monit (for more informations about M/Monit
## see https://mmonit.com/). By default Monit registers credentials with
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
## have to register Monit credentials manually in M/Monit. It is possible to
## disable credential registration using the commented out option below.
## Though, if safety is a concern we recommend instead using https when
## communicating with M/Monit and send credentials encrypted. The password
## should be URL encoded if it contains URL-significant characters like
## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
## adding the timeout option.
#
set mmonit https://{{monit_mmonit_login}}:{{monit_mmonit_password}}@mmonit.camefaitplaisir.com/collector
# # with timeout 30 seconds # Default timeout is 5 seconds
# # and register without credentials # Don't register credentials
#
#
## Monit by default uses the following format for alerts if the mail-format
## statement is missing::
## --8<--
## set mail-format {
## from: Monit <monit@$HOST>
## subject: monit alert -- $EVENT $SERVICE
## message: $EVENT Service $SERVICE
## Date: $DATE
## Action: $ACTION
## Host: $HOST
## Description: $DESCRIPTION
##
## Your faithful employee,
## Monit
## }
## --8<--
##
## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded at runtime. For example, to override the sender, use:
#
# set mail-format { from: monit@foo.bar }
#
set mail-format { from: monit@banditlair.com }
#
## You can set alert recipients whom will receive alerts if/when a
## service defined in this file has errors. Alerts may be restricted on
## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar # receive all alerts
#
set alert self.alert@banditlair.com
#set alert pascal.falbo@hotmail.fr # Fucking Microshit blacklists my mail server
## Do not alert when Monit starts, stops or performs a user initiated action.
## This filter is recommended to avoid getting alerts for trivial cases.
#
# set alert your-name@your.domain not on { instance, action }
#
#
## Monit has an embedded HTTP interface which can be used to view status of
## services monitored and manage services from a web interface. The HTTP
## interface is also required if you want to issue Monit commands from the
## command line, such as 'monit status' or 'monit restart service' The reason
## for this is that the Monit client uses the HTTP interface to send these
## commands to a running Monit daemon. See the Monit Wiki if you want to
## enable SSL for the HTTP interface.
#
set httpd port 2812 and
use address localhost # only accept connection from localhost
allow localhost # allow localhost to connect to the server and
allow admin:monit # require user 'admin' with password 'monit'
#with ssl { # enable SSL/TLS and set path to server certificate
# pemfile: /etc/ssl/certs/monit.pem
#}
###############################################################################
## Services
##############################################################################
##
## Check general system resources such as load average, cpu and memory
## usage. Each test specifies a resource, conditions and the action to be
## performed should a test fail.
#
# check system $HOST
# if loadavg (1min) > 4 then alert
# if loadavg (5min) > 2 then alert
# if cpu usage > 95% for 10 cycles then alert
# if memory usage > 75% then alert
# if swap usage > 25% then alert
check system $HOST
# if loadavg (1min) > 4 then alert
# if loadavg (5min) > 2 then alert
if cpu usage > 95% for 10 cycles then alert
if memory usage > 75% then alert
if swap usage > 25% then alert
#
#
## Check if a file exists, checksum, permissions, uid and gid. In addition
## to alert recipients in the global section, customized alert can be sent to
## additional recipients by specifying a local alert handler. The service may
## be grouped using the GROUP option. More than one group can be specified by
## repeating the 'group name' statement.
#
# check file apache_bin with path /usr/local/apache/bin/httpd
# if failed checksum and
# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
# if failed permission 755 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "root" then unmonitor
# alert security@foo.bar on {
# checksum, permission, uid, gid, unmonitor
# } with the mail-format { subject: Alarm! }
# group server
#
#
## Check that a process is running, in this case Apache, and that it respond
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
## and number of children. If the process is not running, Monit will restart
## it by default. In case the service is restarted very often and the
## problem remains, it is possible to disable monitoring using the TIMEOUT
## statement. This service depends on another service (apache_bin) which
## is defined above.
#
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
# start program = "/etc/init.d/httpd start" with timeout 60 seconds
# stop program = "/etc/init.d/httpd stop"
# if cpu > 60% for 2 cycles then alert
# if cpu > 80% for 5 cycles then restart
# if totalmem > 200.0 MB for 5 cycles then restart
# if children > 250 then restart
# if loadavg(5min) greater than 10 for 8 cycles then stop
# if disk read > 500 kb/s for 10 cycles then alert
# if disk write > 500 kb/s for 10 cycles then alert
# if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
# if failed port 443 protocol https with timeout 15 seconds then restart
# if 3 restarts within 5 cycles then unmonitor
# depends on apache_bin
# group server
#
#
## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
## Other services, such as databases, may depend on this resource and an automatically
## graceful stop may be cascaded to them before the filesystem will become full and data
## lost.
#
# check filesystem datafs with path /dev/sdb1
# start program = "/bin/mount /data"
# stop program = "/bin/umount /data"
# if failed permission 660 then unmonitor
# if failed uid "root" then unmonitor
# if failed gid "disk" then unmonitor
# if space usage > 80% for 5 times within 15 cycles then alert
# if space usage > 99% then stop
# if inode usage > 30000 then alert
# if inode usage > 99% then stop
# if read rate > 1 MB/s for 5 cycles then alert
# if read rate > 500 operations/s for 5 cycles then alert
# if write rate > 1 MB/s for 5 cycles then alert
# if write rate > 500 operations/s for 5 cycles then alert
# if service time > 10 milliseconds for 3 times within 5 cycles then alert
# group server
check filesystem root with path /
if SPACE usage > 90% then alert
#
#
## Check a file's timestamp. In this example, we test if a file is older
## than 15 minutes and assume something is wrong if its not updated. Also,
## if the file size exceed a given limit, execute a script
#
# check file database with path /data/mydatabase.db
# if failed permission 700 then alert
# if failed uid "data" then alert
# if failed gid "data" then alert
# if timestamp > 15 minutes then alert
# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
#
#
## Check directory permission, uid and gid. An event is triggered if the
## directory does not belong to the user with uid 0 and gid 0. In addition,
## the permissions have to match the octal description of 755 (see chmod(1)).
#
# check directory bin with path /bin
# if failed permission 755 then unmonitor
# if failed uid 0 then unmonitor
# if failed gid 0 then unmonitor
#
#
## Check a remote host availability by issuing a ping test and check the
## content of a response from a web server. Up to three pings are sent and
## connection to a port and an application level network check is performed.
#
# check host myserver with address 192.168.1.1
# if failed ping then alert
# if failed port 3306 protocol mysql with timeout 15 seconds then alert
# if failed port 80 protocol http
# and request /some/path with content = "a string"
# then alert
#
#
## Check a network link status (up/down), link capacity changes, saturation
## and bandwidth usage.
#
check network public with interface enp3s0
if failed link then alert
# if changed link then alert
# if saturation > 90% then alert
# if download > 10 MB/s then alert
# if total uploaded > 1 GB in last hour then alert
#
#
## Check custom program status output.
#
# check program myscript with path /usr/local/bin/myscript.sh
# if status != 0 then alert
#
#
check file daily-backup-done with path /backups/backup-ok
if changed timestamp then alert
check program checkBackupStatus with path /usr/local/bin/checkBackupStatus.sh
if status != 0 then alert
check host home-ssh with address phf.ddns.banditlair.com
if failed port 2222 protocol ssh with timeout 20 seconds then alert
check host searX with address banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host NextCloud with address cloud.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host Gitlab-ssh with address gitlab.banditlair.com
if failed port 2224 protocol ssh with timeout 20 seconds then alert
check host Gitlab-ui with address gitlab.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
check host mail-admin with address mailu.banditlair.com
if failed url https://webmail.banditlair.com/admin/ with timeout 20 seconds then alert
#check host Grafana with address grafana.banditlair.com
# if failed port 443 protocol https with timeout 20 seconds then alert
#check host sonar with address sonar.banditlair.com
# if failed port 443 protocol https with timeout 20 seconds then alert
check host transmission with address transmission.banditlair.com
if failed
port 443
protocol https
status = 401
with timeout 20 seconds
then alert
check host anderia-wiki with address anderia.banditlair.com
if failed port 443 protocol https with timeout 20 seconds then alert
###############################################################################
## Includes
###############################################################################
##
## It is possible to include additional configuration parts from other files or
## directories.
#
# include /etc/monit.d/*
#


@ -1 +0,0 @@
---


@ -1,14 +0,0 @@
FROM nextcloud:21.0.3-fpm
RUN apt-get update && apt-get install -y \
supervisor \
cron \
vim \
&& rm -rf /var/lib/apt/lists/*
RUN mkdir /var/log/supervisord /var/run/supervisord && \
echo "*/15 * * * * su - www-data -s /bin/bash -c \"php -f /var/www/html/cron.php\""| crontab -
COPY supervisord.conf /etc/supervisor/supervisord.conf
CMD ["/usr/bin/supervisord"]


@ -1,23 +0,0 @@
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=debug
[program:php-fpm]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=php-fpm
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=cron -f


@ -1,15 +0,0 @@
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>
# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>


@ -1,15 +0,0 @@
<?php
$CONFIG = array (
"apps_paths" => array (
0 => array (
"path" => OC::$SERVERROOT."/apps",
"url" => "/apps",
"writable" => false,
),
1 => array (
"path" => OC::$SERVERROOT."/custom_apps",
"url" => "/custom_apps",
"writable" => true,
),
),
);


@ -1,10 +0,0 @@
<?php
$CONFIG = array (
'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'redis',
'port' => 6379,
),
);


@ -1,3 +0,0 @@
[mysqld]
innodb_buffer_pool_size=2G


@ -1,81 +0,0 @@
version: '3'
networks:
web:
external:
name: web
services:
web:
build: ./web
volumes:
- /var/lib/nextcloud:/var/www/html:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.backend=nextcloud"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:cloud.banditlair.com"
- "traefik.frontend.headers.customResponseHeaders=Strict-Transport-Security:max-age=15552000; includeSubDomains"
- "traefik.frontend.headers.referrerPolicy=no-referrer"
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.default.protocol=http"
depends_on:
- app
networks:
- web
- default
restart: always
app:
build: ./app
volumes:
- /var/lib/nextcloud:/var/www/html
- ./config:/var/www/html/config
- /data:/media
- /etc/localtime:/etc/localtime:ro
environment:
- NEXTCLOUD_UPDATE=1
depends_on:
- postgres
- redis
restart: always
postgres:
image: postgres:12
volumes:
- /var/lib/postgresql/nextcloud:/var/lib/postgresql/data
- /backups/nextcloud:/backups
- /etc/localtime:/etc/localtime:ro
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
- POSTGRES_PASSWORD=${MYSQL_PASSWORD}
restart: always
redis:
image: redis
restart: always
onlyoffice:
image: onlyoffice/documentserver:latest
stdin_open: true
tty: true
expose:
- 80
labels:
- "traefik.backend=onlyoffice"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:office.banditlair.com"
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.default.protocol=http"
volumes:
- /var/lib/onlyoffice:/var/www/onlyoffice/Data
- /var/log/onlyoffice:/var/log/onlyoffice
networks:
- web
- default
restart: always


@ -1,4 +0,0 @@
FROM nginx
COPY nginx.conf /etc/nginx/nginx.conf


@ -1,160 +0,0 @@
user www-data;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
upstream php-handler {
server app:9000;
}
server {
listen 80;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
root /var/www/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
}
}


@ -1,49 +0,0 @@
---
- name: Copy nextcloud docker files
copy:
src: nextcloud
dest: "{{docker_compose_files_folder}}"
- name: Create .env
template:
src: nextcloud/.env
dest: "{{docker_compose_files_folder}}/nextcloud/.env"
- name: Create nextcloud config
template:
src: nextcloud/config/{{item}}
dest: "{{docker_compose_files_folder}}/nextcloud/config/{{item}}"
with_items:
- base.config.php
- database.config.php
- mail.config.php
- name: Change config folder owner to http
file:
path: "{{docker_compose_files_folder}}/nextcloud/config"
owner: "33"
group: "33"
recurse: yes
- name: Build and start nextcloud docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/nextcloud"
build: yes
pull: yes
state: present
- name: Check if database tables exist
command: docker-compose exec -T postgres psql -U nextcloud nextcloud -c "\dt"
args:
chdir: "{{docker_compose_files_folder}}/nextcloud/"
register: db_tables_exist
retries: 15
delay: 10
until: db_tables_exist is succeeded
changed_when: no
- name: Restore Nextcloud database
command: docker-compose exec -T postgres sh -c "psql -U nextcloud nextcloud < /backups/database.dmp"
args:
chdir: "{{docker_compose_files_folder}}/nextcloud/"
when: db_tables_exist.stdout_lines|length == 0


@ -1,15 +0,0 @@
COMPOSE_PROJECT_NAME=nextcloud
#Domains
CLOUD_DOMAIN=cloud.banditlair.com
COLLABORA_DOMAIN=office.banditlair.com
#Letsencrypt
LETSENCRYPT_EMAIL=banditlair@outlook.com
#MySQL
MYSQL_ROOT_PASSWORD={{nextcloud_mysql_root_password}}
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud
MYSQL_PASSWORD={{nextcloud_mysql_password}}


@ -1,20 +0,0 @@
<?php
$CONFIG = array (
'instanceid' => 'ocbsz7gnyjst',
'passwordsalt' => '{{nextcloud_passwordsalt}}',
'secret' => '{{nextcloud_secret}}',
'trusted_domains' =>
array (
0 => 'localhost',
1 => 'web',
2 => 'cloud.banditlair.com',
),
'datadirectory' => '/var/www/html/data',
'overwrite.cli.url' => 'https://cloud.banditlair.com',
'htaccess.RewriteBase' => '/',
'maintenance' => false,
'updater.release.channel' => 'stable',
'loglevel' => '1',
'filelocking.enabled' => true,
'theme' => '',
);


@ -1,9 +0,0 @@
<?php
$CONFIG = array (
'dbtype' => 'pgsql',
'dbname' => 'nextcloud',
'dbhost' => 'postgres',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'dbpassword' => '{{nextcloud_mysql_password}}'
);


@ -1,13 +0,0 @@
<?php
$CONFIG = array (
'mail_smtpmode' => 'smtp',
'mail_smtpauthtype' => 'PLAIN',
'mail_smtpsecure' => 'ssl',
'mail_smtpauth' => 1,
'mail_from_address' => 'noreply',
'mail_domain' => 'banditlair.com',
'mail_smtphost' => 'mail.banditlair.com',
'mail_smtpport' => '465',
'mail_smtpname' => 'noreply@banditlair.com',
'mail_smtppassword' => '{{email_password}}',
);


@ -1,37 +0,0 @@
#!/bin/bash
# Clear config
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
echo 1 > /proc/sys/net/ipv4/ip_forward
PORTS_TO_FORWARD_TCP_STORAGE="53 80 143 443 2224 3478 8008 8448 27015 64738"
PORTS_TO_FORWARD_UDP_STORAGE="53 34197 64738"
PORTS_TO_FORWARD_TCP_MAIL="25 110 143 465 587 993 995"
DESTINATION_IP_STORAGE="5.9.66.49"
DESTINATION_IP_MAIL="5.9.66.49"
for port in `echo $PORTS_TO_FORWARD_TCP_STORAGE`
do
iptables -t nat -A PREROUTING -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP_STORAGE}
iptables -A FORWARD -d ${DESTINATION_IP_STORAGE}/32 -p tcp -m tcp --dport ${port} -j ACCEPT
done
for port in `echo $PORTS_TO_FORWARD_UDP_STORAGE`
do
iptables -t nat -A PREROUTING -p udp -m udp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP_STORAGE}
iptables -A FORWARD -d ${DESTINATION_IP_STORAGE}/32 -p tcp -m tcp --dport ${port} -j ACCEPT
done
for port in `echo $PORTS_TO_FORWARD_TCP_MAIL`
do
iptables -t nat -A PREROUTING -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP_MAIL}
iptables -A FORWARD -d ${DESTINATION_IP_MAIL}/32 -p tcp -m tcp --dport ${port} -j ACCEPT
done
iptables -t nat -A POSTROUTING -j MASQUERADE


@ -1,7 +0,0 @@
#!/bin/bash
set -e
DESTINATION_HOST=116.203.8.164
rsync -aAvh -e 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 30522' --progress /var/lib/wiki/ root@${DESTINATION_HOST}:/data/wiki --delete


@ -1,17 +0,0 @@
---
- name: Create scripts
template:
src: "{{ item }}"
dest: /root/{{ item }}
mode: 0700
loop:
- dockerComposeAll.sh
- syncData.sh
- updateAll.sh
- name: Create syncDataToK8s.sh
copy:
src: syncDataToK8s.sh
dest: /root/syncDataToK8s.sh
mode: 0700


@ -1,13 +0,0 @@
#!/bin/bash
for dir in {{docker_compose_files_folder}}/*
do
if [ -d ${dir} ]
then
echo "docker-compose $1 ${dir}"
cd "${dir}"
docker-compose $1
echo --------------------------------------------------------------
fi
done;


@ -1,51 +0,0 @@
#!/bin/bash
set -e
SOURCE_HOST=5.9.66.49
#Sync Media
rsync -aAvh --progress root@${SOURCE_HOST}:/data/ /data --delete
#Sync Backups
rsync -aAvh --progress root@${SOURCE_HOST}:/backups/ /backups --delete
#Sync Torrents
mkdir -p {{docker_compose_files_folder}}/torrent
rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/torrent/config/ {{docker_compose_files_folder}}/torrent/config --delete
rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/transmission/ /var/lib/transmission --delete
#Sync emby
mkdir -p {{docker_compose_files_folder}}/emby
rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/emby/config/ {{docker_compose_files_folder}}/emby/config --exclude "transcoding-temp" --delete
#Sync matrix
mkdir -p {{docker_compose_files_folder}}/matrix
mkdir -p /var/lib/matrix
rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/matrix/synapse/ {{docker_compose_files_folder}}/matrix/synapse --delete
rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/matrix/media_store/ /var/lib/matrix/media_store --delete
rsync -aAvh --progress root@${SOURCE_HOST}:/var/log/synapse/ /var/log/synapse --delete
#Sync nextcloud
mkdir -p {{docker_compose_files_folder}}/nextcloud/config
rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/nextcloud/config/ {{docker_compose_files_folder}}/nextcloud/config --delete
rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/nextcloud/ /var/lib/nextcloud --delete
#Sync Wiki
rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/wiki/ /var/lib/wiki --delete
#Sync certificates
mkdir -p {{docker_compose_files_folder}}/traefik/certs/
rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/traefik/certs/ {{docker_compose_files_folder}}/traefik/certs --delete
#Sync factorio
mkdir -p /opt/factorio
rsync -aAvh --progress root@${SOURCE_HOST}:/opt/factorio/ /opt/factorio --delete
#Sync STB wordpress
mkdir -p /var/lib/stb
rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/stb/ /var/lib/stb --delete
rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/stb/ {{docker_compose_files_folder}}/stb --delete
#Sync Mailu
rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/mailu/ /var/lib/mailu --delete


@ -1,16 +0,0 @@
#!/bin/bash
for dir in {{docker_compose_files_folder}}/*
do
if [ -d ${dir} ]
then
echo "Updating ${dir}"
cd "${dir}"
docker-compose pull
[ ${dir} = 'nextcloud' ] && docker-compose build --pull
docker-compose up -d
echo --------------------------------------------------------------
fi
done;


@ -1 +0,0 @@
COMPOSE_PROJECT_NAME=searx


@ -1,23 +0,0 @@
version: '2.2'
networks:
web:
external:
name: web
services:
searx:
image: hoellen/searx
environment:
- BASE_URL="https://banditlair.com"
- IMAGE_PROXY=True
# labels:
# - "traefik.backend=searx"
# - "traefik.docker.network=web"
# - "traefik.frontend.rule=Host:banditlair.com"
# - "traefik.enable=true"
# - "traefik.port=8888"
# - "traefik.default.protocol=http"
networks:
- web
restart: always


@ -1,10 +0,0 @@
---
- name: Copy searx config
copy:
src: searx
dest: "{{docker_compose_files_folder}}"
- name: Start searx docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/searx"
state: present


@ -1,6 +0,0 @@
COMPOSE_PROJECT_NAME=sonar
SONAR_DOMAIN=sonar.banditlair.com
#Letsencrypt
LETSENCRYPT_EMAIL=banditlair@outlook.com


@ -1,43 +0,0 @@
version: '2.2'
networks:
proxy-tier:
external:
name: nginx-proxy
sonarnet:
driver: bridge
services:
sonarqube:
image: sonarqube
expose:
- 9000
environment:
- SONARQUBE_JDBC_URL=jdbc:postgresql://db:5432/sonar
- VIRTUAL_HOST=${SONAR_DOMAIN}
- VIRTUAL_NETWORK=nginx-proxy
- VIRTUAL_PORT=9000
# - LETSENCRYPT_HOST=${SONAR_DOMAIN}
# - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}
volumes:
- ./sonarqube:/opt/sonarqube/conf
- /var/lib/sonarqube/data:/opt/sonarqube/data
- /var/lib/sonarqube/extensions:/opt/sonarqube/extensions
- /var/lib/sonarqube/lib/bundled-plugins:/opt/sonarqube/lib/bundled-plugins
links:
- db
networks:
- sonarnet
- proxy-tier
restart: unless-stopped
db:
image: postgres
environment:
- POSTGRES_USER=sonar
- POSTGRES_PASSWORD=sonar
volumes:
- /var/lib/sonaqube/db:/var/lib/postgresql
networks:
- sonarnet
restart: unless-stopped


@ -1,57 +0,0 @@
version: '3'
networks:
web:
external:
name: web
services:
biathlon:
build: ./biathlon
volumes:
- ./storage:/root/storage
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.backend=biathlon"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:biathlon.societe-de-tir-bertrix.com"
- "traefik.enable=true"
- "traefik.port=8080"
- "traefik.default.protocol=http"
networks:
- web
- default
restart: always
db:
image: mariadb:10.3.8
volumes:
- /var/lib/mariadb/stb:/var/lib/mysql
- /backups/stb:/backups
- /etc/localtime:/etc/localtime:ro
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- MYSQL_DATABASE=${MYSQL_DATABASE}
- MYSQL_USER=${MYSQL_USER}
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
restart: always
wordpress:
image: wordpress:4.9.4-php7.1-apache
volumes:
- /var/lib/stb:/var/www/html
- ./uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
labels:
- "traefik.backend=wordpress"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:societe-de-tir-bertrix.com,www.societe-de-tir-bertrix.com"
- "traefik.frontend.redirect.regex=^https?://societe-de-tir-bertrix.com/(.*)"
- "traefik.frontend.redirect.replacement=https://www.societe-de-tir-bertrix.com/$${1}"
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.default.protocol=http"
depends_on:
- db
networks:
- web
- default
restart: always


@ -1,6 +0,0 @@
file_uploads = On
memory_limit = 64M
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 600


@ -1,41 +0,0 @@
---
- name: Create config folder
file:
state: directory
dest: "{{docker_compose_files_folder}}/stb"
- name: Copy STB docker-compose
copy:
src: docker-compose.yml
dest: "{{docker_compose_files_folder}}/stb/"
- name: Copy php upload config
copy:
src: uploads.ini
dest: "{{docker_compose_files_folder}}/stb/"
- name: Create .env
template:
src: .env
dest: "{{docker_compose_files_folder}}/stb/.env"
- name: Pull and start docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/stb"
state: present
- name: Check if database tables exist
command: docker-compose exec -T db mysql -u stb -p{{stb_mysql_password}} stb -e "show tables;"
args:
chdir: "{{docker_compose_files_folder}}/stb/"
register: db_tables_exist
retries: 15
delay: 10
until: db_tables_exist.rc == 0
changed_when: no
- name: Restore STB database
command: docker-compose exec -T db sh -c "mysql -u stb -p{{stb_mysql_password}} stb < /backups/database.dmp"
args:
chdir: "{{docker_compose_files_folder}}/stb/"
when: db_tables_exist.stdout_lines|length == 0


@ -1,8 +0,0 @@
COMPOSE_PROJECT_NAME=stb
#MySQL
MYSQL_ROOT_PASSWORD={{stb_mysql_root_password}}
MYSQL_DATABASE=stb
MYSQL_USER=stb
MYSQL_PASSWORD={{stb_mysql_password}}


@ -1 +0,0 @@
---


@ -1,173 +0,0 @@
version: '2.2'
networks:
web:
external:
name: web
services:
transmission:
image: haugene/transmission-openvpn:latest
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
volumes:
- /var/lib/transmission:/data
- ./config/transmission:/config
- /data:/media
- /etc/localtime:/etc/localtime:ro
expose:
- 9091
environment:
- OPENVPN_PROVIDER=NORDVPN
- NORDVPN_COUNTRY=DE
- NORDVPN_CATEGORY=legacy_p2p
- NORDVPN_PROTOCOL=udp
- OPENVPN_USERNAME=${VPN_USER}
- OPENVPN_PASSWORD=${VPN_PASS}
- WEBPROXY_ENABLED=false
- LOCAL_NETWORK=172.19.0.0/16
- PUID=33
- PGID=33
- TRANSMISSION_RPC_USERNAME=admin
- TRANSMISSION_RPC_PASSWORD=${TRANSMISSION_RPC_PASSWORD}
dns:
- 208.67.222.222
- 208.67.220.220
labels:
- "traefik.backend=transmission"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:transmission.banditlair.com"
- "traefik.enable=true"
- "traefik.port=9091"
- "traefik.default.protocol=http"
- "traefik.frontend.auth.basic=admin:${TRANSMISSION_BASIC_PASSWORD_HASH}"
restart: always
networks:
- web
sonarr:
image: linuxserver/sonarr
expose:
- 8989
environment:
- PUID=33
- PGID=33
labels:
- "traefik.backend=sonarr"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:sonarr.banditlair.com"
- "traefik.enable=true"
- "traefik.port=8989"
- "traefik.default.protocol=http"
volumes:
- /var/lib/transmission/completed:/downloads
- /var/lib/nzbget/downloads:/nzbget
- ./config/sonarr:/config
- /data/TV:/tv
- /etc/localtime:/etc/localtime:ro
restart: always
networks:
- web
radarr:
image: linuxserver/radarr
expose:
- 7878
environment:
- PUID=33
- PGID=33
labels:
- "traefik.backend=radarr"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:radarr.banditlair.com"
- "traefik.enable=true"
- "traefik.port=7878"
- "traefik.default.protocol=http"
volumes:
- /var/lib/transmission/completed:/downloads
- /var/lib/nzbget/downloads:/nzbget
- ./config/radarr:/config
- /data/Movies:/movies
- /etc/localtime:/etc/localtime:ro
restart: always
networks:
- web
headphones:
image: linuxserver/headphones
expose:
- 8181
environment:
- PUID=33
- PGID=33
labels:
- "traefik.backend=headphones"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:headphones.banditlair.com"
- "traefik.enable=true"
- "traefik.port=8181"
- "traefik.default.protocol=http"
volumes:
- /var/lib/transmission:/data
- ./config/headphones:/config
- /data/Music:/music
- /etc/localtime:/etc/localtime:ro
restart: always
networks:
- web
nzbget:
image: linuxserver/nzbget
expose:
- 6789
environment:
- PUID=33
- PGID=33
labels:
- "traefik.backend=nzbget"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:nzbget.banditlair.com"
- "traefik.enable=true"
- "traefik.port=6789"
- "traefik.default.protocol=http"
volumes:
- /var/lib/nzbget/downloads:/downloads
- ./config/nzbget:/config
- /etc/localtime:/etc/localtime:ro
restart: always
networks:
- web
jackett:
image: linuxserver/jackett
expose:
- 9117
environment:
- PUID=33
- PGID=33
labels:
- "traefik.backend=jackett"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:jackett.banditlair.com"
- "traefik.enable=true"
- "traefik.port=9117"
- "traefik.default.protocol=http"
volumes:
- ./config/jackett:/config
- /etc/localtime:/etc/localtime:ro
restart: always
networks:
- web
flaresolverr:
image: ghcr.io/flaresolverr/flaresolverr:latest
environment:
- LOG_LEVEL=debug
- CAPTCHA_SOLVER=hcaptcha-solver
restart: unless-stopped
networks:
- web


@ -1,13 +0,0 @@
---
- name: Copy torrent docker files
copy:
src: torrent
dest: "{{docker_compose_files_folder}}"
- name: Create torrent .env
template:
src: torrent/.env
dest: "{{docker_compose_files_folder}}/torrent/.env"
- name: Start torrent docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/torrent"
state: present


@ -1,13 +0,0 @@
COMPOSE_PROJECT_NAME=torrent
#VPN
VPN_USER={{deluge_vpn_user}}
VPN_PASS={{deluge_vpn_password}}
VPN_REMOTE=vpn.blackvpn.de
VPN_PORT=443
VPN_PROTOCOL=udp
VPN_PROV=blackvpn_de
#Transmission
TRANSMISSION_RPC_PASSWORD={{transmission_rpc_password}}
TRANSMISSION_BASIC_PASSWORD_HASH={{transmission_rpc_password | password_hash('md5')}}


@ -1,16 +0,0 @@
---
- name: Copy traefik files
template:
src: "{{item}}"
dest: "{{docker_compose_files_folder}}/traefik/{{item}}"
loop:
- .env
- docker-compose.yml
- data/traefik.toml
- name: Create web docker network
community.general.docker_network:
name: web
- name: Start traefik docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/traefik"
state: present


@ -1 +0,0 @@
TRAEFIK_DASHBOARD_PASSWORD_HASH={{traefik_dashboard_password_hash}}


@ -1,53 +0,0 @@
debug = false
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":8080"
# Activate API and Dashboard
[api]
entryPoint = "traefik"
dashboard = true
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
{% if inventory_hostname in (groups['mail']) %}
domain = "mail1.banditlair.com"
{% else %}
domain = "banditlair.com"
{% endif %}
watch = true
exposedbydefault = false
[acme]
email = "letsencrypt.account@banditlair.com"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
KeyType = "RSA4096"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
{% if inventory_hostname in (groups['mail']) %}
main = "mail1.banditlair.com"
{% else %}
main = "banditlair.com"
sans = ["mail.banditlair.com"]
{% endif %}
[accessLog]
filePath = "/var/log/traefik/access.log"


@ -1,38 +0,0 @@
version: '3'
services:
traefik:
container_name: traefik
image: traefik:1.7-alpine
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data:/etc/traefik
- /var/log/traefik:/var/log/traefik
- ./certs/acme.json:/acme.json
labels:
- "traefik.backend=traefik"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:traefik.banditlair.com"
- "traefik.enable=true"
- "traefik.port=8080"
- "traefik.default.protocol=http"
- "traefik.frontend.auth.basic=admin:${TRAEFIK_DASHBOARD_PASSWORD_HASH}"
networks:
- web
restart: always
certdumper:
image: ldez/traefik-certs-dumper:v2.4.1
depends_on:
- traefik
restart: unless-stopped
volumes:
- ./certs:/traefik
command: file --source /traefik/acme.json --dest /traefik/ssl --watch
networks:
web:
external: true


@ -1,25 +0,0 @@
version: '2.2'
networks:
web:
external:
name: web
services:
website-marie:
image: nginx
labels:
- "traefik.backend=website-marie"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:osteopathie.froidmont.org,www.osteopathie.froidmont.org"
- "traefik.frontend.redirect.regex=^https?://www.osteopathie.froidmont.org/(.*)"
- "traefik.frontend.redirect.replacement=https://osteopathie.froidmont.org/$${1}"
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.default.protocol=http"
volumes:
- /var/lib/website-marie:/usr/share/nginx/html:ro
- ./nginx.conf:/etc/nginx/nginx.conf:ro
networks:
- web
restart: always


@ -1,31 +0,0 @@
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
gzip on;
include /etc/nginx/conf.d/*.conf;
}


@ -1,11 +0,0 @@
---
- name: Copy website config
copy:
src: website-marie
dest: "{{docker_compose_files_folder}}"
- name: Start website-marie docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/website-marie"
state: present


@ -1,2 +0,0 @@
COMPOSE_PROJECT_NAME=wiki


@ -1,42 +0,0 @@
version: '2.2'
networks:
web:
external:
name: web
services:
anderia:
image: 'bitnami/dokuwiki:0.20180422.201901061035'
expose:
- 80
volumes:
- '/var/lib/wiki/anderia:/bitnami'
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.backend=anderia"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:anderia.banditlair.com"
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.default.protocol=http"
networks:
- web
restart: always
arkadia:
image: 'bitnami/dokuwiki:0.20180422.201901061035'
expose:
- 80
volumes:
- '/var/lib/wiki/arkadia:/bitnami'
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.backend=arkadia"
- "traefik.docker.network=web"
- "traefik.frontend.rule=Host:arkadia.banditlair.com"
- "traefik.enable=true"
- "traefik.port=80"
- "traefik.default.protocol=http"
networks:
- web
restart: always


@ -1,10 +0,0 @@
---
- name: Copy wiki config
copy:
src: wiki
dest: "{{docker_compose_files_folder}}"
- name: Start wiki docker project
docker_compose:
project_src: "{{docker_compose_files_folder}}/wiki"
state: present