From 86fb8e71c1096fff46d82823274484ad1f233a15 Mon Sep 17 00:00:00 2001 
From: Paul-Henri Froidmont Date: Tue, 5 Nov 2019 03:37:05 +0100 Subject: [PATCH] Migrate to bigger Hetzner server --- dns/banditlair.com.zone | 18 +- playbook.yml | 51 ++++-- production | 8 +- roles/arch-mirror-docker/tasks/main.yml | 8 +- roles/ddns-docker/tasks/main.yml | 2 +- roles/docker/defaults/main.yml | 3 - roles/docker/handlers/main.yml | 5 - roles/docker/tasks/main.yml | 169 ++++++++---------- roles/docker/templates/daemon.json.j2 | 3 - roles/docker/templates/docker.service.j2 | 37 ---- roles/docker/templates/override.conf.j2 | 3 + roles/emby-docker/tasks/main.yml | 8 +- roles/gitlab-docker/tasks/main.yml | 28 ++- .../files/mailu/docker-compose.yml | 10 +- .../files/mailu/overrides/postfix.cf | 1 - roles/mailu-docker/tasks/main.yml | 12 +- roles/mailu-docker/templates/mailu/.env | 4 +- .../files/matrix/docker-compose.yml | 2 + roles/matrix-docker/tasks/main.yml | 8 +- roles/monit/templates/monitrc | 2 +- roles/murmur-docker/tasks/main.yml | 18 +- roles/nextcloud-docker/tasks/main.yml | 16 +- roles/scripts/files/proxyFirewall.sh | 29 +-- roles/scripts/templates/syncData.sh | 16 +- roles/searx-docker/tasks/main.yml | 9 +- roles/stb-wordpress-docker/tasks/main.yml | 8 +- roles/torrent-docker/tasks/main.yml | 4 +- roles/traefik-proxy-docker/tasks/main.yml | 16 +- .../templates/{traefik => }/.env | 2 +- .../traefik => templates}/data/traefik.toml | 9 + .../traefik => templates}/docker-compose.yml | 2 +- roles/wiki-docker/tasks/main.yml | 9 +- 32 files changed, 294 insertions(+), 226 deletions(-) delete mode 100644 roles/docker/templates/daemon.json.j2 delete mode 100644 roles/docker/templates/docker.service.j2 create mode 100644 roles/docker/templates/override.conf.j2 rename roles/traefik-proxy-docker/templates/{traefik => }/.env (94%) rename roles/traefik-proxy-docker/{files/traefik => templates}/data/traefik.toml (79%) rename roles/traefik-proxy-docker/{files/traefik => templates}/docker-compose.yml (91%) 
diff --git a/dns/banditlair.com.zone b/dns/banditlair.com.zone index 8cf8637..dc9ed1c 100644 --- a/dns/banditlair.com.zone +++ b/dns/banditlair.com.zone @@ -6,21 +6,25 @@ banditlair.com. 86400 IN NS ns0.online.net. banditlair.com. 86400 IN NS ns1.online.net. ; Custom DNS server +ns.banditlair.com. 600 IN A 144.76.18.197 ddns.banditlair.com. 3600 IN NS ns.banditlair.com. -ns.banditlair.com. 600 IN A 5.9.66.49 - ; Main domain -banditlair.com. 86400 IN A 5.9.66.49 -www.banditlair.com. 86400 IN CNAME banditlair.com. -storage1 600 IN A 5.9.66.49 -*.banditlair.com. 600 IN CNAME banditlair.com. +banditlair.com. 600 IN A 144.76.18.197 +www.banditlair.com. 600 IN CNAME banditlair.com. +storage1 600 IN A 144.76.18.197 +*.banditlair.com. 600 IN CNAME banditlair.com. + +; Avoid the proxy for Emby to keep maximum bandwidth +emby 600 IN A 144.76.18.197 ; Matrix special record banditlair.com.banditlair.com. 86400 IN SRV 12 10 8448 matrix.banditlair.com. ; Mail server related records -mail2 86400 IN A 5.9.66.49 +;webmail 86400 IN A 144.76.18.197 +;mail 86400 IN A 78.47.38.125 +;mail2 86400 IN A 144.76.18.197 banditlair.com. 86400 IN MX 20 mail2.banditlair.com. banditlair.com. 86400 IN MX 12 mail.banditlair.com. banditlair.com. 600 IN TXT "v=spf1 mx -all" diff --git a/playbook.yml b/playbook.yml index 3afb7dc..3ce8eea 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,11 +1,10 @@ --- -- hosts: all +- hosts: storage become: true vars: - docker_compose_files_folder_previous_server: /etc/images + docker_compose_files_folder_previous_server: /etc/compose docker_compose_files_folder: /etc/compose domain_name: banditlair.com - docker_version: 18.06.* sub_domains: - rpg roles: 
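Review bot: After this hunk neither MX target has an address record — `mail` and `mail2` are commented out (`;mail 86400 IN A 78.47.38.125`, `;mail2 86400 IN A 144.76.18.197`) while `MX 12 mail.banditlair.com.` and `MX 20 mail2.banditlair.com.` remain — so both names now fall through the `*.banditlair.com. 600 IN CNAME banditlair.com.` wildcard to 144.76.18.197, the storage host, rather than the mail host this commit introduces. An MX target is required to be a name with an A/AAAA record, not a CNAME (RFC 2181 §10.3), and `v=spf1 mx -all` then authorises the storage host to send as the domain instead of the mail host. Restore explicit A records for the MX targets pointing at the mail server; note that the commented `mail` line says 78.47.38.125 while `production` registers `mail1` at 78.47.116.71, so one of those two values is stale and should be reconciled before the records go live.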
@@ -13,18 +12,38 @@ - { role: scripts, tags: [ 'scripts' ] } - { role: daily-backup, tags: [ 'backup' ] } - { role: docker, tags: [ 'docker' ] } - - { role: murmur-docker, tags: [ 'murmur', 'docker' ] } - - { role: searx-docker, tags: [ 'searx', 'docker' ] } - - { role: wiki-docker, tags: [ 'wiki', 'docker' ] } - - { role: emby-docker, tags: [ 'emby', 'docker' ] } - - { role: gitlab-docker, tags: [ 'gitlab', 'docker' ] } - - { role: mailu-docker, tags: [ 'mailu', 'docker' ] } - - { role: nextcloud-docker, tags: [ 'nextcloud', 'docker' ] } - - { role: matrix-docker, tags: [ 'matrix', 'docker' ] } - - { role: torrent-docker, tags: [ 'torrent', 'docker' ] } + - { role: murmur-docker, tags: [ 'murmur' ] } + - { role: searx-docker, tags: [ 'searx' ] } + - { role: wiki-docker, tags: [ 'wiki' ] } + - { role: emby-docker, tags: [ 'emby' ] } + - { role: gitlab-docker, tags: [ 'gitlab' ] } + - { role: nextcloud-docker, tags: [ 'nextcloud' ] } + - { role: matrix-docker, tags: [ 'matrix' ] } + - { role: torrent-docker, tags: [ 'torrent' ] } - { role: monit, tags: [ 'monit' ] } - - { role: stb-wordpress-docker, tags: [ 'stb', 'docker' ] } - - { role: invidious-docker, tags: [ 'invidious', 'docker' ] } - - { role: traefik-proxy-docker, tags: [ 'traefik', 'docker' ] } - - { role: ddns-docker, tags: [ 'ddns', 'docker' ] } + - { role: stb-wordpress-docker, tags: [ 'stb' ] } + - { role: invidious-docker, tags: [ 'invidious' ] } + - { role: traefik-proxy-docker, tags: [ 'traefik' ] } + - { role: ddns-docker, tags: [ 'ddns' ] } + - role: mailu-docker + tags: [ 'mailu' ] +- hosts: mail + become: true + vars: + docker_compose_files_folder_previous_server: /etc/compose + docker_compose_files_folder: /etc/compose + domain_name: banditlair.com + sub_domains: + - rpg + roles: + - role: scripts + tags: [ 'scripts' ] + - role: daily-backup + tags: [ 'backup' ] + - role: docker + tags: [ 'docker' ] + - role: mailu-docker + tags: [ 'mailu' ] + - role: traefik-proxy-docker + tags: [ 'traefik' ] 
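Review bot: The `storage` play still ends with `- role: mailu-docker` / `tags: [ 'mailu' ]` while the new `mail` play also runs that role, so Mailu — which listens on `BIND_ADDRESS4=0.0.0.0` per the role's `.env` — would be brought up on both hosts. If the storage host is meant to stay the secondary MX (the zone hunk's commented `;mail2 ... 144.76.18.197` hints at that), a comment on the role entry saying so would help; if not, drop it from the `storage` play, since `syncData.sh` and `proxyFirewall.sh` in this commit treat mail as belonging to the `mail` group only. The `vars:` block is repeated verbatim in both plays; a `group_vars/all.yml` would keep the two from drifting apart.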
diff --git a/production b/production index 89447bc..735efb1 100644 --- a/production +++ b/production @@ -1,2 +1,8 @@ #195.154.134.7 ansible_user=root -5.9.66.49 ansible_user=root ansible_python_interpreter=/usr/bin/python3 +#5.9.66.49 ansible_user=root ansible_python_interpreter=/usr/bin/python3 + +[storage] +storage1 ansible_user=root ansible_python_interpreter=/usr/bin/python3 ansible_host=144.76.18.197 + +[mail] +mail1 ansible_user=root ansible_python_interpreter=/usr/bin/python3 ansible_host=78.47.116.71 diff --git a/roles/arch-mirror-docker/tasks/main.yml b/roles/arch-mirror-docker/tasks/main.yml index f1d15b3..71c6970 100644 --- a/roles/arch-mirror-docker/tasks/main.yml +++ b/roles/arch-mirror-docker/tasks/main.yml @@ -14,6 +14,10 @@ job: "/home/claude/syncArchRepo.sh" user: claude - name: Copy Arch Linux mirror config - copy: src=arch-mirror dest={{docker_compose_files_folder}} + copy: + src: arch-mirror + dest: "{{docker_compose_files_folder}}" - name: Start Arch mirror project - docker_service: project_src={{docker_compose_files_folder}}/arch-mirror state=present + docker_compose: + project_src: "{{docker_compose_files_folder}}/arch-mirror" + state: present diff --git a/roles/ddns-docker/tasks/main.yml b/roles/ddns-docker/tasks/main.yml index 312d323..2f70377 100644 --- a/roles/ddns-docker/tasks/main.yml +++ b/roles/ddns-docker/tasks/main.yml @@ -5,6 +5,6 @@ dest: "{{docker_compose_files_folder}}" - name: Start ddns docker project - docker_service: + docker_compose: project_src: "{{docker_compose_files_folder}}/ddns" state: present diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index a40ef61..ea5c3d3 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -2,6 +2,3 @@ docker_apt_key: https://download.docker.com/linux/ubuntu/gpg docker_apt_repository: https://download.docker.com/linux/ubuntu # Choose 'edge' 'stable' or 'testing' for docker channel docker_apt_channel: stable -# Docker daemon config file -docker_daemon_config: /etc/docker/daemon.json -docker_version: 18.06.* diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 27417b0..27f9043 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -1,10 +1,5 @@ --- -- name: reload systemd - command: systemctl daemon-reload - - name: restart docker systemd: name: docker state: restarted - - diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index ba5cb71..0baa57c 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
@@ -1,107 +1,94 @@ --- -- name: Docker installation for Ubuntu distribution - block: +- name: Ensure docker packages are not present + apt: + state: absent + name: ['docker', 'docker-engine', 'docker.io'] - - name: Ensure docker packages are not present - apt: - state: absent - name: ['docker', 'docker-engine', 'docker.io'] +- name: Install docker package dependencies + apt: + state: latest + name: ['apt-transport-https', 'ca-certificates'] + update_cache: yes + cache_valid_time: 86400 + register: result + retries: 3 + until: result is success - - name: Install docker package dependencies - apt: - state: latest - name: ['apt-transport-https', 'ca-certificates', 'curl', 'software-properties-common'] - update_cache: yes - cache_valid_time: 86400 - register: result - retries: 3 - until: result is success +- name: Adding Docker official gpg key + apt_key: + url: "{{ docker_apt_key }}" + id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 + state: present - - name: Adding Docker official gpg key - apt_key: - url: "{{ docker_apt_key }}" - state: present +- name: Setting Docker repository depending on arch + set_fact: + docker_repository: "deb [arch={{ item.apt_arch }}] {{ docker_apt_repository }} {{ ansible_distribution_release }} {{ docker_apt_channel }}" + when: ansible_architecture == item.system_arch + with_items: + - { system_arch: 'x86_64', apt_arch: 'amd64' } + - { system_arch: 'arm', apt_arch: 'armhf' } - - name: Setting Docker repository depending on arch - set_fact: - docker_repository: "deb [arch={{ item.apt_arch }}] {{ docker_apt_repository }} {{ ansible_distribution_release }} {{ docker_apt_channel }}" - when: ansible_architecture == item.system_arch - with_items: - - { system_arch: 'x86_64', apt_arch: 'amd64' } - - { system_arch: 'arm', apt_arch: 'armhf' } +- name: Printing Docker repository + debug: + var: docker_repository - - name: Printing Docker repository - debug: - var: docker_repository +- name: Adding Docker repository + apt_repository: + repo: "{{ 
docker_repository }}" + state: present + update_cache: true - - name: Adding Docker repository - apt_repository: - repo: "{{ docker_repository }}" - state: present - filename: 'docker' +- name: Install Docker. + package: + name: docker-ce + state: present + notify: restart docker - - name: Explicitly create docker0 - shell: | - ip link add name docker0 type bridge || true - ip addr add dev docker0 172.17.0.1/16 || true - changed_when: no +- name: Ensure containerd service dir exists. + file: + path: /etc/systemd/system/containerd.service.d + state: directory - - name: Install docker-ce - apt: - name: docker-ce={{ docker_version }} - update_cache: yes - register: result - retries: 3 - until: result is success +- name: Add shim to ensure Docker can start in all environments. + template: + src: override.conf.j2 + dest: /etc/systemd/system/containerd.service.d/override.conf + register: override_template - - name: Pin docker-ce release - copy: - dest: /etc/apt/preferences.d/docker-ce - content: | - Package: docker-ce - Pin: version {{ docker_version }} - Pin-Priority: 1002 +- name: Reload systemd daemon if template is changed. + systemd: + daemon_reload: true + when: override_template is changed - - name: Fixing systemd unit for Docker config file - template: - src: docker.service.j2 - dest: /lib/systemd/system/docker.service - notify: reload systemd +- name: Ensure Docker is started and enabled at boot. + service: + name: docker + state: started + enabled: true - - name: Create docker config directory - file: - path: /etc/docker - mode: 0700 - recurse: yes +- name: Ensure handlers are notified now to avoid firewall conflicts. 
+ meta: flush_handlers - - name: Templating /etc/docker/daemon.json - template: - src: daemon.json.j2 - dest: /etc/docker/daemon.json - notify: restart docker +- name: Install python3-pip + apt: + name: python3-pip + state: latest + cache_valid_time: 86400 + register: result + retries: 3 + until: result is success - - name: Flushing handlers 2 - meta: flush_handlers - - name: Getting Docker version - shell: "docker --version" - register: docker_version - changed_when: no +- name: Install docker-compose package dependencies + apt: + state: latest + name: python3-setuptools + update_cache: yes + cache_valid_time: 86400 + register: result + retries: 3 + until: result is success - - name: Install python3-pip - apt: - name: python3-pip - state: latest - cache_valid_time: 3600 - register: result - retries: 3 - until: result is success - - - name: Install docker-compose - pip: - name: docker-compose - - - name: Printing Docker version - debug: var=docker_version - - when: ansible_distribution == "Ubuntu" +- name: Install docker-compose + pip: + name: docker-compose diff --git a/roles/docker/templates/daemon.json.j2 b/roles/docker/templates/daemon.json.j2 deleted file mode 100644 index 252f473..0000000 --- a/roles/docker/templates/daemon.json.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{ - "experimental": true -} diff --git a/roles/docker/templates/docker.service.j2 b/roles/docker/templates/docker.service.j2 deleted file mode 100644 index 0c0a3ab..0000000 --- a/roles/docker/templates/docker.service.j2 +++ /dev/null 
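Review bot: `pip: name: docker-compose` at the end of the hunk installs whatever PyPI currently serves, as root, with no `version:` and no hash pinning, and the same hunk drops the `docker-ce={{ docker_version }}` pin in favour of `package: name: docker-ce state: present`, so two runs of the role can produce different engine and compose versions. Pin both (`version: "<PINNED_VERSION>"` on the pip task, and a versioned package name or apt preference for docker-ce) so the migration is reproducible and a later compromised release cannot be pulled in silently. Adding `id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88` to `apt_key` is the right move. One thing worth a comment on the `flush_handlers` task: dockerd manages iptables itself with the stock unit, so ports published with `-p` are reachable regardless of host INPUT rules (the deleted unit's `DOCKER_OPTS=--iptables=false` was never referenced by its `ExecStart`, so this appears to have been the case before as well).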
@@ -1,37 +0,0 @@
-[Unit]
-Description=Docker Application Container Engine
-Documentation=https://docs.docker.com
-After=network-online.target docker.socket firewalld.service
-Wants=network-online.target
-Requires=docker.socket
-
-[Service]
-Type=notify
-# the default is not to use systemd for cgroups because the delegate issues still
-# exists and systemd currently does not support the cgroup feature set required
-# for containers run by docker
-ExecStart=/usr/bin/dockerd --config-file {{ docker_daemon_config }} -H fd://
-ExecReload=/bin/kill -s HUP $MAINPID
-LimitNOFILE=1048576
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNPROC=infinity
-LimitCORE=infinity
-# Uncomment TasksMax if your systemd version supports it.
-# Only systemd 226 and above support this version.
-TasksMax=infinity
-TimeoutStartSec=0
-# set delegate yes so that systemd does not reset the cgroups of docker containers
-Delegate=yes
-# kill only the docker process, not all processes in the cgroup
-KillMode=process
-# restart the docker process if it exits prematurely
-Restart=on-failure
-StartLimitBurst=3
-StartLimitInterval=60s
-Environment="NO_PROXY=https://cp-par1.scaleway.com,https://cp-ams1.scaleway.com,https://account.scaleway.com,http://169.254.42.42,192.168.66.0/24"
-Environment="DOCKER_OPTS=--iptables=false --ip-masq=false"
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/roles/docker/templates/override.conf.j2 b/roles/docker/templates/override.conf.j2
new file mode 100644
index 0000000..adab53c
--- /dev/null
+++ b/roles/docker/templates/override.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+[Service]
+ExecStartPre=
diff --git a/roles/emby-docker/tasks/main.yml b/roles/emby-docker/tasks/main.yml
index 5807eb5..7f864a5 100644
--- a/roles/emby-docker/tasks/main.yml
+++ b/roles/emby-docker/tasks/main.yml
@@ -1,5 +1,9 @@ --- - name: Copy emby config - copy: src=emby dest={{docker_compose_files_folder}} + copy: + src: emby + dest: "{{docker_compose_files_folder}}" - name: Start emby docker project - docker_service: project_src={{docker_compose_files_folder}}/emby state=present \ No newline at end of file + docker_compose: + project_src: "{{docker_compose_files_folder}}/emby" + state: present diff --git a/roles/gitlab-docker/tasks/main.yml b/roles/gitlab-docker/tasks/main.yml index bbfdd2e..6455a00 100644 --- a/roles/gitlab-docker/tasks/main.yml +++ b/roles/gitlab-docker/tasks/main.yml 
@@ -1,27 +1,45 @@ --- - name: Copy docker-compose.yml - copy: src=gitlab dest={{docker_compose_files_folder}} + copy: + src: gitlab + dest: "{{docker_compose_files_folder}}" + - name: Create gitlab config folder - file: dest={{docker_compose_files_folder}}/gitlab/config state=directory + file: + dest: "{{docker_compose_files_folder}}/gitlab/config" + state: directory + - name: Create gitlab config - template: src=gitlab/config/gitlab.rb dest={{docker_compose_files_folder}}/gitlab/config/gitlab.rb + template: + src: gitlab/config/gitlab.rb + dest: "{{docker_compose_files_folder}}/gitlab/config/gitlab.rb" + - name: Start gitlab docker project - docker_service: project_src={{docker_compose_files_folder}}/gitlab state=present + docker_compose: + project_src: "{{docker_compose_files_folder}}/gitlab" + state: present + - name: Find Gitlab user repositories - find: paths=/var/lib/gitlab/git-data/repositories/ file_type=directory patterns="*" + find: + paths: /var/lib/gitlab/git-data/repositories/ + file_type: directory + patterns: "*" register: gitlab_users_repos + - name: Get Gitlab git user id command: docker-compose exec -T gitlab id -u git args: chdir: "{{docker_compose_files_folder}}/gitlab/" register: gitlab_git_uid when: gitlab_users_repos.matched|int == 0 + - name: Wait for Gitlab to be installed wait_for: path: /var/lib/gitlab/postgres-exporter/ state: present timeout: 600 when: gitlab_users_repos.matched|int == 0 + - name: Restore backup if no users are found script: restore-backup.sh {{gitlab_git_uid.stdout}} register: gitlab_backup_restore diff --git a/roles/mailu-docker/files/mailu/docker-compose.yml b/roles/mailu-docker/files/mailu/docker-compose.yml index 81124db..0eab31c 100644 --- a/roles/mailu-docker/files/mailu/docker-compose.yml +++ b/roles/mailu-docker/files/mailu/docker-compose.yml @@ -9,7 +9,7 @@ networks: ipam: driver: default config: - - subnet: 172.22.0.0/16 + - subnet: 192.168.64.0/20 services: front: 
@@ -53,7 +53,7 @@ services: env_file: .env networks: default: - ipv4_address: 172.22.255.254 + ipv4_address: 192.168.64.254 admin: image: mailu/admin:$VERSION @@ -87,7 +87,7 @@ services: - front - resolver dns: - - 172.22.255.254 + - 192.168.64.254 antispam: image: mailu/rspamd:$VERSION @@ -101,7 +101,7 @@ services: - front - resolver dns: - - 172.22.255.254 + - 192.168.64.254 fetchmail: image: mailu/fetchmail:$VERSION @@ -110,7 +110,7 @@ services: depends_on: - resolver dns: - - 172.22.255.254 + - 192.168.64.254 webmail: image: mailu/rainloop diff --git a/roles/mailu-docker/files/mailu/overrides/postfix.cf b/roles/mailu-docker/files/mailu/overrides/postfix.cf index 1ee454c..f42f76e 100644 --- a/roles/mailu-docker/files/mailu/overrides/postfix.cf +++ b/roles/mailu-docker/files/mailu/overrides/postfix.cf @@ -1,2 +1 @@ - #debug_peer_list = 172.22.0.1 diff --git a/roles/mailu-docker/tasks/main.yml b/roles/mailu-docker/tasks/main.yml index c8d13c3..61dad85 100644 --- a/roles/mailu-docker/tasks/main.yml +++ b/roles/mailu-docker/tasks/main.yml @@ -1,7 +1,13 @@ --- - name: Copy mailu config - copy: src=mailu dest={{docker_compose_files_folder}} + copy: + src: mailu + dest: "{{docker_compose_files_folder}}" - name: Create mailu config - template: src=mailu/.env dest={{docker_compose_files_folder}}/mailu/.env + template: + src: mailu/.env + dest: "{{docker_compose_files_folder}}/mailu/.env" - name: Start mailu docker project - docker_service: project_src={{docker_compose_files_folder}}/mailu state=present + docker_compose: + project_src: "{{docker_compose_files_folder}}/mailu" + state: present diff --git a/roles/mailu-docker/templates/mailu/.env b/roles/mailu-docker/templates/mailu/.env index 9f147d7..b0b72ac 100644 --- a/roles/mailu-docker/templates/mailu/.env +++ b/roles/mailu-docker/templates/mailu/.env 
@@ -17,7 +17,7 @@ SECRET_KEY={{mailu_secret_key}} BIND_ADDRESS4=0.0.0.0 # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external! -SUBNET=172.22.0.0/16 +SUBNET=192.168.64.0/20 # Main mail domain DOMAIN=banditlair.com @@ -64,7 +64,7 @@ MESSAGE_SIZE_LIMIT=50000000 # Networks granted relay permissions # Use this with care, all hosts in this networks will be able to send mail without authentication! -RELAYNETS=172.22.0.0/16 +RELAYNETS=192.168.64.0/20 # Will relay all outgoing mails if configured RELAYHOST= diff --git a/roles/matrix-docker/files/matrix/docker-compose.yml b/roles/matrix-docker/files/matrix/docker-compose.yml index fc6cbb5..d9f6e66 100644 --- a/roles/matrix-docker/files/matrix/docker-compose.yml +++ b/roles/matrix-docker/files/matrix/docker-compose.yml @@ -33,6 +33,8 @@ services: - /var/log/synapse:/data/log - ./synapse:/data - /etc/localtime:/etc/localtime:ro + depends_on: + - db networks: - matrix - web diff --git a/roles/matrix-docker/tasks/main.yml b/roles/matrix-docker/tasks/main.yml index f3a2c39..6110faf 100644 --- a/roles/matrix-docker/tasks/main.yml +++ b/roles/matrix-docker/tasks/main.yml @@ -3,13 +3,16 @@ copy: src: matrix dest: "{{docker_compose_files_folder}}" + - name: Create matrix-network docker network docker_network: name: matrix-network + - name: Start matrix docker project - docker_service: + docker_compose: project_src: "{{docker_compose_files_folder}}/matrix" state: present + - name: Wait for database to start and count matrix users shell: docker-compose exec -T db psql -U synapse synapse -c "select count(*) from users;" -t args: 
@@ -18,8 +21,9 @@ until: matrix_users_count.rc == 0 retries: 10 changed_when: false + - name: Restore Matrix database if needed command: docker-compose exec -T db sh -c "psql -U synapse synapse < /backups/database.dmp" args: chdir: "{{docker_compose_files_folder}}/matrix/" - when: matrix_users_count.stdout|int == 0 \ No newline at end of file + when: matrix_users_count.stdout|int == 0 diff --git a/roles/monit/templates/monitrc b/roles/monit/templates/monitrc index 3d7c574..30f7ac8 100755 --- a/roles/monit/templates/monitrc +++ b/roles/monit/templates/monitrc @@ -352,7 +352,7 @@ check host transmission with address transmission.banditlair.com with timeout 20 seconds then alert -check host rpg-wiki with address rpg.banditlair.com +check host anderia-wiki with address anderia.banditlair.com if failed port 443 protocol https with timeout 20 seconds then alert ############################################################################### ## Includes diff --git a/roles/murmur-docker/tasks/main.yml b/roles/murmur-docker/tasks/main.yml index c777ca8..0b319cb 100644 --- a/roles/murmur-docker/tasks/main.yml +++ b/roles/murmur-docker/tasks/main.yml @@ -1,9 +1,19 @@ --- - name: Copy murmur config - copy: src=murmur dest={{docker_compose_files_folder}} + copy: + src: murmur + dest: "{{docker_compose_files_folder}}" - name: Create murmur data folder - file: dest=/var/lib/murmur state=directory + file: + dest: /var/lib/murmur + state: directory - name: Copy murmur database - copy: src=/backups/murmur/murmur.sqlite dest=/var/lib/murmur/ force=no remote_src=yes + copy: + src: /backups/murmur/murmur.sqlite + dest: /var/lib/murmur/ + force: no + remote_src: yes - name: Start murmur docker project - docker_service: project_src={{docker_compose_files_folder}}/murmur state=present \ No newline at end of file + docker_compose: + project_src: "{{docker_compose_files_folder}}/murmur" + state: present \ No newline at end of file 
diff --git a/roles/nextcloud-docker/tasks/main.yml b/roles/nextcloud-docker/tasks/main.yml index eef3782..a79ab9b 100644 --- a/roles/nextcloud-docker/tasks/main.yml +++ b/roles/nextcloud-docker/tasks/main.yml @@ -3,10 +3,12 @@ copy: src: nextcloud dest: "{{docker_compose_files_folder}}" + - name: Create .env template: src: nextcloud/.env dest: "{{docker_compose_files_folder}}/nextcloud/.env" + - name: Create nextcloud config template: src: nextcloud/config/{{item}} @@ -15,20 +17,23 @@ - base.config.php - database.config.php - mail.config.php + - name: Change config folder owner to http file: path: "{{docker_compose_files_folder}}/nextcloud/config" - owner: 33 - group: 33 + owner: "33" + group: "33" recurse: yes + - name: Build and start nextcloud docker project - docker_service: + docker_compose: project_src: "{{docker_compose_files_folder}}/nextcloud" build: yes pull: yes state: present + - name: Check if database tables exist - command: docker-compose exec -T db mysql -u nextcloud -p{{nextcloud_mysql_password}} nextcloud -e "show tables;" + command: docker-compose exec -T postgres psql -U nextcloud nextcloud -c "\dt" args: chdir: "{{docker_compose_files_folder}}/nextcloud/" register: db_tables_exist @@ -36,8 +41,9 @@ delay: 10 until: db_tables_exist.rc == 0 changed_when: no + - name: Restore Nextcloud database - command: docker-compose exec -T db sh -c "mysql -u nextcloud -p{{nextcloud_mysql_password}} nextcloud < /backups/database.dmp" + command: docker-compose exec -T postgres sh -c "psql -U nextcloud nextcloud < /backups/database.dmp" args: chdir: "{{docker_compose_files_folder}}/nextcloud/" when: db_tables_exist.stdout_lines|length == 0 diff --git a/roles/scripts/files/proxyFirewall.sh b/roles/scripts/files/proxyFirewall.sh index 4719d15..5c342c1 100644 --- a/roles/scripts/files/proxyFirewall.sh +++ b/roles/scripts/files/proxyFirewall.sh 
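Review bot: The restore guard `when: db_tables_exist.stdout_lines|length == 0` now relies on `psql -c "\dt"` producing empty stdout for a database with no tables; as far as I can tell psql reports "Did not find any relations." on stderr, so the check holds, but that is non-obvious enough to deserve a comment on the task, e.g. `# psql prints the "no relations" notice on stderr, so empty stdout == no tables yet`. Switching to `psql -U nextcloud` also takes the database password off the command line (the old `mysql -p{{nextcloud_mysql_password}}` form exposed it in process listings and Ansible logs); the stb role, visible as context in its hunk, still uses that form and could get the same treatment via `MYSQL_PWD` in `environment:` or a defaults file. The task list continues outside the hunk.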
@@ -9,20 +9,29 @@ iptables -X echo 1 > /proc/sys/net/ipv4/ip_forward -PORTS_TO_FORWARD_TCP="25 53 80 110 143 443 465 587 993 995 2224 3478 8008 8448 27015 64738" -PORTS_TO_FORWARD_UDP="53 34197 64738" -#DESTINATION_IP="212.83.165.111" -DESTINATION_IP="5.9.66.49" +PORTS_TO_FORWARD_TCP_STORAGE="53 80 143 443 2224 3478 8008 8448 27015 64738" +PORTS_TO_FORWARD_UDP_STORAGE="53 34197 64738" +PORTS_TO_FORWARD_TCP_MAIL="25 110 143 465 587 993 995" -for port in `echo $PORTS_TO_FORWARD_TCP` +DESTINATION_IP_STORAGE="5.9.66.49" +DESTINATION_IP_MAIL="5.9.66.49" + +for port in `echo $PORTS_TO_FORWARD_TCP_STORAGE` do - iptables -t nat -A PREROUTING -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP} - iptables -A FORWARD -d ${DESTINATION_IP}/32 -p tcp -m tcp --dport ${port} -j ACCEPT + iptables -t nat -A PREROUTING -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP_STORAGE} + iptables -A FORWARD -d ${DESTINATION_IP_STORAGE}/32 -p tcp -m tcp --dport ${port} -j ACCEPT done -for port in `echo $PORTS_TO_FORWARD_UDP` +for port in `echo $PORTS_TO_FORWARD_UDP_STORAGE` do - iptables -t nat -A PREROUTING -p udp -m udp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP} - iptables -A FORWARD -d ${DESTINATION_IP}/32 -p tcp -m tcp --dport ${port} -j ACCEPT + iptables -t nat -A PREROUTING -p udp -m udp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP_STORAGE} + iptables -A FORWARD -d ${DESTINATION_IP_STORAGE}/32 -p tcp -m tcp --dport ${port} -j ACCEPT done + +for port in `echo $PORTS_TO_FORWARD_TCP_MAIL` +do + iptables -t nat -A PREROUTING -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${DESTINATION_IP_MAIL} + iptables -A FORWARD -d ${DESTINATION_IP_MAIL}/32 -p tcp -m tcp --dport ${port} -j ACCEPT +done + iptables -t nat -A POSTROUTING -j MASQUERADE diff --git a/roles/scripts/templates/syncData.sh b/roles/scripts/templates/syncData.sh index 8e107bf..c45cc79 100644 --- a/roles/scripts/templates/syncData.sh 
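Review bot: Port 143 is listed in both `PORTS_TO_FORWARD_TCP_STORAGE` and `PORTS_TO_FORWARD_TCP_MAIL`, and because the storage loop appends its PREROUTING DNAT rules first, IMAP on 143 will always be sent to `DESTINATION_IP_STORAGE`; remove it from the storage list (`PORTS_TO_FORWARD_TCP_STORAGE="53 80 443 2224 3478 8008 8448 27015 64738"`). The FORWARD rule inside the UDP loop still says `-p tcp -m tcp`, so UDP 53/34197/64738 are DNATed but only pass if the FORWARD policy is already open; it should read `iptables -A FORWARD -d ${DESTINATION_IP_STORAGE}/32 -p udp -m udp --dport ${port} -j ACCEPT`. Both `DESTINATION_IP_STORAGE` and `DESTINATION_IP_MAIL` are set to 5.9.66.49, the address the rest of this commit retires in favour of 144.76.18.197 and 78.47.116.71; presumably these are placeholders until cutover, but a comment saying so would prevent the split from being mistaken for done.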
+++ b/roles/scripts/templates/syncData.sh @@ -2,10 +2,11 @@ set -e -SOURCE_HOST=195.154.134.7 +SOURCE_HOST=5.9.66.49 +{% if inventory_hostname in (groups['storage']) %} #Sync Media -rsync -aAvh --progress root@${SOURCE_HOST}:/media/ /data --delete +rsync -aAvh --progress root@${SOURCE_HOST}:/data/ /data --delete #Sync Backups rsync -aAvh --progress root@${SOURCE_HOST}:/backups/ /backups --delete @@ -19,14 +20,12 @@ rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/transmission/ /var/lib/trans mkdir -p {{docker_compose_files_folder}}/emby rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/emby/config/ {{docker_compose_files_folder}}/emby/config --exclude "transcoding-temp" --delete -#Sync Mailu -rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/mailu/ /var/lib/mailu --delete - #Sync matrix mkdir -p {{docker_compose_files_folder}}/matrix mkdir -p /var/lib/matrix rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/matrix/synapse/ {{docker_compose_files_folder}}/matrix/synapse --delete rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/matrix/media_store/ /var/lib/matrix/media_store --delete +rsync -aAvh --progress root@${SOURCE_HOST}:/var/log/synapse/ /var/log/synapse --delete #Sync nextcloud mkdir -p {{docker_compose_files_folder}}/nextcloud/config @@ -47,3 +46,10 @@ rsync -aAvh --progress root@${SOURCE_HOST}:/opt/factorio/ /opt/factorio --delete #Sync STB wordpress mkdir -p /var/lib/stb rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/stb/ /var/lib/stb --delete +rsync -aAvh --progress root@${SOURCE_HOST}:{{docker_compose_files_folder_previous_server}}/stb/ {{docker_compose_files_folder}}/stb --delete +{% endif %} + +{% if inventory_hostname in (groups['mail']) %} +#Sync Mailu +rsync -aAvh --progress root@${SOURCE_HOST}:/var/lib/mailu/ /var/lib/mailu --delete +{% endif %} 
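Review bot: `inventory_hostname in (groups['storage'])` and `inventory_hostname in (groups['mail'])` in the new Jinja conditionals fail at render time under Ansible's default strict undefined handling if the inventory in use lacks either group (the `production` file defines both, but an ad-hoc or partial inventory will not); `groups.get('storage', [])` / `groups.get('mail', [])` degrade to "no sync" instead. The same lookup appears twice in `data/traefik.toml` in this commit. `SOURCE_HOST=5.9.66.49` is the server being migrated away from and every rsync uses `--delete`, so rerunning the script after cutover would overwrite live data with the old copy; a header comment such as `# one-off migration pull from the previous server; do not rerun after cutover` would make that explicit. The third hunk's `{% endif %}` closes the storage block that opened in the first hunk, so the template is balanced only when all three are read together.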
diff --git a/roles/searx-docker/tasks/main.yml b/roles/searx-docker/tasks/main.yml index 2b8ce61..17e6ca5 100644 --- a/roles/searx-docker/tasks/main.yml +++ b/roles/searx-docker/tasks/main.yml @@ -1,5 +1,10 @@ --- - name: Copy searx config - copy: src=searx dest={{docker_compose_files_folder}} + copy: + src: searx + dest: "{{docker_compose_files_folder}}" + - name: Start searx docker project - docker_service: project_src={{docker_compose_files_folder}}/searx state=present \ No newline at end of file + docker_compose: + project_src: "{{docker_compose_files_folder}}/searx" + state: present diff --git a/roles/stb-wordpress-docker/tasks/main.yml b/roles/stb-wordpress-docker/tasks/main.yml index 5288fa8..adbb1dc 100644 --- a/roles/stb-wordpress-docker/tasks/main.yml +++ b/roles/stb-wordpress-docker/tasks/main.yml @@ -3,22 +3,27 @@ file: state: directory dest: "{{docker_compose_files_folder}}/stb" + - name: Copy STB docker-compose copy: src: docker-compose.yml dest: "{{docker_compose_files_folder}}/stb/" + - name: Copy php upload config copy: src: uploads.ini dest: "{{docker_compose_files_folder}}/stb/" + - name: Create .env template: src: .env dest: "{{docker_compose_files_folder}}/stb/.env" + - name: Pull and start docker project - docker_service: + docker_compose: project_src: "{{docker_compose_files_folder}}/stb" state: present + - name: Check if database tables exist command: docker-compose exec -T db mysql -u stb -p{{stb_mysql_password}} stb -e "show tables;" args: @@ -28,6 +33,7 @@ delay: 10 until: db_tables_exist.rc == 0 changed_when: no + - name: Restore STB database command: docker-compose exec -T db sh -c "mysql -u stb -p{{stb_mysql_password}} stb < /backups/database.dmp" args: diff --git a/roles/torrent-docker/tasks/main.yml b/roles/torrent-docker/tasks/main.yml index 90e635d..1b69fd7 100644 --- a/roles/torrent-docker/tasks/main.yml +++ b/roles/torrent-docker/tasks/main.yml 
@@ -8,6 +8,6 @@ src: torrent/.env dest: "{{docker_compose_files_folder}}/torrent/.env" - name: Start torrent docker project - docker_service: + docker_compose: project_src: "{{docker_compose_files_folder}}/torrent" - state: present \ No newline at end of file + state: present diff --git a/roles/traefik-proxy-docker/tasks/main.yml b/roles/traefik-proxy-docker/tasks/main.yml index ee31384..5f16b3a 100644 --- a/roles/traefik-proxy-docker/tasks/main.yml +++ b/roles/traefik-proxy-docker/tasks/main.yml @@ -1,12 +1,16 @@ --- -- name: Copy traefik config - copy: src=traefik dest={{docker_compose_files_folder}} -- name: Create traefik .env +- name: Copy traefik files template: - src: traefik/.env - dest: "{{docker_compose_files_folder}}/traefik/.env" + src: "{{item}}" + dest: "{{docker_compose_files_folder}}/traefik/{{item}}" + loop: + - .env + - docker-compose.yml + - data/traefik.toml - name: Create web docker network docker_network: name: web - name: Start traefik docker project - docker_compose: project_src={{docker_compose_files_folder}}/traefik state=present + docker_compose: + project_src: "{{docker_compose_files_folder}}/traefik" + state: present diff --git a/roles/traefik-proxy-docker/templates/traefik/.env b/roles/traefik-proxy-docker/templates/.env similarity index 94% rename from roles/traefik-proxy-docker/templates/traefik/.env rename to roles/traefik-proxy-docker/templates/.env index fd2bc1b..4c7a168 100644 --- a/roles/traefik-proxy-docker/templates/traefik/.env +++ b/roles/traefik-proxy-docker/templates/.env @@ -1 +1 @@ -TRAEFIK_DASHBOARD_PASSWORD_HASH={{traefik_dashboard_password_hash}} \ No newline at end of file +TRAEFIK_DASHBOARD_PASSWORD_HASH={{traefik_dashboard_password_hash}} 
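Review bot: The template loop writes `data/traefik.toml` to `{{docker_compose_files_folder}}/traefik/data/traefik.toml`, but nothing in the hunk creates `traefik/` or `traefik/data/` first and the `template` module does not create parent directories; the old `copy: src=traefik` did that implicitly. Add a `file:` task with `state: directory` for `{{docker_compose_files_folder}}/traefik/data` before the loop. `.env` carries `TRAEFIK_DASHBOARD_PASSWORD_HASH` and is written with the module's default mode, which is typically world-readable; add `mode: "0600"` to the template task (or a per-item mode in the loop) so the hash is not readable by every local user.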
diff --git a/roles/traefik-proxy-docker/files/traefik/data/traefik.toml b/roles/traefik-proxy-docker/templates/data/traefik.toml similarity index 79% rename from roles/traefik-proxy-docker/files/traefik/data/traefik.toml rename to roles/traefik-proxy-docker/templates/data/traefik.toml index 2d540bd..594a608 100644 --- a/roles/traefik-proxy-docker/files/traefik/data/traefik.toml +++ b/roles/traefik-proxy-docker/templates/data/traefik.toml @@ -23,7 +23,11 @@ dashboard = true [docker] endpoint = "unix:///var/run/docker.sock" +{% if inventory_hostname in (groups['mail']) %} +domain = "mail1.banditlair.com" +{% else %} domain = "banditlair.com" +{% endif %} watch = true exposedbydefault = false @@ -37,8 +41,13 @@ KeyType = "RSA4096" entryPoint = "http" [[acme.domains]] +{% if inventory_hostname in (groups['mail']) %} +main = "mail1.banditlair.com" +{% else %} main = "banditlair.com" sans = ["mail.banditlair.com"] +{% endif %} + [accessLog] filePath = "/var/log/traefik/access.log" diff --git a/roles/traefik-proxy-docker/files/traefik/docker-compose.yml b/roles/traefik-proxy-docker/templates/docker-compose.yml similarity index 91% rename from roles/traefik-proxy-docker/files/traefik/docker-compose.yml rename to roles/traefik-proxy-docker/templates/docker-compose.yml index 29a3928..4ba014b 100644 --- a/roles/traefik-proxy-docker/files/traefik/docker-compose.yml +++ b/roles/traefik-proxy-docker/templates/docker-compose.yml @@ -15,7 +15,7 @@ services: labels: - "traefik.backend=traefik" - "traefik.docker.network=web" - - "traefik.frontend.rule=Host:traefik.banditlair.com" + - "traefik.frontend.rule=Host:traefik.{{inventory_hostname}}.banditlair.com" - "traefik.enable=true" - "traefik.port=8080" - "traefik.default.protocol=http" diff --git a/roles/wiki-docker/tasks/main.yml b/roles/wiki-docker/tasks/main.yml index 666ae6f..09c1a2e 100644 --- a/roles/wiki-docker/tasks/main.yml +++ b/roles/wiki-docker/tasks/main.yml 
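Review bot: On hosts outside the `mail` group the ACME block keeps `sans = ["mail.banditlair.com"]` even though this commit moves mail to the `mail` group, so the storage traefik will keep requesting and renewing a certificate for the mail hostname; with the `mail` A record commented out in the zone hunk, the name resolves through the `*.banditlair.com` wildcard to the storage host, so the challenge succeeds and the stale entry goes unnoticed. If the storage host no longer serves mail, drop the `sans` line; if Mailu on `mail1` needs a certificate for `mail.banditlair.com`, it has to be requested from the host that will actually hold that name. The `inventory_hostname in (groups['mail'])` test also raises on an inventory without a `mail` group; `groups.get('mail', [])` is the safer spelling. The `[docker]` and `[acme]` tables continue outside the hunk.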
@@ -1,5 +1,10 @@ --- - name: Copy wiki config - copy: src=wiki dest={{docker_compose_files_folder}} + copy: + src: wiki + dest: "{{docker_compose_files_folder}}" + - name: Start wiki docker project - docker_service: project_src={{docker_compose_files_folder}}/wiki state=present + docker_compose: + project_src: "{{docker_compose_files_folder}}/wiki" + state: present