mirror of
https://gitea.invidious.io/iv-org/infrastructure.git
synced 2024-08-15 00:53:31 +00:00
Add playbook
This commit is contained in:
parent
736c8b6c79
commit
1ef70ae1f0
10 changed files with 266 additions and 0 deletions
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
|
@ -0,0 +1,2 @@
|
|||
ansible.cfg
|
||||
roles
|
8
group_vars/all/vault
Normal file
8
group_vars/all/vault
Normal file
|
@ -0,0 +1,8 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
30613534346431333631646634333061336363386330343564323661356666663233656137343132
|
||||
3034323166623230643138663761386234393537626262300a373139366231623230343361353937
|
||||
37663037323733623561356130373834396136336433636338646635666330666437323564636537
|
||||
3731636465626463300a613263333138613230346639646337313332366262613630643164666431
|
||||
34636632643161383436326338646366323031363237343965336633343131353165613961653063
|
||||
65316162613535353432613962353535333631326166383035366532366564653435613835356634
|
||||
396466653535653563393632313736613735
|
22
group_vars/main/main.yml
Normal file
22
group_vars/main/main.yml
Normal file
|
@ -0,0 +1,22 @@
|
|||
ansible_python_interpreter: /usr/bin/python3
|
||||
ansible_user: root
|
||||
ansible_port: 233
|
||||
|
||||
apt_packages:
|
||||
- vim
|
||||
- tmux
|
||||
- screen
|
||||
- htop
|
||||
- bash-completion
|
||||
- net-tools
|
||||
- python3-setuptools
|
||||
- jq
|
||||
|
||||
pip_install_packages:
|
||||
- name: docker
|
||||
- name: docker-compose
|
||||
|
||||
caddy_user: caddy
|
||||
caddy_setcap: false
|
||||
caddy_systemd_capabilities_enabled: true
|
||||
caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
|
7
inventory.yml
Normal file
7
inventory.yml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
all:
|
||||
children:
|
||||
main:
|
||||
hosts:
|
||||
invidious.io:
|
||||
ansible_host: 188.34.196.170
|
89
main.yml
Normal file
89
main.yml
Normal file
|
@ -0,0 +1,89 @@
|
|||
---
|
||||
- hosts: main
|
||||
handlers:
|
||||
- name: restart ssh
|
||||
systemd:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
tasks:
|
||||
- name: SSH config
|
||||
template:
|
||||
src: sshd_config.j2
|
||||
dest: /etc/ssh/sshd_config
|
||||
mode: 0644
|
||||
notify: restart ssh
|
||||
tags: [ssh,base]
|
||||
|
||||
- name: SSH keys
|
||||
template:
|
||||
src: authorized_keys.j2
|
||||
dest: /root/.ssh/authorized_keys
|
||||
mode: 0600
|
||||
tags: [ssh,base]
|
||||
|
||||
- name: Install packages
|
||||
apt:
|
||||
name: "{{ apt_packages }}"
|
||||
tags: [apt,base]
|
||||
|
||||
- name: unattended-upgrades
|
||||
import_role:
|
||||
name: jvn.unattended-upgrades
|
||||
tags: [unattended-upgrades]
|
||||
|
||||
- name: pip
|
||||
import_role:
|
||||
name: geerlingguy.pip
|
||||
tags: [pip,docker]
|
||||
|
||||
- name: docker
|
||||
import_role:
|
||||
name: geerlingguy.docker
|
||||
tags: [dockerd,docker]
|
||||
|
||||
- name: Create Invidious API container
|
||||
community.docker.docker_container:
|
||||
name: api
|
||||
image: quay.io/invidious/instances:latest
|
||||
pull: true
|
||||
restart_policy: unless-stopped
|
||||
published_ports:
|
||||
- "127.0.0.1:3000:3000"
|
||||
tags: [api,instances,docker]
|
||||
|
||||
- name: Create Invidious redirect container
|
||||
community.docker.docker_container:
|
||||
name: redirect
|
||||
image: quay.io/invidious/invidious-redirect:latest
|
||||
pull: true
|
||||
restart_policy: unless-stopped
|
||||
published_ports:
|
||||
- "127.0.0.1:8080:80"
|
||||
tags: [redirect,docker]
|
||||
|
||||
- name: Create wikijs compose folder
|
||||
file:
|
||||
path: /root/compose/wikijs/
|
||||
state: directory
|
||||
recurse: true
|
||||
mode: 0755
|
||||
tags: [wikijs,docker]
|
||||
|
||||
- name: Template wikijs docker compose
|
||||
template:
|
||||
src: docker-compose-wikijs.yml
|
||||
dest: /root/compose/wikijs/docker-compose.yml
|
||||
mode: 0600
|
||||
tags: [wikijs,docker]
|
||||
|
||||
- name: Compose wikijs
|
||||
community.docker.docker_compose:
|
||||
project_src: /root/compose/wikijs
|
||||
pull: true
|
||||
tags: [wikijs,docker]
|
||||
|
||||
- name: caddy
|
||||
import_role:
|
||||
name: caddy_ansible.caddy_ansible
|
||||
tags: [ caddy ]
|
9
requirements.yml
Normal file
9
requirements.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
roles:
|
||||
- name: jvn.unattended-upgrades
|
||||
version: v1.10.0
|
||||
- name: geerlingguy.pip
|
||||
version: 2.0.0
|
||||
- name: geerlingguy.docker
|
||||
version: 3.0.0
|
||||
- name: caddy_ansible.caddy_ansible
|
||||
version: TODO (wait for MRs)
|
66
templates/Caddyfile.j2
Normal file
66
templates/Caddyfile.j2
Normal file
|
@ -0,0 +1,66 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
(common) {
|
||||
encode gzip
|
||||
log {
|
||||
output file /var/log/caddy/access.log {
|
||||
roll_size 500mb
|
||||
roll_keep 5
|
||||
}
|
||||
format filter {
|
||||
wrap json
|
||||
fields {
|
||||
common_log delete
|
||||
request>remote_addr ip_mask {
|
||||
ipv4 24
|
||||
ipv6 32
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
www.invidio.us {
|
||||
import common
|
||||
redir https://invidious.io{uri}
|
||||
}
|
||||
invidious.io {
|
||||
import common
|
||||
root * /var/www/invidious.io
|
||||
file_server
|
||||
}
|
||||
git.invidious.io {
|
||||
import common
|
||||
redir https://github.com/iv-org/invidious
|
||||
}
|
||||
|
||||
invidio.us {
|
||||
import common
|
||||
redir https://redirect.invidious.io{uri}
|
||||
header /api* content-type "application/json"
|
||||
respond /api* "{\"error\":\"This server no longer hosts the Invidious API.\"}" 410
|
||||
}
|
||||
redirect.invidious.io {
|
||||
import common
|
||||
reverse_proxy http://127.0.0.1:8080
|
||||
}
|
||||
|
||||
instances.invidio.us {
|
||||
import common
|
||||
redir https://api.invidious.io{uri}
|
||||
}
|
||||
api.invidious.io {
|
||||
import common
|
||||
reverse_proxy http://127.0.0.1:3000
|
||||
header /static* Cache-Control "max-age=86400"
|
||||
}
|
||||
|
||||
uptime.invidio.us {
|
||||
import common
|
||||
redir https://uptime.invidious.io{uri}
|
||||
}
|
||||
|
||||
docs.invidious.io {
|
||||
import common
|
||||
reverse_proxy http://127.0.0.1:3001
|
||||
}
|
4
templates/authorized_keys.j2
Normal file
4
templates/authorized_keys.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfkXt+RnduQ6CKIuoe0GbLZM76O/lyWippAisuv0Qlk perflyst
|
||||
# TODO: thefrenchghosty creates new keys
|
32
templates/docker-compose-wikijs.yml
Normal file
32
templates/docker-compose-wikijs.yml
Normal file
|
@ -0,0 +1,32 @@
|
|||
version: "3"
|
||||
services:
|
||||
|
||||
db:
|
||||
image: docker.io/postgres:11-alpine
|
||||
environment:
|
||||
POSTGRES_DB: wikijs
|
||||
POSTGRES_PASSWORD: "{{ vault_wikijs_db_password }}"
|
||||
POSTGRES_USER: wikijs
|
||||
logging:
|
||||
driver: "none"
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- db-data:/var/lib/postgresql/data
|
||||
|
||||
wiki:
|
||||
image: requarks/wiki:2.5
|
||||
depends_on:
|
||||
- db
|
||||
environment:
|
||||
DB_TYPE: postgres
|
||||
DB_HOST: db
|
||||
DB_PORT: 5432
|
||||
DB_USER: wikijs
|
||||
DB_PASS: "{{ vault_wikijs_db_password }}"
|
||||
DB_NAME: wikijs
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "127.0.0.1:3001:3000"
|
||||
|
||||
volumes:
|
||||
db-data:
|
27
templates/sshd_config.j2
Normal file
27
templates/sshd_config.j2
Normal file
|
@ -0,0 +1,27 @@
|
|||
Protocol 2
|
||||
Port {{ ansible_port }}
|
||||
ListenAddress {{ ansible_default_ipv4.address }}
|
||||
ListenAddress {{ ansible_default_ipv6.address }}
|
||||
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
PermitRootLogin without-password
|
||||
StrictModes yes
|
||||
MaxAuthTries 2
|
||||
AllowUsers root
|
||||
|
||||
PubkeyAuthentication yes
|
||||
AuthenticationMethods publickey
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
PasswordAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
|
||||
IgnoreRhosts yes
|
||||
UsePAM yes
|
||||
ChallengeResponseAuthentication no
|
||||
PrintMotd no
|
||||
X11Forwarding no
|
||||
AllowTcpForwarding no
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
Loading…
Reference in a new issue