Add playbook

This commit is contained in:
Perflyst 2021-03-09 13:42:28 +01:00
parent 736c8b6c79
commit 1ef70ae1f0
No known key found for this signature in database
GPG key ID: B0D9C8E56E999F68
10 changed files with 266 additions and 0 deletions

2
.gitignore vendored Normal file

@ -0,0 +1,2 @@
ansible.cfg
roles

8
group_vars/all/vault Normal file

@ -0,0 +1,8 @@
$ANSIBLE_VAULT;1.1;AES256
30613534346431333631646634333061336363386330343564323661356666663233656137343132
3034323166623230643138663761386234393537626262300a373139366231623230343361353937
37663037323733623561356130373834396136336433636338646635666330666437323564636537
3731636465626463300a613263333138613230346639646337313332366262613630643164666431
34636632643161383436326338646366323031363237343965336633343131353165613961653063
65316162613535353432613962353535333631326166383035366532366564653435613835356634
396466653535653563393632313736613735

22
group_vars/main/main.yml Normal file

@ -0,0 +1,22 @@
ansible_python_interpreter: /usr/bin/python3
ansible_user: root
ansible_port: 233
apt_packages:
- vim
- tmux
- screen
- htop
- bash-completion
- net-tools
- python3-setuptools
- jq
pip_install_packages:
- name: docker
- name: docker-compose
caddy_user: caddy
caddy_setcap: false
caddy_systemd_capabilities_enabled: true
caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
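Review bot: `ansible_port: 233` on L40 is the port the sshd template moves the daemon to (`Port {{ ansible_port }}` in templates/sshd_config.j2), so a first run against a freshly provisioned host that still answers on 22 cannot connect, and nothing in the commit records that bootstrap step. A comment above the key would save the next operator a failed run: `# sshd is moved to this port by templates/sshd_config.j2; bootstrap a new host with -e ansible_port=22`. The file also starts without the `---` that inventory.yml and main.yml in the same commit use.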

7
inventory.yml Normal file

@ -0,0 +1,7 @@
---
all:
children:
main:
hosts:
invidious.io:
ansible_host: 188.34.196.170

89
main.yml Normal file

@ -0,0 +1,89 @@
---
- hosts: main
handlers:
- name: restart ssh
systemd:
name: sshd
state: restarted
tasks:
- name: SSH config
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
mode: 0644
notify: restart ssh
tags: [ssh,base]
- name: SSH keys
template:
src: authorized_keys.j2
dest: /root/.ssh/authorized_keys
mode: 0600
tags: [ssh,base]
- name: Install packages
apt:
name: "{{ apt_packages }}"
tags: [apt,base]
- name: unattended-upgrades
import_role:
name: jvn.unattended-upgrades
tags: [unattended-upgrades]
- name: pip
import_role:
name: geerlingguy.pip
tags: [pip,docker]
- name: docker
import_role:
name: geerlingguy.docker
tags: [dockerd,docker]
- name: Create Invidious API container
community.docker.docker_container:
name: api
image: quay.io/invidious/instances:latest
pull: true
restart_policy: unless-stopped
published_ports:
- "127.0.0.1:3000:3000"
tags: [api,instances,docker]
- name: Create Invidious redirect container
community.docker.docker_container:
name: redirect
image: quay.io/invidious/invidious-redirect:latest
pull: true
restart_policy: unless-stopped
published_ports:
- "127.0.0.1:8080:80"
tags: [redirect,docker]
- name: Create wikijs compose folder
file:
path: /root/compose/wikijs/
state: directory
recurse: true
mode: 0755
tags: [wikijs,docker]
- name: Template wikijs docker compose
template:
src: docker-compose-wikijs.yml
dest: /root/compose/wikijs/docker-compose.yml
mode: 0600
tags: [wikijs,docker]
- name: Compose wikijs
community.docker.docker_compose:
project_src: /root/compose/wikijs
pull: true
tags: [wikijs,docker]
- name: caddy
import_role:
name: caddy_ansible.caddy_ansible
tags: [ caddy ]
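Review bot: The `SSH config` task (L84–L90) writes /etc/ssh/sshd_config and the `restart ssh` handler then restarts the daemon, but the rendered file is never syntax-checked first, so a typo in the template leaves sshd down on a root-only box once the handler fires. Add `validate: /usr/sbin/sshd -t -f %s` to that template task so the restart only happens after a config sshd accepts. Separately, the unquoted octal modes on L88, L95, L136 and L142 (`mode: 0644`, `0600`, `0755`) rely on the YAML 1.1 leading-zero rule; `mode: "0644"` is the form ansible-lint expects and is unambiguous. The handler targets the `sshd` unit; on Debian-family hosts the unit is `ssh` with `sshd` only an alias, which is worth confirming against the target distribution.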

9
requirements.yml Normal file

@ -0,0 +1,9 @@
roles:
- name: jvn.unattended-upgrades
version: v1.10.0
- name: geerlingguy.pip
version: 2.0.0
- name: geerlingguy.docker
version: 3.0.0
- name: caddy_ansible.caddy_ansible
version: TODO (wait for MRs)
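Review bot: `version: TODO (wait for MRs)` on L167 is not a resolvable ref, so `ansible-galaxy install -r requirements.yml` cannot install the caddy role and the requirements file does not work as committed. Until the upstream changes land, either drop the entry or point it at the fork that already carries them via `src:` with a commit or tag in `version:`, and keep the reminder as a comment: `# TODO: pin to an upstream release once the pending MRs are merged`. The file also lacks the leading `---` that inventory.yml and main.yml use.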

66
templates/Caddyfile.j2 Normal file

@ -0,0 +1,66 @@
# {{ ansible_managed }}
(common) {
encode gzip
log {
output file /var/log/caddy/access.log {
roll_size 500mb
roll_keep 5
}
format filter {
wrap json
fields {
common_log delete
request>remote_addr ip_mask {
ipv4 24
ipv6 32
}
}
}
}
}
www.invidio.us {
import common
redir https://invidious.io{uri}
}
invidious.io {
import common
root * /var/www/invidious.io
file_server
}
git.invidious.io {
import common
redir https://github.com/iv-org/invidious
}
invidio.us {
import common
redir https://redirect.invidious.io{uri}
header /api* content-type "application/json"
respond /api* "{\"error\":\"This server no longer hosts the Invidious API.\"}" 410
}
redirect.invidious.io {
import common
reverse_proxy http://127.0.0.1:8080
}
instances.invidio.us {
import common
redir https://api.invidious.io{uri}
}
api.invidious.io {
import common
reverse_proxy http://127.0.0.1:3000
header /static* Cache-Control "max-age=86400"
}
uptime.invidio.us {
import common
redir https://uptime.invidious.io{uri}
}
docs.invidious.io {
import common
reverse_proxy http://127.0.0.1:3001
}
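Review bot: In the `invidio.us` site block (L207–L212) the `redir` on L209 has no matcher and so applies to every request, and Caddy's default directive order evaluates `redir` before `respond`, so as I read it the `/api*` 410 on L211 is never reached and API clients receive a redirect to redirect.invidious.io instead of the JSON error. Giving the redirect a matcher that excludes the API path makes the 410 reachable: `@notapi not path /api*` followed by `redir @notapi https://redirect.invidious.io{uri}`. The `header /api*` on L210 is ordered ahead of `respond` anyway, so only the redirect line needs the matcher.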


@ -0,0 +1,4 @@
# {{ ansible_managed }}
no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfkXt+RnduQ6CKIuoe0GbLZM76O/lyWippAisuv0Qlk perflyst
# TODO: thefrenchghosty creates new keys
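Review bot: The key options on L239 switch off port, X11 and agent forwarding one by one; OpenSSH 7.2 and later provide `restrict`, which disables those plus PTY allocation, `~/.ssh/rc` and any restriction added in future releases, with `pty` re-enabled so the interactive root login still works: replace the option list with `restrict,pty`. This section's file header is missing from the rendered page; the path is presumably templates/authorized_keys.j2, matching the `SSH keys` task in main.yml.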


@ -0,0 +1,32 @@
version: "3"
services:
db:
image: docker.io/postgres:11-alpine
environment:
POSTGRES_DB: wikijs
POSTGRES_PASSWORD: "{{ vault_wikijs_db_password }}"
POSTGRES_USER: wikijs
logging:
driver: "none"
restart: unless-stopped
volumes:
- db-data:/var/lib/postgresql/data
wiki:
image: requarks/wiki:2.5
depends_on:
- db
environment:
DB_TYPE: postgres
DB_HOST: db
DB_PORT: 5432
DB_USER: wikijs
DB_PASS: "{{ vault_wikijs_db_password }}"
DB_NAME: wikijs
restart: unless-stopped
ports:
- "127.0.0.1:3001:3000"
volumes:
db-data:
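Review bot: `logging: driver: "none"` on L253–L254 discards all Postgres output, so authentication failures, connection errors and crash reasons for the wiki database leave no trace on the host when something needs investigating. Capping the log instead of dropping it keeps disk use bounded and the record available: `driver: json-file` with `options: {max-size: "10m", max-file: "3"}` under the same `logging:` key. `DB_PORT: 5432` on L265 is an unquoted integer; Compose stringifies it, but `"5432"` would match the quoting used for the other environment values in this file. This section's file header is missing from the rendered page; the path is presumably templates/docker-compose-wikijs.yml, matching the `Template wikijs docker compose` task in main.yml.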

27
templates/sshd_config.j2 Normal file

@ -0,0 +1,27 @@
Protocol 2
Port {{ ansible_port }}
ListenAddress {{ ansible_default_ipv4.address }}
ListenAddress {{ ansible_default_ipv6.address }}
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin without-password
StrictModes yes
MaxAuthTries 2
AllowUsers root
PubkeyAuthentication yes
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
UsePAM yes
ChallengeResponseAuthentication no
PrintMotd no
X11Forwarding no
AllowTcpForwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
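Review bot: `ListenAddress {{ ansible_default_ipv6.address }}` on L283 fails, as far as I can tell, with an undefined-variable error on any host whose `ansible_default_ipv6` fact is empty (no default IPv6 route), so the template cannot be applied unchanged to an IPv4-only host. Guard the line: `{% if ansible_default_ipv6.address is defined %}` / `ListenAddress {{ ansible_default_ipv6.address }}` / `{% endif %}`. `Protocol 2` on L280 has no effect on current OpenSSH releases and `PermitRootLogin without-password` on L286 is the legacy spelling of `prohibit-password`; both still work but read as stale. With `AuthenticationMethods publickey` on L291, `MaxAuthTries 2` on L288 also means a client whose agent offers two unaccepted keys before the right one is disconnected, which is worth confirming against how operators connect.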