initial dump

pull/4/head
Tiago Carrondo 7 months ago
commit ca802e834e
  1. 23
      00_preps.yaml
  2. 11
      01_prep_lxd.yaml
  3. 44
      02_lxc_containers.yaml
  4. 55
      03_container_haproxy.yaml
  5. 19
      04_container_gitea.yaml
  6. 30
      README.md
  7. 14
      files/ha_certbot_renew.sh
  8. 84
      files/ha_haproxy.cfg.j2
  9. 13
      files/ha_new_cert.sh
  10. 6
      hosts
  11. 13
      main.yaml

@ -0,0 +1,23 @@
---
- name: Preps Playbook
hosts: lxd_hosts
become: true
roles:
- fail2ban
tasks:
- name: PREPS -- install needed packages
become: true
package:
state: present
name: '{{ item }}'
with_items:
- unattended-upgrades
- zfsutils-linux # needed for lxd
- name: PREPS -- install lxd snap
become: true
snap:
name: lxd
- name: Add user 'git'
become: true
user:
name: git
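Review bot: `with_items:` under the package task is the legacy loop keyword; `loop:` is the current form, and the same applies to the package task in 03_container_haproxy.yaml. The task-level `become: true` on each task repeats what the play already sets at play level and can be dropped. The `user:` task adds a 'git' account on the LXD host itself rather than inside the gitea container, which looks unrelated to the gitea role that runs in the container; if it is intentional, a comment such as `# host-level account used for ... (not the container's git user)` would stop the next reader from removing it.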

@ -0,0 +1,11 @@
---
- name: Prep lxd Playbook
hosts: lxd_hosts
become: true
tasks:
- name: PREP LXD -- Check if ubuntu minimal repo already added.
shell: lxc remote list | grep ubuntu-minimal | wc -l
register: ubuntu_minimal_repo
- name: PREP LXD -- Add ubuntu minimal repo
command: lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/
when: ubuntu_minimal_repo.stdout != "1"
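Review bot: The `shell: lxc remote list | grep ubuntu-minimal | wc -l` check reports changed on every run and its `when: ubuntu_minimal_repo.stdout != "1"` re-runs the add (which then fails) whenever the count is anything other than exactly one line. Mark the probe read-only with `changed_when: false` and test for presence rather than a count, `when: "'ubuntu-minimal' not in ubuntu_minimal_repo.stdout"`. Alternatively drop the probe and make the add task itself idempotent by registering its result and using `failed_when` on anything other than the already-exists case.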

@ -0,0 +1,44 @@
---
- name: LXD Playbook
hosts: lxd_hosts
become: true
tasks:
- name: Create lxd containers
community.general.lxd_container:
name: '{{ item }}'
state: started
source:
type: image
mode: pull
server: https://cloud-images.ubuntu.com/minimal/releases/
protocol: simplestreams # if you get a 404, try setting protocol: simplestreams
alias: focal
profiles: ['default']
wait_for_ipv4_addresses: true
timeout: 600
with_items:
- haproxy
- gitea
- name: Create haproxy port forwards
community.general.lxd_container:
name: haproxy
devices:
map_port_80:
type: proxy
listen: tcp:0.0.0.0:80
connect: tcp:127.0.0.1:80
proxy_protocol: 'true'
map_port_443:
type: proxy
listen: tcp:0.0.0.0:443
connect: tcp:127.0.0.1:443
proxy_protocol: 'true'
- name: Create gitea port forward(s)
community.general.lxd_container:
name: gitea
devices:
map_port_2222:
type: proxy
listen: tcp:0.0.0.0:2222
connect: tcp:127.0.0.1:2222
proxy_protocol: 'true'
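Review bot: `proxy_protocol: 'true'` on map_port_2222 prepends a PROXY header to every SSH connection forwarded to the gitea container; unless the SSH listener inside that container is configured to accept PROXY protocol, those connections are rejected at the handshake, so either drop that key for the 2222 device or add a comment stating that the listener expects it. The haproxy devices are consistent with the `accept-proxy` binds in files/ha_haproxy.cfg.j2. The inline comment on `protocol: simplestreams` ("if you get a 404, try setting protocol: simplestreams") describes the very line it sits on; rewrite it as `# simplestreams is required for cloud-images.ubuntu.com; the lxd protocol returns 404`. `timeout: 600` next to `wait_for_ipv4_addresses: true` would read better with a comment giving the unit (presumably seconds).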

@ -0,0 +1,55 @@
---
- name: HAPROXY -- install
hosts: haproxy
become: true
tasks:
- name: HAPROXY -- install needed packages
become: true
package:
state: present
name: '{{ item }}'
with_items:
- unattended-upgrades
- haproxy
- name: HAPROXY -- Generate Diffie-Hellman parameters with the default size (4096 bits)
community.crypto.openssl_dhparam:
path: /etc/haproxy/dhparam.pem
- name: HAPROXY -- create ssl folder
become: true
file:
path: '/etc/haproxy/ssl'
state: directory
- name: HAPROXY -- new cert script
copy:
src: 'files/ha_new_cert.sh'
dest: '/usr/local/bin/new_certbot'
mode: 0755
- name: HAPROXY -- cert renew script
become: true
copy:
src: 'files/ha_certbot_renew.sh'
dest: '/etc/cron.weekly/certbot_renew.sh'
mode: 0755
- name: HAPROXY -- config file
become: true
template:
src: files/ha_haproxy.cfg.j2
dest: /etc/haproxy/haproxy.cfg
owner: root
group: root
mode: 0644
tags:
- hot
notify:
- reload haproxy
- name: HAPROXY -- install certbot snap
become: true
snap:
name: certbot
classic: yes
handlers:
- name: reload haproxy
service:
name: haproxy
state: reloaded
enabled: yes
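Review bot: `/etc/haproxy/ssl` is created by the `file:` task with no `mode`/`owner`, yet files/ha_new_cert.sh and files/ha_certbot_renew.sh write fullchain+privkey bundles into it, so the directory holding private keys gets whatever the host umask produces; set `mode: '0700'`, `owner: root`, `group: root` on that task. The haproxy.cfg `template:` task notifies a reload on change but never validates the rendered file first — add `validate: haproxy -c -f %s` so a bad template does not take the proxy down at reload. Style: `classic: yes` and `enabled: yes` should be `true`, the `mode: 0755` / `mode: 0644` values should be quoted strings (`'0755'`), and `with_items` should be `loop`.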

@ -0,0 +1,19 @@
---
- name: GITEA -- install
hosts: gitea
roles:
- { role: do1jlr.gitea, tags: gitea }
vars:
gitea_fqdn: 'git.ansol.org'
gitea_root_url: 'https://git.ansol.org'
gitea_http_listen: '0.0.0.0'
gitea_protocol: http
gitea_only_allow_external_registration: true
gitea_enable_captcha: false
gitea_require_signin: false
gitea_show_registration_button: false
gitea_start_ssh: true
gitea_oauth2_extra_config: |
ENABLE_AUTO_REGISTRATION = true
USERNAME = email
ACCOUNT_LINKING = auto
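Review bot: `ACCOUNT_LINKING = auto` together with `USERNAME = email` and `ENABLE_AUTO_REGISTRATION = true` links an OAuth2 login to any existing local account with the same e-mail address without the user confirming it, so ownership of existing accounts then rests entirely on the identity provider verifying e-mail addresses; if that is not guaranteed, `ACCOUNT_LINKING = login` keeps the confirmation step. This is the only play without `become: true`; if the do1jlr.gitea role does not escalate on its own, the run inside the container stops at its first privileged task, so a comment stating the intent either way would help. `gitea_http_listen: '0.0.0.0'` exposes the port 3000 backend (see files/ha_haproxy.cfg.j2) to every peer on the LXD bridge rather than only to haproxy; a comment noting that the bridge is treated as trusted would make that explicit.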

@ -0,0 +1,30 @@
# Passos manuais preparatórios
```bash
$ apt install zfsutils-linux snapd
$ snap install lxd
$ lxd init
```
```text
Would you like to use LXD clustering? (yes/no): NO
Do you want to configure a new storage pool? (yes/no): YES
Name of the new storage pool: wireguards
Name of the storage backend to use (btrfs, dir, lvm, zfs): ZFS
Create a new ZFS pool? (yes/no): YES
Would you like to use an existing block device? (yes/no): NO
Size in GB of the new loop device (1GB minimum): 5 ????
Would you like to connect to a MAAS server? (yes/no): NO
Would you like to create a new local network bridge? (yes/no): YES
What should the new bridge be called?: lxdbr0
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”): AUTO
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”): AUTO
Would you like LXD to be available over the network? (yes/no): NO
Would you like stale cached images to be updated automatically? (yes/no): YES
Would you like a YAML "lxd init" preseed to be printed? (yes/no): NO
```
```bash
$ lxc config set core.https_address "[::]"
$ lxc config set core.trust_password uma_pass
$ lxc config unset core.trust_password
```

@ -0,0 +1,14 @@
#!/usr/bin/env bash
CERTS=$(certbot certificates | grep 'Certificate Name'| cut -c 21-)
# Renew the certificate
certbot renew #--force-renewal --tls-sni-01-port=8888
# Concatenate new cert files, with less output (avoiding the use tee and its output to stdout)
for certs in $CERTS; do
bash -c "cat /etc/letsencrypt/live/$certs/fullchain.pem /etc/letsencrypt/live/$certs/privkey.pem > /etc/haproxy/ssl/$certs.pem"
done
# Reload HAProxy
systemctl reload haproxy
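Review bot: The `>` redirect in the `cat … > /etc/haproxy/ssl/$certs.pem` line creates the bundle with the process umask, so a newly written file containing privkey.pem is readable by other users until something else fixes it; put `umask 077` at the top of the script, and `set -euo pipefail` so a failed `certbot renew` does not fall through to rewriting bundles and reloading haproxy. The `bash -c "…"` wrapper is unnecessary — the redirect works directly in the loop body: `cat "/etc/letsencrypt/live/$certs/fullchain.pem" "/etc/letsencrypt/live/$certs/privkey.pem" > "/etc/haproxy/ssl/$certs.pem"`. Parsing `certbot certificates` with `cut -c 21-` depends on the exact column layout of that output; a comment naming the format it was written against would make future breakage easier to diagnose.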

@ -0,0 +1,84 @@
global
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 300s
user haproxy
group haproxy
daemon
ulimit-n 120041
maxconn 60000
pidfile /var/run/haproxy.pid
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384::ECDHE-ECDSA-AES256-SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
ssl-dh-param-file /etc/haproxy/dhparam.pem
defaults
log global
mode http
retries 3
option httplog
option dontlognull
option redispatch
option forwardfor except 127.0.0.1
timeout http-request 10s
timeout check 10s
timeout client 60s
timeout connect 10s
timeout server 60s
maxconn 60000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# The web frontend
frontend http_https
bind :80 accept-proxy
bind :443 accept-proxy ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
http-request set-header X-Port %[dst_port]
http-request set-header X-Real-Ip %[src]
http-request set-header X-Orig-URL %[req.hdr(Host)]%[url]
http-request set-header X-Proto SSL if { ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
# Redirect if HTTPS is *not* used
redirect scheme https code 301 if !{ ssl_fc }
# Test URI to see if its a letsencrypt request
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt if letsencrypt-acl
# Gitea
acl git-ansol-org hdr(host) -i git.ansol.org
use_backend git-ansol-org if git-ansol-org
# Let's Encrypt
backend letsencrypt
server letsencrypt 127.0.0.1:8888
# Gitea
backend git-ansol-org
server git-ansol-org gitea:3000 check
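Review bot: `redirect scheme https code 301 if !{ ssl_fc }` is evaluated before the `use_backend letsencrypt` rule, so ACME http-01 requests arriving on :80 are bounced to https instead of reaching 127.0.0.1:8888; that presumably works only once a certificate already exists on :443, and with an empty `/etc/haproxy/ssl/` at first issuance the :443 bind has nothing to serve. Declare the ACL before the redirect and exempt it: `acl letsencrypt-acl path_beg /.well-known/acme-challenge/` above the redirect, then `redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl`. Two smaller things: the `ssl-default-bind-ciphers` string contains an empty entry (`…GCM-SHA384::ECDHE-ECDSA…`), and the Strict-Transport-Security value ends in a stray `;` after `preload`. The file carries a `.j2` suffix but contains no template expressions; the hard-coded `git.ansol.org` in the acl and backend could be driven from the same value as `gitea_fqdn` in 04_container_gitea.yaml.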

@ -0,0 +1,13 @@
#/bin/bash
set -e
sudo certbot certonly --standalone -d "$1" \
--non-interactive \
--agree-tos \
--email contacto@ansol.org \
--preferred-challenges http \
--http-01-address 127.0.0.1 \
--http-01-port 8888 \
cat /etc/letsencrypt/live/"$1"/fullchain.pem /etc/letsencrypt/live/"$1"/privkey.pem > /etc/haproxy/ssl/"$1".pem
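Review bot: The trailing backslash on `--http-01-port 8888 \` continues the command onto the next line, so `cat /etc/letsencrypt/live/"$1"/fullchain.pem … > …` becomes extra arguments to certbot (with the redirect applied to certbot's output) instead of a second command; remove that backslash. The first line `#/bin/bash` is missing the `!`, so executing `/usr/local/bin/new_certbot` directly runs under whatever shell the caller uses rather than bash — use `#!/usr/bin/env bash`. `$1` is never checked, so a call without a domain runs `certbot certonly -d ""`; add `[ -n "$1" ] || { echo "usage: new_certbot <domain>" >&2; exit 1; }` after `set -e`. As in ha_certbot_renew.sh, the bundle containing privkey.pem is written with the default umask; `umask 077` before the `cat` keeps it private.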

@ -0,0 +1,6 @@
[lxd_hosts]
git.ansol.org ansible_ssh_user=root
[containers]
haproxy ansible_lxd_remote=lxd-ansol ansible_lxd_host=haproxy ansible_connection=community.general.lxd ansible_python_interpreter=/usr/bin/python3
gitea ansible_lxd_remote=lxd-ansol ansible_lxd_host=gitea ansible_connection=community.general.lxd ansible_python_interpreter=/usr/bin/python3
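Review bot: `ansible_ssh_user=root` is the pre-2.0 spelling of `ansible_user` and logs in as root directly, while the playbooks already use `become: true`; an unprivileged SSH user with sudo keeps the root account off the SSH surface and leaves an audit trail. The `[containers]` group is not referenced by any play (they target `haproxy` and `gitea` by host name), so either a comment saying it exists for ad-hoc use or dropping it would avoid confusion. Both `ansible_lxd_remote=lxd-ansol` entries presuppose a remote of that name on the control machine, and the README's manual steps do not show it being added.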

@ -0,0 +1,13 @@
---
# Preparatory tasks
- import_playbook: 00_preps.yaml
# README manual steps, then:
- import_playbook: 01_prep_lxd.yaml
# LXD containers
- import_playbook: 02_lxc_containers.yaml
# Container Haproxy
- import_playbook: 03_container_haproxy.yaml
# Container Gitea
- import_playbook: 04_container_gitea.yaml
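Review bot: The comment `# README manual steps, then:` between the first two imports documents a manual `lxd init` step that nothing in the playbook enforces; running `main.yaml` end-to-end on a fresh host reaches 01_prep_lxd.yaml before LXD has been initialised. Tag the plays in the imported files so the documented two-phase run can be selected with `--tags`, or add a pre-flight task at the start of 01_prep_lxd.yaml that fails with a clear message when `lxc` is not yet usable.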