initial dump

00_preps.yaml

@@ -0,0 +1,23 @@
+---
+- name: Preps Playbook
+  hosts: lxd_hosts
+  become: true
+  roles:
+    - fail2ban
+  tasks:
+    - name: PREPS -- install needed packages
+      become: true
+      package:
+        state: present
+        name: '{{ item }}'
+      with_items:
+        - unattended-upgrades
+        - zfsutils-linux # needed for lxd
+    - name: PREPS -- install lxd snap
+      become: true
+      snap:
+        name: lxd
+    - name: Add user 'git'
+      become: true
+      user:
+        name: git

01_prep_lxd.yaml

@@ -0,0 +1,11 @@
+---
+- name: Prep lxd Playbook
+  hosts: lxd_hosts
+  become: true
+  tasks:
+    - name: PREP LXD -- Check if ubuntu minimal repo already added.
+      shell: lxc remote list | grep ubuntu-minimal | wc -l
+      register: ubuntu_minimal_repo
+    - name: PREP LXD -- Add ubuntu minimal repo
+      command: lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/
+      when: ubuntu_minimal_repo.stdout != "1"

02_lxc_containers.yaml

@@ -0,0 +1,44 @@
+---
+- name: LXD Playbook
+  hosts: lxd_hosts
+  become: true
+  tasks:
+    - name: Create lxd containers
+      community.general.lxd_container:
+        name: '{{ item }}'
+        state: started
+        source:
+          type: image
+          mode: pull
+          server: https://cloud-images.ubuntu.com/minimal/releases/
+          protocol: simplestreams # if you get a 404, try setting protocol: simplestreams
+          alias: focal
+        profiles: ['default']
+        wait_for_ipv4_addresses: true
+        timeout: 600
+      with_items:
+        - haproxy
+        - gitea
+    - name: Create haproxy port forwards
+      community.general.lxd_container:
+        name: haproxy
+        devices:
+          map_port_80:
+            type: proxy
+            listen: tcp:0.0.0.0:80
+            connect: tcp:127.0.0.1:80
+            proxy_protocol: 'true'
+          map_port_443:
+            type: proxy
+            listen: tcp:0.0.0.0:443
+            connect: tcp:127.0.0.1:443
+            proxy_protocol: 'true'
+    - name: Create gitea port forward(s)
+      community.general.lxd_container:
+        name: gitea
+        devices:
+          map_port_2222:
+            type: proxy
+            listen: tcp:0.0.0.0:2222
+            connect: tcp:127.0.0.1:2222
+            proxy_protocol: 'true'

03_container_haproxy.yaml

@@ -0,0 +1,55 @@
+---
+- name: HAPROXY -- install
+  hosts: haproxy
+  become: true
+  tasks:
+    - name: HAPROXY -- install needed packages
+      become: true
+      package:
+        state: present
+        name: '{{ item }}'
+      with_items:
+        - unattended-upgrades
+        - haproxy
+    - name: HAPROXY -- Generate Diffie-Hellman parameters with the default size (4096 bits)
+      community.crypto.openssl_dhparam:
+        path: /etc/haproxy/dhparam.pem
+    - name: HAPROXY -- create ssl folder
+      become: true
+      file:
+        path: '/etc/haproxy/ssl'
+        state: directory
+    - name: HAPROXY -- new cert script
+      copy:
+        src: 'files/ha_new_cert.sh'
+        dest: '/usr/local/bin/new_certbot'
+        mode: 0755
+    - name: HAPROXY -- cert renew script
+      become: true
+      copy:
+        src: 'files/ha_certbot_renew.sh'
+        dest: '/etc/cron.weekly/certbot_renew.sh'
+        mode: 0755
+    - name: HAPROXY -- config file
+      become: true
+      template:
+        src: files/ha_haproxy.cfg.j2
+        dest: /etc/haproxy/haproxy.cfg
+        owner: root
+        group: root
+        mode: 0644
+      tags:
+        - hot
+      notify:
+        - reload haproxy
+    - name: HAPROXY -- install certbot snap
+      become: true
+      snap:
+        name: certbot
+        classic: yes
+  handlers:
+    - name: reload haproxy
+      service:
+        name: haproxy
+        state: reloaded
+        enabled: yes

04_container_gitea.yaml

@@ -0,0 +1,19 @@
+---
+- name: GITEA -- install
+  hosts: gitea
+  roles:
+    - { role: do1jlr.gitea, tags: gitea }
+  vars:
+    gitea_fqdn: 'git.ansol.org'
+    gitea_root_url: 'https://git.ansol.org'
+    gitea_http_listen: '0.0.0.0'
+    gitea_protocol: http
+    gitea_only_allow_external_registration: true
+    gitea_enable_captcha: false
+    gitea_require_signin: false
+    gitea_show_registration_button: false
+    gitea_start_ssh: true
+    gitea_oauth2_extra_config: |
+      ENABLE_AUTO_REGISTRATION = true
+      USERNAME = email
+      ACCOUNT_LINKING = auto

README.md

@@ -0,0 +1,30 @@
+# Passos manuais preparatórios
+
+```bash
+$ apt install zfsutils-linux snapd
+$ snap install lxd
+$ lxd init
+```
+```text
+Would you like to use LXD clustering? (yes/no): NO
+Do you want to configure a new storage pool? (yes/no): YES
+Name of the new storage pool: wireguards
+Name of the storage backend to use (btrfs, dir, lvm, zfs): ZFS
+Create a new ZFS pool? (yes/no): YES
+Would you like to use an existing block device? (yes/no): NO
+Size in GB of the new loop device (1GB minimum): 5 ????
+Would you like to connect to a MAAS server? (yes/no): NO
+Would you like to create a new local network bridge? (yes/no): YES
+What should the new bridge be called?: lxdbr0
+What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”): AUTO
+What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”): AUTO
+Would you like LXD to be available over the network? (yes/no): NO
+Would you like stale cached images to be updated automatically? (yes/no): YES
+Would you like a YAML "lxd init" preseed to be printed? (yes/no): NO
+```
+```bash
+$ lxc config set core.https_address "[::]"
+$ lxc config set core.trust_password uma_pass
+
+$ lxc config unset core.trust_password
+```

files/ha_certbot_renew.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+CERTS=$(certbot certificates | grep 'Certificate Name'| cut -c 21-)
+
+# Renew the certificate
+certbot renew #--force-renewal --tls-sni-01-port=8888
+
+# Concatenate new cert files, with less output (avoiding the use tee and its output to stdout)
+for certs in $CERTS; do
+  bash -c "cat /etc/letsencrypt/live/$certs/fullchain.pem /etc/letsencrypt/live/$certs/privkey.pem > /etc/haproxy/ssl/$certs.pem"
+done
+
+# Reload  HAProxy
+systemctl reload haproxy

files/ha_haproxy.cfg.j2

@@ -0,0 +1,84 @@
+global
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 300s
+
+        user haproxy
+        group haproxy
+        daemon
+
+        ulimit-n  120041
+        maxconn   60000
+        pidfile   /var/run/haproxy.pid
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384::ECDHE-ECDSA-AES256-SHA384
+        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
+        ssl-dh-param-file /etc/haproxy/dhparam.pem
+
+defaults
+        log     global
+        mode    http
+        retries 3
+
+        option  httplog
+        option  dontlognull
+        option  redispatch
+        option  forwardfor except 127.0.0.1
+
+        timeout http-request    10s
+        timeout check           10s
+        timeout client          60s
+        timeout connect         10s
+        timeout server          60s
+
+        maxconn   60000
+
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+# The web frontend
+
+frontend http_https
+        bind :80 accept-proxy
+        bind :443 accept-proxy ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
+
+        http-request set-header X-Port %[dst_port]
+        http-request set-header X-Real-Ip %[src]
+        http-request set-header X-Orig-URL %[req.hdr(Host)]%[url]
+        http-request set-header X-Proto SSL if { ssl_fc }
+        http-request set-header X-Forwarded-Proto https if { ssl_fc }
+        http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
+
+        # Redirect if HTTPS is *not* used
+        redirect scheme https code 301 if !{ ssl_fc }
+
+        # Test URI to see if its a letsencrypt request
+        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+        use_backend letsencrypt if letsencrypt-acl
+
+        # Gitea
+        acl git-ansol-org hdr(host) -i git.ansol.org
+        use_backend git-ansol-org if git-ansol-org
+
+# Let's Encrypt
+
+backend letsencrypt
+        server letsencrypt 127.0.0.1:8888
+
+# Gitea
+
+backend git-ansol-org
+        server git-ansol-org gitea:3000 check

files/ha_new_cert.sh

@@ -0,0 +1,13 @@
+#/bin/bash
+
+set -e
+
+sudo certbot certonly --standalone -d "$1" \
+    --non-interactive \
+    --agree-tos \
+    --email contacto@ansol.org \
+    --preferred-challenges http \
+    --http-01-address 127.0.0.1 \
+    --http-01-port 8888 \
+
+cat /etc/letsencrypt/live/"$1"/fullchain.pem /etc/letsencrypt/live/"$1"/privkey.pem > /etc/haproxy/ssl/"$1".pem

hosts

@@ -0,0 +1,6 @@
+[lxd_hosts]
+git.ansol.org ansible_ssh_user=root
+
+[containers]
+haproxy ansible_lxd_remote=lxd-ansol ansible_lxd_host=haproxy ansible_connection=community.general.lxd ansible_python_interpreter=/usr/bin/python3
+gitea ansible_lxd_remote=lxd-ansol ansible_lxd_host=gitea ansible_connection=community.general.lxd ansible_python_interpreter=/usr/bin/python3

main.yaml

@@ -0,0 +1,13 @@
+---
+# Preparatory tasks
+- import_playbook: 00_preps.yaml
+# README manual steps, then:
+- import_playbook: 01_prep_lxd.yaml
+
+# LXD containers
+- import_playbook: 02_lxc_containers.yaml
+
+# Container Haproxy
+- import_playbook: 03_container_haproxy.yaml
+# Container Gitea
+- import_playbook: 04_container_gitea.yaml