From ca802e834e2cc57560e56bcbda0a2f9361c0fc72 Mon Sep 17 00:00:00 2001 From: Tiago Carrondo Date: Tue, 1 Mar 2022 23:30:08 +0000 Subject: [PATCH] initial dump --- 00_preps.yaml | 23 +++++++++++ 01_prep_lxd.yaml | 11 +++++ 02_lxc_containers.yaml | 44 ++++++++++++++++++++ 03_container_haproxy.yaml | 55 +++++++++++++++++++++++++ 04_container_gitea.yaml | 19 +++++++++ README.md | 30 ++++++++++++++ files/ha_certbot_renew.sh | 14 +++++++ files/ha_haproxy.cfg.j2 | 84 +++++++++++++++++++++++++++++++++++++++ files/ha_new_cert.sh | 13 ++++++ hosts | 6 +++ main.yaml | 13 ++++++ 11 files changed, 312 insertions(+) create mode 100644 00_preps.yaml create mode 100644 01_prep_lxd.yaml create mode 100644 02_lxc_containers.yaml create mode 100644 03_container_haproxy.yaml create mode 100644 04_container_gitea.yaml create mode 100644 README.md create mode 100644 files/ha_certbot_renew.sh create mode 100644 files/ha_haproxy.cfg.j2 create mode 100644 files/ha_new_cert.sh create mode 100644 hosts create mode 100644 main.yaml diff --git a/00_preps.yaml b/00_preps.yaml new file mode 100644 index 0000000..11691a5 --- /dev/null +++ b/00_preps.yaml @@ -0,0 +1,23 @@ +--- +- name: Preps Playbook + hosts: lxd_hosts + become: true + roles: + - fail2ban + tasks: + - name: PREPS -- install needed packages + become: true + package: + state: present + name: '{{ item }}' + with_items: + - unattended-upgrades + - zfsutils-linux # needed for lxd + - name: PREPS -- install lxd snap + become: true + snap: + name: lxd + - name: Add user 'git' + become: true + user: + name: git diff --git a/01_prep_lxd.yaml b/01_prep_lxd.yaml new file mode 100644 index 0000000..7173478 --- /dev/null +++ b/01_prep_lxd.yaml 
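Review bot: The `PREPS -- install needed packages` task loops `package:` over `with_items`, which runs one package transaction per item; `package:` accepts a list, so `name: [unattended-upgrades, zfsutils-linux]` does the install in one call and drops the loop (keep the `# needed for lxd` remark as a comment above the task). The per-task `become: true` lines repeat the play-level `become: true` and can go. The `Add user 'git'` task creates a `git` account on the LXD host itself although Gitea runs in a container (04_container_gitea.yaml); if that is intentional, a comment such as `# local git user on the LXD host; Gitea's own user lives in the gitea container` saves the next reader the question, otherwise it looks like a leftover.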
@@ -0,0 +1,11 @@ +--- +- name: Prep lxd Playbook + hosts: lxd_hosts + become: true + tasks: + - name: PREP LXD -- Check if ubuntu minimal repo already added. + shell: lxc remote list | grep ubuntu-minimal | wc -l + register: ubuntu_minimal_repo + - name: PREP LXD -- Add ubuntu minimal repo + command: lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/ + when: ubuntu_minimal_repo.stdout != "1" diff --git a/02_lxc_containers.yaml b/02_lxc_containers.yaml new file mode 100644 index 0000000..56b7039 --- /dev/null +++ b/02_lxc_containers.yaml @@ -0,0 +1,44 @@ +--- +- name: LXD Playbook + hosts: lxd_hosts + become: true + tasks: + - name: Create lxd containers + community.general.lxd_container: + name: '{{ item }}' + state: started + source: + type: image + mode: pull + server: https://cloud-images.ubuntu.com/minimal/releases/ + protocol: simplestreams # if you get a 404, try setting protocol: simplestreams + alias: focal + profiles: ['default'] + wait_for_ipv4_addresses: true + timeout: 600 + with_items: + - haproxy + - gitea + - name: Create haproxy port forwards + community.general.lxd_container: + name: haproxy + devices: + map_port_80: + type: proxy + listen: tcp:0.0.0.0:80 + connect: tcp:127.0.0.1:80 + proxy_protocol: 'true' + map_port_443: + type: proxy + listen: tcp:0.0.0.0:443 + connect: tcp:127.0.0.1:443 + proxy_protocol: 'true' + - name: Create gitea port forward(s) + community.general.lxd_container: + name: gitea + devices: + map_port_2222: + type: proxy + listen: tcp:0.0.0.0:2222 + connect: tcp:127.0.0.1:2222 + proxy_protocol: 'true' diff --git a/03_container_haproxy.yaml b/03_container_haproxy.yaml new file mode 100644 index 0000000..f67b456 --- /dev/null +++ b/03_container_haproxy.yaml 
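Review bot: The `PREP LXD -- Check if ubuntu minimal repo already added.` task is a read-only probe but has no `changed_when`, so every run reports a change and check mode is unusable; add `changed_when: false` (and `check_mode: false` if the following `when:` must still be evaluated in check runs). The `grep ubuntu-minimal | wc -l` count is a substring match, so any other remote whose name contains that text makes the `!= "1"` comparison wrong in both directions; `lxc remote list --format csv` with an exact match on the first field is a more robust probe. A short comment on the `when:` saying the add is skipped when exactly one matching remote exists would also make the intent explicit.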
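Review bot: The `map_port_2222` device on the gitea container sets `proxy_protocol: 'true'`, but the target `tcp:127.0.0.1:2222` is presumably Gitea's built-in SSH listener (`gitea_start_ssh: true` in 04_container_gitea.yaml), and an SSH server that is not configured to expect a PROXY protocol header fails the handshake on the first bytes — confirm the Gitea version in use can accept PROXY protocol on its SSH port, otherwise drop the option for this device only. For the two haproxy devices the option is consistent with `bind :80 accept-proxy` / `bind :443 accept-proxy` in files/ha_haproxy.cfg.j2. All three devices listen on `0.0.0.0`, i.e. every IPv4 address of the LXD host, and nothing in this play restricts who can reach them; a comment stating that this exposure is intended belongs above the `devices:` blocks. `with_items` can become `loop:` since the file already uses fully-qualified collection names.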
@@ -0,0 +1,55 @@ +--- +- name: HAPROXY -- install + hosts: haproxy + become: true + tasks: + - name: HAPROXY -- install needed packages + become: true + package: + state: present + name: '{{ item }}' + with_items: + - unattended-upgrades + - haproxy + - name: HAPROXY -- Generate Diffie-Hellman parameters with the default size (4096 bits) + community.crypto.openssl_dhparam: + path: /etc/haproxy/dhparam.pem + - name: HAPROXY -- create ssl folder + become: true + file: + path: '/etc/haproxy/ssl' + state: directory + - name: HAPROXY -- new cert script + copy: + src: 'files/ha_new_cert.sh' + dest: '/usr/local/bin/new_certbot' + mode: 0755 + - name: HAPROXY -- cert renew script + become: true + copy: + src: 'files/ha_certbot_renew.sh' + dest: '/etc/cron.weekly/certbot_renew.sh' + mode: 0755 + - name: HAPROXY -- config file + become: true + template: + src: files/ha_haproxy.cfg.j2 + dest: /etc/haproxy/haproxy.cfg + owner: root + group: root + mode: 0644 + tags: + - hot + notify: + - reload haproxy + - name: HAPROXY -- install certbot snap + become: true + snap: + name: certbot + classic: yes + handlers: + - name: reload haproxy + service: + name: haproxy + state: reloaded + enabled: yes diff --git a/04_container_gitea.yaml b/04_container_gitea.yaml new file mode 100644 index 0000000..ffda419 --- /dev/null +++ b/04_container_gitea.yaml @@ -0,0 +1,19 @@ +--- +- name: GITEA -- install + hosts: gitea + roles: + - { role: do1jlr.gitea, tags: gitea } + vars: + gitea_fqdn: 'git.ansol.org' + gitea_root_url: 'https://git.ansol.org' + gitea_http_listen: '0.0.0.0' + gitea_protocol: http + gitea_only_allow_external_registration: true + gitea_enable_captcha: false + gitea_require_signin: false + gitea_show_registration_button: false + gitea_start_ssh: true + gitea_oauth2_extra_config: | + ENABLE_AUTO_REGISTRATION = true + USERNAME = email + ACCOUNT_LINKING = auto diff --git a/README.md b/README.md new file mode 100644 index 0000000..df33054 --- /dev/null +++ b/README.md 
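Review bot: The `HAPROXY -- create ssl folder` task creates `/etc/haproxy/ssl` with no `owner`/`group`/`mode`, yet files/ha_new_cert.sh and files/ha_certbot_renew.sh write concatenated fullchain+privkey `.pem` files into it, so the directory holding private keys gets whatever the default umask yields; set `owner: root`, `group: root`, `mode: '0700'` (HAProxy loads `crt /etc/haproxy/ssl/` before dropping to `user haproxy`, so root-only should suffice — confirm against the installed version). The `mode: 0755` / `mode: 0644` values on the copy and template tasks are unquoted octals that PyYAML reads as intended only because of the leading zero; quote them (`mode: '0755'`) as ansible-lint's risky-octal rule asks. `classic: yes` and `enabled: yes` should be `true`. The `copy:` task for `new_certbot` lacks the `become: true` its siblings carry; harmless under the play-level become, but drop it everywhere or nowhere.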
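Review bot: `gitea_oauth2_extra_config` sets `ACCOUNT_LINKING = auto` together with `ENABLE_AUTO_REGISTRATION = true`, which links an incoming OAuth2 identity to an existing local account on a matching e-mail address without that account's owner authenticating; that is only safe when every configured provider verifies e-mail ownership, so either record that constraint in a comment above the block or use `ACCOUNT_LINKING = login`, which makes the existing account sign in before linking. The forward in 02_lxc_containers.yaml expects Gitea's SSH on port 2222 inside this container, but no SSH port variable is set here — confirm the role default matches, or set it explicitly next to `gitea_start_ssh`. `gitea_http_listen: '0.0.0.0'` with `gitea_protocol: http` is fine only because HAProxy terminates TLS (`server git-ansol-org gitea:3000` in files/ha_haproxy.cfg.j2); a one-line comment saying so prevents a later reader from exposing it directly. The flow-style `- { role: do1jlr.gitea, tags: gitea }` would read better in block style.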
@@ -0,0 +1,30 @@ +# Passos manuais preparatórios + +```bash +$ apt install zfsutils-linux snapd +$ snap install lxd +$ lxd init +``` +```text +Would you like to use LXD clustering? (yes/no): NO +Do you want to configure a new storage pool? (yes/no): YES +Name of the new storage pool: wireguards +Name of the storage backend to use (btrfs, dir, lvm, zfs): ZFS +Create a new ZFS pool? (yes/no): YES +Would you like to use an existing block device? (yes/no): NO +Size in GB of the new loop device (1GB minimum): 5 ???? +Would you like to connect to a MAAS server? (yes/no): NO +Would you like to create a new local network bridge? (yes/no): YES +What should the new bridge be called?: lxdbr0 +What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”): AUTO +What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”): AUTO +Would you like LXD to be available over the network? (yes/no): NO +Would you like stale cached images to be updated automatically? (yes/no): YES +Would you like a YAML "lxd init" preseed to be printed? (yes/no): NO +``` +```bash +$ lxc config set core.https_address "[::]" +$ lxc config set core.trust_password uma_pass + +$ lxc config unset core.trust_password +``` diff --git a/files/ha_certbot_renew.sh b/files/ha_certbot_renew.sh new file mode 100644 index 0000000..a2986c0 --- /dev/null +++ b/files/ha_certbot_renew.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +CERTS=$(certbot certificates | grep 'Certificate Name'| cut -c 21-) + +# Renew the certificate +certbot renew #--force-renewal --tls-sni-01-port=8888 + +# Concatenate new cert files, with less output (avoiding the use tee and its output to stdout) +for certs in $CERTS; do + bash -c "cat /etc/letsencrypt/live/$certs/fullchain.pem /etc/letsencrypt/live/$certs/privkey.pem > /etc/haproxy/ssl/$certs.pem" +done + +# Reload HAProxy +systemctl reload haproxy diff --git a/files/ha_haproxy.cfg.j2 b/files/ha_haproxy.cfg.j2 new file mode 100644 index 0000000..822ae7c --- /dev/null 
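Review bot: The loop writes `/etc/haproxy/ssl/$certs.pem`, which contains the private key, through a redirection that inherits the caller's umask, so under cron the file is typically created world-readable; put `umask 077` before the loop, and the same applies to the final redirection in files/ha_new_cert.sh. The `bash -c "cat … > …"` wrapper adds nothing over a direct redirection and re-parses `$certs` as shell source, so `cat "/etc/letsencrypt/live/$certs/fullchain.pem" "/etc/letsencrypt/live/$certs/privkey.pem" > "/etc/haproxy/ssl/$certs.pem"` is both simpler and safer. `certbot renew` has no error check before `systemctl reload haproxy`; `set -euo pipefail` at the top stops the reload when renewal or concatenation fails. `CERTS` is derived from `certbot certificates` table output with `cut -c 21-`, which is not a stable interface; a comment noting that assumption (or parsing the `/etc/letsencrypt/live/*/` directory names instead) would help.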
+++ b/files/ha_haproxy.cfg.j2 
@@ -0,0 +1,84 @@ +global + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 300s + + user haproxy + group haproxy + daemon + + ulimit-n 120041 + maxconn 60000 + pidfile /var/run/haproxy.pid + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384::ECDHE-ECDSA-AES256-SHA384 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem + ssl-dh-param-file /etc/haproxy/dhparam.pem + +defaults + log global + mode http + retries 3 + + option httplog + option dontlognull + option redispatch + option forwardfor except 127.0.0.1 + + timeout http-request 10s + timeout check 10s + timeout client 60s + timeout connect 10s + timeout server 60s + + maxconn 60000 + + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +# The web frontend + +frontend http_https + bind :80 accept-proxy + bind :443 accept-proxy ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1 + + http-request set-header X-Port %[dst_port] + http-request set-header X-Real-Ip %[src] + http-request set-header X-Orig-URL %[req.hdr(Host)]%[url] + http-request set-header X-Proto SSL if { ssl_fc } + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" + + # Redirect if HTTPS is *not* used + redirect scheme https code 301 if !{ 
ssl_fc } + + # Test URI to see if its a letsencrypt request + acl letsencrypt-acl path_beg /.well-known/acme-challenge/ + use_backend letsencrypt if letsencrypt-acl + + # Gitea + acl git-ansol-org hdr(host) -i git.ansol.org + use_backend git-ansol-org if git-ansol-org + +# Let's Encrypt + +backend letsencrypt + server letsencrypt 127.0.0.1:8888 + +# Gitea + +backend git-ansol-org + server git-ansol-org gitea:3000 check diff --git a/files/ha_new_cert.sh b/files/ha_new_cert.sh new file mode 100644 index 0000000..2f5317c --- /dev/null +++ b/files/ha_new_cert.sh @@ -0,0 +1,13 @@ +#/bin/bash + +set -e + +sudo certbot certonly --standalone -d "$1" \ + --non-interactive \ + --agree-tos \ + --email contacto@ansol.org \ + --preferred-challenges http \ + --http-01-address 127.0.0.1 \ + --http-01-port 8888 \ + +cat /etc/letsencrypt/live/"$1"/fullchain.pem /etc/letsencrypt/live/"$1"/privkey.pem > /etc/haproxy/ssl/"$1".pem diff --git a/hosts b/hosts new file mode 100644 index 0000000..da9b2a0 --- /dev/null +++ b/hosts @@ -0,0 +1,6 @@ +[lxd_hosts] +git.ansol.org ansible_ssh_user=root + +[containers] +haproxy ansible_lxd_remote=lxd-ansol ansible_lxd_host=haproxy ansible_connection=community.general.lxd ansible_python_interpreter=/usr/bin/python3 +gitea ansible_lxd_remote=lxd-ansol ansible_lxd_host=gitea ansible_connection=community.general.lxd ansible_python_interpreter=/usr/bin/python3 diff --git a/main.yaml b/main.yaml new file mode 100644 index 0000000..52e76ec --- /dev/null +++ b/main.yaml @@ -0,0 +1,13 @@ +--- +# Preparatory tasks +- import_playbook: 00_preps.yaml +# README manual steps, then: +- import_playbook: 01_prep_lxd.yaml + +# LXD containers +- import_playbook: 02_lxc_containers.yaml + +# Container Haproxy +- import_playbook: 03_container_haproxy.yaml +# Container Gitea +- import_playbook: 04_container_gitea.yaml
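Review bot: `ssl-default-bind-ciphers` contains `::` between `ECDHE-RSA-AES256-GCM-SHA384` and `ECDHE-ECDSA-AES256-SHA384`, leaving an empty entry in the cipher string; OpenSSL may tolerate it, but it reads like a lost cipher name, so make it a single `:` or restore the intended suite and verify with `haproxy -c -f /etc/haproxy/haproxy.cfg`. The hostname `git.ansol.org` is hard-coded in the `git-ansol-org` acl and backend even though this file is rendered by `template:` in 03_container_haproxy.yaml and the same name is `gitea_fqdn` in 04_container_gitea.yaml; rendering it as `{{ gitea_fqdn }}` (with that variable made available to the haproxy play) keeps the two in step. The `Strict-Transport-Security` value ends in `preload;`; the trailing semicolon is unnecessary and some header checkers flag it, so drop it. The `redirect scheme https` rule also applies to `/.well-known/acme-challenge/` requests; the http-01 validator follows redirects so this works, but a comment stating that reliance would spare a future debugging session.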
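Review bot: The first line is `#/bin/bash` without the `!`, so the file has no valid shebang; when invoked as `/usr/local/bin/new_certbot` (installed with mode 0755 by 03_container_haproxy.yaml) the kernel cannot exec it and the calling shell falls back to interpreting it as a plain script — write `#!/usr/bin/env bash` as files/ha_certbot_renew.sh does. The `--http-01-port 8888 \` line ends in a continuation backslash followed by a blank line, which only works by accident; remove the trailing backslash. `$1` is used unchecked for both the certificate name and the output path, so a missing argument yields an empty `-d` and a file named `/etc/haproxy/ssl/.pem`; add `[ -n "$1" ] || { echo "usage: $0 <fqdn>" >&2; exit 1; }` right after `set -e`. `sudo` is redundant when the script runs as root inside the container and would prompt in a non-interactive run otherwise.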
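Review bot: `git.ansol.org ansible_ssh_user=root` makes Ansible log in as root over SSH although every play in this change already sets `become: true`; use an unprivileged admin account (`ansible_user=<admin user>`) and let become escalate, so root SSH login can be disabled on the host. `ansible_ssh_user` is also the deprecated spelling — `ansible_user` is the current variable. The `[containers]` entries pin `ansible_lxd_remote=lxd-ansol`, a remote name that exists only on a controller where the matching `lxc remote add` was run; a comment stating that prerequisite would help.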
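Review bot: The comment `# README manual steps, then:` sits between two `import_playbook` entries that run back-to-back, so the manual `lxd init` steps from README.md cannot actually happen at that point when `main.yaml` is run as a whole; move the note to the top of the file as `# Prerequisite: complete the manual LXD host setup in README.md before running this`, or split the preparation into its own entry playbook. The remaining comments label each import but do not say that 03/04 need the containers from 02 to be reachable over the LXD connection plugin; one sentence on that ordering requirement would help.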