From 15c1b9c2ea9ae8fcad3a324ca62dcb16d3bde4a6 Mon Sep 17 00:00:00 2001
From: Vilmos Zsombor TANCZOS
Date: Sun, 4 May 2025 23:49:10 +0200
Subject: [PATCH] initial commit with redbot and vaultwarden migrated

---
.gitignore | 1 +
ansible.cfg | 3 ++
group_vars/vault.yml | 10 ++++
inventory/home.yml | 11 ++++
playbooks/home-services.yml | 16 ++++++
roles/caddy/defaults/main.yml | 3 ++
roles/caddy/tasks/main.yml | 51 +++++++++++++++++++
roles/common/tasks/create_service_user.yml | 28 ++++++++++
roles/compose-service/defaults/main.yml | 6 +++
roles/compose-service/tasks/main.yml | 32 ++++++++++++
.../compose-service/templates/service.yml.j2 | 27 ++++++++++
roles/docker/tasks/main.yml | 21 ++++++++
roles/fedora/tasks/main.yml | 4 ++
roles/redbot/defaults/main.yml | 6 +++
roles/redbot/tasks/main.yml | 18 +++++++
roles/vaultwarden/defaults/main.yml | 4 ++
roles/vaultwarden/tasks/main.yml | 21 ++++++++
.../templates/vaultwarden.caddy.j2 | 5 ++
18 files changed, 267 insertions(+)
create mode 100644 .gitignore
create mode 100644 ansible.cfg
create mode 100644 group_vars/vault.yml
create mode 100644 inventory/home.yml
create mode 100644 playbooks/home-services.yml
create mode 100644 roles/caddy/defaults/main.yml
create mode 100644 roles/caddy/tasks/main.yml
create mode 100644 roles/common/tasks/create_service_user.yml
create mode 100644 roles/compose-service/defaults/main.yml
create mode 100644 roles/compose-service/tasks/main.yml
create mode 100644 roles/compose-service/templates/service.yml.j2
create mode 100644 roles/docker/tasks/main.yml
create mode 100644 roles/fedora/tasks/main.yml
create mode 100644 roles/redbot/defaults/main.yml
create mode 100644 roles/redbot/tasks/main.yml
create mode 100644 roles/vaultwarden/defaults/main.yml
create mode 100644 roles/vaultwarden/tasks/main.yml
create mode 100644 roles/vaultwarden/templates/vaultwarden.caddy.j2

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3eca8f1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.vaultpasswd
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..d44bcd5
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+roles_path = ./roles
+inventory = inventory/home.yml
diff --git a/group_vars/vault.yml b/group_vars/vault.yml
new file mode 100644
index 0000000..257b0e6
--- /dev/null
+++ b/group_vars/vault.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34666337636238346633666130656239363230316532373261353632643834643933353032663964
+3062636238396535333534353030383165626666353531630a336435306532313666656231633335
+66666238363665323262653630316230376232333561626337386434383866653038616133616430
+3631623636626532650a623763633535666563623864633434646231646530616364623236323166
+66333264376665356439663031616438336237366435306630393162323637626431306330356161
+31303730306231643962633232626235643566663836646137303563373034663064636632336663
+39353862353039303366336361363134626361373961613764363962613031376366643932623936
+36386334386663306363653032363336393432643335653066656638626364646561313532323938
+62666163616361386633313131386665383963356566363465313734396635393934
diff --git a/inventory/home.yml b/inventory/home.yml
new file mode 100644
index 0000000..c6f9218
--- /dev/null
+++ b/inventory/home.yml
@@ -0,0 +1,11 @@
+all:
+ hosts:
+ lead:
+ ansible_host: lead
+ ansible_user: knightos
+fedora:
+ hosts:
+ lead:
+caddy:
+ hosts:
+ lead:
diff --git a/playbooks/home-services.yml b/playbooks/home-services.yml
new file mode 100644
index 0000000..2e6faf9
--- /dev/null
+++ b/playbooks/home-services.yml
@@ -0,0 +1,16 @@
+- name: Setup Fedora hosts
+ hosts: fedora
+ become: true
+ roles:
+ - fedora
+
+- name: Setup Docker and services on home server
+ hosts: lead
+ become: true
+ vars_files:
+ - ../group_vars/vault.yml
+ roles:
+ - docker
+ - caddy
+ - vaultwarden
+ - redbot
diff --git a/roles/caddy/defaults/main.yml b/roles/caddy/defaults/main.yml
new file mode 100644
index 0000000..a8ee8f0
--- /dev/null
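Review bot: `ansible.cfg` never points at the vault password file that the `.gitignore` hunk sets aside, so every run of the play that loads `group_vars/vault.yml` has to pass `--vault-password-file` or `--ask-vault-pass` by hand. If `.vaultpasswd` is meant to live in the repository root, add `vault_password_file = .vaultpasswd` under `[defaults]`; otherwise a comment in `ansible.cfg` saying how the vault is unlocked would spare the next reader a failed run.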
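Review bot: The `roles:` order in the second play carries dependencies that nothing states: the `vaultwarden` role templates into `caddyfiles_directory`, a fact that only the `caddy` role sets, and the `docker` role's `dnf5` module needs the `python3-libdnf5` package that the first play installs. Reordering either list silently breaks the run. Add a comment above the second `roles:` such as `# order matters: caddy sets caddyfiles_directory, which vaultwarden consumes` and one above the first play noting that it bootstraps the dnf5 Python bindings for the second.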
+++ b/roles/caddy/defaults/main.yml
@@ -0,0 +1,3 @@
+service_name: caddy
+docker_image: caddy
+docker_image_version: alpine
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml
new file mode 100644
index 0000000..c113cd0
--- /dev/null
+++ b/roles/caddy/tasks/main.yml
@@ -0,0 +1,51 @@
+- name: Ensure Caddy user
+ ansible.builtin.import_tasks: ../../common/tasks/create_service_user.yml
+
+- name: Set Caddy facts
+ ansible.builtin.set_fact:
+ caddyfiles_directory: '{{ service_root }}/caddyfiles'
+
+- name: Ensure Caddy directories exist and are writable
+ ansible.builtin.file:
+ path: '{{ item }}'
+ state: directory
+ owner: '{{ service_user }}'
+ group: '{{ service_user }}'
+ mode: '700'
+ loop:
+ - '{{ service_root }}/data'
+ - '{{ service_root }}/config'
+ - '{{ service_root }}/conf'
+ - '{{ caddyfiles_directory }}'
+
+- name: Set Caddyfile to import caddyfiles directory
+ ansible.builtin.copy:
+ content: |
+ {
+ auto_https off
+ }
+ import /caddyfiles/*
+ dest: '{{ service_root }}/conf/Caddyfile'
+ owner: '{{ service_user }}'
+ group: '{{ service_user }}'
+ mode: '644'
+
+- name: Deploy caddy compose service
+ ansible.builtin.import_role:
+ name: compose-service
+ vars:
+ docker_volumes:
+ - '{{ service_root }}/data:/data'
+ - '{{ service_root }}/config:/config'
+ - '{{ service_root }}/conf:/etc/caddy'
+ - '{{ caddyfiles_directory }}:/caddyfiles'
+ docker_ports:
+ - "80:80"
+ - "443:443"
+ - "443:443/udp"
+
+- name: Add container to Caddy network
+ community.docker.docker_network:
+ name: Caddy
+ connected:
+ - '{{ service_name }}'
diff --git a/roles/common/tasks/create_service_user.yml b/roles/common/tasks/create_service_user.yml
new file mode 100644
index 0000000..6969d6b
--- /dev/null
+++ b/roles/common/tasks/create_service_user.yml
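Review bot: The `Add container to Caddy network` task at the end of the caddy tasks hunk omits `appends: true`, unlike the same task inside the compose-service role, so `docker_network` reconciles the network to exactly the listed container and detaches vaultwarden and redbot on every rerun until their own roles reattach them later in the play; a partial run leaves them detached. The imported compose-service role already connects caddy with `appends: true`, so the task is redundant — drop it, or at minimum add `appends: true`. The global `auto_https off` written into the Caddyfile also deserves a comment, because it turns off certificate management for every site imported from `/caddyfiles`, the Vaultwarden vhost included.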
@@ -0,0 +1,28 @@
+- name: Assert mandatory variables
+ ansible.builtin.assert:
+ that:
+ - service_user is defined
+
+- name: Ensure service user "{{ service_user }}" exists
+ ansible.builtin.user:
+ name: "{{ service_user }}"
+ comment: "Service user for {{ service_user }}"
+ shell: /sbin/nologin
+ # TODO: service_root should somehow be reflected here
+ home: "/opt/{{ service_user }}"
+ create_home: true
+ system: true
+
+- name: Ensure directory for "{{ service_user }}"
+ ansible.builtin.file:
+ # TODO: service_root
+ path: "/opt/{{ service_user }}"
+ state: directory
+ owner: "{{ service_user }}"
+ group: "{{ service_user }}"
+ mode: '755'
+
+- name: Get user info from passwd
+ ansible.builtin.getent:
+ database: passwd
+ key: '{{ service_user }}'
diff --git a/roles/compose-service/defaults/main.yml b/roles/compose-service/defaults/main.yml
new file mode 100644
index 0000000..30b5e26
--- /dev/null
+++ b/roles/compose-service/defaults/main.yml
@@ -0,0 +1,6 @@
+service_user: '{{ service_name }}'
+service_root: '{{ "/opt/" ~ service_name }}'
+docker_volumes: []
+docker_env: {}
+docker_ports: []
+use_docker_user: true
diff --git a/roles/compose-service/tasks/main.yml b/roles/compose-service/tasks/main.yml
new file mode 100644
index 0000000..98b99d0
--- /dev/null
+++ b/roles/compose-service/tasks/main.yml
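Review bot: `docker_image_version` is read by `service.yml.j2` (`{% if docker_image_version %}`) but has no default in the compose-service defaults hunk, and the role's `assert` only checks `service_name` and `docker_image`, so a consumer role that omits it would presumably fail templating on an undefined variable rather than fall back to the untagged image. Add `docker_image_version: ''` next to the other defaults; all three roles in this commit set the variable themselves, so the change is compatible. A short comment per key (what `use_docker_user` switches on in the template, what shape `docker_env` expects) would make the role's interface self-describing.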
@@ -0,0 +1,32 @@
+- name: Deploy service
+ block:
+ - name: Assert mandatory variables are defines
+ ansible.builtin.assert:
+ that:
+ - service_name is defined
+ - docker_image is defined
+
+ - name: Setup {{ service_user }} user and directories
+ ansible.builtin.import_tasks: ../../common/tasks/create_service_user.yml
+
+ - name: Deploy {{ service_name }} docker-compose
+ ansible.builtin.template:
+ src: 'service.yml.j2'
+ dest: '{{ service_root }}/docker-compose.yml'
+ owner: '{{ service_user }}'
+ group: '{{ service_user }}'
+ mode: '0644'
+
+ - name: Start {{ service_name }} container
+ community.docker.docker_compose_v2:
+ project_src: '{{ service_root }}'
+ state: present
+ remove_orphans: true
+ recreate: always
+
+ - name: Add container to Caddy network
+ community.docker.docker_network:
+ name: Caddy
+ connected:
+ - '{{ service_name }}'
+ appends: true
diff --git a/roles/compose-service/templates/service.yml.j2 b/roles/compose-service/templates/service.yml.j2
new file mode 100644
index 0000000..3a6a127
--- /dev/null
+++ b/roles/compose-service/templates/service.yml.j2
@@ -0,0 +1,27 @@
+services:
+ {{ service_name }}:
+ container_name: {{ service_name }}
+ image: {{ docker_image }}{% if docker_image_version %}:{{ docker_image_version }}{% endif %}
+
+{% if use_docker_user %}
+ user: "{{ getent_passwd[service_user].1 }}:{{ getent_passwd[service_user].2 }}"
+{% endif %}
+{% if docker_volumes %}
+ volumes:
+{% for volume in docker_volumes %}
+ - {{ volume }}
+{% endfor %}
+{% endif %}
+{% if docker_env %}
+ environment:
+{% for key, value in docker_env.items() %}
+ {{ key }}: {{ value }}
+{% endfor %}
+{% endif %}
+{% if docker_ports %}
+ ports:
+{% for port in docker_ports %}
+ - "{{ port }}"
+{% endfor %}
+{% endif %}
+ restart: unless-stopped
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..4bc0f83
--- /dev/null
+++ b/roles/docker/tasks/main.yml
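Review bot: The rendered `docker-compose.yml` is written with `mode: '0644'` inside a service root that `create_service_user.yml` creates as `755`, so every value passed through `docker_env` — including the vault-sourced Discord token the redbot role hands in as `TOKEN` — ends up readable by any local account on the host. The file is only consumed by `docker_compose_v2` running under `become`, so `mode: '0600'` costs nothing; a comment above the template task noting that the file can carry secrets would help too. Separately, the task name `Assert mandatory variables are defines` should read `are defined`, and `recreate: always` recreates every container on each run, so the block is never idempotent — worth a comment if that is intended.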
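Review bot: The `environment:` entries render `{{ key }}: {{ value }}` unquoted, so any value that looks like a YAML boolean, number or null (`false`, `0644`, an empty string, a Python `True` from an Ansible bool) is retyped by the compose parser, and a value containing `: ` or ` #` breaks the document. Render scalars through a quoting filter, `{{ key }}: {{ value | string | to_json }}`, and do the same for `- {{ volume }}`; `ports` already gets this right with explicit quotes. The compose file also never declares the `Caddy` network the roles attach containers to out of band, which is why a `recreate: always` restart leaves a container detached until the next `docker_network` task; a comment at the top of the template recording that coupling would save a puzzled debugging session.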
@@ -0,0 +1,21 @@
+- name: Add Docker repo
+ ansible.builtin.yum_repository:
+ name: docker
+ description: Docker Fedora repo
+ baseurl: https://download.docker.com/linux/fedora/$releasever/$basearch/stable/
+ gpgkey: https://download.docker.com/linux/fedora/gpg
+
+- name: Install Docker
+ ansible.builtin.dnf5:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+ state: present
+
+- name: Enable and start Docker service
+ ansible.builtin.service:
+ name: docker
+ enabled: true
+ state: started
diff --git a/roles/fedora/tasks/main.yml b/roles/fedora/tasks/main.yml
new file mode 100644
index 0000000..34f16f4
--- /dev/null
+++ b/roles/fedora/tasks/main.yml
@@ -0,0 +1,4 @@
+- name: Install python3-libdnf
+ ansible.builtin.command:
+ cmd: dnf install python3-libdnf5 -y
+ creates: /usr/lib64/python*/site-packages/libdnf5
diff --git a/roles/redbot/defaults/main.yml b/roles/redbot/defaults/main.yml
new file mode 100644
index 0000000..b6692f9
--- /dev/null
+++ b/roles/redbot/defaults/main.yml
@@ -0,0 +1,6 @@
+service_name: redbot
+docker_image: phasecorex/red-discordbot
+docker_image_version:
+data_directory: "{{ service_root }}/data"
+discord_token: "{{ vault.discord_bot_token }}"
+bot_prefix: .
diff --git a/roles/redbot/tasks/main.yml b/roles/redbot/tasks/main.yml
new file mode 100644
index 0000000..2e13ca6
--- /dev/null
+++ b/roles/redbot/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Ensure data directory exists
+ ansible.builtin.file:
+ path: '{{ data_directory }}'
+ state: directory
+ owner: '{{ service_user }}'
+ group: '{{ service_user }}'
+ mode: '700'
+
+- name: Deploy Redbot
+ ansible.builtin.import_role:
+ name: compose-service
+ vars:
+ docker_volumes:
+ - '{{ data_directory }}:/data'
+ docker_env:
+ TOKEN: '{{ discord_token }}'
+ PREFIX: '{{ bot_prefix }}'
+ use_docker_user: false
diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml
new file mode 100644
index 0000000..a738baf
--- /dev/null
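Review bot: The `yum_repository` entry in the docker tasks hunk sets `gpgkey` but not `gpgcheck`, so signature verification of the Docker packages depends on whatever the host's dnf configuration defaults to instead of being pinned by the role. Add `gpgcheck: true` (and an explicit `enabled: true`) next to `gpgkey`. The `dnf5` module in the following task also relies on `python3-libdnf5`, which only the fedora role in the previous play installs; a one-line comment saying so would explain why that play must run first.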
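Review bot: `use_docker_user: false` in the redbot tasks hunk means the container runs as whatever user the image defaults to, while `data_directory` is created `700` and owned by the dedicated `service_user`; if the image drops to a different uid the bot cannot write its data, and if it stays root the service account created for it is unused. Add a comment stating why the uid mapping is disabled here — presumably the image manages its own user — and, if the image offers a uid/gid mapping variable, pass the `getent_passwd` values through `docker_env` so the `700` directory and the container user agree. The bare `docker_image_version:` in the redbot defaults also reads as null; write `docker_image_version: ''` so the intent (untagged image) is explicit, and note that an untagged pull floats with every rebuild.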
+++ b/roles/vaultwarden/defaults/main.yml
@@ -0,0 +1,4 @@
+service_name: vaultwarden
+docker_image: vaultwarden/server
+docker_image_version: latest
+data_directory: "{{ service_root }}/data"
diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml
new file mode 100644
index 0000000..918b935
--- /dev/null
+++ b/roles/vaultwarden/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: Ensure data directory exists
+ ansible.builtin.file:
+ path: '{{ data_directory }}'
+ state: directory
+ owner: '{{ service_user }}'
+ group: '{{ service_user }}'
+ mode: '700'
+
+- name: Deploy Vaultwarden
+ ansible.builtin.import_role:
+ name: compose-service
+ vars:
+ docker_volumes:
+ - '{{ data_directory }}:/data'
+
+- name: Deploy Caddyfile for vaultwarden
+ ansible.builtin.template:
+ src: vaultwarden.caddy.j2
+ dest: '{{ caddyfiles_directory }}/vaultwarden'
+ mode: '644'
+ when: "'caddy' in group_names"
diff --git a/roles/vaultwarden/templates/vaultwarden.caddy.j2 b/roles/vaultwarden/templates/vaultwarden.caddy.j2
new file mode 100644
index 0000000..5c3fef0
--- /dev/null
+++ b/roles/vaultwarden/templates/vaultwarden.caddy.j2
@@ -0,0 +1,5 @@
+http://{{ service_name }}.{{ ansible_hostname }} {
+ reverse_proxy {{ service_name }}:80
+ encode zstd gzip
+}
+
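Review bot: `docker_image_version: latest` leaves the Vaultwarden image unpinned, so a rebuild on a fresh host, or any pull, picks up whatever `latest` currently points to for the service that holds the password database. Pin it to a specific release tag and bump it deliberately; the `alpine` tag in the caddy defaults floats the same way.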
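Review bot: The `Deploy Vaultwarden` task passes no `docker_env`, so the container starts with Vaultwarden's defaults, which leave registration open (`SIGNUPS_ALLOWED`) and set no `DOMAIN` for the URL Caddy serves it on; anyone who can reach the vhost can create an account. Pass at least `docker_env: { SIGNUPS_ALLOWED: "false", DOMAIN: "<public-url placeholder>" }` — switching signups off once the first account exists — ideally from role defaults so the choice is documented. The `Deploy Caddyfile` task also writes into `/caddyfiles` without reloading Caddy, whose `import /caddyfiles/*` is evaluated at start, and on the first run the Caddy container was already recreated before this file existed, so the site is not served until Caddy restarts; a `notify` handler that reloads the config inside the container would close that gap.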
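Review bot: The site block is declared `http://`, and the caddy role's global `auto_https off` disables certificate management, so the Vaultwarden clients and web vault talk to the proxy in cleartext and login credentials and session tokens cross the LAN unencrypted; the web vault's in-browser crypto also needs a secure context, which plain HTTP outside localhost does not provide. Change the address to `https://{{ service_name }}.{{ ansible_hostname }} {`, add `tls internal` inside the block so Caddy issues a locally trusted certificate, and remove `auto_https off` from the global options in the caddy role; `reverse_proxy` and `encode zstd gzip` can stay as they are.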