initial commit with redbot and vaultwarden migrated

.gitignore

@@ -0,0 +1 @@
+.vaultpasswd

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+roles_path = ./roles
+inventory = inventory/home.yml

group_vars/vault.yml

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34666337636238346633666130656239363230316532373261353632643834643933353032663964
+3062636238396535333534353030383165626666353531630a336435306532313666656231633335
+66666238363665323262653630316230376232333561626337386434383866653038616133616430
+3631623636626532650a623763633535666563623864633434646231646530616364623236323166
+66333264376665356439663031616438336237366435306630393162323637626431306330356161
+31303730306231643962633232626235643566663836646137303563373034663064636632336663
+39353862353039303366336361363134626361373961613764363962613031376366643932623936
+36386334386663306363653032363336393432643335653066656638626364646561313532323938
+62666163616361386633313131386665383963356566363465313734396635393934

inventory/home.yml

@@ -0,0 +1,11 @@
+all:
+  hosts:
+    lead:
+      ansible_host: lead
+      ansible_user: knightos
+fedora:
+  hosts:
+    lead:
+caddy:
+  hosts:
+    lead:

playbooks/home-services.yml

@@ -0,0 +1,16 @@
+- name: Setup Fedora hosts
+  hosts: fedora
+  become: true
+  roles:
+    - fedora
+
+- name: Setup Docker and services on home server
+  hosts: lead
+  become: true
+  vars_files:
+    - ../group_vars/vault.yml
+  roles:
+    - docker
+    - caddy
+    - vaultwarden
+    - redbot

roles/caddy/defaults/main.yml

@@ -0,0 +1,3 @@
+service_name: caddy
+docker_image: caddy
+docker_image_version: alpine

roles/caddy/tasks/main.yml

@@ -0,0 +1,51 @@
+- name: Ensure Caddy user
+  ansible.builtin.import_tasks: ../../common/tasks/create_service_user.yml
+
+- name: Set Caddy facts
+  ansible.builtin.set_fact:
+    caddyfiles_directory: '{{ service_root }}/caddyfiles'
+
+- name: Ensure Caddy directories exist and are writable
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: directory
+    owner: '{{ service_user }}'
+    group: '{{ service_user }}'
+    mode: '700'
+  loop:
+    - '{{ service_root }}/data'
+    - '{{ service_root }}/config'
+    - '{{ service_root }}/conf'
+    - '{{ caddyfiles_directory }}'
+
+- name: Set Caddyfile to import caddyfiles directory
+  ansible.builtin.copy:
+    content: |
+      {
+        auto_https off
+      }
+      import /caddyfiles/*
+    dest: '{{ service_root }}/conf/Caddyfile'
+    owner: '{{ service_user }}'
+    group: '{{ service_user }}'
+    mode: '644'
+
+- name: Deploy caddy compose service
+  ansible.builtin.import_role:
+    name: compose-service
+  vars:
+    docker_volumes:
+      - '{{ service_root }}/data:/data'
+      - '{{ service_root }}/config:/config'
+      - '{{ service_root }}/conf:/etc/caddy'
+      - '{{ caddyfiles_directory }}:/caddyfiles'
+    docker_ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+
+- name: Add container to Caddy network
+  community.docker.docker_network:
+    name: Caddy
+    connected:
+      - '{{ service_name }}'

roles/common/tasks/create_service_user.yml

@@ -0,0 +1,28 @@
+- name: Assert mandatory variables
+  ansible.builtin.assert:
+    that:
+      - service_user is defined
+
+- name: Ensure service user "{{ service_user }}" exists
+  ansible.builtin.user:
+    name: "{{ service_user }}"
+    comment: "Service user for {{ service_user }}"
+    shell: /sbin/nologin
+    # TODO: service_root should somehow be reflected here
+    home: "/opt/{{ service_user }}"
+    create_home: true
+    system: true
+
+- name: Ensure directory for "{{ service_user }}"
+  ansible.builtin.file:
+    # TODO: service_root
+    path: "/opt/{{ service_user }}"
+    state: directory
+    owner: "{{ service_user }}"
+    group: "{{ service_user }}"
+    mode: '755'
+
+- name: Get user info from passwd
+  ansible.builtin.getent:
+    database: passwd
+    key: '{{ service_user }}'

roles/compose-service/defaults/main.yml

@@ -0,0 +1,6 @@
+service_user: '{{ service_name }}'
+service_root: '{{ "/opt/" ~ service_name }}'
+docker_volumes: []
+docker_env: {}
+docker_ports: []
+use_docker_user: true

roles/compose-service/tasks/main.yml

@@ -0,0 +1,32 @@
+- name: Deploy service
+  block:
+    - name: Assert mandatory variables are defines
+      ansible.builtin.assert:
+        that:
+          - service_name is defined
+          - docker_image is defined
+
+    - name: Setup {{ service_user }} user and directories
+      ansible.builtin.import_tasks: ../../common/tasks/create_service_user.yml
+
+    - name: Deploy {{ service_name }} docker-compose
+      ansible.builtin.template:
+        src: 'service.yml.j2'
+        dest: '{{ service_root }}/docker-compose.yml'
+        owner: '{{ service_user }}'
+        group: '{{ service_user }}'
+        mode: '0644'
+
+    - name: Start {{ service_name }} container
+      community.docker.docker_compose_v2:
+        project_src: '{{ service_root }}'
+        state: present
+        remove_orphans: true
+        recreate: always
+
+    - name: Add container to Caddy network
+      community.docker.docker_network:
+        name: Caddy
+        connected:
+          - '{{ service_name }}'
+        appends: true

roles/compose-service/templates/service.yml.j2

@@ -0,0 +1,27 @@
+services:
+  {{ service_name }}:
+    container_name: {{ service_name }}
+    image: {{ docker_image }}{% if docker_image_version %}:{{ docker_image_version }}{% endif %}
+
+{% if use_docker_user %}
+    user: "{{ getent_passwd[service_user].1 }}:{{ getent_passwd[service_user].2 }}"
+{% endif %}
+{% if docker_volumes %}
+    volumes:
+{% for volume in docker_volumes %}
+      - {{ volume }}
+{% endfor %}
+{% endif %}
+{% if docker_env %}
+    environment:
+{% for key, value in docker_env.items() %}
+      {{ key }}: {{ value }}
+{% endfor %}
+{% endif %}
+{% if docker_ports %}
+    ports:
+{% for port in docker_ports %}
+      - "{{ port }}"
+{% endfor %}
+{% endif %}
+    restart: unless-stopped

roles/docker/tasks/main.yml

@@ -0,0 +1,21 @@
+- name: Add Docker repo
+  ansible.builtin.yum_repository:
+    name: docker
+    description: Docker Fedora repo
+    baseurl: https://download.docker.com/linux/fedora/$releasever/$basearch/stable/
+    gpgkey: https://download.docker.com/linux/fedora/gpg
+
+- name: Install Docker
+  ansible.builtin.dnf5:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose-plugin
+    state: present
+
+- name: Enable and start Docker service
+  ansible.builtin.service:
+    name: docker
+    enabled: true
+    state: started

roles/fedora/tasks/main.yml

@@ -0,0 +1,4 @@
+- name: Install python3-libdnf
+  ansible.builtin.command:
+    cmd: dnf install python3-libdnf5 -y
+    creates: /usr/lib64/python*/site-packages/libdnf5

roles/redbot/defaults/main.yml

@@ -0,0 +1,6 @@
+service_name: redbot
+docker_image: phasecorex/red-discordbot
+docker_image_version:
+data_directory: "{{ service_root }}/data"
+discord_token: "{{ vault.discord_bot_token }}"
+bot_prefix: .

roles/redbot/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Ensure data directory exists
+  ansible.builtin.file:
+    path: '{{ data_directory }}'
+    state: directory
+    owner: '{{ service_user }}'
+    group: '{{ service_user }}'
+    mode: '700'
+
+- name: Deploy Redbot
+  ansible.builtin.import_role:
+    name: compose-service
+  vars:
+    docker_volumes:
+      - '{{ data_directory }}:/data'
+    docker_env:
+      TOKEN: '{{ discord_token }}'
+      PREFIX: '{{ bot_prefix }}'
+    use_docker_user: false

roles/vaultwarden/defaults/main.yml

@@ -0,0 +1,4 @@
+service_name: vaultwarden
+docker_image: vaultwarden/server
+docker_image_version: latest
+data_directory: "{{ service_root }}/data"

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,21 @@
+- name: Ensure data directory exists
+  ansible.builtin.file:
+    path: '{{ data_directory }}'
+    state: directory
+    owner: '{{ service_user }}'
+    group: '{{ service_user }}'
+    mode: '700'
+
+- name: Deploy Vaultwarden
+  ansible.builtin.import_role:
+    name: compose-service
+  vars:
+    docker_volumes:
+      - '{{ data_directory }}:/data'
+
+- name: Deploy Caddyfile for vaultwarden
+  ansible.builtin.template:
+    src: vaultwarden.caddy.j2
+    dest: '{{ caddyfiles_directory }}/vaultwarden'
+    mode: '644'
+  when: "'caddy' in group_names"

roles/vaultwarden/templates/vaultwarden.caddy.j2

@@ -0,0 +1,5 @@
+http://{{ service_name }}.{{ ansible_hostname }} {
+  reverse_proxy {{ service_name }}:80
+  encode zstd gzip
+}
+