Initial move to consolidate services on ryzen host
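--- /dev/null
+++ b/PLAYBOOK_PATH_NOT_ON_PAGE
@@ -0,0 +1,206 @@
+---
+- name: Frontend setup
+hosts: frontend-cockpit
+
+vars:
+username: matt
+
+certbot_install_method: package
+certbot_create_method: standalone
+# certbot_install_method: source
+# certbot_repo: https://github.com/certbot/certbot.git
+# certbot_version: master
+certbot_keep_updated: true
+# certbot_dir: /opt/certbot
+certbot_create_extra_args: "--http-01-port 8080"
+certbot_auto_renew_user: "root"
+certbot_auto_renew_hour: "3"
+certbot_auto_renew_minute: "30"
+certbot_create_if_missing: true
+certbot_admin_email: matthew@thespencers.me.uk
+certbot_certs:
+- domains:
+- "apptabulous.co.uk"
+- "www.apptabulous.co.uk"
+- "hub.apptabulous.co.uk"
+- "watchtower.apptabulous.co.uk"
+webroot: "/var/www/html"
+- domains:
+- "m5p3nc3r.co.uk"
+- "www.m5p3nc3r.co.uk"
+- "gitea.m5p3nc3r.co.uk"
+webroot: "/var/www/html"
+
+
+cockpit_plugins:
+- cockpit-podman
+cockpit_core_packages:
+- cockpit
+- cockpit-bridge
+- cockpit-ws
+- cockpit-ws-selinux
+- cockpit-system
+
+roles:
+- role: geerlingguy.git
+become: true
+- role: geerlingguy.certbot
+become: true
+
+pre_tasks:
+- name: Install python3-libdnf5 for DNF5 support on Fedora 41+
+become: true
+ansible.builtin.raw: dnf install -y python3-libdnf5
+when: ansible_facts['os_family'] == 'RedHat'
+changed_when: false
+
+tasks:
+- name: Reload systemd daemon
+become: true
+ansible.builtin.systemd:
+daemon_reload: true
+
+- name: Install Cockpit
+include_role:
+name: linux-system-roles.cockpit
+apply:
+become: true
+vars:
+# Prometheus is currently running on port 9090
+cockpit_port: 9091
+cockpit_packages: default
+
+- name: Gather package facts
+ansible.builtin.package_facts:
+manager: auto
+
+- name: Remove unwanted Cockpit plugins
+become: true
+ansible.builtin.package:
+name: "{{ ansible_facts.packages | dict2items
+| selectattr('key', 'match', '^cockpit-')
+| map(attribute='key')
+| reject('in', cockpit_plugins + cockpit_core_packages)
+| list }}"
+state: absent
+when: >
+ansible_facts.packages | dict2items
+| selectattr('key', 'match', '^cockpit-')
+| map(attribute='key')
+| reject('in', cockpit_plugins + cockpit_core_packages)
+| list | length > 0
+
+- name: Install Podman
+become: true
+ansible.builtin.package:
+name: podman
+state: present
+
+- name: Install Cockpit plugins
+become: true
+ansible.builtin.package:
+name: "{{ cockpit_plugins }}"
+state: present
+
+
+- name: Grant {{ username }} read access to letsencrypt certificates
+become: true
+ansible.posix.acl:
+path: /etc/letsencrypt
+entity: "{{ username }}"
+etype: user
+permissions: rX
+recursive: true
+state: present
+
+- name: Override default certbot start/stop jobs
+become: true
+ansible.builtin.copy:
+src: letsencrypt
+dest: /etc
+
+- name: Copy reverse proxy configuration to host
+become: true
+ansible.builtin.copy:
+src: apptabulous/reverseproxy
+dest: /etc
+
+- name: Create shared container network
+containers.podman.podman_network:
+name: webservices
+state: present
+
+- name: Start reverse proxy container
+containers.podman.podman_container:
+name: reverse_proxy
+image: docker.io/library/nginx:alpine
+restart_policy: always
+network: webservices
+volumes:
+- /etc/reverseproxy/nginx.conf:/etc/nginx/nginx.conf
+- /etc/reverseproxy/conf.d:/etc/nginx/conf.d
+- /etc/reverseproxy/stream.d:/etc/nginx/stream.d
+- /etc/letsencrypt:/etc/letsencrypt
+ports:
+- "8080:80"
+- "8443:443"
+state: started
+
+# - name: Start docker registry
+# community.docker.docker_container:
+# name: registry
+# image: registry:2
+# restart_policy: always
+# ports:
+# - "5000:5000"
+# state: started
+
+- name: Log into ghcr.io registry
+# become: true
+containers.podman.podman_login:
+registry: ghcr.io
+username: "{{ secrets.GITHUB_ACTOR }}"
+password: "{{ secrets.GITHUB_TOKEN }}"
+
+- name: Open firewall ports for web services
+become: true
+ansible.posix.firewalld:
+port: "{{ item }}/tcp"
+permanent: true
+state: enabled
+immediate: true
+loop:
+- 8080
+- 8443
+- 2222
+
+- name: Start m5p3nc3r website
+containers.podman.podman_container:
+name: website
+image: ghcr.io/m5p3nc3r/website:main
+restart_policy: always
+network: webservices
+label:
+io.containers.autoupdate: registry
+volumes:
+- /home/matt/public/apps:/app/public/apps:Z
+env:
+NEXT_SERVER_ACTIONS_ENCRYPTION_KEY: "{{ secrets.NEXT_SERVER_ACTIONS_ENCRYPTION_KEY }}"
+state: started
+
+- name: Start Apptabulous website
+containers.podman.podman_container:
+name: apptabulous_website
+image: ghcr.io/m5p3nc3r/apptabulous_website:main
+restart_policy: always
+network: webservices
+label:
+io.containers.autoupdate: registry
+state: started
+
+- name: Enable podman auto-update timer
+become: true
+ansible.builtin.systemd:
+name: podman-auto-update.timer
+enabled: true
+state: started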
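Review bot: The `Grant {{ username }} read access to letsencrypt certificates` task gives an unprivileged user recursive read on all of /etc/letsencrypt, which includes every private key under archive/, and because the `ansible.posix.acl` call sets no default ACL, files certbot writes at renewal will presumably not carry the entry, so the rootless reverse proxy would lose access to the renewed key — confirm against the hooks installed by `Override default certbot start/stop jobs`, whose contents are not on the page. A second `ansible.posix.acl` invocation with `default: true` on the directories, or a renewal deploy hook that re-applies the ACL, closes that gap without widening it further. The `Log into ghcr.io registry` and `Start m5p3nc3r website` tasks pass secrets as module arguments, so both need `no_log: true` (a failed run or `-v` output otherwise prints `GITHUB_TOKEN` and `NEXT_SERVER_ACTIONS_ENCRYPTION_KEY`), and since `secrets.*` reads like GitHub Actions syntax rather than a playbook variable, check that `secrets` is actually defined for this play. In `Start reverse proxy container` the nginx config and /etc/letsencrypt mounts are read-write by default; appending `:ro` to those four volume entries keeps the container from altering host certificates or proxy config if it is compromised. Finally, `Remove unwanted Cockpit plugins` evaluates the same five-line Jinja pipeline twice in `name:` and `when:`; computing it once into a task-level `vars:` entry (for example `unwanted_cockpit_packages`) and referencing it from both keeps the two from drifting.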