Compare commits

...

7 commits

12 changed files with 117 additions and 72 deletions

View file

@ -62,5 +62,7 @@ all:
$(MAKE) visualize
visualize:
./visualize.py | d2 - infrastructure.svg
./scripts/visualize.py | d2 - infrastructure.svg
new_role:
./scripts/new_role.sh

View file

@ -31,7 +31,8 @@ terraform {
locals {
services_auth = {for key, val in var.services : key => val if val.auth}
services_database = {for key, val in var.services : key => val if val.database}
services_s3 = {for key, val in var.services : key => val if val.s3}
services_s3 = {for key, val in var.services : key => (val.s3_buckets != null) ? val.s3_buckets : [key] if val.s3}
buckets_s3 = merge([for key, val in local.services_s3 : {for bucket in val : bucket => key}]...)
hetzner_hosts = {for key, val in var.hosts : key => val if val.provider == "hetzner"}
}

View file

@ -51,9 +51,9 @@ output "healthchecksio" {
output "scaleway_data" {
value = {
for key in keys(scaleway_iam_application.service_applications) : key => {
"access_key" = scaleway_iam_api_key.service_keys[key].access_key
"secret_key" = scaleway_iam_api_key.service_keys[key].secret_key
for key, val in local.buckets_s3 : key => {
"access_key" = scaleway_iam_api_key.service_keys[val].access_key
"secret_key" = scaleway_iam_api_key.service_keys[val].secret_key
"name" = scaleway_object_bucket.service_buckets[key].name
"region" = scaleway_object_bucket.service_buckets[key].region
"endpoint" = scaleway_object_bucket.service_buckets[key].endpoint

View file

@ -27,15 +27,15 @@ resource "scaleway_iam_policy" "service_storage_policies" {
}
resource "scaleway_object_bucket" "service_buckets" {
for_each = local.services_s3
name = "${each.key}.serguzim.me"
for_each = local.buckets_s3
name = replace("${each.key}.serguzim.me", "_", "-")
lifecycle {
prevent_destroy = true
}
}
resource "scaleway_object_bucket_policy" "service_bucket_policies" {
for_each = local.services_s3
for_each = local.buckets_s3
bucket = scaleway_object_bucket.service_buckets[each.key].id
policy = jsonencode({
Version = "2023-04-17",
@ -58,7 +58,7 @@ resource "scaleway_object_bucket_policy" "service_bucket_policies" {
Effect = "Allow"
Action = "*"
Principal = {
SCW = "application_id:${scaleway_iam_application.service_applications[each.key].id}"
SCW = "application_id:${scaleway_iam_application.service_applications[each.value].id}"
}
Resource = [
"${scaleway_object_bucket.service_buckets[each.key].name}",

View file

@ -32,6 +32,7 @@ variable "services" {
auth_cert = optional(string)
auth_redirects = optional(list(string))
s3 = bool
s3_buckets = optional(list(string))
database = bool
}))
}

View file

@ -82,7 +82,7 @@ forgejo_env:
forgejo_compose:
watchtower: update
image: codeberg.org/forgejo/forgejo:9
image: codeberg.org/forgejo/forgejo:11
volumes:
- data:/data
- ./templates:/data/gitea/templates

View file

@ -0,0 +1,3 @@
[Resolve]
DNSOverTLS=opportunistic
DNSStubListenerExtra=172.17.0.1

View file

@ -6,10 +6,20 @@
update_cache: true
become: true
- name: Enable systemd-resolved
- name: Copy systemd config
ansible.builtin.copy:
src: systemd-resolved.conf
dest: /etc/systemd/resolved.conf
mode: "0644"
owner: "root"
group: "root"
become: true
register: systemd_resolved_config
- name: Enable systemd-resolved and (re)start
ansible.builtin.systemd_service:
name: systemd-resolved.service
state: started
state: "{{ 'restarted' if systemd_resolved_config.changed else 'started' }}"
enabled: true
daemon_reload: true
become: true

19
scripts/new_role.sh Executable file
View file

@ -0,0 +1,19 @@
#!/usr/bin/env bash
roles_dir="./playbooks/roles"
read -p "Enter the new role name: " new_role
if [ -z "$new_role" ]; then
echo "Usage: $0 <role_name>"
exit 1
fi
if [ -d "$roles_dir/$new_role" ]; then
echo "Role $new_role already exists."
exit 1
fi
cp -r "$roles_dir/_TEMPLATE" "$roles_dir/$new_role"
sed -i "s/NAME_/${new_role}_/g" "$roles_dir/$new_role"/**/*.yml

View file

@ -14,11 +14,13 @@ icon_overrides = {
"healthcheck": "healthchecks",
"lego": "lets-encrypt",
"mailcowdockerized": "mailcow",
"minecraft_3": "minecraft",
"reitanlage_oranienburg": "grav",
"tandoor": "tandoor-recipes",
"tinytinyrss": "tiny-tiny-rss",
"webdis": "redis",
"wiki_js": "wiki-js",
"woodpecker": "woodpecker-ci"
}
icon_format = {
@ -26,14 +28,12 @@ icon_format = {
"linkwarden": "webp",
"telegraf": "webp",
"tiny-tiny-rss": "webp",
"watchtower": "webp", # TODO revert when icon is fixed
}
icon_url = {
"dokku": "https://avatars.githubusercontent.com/u/13455795?s=200&v=4",
"factorio": "https://avatars.githubusercontent.com/u/50074624?s=200&v=4",
"mimir": "https://raw.githubusercontent.com/grafana/mimir/refs/heads/main/images/logo.png",
"teamspeak_fallback": "https://avatars.githubusercontent.com/u/136759148?s=200&v=4",
"woodpecker": "https://avatars.githubusercontent.com/u/84780935?s=200&v=4",
}
def get_icon(svc):

View file

@ -1,3 +1,11 @@
# Groups:
## 1-hosts
## 3-services
## 4-websites
## 7-support
## 8-backup
## 9-external
services = {
"acme_dns" = {
host = "node001"
@ -34,7 +42,7 @@ services = {
}]
monitoring = {
url = "/-/health/live/"
group = "4-services"
group = "3-services"
}
certificates = ["auth.serguzim.me"]
auth = false
@ -57,7 +65,7 @@ services = {
}]
monitoring = {
url = "/"
group = "4-services"
group = "3-services"
}
auth = false
database = false
@ -142,42 +150,42 @@ services = {
s3 = false
},
"factorio" = {
host = "node002"
dns = [{
domain = "factorio.serguzim.me"
}]
backup = [{
name = "factorio_data"
type = "docker"
}]
monitoring = {
url = "https://multiplayer.factorio.com/get-game-details/91.107.211.57:34197"
group = "4-services"
interval = "5m"
conditions = [
"DEFAULT",
"[BODY].name == StammtischOnAutomation"
]
}
ports = [
{
description = "Game port for factorio"
port = 34197
protocol = "udp"
type = "firewall"
},
{
description = "RCON port for factorio"
port = 27015
protocol = "tcp"
type = "firewall"
}
]
auth = false
database = false
s3 = false
}
#"factorio" = {
# host = "node002"
# dns = [{
# domain = "factorio.serguzim.me"
# }]
# backup = [{
# name = "factorio_data"
# type = "docker"
# }]
# monitoring = {
# url = "https://multiplayer.factorio.com/get-game-details/91.107.211.57:34197"
# group = "3-services"
# interval = "5m"
# conditions = [
# "DEFAULT",
# "[BODY].name == StammtischOnAutomation"
# ]
# }
# ports = [
# {
# description = "Game port for factorio"
# port = 34197
# protocol = "udp"
# type = "firewall"
# },
# {
# description = "RCON port for factorio"
# port = 27015
# protocol = "tcp"
# type = "firewall"
# }
# ]
# auth = false
# database = false
# s3 = false
#}
"forgejo" = {
host = "node001"
@ -190,7 +198,7 @@ services = {
}]
monitoring = {
url = "/api/v1/version"
group = "4-services"
group = "3-services"
}
ports = [
{
@ -247,7 +255,7 @@ services = {
}]
monitoring = {
url = "/api/v1/status"
group = "4-services"
group = "3-services"
conditions = [
"DEFAULT",
"[BODY].health == true"
@ -275,7 +283,7 @@ services = {
}
]
monitoring = {
group = "4-services"
group = "3-services"
}
auth = true
auth_redirects = ["https://gallery.serguzim.me/auth/login"]
@ -294,7 +302,7 @@ services = {
}]
monitoring = {
url = "/health"
group = "4-services"
group = "3-services"
conditions = [
"DEFAULT",
"[BODY].status == pass"
@ -322,7 +330,7 @@ services = {
]
monitoring = {
url = "/health"
group = "4-services"
group = "3-services"
conditions = [
"DEFAULT",
"[BODY] == Healthy"
@ -347,7 +355,7 @@ services = {
}]
monitoring = {
url = "/api/v1/logins"
group = "4-services"
group = "3-services"
}
auth = true
auth_cert = "rsa"
@ -366,7 +374,7 @@ services = {
type = "hook"
}]
monitoring = {
group = "4-services"
group = "3-services"
}
ports = [
{
@ -428,7 +436,7 @@ services = {
]
monitoring = {
url = "tcp://minecraft.serguzim.me:25565"
group = "4-services"
group = "3-services"
conditions = [
"[CONNECTED] == true"
]
@ -479,7 +487,7 @@ services = {
}]
monitoring = {
url = "/v1/health"
group = "4-services"
group = "3-services"
conditions = [
"DEFAULT",
"[BODY].healthy == true"
@ -529,7 +537,7 @@ services = {
type = "docker"
}]
monitoring = {
group = "5-websites"
group = "4-websites"
}
auth = false
database = false
@ -555,7 +563,7 @@ services = {
]
monitoring = {
url = "/rest/health"
group = "4-services"
group = "3-services"
conditions = [
"DEFAULT",
"[BODY].status == pass"
@ -584,7 +592,7 @@ services = {
}]
monitoring = {
url = "/_matrix/client/versions"
group = "4-services"
group = "3-services"
}
ports = [
{
@ -612,7 +620,7 @@ services = {
}]
monitoring = {
url = "/accounts/login/"
group = "4-services"
group = "3-services"
}
auth = false
database = true
@ -677,7 +685,7 @@ services = {
}]
monitoring = {
url = "/tt-rss/"
group = "4-services"
group = "3-services"
}
auth = false
database = true
@ -691,7 +699,7 @@ services = {
}]
monitoring = {
url = "/api/heartbeat"
group = "4-services"
group = "3-services"
}
auth = false
database = true
@ -709,7 +717,7 @@ services = {
}]
monitoring = {
url = "/api/v1/info"
group = "4-services"
group = "3-services"
}
auth = true
auth_redirects = ["https://todo.serguzim.me/auth/openid/authserguzimme"]
@ -733,7 +741,7 @@ services = {
}]
monitoring = {
url = "/info"
group = "4-services"
group = "3-services"
}
auth = false
database = false
@ -746,7 +754,7 @@ services = {
domain = "wiki.serguzim.me"
}]
monitoring = {
group = "4-services"
group = "3-services"
}
auth = true
auth_redirects = ["https://wiki.serguzim.me/login/f792bc7d-1a25-4437-944e-55eaf0111102/callback"]
@ -769,7 +777,7 @@ services = {
]
monitoring = {
url = "/healthz"
group = "4-services"
group = "3-services"
}
auth = false
database = true

View file

@ -162,6 +162,7 @@ variable "services" {
auth_cert = optional(string)
auth_redirects = optional(list(string))
s3 = bool
s3_buckets = optional(list(string))
database = bool
mail = optional(string)
}))