Compare commits
3 commits
5246a6b101
...
8a861e080b
Author | SHA1 | Date | |
---|---|---|---|
8a861e080b | |||
05014af744 | |||
068a8e2cd7 |
17 changed files with 296 additions and 5 deletions
18
filter_plugins/acmedns_to_lego.py
Normal file
18
filter_plugins/acmedns_to_lego.py
Normal file
|
@ -0,0 +1,18 @@
|
|||
class FilterModule(object):
|
||||
def filters(self):
|
||||
return {
|
||||
'acmedns_to_lego': self.acmedns_to_lego,
|
||||
}
|
||||
|
||||
def acmedns_to_lego(self, acmedns_registered):
|
||||
result = {}
|
||||
for (key, value) in acmedns_registered.items():
|
||||
result[key] = {
|
||||
"fulldomain": value["subd"] + "." + value["host"],
|
||||
"subdomain": value["subd"],
|
||||
"username": value["user"],
|
||||
"password": value["pass"],
|
||||
"server_url": "https://" + value["host"]
|
||||
}
|
||||
|
||||
return result
|
|
@ -6,6 +6,8 @@
|
|||
tags: [always]
|
||||
- role: backup
|
||||
tags: [backup]
|
||||
- role: lego
|
||||
tags: [lego, certificates]
|
||||
- role: caddy
|
||||
tags: [caddy, reverse-proxy, webserver]
|
||||
vars:
|
||||
|
@ -38,6 +40,8 @@
|
|||
tags: [influxdb, sensors, monitoring]
|
||||
- role: jellyfin
|
||||
tags: [jellyfin, media]
|
||||
- role: ntfy
|
||||
tags: [ntfy, notifications, push]
|
||||
- role: reitanlage_oranienburg
|
||||
tags: [reitanlage-oranienburg, website]
|
||||
- role: synapse
|
||||
|
|
6
roles/lego/files/hook.sh
Normal file
6
roles/lego/files/hook.sh
Normal file
|
@ -0,0 +1,6 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
cp -f "$LEGO_CERT_PATH" /certificates
|
||||
cp -f "$LEGO_CERT_KEY_PATH" /certificates
|
||||
|
||||
exit 33 # special exit code to signal that the certificate has been updated
|
15
roles/lego/files/lego.sh
Executable file
15
roles/lego/files/lego.sh
Executable file
|
@ -0,0 +1,15 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
domain="$1"
|
||||
action="${2:-renew}"
|
||||
|
||||
docker compose run --rm app \
|
||||
--domains "$domain" \
|
||||
"$action" \
|
||||
"--$action-hook" "/config/hook.sh"
|
||||
|
||||
if [ "$?" = "33" ] && [ -x "./lego.d/$domain" ];
|
||||
then
|
||||
echo "Running hook for $domain"
|
||||
"./lego.d/$domain"
|
||||
fi
|
10
roles/lego/files/lego@.timer
Normal file
10
roles/lego/files/lego@.timer
Normal file
|
@ -0,0 +1,10 @@
|
|||
[Unit]
|
||||
Description=Renew certificates
|
||||
|
||||
[Timer]
|
||||
Persistent=true
|
||||
OnCalendar=*-*-* 01:15:00
|
||||
RandomizedDelaySec=2h
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
16
roles/lego/files/node002/db.serguzim.me
Executable file
16
roles/lego/files/node002/db.serguzim.me
Executable file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
domain="db.serguzim.me"
|
||||
|
||||
docker compose run --rm app "$1" "$domain"
|
||||
|
||||
_install() {
|
||||
install --owner=postgres --group=postgres --mode=600 \
|
||||
"/opt/services/_certificates/$domain.$1" \
|
||||
"/var/lib/postgresql/server.$1"
|
||||
}
|
||||
|
||||
_install crt
|
||||
_install key
|
||||
|
||||
sudo -u postgres pg_ctl -D /var/lib/postgres/data/ reload
|
17
roles/lego/files/node002/registry.serguzim.me
Executable file
17
roles/lego/files/node002/registry.serguzim.me
Executable file
|
@ -0,0 +1,17 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
domain="registry.serguzim.me"
|
||||
|
||||
docker compose run --rm app "$1" "$domain"
|
||||
|
||||
_install() {
|
||||
install --owner=root --group=root --mode=600 \
|
||||
"/opt/services/_certificates/$domain.$1" \
|
||||
"/opt/services/harbor/server.$1"
|
||||
}
|
||||
|
||||
_install crt
|
||||
_install key
|
||||
|
||||
export HARBOR_BUNDLE_DIR=/opt/services/harbor
|
||||
$HARBOR_BUNDLE_DIR/data/install.sh
|
19
roles/lego/tasks/config.yml
Normal file
19
roles/lego/tasks/config.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Set config path
|
||||
ansible.builtin.set_fact:
|
||||
config_path: "{{ (service_path, 'config') | path_join }}"
|
||||
- name: Create config directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ config_path }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
- name: Copy the acme-dns-accounts
|
||||
ansible.builtin.template:
|
||||
src: "json.j2"
|
||||
dest: "{{ (config_path, 'acme-dns-accounts.json') | path_join }}"
|
||||
mode: "0644"
|
||||
- name: Copy the hook script
|
||||
ansible.builtin.copy:
|
||||
src: "hook.sh"
|
||||
dest: "{{ (config_path, 'hook.sh') | path_join }}"
|
||||
mode: "0755"
|
16
roles/lego/tasks/lego.d.yml
Normal file
16
roles/lego/tasks/lego.d.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
- name: Set lego.d path
|
||||
ansible.builtin.set_fact:
|
||||
lego_d_path: "{{ (service_path, 'lego.d') | path_join }}"
|
||||
- name: Create lego.d directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ lego_d_path }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
- name: Copy the additional lego scripts
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ lego_d_path }}"
|
||||
mode: "0755"
|
||||
with_fileglob:
|
||||
- "{{ ansible_facts.hostname }}/*"
|
35
roles/lego/tasks/main.yml
Normal file
35
roles/lego/tasks/main.yml
Normal file
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
- name: Set common facts
|
||||
ansible.builtin.import_tasks: tasks/set-default-facts.yml
|
||||
|
||||
- name: Deploy {{ svc.name }}
|
||||
vars:
|
||||
svc: "{{ lego_svc }}"
|
||||
env: "{{ lego_env }}"
|
||||
json: "{{ vault_acmedns_registered | acmedns_to_lego }}"
|
||||
compose: "{{ lego_compose }}"
|
||||
block:
|
||||
- name: Import prepare tasks for common service
|
||||
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
|
||||
|
||||
- name: Create _certificates directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ certificates_path }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Import tasks specific to the config directory
|
||||
ansible.builtin.import_tasks: config.yml
|
||||
- name: Import tasks specific to lego.d
|
||||
ansible.builtin.import_tasks: lego.d.yml
|
||||
- name: Import tasks specific to systemd
|
||||
ansible.builtin.import_tasks: systemd.yml
|
||||
|
||||
- name: Copy the run script
|
||||
ansible.builtin.copy:
|
||||
src: "lego.sh"
|
||||
dest: "{{ (service_path, 'lego.sh') | path_join }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: Import tasks create a service.env file
|
||||
ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
|
23
roles/lego/tasks/systemd.yml
Normal file
23
roles/lego/tasks/systemd.yml
Normal file
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: Copy the system service
|
||||
ansible.builtin.template:
|
||||
src: lego@.service.j2
|
||||
dest: /etc/systemd/system/lego@.service
|
||||
mode: "0644"
|
||||
become: true
|
||||
- name: Copy the system timer
|
||||
ansible.builtin.copy:
|
||||
src: lego@.timer
|
||||
dest: /etc/systemd/system/lego@.timer
|
||||
mode: "0644"
|
||||
become: true
|
||||
- name: Enable the system timer for {{ item }}
|
||||
ansible.builtin.systemd_service:
|
||||
name: lego@{{ item }}.timer
|
||||
state: started
|
||||
enabled: true
|
||||
daemon_reload: true
|
||||
loop:
|
||||
- db.serguzim.me
|
||||
- registry.serguzim.me
|
||||
become: true
|
4
roles/lego/templates/lego@.service.j2
Normal file
4
roles/lego/templates/lego@.service.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart={{ service_path }}/lego.sh %i
|
||||
WorkingDirectory={{ service_path }}
|
31
roles/lego/vars/main.yml
Normal file
31
roles/lego/vars/main.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
lego_svc:
|
||||
name: lego
|
||||
|
||||
lego_env:
|
||||
ACME_DNS_API_BASE: https://{{ acme_dns.host }}
|
||||
ACME_DNS_STORAGE_PATH: /config/acme-dns-accounts.json
|
||||
|
||||
LEGO_EMAIL: "{{ admin_email }}"
|
||||
LEGO_PATH: /data
|
||||
|
||||
lego_compose:
|
||||
watchtower: false
|
||||
network: false
|
||||
image: goacme/lego
|
||||
volumes:
|
||||
- ./config:/config:ro
|
||||
- "{{ certificates_path }}:/certificates"
|
||||
- data:/data
|
||||
file:
|
||||
services:
|
||||
app:
|
||||
restart: never
|
||||
network_mode: "host"
|
||||
entrypoint:
|
||||
- /lego
|
||||
- --accept-tos
|
||||
- --email={{ admin_email }}
|
||||
- --dns=acme-dns
|
||||
volumes:
|
||||
data:
|
12
roles/ntfy/tasks/main.yml
Normal file
12
roles/ntfy/tasks/main.yml
Normal file
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
- name: Set common facts
|
||||
ansible.builtin.import_tasks: tasks/set-default-facts.yml
|
||||
|
||||
- name: Deploy {{ svc.name }}
|
||||
vars:
|
||||
svc: "{{ ntfy_svc }}"
|
||||
compose: "{{ ntfy_compose }}"
|
||||
env: "{{ ntfy_env }}"
|
||||
block:
|
||||
- name: Import tasks to deploy common service
|
||||
ansible.builtin.import_tasks: tasks/deploy-common-service.yml
|
55
roles/ntfy/vars/main.yml
Normal file
55
roles/ntfy/vars/main.yml
Normal file
|
@ -0,0 +1,55 @@
|
|||
---
|
||||
ntfy_svc:
|
||||
name: ntfy
|
||||
domain: push.serguzim.me
|
||||
port: 80
|
||||
|
||||
ntfy_env:
|
||||
TZ: "{{ timezone }}"
|
||||
|
||||
NTFY_BASE_URL: "https://{{ ntfy_svc.domain }}"
|
||||
|
||||
NTFY_CACHE_FILE: /var/cache/ntfy/cache.db
|
||||
NTFY_CACHE_DURATION: "12h"
|
||||
|
||||
NTFY_BEHIND_PROXY: true
|
||||
|
||||
NTFY_AUTH_FILE: /var/lib/ntfy/user.db
|
||||
NTFY_AUTH_DEFAULT_ACCESS: "deny-all"
|
||||
|
||||
NTFY_ATTACHMENT_CACHE_DIR: "/var/cache/ntfy/attachments"
|
||||
NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT: "5G"
|
||||
NTFY_ATTACHMENT_FILE_SIZE_LIMIT: "15M"
|
||||
NTFY_ATTACHMENT_EXPIRY_DURATION: "3h"
|
||||
|
||||
NTFY_KEEPALIVE_INTERVAL: "45s"
|
||||
NTFY_MANAGER_INTERVAL: "60m"
|
||||
|
||||
NTFY_ENABLE_SIGNUP: false
|
||||
NTFY_ENABLE_LOGIN: true
|
||||
NTFY_ENABLE_RESERVATIONS: true
|
||||
|
||||
NTFY_GLOBAL_TOPIC_LIMIT: 15000
|
||||
|
||||
NTFY_VISITOR_SUBSCRIPTION_LIMIT: 30
|
||||
NTFY_VISITOR_REQUEST_LIMIT_BURST: 60
|
||||
NTFY_VISITOR_REQUEST_LIMIT_REPLENISH: "5s"
|
||||
NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT: "100M"
|
||||
NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT: "500M"
|
||||
|
||||
NTFY_ENABLE_METRICS: true
|
||||
|
||||
ntfy_compose:
|
||||
watchtower: true
|
||||
image: binwiederhier/ntfy
|
||||
volumes:
|
||||
- cache:/var/cache/ntfy
|
||||
- data:/var/lib/ntfy
|
||||
file:
|
||||
services:
|
||||
app:
|
||||
command:
|
||||
- serve
|
||||
volumes:
|
||||
cache:
|
||||
data:
|
|
@ -18,12 +18,19 @@
|
|||
|
||||
[[inputs.prometheus]]
|
||||
urls = [
|
||||
{%- for url in svc.prometheus.urls -%}
|
||||
{%- for url in svc.prometheus_unprotected.urls -%}
|
||||
"{{ url }}",
|
||||
{%- endfor -%}
|
||||
]
|
||||
|
||||
bearer_token_string = "{{ svc.prometheus.bearer_token }}"
|
||||
[[inputs.prometheus]]
|
||||
urls = [
|
||||
{%- for url in svc.prometheus_protected.urls -%}
|
||||
"{{ url }}",
|
||||
{%- endfor -%}
|
||||
]
|
||||
|
||||
bearer_token_string = "{{ svc.prometheus_protected.bearer_token }}"
|
||||
|
||||
[[inputs.postgresql]]
|
||||
address = "postgres://{{ svc.postgresql.user }}:{{ svc.postgresql.pass }}@{{ svc.postgresql.host }}:{{ svc.postgresql.port }}/{{ svc.postgresql.database }}?sslmode=verify-full"
|
||||
|
|
|
@ -6,12 +6,15 @@ telegraf_svc:
|
|||
token: "{{ vault_telegraf.influxdb_token }}"
|
||||
organization: serguzim.net
|
||||
bucket: metrics
|
||||
prometheus:
|
||||
prometheus_unprotected:
|
||||
urls:
|
||||
- https://matrix.msrg.cc/_synapse/metrics
|
||||
- https://push.serguzim.me/metrics
|
||||
- https://tick.serguzim.me/metrics
|
||||
prometheus_protected:
|
||||
urls:
|
||||
- https://ci.serguzim.me/metrics
|
||||
- https://git.serguzim.me/metrics
|
||||
- https://matrix.msrg.cc/_synapse/metrics
|
||||
- https://tick.serguzim.me/metrics
|
||||
bearer_token: "{{ vault_metrics_token }}"
|
||||
postgresql:
|
||||
user: "{{ vault_telegraf.db.user }}"
|
||||
|
|
Reference in a new issue