17 changed files with 5 additions and 296 deletions
--- a/filter_plugins/acmedns_to_lego.py
+++ b/filter_plugins/acmedns_to_lego.py
@ -1,18 +0,0 @@
 class FilterModule(object):
    def filters(self):
        return {
            'acmedns_to_lego': self.acmedns_to_lego,
        }
    def acmedns_to_lego(self, acmedns_registered):
        result = {}
        for (key, value) in acmedns_registered.items():
            result[key] = {
                "fulldomain": value["subd"] + "." + value["host"],
                "subdomain": value["subd"],
                "username": value["user"],
                "password": value["pass"],
                "server_url": "https://" + value["host"]
            }
        return result
--- a/node002.yml
+++ b/node002.yml
@ -6,8 +6,6 @@
      tags: [always]
    - role: backup
      tags: [backup]
    - role: lego
      tags: [lego, certificates]
    - role: caddy
      tags: [caddy, reverse-proxy, webserver]
      vars:
@ -40,8 +38,6 @@
      tags: [influxdb, sensors, monitoring]
    - role: jellyfin
      tags: [jellyfin, media]
    - role: ntfy
      tags: [ntfy, notifications, push]
    - role: reitanlage_oranienburg
      tags: [reitanlage-oranienburg, website]
    - role: synapse
--- a/roles/lego/files/hook.sh
+++ b/roles/lego/files/hook.sh
@ -1,6 +0,0 @@
 #!/usr/bin/env sh
 cp -f "$LEGO_CERT_PATH" /certificates
 cp -f "$LEGO_CERT_KEY_PATH" /certificates
 exit 33 # special exit code to signal that the certificate has been updated
--- a/roles/lego/files/lego.sh
+++ b/roles/lego/files/lego.sh
@ -1,15 +0,0 @@
 #!/usr/bin/env sh
 domain="$1"
 action="${2:-renew}"
 docker compose run --rm app \
 	--domains "$domain" \
 	"$action" \
 	"--$action-hook" "/config/hook.sh"
 if [ "$?" = "33" ] && [ -x "./lego.d/$domain" ];
 then
 	echo "Running hook for $domain"
 	"./lego.d/$domain"
 fi
--- a/roles/lego/files/lego@.timer
+++ b/roles/lego/files/lego@.timer
@ -1,10 +0,0 @@
 [Unit]
 Description=Renew certificates
 [Timer]
 Persistent=true
 OnCalendar=*-*-* 01:15:00
 RandomizedDelaySec=2h
 [Install]
 WantedBy=timers.target
--- a/roles/lego/files/node002/db.serguzim.me
+++ b/roles/lego/files/node002/db.serguzim.me
@ -1,16 +0,0 @@
 #!/usr/bin/env sh
 domain="db.serguzim.me"
 docker compose run --rm app "$1" "$domain"
 _install() {
  install --owner=postgres --group=postgres --mode=600 \
 	  "/opt/services/_certificates/$domain.$1" \
 	  "/var/lib/postgresql/server.$1"
 }
 _install crt
 _install key
 sudo -u postgres pg_ctl -D /var/lib/postgres/data/ reload
--- a/roles/lego/files/node002/registry.serguzim.me
+++ b/roles/lego/files/node002/registry.serguzim.me
@ -1,17 +0,0 @@
 #!/usr/bin/env sh
 domain="registry.serguzim.me"
 docker compose run --rm app "$1" "$domain"
 _install() {
  install --owner=root --group=root --mode=600 \
 	  "/opt/services/_certificates/$domain.$1" \
 	  "/opt/services/harbor/server.$1"
 }
 _install crt
 _install key
 export HARBOR_BUNDLE_DIR=/opt/services/harbor
 $HARBOR_BUNDLE_DIR/data/install.sh
--- a/roles/lego/tasks/config.yml
+++ b/roles/lego/tasks/config.yml
@ -1,19 +0,0 @@
 ---
 - name: Set config path
  ansible.builtin.set_fact:
    config_path: "{{ (service_path, 'config') | path_join }}"
 - name: Create config directory
  ansible.builtin.file:
    path: "{{ config_path }}"
    state: directory
    mode: "0755"
 - name: Copy the acme-dns-accounts
  ansible.builtin.template:
    src: "json.j2"
    dest: "{{ (config_path, 'acme-dns-accounts.json') | path_join }}"
    mode: "0644"
 - name: Copy the hook script
  ansible.builtin.copy:
    src: "hook.sh"
    dest: "{{ (config_path, 'hook.sh') | path_join }}"
    mode: "0755"
--- a/roles/lego/tasks/lego.d.yml
+++ b/roles/lego/tasks/lego.d.yml
@ -1,16 +0,0 @@
 ---
 - name: Set lego.d path
  ansible.builtin.set_fact:
    lego_d_path: "{{ (service_path, 'lego.d') | path_join }}"
 - name: Create lego.d directory
  ansible.builtin.file:
    path: "{{ lego_d_path }}"
    state: directory
    mode: "0755"
 - name: Copy the additional lego scripts
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ lego_d_path }}"
    mode: "0755"
  with_fileglob:
    - "{{ ansible_facts.hostname }}/*"
--- a/roles/lego/tasks/main.yml
+++ b/roles/lego/tasks/main.yml
@ -1,35 +0,0 @@
 ---
 - name: Set common facts
  ansible.builtin.import_tasks: tasks/set-default-facts.yml
 - name: Deploy {{ svc.name }}
  vars:
    svc: "{{ lego_svc }}"
    env: "{{ lego_env }}"
    json: "{{ vault_acmedns_registered | acmedns_to_lego }}"
    compose: "{{ lego_compose }}"
  block:
    - name: Import prepare tasks for common service
      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
    - name: Create _certificates directory
      ansible.builtin.file:
        path: "{{ certificates_path }}"
        state: directory
        mode: "0755"
    - name: Import tasks specific to the config directory
      ansible.builtin.import_tasks: config.yml
    - name: Import tasks specific to lego.d
      ansible.builtin.import_tasks: lego.d.yml
    - name: Import tasks specific to systemd
      ansible.builtin.import_tasks: systemd.yml
    - name: Copy the run script
      ansible.builtin.copy:
        src: "lego.sh"
        dest: "{{ (service_path, 'lego.sh') | path_join }}"
        mode: "0755"
    - name: Import tasks create a service.env file
      ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
--- a/roles/lego/tasks/systemd.yml
+++ b/roles/lego/tasks/systemd.yml
@ -1,23 +0,0 @@
 ---
 - name: Copy the system service
  ansible.builtin.template:
    src: lego@.service.j2
    dest: /etc/systemd/system/lego@.service
    mode: "0644"
  become: true
 - name: Copy the system timer
  ansible.builtin.copy:
    src: lego@.timer
    dest: /etc/systemd/system/lego@.timer
    mode: "0644"
  become: true
 - name: Enable the system timer for {{ item }}
  ansible.builtin.systemd_service:
    name: lego@{{ item }}.timer
    state: started
    enabled: true
    daemon_reload: true
  loop:
    - db.serguzim.me
    - registry.serguzim.me
  become: true
--- a/roles/lego/templates/lego@.service.j2
+++ b/roles/lego/templates/lego@.service.j2
@ -1,4 +0,0 @@
 [Service]
 Type=oneshot
 ExecStart={{ service_path }}/lego.sh %i
 WorkingDirectory={{ service_path }}
--- a/roles/lego/vars/main.yml
+++ b/roles/lego/vars/main.yml
@ -1,31 +0,0 @@
 ---
 lego_svc:
  name: lego
 lego_env:
  ACME_DNS_API_BASE: https://{{ acme_dns.host }}
  ACME_DNS_STORAGE_PATH: /config/acme-dns-accounts.json
  LEGO_EMAIL: "{{ admin_email }}"
  LEGO_PATH: /data
 lego_compose:
  watchtower: false
  network: false
  image: goacme/lego
  volumes:
    - ./config:/config:ro
    - "{{ certificates_path }}:/certificates"
    - data:/data
  file:
    services:
      app:
        restart: never
        network_mode: "host"
        entrypoint:
          - /lego
          - --accept-tos
          - --email={{ admin_email }}
          - --dns=acme-dns
    volumes:
      data:
--- a/roles/ntfy/tasks/main.yml
+++ b/roles/ntfy/tasks/main.yml
@ -1,12 +0,0 @@
 ---
 - name: Set common facts
  ansible.builtin.import_tasks: tasks/set-default-facts.yml
 - name: Deploy {{ svc.name }}
  vars:
    svc: "{{ ntfy_svc }}"
    compose: "{{ ntfy_compose }}"
    env: "{{ ntfy_env }}"
  block:
    - name: Import tasks to deploy common service
      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
--- a/roles/ntfy/vars/main.yml
+++ b/roles/ntfy/vars/main.yml
@ -1,55 +0,0 @@
 ---
 ntfy_svc:
  name: ntfy
  domain: push.serguzim.me
  port: 80
 ntfy_env:
  TZ: "{{ timezone }}"
  NTFY_BASE_URL: "https://{{ ntfy_svc.domain }}"
  NTFY_CACHE_FILE: /var/cache/ntfy/cache.db
  NTFY_CACHE_DURATION: "12h"
  NTFY_BEHIND_PROXY: true
  NTFY_AUTH_FILE: /var/lib/ntfy/user.db
  NTFY_AUTH_DEFAULT_ACCESS: "deny-all"
  NTFY_ATTACHMENT_CACHE_DIR: "/var/cache/ntfy/attachments"
  NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT: "5G"
  NTFY_ATTACHMENT_FILE_SIZE_LIMIT: "15M"
  NTFY_ATTACHMENT_EXPIRY_DURATION: "3h"
  NTFY_KEEPALIVE_INTERVAL: "45s"
  NTFY_MANAGER_INTERVAL: "60m"
  NTFY_ENABLE_SIGNUP: false
  NTFY_ENABLE_LOGIN: true
  NTFY_ENABLE_RESERVATIONS: true
  NTFY_GLOBAL_TOPIC_LIMIT: 15000
  NTFY_VISITOR_SUBSCRIPTION_LIMIT: 30
  NTFY_VISITOR_REQUEST_LIMIT_BURST: 60
  NTFY_VISITOR_REQUEST_LIMIT_REPLENISH: "5s"
  NTFY_VISITOR_ATTACHMENT_TOTAL_SIZE_LIMIT: "100M"
  NTFY_VISITOR_ATTACHMENT_DAILY_BANDWIDTH_LIMIT: "500M"
  NTFY_ENABLE_METRICS: true
 ntfy_compose:
  watchtower: true
  image: binwiederhier/ntfy
  volumes:
    - cache:/var/cache/ntfy
    - data:/var/lib/ntfy
  file:
    services:
      app:
        command:
          - serve
    volumes:
      cache:
      data:
--- a/roles/telegraf/templates/telegraf.conf.j2
+++ b/roles/telegraf/templates/telegraf.conf.j2
@ -18,19 +18,12 @@
 [[inputs.prometheus]]
  urls = [
-  {%- for url in svc.prometheus_unprotected.urls -%}
+  {%- for url in svc.prometheus.urls -%}
    "{{ url }}",
  {%- endfor -%}
  ]
-[[inputs.prometheus]]
+  bearer_token_string = "{{ svc.prometheus.bearer_token }}"
  urls = [
  {%- for url in svc.prometheus_protected.urls -%}
    "{{ url }}",
  {%- endfor -%}
  ]
  bearer_token_string = "{{ svc.prometheus_protected.bearer_token }}"
 [[inputs.postgresql]]
  address = "postgres://{{ svc.postgresql.user }}:{{ svc.postgresql.pass }}@{{ svc.postgresql.host }}:{{ svc.postgresql.port }}/{{ svc.postgresql.database }}?sslmode=verify-full"
--- a/roles/telegraf/vars/main.yml
+++ b/roles/telegraf/vars/main.yml
@ -6,15 +6,12 @@ telegraf_svc:
    token: "{{ vault_telegraf.influxdb_token }}"
    organization: serguzim.net
    bucket: metrics
-  prometheus_unprotected:
+  prometheus:
    urls:
      - https://matrix.msrg.cc/_synapse/metrics
      - https://push.serguzim.me/metrics
      - https://tick.serguzim.me/metrics
  prometheus_protected:
    urls:
      - https://ci.serguzim.me/metrics
      - https://git.serguzim.me/metrics
      - https://matrix.msrg.cc/_synapse/metrics
      - https://tick.serguzim.me/metrics
    bearer_token: "{{ vault_metrics_token }}"
  postgresql:
    user: "{{ vault_telegraf.db.user }}"