Move web1 over to a containerized setup, containerize Nextcloud

playbooks/prod_web.yml

@@ -15,6 +15,80 @@
       restart_policy: unless-stopped
       pull: yes
   tasks:
+    - name: ensure docker network
+      docker_network: name=web
+      tags: [ docker ]
+    - name: ensure docker nginx config
+      copy:
+        dest: /data/nginx-certbot/user_conf.d/vhosts.conf
+        mode: "0750"
+        content: |
+          server {
+            listen 443 ssl default_server;
+            server_name desu.ltd;
+            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+            location / {
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_pass http://desultd:80;
+            }
+          }
+          server {
+            listen 443 ssl;
+            server_name 9iron.club;
+            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+            location / {
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_pass http://9iron:80;
+            }
+          }
+          server {
+            listen 443 ssl;
+            server_name git.desu.ltd;
+            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+            location / {
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_pass http://gitea:3000;
+            }
+          }
+          server {
+            listen 443 ssl;
+            server_name nc.desu.ltd;
+            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+            location / {
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_pass http://nextcloud:80;
+            }
+          }
+          server {
+            listen 443 ssl;
+            server_name srv.9iron.club;
+            ssl_certificate /etc/letsencrypt/live/desu.ltd/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/desu.ltd/privkey.pem;
+            ssl_trusted_certificate /etc/letsencrypt/live/desu.ltd/chain.pem;
+            ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+            location / {
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_pass http://srv:80;
+            }
+          }
+      tags: [ docker, ingress ]
     - name: include tasks for apps
       include_tasks: tasks/app/{{ task }}
       with_items:
@@ -28,6 +102,9 @@
         - 9iron.yml
         - desultd.yml
         - gitea.yml
+        - nextcloud.yml
+        - srv.yml
+        - ingress-generic.yml
       loop_control:
         loop_var: task
       tags: [ always ]
@@ -47,20 +124,12 @@
           - /var/lib/gitea/log
           - /data/gitea/data/gitea/log
       tags: [ backup ]
-    - role: certbot
-      tags: [ web, certbot ]
-    - role: php
-      tags: [ web, php ]
-    - role: apache
-      tags: [ web, apache ]
     - role: git
       vars:
         git_repos:
           - repo: https://git.desu.ltd/salt/gitea-custom
             dest: /data/gitea/data/gitea/custom
       tags: [ web, git ]
-    - role: nextcloud
-      tags: [ web, nextcloud ]
 - hosts: web2.desu.ltd
   module_defaults:
     docker_container:

playbooks/tasks/web/9iron.yml

@@ -3,8 +3,9 @@
   docker_container:
     name: 9iron
     image: rehashedsalt/9iron:latest
-    ports:
+    networks:
-      - 8001:80
+      - name: web
+        aliases: [ "9iron" ]
     volumes:
       - /data/9iron/files:/var/www/html/files
       - /data/9iron/packs:/var/www/html/minecraft/packs

playbooks/tasks/web/desultd.yml

@@ -3,8 +3,9 @@
   docker_container:
     name: desultd
     image: rehashedsalt/desultd:latest
-    ports:
+    networks:
-      - 8002:80
+      - name: web
+        aliases: [ "desultd" ]
     volumes:
       - /data/9iron/files:/var/www/html/files
   tags: [ docker, 9iron ]

playbooks/tasks/web/gitea.yml

@@ -12,8 +12,10 @@
       GITEA__database_USER: gitea-desultd
       GITEA__database_PASSWD: "{{ secret_gitea_db_pass }}"
     ports:
-      - 3000:3000
       - 127.0.0.1:2222:22
+    networks:
+      - name: web
+        aliases: [ "gitea" ]
     volumes:
       - /data/gitea/data:/data
       - /etc/timezone:/etc/timezone:ro

playbooks/tasks/web/nextcloud.yml

@@ -0,0 +1,14 @@
+# vim:ft=ansible:
+- name: docker deploy nextcloud
+  docker_container:
+    name: nextcloud
+    image: nextcloud:21
+    networks:
+      - name: web
+        aliases: [ "nextcloud" ]
+    volumes:
+      - /data/nextcloud/apps:/var/www/html/apps
+      - /data/nextcloud/config:/var/www/html/config
+      - /data/nextcloud/themes:/var/www/html/themes
+      - /srv/desu.ltd/nc:/var/www/html/data
+  tags: [ docker, nextcloud ]

playbooks/tasks/web/srv.yml

@@ -0,0 +1,13 @@
+# vim:ft=ansible:
+- name: docker deploy nextcloud shim
+  docker_container:
+    # NOTE: We depend on the default configuration of Apache here, specifically
+    # the default to have server-generated indexes. Makes srv easier to navigate
+    name: srv
+    image: httpd:latest
+    networks:
+      - name: web
+        aliases: [ "srv" ]
+    volumes:
+      - /var/www/srv.9iron.club:/usr/local/apache2/htdocs
+  tags: [ docker, 9iron ]