salt/ansible
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Move everything into one huge monolithic VM

Browse Source
This commit is contained in:
Salt 2022-07-21 21:05:27 -05:00
parent 974628ef86
commit 5a9c435dd3
9 changed files with 96 additions and 206 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
playbooks/local_dns.yml
View File

@ -70,24 +70,12 @@
state: "{{ item.state | default('present', true) }}" state: "{{ item.state | default('present', true) }}"
value: [ "{{ item.value }}" ] value: [ "{{ item.value }}" ]
with_items: with_items:
- record: bastion1.desu.ltd
value: bastion1.dallas.mgmt.desu.ltd
- record: com1.desu.ltd
value: com1.dallas.mgmt.desu.ltd
- record: dsk-ryzen-0.desu.ltd - record: dsk-ryzen-0.desu.ltd
value: dsk-ryzen-1.ws.mgmt.desu.ltd value: dsk-ryzen-1.ws.mgmt.desu.ltd
- record: lap-s76-lemp9-0.desu.ltd - record: lap-s76-lemp9-0.desu.ltd
value: lap-s76-lemp9-1.ws.mgmt.desu.ltd value: lap-s76-lemp9-1.ws.mgmt.desu.ltd
- record: pi-homeauto-1.desu.ltd - record: pi-homeauto-1.desu.ltd
value: pi-homeauto-1.home.mgmt.desu.ltd value: pi-homeauto-1.home.mgmt.desu.ltd
- record: psql1.desu.ltd
value: psql1.dallas.mgmt.desu.ltd
- record: web1.desu.ltd
value: web1.dallas.mgmt.desu.ltd
- record: web2.desu.ltd
value: web2.dallas.mgmt.desu.ltd
- record: web3.desu.ltd
value: web3.dallas.mgmt.desu.ltd
loop_control: loop_control:
label: "{{ item.record }}" label: "{{ item.record }}"
delegate_to: localhost delegate_to: localhost
@ -102,22 +90,22 @@
value: [ "{{ item.value }}" ] value: [ "{{ item.value }}" ]
with_items: with_items:
# Public # Public
- record: git.desu.ltd
value: web1.dallas.mgmt.desu.ltd
- record: jenkins.desu.ltd
value: web2.dallas.mgmt.desu.ltd
- record: matrix.desu.ltd
value: com1.dallas.mgmt.desu.ltd
- record: movie.desu.ltd
value: web3.dallas.mgmt.desu.ltd
- record: nagios.desu.ltd
value: web3.dallas.mgmt.desu.ltd
- record: nc.desu.ltd
value: web1.dallas.mgmt.desu.ltd
- record: netbox.desu.ltd
value: web3.dallas.mgmt.desu.ltd
- record: ara.desu.ltd - record: ara.desu.ltd
value: web3.dallas.mgmt.desu.ltd value: vm-general-1.ashburn.mgmt.desu.ltd
- record: git.desu.ltd
value: vm-general-1.ashburn.mgmt.desu.ltd
- record: jenkins.desu.ltd
value: vm-general-1.ashburn.mgmt.desu.ltd
- record: matrix.desu.ltd
value: vm-general-1.ashburn.mgmt.desu.ltd
- record: movie.desu.ltd
value: vm-general-1.ashburn.mgmt.desu.ltd
- record: nagios.desu.ltd
value: vm-general-1.ashburn.mgmt.desu.ltd
- record: nc.desu.ltd
value: vm-general-1.ashburn.mgmt.desu.ltd
- record: netbox.desu.ltd
value: vm-general-1.ashburn.mgmt.desu.ltd
# Local # Local
- record: homeauto.local.desu.ltd - record: homeauto.local.desu.ltd
value: pi-homeauto-1.home.mgmt.desu.ltd value: pi-homeauto-1.home.mgmt.desu.ltd

40
playbooks/prod_com.yml
View File

@ -1,40 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
---
- hosts: com1.dallas.mgmt.desu.ltd
gather_facts: no
module_defaults:
docker_container:
state: started
restart_policy: unless-stopped
pull: yes
pre_tasks:
- name: ensure docker network
docker_network: name=web
tags: [ docker ]
tasks:
- name: include tasks for applications
include_tasks: tasks/{{ item }}
with_items:
- web/element-web.yml
- web/synapse.yml
tags: [ always ]
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /data
tags: [ backup ]
- role: ingress
vars:
ingress_servers:
- name: matrix.desu.ltd
proxies:
- location: "~* ^(\/_matrix|\/_synapse|\/client|\/health)"
pass: http://synapse:8008
- location: /
pass: http://element:80
directives:
- "client_max_body_size 0"
tags: [ web, docker, ingress ]

12
playbooks/prod_db.yml
View File

@ -2,17 +2,15 @@
# vim:ft=ansible: # vim:ft=ansible:
# Database servers # Database servers
--- ---
- hosts: psql1.dallas.mgmt.desu.ltd - hosts: vm-general-1.ashburn.mgmt.desu.ltd
roles: roles:
- role: backup
tags: [ backup ]
- role: geerlingguy.postgresql - role: geerlingguy.postgresql
vars: vars:
postgresql_global_config_options: postgresql_global_config_options:
- option: listen_addresses - option: listen_addresses
value: 192.168.164.156,127.0.0.1 value: 10.0.0.2,127.0.0.1
- option: max_connections - option: max_connections
value: 60 value: 240
- option: shared_buffers - option: shared_buffers
value: 128MB value: 128MB
postgresql_hba_entries: postgresql_hba_entries:
@ -21,7 +19,9 @@
- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 } - { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 } - { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
# Used for internal access from other nodes # Used for internal access from other nodes
- { type: host, database: all, user: all, address: '192.168.0.0/16', auth_method: md5 } - { type: host, database: all, user: all, address: '10.0.0.0/8', auth_method: md5 }
# Used for internal access from Docker
- { type: host, database: all, user: all, address: '172.16.0.0/12', auth_method: md5 }
postgresql_users: postgresql_users:
- name: ara-desultd - name: ara-desultd
password: "{{ secret_ara_db_pass }}" password: "{{ secret_ara_db_pass }}"

12
playbooks/prod_game.yml
View File

@ -1,12 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Game servers
---
- hosts: vm-game-1.dallas.mgmt.desu.ltd
gather_facts: no
tasks:
- name: include tasks for gameservers
include_tasks: tasks/game/{{ item }}
with_items:
- scpsl.yml
tags: [ always ]

188
playbooks/prod_web.yml
View File

@ -2,26 +2,32 @@
# vim:ft=ansible: # vim:ft=ansible:
# Webservers # Webservers
--- ---
- hosts: web1.dallas.mgmt.desu.ltd - hosts: vm-general-1.ashburn.mgmt.desu.ltd
gather_facts: no gather_facts: no
module_defaults: module_defaults:
docker_container: docker_container:
state: started state: started
restart_policy: unless-stopped restart_policy: unless-stopped
pull: yes pull: yes
tasks: pre_tasks:
- name: ensure docker network - name: ensure docker network
docker_network: name=web docker_network: name=web
tags: [ docker ] tags: [ docker ]
tasks:
- name: include tasks for applications - name: include tasks for applications
include_tasks: tasks/{{ item }} include_tasks: tasks/{{ item }}
with_items: with_items:
- app/redis.yml - app/redis.yml
- web/9iron.yml - web/9iron.yml
- web/ara.yml
- web/desultd.yml - web/desultd.yml
- web/element-web.yml
- web/gitea.yml - web/gitea.yml
- web/jenkins.yml
- web/netbox.yml
- web/nextcloud.yml - web/nextcloud.yml
- web/srv.yml - web/srv.yml
- web/synapse.yml
tags: [ always ] tags: [ always ]
roles: roles:
- role: backup - role: backup
@ -40,118 +46,6 @@
- repo: https://git.desu.ltd/salt/gitea-custom - repo: https://git.desu.ltd/salt/gitea-custom
dest: /data/gitea/data/gitea/custom dest: /data/gitea/data/gitea/custom
tags: [ web, git ] tags: [ web, git ]
- role: ingress
vars:
ingress_servers:
# desu.ltd
- name: desu.ltd
proxy_pass: http://desultd:80
locations:
- location: /.well-known/matrix/server
contents: |
default_type application/json;
return 200 '{"m.server":"matrix.desu.ltd:443"}';
- location: /.well-known/matrix/client
contents: |
default_type application/json;
return 200 '{"m.homeserver":{"base_url":"https://matrix.desu.ltd"}}';
- name: git.desu.ltd
proxy_pass: http://gitea:3000
- name: nc.desu.ltd
directives:
- "add_header Strict-Transport-Security \"max-age=31536000\""
- "client_max_body_size 0"
proxy_pass: http://nextcloud:80
locations:
- location: "^~ /.well-known"
contents: |
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location ^~ /.well-known { return 301 /index.php$uri; }
try_files $uri $uri/ =404;
# 9iron
- name: www.9iron.club
directives:
- "return 301 $scheme://9iron.club$request_uri"
- name: 9iron.club
proxy_pass: http://9iron:80
- name: srv.9iron.club
proxy_pass: http://srv:80
tags: [ web, docker, ingress ]
- hosts: web2.dallas.mgmt.desu.ltd
gather_facts: no
module_defaults:
docker_container:
state: started
restart_policy: unless-stopped
pull: yes
pre_tasks:
- name: ensure docker network
docker_network: name=web
tags: [ docker ]
- name: include tasks for applications
include_tasks: tasks/{{ item }}
with_items:
- app/redis.yml
- web/jenkins.yml
tags: [ always ]
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /data
tags: [ backup ]
- role: ingress
vars:
ingress_servers:
- name: jenkins.desu.ltd
locations:
- location: "/"
contents: |
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_pass http://jenkins:8080;
- location: |
~ "^/static/[0-9a-fA-F]{8}\/(.*)$"
contents: |
rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
- location: "/userContent"
contents: |
root /data/jenkins/home/;
if (!-f $request_filename) {
rewrite (.*) /$1 last;
break;
}
tags: [ web, docker, ingress ]
- hosts: web3.dallas.mgmt.desu.ltd
module_defaults:
docker_container:
state: started
restart_policy: unless-stopped
pull: yes
pre_tasks:
- name: clear host errors
ansible.builtin.meta: clear_host_errors
tasks:
- name: ensure docker network
docker_network: name=web
tags: [ docker ]
- name: include tasks for applications
include_tasks: tasks/{{ item }}
with_items:
- app/redis.yml
- web/netbox.yml
- web/ara.yml
tags: [ always ]
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /data
tags: [ backup ]
# TODO: Replace this with Naemon(?)
- role: nagios - role: nagios
vars: vars:
nagios_matrix_server: "https://matrix.desu.ltd" nagios_matrix_server: "https://matrix.desu.ltd"
@ -313,10 +207,72 @@
- role: ingress - role: ingress
vars: vars:
ingress_servers: ingress_servers:
# desu.ltd
- name: ara.desu.ltd - name: ara.desu.ltd
proxy_pass: http://ara:8000 proxy_pass: http://ara:8000
- name: netbox.desu.ltd - name: desu.ltd
proxy_pass: http://netbox:8080 proxy_pass: http://desultd:80
locations:
- location: /.well-known/matrix/server
contents: |
default_type application/json;
return 200 '{"m.server":"matrix.desu.ltd:443"}';
- location: /.well-known/matrix/client
contents: |
default_type application/json;
return 200 '{"m.homeserver":{"base_url":"https://matrix.desu.ltd"}}';
- name: git.desu.ltd
proxy_pass: http://gitea:3000
- name: jenkins.desu.ltd
locations:
- location: "/"
contents: |
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_pass http://jenkins:8080;
- location: |
~ "^/static/[0-9a-fA-F]{8}\/(.*)$"
contents: |
rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
- location: "/userContent"
contents: |
root /data/jenkins/home/;
if (!-f $request_filename) {
rewrite (.*) /$1 last;
break;
}
- name: matrix.desu.ltd
proxies:
- location: "~* ^(\/_matrix|\/_synapse|\/client|\/health)"
pass: http://synapse:8008
- location: /
pass: http://element:80
directives:
- "client_max_body_size 0"
- name: nagios.desu.ltd - name: nagios.desu.ltd
proxy_pass: http://nagios:80 proxy_pass: http://nagios:80
- name: nc.desu.ltd
directives:
- "add_header Strict-Transport-Security \"max-age=31536000\""
- "client_max_body_size 0"
proxy_pass: http://nextcloud:80
locations:
- location: "^~ /.well-known"
contents: |
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location ^~ /.well-known { return 301 /index.php$uri; }
try_files $uri $uri/ =404;
- name: netbox.desu.ltd
proxy_pass: http://netbox:8080
# 9iron
- name: www.9iron.club
directives:
- "return 301 $scheme://9iron.club$request_uri"
- name: 9iron.club
proxy_pass: http://9iron:80
- name: srv.9iron.club
proxy_pass: http://srv:80
tags: [ web, docker, ingress ] tags: [ web, docker, ingress ]

2
playbooks/site_main.yml
View File

@ -14,5 +14,3 @@
# Production configuration # Production configuration
- import_playbook: prod_db.yml - import_playbook: prod_db.yml
- import_playbook: prod_web.yml - import_playbook: prod_web.yml
- import_playbook: prod_com.yml
- import_playbook: prod_game.yml

2
playbooks/tasks/web/ara.yml
View File

@ -9,7 +9,7 @@
ARA_DATABASE_NAME: ara-desultd ARA_DATABASE_NAME: ara-desultd
ARA_DATABASE_USER: ara-desultd ARA_DATABASE_USER: ara-desultd
ARA_DATABASE_PASSWORD: "{{ secret_ara_db_pass }}" ARA_DATABASE_PASSWORD: "{{ secret_ara_db_pass }}"
ARA_DATABASE_HOST: 192.168.164.156 ARA_DATABASE_HOST: 10.0.0.2
networks: networks:
- name: web - name: web
aliases: [ "ara" ] aliases: [ "ara" ]

2
playbooks/tasks/web/gitea.yml
View File

@ -7,7 +7,7 @@
USER_UID: "1002" USER_UID: "1002"
USER_GID: "1002" USER_GID: "1002"
GITEA__database_DB_TYPE: postgres GITEA__database_DB_TYPE: postgres
GITEA__database_HOST: 192.168.164.156:5432 GITEA__database_HOST: 10.0.0.2:5432
GITEA__database_NAME: gitea-desultd GITEA__database_NAME: gitea-desultd
GITEA__database_USER: gitea-desultd GITEA__database_USER: gitea-desultd
GITEA__database_PASSWD: "{{ secret_gitea_db_pass }}" GITEA__database_PASSWD: "{{ secret_gitea_db_pass }}"

2
playbooks/tasks/web/netbox.yml
View File

@ -13,7 +13,7 @@
SUPERUSER_API_TOKEN: "{{ secret_netbox_api_token }}" SUPERUSER_API_TOKEN: "{{ secret_netbox_api_token }}"
SECRET_KEY: "{{ secret_netbox_secret_key }}" SECRET_KEY: "{{ secret_netbox_secret_key }}"
ALLOWED_HOST: netbox.desu.ltd ALLOWED_HOST: netbox.desu.ltd
DB_HOST: 192.168.164.156 DB_HOST: 10.0.0.2
DB_NAME: netbox-desultd DB_NAME: netbox-desultd
DB_USER: netbox-desultd DB_USER: netbox-desultd
DB_PASSWORD: "{{ secret_netbox_db_pass }}" DB_PASSWORD: "{{ secret_netbox_db_pass }}"