From 83f1c71c190972a681b41502a62497360fc6bae3 Mon Sep 17 00:00:00 2001 From: forest Date: Sun, 12 Jun 2022 03:09:46 +0000 Subject: [PATCH 01/14] get rid of concourse pipelines --- concourse-pipelines/capsul-archlinux.yml | 52 ------------------------ 1 file changed, 52 deletions(-) delete mode 100644 concourse-pipelines/capsul-archlinux.yml diff --git a/concourse-pipelines/capsul-archlinux.yml b/concourse-pipelines/capsul-archlinux.yml deleted file mode 100644 index 690aa60..0000000 --- a/concourse-pipelines/capsul-archlinux.yml +++ /dev/null @@ -1,52 +0,0 @@ -# to update the pipeline, run: -# fly -t cyberia set-pipeline -c capsul-archlinux.yml -p capsul-archlinux -# see https://man.cyberia.club/services/concourse-ci.md -resources: -- name: capsul-images - source: - uri: https://git.sr.ht/~j3s/capsul-images - type: git -- name: time-interval-24h - source: - interval: 24h - type: time -jobs: -- name: capsul-archlinux - plan: - - get: time-interval-24h - trigger: true - - get: capsul-images - - config: - image_resource: - name: "" - source: - repository: archlinux - tag: latest - type: docker-image - inputs: - - name: capsul-images - platform: linux - run: - args: - - -c - - | - # see https://bugs.archlinux.org/task/69563 - printf "patching glibc...\n" - patched_glibc=glibc-linux4-2.33-4-x86_64.pkg.tar.zst - curl -LO "https://repo.archlinuxcn.org/x86_64/$patched_glibc" > /dev/null - bsdtar -C / -xvf "$patched_glibc" > /dev/null - - printf "updating repos...\n" - pacman -Sy --noconfirm > /dev/null - - printf "installing deps...\n" - pacman -S --noconfirm arch-install-scripts qemu-headless procps-ng reflector syslinux pacman-contrib > /dev/null - - printf "building image...\n" - # build the image - cd capsul-images/archlinux - ./build - path: sh - task: build-image - public: true - -- 2.40.1 From 0a9f810228cf19cda93b0452fc95dc1711ec96ef Mon Sep 17 00:00:00 2001 
From: forest
Date: Sun, 12 Jun 2022 03:09:58 +0000
Subject: [PATCH 02/14] get rid of concourse pipelines

---
concourse-pipelines/capsul-guixsystem.yml | 66 ----------------------
1 file changed, 66 deletions(-)
delete mode 100644 concourse-pipelines/capsul-guixsystem.yml

diff --git a/concourse-pipelines/capsul-guixsystem.yml b/concourse-pipelines/capsul-guixsystem.yml
deleted file mode 100644
index e904d8b..0000000
--- a/concourse-pipelines/capsul-guixsystem.yml
+++ /dev/null
@@ -1,66 +0,0 @@ -# to update the pipeline, run: -# fly -t cyberia set-pipeline -c capsul-guixsystem.yml -p capsul-guixsystem -# to run the pipeline, run: -# fly -t cyberia trigger-job -j capsul-guixsystem/capsul-guixsystem -# then you should see it in the web UI here: https://concourse.cyberia.club/teams/main/pipelines/capsul-guixsystem/jobs/capsul-guix-system/builds/ -# to get a shell inside the pipeline while its running: -# fly -t cyberia hijack --job capsul-guixsystem/capsul-guixsystem --build 2 --step image sh -# see https://man.cyberia.club/services/concourse-ci.md -resources: -- name: time-interval-24h - type: time - source: - interval: 24h - -jobs: -- name: capsul-guixsystem - plan: - - get: time-interval-24h - trigger: true - - task: capsul-guixsystem-task - config: - image_resource: - name: "" - source: - repository: alpine - tag: '3.14.0' - type: docker-image - platform: linux - run: - path: sh - args: - - '-c' - - | - echo "installing required build deps" - apk add packer qemu-img qemu-system-x86_64 rsync git - - # produced qemu files are sent TO baikal.cyberia.club (the server which hosts capsul) - # - # space separated - servers="192.168.1.246" - - # the following ssh host public keys were obtained with this command: - # cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo .cyberia.club) \""'$1" "$2'" }" - mkdir .ssh - echo ' - baikal.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFqtdN4dBInWhmp3oXEkjrMvA/yfI3Lb7tVIK6L7YFi - ' >> .ssh/known_hosts - - # the double parenthesis is concourse syntax for interpolating in a secret. - # See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault - # - # the deploy user has accounts on all capsul systems, and only has privs - # to write images. 
- - echo '((deploy_user_ssh_private_key))' > .ssh/id_ed25519 - - # openssh will complain if we don't make the ownership of the private key file exclusive - chmod 400 .ssh/id_ed25519 - - # build the vm with packer - git clone https://git.cyberia.club/services/capsul-images - cd capsul-images/guixsystem - ./build 1.3.0 - - - public: true -- 2.40.1 From 84434b824a69f2ab8c05a78de66fd82fe53e45f1 Mon Sep 17 00:00:00 2001 From: forest Date: Sun, 12 Jun 2022 03:10:36 +0000 Subject: [PATCH 03/14] Delete 'concourse-pipelines/capsul-openbsd.yml' --- concourse-pipelines/capsul-openbsd.yml | 61 -------------------------- 1 file changed, 61 deletions(-) delete mode 100644 concourse-pipelines/capsul-openbsd.yml diff --git a/concourse-pipelines/capsul-openbsd.yml b/concourse-pipelines/capsul-openbsd.yml deleted file mode 100644 index 3ddc15d..0000000 --- a/concourse-pipelines/capsul-openbsd.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -# to update the pipeline, run: -# fly -t cyberia set-pipeline -c capsul-openbsd.yml -p capsul-openbsd -# see https://man.cyberia.club/services/concourse-ci.md -resources: -- name: time-interval-24h - type: time - source: - interval: 24h - -jobs: -- name: capsul-openbsd - plan: - - get: time-interval-24h - trigger: true - - task: capsul-openbsd-task - config: - image_resource: - name: "" - source: - repository: alpine - tag: '3.14.0' - type: docker-image - platform: linux - run: - path: sh - args: - - '-c' - - | - echo "installing required build deps" - apk add packer qemu-img qemu-system-x86_64 rsync git - - # produced qemu files are sent TO baikal.cyberia.club (the server which hosts capsul) - # - # space separated - servers="192.168.1.246" - - # the following ssh host public keys were obtained with this command: - # cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo .cyberia.club) \""'$1" "$2'" }" - mkdir .ssh - echo ' - baikal.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFqtdN4dBInWhmp3oXEkjrMvA/yfI3Lb7tVIK6L7YFi - ' >> .ssh/known_hosts - - # the double parenthesis is concourse syntax for interpolating in a secret. - # See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault - # - # the deploy user has accounts on all capsul systems, and only has privs - # to write images. - # echo 'deploy_ssh_private_key' > .ssh/id_ed25519 - echo 'testcrap' > .ssh/id_ed25519 - - # openssh will complain if we don't make the ownership of the private key file exclusive - chmod 400 .ssh/id_ed25519 - - # build the vm with packer - git clone https://git.cyberia.club/services/capsul-images - cd capsul-images/openbsd - ./build 6.9 - - - public: true -- 2.40.1 From f53765f5e72fd8b6a86bf8f829b7013b036336ce Mon Sep 17 00:00:00 2001 
From: forest
Date: Sun, 12 Jun 2022 03:10:46 +0000
Subject: [PATCH 04/14] get rid of concourse pipelines

---
concourse-pipelines/postgres-backup.yml | 84 -------------------------
1 file changed, 84 deletions(-)
delete mode 100644 concourse-pipelines/postgres-backup.yml

diff --git a/concourse-pipelines/postgres-backup.yml b/concourse-pipelines/postgres-backup.yml
deleted file mode 100644
index cfab630..0000000
--- a/concourse-pipelines/postgres-backup.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -# to update the pipeline, run: -# fly -t cyberia sp -c ~/Desktop/git/cyberia-ops-handbook/concourse-pipelines/postgres-backup.yml -p postgres-backup -# (see https://man.cyberia.club/services/concourse-ci.md) -resources: -- name: time-interval-24h - type: time - source: - interval: 24h - -jobs: -- name: postgres-backup - plan: - - get: time-interval-24h - trigger: true - - task: postgres-backup-task - config: - image_resource: - name: "" - source: - repository: alpine - tag: '3.13.5' - type: docker-image - platform: linux - run: - path: sh - args: - - '-c' - - | - - # alpine image does not come with ssh client by default :\ - - echo "installing openssh-client..." - apk add -q openssh-client 2>&1 > apk-log - - # https://en.wikibooks.org/wiki/Bourne_Shell_Scripting/Appendix_C:_Quick_Reference#IF_statement - if [ "$?" = "1" ] - then - echo 'failed to install openssh-client:' - cat apk-log - fi - - echo '.' - echo '.' - echo '.' - - # backups are sent FROM the postgres dbs on the following servers - servers='matrix.cyberia.club legion.cyberia.club rosewater.cyberia.club' - - # backups are sent TO magnataur.cyberia.club (the server which hosts jitsi and btcpay server) - magnataur_lan_ip="192.168.1.246" - - # the following ssh host public keys were obtained with this command: - # cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo .cyberia.club) \""'$1" "$2'" }" - echo ' - rosewater.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkQzQcJUMl0Yb0MPgvkIFa5vVEuhyg2F+DCn8BWr/FN - matrix.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFA3Z/hLRYNysAA06x6DFOC8Bm1V6qdGKuJMbpedPO/r - legion.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjP99CUIMvER+D/OFkaJtxx1bjcv2Xz+dX6Q8O0wxqv - magnataur.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPPrQcmbXOLUDhSISU6PJxdhTTZYQv+tgAO9iLNWvMI - '"$magnataur_lan_ip"' ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPPrQcmbXOLUDhSISU6PJxdhTTZYQv+tgAO9iLNWvMI - ' > /tmp/known_hosts - - # the double parenthesis is 
concourse syntax for interpolating in a secret. - # See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault - echo '((backups_ssh_private_key))' > /tmp/backups_ssh_private_key - - # openssh will complain if we don't make the ownership of the private key file exclusive - chmod 700 /tmp/backups_ssh_private_key - - # https://en.wikibooks.org/wiki/Bourne_Shell_Scripting/Appendix_C:_Quick_Reference#Loop_statements - for server in $servers - do - - echo "backing up /var/lib/postgresql/pgbackup.gz from $server..." - scp -3 -i /tmp/backups_ssh_private_key -o UserKnownHostsFile=/tmp/known_hosts -o HostKeyAlgorithms=ssh-ed25519 \ - "backups@$server:/var/lib/postgresql/pgbackup.gz" \ - "backups@$magnataur_lan_ip:/tank/backups/postgres/$server-pgbackup.gz" - - echo "writing postgresql_offsite_backup_last_run_seconds metric for $server..." - ssh -i /tmp/backups_ssh_private_key -o UserKnownHostsFile=/tmp/known_hosts -o HostKeyAlgorithms=ssh-ed25519 \ - "backups@$server" prom-collect postgresql_offsite_backup_last_run_seconds $(date +%s) - - done - - public: true -- 2.40.1 From 7e2c35ad8e596e8fb3d79b22a1d9b29668ef8f61 Mon Sep 17 00:00:00 2001 From: j3s Date: Sun, 12 Jun 2022 21:55:12 +0000 Subject: [PATCH 05/14] Update nullhex instructions --- howto/email-make-user.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/howto/email-make-user.md b/howto/email-make-user.md index cda68a7..2d983a3 100644 --- a/howto/email-make-user.md +++ b/howto/email-make-user.md @@ -1,4 +1,4 @@ ``` -ssh m1.nullhex.com -l cyberian -mknullhex example@nullhex.com +ssh domechild.cyberia.club +sudo mkaddr example@nullhex.com ``` -- 2.40.1 From 2ea37e8bb0e19b23d399235eaa6f2683112a1cec Mon Sep 17 00:00:00 2001 From: zico Date: Wed, 15 Jun 2022 02:56:26 +0000 Subject: [PATCH 06/14] Add 'ansible/group_vars/gancioservers' --- ansible/group_vars/gancioservers | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ansible/group_vars/gancioservers 
diff --git a/ansible/group_vars/gancioservers b/ansible/group_vars/gancioservers
new file mode 100644
index 0000000..60b29fb
--- /dev/null
+++ b/ansible/group_vars/gancioservers
@@ -0,0 +1,3 @@
+---
+tls_certs:
+ - calendar.layerze,ro
\ No newline at end of file
-- 
2.40.1

From 6c8bd9facbe7889846e772866f244e4fffea0671 Mon Sep 17 00:00:00 2001
From: zico
Date: Wed, 15 Jun 2022 03:00:00 +0000
Subject: [PATCH 07/14] Add 'ansible/roles/gancio/tasks/main.yml'

---
ansible/roles/gancio/tasks/main.yml | 88 +++++++++++++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 ansible/roles/gancio/tasks/main.yml

diff --git a/ansible/roles/gancio/tasks/main.yml b/ansible/roles/gancio/tasks/main.yml
new file mode 100644
index 0000000..e6cebec
--- /dev/null
+++ b/ansible/roles/gancio/tasks/main.yml
@@ -0,0 +1,88 @@ +# install tools first +- name: Install dependencies + community.general.apk: + update_cache: yes + name: "{{ item }}" + state: present + with_items: + - build-base + - postgresql + - postgresql-bdr-dev + - nodejs + - yarn + - git + +# Create database and user +- name: start postgres + service: + name: postgresql + enabled: yes + started: yes + +- name: Create gancio database + community.postgresql.postgresql_db: + name: gancio + +- name: Create postgres gancio user + community.postgresql.postgresql_user: + db: gancio + name: gancio + password: TBD + +- name: Grant all privs to ganio on db gancio + community.postgresql.postgresql_privs: + db: gancio + privs: ALL + type: database + role: gancio + +# Add gancio user to system +- name: Add gancio unix user + user: + name: gancio + system: yes + shell: /bin/false + home: /opt/gancio + +# Install gancio with yarn +- name: Install gancio + community.general.yarn: + global: yes + repository: 'https://git.cyberia.club/zico/gancio-patched/raw/branch/main/gancio-v1.4.4.tgz' + +# Download and install gancio service file +- name: copy gancio service file + copy: + src: "files/gancio.initd" + dest: "/etc/initd/gancio" + owner: root + group: root + mode: '0755' + +# Enable and start gancio service +- name: Start and enable gancio service + service: + name: gancio + enabled: yes + state: started + +# Copy backup script and enable +- name: copy over backup script + copy: + src: "files/gancio-backup.sh" + dest: "/usr/local/bin/gancio-backup.sh" + owner: root + group: root + mode: 0755 + +- name: make backups directory + file: + path: /opt/gancio/backups + state: directory + +- name: Set up cron job for gancio-backup + cron: + name: "gancio backup script" + minute: 27 + hour: */12 + job: "cd /opt/gancio && /usr/local/bin/gancio-backup.sh" \ No newline at end of file -- 2.40.1 From c8936556b29259ab6cbd5638e4d609d6ab99fa85 Mon Sep 17 00:00:00 2001 
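Review bot: The cron task's `hour: */12` will not parse — an unquoted `*` opens a YAML alias, so this tasks file fails to load before anything runs; quote it as `hour: "*/12"`. Two more lines look broken as written: `started: yes` on the `start postgres` task is not an option of the `service` module (it wants `state: started`), and the init script is copied to `dest: "/etc/initd/gancio"` rather than `/etc/init.d/gancio`, so OpenRC will not find it and the later `Start and enable gancio service` task should fail. The `Create postgres gancio user` task sets the literal `password: TBD`, a placeholder credential committed in plain text; take it from Ansible Vault or a group var (`password: "{{ gancio_db_password }}"`) and add `no_log: true` to that task so the value does not appear in play output. As far as I can tell `community.general.yarn` takes `name:` rather than `repository:`, so the `Install gancio` task is worth checking against the installed collection's docs.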
From: zico
Date: Wed, 15 Jun 2022 03:01:28 +0000
Subject: [PATCH 08/14] Add 'ansible/roles/gancio/files/gancio-backup.sh'

---
ansible/roles/gancio/files/gancio-backup.sh | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 ansible/roles/gancio/files/gancio-backup.sh

diff --git a/ansible/roles/gancio/files/gancio-backup.sh b/ansible/roles/gancio/files/gancio-backup.sh
new file mode 100644
index 0000000..8626c6d
--- /dev/null
+++ b/ansible/roles/gancio/files/gancio-backup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# script to back up postgres and gancio
+
+sudo -u postgres pg_dump -Fc gancio > gancio.dump
+
+tar -czf gancio-$(date +%Y-%m-%d-%H%M%S)-backup.tgz $(ls -d config.json uploads user_locale db.sqlite gancio.dump postgres data db logs 2> /dev/null)
+mv gancio-*-backup.tgz backups/
+cd backups/
+ls -tp | grep -v '/$' | tail -n +15 | xargs -I {} rm -- {}
\ No newline at end of file
-- 
2.40.1

From d04b8aebde7d5f63fdb8eab60efeb1544038a127 Mon Sep 17 00:00:00 2001
From: zico
Date: Wed, 15 Jun 2022 03:02:19 +0000
Subject: [PATCH 09/14] Add 'ansible/roles/gancio/files/gancio.initd'

---
ansible/roles/gancio/files/gancio.initd | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 ansible/roles/gancio/files/gancio.initd

diff --git a/ansible/roles/gancio/files/gancio.initd b/ansible/roles/gancio/files/gancio.initd
new file mode 100644
index 0000000..2796cd5
--- /dev/null
+++ b/ansible/roles/gancio/files/gancio.initd
@@ -0,0 +1,17 @@
+#!/sbin/openrc-run
+
+name="gancio daemon"
+command="/usr/local/bin/$SVCNAME"
+command_user="gancio"
+pidfile="/var/run/$SVCNAME"
+command_background="yes"
+directory="/opt/gancio"
+
+depend() {
+ need localmount
+ use logger
+}
+
+stop() {
+ kill -9 `cat $pidfile`
+}
\ No newline at end of file
-- 
2.40.1

From 022f9f26d901c21811b6f1f2bbd442f45d3f3046 Mon Sep 17 00:00:00 2001
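Review bot: gancio-backup.sh has no error handling, so when `pg_dump` fails the script still tars up an empty or truncated `gancio.dump`, moves it into `backups/`, and the rotation on the last line then deletes an older good backup to make room for the bad one; add `set -euo pipefail` after the shebang so a failed dump aborts the run. The archive is created with the root cron job's default umask in `/opt/gancio` and bundles `config.json`, which presumably holds the database credentials, so add `umask 077` at the top (or `chmod 600` the tarball before the `mv`) so the gancio user and others cannot read backups. The script also relies on the cron entry's `cd /opt/gancio`; a `cd /opt/gancio || exit 1` inside the script makes it safe to run by hand. Minor: `ls -tp | grep -v '/$' | tail -n +15 | xargs -I {} rm -- {}` parses `ls` output, which only works because the filenames are generated by this script.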
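Review bot: The `stop()` override in gancio.initd runs `kill -9` on the contents of `$pidfile`, so gancio never gets a chance to shut down cleanly (in-flight database writes and uploads are cut off), and if the pidfile is missing or empty the command runs with no PID at all; OpenRC's default stop already uses start-stop-daemon with the declared `pidfile` to send SIGTERM and escalate, so the simplest fix is to delete the three-line `stop()` function. `pidfile="/var/run/$SVCNAME"` would conventionally be `pidfile="/run/$SVCNAME.pid"`; `/var/run` is typically a symlink to `/run` on Alpine, so this is cosmetic but worth aligning. `command="/usr/local/bin/$SVCNAME"` assumes yarn's global bin directory is `/usr/local/bin`, which nothing in this series establishes — confirm on the target host.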
From: zico Date: Wed, 15 Jun 2022 03:13:01 +0000 Subject: [PATCH 10/14] Add 'ansible/files/calendar.layerze.ro/nginx' --- ansible/files/calendar.layerze.ro/nginx | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 ansible/files/calendar.layerze.ro/nginx diff --git a/ansible/files/calendar.layerze.ro/nginx b/ansible/files/calendar.layerze.ro/nginx new file mode 100644 index 0000000..836b207 --- /dev/null +++ b/ansible/files/calendar.layerze.ro/nginx @@ -0,0 +1,29 @@ +server { + listen 80; + server_name calendar.layerze.ro; + include /etc/nginx/snippets/letsencrypt.conf; + location / { + return 301 https://calendar.layerze.ro/; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name calendar.layerze.ro; + include /etc/nginx/snippets/ssl.conf; + ssl_certificate /etc/ssl/uacme/calendar.layerze.ro/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/calendar.layerze.ro/key.pem; + + keepalive_timeout 70; + sendfile on; + client_max_body_size 80m; + + location / { + try_files $uri @proxy; + } + + location @proxy { + proxy_set_header Host $host; + proxy_pass http://127.0.0.1:13120; + } \ No newline at end of file -- 2.40.1 From dca58c0b1966a9384287ff8f9e1367ed8ff50f68 Mon Sep 17 00:00:00 2001 From: zico Date: Wed, 15 Jun 2022 03:16:52 +0000 Subject: [PATCH 11/14] Update 'ansible/site.yml' --- ansible/site.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ansible/site.yml b/ansible/site.yml index a7c3b14..c129f28 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -80,6 +80,13 @@ - role: owncast tags: owncast +- name: setup gancioservers + hosts: gancioservers + become: true + roles: + - role: gancio + tags: gancio + - name: alpine save all iptables rules hosts: os_Alpine become: true -- 2.40.1 From 2e7ad20bf68e8667eaebdefb167d1b08b49eab11 Mon Sep 17 00:00:00 2001 
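Review bot: The `listen 443` server block appears to be missing its closing brace — the 29 added lines end with the `}` that closes `location @proxy`, so `nginx -t` should reject this file with an unexpected-end-of-file error; add a final `}`. Only `Host` is forwarded to gancio on `127.0.0.1:13120`; add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` so the application, which I assume is proxy-aware like most Node services, can log real client addresses and build https URLs. The port-80 redirect `return 301 https://calendar.layerze.ro/;` discards the request path and query string; `return 301 https://$host$request_uri;` keeps them. The port-80 server also lacks the `listen [::]:80;` counterpart to the IPv6 listener the 443 server has.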
From: zico Date: Wed, 15 Jun 2022 03:17:58 +0000 Subject: [PATCH 12/14] Update 'ansible/hosts' --- ansible/hosts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/hosts b/ansible/hosts index 933bcaa..63f9321 100644 --- a/ansible/hosts +++ b/ansible/hosts @@ -13,6 +13,9 @@ legion.cyberia.club [goatcounterservers] elliot.cyberia.club +[gancioservers] +calendar.layerze.ro + [gitservers] paimon.cyberia.club -- 2.40.1 From f7820de0e2f1f7faab5eb136c883c1d9c598c57f Mon Sep 17 00:00:00 2001 From: zico Date: Wed, 15 Jun 2022 06:40:56 +0000 Subject: [PATCH 13/14] typo --- ansible/group_vars/gancioservers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/group_vars/gancioservers b/ansible/group_vars/gancioservers index 60b29fb..859e0d9 100644 --- a/ansible/group_vars/gancioservers +++ b/ansible/group_vars/gancioservers @@ -1,3 +1,3 @@ --- tls_certs: - - calendar.layerze,ro \ No newline at end of file + - calendar.layerze.ro \ No newline at end of file -- 2.40.1 From 95541f2c755558e9861977a4be1d6196567fa400 Mon Sep 17 00:00:00 2001 From: zico Date: Wed, 15 Jun 2022 18:13:58 +0000 Subject: [PATCH 14/14] small tweak to gancio tasks --- ansible/roles/gancio/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/gancio/tasks/main.yml b/ansible/roles/gancio/tasks/main.yml index e6cebec..d4262d6 100644 --- a/ansible/roles/gancio/tasks/main.yml +++ b/ansible/roles/gancio/tasks/main.yml @@ -48,7 +48,7 @@ - name: Install gancio community.general.yarn: global: yes - repository: 'https://git.cyberia.club/zico/gancio-patched/raw/branch/main/gancio-v1.4.4.tgz' + repository: 'https://git.cyberia.club/zico/gancio-patched/raw/branch/main/gancio-patched-latest.tgz' # Download and install gancio service file - name: copy gancio service file -- 2.40.1
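Review bot: Switching the yarn install from `gancio-v1.4.4.tgz` to `gancio-patched-latest.tgz` removes the only version pin on the code the gancio service runs — every play run now installs whatever tarball sits at HEAD of the `main` branch of a personal fork, with no checksum, so a push to that repo (or a compromise of that account) silently changes the deployed application and the play is no longer reproducible. Keep a versioned filename and fetch it with `get_url` plus `checksum: sha256:<digest>` to a local path, then point the yarn task at that file, or at least pin the URL to a commit (`raw/commit/<sha>/...`) instead of `raw/branch/main/`. The `Install gancio` task this hunk belongs to begins above the hunk.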