master #1
12 changed files with 158 additions and 265 deletions
29
ansible/files/calendar.layerze.ro/nginx
Normal file
29
ansible/files/calendar.layerze.ro/nginx
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name calendar.layerze.ro;
|
||||||
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
|
location / {
|
||||||
|
return 301 https://calendar.layerze.ro/;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
server_name calendar.layerze.ro;
|
||||||
|
include /etc/nginx/snippets/ssl.conf;
|
||||||
|
ssl_certificate /etc/ssl/uacme/calendar.layerze.ro/cert.pem;
|
||||||
|
ssl_certificate_key /etc/ssl/uacme/private/calendar.layerze.ro/key.pem;
|
||||||
|
|
||||||
|
keepalive_timeout 70;
|
||||||
|
sendfile on;
|
||||||
|
client_max_body_size 80m;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri @proxy;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @proxy {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_pass http://127.0.0.1:13120;
|
||||||
|
}
|
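Review bot: `try_files $uri @proxy;` in the HTTPS `location /` is evaluated against nginx's default document root, because no `root` is set anywhere in this server block, so any file that happens to exist there is served before the request ever reaches gancio; either drop `try_files` and `proxy_pass` directly, or set `root` to the one directory of static files you intend to expose. The proxied request carries only `Host`, so the backend sees every client as 127.0.0.1 and cannot tell the connection was TLS; add the forwarded headers shown below. Smaller points: the port-80 server binds IPv4 only while 443 also binds `[::]`, so IPv6 clients get no redirect, and `return 301 https://calendar.layerze.ro/;` discards the original path (`$request_uri`). HSTS and cipher settings are presumably in the included `ssl.conf` snippet, which is outside this diff; the section also declares 29 additions but renders 28 lines, so the closing brace of the second server block appears cut off in this view.
```nginx
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:13120;
}
```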
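--- /dev/null
+++ b/ansible/group_vars/gancioservers
@@ -0,0 +1,3 @@
+---
+tls_certs:
+- calendar.layerze.ro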
|
@ -13,6 +13,9 @@ legion.cyberia.club
|
||||||
[goatcounterservers]
|
[goatcounterservers]
|
||||||
elliot.cyberia.club
|
elliot.cyberia.club
|
||||||
|
|
||||||
|
[gancioservers]
|
||||||
|
calendar.layerze.ro
|
||||||
|
|
||||||
[gitservers]
|
[gitservers]
|
||||||
paimon.cyberia.club
|
paimon.cyberia.club
|
||||||
|
|
||||||
|
|
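--- /dev/null
+++ b/ansible/roles/gancio/files/gancio-backup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# script to back up postgres and gancio
+
+sudo -u postgres pg_dump -Fc gancio > gancio.dump
+
+tar -czf gancio-$(date +%Y-%m-%d-%H%M%S)-backup.tgz $(ls -d config.json uploads user_locale db.sqlite gancio.dump postgres data db logs 2> /dev/null)
+mv gancio-*-backup.tgz backups/
+cd backups/
+ls -tp | grep -v '/$' | tail -n +15 | xargs -I {} rm -- {}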
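Review bot: The script has no `set -e`/`pipefail`, so when `pg_dump` fails (postgres down, role missing) the empty `gancio.dump` is still tarred, moved into `backups/`, and the rotation on the last line goes on deleting the oldest good archive — a failed backup silently displaces a good one; add `set -euo pipefail` after the shebang. The dump and the archive are created under root's default umask and `gancio.dump` is left behind in `/opt/gancio` (the service user's home) after the tar, so the full database contents are readable by the gancio account and any other local user; add `umask 077` at the top and `rm -f gancio.dump` after the tar. The `$(ls -d …)` list is word-split, which only works because none of those fixed names contain whitespace. Note these archives never leave the host; the offsite postgres-backup pipeline removed elsewhere in this commit did not cover gancio either, so nothing here survives loss of the server.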
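--- /dev/null
+++ b/ansible/roles/gancio/files/gancio.initd
@@ -0,0 +1,17 @@
+#!/sbin/openrc-run
+
+name="gancio daemon"
+command="/usr/local/bin/$SVCNAME"
+command_user="gancio"
+pidfile="/var/run/$SVCNAME"
+command_background="yes"
+directory="/opt/gancio"
+
+depend() {
+need localmount
+use logger
+}
+
+stop() {
+kill -9 `cat $pidfile`
+}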
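Review bot: The custom `stop()` sends SIGKILL to whatever PID is in `/var/run/gancio`, so gancio never gets to shut down cleanly, and if the pidfile is stale the signal lands on an unrelated process that has since reused that PID. With `command_background` and `pidfile` both set, OpenRC's default stop already sends SIGTERM through start-stop-daemon and waits for the process, so the override can simply be deleted; if a custom stop is really wanted it should be `kill -TERM "$(cat "$pidfile")"` with quoting. Because `command_background="yes"` detaches the daemon, nothing captures its stdout/stderr and a crash leaves no trace — consider `output_log`/`error_log` pointing at a file the gancio user can write. Running as `command_user="gancio"` from `/opt/gancio` is the right shape.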
88
ansible/roles/gancio/tasks/main.yml
Normal file
88
ansible/roles/gancio/tasks/main.yml
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
# install tools first
|
||||||
|
- name: Install dependencies
|
||||||
|
community.general.apk:
|
||||||
|
update_cache: yes
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- build-base
|
||||||
|
- postgresql
|
||||||
|
- postgresql-bdr-dev
|
||||||
|
- nodejs
|
||||||
|
- yarn
|
||||||
|
- git
|
||||||
|
|
||||||
|
# Create database and user
|
||||||
|
- name: start postgres
|
||||||
|
service:
|
||||||
|
name: postgresql
|
||||||
|
enabled: yes
|
||||||
|
started: yes
|
||||||
|
|
||||||
|
- name: Create gancio database
|
||||||
|
community.postgresql.postgresql_db:
|
||||||
|
name: gancio
|
||||||
|
|
||||||
|
- name: Create postgres gancio user
|
||||||
|
community.postgresql.postgresql_user:
|
||||||
|
db: gancio
|
||||||
|
name: gancio
|
||||||
|
password: TBD
|
||||||
|
|
||||||
|
- name: Grant all privs to ganio on db gancio
|
||||||
|
community.postgresql.postgresql_privs:
|
||||||
|
db: gancio
|
||||||
|
privs: ALL
|
||||||
|
type: database
|
||||||
|
role: gancio
|
||||||
|
|
||||||
|
# Add gancio user to system
|
||||||
|
- name: Add gancio unix user
|
||||||
|
user:
|
||||||
|
name: gancio
|
||||||
|
system: yes
|
||||||
|
shell: /bin/false
|
||||||
|
home: /opt/gancio
|
||||||
|
|
||||||
|
# Install gancio with yarn
|
||||||
|
- name: Install gancio
|
||||||
|
community.general.yarn:
|
||||||
|
global: yes
|
||||||
|
repository: 'https://git.cyberia.club/zico/gancio-patched/raw/branch/main/gancio-patched-latest.tgz'
|
||||||
|
|
||||||
|
# Download and install gancio service file
|
||||||
|
- name: copy gancio service file
|
||||||
|
copy:
|
||||||
|
src: "files/gancio.initd"
|
||||||
|
dest: "/etc/initd/gancio"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
# Enable and start gancio service
|
||||||
|
- name: Start and enable gancio service
|
||||||
|
service:
|
||||||
|
name: gancio
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
|
||||||
|
# Copy backup script and enable
|
||||||
|
- name: copy over backup script
|
||||||
|
copy:
|
||||||
|
src: "files/gancio-backup.sh"
|
||||||
|
dest: "/usr/local/bin/gancio-backup.sh"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: make backups directory
|
||||||
|
file:
|
||||||
|
path: /opt/gancio/backups
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Set up cron job for gancio-backup
|
||||||
|
cron:
|
||||||
|
name: "gancio backup script"
|
||||||
|
minute: 27
|
||||||
|
hour: */12
|
||||||
|
job: "cd /opt/gancio && /usr/local/bin/gancio-backup.sh"
|
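Review bot: `password: TBD` commits a literal placeholder as the gancio database role's password in a public ops handbook; it should be a vault-encrypted variable (`password: "{{ gancio_db_password }}"`), and nothing in this role hands that password to gancio's own config, so the app side presumably still needs templating. Two tasks cannot run as written: the `service` module has no `started:` parameter (it should be `state: started`), and the init script is copied to `/etc/initd/gancio` rather than OpenRC's `/etc/init.d/`, so the following `service: name: gancio` task will not find it. The yarn step installs `gancio-patched-latest.tgz` globally as root from a personal repository — an unpinned, mutable artifact with no checksum, so every run may execute different code; pin a versioned tarball, and double-check that `repository:` is actually an accepted parameter of `community.general.yarn`, which I do not believe it is. The backups directory is created with default ownership and mode, making the database dumps readable by every local account; give it `mode: '0700'` (and quote `mode: 0755` like the task above it for consistency).
```yaml
- name: start postgres
  service:
    name: postgresql
    enabled: true
    state: started

# … unchanged: Create gancio database …

- name: Create postgres gancio user
  community.postgresql.postgresql_user:
    db: gancio
    name: gancio
    password: "{{ gancio_db_password }}"   # vault-encrypted, never a literal

# … unchanged: privs, unix user, yarn install …

- name: copy gancio service file
  copy:
    src: "files/gancio.initd"
    dest: "/etc/init.d/gancio"
    owner: root
    group: root
    mode: '0755'

# … unchanged: enable service, backup script …

- name: make backups directory
  file:
    path: /opt/gancio/backups
    state: directory
    owner: root
    group: root
    mode: '0700'
```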
|
@ -80,6 +80,13 @@
|
||||||
- role: owncast
|
- role: owncast
|
||||||
tags: owncast
|
tags: owncast
|
||||||
|
|
||||||
|
- name: setup gancioservers
|
||||||
|
hosts: gancioservers
|
||||||
|
become: true
|
||||||
|
roles:
|
||||||
|
- role: gancio
|
||||||
|
tags: gancio
|
||||||
|
|
||||||
- name: alpine save all iptables rules
|
- name: alpine save all iptables rules
|
||||||
hosts: os_Alpine
|
hosts: os_Alpine
|
||||||
become: true
|
become: true
|
||||||
|
|
|
@ -1,52 +0,0 @@
|
||||||
# to update the pipeline, run:
|
|
||||||
# fly -t cyberia set-pipeline -c capsul-archlinux.yml -p capsul-archlinux
|
|
||||||
# see https://man.cyberia.club/services/concourse-ci.md
|
|
||||||
resources:
|
|
||||||
- name: capsul-images
|
|
||||||
source:
|
|
||||||
uri: https://git.sr.ht/~j3s/capsul-images
|
|
||||||
type: git
|
|
||||||
- name: time-interval-24h
|
|
||||||
source:
|
|
||||||
interval: 24h
|
|
||||||
type: time
|
|
||||||
jobs:
|
|
||||||
- name: capsul-archlinux
|
|
||||||
plan:
|
|
||||||
- get: time-interval-24h
|
|
||||||
trigger: true
|
|
||||||
- get: capsul-images
|
|
||||||
- config:
|
|
||||||
image_resource:
|
|
||||||
name: ""
|
|
||||||
source:
|
|
||||||
repository: archlinux
|
|
||||||
tag: latest
|
|
||||||
type: docker-image
|
|
||||||
inputs:
|
|
||||||
- name: capsul-images
|
|
||||||
platform: linux
|
|
||||||
run:
|
|
||||||
args:
|
|
||||||
- -c
|
|
||||||
- |
|
|
||||||
# see https://bugs.archlinux.org/task/69563
|
|
||||||
printf "patching glibc...\n"
|
|
||||||
patched_glibc=glibc-linux4-2.33-4-x86_64.pkg.tar.zst
|
|
||||||
curl -LO "https://repo.archlinuxcn.org/x86_64/$patched_glibc" > /dev/null
|
|
||||||
bsdtar -C / -xvf "$patched_glibc" > /dev/null
|
|
||||||
|
|
||||||
printf "updating repos...\n"
|
|
||||||
pacman -Sy --noconfirm > /dev/null
|
|
||||||
|
|
||||||
printf "installing deps...\n"
|
|
||||||
pacman -S --noconfirm arch-install-scripts qemu-headless procps-ng reflector syslinux pacman-contrib > /dev/null
|
|
||||||
|
|
||||||
printf "building image...\n"
|
|
||||||
# build the image
|
|
||||||
cd capsul-images/archlinux
|
|
||||||
./build
|
|
||||||
path: sh
|
|
||||||
task: build-image
|
|
||||||
public: true
|
|
||||||
|
|
|
@ -1,66 +0,0 @@
|
||||||
# to update the pipeline, run:
|
|
||||||
# fly -t cyberia set-pipeline -c capsul-guixsystem.yml -p capsul-guixsystem
|
|
||||||
# to run the pipeline, run:
|
|
||||||
# fly -t cyberia trigger-job -j capsul-guixsystem/capsul-guixsystem
|
|
||||||
# then you should see it in the web UI here: https://concourse.cyberia.club/teams/main/pipelines/capsul-guixsystem/jobs/capsul-guix-system/builds/
|
|
||||||
# to get a shell inside the pipeline while its running:
|
|
||||||
# fly -t cyberia hijack --job capsul-guixsystem/capsul-guixsystem --build 2 --step image sh
|
|
||||||
# see https://man.cyberia.club/services/concourse-ci.md
|
|
||||||
resources:
|
|
||||||
- name: time-interval-24h
|
|
||||||
type: time
|
|
||||||
source:
|
|
||||||
interval: 24h
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
- name: capsul-guixsystem
|
|
||||||
plan:
|
|
||||||
- get: time-interval-24h
|
|
||||||
trigger: true
|
|
||||||
- task: capsul-guixsystem-task
|
|
||||||
config:
|
|
||||||
image_resource:
|
|
||||||
name: ""
|
|
||||||
source:
|
|
||||||
repository: alpine
|
|
||||||
tag: '3.14.0'
|
|
||||||
type: docker-image
|
|
||||||
platform: linux
|
|
||||||
run:
|
|
||||||
path: sh
|
|
||||||
args:
|
|
||||||
- '-c'
|
|
||||||
- |
|
|
||||||
echo "installing required build deps"
|
|
||||||
apk add packer qemu-img qemu-system-x86_64 rsync git
|
|
||||||
|
|
||||||
# produced qemu files are sent TO baikal.cyberia.club (the server which hosts capsul)
|
|
||||||
#
|
|
||||||
# space separated
|
|
||||||
servers="192.168.1.246"
|
|
||||||
|
|
||||||
# the following ssh host public keys were obtained with this command:
|
|
||||||
# cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo <servername>.cyberia.club) \""'$1" "$2'" }"
|
|
||||||
mkdir .ssh
|
|
||||||
echo '
|
|
||||||
baikal.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFqtdN4dBInWhmp3oXEkjrMvA/yfI3Lb7tVIK6L7YFi
|
|
||||||
' >> .ssh/known_hosts
|
|
||||||
|
|
||||||
# the double parenthesis is concourse syntax for interpolating in a secret.
|
|
||||||
# See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault
|
|
||||||
#
|
|
||||||
# the deploy user has accounts on all capsul systems, and only has privs
|
|
||||||
# to write images.
|
|
||||||
|
|
||||||
echo '((deploy_user_ssh_private_key))' > .ssh/id_ed25519
|
|
||||||
|
|
||||||
# openssh will complain if we don't make the ownership of the private key file exclusive
|
|
||||||
chmod 400 .ssh/id_ed25519
|
|
||||||
|
|
||||||
# build the vm with packer
|
|
||||||
git clone https://git.cyberia.club/services/capsul-images
|
|
||||||
cd capsul-images/guixsystem
|
|
||||||
./build 1.3.0
|
|
||||||
|
|
||||||
|
|
||||||
public: true
|
|
|
@ -1,61 +0,0 @@
|
||||||
# to update the pipeline, run:
|
|
||||||
# fly -t cyberia set-pipeline -c capsul-openbsd.yml -p capsul-openbsd
|
|
||||||
# see https://man.cyberia.club/services/concourse-ci.md
|
|
||||||
resources:
|
|
||||||
- name: time-interval-24h
|
|
||||||
type: time
|
|
||||||
source:
|
|
||||||
interval: 24h
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
- name: capsul-openbsd
|
|
||||||
plan:
|
|
||||||
- get: time-interval-24h
|
|
||||||
trigger: true
|
|
||||||
- task: capsul-openbsd-task
|
|
||||||
config:
|
|
||||||
image_resource:
|
|
||||||
name: ""
|
|
||||||
source:
|
|
||||||
repository: alpine
|
|
||||||
tag: '3.14.0'
|
|
||||||
type: docker-image
|
|
||||||
platform: linux
|
|
||||||
run:
|
|
||||||
path: sh
|
|
||||||
args:
|
|
||||||
- '-c'
|
|
||||||
- |
|
|
||||||
echo "installing required build deps"
|
|
||||||
apk add packer qemu-img qemu-system-x86_64 rsync git
|
|
||||||
|
|
||||||
# produced qemu files are sent TO baikal.cyberia.club (the server which hosts capsul)
|
|
||||||
#
|
|
||||||
# space separated
|
|
||||||
servers="192.168.1.246"
|
|
||||||
|
|
||||||
# the following ssh host public keys were obtained with this command:
|
|
||||||
# cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo <servername>.cyberia.club) \""'$1" "$2'" }"
|
|
||||||
mkdir .ssh
|
|
||||||
echo '
|
|
||||||
baikal.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFqtdN4dBInWhmp3oXEkjrMvA/yfI3Lb7tVIK6L7YFi
|
|
||||||
' >> .ssh/known_hosts
|
|
||||||
|
|
||||||
# the double parenthesis is concourse syntax for interpolating in a secret.
|
|
||||||
# See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault
|
|
||||||
#
|
|
||||||
# the deploy user has accounts on all capsul systems, and only has privs
|
|
||||||
# to write images.
|
|
||||||
# echo 'deploy_ssh_private_key' > .ssh/id_ed25519
|
|
||||||
echo 'testcrap' > .ssh/id_ed25519
|
|
||||||
|
|
||||||
# openssh will complain if we don't make the ownership of the private key file exclusive
|
|
||||||
chmod 400 .ssh/id_ed25519
|
|
||||||
|
|
||||||
# build the vm with packer
|
|
||||||
git clone https://git.cyberia.club/services/capsul-images
|
|
||||||
cd capsul-images/openbsd
|
|
||||||
./build 6.9
|
|
||||||
|
|
||||||
|
|
||||||
public: true
|
|
|
@ -1,84 +0,0 @@
|
||||||
# to update the pipeline, run:
|
|
||||||
# fly -t cyberia sp -c ~/Desktop/git/cyberia-ops-handbook/concourse-pipelines/postgres-backup.yml -p postgres-backup
|
|
||||||
# (see https://man.cyberia.club/services/concourse-ci.md)
|
|
||||||
resources:
|
|
||||||
- name: time-interval-24h
|
|
||||||
type: time
|
|
||||||
source:
|
|
||||||
interval: 24h
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
- name: postgres-backup
|
|
||||||
plan:
|
|
||||||
- get: time-interval-24h
|
|
||||||
trigger: true
|
|
||||||
- task: postgres-backup-task
|
|
||||||
config:
|
|
||||||
image_resource:
|
|
||||||
name: ""
|
|
||||||
source:
|
|
||||||
repository: alpine
|
|
||||||
tag: '3.13.5'
|
|
||||||
type: docker-image
|
|
||||||
platform: linux
|
|
||||||
run:
|
|
||||||
path: sh
|
|
||||||
args:
|
|
||||||
- '-c'
|
|
||||||
- |
|
|
||||||
|
|
||||||
# alpine image does not come with ssh client by default :\
|
|
||||||
|
|
||||||
echo "installing openssh-client..."
|
|
||||||
apk add -q openssh-client 2>&1 > apk-log
|
|
||||||
|
|
||||||
# https://en.wikibooks.org/wiki/Bourne_Shell_Scripting/Appendix_C:_Quick_Reference#IF_statement
|
|
||||||
if [ "$?" = "1" ]
|
|
||||||
then
|
|
||||||
echo 'failed to install openssh-client:'
|
|
||||||
cat apk-log
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo '.'
|
|
||||||
echo '.'
|
|
||||||
echo '.'
|
|
||||||
|
|
||||||
# backups are sent FROM the postgres dbs on the following servers
|
|
||||||
servers='matrix.cyberia.club legion.cyberia.club rosewater.cyberia.club'
|
|
||||||
|
|
||||||
# backups are sent TO magnataur.cyberia.club (the server which hosts jitsi and btcpay server)
|
|
||||||
magnataur_lan_ip="192.168.1.246"
|
|
||||||
|
|
||||||
# the following ssh host public keys were obtained with this command:
|
|
||||||
# cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo <servername>.cyberia.club) \""'$1" "$2'" }"
|
|
||||||
echo '
|
|
||||||
rosewater.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkQzQcJUMl0Yb0MPgvkIFa5vVEuhyg2F+DCn8BWr/FN
|
|
||||||
matrix.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFA3Z/hLRYNysAA06x6DFOC8Bm1V6qdGKuJMbpedPO/r
|
|
||||||
legion.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjP99CUIMvER+D/OFkaJtxx1bjcv2Xz+dX6Q8O0wxqv
|
|
||||||
magnataur.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPPrQcmbXOLUDhSISU6PJxdhTTZYQv+tgAO9iLNWvMI
|
|
||||||
'"$magnataur_lan_ip"' ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPPrQcmbXOLUDhSISU6PJxdhTTZYQv+tgAO9iLNWvMI
|
|
||||||
' > /tmp/known_hosts
|
|
||||||
|
|
||||||
# the double parenthesis is concourse syntax for interpolating in a secret.
|
|
||||||
# See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault
|
|
||||||
echo '((backups_ssh_private_key))' > /tmp/backups_ssh_private_key
|
|
||||||
|
|
||||||
# openssh will complain if we don't make the ownership of the private key file exclusive
|
|
||||||
chmod 700 /tmp/backups_ssh_private_key
|
|
||||||
|
|
||||||
# https://en.wikibooks.org/wiki/Bourne_Shell_Scripting/Appendix_C:_Quick_Reference#Loop_statements
|
|
||||||
for server in $servers
|
|
||||||
do
|
|
||||||
|
|
||||||
echo "backing up /var/lib/postgresql/pgbackup.gz from $server..."
|
|
||||||
scp -3 -i /tmp/backups_ssh_private_key -o UserKnownHostsFile=/tmp/known_hosts -o HostKeyAlgorithms=ssh-ed25519 \
|
|
||||||
"backups@$server:/var/lib/postgresql/pgbackup.gz" \
|
|
||||||
"backups@$magnataur_lan_ip:/tank/backups/postgres/$server-pgbackup.gz"
|
|
||||||
|
|
||||||
echo "writing postgresql_offsite_backup_last_run_seconds metric for $server..."
|
|
||||||
ssh -i /tmp/backups_ssh_private_key -o UserKnownHostsFile=/tmp/known_hosts -o HostKeyAlgorithms=ssh-ed25519 \
|
|
||||||
"backups@$server" prom-collect postgresql_offsite_backup_last_run_seconds $(date +%s)
|
|
||||||
|
|
||||||
done
|
|
||||||
|
|
||||||
public: true
|
|
|
@ -1,4 +1,4 @@
|
||||||
```
|
```
|
||||||
ssh m1.nullhex.com -l cyberian
|
ssh domechild.cyberia.club
|
||||||
mknullhex example@nullhex.com
|
sudo mkaddr example@nullhex.com
|
||||||
```
|
```
|
||||||
|
|