zico/ops-handbook
1
0
Fork 0
forked from cyberia/ops-handbook
Code Issues Pull requests Projects Releases Wiki Activity

master #1

Merged
zico merged 19 commits from cyberia/ops-handbook:master into master 2022-06-15 20:59:07 +00:00
Conversation 0 Commits 19 Files changed 12 +158 -265
12 changed files with 158 additions and 265 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
ansible/files/calendar.layerze.ro/nginx Normal file
View file

@ -0,0 +1,29 @@
server {
listen 80;
server_name calendar.layerze.ro;
include /etc/nginx/snippets/letsencrypt.conf;
location / {
return 301 https://calendar.layerze.ro/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name calendar.layerze.ro;
include /etc/nginx/snippets/ssl.conf;
ssl_certificate /etc/ssl/uacme/calendar.layerze.ro/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/calendar.layerze.ro/key.pem;
keepalive_timeout 70;
sendfile on;
client_max_body_size 80m;
location / {
try_files $uri @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:13120;
}

3
ansible/group_vars/gancioservers Normal file
View file

@ -0,0 +1,3 @@
---
tls_certs:
- calendar.layerze.ro

3
ansible/hosts
View file

@ -13,6 +13,9 @@ legion.cyberia.club
[goatcounterservers] [goatcounterservers]
elliot.cyberia.club elliot.cyberia.club
[gancioservers]
calendar.layerze.ro
[gitservers] [gitservers]
paimon.cyberia.club paimon.cyberia.club

9
ansible/roles/gancio/files/gancio-backup.sh Normal file
View file

@ -0,0 +1,9 @@
#!/bin/bash
# script to back up postgres and gancio
sudo -u postgres pg_dump -Fc gancio > gancio.dump
tar -czf gancio-$(date +%Y-%m-%d-%H%M%S)-backup.tgz $(ls -d config.json uploads user_locale db.sqlite gancio.dump postgres data db logs 2> /dev/null)
mv gancio-*-backup.tgz backups/
cd backups/
ls -tp | grep -v '/$' | tail -n +15 | xargs -I {} rm -- {}

17
ansible/roles/gancio/files/gancio.initd Normal file
View file

@ -0,0 +1,17 @@
#!/sbin/openrc-run
name="gancio daemon"
command="/usr/local/bin/$SVCNAME"
command_user="gancio"
pidfile="/var/run/$SVCNAME"
command_background="yes"
directory="/opt/gancio"
depend() {
need localmount
use logger
}
stop() {
kill -9 `cat $pidfile`
}

88
ansible/roles/gancio/tasks/main.yml Normal file
View file

@ -0,0 +1,88 @@
# install tools first
- name: Install dependencies
community.general.apk:
update_cache: yes
name: "{{ item }}"
state: present
with_items:
- build-base
- postgresql
- postgresql-bdr-dev
- nodejs
- yarn
- git
# Create database and user
- name: start postgres
service:
name: postgresql
enabled: yes
started: yes
- name: Create gancio database
community.postgresql.postgresql_db:
name: gancio
- name: Create postgres gancio user
community.postgresql.postgresql_user:
db: gancio
name: gancio
password: TBD
- name: Grant all privs to ganio on db gancio
community.postgresql.postgresql_privs:
db: gancio
privs: ALL
type: database
role: gancio
# Add gancio user to system
- name: Add gancio unix user
user:
name: gancio
system: yes
shell: /bin/false
home: /opt/gancio
# Install gancio with yarn
- name: Install gancio
community.general.yarn:
global: yes
repository: 'https://git.cyberia.club/zico/gancio-patched/raw/branch/main/gancio-patched-latest.tgz'
# Download and install gancio service file
- name: copy gancio service file
copy:
src: "files/gancio.initd"
dest: "/etc/initd/gancio"
owner: root
group: root
mode: '0755'
# Enable and start gancio service
- name: Start and enable gancio service
service:
name: gancio
enabled: yes
state: started
# Copy backup script and enable
- name: copy over backup script
copy:
src: "files/gancio-backup.sh"
dest: "/usr/local/bin/gancio-backup.sh"
owner: root
group: root
mode: 0755
- name: make backups directory
file:
path: /opt/gancio/backups
state: directory
- name: Set up cron job for gancio-backup
cron:
name: "gancio backup script"
minute: 27
hour: */12
job: "cd /opt/gancio && /usr/local/bin/gancio-backup.sh"

7
ansible/site.yml
View file

@ -80,6 +80,13 @@
- role: owncast - role: owncast
tags: owncast tags: owncast
- name: setup gancioservers
hosts: gancioservers
become: true
roles:
- role: gancio
tags: gancio
- name: alpine save all iptables rules - name: alpine save all iptables rules
hosts: os_Alpine hosts: os_Alpine
become: true become: true

52
concourse-pipelines/capsul-archlinux.yml
View file

@ -1,52 +0,0 @@
# to update the pipeline, run:
# fly -t cyberia set-pipeline -c capsul-archlinux.yml -p capsul-archlinux
# see https://man.cyberia.club/services/concourse-ci.md
resources:
- name: capsul-images
source:
uri: https://git.sr.ht/~j3s/capsul-images
type: git
- name: time-interval-24h
source:
interval: 24h
type: time
jobs:
- name: capsul-archlinux
plan:
- get: time-interval-24h
trigger: true
- get: capsul-images
- config:
image_resource:
name: ""
source:
repository: archlinux
tag: latest
type: docker-image
inputs:
- name: capsul-images
platform: linux
run:
args:
- -c
- |
# see https://bugs.archlinux.org/task/69563
printf "patching glibc...\n"
patched_glibc=glibc-linux4-2.33-4-x86_64.pkg.tar.zst
curl -LO "https://repo.archlinuxcn.org/x86_64/$patched_glibc" > /dev/null
bsdtar -C / -xvf "$patched_glibc" > /dev/null
printf "updating repos...\n"
pacman -Sy --noconfirm > /dev/null
printf "installing deps...\n"
pacman -S --noconfirm arch-install-scripts qemu-headless procps-ng reflector syslinux pacman-contrib > /dev/null
printf "building image...\n"
# build the image
cd capsul-images/archlinux
./build
path: sh
task: build-image
public: true

66
concourse-pipelines/capsul-guixsystem.yml
View file

@ -1,66 +0,0 @@
# to update the pipeline, run:
# fly -t cyberia set-pipeline -c capsul-guixsystem.yml -p capsul-guixsystem
# to run the pipeline, run:
# fly -t cyberia trigger-job -j capsul-guixsystem/capsul-guixsystem
# then you should see it in the web UI here: https://concourse.cyberia.club/teams/main/pipelines/capsul-guixsystem/jobs/capsul-guix-system/builds/
# to get a shell inside the pipeline while its running:
# fly -t cyberia hijack --job capsul-guixsystem/capsul-guixsystem --build 2 --step image sh
# see https://man.cyberia.club/services/concourse-ci.md
resources:
- name: time-interval-24h
type: time
source:
interval: 24h
jobs:
- name: capsul-guixsystem
plan:
- get: time-interval-24h
trigger: true
- task: capsul-guixsystem-task
config:
image_resource:
name: ""
source:
repository: alpine
tag: '3.14.0'
type: docker-image
platform: linux
run:
path: sh
args:
- '-c'
- |
echo "installing required build deps"
apk add packer qemu-img qemu-system-x86_64 rsync git
# produced qemu files are sent TO baikal.cyberia.club (the server which hosts capsul)
#
# space separated
servers="192.168.1.246"
# the following ssh host public keys were obtained with this command:
# cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo <servername>.cyberia.club) \""'$1" "$2'" }"
mkdir .ssh
echo '
baikal.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFqtdN4dBInWhmp3oXEkjrMvA/yfI3Lb7tVIK6L7YFi
' >> .ssh/known_hosts
# the double parenthesis is concourse syntax for interpolating in a secret.
# See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault
#
# the deploy user has accounts on all capsul systems, and only has privs
# to write images.
echo '((deploy_user_ssh_private_key))' > .ssh/id_ed25519
# openssh will complain if we don't make the ownership of the private key file exclusive
chmod 400 .ssh/id_ed25519
# build the vm with packer
git clone https://git.cyberia.club/services/capsul-images
cd capsul-images/guixsystem
./build 1.3.0
public: true

61
concourse-pipelines/capsul-openbsd.yml
View file

@ -1,61 +0,0 @@
# to update the pipeline, run:
# fly -t cyberia set-pipeline -c capsul-openbsd.yml -p capsul-openbsd
# see https://man.cyberia.club/services/concourse-ci.md
resources:
- name: time-interval-24h
type: time
source:
interval: 24h
jobs:
- name: capsul-openbsd
plan:
- get: time-interval-24h
trigger: true
- task: capsul-openbsd-task
config:
image_resource:
name: ""
source:
repository: alpine
tag: '3.14.0'
type: docker-image
platform: linux
run:
path: sh
args:
- '-c'
- |
echo "installing required build deps"
apk add packer qemu-img qemu-system-x86_64 rsync git
# produced qemu files are sent TO baikal.cyberia.club (the server which hosts capsul)
#
# space separated
servers="192.168.1.246"
# the following ssh host public keys were obtained with this command:
# cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo <servername>.cyberia.club) \""'$1" "$2'" }"
mkdir .ssh
echo '
baikal.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFqtdN4dBInWhmp3oXEkjrMvA/yfI3Lb7tVIK6L7YFi
' >> .ssh/known_hosts
# the double parenthesis is concourse syntax for interpolating in a secret.
# See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault
#
# the deploy user has accounts on all capsul systems, and only has privs
# to write images.
# echo 'deploy_ssh_private_key' > .ssh/id_ed25519
echo 'testcrap' > .ssh/id_ed25519
# openssh will complain if we don't make the ownership of the private key file exclusive
chmod 400 .ssh/id_ed25519
# build the vm with packer
git clone https://git.cyberia.club/services/capsul-images
cd capsul-images/openbsd
./build 6.9
public: true

84
concourse-pipelines/postgres-backup.yml
View file

@ -1,84 +0,0 @@
# to update the pipeline, run:
# fly -t cyberia sp -c ~/Desktop/git/cyberia-ops-handbook/concourse-pipelines/postgres-backup.yml -p postgres-backup
# (see https://man.cyberia.club/services/concourse-ci.md)
resources:
- name: time-interval-24h
type: time
source:
interval: 24h
jobs:
- name: postgres-backup
plan:
- get: time-interval-24h
trigger: true
- task: postgres-backup-task
config:
image_resource:
name: ""
source:
repository: alpine
tag: '3.13.5'
type: docker-image
platform: linux
run:
path: sh
args:
- '-c'
- |
# alpine image does not come with ssh client by default :\
echo "installing openssh-client..."
apk add -q openssh-client 2>&1 > apk-log
# https://en.wikibooks.org/wiki/Bourne_Shell_Scripting/Appendix_C:_Quick_Reference#IF_statement
if [ "$?" = "1" ]
then
echo 'failed to install openssh-client:'
cat apk-log
fi
echo '.'
echo '.'
echo '.'
# backups are sent FROM the postgres dbs on the following servers
servers='matrix.cyberia.club legion.cyberia.club rosewater.cyberia.club'
# backups are sent TO magnataur.cyberia.club (the server which hosts jitsi and btcpay server)
magnataur_lan_ip="192.168.1.246"
# the following ssh host public keys were obtained with this command:
# cat /etc/ssh/ssh_host_ed25519_key.pub | awk "{ print \"$(echo <servername>.cyberia.club) \""'$1" "$2'" }"
echo '
rosewater.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkQzQcJUMl0Yb0MPgvkIFa5vVEuhyg2F+DCn8BWr/FN
matrix.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFA3Z/hLRYNysAA06x6DFOC8Bm1V6qdGKuJMbpedPO/r
legion.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjP99CUIMvER+D/OFkaJtxx1bjcv2Xz+dX6Q8O0wxqv
magnataur.cyberia.club ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPPrQcmbXOLUDhSISU6PJxdhTTZYQv+tgAO9iLNWvMI
'"$magnataur_lan_ip"' ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPPrQcmbXOLUDhSISU6PJxdhTTZYQv+tgAO9iLNWvMI
' > /tmp/known_hosts
# the double parenthesis is concourse syntax for interpolating in a secret.
# See https://man.cyberia.club/services/concourse-ci.md#secrets-and-vault
echo '((backups_ssh_private_key))' > /tmp/backups_ssh_private_key
# openssh will complain if we don't make the ownership of the private key file exclusive
chmod 700 /tmp/backups_ssh_private_key
# https://en.wikibooks.org/wiki/Bourne_Shell_Scripting/Appendix_C:_Quick_Reference#Loop_statements
for server in $servers
do
echo "backing up /var/lib/postgresql/pgbackup.gz from $server..."
scp -3 -i /tmp/backups_ssh_private_key -o UserKnownHostsFile=/tmp/known_hosts -o HostKeyAlgorithms=ssh-ed25519 \
"backups@$server:/var/lib/postgresql/pgbackup.gz" \
"backups@$magnataur_lan_ip:/tank/backups/postgres/$server-pgbackup.gz"
echo "writing postgresql_offsite_backup_last_run_seconds metric for $server..."
ssh -i /tmp/backups_ssh_private_key -o UserKnownHostsFile=/tmp/known_hosts -o HostKeyAlgorithms=ssh-ed25519 \
"backups@$server" prom-collect postgresql_offsite_backup_last_run_seconds $(date +%s)
done
public: true

4
howto/email-make-user.md
View file

@ -1,4 +1,4 @@
``` ```
ssh m1.nullhex.com -l cyberian ssh domechild.cyberia.club
mknullhex example@nullhex.com sudo mkaddr example@nullhex.com
``` ```