Migrate all proxy resources to their respective service configs, init matrix service config

prox-server-setup.yml

@@ -95,37 +95,6 @@
         path: /etc/nginx/sites-available/
         state: directory
 
-    # Ensure all NGinx site configurations are updated/enabled
-    - name: Ensure all NGinx site configurations are updated
-      template:
-        src: proxy_resources/etc/nginx/sites-available/git.domain
-        dest: "/etc/nginx/sites-available/{{ item }}.{{ domain_name }}"
-      loop:
-        - git
-        - mail
-        - searxng
-        - nextcloud
-        - chat
-        - invidious
-    - name: Ensure all NGinx site configurations are enabled      
-      ansible.builtin.file:
-        src: "/etc/nginx/sites-available/{{ item }}.{{ domain_name }}"
-        dest: "/etc/nginx/sites-enabled/{{ item }}.{{ domain_name }}"
-        state: link
-      loop:
-        - git
-        - mail
-        - searxng
-        - nextcloud
-        - chat
-        - invidious
-
-    - name: Enable NGinx
-      ansible.builtin.systemd:
-        name: nginx
-        enabled: yes
-        state: started
-
     # Experimental NGinx Email Proxy
     #    - name: Ensure Email Proxy Authentication Server is updated
     #      ansible.builtin.template:
@@ -136,10 +105,6 @@
     #  template:
     #    src: proxy_resources/etc/haproxy/haproxy.cfg
     #    dest: "/etc/haproxy/haproxy.cfg"
-    #- name: Enable HAProxy
-    #  ansible.builtin.systemd:
-    #    name: haproxy
-    #    state: started
 
     - name: Reset doas configuration back to default
       become: yes

proxy_resources/etc/nginx/sites-available/mail.domain

@@ -1,15 +0,0 @@
-# {{ ansible_managed }}
-# Frontend proxy to do SSL certificate authentication on backend etc
-
-server {
-	listen 80;
-	listen [::]:80;
-
-	server_name mail.{{ domain_name }};
-
-	location / {
-		proxy_pass http://10.0.0.2;
-		include    proxy_params;
-	}
-
-}

services/service_git/ansible.cfg

@@ -1,5 +1,5 @@
 [defaults]
-inventory = hosts
+inventory = ../../hosts
 
 [privilege_escalation]
 become_method=doas

services/service_invidious/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = ../../hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True

services/service_mail/ansible.cfg

@@ -1,5 +1,5 @@
 [defaults]
-inventory = hosts
+inventory = ../../hosts
 
 [privilege_escalation]
 become_method=doas

services/service_mail/ansible_resources/hosts

@@ -1,6 +0,0 @@
-# {{ ansible_managed }}
-
-all:
-  hosts:
-    {{ proxy_server_hostname }}:
-    {{ proxy_server_hostname }}-defaultport:

services/service_mail/ansible_resources/prox-deploy-service.yml

@@ -1,41 +0,0 @@
-# Ansible managed
-
-- hosts: {{ proxy_server_hostname }}
-  become: 'yes'
-  vars:
-    ansible_become_method: doas
-  tasks:
-    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
-      replace:
-        path: /etc/doas.conf
-        regexp: 'persist'
-        replace: 'nopass'
-
-    - name: Copy haproxy reverse proxy configuration to proxy 
-      ansible.builtin.template:
-        src: "proxy_resources/etc/haproxy/haproxy.cfg"
-        dest: "/etc/haproxy/haproxy.cfg"
-        owner: cspark-dev
-        group: cspark-dev
-    - name: Enable HAProxy
-      ansible.builtin.systemd:
-        name: haproxy
-        state: started
-
-    - name: Fetch SSL certificates
-      become: yes
-      synchronize:
-        src: /etc/letsencrypt/
-        dest: "data/certbot/certs"
-        mode: pull
-        rsync_path: doas rsync
-
-    - name: Switch back to doas persist 
-      replace:
-        path: /etc/doas.conf
-        regexp: 'nopass'
-        replace: 'persist'
-
-    - name: Debug Finish message
-      debug:
-        msg: Ansible playbook has finished!

services/service_mail/prox-server-ansible-playbooks-generate.yml

@@ -1,13 +0,0 @@
-- hosts: localhost
-  tasks:
-    - name: Generate proxy server playbooks
-      template:
-        src: "ansible_resources/{{ item }}"
-        dest: "{{ item }}"
-        mode: '0777'
-      loop:
-        - hosts
-        - prox-deploy-service.yml
-    - name: Debug Finish message
-      debug:
-        msg: Ansible playbook has finished!

services/service_matrix/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True

services/service_matrix/deploy-service.yml

@@ -0,0 +1,25 @@
+- hosts: localhost
+  become: 'yes'
+  vars:
+    ansible_become_method: doas
+  tasks:
+    - name: Create necessary directories
+      ansible.builtin.file:
+        path: "{{ item }}" 
+        owner: service_git
+        group: service_git
+        state: directory
+      loop:
+        - "{{ services_directory }}/service_git/postgres-data"
+    - name: Copy docker compose config and other git files
+      ansible.builtin.template:
+        src: "{{ item }}" 
+        dest: "{{ services_directory }}/service_git/{{ item }}"
+        owner: service_git
+        group: service_git
+      loop:
+        - docker-compose.yml 
+
+    - name: Debug Finish message
+      debug:
+        msg: Ansible playbook has finished!

services/service_matrix/docker-compose.yml

@@ -0,0 +1,79 @@
+version: "3"
+services:
+
+  # Gluetun is used to connect container to VPN
+  forgejo-gluetun:
+    image: qmcgaw/gluetun
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - VPN_SERVICE_PROVIDER=custom
+      - VPN_TYPE=wireguard
+      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
+      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
+      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
+      - WIREGUARD_PRIVATE_KEY={{ git_service_privkey }}
+      - WIREGUARD_ADDRESSES=10.0.0.3/32
+      - FIREWALL_VPN_INPUT_PORTS=3000,22,222,5432
+    ports:
+      - "3000:3000"
+      - "222:22"
+    networks:
+      forgejo:
+    deploy:
+      limits:
+        cpus: '0.10'
+        memory: 512M
+
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:1.21
+    network_mode: "service:forgejo-gluetun"
+    environment:
+      # Service git UID and GID
+      - USER_UID=1006
+      - USER_GID=1007
+
+      - FORGEJO__database__DB_TYPE=postgres
+      - FORGEJO__database__HOST=11.1.0.22:5432
+      - FORGEJO__database__NAME=forgejo
+      - FORGEJO__database__USER=forgejo
+      - FORGEJO__database__PASSWD={{ service_git_postgres_pass }}
+    restart: always
+    volumes:
+      - ./forgejo-data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    deploy:
+      limits:
+        cpus: '0.25'
+        memory: 512M
+    depends_on:
+      - forgejo-db
+
+  forgejo-db:
+    image: postgres:16-alpine
+    restart: always
+    environment:
+      - POSTGRES_DB=forgejo
+      - POSTGRES_USER=forgejo
+      - POSTGRES_PASSWORD={{ service_git_postgres_pass }}
+    volumes:
+      - ./postgres-data:/var/lib/postgresql/data
+    networks:
+      forgejo:
+        ipv4_address: 11.1.0.22
+    deploy:
+      limits:
+        cpus: '0.10'
+        memory: 128M
+
+networks:
+  forgejo:
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.name: forgejo
+        #      com.docker.network.driver.enable_ip_masquerade: 0
+    ipam:
+      config:
+        - subnet: 11.1.0.0/16
+          #          gateway: 11.5.0.1

services/service_matrix/matrix-genconfig.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+docker run -it --rm \
+    --mount type=bind,src=./generated-data,dst=/data \
+    -e SYNAPSE_SERVER_NAME=my.matrix.host \
+    -e SYNAPSE_REPORT_STATS=yes \
+    matrixdotorg/synapse:latest generate

services/service_matrix/servicesecrets.example

@@ -0,0 +1,2 @@
+# Example service secrets for git docker service, to be encrypted with ansible vault and called servicesecrets.enc
+service_git_postgres_pass: ***

services/service_nextcloud/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = ../../hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True

services/service_searxng/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = ../../hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True