cspark
/
Host-Ansible-Setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add auto service user configuration to host setup, init icinga2 service. Add docker to host configuration

This commit is contained in:
Curt Spark 2024-03-27 16:28:43 +00:00
parent 711b81dd99
commit e6e5346f25
5 changed files with 309 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
server-setup.yml
View File

@ -264,6 +264,84 @@
group: root group: root
mode: '1700' mode: '1700'
# Docker Setup
- name: Add Docker GPG apt Key
become: yes
apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: Add Docker Repository
become: yes
apt_repository:
repo: deb https://download.docker.com/linux/debian bullseye stable
state: present
- name: Install docker packages
become: yes
apt:
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
update_cache:true
# Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
- name : Find all service directories available in ansible configuration
find:
paths: "{{ ansibleconf_directory }}/services"
file_type: directory
use_regex: yes
patterns: ['service_']
recurse: no
register: findoutput
- name: Add found ansible configuration service directories to service directories variable
#no_log: true
set_fact:
available_servicedirs: "{{ available_servicedirs + [item.path | split('/') | last]}}"
with_items: "{{ findoutput.files }}"
- name: Automatically create service users based on found ansible conf service directories
become: yes
ansible.builtin.user:
name: "{{ item }}"
state: present
shell: /bin/bash
groups: docker
append: yes
loop: "{{ available_servicedirs }}"
# Services Configuration - Permissions
# Services
- name: Ensure service directory exists
become: yes
ansible.builtin.file:
path: "{{ services_directory }}"
state: directory
owner: root
group: root
mode: '1755'
- name: Automatically create all services directory based on found ansible conf service directories
become: yes
ansible.builtin.file:
path: "{{ services_directory }}/{{ item }}"
state: directory
owner: "{{ item }}"
group: "{{ item }}"
mode: '1700'
loop: "{{ available_servicedirs }}"
- name: Ensure service users upon login start in their respective service directory
become: yes
ansible.builtin.lineinfile:
path: "/home/{{ item }}/.profile"
line: "cd {{ services_directory }}/{{ item }}"
loop: "{{ available_servicedirs }}"
- name: Reset doas configuration back to default - name: Reset doas configuration back to default
become: yes become: yes
template: template:

5
serversecrets.example
View File

@ -24,6 +24,11 @@ usbkey_keysdir: /mnt/keys
# Frontend reverse proxy VPN key # Frontend reverse proxy VPN key
vpn_server_pubkey: *** vpn_server_pubkey: ***
# Other services - Private Keys
icinga2_backend_privkey: ***
# Other services - Public Keys
icinga2_backend_pubkey: ***
# VPN Key to link reverse proxy and cockpit backend # VPN Key to link reverse proxy and cockpit backend
cockpit_backend_privkey: *** cockpit_backend_privkey: ***

32
services/service_icinga2/deploy-service.yml Normal file
View File

@ -0,0 +1,32 @@
- hosts: localhost
become: 'yes'
vars:
ansible_become_method: doas
tasks:
- name: Create necessary directories
ansible.builtin.file:
path: "{{ item }}"
owner: service_icinga2
group: service_icinga2
state: directory
loop:
- "{{ services_directory }}/service_icinga2/icinga2-master-data"
- "{{ services_directory }}/service_icinga2/redis-data"
- "{{ services_directory }}/service_icinga2/postgres-data"
- "{{ services_directory }}/service_icinga2/postgres-data/icinga2-db"
- "{{ services_directory }}/service_icinga2/postgres-data/icinga2-web-db"
- "{{ services_directory }}/service_icinga2/icinga2-web-data"
- name: Copy docker compose config and other git files
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ services_directory }}/service_icinga2/{{ item }}"
owner: service_icinga2
group: service_icinga2
loop:
- docker-compose.yml
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

189
services/service_icinga2/docker-compose.yml Normal file
View File

@ -0,0 +1,189 @@
services:
# Gluetun is used to connect container to VPN
icinga2-gluetun:
image: qmcgaw/gluetun
cap_add:
- NET_ADMIN
environment:
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP={{ proxy_server_ip }}
- VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
- WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
- WIREGUARD_PRIVATE_KEY={{ icinga2_backend_privkey }}
- WIREGUARD_ADDRESSES=10.0.0.4/32
- FIREWALL_VPN_INPUT_PORTS=8080,5665
networks:
icinga2:
ports:
# Web UI Port
- "8080:8080"
# Backend API Port
- "5665:5665"
deploy:
limits:
cpus: '0.10'
memory: 512M
# Backend service that does the checking and hosts API
icinga2-master:
network_mode: "service:icinga2-gluetun"
image: icinga/icinga2
container_name: icinga2-master
hostname: icinga2-master
volumes:
- ./icinga2-master-data:/data
environment:
- ICINGA_MASTER=1
depends_on:
- icinga2-dbhandler
deploy:
limits:
cpus: '0.25'
memory: 512M
# Service that handles everything between icinga SQL and icinga Redis databases
icinga2-dbhandler: image: icinga/icingadb
restart: always
environment:
- ICINGADB_REDIS_HOST=11.1.0.21
- ICINGADB_REDIS_PORT=6379
- ICINGADB_REDIS_PASSWORD="{{ service_icinga2_icinga2-redis_password }}"
- ICINGADB_DATABASE_TYPE=pgsql
- ICINGADB_DATABASE_HOST=11.1.0.22
- ICINGADB_DATABASE_PORT=5432
- ICINGADB_DATABASE_DATABASE=icinga2-db
- ICINGADB_DATABASE_USER=icinga2-db
- ICINGADB_DATABASE_PASSWORD="{{ service_icinga2_icinga2-db_postgres_password }}"
depends_on:
- icinga2-redis
- icinga2-db
networks:
icinga2:
ipv4_address:11.1.0.20
deploy:
limits:
cpus: '0.10'
memory: 256M
icinga2-redis:
image: "redis:alpine"
command: "redis-server --save 60 1 --loglevel warning --requirepass {{ service_icinga2_icinga2-redis_password }}"
volumes:
- ./redis-data:/data
networks:
icinga2:
ipv4_address:11.1.0.21
deploy:
limits:
cpus: '0.10'
memory: 128M
icinga2-db:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
volumes:
- ./postgres-data/icinga2-db:/var/lib/postgresql/data
environment:
POSTGRES_DB: icinga2-db
POSTGRES_USER: icinga2-db
POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-db_postgres_password }}"
healthcheck:
test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
networks:
icinga2:
ipv4_address:11.1.0.22
deploy:
limits:
cpus: '0.10'
memory: 128M
icinga2-web-db:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
volumes:
- ./postgres-data/icinga2-web-db:/var/lib/postgresql/data
environment:
POSTGRES_DB: icinga2-web-db
POSTGRES_USER: icinga2-web-db
POSTGRES_PASSWORD: "{{ service_icinga2_icinga2-web-db_postgres_password }}"
healthcheck:
test: ["CMD-SHELL","pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
networks:
icinga2:
ipv4_address:11.1.0.23
deploy:
limits:
cpus: '0.10'
memory: 128M
# # Web UI
# icinga2-web:
# network_mode: "service:icinga2-gluetun"
# image: icinga/icingaweb2
# volumes:
# - ./icinga2-web-data:/data
# environment:
# # Incingaweb General Configuration
# - icingaweb.enabledModules=icingadb
# - icingaweb.authentication.icingaweb2.backend=db
# - icingaweb.authentication.icingaweb2.resource=icingaweb_db
# - icingaweb.config.global.config_backend=db
# - icingaweb.config.global.config_resource=icingaweb_db
# - icingaweb.config.logging.log=php
# - icingaweb.groups.icingaweb2.backend=db
# - icingaweb.groups.icingaweb2.resource=icingaweb_db
#
# # IncingaDB Redis Database configuration
# - icingaweb.modules.icingadb.config.icingadb.resource=icingadb
# - icingaweb.modules.icingadb.redis.redis1.host=11.1.0.21
# - icingaweb.modules.icingadb.redis.redis1.port=6379
#
# # Connection to backend Incinga server API
# - icingaweb.modules.icingadb.commandtransports.icinga2.transport=api
# - icingaweb.modules.icingadb.commandtransports.icinga2.host=127.0.0.1
# - icingaweb.modules.icingadb.commandtransports.icinga2.username=root
# - icingaweb.modules.icingadb.commandtransports.icinga2.password=123456
#
# # Incinga Web SQL Database configuration
# - icingaweb.resources.icingaweb_db.type=db
# - icingaweb.resources.icingaweb_db.db=pgsql
# - icingaweb.resources.icingaweb_db.host=11.1.0.23
# - icingaweb.resources.icingaweb_db.dbname=icinga2-web-db
# - icingaweb.resources.icingaweb_db.username=icinga2-web-db
# - icingaweb.resources.icingaweb_db.password="{{ service_icinga2_icinga2-web-db_postgres_password }}"
# - icingaweb.resources.icingaweb_db.charset=utf8mb4
#
# # IncingaDB SQL Database configuration
# - icingaweb.resources.icingadb.type=db
# - icingaweb.resources.icingadb.db=pgsql
# - icingaweb.resources.icingadb.host=11.1.0.22
# - icingaweb.resources.icingadb.dbname=icinga2-db
# - icingaweb.resources.icingadb.username=icinga2-db
# - icingaweb.resources.icingadb.password="{{ service_icinga2_icinga2-db_postgres_password }}"
# - icingaweb.resources.icingadb.charset=utf8mb4
#
# # Incinga User/Admin Configuration
# - icingaweb.passwords.icingaweb2.icingaadmin="{{ service_icinga2_icingaadmin_password }}"
# - icingaweb.roles.Administrators.users=icingaadmin
# - icingaweb.roles.Administrators.permissions=*
# - icingaweb.roles.Administrators.groups=Administrators
# depends_on:
# - icinga2-master
# - icinga2-web-db
# deploy:
# limits:
# cpus: '0.25'
# memory: 512M
networks:
icinga2:
driver: bridge
driver_opts:
com.docker.network.bridge.name: icinga2
# com.docker.network.driver.enable_ip_masquerade: 0
ipam:
config:
- subnet: 11.1.0.0/16
# gateway: 11.5.0.1

5
services/service_icinga2/servicesecrets.example Normal file
View File

@ -0,0 +1,5 @@
# Example service secrets for icinga2 docker service, to be encrypted with ansible vault and called servicesecrets.enc
service_icinga2_incingaadmin_password: ***
service_icinga2_icinga2-redis_password: ***
service_icinga2_icinga2-web-db_postgres_password: ***
service_icinga2_icinga2-db_postgres_password: ***