Split playbook

coreos-config/plays/common.yaml

@@ -0,0 +1,83 @@
+- name: Backup
+  hosts: backup
+  become: true
+  become_user: root
+  tasks:
+    - name: Install backup script
+      ansible.builtin.template:
+        src: backup.sh.j2
+        dest: /root/backup.sh
+        mode: '0700'
+        owner: root
+    - ansible.builtin.file:
+        path: /root/.ssh
+        owner: root
+        state: directory
+        mode: '0700'
+    - name: Install SSH Keys
+      ansible.builtin.template:
+        src: storagebox.j2
+        dest: /root/.ssh/storagebox
+        mode: '0600'
+        owner: root
+    - name: Add Known Hosts entries
+      ansible.builtin.known_hosts:
+        path: "/root/.ssh/known_hosts"
+        name: "{{ backup.known_hosts.name }}"
+        key: "{{ backup.known_hosts.key }}"
+- name: Restore from Backup
+  hosts: unprovisioned
+  become: true
+  become_user: root
+  gather_facts: true
+  tasks:
+    - block:
+        - name: Install restore script
+          ansible.builtin.template:
+            src: restore.sh.j2
+            dest: /root/restore.sh
+            mode: '0700'
+            owner: root
+        - ansible.builtin.file:
+            path: /root/.ssh
+            owner: root
+            state: directory
+            mode: '0700'
+        - name: Install SSH Keys
+          ansible.builtin.template:
+            src: storagebox.j2
+            dest: /root/.ssh/storagebox
+            mode: '0600'
+            owner: root
+        - name: Add Known Hosts entries
+          ansible.builtin.known_hosts:
+            path: "/root/.ssh/known_hosts"
+            name: "{{ backup.known_hosts.name }}"
+            key: "{{ backup.known_hosts.key }}"
+        - name: Restore from Borg
+          become: true
+          become_user: root
+          ansible.builtin.command:
+            chdir: /
+            cmd: bash /root/restore.sh
+        - name: Remove script from host
+          ansible.builtin.file:
+            path: /root/restore.sh
+            state: absent
+        - set_fact:
+            provisioned: true
+            cacheable: true
+      when: ansible_facts.provisioned is undefined
+- name: Setup Registry credentials
+  hosts: all
+  tasks:
+    - ansible.builtin.file:
+        path: /home/core/.docker
+        owner: core
+        state: directory
+        mode: '0700'
+    - ansible.builtin.template:
+        src: docker-config.json.j2
+        dest: /home/core/.docker/config.json
+        mode: '0600'
+        owner: core

coreos-config/plays/monitoring.yaml

@@ -0,0 +1,30 @@
+- name: Base Setup Monitoring
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - {role: compose_project, service: traefik}
+    - {role: compose_project, service: pantalaimon}
+    - {role: compose_project, service: watchtower}
+- name: Setup Monitoring Kuma 1
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "tobias"
+        urls:
+          - "status.tobiasmanske.de"
+          - "monitor.chaoswg.org"
+- name: Setup Monitoring Kuma 2
+  hosts: mon1.hel1.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - role: compose_project
+      service: kuma
+      vars:
+        service_name: "istannen"
+        urls: ["monitor.ialistannen.de"]

coreos-config/plays/templates/backup.sh.j2

@@ -0,0 +1,68 @@
+#!/bin/sh
+# Setting this, so the repo does not need to be given on the commandline:
+PUSH_KEY={{ backup.pushkey }}
+
+# See the section "Passphrase notes" for more infos.
+export BORG_PASSPHRASE='{{ backup.password }}'
+export BORG_REPO=ssh://{{ backup.remote.user }}@{{ backup.remote.url }}
+export BORG_RSH='ssh -i /root/.ssh/storagebox'
+
+# some helpers and error handling:
+info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
+trap 'echo $( date ) Backup interrupted >&2; exit 2' INT TERM
+
+info "Initialize Repo"
+borg init -e repokey
+
+info "Starting backup"
+
+
+# Backup the most important directories into an archive named after
+# the machine this script is currently running on:
+
+borg create                         \
+    --verbose                       \
+    --filter AME                    \
+    --list                          \
+    --stats                         \
+    --show-rc                       \
+    --compression lz4               \
+    --exclude-caches                \
+    --one-file-system		        \
+    --exclude "re:^/var/lib/docker/volumes/nobackup_.*"   \
+    ::'{hostname}-{now}'            \
+    /var/lib/docker
+
+backup_exit=$?
+
+info "Pruning repository"
+
+# Use the `prune` subcommand to maintain 7 daily, 4 weekly and 6 monthly
+# archives of THIS machine. The '{hostname}-' prefix is very important to
+# limit prune's operation to this machine's archives and not apply to
+# other machines' archives also:
+
+borg prune                          \
+    --list                          \
+    --glob-archives '{hostname}-*'  \
+    --show-rc                       \
+    --keep-daily    7               \
+    --keep-weekly   4               \
+    --keep-monthly  6
+
+prune_exit=$?
+
+# use highest exit code as global exit code
+global_exit=$(( backup_exit > prune_exit ? backup_exit : prune_exit ))
+
+if [ ${global_exit} -eq 0 ]; then
+    info "Backup and Prune finished successfully"
+    /usr/bin/curl -fsS -m 10 --retry 5 -o /dev/null "https://monitor.chaoswg.org/api/push/${PUSH_KEY}?msg=OK&ping="
+elif [ ${global_exit} -eq 1 ]; then
+    info "Backup and/or Prune finished with warnings"
+    /usr/bin/curl -fsS -m 10 --retry 5 -o /dev/null "https://monitor.chaoswg.org/api/push/${PUSH_KEY}?msg=OK&ping="
+else
+    info "Backup and/or Prune finished with errors"
+fi
+
+exit ${global_exit}

coreos-config/plays/templates/docker-config.json.j2

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+32643032393961616163376565363738383166373031393037306436383037663736613439326166
+6439663833356435653161636132616133663062333063640a373137646539616561376535313739
+31373932393934666133356332646237636563623631316233303962393637386534313966353839
+6164343438666539390a643032333839633737336162383830386436653462363963643639616164
+66656233643639613639663962383261356661343232663365353031623533643238303838373764
+35633838383533666662636263656562633865396330653733616366386232353162656362626161
+32383830346363313536336632656265636437323665316362303966366439316533333934373039
+36633531383831363533323734373936633339373562633563663863623733346662613435636664
+36633233333961396633313234303962376535616139323062316137616536326235346231666238
+6231363536663534653466633730316637313162303837626366

coreos-config/plays/templates/restore.sh.j2

@@ -0,0 +1,52 @@
+#!/bin/sh
+
+
+# Setting this, so the repo does not need to be given on the commandline:
+# See the section "Passphrase notes" for more infos.
+export BORG_PASSPHRASE='{{ backup.password }}'
+export BORG_REPO=ssh://{{ backup.remote.user }}@{{ backup.remote.url }}
+export BORG_RSH='ssh -i /root/.ssh/storagebox'
+
+{% if provision.from_backup.name is defined %}
+RESTORE_FROM={{ provision.from_backup.name }}
+{% else %}
+RESTORE_FROM=$(borg list --short --sort-by timestamp --last 1 --glob-archives "{hostname}*")
+{% endif %}
+
+{% raw %}
+
+# some helpers and error handling:
+info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
+trap 'echo $( date ) Backup interrupted >&2; exit 2' INT TERM
+
+# Backup the most important directories into an archive named after
+# the machine this script is currently running on:
+
+# Starting restore
+info "Starting Restore from backup"
+
+cd /
+
+
+borg extract \
+    --list \
+    "::${RESTORE_FROM}"
+
+
+restore_exit=$?
+
+
+# use highest exit code as global exit code
+global_exit=$restore_exit
+
+if [ ${global_exit} -eq 0 ]; then
+    info "Restore finished successfully"
+elif [ ${global_exit} -eq 1 ]; then
+    info "Restore finished with warnings"
+else
+    info "Restore finished with errors"
+fi
+
+exit ${global_exit}
+
+{% endraw %}

coreos-config/plays/templates/storagebox.j2

@@ -0,0 +1 @@
+{{ backup.remote.keyfile }}

coreos-config/plays/thonkpad.yaml

@@ -0,0 +1,9 @@
+- name: Setup Thonkpad
+  hosts: thonkpad.ka.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - {role: compose_project, service: pantalaimon}
+    - {role: compose_project, service: wireguard}
+    - {role: compose_project, service: watchtower}
+    - {role: compose_project, service: gitea-runner}

coreos-config/plays/vps.yaml

@@ -0,0 +1,27 @@
+- name: Setup VPS
+  hosts: host.nc.chaoswg.org
+  vars:
+    state: present
+  roles:
+    - {role: compose_project, service: traefik, with_fa: true}
+    - {role: compose_project, service: keycloak}
+    - {role: compose_project, service: minio}
+    - {role: compose_project, service: repo_proxy}
+    - {role: compose_project, service: registry}
+    - {role: compose_project, service: pantalaimon}
+    - {role: compose_project, service: gitea}
+    - {role: compose_project, service: gitea-runner}
+    - {role: compose_project, service: ba-gitlab-runner}
+    - {role: compose_project, service: wireguard}
+    - {role: compose_project, service: hedgedoc}
+    - {role: compose_project, service: miniflux}
+    - {role: compose_project, service: matrix}
+    - {role: compose_project, service: radicale}
+    - {role: compose_project, service: search}
+    - {role: compose_project, service: syncthing}
+    - {role: compose_project, service: blog}
+    - {role: compose_project, service: wkd}
+    - {role: compose_project, service: linktree}
+    - {role: compose_project, service: caddy}
+    - {role: compose_project, service: diun}
+    - {role: compose_project, service: watchtower}