Refactor: Dir structure

ansible/plays/templates/backup.sh.j2

@@ -0,0 +1,69 @@
+#!/bin/sh
+# Setting this, so the repo does not need to be given on the commandline:
+PUSH_KEY={{ backup.pushkey }}
+
+# See the section "Passphrase notes" for more infos.
+export BORG_PASSPHRASE='{{ backup.password }}'
+export BORG_REPO=ssh://{{ backup.remote.user }}@{{ backup.remote.url }}
+export BORG_RSH='ssh -i /root/.ssh/storagebox'
+
+# some helpers and error handling:
+info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
+trap 'echo $( date ) Backup interrupted >&2; exit 2' INT TERM
+
+info "Initialize Repo"
+borg init -e repokey
+
+info "Starting backup"
+
+
+# Backup the most important directories into an archive named after
+# the machine this script is currently running on:
+
+borg create                         \
+    --verbose                       \
+    --filter AME                    \
+    --list                          \
+    --stats                         \
+    --show-rc                       \
+    --compression lz4               \
+    --exclude-caches                \
+    --one-file-system		        \
+    --exclude "re:^/var/lib/docker/volumes/nobackup_.*"   \
+    ::'{hostname}-{now}'            \
+    /var/lib/docker
+
+backup_exit=$?
+
+info "Pruning repository"
+
+# Use the `prune` subcommand to maintain 7 daily, 4 weekly and 6 monthly
+# archives of THIS machine. The '{hostname}-' prefix is very important to
+# limit prune's operation to this machine's archives and not apply to
+# other machines' archives also:
+
+borg prune                          \
+    --list                          \
+    --glob-archives '{hostname}-*'  \
+    --show-rc                       \
+    --keep-daily    7               \
+    --keep-weekly   4               \
+    --keep-monthly  6
+
+prune_exit=$?
+
+# use highest exit code as global exit code
+global_exit=$(( backup_exit > prune_exit ? backup_exit : prune_exit ))
+
+if [ ${global_exit} -eq 0 ]; then
+    info "Backup and Prune finished successfully"
+    /usr/bin/curl -fsS -m 10 --retry 5 -o /dev/null "https://monitor.chaoswg.org/api/push/${PUSH_KEY}?msg=OK&ping="
+elif [ ${global_exit} -eq 1 ]; then
+    info "Backup and/or Prune finished with warnings"
+    /usr/bin/curl -fsS -m 10 --retry 5 -o /dev/null "https://monitor.chaoswg.org/api/push/${PUSH_KEY}?msg=OK&ping="
+    exit 0 # We dont want to get notified about warnings as this would make the systemd unit fail.
+else
+    info "Backup and/or Prune finished with errors"
+fi
+
+exit ${global_exit}

ansible/plays/templates/connection.nmconnection.j2

@@ -0,0 +1,19 @@
+[connection]
+id=Wired connection 1
+uuid=18c78ff6-605e-33c6-89b3-24bb1630d2b2
+type=ethernet
+autoconnect-priority=-999
+interface-name={{ network_interface | mandatory }}
+timestamp=1693314040
+
+[ethernet]
+
+[ipv4]
+ignore-auto-dns=true
+method=auto
+
+[ipv6]
+addr-gen-mode=default
+address1={{ network_ipv6_addr | mandatory }}/64,fe80::1
+ignore-auto-dns=true
+method=manual

ansible/plays/templates/docker-config.json.j2

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.2;AES256;secrets
+32643032393961616163376565363738383166373031393037306436383037663736613439326166
+6439663833356435653161636132616133663062333063640a373137646539616561376535313739
+31373932393934666133356332646237636563623631316233303962393637386534313966353839
+6164343438666539390a643032333839633737336162383830386436653462363963643639616164
+66656233643639613639663962383261356661343232663365353031623533643238303838373764
+35633838383533666662636263656562633865396330653733616366386232353162656362626161
+32383830346363313536336632656265636437323665316362303966366439316533333934373039
+36633531383831363533323734373936633339373562633563663863623733346662613435636664
+36633233333961396633313234303962376535616139323062316137616536326235346231666238
+6231363536663534653466633730316637313162303837626366

ansible/plays/templates/docker-daemon.json.j2

@@ -0,0 +1,11 @@
+{% raw %}
+{
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "100m",
+    "tag": "{{.ImageName}}|{{.Name}}|{{.FullID}}"
+  },
+  "bip": "10.254.1.1/24",
+  "default-address-pools":[{"base":"10.254.0.0/17","size":26}]
+}
+{% endraw %}

ansible/plays/templates/heartbeat.service.j2

@@ -0,0 +1,7 @@
+[Unit]
+Description=Heartbeat
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/curl -fsS -m 10 --retry 5 {{ monitor_url }}
+StandardOutput=null

ansible/plays/templates/heartbeat.timer.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Send heartbeat every 5 minutes
+
+[Timer]
+OnCalendar=*-*-* *:00/5:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target

ansible/plays/templates/restore.sh.j2

@@ -0,0 +1,52 @@
+#!/bin/sh
+
+
+# Setting this, so the repo does not need to be given on the commandline:
+# See the section "Passphrase notes" for more infos.
+export BORG_PASSPHRASE='{{ backup.password }}'
+export BORG_REPO=ssh://{{ backup.remote.user }}@{{ backup.remote.url }}
+export BORG_RSH='ssh -i /root/.ssh/storagebox'
+
+{% if provision.from_backup.name is defined %}
+RESTORE_FROM={{ provision.from_backup.name }}
+{% else %}
+RESTORE_FROM=$(borg list --short --sort-by timestamp --last 1 --glob-archives "{hostname}*")
+{% endif %}
+
+{% raw %}
+
+# some helpers and error handling:
+info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
+trap 'echo $( date ) Backup interrupted >&2; exit 2' INT TERM
+
+# Backup the most important directories into an archive named after
+# the machine this script is currently running on:
+
+# Starting restore
+info "Starting Restore from backup"
+
+cd /
+
+
+borg extract \
+    --list \
+    "::${RESTORE_FROM}"
+
+
+restore_exit=$?
+
+
+# use highest exit code as global exit code
+global_exit=$restore_exit
+
+if [ ${global_exit} -eq 0 ]; then
+    info "Restore finished successfully"
+elif [ ${global_exit} -eq 1 ]; then
+    info "Restore finished with warnings"
+else
+    info "Restore finished with errors"
+fi
+
+exit ${global_exit}
+
+{% endraw %}

ansible/plays/templates/sshd_config.j2

@@ -0,0 +1 @@
+AuthorizedKeysFile /etc/ssh/authorized_keys/%u

ansible/plays/templates/storagebox.j2

@@ -0,0 +1 @@
+{{ backup.remote.keyfile }}

ansible/plays/templates/wg_infra.conf.j2

@@ -0,0 +1,27 @@
+# DO NOT PFUSCH IN THIS FILE!
+# ANSIBLE WILL NOT CARE AND RUIN YOUR DAY!
+# CONSIDER YOUSELF WARNED.
+
+[Interface]
+Address = {{ wg_addr | mandatory }}/32
+MTU = 1280
+SaveConfig = false
+ListenPort = 52000
+PrivateKey = {{ wg_private_key | mandatory }}
+
+{% for node in nodes %}
+{% set hvar=hostvars[node] %}
+# node: {{ hvar.inventory_hostname }}
+[peer]
+PublicKey = {{ hvar.wg_public_key | mandatory }}
+AllowedIPs = {{ hvar.wg_addr | mandatory }}/32
+
+{% if hvar.ansible_default_ipv6 is defined and ansible_default_ipv6 is defined and hvar.ansible_default_ipv6.scope == "global" and ansible_default_ipv6.scope == "global" %}
+Endpoint = [{{ hvar.ansible_default_ipv6.address | mandatory }}]:52000
+{% else %}
+Endpoint = [{{ hvar.ansible_default_ipv4.address | mandatory }}]:52000
+{% endif %}
+{% if hvar.wg_keepalive is defined %}
+PersistentKeepalive = {{ hvar.wg_keepalive }}
+{% endif %}
+{% endfor %}