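# Play 1: prepare an LXD + Podman host backed by ZFS, snapshot it with sanoid,
# and expose the `wordpress` LXD container on ports 80/443 via ufw DNAT.
# Assumes a ZFS pool named `tank` already exists (storage pool source tank/lxd,
# sanoid datasets) and that ufw itself is enabled somewhere else, possibly in
# tasks/unattended.yml — TODO confirm; the ufw rules below are inert until it is.
- hosts: webservers
  tasks:
    - name: Run tasks to configure unattended upgrades.
      ansible.builtin.import_tasks: tasks/unattended.yml

    - name: Install snapd.
      ansible.builtin.package:
        name:
          - snapd

    - name: Install LXD 5.0.
      community.general.snap:
        name: lxd
        channel: 5.0/stable

    # Podman from the kubic OBS repository is only wired up on focal (20.04).
    # The former apt_key task put the repo key into apt's global trusted keyring,
    # where it could vouch for *any* repository; a dedicated keyring referenced
    # via signed-by limits it to this one repo.
    # NOTE(review): upstream has reportedly stopped maintaining the
    # devel:kubic:libcontainers:stable builds for Ubuntu — confirm the focal
    # repository is still published before relying on it.
    - name: Create the apt keyring directory on Ubuntu (not present by default on focal).
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        mode: '0755'
      when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == "focal"

    - name: Add kubic repository key on Ubuntu.
      ansible.builtin.get_url:
        url: https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_{{ ansible_distribution_version }}/Release.key
        dest: /etc/apt/keyrings/kubic-libcontainers.asc
        mode: '0644'
      when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == "focal"

    - name: Add kubic repository on Ubuntu.
      ansible.builtin.apt_repository:
        # https instead of http: the same host already serves Release.key over TLS,
        # and signed-by pins package verification to the keyring fetched above.
        repo: "deb [signed-by=/etc/apt/keyrings/kubic-libcontainers.asc] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_{{ ansible_distribution_version }}/ /"
        state: present
      when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == "focal"

    - name: Install Podman packages.
      ansible.builtin.package:
        name:
          - podman
          - buildah
          - skopeo
          - slirp4netns

    # Disabled host-side Podman tweaks, kept for reference. If the docker-compose
    # download is ever re-enabled, add a `checksum:` to get_url so an unverified
    # binary is not dropped into /usr/local/bin.
    # - name: Set driver to zfs in Podman.
    #   lineinfile:
    #     path: /etc/containers/storage.conf
    #     regexp: ^driver
    #     line: driver = "zfs"
    #     insertafter: '^# Default Storage Driver'
    # - name: Set environment variable DOCKER_HOST to podman socket.
    #   lineinfile:
    #     dest: /etc/environment
    #     state: present
    #     regexp: '^DOCKER_HOST'
    #     line: 'DOCKER_HOST=unix:///run/podman/podman.sock'
    # - name: Install docker-compose.
    #   get_url:
    #     url: https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
    #     dest: /usr/local/bin/docker-compose
    #     mode: '0755'
    # - name: Enable Podman socket.
    #   ansible.builtin.systemd:
    #     name: podman.socket
    #     enabled: yes
    #     masked: no
    #     daemon_reload: yes
    #     state: started

    # The preseed is re-applied on every run (hence changed_when: false).
    # lxdbr0 is a NATed bridge; the host side is 172.16.10.254, which is also
    # the DNS server advertised to the host below.
    - name: Init LXD.
      ansible.builtin.shell: |
        lxd init --preseed << EOF
        config: {}
        networks:
        - config:
            ipv4.address: 172.16.10.254/24
            ipv4.nat: "true"
            ipv6.address: auto
          description: ""
          name: lxdbr0
          type: ""
        storage_pools:
        - config:
            source: tank/lxd
          description: ""
          name: default
          driver: zfs
        profiles:
        - config: {}
          description: ""
          devices:
            eth0:
              name: eth0
              network: lxdbr0
              type: nic
            root:
              path: /
              pool: default
              type: disk
          name: default
        cluster: null
        EOF
      changed_when: false

    - name: Install useful packages.
      ansible.builtin.package:
        name:
          - sanoid
          - fish
          - nano
          - htop
          - jq

    - name: Create /etc/sanoid
      ansible.builtin.file:
        path: /etc/sanoid
        state: directory
        mode: '0755'

    # TODO volumes
    # Written before the timer is enabled so the first timer run already has a config.
    - name: Configure sanoid
      ansible.builtin.copy:
        dest: /etc/sanoid/sanoid.conf
        mode: '0644'
        content: |
          [tank/home]
          use_template = production
          # podman containers
          [tank/containers]
          use_template = production
          recursive = yes
          process_children_only = yes
          # lxd containers
          [tank/lxd/containers]
          use_template = production
          recursive = yes
          process_children_only = yes
          # lxd vms
          [tank/lxd/virtual-machines]
          use_template = production
          recursive = yes
          process_children_only = yes
          #############################
          # templates below this line #
          #############################
          [template_production]
          frequently = 0
          hourly = 36
          daily = 30
          monthly = 3
          yearly = 0
          autosnap = yes
          autoprune = yes

    - name: Enable a timer unit for sanoid
      ansible.builtin.systemd:
        name: sanoid.timer
        state: started
        enabled: true

    # Forwarded traffic is denied unless a route rule below allows it. The
    # previous `default allow routed` made the host forward anything between any
    # two interfaces; the explicit lxdbr0 and DNAT route rules are all that is
    # actually needed.
    - name: Deny routed (forwarded) traffic by default
      community.general.ufw:
        default: deny
        direction: routed

    # Containers reach the host's dnsmasq (DHCP/DNS on lxdbr0).
    - name: configure ufw for dnsmasq of LXD
      community.general.ufw:
        rule: allow
        interface: lxdbr0
        direction: in

    # Containers may be forwarded out to the internet via the NATed bridge.
    - name: configure ufw for dnsmasq of LXD (routing)
      community.general.ufw:
        rule: allow
        route: true
        interface: lxdbr0
        direction: in

    # Only effective if systemd-networkd/resolved manage the host — TODO confirm.
    - name: "make .lxd domains resolvable from host"
      ansible.builtin.copy:
        dest: /etc/systemd/network/lxdbr0.network
        mode: '0644'
        content: |
          [Match]
          Name=lxdbr0
          [Network]
          DNS=172.16.10.254
          Domains=~lxd
      register: nw

    - name: reboot after network change
      ansible.builtin.reboot:
      when: nw.changed

    # The controller's own public key is baked into every container created from
    # the default profile; password auth stays off. Passwordless sudo is what the
    # `become: true` plays below rely on.
    - name: Add own ssh key to default profile
      community.general.lxd_profile:
        name: default
        merge_profile: true
        config:
          cloud-init.user-data: |
            #cloud-config
            packages:
              - openssh-server
            ssh_pwauth: false
            users:
              - name: ansible
                gecos: Ansible User
                groups: users,admin,wheel
                sudo: ALL=(ALL) NOPASSWD:ALL
                shell: /bin/bash
                ssh_authorized_keys:
                  - "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"

    # security.nesting is presumably required because play 2 runs podman-compose
    # inside this container; it loosens the container's isolation, so keep it
    # off any container that does not need nested containers (xcaddy below).
    - name: Create the wordpress container
      community.general.lxd_container:
        name: wordpress
        ignore_volatile_options: true
        state: started
        source:
          type: image
          mode: pull
          server: https://cloud-images.ubuntu.com/releases
          protocol: simplestreams # if you get a 404, try setting protocol: simplestreams
          alias: "22.04"
        profiles: ["default"]
        wait_for_ipv4_addresses: true
        timeout: 600
        config:
          security.nesting: "true"
      register: wordpress

    - name: Create the xcaddy container
      community.general.lxd_container:
        name: xcaddy
        ignore_volatile_options: true
        state: started
        source:
          type: image
          mode: pull
          server: https://cloud-images.ubuntu.com/releases
          protocol: simplestreams # if you get a 404, try setting protocol: simplestreams
          alias: "22.04"
        profiles: ["default"]
        wait_for_ipv4_addresses: true
        timeout: 600
      register: xcaddy

    # `lxc ls wordpress` is a name *filter*, so select the exact name and the
    # IPv4 entry instead of trusting `.[0]` / `addresses[0]`. Reading an address
    # changes nothing, and an empty/null result must not reach the DNAT rule
    # below (an empty --to-destination breaks ufw's rule load).
    - name: Get IP address from wordpress container.
      ansible.builtin.shell:
        cmd: >-
          lxc ls wordpress -f json
          | jq -r '[.[] | select(.name == "wordpress") | .state.network.eth0.addresses[] | select(.family == "inet") | .address] | first'
      register: wp_ip
      changed_when: false
      failed_when: "wp_ip.rc != 0 or wp_ip.stdout in ['', 'null']"

    - debug:
        msg: "{{ wp_ip.stdout }}"

    # Equivalent of `ufw route allow in on <ext> out on lxdbr0 to <ip> port N proto tcp`:
    # lets the DNAT'd web traffic cross the deny-by-default forward policy.
    # If the container's address changes, the old rule is not removed automatically.
    - name: Allow forwarding of DNAT'd web traffic to the wordpress container
      community.general.ufw:
        rule: allow
        route: true
        interface_in: "{{ ansible_default_ipv4.interface }}"
        interface_out: lxdbr0
        to_ip: "{{ wp_ip.stdout }}"
        to_port: "{{ item }}"
        proto: tcp
      loop:
        - '80'
        - '443'

    # blockinfile is marker-delimited, so a changed container IP replaces the old
    # rules on the next run rather than appending a second copy. This exposes the
    # container's 80/443 to every source address by design.
    - name: Configure destination NAT.
      ansible.builtin.blockinfile:
        path: /etc/ufw/before.rules
        insertbefore: BOF
        block: |
          *nat
          :PREROUTING ACCEPT [0:0]
          -A PREROUTING -i {{ ansible_default_ipv4.interface }} -p tcp --dport 80 -j DNAT --to-destination {{ wp_ip.stdout }}
          -A PREROUTING -i {{ ansible_default_ipv4.interface }} -p tcp --dport 443 -j DNAT --to-destination {{ wp_ip.stdout }}
          COMMIT

    - name: Restart ufw.
      ansible.builtin.systemd_service:
        name: ufw
        state: restarted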
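# Play 2: deploy WordPress inside the `wordpress` LXD container with podman-compose.
# `wordpress.lxd` resolves via the lxdbr0 DNS configured in play 1; the `ansible`
# user and its passwordless sudo come from the cloud-init profile set up there.
# podman-compose itself is expected to be installed by tasks/nesting.yml — TODO confirm.
- name: Install wordpress.
  hosts: wordpress.lxd
  become: true
  tasks:
    - name: Wait for wordpress.lxd to allow connections
      ansible.builtin.wait_for_connection:

    # conf/ holds the rendered env files, which presumably carry database
    # credentials, so it is not world-readable.
    - name: Create wp directories
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        mode: "{{ item.mode }}"
      loop:
        - path: /root/wp
          mode: '0755'
        - path: /root/wp/conf
          mode: '0700'
        - path: /root/wp/data
          mode: '0755'

    - name: Run nesting playbook on wordpress LXD container.
      ansible.builtin.import_tasks: tasks/nesting.yml

    - name: Copy docker-compose.yml.
      ansible.builtin.copy:
        dest: /root/wp/docker-compose.yml
        src: wordpress/docker-compose.yml
        mode: '0644'

    # Explicit modes: the *.env templates are the likely home of secrets and
    # must not inherit a permissive umask.
    - name: Install template for mariadb.
      ansible.builtin.template:
        src: wordpress/mariadb.env.j2
        dest: /root/wp/conf/mariadb.env
        mode: '0600'

    - name: Install template for caddy.
      ansible.builtin.template:
        src: wordpress/Caddyfile.j2
        dest: /root/wp/conf/Caddyfile
        mode: '0644'

    - name: Install template for wordpress.
      ansible.builtin.template:
        src: wordpress/wordpress.env.j2
        dest: /root/wp/conf/wordpress.env
        mode: '0600'

    - name: Install template for php.
      ansible.builtin.template:
        src: wordpress/php.ini.j2
        dest: /root/wp/conf/php.ini
        mode: '0644'

    # TODO: fix systemd unit
    # --force-recreate tears down and recreates the containers on every run,
    # so this task is deliberately not idempotent. Play-level become applies.
    - name: Run podman-compose.
      ansible.builtin.command: podman-compose up -d --force-recreate
      args:
        chdir: /root/wp
      # https://github.com/containers/podman-compose/issues/534#issuecomment-1274603325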
# Play 3: bootstrap the `xcaddy` LXD container. For now it only installs fish;
# the build of xcaddy itself is still to be added (see the TODOs at the end).
- name: Install xcaddy.
  hosts: xcaddy.lxd
  tasks:
    - name: Wait for xcaddy.lxd to allow connections
      ansible.builtin.wait_for_connection: {}

    # Package installation needs root; the play has no play-level become.
    - name: Install fish
      become: true
      ansible.builtin.apt:
        name: fish
        state: present
  # TODO: copy Dockerfile
  # TODO: copy docker-compose.yml to build xcaddy