commit 883f31932e8271ce2033ddc48b1f563e173c446e Author: Tiara Rodney Date: Sat Mar 14 05:38:45 2026 +0100 init diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..eef233f --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +/letsencrypt/ +/.pytest_cache/ +/.ssh/ +/.local/ +/.tox/ +/.vault-pass diff --git a/.ssh.vault b/.ssh.vault new file mode 100644 index 0000000..f0298e0 --- /dev/null +++ b/.ssh.vault @@ -0,0 +1,35 @@ +$ANSIBLE_VAULT;1.1;AES256 +39316330396162386166363162646363343365343430393266666638356139383832353833326132 +6531356666643331363735373863323037303562393437620a303135613738303166346234663137 +65303562666362383266323161323832666165323237313033303961363935313561343731363934 +3632666365663637640a666666616336343362356164366239373065656239656237373331303166 +34343539666565636462343064666163333132373236343065323735333562616434323333386438 +38393137306438656463333135316539663264353736636233663035623131623835636534633336 +63306666343238656233653232663663323837666437346565616137633638613439393861306636 +38646663356237623765626237653732336362393739373835363431393963663065633535366632 +33383031303434396334373834663662653735353030336563646236313532656464333863636263 +34656262646233646230646335376565666237366138303733326339656166636133333433346432 +30616139393936383261393763636563386138393237343738613933303562343837353236626665 +37323635343535353032663866666238646635346138646666646562386433303063333862393761 +39346234633962326231333032653732393435336434616664663961633062353739383937383866 +61343030383530353235346561346531633832613634616533306136653930326634393530383730 +35316438636333313930333235316361393863303961666165616130616639356632356330383139 +39346335396532636334636336346434613934376131643165333438373630653732643033376537 +32383066623565643964623535333262376236316564356666336532613337653333613338613865 +34616561613533333636306163303131323834653934666661653866666562363638616630376566 +30643330393031613836353936636661653164353531303163623666666563643837346462376436 +39653665656164303135343738373436383265613363366664373466333963333532353335323436 +38633163656532356435356334376164373864383031366332633131316162336161643034653664 +61356538356563356232653964623165373239323664616339383263333365333633616564383138 +63343435343630353461376662626365626565616366373937306637346635313462393834393430 +35343962316630663238376262396332336639643136626434626336346437373438393963623863 +31623237336530376364626634653663313837306165376165346363306166343739393866623537 +30633735646434633762303065306231346363306339316636373066373464383764636634323163 +31356431333339653266393138353061643261306135336563303462343261393261376139613364 +31373861333065646237376535366138353438336463333363623464303431333135353133363461 +61646262343734343362643432633837623234646633336639336566623038346561393863303636 +36393861636631333363646438376133616461303834653262616565303362396634626630646137 +37616631383264656333383035396262656162613162653039366139623634393030656137656563 +65613135333364636437376163303230323435353834636262656539363964626331343465373038 +64333735643234326665653036303465646561646362626662653966303966623130356433313034 +3661666134663430643830613463663761333162393766636263 diff --git a/.vault-pass-debug b/.vault-pass-debug new file mode 100644 index 0000000..2f21015 --- /dev/null +++ b/.vault-pass-debug @@ -0,0 +1 @@ +&0geF%B46!H30#fnuY4ad8yCAxpM&C*! diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..aa12d53 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,55 @@ +# Contributing + +## Code style + +- YAML files use 4-space indentation, formatted with `yamlfix`. +- Jinja2 templates use the file extension `.j2`. +- Role names use snake_case (e.g., `docker_registry`). +- Task names are human-readable sentences (e.g., "Ensure SSL private keys are readable by containers"). + +## Role structure + +Each role follows the standard Ansible layout: + +``` +roles// +├── defaults/main.yml # Default variables +├── tasks/ +│ ├── main.yml # Entry point +│ └── *.yml # Additional task files (deploy, restore, etc.) +├── templates/ # Jinja2 templates (.j2) +├── files/ # Static files +└── meta/main.yml # Role dependencies +``` + +## Adding a new service + +1. Create a new role in `ansible/roles//`. +2. Add it to the proxy or IDP play in `ansible/playbooks/setup.yml` with a + `tags: []` annotation. +3. If the role depends on docker or apache, those roles handle themselves + internally — just declare the dependency in `meta/main.yml`. +## Testing changes + +Always test locally before deploying to production: + +```bash +# Run against local VMs +pipenv run ansible-playbook -i ansible/inventories/debug/hosts.ini ansible/playbooks/setup.yml \ + --tags +``` + +## Committing + +- Keep commits focused: one logical change per commit. +- Use conventional-ish commit messages: + - `feat: add offline email notifications to prosody` + - `fix: correct registry vhost name collision` + - `chore: migrate collection roles to local roles/` + +## Vault changes + +When adding new secrets, add them to the vault file and document the variable +name (but not the value) somewhere discoverable — either in the role's +`defaults/main.yml` as a commented placeholder or in the playbook next to the +role invocation. diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md new file mode 100644 index 0000000..0e1dbc5 --- /dev/null +++ b/DEVELOPMENT.md @@ -0,0 +1,168 @@ +# Development + +## Prerequisites + +```bash +sudo apt install -y qemu-system-x86 libvirt-daemon-system libvirt-clients \ + genisoimage ovmf screen +sudo usermod -aG libvirt $(whoami) +sudo usermod -aG kvm $(whoami) +pipenv install --dev +pipenv run ansible-galaxy collection install -r ansible/requirements.yml +``` + +## Repository layout + +``` +servers/ +├── ansible/ +│ ├── inventories/ +│ │ ├── debug/ # Local VMs (vm-proxy, vm-idp) +│ │ └── prod/ # Production VPS hosts +│ ├── playbooks/ +│ │ ├── setup.yml # Main deployment playbook +│ │ ├── backup.yml # Backup playbook +│ │ └── restore.yml # Restore playbook +│ ├── roles/ # All roles (formerly a separate collection) +│ └── requirements.yml # Ansible Galaxy dependencies +├── scripts/ +│ ├── provision.sh # One-time: create VMs + full playbook + snapshot +│ ├── deploy.sh # Iterate: restore + deploy a single service +│ ├── reset.sh # Restore VMs to a snapshot +│ ├── prod-deploy.sh # Deploy to production +│ └── vm/ # Low-level VM lifecycle (wrapping qemu-vm) +├── letsencrypt/ # TLS certificates (not committed) +├── Pipfile # Python dependencies +└── ansible.cfg # Ansible config (roles_path, vault) +``` + +## Development workflow + +The workflow is: develop and test locally against VMs, then deploy to +production once changes are idempotent and working. + +All scripts are meant to be run inside `pipenv shell` or via `pipenv run`. + +### 1. Provision (once) + +Creates VMs, runs the full ansible playbook, and snapshots the result as +`provisioned`. Prompts for sudo to set up the bridge network: + +```bash +pipenv run scripts/provision.sh +``` + +This gives you two VMs: +- **vm-proxy** at `10.10.0.2` (screen session `vm-proxy`) +- **vm-idp** at `10.10.0.3` (screen session `vm-idp`) + +Attach to a VM's serial console with `screen -r vm-proxy`. + +### 2. Iterate on a service + +Deploy a single service to the local VMs: + +```bash +# Deploy bugzilla on top of current VM state +pipenv run scripts/deploy.sh bugzilla + +# Skip dependencies you know haven't changed +pipenv run scripts/deploy.sh bugzilla --skip docker,apache + +# Restore to clean state first, then deploy +pipenv run scripts/deploy.sh prosody --restore + +# Restore to a specific snapshot first +pipenv run scripts/deploy.sh authentik --restore initialized +``` + +### 3. Reset + +Go back to a known state without deploying anything: + +```bash +# Reset to bare VMs (pre-ansible) +pipenv run scripts/reset.sh + +# Reset to fully provisioned state +pipenv run scripts/reset.sh provisioned +``` + +### 4. Custom snapshots + +Save and restore intermediate states during development: + +```bash +# Save current state +pipenv run scripts/vm/snapshot.sh after-bugzilla + +# Restore it later +pipenv run scripts/reset.sh after-bugzilla +``` + +### 5. Destroy and recreate + +Start completely from scratch: + +```bash +pipenv run scripts/vm/destroy.sh +pipenv run scripts/provision.sh +``` + +### 6. Deploy to production + +Once your changes work locally and are idempotent: + +```bash +# Full deployment +pipenv run scripts/prod-deploy.sh + +# Targeted deployment +pipenv run scripts/prod-deploy.sh prosody + +# Skip dependencies +pipenv run scripts/prod-deploy.sh bugzilla --skip docker,apache +``` + +## Low-level VM management + +The `scripts/vm/` directory contains building-block scripts for direct +VM control: + +| Script | Purpose | +|--------|---------| +| `vm/start.sh` | Start VMs in screen sessions | +| `vm/stop.sh` | Stop VMs gracefully | +| `vm/status.sh` | Show instances, volumes, screen sessions | +| `vm/snapshot.sh ` | Stop + snapshot both volumes | +| `vm/restore.sh ` | Restore + start both VMs | +| `vm/create.sh` | First-time VM creation + cloud-init | +| `vm/destroy.sh` | Delete VMs and volumes | +| `vm/setup-network.sh` | Create bridge network (requires root) | + +## Working with roles + +Roles live directly in `ansible/roles/`. No collection build/install step is +needed — Ansible finds them via `roles_path` in `ansible.cfg`. + +Each role is referenced by its directory name (e.g., `include_role: { name: prosody }`). +Cross-role dependencies use the same short names. + +## Working with vault + +```bash +# Edit encrypted variables +pipenv run ansible-vault edit ansible/inventories/prod/group_vars/all/vault.yml + +# Encrypt/decrypt files +ansible-vault-dir encrypt +ansible-vault-dir decrypt +``` + +## YAML formatting + +The project uses `yamlfix` for consistent YAML formatting: + +```bash +pipenv run yamlfix ansible/playbooks/setup.yml +``` diff --git a/NOTE-containerd-referrers.md b/NOTE-containerd-referrers.md new file mode 100644 index 0000000..f0e514e --- /dev/null +++ b/NOTE-containerd-referrers.md @@ -0,0 +1,60 @@ +# containerd-snapshotter: pull-through mirror fails with "failed to decode referrers index" + +## Summary + +When Docker Engine uses the containerd image store (`"features": {"containerd-snapshotter": true}`) +and a pull-through registry mirror (Docker Distribution `registry:2`), image pulls fail with: + +``` +failed to decode referrers index: invalid character '<' looking for beginning of value +``` + +or: + +``` +failed to unpack image on snapshotter overlayfs: unexpected media type text/html for sha256:...: not found +``` + +## Root cause + +After pulling an image through the mirror, containerd makes a **referrers API request** +(OCI Distribution Spec 1.1) directly to the **upstream registry** (e.g. `registry-1.docker.io`), +bypassing the mirror entirely. The upstream sometimes returns an HTML error page instead of +a valid JSON response for the referrers endpoint, causing containerd to fail the entire pull. + +Key observations: +- The image layers and manifests pull successfully through the mirror +- The referrers request goes **directly to upstream**, not through the mirror +- The `hosts.toml` mirror config with `capabilities = ["pull", "resolve"]` does not + cover referrers requests +- The error is **not** intermittent — it happens consistently for certain images +- Without `containerd-snapshotter` (classic Docker storage driver), the issue does not occur +- Affects both Docker 28.x and 29.x when containerd-snapshotter is enabled + +## Affected versions + +- Docker Engine 28.x and 29.x with `containerd-snapshotter: true` +- containerd 2.x (bundled with Docker) +- Registry mirror: Docker Distribution `registry:2` (v2.8.3) +- Tested on Debian 12 (bookworm), amd64 + +## Workaround + +Disable the containerd image store and use the classic Docker storage driver. +The classic driver does not make referrers API requests. + +Remove from `/etc/docker/daemon.json`: +```json +{ + "features": { + "containerd-snapshotter": true + } +} +``` + +Use `registry-mirrors` in `daemon.json` instead of `hosts.toml` for Docker Hub mirroring. +Note: `registry-mirrors` only supports Docker Hub, not per-registry mirrors (e.g. ghcr.io). + +## Reproduction + +See `scripts/reproduce-containerd-referrers.sh` for a self-contained reproduction script. diff --git a/Pipfile b/Pipfile new file mode 100644 index 0000000..b4f9555 --- /dev/null +++ b/Pipfile @@ -0,0 +1,16 @@ +[[source]] +url = "https://pypi.org/simple" +verify_ssl = true +name = "pypi" + +[packages] +ansible = "*" +"byteb4rb1e.utils" = {file = "../../byteb4rb1e/sphinx-courseware/sphinxcontrib.h5p.utils.pkg/vendor/py-utils.git"} +"byteb4rb1e.devutils" = {file = "../../byteb4rb1e/devutils"} + +[dev-packages] +"byteb4rb1e.utils" = {file = "../../byteb4rb1e/sphinx-courseware/sphinxcontrib.h5p.utils.pkg/vendor/py-utils.git", editable = true} +"byteb4rb1e.devutils" = {file = "../../byteb4rb1e/devutils", editable = true} + +[requires] +python_version = "3.13" diff --git a/Pipfile.lock b/Pipfile.lock new file mode 100644 index 0000000..5555407 --- /dev/null +++ b/Pipfile.lock @@ -0,0 +1,402 @@ +{ + "_meta": { + "hash": { + "sha256": "3ab63f11f8687a954fea0a1a3324efaaf2aaf321f7d09a3eef8f26a3ef128839" + }, + "pipfile-spec": 6, + "requires": { + "python_version": "3.13" + }, + "sources": [ + { + "name": "pypi", + "url": "https://pypi.org/simple", + "verify_ssl": true + } + ] + }, + "default": { + "ansible": { + "hashes": [ + "sha256:6d741511abc1f724443aa16992fb615cc822a22da427ade925ff937ccd691eb1", + "sha256:8c869fcc07954b53c5b125f1e914957cc7b541a92a7d512496207d80385a78eb" + ], + "index": "pypi", + "markers": "python_version >= '3.12'", + "version": "==13.4.0" + }, + "ansible-core": { + "hashes": [ + "sha256:38670ab2d2ffd67ee7e9e562f7c94e0927c8b7b4b0eb69233bc008c29e32d591", + "sha256:7fe2da953192cac5d5eb37bfc984bf9339daa252e0e3d1deb5526eb1f8be9f7f" + ], + "markers": "python_version >= '3.12'", + "version": "==2.20.3" + }, + "byteb4rb1e.devutils": { + "file": "../../byteb4rb1e/devutils" + }, + "byteb4rb1e.utils": { + "file": "../../byteb4rb1e/sphinx-courseware/sphinxcontrib.h5p.utils.pkg/vendor/py-utils.git" + }, + "cffi": { + "hashes": [ + "sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb", + "sha256:07b271772c100085dd28b74fa0cd81c8fb1a3ba18b21e03d7c27f3436a10606b", + "sha256:087067fa8953339c723661eda6b54bc98c5625757ea62e95eb4898ad5e776e9f", + "sha256:0a1527a803f0a659de1af2e1fd700213caba79377e27e4693648c2923da066f9", + "sha256:0cf2d91ecc3fcc0625c2c530fe004f82c110405f101548512cce44322fa8ac44", + "sha256:0f6084a0ea23d05d20c3edcda20c3d006f9b6f3fefeac38f59262e10cef47ee2", + "sha256:12873ca6cb9b0f0d3a0da705d6086fe911591737a59f28b7936bdfed27c0d47c", + "sha256:19f705ada2530c1167abacb171925dd886168931e0a7b78f5bffcae5c6b5be75", + "sha256:1cd13c99ce269b3ed80b417dcd591415d3372bcac067009b6e0f59c7d4015e65", + "sha256:1e3a615586f05fc4065a8b22b8152f0c1b00cdbc60596d187c2a74f9e3036e4e", + "sha256:1f72fb8906754ac8a2cc3f9f5aaa298070652a0ffae577e0ea9bd480dc3c931a", + "sha256:1fc9ea04857caf665289b7a75923f2c6ed559b8298a1b8c49e59f7dd95c8481e", + "sha256:203a48d1fb583fc7d78a4c6655692963b860a417c0528492a6bc21f1aaefab25", + "sha256:2081580ebb843f759b9f617314a24ed5738c51d2aee65d31e02f6f7a2b97707a", + "sha256:21d1152871b019407d8ac3985f6775c079416c282e431a4da6afe7aefd2bccbe", + "sha256:24b6f81f1983e6df8db3adc38562c83f7d4a0c36162885ec7f7b77c7dcbec97b", + "sha256:256f80b80ca3853f90c21b23ee78cd008713787b1b1e93eae9f3d6a7134abd91", + "sha256:28a3a209b96630bca57cce802da70c266eb08c6e97e5afd61a75611ee6c64592", + "sha256:2c8f814d84194c9ea681642fd164267891702542f028a15fc97d4674b6206187", + "sha256:2de9a304e27f7596cd03d16f1b7c72219bd944e99cc52b84d0145aefb07cbd3c", + "sha256:38100abb9d1b1435bc4cc340bb4489635dc2f0da7456590877030c9b3d40b0c1", + "sha256:3925dd22fa2b7699ed2617149842d2e6adde22b262fcbfada50e3d195e4b3a94", + "sha256:3e17ed538242334bf70832644a32a7aae3d83b57567f9fd60a26257e992b79ba", + "sha256:3e837e369566884707ddaf85fc1744b47575005c0a229de3327f8f9a20f4efeb", + "sha256:3f4d46d8b35698056ec29bca21546e1551a205058ae1a181d871e278b0b28165", + "sha256:44d1b5909021139fe36001ae048dbdde8214afa20200eda0f64c068cac5d5529", + "sha256:45d5e886156860dc35862657e1494b9bae8dfa63bf56796f2fb56e1679fc0bca", + "sha256:4647afc2f90d1ddd33441e5b0e85b16b12ddec4fca55f0d9671fef036ecca27c", + "sha256:4671d9dd5ec934cb9a73e7ee9676f9362aba54f7f34910956b84d727b0d73fb6", + "sha256:53f77cbe57044e88bbd5ed26ac1d0514d2acf0591dd6bb02a3ae37f76811b80c", + "sha256:5eda85d6d1879e692d546a078b44251cdd08dd1cfb98dfb77b670c97cee49ea0", + "sha256:5fed36fccc0612a53f1d4d9a816b50a36702c28a2aa880cb8a122b3466638743", + "sha256:61d028e90346df14fedc3d1e5441df818d095f3b87d286825dfcbd6459b7ef63", + "sha256:66f011380d0e49ed280c789fbd08ff0d40968ee7b665575489afa95c98196ab5", + "sha256:6824f87845e3396029f3820c206e459ccc91760e8fa24422f8b0c3d1731cbec5", + "sha256:6c6c373cfc5c83a975506110d17457138c8c63016b563cc9ed6e056a82f13ce4", + "sha256:6d02d6655b0e54f54c4ef0b94eb6be0607b70853c45ce98bd278dc7de718be5d", + "sha256:6d50360be4546678fc1b79ffe7a66265e28667840010348dd69a314145807a1b", + "sha256:730cacb21e1bdff3ce90babf007d0a0917cc3e6492f336c2f0134101e0944f93", + "sha256:737fe7d37e1a1bffe70bd5754ea763a62a066dc5913ca57e957824b72a85e205", + "sha256:74a03b9698e198d47562765773b4a8309919089150a0bb17d829ad7b44b60d27", + "sha256:7553fb2090d71822f02c629afe6042c299edf91ba1bf94951165613553984512", + "sha256:7a66c7204d8869299919db4d5069a82f1561581af12b11b3c9f48c584eb8743d", + "sha256:7cc09976e8b56f8cebd752f7113ad07752461f48a58cbba644139015ac24954c", + "sha256:81afed14892743bbe14dacb9e36d9e0e504cd204e0b165062c488942b9718037", + "sha256:8941aaadaf67246224cee8c3803777eed332a19d909b47e29c9842ef1e79ac26", + "sha256:89472c9762729b5ae1ad974b777416bfda4ac5642423fa93bd57a09204712322", + "sha256:8ea985900c5c95ce9db1745f7933eeef5d314f0565b27625d9a10ec9881e1bfb", + "sha256:8eca2a813c1cb7ad4fb74d368c2ffbbb4789d377ee5bb8df98373c2cc0dee76c", + "sha256:92b68146a71df78564e4ef48af17551a5ddd142e5190cdf2c5624d0c3ff5b2e8", + "sha256:9332088d75dc3241c702d852d4671613136d90fa6881da7d770a483fd05248b4", + "sha256:94698a9c5f91f9d138526b48fe26a199609544591f859c870d477351dc7b2414", + "sha256:9a67fc9e8eb39039280526379fb3a70023d77caec1852002b4da7e8b270c4dd9", + "sha256:9de40a7b0323d889cf8d23d1ef214f565ab154443c42737dfe52ff82cf857664", + "sha256:a05d0c237b3349096d3981b727493e22147f934b20f6f125a3eba8f994bec4a9", + "sha256:afb8db5439b81cf9c9d0c80404b60c3cc9c3add93e114dcae767f1477cb53775", + "sha256:b18a3ed7d5b3bd8d9ef7a8cb226502c6bf8308df1525e1cc676c3680e7176739", + "sha256:b1e74d11748e7e98e2f426ab176d4ed720a64412b6a15054378afdb71e0f37dc", + "sha256:b21e08af67b8a103c71a250401c78d5e0893beff75e28c53c98f4de42f774062", + "sha256:b4c854ef3adc177950a8dfc81a86f5115d2abd545751a304c5bcf2c2c7283cfe", + "sha256:b882b3df248017dba09d6b16defe9b5c407fe32fc7c65a9c69798e6175601be9", + "sha256:baf5215e0ab74c16e2dd324e8ec067ef59e41125d3eade2b863d294fd5035c92", + "sha256:c649e3a33450ec82378822b3dad03cc228b8f5963c0c12fc3b1e0ab940f768a5", + "sha256:c654de545946e0db659b3400168c9ad31b5d29593291482c43e3564effbcee13", + "sha256:c6638687455baf640e37344fe26d37c404db8b80d037c3d29f58fe8d1c3b194d", + "sha256:c8d3b5532fc71b7a77c09192b4a5a200ea992702734a2e9279a37f2478236f26", + "sha256:cb527a79772e5ef98fb1d700678fe031e353e765d1ca2d409c92263c6d43e09f", + "sha256:cf364028c016c03078a23b503f02058f1814320a56ad535686f90565636a9495", + "sha256:d48a880098c96020b02d5a1f7d9251308510ce8858940e6fa99ece33f610838b", + "sha256:d68b6cef7827e8641e8ef16f4494edda8b36104d79773a334beaa1e3521430f6", + "sha256:d9b29c1f0ae438d5ee9acb31cadee00a58c46cc9c0b2f9038c6b0b3470877a8c", + "sha256:d9b97165e8aed9272a6bb17c01e3cc5871a594a446ebedc996e2397a1c1ea8ef", + "sha256:da68248800ad6320861f129cd9c1bf96ca849a2771a59e0344e88681905916f5", + "sha256:da902562c3e9c550df360bfa53c035b2f241fed6d9aef119048073680ace4a18", + "sha256:dbd5c7a25a7cb98f5ca55d258b103a2054f859a46ae11aaf23134f9cc0d356ad", + "sha256:dd4f05f54a52fb558f1ba9f528228066954fee3ebe629fc1660d874d040ae5a3", + "sha256:de8dad4425a6ca6e4e5e297b27b5c824ecc7581910bf9aee86cb6835e6812aa7", + "sha256:e11e82b744887154b182fd3e7e8512418446501191994dbf9c9fc1f32cc8efd5", + "sha256:e6e73b9e02893c764e7e8d5bb5ce277f1a009cd5243f8228f75f842bf937c534", + "sha256:f73b96c41e3b2adedc34a7356e64c8eb96e03a3782b535e043a986276ce12a49", + "sha256:f93fd8e5c8c0a4aa1f424d6173f14a892044054871c771f8566e4008eaa359d2", + "sha256:fc33c5141b55ed366cfaad382df24fe7dcbc686de5be719b207bb248e3053dc5", + "sha256:fc7de24befaeae77ba923797c7c87834c73648a05a4bde34b3b7e5588973a453", + "sha256:fe562eb1a64e67dd297ccc4f5addea2501664954f2692b69a76449ec7913ecbf" + ], + "markers": "python_version >= '3.9'", + "version": "==2.0.0" + }, + "cryptography": { + "hashes": [ + "sha256:02f547fce831f5096c9a567fd41bc12ca8f11df260959ecc7c3202555cc47a72", + "sha256:039917b0dc418bb9f6edce8a906572d69e74bd330b0b3fea4f79dab7f8ddd235", + "sha256:1abfdb89b41c3be0365328a410baa9df3ff8a9110fb75e7b52e66803ddabc9a9", + "sha256:2ae6971afd6246710480e3f15824ed3029a60fc16991db250034efd0b9fb4356", + "sha256:2b7a67c9cd56372f3249b39699f2ad479f6991e62ea15800973b956f4b73e257", + "sha256:351695ada9ea9618b3500b490ad54c739860883df6c1f555e088eaf25b1bbaad", + "sha256:38946c54b16c885c72c4f59846be9743d699eee2b69b6988e0a00a01f46a61a4", + "sha256:3b4995dc971c9fb83c25aa44cf45f02ba86f71ee600d81091c2f0cbae116b06c", + "sha256:3ce58ba46e1bc2aac4f7d9290223cead56743fa6ab94a5d53292ffaac6a91614", + "sha256:3ee190460e2fbe447175cda91b88b84ae8322a104fc27766ad09428754a618ed", + "sha256:4108d4c09fbbf2789d0c926eb4152ae1760d5a2d97612b92d508d96c861e4d31", + "sha256:420d0e909050490d04359e7fdb5ed7e667ca5c3c402b809ae2563d7e66a92229", + "sha256:47fb8a66058b80e509c47118ef8a75d14c455e81ac369050f20ba0d23e77fee0", + "sha256:4c3341037c136030cb46e4b1e17b7418ea4cbd9dd207e4a6f3b2b24e0d4ac731", + "sha256:4d7e3d356b8cd4ea5aff04f129d5f66ebdc7b6f8eae802b93739ed520c47c79b", + "sha256:4d8ae8659ab18c65ced284993c2265910f6c9e650189d4e3f68445ef82a810e4", + "sha256:4e817a8920bfbcff8940ecfd60f23d01836408242b30f1a708d93198393a80b4", + "sha256:50bfb6925eff619c9c023b967d5b77a54e04256c4281b0e21336a130cd7fc263", + "sha256:556e106ee01aa13484ce9b0239bca667be5004efb0aabbed28d353df86445595", + "sha256:582f5fcd2afa31622f317f80426a027f30dc792e9c80ffee87b993200ea115f1", + "sha256:5be7bf2fb40769e05739dd0046e7b26f9d4670badc7b032d6ce4db64dddc0678", + "sha256:60ee7e19e95104d4c03871d7d7dfb3d22ef8a9b9c6778c94e1c8fcc8365afd48", + "sha256:61aa400dce22cb001a98014f647dc21cda08f7915ceb95df0c9eaf84b4b6af76", + "sha256:68f68d13f2e1cb95163fa3b4db4bf9a159a418f5f6e7242564fc75fcae667fd0", + "sha256:7d1f30a86d2757199cb2d56e48cce14deddf1f9c95f1ef1b64ee91ea43fe2e18", + "sha256:7d731d4b107030987fd61a7f8ab512b25b53cef8f233a97379ede116f30eb67d", + "sha256:803812e111e75d1aa73690d2facc295eaefd4439be1023fefc4995eaea2af90d", + "sha256:80a8d7bfdf38f87ca30a5391c0c9ce4ed2926918e017c29ddf643d0ed2778ea1", + "sha256:8293f3dea7fc929ef7240796ba231413afa7b68ce38fd21da2995549f5961981", + "sha256:8456928655f856c6e1533ff59d5be76578a7157224dbd9ce6872f25055ab9ab7", + "sha256:890bcb4abd5a2d3f852196437129eb3667d62630333aacc13dfd470fad3aaa82", + "sha256:94a76daa32eb78d61339aff7952ea819b1734b46f73646a07decb40e5b3448e2", + "sha256:9f16fbdf4da055efb21c22d81b89f155f02ba420558db21288b3d0035bafd5f4", + "sha256:a3d1fae9863299076f05cb8a778c467578262fae09f9dc0ee9b12eb4268ce663", + "sha256:a3d507bb6a513ca96ba84443226af944b0f7f47dcc9a399d110cd6146481d24c", + "sha256:abace499247268e3757271b2f1e244b36b06f8515cf27c4d49468fc9eb16e93d", + "sha256:ba2a27ff02f48193fc4daeadf8ad2590516fa3d0adeeb34336b96f7fa64c1e3a", + "sha256:bc84e875994c3b445871ea7181d424588171efec3e185dced958dad9e001950a", + "sha256:bfd56bb4b37ed4f330b82402f6f435845a5f5648edf1ad497da51a8452d5d62d", + "sha256:c18ff11e86df2e28854939acde2d003f7984f721eba450b56a200ad90eeb0e6b", + "sha256:c3bcce8521d785d510b2aad26ae2c966092b7daa8f45dd8f44734a104dc0bc1a", + "sha256:c4143987a42a2397f2fc3b4d7e3a7d313fbe684f67ff443999e803dd75a76826", + "sha256:c69fd885df7d089548a42d5ec05be26050ebcd2283d89b3d30676eb32ff87dee", + "sha256:ced80795227d70549a411a4ab66e8ce307899fad2220ce5ab2f296e687eacde9", + "sha256:d66e421495fdb797610a08f43b05269e0a5ea7f5e652a89bfd5a7d3c1dee3648", + "sha256:d861ee9e76ace6cf36a6a89b959ec08e7bc2493ee39d07ffe5acb23ef46d27da", + "sha256:e9251e3be159d1020c4030bd2e5f84d6a43fe54b6c19c12f51cde9542a2817b2", + "sha256:f145bba11b878005c496e93e257c1e88f154d278d2638e6450d17e0f31e558d2", + "sha256:fe346b143ff9685e40192a4960938545c699054ba11d4f9029f94751e3f71d87" + ], + "markers": "python_version >= '3.8' and python_full_version not in '3.9.0, 3.9.1'", + "version": "==46.0.5" + }, + "jinja2": { + "hashes": [ + "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d", + "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67" + ], + "markers": "python_version >= '3.7'", + "version": "==3.1.6" + }, + "markupsafe": { + "hashes": [ + "sha256:0303439a41979d9e74d18ff5e2dd8c43ed6c6001fd40e5bf2e43f7bd9bbc523f", + "sha256:068f375c472b3e7acbe2d5318dea141359e6900156b5b2ba06a30b169086b91a", + "sha256:0bf2a864d67e76e5c9a34dc26ec616a66b9888e25e7b9460e1c76d3293bd9dbf", + "sha256:0db14f5dafddbb6d9208827849fad01f1a2609380add406671a26386cdf15a19", + "sha256:0eb9ff8191e8498cca014656ae6b8d61f39da5f95b488805da4bb029cccbfbaf", + "sha256:0f4b68347f8c5eab4a13419215bdfd7f8c9b19f2b25520968adfad23eb0ce60c", + "sha256:1085e7fbddd3be5f89cc898938f42c0b3c711fdcb37d75221de2666af647c175", + "sha256:116bb52f642a37c115f517494ea5feb03889e04df47eeff5b130b1808ce7c219", + "sha256:12c63dfb4a98206f045aa9563db46507995f7ef6d83b2f68eda65c307c6829eb", + "sha256:133a43e73a802c5562be9bbcd03d090aa5a1fe899db609c29e8c8d815c5f6de6", + "sha256:1353ef0c1b138e1907ae78e2f6c63ff67501122006b0f9abad68fda5f4ffc6ab", + "sha256:15d939a21d546304880945ca1ecb8a039db6b4dc49b2c5a400387cdae6a62e26", + "sha256:177b5253b2834fe3678cb4a5f0059808258584c559193998be2601324fdeafb1", + "sha256:1872df69a4de6aead3491198eaf13810b565bdbeec3ae2dc8780f14458ec73ce", + "sha256:1b4b79e8ebf6b55351f0d91fe80f893b4743f104bff22e90697db1590e47a218", + "sha256:1b52b4fb9df4eb9ae465f8d0c228a00624de2334f216f178a995ccdcf82c4634", + "sha256:1ba88449deb3de88bd40044603fafffb7bc2b055d626a330323a9ed736661695", + "sha256:1cc7ea17a6824959616c525620e387f6dd30fec8cb44f649e31712db02123dad", + "sha256:218551f6df4868a8d527e3062d0fb968682fe92054e89978594c28e642c43a73", + "sha256:26a5784ded40c9e318cfc2bdb30fe164bdb8665ded9cd64d500a34fb42067b1c", + "sha256:2713baf880df847f2bece4230d4d094280f4e67b1e813eec43b4c0e144a34ffe", + "sha256:2a15a08b17dd94c53a1da0438822d70ebcd13f8c3a95abe3a9ef9f11a94830aa", + "sha256:2f981d352f04553a7171b8e44369f2af4055f888dfb147d55e42d29e29e74559", + "sha256:32001d6a8fc98c8cb5c947787c5d08b0a50663d139f1305bac5885d98d9b40fa", + "sha256:3524b778fe5cfb3452a09d31e7b5adefeea8c5be1d43c4f810ba09f2ceb29d37", + "sha256:3537e01efc9d4dccdf77221fb1cb3b8e1a38d5428920e0657ce299b20324d758", + "sha256:35add3b638a5d900e807944a078b51922212fb3dedb01633a8defc4b01a3c85f", + "sha256:38664109c14ffc9e7437e86b4dceb442b0096dfe3541d7864d9cbe1da4cf36c8", + "sha256:3a7e8ae81ae39e62a41ec302f972ba6ae23a5c5396c8e60113e9066ef893da0d", + "sha256:3b562dd9e9ea93f13d53989d23a7e775fdfd1066c33494ff43f5418bc8c58a5c", + "sha256:457a69a9577064c05a97c41f4e65148652db078a3a509039e64d3467b9e7ef97", + "sha256:4bd4cd07944443f5a265608cc6aab442e4f74dff8088b0dfc8238647b8f6ae9a", + "sha256:4e885a3d1efa2eadc93c894a21770e4bc67899e3543680313b09f139e149ab19", + "sha256:4faffd047e07c38848ce017e8725090413cd80cbc23d86e55c587bf979e579c9", + "sha256:509fa21c6deb7a7a273d629cf5ec029bc209d1a51178615ddf718f5918992ab9", + "sha256:5678211cb9333a6468fb8d8be0305520aa073f50d17f089b5b4b477ea6e67fdc", + "sha256:591ae9f2a647529ca990bc681daebdd52c8791ff06c2bfa05b65163e28102ef2", + "sha256:5a7d5dc5140555cf21a6fefbdbf8723f06fcd2f63ef108f2854de715e4422cb4", + "sha256:69c0b73548bc525c8cb9a251cddf1931d1db4d2258e9599c28c07ef3580ef354", + "sha256:6b5420a1d9450023228968e7e6a9ce57f65d148ab56d2313fcd589eee96a7a50", + "sha256:722695808f4b6457b320fdc131280796bdceb04ab50fe1795cd540799ebe1698", + "sha256:729586769a26dbceff69f7a7dbbf59ab6572b99d94576a5592625d5b411576b9", + "sha256:77f0643abe7495da77fb436f50f8dab76dbc6e5fd25d39589a0f1fe6548bfa2b", + "sha256:795e7751525cae078558e679d646ae45574b47ed6e7771863fcc079a6171a0fc", + "sha256:7be7b61bb172e1ed687f1754f8e7484f1c8019780f6f6b0786e76bb01c2ae115", + "sha256:7c3fb7d25180895632e5d3148dbdc29ea38ccb7fd210aa27acbd1201a1902c6e", + "sha256:7e68f88e5b8799aa49c85cd116c932a1ac15caaa3f5db09087854d218359e485", + "sha256:83891d0e9fb81a825d9a6d61e3f07550ca70a076484292a70fde82c4b807286f", + "sha256:8485f406a96febb5140bfeca44a73e3ce5116b2501ac54fe953e488fb1d03b12", + "sha256:8709b08f4a89aa7586de0aadc8da56180242ee0ada3999749b183aa23df95025", + "sha256:8f71bc33915be5186016f675cd83a1e08523649b0e33efdb898db577ef5bb009", + "sha256:915c04ba3851909ce68ccc2b8e2cd691618c4dc4c4232fb7982bca3f41fd8c3d", + "sha256:949b8d66bc381ee8b007cd945914c721d9aba8e27f71959d750a46f7c282b20b", + "sha256:94c6f0bb423f739146aec64595853541634bde58b2135f27f61c1ffd1cd4d16a", + "sha256:9a1abfdc021a164803f4d485104931fb8f8c1efd55bc6b748d2f5774e78b62c5", + "sha256:9b79b7a16f7fedff2495d684f2b59b0457c3b493778c9eed31111be64d58279f", + "sha256:a320721ab5a1aba0a233739394eb907f8c8da5c98c9181d1161e77a0c8e36f2d", + "sha256:a4afe79fb3de0b7097d81da19090f4df4f8d3a2b3adaa8764138aac2e44f3af1", + "sha256:ad2cf8aa28b8c020ab2fc8287b0f823d0a7d8630784c31e9ee5edea20f406287", + "sha256:b8512a91625c9b3da6f127803b166b629725e68af71f8184ae7e7d54686a56d6", + "sha256:bc51efed119bc9cfdf792cdeaa4d67e8f6fcccab66ed4bfdd6bde3e59bfcbb2f", + "sha256:bdc919ead48f234740ad807933cdf545180bfbe9342c2bb451556db2ed958581", + "sha256:bdd37121970bfd8be76c5fb069c7751683bdf373db1ed6c010162b2a130248ed", + "sha256:be8813b57049a7dc738189df53d69395eba14fb99345e0a5994914a3864c8a4b", + "sha256:c0c0b3ade1c0b13b936d7970b1d37a57acde9199dc2aecc4c336773e1d86049c", + "sha256:c47a551199eb8eb2121d4f0f15ae0f923d31350ab9280078d1e5f12b249e0026", + "sha256:c4ffb7ebf07cfe8931028e3e4c85f0357459a3f9f9490886198848f4fa002ec8", + "sha256:ccfcd093f13f0f0b7fdd0f198b90053bf7b2f02a3927a30e63f3ccc9df56b676", + "sha256:d2ee202e79d8ed691ceebae8e0486bd9a2cd4794cec4824e1c99b6f5009502f6", + "sha256:d53197da72cc091b024dd97249dfc7794d6a56530370992a5e1a08983ad9230e", + "sha256:d6dd0be5b5b189d31db7cda48b91d7e0a9795f31430b7f271219ab30f1d3ac9d", + "sha256:d88b440e37a16e651bda4c7c2b930eb586fd15ca7406cb39e211fcff3bf3017d", + "sha256:de8a88e63464af587c950061a5e6a67d3632e36df62b986892331d4620a35c01", + "sha256:df2449253ef108a379b8b5d6b43f4b1a8e81a061d6537becd5582fba5f9196d7", + "sha256:e1c1493fb6e50ab01d20a22826e57520f1284df32f2d8601fdd90b6304601419", + "sha256:e1cf1972137e83c5d4c136c43ced9ac51d0e124706ee1c8aa8532c1287fa8795", + "sha256:e2103a929dfa2fcaf9bb4e7c091983a49c9ac3b19c9061b6d5427dd7d14d81a1", + "sha256:e56b7d45a839a697b5eb268c82a71bd8c7f6c94d6fd50c3d577fa39a9f1409f5", + "sha256:e8afc3f2ccfa24215f8cb28dcf43f0113ac3c37c2f0f0806d8c70e4228c5cf4d", + "sha256:e8fc20152abba6b83724d7ff268c249fa196d8259ff481f3b1476383f8f24e42", + "sha256:eaa9599de571d72e2daf60164784109f19978b327a3910d3e9de8c97b5b70cfe", + "sha256:ec15a59cf5af7be74194f7ab02d0f59a62bdcf1a537677ce67a2537c9b87fcda", + "sha256:f190daf01f13c72eac4efd5c430a8de82489d9cff23c364c3ea822545032993e", + "sha256:f34c41761022dd093b4b6896d4810782ffbabe30f2d443ff5f083e0cbbb8c737", + "sha256:f3e98bb3798ead92273dc0e5fd0f31ade220f59a266ffd8a4f6065e0a3ce0523", + "sha256:f42d0984e947b8adf7dd6dde396e720934d12c506ce84eea8476409563607591", + "sha256:f71a396b3bf33ecaa1626c255855702aca4d3d9fea5e051b41ac59a9c1c41edc", + "sha256:f9e130248f4462aaa8e2552d547f36ddadbeaa573879158d721bbd33dfe4743a", + "sha256:fed51ac40f757d41b7c48425901843666a6677e3e8eb0abcff09e4ba6e664f50" + ], + "markers": "python_version >= '3.9'", + "version": "==3.0.3" + }, + "packaging": { + "hashes": [ + "sha256:00243ae351a257117b6a241061796684b084ed1c516a08c48a3f7e147a9d80b4", + "sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529" + ], + "markers": "python_version >= '3.8'", + "version": "==26.0" + }, + "pycparser": { + "hashes": [ + "sha256:600f49d217304a5902ac3c37e1281c9fe94e4d0489de643a9504c5cdfdfc6b29", + "sha256:b727414169a36b7d524c1c3e31839a521725078d7b2ff038656844266160a992" + ], + "markers": "python_version >= '3.10'", + "version": "==3.0" + }, + "pyyaml": { + "hashes": [ + "sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c", + "sha256:0150219816b6a1fa26fb4699fb7daa9caf09eb1999f3b70fb6e786805e80375a", + "sha256:02893d100e99e03eda1c8fd5c441d8c60103fd175728e23e431db1b589cf5ab3", + "sha256:02ea2dfa234451bbb8772601d7b8e426c2bfa197136796224e50e35a78777956", + "sha256:0f29edc409a6392443abf94b9cf89ce99889a1dd5376d94316ae5145dfedd5d6", + "sha256:10892704fc220243f5305762e276552a0395f7beb4dbf9b14ec8fd43b57f126c", + "sha256:16249ee61e95f858e83976573de0f5b2893b3677ba71c9dd36b9cf8be9ac6d65", + "sha256:1d37d57ad971609cf3c53ba6a7e365e40660e3be0e5175fa9f2365a379d6095a", + "sha256:1ebe39cb5fc479422b83de611d14e2c0d3bb2a18bbcb01f229ab3cfbd8fee7a0", + "sha256:214ed4befebe12df36bcc8bc2b64b396ca31be9304b8f59e25c11cf94a4c033b", + "sha256:2283a07e2c21a2aa78d9c4442724ec1eb15f5e42a723b99cb3d822d48f5f7ad1", + "sha256:22ba7cfcad58ef3ecddc7ed1db3409af68d023b7f940da23c6c2a1890976eda6", + "sha256:27c0abcb4a5dac13684a37f76e701e054692a9b2d3064b70f5e4eb54810553d7", + "sha256:28c8d926f98f432f88adc23edf2e6d4921ac26fb084b028c733d01868d19007e", + "sha256:2e71d11abed7344e42a8849600193d15b6def118602c4c176f748e4583246007", + "sha256:34d5fcd24b8445fadc33f9cf348c1047101756fd760b4dacb5c3e99755703310", + "sha256:37503bfbfc9d2c40b344d06b2199cf0e96e97957ab1c1b546fd4f87e53e5d3e4", + "sha256:3c5677e12444c15717b902a5798264fa7909e41153cdf9ef7ad571b704a63dd9", + "sha256:3ff07ec89bae51176c0549bc4c63aa6202991da2d9a6129d7aef7f1407d3f295", + "sha256:41715c910c881bc081f1e8872880d3c650acf13dfa8214bad49ed4cede7c34ea", + "sha256:418cf3f2111bc80e0933b2cd8cd04f286338bb88bdc7bc8e6dd775ebde60b5e0", + "sha256:44edc647873928551a01e7a563d7452ccdebee747728c1080d881d68af7b997e", + "sha256:4a2e8cebe2ff6ab7d1050ecd59c25d4c8bd7e6f400f5f82b96557ac0abafd0ac", + "sha256:4ad1906908f2f5ae4e5a8ddfce73c320c2a1429ec52eafd27138b7f1cbe341c9", + "sha256:501a031947e3a9025ed4405a168e6ef5ae3126c59f90ce0cd6f2bfc477be31b7", + "sha256:5190d403f121660ce8d1d2c1bb2ef1bd05b5f68533fc5c2ea899bd15f4399b35", + "sha256:5498cd1645aa724a7c71c8f378eb29ebe23da2fc0d7a08071d89469bf1d2defb", + "sha256:5cf4e27da7e3fbed4d6c3d8e797387aaad68102272f8f9752883bc32d61cb87b", + "sha256:5e0b74767e5f8c593e8c9b5912019159ed0533c70051e9cce3e8b6aa699fcd69", + "sha256:5ed875a24292240029e4483f9d4a4b8a1ae08843b9c54f43fcc11e404532a8a5", + "sha256:5fcd34e47f6e0b794d17de1b4ff496c00986e1c83f7ab2fb8fcfe9616ff7477b", + "sha256:5fdec68f91a0c6739b380c83b951e2c72ac0197ace422360e6d5a959d8d97b2c", + "sha256:6344df0d5755a2c9a276d4473ae6b90647e216ab4757f8426893b5dd2ac3f369", + "sha256:64386e5e707d03a7e172c0701abfb7e10f0fb753ee1d773128192742712a98fd", + "sha256:652cb6edd41e718550aad172851962662ff2681490a8a711af6a4d288dd96824", + "sha256:66291b10affd76d76f54fad28e22e51719ef9ba22b29e1d7d03d6777a9174198", + "sha256:66e1674c3ef6f541c35191caae2d429b967b99e02040f5ba928632d9a7f0f065", + "sha256:6adc77889b628398debc7b65c073bcb99c4a0237b248cacaf3fe8a557563ef6c", + "sha256:79005a0d97d5ddabfeeea4cf676af11e647e41d81c9a7722a193022accdb6b7c", + "sha256:7c6610def4f163542a622a73fb39f534f8c101d690126992300bf3207eab9764", + "sha256:7f047e29dcae44602496db43be01ad42fc6f1cc0d8cd6c83d342306c32270196", + "sha256:8098f252adfa6c80ab48096053f512f2321f0b998f98150cea9bd23d83e1467b", + "sha256:850774a7879607d3a6f50d36d04f00ee69e7fc816450e5f7e58d7f17f1ae5c00", + "sha256:8d1fab6bb153a416f9aeb4b8763bc0f22a5586065f86f7664fc23339fc1c1fac", + "sha256:8da9669d359f02c0b91ccc01cac4a67f16afec0dac22c2ad09f46bee0697eba8", + "sha256:8dc52c23056b9ddd46818a57b78404882310fb473d63f17b07d5c40421e47f8e", + "sha256:9149cad251584d5fb4981be1ecde53a1ca46c891a79788c0df828d2f166bda28", + "sha256:93dda82c9c22deb0a405ea4dc5f2d0cda384168e466364dec6255b293923b2f3", + "sha256:96b533f0e99f6579b3d4d4995707cf36df9100d67e0c8303a0c55b27b5f99bc5", + "sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4", + "sha256:9c7708761fccb9397fe64bbc0395abcae8c4bf7b0eac081e12b809bf47700d0b", + "sha256:9f3bfb4965eb874431221a3ff3fdcddc7e74e3b07799e0e84ca4a0f867d449bf", + "sha256:a33284e20b78bd4a18c8c2282d549d10bc8408a2a7ff57653c0cf0b9be0afce5", + "sha256:a80cb027f6b349846a3bf6d73b5e95e782175e52f22108cfa17876aaeff93702", + "sha256:b30236e45cf30d2b8e7b3e85881719e98507abed1011bf463a8fa23e9c3e98a8", + "sha256:b3bc83488de33889877a0f2543ade9f70c67d66d9ebb4ac959502e12de895788", + "sha256:b865addae83924361678b652338317d1bd7e79b1f4596f96b96c77a5a34b34da", + "sha256:b8bb0864c5a28024fac8a632c443c87c5aa6f215c0b126c449ae1a150412f31d", + "sha256:ba1cc08a7ccde2d2ec775841541641e4548226580ab850948cbfda66a1befcdc", + "sha256:bdb2c67c6c1390b63c6ff89f210c8fd09d9a1217a465701eac7316313c915e4c", + "sha256:c1ff362665ae507275af2853520967820d9124984e0f7466736aea23d8611fba", + "sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f", + "sha256:c3355370a2c156cffb25e876646f149d5d68f5e0a3ce86a5084dd0b64a994917", + "sha256:c458b6d084f9b935061bc36216e8a69a7e293a2f1e68bf956dcd9e6cbcd143f5", + "sha256:d0eae10f8159e8fdad514efdc92d74fd8d682c933a6dd088030f3834bc8e6b26", + "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f", + "sha256:ebc55a14a21cb14062aa4162f906cd962b28e2e9ea38f9b4391244cd8de4ae0b", + "sha256:eda16858a3cab07b80edaf74336ece1f986ba330fdb8ee0d6c0d68fe82bc96be", + "sha256:ee2922902c45ae8ccada2c5b501ab86c36525b883eff4255313a253a3160861c", + "sha256:efd7b85f94a6f21e4932043973a7ba2613b059c4a000551892ac9f1d11f5baf3", + "sha256:f7057c9a337546edc7973c0d3ba84ddcdf0daa14533c2065749c9075001090e6", + "sha256:fa160448684b4e94d80416c0fa4aac48967a969efe22931448d853ada8baf926", + "sha256:fc09d0aa354569bc501d4e787133afc08552722d3ab34836a80547331bb5d4a0" + ], + "markers": "python_version >= '3.8'", + "version": "==6.0.3" + }, + "resolvelib": { + "hashes": [ + "sha256:7d08a2022f6e16ce405d60b68c390f054efcfd0477d4b9bd019cc941c28fad1c", + "sha256:fb06b66c8da04172d9e72a21d7d06186d8919e32ae5ab5cdf5b9d920be805ac2" + ], + "markers": "python_version >= '3.9'", + "version": "==1.2.1" + } + }, + "develop": { + "byteb4rb1e.devutils": { + "file": "../../byteb4rb1e/devutils" + }, + "byteb4rb1e.utils": { + "file": "../../byteb4rb1e/sphinx-courseware/sphinxcontrib.h5p.utils.pkg/vendor/py-utils.git" + } + } +} diff --git a/README.md b/README.md new file mode 100644 index 0000000..2a57a33 --- /dev/null +++ b/README.md @@ -0,0 +1,107 @@ +# servers + +Homelab infrastructure managed with Ansible and tested against local QEMU VMs. +Two production VPS hosts (proxy and IDP) are connected via WireGuard and run +everything behind Apache reverse proxies with Let's Encrypt TLS. + +## Architecture + +``` +┌─────────────────────────────────────────────────┐ +│ Proxy (10.0.0.1) │ +│ ┌───────────┐ ┌──────────┐ ┌────────────────┐ │ +│ │ Apache │ │ Prosody │ │ Docker Registry│ │ +│ │ (reverse │ │ (XMPP) │ │ (pull-through) │ │ +│ │ proxy) │ │ │ │ │ │ +│ ├───────────┤ ├──────────┤ ├────────────────┤ │ +│ │ ConverseJS│ │ Bugzilla │ │ Comentario │ │ +│ │ Kellnr │ │ DevPI │ │ dnsmasq │ │ +│ └───────────┘ └──────────┘ └────────────────┘ │ +│ WireGuard ─────────────────────────┐ │ +└─────────────────────────────────────┼────────────┘ + │ +┌─────────────────────────────────────┼────────────┐ +│ IDP (10.0.0.2) │ │ +│ ┌──────────────────────────────────┘ │ +│ │ Authentik (identity provider) │ +│ │ PostgreSQL + Redis │ +│ └───────────────────────────────────────────────┘ +└──────────────────────────────────────────────────┘ +``` + +Clients (phone, workstation) connect over WireGuard and resolve names via +dnsmasq on the proxy. + +## Quick start + +```bash +# Install Python dependencies +pipenv install + +# Install Ansible collection dependencies +pipenv run ansible-galaxy collection install -r ansible/requirements.yml + +# Deploy to production +pipenv run ansible-playbook -i ansible/inventories/prod/hosts.ini ansible/playbooks/setup.yml + +# Deploy a single service (e.g. bugzilla) +pipenv run ansible-playbook -i ansible/inventories/prod/hosts.ini ansible/playbooks/setup.yml --tags bugzilla + +# Deploy a service without its dependencies +pipenv run ansible-playbook -i ansible/inventories/prod/hosts.ini ansible/playbooks/setup.yml --tags bugzilla --skip-tags docker,apache +``` + +See [DEVELOPMENT.md](DEVELOPMENT.md) for the full local development workflow. + +## Available tags + +| Tag | What it deploys | Host | +|-----|----------------|------| +| `host` | Base host config (SSH keys, users, swap) | all | +| `docker` | Docker engine + registry mirrors | docker_hosts | +| `wireguard` | WireGuard tunnels | proxy, idp | +| `apache` | Apache + Let's Encrypt certs | proxy | +| `dnsmasq` | DNS resolver | proxy | +| `docker-registry` | Pull-through registry mirrors | proxy | +| `restic` | Backup infrastructure | proxy, idp | +| `prosody` | XMPP server + upload proxy | proxy | +| `conversejs` | Web XMPP client | proxy | +| `kellnr` | Rust crate registry | proxy | +| `devpi` | Python package index | proxy | +| `comentario` | Comment system | proxy | +| `bugzilla` | Bug tracker | proxy | +| `authentik` | Identity provider + reverse proxy | idp, proxy | +| `blog` | Static blog site | proxy | +| `spec` | Static spec site | proxy | + +## Backups + +```bash +# Run backup +pipenv run ansible-playbook -i ansible/inventories/prod/hosts.ini ansible/playbooks/backup.yml + +# Restore +pipenv run ansible-playbook -i ansible/inventories/prod/hosts.ini ansible/playbooks/restore.yml +``` + +Automated backups run via systemd timer (bi-weekly by default). + +## Vault + +Sensitive variables live in `ansible/inventories/prod/group_vars/all/vault.yml`, +encrypted with `ansible-vault`. The vault password file is `.vault-pass` +(not committed). + +```bash +# Edit vault +pipenv run ansible-vault edit ansible/inventories/prod/group_vars/all/vault.yml +``` + +## Authentik notes + +App passwords with more than 30 minutes expiration require a user or group +attribute: + +``` +goauthentik.io/user/token-maximum-lifetime: days=365 +``` diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..c919f13 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,3 @@ +[defaults] +roles_path = ansible/roles +vault_password_file = .vault-pass diff --git a/ansible/README.md b/ansible/README.md new file mode 100644 index 0000000..4177d69 --- /dev/null +++ b/ansible/README.md @@ -0,0 +1,35 @@ +Install collection dependencies: + + ansible-galaxy collection install -r requirements.yml + +Run setup: + + ansible-playbook -i inventories/prod/hosts.ini playbooks/setup.yml + +Run backup: + + ansible-playbook -i inventories/prod/hosts.ini playbooks/backup.yml + +Run restore: + + ansible-playbook -i inventories/prod/hosts.ini playbooks/restore.yml + +Manual backup: + + ansible-playbook -i inventories/prod/hosts.ini playbooks/backup.yml + +Automated backups run via systemd timer (bi-weekly by default). + +Vault variables (inventories/prod/group_vars/all/vault.yml): + + vault_kellnr_admin_pwd: "..." + vault_pg_password: "..." + vault_secret_key: "random-long-django-secret" + vault_restic_password: "..." + vault_accounts_ssh_pubkey: "ssh-ed25519 ..." + vault_accounts_ssh_private_key: | + -----BEGIN OPENSSH PRIVATE KEY----- + ... + vault_rclone_proton_username: "user@proton.me" + vault_rclone_proton_password: "rclone-obscured-password" + vault_rclone_proton_2fa: "TOTP-SECRET" diff --git a/ansible/inventories/debug/group_vars/all/secrets.yml b/ansible/inventories/debug/group_vars/all/secrets.yml new file mode 100644 index 0000000..f92169a --- /dev/null +++ b/ansible/inventories/debug/group_vars/all/secrets.yml @@ -0,0 +1,27 @@ +--- +vault_kellnr_admin_pwd: debug +vault_pg_password: debug +vault_secret_key: debug +s3_bucket: backups-testing +vault_xmpp_admin_user: tiara +vault_xmpp_oauth_client_id: xmpp-client-id +vault_xmpp_oauth_client_secret: xmpp-client-secret +vault_xmpp_ropc_client_id: xmpp-ropc-client-id +vault_xmpp_ropc_client_secret: xmpp-ropc-client-secret +vault_comentario_oauth_client_id: comentario-client-id +vault_comentario_oauth_client_secret: comentario-client-secret +vault_bugzilla_oauth_client_id: bugzilla-client-id +vault_bugzilla_oauth_client_secret: bugzilla-client-secret +vault_bugzilla_oidc_passphrase: bugzilla-oidc-passphrase +vault_bugzilla_db_password: debug +vault_bugzilla_admin_pwd: debugdebug +vault_social_google_client_id: google-client-id-placeholder +vault_social_google_client_secret: google-client-secret-placeholder +vault_social_microsoft_client_id: microsoft-client-id-placeholder +vault_social_microsoft_client_secret: microsoft-client-secret-placeholder +vault_social_apple_client_id: apple-client-id-placeholder +vault_social_apple_client_secret: apple-client-secret-placeholder +vault_social_facebook_client_id: facebook-client-id-placeholder +vault_social_facebook_client_secret: facebook-client-secret-placeholder +vault_social_twitter_client_id: twitter-client-id-placeholder +vault_social_twitter_client_secret: twitter-client-secret-placeholder diff --git a/ansible/inventories/debug/group_vars/all/vault.yml b/ansible/inventories/debug/group_vars/all/vault.yml new file mode 100644 index 0000000..f090c0a --- /dev/null +++ b/ansible/inventories/debug/group_vars/all/vault.yml @@ -0,0 +1,54 @@ +$ANSIBLE_VAULT;1.1;AES256 +34646335663961323835326462363434393133316464393063356666396362626637306263626332 +3137613332313531333364643331373934363237363231640a393362313738383035373131633537 +30623432363962313538323131323836613539643533623364666631663733353134316461373930 +6364393465613665620a336261336630346630646530653135336163653136336532333130333338 +64626264353737363235353865303039656339653062633335623964643939326364393263393832 +36663030646363636130353164313063356133396635643334653561343462333662656237633766 +39646363646161303165316439646164613530636266373761396135663830383932663837383661 +62636334383861396133353839616239316366303437383934333265343063366139613564346131 +39656434653662316534386263383361333131383037313163326464353963643239343661663932 +37303065366463653761623062326439633363663030616432346538373461353830353338623230 +64306261326135363566656232313330353037613164616264656431363439326331613837376662 +36646134366463383665393136616437393339346134363638666431363933636637366632366439 +39656138366234646138353131313166656431303463316332663138303330326135666261363533 +34393833626239323036663035646239316266323434366435323931366532623639653837373261 +37633333663233646332393239613264363562343164653033303865313233393432306539646536 +39643264623862393833653362323436396661353065306233646234306235306366666139666130 +61643364613133326461383331366664363531643963376137653561376532393736393633313831 +31303861373037363766316664623234633563386338353431396663383034343061643962366535 +31653833393765663961613338336334366162656466663863306662383838386664326631336434 +65366563333533396434333861333937333466313861626661363061303939373538666130326238 +62363130633566336163653238356636623066306662326536366463613532626536633564353430 +64303165353436626266636131333864666336386535663832313564313533333163633639393038 +64633236333236616535396634653162396464363337393163623262653866666664303534376164 +35303066626665386535656537666432636132656639646431663463363630333466316534303739 +30396466356131616666626130383963333166396339623861303662333535343239643364633535 +37656466363535363163643036653464336538623334633565346163343630663463633235383831 +66306462396163313634666130666264336138643163643563663635333362623262373330643766 +33626633303062656462313862393763616163363231323036306638633536313230656261303835 +35333738396430356139346331643839386236343464323137663964336561633766353262353863 +32313635323632643065343139366436373864636465376538376365333835366232613032333230 +35376134343861373333346537623838303165366639653063303364303638626431316535656466 +38353261393262306433383035353261363265653838653661636463636638636465383665383763 +34303238323838313364373137613566663737323938306365376565353066656162656135376363 +39326366623830616330336163363738326263663832313337323164656331636334333937383737 +61653336613033363766636435353365356265373263656165326162316130333134336230353637 +36656364646336336163333338663966613934356266313865643934373566343964363062326366 +38646562373261313638383338636139333835626239346363336331663536306431636463336630 +38656236366436316234393236646234613264353264333030626362343463333863373065343336 +63663135363365316265636464663864313765663763613131613030636133643637336364316234 +62393061346337383563313866303463633362356263356238323336663262646532343136393439 +64333362383461366230663435396164393031616432323537396237383634353363393332376536 +39646631386365646266366530623762616264663164346533323239643863363036663565323438 +63663537306133363337363962646462323131353065313537626432633534653432393639626337 +66393234313835613163663030363332336361316365616238643964333363386134663232323766 +33306165626431373730373135306431373937613235333861636266666662336431356265623638 +38623065623933646237326339353932353439383932663631346131316431316234323537353062 +37353632333961386334646232393930666234373432653463613931643537623536656364626632 +61393063636333663961336562326330653461393562313064626566626436383765356264633838 +39356232626362323935626362316563363430383134636230373665613930336462383363393831 +37356261663238303337383833353930383736386434666539333939616434626532393831643866 +35386137663632383639376538386435373065333138643064383136656136373634323839636366 +31356561396137326134643562396264303561363639636637313362616438646231663162656332 +3739 diff --git a/ansible/inventories/debug/group_vars/idp/firewall.yml b/ansible/inventories/debug/group_vars/idp/firewall.yml new file mode 100644 index 0000000..8b7dad0 --- /dev/null +++ b/ansible/inventories/debug/group_vars/idp/firewall.yml @@ -0,0 +1,4 @@ +--- +ufw_allow: + - { port: "51820", proto: udp } + - { port: "9000", proto: tcp, from: "10.0.0.0/24" } diff --git a/ansible/inventories/debug/group_vars/proxy/firewall.yml b/ansible/inventories/debug/group_vars/proxy/firewall.yml new file mode 100644 index 0000000..2ca5768 --- /dev/null +++ b/ansible/inventories/debug/group_vars/proxy/firewall.yml @@ -0,0 +1,9 @@ +--- +ufw_allow: + - { port: "80" } + - { port: "443" } + - { port: "51820", proto: udp } + - { port: "5000", proto: tcp } + - { port: "5222", proto: tcp, from: "10.0.0.0/24" } + - { port: "5269", proto: tcp, from: "10.0.0.0/24" } + - { port: "53", proto: udp, from: "10.0.0.0/24" } diff --git a/ansible/inventories/debug/group_vars/wg_peers/wireguard.yml b/ansible/inventories/debug/group_vars/wg_peers/wireguard.yml new file mode 100644 index 0000000..4493693 --- /dev/null +++ b/ansible/inventories/debug/group_vars/wg_peers/wireguard.yml @@ -0,0 +1,6 @@ +--- +wg_client_peers: + - + name: "Ansible controller" + public_key: "{{ lookup('file', '/etc/wireguard/public.key') }}" + allowed_ips: "10.0.0.3/32" diff --git a/ansible/inventories/debug/hosts.ini b/ansible/inventories/debug/hosts.ini new file mode 100644 index 0000000..12f0b79 --- /dev/null +++ b/ansible/inventories/debug/hosts.ini @@ -0,0 +1,13 @@ +[proxy] +vm-proxy ansible_host=10.10.0.2 ansible_user=debian wg_endpoint=10.10.0.2 + +[idp] +vm-idp ansible_host=10.10.0.3 ansible_user=debian + +[docker_hosts:children] +proxy +idp + +[wg_peers:children] +proxy +idp diff --git a/ansible/inventories/prod/group_vars/all/vault.yml b/ansible/inventories/prod/group_vars/all/vault.yml new file mode 100644 index 0000000..7d1409d --- /dev/null +++ b/ansible/inventories/prod/group_vars/all/vault.yml @@ -0,0 +1,126 @@ +$ANSIBLE_VAULT;1.1;AES256 +65656630393666376132613061363366363432303437313961303434323431333832636331633535 +3364623638626435326236656563646435396661353939610a366337363936633038623065323134 +63353766653532623164353764353761363633633366633538633566323465303835323831656238 +3565353965646338630a343232386563313764313465383666356136326336336230303432346538 +38316130663339386235343265616237373536613762626338376564666432366464323436353639 +36326137373232316438383837633830366163633437643565313863613137323033353430356638 +33663736623032323263353831343430313734373065393232663065643432333864323563663265 +33386465326335373635333435623764346666353765336630643764373737306637343834656639 +35653466366666383332663464626463646235303737306166373832396531623038376532656665 +65663964373565303538343732393137396361613330613336326564613633363662306232643534 +37393939323563343332613833613339313630396434663235656232643631303031393735396263 +63613863366162383637363736393430643233326533383534623539646330313737383332396165 +32393134323739363866386633646563393036373235353332333062316639653362626261376434 +31366437383465616534653465386636376163653430663764613236366134336435636631623963 +37346430393933306331636633333636666239333962323137393466356265626363376361393435 +30656432353333646337346662653637303430313739353431666237373037666534316566666564 +65663838643461316566616532343461343138323637356231393730393062363164633537363539 +36623035386636376239306633303766616636333935336464323636626437393466356139393164 +32373039326138346465383736616433343234303762343161313661363563353864663538316662 +30613432356438663561626137316636623431656432346238303735313865326230633231633636 +33666434343038656266323866663634653063353864366163653737363938336235316565306635 +35646137313936303738623630356333623261303839346632363562646263616130643734353066 +61663761326264313732396166303362313231333166346231306165346630636331666262373631 +61636137356430633566323732303233656635643639353539626238613761386532336136663535 +32356561613635633230303733303836336635396338666134303464376437316163633238373365 +34363230383933613136343761326563633034306539623866376661336539303535336565393962 +62613138623334376134373566623034313365616238353864616265383533363037363463343835 +32623334663832333630326565633833373936376633343937363633363533633162646164393537 +35663765626362366234626432663064346231386265376132396335353130336432356435336337 +37636136303631366333316636313733376137343961393062613762333962616263373233633366 +30383236386462393732373464333363376638663465363634396238376564326363383432386438 +36363638383437643233393436383539333162373730633533666533343864346432623130626237 +33643436653732333532666333613038316539626536366265386332623563353133363663663530 +31643131653566323935393932353537343533343131666239663864653232633331363961663031 +37346664383031646264316132356433616631373936376435613666653139313630316665636237 +61626137653765623638393132303436366364353162333036353138376535626635343731666432 +34663032643936393732373966363534303435313234323334393964313235333263373136313962 +35386539393238326132346134346333626437353464333538623966363965663237353331363438 +34336630343930633363663062316639336630396164653236303538383537333062636535366461 +36393534336462633062316535376665303666643538303630653234396533323463323131303365 +38336636666238316332646162323164343436303264396335646466643165623937363934363734 +33366532396332393231633366353632363561663662633362343838653431356633633462393738 +62333236613831316334343837333465303535383036353933396436346235653162326266663934 +36633434633630303234333336633834623465613433333833666430353538663332396366316237 +39656638303763633535393932326132346266666635353462623132306331626266303336396362 +62346564636365353031366264656534376665366664386636633136373738323038663132643034 +39303261313333333465656666636435323338336335313166343431396238643738633534366364 +34383733383366626265313936353039613630626237636439343930393831323238333161656637 +34303763386635373237393463623838303738383434306639303161336337313831653862346535 +32363237333932343633653165663138393761656365363632393539356665613837343663396438 +62313333306262303435386330616233313230323338666537346265343562343065326362643461 +37373330386531646465393039656165333032383735643566366465366130313263653930336434 +32346234626561373236333934633130366134626239323963346536626339336139326536346238 +38396663323837393330343633313939656430343366626637396564653036303830633065396336 +61383234653130623933666262353339363737633230636239323339643032323264306636343161 +62636133656364303231666535393764633035393363313732306331663131393331366436373764 +32386134303532653934306239323362306637396263363361386638343631633761653534643061 +66613761336333643062306635313834333464343936333438636664666561393237303139366666 +30653263623738383839613564623635336236356630353031323636333631373339376366323834 +63393839656535313966643335636135336366336135376561303661633332363338363266646364 +30346536323835326165663336326337336431376337356161613566356562326334333566343963 +34316433343231343735313236313432323732616363653634323262393235333063386234376135 +62616536383339333461393462313365633834326638656433383032336639633861363466636462 +33643066363631633438363432316366313836383864663266633336373865633733353933323531 +61373531336130303834643739336237343966626239613731373034313232343764613637356564 +66366330346431663031613535633435356239376361663936646334383466373261316531653762 +63306138306334616333373139663432326366646534396331613265313465646338323063653735 +31653739616534303138363465653966613436613634616166323665613538363263346334336338 +34623235636630363332343566616336323636646235663132373633313230623639623962643466 +39356137313239653431383339646135616636616437623830353639616634306534663636386232 +39363864303733363164313130666536366664303733366132663439656333626562343063386336 +33396261663030333332333139353163623133663134363736326538653763373730326563313937 +62353434356232376630306538633731626435613639303165616535316164336637343362353465 +39633031366231633032313162336437336362626131613363353131663532646266306636396138 +62333939383065653866356633663834373265646366353261653661353465613766633638333836 +66643335396563316166393535623734303730346138386434323034643735313137313362306636 +31386565383032663937323334346462656436376633306638323562376238363339323530353230 +38353537333232306536386238653765393061646432646162626438636365323564363363316362 +64646662633036316530326437366530353234346231303865306665343061613134613338336664 +64313237643137633361643466313938623137366561376532646133366261633637623837653233 +33306263666665636136633531393866323232356562656135653464333836363830323634343338 +63633836386565336563646131333861666332336261393034326337323836393035346262663631 +64666635623362626235373433613132303037396136663630353334353938656434656337386134 +31666364626335626639396334396162326138626631353635323364383364616162353735303336 +38306330666538326130316635323562393963343635663666333038383564323832646239323062 +66356363323664663637656332363461363430393938313930316364623766303437623865633461 +31663133626235626265323661353531386232323836353737313138353330653936306339343235 +38663563653439626435373361383530646262656238306239643136373161396134336233366566 +38663863616139383738303061383431313763323336353463636361613132616363326133323339 +37363562363633393664643334386266366337353464336333336363373161663034303835396262 +61623233666137343963613161643164333336323130353538636565363735376561356561313133 +63333033336666393538396534353463393331363033353631393162653132396532623864333536 +61656231353437356532353066663261633861616530313332343263643635613034393563373961 +64663631383736613835376633633735626466636661353765303765643038623039303733636264 +66353133313464316633626661663665646264666133356133383435646563346332383865306235 +64353265393463326633646434633264303734626532663935326665363632393435333565306635 +35666464643364313039363264333261623365373330316637653038616639643637663437366663 +39643134613465376162396238376562643930323632643465393038333432663062383434626432 +34366665663761316564656436326331373165626237383839343736373063383765383032383762 +65303433353535393665323638666239336538326239363263646534653239333039643034656362 +35353062636334353264353964303938636563306631356664303965306331613134326264653730 +33613061633931663066616139646663343334323763343630636432353931313265303931343833 +63303831333032383839633263626539653139313561626432393731623932383733666464313061 +39393537393563343238306438313032353134383630386436643534306266393364303966393361 +32333538383863353031373735353932633633613538316261396164653230336463666165313965 +35653533393662393230343736303466643737353437333966653966613861646361303637323933 +34393365643235373762323631633930316538333835303230613265366265393938646432613964 +62323637326166303936303663313038393133316336653462313931663335316230306536356165 +62346432366234623232353666313131613330636436303830363261323465363164366637353238 +66656463353633343133326531333131396438663964623861323037623162303666613565663161 +66376531373739396463653461356131643131623561663633343331346237393063303932306239 +37363533323632323336373934323237656338623962323539376230616139353463336631306264 +38383233313261333466613462356234653530356535633439646432303862316236613834393765 +38373263636338343030366161316464656362653433353137323532356438643238373665346336 +63343230633163633066623936343661656565356533333433613838353937613233326464386462 +61613261333739376630363036656564363363616665313639313463323239666636396366303663 +38393466613561663436653736393431633530346263363964393961613833376235383664313331 +65363233326165643533373139663233636538653937313835316263633834326139386230643338 +66663133373739623236633338663435663838376633333534633337366135343438663365626533 +63393437613637383033363237633363633531356535366339386334363535643364356564313765 +33343039303035303739366239643333326461653736353362373133663331306362616339366236 +38636237366230313332336437376539333233626361333138663164383334336138643333363030 +63623166366163656431666233323564386236306165623162386639316131633939356136666336 +33376366353866343033373264626334303334383766623564313262303135666232313765653536 +34653430363436303237373833363765383963613865323566633436653266313036 diff --git a/ansible/inventories/prod/group_vars/idp/firewall.yml b/ansible/inventories/prod/group_vars/idp/firewall.yml new file mode 100644 index 0000000..8b7dad0 --- /dev/null +++ b/ansible/inventories/prod/group_vars/idp/firewall.yml @@ -0,0 +1,4 @@ +--- +ufw_allow: + - { port: "51820", proto: udp } + - { port: "9000", proto: tcp, from: "10.0.0.0/24" } diff --git a/ansible/inventories/prod/group_vars/proxy/firewall.yml b/ansible/inventories/prod/group_vars/proxy/firewall.yml new file mode 100644 index 0000000..2ca5768 --- /dev/null +++ b/ansible/inventories/prod/group_vars/proxy/firewall.yml @@ -0,0 +1,9 @@ +--- +ufw_allow: + - { port: "80" } + - { port: "443" } + - { port: "51820", proto: udp } + - { port: "5000", proto: tcp } + - { port: "5222", proto: tcp, from: "10.0.0.0/24" } + - { port: "5269", proto: tcp, from: "10.0.0.0/24" } + - { port: "53", proto: udp, from: "10.0.0.0/24" } diff --git a/ansible/inventories/prod/group_vars/wg_peers/wireguard.yml b/ansible/inventories/prod/group_vars/wg_peers/wireguard.yml new file mode 100644 index 0000000..89b84ec --- /dev/null +++ b/ansible/inventories/prod/group_vars/wg_peers/wireguard.yml @@ -0,0 +1,10 @@ +--- +wg_client_peers: + - + name: "Tiara's Pixel 8 Pro" + public_key: "0bMudTNuiRCaOdFKvWy+N6X2czYWt8nKe7OIiFS5LEY=" + allowed_ips: "10.0.0.3/32" + - + name: "Tiara's Workstation" + public_key: "8Cwcyqu3Xo0th6Lkk5arcG7MdgwEejocYrA/+RRbrgA=" + allowed_ips: "10.0.0.4/32" diff --git a/ansible/inventories/prod/hosts.ini b/ansible/inventories/prod/hosts.ini new file mode 100644 index 0000000..0858c45 --- /dev/null +++ b/ansible/inventories/prod/hosts.ini @@ -0,0 +1,13 @@ +[proxy] +hwsrv-953720.hostwindsdns.com ansible_user=tiara wg_endpoint=tiararodney.com + +[idp] +hwsrv-1317920.hostwindsdns.com ansible_user=tiara + +[docker_hosts:children] +proxy +idp + +[wg_peers:children] +proxy +idp diff --git a/ansible/playbooks/backup.yml b/ansible/playbooks/backup.yml new file mode 100644 index 0000000..236da81 --- /dev/null +++ b/ansible/playbooks/backup.yml @@ -0,0 +1,20 @@ +--- +- + hosts: proxy + become: yes + tasks: + - + name: Trigger backup + systemd: + name: restic-backup.service + state: started + +- + hosts: idp + become: yes + tasks: + - + name: Trigger backup + systemd: + name: restic-backup.service + state: started diff --git a/ansible/playbooks/restore.yml b/ansible/playbooks/restore.yml new file mode 100644 index 0000000..b20c955 --- /dev/null +++ b/ansible/playbooks/restore.yml @@ -0,0 +1,28 @@ +--- +- + hosts: proxy + become: yes + tasks: + - + include_role: { name: restic, tasks_from: restore-restic } + vars: + host_id: proxy + - + include_role: { name: kellnr, tasks_from: restore } + - + include_role: { name: devpi, tasks_from: restore } + - + include_role: { name: prosody, tasks_from: restore } + - + include_role: { name: comentario, tasks_from: restore } + +- + hosts: idp + become: yes + tasks: + - + include_role: { name: restic, tasks_from: restore-restic } + vars: + host_id: idp + - + include_role: { name: authentik, tasks_from: restore-authentik } diff --git a/ansible/playbooks/setup.yml b/ansible/playbooks/setup.yml new file mode 100644 index 0000000..a560b66 --- /dev/null +++ b/ansible/playbooks/setup.yml @@ -0,0 +1,425 @@ +--- +- + hosts: all + become: yes + tags: [host] + tasks: + - + include_role: { name: host } + vars: + ssh_pubkey_dir: "{{ playbook_dir }}/../../.ssh" +- + hosts: docker_hosts + become: yes + tags: [docker] + tasks: + - + include_role: { name: docker } + vars: + registry_mirror_ip: "10.0.0.1" + registry_mirrors: + - + upstream: docker.io + mirror: "https://dockerhub.oci.code.tiararodney.com" + - + upstream: ghcr.io + mirror: "https://ghcr.oci.code.tiararodney.com" +- + hosts: proxy + become: yes + tasks: + - + include_role: + name: restic + apply: { tags: [restic] } + tags: [restic] + vars: + host_id: proxy +- + hosts: idp + become: yes + tasks: + - + include_role: + name: restic + apply: { tags: [restic] } + tags: [restic] + vars: + host_id: idp +- + hosts: localhost + connection: local + gather_facts: false + tags: [letsencrypt, apache] + tasks: + - + name: Create letsencrypt certificate archive + command: + cmd: "tar czf /tmp/letsencrypt.tar.gz --dereference -C {{ (playbook_dir + '/../../letsencrypt') | realpath }} ." + creates: /tmp/letsencrypt.tar.gz +- + hosts: wg_peers + become: yes + tags: [wireguard] + tasks: + - + include_role: { name: wireguard } + - + include_role: { name: wireguard, tasks_from: generate-keys } +- + hosts: proxy + become: yes + tags: [wireguard] + tasks: + - + name: Build WireGuard peer list + set_fact: + wg_peers: + - + public_key: "{{ hostvars[groups['idp'][0]]['wg_public_key'] }}" + allowed_ips: "10.0.0.2/32" + when: groups['idp'][0] in hostvars and 'wg_public_key' in hostvars[groups['idp'][0]] + - + name: Append client peers + set_fact: + wg_peers: "{{ wg_peers + wg_client_peers }}" + when: wg_peers is defined + - + include_role: { name: wireguard, tasks_from: deploy-wireguard } + vars: + wg_address: "10.0.0.1/24" + when: wg_peers is defined + - + name: Display proxy WireGuard public key + debug: + msg: "Proxy WG public key: {{ wg_public_key }}" + when: wg_public_key is defined +- + hosts: idp + become: yes + tags: [wireguard] + tasks: + - + name: Build WireGuard peer list + set_fact: + wg_peers: + - + public_key: "{{ hostvars[groups['proxy'][0]]['wg_public_key'] }}" + allowed_ips: "10.0.0.1/32" + endpoint: "{{ hostvars[groups['proxy'][0]]['wg_endpoint'] }}:51820" + persistent_keepalive: true + when: groups['proxy'][0] in hostvars and 'wg_public_key' in hostvars[groups['proxy'][0]] + - + name: Append client peers + set_fact: + wg_peers: "{{ wg_peers + wg_client_peers }}" + when: wg_peers is defined + - + include_role: { name: wireguard, tasks_from: deploy-wireguard } + vars: + wg_address: "10.0.0.2/24" + when: wg_peers is defined +- + hosts: proxy + become: yes + vars: + chat_domain: chat.tiararodney.com + authentik_url: https://accounts.tiararodney.com + authentik_internal_url: http://10.0.0.2:9000 + tasks: + - + include_role: + name: host + tasks_from: setup-swap + apply: { tags: [host, swap] } + tags: [host, swap] + - + name: Ensure accounts.tiararodney.com resolves to localhost for mod_auth_openidc + tags: [apache, bugzilla] + lineinfile: + path: /etc/hosts + regexp: "accounts\\.tiararodney\\.com" + line: "127.0.0.1 accounts.tiararodney.com" + - + include_role: + name: dnsmasq + apply: { tags: [dnsmasq] } + tags: [dnsmasq] + vars: + dns_records: + - { domain: tiararodney.com, ip: "10.0.0.1" } + - + include_role: + name: apache + apply: { tags: [apache] } + tags: [apache] + vars: + letsencrypt_archive: /tmp/letsencrypt.tar.gz + - + include_role: + name: docker_registry + apply: { tags: [docker-registry] } + tags: [docker-registry] + vars: + hostname: dockerhub.oci.code.tiararodney.com + - + include_role: + name: docker_registry + apply: { tags: [docker-registry] } + tags: [docker-registry] + vars: + hostname: ghcr.oci.code.tiararodney.com + install_dir: /opt/docker-registry-ghcr + port: 5051 + remote_url: "https://ghcr.io" + - + include_role: + name: restic + tasks_from: restore-restic + apply: { tags: [registry-restore, never] } + tags: [registry-restore, never] + vars: + host_id: proxy + restore_include: /var/backups/docker-registry + - + include_role: + name: docker_registry + tasks_from: restore-registry + apply: { tags: [registry-restore, never] } + tags: [registry-restore, never] + - + include_role: + name: apache + tasks_from: deploy-static-site + apply: { tags: [blog] } + tags: [blog] + vars: + name: blog + server_name: blog.tiararodney.com + document_root: /var/www/blog.tiararodney.com + ssl_cert: "{{ ssl_cert_tiararodney }}" + ssl_key: "{{ ssl_key_tiararodney }}" + - + include_role: + name: apache + tasks_from: deploy-static-site + apply: { tags: [spec] } + tags: [spec] + vars: + name: spec + server_name: specs.code.tiararodney.com + document_root: /var/www/specs.code.tiararodney.com + directory_index: "README.html README.md README.txt" + ssl_cert: "{{ ssl_cert_tiararodney }}" + ssl_key: "{{ ssl_key_tiararodney }}" + - + include_role: + name: kellnr + apply: { tags: [kellnr] } + tags: [kellnr] + vars: + version: "6.0.0-rc.2" + hostname: crates.code.tiararodney.com + admin_pwd: "{{ vault_kellnr_admin_pwd }}" + - + include_role: + name: devpi + apply: { tags: [devpi] } + tags: [devpi] + vars: + hostname: pypi.code.tiararodney.com + - + include_role: + name: prosody + apply: { tags: [prosody] } + tags: [prosody] + vars: + version: "13.0" + domain: "{{ chat_domain }}" + admin_jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}" + bind_address: "10.0.0.1" + ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem + ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem + oauth_client_id: "{{ vault_xmpp_oauth_client_id }}" + oauth_userinfo_url: "{{ authentik_internal_url }}/application/o/userinfo/" + oauth_ropc_client_id: "{{ vault_xmpp_ropc_client_id }}" + oauth_ropc_client_secret: "{{ vault_xmpp_ropc_client_secret }}" + oauth_token_url: "{{ authentik_internal_url }}/application/o/token/" + session_timeout: 1800 + smtp_host: "{{ vault_prosody_smtp_hostname }}" + smtp_username: "{{ vault_prosody_smtp_username }}" + smtp_password: "{{ vault_prosody_smtp_password }}" + default_contacts: + - + jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}" + name: Tiara + - + include_role: + name: conversejs + apply: { tags: [conversejs] } + tags: [conversejs] + vars: + version: "12.0.0" + domain: "{{ chat_domain }}" + oauth_client_id: "{{ vault_xmpp_oauth_client_id }}" + oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/" + oauth_token_url: "{{ authentik_url }}/application/o/token/" + - + include_role: + name: apache + tasks_from: deploy-reverse-proxy + apply: { tags: [prosody, xmpp-upload] } + tags: [prosody, xmpp-upload] + vars: + vhost_name: xmpp-upload + server_name: "upload.{{ chat_domain }}" + ssl_cert: "{{ ssl_cert_tiararodney }}" + ssl_key: "{{ ssl_key_tiararodney }}" + backend_port: 5280 + - + include_role: + name: comentario + apply: { tags: [comentario] } + tags: [comentario] + vars: + version: "latest" + domain: comments.tiararodney.com + oauth_issuer_url: "{{ authentik_url }}/application/o/comentario" + oauth_client_id: "{{ vault_comentario_oauth_client_id }}" + oauth_client_secret: "{{ vault_comentario_oauth_client_secret }}" + smtp_host: "{{ vault_comentario_smtp_hostname }}" + smtp_username: "{{ vault_comentario_smtp_username }}" + smtp_password: "{{ vault_comentario_smtp_password }}" + - + include_role: + name: bugzilla + apply: { tags: [bugzilla] } + tags: [bugzilla] + vars: + version: "5.0.4.1" + domain: bugs.code.tiararodney.com + db_password: "{{ vault_bugzilla_db_password }}" + admin_email: "me@tiararodney.com" + admin_pwd: "{{ vault_bugzilla_admin_pwd }}" + oauth_issuer_url: "{{ authentik_url }}/application/o/bugs" + oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/" + oauth_token_url: "{{ authentik_url }}/application/o/token/" + oauth_userinfo_url: "{{ authentik_url }}/application/o/userinfo/" + oauth_jwks_url: "{{ authentik_url }}/application/o/bugs/jwks/" + oauth_client_id: "{{ vault_bugzilla_oauth_client_id }}" + oauth_client_secret: "{{ vault_bugzilla_oauth_client_secret }}" + oauth_crypto_passphrase: "{{ vault_bugzilla_oidc_passphrase }}" + smtp_host: "{{ vault_bugzilla_smtp_hostname }}" + smtp_username: "{{ vault_bugzilla_smtp_username }}" + smtp_password: "{{ vault_bugzilla_smtp_password }}" + - + include_role: + name: apache + tasks_from: deploy-reverse-proxy + apply: { tags: [authentik] } + tags: [authentik] + vars: + vhost_name: accounts + server_name: accounts.tiararodney.com + ssl_cert: "{{ ssl_cert_tiararodney }}" + ssl_key: "{{ ssl_key_tiararodney }}" + backend_host: "10.0.0.2" + backend_port: 9000 + websocket: true + restricted_locations: + - + path: "/if/admin/" + allowed_ips: ["10.0.0.0/24"] +- + hosts: idp + become: yes + tags: [authentik] + tasks: + - + include_role: + name: host + tasks_from: setup-zram + apply: { tags: [host, swap, zram] } + tags: [host, swap, zram] + - + include_role: { name: authentik } + vars: + version: "2026.2.1" + domain: "accounts.tiararodney.com" + pg_password: "{{ vault_pg_password }}" + secret_key: "{{ vault_secret_key }}" + bind_address: "10.0.0.2" + smtp_host: "{{ vault_authentik_smtp_hostname }}" + smtp_username: "{{ vault_authentik_smtp_username }}" + smtp_password: "{{ vault_authentik_smtp_password }}" + oauth_applications: + - + name: Chat + slug: chat + client_type: public + client_id: "{{ vault_xmpp_oauth_client_id }}" + redirect_uris: + - "https://chat.tiararodney.com/" + - + name: Chat XMPP + slug: chat-xmpp + client_id: "{{ vault_xmpp_ropc_client_id }}" + client_secret: "{{ vault_xmpp_ropc_client_secret }}" + redirect_uris: + - "https://chat.tiararodney.com/" + - + name: Comments + slug: comments + client_id: "{{ vault_comentario_oauth_client_id }}" + client_secret: "{{ vault_comentario_oauth_client_secret }}" + redirect_uris: + - "https://comments.tiararodney.com/api/oauth/oidc/callback/authentik" + - + name: Bugs + slug: bugs + client_id: "{{ vault_bugzilla_oauth_client_id }}" + client_secret: "{{ vault_bugzilla_oauth_client_secret }}" + redirect_uris: + - "https://bugs.code.tiararodney.com/oidc-callback" + social_login_sources: + - + name: Google Account + slug: google + provider_type: google + client_id: "{{ vault_social_google_client_id }}" + client_secret: "{{ vault_social_google_client_secret }}" + - + name: Microsoft Account + slug: microsoft + provider_type: entraid + client_id: "{{ vault_social_microsoft_client_id }}" + client_secret: "{{ vault_social_microsoft_client_secret }}" + - + name: Apple ID + slug: apple + provider_type: apple + client_id: "{{ vault_social_apple_client_id }}" + client_secret: "{{ vault_social_apple_client_secret }}" + - + name: Facebook Account + slug: facebook + provider_type: facebook + client_id: "{{ vault_social_facebook_client_id }}" + client_secret: "{{ vault_social_facebook_client_secret }}" + - + name: X (formerly Twitter) Account + slug: twitter + provider_type: twitter + client_id: "{{ vault_social_twitter_client_id }}" + client_secret: "{{ vault_social_twitter_client_secret }}" +- + hosts: proxy + become: yes + tasks: + - + name: Trigger registry backups + tags: [registry-backup, never] + command: "{{ item }}" + loop: + - /etc/restic/pre-backup.d/docker-registry.sh + - /etc/restic/pre-backup.d/docker-registry-ghcr.sh diff --git a/ansible/requirements.yml b/ansible/requirements.yml new file mode 100644 index 0000000..1dbc374 --- /dev/null +++ b/ansible/requirements.yml @@ -0,0 +1,4 @@ +collections: + - name: community.docker + - name: ansible.posix + - name: community.general diff --git a/ansible/roles/apache/defaults/main.yml b/ansible/roles/apache/defaults/main.yml new file mode 100644 index 0000000..0e6498e --- /dev/null +++ b/ansible/roles/apache/defaults/main.yml @@ -0,0 +1,5 @@ +--- +ssl_cert_tiararodney: /etc/letsencrypt/live/tiararodney.com/fullchain.pem +ssl_key_tiararodney: /etc/letsencrypt/live/tiararodney.com/privkey.pem +ssl_cert_administratrix: /etc/letsencrypt/live/administratrix.io/fullchain.pem +ssl_key_administratrix: /etc/letsencrypt/live/administratrix.io/privkey.pem diff --git a/ansible/roles/apache/handlers/main.yml b/ansible/roles/apache/handlers/main.yml new file mode 100644 index 0000000..e8706cc --- /dev/null +++ b/ansible/roles/apache/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- + name: reload apache + service: + name: "{{ apache_service }}" + state: reloaded diff --git a/ansible/roles/apache/meta/main.yml b/ansible/roles/apache/meta/main.yml new file mode 100644 index 0000000..23d65c7 --- /dev/null +++ b/ansible/roles/apache/meta/main.yml @@ -0,0 +1,2 @@ +--- +dependencies: [] diff --git a/ansible/roles/apache/tasks/deploy-reverse-proxy.yml b/ansible/roles/apache/tasks/deploy-reverse-proxy.yml new file mode 100644 index 0000000..244e3d4 --- /dev/null +++ b/ansible/roles/apache/tasks/deploy-reverse-proxy.yml @@ -0,0 +1,18 @@ +--- +- + name: Ensure Apache is installed + include_tasks: main.yml + +- + name: "Deploy {{ vhost_name }} reverse proxy vhost" + template: + src: reverse-proxy-vhost.conf.j2 + dest: "{{ apache_sites_available }}/{{ vhost_name }}.conf" + notify: reload apache + +- + name: "Enable {{ vhost_name }} site" + command: "{{ apache_enable_site_cmd }} {{ vhost_name }}" + args: + creates: "{{ apache_sites_enabled }}/{{ vhost_name }}.conf" + notify: reload apache diff --git a/ansible/roles/apache/tasks/deploy-static-site.yml b/ansible/roles/apache/tasks/deploy-static-site.yml new file mode 100644 index 0000000..23a5bc4 --- /dev/null +++ b/ansible/roles/apache/tasks/deploy-static-site.yml @@ -0,0 +1,27 @@ +--- +- + name: Ensure Apache is installed + include_tasks: main.yml + +- + name: Ensure document root exists + file: + path: "{{ document_root }}" + state: directory + owner: www-data + group: www-data + mode: "0755" + +- + name: Deploy vhost configuration + template: + src: static-site-vhost.conf.j2 + dest: "{{ apache_sites_available }}/{{ name }}.conf" + notify: reload apache + +- + name: Enable site + command: "{{ apache_enable_site_cmd }} {{ name }}" + args: + creates: "{{ apache_sites_enabled }}/{{ name }}.conf" + notify: reload apache diff --git a/ansible/roles/apache/tasks/install-apache.yml b/ansible/roles/apache/tasks/install-apache.yml new file mode 100644 index 0000000..029aec5 --- /dev/null +++ b/ansible/roles/apache/tasks/install-apache.yml @@ -0,0 +1,83 @@ +--- +- + name: Ensure letsencrypt directory exists + file: + path: /etc/letsencrypt + state: directory + mode: "0700" + +- + name: Deploy SSL certificates + unarchive: + src: "{{ letsencrypt_archive }}" + dest: /etc/letsencrypt/ + when: letsencrypt_archive is defined + notify: reload apache + +- + name: Ensure SSL private keys are readable by containers + shell: find /etc/letsencrypt -name 'privkey*.pem' -exec chmod 644 {} + + changed_when: false + when: letsencrypt_archive is defined + +- + name: Install Apache + apt: + name: "{{ apache_package }}" + state: present + update_cache: yes + +- + name: Enable Apache modules + community.general.apache2_module: + name: "{{ item }}" + state: present + loop: + - proxy + - proxy_http + - proxy_wstunnel + - ssl + - rewrite + - headers + - auth_basic + - autoindex + notify: reload apache + +- + name: Disable default site + command: "{{ apache_disable_site_cmd }} 000-default" + args: + removes: "{{ apache_sites_enabled }}/000-default.conf" + notify: reload apache + +- + name: Ensure tiararodney.com document root exists + file: + path: /var/www/tiararodney.com + state: directory + mode: "0755" + +- + name: Deploy tiararodney.com vhost + template: + src: 000-default-redirect.conf.j2 + dest: "{{ apache_sites_available }}/000-default-redirect.conf" + notify: reload apache + +- + name: Enable tiararodney.com redirect vhost + command: "{{ apache_enable_site_cmd }} 000-default-redirect" + args: + creates: "{{ apache_sites_enabled }}/000-default-redirect.conf" + notify: reload apache + +- + name: Ensure Apache is started and enabled + service: + name: "{{ apache_service }}" + state: started + enabled: yes + +- + name: Ensure Apache is reloaded with current config + meta: flush_handlers diff --git a/ansible/roles/apache/tasks/main.yml b/ansible/roles/apache/tasks/main.yml new file mode 100644 index 0000000..3cb919e --- /dev/null +++ b/ansible/roles/apache/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- + name: Load OS-specific variables + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" + +- + name: Install and configure Apache + ansible.builtin.include_tasks: install-apache.yml diff --git a/ansible/roles/apache/templates/000-default-redirect.conf.j2 b/ansible/roles/apache/templates/000-default-redirect.conf.j2 new file mode 100644 index 0000000..705fe40 --- /dev/null +++ b/ansible/roles/apache/templates/000-default-redirect.conf.j2 @@ -0,0 +1,18 @@ + + ServerName tiararodney.com + Redirect permanent / https://tiararodney.com/ + + + + ServerName tiararodney.com + SSLEngine on + SSLCertificateFile {{ ssl_cert_tiararodney }} + SSLCertificateKeyFile {{ ssl_key_tiararodney }} + + DocumentRoot /var/www/tiararodney.com + + Options FollowSymLinks + AllowOverride None + Require all granted + + diff --git a/ansible/roles/apache/templates/reverse-proxy-vhost.conf.j2 b/ansible/roles/apache/templates/reverse-proxy-vhost.conf.j2 new file mode 100644 index 0000000..28bb823 --- /dev/null +++ b/ansible/roles/apache/templates/reverse-proxy-vhost.conf.j2 @@ -0,0 +1,31 @@ + + ServerName {{ server_name }} + Redirect permanent / https://{{ server_name }}/ + + + + ServerName {{ server_name }} + SSLEngine on + SSLCertificateFile {{ ssl_cert }} + SSLCertificateKeyFile {{ ssl_key }} + +{% for loc in restricted_locations | default([]) %} + +{% for ip in loc.allowed_ips %} + Require ip {{ ip }} +{% endfor %} + +{% endfor %} + + ProxyPreserveHost on + RequestHeader set X-Forwarded-Proto "https" + RequestHeader set X-Forwarded-Ssl "on" +{% if websocket | default(false) %} + RewriteEngine on + RewriteCond %{HTTP:Upgrade} websocket [NC] + RewriteCond %{HTTP:Connection} upgrade [NC] + RewriteRule ^/(.*) ws://{{ backend_host | default('127.0.0.1') }}:{{ backend_port }}/$1 [P,L] +{% endif %} + ProxyPass / http://{{ backend_host | default('127.0.0.1') }}:{{ backend_port }}/ + ProxyPassReverse / http://{{ backend_host | default('127.0.0.1') }}:{{ backend_port }}/ + diff --git a/ansible/roles/apache/templates/static-site-vhost.conf.j2 b/ansible/roles/apache/templates/static-site-vhost.conf.j2 new file mode 100644 index 0000000..359e709 --- /dev/null +++ b/ansible/roles/apache/templates/static-site-vhost.conf.j2 @@ -0,0 +1,21 @@ + + ServerName {{ server_name }} + Redirect permanent / https://{{ server_name }}/ + + + + ServerName {{ server_name }} + SSLEngine on + SSLCertificateFile {{ ssl_cert }} + SSLCertificateKeyFile {{ ssl_key }} + + DocumentRoot {{ document_root }} + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + +{% if directory_index is defined %} + DirectoryIndex {{ directory_index }} +{% endif %} + diff --git a/ansible/roles/apache/vars/Debian.yml b/ansible/roles/apache/vars/Debian.yml new file mode 100644 index 0000000..5502e0e --- /dev/null +++ b/ansible/roles/apache/vars/Debian.yml @@ -0,0 +1,7 @@ +--- +apache_package: apache2 +apache_service: apache2 +apache_sites_available: /etc/apache2/sites-available +apache_sites_enabled: /etc/apache2/sites-enabled +apache_enable_site_cmd: a2ensite +apache_disable_site_cmd: a2dissite diff --git a/ansible/roles/authentik/defaults/main.yml b/ansible/roles/authentik/defaults/main.yml new file mode 100644 index 0000000..58f79e0 --- /dev/null +++ b/ansible/roles/authentik/defaults/main.yml @@ -0,0 +1,9 @@ +--- +install_dir: /opt/authentik +bind_address: "0.0.0.0" +port: 9000 +postgres_shared_buffers: 64MB +postgres_work_mem: 4MB +postgres_maintenance_work_mem: 32MB +postgres_effective_cache_size: 256MB +redis_maxmemory: 80mb diff --git a/ansible/roles/authentik/files/branding/.gitkeep b/ansible/roles/authentik/files/branding/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/authentik/meta/main.yml b/ansible/roles/authentik/meta/main.yml new file mode 100644 index 0000000..de32aa1 --- /dev/null +++ b/ansible/roles/authentik/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - + role: docker diff --git a/ansible/roles/authentik/tasks/deploy-authentik.yml b/ansible/roles/authentik/tasks/deploy-authentik.yml new file mode 100644 index 0000000..4579f1a --- /dev/null +++ b/ansible/roles/authentik/tasks/deploy-authentik.yml @@ -0,0 +1,92 @@ +--- +- + name: Ensure install directory exists + file: + path: "{{ install_dir }}" + state: directory + mode: "0755" + +- + name: Deploy environment file + template: + src: env.j2 + dest: "{{ install_dir }}/.env" + +- + name: Ensure blueprints directory exists + file: + path: "{{ install_dir }}/blueprints" + state: directory + mode: "0755" + +- + name: Deploy OAuth2 blueprint + template: + src: blueprint-oauth2.yml.j2 + dest: "{{ install_dir }}/blueprints/oauth2-applications.yaml" + when: oauth_applications is defined and oauth_applications | length > 0 + +- + name: Deploy enrollment blueprint + template: + src: blueprint-enrollment.yml.j2 + dest: "{{ install_dir }}/blueprints/enrollment.yaml" + +- + name: Deploy social login blueprint + template: + src: blueprint-social-logins.yml.j2 + dest: "{{ install_dir }}/blueprints/social-logins.yaml" + when: social_login_sources is defined and social_login_sources | length > 0 + +- + name: Ensure media directory exists + file: + path: "{{ install_dir }}/media/public" + state: directory + mode: "0755" + +- + name: Copy branding assets + copy: + src: branding/ + dest: "{{ install_dir }}/media/public/" + mode: "0644" + when: branding_assets | default(false) + +- + name: Ensure custom-templates email directory exists + file: + path: "{{ install_dir }}/custom-templates/email" + state: directory + mode: "0755" + +- + name: Deploy custom email templates + template: + src: "email/{{ item }}.j2" + dest: "{{ install_dir }}/custom-templates/email/{{ item }}" + loop: + - account-confirmation.html + - password-reset.html + +- + name: Deploy docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ install_dir }}/docker-compose.yml" + +- + name: Start Authentik stack + include_role: + name: docker + tasks_from: start-compose + vars: + compose_project_dir: "{{ install_dir }}" + +- + name: Deploy Authentik backup script + template: + src: backup.sh.j2 + dest: /etc/restic/pre-backup.d/authentik.sh + mode: "0755" diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml new file mode 100644 index 0000000..13bd2c0 --- /dev/null +++ b/ansible/roles/authentik/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy Authentik + ansible.builtin.include_tasks: deploy-authentik.yml diff --git a/ansible/roles/authentik/tasks/restore-authentik.yml b/ansible/roles/authentik/tasks/restore-authentik.yml new file mode 100644 index 0000000..69e9789 --- /dev/null +++ b/ansible/roles/authentik/tasks/restore-authentik.yml @@ -0,0 +1,46 @@ +--- +- + name: Set backup staging directory + set_fact: + _authentik_backup_dir: "{{ backup_staging_dir | default('/var/backups') }}/authentik" + +- + name: Stop Authentik stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: absent + +- + name: Restore config files + copy: + src: "{{ _authentik_backup_dir }}/{{ item }}" + dest: "{{ install_dir }}/{{ item }}" + remote_src: yes + mode: "0600" + loop: + - .env + - docker-compose.yml + +- + name: Start Postgres only + command: > + docker compose -f {{ install_dir }}/docker-compose.yml + up -d postgres + +- + name: Wait for Postgres to be ready + pause: + seconds: 10 + +- + name: Restore Postgres dump + shell: > + docker compose -f {{ install_dir }}/docker-compose.yml + exec -T postgres psql -U authentik authentik + < {{ _authentik_backup_dir }}/authentik.sql + +- + name: Start full Authentik stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: present diff --git a/ansible/roles/authentik/templates/backup.sh.j2 b/ansible/roles/authentik/templates/backup.sh.j2 new file mode 100644 index 0000000..671e88a --- /dev/null +++ b/ansible/roles/authentik/templates/backup.sh.j2 @@ -0,0 +1,7 @@ +#!/bin/bash +set -euo pipefail +BACKUP_DIR="{{ backup_staging_dir | default('/var/backups') }}/authentik" +mkdir -p "$BACKUP_DIR" +docker compose -f {{ install_dir }}/docker-compose.yml exec -T postgres pg_dump -U authentik authentik > "$BACKUP_DIR/authentik.sql" +cp "{{ install_dir }}/.env" "$BACKUP_DIR/.env" +cp "{{ install_dir }}/docker-compose.yml" "$BACKUP_DIR/docker-compose.yml" diff --git a/ansible/roles/authentik/templates/blueprint-enrollment.yml.j2 b/ansible/roles/authentik/templates/blueprint-enrollment.yml.j2 new file mode 100644 index 0000000..53078ae --- /dev/null +++ b/ansible/roles/authentik/templates/blueprint-enrollment.yml.j2 @@ -0,0 +1,326 @@ +version: 1 +metadata: + name: enrollment-flow +entries: + # --- Brand configuration --- + - model: authentik_brands.brand + identifiers: + domain: authentik-default + state: present + attrs: + branding_title: {{ domain }} +{% if branding_logo is defined %} + branding_logo: {{ branding_logo }} +{% endif %} +{% if branding_favicon is defined %} + branding_favicon: {{ branding_favicon }} +{% endif %} + + # --- Enrollment flow --- + - model: authentik_flows.flow + id: enrollment-flow + identifiers: + slug: default-enrollment-flow + attrs: + name: Sign Up + title: Create an account + designation: enrollment + authentication: require_unauthenticated + + # --- Recovery flow --- + - model: authentik_flows.flow + id: recovery-flow + identifiers: + slug: default-recovery-flow + attrs: + name: Password Recovery + title: Reset your password + designation: recovery + authentication: require_unauthenticated + + # --- Prompt fields --- + - model: authentik_stages_prompt.prompt + id: field-email + identifiers: + name: enrollment-field-email + attrs: + field_key: email + label: Email + type: email + required: true + placeholder: Email + placeholder_expression: false + order: 0 + + - model: authentik_stages_prompt.prompt + id: field-username + identifiers: + name: enrollment-field-username + attrs: + field_key: username + label: Username + type: username + required: true + placeholder: Username + placeholder_expression: false + order: 1 + + - model: authentik_stages_prompt.prompt + id: field-password + identifiers: + name: enrollment-field-password + attrs: + field_key: password + label: Password + type: password + required: true + placeholder: Password + placeholder_expression: false + order: 2 + + - model: authentik_stages_prompt.prompt + id: field-password-repeat + identifiers: + name: enrollment-field-password-repeat + attrs: + field_key: password_repeat + label: Password (repeat) + type: password + required: true + placeholder: Password (repeat) + placeholder_expression: false + order: 3 + + # --- Password policy --- + - model: authentik_policies_password.passwordpolicy + id: password-policy + identifiers: + name: enrollment-password-policy + attrs: + name: enrollment-password-policy + length_min: 10 + amount_uppercase: 1 + amount_lowercase: 1 + amount_digits: 1 + amount_symbols: 1 + check_static_rules: true + check_have_i_been_pwned: true + check_zxcvbn: true + zxcvbn_score_threshold: 3 + error_message: "Password must be at least 10 characters with uppercase, lowercase, digit, and symbol." + + # --- Enrollment stages --- + - model: authentik_stages_prompt.promptstage + id: enrollment-prompt-stage + identifiers: + name: enrollment-prompt + attrs: + fields: + - !KeyOf field-email + - !KeyOf field-username + - !KeyOf field-password + - !KeyOf field-password-repeat + validation_policies: + - !KeyOf password-policy + + - model: authentik_stages_user_write.userwritestage + id: enrollment-user-write + identifiers: + name: enrollment-user-write + attrs: + user_creation_mode: always_create + create_users_as_inactive: true + + - model: authentik_stages_email.emailstage + id: enrollment-email-verification + identifiers: + name: enrollment-email-verification + attrs: + use_global_settings: true + activate_user_on_success: true + subject: Verify your email address + template: email/account-confirmation.html + + - model: authentik_stages_user_login.userloginstage + id: enrollment-user-login + identifiers: + name: enrollment-user-login + + # --- Enrollment flow stage bindings --- + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf enrollment-flow + stage: !KeyOf enrollment-prompt-stage + order: 10 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf enrollment-flow + stage: !KeyOf enrollment-user-write + order: 20 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf enrollment-flow + stage: !KeyOf enrollment-email-verification + order: 30 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf enrollment-flow + stage: !KeyOf enrollment-user-login + order: 100 + + # --- Recovery stages --- + - model: authentik_stages_identification.identificationstage + id: recovery-identification + identifiers: + name: recovery-identification + attrs: + user_fields: + - email + + - model: authentik_stages_email.emailstage + id: recovery-email + identifiers: + name: recovery-email + attrs: + use_global_settings: true + subject: Reset your password + template: email/password-reset.html + + - model: authentik_stages_prompt.prompt + id: field-recovery-password + identifiers: + name: recovery-field-password + attrs: + field_key: password + label: New Password + type: password + required: true + placeholder: New Password + placeholder_expression: false + order: 0 + + - model: authentik_stages_prompt.prompt + id: field-recovery-password-repeat + identifiers: + name: recovery-field-password-repeat + attrs: + field_key: password_repeat + label: New Password (repeat) + type: password + required: true + placeholder: New Password (repeat) + placeholder_expression: false + order: 1 + + - model: authentik_stages_prompt.promptstage + id: recovery-password-stage + identifiers: + name: recovery-password-prompt + attrs: + fields: + - !KeyOf field-recovery-password + - !KeyOf field-recovery-password-repeat + validation_policies: + - !KeyOf password-policy + + - model: authentik_stages_user_write.userwritestage + id: recovery-user-write + identifiers: + name: recovery-user-write + attrs: + user_creation_mode: never_create + + - model: authentik_stages_user_login.userloginstage + id: recovery-user-login + identifiers: + name: recovery-user-login + + # --- Recovery flow stage bindings --- + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf recovery-flow + stage: !KeyOf recovery-identification + order: 10 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf recovery-flow + stage: !KeyOf recovery-email + order: 20 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf recovery-flow + stage: !KeyOf recovery-password-stage + order: 30 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf recovery-flow + stage: !KeyOf recovery-user-write + order: 40 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf recovery-flow + stage: !KeyOf recovery-user-login + order: 100 + + # --- Unenrollment (account deletion) flow --- + - model: authentik_flows.flow + id: unenrollment-flow + identifiers: + slug: default-unenrollment-flow + attrs: + name: Delete Account + title: Delete your account + designation: unenrollment + + - model: authentik_stages_consent.consentstage + id: unenrollment-consent + identifiers: + name: unenrollment-consent + attrs: + mode: always_require + + - model: authentik_stages_user_delete.userdeletestage + id: unenrollment-user-delete + identifiers: + name: unenrollment-user-delete + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf unenrollment-flow + stage: !KeyOf unenrollment-consent + order: 10 + + - model: authentik_flows.flowstagebinding + identifiers: + target: !KeyOf unenrollment-flow + stage: !KeyOf unenrollment-user-delete + order: 20 + + # --- Set recovery and unenrollment flows on brand --- + - model: authentik_brands.brand + identifiers: + domain: authentik-default + state: present + attrs: + flow_recovery: !KeyOf recovery-flow + flow_unenrollment: !KeyOf unenrollment-flow + +{% if social_login_sources is not defined or social_login_sources | length == 0 %} + # --- Bind enrollment flow to the default login identification stage --- + - model: authentik_stages_identification.identificationstage + identifiers: + name: default-authentication-identification + state: present + attrs: + user_fields: + - email + - username + enrollment_flow: !KeyOf enrollment-flow +{% endif %} diff --git a/ansible/roles/authentik/templates/blueprint-oauth2.yml.j2 b/ansible/roles/authentik/templates/blueprint-oauth2.yml.j2 new file mode 100644 index 0000000..2306fd7 --- /dev/null +++ b/ansible/roles/authentik/templates/blueprint-oauth2.yml.j2 @@ -0,0 +1,67 @@ +version: 1 +metadata: + name: oauth2-applications +entries: +{% for app in oauth_applications %} + - model: authentik_providers_oauth2.oauth2provider + identifiers: + name: {{ app.name }} + state: present + attrs: + name: {{ app.name }} + client_type: {{ app.client_type | default('confidential') }} + client_id: {{ app.client_id }} +{% if app.client_secret is defined %} + client_secret: {{ app.client_secret }} +{% endif %} + authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]] + authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] + invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] + redirect_uris: +{% for uri in app.redirect_uris %} + - url: "{{ uri }}" + matching_mode: strict +{% endfor %} + property_mappings: + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] + signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] + + - model: authentik_core.application + identifiers: + slug: {{ app.slug }} + state: present + attrs: + name: {{ app.name }} + slug: {{ app.slug }} + provider: !Find [authentik_providers_oauth2.oauth2provider, [name, {{ app.name }}]] + policy_engine_mode: any + +{% endfor %} + - model: authentik_policies_expression.expressionpolicy + identifiers: + name: enforce-unique-email + state: present + attrs: + name: enforce-unique-email + expression: | + from authentik.core.models import User + email = request.context.get("prompt_data", {}).get("email", "") + if not email: + return True + if User.objects.filter(email=email).exists(): + ak_message("This email address is already in use.") + return False + return True + execution_logging: true + + - model: authentik_stages_prompt.promptstage + identifiers: + name: default-source-enrollment-prompt + state: present + attrs: + fields: + - !Find [authentik_stages_prompt.prompt, [name, default-source-enrollment-field-username]] + validation_policies: + - !Find [authentik_policies_expression.expressionpolicy, [name, enforce-unique-email]] diff --git a/ansible/roles/authentik/templates/blueprint-social-logins.yml.j2 b/ansible/roles/authentik/templates/blueprint-social-logins.yml.j2 new file mode 100644 index 0000000..cd0ae78 --- /dev/null +++ b/ansible/roles/authentik/templates/blueprint-social-logins.yml.j2 @@ -0,0 +1,35 @@ +version: 1 +metadata: + name: social-login-sources +entries: +{% for source in social_login_sources %} + - model: authentik_sources_oauth.oauthsource + id: source-{{ source.slug }} + identifiers: + slug: {{ source.slug }} + state: present + attrs: + name: {{ source.name }} + slug: {{ source.slug }} + provider_type: {{ source.provider_type }} + consumer_key: {{ source.client_id }} + consumer_secret: {{ source.client_secret }} + authentication_flow: !Find [authentik_flows.flow, [slug, default-source-authentication]] + enrollment_flow: !Find [authentik_flows.flow, [slug, default-source-enrollment]] + +{% endfor %} + # --- Add social login sources to the login identification stage --- + - model: authentik_stages_identification.identificationstage + identifiers: + name: default-authentication-identification + state: present + attrs: + user_fields: + - email + - username + enrollment_flow: !Find [authentik_flows.flow, [slug, default-enrollment-flow]] + recovery_flow: !Find [authentik_flows.flow, [slug, default-recovery-flow]] + sources: +{% for source in social_login_sources %} + - !KeyOf source-{{ source.slug }} +{% endfor %} diff --git a/ansible/roles/authentik/templates/docker-compose.yml.j2 b/ansible/roles/authentik/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..7637f70 --- /dev/null +++ b/ansible/roles/authentik/templates/docker-compose.yml.j2 @@ -0,0 +1,51 @@ +services: + postgres: + image: postgres:15 + environment: + POSTGRES_PASSWORD: "${AUTHENTIK_POSTGRESQL__PASSWORD}" + POSTGRES_USER: "authentik" + POSTGRES_DB: "authentik" + volumes: + - postgres_data:/var/lib/postgresql/data + command: > + postgres -c shared_buffers={{ postgres_shared_buffers }} + -c work_mem={{ postgres_work_mem }} + -c maintenance_work_mem={{ postgres_maintenance_work_mem }} + -c effective_cache_size={{ postgres_effective_cache_size }} + restart: unless-stopped + + redis: + image: redis:7 + command: ["redis-server", "--maxmemory", "{{ redis_maxmemory }}", "--maxmemory-policy", "allkeys-lru"] + restart: unless-stopped + + server: + image: ghcr.io/goauthentik/server:{{ version }} + command: server + env_file: .env + ports: + - "{{ bind_address }}:{{ port }}:9000" + volumes: + - ./blueprints:/blueprints/custom:ro + - ./media:/media:ro + - ./custom-templates:/templates:ro + depends_on: + - postgres + - redis + restart: unless-stopped + + worker: + image: ghcr.io/goauthentik/server:{{ version }} + command: worker + env_file: .env + volumes: + - ./blueprints:/blueprints/custom:ro + - ./media:/media:ro + - ./custom-templates:/templates:ro + depends_on: + - postgres + - redis + restart: unless-stopped + +volumes: + postgres_data: diff --git a/ansible/roles/authentik/templates/email/account-confirmation.html.j2 b/ansible/roles/authentik/templates/email/account-confirmation.html.j2 new file mode 100644 index 0000000..d825853 --- /dev/null +++ b/ansible/roles/authentik/templates/email/account-confirmation.html.j2 @@ -0,0 +1,35 @@ +{% raw %}{% load i18n %} +{% load humanize %} + + + + + + + {% blocktrans with domain=branding_title %}Verify your email - {{ domain }}{% endblocktrans %} + + + +

{% blocktrans with domain=branding_title %}Welcome to {{ domain }}{% endblocktrans %}

{% blocktrans with username=user.username %}Hi {{ username }},{% endblocktrans %}

{% blocktrans %}Please click the button below to verify your email address and activate your account.{% endblocktrans %}

+ {% trans "Verify Email" %} +

{% blocktrans with expiry=expires|naturaltime %}This link will expire {{ expiry }}.{% endblocktrans %}

{% blocktrans %}If you did not create an account, you can safely ignore this email.{% endblocktrans %}

+ +

+ +{% endraw %} diff --git a/ansible/roles/authentik/templates/email/password-reset.html.j2 b/ansible/roles/authentik/templates/email/password-reset.html.j2 new file mode 100644 index 0000000..58f8014 --- /dev/null +++ b/ansible/roles/authentik/templates/email/password-reset.html.j2 @@ -0,0 +1,35 @@ +{% raw %}{% load i18n %} +{% load humanize %} + + + + + + + {% blocktrans with domain=branding_title %}Reset your password - {{ domain }}{% endblocktrans %} + + + +

{% trans "Reset your password" %}

{% blocktrans with username=user.username %}Hi {{ username }},{% endblocktrans %}

{% blocktrans with domain=branding_title %}A password reset was requested for your account on {{ domain }}.{% endblocktrans %}

+ {% trans "Reset Password" %} +

{% blocktrans with expiry=expires|naturaltime %}This link will expire {{ expiry }}.{% endblocktrans %}

{% blocktrans %}If you did not request a password reset, you can safely ignore this email.{% endblocktrans %}

+ +

+ +{% endraw %} diff --git a/ansible/roles/authentik/templates/env.j2 b/ansible/roles/authentik/templates/env.j2 new file mode 100644 index 0000000..68cef99 --- /dev/null +++ b/ansible/roles/authentik/templates/env.j2 @@ -0,0 +1,19 @@ +AUTHENTIK_SECRET_KEY={{ secret_key }} +AUTHENTIK_POSTGRESQL__PASSWORD={{ pg_password }} +AUTHENTIK_POSTGRESQL__HOST=postgres +AUTHENTIK_POSTGRESQL__USER=authentik +AUTHENTIK_POSTGRESQL__NAME=authentik +AUTHENTIK_REDIS__HOST=redis +AUTHENTIK_HOST={{ domain }} +AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=10.0.0.0/24,172.16.0.0/12 +AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true +AUTHENTIK_DISABLE_UPDATE_CHECK=true +AUTHENTIK_ERROR_REPORTING__ENABLED=false +{% if smtp_host is defined %} +AUTHENTIK_EMAIL__HOST={{ smtp_host }} +AUTHENTIK_EMAIL__PORT={{ smtp_port | default(587) }} +AUTHENTIK_EMAIL__USERNAME={{ smtp_username }} +AUTHENTIK_EMAIL__PASSWORD={{ smtp_password }} +AUTHENTIK_EMAIL__USE_TLS=true +AUTHENTIK_EMAIL__FROM={{ smtp_from | default(smtp_username) }} +{% endif %} diff --git a/ansible/roles/bugzilla/defaults/main.yml b/ansible/roles/bugzilla/defaults/main.yml new file mode 100644 index 0000000..5cc0246 --- /dev/null +++ b/ansible/roles/bugzilla/defaults/main.yml @@ -0,0 +1,9 @@ +--- +install_dir: /opt/bugzilla +bugzilla_dir: /opt/bugzilla/bugzilla +bugzilla_download_url: "https://ftp.mozilla.org/pub/webtools/bugzilla/5.0-branch/bugzilla-{{ version }}.tar.gz" +db_port: 5433 +db_name: bugzilla +db_user: bugzilla +ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem +ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem diff --git a/ansible/roles/bugzilla/meta/main.yml b/ansible/roles/bugzilla/meta/main.yml new file mode 100644 index 0000000..0b6f13a --- /dev/null +++ b/ansible/roles/bugzilla/meta/main.yml @@ -0,0 +1,6 @@ +--- +dependencies: + - + role: docker + - + role: apache diff --git a/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml b/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml new file mode 100644 index 0000000..bd83bc3 --- /dev/null +++ b/ansible/roles/bugzilla/tasks/deploy-bugzilla.yml @@ -0,0 +1,160 @@ +--- +- + name: Include OS-specific variables + include_vars: "{{ ansible_os_family }}.yml" + +- + name: Ensure install directory exists + file: + path: "{{ install_dir }}" + state: directory + mode: "0755" + +- + name: Install Bugzilla Perl dependencies + apt: + name: "{{ bugzilla_packages }}" + state: present + update_cache: yes + +- + name: Enable Apache modules for Bugzilla + community.general.apache2_module: + name: "{{ item }}" + state: present + loop: + - cgid + - expires + - auth_openidc + notify: reload apache + +- + name: Deploy docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ install_dir }}/docker-compose.yml" + +- + name: Start bugzilla database + include_role: + name: docker + tasks_from: start-compose + vars: + compose_project_dir: "{{ install_dir }}" + +- + name: Download Bugzilla + unarchive: + src: "{{ bugzilla_download_url }}" + dest: "{{ install_dir }}" + remote_src: yes + creates: "{{ install_dir }}/bugzilla-{{ version }}" + +- + name: Symlink versioned directory to bugzilla_dir + file: + src: "{{ install_dir }}/bugzilla-{{ version }}" + dest: "{{ bugzilla_dir }}" + state: link + when: bugzilla_dir != install_dir + '/bugzilla-' + version + +- + name: Deploy localconfig + template: + src: localconfig.j2 + dest: "{{ bugzilla_dir }}/localconfig" + mode: "0640" + group: www-data + +- + name: Deploy checksetup answers file + template: + src: checksetup-answers.j2 + dest: "{{ install_dir }}/checksetup-answers.pl" + mode: "0600" + +- + name: Wait for PostgreSQL to be ready + wait_for: + host: 127.0.0.1 + port: "{{ db_port }}" + delay: 2 + timeout: 30 + +- + name: Run Bugzilla checksetup + command: + cmd: "perl checksetup.pl {{ install_dir }}/checksetup-answers.pl" + chdir: "{{ bugzilla_dir }}" + register: checksetup_result + retries: 3 + delay: 5 + until: checksetup_result.rc == 0 + +- + name: Run Bugzilla checksetup again to generate params.json + command: + cmd: "perl checksetup.pl {{ install_dir }}/checksetup-answers.pl" + chdir: "{{ bugzilla_dir }}" + creates: "{{ bugzilla_dir }}/data/params.json" + +- + name: Configure Bugzilla Env auth login class + replace: + path: "{{ bugzilla_dir }}/data/params.json" + regexp: '"user_info_class"\s*:\s*"CGI"' + replace: '"user_info_class" : "Env,CGI"' + when: oauth_client_id is defined + +- + name: Configure Bugzilla Env auth email variable + replace: + path: "{{ bugzilla_dir }}/data/params.json" + regexp: '"auth_env_email"\s*:\s*""' + replace: '"auth_env_email" : "OIDC_CLAIM_email"' + when: oauth_client_id is defined + +- + name: Configure Bugzilla Env auth realname variable + replace: + path: "{{ bugzilla_dir }}/data/params.json" + regexp: '"auth_env_realname"\s*:\s*""' + replace: '"auth_env_realname" : "OIDC_CLAIM_name"' + when: oauth_client_id is defined + +- + name: Set Bugzilla file ownership + file: + path: "{{ install_dir }}/bugzilla-{{ version }}" + state: directory + owner: www-data + group: www-data + recurse: yes + +- + name: Deploy bugzilla vhost + template: + src: bugzilla-vhost.conf.j2 + dest: "{{ apache_sites_available }}/bugzilla.conf" + notify: reload apache + +- + name: Enable bugzilla site + command: "{{ apache_enable_site_cmd }} bugzilla" + args: + creates: "{{ apache_sites_enabled }}/bugzilla.conf" + notify: reload apache + +- + name: Deploy bugzilla backup script + include_role: + name: docker + tasks_from: deploy-backup + vars: + backup_name: bugzilla + backup_hook_dir: /etc/restic/pre-backup.d + backup_volumes: + - bugzilla_postgres_data + backup_files: + - "{{ install_dir }}/docker-compose.yml" + - "{{ bugzilla_dir }}/localconfig" diff --git a/ansible/roles/bugzilla/tasks/main.yml b/ansible/roles/bugzilla/tasks/main.yml new file mode 100644 index 0000000..5c090a4 --- /dev/null +++ b/ansible/roles/bugzilla/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy bugzilla + ansible.builtin.include_tasks: deploy-bugzilla.yml diff --git a/ansible/roles/bugzilla/tasks/restore.yml b/ansible/roles/bugzilla/tasks/restore.yml new file mode 100644 index 0000000..47fcf08 --- /dev/null +++ b/ansible/roles/bugzilla/tasks/restore.yml @@ -0,0 +1,42 @@ +--- +- + name: Set backup staging directory + set_fact: + _bugzilla_backup_dir: "{{ backup_staging_dir | default('/var/backups') }}/bugzilla" + +- + name: Stop bugzilla database + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: absent + +- + name: Restore docker-compose file + copy: + src: "{{ _bugzilla_backup_dir }}/docker-compose.yml" + dest: "{{ install_dir }}/docker-compose.yml" + remote_src: yes + mode: "0600" + +- + name: Restore localconfig + copy: + src: "{{ _bugzilla_backup_dir }}/localconfig" + dest: "{{ bugzilla_dir }}/localconfig" + remote_src: yes + mode: "0640" + group: www-data + +- + name: Restore bugzilla postgres volume + command: > + docker run --rm + -v bugzilla_postgres_data:/data + -v {{ _bugzilla_backup_dir }}:/backup + alpine sh -c "rm -rf /data/* && tar xzf /backup/postgres_data.tar.gz -C /data" + +- + name: Start bugzilla database + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: present diff --git a/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2 b/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2 new file mode 100644 index 0000000..fc89b8a --- /dev/null +++ b/ansible/roles/bugzilla/templates/bugzilla-vhost.conf.j2 @@ -0,0 +1,52 @@ + + ServerName {{ domain }} + Redirect permanent / https://{{ domain }}/ + + + + ServerName {{ domain }} + SSLEngine on + SSLCertificateFile {{ ssl_cert }} + SSLCertificateKeyFile {{ ssl_key }} + +{% if oauth_client_id is defined %} + OIDCProviderIssuer {{ oauth_issuer_url }} + OIDCProviderAuthorizationEndpoint {{ oauth_authorize_url }} + OIDCProviderTokenEndpoint {{ oauth_token_url }} + OIDCProviderTokenEndpointAuth client_secret_post + OIDCProviderUserInfoEndpoint {{ oauth_userinfo_url }} + OIDCProviderJwksUri {{ oauth_jwks_url }} + OIDCClientID {{ oauth_client_id }} + OIDCClientSecret {{ oauth_client_secret }} + OIDCRedirectURI https://{{ domain }}/oidc-callback + OIDCCryptoPassphrase {{ oauth_crypto_passphrase }} + OIDCScope "openid profile email" + OIDCRemoteUserClaim preferred_username + OIDCPassClaimsAs environment + OIDCSSLValidateServer Off + OIDCProviderEndSessionEndpoint {{ oauth_issuer_url }}/end-session/ + + + AuthType openid-connect + Require valid-user + + + + AuthType openid-connect + Require valid-user + + + RedirectMatch ^/logout$ /oidc-callback?logout=https%3A%2F%2F{{ domain }}%2F +{% endif %} + + DocumentRoot {{ bugzilla_dir }} + + AddHandler cgi-script .cgi + Options +ExecCGI +FollowSymLinks + DirectoryIndex index.cgi index.html + AllowOverride All +{% if oauth_client_id is not defined %} + Require all granted +{% endif %} + + diff --git a/ansible/roles/bugzilla/templates/checksetup-answers.j2 b/ansible/roles/bugzilla/templates/checksetup-answers.j2 new file mode 100644 index 0000000..e4fb136 --- /dev/null +++ b/ansible/roles/bugzilla/templates/checksetup-answers.j2 @@ -0,0 +1,4 @@ +$answer{'ADMIN_EMAIL'} = '{{ admin_email }}'; +$answer{'ADMIN_PASSWORD'} = '{{ admin_pwd }}'; +$answer{'ADMIN_REALNAME'} = '{{ admin_name | default("Admin") }}'; +$answer{'NO_PAUSE'} = 1; diff --git a/ansible/roles/bugzilla/templates/docker-compose.yml.j2 b/ansible/roles/bugzilla/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..13cfc6b --- /dev/null +++ b/ansible/roles/bugzilla/templates/docker-compose.yml.j2 @@ -0,0 +1,15 @@ +services: + postgres: + image: postgres:17-alpine + environment: + POSTGRES_DB: {{ db_name }} + POSTGRES_USER: {{ db_user }} + POSTGRES_PASSWORD: "{{ db_password }}" + volumes: + - postgres_data:/var/lib/postgresql/data + ports: + - "127.0.0.1:{{ db_port }}:5432" + restart: unless-stopped + +volumes: + postgres_data: diff --git a/ansible/roles/bugzilla/templates/localconfig.j2 b/ansible/roles/bugzilla/templates/localconfig.j2 new file mode 100644 index 0000000..eb67537 --- /dev/null +++ b/ansible/roles/bugzilla/templates/localconfig.j2 @@ -0,0 +1,15 @@ +$db_driver = 'Pg'; +$db_host = '127.0.0.1'; +$db_port = {{ db_port }}; +$db_name = '{{ db_name }}'; +$db_user = '{{ db_user }}'; +$db_pass = '{{ db_password }}'; +$webservergroup = 'www-data'; +{% if smtp_host is defined %} +$smtp_server = '{{ smtp_host }}'; +$smtp_port = {{ smtp_port | default(587) }}; +$smtp_username = '{{ smtp_username }}'; +$smtp_password = '{{ smtp_password }}'; +$smtp_ssl = 'On'; +$mailfrom = '{{ smtp_from | default(smtp_username) }}'; +{% endif %} diff --git a/ansible/roles/bugzilla/vars/Debian.yml b/ansible/roles/bugzilla/vars/Debian.yml new file mode 100644 index 0000000..2448b50 --- /dev/null +++ b/ansible/roles/bugzilla/vars/Debian.yml @@ -0,0 +1,31 @@ +--- +bugzilla_packages: + - build-essential + - libgd-dev + - libappconfig-perl + - libdate-calc-perl + - libtemplate-perl + - libmime-tools-perl + - libdbi-perl + - libdbd-pg-perl + - libcgi-pm-perl + - libmath-random-isaac-perl + - libapache2-mod-perl2 + - libchart-perl + - libxml-twig-perl + - libgd-perl + - libgd-graph-perl + - libtemplate-plugin-gd-perl + - libsoap-lite-perl + - libhtml-scrubber-perl + - libemail-sender-perl + - libemail-mime-perl + - libjson-xs-perl + - libencode-detect-perl + - libtheschwartz-perl + - libdaemon-generic-perl + - libdatetime-perl + - libdatetime-timezone-perl + - libemail-address-perl + - perlmagick + - libapache2-mod-auth-openidc diff --git a/ansible/roles/comentario/defaults/main.yml b/ansible/roles/comentario/defaults/main.yml new file mode 100644 index 0000000..51ae42e --- /dev/null +++ b/ansible/roles/comentario/defaults/main.yml @@ -0,0 +1,5 @@ +--- +install_dir: /opt/comentario +port: 8060 +ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem +ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem diff --git a/ansible/roles/comentario/meta/main.yml b/ansible/roles/comentario/meta/main.yml new file mode 100644 index 0000000..0b6f13a --- /dev/null +++ b/ansible/roles/comentario/meta/main.yml @@ -0,0 +1,6 @@ +--- +dependencies: + - + role: docker + - + role: apache diff --git a/ansible/roles/comentario/tasks/deploy-comentario.yml b/ansible/roles/comentario/tasks/deploy-comentario.yml new file mode 100644 index 0000000..27f2832 --- /dev/null +++ b/ansible/roles/comentario/tasks/deploy-comentario.yml @@ -0,0 +1,52 @@ +--- +- + name: Ensure install directory exists + file: + path: "{{ install_dir }}" + state: directory + mode: "0755" + +- + name: Deploy secrets file + template: + src: secrets.yaml.j2 + dest: "{{ install_dir }}/secrets.yaml" + mode: "0600" + +- + name: Deploy docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ install_dir }}/docker-compose.yml" + +- + name: Start comentario stack + include_role: + name: docker + tasks_from: start-compose + vars: + compose_project_dir: "{{ install_dir }}" + +- + name: Deploy comentario vhost + include_role: + name: apache + tasks_from: deploy-reverse-proxy + vars: + vhost_name: comentario + server_name: "{{ domain }}" + backend_port: "{{ port }}" + +- + name: Deploy comentario backup script + include_role: + name: docker + tasks_from: deploy-backup + vars: + backup_name: comentario + backup_hook_dir: /etc/restic/pre-backup.d + backup_volumes: + - comentario_comentario_postgres_data + backup_files: + - "{{ install_dir }}/docker-compose.yml" + - "{{ install_dir }}/secrets.yaml" diff --git a/ansible/roles/comentario/tasks/main.yml b/ansible/roles/comentario/tasks/main.yml new file mode 100644 index 0000000..0c3203e --- /dev/null +++ b/ansible/roles/comentario/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy comentario + ansible.builtin.include_tasks: deploy-comentario.yml diff --git a/ansible/roles/comentario/tasks/restore.yml b/ansible/roles/comentario/tasks/restore.yml new file mode 100644 index 0000000..e5a9d92 --- /dev/null +++ b/ansible/roles/comentario/tasks/restore.yml @@ -0,0 +1,41 @@ +--- +- + name: Set backup staging directory + set_fact: + _comentario_backup_dir: "{{ backup_staging_dir | default('/var/backups') }}/comentario" + +- + name: Stop comentario stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: absent + +- + name: Restore docker-compose file + copy: + src: "{{ _comentario_backup_dir }}/docker-compose.yml" + dest: "{{ install_dir }}/docker-compose.yml" + remote_src: yes + mode: "0600" + +- + name: Restore secrets file + copy: + src: "{{ _comentario_backup_dir }}/secrets.yaml" + dest: "{{ install_dir }}/secrets.yaml" + remote_src: yes + mode: "0600" + +- + name: Restore comentario postgres volume + command: > + docker run --rm + -v comentario_comentario_postgres_data:/data + -v {{ _comentario_backup_dir }}:/backup + alpine sh -c "rm -rf /data/* && tar xzf /backup/comentario_postgres_data.tar.gz -C /data" + +- + name: Start comentario stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: present diff --git a/ansible/roles/comentario/templates/docker-compose.yml.j2 b/ansible/roles/comentario/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..5df4291 --- /dev/null +++ b/ansible/roles/comentario/templates/docker-compose.yml.j2 @@ -0,0 +1,26 @@ +services: + postgres: + image: postgres:17-alpine + environment: + POSTGRES_DB: comentario + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres + volumes: + - postgres_data:/var/lib/postgresql/data + restart: unless-stopped + + comentario: + image: registry.gitlab.com/comentario/comentario:{{ version }} + ports: + - "127.0.0.1:{{ port }}:80" + environment: + BASE_URL: https://{{ domain }} + SECRETS_FILE: /secrets.yaml + volumes: + - ./secrets.yaml:/secrets.yaml:ro + depends_on: + - postgres + restart: unless-stopped + +volumes: + postgres_data: diff --git a/ansible/roles/comentario/templates/secrets.yaml.j2 b/ansible/roles/comentario/templates/secrets.yaml.j2 new file mode 100644 index 0000000..dbe768d --- /dev/null +++ b/ansible/roles/comentario/templates/secrets.yaml.j2 @@ -0,0 +1,27 @@ +postgres: + host: postgres + port: 5432 + database: comentario + username: postgres + password: postgres +{% if smtp_host is defined %} +smtp: + host: {{ smtp_host }} + port: {{ smtp_port | default(587) }} + username: {{ smtp_username }} + password: {{ smtp_password }} + from: {{ smtp_from | default(smtp_username) }} +{% endif %} +{% if oauth_client_id is defined %} +idp: + oidc: + - id: authentik + name: Authentik + url: {{ oauth_issuer_url }} + key: {{ oauth_client_id }} + secret: {{ oauth_client_secret }} + scopes: + - openid + - profile + - email +{% endif %} diff --git a/ansible/roles/conversejs/defaults/main.yml b/ansible/roles/conversejs/defaults/main.yml new file mode 100644 index 0000000..1f1c343 --- /dev/null +++ b/ansible/roles/conversejs/defaults/main.yml @@ -0,0 +1,5 @@ +--- +install_dir: /var/www/chat.tiararodney.com +ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem +ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem +prosody_port: 5280 diff --git a/ansible/roles/conversejs/meta/main.yml b/ansible/roles/conversejs/meta/main.yml new file mode 100644 index 0000000..4f72559 --- /dev/null +++ b/ansible/roles/conversejs/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - + role: apache diff --git a/ansible/roles/conversejs/tasks/deploy-conversejs.yml b/ansible/roles/conversejs/tasks/deploy-conversejs.yml new file mode 100644 index 0000000..56f81de --- /dev/null +++ b/ansible/roles/conversejs/tasks/deploy-conversejs.yml @@ -0,0 +1,49 @@ +--- +- + name: Ensure converse.js document root exists + file: + path: "{{ install_dir }}" + state: directory + owner: www-data + group: www-data + mode: "0755" + +- + name: Download converse.js release + unarchive: + src: "https://github.com/conversejs/converse.js/releases/download/v{{ version }}/converse.js-{{ version }}.tgz" + dest: "{{ install_dir }}" + remote_src: yes + extra_opts: ["--strip-components=1"] + owner: www-data + group: www-data + +- + name: Download libsignal-protocol for OMEMO + get_url: + url: "https://cdn.conversejs.org/3rdparty/libsignal-protocol.min.js" + dest: "{{ install_dir }}/dist/libsignal-protocol.min.js" + owner: www-data + group: www-data + +- + name: Deploy converse.js index page + template: + src: index.html.j2 + dest: "{{ install_dir }}/index.html" + owner: www-data + group: www-data + +- + name: Deploy chat vhost + template: + src: vhost.conf.j2 + dest: "{{ apache_sites_available }}/chat.conf" + notify: reload apache + +- + name: Enable chat site + command: "{{ apache_enable_site_cmd }} chat" + args: + creates: "{{ apache_sites_enabled }}/chat.conf" + notify: reload apache diff --git a/ansible/roles/conversejs/tasks/main.yml b/ansible/roles/conversejs/tasks/main.yml new file mode 100644 index 0000000..82cfafc --- /dev/null +++ b/ansible/roles/conversejs/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy conversejs + ansible.builtin.include_tasks: deploy-conversejs.yml diff --git a/ansible/roles/conversejs/templates/index.html.j2 b/ansible/roles/conversejs/templates/index.html.j2 new file mode 100644 index 0000000..00d472a --- /dev/null +++ b/ansible/roles/conversejs/templates/index.html.j2 @@ -0,0 +1,195 @@ + + + + + + Chat - {{ domain }} + + +{% if oauth_client_id is defined %} + +{% endif %} + + +{% if oauth_client_id is defined %} + + +{% else %} + + +{% endif %} + + diff --git a/ansible/roles/conversejs/templates/vhost.conf.j2 b/ansible/roles/conversejs/templates/vhost.conf.j2 new file mode 100644 index 0000000..5cf1510 --- /dev/null +++ b/ansible/roles/conversejs/templates/vhost.conf.j2 @@ -0,0 +1,31 @@ + + ServerName {{ domain }} + Redirect permanent / https://{{ domain }}/ + + + + ServerName {{ domain }} + SSLEngine on + SSLCertificateFile {{ ssl_cert }} + SSLCertificateKeyFile {{ ssl_key }} + + DocumentRoot {{ install_dir }} + + Options FollowSymLinks + AllowOverride None + Require all granted + + + # Proxy BOSH requests to Prosody + ProxyPreserveHost on + ProxyPass /http-bind http://127.0.0.1:{{ prosody_port }}/http-bind + ProxyPassReverse /http-bind http://127.0.0.1:{{ prosody_port }}/http-bind + + # Proxy WebSocket requests to Prosody + RewriteEngine on + RewriteCond %{HTTP:Upgrade} websocket [NC] + RewriteCond %{HTTP:Connection} upgrade [NC] + RewriteRule ^/xmpp-websocket(.*) ws://127.0.0.1:{{ prosody_port }}/xmpp-websocket$1 [P,L] + ProxyPass /xmpp-websocket http://127.0.0.1:{{ prosody_port }}/xmpp-websocket + ProxyPassReverse /xmpp-websocket http://127.0.0.1:{{ prosody_port }}/xmpp-websocket + diff --git a/ansible/roles/devpi/defaults/main.yml b/ansible/roles/devpi/defaults/main.yml new file mode 100644 index 0000000..6b820a0 --- /dev/null +++ b/ansible/roles/devpi/defaults/main.yml @@ -0,0 +1,5 @@ +--- +install_dir: /opt/devpi +port: 3141 +ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem +ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem diff --git a/ansible/roles/devpi/files/Dockerfile b/ansible/roles/devpi/files/Dockerfile new file mode 100644 index 0000000..3894053 --- /dev/null +++ b/ansible/roles/devpi/files/Dockerfile @@ -0,0 +1,11 @@ +FROM python:3.12-slim + +RUN pip install --no-cache-dir devpi-server devpi-web + +RUN devpi-init --serverdir /data || true + +EXPOSE 3141 + +VOLUME /data + +CMD ["devpi-server", "--serverdir", "/data", "--host", "0.0.0.0", "--port", "3141"] diff --git a/ansible/roles/devpi/meta/main.yml b/ansible/roles/devpi/meta/main.yml new file mode 100644 index 0000000..0b6f13a --- /dev/null +++ b/ansible/roles/devpi/meta/main.yml @@ -0,0 +1,6 @@ +--- +dependencies: + - + role: docker + - + role: apache diff --git a/ansible/roles/devpi/tasks/deploy-devpi.yml b/ansible/roles/devpi/tasks/deploy-devpi.yml new file mode 100644 index 0000000..0e350a7 --- /dev/null +++ b/ansible/roles/devpi/tasks/deploy-devpi.yml @@ -0,0 +1,51 @@ +--- +- + name: Ensure install directory exists + file: + path: "{{ install_dir }}" + state: directory + mode: "0755" + +- + name: Copy Dockerfile + copy: + src: Dockerfile + dest: "{{ install_dir }}/Dockerfile" + +- + name: Deploy docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ install_dir }}/docker-compose.yml" + +- + name: Start devpi stack + include_role: + name: docker + tasks_from: start-compose + vars: + compose_project_dir: "{{ install_dir }}" + compose_build: policy + +- + name: Deploy devpi vhost + include_role: + name: apache + tasks_from: deploy-reverse-proxy + vars: + vhost_name: devpi + server_name: "{{ hostname }}" + backend_port: "{{ port }}" + +- + name: Deploy devpi backup script + include_role: + name: docker + tasks_from: deploy-backup + vars: + backup_name: devpi + backup_hook_dir: /etc/restic/pre-backup.d + backup_volumes: + - devpi_devpi_data + backup_files: + - "{{ install_dir }}/docker-compose.yml" diff --git a/ansible/roles/devpi/tasks/main.yml b/ansible/roles/devpi/tasks/main.yml new file mode 100644 index 0000000..dca9c0b --- /dev/null +++ b/ansible/roles/devpi/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy devpi + ansible.builtin.include_tasks: deploy-devpi.yml diff --git a/ansible/roles/devpi/tasks/restore.yml b/ansible/roles/devpi/tasks/restore.yml new file mode 100644 index 0000000..e92ade7 --- /dev/null +++ b/ansible/roles/devpi/tasks/restore.yml @@ -0,0 +1,33 @@ +--- +- + name: Set backup staging directory + set_fact: + _devpi_backup_dir: "{{ backup_staging_dir | default('/var/backups') }}/devpi" + +- + name: Stop devpi stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: absent + +- + name: Restore docker-compose file + copy: + src: "{{ _devpi_backup_dir }}/docker-compose.yml" + dest: "{{ install_dir }}/docker-compose.yml" + remote_src: yes + mode: "0600" + +- + name: Restore devpi data volume + command: > + docker run --rm + -v devpi_devpi_data:/data + -v {{ _devpi_backup_dir }}:/backup + alpine sh -c "rm -rf /data/* && tar xzf /backup/devpi_data.tar.gz -C /data" + +- + name: Start devpi stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: present diff --git a/ansible/roles/devpi/templates/docker-compose.yml.j2 b/ansible/roles/devpi/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..76f42ee --- /dev/null +++ b/ansible/roles/devpi/templates/docker-compose.yml.j2 @@ -0,0 +1,11 @@ +services: + devpi: + build: . + ports: + - "127.0.0.1:{{ port }}:3141" + volumes: + - devpi_data:/data + restart: unless-stopped + +volumes: + devpi_data: diff --git a/ansible/roles/dnsmasq/defaults/main.yml b/ansible/roles/dnsmasq/defaults/main.yml new file mode 100644 index 0000000..27b4aa6 --- /dev/null +++ b/ansible/roles/dnsmasq/defaults/main.yml @@ -0,0 +1,7 @@ +--- +dns_listen_address: "10.0.0.1" +dns_port: 53 +dns_upstream: + - "1.1.1.1" + - "1.0.0.1" +dns_records: [] diff --git a/ansible/roles/dnsmasq/handlers/main.yml b/ansible/roles/dnsmasq/handlers/main.yml new file mode 100644 index 0000000..4ddcc27 --- /dev/null +++ b/ansible/roles/dnsmasq/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- + name: restart dnsmasq + service: + name: dnsmasq + state: restarted diff --git a/ansible/roles/dnsmasq/tasks/main.yml b/ansible/roles/dnsmasq/tasks/main.yml new file mode 100644 index 0000000..50bd7cd --- /dev/null +++ b/ansible/roles/dnsmasq/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- + name: Install dnsmasq + apt: + name: dnsmasq + state: present + +- + name: Deploy dnsmasq configuration + template: + src: dnsmasq.conf.j2 + dest: /etc/dnsmasq.d/local.conf + notify: restart dnsmasq + +- + name: Ensure dnsmasq is running + service: + name: dnsmasq + state: started + enabled: yes diff --git a/ansible/roles/dnsmasq/templates/dnsmasq.conf.j2 b/ansible/roles/dnsmasq/templates/dnsmasq.conf.j2 new file mode 100644 index 0000000..3c6d39b --- /dev/null +++ b/ansible/roles/dnsmasq/templates/dnsmasq.conf.j2 @@ -0,0 +1,11 @@ +listen-address={{ dns_listen_address }} +port={{ dns_port }} +bind-interfaces +no-resolv +no-hosts +{% for server in dns_upstream %} +server={{ server }} +{% endfor %} +{% for record in dns_records %} +address=/{{ record.domain }}/{{ record.ip }} +{% endfor %} diff --git a/ansible/roles/docker/handlers/main.yml b/ansible/roles/docker/handlers/main.yml new file mode 100644 index 0000000..dec5885 --- /dev/null +++ b/ansible/roles/docker/handlers/main.yml @@ -0,0 +1,11 @@ +--- +- + name: restart containerd + service: + name: containerd + state: restarted +- + name: restart docker + service: + name: docker + state: restarted diff --git a/ansible/roles/docker/meta/main.yml b/ansible/roles/docker/meta/main.yml new file mode 100644 index 0000000..23d65c7 --- /dev/null +++ b/ansible/roles/docker/meta/main.yml @@ -0,0 +1,2 @@ +--- +dependencies: [] diff --git a/ansible/roles/docker/tasks/configure-mirror.yml b/ansible/roles/docker/tasks/configure-mirror.yml new file mode 100644 index 0000000..f47efed --- /dev/null +++ b/ansible/roles/docker/tasks/configure-mirror.yml @@ -0,0 +1,29 @@ +--- +- + name: Add registry mirror host entries + lineinfile: + path: /etc/hosts + regexp: "{{ item.mirror | urlsplit('hostname') | regex_escape }}" + line: "{{ registry_mirror_ip }} {{ item.mirror | urlsplit('hostname') }}" + loop: "{{ registry_mirrors }}" + when: registry_mirror_ip is defined + +- + name: Configure Docker Hub registry mirror + copy: + dest: /etc/docker/daemon.json + content: | + { + "registry-mirrors": [ + {% for item in registry_mirrors if item.upstream == 'docker.io' %} + "{{ item.mirror }}"{% if not loop.last %},{% endif %} + + {% endfor %} + ] + } + mode: "0644" + notify: restart docker + +- + name: Ensure Docker is restarted if mirror changed + meta: flush_handlers diff --git a/ansible/roles/docker/tasks/deploy-backup.yml b/ansible/roles/docker/tasks/deploy-backup.yml new file mode 100644 index 0000000..72ed640 --- /dev/null +++ b/ansible/roles/docker/tasks/deploy-backup.yml @@ -0,0 +1,7 @@ +--- +- + name: "Deploy {{ backup_name }} docker volume backup script" + template: + src: backup-docker-volumes.sh.j2 + dest: "{{ backup_hook_dir }}/{{ backup_name }}.sh" + mode: "0755" diff --git a/ansible/roles/docker/tasks/install-docker.yml b/ansible/roles/docker/tasks/install-docker.yml new file mode 100644 index 0000000..de17106 --- /dev/null +++ b/ansible/roles/docker/tasks/install-docker.yml @@ -0,0 +1,34 @@ +--- +- + name: Install Docker prerequisites + apt: + name: "{{ docker_prerequisites }}" + state: present + update_cache: yes + +- + name: Add Docker GPG key + apt_key: + url: "{{ docker_gpg_url }}" + state: present + +- + name: Add Docker repository + apt_repository: + repo: "{{ docker_repo }}" + state: present + +- + name: Install Docker Engine and Compose plugin + apt: + name: "{{ docker_packages }}" + state: present + update_cache: yes + +- + name: Ensure Docker service is running + service: + name: docker + state: started + enabled: yes + diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml new file mode 100644 index 0000000..d820e37 --- /dev/null +++ b/ansible/roles/docker/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- + name: Load OS-specific variables + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" + +- + name: Install and configure Docker + ansible.builtin.include_tasks: install-docker.yml + +- + name: Configure registry mirrors + ansible.builtin.include_tasks: configure-mirror.yml + when: registry_mirrors is defined diff --git a/ansible/roles/docker/tasks/start-compose.yml b/ansible/roles/docker/tasks/start-compose.yml new file mode 100644 index 0000000..b383e54 --- /dev/null +++ b/ansible/roles/docker/tasks/start-compose.yml @@ -0,0 +1,13 @@ +--- +- + name: "Create {{ compose_project_dir }} directory" + file: + path: "{{ compose_project_dir }}" + state: directory + +- + name: "Start docker compose stack in {{ compose_project_dir }}" + community.docker.docker_compose_v2: + project_src: "{{ compose_project_dir }}" + state: present + build: "{{ compose_build | default(omit) }}" diff --git a/ansible/roles/docker/templates/backup-docker-volumes.sh.j2 b/ansible/roles/docker/templates/backup-docker-volumes.sh.j2 new file mode 100644 index 0000000..0aa33ab --- /dev/null +++ b/ansible/roles/docker/templates/backup-docker-volumes.sh.j2 @@ -0,0 +1,10 @@ +#!/bin/bash +set -euo pipefail +BACKUP_DIR="{{ backup_staging_dir | default('/var/backups') }}/{{ backup_name }}" +mkdir -p "$BACKUP_DIR" +{% for vol in backup_volumes | default([]) %} +docker run --rm -v {{ vol }}:/data:ro -v "$BACKUP_DIR":/backup alpine sh -c "tar czf /backup/{{ vol }}.tar.gz -C /data . || [ \$? -eq 1 ]" +{% endfor %} +{% for f in backup_files | default([]) %} +cp "{{ f }}" "$BACKUP_DIR/" +{% endfor %} diff --git a/ansible/roles/docker/vars/Debian.yml b/ansible/roles/docker/vars/Debian.yml new file mode 100644 index 0000000..aac462b --- /dev/null +++ b/ansible/roles/docker/vars/Debian.yml @@ -0,0 +1,15 @@ +--- +docker_prerequisites: + - apt-transport-https + - ca-certificates + - curl + - gnupg + - lsb-release +docker_packages: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin +docker_repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable" +docker_gpg_url: "https://download.docker.com/linux/debian/gpg" diff --git a/ansible/roles/docker_registry/defaults/main.yml b/ansible/roles/docker_registry/defaults/main.yml new file mode 100644 index 0000000..57e5ae8 --- /dev/null +++ b/ansible/roles/docker_registry/defaults/main.yml @@ -0,0 +1,5 @@ +--- +install_dir: /opt/docker-registry +port: 5050 +ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem +ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem diff --git a/ansible/roles/docker_registry/handlers/main.yml b/ansible/roles/docker_registry/handlers/main.yml new file mode 100644 index 0000000..88d9a56 --- /dev/null +++ b/ansible/roles/docker_registry/handlers/main.yml @@ -0,0 +1,11 @@ +--- +- + name: restart docker-registry + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: restarted +- + name: reload apache + service: + name: "{{ apache_service }}" + state: reloaded diff --git a/ansible/roles/docker_registry/tasks/deploy-registry.yml b/ansible/roles/docker_registry/tasks/deploy-registry.yml new file mode 100644 index 0000000..284cb60 --- /dev/null +++ b/ansible/roles/docker_registry/tasks/deploy-registry.yml @@ -0,0 +1,61 @@ +--- +- + name: Ensure install directory exists + file: + path: "{{ install_dir }}" + state: directory + mode: "0755" + +- + name: Deploy registry configuration + template: + src: config.yml.j2 + dest: "{{ install_dir }}/config.yml" + notify: restart docker-registry + +- + name: Deploy docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ install_dir }}/docker-compose.yml" + +- + name: Start registry stack + include_role: + name: docker + tasks_from: start-compose + vars: + compose_project_dir: "{{ install_dir }}" + +- + name: Load Apache variables + include_vars: + file: "{{ role_path }}/../apache/vars/{{ ansible_os_family }}.yml" + +- + name: Deploy registry vhost + template: + src: vhost.conf.j2 + dest: "{{ apache_sites_available }}/docker-registry-{{ hostname | regex_replace('\\..*', '') }}.conf" + notify: reload apache + +- + name: Enable registry vhost + command: "{{ apache_enable_site_cmd }} docker-registry-{{ hostname | regex_replace('\\..*', '') }}" + args: + creates: "{{ apache_sites_enabled }}/docker-registry-{{ hostname | regex_replace('\\..*', '') }}.conf" + notify: reload apache + +- + name: Deploy registry backup script + include_role: + name: docker + tasks_from: deploy-backup + vars: + backup_name: docker-registry + backup_hook_dir: /etc/restic/pre-backup.d + backup_volumes: + - docker-registry_registry_data + backup_files: + - "{{ install_dir }}/docker-compose.yml" + - "{{ install_dir }}/config.yml" diff --git a/ansible/roles/docker_registry/tasks/main.yml b/ansible/roles/docker_registry/tasks/main.yml new file mode 100644 index 0000000..0a4fe3a --- /dev/null +++ b/ansible/roles/docker_registry/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy registry + ansible.builtin.include_tasks: deploy-registry.yml diff --git a/ansible/roles/docker_registry/tasks/restore-registry.yml b/ansible/roles/docker_registry/tasks/restore-registry.yml new file mode 100644 index 0000000..f81b2e7 --- /dev/null +++ b/ansible/roles/docker_registry/tasks/restore-registry.yml @@ -0,0 +1,22 @@ +--- +- + name: Check if registry backup archive exists + stat: + path: /var/backups/docker-registry/docker-registry_registry_data.tar.gz + register: registry_backup + +- + name: Restore registry volume from backup + command: > + docker run --rm + -v docker-registry_registry_data:/data + -v /var/backups/docker-registry:/backup:ro + alpine sh -c "tar xzf /backup/docker-registry_registry_data.tar.gz -C /data" + when: registry_backup.stat.exists + +- + name: Restart registry after restore + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: restarted + when: registry_backup.stat.exists diff --git a/ansible/roles/docker_registry/templates/config.yml.j2 b/ansible/roles/docker_registry/templates/config.yml.j2 new file mode 100644 index 0000000..c71c650 --- /dev/null +++ b/ansible/roles/docker_registry/templates/config.yml.j2 @@ -0,0 +1,13 @@ +version: 0.1 +log: + fields: + service: registry +storage: + filesystem: + rootdirectory: /var/lib/registry + delete: + enabled: true +http: + addr: :5000 +proxy: + remoteurl: {{ remote_url | default('https://registry-1.docker.io') }} diff --git a/ansible/roles/docker_registry/templates/docker-compose.yml.j2 b/ansible/roles/docker_registry/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..309216e --- /dev/null +++ b/ansible/roles/docker_registry/templates/docker-compose.yml.j2 @@ -0,0 +1,12 @@ +services: + registry: + image: registry:2 + ports: + - "127.0.0.1:{{ port }}:5000" + volumes: + - registry_data:/var/lib/registry + - ./config.yml:/etc/docker/registry/config.yml:ro + restart: unless-stopped + +volumes: + registry_data: diff --git a/ansible/roles/docker_registry/templates/vhost.conf.j2 b/ansible/roles/docker_registry/templates/vhost.conf.j2 new file mode 100644 index 0000000..3e9d98c --- /dev/null +++ b/ansible/roles/docker_registry/templates/vhost.conf.j2 @@ -0,0 +1,28 @@ + + ServerName {{ hostname }} + Redirect permanent / https://{{ hostname }}/ + + + + ServerName {{ hostname }} + SSLEngine on + SSLCertificateFile {{ ssl_cert }} + SSLCertificateKeyFile {{ ssl_key }} + + # Return an empty OCI index for referrers requests. + # registry:2 does not support the OCI referrers API and proxies + # the request to upstream which may return HTML error pages, + # causing Docker 29+ to fail with "failed to decode referrers index". + RewriteEngine on + RewriteRule "^/v2/.*/referrers/" - [R=200,L,E=REFERRERS:1] + Header always set Content-Type "application/vnd.oci.image.index.v1+json" env=REFERRERS + + ErrorDocument 200 '{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[]}' + + + ProxyPreserveHost on + RequestHeader set X-Forwarded-Proto "https" + RequestHeader set X-Forwarded-Ssl "on" + ProxyPass / http://127.0.0.1:{{ port }}/ + ProxyPassReverse / http://127.0.0.1:{{ port }}/ + diff --git a/ansible/roles/host/defaults/main.yml b/ansible/roles/host/defaults/main.yml new file mode 100644 index 0000000..48934b1 --- /dev/null +++ b/ansible/roles/host/defaults/main.yml @@ -0,0 +1,3 @@ +--- +admin_user: tiara +admin_shell: /bin/bash diff --git a/ansible/roles/host/handlers/main.yml b/ansible/roles/host/handlers/main.yml new file mode 100644 index 0000000..293b76d --- /dev/null +++ b/ansible/roles/host/handlers/main.yml @@ -0,0 +1,11 @@ +--- +- + name: restart sshd + service: + name: sshd + state: restarted +- + name: restart zramswap + systemd: + name: zramswap + state: restarted diff --git a/ansible/roles/host/meta/main.yml b/ansible/roles/host/meta/main.yml new file mode 100644 index 0000000..23d65c7 --- /dev/null +++ b/ansible/roles/host/meta/main.yml @@ -0,0 +1,2 @@ +--- +dependencies: [] diff --git a/ansible/roles/host/tasks/main.yml b/ansible/roles/host/tasks/main.yml new file mode 100644 index 0000000..441d11f --- /dev/null +++ b/ansible/roles/host/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- + name: Load OS-specific variables + ansible.builtin.include_vars: "{{ ansible_os_family }}.yml" + +- + name: Set up admin user + ansible.builtin.include_tasks: setup-admin.yml + when: ssh_pubkey_dir is defined + +- + name: Set up base system + ansible.builtin.include_tasks: setup-base.yml diff --git a/ansible/roles/host/tasks/setup-admin.yml b/ansible/roles/host/tasks/setup-admin.yml new file mode 100644 index 0000000..169a297 --- /dev/null +++ b/ansible/roles/host/tasks/setup-admin.yml @@ -0,0 +1,35 @@ +--- +- + name: Create admin user + user: + name: "{{ admin_user }}" + shell: "{{ admin_shell }}" + groups: sudo + append: yes + create_home: yes + +- + name: Allow admin user passwordless sudo + copy: + dest: "/etc/sudoers.d/{{ admin_user }}" + content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL\n" + mode: "0440" + validate: "visudo -cf %s" + +- + name: Find SSH public keys + find: + paths: "{{ ssh_pubkey_dir }}" + patterns: "*.pub" + delegate_to: localhost + become: no + register: ssh_pubkeys + +- + name: Deploy SSH authorized keys + authorized_key: + user: "{{ admin_user }}" + key: "{{ lookup('file', item.path) }}" + loop: "{{ ssh_pubkeys.files }}" + loop_control: + label: "{{ item.path | basename }}" diff --git a/ansible/roles/host/tasks/setup-base.yml b/ansible/roles/host/tasks/setup-base.yml new file mode 100644 index 0000000..f82c3af --- /dev/null +++ b/ansible/roles/host/tasks/setup-base.yml @@ -0,0 +1,69 @@ +--- +- + name: Update apt cache + apt: + update_cache: yes + cache_valid_time: 0 + +- + name: Install base packages + apt: + name: "{{ host_base_packages }}" + state: present + +- + name: Disable SSH password authentication + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#?PasswordAuthentication" + line: "PasswordAuthentication no" + notify: restart sshd + +- + name: Disable SSH root login + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#?PermitRootLogin" + line: "PermitRootLogin no" + notify: restart sshd + +- + name: Allow SSH through UFW + community.general.ufw: + rule: allow + port: "22" + proto: tcp + +- + name: Allow additional UFW ports + community.general.ufw: + rule: allow + port: "{{ item.port }}" + proto: "{{ item.proto | default('tcp') }}" + from_ip: "{{ item.from | default('any') }}" + loop: "{{ ufw_allow | default([]) }}" + +- + name: Enable UFW with default deny + community.general.ufw: + state: enabled + default: deny + direction: incoming + +- + name: Configure fail2ban backend + copy: + dest: /etc/fail2ban/jail.local + content: | + [DEFAULT] + backend = {{ fail2ban_backend }} + owner: root + group: root + mode: "0644" + +- + name: Ensure fail2ban is running + service: + name: fail2ban + state: restarted + enabled: yes diff --git a/ansible/roles/host/tasks/setup-swap.yml b/ansible/roles/host/tasks/setup-swap.yml new file mode 100644 index 0000000..2a5cf92 --- /dev/null +++ b/ansible/roles/host/tasks/setup-swap.yml @@ -0,0 +1,37 @@ +--- +- + name: Ensure swap exists + command: fallocate -l {{ swap_size | default('2G') }} /swapfile + args: + creates: /swapfile + +- + name: Set swap permissions + file: + path: /swapfile + mode: '0600' + +- + name: Make swap + command: mkswap /swapfile + args: + creates: /swapfile.swap + +- + name: Mark swapfile as initialized + file: + path: /swapfile.swap + state: touch + +- + name: Enable swap + command: swapon /swapfile + register: swap_on + failed_when: false + +- + name: Add swap to fstab + lineinfile: + path: /etc/fstab + line: "/swapfile none swap sw 0 0" + state: present diff --git a/ansible/roles/host/tasks/setup-zram.yml b/ansible/roles/host/tasks/setup-zram.yml new file mode 100644 index 0000000..1e34e95 --- /dev/null +++ b/ansible/roles/host/tasks/setup-zram.yml @@ -0,0 +1,37 @@ +--- +- + name: Install zram-tools + apt: + name: zram-tools + state: present + +- + name: Configure zram + copy: + dest: /etc/default/zramswap + content: | + ALGO={{ zram_algorithm | default('zstd') }} + PERCENT={{ zram_percent | default(50) }} + PRIORITY={{ zram_priority | default(100) }} + mode: '0644' + notify: restart zramswap + +- + name: Enable zramswap service + systemd: + name: zramswap + enabled: true + state: started + +- + name: Disable file-backed swap if present + command: swapoff /swapfile + failed_when: false + changed_when: false + +- + name: Remove file-backed swap from fstab + lineinfile: + path: /etc/fstab + line: "/swapfile none swap sw 0 0" + state: absent diff --git a/ansible/roles/host/vars/Debian.yml b/ansible/roles/host/vars/Debian.yml new file mode 100644 index 0000000..917d0cb --- /dev/null +++ b/ansible/roles/host/vars/Debian.yml @@ -0,0 +1,9 @@ +--- +host_base_packages: + - fail2ban + - unattended-upgrades + - ufw + - vim + - curl + - rsync +fail2ban_backend: systemd diff --git a/ansible/roles/kellnr/defaults/main.yml b/ansible/roles/kellnr/defaults/main.yml new file mode 100644 index 0000000..8df407b --- /dev/null +++ b/ansible/roles/kellnr/defaults/main.yml @@ -0,0 +1,5 @@ +--- +install_dir: /opt/kellnr +port: 8000 +ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem +ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem diff --git a/ansible/roles/kellnr/meta/main.yml b/ansible/roles/kellnr/meta/main.yml new file mode 100644 index 0000000..0b6f13a --- /dev/null +++ b/ansible/roles/kellnr/meta/main.yml @@ -0,0 +1,6 @@ +--- +dependencies: + - + role: docker + - + role: apache diff --git a/ansible/roles/kellnr/tasks/deploy-kellnr.yml b/ansible/roles/kellnr/tasks/deploy-kellnr.yml new file mode 100644 index 0000000..ed27fad --- /dev/null +++ b/ansible/roles/kellnr/tasks/deploy-kellnr.yml @@ -0,0 +1,44 @@ +--- +- + name: Ensure install directory exists + file: + path: "{{ install_dir }}" + state: directory + mode: "0755" + +- + name: Deploy docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ install_dir }}/docker-compose.yml" + +- + name: Start kellnr stack + include_role: + name: docker + tasks_from: start-compose + vars: + compose_project_dir: "{{ install_dir }}" + +- + name: Deploy kellnr vhost + include_role: + name: apache + tasks_from: deploy-reverse-proxy + vars: + vhost_name: kellnr + server_name: "{{ hostname }}" + backend_port: "{{ port }}" + +- + name: Deploy kellnr backup script + include_role: + name: docker + tasks_from: deploy-backup + vars: + backup_name: kellnr + backup_hook_dir: /etc/restic/pre-backup.d + backup_volumes: + - kellnr_kellnr_data + backup_files: + - "{{ install_dir }}/docker-compose.yml" diff --git a/ansible/roles/kellnr/tasks/main.yml b/ansible/roles/kellnr/tasks/main.yml new file mode 100644 index 0000000..17fb3d0 --- /dev/null +++ b/ansible/roles/kellnr/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy kellnr + ansible.builtin.include_tasks: deploy-kellnr.yml diff --git a/ansible/roles/kellnr/tasks/restore.yml b/ansible/roles/kellnr/tasks/restore.yml new file mode 100644 index 0000000..3b4fe80 --- /dev/null +++ b/ansible/roles/kellnr/tasks/restore.yml @@ -0,0 +1,33 @@ +--- +- + name: Set backup staging directory + set_fact: + _kellnr_backup_dir: "{{ backup_staging_dir | default('/var/backups') }}/kellnr" + +- + name: Stop kellnr stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: absent + +- + name: Restore docker-compose file + copy: + src: "{{ _kellnr_backup_dir }}/docker-compose.yml" + dest: "{{ install_dir }}/docker-compose.yml" + remote_src: yes + mode: "0600" + +- + name: Restore kellnr data volume + command: > + docker run --rm + -v kellnr_kellnr_data:/data + -v {{ _kellnr_backup_dir }}:/backup + alpine sh -c "rm -rf /data/* && tar xzf /backup/kellnr_data.tar.gz -C /data" + +- + name: Start kellnr stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: present diff --git a/ansible/roles/kellnr/templates/docker-compose.yml.j2 b/ansible/roles/kellnr/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..832ce35 --- /dev/null +++ b/ansible/roles/kellnr/templates/docker-compose.yml.j2 @@ -0,0 +1,16 @@ +services: + kellnr: + image: ghcr.io/kellnr/kellnr:{{ version }} + ports: + - "127.0.0.1:{{ port }}:8000" + environment: + KELLNR_ORIGIN__HOSTNAME: "{{ hostname }}" + KELLNR_ORIGIN__PORT: "443" + KELLNR_ORIGIN__PROTOCOL: "https" + KELLNR_AUTH__ADMIN_PWD: "{{ admin_pwd }}" + volumes: + - kellnr_data:/var/lib/kellnr + restart: unless-stopped + +volumes: + kellnr_data: diff --git a/ansible/roles/prosody/defaults/main.yml b/ansible/roles/prosody/defaults/main.yml new file mode 100644 index 0000000..aa205e3 --- /dev/null +++ b/ansible/roles/prosody/defaults/main.yml @@ -0,0 +1,10 @@ +--- +install_dir: /opt/prosody +bind_address: "0.0.0.0" +bosh_port: 5280 +c2s_port: 5222 +s2s_port: 5269 +proxy65_port: 5000 +proxy65_address: "{{ bind_address }}" +http_upload_file_size_limit: 10485760 +http_upload_expire_after: 604800 diff --git a/ansible/roles/prosody/files/mod_auth_oauth_external.lua b/ansible/roles/prosody/files/mod_auth_oauth_external.lua new file mode 100644 index 0000000..eba1a61 --- /dev/null +++ b/ansible/roles/prosody/files/mod_auth_oauth_external.lua @@ -0,0 +1,153 @@ +-- Based on https://hg.prosody.im/prosody-modules/file/tip/mod_auth_oauth_external/mod_auth_oauth_external.lua +-- Patched to store email from userinfo in accounts store for mod_offline_email +local http = require "net.http"; +local async = require "util.async"; +local jid = require "util.jid"; +local json = require "util.json"; +local sasl = require "util.sasl"; + +local issuer_identity = module:get_option_string("oauth_external_issuer"); +local oidc_discovery_url = module:get_option_string("oauth_external_discovery_url", + issuer_identity and issuer_identity .. "/.well-known/oauth-authorization-server" or nil); +local validation_endpoint = module:get_option_string("oauth_external_validation_endpoint"); +local token_endpoint = module:get_option_string("oauth_external_token_endpoint"); + +local username_field = module:get_option_string("oauth_external_username_field", "preferred_username"); +local allow_plain = module:get_option_boolean("oauth_external_resource_owner_password", true); + +local client_id = module:get_option_string("oauth_external_client_id"); +local client_secret = module:get_option_string("oauth_external_client_secret"); +local scope = module:get_option_string("oauth_external_scope", "openid"); + +local accounts = module:open_store("accounts"); + +local host = module.host; +local provider = {}; + +local function not_implemented() + return nil, "method not implemented" +end + +provider.test_password = not_implemented; +provider.get_password = not_implemented; +provider.set_password = not_implemented; +provider.create_user = not_implemented; + +function provider.delete_user(username) + return accounts:set(username, nil); +end + +function provider.get_account_info(username) + local account, err = accounts:get(username); + if not account then return nil, err or "Account not available"; end + return { + created = account.created; + password_updated = account.updated; + enabled = not account.disabled; + }; +end + +function provider.user_exists(username) + local account, err = accounts:get(username); + if err then + return nil, err; + elseif account then + return true; + else + return false + end +end + +function provider.users() + return accounts:users(); +end + +local function save_account(username, response) + local account_data = { exists = true }; + if type(response) == "table" and type(response.email) == "string" then + account_data.email = response.email; + end + accounts:set(username, account_data); +end + +function provider.get_sasl_handler() + local profile = {}; + profile.http_client = http.default:new({ connection_pooling = true }); + local extra = { oidc_discovery_url = oidc_discovery_url }; + if token_endpoint and allow_plain then + local map_username = function (username, _realm) return username; end; + function profile:plain_test(username, password, realm) + username = jid.unescape(username); + local tok, err = async.wait_for(self.profile.http_client:request(token_endpoint, { + headers = { ["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"; ["Accept"] = "application/json" }; + body = http.formencode({ + grant_type = "password"; + client_id = client_id; + client_secret = client_secret; + username = map_username(username, realm); + password = password; + scope = scope; + }); + })) + if err or not (tok.code >= 200 and tok.code < 300) then + return false, nil; + end + local token_resp = json.decode(tok.body); + if not token_resp or string.lower(token_resp.token_type or "") ~= "bearer" then + return false, nil; + end + if not validation_endpoint then + self.username = jid.escape(username); + self.token_info = token_resp; + save_account(self.username, nil); + return true, true; + end + local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, + { headers = { ["Authorization"] = "Bearer " .. token_resp.access_token; ["Accept"] = "application/json" } })); + if err then + return false, nil; + end + if not (ret.code >= 200 and ret.code < 300) then + return false, nil; + end + local response = json.decode(ret.body); + if type(response) ~= "table" then + return false, nil, nil; + elseif type(response[username_field]) ~= "string" then + return false, nil, nil; + end + self.username = jid.escape(response[username_field]); + self.token_info = response; + save_account(self.username, response); + return true, true; + end + end + if validation_endpoint then + function profile:oauthbearer(token) + if token == "" then + return false, nil, extra; + end + + local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, { + headers = { ["Authorization"] = "Bearer " .. token; ["Accept"] = "application/json" }; + })); + if err then + return false, nil, extra; + end + local response = ret and json.decode(ret.body); + if not (ret.code >= 200 and ret.code < 300) then + return false, nil, response or extra; + end + if type(response) ~= "table" or type(response[username_field]) ~= "string" then + return false, nil, nil; + end + + local username = jid.escape(response[username_field]); + save_account(username, response); + return username, true, response; + end + end + return sasl.new(host, profile); +end + +module:provides("auth", provider); diff --git a/ansible/roles/prosody/files/mod_sasl_oauthbearer_only_bosh.lua b/ansible/roles/prosody/files/mod_sasl_oauthbearer_only_bosh.lua new file mode 100644 index 0000000..f6e8ee4 --- /dev/null +++ b/ansible/roles/prosody/files/mod_sasl_oauthbearer_only_bosh.lua @@ -0,0 +1,35 @@ +-- Strip PLAIN from SASL mechanisms for BOSH and WebSocket connections. +-- Direct c2s connections keep PLAIN for native XMPP client auth. + +module:hook("stream-features", function(event) + local origin, features = event.origin, event.features; + + local is_bosh = origin.bosh_version ~= nil; + local is_websocket = origin.websocket_request ~= nil; + + if not (is_bosh or is_websocket) then + return; + end + + for i, child in ipairs(features.tags) do + if child.name == "mechanisms" then + local dominated = {}; + for j, mech in ipairs(child.tags) do + if mech:get_text() == "PLAIN" then + table.insert(dominated, j); + end + end + for k = #dominated, 1, -1 do + local idx = dominated[k]; + table.remove(child.tags, idx); + for m = #child, 1, -1 do + if type(child[m]) == "table" and child[m].name == "mechanism" and child[m]:get_text() == "PLAIN" then + table.remove(child, m); + break; + end + end + end + break; + end + end +end, -1); diff --git a/ansible/roles/prosody/files/mod_session_timeout.lua b/ansible/roles/prosody/files/mod_session_timeout.lua new file mode 100644 index 0000000..4422085 --- /dev/null +++ b/ansible/roles/prosody/files/mod_session_timeout.lua @@ -0,0 +1,16 @@ +-- Disconnect c2s sessions after a configurable timeout to force re-authentication. +-- This ensures that expired credentials (e.g. app passwords) are caught promptly. + +local timeout = module:get_option_number("session_timeout", 1800); -- default 30 minutes + +module:hook("resource-bind", function(event) + local session = event.session; + if not session then return; end + + session._timeout_timer = module:add_timer(timeout, function() + if session.type == "c2s" and not session.destroyed then + module:log("info", "Session timeout for %s, forcing re-authentication", session.full_jid); + session:close({ condition = "policy-violation", text = "Session expired, please reconnect" }); + end + end); +end); diff --git a/ansible/roles/prosody/meta/main.yml b/ansible/roles/prosody/meta/main.yml new file mode 100644 index 0000000..de32aa1 --- /dev/null +++ b/ansible/roles/prosody/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - + role: docker diff --git a/ansible/roles/prosody/tasks/deploy-prosody.yml b/ansible/roles/prosody/tasks/deploy-prosody.yml new file mode 100644 index 0000000..50c72ec --- /dev/null +++ b/ansible/roles/prosody/tasks/deploy-prosody.yml @@ -0,0 +1,84 @@ +--- +- + name: Ensure install directory exists + file: + path: "{{ install_dir }}" + state: directory + mode: "0755" + +- + name: Ensure modules directory exists + file: + path: "{{ install_dir }}/modules" + state: directory + mode: "0755" + when: oauth_client_id is defined or default_contacts is defined or smtp_host is defined or session_timeout is defined + +- + name: Deploy mod_auth_oauth_external + copy: + src: mod_auth_oauth_external.lua + dest: "{{ install_dir }}/modules/mod_auth_oauth_external.lua" + when: oauth_client_id is defined + +- + name: Deploy mod_sasl_oauthbearer_only_bosh + copy: + src: mod_sasl_oauthbearer_only_bosh.lua + dest: "{{ install_dir }}/modules/mod_sasl_oauthbearer_only_bosh.lua" + when: oauth_client_id is defined + +- + name: Deploy mod_default_contacts + template: + src: mod_default_contacts.lua.j2 + dest: "{{ install_dir }}/modules/mod_default_contacts.lua" + when: default_contacts is defined + +- + name: Deploy mod_session_timeout + copy: + src: mod_session_timeout.lua + dest: "{{ install_dir }}/modules/mod_session_timeout.lua" + when: session_timeout is defined + +- + name: Deploy mod_offline_email + template: + src: mod_offline_email.lua.j2 + dest: "{{ install_dir }}/modules/mod_offline_email.lua" + when: smtp_host is defined + +- + name: Deploy prosody configuration + template: + src: prosody.cfg.lua.j2 + dest: "{{ install_dir }}/prosody.cfg.lua" + +- + name: Deploy docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ install_dir }}/docker-compose.yml" + +- + name: Start prosody stack + include_role: + name: docker + tasks_from: start-compose + vars: + compose_project_dir: "{{ install_dir }}" + +- + name: Deploy prosody backup script + include_role: + name: docker + tasks_from: deploy-backup + vars: + backup_name: prosody + backup_hook_dir: /etc/restic/pre-backup.d + backup_volumes: + - prosody_prosody_data + backup_files: + - "{{ install_dir }}/docker-compose.yml" + - "{{ install_dir }}/prosody.cfg.lua" diff --git a/ansible/roles/prosody/tasks/main.yml b/ansible/roles/prosody/tasks/main.yml new file mode 100644 index 0000000..b377963 --- /dev/null +++ b/ansible/roles/prosody/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Deploy prosody + ansible.builtin.include_tasks: deploy-prosody.yml diff --git a/ansible/roles/prosody/tasks/restore.yml b/ansible/roles/prosody/tasks/restore.yml new file mode 100644 index 0000000..36abc56 --- /dev/null +++ b/ansible/roles/prosody/tasks/restore.yml @@ -0,0 +1,36 @@ +--- +- + name: Set backup staging directory + set_fact: + _prosody_backup_dir: "{{ backup_staging_dir | default('/var/backups') }}/prosody" + +- + name: Stop prosody stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: absent + +- + name: Restore config files + copy: + src: "{{ _prosody_backup_dir }}/{{ item }}" + dest: "{{ install_dir }}/{{ item }}" + remote_src: yes + mode: "0600" + loop: + - docker-compose.yml + - prosody.cfg.lua + +- + name: Restore prosody data volume + command: > + docker run --rm + -v prosody_prosody_data:/data + -v {{ _prosody_backup_dir }}:/backup + alpine sh -c "rm -rf /data/* && tar xzf /backup/prosody_data.tar.gz -C /data" + +- + name: Start prosody stack + community.docker.docker_compose_v2: + project_src: "{{ install_dir }}" + state: present diff --git a/ansible/roles/prosody/templates/docker-compose.yml.j2 b/ansible/roles/prosody/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..ef7c118 --- /dev/null +++ b/ansible/roles/prosody/templates/docker-compose.yml.j2 @@ -0,0 +1,18 @@ +services: + prosody: + image: prosodyim/prosody:{{ version }} + network_mode: host + volumes: + - prosody_data:/var/lib/prosody + - ./prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro +{% if oauth_client_id is defined or default_contacts is defined %} + - ./modules:/usr/lib/prosody/custom-modules:ro +{% endif %} +{% if ssl_cert is defined %} + - {{ ssl_cert }}:/etc/prosody/certs/fullchain.pem:ro + - {{ ssl_key }}:/etc/prosody/certs/privkey.pem:ro +{% endif %} + restart: unless-stopped + +volumes: + prosody_data: diff --git a/ansible/roles/prosody/templates/mod_default_contacts.lua.j2 b/ansible/roles/prosody/templates/mod_default_contacts.lua.j2 new file mode 100644 index 0000000..29ebe10 --- /dev/null +++ b/ansible/roles/prosody/templates/mod_default_contacts.lua.j2 @@ -0,0 +1,40 @@ +local rostermanager = require "core.rostermanager"; +local host = module.host; + +local default_contacts = module:get_option("default_contacts", {}); + +module:hook("resource-bind", function(event) + local user = event.session.username; + local user_jid = user .. "@" .. host; + local roster = rostermanager.load_roster(user, host); + + for _, contact in ipairs(default_contacts) do + local contact_user = contact.jid:match("^([^@]+)@"); + if contact_user ~= user and not roster[contact.jid] then + -- Add contact to this user's roster + local groups = {}; + for _, gname in ipairs(contact.groups or {}) do + groups[gname] = true; + end + roster[contact.jid] = { + subscription = "both"; + name = contact.name; + groups = groups; + }; + rostermanager.save_roster(user, host); + rostermanager.roster_push(user, host, contact.jid); + + -- Add this user to the contact's roster (for bidirectional presence) + local contact_roster = rostermanager.load_roster(contact_user, host); + if contact_roster and not contact_roster[user_jid] then + contact_roster[user_jid] = { + subscription = "both"; + name = user; + groups = {}; + }; + rostermanager.save_roster(contact_user, host); + rostermanager.roster_push(contact_user, host, user_jid); + end + end + end +end); diff --git a/ansible/roles/prosody/templates/mod_offline_email.lua.j2 b/ansible/roles/prosody/templates/mod_offline_email.lua.j2 new file mode 100644 index 0000000..618b963 --- /dev/null +++ b/ansible/roles/prosody/templates/mod_offline_email.lua.j2 @@ -0,0 +1,144 @@ +local socket = require "socket"; +local ssl = require "ssl"; +local b64 = require "prosody.util.encodings".base64.encode; + +local smtp_server = module:get_option_string("offline_email_smtp_server"); +local smtp_port = module:get_option_number("offline_email_smtp_port", 587); +local smtp_username = module:get_option_string("offline_email_smtp_username"); +local smtp_password = module:get_option_string("offline_email_smtp_password"); +local smtp_from = module:get_option_string("offline_email_smtp_from", smtp_username); + +local accounts = module:open_store("accounts"); + +local function read_response(sock) + local lines = {}; + while true do + local line, err = sock:receive("*l"); + if not line then return nil, err; end + table.insert(lines, line); + if line:sub(4, 4) == " " then break; end + end + local code = tonumber(lines[1]:sub(1, 3)); + return code, table.concat(lines, "\n"); +end + +local function send_command(sock, cmd) + sock:send(cmd .. "\r\n"); + return read_response(sock); +end + +local function send_email(to_email, subject, body_text) + local sock = socket.tcp(); + sock:settimeout(10); + + local ok, err = sock:connect(smtp_server, smtp_port); + if not ok then return nil, "connect: " .. tostring(err); end + + local code, resp = read_response(sock); + if not code or code ~= 220 then + sock:close(); + return nil, "greeting: " .. tostring(resp); + end + + code = send_command(sock, "EHLO localhost"); + if code ~= 250 then sock:close(); return nil, "EHLO failed"; end + + code = send_command(sock, "STARTTLS"); + if code ~= 220 then sock:close(); return nil, "STARTTLS rejected"; end + + sock = ssl.wrap(sock, { mode = "client", protocol = "any", verify = "none" }); + ok = sock:dohandshake(); + if not ok then sock:close(); return nil, "TLS handshake failed"; end + + code = send_command(sock, "EHLO localhost"); + if code ~= 250 then sock:close(); return nil, "EHLO after TLS failed"; end + + local auth_str = b64("\0" .. smtp_username .. "\0" .. smtp_password); + code = send_command(sock, "AUTH PLAIN " .. auth_str); + if code ~= 235 then sock:close(); return nil, "AUTH failed"; end + + code = send_command(sock, "MAIL FROM:<" .. smtp_from .. ">"); + if code ~= 250 then sock:close(); return nil, "MAIL FROM failed"; end + + code = send_command(sock, "RCPT TO:<" .. to_email .. ">"); + if code ~= 250 then sock:close(); return nil, "RCPT TO failed"; end + + code = send_command(sock, "DATA"); + if code ~= 354 then sock:close(); return nil, "DATA failed"; end + + local message = "From: " .. smtp_from .. "\r\n" .. + "To: " .. to_email .. "\r\n" .. + "Subject: " .. subject .. "\r\n" .. + "Content-Type: text/plain; charset=UTF-8\r\n" .. + "\r\n" .. + body_text .. "\r\n.\r\n"; + sock:send(message); + code = read_response(sock); + if code ~= 250 then sock:close(); return nil, "message rejected"; end + + send_command(sock, "QUIT"); + sock:close(); + return true; +end + +local function notify_offline(to_user, stanza) + local body = stanza:get_child_text("body"); + local is_encrypted = stanza:get_child("encrypted", "eu.siacs.conversations.axolotl") ~= nil; + + if not is_encrypted and (not body or body == "") then return; end + + local account = accounts:get(to_user); + if not account or not account.email then return; end + + local from_jid = stanza.attr.from or "unknown"; + local from_name = from_jid:match("^([^@]+)") or from_jid; + local subject = "New message from " .. from_name; + local email_body; + if is_encrypted then + email_body = "Ahoy,\r\n\r\n" .. + "while offline, you've received an encrypted message from " .. from_name .. ".\r\n\r\n" .. + "This message was sent using end-to-end encryption (OMEMO).\r\n" .. + "To view it, log in from the same device where your encryption keys are stored. " .. + "The message cannot be read on a different device or client.\r\n\r\n" .. + "Kind regards,\r\n\r\n" .. + "Tiara"; + else + email_body = "Ahoy,\r\n\r\n" .. + "while offline, you received a plain-text message from " .. from_name .. ":\r\n\r\n" .. + ">> " .. body .. "\r\n\r\n" .. + "Kind regards,\r\n\r\n" .. + "Tiara"; + end + + local ok, err = send_email(account.email, subject, email_body); + if ok then + module:log("info", "Sent offline email notification to %s for user %s", account.email, to_user); + else + module:log("warn", "Failed to send offline email to %s: %s", account.email, tostring(err)); + end +end + +local bare_sessions = prosody.bare_sessions; +local jid = require "util.jid"; + +local function has_hibernating_session(username) + local bare = username .. "@" .. module.host; + local user = bare_sessions[bare]; + if not user then return false; end + for _, session in pairs(user.sessions) do + if session.hibernating then return true; end + end + return false; +end + +-- Fired when user is offline (no sessions) or when smacks gives up on a hibernating session +module:hook("message/offline/handle", function(event) + local to_user = event.username or (event.stanza.attr.to and event.stanza.attr.to:match("^([^@]+)")); + if not to_user then return; end + -- Skip if smacks is still hibernating — we'll get called again when it expires + if has_hibernating_session(to_user) then + module:log("debug", "Skipping email for %s — smacks session still hibernating", to_user); + return; + end + notify_offline(to_user, event.stanza); +end, 1); diff --git a/ansible/roles/prosody/templates/prosody.cfg.lua.j2 b/ansible/roles/prosody/templates/prosody.cfg.lua.j2 new file mode 100644 index 0000000..9e0df5f --- /dev/null +++ b/ansible/roles/prosody/templates/prosody.cfg.lua.j2 @@ -0,0 +1,111 @@ +admins = { "{{ admin_jid }}" } + +{% if oauth_client_id is defined or default_contacts is defined or smtp_host is defined or session_timeout is defined %} +plugin_paths = { "/usr/lib/prosody/custom-modules" } +{% endif %} + +modules_enabled = { + "roster"; + "saslauth"; + "tls"; + "dialback"; + "disco"; + "carbons"; + "pep"; + "private"; + "blocklist"; + "vcard4"; + "vcard_legacy"; + "version"; + "uptime"; + "time"; + "ping"; + "register"; + "admin_adhoc"; + "bosh"; + "websocket"; + "smacks"; + "csi_simple"; + "mam"; +{% if oauth_client_id is defined %} + "sasl_oauthbearer_only_bosh"; +{% endif %} +{% if session_timeout is defined %} + "session_timeout"; +{% endif %} +{% if smtp_host is defined %} + "offline"; + "offline_email"; +{% endif %} +} + +allow_registration = false + +http_ports = { 5280 } +http_interfaces = { "127.0.0.1" } + +https_ports = {} + +proxy65_ports = { {{ proxy65_port }} } + +consider_bosh_secure = true +consider_websocket_secure = true + +VirtualHost "{{ domain }}" +{% if oauth_client_id is defined %} + authentication = "oauth_external" + oauth_external_validation_endpoint = "{{ oauth_userinfo_url }}" + oauth_external_username_field = "preferred_username" + oauth_external_client_id = "{{ oauth_ropc_client_id | default(oauth_client_id) }}" +{% if oauth_ropc_client_secret is defined %} + oauth_external_client_secret = "{{ oauth_ropc_client_secret }}" + oauth_external_token_endpoint = "{{ oauth_token_url }}" + oauth_external_resource_owner_password = true + oauth_external_scope = "openid profile email" +{% endif %} +{% else %} + authentication = "internal_hashed" +{% endif %} +{% if session_timeout is defined %} + session_timeout = {{ session_timeout }} +{% endif %} +{% if smtp_host is defined %} + offline_email_smtp_server = "{{ smtp_host }}" + offline_email_smtp_port = {{ smtp_port | default(587) }} + offline_email_smtp_username = "{{ smtp_username }}" + offline_email_smtp_password = "{{ smtp_password }}" + offline_email_smtp_from = "{{ smtp_from | default(smtp_username) }}" +{% endif %} +{% if default_contacts is defined %} + modules_enabled = { "default_contacts" } + default_contacts = { +{% for contact in default_contacts %} + { jid = "{{ contact.jid }}"; name = "{{ contact.name }}"; groups = { "{{ contact.group | default('Contacts') }}" } }; +{% endfor %} + } +{% endif %} + +{% if ssl_cert is defined %} + ssl = { + certificate = "/etc/prosody/certs/fullchain.pem"; + key = "/etc/prosody/certs/privkey.pem"; + } +{% endif %} + +Component "conference.{{ domain }}" "muc" + modules_enabled = { "muc_mam" } + restrict_room_creation = true + muc_room_default_public = false + muc_room_default_members_only = true + muc_room_default_change_subject = true + muc_room_default_history_length = 50 + muc_room_locking = false + +Component "upload.{{ domain }}" "http_file_share" + http_file_share_size_limit = {{ http_upload_file_size_limit }} + http_file_share_expires_after = {{ http_upload_expire_after }} + http_host = "upload.{{ domain }}" + http_external_url = "https://upload.{{ domain }}" + +Component "proxy.{{ domain }}" "proxy65" + proxy65_address = "{{ proxy65_address }}" diff --git a/ansible/roles/restic/defaults/main.yml b/ansible/roles/restic/defaults/main.yml new file mode 100644 index 0000000..40ecedf --- /dev/null +++ b/ansible/roles/restic/defaults/main.yml @@ -0,0 +1,8 @@ +--- +s3_endpoint: "https://a1ccf35724deda4d054913d2891e80a0.eu.r2.cloudflarestorage.com" +s3_bucket: backups +password: "{{ vault_restic_password }}" +s3_access_key_id: "{{ vault_s3_access_key_id }}" +s3_secret_access_key: "{{ vault_s3_secret_access_key }}" +staging_dir: /var/backups +backup_schedule: "Mon *-*-1,15 02:00:00" diff --git a/ansible/roles/restic/meta/main.yml b/ansible/roles/restic/meta/main.yml new file mode 100644 index 0000000..23d65c7 --- /dev/null +++ b/ansible/roles/restic/meta/main.yml @@ -0,0 +1,2 @@ +--- +dependencies: [] diff --git a/ansible/roles/restic/tasks/install-restic.yml b/ansible/roles/restic/tasks/install-restic.yml new file mode 100644 index 0000000..dc17c22 --- /dev/null +++ b/ansible/roles/restic/tasks/install-restic.yml @@ -0,0 +1,57 @@ +--- +- + name: Install restic + apt: + name: restic + state: present + update_cache: yes + +- + name: Initialize restic S3 repository + command: restic init --repo s3:{{ s3_endpoint }}/{{ s3_bucket }}/{{ host_id }} + environment: + RESTIC_PASSWORD: "{{ password }}" + AWS_ACCESS_KEY_ID: "{{ s3_access_key_id }}" + AWS_SECRET_ACCESS_KEY: "{{ s3_secret_access_key }}" + register: restic_init + changed_when: restic_init.rc == 0 + failed_when: restic_init.rc != 0 and 'already initialized' not in restic_init.stderr + no_log: true + +- + name: Create pre-backup scripts directory + file: + path: /etc/restic/pre-backup.d + state: directory + mode: "0755" + +- + name: Deploy backup script + template: + src: restic-backup.sh.j2 + dest: /usr/local/bin/restic-backup.sh + mode: "0700" + +- + name: Deploy backup systemd service + template: + src: restic-backup.service.j2 + dest: /etc/systemd/system/restic-backup.service + +- + name: Deploy backup systemd timer + template: + src: restic-backup.timer.j2 + dest: /etc/systemd/system/restic-backup.timer + +- + name: Reload systemd + systemd: + daemon_reload: yes + +- + name: Enable backup timer + systemd: + name: restic-backup.timer + enabled: yes + state: started diff --git a/ansible/roles/restic/tasks/main.yml b/ansible/roles/restic/tasks/main.yml new file mode 100644 index 0000000..63a1d0d --- /dev/null +++ b/ansible/roles/restic/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- + name: Install and configure restic + ansible.builtin.include_tasks: install-restic.yml diff --git a/ansible/roles/restic/tasks/restore-restic.yml b/ansible/roles/restic/tasks/restore-restic.yml new file mode 100644 index 0000000..0eee0fa --- /dev/null +++ b/ansible/roles/restic/tasks/restore-restic.yml @@ -0,0 +1,20 @@ +--- +- + name: Install restic + apt: + name: restic + state: present + update_cache: yes + +- + name: Restore latest snapshot from S3 + command: > + restic restore latest + --repo s3:{{ s3_endpoint }}/{{ s3_bucket }}/{{ host_id }} + --target / + {{ '--include ' + restore_include if restore_include is defined else '' }} + environment: + RESTIC_PASSWORD: "{{ password }}" + AWS_ACCESS_KEY_ID: "{{ s3_access_key_id }}" + AWS_SECRET_ACCESS_KEY: "{{ s3_secret_access_key }}" + no_log: true diff --git a/ansible/roles/restic/templates/restic-backup.service.j2 b/ansible/roles/restic/templates/restic-backup.service.j2 new file mode 100644 index 0000000..58be621 --- /dev/null +++ b/ansible/roles/restic/templates/restic-backup.service.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Restic backup +After=network-online.target +Wants=network-online.target + +[Service] +Type=oneshot +Environment=HOME=/root +ExecStart=/usr/local/bin/restic-backup.sh diff --git a/ansible/roles/restic/templates/restic-backup.sh.j2 b/ansible/roles/restic/templates/restic-backup.sh.j2 new file mode 100644 index 0000000..e2d64d2 --- /dev/null +++ b/ansible/roles/restic/templates/restic-backup.sh.j2 @@ -0,0 +1,22 @@ +#!/bin/bash +set -euo pipefail + +STAGING_DIR="{{ staging_dir }}" +RESTIC_REPO="s3:{{ s3_endpoint }}/{{ s3_bucket }}/{{ host_id }}" +export RESTIC_PASSWORD="{{ password }}" +export AWS_ACCESS_KEY_ID="{{ s3_access_key_id }}" +export AWS_SECRET_ACCESS_KEY="{{ s3_secret_access_key }}" + +echo "$(date -Iseconds) Running pre-backup scripts..." +if [ -d /etc/restic/pre-backup.d ]; then + for script in /etc/restic/pre-backup.d/*.sh; do + [ -x "$script" ] || continue + echo " Running $script" + "$script" + done +fi + +echo "$(date -Iseconds) Creating restic snapshot..." +restic backup --repo "$RESTIC_REPO" "$STAGING_DIR" + +echo "$(date -Iseconds) Backup complete." diff --git a/ansible/roles/restic/templates/restic-backup.timer.j2 b/ansible/roles/restic/templates/restic-backup.timer.j2 new file mode 100644 index 0000000..429f140 --- /dev/null +++ b/ansible/roles/restic/templates/restic-backup.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Restic backup timer + +[Timer] +OnCalendar={{ backup_schedule }} +Persistent=true +RandomizedDelaySec=1h + +[Install] +WantedBy=timers.target diff --git a/ansible/roles/wireguard/defaults/main.yml b/ansible/roles/wireguard/defaults/main.yml new file mode 100644 index 0000000..fe08435 --- /dev/null +++ b/ansible/roles/wireguard/defaults/main.yml @@ -0,0 +1,4 @@ +--- +wg_interface: wg0 +wg_port: 51820 +wg_persistent_keepalive: 25 diff --git a/ansible/roles/wireguard/handlers/main.yml b/ansible/roles/wireguard/handlers/main.yml new file mode 100644 index 0000000..a937bf7 --- /dev/null +++ b/ansible/roles/wireguard/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- + name: restart wireguard + systemd: + name: "wg-quick@{{ wg_interface }}" + state: restarted diff --git a/ansible/roles/wireguard/meta/main.yml b/ansible/roles/wireguard/meta/main.yml new file mode 100644 index 0000000..23d65c7 --- /dev/null +++ b/ansible/roles/wireguard/meta/main.yml @@ -0,0 +1,2 @@ +--- +dependencies: [] diff --git a/ansible/roles/wireguard/tasks/deploy-wireguard.yml b/ansible/roles/wireguard/tasks/deploy-wireguard.yml new file mode 100644 index 0000000..55fbca6 --- /dev/null +++ b/ansible/roles/wireguard/tasks/deploy-wireguard.yml @@ -0,0 +1,21 @@ +--- +- + name: Read WireGuard private key + slurp: + src: /etc/wireguard/private.key + register: wg_private_key_file + +- + name: Deploy WireGuard configuration + template: + src: wg.conf.j2 + dest: "/etc/wireguard/{{ wg_interface }}.conf" + mode: "0600" + notify: restart wireguard + +- + name: Enable and start WireGuard + systemd: + name: "wg-quick@{{ wg_interface }}" + enabled: yes + state: started diff --git a/ansible/roles/wireguard/tasks/generate-keys.yml b/ansible/roles/wireguard/tasks/generate-keys.yml new file mode 100644 index 0000000..9d215a2 --- /dev/null +++ b/ansible/roles/wireguard/tasks/generate-keys.yml @@ -0,0 +1,45 @@ +--- +- + name: Ensure /etc/wireguard exists + file: + path: /etc/wireguard + state: directory + mode: "0700" + +- + name: Check for existing WireGuard private key + stat: + path: /etc/wireguard/private.key + register: wg_key_stat + +- + name: Generate WireGuard private key + command: wg genkey + register: wg_genkey + when: not wg_key_stat.stat.exists + +- + name: Save WireGuard private key + copy: + content: "{{ wg_genkey.stdout }}\n" + dest: /etc/wireguard/private.key + mode: "0600" + when: not wg_key_stat.stat.exists + +- + name: Derive WireGuard public key + shell: wg pubkey < /etc/wireguard/private.key + register: wg_pubkey_result + changed_when: false + +- + name: Save WireGuard public key + copy: + content: "{{ wg_pubkey_result.stdout }}\n" + dest: /etc/wireguard/public.key + mode: "0644" + +- + name: Set WireGuard key facts + set_fact: + wg_public_key: "{{ wg_pubkey_result.stdout | trim }}" diff --git a/ansible/roles/wireguard/tasks/install-wireguard.yml b/ansible/roles/wireguard/tasks/install-wireguard.yml new file mode 100644 index 0000000..5a1eb43 --- /dev/null +++ b/ansible/roles/wireguard/tasks/install-wireguard.yml @@ -0,0 +1,6 @@ +--- +- + name: Install WireGuard packages + package: + name: "{{ wg_packages }}" + state: present diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml new file mode 100644 index 0000000..6a470d9 --- /dev/null +++ b/ansible/roles/wireguard/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- + name: Include OS-specific variables + include_vars: "{{ ansible_os_family }}.yml" + +- + name: Install WireGuard + include_tasks: install-wireguard.yml diff --git a/ansible/roles/wireguard/templates/wg.conf.j2 b/ansible/roles/wireguard/templates/wg.conf.j2 new file mode 100644 index 0000000..f056025 --- /dev/null +++ b/ansible/roles/wireguard/templates/wg.conf.j2 @@ -0,0 +1,20 @@ +[Interface] +PrivateKey = {{ wg_private_key_file.content | b64decode | trim }} +Address = {{ wg_address }} +ListenPort = {{ wg_port }} + +{% for peer in wg_peers %} +{% if peer.name is defined %} +# {{ peer.name }} +{% endif %} +[Peer] +PublicKey = {{ peer.public_key }} +AllowedIPs = {{ peer.allowed_ips }} +{% if peer.endpoint is defined %} +Endpoint = {{ peer.endpoint }} +{% endif %} +{% if peer.persistent_keepalive | default(false) %} +PersistentKeepalive = {{ wg_persistent_keepalive }} +{% endif %} + +{% endfor %} diff --git a/ansible/roles/wireguard/vars/Debian.yml b/ansible/roles/wireguard/vars/Debian.yml new file mode 100644 index 0000000..40f9501 --- /dev/null +++ b/ansible/roles/wireguard/vars/Debian.yml @@ -0,0 +1,4 @@ +--- +wg_packages: + - wireguard + - wireguard-tools diff --git a/scripts/deploy.sh b/scripts/deploy.sh new file mode 100755 index 0000000..97dfd7d --- /dev/null +++ b/scripts/deploy.sh @@ -0,0 +1,69 @@ +#!/bin/sh +# Deploy a service to the local VMs. +# +# Usage: +# scripts/deploy.sh # deploy service +# scripts/deploy.sh --skip docker,apache # skip dependencies +# scripts/deploy.sh --restore # restore "provisioned" first +# scripts/deploy.sh --restore initialized # restore specific snapshot first +# +# Examples: +# scripts/deploy.sh bugzilla +# scripts/deploy.sh bugzilla --skip docker,apache +# scripts/deploy.sh prosody --restore +# scripts/deploy.sh authentik --restore initialized +set -eu +. "$(dirname "$0")/env.sh" + +service="" +skip_tags="" +restore_snapshot="" + +while [ $# -gt 0 ]; do + case "$1" in + --skip) + skip_tags="$2" + shift 2 + ;; + --restore) + restore_snapshot="${2:-provisioned}" + if [ $# -ge 2 ] && case "$2" in -*) false;; *) true;; esac; then + shift 2 + else + shift + fi + ;; + -*) + echo "Unknown option: $1" >&2 + exit 1 + ;; + *) + if [ -z "$service" ]; then + service="$1" + else + echo "Unexpected argument: $1" >&2 + exit 1 + fi + shift + ;; + esac +done + +if [ -z "$service" ]; then + echo "Usage: deploy.sh [--skip tags] [--restore [snapshot]]" >&2 + exit 1 +fi + +if [ -n "$restore_snapshot" ]; then + echo "==> Restoring to '$restore_snapshot'" + "$SCRIPT_DIR/vm/restore.sh" "$restore_snapshot" +fi + +echo "==> Deploying: $service" +if [ -n "$skip_tags" ]; then + ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --vault-password-file "$VAULT_PASS" \ + --tags "$service" --skip-tags "$skip_tags" +else + ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --vault-password-file "$VAULT_PASS" \ + --tags "$service" +fi diff --git a/scripts/env.sh b/scripts/env.sh new file mode 100644 index 0000000..12cc63d --- /dev/null +++ b/scripts/env.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# Shared environment for top-level workflow scripts. +# Source this — don't execute directly. + +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +INVENTORY=ansible/inventories/debug/hosts.ini +PLAYBOOK=ansible/playbooks/setup.yml +VAULT_PASS=.vault-pass-debug + +export QEMU_VM="$(command -v qemu-vm)" diff --git a/scripts/local/setup-hosts.sh b/scripts/local/setup-hosts.sh new file mode 100644 index 0000000..d15ccf0 --- /dev/null +++ b/scripts/local/setup-hosts.sh @@ -0,0 +1,32 @@ +#!/bin/sh +# Add /etc/hosts entries for VM service domains. Requires root. +set -eu + +# Domains on vm-proxy (WG: 10.0.0.1) +PROXY_DOMAINS=" +tiararodney.com +chat.tiararodney.com +comments.tiararodney.com +bugs.code.tiararodney.com +dockerhub.oci.code.tiararodney.com +ghcr.oci.code.tiararodney.com +crates.code.tiararodney.com +pypi.code.tiararodney.com +" + +# Domains on vm-idp (WG: 10.0.0.2) +IDP_DOMAINS=" +accounts.tiararodney.com +" + +for domain in $PROXY_DOMAINS; do + grep -q "$domain" /etc/hosts 2>/dev/null && continue + echo "10.0.0.1 $domain" >> /etc/hosts + echo " added $domain -> 10.0.0.1" +done + +for domain in $IDP_DOMAINS; do + grep -q "$domain" /etc/hosts 2>/dev/null && continue + echo "10.0.0.2 $domain" >> /etc/hosts + echo " added $domain -> 10.0.0.2" +done diff --git a/scripts/local/setup-wireguard.sh b/scripts/local/setup-wireguard.sh new file mode 100644 index 0000000..a467bb7 --- /dev/null +++ b/scripts/local/setup-wireguard.sh @@ -0,0 +1,49 @@ +#!/bin/sh +# Configure local WireGuard interface to peer with the VMs. Requires root. +# +# Expects /etc/wireguard/private.key and /etc/wireguard/public.key to exist. +# Generate with: +# wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key +set -eu + +SSH_USER=debian +SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" +PROXY_HOST=10.10.0.2 +IDP_HOST=10.10.0.3 + +WG_IFACE=wg-dev +LOCAL_WG_IP=10.0.0.3/24 +WG_PORT=51820 + +# Get the VM public keys +PROXY_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${PROXY_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null) +IDP_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${IDP_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null) + +if [ -z "$PROXY_PUBKEY" ] || [ -z "$IDP_PUBKEY" ]; then + echo "Failed to retrieve VM WireGuard public keys." >&2 + echo "Has the wireguard role been deployed?" >&2 + exit 1 +fi + +cat > /etc/wireguard/${WG_IFACE}.conf </dev/null || true +wg-quick up ${WG_IFACE} + +echo "==> WireGuard ${WG_IFACE} up (${LOCAL_WG_IP})" diff --git a/scripts/local/teardown-hosts.sh b/scripts/local/teardown-hosts.sh new file mode 100644 index 0000000..87a0917 --- /dev/null +++ b/scripts/local/teardown-hosts.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# Remove VM service domain entries from /etc/hosts. Requires root. +set -eu + +DOMAINS=" +tiararodney.com +chat.tiararodney.com +comments.tiararodney.com +bugs.code.tiararodney.com +dockerhub.oci.code.tiararodney.com +ghcr.oci.code.tiararodney.com +crates.code.tiararodney.com +pypi.code.tiararodney.com +accounts.tiararodney.com +" + +for domain in $DOMAINS; do + sed -i "/[[:space:]]${domain}$/d" /etc/hosts +done + +echo "==> /etc/hosts entries removed" diff --git a/scripts/local/teardown-wireguard.sh b/scripts/local/teardown-wireguard.sh new file mode 100644 index 0000000..1749c05 --- /dev/null +++ b/scripts/local/teardown-wireguard.sh @@ -0,0 +1,10 @@ +#!/bin/sh +# Remove local WireGuard interface. Requires root. +set -eu + +WG_IFACE=wg-dev + +wg-quick down ${WG_IFACE} 2>/dev/null || true +rm -f /etc/wireguard/${WG_IFACE}.conf + +echo "==> WireGuard ${WG_IFACE} removed" diff --git a/scripts/prod-deploy.sh b/scripts/prod-deploy.sh new file mode 100755 index 0000000..a78c7e2 --- /dev/null +++ b/scripts/prod-deploy.sh @@ -0,0 +1,45 @@ +#!/bin/sh +# Deploy to production. +# +# Usage: +# scripts/prod-deploy.sh # full deployment +# scripts/prod-deploy.sh # targeted deployment +# scripts/prod-deploy.sh --skip docker,apache +set -eu + +INVENTORY=ansible/inventories/prod/hosts.ini +PLAYBOOK=ansible/playbooks/setup.yml + +service="" +skip_tags="" + +while [ $# -gt 0 ]; do + case "$1" in + --skip) + skip_tags="$2" + shift 2 + ;; + -*) + echo "Unknown option: $1" >&2 + exit 1 + ;; + *) + service="$1" + shift + ;; + esac +done + +if [ -n "$service" ]; then + echo "==> Deploying to production: $service" + if [ -n "$skip_tags" ]; then + exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" \ + --tags "$service" --skip-tags "$skip_tags" + else + exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" \ + --tags "$service" + fi +else + echo "==> Full production deployment" + exec ansible-playbook -i "$INVENTORY" "$PLAYBOOK" +fi diff --git a/scripts/provision.sh b/scripts/provision.sh new file mode 100755 index 0000000..70ce093 --- /dev/null +++ b/scripts/provision.sh @@ -0,0 +1,29 @@ +#!/bin/sh +# Full first-time provisioning: set up networking, create VMs, run the +# complete playbook, then snapshot as "provisioned" for fast iteration. +set -eu +. "$(dirname "$0")/env.sh" + +echo "==> Setting up bridge network" +mkdir -p .local/qemu +sudo --preserve-env=QEMU_VM "$SCRIPT_DIR/vm/setup-network.sh" + +echo "==> Creating VMs" +"$SCRIPT_DIR/vm/create.sh" + +echo "==> Starting VMs" +"$SCRIPT_DIR/vm/start.sh" + +echo "==> Running full playbook" +ansible-playbook -i "$INVENTORY" "$PLAYBOOK" --vault-password-file "$VAULT_PASS" + +echo "==> Setting up local WireGuard" +sudo "$SCRIPT_DIR/local/setup-wireguard.sh" + +echo "==> Setting up local /etc/hosts" +sudo "$SCRIPT_DIR/local/setup-hosts.sh" + +echo "==> Snapshotting 'provisioned'" +"$SCRIPT_DIR/vm/snapshot.sh" provisioned + +echo "==> Done. Iterate with: scripts/deploy.sh " diff --git a/scripts/reproduce-containerd-referrers.sh b/scripts/reproduce-containerd-referrers.sh new file mode 100644 index 0000000..423818b --- /dev/null +++ b/scripts/reproduce-containerd-referrers.sh @@ -0,0 +1,98 @@ +#!/bin/sh +# Reproduce: containerd-snapshotter pull-through mirror referrers failure +# +# Prerequisites: Docker Engine installed, root access +# This script: +# 1. Starts a pull-through registry mirror for Docker Hub +# 2. Enables containerd-snapshotter +# 3. Configures Docker to use the mirror via hosts.toml +# 4. Pulls an image — fails with "failed to decode referrers index" +# +# Run as root. +set -eu + +MIRROR_PORT=5555 +MIRROR_NAME=registry-mirror-test + +cleanup() { + echo "==> Cleaning up" + docker rm -f "$MIRROR_NAME" 2>/dev/null || true + rm -rf /etc/docker/certs.d/docker.io + rm -f /tmp/mirror-config.yml + + # Restore daemon.json + if [ -f /etc/docker/daemon.json.bak ]; then + mv /etc/docker/daemon.json.bak /etc/docker/daemon.json + else + rm -f /etc/docker/daemon.json + fi + systemctl restart docker 2>/dev/null || true +} +trap cleanup EXIT + +echo "==> Step 1: Start pull-through registry mirror" +cat > /tmp/mirror-config.yml </dev/null || true +docker run -d \ + --name "$MIRROR_NAME" \ + -p "${MIRROR_PORT}:5000" \ + -v /tmp/mirror-config.yml:/etc/docker/registry/config.yml:ro \ + registry:2 + +echo " Waiting for mirror to start..." +sleep 3 + +echo "==> Step 2: Enable containerd-snapshotter" +if [ -f /etc/docker/daemon.json ]; then + cp /etc/docker/daemon.json /etc/docker/daemon.json.bak +fi +cat > /etc/docker/daemon.json < Step 3: Configure mirror via hosts.toml" +mkdir -p /etc/docker/certs.d/docker.io +cat > /etc/docker/certs.d/docker.io/hosts.toml < Step 4: Restart Docker" +systemctl restart docker +sleep 3 + +echo "==> Step 5: Remove cached image and pull through mirror" +docker image rm alpine:latest 2>/dev/null || true +echo " Pulling alpine:latest..." +if docker pull alpine:latest; then + echo " PASS: Pull succeeded (issue may be fixed)" +else + echo " FAIL: Pull failed with referrers error (issue reproduced)" +fi + +echo +echo "==> Docker version:" +docker version --format '{{.Server.Version}}' +echo "==> Storage driver:" +docker info --format '{{.Driver}}' diff --git a/scripts/reset.sh b/scripts/reset.sh new file mode 100755 index 0000000..a263209 --- /dev/null +++ b/scripts/reset.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# Restore VMs to a snapshot. +# +# Usage: +# scripts/reset.sh # restore to "initialized" +# scripts/reset.sh provisioned # restore to "provisioned" +set -eu +. "$(dirname "$0")/env.sh" + +label="${1:-initialized}" + +exec "$SCRIPT_DIR/vm/restore.sh" "$label" diff --git a/scripts/resume.sh b/scripts/resume.sh new file mode 100755 index 0000000..8389d66 --- /dev/null +++ b/scripts/resume.sh @@ -0,0 +1,6 @@ +#!/bin/sh +# Resume VMs — start them back up. +set -eu +. "$(dirname "$0")/env.sh" + +exec "$SCRIPT_DIR/vm/start.sh" diff --git a/scripts/suspend.sh b/scripts/suspend.sh new file mode 100755 index 0000000..5c65c4c --- /dev/null +++ b/scripts/suspend.sh @@ -0,0 +1,6 @@ +#!/bin/sh +# Suspend VMs — stop them gracefully. +set -eu +. "$(dirname "$0")/env.sh" + +exec "$SCRIPT_DIR/vm/stop.sh" diff --git a/scripts/teardown.sh b/scripts/teardown.sh new file mode 100644 index 0000000..7761d45 --- /dev/null +++ b/scripts/teardown.sh @@ -0,0 +1,15 @@ +#!/bin/sh +# Full teardown: destroy VMs and clean up local machine config. +set -eu +. "$(dirname "$0")/env.sh" + +echo "==> Destroying VMs" +"$SCRIPT_DIR/vm/destroy.sh" + +echo "==> Tearing down local WireGuard" +sudo "$SCRIPT_DIR/local/teardown-wireguard.sh" + +echo "==> Removing local /etc/hosts entries" +sudo "$SCRIPT_DIR/local/teardown-hosts.sh" + +echo "==> Done. Run scripts/provision.sh to start over." diff --git a/scripts/vm/create.sh b/scripts/vm/create.sh new file mode 100755 index 0000000..d1b6b75 --- /dev/null +++ b/scripts/vm/create.sh @@ -0,0 +1,48 @@ +#!/bin/sh +# First-time setup: download image, create volumes, provision VMs, +# wait for cloud-init, then snapshot as "initialized". +set -eu +. "$(dirname "$0")/env.sh" + +echo "==> Downloading cloud image" +"$QEMU_VM" image download + +echo "==> Creating volumes" +"$QEMU_VM" volume create "$PROXY_VM" --size 20G --backing debian-12 +"$QEMU_VM" volume create "$IDP_VM" --size 20G --backing debian-12 + +echo "==> Preparing TAP interfaces" +sudo --preserve-env=QEMU_VM "$(dirname "$0")/setup-taps.sh" + +echo "==> Clearing stale SSH host keys" +clear_host_keys + +echo "==> Creating instances (in screen sessions)" +screen -dmS "$PROXY_VM" \ + "$QEMU_VM" instance create "$PROXY_VM" 0 \ + --network "$NETWORK" --ip "$PROXY_IP" --headless + +screen -dmS "$IDP_VM" \ + "$QEMU_VM" instance create "$IDP_VM" 0 \ + --network "$NETWORK" --ip "$IDP_IP" --headless + +echo "==> Waiting for cloud-init" +wait_ssh "$PROXY_HOST" +# shellcheck disable=SC2086 +ssh $SSH_OPTS "${SSH_USER}@${PROXY_HOST}" 'cloud-init status --wait' +echo " $PROXY_VM ready" + +wait_ssh "$IDP_HOST" +# shellcheck disable=SC2086 +ssh $SSH_OPTS "${SSH_USER}@${IDP_HOST}" 'cloud-init status --wait' +echo " $IDP_VM ready" + +echo "==> Stopping for initial snapshot" +"$QEMU_VM" instance stop "$PROXY_VM" +"$QEMU_VM" instance stop "$IDP_VM" + +echo "==> Snapshotting 'initialized'" +"$QEMU_VM" volume snapshot "$PROXY_VM" initialized +"$QEMU_VM" volume snapshot "$IDP_VM" initialized + +echo "==> Done. Run: scripts/vm/start.sh" diff --git a/scripts/vm/destroy.sh b/scripts/vm/destroy.sh new file mode 100755 index 0000000..391c14c --- /dev/null +++ b/scripts/vm/destroy.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# Destroy everything: stop VMs, delete volumes. +# Use scripts/vm/create.sh to start over. +set -eu +. "$(dirname "$0")/env.sh" + +"$(dirname "$0")/stop.sh" + +echo "==> Deleting volumes" +"$QEMU_VM" volume delete "$PROXY_VM" 2>/dev/null || true +"$QEMU_VM" volume delete "$IDP_VM" 2>/dev/null || true + +echo "==> Destroyed. Run scripts/vm/create.sh to recreate." diff --git a/scripts/vm/env.sh b/scripts/vm/env.sh new file mode 100755 index 0000000..1ee6d29 --- /dev/null +++ b/scripts/vm/env.sh @@ -0,0 +1,47 @@ +#!/bin/sh +# Shared environment for all VM scripts. +# Source this — don't execute directly. + +# Caller must set QEMU_VM, or we fall back to PATH lookup. +QEMU_VM="${QEMU_VM:-qemu-vm}" + +BRIDGE=qemu-br0 +GATEWAY=10.10.0.1/24 +SUBNET=10.10.0.0/24 +NETWORK=lab + +PROXY_VM=vm-proxy +PROXY_IP=10.10.0.2/24 + +IDP_VM=vm-idp +IDP_IP=10.10.0.3/24 + +PROXY_HOST="${PROXY_IP%%/*}" +IDP_HOST="${IDP_IP%%/*}" + +SSH_USER=debian +SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR" + +clear_host_keys() { + ssh-keygen -R "$PROXY_HOST" 2>/dev/null || true + ssh-keygen -R "$IDP_HOST" 2>/dev/null || true +} + +learn_host_keys() { + ssh-keyscan -H "$PROXY_HOST" >> ~/.ssh/known_hosts 2>/dev/null + ssh-keyscan -H "$IDP_HOST" >> ~/.ssh/known_hosts 2>/dev/null +} + +wait_ssh() { + _host=$1 _i=0 + while [ "$_i" -lt 60 ]; do + # shellcheck disable=SC2086 + if ssh $SSH_OPTS "${SSH_USER}@${_host}" true 2>/dev/null; then + return 0 + fi + _i=$((_i + 1)) + sleep 1 + done + echo "SSH timeout: ${_host}" >&2 + return 1 +} diff --git a/scripts/vm/restore.sh b/scripts/vm/restore.sh new file mode 100755 index 0000000..cd00e5b --- /dev/null +++ b/scripts/vm/restore.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# Restore both VM volumes to a snapshot and start them. +# +# Usage: scripts/vm/restore.sh +# e.g. scripts/vm/restore.sh initialized +set -eu +. "$(dirname "$0")/env.sh" + +label="${1:?Usage: restore.sh }" + +"$(dirname "$0")/stop.sh" + +echo "==> Restoring '$label'" +"$QEMU_VM" volume restore "$PROXY_VM" "$label" +"$QEMU_VM" volume restore "$IDP_VM" "$label" + +echo "==> Clearing stale SSH host keys" +clear_host_keys + +exec "$(dirname "$0")/start.sh" diff --git a/scripts/vm/setup-network.sh b/scripts/vm/setup-network.sh new file mode 100755 index 0000000..3c583c8 --- /dev/null +++ b/scripts/vm/setup-network.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# Create and activate the bridge network. Requires root. +set -eu +. "$(dirname "$0")/env.sh" + +"$QEMU_VM" network create "$NETWORK" \ + --type bridge \ + --bridge "$BRIDGE" \ + --gateway "$GATEWAY" \ + --subnet "$SUBNET" 2>/dev/null || true + +exec "$QEMU_VM" network setup "$NETWORK" diff --git a/scripts/vm/setup-taps.sh b/scripts/vm/setup-taps.sh new file mode 100755 index 0000000..3034c70 --- /dev/null +++ b/scripts/vm/setup-taps.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# Pre-create TAP interfaces for both VMs. Requires root. +set -eu +. "$(dirname "$0")/env.sh" + +"$QEMU_VM" network attach "$NETWORK" "$PROXY_VM" +"$QEMU_VM" network attach "$NETWORK" "$IDP_VM" diff --git a/scripts/vm/snapshot.sh b/scripts/vm/snapshot.sh new file mode 100755 index 0000000..38f1eac --- /dev/null +++ b/scripts/vm/snapshot.sh @@ -0,0 +1,16 @@ +#!/bin/sh +# Snapshot both VM volumes. Stops VMs first. +# +# Usage: scripts/vm/snapshot.sh +set -eu +. "$(dirname "$0")/env.sh" + +label="${1:?Usage: snapshot.sh }" + +"$(dirname "$0")/stop.sh" + +echo "==> Snapshotting '$label'" +"$QEMU_VM" volume snapshot "$PROXY_VM" "$label" +"$QEMU_VM" volume snapshot "$IDP_VM" "$label" + +echo "==> Done. Restart with: scripts/vm/start.sh" diff --git a/scripts/vm/start.sh b/scripts/vm/start.sh new file mode 100755 index 0000000..40c0598 --- /dev/null +++ b/scripts/vm/start.sh @@ -0,0 +1,26 @@ +#!/bin/sh +# Start VMs in detached GNU screen sessions. +# Attach with: screen -r vm-proxy / screen -r vm-idp +set -eu +. "$(dirname "$0")/env.sh" + +echo "==> Ensuring bridge network" +sudo --preserve-env=QEMU_VM "$(dirname "$0")/setup-network.sh" + +echo "==> Preparing TAP interfaces" +sudo --preserve-env=QEMU_VM "$(dirname "$0")/setup-taps.sh" + +echo "==> Starting $PROXY_VM" +screen -dmS "$PROXY_VM" "$QEMU_VM" instance start "$PROXY_VM" + +echo "==> Starting $IDP_VM" +screen -dmS "$IDP_VM" "$QEMU_VM" instance start "$IDP_VM" + +echo "==> Waiting for SSH" +wait_ssh "$PROXY_HOST" && echo " $PROXY_VM ready" +wait_ssh "$IDP_HOST" && echo " $IDP_VM ready" + +echo "==> Learning host keys" +learn_host_keys + +echo "==> Attach with: screen -r vm-proxy / screen -r vm-idp" diff --git a/scripts/vm/status.sh b/scripts/vm/status.sh new file mode 100755 index 0000000..a5fc0d2 --- /dev/null +++ b/scripts/vm/status.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# Show VM and volume status, plus screen sessions. +set -eu +. "$(dirname "$0")/env.sh" + +echo "==> Instances" +"$QEMU_VM" instance list +echo +echo "==> Volumes" +"$QEMU_VM" volume list +echo +echo "==> Screen sessions" +screen -ls 2>/dev/null | grep -E 'vm-(proxy|idp)' || echo " (none)" diff --git a/scripts/vm/stop.sh b/scripts/vm/stop.sh new file mode 100755 index 0000000..d1d0da6 --- /dev/null +++ b/scripts/vm/stop.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# Stop both VMs gracefully. +set -eu +. "$(dirname "$0")/env.sh" + +"$QEMU_VM" instance stop "$PROXY_VM" || true +"$QEMU_VM" instance stop "$IDP_VM" || true