tiararodney/bugzilla
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init

Browse source
This commit is contained in:
Tiara Rodney 2026-03-14 05:38:45 +01:00
commit 883f31932e
No known key found for this signature in database
GPG key ID: 5CD8EC1D46106723
169 changed files with 5676 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

20
ansible/playbooks/backup.yml Normal file
View file

@ -0,0 +1,20 @@
---
-
hosts: proxy
become: yes
tasks:
-
name: Trigger backup
systemd:
name: restic-backup.service
state: started
-
hosts: idp
become: yes
tasks:
-
name: Trigger backup
systemd:
name: restic-backup.service
state: started

28
ansible/playbooks/restore.yml Normal file
View file

@ -0,0 +1,28 @@
---
-
hosts: proxy
become: yes
tasks:
-
include_role: { name: restic, tasks_from: restore-restic }
vars:
host_id: proxy
-
include_role: { name: kellnr, tasks_from: restore }
-
include_role: { name: devpi, tasks_from: restore }
-
include_role: { name: prosody, tasks_from: restore }
-
include_role: { name: comentario, tasks_from: restore }
-
hosts: idp
become: yes
tasks:
-
include_role: { name: restic, tasks_from: restore-restic }
vars:
host_id: idp
-
include_role: { name: authentik, tasks_from: restore-authentik }

425
ansible/playbooks/setup.yml Normal file
View file

@ -0,0 +1,425 @@
---
-
hosts: all
become: yes
tags: [host]
tasks:
-
include_role: { name: host }
vars:
ssh_pubkey_dir: "{{ playbook_dir }}/../../.ssh"
-
hosts: docker_hosts
become: yes
tags: [docker]
tasks:
-
include_role: { name: docker }
vars:
registry_mirror_ip: "10.0.0.1"
registry_mirrors:
-
upstream: docker.io
mirror: "https://dockerhub.oci.code.tiararodney.com"
-
upstream: ghcr.io
mirror: "https://ghcr.oci.code.tiararodney.com"
-
hosts: proxy
become: yes
tasks:
-
include_role:
name: restic
apply: { tags: [restic] }
tags: [restic]
vars:
host_id: proxy
-
hosts: idp
become: yes
tasks:
-
include_role:
name: restic
apply: { tags: [restic] }
tags: [restic]
vars:
host_id: idp
-
hosts: localhost
connection: local
gather_facts: false
tags: [letsencrypt, apache]
tasks:
-
name: Create letsencrypt certificate archive
command:
cmd: "tar czf /tmp/letsencrypt.tar.gz --dereference -C {{ (playbook_dir + '/../../letsencrypt') | realpath }} ."
creates: /tmp/letsencrypt.tar.gz
-
hosts: wg_peers
become: yes
tags: [wireguard]
tasks:
-
include_role: { name: wireguard }
-
include_role: { name: wireguard, tasks_from: generate-keys }
-
hosts: proxy
become: yes
tags: [wireguard]
tasks:
-
name: Build WireGuard peer list
set_fact:
wg_peers:
-
public_key: "{{ hostvars[groups['idp'][0]]['wg_public_key'] }}"
allowed_ips: "10.0.0.2/32"
when: groups['idp'][0] in hostvars and 'wg_public_key' in hostvars[groups['idp'][0]]
-
name: Append client peers
set_fact:
wg_peers: "{{ wg_peers + wg_client_peers }}"
when: wg_peers is defined
-
include_role: { name: wireguard, tasks_from: deploy-wireguard }
vars:
wg_address: "10.0.0.1/24"
when: wg_peers is defined
-
name: Display proxy WireGuard public key
debug:
msg: "Proxy WG public key: {{ wg_public_key }}"
when: wg_public_key is defined
-
hosts: idp
become: yes
tags: [wireguard]
tasks:
-
name: Build WireGuard peer list
set_fact:
wg_peers:
-
public_key: "{{ hostvars[groups['proxy'][0]]['wg_public_key'] }}"
allowed_ips: "10.0.0.1/32"
endpoint: "{{ hostvars[groups['proxy'][0]]['wg_endpoint'] }}:51820"
persistent_keepalive: true
when: groups['proxy'][0] in hostvars and 'wg_public_key' in hostvars[groups['proxy'][0]]
-
name: Append client peers
set_fact:
wg_peers: "{{ wg_peers + wg_client_peers }}"
when: wg_peers is defined
-
include_role: { name: wireguard, tasks_from: deploy-wireguard }
vars:
wg_address: "10.0.0.2/24"
when: wg_peers is defined
-
hosts: proxy
become: yes
vars:
chat_domain: chat.tiararodney.com
authentik_url: https://accounts.tiararodney.com
authentik_internal_url: http://10.0.0.2:9000
tasks:
-
include_role:
name: host
tasks_from: setup-swap
apply: { tags: [host, swap] }
tags: [host, swap]
-
name: Ensure accounts.tiararodney.com resolves to localhost for mod_auth_openidc
tags: [apache, bugzilla]
lineinfile:
path: /etc/hosts
regexp: "accounts\\.tiararodney\\.com"
line: "127.0.0.1 accounts.tiararodney.com"
-
include_role:
name: dnsmasq
apply: { tags: [dnsmasq] }
tags: [dnsmasq]
vars:
dns_records:
- { domain: tiararodney.com, ip: "10.0.0.1" }
-
include_role:
name: apache
apply: { tags: [apache] }
tags: [apache]
vars:
letsencrypt_archive: /tmp/letsencrypt.tar.gz
-
include_role:
name: docker_registry
apply: { tags: [docker-registry] }
tags: [docker-registry]
vars:
hostname: dockerhub.oci.code.tiararodney.com
-
include_role:
name: docker_registry
apply: { tags: [docker-registry] }
tags: [docker-registry]
vars:
hostname: ghcr.oci.code.tiararodney.com
install_dir: /opt/docker-registry-ghcr
port: 5051
remote_url: "https://ghcr.io"
-
include_role:
name: restic
tasks_from: restore-restic
apply: { tags: [registry-restore, never] }
tags: [registry-restore, never]
vars:
host_id: proxy
restore_include: /var/backups/docker-registry
-
include_role:
name: docker_registry
tasks_from: restore-registry
apply: { tags: [registry-restore, never] }
tags: [registry-restore, never]
-
include_role:
name: apache
tasks_from: deploy-static-site
apply: { tags: [blog] }
tags: [blog]
vars:
name: blog
server_name: blog.tiararodney.com
document_root: /var/www/blog.tiararodney.com
ssl_cert: "{{ ssl_cert_tiararodney }}"
ssl_key: "{{ ssl_key_tiararodney }}"
-
include_role:
name: apache
tasks_from: deploy-static-site
apply: { tags: [spec] }
tags: [spec]
vars:
name: spec
server_name: specs.code.tiararodney.com
document_root: /var/www/specs.code.tiararodney.com
directory_index: "README.html README.md README.txt"
ssl_cert: "{{ ssl_cert_tiararodney }}"
ssl_key: "{{ ssl_key_tiararodney }}"
-
include_role:
name: kellnr
apply: { tags: [kellnr] }
tags: [kellnr]
vars:
version: "6.0.0-rc.2"
hostname: crates.code.tiararodney.com
admin_pwd: "{{ vault_kellnr_admin_pwd }}"
-
include_role:
name: devpi
apply: { tags: [devpi] }
tags: [devpi]
vars:
hostname: pypi.code.tiararodney.com
-
include_role:
name: prosody
apply: { tags: [prosody] }
tags: [prosody]
vars:
version: "13.0"
domain: "{{ chat_domain }}"
admin_jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}"
bind_address: "10.0.0.1"
ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem
oauth_client_id: "{{ vault_xmpp_oauth_client_id }}"
oauth_userinfo_url: "{{ authentik_internal_url }}/application/o/userinfo/"
oauth_ropc_client_id: "{{ vault_xmpp_ropc_client_id }}"
oauth_ropc_client_secret: "{{ vault_xmpp_ropc_client_secret }}"
oauth_token_url: "{{ authentik_internal_url }}/application/o/token/"
session_timeout: 1800
smtp_host: "{{ vault_prosody_smtp_hostname }}"
smtp_username: "{{ vault_prosody_smtp_username }}"
smtp_password: "{{ vault_prosody_smtp_password }}"
default_contacts:
-
jid: "{{ vault_xmpp_admin_user }}@{{ chat_domain }}"
name: Tiara
-
include_role:
name: conversejs
apply: { tags: [conversejs] }
tags: [conversejs]
vars:
version: "12.0.0"
domain: "{{ chat_domain }}"
oauth_client_id: "{{ vault_xmpp_oauth_client_id }}"
oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/"
oauth_token_url: "{{ authentik_url }}/application/o/token/"
-
include_role:
name: apache
tasks_from: deploy-reverse-proxy
apply: { tags: [prosody, xmpp-upload] }
tags: [prosody, xmpp-upload]
vars:
vhost_name: xmpp-upload
server_name: "upload.{{ chat_domain }}"
ssl_cert: "{{ ssl_cert_tiararodney }}"
ssl_key: "{{ ssl_key_tiararodney }}"
backend_port: 5280
-
include_role:
name: comentario
apply: { tags: [comentario] }
tags: [comentario]
vars:
version: "latest"
domain: comments.tiararodney.com
oauth_issuer_url: "{{ authentik_url }}/application/o/comentario"
oauth_client_id: "{{ vault_comentario_oauth_client_id }}"
oauth_client_secret: "{{ vault_comentario_oauth_client_secret }}"
smtp_host: "{{ vault_comentario_smtp_hostname }}"
smtp_username: "{{ vault_comentario_smtp_username }}"
smtp_password: "{{ vault_comentario_smtp_password }}"
-
include_role:
name: bugzilla
apply: { tags: [bugzilla] }
tags: [bugzilla]
vars:
version: "5.0.4.1"
domain: bugs.code.tiararodney.com
db_password: "{{ vault_bugzilla_db_password }}"
admin_email: "me@tiararodney.com"
admin_pwd: "{{ vault_bugzilla_admin_pwd }}"
oauth_issuer_url: "{{ authentik_url }}/application/o/bugs"
oauth_authorize_url: "{{ authentik_url }}/application/o/authorize/"
oauth_token_url: "{{ authentik_url }}/application/o/token/"
oauth_userinfo_url: "{{ authentik_url }}/application/o/userinfo/"
oauth_jwks_url: "{{ authentik_url }}/application/o/bugs/jwks/"
oauth_client_id: "{{ vault_bugzilla_oauth_client_id }}"
oauth_client_secret: "{{ vault_bugzilla_oauth_client_secret }}"
oauth_crypto_passphrase: "{{ vault_bugzilla_oidc_passphrase }}"
smtp_host: "{{ vault_bugzilla_smtp_hostname }}"
smtp_username: "{{ vault_bugzilla_smtp_username }}"
smtp_password: "{{ vault_bugzilla_smtp_password }}"
-
include_role:
name: apache
tasks_from: deploy-reverse-proxy
apply: { tags: [authentik] }
tags: [authentik]
vars:
vhost_name: accounts
server_name: accounts.tiararodney.com
ssl_cert: "{{ ssl_cert_tiararodney }}"
ssl_key: "{{ ssl_key_tiararodney }}"
backend_host: "10.0.0.2"
backend_port: 9000
websocket: true
restricted_locations:
-
path: "/if/admin/"
allowed_ips: ["10.0.0.0/24"]
-
hosts: idp
become: yes
tags: [authentik]
tasks:
-
include_role:
name: host
tasks_from: setup-zram
apply: { tags: [host, swap, zram] }
tags: [host, swap, zram]
-
include_role: { name: authentik }
vars:
version: "2026.2.1"
domain: "accounts.tiararodney.com"
pg_password: "{{ vault_pg_password }}"
secret_key: "{{ vault_secret_key }}"
bind_address: "10.0.0.2"
smtp_host: "{{ vault_authentik_smtp_hostname }}"
smtp_username: "{{ vault_authentik_smtp_username }}"
smtp_password: "{{ vault_authentik_smtp_password }}"
oauth_applications:
-
name: Chat
slug: chat
client_type: public
client_id: "{{ vault_xmpp_oauth_client_id }}"
redirect_uris:
- "https://chat.tiararodney.com/"
-
name: Chat XMPP
slug: chat-xmpp
client_id: "{{ vault_xmpp_ropc_client_id }}"
client_secret: "{{ vault_xmpp_ropc_client_secret }}"
redirect_uris:
- "https://chat.tiararodney.com/"
-
name: Comments
slug: comments
client_id: "{{ vault_comentario_oauth_client_id }}"
client_secret: "{{ vault_comentario_oauth_client_secret }}"
redirect_uris:
- "https://comments.tiararodney.com/api/oauth/oidc/callback/authentik"
-
name: Bugs
slug: bugs
client_id: "{{ vault_bugzilla_oauth_client_id }}"
client_secret: "{{ vault_bugzilla_oauth_client_secret }}"
redirect_uris:
- "https://bugs.code.tiararodney.com/oidc-callback"
social_login_sources:
-
name: Google Account
slug: google
provider_type: google
client_id: "{{ vault_social_google_client_id }}"
client_secret: "{{ vault_social_google_client_secret }}"
-
name: Microsoft Account
slug: microsoft
provider_type: entraid
client_id: "{{ vault_social_microsoft_client_id }}"
client_secret: "{{ vault_social_microsoft_client_secret }}"
-
name: Apple ID
slug: apple
provider_type: apple
client_id: "{{ vault_social_apple_client_id }}"
client_secret: "{{ vault_social_apple_client_secret }}"
-
name: Facebook Account
slug: facebook
provider_type: facebook
client_id: "{{ vault_social_facebook_client_id }}"
client_secret: "{{ vault_social_facebook_client_secret }}"
-
name: X (formerly Twitter) Account
slug: twitter
provider_type: twitter
client_id: "{{ vault_social_twitter_client_id }}"
client_secret: "{{ vault_social_twitter_client_secret }}"
-
hosts: proxy
become: yes
tasks:
-
name: Trigger registry backups
tags: [registry-backup, never]
command: "{{ item }}"
loop:
- /etc/restic/pre-backup.d/docker-registry.sh
- /etc/restic/pre-backup.d/docker-registry-ghcr.sh