From 32d815621d7cc09e48337fbd2d0dd05c7da03356 Mon Sep 17 00:00:00 2001 
From: ytshih Date: Tue, 3 Dec 2024 00:56:20 +0000 Subject: [PATCH] Initial commit --- .gitea/workflows/deploy.yml | 63 +++++++++++++++++++ .gitignore | 1 + ansible.cfg | 5 ++ hosts | 11 ++++ playbooks/mongo_install.yml | 7 +++ playbooks/mongo_users.yml | 14 +++++ playbooks/postgres_install.yml | 7 +++ playbooks/postgres_users.yml | 9 +++ .../configure_mongo/files/99-swappiness.conf | 1 + roles/configure_mongo/files/mongodb.conf | 37 +++++++++++ roles/configure_mongo/handlers/main.yml | 5 ++ roles/configure_mongo/tasks/main.yml | 45 +++++++++++++ roles/configure_postgres/handlers/main.yml | 5 ++ roles/configure_postgres/tasks/main.yml | 35 +++++++++++ roles/install_mongo/handlers/main.yml | 4 ++ roles/install_mongo/tasks/main.yml | 13 ++++ roles/install_postgres/handlers/main.yml | 4 ++ roles/install_postgres/tasks/main.yml | 12 ++++ roles/mongo_backup/files/mongo-backup.service | 20 ++++++ roles/mongo_backup/files/mongo-backup.timer | 8 +++ roles/mongo_backup/handlers/main.yml | 4 ++ roles/mongo_backup/tasks/main.yml | 45 +++++++++++++ roles/mongo_backup/templates/secret | 2 + roles/mongo_users/tasks/main.yml | 14 +++++ .../files/postgres-backup.service | 18 ++++++ .../files/postgres-backup.timer | 8 +++ roles/postgres_backup/handlers/main.yml | 4 ++ roles/postgres_backup/tasks/main.yml | 38 +++++++++++ roles/postgres_users/tasks/main.yml | 26 ++++++++ 29 files changed, 465 insertions(+) create mode 100644 .gitea/workflows/deploy.yml create mode 100644 .gitignore create mode 100644 ansible.cfg create mode 100644 hosts create mode 100644 playbooks/mongo_install.yml create mode 100644 playbooks/mongo_users.yml create mode 100644 playbooks/postgres_install.yml create mode 100644 playbooks/postgres_users.yml create mode 100644 roles/configure_mongo/files/99-swappiness.conf create mode 100644 roles/configure_mongo/files/mongodb.conf create mode 100644 roles/configure_mongo/handlers/main.yml create mode 100644 roles/configure_mongo/tasks/main.yml create mode 100644 
roles/configure_postgres/handlers/main.yml create mode 100644 roles/configure_postgres/tasks/main.yml create mode 100644 roles/install_mongo/handlers/main.yml create mode 100644 roles/install_mongo/tasks/main.yml create mode 100644 roles/install_postgres/handlers/main.yml create mode 100644 roles/install_postgres/tasks/main.yml create mode 100644 roles/mongo_backup/files/mongo-backup.service create mode 100644 roles/mongo_backup/files/mongo-backup.timer create mode 100644 roles/mongo_backup/handlers/main.yml create mode 100644 roles/mongo_backup/tasks/main.yml create mode 100644 roles/mongo_backup/templates/secret create mode 100644 roles/mongo_users/tasks/main.yml create mode 100644 roles/postgres_backup/files/postgres-backup.service create mode 100644 roles/postgres_backup/files/postgres-backup.timer create mode 100644 roles/postgres_backup/handlers/main.yml create mode 100644 roles/postgres_backup/tasks/main.yml create mode 100644 roles/postgres_users/tasks/main.yml
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..7897274
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,63 @@
+name: Ansible Playbook lint & deploy
+on: [push]
+
+jobs:
+ ansible-lint:
+ runs-on: imgbuilder
+ container:
+ image: gitea.konchin.com/system/ansible-image
+ credentials:
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Ansible Lint
+ run: |
+ ansible-lint roles/ playbooks/
+
+ run-ansible-mongo:
+ needs: ansible-lint
+ runs-on: imgbuilder
+ container:
+ image: gitea.konchin.com/system/ansible-image
+ credentials:
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+ options: --dns 192.168.68.254 --dns-search konchin.com --dns-option ndots:15
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Setup ssh key
+ run: |
+ printf '%s\n' "${{ secrets.ANSIBLE_ED25519 }}" > ~/.ssh/id_ed25519
+ chmod 0600 ~/.ssh/id_ed25519
+ - name: Setup ssh pubkey
+ run: |
+ printf '%s\n' "${{ secrets.ANSIBLE_ED25519_PUB }}" > ~/.ssh/id_ed25519_pub
+
+ - name: Run playbook
+ run: ansible-playbook playbooks/mongo_users.yml
+
+ run-ansible-postgres:
+ needs: ansible-lint
+ runs-on: imgbuilder
+ container:
+ image: gitea.konchin.com/system/ansible-image
+ credentials:
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+ options: --dns 192.168.68.254 --dns-search konchin.com --dns-option ndots:15
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Setup ssh key
+ run: |
+ printf '%s\n' "${{ secrets.ANSIBLE_ED25519 }}" > ~/.ssh/id_ed25519
+ chmod 0600 ~/.ssh/id_ed25519
+ - name: Setup ssh pubkey
+ run: |
+ printf '%s\n' "${{ secrets.ANSIBLE_ED25519_PUB }}" > ~/.ssh/id_ed25519_pub
+
+ - name: Run playbook
+ run: ansible-playbook playbooks/postgres_users.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c3d2f84
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+group_vars/*/secret.yml
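Review bot: `on: [push]` runs the two deploy jobs for a push to any branch, so any branch that reaches the forge reconfigures the database hosts' users; a branch filter such as `on:` / `  push:` / `    branches: [main]` keeps deploys tied to the reviewed branch. The playbooks these jobs run read `amane_password`, `hina_password`, `hedgedoc_pass` and `mongodb_root_password`, and the only place the repo points at for them is `group_vars/*/secret.yml`, which the `.gitignore` hunk below excludes from checkout — after `actions/checkout@v4` those variables look undefined unless the container image supplies them some other way, which the workflow does not show. The ssh steps write into `~/.ssh` without `mkdir -p ~/.ssh` and nothing populates `~/.ssh/known_hosts`, so host-key verification for `mongo.konchin.com` and `pg.konchin.com` is whatever the image defaults to; writing the two hosts' known keys into known_hosts in a step would make it explicit. `~/.ssh/id_ed25519_pub` is not a file ssh reads (it expects `id_ed25519.pub`), and ssh derives the public key from the private one anyway, so that step can be dropped.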
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..87da605
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+inventory=./hosts
+remote_user=root
+roles_path=./roles/
+remote_tmp=/tmp/ansible-$USER
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..88b4844
--- /dev/null
+++ b/hosts
@@ -0,0 +1,11 @@
+[control]
+localhost ansible_connection=local
+
+[mongo]
+mongo.konchin.com
+
+[postgres]
+pg.konchin.com
+
+[all:vars]
+ansible_python_interpreter=/usr/bin/python
diff --git a/playbooks/mongo_install.yml b/playbooks/mongo_install.yml
new file mode 100644
index 0000000..6a80cc3
--- /dev/null
+++ b/playbooks/mongo_install.yml
@@ -0,0 +1,7 @@
+---
+- name: Install mongodb
+ hosts: mongo
+ roles:
+ - install_mongo
+ - configure_mongo
+ - mongo_backup
diff --git a/playbooks/mongo_users.yml b/playbooks/mongo_users.yml
new file mode 100644
index 0000000..7d2f235
--- /dev/null
+++ b/playbooks/mongo_users.yml
@@ -0,0 +1,14 @@
+---
+- name: Configure mongo users
+ hosts: mongo
+ roles:
+ - role: mongo_users
+ vars:
+ mongo_users_database: amane
+ mongo_users_username: amane
+ mongo_users_password: "{{ amane_password }}"
+ - role: mongo_users
+ vars:
+ mongo_users_database: hina
+ mongo_users_username: hina
+ mongo_users_password: "{{ hina_password }}"
diff --git a/playbooks/postgres_install.yml b/playbooks/postgres_install.yml
new file mode 100644
index 0000000..72c2433
--- /dev/null
+++ b/playbooks/postgres_install.yml
@@ -0,0 +1,7 @@
+---
+- name: Install postgresql
+ hosts: postgres
+ roles:
+ - install_postgres
+ - configure_postgres
+ - postgres_backup
diff --git a/playbooks/postgres_users.yml b/playbooks/postgres_users.yml
new file mode 100644
index 0000000..ef94139
--- /dev/null
+++ b/playbooks/postgres_users.yml
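Review bot: `remote_user=root` makes the CI deploy key (`ANSIBLE_ED25519` in the workflow) a direct root login on both database hosts, even though the roles already use `become`/`become_user` where they need a different account. A dedicated unprivileged automation user, with sudo limited to what the tasks need and `become: true` at play level, would bound what a leaked CI secret can do; the `hosts` inventory in this same line would then carry `ansible_user` for that account. This is a hardening suggestion rather than a functional defect.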
@@ -0,0 +1,9 @@
+---
+- name: Configure postgres users
+ hosts: postgres
+ roles:
+ - role: postgres_users
+ vars:
+ postgres_users_database: hedgedoc
+ postgres_users_username: hedgedoc
+ postgres_users_password: "{{ hedgedoc_pass }}"
diff --git a/roles/configure_mongo/files/99-swappiness.conf b/roles/configure_mongo/files/99-swappiness.conf
new file mode 100644
index 0000000..40356f3
--- /dev/null
+++ b/roles/configure_mongo/files/99-swappiness.conf
@@ -0,0 +1 @@
+vm.swappiness = 1
diff --git a/roles/configure_mongo/files/mongodb.conf b/roles/configure_mongo/files/mongodb.conf
new file mode 100644
index 0000000..b8eac94
--- /dev/null
+++ b/roles/configure_mongo/files/mongodb.conf
@@ -0,0 +1,37 @@
+# mongod.conf
+
+# for documentation of all options, see:
+# http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+storage:
+ dbPath: /var/lib/mongodb
+# engine:
+# wiredTiger:
+
+# where to write logging data.
+systemLog:
+ destination: file
+ logAppend: true
+ path: /var/log/mongodb/mongod.log
+
+# network interfaces
+net:
+ port: 27017
+# bindIp: 127.0.0.1
+ bindIp: 0.0.0.0
+
+# how the process runs
+processManagement:
+ timeZoneInfo: /usr/share/zoneinfo
+
+
+#operationProfiling:
+
+#replication:
+
+#sharding:
+
+## Enterprise-Only Options:
+
+#auditLog:
diff --git a/roles/configure_mongo/handlers/main.yml b/roles/configure_mongo/handlers/main.yml
new file mode 100644
index 0000000..5b4381a
--- /dev/null
+++ b/roles/configure_mongo/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart mongodb
+ ansible.builtin.systemd_service:
+ name: mongodb.service
+ state: restarted
diff --git a/roles/configure_mongo/tasks/main.yml b/roles/configure_mongo/tasks/main.yml
new file mode 100644
index 0000000..30dbd26
--- /dev/null
+++ b/roles/configure_mongo/tasks/main.yml
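Review bot: `bindIp: 0.0.0.0` is shipped in the config that configure_mongo installs and starts before any user exists and before `security.authorization` is appended by the later blockinfile task (that ordering is in the configure_mongo tasks hunk on the next line), so mongod listens on every interface with no authentication between the first start and the restart that follows `Apply authorization`. Putting `security:` / `  authorization: enabled` into this file from the outset closes that window: the localhost exception still lets the `Setup admin account` task create the first user over the local connection, and the blockinfile step and its restart become unnecessary. If remote clients are a known set, listing them in `bindIp` instead of `0.0.0.0` narrows the exposure further.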
@@ -0,0 +1,45 @@
+---
+- name: Configure swappiness
+ ansible.builtin.copy:
+ src: 99-swappiness.conf
+ dest: /etc/sysctl.d/99-swappiness.conf
+ mode: '0644'
+ owner: root
+ group: root
+
+- name: Install mongodb
+ block:
+ - name: Check if mongodb up
+ ansible.builtin.systemd_service:
+ name: mongodb.service
+ state: started
+ check_mode: true
+ rescue:
+ - name: Install mongodb config
+ ansible.builtin.copy:
+ src: mongodb.conf
+ dest: /etc/mongodb.conf
+ mode: '0644'
+ owner: root
+ group: root
+ - name: Start and enable mongodb
+ ansible.builtin.systemd_service:
+ name: mongodb.service
+ state: started
+ enabled: true
+ - name: Setup admin account
+ community.mongodb.mongodb_user:
+ database: admin
+ name: root
+ password: "{{ mongodb_root_password }}"
+ state: present
+ roles: root
+ - name: Apply authorization
+ ansible.builtin.blockinfile:
+ path: /etc/mongodb.conf
+ block: |
+ security:
+ authorization: "enabled"
+ notify: Restart mongodb
+ - name: Flush handlers
+ ansible.builtin.meta: flush_handlers
diff --git a/roles/configure_postgres/handlers/main.yml b/roles/configure_postgres/handlers/main.yml
new file mode 100644
index 0000000..28a72f7
--- /dev/null
+++ b/roles/configure_postgres/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart postgresql
+ ansible.builtin.systemd_service:
+ name: postgresql.service
+ state: restarted
diff --git a/roles/configure_postgres/tasks/main.yml b/roles/configure_postgres/tasks/main.yml
new file mode 100644
index 0000000..04c9c40
--- /dev/null
+++ b/roles/configure_postgres/tasks/main.yml
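Review bot: `Check if mongodb up` is meant to drive the `rescue:` branch, but `systemd_service` with `state: started` under `check_mode: true` reports `changed` for a stopped unit rather than failing, so as far as I can tell the rescue (config install, root user, authorization) only runs when the unit does not exist at all, and a freshly installed but not-yet-running mongod is left unconfigured and without authorization. Stating the condition explicitly would be more reliable — for example `ansible.builtin.stat` on `/etc/mongodb.conf` registered into a variable and `when: not mongo_cfg.stat.exists` on the configuration tasks — instead of relying on a failure that does not occur. Separately, `Setup admin account` passes `mongodb_root_password` without `no_log: true`, so the value shows up in verbose and failed-task output; the same applies to `Install credential` in roles/mongo_backup/tasks/main.yml, to the `set_fact` and `Create user` tasks in roles/mongo_users/tasks/main.yml, and to `Create user` in roles/postgres_users/tasks/main.yml.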
@@ -0,0 +1,35 @@
+---
+- name: Initiate postgres
+ ansible.builtin.command: |
+ initdb --locale=C.UTF-8 --encoding=UTF8 -D /var/lib/postgres/data
+ args:
+ creates: /var/lib/postgres/data
+ become: true
+ become_user: postgres
+- name: Start and enable postgres
+ ansible.builtin.systemd_service:
+ name: postgresql.service
+ state: started
+ enabled: true
+- name: Configure postgres
+ notify: Restart postgresql
+ block:
+ - name: Modify client authentication config
+ community.postgresql.postgresql_pg_hba:
+ dest: /var/lib/postgres/data/pg_hba.conf
+ overwrite: true
+ rules_behavior: combine
+ databases: all
+ rules:
+ - contype: local
+ users: postgres
+ method: peer
+ - contype: host
+ users: all
+ method: scram-sha-256
+ address: all
+ - name: Edit listen addresses
+ ansible.builtin.lineinfile:
+ path: /var/lib/postgres/data/postgresql.conf
+ regexp: '^#listen_addresses'
+ line: "listen_addresses = '*'"
diff --git a/roles/install_mongo/handlers/main.yml b/roles/install_mongo/handlers/main.yml
new file mode 100644
index 0000000..92f57c5
--- /dev/null
+++ b/roles/install_mongo/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+ community.general.pacman:
+ upgrade: true
diff --git a/roles/install_mongo/tasks/main.yml b/roles/install_mongo/tasks/main.yml
new file mode 100644
index 0000000..3f78b53
--- /dev/null
+++ b/roles/install_mongo/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Update packages
+ community.general.pacman:
+ update_cache: true
+- name: Install packages
+ community.general.pacman:
+ pkg:
+ - mongodb-bin
+ - mongosh-bin
+ - python-pymongo
+ notify: Upgrade packages
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
diff --git a/roles/install_postgres/handlers/main.yml b/roles/install_postgres/handlers/main.yml
new file mode 100644
index 0000000..92f57c5
--- /dev/null
+++ b/roles/install_postgres/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+ community.general.pacman:
+ upgrade: true
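Review bot: `regexp: '^#listen_addresses'` in `Edit listen addresses` matches only the commented default; after the first run the line reads `listen_addresses = '*'`, the regexp no longer matches, and as far as I can tell lineinfile then appends another copy at the end of postgresql.conf on every run (PostgreSQL takes the last one, so it keeps working, but the file grows and `Restart postgresql` fires each time). `regexp: "^#?listen_addresses"` matches both forms and keeps the task idempotent. The pg_hba rule `host all all all scram-sha-256` combined with `listen_addresses = '*'` accepts password logins from any address that can reach the port; if the clients are a known network, an `address:` restricted to that range would be tighter than `all`.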
diff --git a/roles/install_postgres/tasks/main.yml b/roles/install_postgres/tasks/main.yml
new file mode 100644
index 0000000..da458d0
--- /dev/null
+++ b/roles/install_postgres/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Update packages
+ community.general.pacman:
+ update_cache: true
+- name: Install postgres
+ community.general.pacman:
+ pkg:
+ - postgresql
+ - python-psycopg2
+ notify: Upgrade packages
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
diff --git a/roles/mongo_backup/files/mongo-backup.service b/roles/mongo_backup/files/mongo-backup.service
new file mode 100644
index 0000000..77f15b2
--- /dev/null
+++ b/roles/mongo_backup/files/mongo-backup.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Mongodb auto backup daemon
+After=network.target
+
+[Service]
+Type=oneshot
+User=mongodb
+Group=mongodb
+WorkingDirectory=/var/lib/mongodb
+EnvironmentFile=/etc/mongo-backup/secret
+ExecStart=/usr/bin/sh -c 'mongodump -u "$MONGO_USERNAME" -p "$MONGO_PASSWORD" -j 2'
+ExecStart=/usr/bin/sh -c 'tar -cf "dump-$(date -I).tar.xz" -I "xz -T2" dump'
+ExecStart=/usr/bin/sh -c 'mcli --config-dir .mcli cp dump-*.tar.xz s3/konchin-mongo-backup/'
+ExecStart=/usr/bin/sh -c 'rm -r dump dump-*.tar.xz'
+StandardError=journal
+StandardOutput=journal
+StandardInput=null
+
+[Install]
+WantedBy=default.target
diff --git a/roles/mongo_backup/files/mongo-backup.timer b/roles/mongo_backup/files/mongo-backup.timer
new file mode 100644
index 0000000..375dd42
--- /dev/null
+++ b/roles/mongo_backup/files/mongo-backup.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Weekly push Mongo backup to S3
+
+[Timer]
+OnCalendar=weekly Asia/Taipei
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/mongo_backup/handlers/main.yml b/roles/mongo_backup/handlers/main.yml
new file mode 100644
index 0000000..92f57c5
--- /dev/null
+++ b/roles/mongo_backup/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+ community.general.pacman:
+ upgrade: true
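Review bot: The first `ExecStart` line of mongo-backup.service expands `$MONGO_PASSWORD` into mongodump's argument vector, so the credential is readable in the process list by any local user for the duration of the dump. mongodump can read `password:` from a YAML file passed with `--config <file>`; a file owned by `mongodb` with mode 0600 (the service runs as that user, so unlike `EnvironmentFile` it cannot be root-only) keeps the value off the command line. The credential itself is the Mongo `root` account (see roles/mongo_backup/templates/secret); a dedicated user holding only the built-in `backup` role is sufficient for mongodump and limits what the on-disk secret grants. Because the `mcli cp` line is not prefixed with `-`, an upload failure stops the unit before the `rm` line, leaving the unencrypted `dump-*.tar.xz` under /var/lib/mongodb until the next run — probably intended, but worth a comment in the unit.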
diff --git a/roles/mongo_backup/tasks/main.yml b/roles/mongo_backup/tasks/main.yml
new file mode 100644
index 0000000..1ad45dc
--- /dev/null
+++ b/roles/mongo_backup/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: Update packages
+ community.general.pacman:
+ update_cache: true
+- name: Install minio cli
+ community.general.pacman:
+ pkg:
+ - minio-client
+ notify: Upgrade packages
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- name: Install mongo-backup.service
+ ansible.builtin.copy:
+ src: mongo-backup.service
+ dest: /etc/systemd/system/mongo-backup.service
+ mode: '0644'
+ owner: root
+ group: root
+- name: Install mongo-backup.timer
+ ansible.builtin.copy:
+ src: mongo-backup.timer
+ dest: /etc/systemd/system/mongo-backup.timer
+ mode: '0644'
+ owner: root
+ group: root
+- name: Install etc directory
+ ansible.builtin.file:
+ path: /etc/mongo-backup/
+ state: directory
+ mode: '0755'
+ owner: root
+ group: root
+- name: Install credential
+ ansible.builtin.template:
+ src: secret
+ dest: /etc/mongo-backup/secret
+ mode: '0600'
+ owner: root
+ group: root
+- name: Start and enable mongo-backup.timer
+ ansible.builtin.systemd_service:
+ name: mongo-backup.timer
+ state: started
+ enabled: true
diff --git a/roles/mongo_backup/templates/secret b/roles/mongo_backup/templates/secret
new file mode 100644
index 0000000..934425b
--- /dev/null
+++ b/roles/mongo_backup/templates/secret
@@ -0,0 +1,2 @@
+MONGO_USERNAME=root
+MONGO_PASSWORD={{ mongodb_root_password }}
diff --git a/roles/mongo_users/tasks/main.yml b/roles/mongo_users/tasks/main.yml
new file mode 100644
index 0000000..c61e0bd
--- /dev/null
+++ b/roles/mongo_users/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Set username and password
+ ansible.builtin.set_fact:
+ database: "{{ mongo_users_database }}"
+ username: "{{ mongo_users_username }}"
+ password: "{{ mongo_users_password }}"
+- name: Create user
+ community.mongodb.mongodb_user:
+ login_user: root
+ login_password: "{{ mongodb_root_password }}"
+ database: "{{ database }}"
+ name: "{{ username }}"
+ password: "{{ password }}"
+ roles: readWrite
diff --git a/roles/postgres_backup/files/postgres-backup.service b/roles/postgres_backup/files/postgres-backup.service
new file mode 100644
index 0000000..594b0c3
--- /dev/null
+++ b/roles/postgres_backup/files/postgres-backup.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Postgres auto backup daemon
+After=network.target
+
+[Service]
+Type=oneshot
+User=postgres
+Group=postgres
+WorkingDirectory=/var/lib/postgres/
+ExecStart=/usr/bin/sh -c 'pg_dumpall | xz -c -T2 > dumpall-$(date -I).xz'
+ExecStart=/usr/bin/sh -c 'mcli --config-dir .mcli cp dumpall-*.xz s3/konchin-pg-backup/'
+ExecStart=/usr/bin/sh -c 'rm dumpall-*.xz'
+StandardError=journal
+StandardOutput=journal
+StandardInput=null
+
+[Install]
+WantedBy=default.target
diff --git a/roles/postgres_backup/files/postgres-backup.timer b/roles/postgres_backup/files/postgres-backup.timer
new file mode 100644
index 0000000..aac081c
--- /dev/null
+++ b/roles/postgres_backup/files/postgres-backup.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Weekly push postgres backup to S3
+
+[Timer]
+OnCalendar=weekly Asia/Taipei
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/postgres_backup/handlers/main.yml b/roles/postgres_backup/handlers/main.yml
new file mode 100644
index 0000000..92f57c5
--- /dev/null
+++ b/roles/postgres_backup/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+ community.general.pacman:
+ upgrade: true
diff --git a/roles/postgres_backup/tasks/main.yml b/roles/postgres_backup/tasks/main.yml
new file mode 100644
index 0000000..14edb8e
--- /dev/null
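Review bot: `Set username and password` copies the three role parameters into host facts named `database`, `username` and `password` via `set_fact`, and those facts outlive the role — they remain set for the rest of the play and are visible to every later role and task on that host. `Create user` could reference `mongo_users_database`, `mongo_users_username` and `mongo_users_password` directly, which removes the indirection and the chance of a later task picking up a stale generic `password` fact; roles/postgres_users/tasks/main.yml uses the same pattern. If the facts are kept, role-prefixed names would at least avoid collisions.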
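Review bot: `pg_dumpall | xz -c -T2 > dumpall-$(date -I).xz` in postgres-backup.service runs under `/usr/bin/sh -c` without pipefail, so the exit status is xz's; if pg_dumpall fails, the unit still reports success, the next `ExecStart` uploads a truncated or empty archive, the last one deletes it, and the journal shows a clean run. Separating the dump from the compression makes the failure stop the chain: `ExecStart=/usr/bin/sh -c 'f="dumpall-$(date -I)"; pg_dumpall > "$f.sql" && xz -T2 "$f.sql"'`; `set -o pipefail` is an alternative if /usr/bin/sh on the host supports it, which I cannot tell from here. The mongo-backup unit uses separate ExecStart lines for each step, so only this file is affected.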
+++ b/roles/postgres_backup/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Update packages
+ community.general.pacman:
+ update_cache: true
+- name: Install minio cli
+ community.general.pacman:
+ pkg:
+ - minio-client
+ notify: Upgrade packages
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- name: Install postgres-backup.service
+ ansible.builtin.copy:
+ src: postgres-backup.service
+ dest: /etc/systemd/system/postgres-backup.service
+ mode: '0644'
+ owner: root
+ group: root
+- name: Install postgres-backup.timer
+ ansible.builtin.copy:
+ src: postgres-backup.timer
+ dest: /etc/systemd/system/postgres-backup.timer
+ mode: '0644'
+ owner: root
+ group: root
+- name: Install etc directory
+ ansible.builtin.file:
+ path: /etc/postgres-backup/
+ state: directory
+ mode: '0755'
+ owner: root
+ group: root
+- name: Start and enable postgres-backup.timer
+ ansible.builtin.systemd_service:
+ name: postgres-backup.timer
+ state: started
+ enabled: true
diff --git a/roles/postgres_users/tasks/main.yml b/roles/postgres_users/tasks/main.yml
new file mode 100644
index 0000000..134a370
--- /dev/null
+++ b/roles/postgres_users/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Set username and password
+ ansible.builtin.set_fact:
+ database: "{{ postgres_users_database }}"
+ username: "{{ postgres_users_username }}"
+ password: "{{ postgres_users_password }}"
+- name: Create DB, role, and privs
+ become: true
+ become_user: postgres
+ block:
+ - name: Create database
+ community.postgresql.postgresql_db:
+ name: "{{ database }}"
+ - name: Create user
+ community.postgresql.postgresql_user:
+ db: "{{ database }}"
+ name: "{{ username }}"
+ password: "{{ password }}"
+ environment:
+ PGOPTIONS: "-c password_encryption=scram-sha-256"
+ - name: Configure privileges
+ community.postgresql.postgresql_privs:
+ db: "{{ database }}"
+ role: "{{ username }}"
+ privs: ALL
+ objs: ALL_IN_SCHEMA
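Review bot: `Install etc directory` creates `/etc/postgres-backup/`, but nothing in this role writes into it and postgres-backup.service declares no `EnvironmentFile`, so the directory is unused — it appears to mirror the mongo role, where `/etc/mongo-backup/secret` is installed and read. Either drop the task or add a comment above it stating what is expected to land there, so the next reader does not go looking for a missing credential task.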
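Review bot: `Create database` creates `{{ database }}` owned by the `postgres` role, and `Configure privileges` then grants `ALL` on `ALL_IN_SCHEMA`, which only covers tables that exist when the task runs — for a freshly created, empty database that grants nothing, and on PostgreSQL 15 or newer a non-owner role also has no CREATE on the `public` schema by default, so the application role cannot create its own tables (I cannot see the installed major version from here, but install_postgres pulls the distribution's current `postgresql` package). Making the application role own the database gives it the schema privileges it needs and makes the privs task redundant: run `Create user` before `Create database` and add `owner: "{{ username }}"` to `postgresql_db`. If the grant on existing tables is still wanted for objects created by other roles, keep the privs task but document that it does not cover future tables.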