Initial commit

.gitea/workflows/deploy.yml

@@ -0,0 +1,63 @@
+name: Ansible Playbook lint & deploy
+on: [push]
+
+jobs:
+  ansible-lint:
+    runs-on: imgbuilder
+    container:
+      image: gitea.konchin.com/system/ansible-image
+      credentials:
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Ansible Lint
+        run: |
+          ansible-lint roles/ playbooks/
+
+  run-ansible-mongo:
+    needs: ansible-lint
+    runs-on: imgbuilder
+    container:
+      image: gitea.konchin.com/system/ansible-image
+      credentials:
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+      options: --dns 192.168.68.254 --dns-search konchin.com --dns-option ndots:15
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Setup ssh key
+        run: |
+          printf '%s\n' "${{ secrets.ANSIBLE_ED25519 }}" > ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519                    
+      - name: Setup ssh pubkey
+        run: |
+          printf '%s\n' "${{ secrets.ANSIBLE_ED25519_PUB }}" > ~/.ssh/id_ed25519_pub
+
+      - name: Run playbook
+        run: ansible-playbook playbooks/mongo_users.yml
+
+  run-ansible-postgres:
+    needs: ansible-lint
+    runs-on: imgbuilder
+    container:
+      image: gitea.konchin.com/system/ansible-image
+      credentials:
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+      options: --dns 192.168.68.254 --dns-search konchin.com --dns-option ndots:15
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Setup ssh key
+        run: |
+          printf '%s\n' "${{ secrets.ANSIBLE_ED25519 }}" > ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519                    
+      - name: Setup ssh pubkey
+        run: |
+          printf '%s\n' "${{ secrets.ANSIBLE_ED25519_PUB }}" > ~/.ssh/id_ed25519_pub
+
+      - name: Run playbook
+        run: ansible-playbook playbooks/postgres_users.yml

.gitignore

@@ -0,0 +1 @@
+group_vars/*/secret.yml

ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+inventory=./hosts
+remote_user=root
+roles_path=./roles/
+remote_tmp=/tmp/ansible-$USER

hosts

@@ -0,0 +1,11 @@
+[control]
+localhost ansible_connection=local
+
+[mongo]
+mongo.konchin.com
+
+[postgres]
+pg.konchin.com
+
+[all:vars]
+ansible_python_interpreter=/usr/bin/python

playbooks/mongo_install.yml

@@ -0,0 +1,7 @@
+---
+- name: Install mongodb
+  hosts: mongo
+  roles:
+    - install_mongo
+    - configure_mongo
+    - mongo_backup

playbooks/mongo_users.yml

@@ -0,0 +1,14 @@
+---
+- name: Configure mongo users
+  hosts: mongo
+  roles:
+    - role: mongo_users
+      vars:
+        mongo_users_database: amane
+        mongo_users_username: amane
+        mongo_users_password: "{{ amane_password }}"
+    - role: mongo_users
+      vars:
+        mongo_users_database: hina
+        mongo_users_username: hina
+        mongo_users_password: "{{ hina_password }}"

playbooks/postgres_install.yml

@@ -0,0 +1,7 @@
+---
+- name: Install postgresql
+  hosts: postgres
+  roles:
+    - install_postgres
+    - configure_postgres
+    - postgres_backup

playbooks/postgres_users.yml

@@ -0,0 +1,9 @@
+---
+- name: Configure postgres users
+  hosts: postgres
+  roles:
+    - role: postgres_users
+      vars:
+        postgres_users_database: hedgedoc
+        postgres_users_username: hedgedoc
+        postgres_users_password: "{{ hedgedoc_pass }}"

roles/configure_mongo/files/99-swappiness.conf

@@ -0,0 +1 @@
+vm.swappiness = 1

roles/configure_mongo/files/mongodb.conf

@@ -0,0 +1,37 @@
+# mongod.conf
+
+# for documentation of all options, see:
+#   http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+storage:
+  dbPath: /var/lib/mongodb
+#  engine:
+#  wiredTiger:
+
+# where to write logging data.
+systemLog:
+  destination: file
+  logAppend: true
+  path: /var/log/mongodb/mongod.log
+
+# network interfaces
+net:
+  port: 27017
+#  bindIp: 127.0.0.1
+  bindIp: 0.0.0.0
+
+# how the process runs
+processManagement:
+  timeZoneInfo: /usr/share/zoneinfo
+
+
+#operationProfiling:
+
+#replication:
+
+#sharding:
+
+## Enterprise-Only Options:
+
+#auditLog:

roles/configure_mongo/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart mongodb
+  ansible.builtin.systemd_service:
+    name: mongodb.service
+    state: restarted

roles/configure_mongo/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Configure swappiness
+  ansible.builtin.copy:
+    src: 99-swappiness.conf
+    dest: /etc/sysctl.d/99-swappiness.conf
+    mode: '0644'
+    owner: root
+    group: root
+
+- name: Install mongodb
+  block:
+    - name: Check if mongodb up
+      ansible.builtin.systemd_service:
+        name: mongodb.service
+        state: started
+      check_mode: true
+  rescue:
+    - name: Install mongodb config
+      ansible.builtin.copy:
+        src: mongodb.conf
+        dest: /etc/mongodb.conf
+        mode: '0644'
+        owner: root
+        group: root
+    - name: Start and enable mongodb
+      ansible.builtin.systemd_service:
+        name: mongodb.service
+        state: started
+        enabled: true
+    - name: Setup admin account
+      community.mongodb.mongodb_user:
+        database: admin
+        name: root
+        password: "{{ mongodb_root_password }}"
+        state: present
+        roles: root
+    - name: Apply authorization
+      ansible.builtin.blockinfile:
+        path: /etc/mongodb.conf
+        block: |
+          security:
+            authorization: "enabled"
+      notify: Restart mongodb
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers

roles/configure_postgres/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart postgresql
+  ansible.builtin.systemd_service:
+    name: postgresql.service
+    state: restarted

roles/configure_postgres/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Initiate postgres
+  ansible.builtin.command: |
+    initdb --locale=C.UTF-8 --encoding=UTF8 -D /var/lib/postgres/data
+  args:
+    creates: /var/lib/postgres/data
+  become: true
+  become_user: postgres
+- name: Start and enable postgres
+  ansible.builtin.systemd_service:
+    name: postgresql.service
+    state: started
+    enabled: true
+- name: Configure postgres
+  notify: Restart postgresql
+  block:
+    - name: Modify client authentication config
+      community.postgresql.postgresql_pg_hba:
+        dest: /var/lib/postgres/data/pg_hba.conf
+        overwrite: true
+        rules_behavior: combine
+        databases: all
+        rules:
+          - contype: local
+            users: postgres
+            method: peer
+          - contype: host
+            users: all
+            method: scram-sha-256
+            address: all
+    - name: Edit listen addresses
+      ansible.builtin.lineinfile:
+        path: /var/lib/postgres/data/postgresql.conf
+        regexp: '^#listen_addresses'
+        line: "listen_addresses = '*'"

roles/install_mongo/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+  community.general.pacman:
+    upgrade: true

roles/install_mongo/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Update packages
+  community.general.pacman:
+    update_cache: true
+- name: Install packages
+  community.general.pacman:
+    pkg:
+      - mongodb-bin
+      - mongosh-bin
+      - python-pymongo
+  notify: Upgrade packages
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/install_postgres/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+  community.general.pacman:
+    upgrade: true

roles/install_postgres/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Update packages
+  community.general.pacman:
+    update_cache: true
+- name: Install postgres
+  community.general.pacman:
+    pkg:
+      - postgresql
+      - python-psycopg2
+  notify: Upgrade packages
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/mongo_backup/files/mongo-backup.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Mongodb auto backup daemon
+After=network.target
+
+[Service]
+Type=oneshot
+User=mongodb
+Group=mongodb
+WorkingDirectory=/var/lib/mongodb
+EnvironmentFile=/etc/mongo-backup/secret
+ExecStart=/usr/bin/sh -c 'mongodump -u "$MONGO_USERNAME" -p "$MONGO_PASSWORD" -j 2'
+ExecStart=/usr/bin/sh -c 'tar -cf "dump-$(date -I).tar.xz" -I "xz -T2" dump'
+ExecStart=/usr/bin/sh -c 'mcli --config-dir .mcli cp dump-*.tar.xz s3/konchin-mongo-backup/'
+ExecStart=/usr/bin/sh -c 'rm -r dump dump-*.tar.xz'
+StandardError=journal
+StandardOutput=journal
+StandardInput=null
+
+[Install]
+WantedBy=default.target

roles/mongo_backup/files/mongo-backup.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Weekly push Mongo backup to S3
+
+[Timer]
+OnCalendar=weekly Asia/Taipei
+
+[Install]
+WantedBy=timers.target

roles/mongo_backup/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+  community.general.pacman:
+    upgrade: true

roles/mongo_backup/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Update packages
+  community.general.pacman:
+    update_cache: true
+- name: Install minio cli
+  community.general.pacman:
+    pkg:
+      - minio-client
+  notify: Upgrade packages
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Install mongo-backup.service
+  ansible.builtin.copy:
+    src: mongo-backup.service
+    dest: /etc/systemd/system/mongo-backup.service
+    mode: '0644'
+    owner: root
+    group: root
+- name: Install mongo-backup.timer
+  ansible.builtin.copy:
+    src: mongo-backup.timer
+    dest: /etc/systemd/system/mongo-backup.timer
+    mode: '0644'
+    owner: root
+    group: root
+- name: Install etc directory
+  ansible.builtin.file:
+    path: /etc/mongo-backup/
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root
+- name: Install credential
+  ansible.builtin.template:
+    src: secret
+    dest: /etc/mongo-backup/secret
+    mode: '0600'
+    owner: root
+    group: root
+- name: Start and enable mongo-backup.timer
+  ansible.builtin.systemd_service:
+    name: mongo-backup.timer
+    state: started
+    enabled: true

roles/mongo_backup/templates/secret

@@ -0,0 +1,2 @@
+MONGO_USERNAME=root
+MONGO_PASSWORD={{ mongodb_root_password }}

roles/mongo_users/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Set username and password
+  ansible.builtin.set_fact:
+    database: "{{ mongo_users_database }}"
+    username: "{{ mongo_users_username }}"
+    password: "{{ mongo_users_password }}"
+- name: Create user
+  community.mongodb.mongodb_user:
+    login_user: root
+    login_password: "{{ mongodb_root_password }}"
+    database: "{{ database }}"
+    name: "{{ username }}"
+    password: "{{ password }}"
+    roles: readWrite

roles/postgres_backup/files/postgres-backup.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Postgres auto backup daemon
+After=network.target
+
+[Service]
+Type=oneshot
+User=postgres
+Group=postgres
+WorkingDirectory=/var/lib/postgres/
+ExecStart=/usr/bin/sh -c 'pg_dumpall | xz -c -T2 > dumpall-$(date -I).xz'
+ExecStart=/usr/bin/sh -c 'mcli --config-dir .mcli cp dumpall-*.xz s3/konchin-pg-backup/'
+ExecStart=/usr/bin/sh -c 'rm dumpall-*.xz'
+StandardError=journal
+StandardOutput=journal
+StandardInput=null
+
+[Install]
+WantedBy=default.target

roles/postgres_backup/files/postgres-backup.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Weekly push postgres backup to S3
+
+[Timer]
+OnCalendar=weekly Asia/Taipei
+
+[Install]
+WantedBy=timers.target

roles/postgres_backup/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Upgrade packages
+  community.general.pacman:
+    upgrade: true

roles/postgres_backup/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+- name: Update packages
+  community.general.pacman:
+    update_cache: true
+- name: Install minio cli
+  community.general.pacman:
+    pkg:
+      - minio-client
+  notify: Upgrade packages
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Install postgres-backup.service
+  ansible.builtin.copy:
+    src: postgres-backup.service
+    dest: /etc/systemd/system/postgres-backup.service
+    mode: '0644'
+    owner: root
+    group: root
+- name: Install postgres-backup.timer
+  ansible.builtin.copy:
+    src: postgres-backup.timer
+    dest: /etc/systemd/system/postgres-backup.timer
+    mode: '0644'
+    owner: root
+    group: root
+- name: Install etc directory
+  ansible.builtin.file:
+    path: /etc/postgres-backup/
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root
+- name: Start and enable postgres-backup.timer
+  ansible.builtin.systemd_service:
+    name: postgres-backup.timer
+    state: started
+    enabled: true

roles/postgres_users/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Set username and password
+  ansible.builtin.set_fact:
+    database: "{{ postgres_users_database }}"
+    username: "{{ postgres_users_username }}"
+    password: "{{ postgres_users_password }}"
+- name: Create DB, role, and privs
+  become: true
+  become_user: postgres
+  block:
+    - name: Create database
+      community.postgresql.postgresql_db:
+        name: "{{ database }}"
+    - name: Create user
+      community.postgresql.postgresql_user:
+        db: "{{ database }}"
+        name: "{{ username }}"
+        password: "{{ password }}"
+      environment:
+        PGOPTIONS: "-c password_encryption=scram-sha-256"
+    - name: Configure privileges
+      community.postgresql.postgresql_privs:
+        db: "{{ database }}"
+        role: "{{ username }}"
+        privs: ALL
+        objs: ALL_IN_SCHEMA