cuqmbr/homelab
1
0
Fork 0
Code

Compare commits

base: cuqmbr:286005e01439bb00ff71c53511de7064bfd0712f
Branches Tags
cuqmbr:main
...
compare: cuqmbr:c5ce4faae65cf47309bf12da7d41c07aa1e13e2a
Branches Tags
cuqmbr:main

3 Commits
286005e014 ... c5ce4faae6

Author SHA1 Message Date
cuqmbr
c5ce4faae6
add separation between common, dev and prod environments 2025-06-29 17:28:10 +03:00
cuqmbr
4f0fe0113f
add init role to every playbook 
to be able to configure users separatly
 2025-06-29 11:38:45 +03:00
cuqmbr
bed64e1256
add base_url variable to hugo role 2025-06-29 11:38:10 +03:00
36 changed files with 447 additions and 383 deletions
Show Stats Expand all files Collapse all files

1
ansible/10_monitoring.yml
View File

@ -10,6 +10,7 @@
cache_valid_time: 86400
roles:
- role: roles/init
- role: roles/fluent_bit
- role: roles/grafana_loki
- role: roles/prometheus_server

1
ansible/15_postgresql.yml
View File

@ -10,6 +10,7 @@
cache_valid_time: 86400
roles:
- role: roles/init
- role: roles/fluent_bit
- role: roles/prometheus_node_exporter
- role: roles/postgresql

1
ansible/21_searxng.yml
View File

@ -10,6 +10,7 @@
cache_valid_time: 86400
roles:
- role: roles/init
- role: roles/fluent_bit
- role: roles/prometheus_node_exporter
- role: roles/searxng

1
ansible/30_load_balancer.yml
View File

@ -13,6 +13,7 @@
name: roles/nginx
roles:
- role: roles/init
- role: roles/fluent_bit
- role: roles/prometheus_node_exporter
- role: roles/prometheus_nginx_exporter

2
ansible/ansible.cfg
View File

@ -2,4 +2,4 @@
nocows=True
[ssh_connection]
ssh_args = -o StrictHostKeyChecking=accept-new -o ConnectTimeout=300 -o ConnectionAttempts=5 -o PreferredAuthentications=publickey
ssh_args = -o StrictHostKeyChecking=accept-new -o PreferredAuthentications=publickey

23
ansible/inventories/common/group_vars/all.yml Normal file
View File

@ -0,0 +1,23 @@
---
users:
- name: admin
password_hash: !vault |
$ANSIBLE_VAULT;1.1;AES256
30623138653735643561343061356531373430393662383764633038383238383837626636393432
3138653539356430306266663864343563616332656131310a343632323363653665646363366437
66643430626437333461656231303339656435346261336238313036306431396333643965666631
3665393163623266320a373838313538626438623330393533353931336331623464613664633430
32303734396634376431383936643431313561303864343930393363623130663236666636353637
63613237383666656263316661333031643032323266636464313839653065316138343035346161
64313037336666353136383462333832373031623637636630326330313832333265386632343139
30306638356434376635346637346134653064613236326333656566383137353166393063333563
32623638343263313463313062303465626439356461613235656661623364656138
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit persist admin as root"
- name: ansible
password_hash: ""
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit nopass ansible"

0
ansible/inventories/dev/group_vars/bastion.yml → ansible/inventories/common/group_vars/bastion.yml
View File

106
ansible/inventories/common/group_vars/load_balancers.yml Normal file
View File

@ -0,0 +1,106 @@
---
users:
- name: admin
password_hash: !vault |
$ANSIBLE_VAULT;1.1;AES256
30623138653735643561343061356531373430393662383764633038383238383837626636393432
3138653539356430306266663864343563616332656131310a343632323363653665646363366437
66643430626437333461656231303339656435346261336238313036306431396333643965666631
3665393163623266320a373838313538626438623330393533353931336331623464613664633430
32303734396634376431383936643431313561303864343930393363623130663236666636353637
63613237383666656263316661333031643032323266636464313839653065316138343035346161
64313037336666353136383462333832373031623637636630326330313832333265386632343139
30306638356434376635346637346134653064613236326333656566383137353166393063333563
32623638343263313463313062303465626439356461613235656661623364656138
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit persist admin as root"
- name: ansible
password_hash: ""
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit nopass ansible"
nginx_settings:
server_tokens: false
gzip: true
ssl_protocols:
- TLSv1.2
- TLSv1.3
load_balancers:
http:
- upstream:
name: main-page
servers:
- 192.168.0.10:80
server:
listen_port: 80
names:
- dev.cuqmbr.xyz
- dev.cuqmbr.home
- upstream:
name: searxng
servers:
- 192.168.0.15:8888
server:
listen_port: 80
names:
- searxng.dev.cuqmbr.xyz
- searxng.dev.cuqmbr.home
# - upstream:
# name: prometheus
# servers:
# - 192.168.0.252:9090
# server:
# listen_port: 80
# names:
# - prometheus.dev.cuqmbr.xyz
# - prometheus.dev.cuqmbr.home
- upstream:
name: grafana
servers:
- 192.168.0.252:3000
server:
listen_port: 80
names:
- monitoring.dev.cuqmbr.xyz
- monitoring.dev.cuqmbr.home
statements:
- proxy_set_header Host $http_host
fluentbit_settings:
service:
flush: 1
daemon: false
log_level: info
http_server: false
pipeline:
inputs:
- name: systemd
tag: systemd_input
filters:
- name: rewrite_tag
match: systemd_input
rule: $_SYSTEMD_UNIT ^(nginx.service)$ nginx false
- name: rewrite_tag
match: systemd_input
rule: $_SYSTEMD_UNIT ^(nginx.service.+|(?!nginx.service).*)$ systemd false
- name: record_modifier
match: nginx
allowlist_key:
- MESSAGE
# - name: record_modifier
# match: systemd_tag
# allowlist_key:
# - _SYSTEMD_UNIT
# - MESSAGE
outputs:
- name: loki
host: 192.168.0.252
labels: "env=common,hostname=load-balancer,service_name=nginx"
match: nginx
- name: loki
host: 192.168.0.252
labels: "env=common,hostname=load-balancer,service_name=systemd"
match: systemd

22
ansible/inventories/dev/group_vars/monitoring.yml → ansible/inventories/common/group_vars/monitoring.yml
View File

@ -1,5 +1,27 @@
---
users:
- name: admin
password_hash: !vault |
$ANSIBLE_VAULT;1.1;AES256
30623138653735643561343061356531373430393662383764633038383238383837626636393432
3138653539356430306266663864343563616332656131310a343632323363653665646363366437
66643430626437333461656231303339656435346261336238313036306431396333643965666631
3665393163623266320a373838313538626438623330393533353931336331623464613664633430
32303734396634376431383936643431313561303864343930393363623130663236666636353637
63613237383666656263316661333031643032323266636464313839653065316138343035346161
64313037336666353136383462333832373031623637636630326330313832333265386632343139
30306638356434376635346637346134653064613236326333656566383137353166393063333563
32623638343263313463313062303465626439356461613235656661623364656138
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit persist admin as root"
- name: ansible
password_hash: ""
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit nopass ansible"
prometheus_options:
global:

12
ansible/inventories/common/hosts.yml Normal file
View File

@ -0,0 +1,12 @@
---
all:
children:
bastion:
hosts:
192.168.0.254:
load_balancers:
hosts:
192.168.0.253:
monitoring:
hosts:
192.168.0.252:

84
ansible/inventories/dev/group_vars/load_balancers.yml
View File

@ -1,84 +0,0 @@
---
nginx_settings:
server_tokens: false
gzip: true
ssl_protocols:
- TLSv1.2
- TLSv1.3
load_balancers:
http:
- upstream:
name: main-page
servers:
- 192.168.0.10:80
server:
listen_port: 80
names:
- dev.cuqmbr.xyz
- dev.cuqmbr.home
- upstream:
name: searxng
servers:
- 192.168.0.15:8888
server:
listen_port: 80
names:
- searxng.dev.cuqmbr.xyz
- searxng.dev.cuqmbr.home
# - upstream:
# name: prometheus
# servers:
# - 192.168.0.252:9090
# server:
# listen_port: 80
# names:
# - prometheus.dev.cuqmbr.xyz
# - prometheus.dev.cuqmbr.home
- upstream:
name: grafana
servers:
- 192.168.0.252:3000
server:
listen_port: 80
names:
- monitoring.dev.cuqmbr.xyz
- monitoring.dev.cuqmbr.home
statements:
- proxy_set_header Host $http_host
fluentbit_settings:
service:
flush: 1
daemon: false
log_level: info
http_server: false
pipeline:
inputs:
- name: systemd
tag: systemd_input
filters:
- name: rewrite_tag
match: systemd_input
rule: $_SYSTEMD_UNIT ^(nginx.service)$ nginx false
- name: rewrite_tag
match: systemd_input
rule: $_SYSTEMD_UNIT ^(nginx.service.+|(?!nginx.service).*)$ systemd false
- name: record_modifier
match: nginx
allowlist_key:
- MESSAGE
# - name: record_modifier
# match: systemd_tag
# allowlist_key:
# - _SYSTEMD_UNIT
# - MESSAGE
outputs:
- name: loki
host: 192.168.0.252
labels: "env=common,hostname=load-balancer,service_name=nginx"
match: nginx
- name: loki
host: 192.168.0.252
labels: "env=common,hostname=load-balancer,service_name=systemd"
match: systemd

3
ansible/inventories/dev/group_vars/main_page.yml
View File

@ -32,8 +32,9 @@ users:
hugo_version: 0.147.9
hugo_homedir: /opt/hugo
hugo_git_repo: https://gitea.cuqmbr.xyz/cuqmbr/cuqmbr.xyz.git
hugo_git_commit: 5b894854d47b41996b1901fa257f8c2cad9224f9
hugo_git_commit: 585a8ad8ca4cfeab4df7ae5d852f5fb616b72aca
hugo_git_refspec: refs/heads/main
hugo_base_url: http://dev.cuqmbr.xyz
nginx_settings:
server_tokens: false

27
ansible/inventories/dev/group_vars/postgresql.yml
View File

@ -1,5 +1,28 @@
---
users:
- name: admin
password_hash: !vault |
$ANSIBLE_VAULT;1.1;AES256
30623138653735643561343061356531373430393662383764633038383238383837626636393432
3138653539356430306266663864343563616332656131310a343632323363653665646363366437
66643430626437333461656231303339656435346261336238313036306431396333643965666631
3665393163623266320a373838313538626438623330393533353931336331623464613664633430
32303734396634376431383936643431313561303864343930393363623130663236666636353637
63613237383666656263316661333031643032323266636464313839653065316138343035346161
64313037336666353136383462333832373031623637636630326330313832333265386632343139
30306638356434376635346637346134653064613236326333656566383137353166393063333563
32623638343263313463313062303465626439356461613235656661623364656138
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit persist admin as root"
- name: ansible
password_hash: ""
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit nopass ansible"
postgresql_global_config_options:
- option: unix_socket_directories
value: '{{ postgresql_unix_socket_directories | join(",") }}'
@ -14,12 +37,10 @@ postgresql_hba_entries:
- {type: local, database: all, user: postgres, auth_method: peer}
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: "{{ postgresql_auth_method }}"}
- {type: host, database: forgejo_db, user: forgejo, address: '192.168.0.20/32', auth_method: "{{ postgresql_auth_method }}"}
- {type: host, database: test_db, user: test, address: '0.0.0.0/0', auth_method: "{{ postgresql_auth_method }}"}
postgresql_databases:
- name: forgejo_db
owner: forgejo
# state: absent
postgresql_users:
- name: forgejo
@ -37,14 +58,12 @@ postgresql_users:
63303735393638336137666234383363383764313533323031303533343562336230613434316432
383632343762373735633664313431613064
encrypted: true
# state: absent
postgresql_privs:
- db: forgejo_db
roles: forgejo
privs: ALL
type: database
# state: absent
postgres_users_no_log: false

23
ansible/inventories/dev/group_vars/searxng.yml
View File

@ -1,5 +1,28 @@
---
users:
- name: admin
password_hash: !vault |
$ANSIBLE_VAULT;1.1;AES256
30623138653735643561343061356531373430393662383764633038383238383837626636393432
3138653539356430306266663864343563616332656131310a343632323363653665646363366437
66643430626437333461656231303339656435346261336238313036306431396333643965666631
3665393163623266320a373838313538626438623330393533353931336331623464613664633430
32303734396634376431383936643431313561303864343930393363623130663236666636353637
63613237383666656263316661333031643032323266636464313839653065316138343035346161
64313037336666353136383462333832373031623637636630326330313832333265386632343139
30306638356434376635346637346134653064613236326333656566383137353166393063333563
32623638343263313463313062303465626439356461613235656661623364656138
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit persist admin as root"
- name: ansible
password_hash: ""
ssh_public_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0"
opendoas_settings: "permit nopass ansible"
searxng_homedir: /opt/searxng
searxng_git_commit: e52e9bb4b699e39d9ce51874ea339d4773717389

9
ansible/inventories/dev/hosts.yml
View File

@ -1,15 +1,6 @@
---
all:
children:
bastion:
hosts:
192.168.0.254:
load_balancers:
hosts:
192.168.0.253:
monitoring:
hosts:
192.168.0.252:
postgresql:
hosts:
192.168.0.3:

1
ansible/roles/hugo/defaults/main.yml
View File

@ -5,3 +5,4 @@ hugo_homedir: /opt/hugo
hugo_git_repo: https://gitea.cuqmbr.xyz/cuqmbr/cuqmbr.xyz.git
hugo_git_commit: 5b894854d47b41996b1901fa257f8c2cad9224f9
hugo_git_refspec: refs/heads/main
hugo_base_url: https://cuqmbr.xyz

2
ansible/roles/hugo/tasks/main.yml
View File

@ -47,7 +47,7 @@
- name: Build hugo site.
ansible.builtin.shell:
chdir: "{{ hugo_source }}"
cmd: "hugo -d {{ hugo_compiled }}"
cmd: "hugo -b {{ hugo_base_url }} -d {{ hugo_compiled }}"
- name: Create hugo site deployment directory.
ansible.builtin.file:

0
terraform/.terraform.lock.hcl → terraform/common/.terraform.lock.hcl generated
View File

7
terraform/bastion.tf → terraform/common/bastion.tf
View File

@ -105,6 +105,11 @@ resource "proxmox_virtual_environment_firewall_rules" "bastion" {
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}
output "bastion_ct" {
value = proxmox_virtual_environment_container.bastion
sensitive = true
}

2
terraform/firewall_ipsets.tf → terraform/common/firewall_ipsets.tf
View File

@ -1,4 +1,4 @@
resource "proxmox_virtual_environment_firewall_ipset" "loggers" {
resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" {
name = "loggers"
comment = "Nodes that send logs to Monitoring Node."

20
terraform/firewall_security_groups.tf → terraform/common/firewall_security_groups.tf
View File

@ -11,6 +11,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
}
}
output "prometheus_node_exporter_sg" {
value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter
sensitive = true
}
resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_nginx_exporter" {
name = "prom-nginx-exp"
comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node."
@ -24,6 +29,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
}
}
output "prometheus_nginx_exporter_sg" {
value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_nginx_exporter
sensitive = true
}
resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_server_exporter" {
name = "prom-srv-exp"
comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node."
@ -37,6 +47,11 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
}
}
output "prometheus_server_exporter_sg" {
value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_server_exporter
sensitive = true
}
resource "proxmox_virtual_environment_cluster_firewall_security_group" "prometheus_alertmanager" {
name = "prom-alert"
comment = "Access Prometheus Alertmanager from Monitoring Node."
@ -49,3 +64,8 @@ resource "proxmox_virtual_environment_cluster_firewall_security_group" "promethe
action = "ACCEPT"
}
}
output "prometheus_alertmanager_sg" {
value = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_alertmanager
sensitive = true
}

35
terraform/load-balancer.tf → terraform/common/load-balancer.tf
View File

@ -89,11 +89,11 @@ resource "proxmox_virtual_environment_firewall_rules" "load_balancer" {
vm_id = proxmox_virtual_environment_container.load_balancer.vm_id
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
@ -105,28 +105,33 @@ resource "proxmox_virtual_environment_firewall_rules" "load_balancer" {
}
rule {
type = "in"
action = "ACCEPT"
dport = "80"
proto = "tcp"
type = "in"
action = "ACCEPT"
dport = "80"
proto = "tcp"
comment = "Ping."
}
rule {
type = "in"
proto = "tcp"
dport = "443"
action = "ACCEPT"
type = "in"
proto = "tcp"
dport = "443"
action = "ACCEPT"
comment = "HTTPS."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_nginx_exporter.name
comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node."
comment = "Allow Prometheus server to pull Prometheus nginx exporter from Monitoring Node."
}
}
output "load_balancer_ct" {
value = proxmox_virtual_environment_container.load_balancer
sensitive = true
}

4
terraform/main.tf → terraform/common/main.tf
View File

@ -10,7 +10,7 @@ terraform {
}
provider "proxmox" {
endpoint = var.virtual_environment_endpoint
endpoint = var.virtual_environment_endpoint
api_token = var.virtual_environment_api_token
insecure = true
insecure = true
}

54
terraform/monitoring.tf → terraform/common/monitoring.tf
View File

@ -77,61 +77,61 @@ resource "proxmox_virtual_environment_firewall_rules" "monitoring" {
vm_id = proxmox_virtual_environment_container.monitoring.vm_id
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "3000"
action = "ACCEPT"
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "3000"
action = "ACCEPT"
comment = "Grafana Server from Load Balancer."
}
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "9090"
action = "ACCEPT"
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "9090"
action = "ACCEPT"
comment = "Prometheus Server from Load Balancer."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_server_exporter.name
comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node."
comment = "Allow Prometheus server to pull Prometheus default exporter from Monitoring Node."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_alertmanager.name
comment = "Access Prometheus Alertmanager from Monitoring Node."
comment = "Access Prometheus Alertmanager from Monitoring Node."
}
rule {
type = "in"
source = "+${proxmox_virtual_environment_firewall_ipset.loggers.name}"
proto = "tcp"
dport = "3100"
action = "ACCEPT"
type = "in"
source = "+${proxmox_virtual_environment_firewall_ipset.dev_loggers.name}"
proto = "tcp"
dport = "3100"
action = "ACCEPT"
comment = "Access Grafana Loki from logging nodes."
}
}

37
terraform/common/variables.tf Normal file
View File

@ -0,0 +1,37 @@
# Connection Settings
variable "virtual_environment_endpoint" {
description = "Proxmox Virtual Envirnment Endpoint e.g. https://pve.domain.tld:8006/."
type = string
}
variable "virtual_environment_api_token" {
description = "Tocket to access PVE API on behalf of the user."
type = string
sensitive = true
}
variable "ssh_public_key" {
description = "SSH public key to place into authorized_keys of a root user in new vm/ct."
type = string
sensitive = true
}
# Variables
variable "datastore_id" {
type = string
}
variable "external_network_bridge_name" {
type = string
}
variable "development_network_bridge_name" {
type = string
}
variable "production_network_bridge_name" {
type = string
}

9
terraform/dev/.terraform.lock.hcl generated Normal file
View File

@ -0,0 +1,9 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "local/bpg/proxmox" {
version = "0.78.2"
hashes = [
"h1:N/p0BJCms7y2MBJmYjoWXFtxocN55PKYz1ulwzPTO00=",
]
}

10
terraform/main-page.tf → terraform/dev/main-page.tf
View File

@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "main_page" {
}
network_interface {
bridge = var.development_network_bridge_name
bridge = var.internal_network_bridge_name
name = "eth-dev"
firewall = true
enabled = true
@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" {
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
@ -95,7 +95,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" {
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "80"
action = "ACCEPT"
@ -103,7 +103,7 @@ resource "proxmox_virtual_environment_firewall_rules" "main_page" {
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}

23
terraform/dev/main.tf Normal file
View File

@ -0,0 +1,23 @@
terraform {
backend "local" {
path = "./terraform.tfstate"
}
required_providers {
proxmox = {
source = "local/bpg/proxmox"
}
}
}
provider "proxmox" {
endpoint = var.virtual_environment_endpoint
api_token = var.virtual_environment_api_token
insecure = true
}
data "terraform_remote_state" "common" {
backend = "local"
config = {
path = "../common/terraform.tfstate"
}
}

16
terraform/postgresql.tf → terraform/dev/postgresql.tf
View File

@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "postgresql" {
}
network_interface {
bridge = var.development_network_bridge_name
bridge = var.internal_network_bridge_name
name = "eth-dev"
firewall = true
enabled = true
@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" {
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
@ -86,15 +86,15 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" {
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}

10
terraform/searxng.tf → terraform/dev/searxng.tf
View File

@ -21,7 +21,7 @@ resource "proxmox_virtual_environment_container" "searxng" {
}
network_interface {
bridge = var.development_network_bridge_name
bridge = var.internal_network_bridge_name
name = "eth-dev"
firewall = true
enabled = true
@ -78,7 +78,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" {
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
@ -95,7 +95,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" {
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "8888"
action = "ACCEPT"
@ -103,7 +103,7 @@ resource "proxmox_virtual_environment_firewall_rules" "searxng" {
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}

2
terraform/variables.tf → terraform/dev/variables.tf
View File

@ -28,6 +28,6 @@ variable "external_network_bridge_name" {
type = string
}
variable "development_network_bridge_name" {
variable "internal_network_bridge_name" {
type = string
}

109
terraform/forgejo.tf.disabled
View File

@ -1,109 +0,0 @@
resource "proxmox_virtual_environment_container" "forgejo" {
node_name = "pve"
vm_id = 1200
tags = ["dev"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 1536
}
disk {
datastore_id = var.datastore_id
size = 32
}
network_interface {
bridge = var.development_network_bridge_name
name = "eth-dev"
firewall = true
enabled = true
}
initialization {
hostname = "forgejo"
ip_config {
ipv4 {
address = "192.168.0.12/24"
gateway = "192.168.0.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 500
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "forgejo" {
depends_on = [proxmox_virtual_environment_container.forgejo]
node_name = proxmox_virtual_environment_container.forgejo.node_name
vm_id = proxmox_virtual_environment_container.forgejo.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "forgejo" {
depends_on = [proxmox_virtual_environment_container.forgejo]
node_name = proxmox_virtual_environment_container.forgejo.node_name
vm_id = proxmox_virtual_environment_container.forgejo.vm_id
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "3000"
action = "ACCEPT"
comment = "Forgejo."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}

9
terraform/prod/.terraform.lock.hcl generated Normal file
View File

@ -0,0 +1,9 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "local/bpg/proxmox" {
version = "0.78.2"
hashes = [
"h1:N/p0BJCms7y2MBJmYjoWXFtxocN55PKYz1ulwzPTO00=",
]
}

23
terraform/prod/main.tf Normal file
View File

@ -0,0 +1,23 @@
terraform {
backend "local" {
path = "./terraform.tfstate"
}
required_providers {
proxmox = {
source = "local/bpg/proxmox"
}
}
}
provider "proxmox" {
endpoint = var.virtual_environment_endpoint
api_token = var.virtual_environment_api_token
insecure = true
}
data "terraform_remote_state" "common" {
backend = "local"
config = {
path = "../common/terraform.tfstate"
}
}

33
terraform/prod/variables.tf Normal file
View File

@ -0,0 +1,33 @@
# Connection Settings
variable "virtual_environment_endpoint" {
description = "Proxmox Virtual Envirnment Endpoint e.g. https://pve.domain.tld:8006/."
type = string
}
variable "virtual_environment_api_token" {
description = "Tocket to access PVE API on behalf of the user."
type = string
sensitive = true
}
variable "ssh_public_key" {
description = "SSH public key to place into authorized_keys of a root user in new vm/ct."
type = string
sensitive = true
}
# Variables
variable "datastore_id" {
type = string
}
variable "external_network_bridge_name" {
type = string
}
variable "internal_network_bridge_name" {
type = string
}

109
terraform/test.tf.disabled
View File

@ -1,109 +0,0 @@
resource "proxmox_virtual_environment_container" "test" {
node_name = "pve"
vm_id = 1201
tags = ["dev"]
unprivileged = true
cpu {
cores = 1
}
memory {
dedicated = 1536
}
disk {
datastore_id = var.datastore_id
size = 10
}
network_interface {
bridge = var.development_network_bridge_name
name = "eth-dev"
firewall = true
enabled = true
}
initialization {
hostname = "test"
ip_config {
ipv4 {
address = "192.168.0.100/24"
gateway = "192.168.0.1"
}
}
user_account {
keys = [var.ssh_public_key]
}
}
operating_system {
template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
type = "debian"
}
started = true
startup {
order = 500
up_delay = 0
down_delay = 0
}
features {
nesting = true
}
}
resource "proxmox_virtual_environment_firewall_options" "test" {
depends_on = [proxmox_virtual_environment_container.test]
node_name = proxmox_virtual_environment_container.test.node_name
vm_id = proxmox_virtual_environment_container.test.vm_id
enabled = true
dhcp = true
input_policy = "DROP"
output_policy = "ACCEPT"
}
resource "proxmox_virtual_environment_firewall_rules" "test" {
depends_on = [proxmox_virtual_environment_container.test]
node_name = proxmox_virtual_environment_container.test.node_name
vm_id = proxmox_virtual_environment_container.test.vm_id
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.bastion.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "22"
action = "ACCEPT"
comment = "SSH from Bastion."
}
rule {
type = "in"
proto = "icmp"
dport = "8"
action = "ACCEPT"
comment = "Ping."
}
rule {
type = "in"
source = split("/", proxmox_virtual_environment_container.load_balancer.initialization[0].ip_config[1].ipv4[0].address)[0]
proto = "tcp"
dport = "3000"
action = "ACCEPT"
comment = "test."
}
rule {
security_group = proxmox_virtual_environment_cluster_firewall_security_group.prometheus_node_exporter.name
comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node."
}
}