


vincent
90dd0ecd9a chore: link makefile
2024-11-09 10:24:15 +01:00
vincent
4f6743db5f perf: tweak mealie and pihole memory
2024-11-09 10:23:42 +01:00
vincent
2452a2ad44 fix (flaresolverr): change image to resolve chalenge issue 2024-11-09 10:23:07 +01:00
vincent
5e2bb57914 rutorrent: resolve issue with docker 2024-11-09 10:22:24 +01:00
vincent
3eb2dbfa08 authelia: custom consent preconfigured time 2024-11-09 10:21:50 +01:00
vincent
1ea094aa6e Revert "perfs: decrease CPU"
This reverts commit 6ea5de0315.
2024-10-29 19:21:05 +01:00
vincent
c1e48d4ace add compute parameter to oscar
2024-10-29 19:08:41 +01:00
vincent
b2710aab2f add oauth to gitea 2024-10-19 16:28:25 +02:00
vincent
c000933f66 add paperless-ng SSO
2024-10-12 10:12:38 +02:00
vincent
7948773757 perfs: increase memory-max for some job
2024-09-29 17:51:05 +02:00
vincent
3d90a1f6d7 fix: wrong dns in docker daemon.json 2024-09-29 17:50:31 +02:00
vincent
1f29007172 switch to nfs v4 on share 2024-09-29 17:50:11 +02:00
vincent
af58866882 dns: pdns-admin in dedicated nomad group 2024-09-29 17:38:27 +02:00
vincent
374a62c304 fix: aur call in database playbook
2024-08-04 11:49:40 +02:00
vincent
9451443266 refactor: split job in role folder
2024-08-03 15:06:36 +02:00
vincent
dacd187f7b fix: loki config
2024-08-03 14:47:27 +02:00
vincent
e48a879c43 fix: torrent PUID 2024-08-03 14:46:47 +02:00
vincent
6ea5de0315 perfs: decrease CPU 2024-08-03 14:46:05 +02:00
vincent
984b712c78 update: nfs csi nfs plugins 4.7 2024-08-03 14:45:22 +02:00
vincent
293fddd81c remove backup disk mount 2024-08-03 14:45:04 +02:00
vincent
0952c4bf42 fix: change media mount path 2024-08-03 14:43:30 +02:00
vincent
3228054172 oscar hardware replacement
2024-06-29 10:21:44 +02:00
vincent
ee7cd0c12e fix: wrong interface variable call 2024-06-29 10:20:25 +02:00
vincent
22a60b42d4 add vikunja to generate vault 2024-06-25 18:45:46 +02:00
vincent
d578fefbce perfs (registry): add memory 2024-06-25 18:45:16 +02:00
vincent
cae4ceb623 update: remove immich microservice 2024-06-25 18:44:51 +02:00
vincent
ddc4320fe9 feat (vikunja): implemant oauth
2024-05-20 12:15:56 +02:00
vincent
d1b475d651 fix: add cluster consraint to prowalar and tt-rss 2024-05-20 11:21:45 +02:00
vincent
d817f3a7f8 perfs (immich): increase memory 2024-05-20 11:21:21 +02:00
vincent
18a78f6fd2 chore (immich): fix logo 2024-05-20 11:20:32 +02:00
vincent
f22e3406be borgmatic: modify jellyfin backup exeption 2024-05-16 19:19:00 +02:00
vincent
1520ec0dcc disable authelia notifier check 2024-05-16 19:18:18 +02:00
vincent
275435664c feat: grafanna sso
2024-05-10 15:50:45 +02:00
vincent
f9ff70a9d9 feat: immich sso
2024-05-10 14:49:50 +02:00
vincent
8915ff52dd fix: wrong array character 2024-05-10 14:49:20 +02:00
vincent
74794f866a feat: improve database playbook 2024-05-10 08:35:14 +02:00
vincent
7244ceb5b1 feat: manage all nomad folder creation on build 2024-05-10 08:35:14 +02:00
vincent
49a8a427f7 perf: adjust openldap ram 2024-05-10 08:35:14 +02:00
vincent
f4f77fc55a fix: add dev network to docker insecure registry 2024-05-10 08:35:14 +02:00
vincent
351d7c287f fix: increase VM ram among 2024-05-10 08:35:14 +02:00
vincent
598896ad5f feat: implement immich job 2024-05-10 08:20:01 +02:00
vincent
6e00668840 add terrform immich variable for vault and dns 2024-05-10 08:18:53 +02:00
vincent
24eb640c60 configure db for immich 2024-05-09 09:25:23 +02:00
vincent
9b6ed6cc6e switch to opentofu 2024-05-09 09:14:25 +02:00
vincent
2f1de5dcd5 fix vault dn
Signed-off-by: vincent <vincent@ducamps.win>
2024-05-08 21:38:10 +02:00
vincent
78692be3fd add vector.rs to database playbook 2024-05-08 21:37:27 +02:00
vincent
272efbb844 update openldap default tree 2024-05-08 21:14:37 +02:00
vincent
c9f4656470 switch gerard-dev to archlinux 2024-05-08 21:07:57 +02:00
vincent
6e679c82a0 fix: add missing argument to ldap manager
2024-05-08 09:11:28 +02:00
vincent
9d0c513787 chore: update nomad template 2024-04-28 16:11:37 +02:00
vincent
69a2ad4efd feat: implement mealie
2024-04-28 16:10:43 +02:00
vincent
2f6c814fb1 CI: terraform makefile command parameter
2024-04-27 14:29:38 +02:00
vincent
ab3c42cf8b feat: add authelia oidc authent
2024-04-24 21:23:39 +02:00
vincent
992937c011 feat: migrate rutorrent on authelia for authent
2024-04-12 08:59:40 +02:00
vincent
5fe61223c3 feat: create authelia job 2024-04-12 08:59:20 +02:00
vincent
452ab3611a fix (syncthing): change UID to match to folder 2024-04-12 08:58:02 +02:00
vincent
1ee5e21f84 ldap: remove login shell for service acount 2024-04-12 08:57:38 +02:00
vincent
92befa7ea4 chore: update alertmanager smtp hello url 2024-04-12 08:56:50 +02:00
vincent
4be6af919d refactor: mmove lldap to decom job 2024-04-12 08:56:34 +02:00
vincent
77e7cd4f88 style: update missing icon 2024-04-12 08:56:12 +02:00
vincent
fe9bc8dbab feat: add torrent automation job (prawlarr + flareresolver) 2024-04-11 10:16:20 +02:00
vincent
60cfe75e47 perfs (prometheus): add memory_max
2024-04-09 08:41:06 +02:00
vincent
4fcf862279 borgmatic: add exclusion 2024-04-09 08:40:53 +02:00
vincent
98c1d63962 borgmatic: add action 2024-04-09 08:40:38 +02:00
vincent
0b067cabca loki: review config 2024-04-09 08:39:37 +02:00
vincent
4ef30222f7 fix: memory_max
2024-03-29 21:15:39 +01:00
vincent
117e9397a3 switch volume to nfsv4 2024-03-29 21:14:24 +01:00
vincent
0b25eb194e feat: add authorization for local docker in nfs
2024-03-17 19:07:51 +01:00
vincent
74dc3a0c89 chore: clean gerard from inventory 2024-03-17 19:01:52 +01:00
vincent
9bc0e24357 fix: pureftpd variable 2024-03-17 19:01:32 +01:00
vincent
e0f9190b76 feat: docker pull througt mirror
2024-03-17 18:58:24 +01:00
vincent
f0676ec3f7 fix: change rutorrent tag 2024-03-17 11:07:59 +01:00
vincent
8b895fee06 docs: update ADR 2024-03-17 11:07:59 +01:00
vincent
aeed90ea34 perfs: adjust max mermory 2024-03-17 11:07:59 +01:00
vincent
a89109e1ff feat: add actual budget 2024-03-17 11:07:59 +01:00
vincent
d748beb6a4 feat: switxh from vsftp to pure-ftpd 2024-03-17 11:07:59 +01:00
vincent
3a80c47b56 add service account ou in ldap default tree 2024-03-17 11:07:59 +01:00
vincent
c75e9e707a fix: staging nas bind 2024-03-17 11:07:59 +01:00
vincent
4926b4eb06 perfs: increase backup postgress memory 2024-03-17 11:07:59 +01:00
vincent
0ebd087544 fix: move binding dn 2024-03-17 11:07:59 +01:00
vincent
b7dc26cc27 borgmatic: fix config 2024-03-17 11:07:59 +01:00
vincent
012c448c73 improve share binding 2024-03-17 11:07:59 +01:00
vincent
1b79fe4cb0 Borgmatic: add know host 2024-03-17 11:07:59 +01:00
vincent
6848ffa05b fix: become on nut role 2024-03-17 11:07:59 +01:00
vincent
aec7230f11 feat: ftp local user iss chroot 2024-03-17 11:07:58 +01:00
vincent
da3b290d4a feat: enable crossmount in nfs share 2024-03-17 11:07:58 +01:00
vincent
5718968407 fix:hard DNS on oscar instead Nas (if NAS is shutdown cluster DNS will
shutdown )
2024-03-17 11:07:58 +01:00
vincent
0db8555fe8 change rutorrent group 2024-03-17 11:07:58 +01:00
vincent
2fee8293dc feat: add role for nut 2024-03-17 11:07:58 +01:00
vincent
3dae6adb33 switch dns on oberon 2024-03-17 11:07:58 +01:00
vincent
f207be7d7d finalize Nas data migration 2024-03-17 11:07:58 +01:00
vincent
f32c0d1e40 fix: no issue on nfs cluster if one device is down 2024-03-17 11:07:58 +01:00
vincent
d37fe78e39 feat: enable vsftp user session 2024-03-17 11:07:58 +01:00
vincent
586e6101ca feat: correct homedir for samba 2024-03-17 11:07:58 +01:00
vincent
e470b204a5 feat: add constrainst to limit nas job 2024-03-17 11:07:58 +01:00
vincent
c4d10aacfe fix: change path 2024-03-17 11:07:58 +01:00
vincent
e10830e028 fix: path issue 2024-03-17 11:07:58 +01:00
vincent
c37083b5c9 feat: isolate wireguard playbook 2024-03-17 11:07:58 +01:00
vincent
c7e6270c3a fix: remove separator from create user 2024-03-17 11:07:58 +01:00
vincent
625bda7fda feat: deploy NAS on oberon 2024-03-17 11:07:58 +01:00
vincent
d1cc5ff299 fix: add lan dns redirection to pdns recursor 2024-03-17 11:07:58 +01:00
vincent
0a57c5659c fix: upgrade vikunka 2024-03-17 11:07:58 +01:00
vincent
7191cb7216 rename nas to oberon 2024-03-17 11:07:58 +01:00
vincent
b3488061da dns: decrease local ttl 2024-03-17 11:07:58 +01:00
vincent
c08032052d fix: terraform dns makefile secret 2024-03-17 11:07:58 +01:00
vincent
25780828cc job: add borgmatic 2024-03-17 11:07:58 +01:00
vincent
46b4a51935 CI: improve consul stagging switch 2024-03-17 11:07:58 +01:00
vincent
993753f284 feat: intergrate SAMBA Nas role 2024-03-17 11:07:58 +01:00
vincent
5188d865d8 fix: get ldap admin password in vault 2024-03-17 11:07:58 +01:00
vincent
2a731201a1 add default crypt password for vault service account 2024-03-17 11:07:58 +01:00
vincent
70e0d6011b CI: autoapprove for terraform apply 2024-03-17 11:07:58 +01:00
vincent
2c0da4bd15 feat: enable automoint for staging 2024-03-17 11:07:58 +01:00
vincent
547ce05466 chore: complete generate-vault-secret 2024-03-17 11:07:58 +01:00
vincent
bfb3ec3d34 fix: modify vault endpoint for create nomad token 2024-03-17 11:07:58 +01:00
vincent
9756939f8e fix: create nomad dir in playbook with correct right 2024-03-17 11:07:58 +01:00
vincent
f420f17929 feat: modify staging domain name 2024-03-17 11:07:58 +01:00
vincent
2bae64c40b create script to bootstrap vault secret 2024-03-17 11:07:58 +01:00
vincent
c8f7d7f8c3 ordo: improve makefile for terraform 2024-03-17 11:07:58 +01:00
vincent
2632c6d2b0 dns: switch cname to alias 2024-03-17 11:07:58 +01:00
vincent
f61008b570 fix: bootstrap become 2024-03-17 11:07:58 +01:00
vincent
73df5fa582 refactor: consul in first of hashicorp stack 2024-03-17 11:07:58 +01:00
vincent
e3d76630c3 feat: replace rocky by arch in vagrant 2024-03-17 11:07:58 +01:00
vincent
41b1a71c76 feat: switch consul DNS in makefile 2024-03-17 11:07:58 +01:00
vincent
e9ad317436 feat ensure nfs share folder exist 2024-03-17 11:07:58 +01:00
vincent
2db6061516 fix: declare main interface variable for stagging 2024-03-17 11:07:58 +01:00
vincent
3367c78314 feat: merge user create and config playbook 2024-03-17 11:07:58 +01:00
vincent
08ea604028 feat: create home share ans delete home mont on cluster 2024-03-17 11:07:58 +01:00
vincent
29ab70a1d5 fix: samba mount option issue 2024-03-17 11:07:58 +01:00
vincent
e083f4da7a terraform: remove corwin 2024-03-17 11:07:58 +01:00
vincent
2ea4992f57 fix dockermailserver: add privae network to ha proxy auth 2024-03-17 11:07:58 +01:00
vincent
49de33bbdb calc docket mtu on wireguard MTU 2024-03-17 11:07:58 +01:00
vincent
2b678b7786 remove bootstap become 2024-03-17 11:07:58 +01:00
vincent
fc2dcd7b33 fix: add empty env group to avoid issue 2024-03-17 11:07:58 +01:00
vincent
29d70cac0e migrate to merlin 2024-03-17 11:07:58 +01:00
vincent
4117bd80c5 fix: www specific location for archiso 2024-03-17 11:07:58 +01:00
vincent
da6f04e42e fix: database pg_hba 2024-03-17 11:07:58 +01:00
vincent
13bda4cd34 fix: case where vault root file not exist 2024-03-17 11:07:58 +01:00
vincent
63cd352fff archiso on web server 2024-03-17 11:07:58 +01:00
vincent
a65e3484b5 implement default interface variable 2024-03-17 11:07:58 +01:00
vincent
2b9e034232 delete old var file 2024-03-17 11:07:58 +01:00
vincent
527d2f2345 add packer to build arch image on hetzner 2024-03-17 11:07:58 +01:00
vincent
2da18e9c12 docs: add smtp case troubleshoot 2024-03-17 11:07:58 +01:00
vincent
49f639cb15 delete old dns terraform file 2024-03-17 11:07:58 +01:00
vincent
abc88f0074 add packer for hetzner image 2024-03-17 11:07:58 +01:00
vincent
394dbaf6cb move filestash on homelab 2024-03-17 11:07:58 +01:00
vincent
78762b477e move mail on homelab 2024-03-17 11:07:58 +01:00
vincent
2c00b9be59 feat: redirect all cluster traffic on wirequard 2024-03-17 11:07:58 +01:00
vincent
acc6cdc5fa fix crowsec: rename data file 2024-03-17 11:07:58 +01:00
vincent
43b6cf9158 fix www: change redirection method 2024-03-17 11:07:58 +01:00
vincent
015a89b27e fix: port 25 entrypoint conflict 2024-03-17 11:07:58 +01:00
vincent
68434f3e92 fix: switch ldap user manager traefik router 2024-03-17 11:07:58 +01:00
vincent
fe6d1c5e26 add user group to tree ldif 2024-03-17 11:07:58 +01:00
vincent
f8bc026165 feat: implemant openldap and migration 2024-03-17 11:07:58 +01:00
vincent
80f489422a change docker repo for testing 2024-03-17 11:07:58 +01:00
vincent
4207b1fc75 init lldap job 2024-03-17 11:07:58 +01:00
vincent
ea30fce975 feat: move backup in dedicated folder 2024-03-17 11:07:58 +01:00
vincent
5b23006e97 feat: move last application data folder in nomad share 2024-03-17 11:07:58 +01:00
vincent
9370a92518 put hashicorpstack before nas role 2024-03-17 11:07:58 +01:00
vincent
9fcf2d78e6 config repo on prod 2024-03-17 11:07:58 +01:00
vincent
f82c99c2ba fix: typo 2024-03-17 11:07:58 +01:00
vincent
cecad8b785 feat: change nas if by consul service for stagging 2024-03-17 11:07:58 +01:00
vincent
28fc2bf6a7 init csi 2024-01-13 18:37:11 +01:00
vincent
a0214d0d74 allow nomad privileged on all
2024-01-13 18:36:27 +01:00
vincent
9812376a1d gather all device before nas playbook 2024-01-13 18:36:27 +01:00
vincent
6ddcc4736e put nfs share in export bind 2024-01-13 18:32:02 +01:00
vincent
11fe5fb5dc conf dhcp: add ip for shelly
2024-01-13 16:49:47 +01:00
vincent
ec2ecd08cd perfs backup-postgress: increse memory
2024-01-13 10:20:53 +01:00
vincent
40ce7c1550 feat: improce variable management
2024-01-09 18:52:47 +01:00
vincent
64346cc63b depends: update terraform plugins 2024-01-09 18:52:47 +01:00
vincent
ffd597f710 by mount enable option instead dedicated variable 2024-01-09 18:52:47 +01:00
vincent
c4f1423501 recover dynamic ip for nfs mount 2024-01-09 18:52:47 +01:00
vincent
5a8c4519a6 fix: switch nfs auth to IP 2024-01-09 18:52:47 +01:00
vincent
908495bce3 norootsquash 2024-01-07 10:04:53 +01:00
vincent
8ca6413b02 add nas host file 2024-01-07 10:04:53 +01:00
vincent
8008295780 add become to nas role 2024-01-07 10:04:53 +01:00
vincent
05930da661 switch ducamps.eu 2024-01-07 10:04:53 +01:00
vincent
5d966908c5 add ftp role 2024-01-07 10:04:53 +01:00
vincent
c7a6ed5392 add some share
--amend

squash
2024-01-07 10:04:53 +01:00
vincent
f3469bd612 feat: dedicated playbook for autofs 2024-01-07 10:04:53 +01:00
vincent
33b4fc6ad5 feat: variable file by env
squash
2024-01-07 10:04:53 +01:00
vincent
351bef555c feat: server playbook for all device 2024-01-07 10:04:53 +01:00
vincent
6db6b28706 fix: nfs role execution 2024-01-07 10:04:53 +01:00
vincent
8081e89176 add nas variable and playbook 2024-01-07 10:04:53 +01:00
vincent
3628139699 init nas config 2024-01-07 10:04:52 +01:00
vincent
f0dd3e8f33 add repli in pg_hba variable
2024-01-07 09:58:40 +01:00
vincent
0b78cbe0e3 fix: add second dns for docker
issue with Drone docker-in-docker: DNS connection refused on the systemd stub DNS
2024-01-07 09:47:15 +01:00
vincent
da1686cdea fix rutorrent: PUID
2024-01-04 19:37:42 +01:00
vincent
5939ff8057 perfs: increase memory for postgres backup
2024-01-01 11:44:10 +01:00
vincent
d15939640f deps: remove role pdn
2023-12-23 10:34:00 +01:00
vincent
47761bf90e use nas IP for mount
2023-12-17 10:54:53 +01:00
vincent
2fc86fc14f fix: run rutoren batch each hour
2023-12-03 10:16:49 +01:00
vincent
49d2ce491f add loki metrics in prometheus
2023-11-28 19:02:19 +01:00
vincent
1992f75888 dockermailserver switch to latest
2023-11-28 18:30:52 +01:00
vincent
a0179b829d feat: switch to vector for docker log collect
Signed-off-by: vincent <vincent@ducamps.win>
2023-11-28 18:22:13 +01:00
vincent
2cad7575d1 add batch to clen rutorrent forward folder 2023-11-25 18:57:52 +01:00
vincent
9f5c738317 rename batch job 2023-11-25 18:57:32 +01:00
vincent
f2c7e9a95a change torrent copy
2023-11-23 20:57:56 +01:00
vincent
4f1646afc2 change ldap dns 2023-11-17 20:03:33 +01:00
vincent
ba4647379e update makefile
2023-11-14 17:48:20 +01:00
vincent
58f89756d3 add defualt nomad interface for corwin 2023-11-14 17:47:53 +01:00
vincent
a60a1bc578 docs: update ADR NAS and DNS 2023-11-14 17:47:18 +01:00
vincent
9578b25804 remove dns option from promtail 2023-11-14 17:46:24 +01:00
vincent
f2bc16cbe0 perf: increase memory 2023-11-14 17:45:52 +01:00
vincent
70eec26d0a pacoloco manage archarmV8 2023-11-14 17:45:38 +01:00
vincent
98f1e34d04 perf: decrease memory pdns 2023-11-07 18:56:03 +01:00
vincent
9e4348065e add variable system_ip_unprivileged_port_start 2023-11-07 18:55:34 +01:00
vincent
f17a946d81 add recursort in front of auth server 2023-11-06 19:07:25 +01:00
vincent
b494eaf358 big bang ducamps.win -> ducamps.eu 2023-11-05 19:08:17 +01:00
vincent
5d3432ff45 switch dns update on pdns
2023-11-05 17:00:16 +01:00
vincent
5685458fbf fix mail dns entry
2023-11-05 14:58:41 +01:00
vincent
674813e2e4 migrate ducamps.eu on pdns 2023-11-05 14:58:10 +01:00
vincent
3944d444aa pihole listen only on 192.168.1.4 2023-11-05 11:58:07 +01:00
vincent
9a0aa359a5 add basic auth to torrent
2023-11-04 21:34:03 +01:00
vincent
4e9155e0db prepare DNS migration 2023-11-04 21:33:51 +01:00
vincent
b54420c0d9 style: fix markdown
2023-11-01 19:53:42 +01:00
vincent
db8b2c3b1e consul backup in nomad
2023-11-01 19:30:39 +01:00
vincent
bed1a666da add dns config for docker
2023-11-01 18:58:56 +01:00
vincent
9d44ad59c7 vault backup cron in nomad 2023-11-01 18:58:42 +01:00
vincent
c8a1ba34f3 fix: tt-rss db host 2023-11-01 09:08:47 +01:00
vincent
b1afa5a801 fix: vault unseal key encrypted
2023-11-01 08:42:30 +01:00
vincent
4cd583622b database DNS entry in consul 2023-11-01 08:42:04 +01:00
vincent
8718bfe051 user_config ouside of site (to remove git.ducamps.win dependance) 2023-11-01 08:41:03 +01:00
vincent
594ffcad44 add alias to see all vault alias
2023-10-29 20:23:41 +01:00
vincent
14b1ac38e2 remove hasshicorp vault dependance on ansil metal deployment 2023-10-29 20:04:53 +01:00
vincent
521ea28229 fix nomad token condition
Signed-off-by: vincent <vincent@ducamps.win>
2023-10-29 20:03:08 +01:00
vincent
85d9dfa7d7 decom msmtp 2023-10-29 18:06:36 +01:00
vincent
61d182dfe6 factorize consul domain on corwin
2023-10-29 15:36:05 +01:00
vincent
ecc4e1dbb9 add dns in site 2023-10-29 15:35:51 +01:00
vincent
439611990e add base dev 2023-10-29 15:35:30 +01:00
vincent
ef927ee761 manage nomad vault token in ansible 2023-10-29 15:35:11 +01:00
vincent
3770c41d03 ansible variable: split variable in file 2023-10-29 15:33:24 +01:00
vincent
50d43dd44c ansible: increase sssh timeout 2023-10-29 15:30:10 +01:00
vincent
1accb487e6 vagrant: bootstrap per VM 2023-10-29 15:29:20 +01:00
vincent
9965a58e47 update debian image 2023-10-29 15:28:48 +01:00
vincent
b972781036 increase prometheus memory
2023-10-23 19:16:47 +02:00
vincent
0e4d6c30d1 increase prometheus retention 2023-10-23 19:16:27 +02:00
vincent
cf53b72179 remove duplicate label 2023-10-23 19:15:55 +02:00
vincent
a99d4534c6 increate prometheus retention time 2023-10-22 21:50:12 +02:00
vincent
38ea6d811e feat: add prometheus alerting for node hardware
2023-10-22 17:26:57 +02:00
vincent
202fdf176e docs: add DNS ADR 2023-10-22 16:10:22 +02:00
vincent
dc7d2134bf fix: conflict between pihole and dnsmasq
2023-10-21 22:37:59 +02:00
vincent
aef03b0e13 docs: update DNS schema 2023-10-21 15:54:10 +02:00
vincent
d5ad4a239c docs: complete DNS ADR 2023-10-21 15:43:13 +02:00
vincent
42cce82722 add systemd-resolved redirection variable 2023-10-21 15:24:58 +02:00
vincent
276fa3c7ec update wireguard DNS 2023-10-21 14:04:12 +02:00
vincent
7a433c2492 fix second dhcp IP 2023-10-21 14:04:12 +02:00
vincent
6f55907bb3 disable DNSSEC 2023-10-21 14:04:12 +02:00
vincent
bfa620f178 move vagrant domain 2023-10-21 14:04:12 +02:00
vincent
1fbf3a9407 create config powerdns 2023-10-21 14:04:12 +02:00
vincent
a8ed6daf77 fix: missing NS entry for trafieck acme 2023-10-21 14:02:05 +02:00
vincent
ae52d90998 switch to private IP for corwin
2023-10-18 19:19:35 +02:00
vincent
32b5b30760 disable gatherfact for bootstrap role 2023-10-18 19:19:15 +02:00
vincent
24ab28b538 fiw www: entrypoint with a s
2023-10-14 09:14:26 +02:00
vincent
6b0b4ff807 infra: factoring firewall
2023-10-09 20:12:43 +02:00
vincent
bf88a6e74f add nuts exporter
2023-10-08 16:50:19 +02:00
vincent
7e1771d998 rename tt-rss to ttrss task 2023-10-08 14:52:53 +02:00
vincent
4a3e6b3450 perf: increase loki memory 2023-10-08 14:52:33 +02:00
vincent
18dccdd54c improve promtail label 2023-10-08 14:52:00 +02:00
vincent
196d1b1759 crowdsec add some collection
2023-10-08 10:25:15 +02:00
vincent
6149b95b4e dns: add paperless to external dns 2023-10-08 09:38:23 +02:00
vincent
cbb2ba178b fox last entrypoint fix 2023-10-07 19:09:56 +02:00
vincent
5253490f65 fix: proxy smtp port 25 issue
2023-10-07 18:40:40 +02:00
vincent
6d2c5f57a5 traefik reverse proxy for port 25 2023-10-07 18:00:37 +02:00
vincent
211a2adc5c disable rpsamd for authenticated User 2023-10-07 17:59:19 +02:00
vincent
bfd67fdf46 change ttrss URL 2023-10-07 17:34:55 +02:00
vincent
a8637576eb configure alertmanager smtp alert 2023-10-07 17:34:17 +02:00
vincent
614e237d45 docs: mailserver ADR done
2023-10-07 09:05:31 +02:00
vincent
b44c620f95 perf: add memory max to jellyfin 2023-10-07 09:03:43 +02:00
vincent
2c1f3629c5 dns: update DMARC entry 2023-10-07 09:02:21 +02:00
vincent
4a987e6446 add rspamd service
2023-10-04 21:15:01 +02:00
vincent
db04c1b678 infra: add autodiscover in DNS 2023-10-04 20:56:15 +02:00
vincent
eadf067157 add Rspamd for spam DKIM and DMARC 2023-10-04 20:55:42 +02:00
vincent
b4d1c7ffb9 bypasss traefik for smtp 2023-10-03 19:27:36 +02:00
vincent
fb5f6978ac change spf 2023-10-03 19:24:37 +02:00
vincent
6705e06541 create docker-mailserver job 2023-10-01 19:30:23 +02:00
vincent
0d2e2a3d52 redirect ducamps.eu in pihole 2023-10-01 19:29:58 +02:00
vincent
cd35d16f0f add mail firewall rules 2023-10-01 19:29:19 +02:00
vincent
15e1c5c018 modify dns for mail 2023-10-01 19:28:43 +02:00
vincent
9f853d91f5 infra: add entry imap and smtp
2023-09-26 18:23:21 +02:00
vincent
a99cc3a76b add ducamps.eu dns zone 2023-09-24 10:58:46 +02:00
vincent
c2737f6771 docs: add location context 2023-09-21 19:24:42 +02:00
vincent
5a92d6b37a docs: add ADR mail server 2023-09-21 19:19:19 +02:00
vincent
55801ac7e1 increase corwin memory
2023-09-21 19:18:48 +02:00
vincent
4fa4b83484 format: fix md
2023-09-19 18:38:48 +02:00
vincent
a9da5949e2 create dedicated lan zone in dns
2023-09-19 18:33:27 +02:00
vincent
7fb16ee116 move to heztner DNS
2023-09-17 19:47:14 +02:00
vincent
b4e76f9325 perfs: decrease jellyfin priority 2023-09-14 20:27:06 +02:00
vincent
989453a16a prometheus: add nomadbatch error alert 2023-09-14 20:26:16 +02:00
vincent
29a6f1ae1a perf paperless: decrease redis memoris
2023-09-04 18:53:11 +02:00
vincent
7929ae75e7 add ghostfolio service 2023-09-04 18:52:49 +02:00
vincent
54d298dbcf change jellyfin-vue icon
2023-08-30 20:54:47 +02:00
vincent
27847f256b add vault snapshot
2023-08-27 17:06:45 +02:00
vincent
42dbb13323 feat vault storage right for admin 2023-08-27 15:40:38 +02:00
vincent
295e45e5f8 wireguard on staging
2023-08-27 11:35:56 +02:00
vincent
0951fbb6c7 clean old host entry 2023-08-27 11:35:28 +02:00
vincent
1c4ae9b1e2 vault migration plan 2023-08-26 17:31:50 +02:00
vincent
a47ee8f846 create vault migration config 2023-08-26 17:31:30 +02:00
vincent
ddf50d4837 create new vault snapshot policy 2023-08-26 17:31:08 +02:00
vincent
efa707dea0 exclude VPS from vault 2023-08-26 17:30:41 +02:00
vincent
0d983dd085 docs: create vault backend ADR 2023-08-25 17:34:50 +02:00
vincent
1606797e71 style: yaml formatting
2023-08-25 14:12:38 +02:00
vincent
8e30abd428 docs: add vagrant docs 2023-08-25 14:12:22 +02:00
vincent
d72f6d540e fix: add python interpreter variable
2023-08-25 13:56:18 +02:00
vincent
353bb70e85 chore: configure domain to lib virtd network 2023-08-25 13:56:18 +02:00
vincent
9e11793375 refactor: clean molecule file 2023-08-25 13:56:18 +02:00
vincent
5f4c8aafbf chore: force vagrant destroy 2023-08-25 13:56:18 +02:00
vincent
8bfb3a1361 create vagrant file and adapt process 2023-08-25 13:56:18 +02:00
vincent
071ac98956 fix vault: lowercase in drone secret path
2023-08-25 13:55:16 +02:00
vincent
3ac0213417 fix vault: modify ansible policy 2023-08-25 10:14:29 +02:00
vincent
0538343169 migration: vagrant as molecule provider
2023-08-24 18:37:20 +02:00
vincent
3487f79ec2 fix: ntfs mounting 2023-08-19 09:36:27 +02:00
vincent
d9b6525812 increase paperless memory 2023-08-17 10:06:28 +02:00
vincent
1bee6ee326 change gerard network interface name 2023-08-17 10:06:07 +02:00
vincent
85106ce630 update paperless allowed host 2023-05-22 08:56:52 +02:00
vincent
88d6055da9 change phone key 2023-05-22 08:56:30 +02:00
vincent
2470faf2c7 feat: review prometheus label 2023-04-26 20:35:09 +02:00
vincent
d3a1b4178c oscar is dead
2023-04-16 19:27:26 +02:00
vincent
c254799d4a test supysonic ldap 2023-04-16 19:27:05 +02:00
vincent
c13a264105 perf: increase memory for postgres backup 2023-04-16 19:26:42 +02:00
vincent
f7d77d61cc fix: add DNS to promtail job
2023-02-25 10:23:59 +01:00
vincent
76dfa1c0de feat disable IPv6 on all device
2023-02-25 09:58:26 +01:00
vincent
ebfcc02ae5 fix: dns issue on corwin wireguard
2023-02-06 19:30:33 +01:00
vincent
d8ec201e92 fix supysonic: switch to fix version 2023-01-28 11:10:33 +01:00
vincent
cba82f9183 style: linting playbook 2023-01-15 16:59:36 +01:00
vincent
dfc5eb566b feat: enable sssd on VPS 2023-01-15 16:22:48 +01:00
vincent
f8a19d3e65 feat: move user task in dedicated playbook and role 2023-01-15 16:22:32 +01:00
vincent
b00763ddce fix stagging: change nomad & consul bootstrap number 2023-01-10 18:16:16 +01:00
vincent
5337092bee feat: disable IPV6 on homelab 2022-12-31 09:48:55 +01:00
vincent
825f93dd7f chore traefick: add acceslog
2022-12-18 12:25:11 +01:00
vincent
e8ef99aaa9 feat: enable wol config
2022-12-10 20:27:45 +01:00
vincent
34083cbed9 perf: set nomad priority 2022-12-10 17:10:32 +01:00
vincent
7b9c34c567 fix crowdsec-agent: error on start try to create user 2022-12-10 17:09:19 +01:00
vincent
b8b2db7632 fix seedboxsync: correct image name
2022-12-06 19:13:46 +01:00
vincent
ab74166a49 fix pihole: issue when query local pihole host 2022-12-05 21:56:04 +01:00
vincent
feec56e12d perf vikunja: increase memory
2022-12-04 10:32:37 +01:00
vincent
af6f627250 fix syncthing: add constraint amd64
2022-12-04 09:59:59 +01:00
vincent
45707d5b2b fix gitea: webhook timeout 2022-12-04 09:36:50 +01:00
vincent
53eaf5254d style: lint markdown
All checks were successful
continuous-integration/drone/push Build is passing
2022-11-29 22:08:34 +01:00
vincent
bcddfe7dd3 CI: add markdown lint config
Some checks failed
continuous-integration/drone Build is failing
continuous-integration/drone/push Build is failing
2022-11-29 21:25:38 +01:00
vincent
5f105ae8e9 style: fix yaml
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 21:23:44 +01:00
vincent
69c5e14b47 CI: Add yamllint config file 2022-11-29 21:11:00 +01:00
vincent
8ddc3113f4 feat vault: add lease right in policy
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 21:08:13 +01:00
vincent
905d8fecd5 fix drone: move approle in tempalte
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 21:03:12 +01:00
vincent
0f15912367 fix vault: change upercase in policy
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone Build is failing
2022-11-29 20:29:30 +01:00
vincent
93edd48b81 fix vault: put correct policy
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 20:25:32 +01:00
vincent
18e4596e72 fix: add data to vault sevret path
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 20:09:13 +01:00
vincent
e8477f77ae fix drone: add mappind to 3000 on vault-drone
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 20:05:11 +01:00
vincent
6e966077a1 CI: switch to vault secret
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 19:54:44 +01:00
vincent
d9719a0077 refactor vault: dedicated teraform file
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 19:02:29 +01:00
vincent
0ecb686bfc feat: add secretID automaticaly in KV for DroneCI
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-29 18:10:25 +01:00
vincent
510e1f14cb feat: remove token variable 2022-11-29 18:04:09 +01:00
vincent
545d426bd3 feat: vault secret in droneCI
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-27 15:25:26 +01:00
vincent
fc7407300b feat: change DNS in DHCP
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-27 11:36:23 +01:00
vincent
5d55feab96 perf: increase memry on vikunja 2022-11-27 11:10:31 +01:00
vincent
1e42376ed4 feat: add floating IP to pihole 2022-11-27 11:09:59 +01:00
vincent
2c770c0163 feat: add docker caps variable
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-27 09:31:41 +01:00
vincent
a7b590626f add contraint x64 2022-11-26 21:04:51 +01:00
vincent
83bd59ef03 change port env 2022-11-26 21:04:33 +01:00
vincent
af70c6d368 perf: switch bootestrap expect to 3 2022-11-26 10:00:24 +01:00
vincent
0b082b7377 force build
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-21 23:02:30 +01:00
vincent
af9309621c modify makefile
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-21 22:59:26 +01:00
vincent
633cc6bbd5 drone: fix option site-dir
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-21 22:53:15 +01:00
vincent
06b9151c77 drone:add drone file
Some checks failed
continuous-integration/drone Build is failing
2022-11-21 22:50:24 +01:00
vincent
37e755978f docs: add a new job 2022-11-21 22:40:21 +01:00
vincent
c86a618ee1 vikunja: init job 2022-11-21 22:28:41 +01:00
vincent
c2eacbd13f prometheus: relabel instance for hass 2022-11-21 20:33:35 +01:00
vincent
93399e0b8f prometheus: add X86 constraint 2022-11-21 20:33:18 +01:00
vincent
b55a41a338 add staging group 2022-11-21 19:42:17 +01:00
vincent
6cac635294 cleanup old varaible 2022-11-21 19:41:52 +01:00
vincent
c412854050 seedboxsync: switch lftp to rsync 2022-11-21 19:41:03 +01:00
vincent
50935ae052 remove merlin 2022-11-13 17:22:37 +01:00
vincent
658de35b0d update readme 2022-11-13 17:19:21 +01:00
vincent
0596832337 remove adherence to oscar 2022-11-13 17:01:03 +01:00
vincent
1880303b43 add bleys variable 2022-11-13 16:42:22 +01:00
vincent
eeff68a02c add bley to inventory 2022-11-13 16:41:56 +01:00
vincent
edfa7eacd8 add nomad plugin podman to corwin 2022-11-13 16:41:41 +01:00
vincent
0fd5535833 add bleys to dhcp 2022-11-13 16:41:14 +01:00
vincent
6d41655e0a change wireguard domaine to only redirect local domain on dns 2022-11-13 14:49:13 +01:00
vincent
05d0055210 change arch mirror path 2022-11-13 14:48:27 +01:00
vincent
550c0b8ec0 switch rutorrent to podman for rocky 9 bug 2022-11-13 10:12:11 +01:00
vincent
b33438b434 add ansible key 2022-11-11 20:51:05 +01:00
vincent
58d55cb486 wireguard on top of playbook 2022-11-11 17:47:28 +01:00
vincent
c3bbaf6cfc become create profile 2022-11-11 17:47:00 +01:00
vincent
4ed00fdb74 remove bootstrap default login option 2022-11-11 17:46:33 +01:00
vincent
88cf62f45e clean VPS mount 2022-11-11 17:46:03 +01:00
vincent
a68543aeca complete corwin vars 2022-11-11 17:45:46 +01:00
vincent
aed8122aba dedicated ansible user and dedicated sssd playbook 2022-11-06 19:14:27 +01:00
vincent
9fe27b845c vault standalone script generate a root keys 2022-11-06 17:08:46 +01:00
vincent
515e14367b docs: complete readme 2022-11-01 20:41:45 +01:00
vincent
d8e2e5b822 custom makefile 2022-11-01 20:41:27 +01:00
vincent
15f4dd762b remove stagging from wireguard 2022-11-01 20:41:00 +01:00
vincent
902671515f finish molecule configuration 2022-11-01 20:40:42 +01:00
vincent
3ce2f9327a fix database variable issue 2022-11-01 20:39:25 +01:00
vincent
97ec6e30c2 group_vars: rationalize 2022-11-01 18:04:18 +01:00
vincent
10af2e4848 add doc to makefile 2022-11-01 10:50:10 +01:00
vincent
1046d63037 modify docs 2022-11-01 10:49:56 +01:00
vincent
7bd66ecdad add bootstrap-dev docs 2022-11-01 10:45:58 +01:00
vincent
cd66acfa7e add dev-environement ADR 2022-11-01 10:45:21 +01:00
vincent
c5ff235b97 terraform: update vault plugins 2022-10-30 21:50:34 +01:00
vincent
d65eb1a6f3 init dev env with molecule 2022-10-30 18:18:58 +01:00
vincent
4b2fc3b11d remove access-table policy 2022-10-30 12:15:52 +01:00
vincent
bb1bb51b4a vault policy segmentation 2022-10-30 12:15:52 +01:00
vincent
a3abcb41a3 formatting 2022-10-29 10:40:01 +02:00
vincent
732d4b458d add postgress backup job 2022-10-29 10:39:47 +02:00
vincent
9c02f03cac add ansible-lint 2022-10-23 18:49:05 +02:00
vincent
0d25b5d03d custom seed sync job 2022-10-23 17:32:01 +02:00
vincent
262c97168b add dump user 2022-10-23 17:31:08 +02:00
vincent
e9361a6c90 switch datacenter 2022-10-17 21:44:55 +02:00
vincent
a0c899eb13 decom job 2022-10-17 21:44:31 +02:00
vincent
57ecdbadc2 README alias 2022-10-16 15:10:38 +02:00
vincent
ec24a076f9 init mkdocs config 2022-10-16 11:09:02 +02:00
vincent
ed4752f059 add DHCP in flowchart 2022-10-16 10:13:42 +02:00
vincent
91b23e0c0b add DNS architecture doc 2022-10-16 10:03:28 +02:00
vincent
a87120ac1f ignore ssh key change for server 2022-10-15 13:23:31 +02:00
vincent
5b09a5806e change template password change mod 2022-10-15 10:50:21 +02:00
vincent
4151190d71 Mise à jour de 'Readme.md' 2022-10-14 14:02:31 +00:00
vincent
03950f61ef update arch 2022-10-14 12:23:29 +00:00
vincent
7954e0ca79 update terraform provider 2022-10-14 13:08:58 +02:00
vincent
89cec17224 change datacenter 2022-10-14 13:08:10 +02:00
vincent
f79f326479 change wireguard perssistant time 2022-10-14 12:52:34 +02:00
vincent
72a0539844 change memory repartition 2022-10-13 22:13:50 +02:00
vincent
66b6c1c0d5 add synchro seedbox 2022-10-12 21:18:43 +02:00
vincent
5e7bd9eb06 put private IP 2022-10-10 21:23:22 +02:00
vincent
85a02032f8 add default rules 2022-10-10 21:22:57 +02:00
vincent
6882646740 fix rutorrent config wrong location 2022-10-10 21:22:42 +02:00
vincent
f8a0ec9a49 update firewall 2022-10-08 09:12:41 +02:00
vincent
c174d8fb72 update IP 2022-10-08 08:52:22 +02:00
vincent
a30d9d112d add hass metrics to prometeus 2022-10-08 08:52:09 +02:00
vincent
2221784cb1 remove second server 2022-10-07 15:04:10 +02:00
vincent
65d34f708b fix dns issue on merlin wireguaard 2022-09-21 20:31:08 +02:00
vincent
9b0b4954b2 add 64bit contrainst to ttrss 2022-09-18 14:50:21 +02:00
vincent
7f9c734981 add MQTT job 2022-09-18 14:49:42 +02:00
vincent
6ee2ec0ecd decom deconz job 2022-09-18 14:49:25 +02:00
vincent
ff9f930747 add ws port 2022-09-18 14:48:52 +02:00
vincent
29c395395e add alert nomad job queue 2022-09-18 14:48:28 +02:00
vincent
24ae45a3fd roll over ttrss on homelab 2022-09-13 21:21:04 +02:00
vincent
15dc6226c5 Merge branch 'retour' 2022-09-13 20:43:38 +02:00
vincent
237262d7d1 add option to auth with underprivilege account 2022-09-13 20:35:56 +02:00
vincent
3db0616a17 provisionning dedicated role without call site playbook 2022-09-13 19:50:33 +02:00
vincent
17a019d1c2 remove database role from merlin 2022-09-13 19:49:37 +02:00
vincent
4dc30ddf20 fixe wireguard issue and custome allowed ips 2022-09-13 19:49:37 +02:00
vincent
688c4166cc fix gerard wireguard address 2022-09-13 14:38:38 +02:00
vincent
6189c3c40c improve jellyfin memory 2022-09-09 18:57:14 +02:00
vincent
267746a5d6 fix ssh issue traefick 2022-09-09 18:53:54 +02:00
vincent
94045dc3ff add ssh entrypoint 2022-09-09 17:50:28 +02:00
vincent
29f574c6fe wiregard on gerard and database on merlin 2022-09-09 17:33:35 +02:00
vincent
2def4bb733 switch main service on hetner 2022-09-09 17:19:07 +02:00
238 changed files with 9801 additions and 2577 deletions

66
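--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,66 @@
+---
+kind: pipeline
+type: docker
+name: lint
+steps:
+- name: yaml linting
+image: pipelinecomponents/yamllint
+commands:
+- yamllint .
+- name: markdown linting
+image: 06kellyjac/markdownlint-cli
+commands:
+- markdownlint . --config .markdownlint.yaml
+---
+kind: pipeline
+type: docker
+name: test build
+steps:
+- name: build
+image: squidfunk/mkdocs-material
+commands:
+- mkdocs build --clean --strict --verbose --site-dir build
+trigger:
+event:
+exclude:
+- push
+---
+kind: pipeline
+type: docker
+name: deploy
+steps:
+- name: build
+image: squidfunk/mkdocs-material
+commands:
+- mkdocs build --clean --strict --verbose --site-dir homelab
+- name: deploy
+image: appleboy/drone-scp
+when:
+status:
+- success
+settings:
+host: www.service.consul
+user: drone-deploy
+overwrite: true
+key:
+from_secret: dronePrivateKey
+target: /srv/http
+source: homelab
+trigger:
+branch:
+- master
+event:
+- push
+---
+kind: secret
+name: dronePrivateKey
+get:
+path: secrets/data/droneci/keyRSA
+name: dronePrivateKey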
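Review bot: The `deploy` pipeline has no `depends_on`, so a push to master uploads the site even when the `lint` pipeline fails; add `depends_on:` / `- lint` to the deploy pipeline (the `test build` pipeline is excluded on push and cannot gate it either). Every step pulls an unpinned image (`pipelinecomponents/yamllint`, `06kellyjac/markdownlint-cli`, `squidfunk/mkdocs-material`, `appleboy/drone-scp`), and the scp step hands the `dronePrivateKey` secret to whatever `latest` resolves to at run time — pin at least `appleboy/drone-scp` to a tag or an `@sha256:` digest. With `overwrite: true` into `/srv/http` as `drone-deploy`, a poisoned build image can replace whatever that user may write under the web root, so keep the account's write access limited to the `homelab` subtree.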

3
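--- a/.gitignore
+++ b/.gitignore
@@ -35,4 +35,7 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+site
+.vagrant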

10
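--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@@ -0,0 +1,10 @@
+---
+# Default state for all rules
+default: true
+MD009:
+strict: false
+MD013: false
+MD033: false
+MD024: false
+MD041: false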

33
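--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+rules:
+braces:
+max-spaces-inside: 1
+level: error
+brackets:
+max-spaces-inside: 1
+level: error
+colons:
+max-spaces-after: -1
+level: error
+commas:
+max-spaces-after: -1
+level: error
+comments: disable
+comments-indentation: disable
+document-start: disable
+empty-lines:
+max: 3
+level: error
+hyphens:
+level: error
+indentation: disable
+key-duplicates: enable
+line-length: disable
+new-line-at-end-of-file: disable
+new-lines:
+type: unix
+trailing-spaces: disable
+truthy: disable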

48
README.md Normal file

@ -0,0 +1,48 @@
# Homelab
This repository contain my homelab Infrastructure As Code
this Homelab is build over Hashicorp software stack:
- Nomad
- Consul
- Vault
## Dev
dev stack is build over vagrant box with libvirt provider
curently need to have vault and ldap production up to be correctly provision
to launch dev stack provissionning :
```sh
make create-dev
```
## Rebuild
## Architecture
```mermaid
flowchart LR
subgraph Home
bleys[bleys]
oscar[oscar]
gerard[gerard]
LAN
NAS
end
subgraph Cloud
corwin[corwin]
end
LAN--main road--ooscar
LAN --- bleys
LAN --- gerard
LAN --- NAS
bleys <--wireguard--> corwin
oscar <--wiregard--> corwin
gerard <--wiregard--> corwin
corwin <--> internet
```


@ -1,11 +0,0 @@
# homelab
## rebuild
to rebuild from scratch ansible need a vault server up and unseal
you can rebuild a standalone vault srver with a consul database snaphot with
```
make vault-dev FILE=./yourconsulsnaphot.snap
```

105
Vagrantfile vendored Normal file

@ -0,0 +1,105 @@
Vagrant.configure('2') do |config|
if Vagrant.has_plugin?('vagrant-cachier')
config.cache.scope = 'machine'
config.cache.enable :pacman
end
config.vm.provider :libvirt do |libvirt|
libvirt.management_network_domain = "lan.ducamps.dev"
end
config.vm.define "oscar-dev" do |c|
# Box definition
c.vm.box = "archlinux/archlinux"
# Config options
c.vm.synced_folder ".", "/vagrant", disabled: true
c.ssh.insert_key = true
c.vm.hostname = "oscar-dev"
# Network
# instance_raw_config_args
# Provider
c.vm.provider "libvirt" do |libvirt, override|
libvirt.memory = 2048
libvirt.cpus = 2
end
c.vm.provision "ansible" do |bootstrap|
bootstrap.playbook= "ansible/playbooks/bootstrap.yml"
bootstrap.galaxy_roles_path= "ansible/roles"
bootstrap.limit="oscar-dev"
bootstrap.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" }
end
end
config.vm.define "merlin-dev" do |c|
# Box definition
c.vm.box = "archlinux/archlinux"
# Config options
c.vm.synced_folder ".", "/vagrant", disabled: true
c.ssh.insert_key = true
c.vm.hostname = "merlin-dev"
# Network
# instance_raw_config_args
# Provider
c.vm.provider "libvirt" do |libvirt, override|
libvirt.memory = 512
libvirt.cpus = 2
end
c.vm.provision "ansible" do |bootstrap|
bootstrap.playbook= "ansible/playbooks/bootstrap.yml"
bootstrap.galaxy_roles_path= "ansible/roles"
bootstrap.limit="merlin-dev"
bootstrap.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" }
end
end
config.vm.define "gerard-dev" do |c|
# Box definition
c.vm.box = "archlinux/archlinux"
# Config options
c.vm.synced_folder ".", "/vagrant", disabled: true
c.ssh.insert_key = true
c.vm.hostname = "gerard-dev"
# Network
# instance_raw_config_args
# Provider
c.vm.provider "libvirt" do |libvirt, override|
libvirt.memory = 2048
libvirt.cpus = 2
end
c.vm.provision "ansible" do |bootstrap|
bootstrap.playbook= "ansible/playbooks/bootstrap.yml"
bootstrap.galaxy_roles_path= "ansible/roles"
bootstrap.limit="gerard-dev"
bootstrap.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" }
end
end
config.vm.define "nas-dev" do |c|
# Box definition
c.vm.box = "archlinux/archlinux"
# Config options
c.vm.synced_folder ".", "/vagrant", disabled: true
c.ssh.insert_key = true
c.vm.hostname = "nas-dev"
# Network
# instance_raw_config_args
# Provider
c.vm.provider "libvirt" do |libvirt, override|
libvirt.memory = 2048
libvirt.cpus = 2
end
c.vm.provision "ansible" do |bootstrap|
bootstrap.playbook= "ansible/playbooks/bootstrap.yml"
bootstrap.galaxy_roles_path= "ansible/roles"
bootstrap.limit="nas-dev"
bootstrap.extra_vars = { ansible_python_interpreter:"/usr/bin/python3" }
end
end
end
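Review bot: The four `config.vm.define` blocks are identical except for the machine name and `libvirt.memory`, so every future tweak (box, cpus, provisioner options) has to be repeated four times and will drift; a name-to-memory hash iterated with `each` keeps one definition. Per the README in this same change, these boxes are bootstrapped against the production Vault and LDAP, so a broken dev run provisions real secrets onto throwaway VMs — worth a comment at the top of the file until a dev Vault exists. Proposed shape below; the provisioner settings other than `limit` are unchanged.
```ruby
VMS = {
  "oscar-dev"  => 2048,
  "merlin-dev" => 512,
  "gerard-dev" => 2048,
  "nas-dev"    => 2048,
}

VMS.each do |name, memory|
  config.vm.define name do |c|
    c.vm.box = "archlinux/archlinux"
    c.vm.synced_folder ".", "/vagrant", disabled: true
    c.ssh.insert_key = true
    c.vm.hostname = name
    c.vm.provider "libvirt" do |libvirt, override|
      libvirt.memory = memory
      libvirt.cpus = 2
    end
    c.vm.provision "ansible" do |bootstrap|
      # … unchanged: playbook, galaxy_roles_path, extra_vars …
      bootstrap.limit = name
    end
  end
end
```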

2
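--- a/ansible/.ansible-lint
+++ b/ansible/.ansible-lint
@@ -0,0 +1,2 @@
+skip_list:
+- 'fcqn-builtins'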
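Review bot: The skipped rule id is misspelled: ansible-lint's rule is `fqcn-builtins` (newer releases report it as `fqcn[action-core]`), so `- 'fcqn-builtins'` skips nothing and every non-FQCN builtin module call is still flagged — or, depending on the version, the unknown id itself is reported. Change it to `- 'fqcn-builtins'`, or better drop the skip and use fully qualified names, since the rule exists to catch collection-name collisions. A `warn_list` entry is the softer option if the lint pipeline has to stay green during the migration.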


@ -99,7 +99,7 @@ host_key_checking = False
#sudo_flags = -H -S -n #sudo_flags = -H -S -n
# SSH timeout # SSH timeout
#timeout = 10 timeout = 30
# default user to use for playbooks if user is not specified # default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default) # (/usr/bin/ansible will use current user as default)
@ -136,7 +136,7 @@ host_key_checking = False
# If set, configures the path to the Vault password file as an alternative to # If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line. # specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file vault_password_file = ./misc/vault-keyring-client.sh
# format of string {{ ansible_managed }} available within Jinja2 # format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced. # templates indicates to users editing templates files will be replaced.
@ -275,7 +275,7 @@ retry_files_enabled = False
# turn this on to have behaviour more like Ansible prior to 2.1.x. See # turn this on to have behaviour more like Ansible prior to 2.1.x. See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user # https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option. # for more secure ways to fix this than enabling this option.
#allow_world_readable_tmpfiles = False allow_world_readable_tmpfiles = True
# controls the compression level of variables sent to # controls the compression level of variables sent to
# worker processes. At the default of 0, no compression # worker processes. At the default of 0, no compression
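Review bot: `allow_world_readable_tmpfiles = True` makes each module file and its argument blob world-readable in the remote temp directory while a task runs under `become` to an unprivileged user, and those arguments include whatever the `hashi_vault` lookups in group_vars resolve to (LDAP bind and SMB passwords, private keys), so any local account on the target can read them in that window. The comment directly above the line points at the safer fixes: set `pipelining = True` so most modules never touch disk, or provide `setfacl` on the targets, and leave this option at its default. `host_key_checking = False` in the hunk context predates this change but compounds it, since the control node will push those same secrets to any host answering on the address; a `known_hosts` managed by the inventory would close that. The rest of this file is outside the view.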

24
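--- a/ansible/group_vars/DNS
+++ b/ansible/group_vars/DNS
@@ -0,0 +1,24 @@
+pdns_config:
+local-address: "127.0.0.1"
+local-port: "5300"
+api: yes
+api-key:
+pdns_backends:
+gsqlite3:
+dnssec: yes
+database: "/var/lib/powerdns/powerdns.sqlite"
+pdns_sqlite_databases_locations:
+- "/var/lib/powerdns/powerdns.sqlite"
+pdns_rec_config:
+forward-zones:
+- "{{ consul_domain }}=127.0.0.1:8600"
+- "ducamps.win=192.168.1.10"
+- "{{ domain.name }}=192.168.1.5"
+- "lan.{{ domain.name }}=192.168.1.5"
+- "1.168.192.in-addr.arpa=192.168.1.5:5300"
+local-address: "{{ hostvars[inventory_hostname]['ansible_'+ default_interface].ipv4.address|default(ansible_default_ipv4.address) }}"
+dnssec: "off"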
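Review bot: `api: yes` turns on the PowerDNS REST API while `api-key:` is left empty; depending on the pdns version that either disables the API with a startup warning or leaves it rejecting every request, and in both cases the key belongs in Vault like the other secrets in these group_vars (`api-key: "{{ lookup('hashi_vault', ...) }}"`) rather than an empty literal — unless a host_vars or vault file not in this view fills it in, in which case a comment saying so would help. The recursor sets `dnssec: "off"`, so answers forwarded from the signed `gsqlite3` zone (`dnssec: yes`) and from upstream are never validated; if validation is the intent, `dnssec: "validate"` is the recursor setting. The forward for `1.168.192.in-addr.arpa` goes to `192.168.1.5:5300` while the authoritative server binds `127.0.0.1` only, which only works when both run on that host — worth stating in a comment.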


@ -0,0 +1,90 @@
NAS_nomad_folder:
- name: actualbudget
- name: archiso
owner: 1000001
- name: backup
owner: 1000001
- name: borgmatic
- name: crowdsec
owner: 1000001
- name: dms
owner: 1000001
- name: filestash
owner: 1000
- name: gitea
owner: 1000000
- name: grafana
owner: 472
- name: hass
owner: 1000001
- name: homer
owner: 1000001
- name: immich/cache
- name: immich/upload
- name: jellyfin
owner: 1000001
- name: loki
owner: 10001
- name: mealie
owner: 1000001
- name: mosquito
owner: 1883
- name: pacoloco
owner: 1000001
- name: pdns-auth
owner: 1000001
- name: pdns-admin
owner: 1000001
- name: pihole
owner: 999
- name: prometheus
owner: 65534
- name: prowlarr
owner: 1000001
- name: radicale
owner: 1000001
- name: openldap
owner: 1001
- name: registry/ghcr
- name: registry/docker
- name: syncthing
owner: 1000001
- name: traefik
owner: 1000001
- name: tt-rss
owner: 1000001
- name: vaultwarden
owner: 1000001
- name: zigbee2mqtt
owner: 1000001
nas_bind_target: "/exports"
nas_bind_source:
- dest: "{{ nas_bind_target }}/nomad"
source: /data/data1/nomad
- dest: "{{ nas_bind_target }}/music"
source: /data/data1/music
- dest: "{{ nas_bind_target }}/download"
source: /data/data1/download
- dest: "{{ nas_bind_target }}/media/serie"
source: /data/data2/serie
- dest: "{{ nas_bind_target }}/media/film"
source: /data/data3/film
- dest: "{{ nas_bind_target }}/photo"
source: /data/data1/photo
- dest: "{{ nas_bind_target }}/homes"
source: /data/data1/homes
- dest: "{{ nas_bind_target }}/ebook"
source: /data/data1/ebook
- dest: "{{ nas_bind_target }}/media/download/serie"
source: /data/data1/download/serie
- dest: "{{ nas_bind_target }}/media/download/film"
source: /data/data1/download/film
- dest: "{{ nas_bind_target }}/music/download/"
source: /data/data1/download/music


@ -0,0 +1 @@
vsftpd_config: {}


@ -0,0 +1,15 @@
nfs_cluster_list: "{% for server in groups['all']%} {% if hostvars[server]['ansible_default_ipv4']['address'] is defined %} {{hostvars[server]['ansible_' + hostvars[server]['nfs_iface']|default('')].ipv4.address|default(hostvars[server]['ansible_default_ipv4']['address'],true)}}{{ nfs_options }} {% endif %} {%endfor%}"
nfs_options: "(rw,no_root_squash,crossmnt,async,insecure_locks,sec=sys)"
nfs_consul_service: true
nfs_bind_target: "/exports"
nfs_exports:
- "{{ nas_bind_target }} *(fsid=0,insecure,no_subtree_check)"
- "{{ nas_bind_target }}/nomad {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "{{ nas_bind_target }}/download {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "{{ nas_bind_target }}/music {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "{{ nas_bind_target }}/media {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "{{ nas_bind_target }}/photo {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "{{ nas_bind_target }}/homes {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"
- "{{ nas_bind_target }}/ebook {{nfs_cluster_list}} 172.17.0.0/16{{ nfs_options }}"


@ -0,0 +1 @@
nomad_node_class: 'NAS'


@ -0,0 +1,25 @@
samba_passdb_backend: tdbsam
samba_shares_root: /exports
samba_shares:
- name: media
comment: "media"
write_list: "@NAS_media"
browseable: true
- name: ebook
comment: "ebook"
write_list: "@NAS_ebook"
browseable: true
- name: music
comment: "music"
write_list: "@NAS_music"
browseable: true
- name: photo
comment: "photo"
write_list: "@NAS_photo"
browseable: true
- name: download
comment: "downlaod"
write_list: "@NAS_download"
browseable: true
samba_load_homes: True
samba_homes_include: samba_homes_include.conf
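Review bot: Each share sets only `write_list`; nothing limits who may read (`valid_users`/`read list`), so with Samba's default `read only = yes` every account in the `tdbsam` backend can browse all five shares, which is plausible for `media` but less obviously intended for `photo`, `homes`-adjacent data and `download`. Add a per-share `valid_users: "@NAS_<share>"` if the role exposes it, or a comment stating that read-everything is deliberate. `comment: "downlaod"` is a typo that clients will see in the share list.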


@ -1,24 +0,0 @@
system_upgrade: true
nginx_error_log: "/var/log/nginx/error.log debug"
hosts_entries:
- name: ducamps.win
ip: 127.0.0.1
aliases:
- arch.ducamps.win
- www.ducamps.win
- file.ducamps.win
- supysonic.ducamps.win
- syno.ducamps.win
- vault.ducamps.win
- ww.ducamps.win
- hass.ducamps.win
- git.ducamps.win
consul_bootstrap_expect: 1
nomad_bootstrap_expect: 1
nomad_datacenter: hml
consul_server: False
nomad_server: False
consul_retry_join_force:
- 192.168.1.40


@ -1,99 +0,0 @@
# defaults file for ansible-arch-provissionning
partition_table:
- device: "/dev/sda"
label: gpt
settings:
- number: 1
part_end: 64MB
flags: [boot, esp]
fstype: vfat
format: yes
- number: 2
part_start: 512MB
part_end: 1524MB
flags: []
fstype: swap
format: yes
- number: 3
part_start: 1524MB
flags: [lvm]
fstype: ext4
format: yes
#- device: "/dev/sdb"
#settings:
#- number: 1
#name: home
#fstype: ext4
#format:
mount_table:
- device: "/dev/sda"
settings:
- number: 3
mountpath: /mnt
fstype: ext4
- number: 1
mountpath: /mnt/boot
fstype: vfat
#need vfat boot partition with esp label
provissionning_UEFI_Enable: True
sssd_configure: False
nomad_datacenter: hetzner
systemd_mounts:
diskstation_nomad:
share: diskstation.ducamps.win:/volume2/nomad
mount: /mnt/diskstation/nomad
type: nfs
options:
- " "
automount: true
hetzner_storage:
share: //u304977.your-storagebox.de/backup
mount: /mnt/hetzner/storagebox
type: cifs
options:
- credentials=/etc/creds/hetzner_credentials
- uid= 1024
- gid= 10
- vers=3.0
- mfsymlinks
automount: true
diskstation_git:
share: diskstation.ducamps.win:/volume2/git
mount: /mnt/diskstation/git
type: nfs
options:
- " "
automount: true
diskstation_CardDav:
share: diskstation.ducamps.win:/volume2/CardDav
mount: /mnt/diskstation/CardDav
type: nfs
options:
- " "
automount: true
diskstation_music:
share: diskstation.ducamps.win:/volume2/music
mount: /mnt/diskstation/music
type: nfs
options:
- " "
automount: true
credentials_files:
1:
type: smb
path: /etc/creds/hetzner_credentials
username: u304977
password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:hetzner') }}"
systemd_mounts_enabled:
- diskstation_nomad
- hetzner_storage
- diskstation_git
- diskstation_music
- diskstation_CardDav


@ -0,0 +1,45 @@
# defaults file for ansible-arch-provissionning
partition_table:
- device: "/dev/sda"
label: gpt
settings:
- number: 1
part_end: 64MB
flags: [boot, esp]
fstype: vfat
format: yes
- number: 2
part_start: 512MB
part_end: 1524MB
flags: []
fstype: swap
format: yes
- number: 3
part_start: 1524MB
flags: [lvm]
fstype: ext4
format: yes
#- device: "/dev/sdb"
#settings:
#- number: 1
#name: home
#fstype: ext4
#format:
mount_table:
- device: "/dev/sda"
settings:
- number: 3
mountpath: /mnt
fstype: ext4
- number: 1
mountpath: /mnt/boot
fstype: vfat
#need vfat boot partition with esp label
provissionning_UEFI_Enable: True
#sssd_configure: False
nomad_datacenter: hetzner
consul_server: False
nomad_server: False


@ -0,0 +1,28 @@
systemd_mounts:
diskstation_nomad:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/nomad"
mount: /mnt/diskstation/nomad
type: nfs
options:
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
hetzner_storage:
share: //u304977.your-storagebox.de/backup
mount: /mnt/hetzner/storagebox
type: cifs
options:
- credentials=/etc/creds/hetzner_credentials
- uid=100001
- gid=10
- vers=3.0
- mfsymlinks
automount: "{{ env_automount }}"
enabled: true
credentials_files:
1:
type: smb
path: /etc/creds/hetzner_credentials
username: u304977
password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:hetzner') }}"
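Review bot: The storage-box password pulled from Vault is written to `/etc/creds/hetzner_credentials`, but the `credentials_files` entry sets no owner or mode; unless the role defaults to root-owned `0600` (not visible here), every local user on the host can read the CIFS credentials. Verify the role's default or set it explicitly on this entry, and note it in a comment so the next reader does not have to check the role. The `diskstation_nomad` NFS mount uses `vers=4` with no `sec=`, i.e. AUTH_SYS, which is what makes the NAS-side `no_root_squash` export trust this client's uid claims — fine over WireGuard, but worth stating next to the mount.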


@ -0,0 +1,12 @@
$ANSIBLE_VAULT;1.1;AES256
31303539336464336239376636623862303066336438383739356163616431643366386565366361
3264336232303135336334333663326234393832343235640a313638323963666631353836373531
61636261623662396330653135326238363630363938323166303861313563393063386161393238
3231336232663533640a333763643864363939336566333731353031313739616633623537386435
39613934663133613733356433616162363430616439623830663837343530623937656434366663
33656466396263616132356337326236383761363834663363643163343231366563333865656433
39316365663734653734363362363539623636666261333534313935343566646166316233623535
32323831626463656337313266343634303830633936396232663966373264313762346235646665
61333139363039363436393962666365336334663164306230393433636664623934343039323637
33383036323233646237343031633030353330633734353232343633623864333834646239346362
643634303135656333646235343366636361


@ -0,0 +1,45 @@
# defaults file for ansible-arch-provissionning
partition_table:
- device: "/dev/sda"
label: gpt
settings:
- number: 1
part_end: 64MB
flags: [boot, esp]
fstype: vfat
format: yes
- number: 2
part_start: 512MB
part_end: 1524MB
flags: []
fstype: swap
format: yes
- number: 3
part_start: 1524MB
flags: [lvm]
fstype: ext4
format: yes
#- device: "/dev/sdb"
#settings:
#- number: 1
#name: home
#fstype: ext4
#format:
mount_table:
- device: "/dev/sda"
settings:
- number: 3
mountpath: /mnt
fstype: ext4
- number: 1
mountpath: /mnt/boot
fstype: vfat
#need vfat boot partition with esp label
provissionning_UEFI_Enable: True
#sssd_configure: False
nomad_datacenter: hetzner
consul_server: False
nomad_server: False


@ -1,20 +1,7 @@
##ansible_python_interpreter: /usr/bin/python2 ansible_python_interpreter: /usr/bin/python3
user:
name: vincent
uid: 1024
mail: vincent@ducamps.win
domain:
name: ducamps.win
hass_public_key: ssh-rsa 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 hass_public_key: ssh-rsa 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
system_arch_local_mirror: "https://arch.{{domain.name}}/repo/archlinux_$arch"
system_arch_local_mirror: "https://arch.{{domain.name}}" system_sudoers_group: "serverAdmin"
system_ipV6_disable: True
privatekeytodeploy: system_ip_unprivileged_port_start: 0
- user: "{{user.name}}" wireguard_mtu: 1420
keyfile: "/home/{{user.name}}/.ssh/id_gitea"
privatekey: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
- user: root
keyfile: /root/.ssh/id_gitea
privatekey: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
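Review bot: `system_ip_unprivileged_port_start: 0` (on the new side, judging from the old/new layout of this hunk) lowers `net.ipv4.ip_unprivileged_port_start` on every host in `all`, so any unprivileged account — or a compromised Nomad task in host networking — can bind ports 1–1023, including 22, 53 and 443 whenever the legitimate daemon is down or restarting, and impersonate the service. Keep the kernel default and give the one service that needs a low port `CAP_NET_BIND_SERVICE` (`AmbientCapabilities=CAP_NET_BIND_SERVICE` in its unit, or the Nomad `allow_caps` list), or at least set the value to the lowest port actually required rather than 0. If this was added for rootless containers, a comment next to the variable would record that.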


@ -0,0 +1,5 @@
consul_client_addr: "0.0.0.0"
consul_datacenter: "homelab"
consul_backup_location: "/mnt/diskstation/git/backup/consul"
consul_ansible_group: all
consul_systemd_resolved_enable: true
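Review bot: `consul_client_addr: "0.0.0.0"` binds Consul's HTTP API and DNS on every interface of every node, including the public and WireGuard interfaces of the Hetzner host; no `consul_acl_*` or TLS settings appear in this group file (they may live elsewhere), so anything that reaches port 8500 can read the KV store and catalog and register services that `*.service.consul` names — Vault, LDAPS, the drone target — will then resolve to. Bind the client address to loopback plus the interfaces that actually need it (the Docker daemon config in this change points containers at `172.17.0.1` for DNS, so the bridge address belongs in the list), and confirm ACLs are default-deny before trusting those names.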


@ -0,0 +1,8 @@
docker_daemon_config:
dns:
- 172.17.0.1
- 192.168.1.6
mtu: 1420
insecure-registries:
- 192.168.1.0/24
- 192.168.121.0/24
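Review bot: `insecure-registries` with two /24 CIDRs tells dockerd to accept plain HTTP or an unverified certificate from any host on the LAN and on the vagrant-libvirt default network (192.168.121.0/24), not just the registry; any device on those subnets answering on a registry port can serve images that Nomad will then run, often privileged given `nomad_allow_privileged: True` in the nomad group vars. List the registry endpoint itself (`host:port`) instead of a subnet, and if the registry is fronted by Traefik as the NAS folder layout suggests, serve it over a trusted certificate and drop the entry entirely. The `dns` list also hard-codes `192.168.1.6` beside the bridge address, so renumbering the DNS host silently breaks container resolution — a `{{ }}` reference to the variable that defines it would keep one source of truth.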


@ -0,0 +1,9 @@
nomad_docker_allow_caps:
- NET_ADMIN
- NET_BROADCAST
- NET_RAW
nomad_allow_privileged: True
nomad_vault_enabled: true
nomad_vault_address: "http://active.vault.service.{{consul_domain}}:8200"
nomad_vault_role: "nomad-cluster"
nomad_docker_extra_labels: ["job_name", "task_group_name", "task_name", "namespace", "node_name"]
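Review bot: `nomad_vault_address` uses plain `http://`, so the Nomad–Vault token and every secret Vault renders for tasks cross the network in cleartext between nodes, including the WireGuard-to-Hetzner path whenever corwin schedules a job; switch to `https://` with the cluster CA configured on the clients, or at minimum bind Vault to the WireGuard address only, before relying on this integration. `nomad_allow_privileged: True` across the whole client group plus `NET_ADMIN`/`NET_RAW` in `nomad_docker_allow_caps` lets any job spec request a privileged container, which is root on the host; if only a couple of jobs need it, confine them to a node class or Nomad namespace and deny `privileged` elsewhere. Also check how the role renders `nomad_docker_allow_caps`: Nomad's docker `allow_caps` replaces the default list rather than extending it, so if this value is templated verbatim, containers lose `CHOWN`, `SETUID`, `NET_BIND_SERVICE` and the other defaults — hedged, since the role is not in view.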


@ -1,37 +0,0 @@
consul_client_addr: "0.0.0.0"
consul_datacenter: "homelab"
consul_backup_location: "/mnt/diskstation/git/backup/consul"
consul_ansible_group: all
consul_bootstrap_expect: 2
nomad_vault_enabled: true
nomad_vault_address: "http://active.vault.service.consul:8200"
nomad_vault_role: "nomad-cluster"
nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"
nomad_bootstrap_expect: 2
notification_mail: "{{inventory_hostname}}@{{ domain.name }}"
msmtp_mailhub: smtp.{{ domain.name }}
msmtp_auth_user: "{{ user.mail }}"
msmtp_auth_pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:email') }}"
docker_users: "{{user.name}}"
system_user:
- name: drone-deploy
home: /home/drone-deploy
shell: /bin/bash
keystodeploy:
- name: juicessh with password
user: "{{user.name}}"
sshkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN5V9WPPi2/HwAQuDeaJO3hUPf8HxNMHqVmkf1pDjWg JuiceSSH
- name: fixe-pc new
user: "{{user.name}}"
sshkey: ssh-rsa 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 vincent@fixe-pc-2020-03-01
- name: zen-pc
user: "{{user.name}}"
sshkey: ssh-rsa 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 vincent@zen-pc
- name: drone
user: drone-deploy
sshkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUaK+pQlosmopbZfucll9UdqDOTaODOBwoxRwkJEk1i drone@oscar


@ -1,9 +1,5 @@
sssd_configure: true sssd_configure: true
# sssd_configure is False by default - by default nothing is done by this role. # sssd_configure is False by default - by default nothing is done by this role.
ldap_search_base: "dc=ducamps,dc=win" ldap_search_base: "dc=ducamps,dc=eu"
ldap_uri: "ldaps://ldap.ducamps.win" ldap_uri: "ldaps://ldaps.service.consul"
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win" ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=eu"
ldap_default_bind_dn : "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win"
ldap_password : "{{lookup('hashi_vault', 'secret=secrets/data/ansible/other:vaulserviceaccount')}}"
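Review bot: `ldap_uri` now targets `ldaps://ldaps.service.consul`, so the LDAP server certificate must carry that name as a SAN or sssd (default `ldap_tls_reqcert = hard`) will refuse the connection; the tempting workaround, `ldap_tls_reqcert = allow` or `never`, would turn LDAPS into unauthenticated TLS, so either issue the certificate with the Consul name or keep a stable DNS name that matches the cert. Removing `ldap_default_bind_dn`/`ldap_password` switches sssd to an anonymous bind, which means the directory must allow anonymous search of `dc=ducamps,dc=eu` and `ou=sudoers` — the whole user and sudo-rule tree becomes readable by anyone who can reach port 636 — so confirm that is intended rather than a side effect of moving the secret. If the bind account is now supplied from another group file, a one-line comment here would save the next reader the search.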


@ -0,0 +1,42 @@
user:
name: vincent
home: /home/vincent
uid: 1024
mail: vincent@ducamps.eu
groups:
- docker
authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN5V9WPPi2/HwAQuDeaJO3hUPf8HxNMHqVmkf1pDjWg JuiceSSH
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBrP9akjyailPU9tUMvKrtDsqjI191W1L95u3OFjBqqapXgbDVx1FVtSlIIKcCHZyTII1zgC7woZmNRpmaIJRh6N+VIuRrRs29xx2GUVc4pxflUwwIAK36hgZS3nqmA2biacmPR9HogZLZMcPtZdLhWGlLuUv1cWqbqW7UcDa0lbubCo2v4OQMx/zt37voKAZSkkbH9mVszH6eKxNFy1KXbLYhwXiKfYBnAHbivhiSkZUGV6D4HNj8Jx6IY1YF3bfwMXmt841Q/7OY+t3RTIS8ewvSF+jpQ7GKHBEsZTZUGwIoSyZFFvCgKQVOJu/ZJJS4HNkluilir9Sxtx2LRgy+HHQ251trnsVsJp3ts4uTiMkKJQy1PXy1ZvQXYkip9Af3vlXUMmTyVj8cv+No07G1rZ1pZ3wXKX4RkTsoep5GsYlhyUd7GzsAQQiX9YhYyWDQ6NHBYAGAWbw2BLNxltWa4AyWOa1C8v+1+mRwdvpdMY7powJNCXQaIJmiOZiI/Us= vincent@fixe-pc-2020-03-01
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCYHkEIa38p3e4+m/LScHm8Ei7H2X/pDksjVAzoJ4fHr8oXc6DKkC8SWwMnh3L4WzWBhfTbzwUgFTNpsxhp/UyJf+fdzmzetlbVlYSuA6yWuSmgMeFbXFImhZ+Sn3i59hLeqAAyrkQLjba2waehdEsuOQ/AGoDbMYm38Xf9Wka/1YIeUPE4gLeLvymRnGw7BSug6Unycy52WlFAquollObOvc7tNiX0uLDh81Dp0KZhqWRs75hfmQ9du4g4uNhFLiF11hOGNgj3PWV+nWe8GWNQYVUBChWX1dsP8ct/ahG9IFXSPEaFD1IZeFp29u2ln3mgKkBtcRTRe1e3CLQqiRsUq2aixVFbSgFMFgGSUiNGNqKR4f9DeyJrYBplSj6HXjWoBny4Wm8+yfk8qR2RtQpS6AUu81xtKnXOaj9Q5VZO3kVF0U3EXHAZutTYDj9mDlhLSBS7x7hmrkRBbIy7adSx9Gx5Ck3/RllqG6KD+LdJa4I0pUTRNetpLpYDeZpwjnDP1r7udaSQMyRMH5YKLzhtHqIV/imn9QO4KCxNxTgwxt9ho6HDvlDGERCxm+yeHUu3CPyq2ZGSF5HHsYTGUtYvQw4JfQyw/5DrZ7IIdU1e7ZuaE3h/NvFgKJPVTP52nmUtIW7pIOkHpn9mddjm/oKMayOzMspLn9HLFVbqi7A5Xw== vincent@zen-pc
privatekey:
- keyname: "id_gitea"
key: "{{lookup('file', '~/.ssh/id_gitea')}}"
system_user:
- name: drone-deploy
home: /home/drone-deploy
shell: /bin/bash
authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUaK+pQlosmopbZfucll9UdqDOTaODOBwoxRwkJEk1i drone@oscar
- name: ansible
home: /home/ansible
shell: /bin/bash
- name: root
home: /root
privatekey:
- keyname: id_gitea
key: "{{lookup('file', '~/.ssh/id_gitea')}}"
user_custom_host:
- host: "git.ducamps.eu"
user: "git"
keyfile: "~/.ssh/id_gitea"
user_config_repo: "ssh://git@git.ducamps.eu:2222/vincent/conf2.git"
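Review bot: `privatekey` pushes the same `~/.ssh/id_gitea` from the controller's home directory to `vincent` and to `root` on every managed host, where the removed variant fetched it from Vault; one key now lives in N+1 places, any host compromise yields a credential valid wherever that key is authorized, and a controller without the file makes the `file` lookup fail the whole play. Issue per-host (or at least per-user) deploy keys and drop the root copy unless a root-owned clone is genuinely needed; if a shared key must stay, pull it with `lookup('hashi_vault', ...)` as before so it never sits on the controller's disk. The `ansible` system user has no `authorized_keys` here — presumably set elsewhere — and a comment saying where would help.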


@ -0,0 +1 @@
vault_raft_group_name: "homelab"


@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
39613433313663653039643961643165643632313938626339653365376633613135653436363938
6331623132366638633665636163336462393333336264320a666466303465663839646435626231
38396437363034313236383261326637306238616162303131356537393635363939376236386130
6466353961643233310a306631333664363332336263656638623763393732306361306632386662
37623934633932653965316532386664353130653830356237313337643266366233346633323265
37616533303561363864626531396366323565396536383133643539663630636633356238386633
34383464333363663532643239363438626135336632316135393537643930613532336231633064
35376561663637623932313365636261306131353233636661313435643563323534623365346436
65366132333635643832353464323961643466343832376635386531393834336535386364396333
3932393561646133336437643138373230366266633430663937


@ -0,0 +1,12 @@
$ANSIBLE_VAULT;1.1;AES256
61326233336236343231396231306638373837653661313334313261313539316532373437346132
3931306637303530373032663236363466383433316161310a396439393564643731656664663639
32386130663837303663376432633930393663386436666263313939326631616466643237333138
3365346131636333330a376436323964656563363664336638653564656231636136663635303439
35346461356337303064623861326331346263373539336335393566623462343464323065366237
61346637326336613232643462323733366530656439626234663335633965376335623733336162
37323739376237323534613361333831396531663637666161666366656237353563626164626632
33326336353663356235373835666166643465666562616663336539316233373430633862613133
36363831623361393230653161626131353264366634326233363232336635306266376363363739
66373434343330633337633436316135656533613465613963363931383266323466653762623365
363332393662393532313063613066653964


@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256
35303137383361396262313561623237626336306366376630663065396664643630383638376436
3930346265616235383331383735613166383461643233310a663564356266663366633539303630
37616532393035356133653838323964393464333230313861356465326433353339336435363263
3162653932646662650a613762393062613433343362633365316434663661306637623363333834
61303231303362313133346461373738633239613933303564383532353537626538363636306461
66663330346566356637623036363964396137646435333139323430353639386134396537366334
39303130386432366335383433626431663034656466626265393863623438366130346562623365
63653963393663353666313631326131636361333230386461383638333338393137336562323935
37343034363961306663303232346139356534613837663230393962323333656536303161373939
65626164336166306264653538313661393934383966303135356161336331623835663235646332
63343764643861366537383962616230323036326331386333346463353835393762653735353862
32323839663365353337303363313535633362643231653663393936363539363933636430613832
32336566633962646463316636346330336265626130373636643335323762363661


@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256
64396261616266633665646330393631316463386334633032353965323964633464333331323334
6261653930313764313836366531383462313965336231620a656637623439623639383931373361
37373434636531623563336565356136633031633835633636643436653165386436636564616130
3763383036343739370a376565343130636631653635616566653531323464343632623566313436
32396165636333393032636636613030373663393238323964396462323163616162613933626536
31623931343633346131636563643563393230323839636438373933666137393031326532356535
32363439306338623533353734613966396362303164616335363535333438326234623161653732
66613762653966613763623966633939323634346536636334343364306332323563653361346563
65313433376634363261323934376637646233636233346536316262386634353666376539613235
63666432396636373139663861393164626165383665663933383734303165623464666630343231
33323339663138373530396636636333323439616137313434316465633162396237306238343366
30326162306539396630633738323435323432646338633331626665363838376363343835336534
3635


@ -0,0 +1,50 @@
systemd_mounts:
diskstation_photo:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/photo"
mount: /mnt/diskstation/photo
type: nfs
options:
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_music:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/music"
mount: /mnt/diskstation/music
type: nfs
options:
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_media:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/media"
mount: /mnt/diskstation/media
type: nfs
options:
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_ebook:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/ebook"
mount: /mnt/diskstation/ebook
type: nfs
options:
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
diskstation_nomad:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/nomad"
mount: /mnt/diskstation/nomad
type: nfs
options:
- " "
automount: "{{ env_automount }}"
enabled: true
diskstation_download:
share: "{{ nas_ip }}:{{ env_default_nfs_path }}/download"
mount: /mnt/diskstation/download
type: nfs
options:
- "vers=4"
automount: "{{ env_automount }}"
enabled: true
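Review bot: `diskstation_nomad` is the only share in this file whose options are `- " "` instead of `- "vers=4"`, so it is the one mount that can still negotiate NFSv3 (with its separate mountd/lockd ports) while every sibling is pinned to v4; this looks like an oversight, so use `- "vers=4"` there as well. A literal single-space option also ends up in the unit's `Options=` line, which the role may or may not strip — not visible here. None of the entries set `sec=`, so all of them depend on AUTH_SYS UID trust from the NAS; if the export allows it, `sec=krb5` is the hardening step, but that is beyond what this change shows.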


@ -0,0 +1 @@
nomad_node_class: 'cluster'


@ -1,47 +0,0 @@
postgresql_users:
- name: root
role_attr_flags: SUPERUSER
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
- name: wikijs
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:wikijs')}}"
- name: ttrss
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:ttrss')}}"
- name: gitea
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:gitea')}}"
- name: supysonic
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:supysonic')}}"
- name: hass
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:hass')}}"
- name: nextcloud
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:nextcloud')}}"
- name: vaultwarden
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:vaultwarden')}}"
- name: drone
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:drone')}}"
- name: dendrite
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:dendrite')}}"
- name: paperless
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:paperless')}}"
postgresql_databases:
- name: wikijs
owner: wikijs
- name: ttrss
owner: ttrss
- name: gitea
owner: gitea
- name: supysonic
owner: supysonic
- name: hass
owner: hass
- name: nextcloud
owner: nextcloud
- name: vaultwarden
owner: vaultwarden
- name: drone
owner: drone
- name: dendrite
owner: dendrite
- name: paperless
owner: paperless


@ -0,0 +1,38 @@
postgres_consul_service: true
postgres_consul_service_name: db
postgresql_databases:
- name: ttrss
owner: ttrss
- name: gitea
owner: gitea
- name: supysonic
owner: supysonic
- name: hass
owner: hass
- name: vaultwarden
owner: vaultwarden
- name: drone
owner: drone
- name: paperless
owner: paperless
- name: vikunja
owner: vikunja
- name: ghostfolio
owner: ghostfolio
- name: pdns-auth
owner: pdns-auth
- name: pdns-admin
owner: pdns-admin
- name: mealie
owner: mealie
- name: immich
owner: immich
postgresql_hba_entries:
- {type: local, database: all, user: postgres, auth_method: peer}
- {type: local, database: all, user: all, auth_method: peer}
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5}
- {type: host, database: all, user: all, address: '::1/128', auth_method: md5}
- {type: host, database: all, user: all, address: '::0/128', auth_method: md5}
- {type: host, database: all, user: all, address: '0.0.0.0/0', auth_method: md5}
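Review bot: The last `postgresql_hba_entries` line, `host all all 0.0.0.0/0 md5`, allows password authentication against every database from any source the server listens on, and the `::0/128` entry above it matches only the unspecified IPv6 address, so it is probably a typo for `::/0` (which would widen this further, not narrow it). Since this file also registers the server in Consul as `db`, the clients are the overlay and LAN hosts visible elsewhere in this change — restrict to those, e.g. `address: '10.0.0.0/24'` and `address: '192.168.1.0/24'`, and prefer `auth_method: scram-sha-256` over `md5`, which transmits a reusable hash and is deprecated in current PostgreSQL. Whether `listen_addresses` is bound beyond localhost is not visible here, so confirm that before treating the narrower entries as sufficient.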


@ -0,0 +1,54 @@
$ANSIBLE_VAULT;1.1;AES256
39363436643831373861376361613830316334613939346338616636393462663033393261633838
6337336161393063646136613538396366653538656435360a303062636463383739653730346639
61323634306265613336313634653039313639663836363032353261383566393865613166613032
3837313634633466610a313062646237396138316361303361663565353862363139343566306539
38303161303163323265376539323939393938373965353934303535613962653534363362346563
61643638353138623162353364353736396162613735333063633739346132613161303564356437
62343535363263646463306466663536613937393463666336396332646533343439613433626566
38643363343065393165646134343935386461626166316662356365366666363737653336626631
64643230616431396666666462303366343164323233303139643939346635353730316234386163
35613235643034643833393233373536383863333763393066373564353535353463363336316335
63363537643432663266386438316563656663656462333039303861393364333966383430643263
63356435373064633861343137616637393161383361306135373864386235653034323732316663
65336465386135663532356433386562666639333464633362663131646237613034646563396133
33303464633635636233626633353038656230373266666132323561383866343632333561323363
61346664623338376436373332646232646235323639633262666166346535663238653563363239
34663365633363313433376333653534333364393635316235333965383262313563373161663065
36393565396534353235623238303835343334646632306638306332336539616463393966653538
35336462623031326539633139636533633632623137393463333531663935323765663139306361
66643434393533313039356434326438626265323066613966323634306632653765363834613034
30373039336536393865383265643335396232643537343363313338383838383030386665303237
64363666346535633237353462333232623132353031323231623338356136656261303662656465
31313039643561623635643435333133663032313964323061393231666336343233363038616231
36356262326530383233336130326361613431623866633832663361633937646461343731343938
33306262346463623935663466356264393837626239313739356431653163376563333234346566
38373663643532313635333131663239383736343930623735323861663037356136353433633865
63626435613936303661366637623338633961643137613933303735366265663933396130363039
34396637643638613839306639343765393539653164616536653661373264376436626639316666
61303835323761643531326438363035343539383464376433363534623934366534373631353364
61383866323737316430303736366533643939313637393631303833363431613562303639323939
66313434613963656464383964313734383938353366306462666537653563336465376464303538
34336531663334303938333739313638636363623562613536333736386137363139653164626261
62663662316365663563646164303935323866633336633939323837393962393130626330666233
63663661303565646236623130663034636264353235376561306630376365613966663536303963
63643161386435633831393334333035653761393863373731616239313235383033633439376166
39613762376162386231633938393036633461303732323337656430373430636435313337303365
37646461336339623339316663616636373036656564383462356562306465623762653162633963
35636466386138333564666564323034393162633965386133643235303938616439333130353637
61343536323034366464653138353665326436396133313432666563353335383733363335613562
61646365346665383866623364396138323666326338313530353663323938613362653038313339
32613663616535313661386538366330373364366637386634633437646362383764346263636434
35616166393065343038643861636333373738363335353164326435303961326662356230323262
35656531653535643630376330393731643532353132366662636664626132646632306361323035
31373136616435336362633439356339336466313337623538383763386132396135653864386638
31393864363466653137643565306462616238333435343036613331653866393532313861376331
33646636623666343439616332386363373664346164313963623861393134666463383366633539
35313761333564303635656364303566643436393130356163623137313530653539656537653139
38336636623732313630303933303962303561376436623737633139643564343166326335386639
31373437336139326562613339393235393065396538333566323864643639303132313733396132
35613532396363326166313061353136373965303964623534653634613639303764393038333037
63656131616463663565653134363336326139303736313138366262616338643339316231663631
30656132386462393433313261313466303239346138623433643634616465656139343764353338
62616139613731363665333438383861623837643432643134626461643631323034383262656439
33653563323434343964633236353434643739333863636630636363633639373630


@ -0,0 +1 @@
postgres_consul_tag: "active"


@ -0,0 +1 @@
postgres_consul_tag: "standby"


@ -1,152 +0,0 @@
dhcpd_authoritative: True
dhcpd_lease_time: '72'
dhcpd_domain_name: "{{ domain.name }}"
dhcpd_nameservers:
- '192.168.1.40'
- '192.168.1.10'
dhcpd_keys:
- key: dhcp
algorithm: HMAC-MD5
secret: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:dhcpd_key') }}"
dhcpd_zones:
- zone: "{{ domain.name }}."
primary: "192.168.1.10"
key: "dhcp"
- zone: "1.168.192.in-addr.arpa."
primary: "192.168.1.10"
key: "dhcp"
dhcpd_options: |
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
ddns-domainname "ducamps.win.";
ddns-rev-domainname "in-addr.arpa.";
dhcpd_subnets:
- subnet: '192.168.1.0'
netmask: '255.255.255.0'
options: |
option routers 192.168.1.1;
pools:
- range: '192.168.1.100 192.168.1.140'
dhcpd_hosts:
- hostname: 'zen-pc'
address: '192.168.1.14'
ethernet: 'f0:d5:bf:f4:ce:d7'
- hostname: 'fixe-pc'
address: '192.168.1.15'
ethernet: 'ee:35:20:fc:7b:04'
- hostname: 'oscar'
address: '192.168.1.40'
ethernet: '7C:83:34:B3:49:9A'
- hostname: 'VMAS-HML'
address: '192.168.1.50'
ethernet: '52:54:00:02:74:ed'
- hostname: 'VMAS-BUILD'
address: '192.168.1.53'
ethernet: '52:54:13:1e:93'
- hostname: 'xiaomi-chambre-gateway'
address: '192.168.1.61'
ethernet: '04:cf:8c:9c:f7:f0'
- hostname: 'xiaomi-ampoule-chambre'
address: '192.168.1.62'
ethernet: '44:23:7c:88:1f:ea'
- hostname: 'shelly-chambre-ecran'
address: '192.168.1.63'
ethernet: 'b4:e6:2d:7a:ea:77'
- hostname: 'shelly-salon-cadre'
address: '192.168.1.64'
ethernet: 'b4:e6:2d:7a:e6:1e'
- hostname: 'shelly-chambre-ventilo'
address: '192.168.1.65'
ethernet: 'e0:98:06:97:78:0b'
keystodeploy:
- name: juicessh with password
user: "{{user.name}}"
sshkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN5V9WPPi2/HwAQuDeaJO3hUPf8HxNMHqVmkf1pDjWg JuiceSSH
- name: fixe-pc new
user: "{{user.name}}"
sshkey: ssh-rsa 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 vincent@fixe-pc-2020-03-01
- name: zen-pc
user: "{{user.name}}"
sshkey: ssh-rsa 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 vincent@zen-pc
nomad_datacenter: homelab
systemd_mounts:
diskstation_nomad:
share: diskstation.ducamps.win:/volume2/nomad
mount: /mnt/diskstation/nomad
type: nfs
options:
- " "
automount: true
diskstation_git:
share: diskstation.ducamps.win:/volume2/git
mount: /mnt/diskstation/git
type: nfs
options:
- " "
automount: true
diskstation_music:
share: diskstation.ducamps.win:/volume2/music
mount: /mnt/diskstation/music
type: nfs
options:
- " "
automount: true
diskstation_nextcloud:
share: //diskstation.ducamps.win/nextcloud
mount: /mnt/diskstation/nextcloud
type: cifs
options:
- credentials=/etc/creds/.diskstation_credentials
- uid=33
- gid=33
- vers=3.0
- dir_mode=0770
- _netdev
automount: true
diskstation_CardDav:
share: diskstation.ducamps.win:/volume2/CardDav
mount: /mnt/diskstation/CardDav
type: nfs
options:
- " "
automount: true
diskstation_archMirror:
share: diskstation.ducamps.win:/volume2/archMirror
mount: /mnt/diskstation/archMirror
type: nfs
options:
- " "
automount: true
credentials_files:
1:
type: smb
path: /etc/creds/.diskstation_credentials
username: admin
password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"
systemd_mounts_enabled:
- diskstation_nomad
- diskstation_git
- diskstation_music
- diskstation_nextcloud
- diskstation_CardDav
- diskstation_archMirror


@ -0,0 +1,68 @@
dhcpd_authoritative: True
dhcpd_lease_time: '72'
dhcpd_domain_name: "lan.{{ domain.name }}"
dhcpd_nameservers:
- '192.168.1.4'
- '192.168.1.40'
dhcpd_zones:
- zone: "lan.{{ domain.name }}."
primary: "192.168.1.5"
key: "dhcpdupdate"
- zone: "1.168.192.in-addr.arpa."
primary: "192.168.1.5"
key: "dhcpdupdate"
dhcpd_options: |
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
ddns-domainname "lan.{{ domain.name }}.";
ddns-rev-domainname "in-addr.arpa.";
dhcpd_subnets:
- subnet: '192.168.1.0'
netmask: '255.255.255.0'
options: |
option routers 192.168.1.1;
pools:
- range: '192.168.1.100 192.168.1.140'
dhcpd_hosts:
- hostname: 'zen-pc'
address: '192.168.1.14'
ethernet: 'f0:d5:bf:f4:ce:d7'
- hostname: 'fixe-pc'
address: '192.168.1.15'
ethernet: 'ee:35:20:fc:7b:04'
- hostname: 'oscar'
address: '192.168.1.40'
ethernet: '68:1D:EF:3C:F0:44'
- hostname: 'bleys'
address: '192.168.1.42'
ethernet: '68:1d:ef:2b:3d:24'
- hostname: 'xiaomi-chambre-gateway'
address: '192.168.1.61'
ethernet: '04:cf:8c:9c:f7:f0'
- hostname: 'xiaomi-ampoule-chambre'
address: '192.168.1.62'
ethernet: '44:23:7c:88:1f:ea'
- hostname: 'shelly-chambre-ecran'
address: '192.168.1.63'
ethernet: 'b4:e6:2d:7a:ea:77'
- hostname: 'shelly-salon-cadre'
address: '192.168.1.64'
ethernet: 'b4:e6:2d:7a:e6:1e'
- hostname: 'shelly-chambre-ventilo'
address: '192.168.1.65'
ethernet: 'e0:98:06:97:78:0b'
- hostname: 'shelly-Bureau-chauffeau'
address: '192.168.1.66'
ethernet: '8c:aa:b5:42:b9:b9'
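Review bot: Both `dhcpd_zones` entries reference `key: "dhcpdupdate"`, but no `dhcpd_keys` entry defining that key appears in this file, so the DDNS updates only work if it is supplied from another vars file — presumably the encrypted one added next to this one; verify the key name there matches exactly. The definition that the removed file carried used `algorithm: HMAC-MD5`; when it is re-defined, `algorithm: HMAC-SHA256` is the TSIG algorithm current DNS servers expect, and MD5 TSIG is deprecated. A one-line comment above `dhcpd_zones`, e.g. `# TSIG key "dhcpdupdate" is defined in the vaulted vars for this group`, would save the next reader the search.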


@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256
65303666336535386536653939626336646338623431353161636565393532623264316534326539
6265393839323438376666393030383839326239323261660a333132613538306137383332336538
38323830353062366133643734303138343939323135333532333666653039326437316361353463
6665393263376132620a346239386437326462363565636335303766306638393331656664376665
63373131373039653065633861626263646635323634333538343163346239633937303761366362
31376438363731613666393531656232653033336332653261313866396434616461303831353336
38663965636536313932346133363733636636643938366364366435366237316435643062336231
34343931653963613431336465653036616431323263613731393963656637303561366461663038
31336131346266393035343135323131636435333865323733386439363763376638383337613530
34356331356361636665383933633130343564373739343630663835313164326565393439306163
31386538633033333961386534323234653833323537356565616436346462613333663139623035
30636265313230383162633466373937353262383965313631326336666133653331366230653961
6131


@ -1,10 +1,2 @@
chisel_server: true
chisel_server_port: 9090
chisel_server_backend: https://www.{{domain.name}}
chisel_server_auth:
user: chisel
pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:chisel_pass') }}"
arch_mirror_location: "/mnt/diskstation/archMirror"
nomad_datacenter: homelab nomad_datacenter: homelab
nomad_allow_privileged: True system_wol_enable: True


@ -1,92 +0,0 @@
systemd_mounts:
diskstation_git:
share: diskstation.ducamps.win:/volume2/git
mount: /mnt/diskstation/git
type: nfs
options:
- " "
automount: true
diskstation_CardDav:
share: diskstation.ducamps.win:/volume2/CardDav
mount: /mnt/diskstation/CardDav
type: nfs
options:
- " "
automount: true
backup_disk:
share: /dev/sdb1
mount: /mnt/backup
type: ntfs-3g
options:
- "uid=1024
- guid=100
- vers=3.0"
automount: true
diskstation_home:
share: diskstation.ducamps.win:/volume2/homes/admin
mount: /mnt/diskstation/home
type: nfs
options:
- " "
automount: true
diskstation_photo:
share: diskstation.ducamps.win:/volume2/photo
mount: /mnt/diskstation/photo
type: nfs
options:
- " "
automount: true
diskstation_music:
share: diskstation.ducamps.win:/volume2/music
mount: /mnt/diskstation/music
type: nfs
options:
- " "
automount: true
diskstation_media:
share: diskstation.ducamps.win:/volume1/media
mount: /mnt/diskstation/media
type: nfs
options:
- " "
automount: true
diskstation_ebook:
share: diskstation.ducamps.win:/volume2/ebook
mount: /mnt/diskstation/ebook
type: nfs
options:
- " "
automount: true
diskstation_archMirror:
share: diskstation.ducamps.win:/volume2/archMirror
mount: /mnt/diskstation/archMirror
type: nfs
options:
- " "
automount: true
diskstation_nomad:
share: diskstation.ducamps.win:/volume2/nomad
mount: /mnt/diskstation/nomad
type: nfs
options:
- " "
automount: true
systemd_mounts_enabled:
- diskstation_git
- diskstation_music
- backup_disk
- diskstation_photo
- diskstation_home
- diskstation_CardDav
- diskstation_media
- diskstation_ebook
- diskstation_archMirror
- diskstation_nomad
credentials_files:
1:
type: smb
path: /etc/creds/.diskstation_credentials
username: admin
password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"


@ -0,0 +1,13 @@
domain:
name: ducamps.eu
consul_bootstrap_expect: 3
consul_domain: "consul"
nomad_bootstrap_expect: 3
nomad_client_meta:
- name: "env"
value: "production"
vault_unseal_keys_dir_output: "~/vaultUnseal/production"
env_default_nfs_path: ""
env_media_nfs_path: "/volume1"
env_automount: true
nas_ip: "192.168.1.43"
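Review bot: `vault_unseal_keys_dir_output: "~/vaultUnseal/production"` directs the Vault init output to a home directory on the controller; if the role writes the unseal shares and initial root token there in plaintext (the name suggests so, but the role is not in view), anyone who can read that directory can unseal and fully control the production cluster, so it must be 0700, excluded from backups and sync, and ideally emptied into an offline store once init is done. A comment stating that expectation next to the variable, e.g. `# unseal shares + root token are written here in plaintext: 0700, never back up or commit`, would make the requirement explicit; an auto-unseal/transit seal would remove the file altogether.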


@ -0,0 +1,21 @@
domain:
name: ducamps.dev
#systemd_mounts: []
#systemd_mounts_enabled: []
consul_bootstrap_expect: 2
consul_domain: "consul"
nomad_bootstrap_expect: 2
nomad_client_meta:
- name: "env"
value: "staging"
vault_unseal_keys_dir_output: "~/vaultUnseal/staging"
hosts_entries:
- ip: "{{ hostvars['nas-dev']['ansible_default_ipv4']['address'] }}"
name: diskstation.ducamps.eu
env_default_nfs_path: ""
env_automount: true
nas_ip: "nfs.service.consul"


@ -1,2 +0,0 @@
chainetv_repo_branch: dev


@ -1,2 +0,0 @@
chainetv_repo_branch: master


@ -1,2 +0,0 @@
wireguard_address: "10.0.0.100/24"

65
ansible/host_vars/bleys Normal file

@ -0,0 +1,65 @@
---
ansible_host: "192.168.1.42"
ansible_python_interpreter: "/usr/bin/python3"
default_interface: "enp2s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
nfs_iface: "{{ default_interface}}"
wireguard_address: "10.0.0.7/24"
wireguard_byhost_allowed_ips:
merlin: 10.0.0.7,192.168.1.42,192.168.1.0/24
corwin: 10.0.0.7,192.168.1.42,192.168.1.0/24
perrsistent_keepalive: "20"
wireguard_endpoint: ""
wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o {{default_interface}} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=1
wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o {default_interface} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=0
partition_table:
- device: "/dev/sda"
label: gpt
settings:
- number: 1
part_end: 300MB
flags: [boot, esp]
fstype: vfat
format: yes
- number: 2
part_start: 512MB
part_end: 1524MB
flags: []
fstype: swap
format: yes
- number: 3
part_start: 1524MB
flags: [lvm]
fstype: ext4
format: yes
#- device: "/dev/sdb"
#settings:
#- number: 1
#name: home
#fstype: ext4
#format:
mount_table:
- device: "/dev/sda"
settings:
- number: 3
mountpath: /mnt
fstype: ext4
- number: 1
mountpath: /mnt/boot
fstype: vfat
#need vfat boot partition with esp label
provissionning_UEFI_Enable: True
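Review bot: The postdown line `iptables -t nat -D POSTROUTING -o {default_interface} -j MASQUERADE` uses single braces, so Jinja leaves it literal and the delete never matches the rule added in postup; each wg0 restart leaves a stale MASQUERADE rule on enp2s0 (and iptables may reject the over-long literal name outright). It should read `- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE`. Separately, `perrsistent_keepalive` is misspelled and lacks the `wireguard_` prefix that corwin and merlin use (`wireguard_persistent_keepalive`), so this value is probably never consumed by the role; and `sysctl -w net.ipv4.ip_forward=0` in postdown disables forwarding host-wide, which would also cut container/bridge traffic if this node runs Nomad workloads — not visible here, so worth confirming.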


@ -1,30 +1,35 @@
--- ---
ansible_host: 65.108.221.233 ansible_host: 10.0.0.1
#ansible_host: 135.181.150.203
default_interface: "eth0"
wireguard_address: "10.0.0.1/24" wireguard_address: "10.0.0.1/24"
wireguard_endpoint: "65.108.221.233" wireguard_endpoint: "135.181.150.203"
wireguard_persistent_keepalive: "30" wireguard_persistent_keepalive: "20"
wireguard_allowed_ips: "10.0.0.1/32" wireguard_allowed_ips: 10.0.0.1
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -o %i -j ACCEPT - iptables -A FORWARD -o %i -j ACCEPT
- iptables -A FORWARD -i %i -j ACCEPT - iptables -A FORWARD -i %i -j ACCEPT
- iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=1
- resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~{{ consul_domain }}'
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i %i -j ACCEPT - iptables -D FORWARD -i %i -j ACCEPT
- iptables -D FORWARD -o %i -j ACCEPT - iptables -D FORWARD -o %i -j ACCEPT
- iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=0
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
phone: phone:
public_key: ioG35kDFTtip+Acfq+je9qDHYbZij+J6+Pg3T6Z4N0w= public_key: IYKgrQ2VJUbOnupSqedOfIilsbmBBABZUTRF9ZoTrkc=
allowed_ips: 10.0.0.3/32 allowed_ips: 10.0.0.3/32
persistent_keepalive: 0 persistent_keepalive: 0
zen: zen:
public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag= public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag=
allowed_ips: 10.0.0.5/32 allowed_ips: 10.0.0.5/32
persistent_keepalive: 0 persistent_keepalive: 0
wireguard_dns: "192.168.1.4,192.168.1.41"
consul_client_addr: "127.0.0.1 10.0.0.1" consul_client_addr: "127.0.0.1 10.0.0.1"
consul_bind_address: "10.0.0.1" consul_bind_address: "10.0.0.1"
consul_ui: True consul_ui: True
@ -34,7 +39,9 @@ nomad_host_networks:
- name: "private" - name: "private"
interface: wg0 interface: wg0
- name: "public" - name: "public"
interface: enp1s0 interface: eth0
- name: "default" - name: "default"
interface: wg0 interface: wg0
nomad_client_network_interface : "wg0"
vault_listener_address: 10.0.0.1 vault_listener_address: 10.0.0.1
nomad_plugins_podman: True
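Review bot: With `ansible_host` moved from the public address to `10.0.0.1`, this host is now managed only through the tunnel that the same playbook configures, so a bad WireGuard change locks the next run out; keep the commented public address as a documented fallback, e.g. `ansible_host: 10.0.0.1  # via wg0; break-glass: 135.181.150.203`, or a separate recovery inventory. The new postdown `sysctl -w net.ipv4.ip_forward=0` switches forwarding off for the whole host, not just wg0; since this node also gains `nomad_plugins_podman: True`, any bridged container networking would lose egress whenever wg0 goes down — if that matters, drop the `=0` line and let forwarding stay enabled. The `resolvectl` postup line is a sensible split-DNS setup, but it should be noted that it depends on systemd-resolved managing the interface, which is not visible here.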


@ -1,18 +1,24 @@
--- ---
ansible_host: "192.168.1.41" ansible_host: "192.168.1.41"
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: "/usr/bin/python3"
wireguard_address: "10.0.0.5/24" default_interface: "enu1u1"
wireguard_allowed_ips: "10.0.0.5/32,192.168.1.0/24" consul_iface: "{{ default_interface }}"
perrsistent_keepalive: "30" vault_iface: "{{ default_interface }}"
wireguard_address: "10.0.0.6/24"
wireguard_byhost_allowed_ips:
merlin: 10.0.0.6,192.168.1.41
corwin: 10.0.0.6,192.168.1.41
perrsistent_keepalive: "20"
wireguard_endpoint: "" wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE


@ -0,0 +1,19 @@
---
default_interface: eth0
vault_iface: "{{ default_interface}}"
ansible_host: gerard-dev.lan.ducamps.dev
wireguard_address: "10.0.1.6/24"
perrsistent_keepalive: "20"
wireguard_endpoint: ""
wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o {{ default_interface}} -j MASQUERADE


@ -1,31 +1,39 @@
--- ---
ansible_host: 65.109.13.133 ansible_host: 10.0.0.4
#ansible_host: 65.21.2.14
default_interface: "ens3"
nfs_iface: "wg0"
wireguard_address: "10.0.0.4/24" wireguard_address: "10.0.0.4/24"
wireguard_endpoint: "65.109.13.133" wireguard_endpoint: "65.21.2.14"
wireguard_persistent_keepalive: "30" wireguard_persistent_keepalive: "20"
wireguard_allowed_ips: "10.0.0.4/32,10.0.0.3/32,10.0.0.5/32" wireguard_byhost_allowed_ips:
oscar: "0.0.0.0/0"
bleys: "0.0.0.0/0"
wireguard_allowed_ips: "10.0.0.4/32,10.0.0.3,10.0.0.5"
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -o %i -j ACCEPT - iptables -A FORWARD -o %i -j ACCEPT
- iptables -A FORWARD -i %i -j ACCEPT - iptables -A FORWARD -i %i -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=1
- resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~{{ consul_domain }}'
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i %i -j ACCEPT - iptables -D FORWARD -i %i -j ACCEPT
- iptables -D FORWARD -o %i -j ACCEPT - iptables -D FORWARD -o %i -j ACCEPT
- iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=0
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
phone: phone:
public_key: ioG35kDFTtip+Acfq+je9qDHYbZij+J6+Pg3T6Z4N0w= public_key: IYKgrQ2VJUbOnupSqedOfIilsbmBBABZUTRF9ZoTrkc=
allowed_ips: 10.0.0.3/32 allowed_ips: 10.0.0.3/32
persistent_keepalive: 0 persistent_keepalive: 0
zen: zen:
public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag= public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag=
allowed_ips: 10.0.0.5/32 allowed_ips: 10.0.0.5/32
persistent_keepalive: 0 persistent_keepalive: 0
wireguard_dns: "192.168.1.41,192.168.1.10" wireguard_dns: "192.168.1.4,192.168.1.41"
consul_client_addr: "127.0.0.1 10.0.0.4" consul_client_addr: "127.0.0.1 10.0.0.4"
consul_bind_address: "10.0.0.4" consul_bind_address: "10.0.0.4"
consul_ui: True consul_ui: True
@ -35,7 +43,8 @@ nomad_host_networks:
- name: "private" - name: "private"
interface: wg0 interface: wg0
- name: "public" - name: "public"
interface: eth0 interface: ens3
- name: "default" - name: "default"
interface: wg0 interface: wg0
vault_listener_address: 10.0.0.4 vault_listener_address: 10.0.0.4
nomad_plugins_podman: True
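Review bot: `wireguard_byhost_allowed_ips` gives `oscar` and `bleys` an AllowedIPs of `0.0.0.0/0` for this peer; assuming the role feeds that into their `[Peer] AllowedIPs`, merlin becomes their default route and all Internet egress from those two home nodes transits the VPS and is masqueraded by the new `POSTROUTING -o ens3` rule. If that full-tunnel behaviour is intended, record it, e.g. `# full tunnel: oscar/bleys send all egress via merlin`; if only the overlay was meant, `10.0.0.0/24` is the narrower value. As with corwin, `ansible_host: 10.0.0.4` makes this host reachable only over the tunnel it manages, so keep the public address as a documented fallback.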


@ -0,0 +1,41 @@
---
ansible_host: merlin-dev.lan.ducamps.dev
default_interface: eth0
vault_iface: "{{ default_interface}}"
wireguard_address: "10.0.1.4/24"
wireguard_endpoint: "{{ ansible_default_ipv4.address }}"
wireguard_persistent_keepalive: "30"
wireguard_postup:
- iptables -A FORWARD -o %i -j ACCEPT
- iptables -A FORWARD -i %i -j ACCEPT
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown:
- iptables -D FORWARD -i %i -j ACCEPT
- iptables -D FORWARD -o %i -j ACCEPT
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_unmanaged_peers:
phone:
public_key: ioG35kDFTtip+Acfq+je9qDHYbZij+J6+Pg3T6Z4N0w=
allowed_ips: 10.0.1.3/32
persistent_keepalive: 0
zen:
public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag=
allowed_ips: 10.0.1.5/32
persistent_keepalive: 0
consul_client_addr: "127.0.0.1 10.0.1.4"
consul_bind_address: "10.0.1.4"
consul_ui: True
consul_iface: "wg0"
nomad_bind_addr: "10.0.1.4"
nomad_host_networks:
- name: "private"
interface: wg0
- name: "public"
interface: eth0
- name: "default"
interface: wg0
vault_listener_address: 10.0.1.4
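Review bot: `wireguard_postup` installs FORWARD ACCEPT and MASQUERADE rules but, unlike the production merlin vars in this change, never enables `net.ipv4.ip_forward`, so unless forwarding is turned on elsewhere the `phone` and `zen` peers will reach this host but nothing behind it; add `- sysctl -w net.ipv4.ip_forward=1` after the MASQUERADE line. `wireguard_endpoint: "{{ ansible_default_ipv4.address }}"` also requires facts to be gathered before the WireGuard role runs, which a short comment on that line should state.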

17
ansible/host_vars/nas-dev Normal file

@ -0,0 +1,17 @@
---
ansible_host: nas-dev.lan.ducamps.dev
default_interface: eth0
vault_iface: "{{ default_interface}}"
wireguard_address: "10.0.1.8/24"
perrsistent_keepalive: "30"
wireguard_endpoint: ""
wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE

19
ansible/host_vars/oberon Normal file

@ -0,0 +1,19 @@
---
wireguard_address: "10.0.0.8/24"
default_interface: "enp2s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
perrsistent_keepalive: "30"
wireguard_endpoint: ""
wireguard_byhost_allowed_ips:
merlin: 10.0.0.8,192.168.1.43
corwin: 10.0.0.8,192.168.1.43
wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE


@ -1,19 +1,25 @@
--- ---
default_interface: "enp1s0"
consul_iface: "{{ default_interface}}"
vault_iface: "{{ default_interface}}"
nfs_iface: "{{ default_interface}}"
nomad_client_cpu_total_compute: 8000
wireguard_address: "10.0.0.2/24" wireguard_address: "10.0.0.2/24"
wireguard_allowed_ips: "10.0.0.2/32,192.168.1.0/24" wireguard_byhost_allowed_ips:
merlin: 10.0.0.2,192.168.1.40
corwin: 10.0.0.2,192.168.1.40
perrsistent_keepalive: "30" perrsistent_keepalive: "30"
wireguard_endpoint: "" wireguard_endpoint: ""
wireguard_postup: wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT - iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT - iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT - iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT - iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE - iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE
consul_snapshot: True
partition_table: partition_table:
- device: "/dev/sda" - device: "/dev/sda"


@ -0,0 +1,17 @@
---
ansible_host: oscar-dev.lan.ducamps.dev
default_interface: eth0
vault_iface: "{{ default_interface}}"
wireguard_address: "10.0.1.2/24"
perrsistent_keepalive: "30"
wireguard_endpoint: ""
wireguard_postup:
- iptables -A FORWARD -i wg0 -j ACCEPT
- iptables -A FORWARD -o wg0 -j ACCEPT
- iptables -t nat -A POSTROUTING -o {{ default_interface }} -j MASQUERADE
wireguard_postdown:
- iptables -D FORWARD -i wg0 -j ACCEPT
- iptables -D FORWARD -o wg0 -j ACCEPT
- iptables -t nat -D POSTROUTING -o {{ default_interface }} -j MASQUERADE


@ -1,12 +1,25 @@
requirements: requirements:
ansible-galaxy install -g -f -r roles/requirements.yml ansible-galaxy install -g -r roles/requirements.yml
deploy_production: deploy_production:
ansible-playbook site.yml -i production ansible-playbook site.yml -i production -u ansible
deploy_staging: deploy_production_wiregard:
ansible-playbook site.yml -i staging ansible-playbook playbooks/wireguard.yml -i production -u ansible
deploy_staging:
ansible-playbook playbooks/wireguard.yml -i staging -u ansible
ansible-playbook site.yml -i staging -u ansible
deploy_staging_base:
ansible-playbook playbooks/sssd.yml -i staging -u ansible
ansible-playbook playbooks/wireguard.yml -i staging -u ansible
ansible-playbook playbooks/server.yml -i staging -u ansible
view-allvault:
ansible-vault view `git grep -l "ANSIBLE_VAULT;1.1;AES256$$"`
generate-token:
@echo export VAULT_TOKEN=`vault token create -policy=ansible -field="token" -period 6h`
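Review bot: `generate-token` creates a Vault token with `-policy=ansible -period 6h` and echoes it in clear to stdout, so it lands in terminal scrollback and in any CI log that captures the target; if the intended use is `eval $(make generate-token)`, keep it out of CI, or have the operator run `vault login` instead so the token never passes through a pipe. None of the targets in this file are files, so declare them: `.PHONY: requirements deploy_production deploy_production_wiregard deploy_staging deploy_staging_base view-allvault generate-token`. `deploy_production_wiregard` is misspelled (`wireguard`); renaming it now is cheap before other tooling depends on the name. The hunk starts at line 1 of the file and no `.PHONY` is visible, so the declaration is presumably missing entirely.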


@ -0,0 +1,9 @@
#!/bin/sh
readonly vault_password_file_encrypted="$(dirname $0)/vault-password.gpg"
# flock used to work around "gpg: decryption failed: No secret key" in tf-stage2
# would otherwise need 'auto-expand-secmem' (https://dev.gnupg.org/T3530#106174)
flock "$vault_password_file_encrypted" \
gpg --batch --decrypt --quiet "$vault_password_file_encrypted"
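Review bot: `$(dirname $0)` leaves `$0` unquoted, so a checkout under a path containing spaces or glob characters yields a broken filename, and combining `readonly` with the command substitution hides a failing `dirname` behind `readonly`'s own exit status. Write it as `vault_password_file_encrypted="$(dirname "$0")/vault-password.gpg"` followed by `readonly vault_password_file_encrypted`. Since this script is the `vault_password_file` that decrypts the Ansible vault password, a short header comment naming that role, and noting that `--batch` makes gpg fail rather than prompt when no agent or key is available, would help the next reader.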

Binary file not shown.


@ -0,0 +1,45 @@
---
prerun: false
dependency:
name: galaxy
enabled: false
driver:
name: vagrant
provider:
name: libvirt
default_box: archlinux/archlinux
platforms:
- name: oscar-dev
cpu: 1
memory: 1024
box: archlinux/archlinux
- name: merlin-dev
cpu: 1
memory: 1024
box: generic/rocky9
- name: gerard-dev
cpu: 1
memory: 1024
box: debian/bookworm64
- name: nas-dev
cpu: 1
memory: 1024
box: archlinux/archlinux
provisioner:
name: ansible
connection_options:
ansible_ssh_user: vagrant
ansible_become: true
env:
ANSIBLE_CONFIG: ../../ansible.cfg
ANSIBLE_ROLES_PATH: "../../roles"
log: true
lint:
name: ansible-lint
inventory:
host_vars: []
links:
group_vars: ../../group_vars
hosts: ../../staging
verifier:
name: ansible
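Review bot: `lint:` is given as a mapping (`name: ansible-lint`), which is the Molecule 2 form; if I recall the schema correctly, Molecule 3 and later expect a shell command string such as `lint: ansible-lint` and reject the mapping, so check this against the Molecule version actually installed. `dependency.enabled: false` means roles from `roles/requirements.yml` are not fetched by Molecule and must already exist under `../../roles`, where `ANSIBLE_ROLES_PATH` points; a comment stating that roles are installed by the Makefile's `requirements` target, not by Molecule, would record that dependency.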


@ -1,10 +1,54 @@
- hosts: all ---
- name: Consul install
hosts: all
roles: roles:
- role: ansible-consul - role: ansible-consul
become: true become: true
- name: Vault install
hosts: homelab
roles:
- role: ansible-hashicorp-vault - role: ansible-hashicorp-vault
when: ansible_architecture == 'x86_64'
become: true become: true
post_tasks:
- name: Stat root file
ansible.builtin.stat:
path: "{{ vault_unseal_keys_dir_output }}/rootkey"
register: rootkey_exist
delegate_to: localhost
- name: Reading root contents
ansible.builtin.command: cat "{{ vault_unseal_keys_dir_output }}/rootkey"
register: root_token
delegate_to: localhost
when: rootkey_exist.stat.exists
changed_when: false
- name: debug
ansible.builtin.debug:
var: root_token
- name: Generate nomad token
community.hashi_vault.vault_token_create:
renewable: true
policies: "nomad-server-policy"
period: 72h
no_parent: true
token: "{{ root_token.stdout }}"
url: "http://active.vault.service.consul:8200"
retries: 4
run_once: true
delegate_to: localhost
when: root_token.stdout is defined
register: nomad_token_data
- name: Gather nomad token
ansible.builtin.set_fact:
nomad_vault_token: "{{ nomad_token_data.login.auth.client_token }}"
when: nomad_token_data.login is defined
- name: nomad
hosts: all
vars:
unseal_keys_dir_output: ~/vaultunseal
roles:
- role: ansible-nomad - role: ansible-nomad
become: true become: true
- role: docker - role: docker
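Review bot: The `debug` task with `var: root_token` prints the Vault root token, just read from `rootkey`, into the playbook output and any log shipped from it; remove that task, and add `no_log: true` to `Reading root contents` and to `Generate nomad token`, whose `token:` argument is otherwise shown under `-v`. The root token is also sent to `url: "http://active.vault.service.consul:8200"` over plain HTTP, so it is readable on the path between the control node and the active Vault unless that name resolves locally; use the TLS listener if the Vault role configures one. `unseal_keys_dir_output` in the nomad play's `vars:` does not match `vault_unseal_keys_dir_output` used earlier in the same hunk — confirm which name the roles expect, since a stale name silently falls back to a default path. The nomad play's `roles:` list continues past the hunk.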


@ -0,0 +1,9 @@
---
- hosts:
- homelab
- VPS
- NAS
vars:
# certbot_force: true
roles:
- autofs


@ -1,7 +1,6 @@
--- ---
- hosts: all - hosts: all
remote_user: root gather_facts: false
vars: become: true
ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
roles: roles:
- ansible_bootstrap - ansible_bootstrap


@ -0,0 +1,28 @@
---
- hosts: all
roles:
- role: ansible-user
vars:
user_name: '{{ user.name }}'
user_ldap: '{{ sssd_configure}}'
user_password: '{{ userPassword }}'
user_authorized_key: '{{ user.authorized_keys}}'
user_privatekey: '{{ user.privatekey}}'
user_shell: '/bin/zsh'
user_uid: '{{ user.uid }}'
user_groups:
- docker
become: true
become_user: '{{ user.name }}'
- hosts: all
roles:
- role: user_config
vars:
user_config_username: "{{ user.name }}"
become_user: "{{ user.name }}"
become: true
- role: user_config
vars:
user_config_username: root
become: true
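Review bot: `become_user: '{{ user.name }}'` on the `ansible-user` role appears to run the role that creates `user.name` as that very account, which does not exist yet on a fresh host; unless the role escalates internally, drop `become_user` so it runs as root, as the `user_config` role for `root` in the second play already does. `user_groups: - docker` puts the user in the Docker group, which is equivalent to unrestricted root through the Docker socket; add `# docker group == root-equivalent; keep this list tight` next to it so the grant is a conscious one. `user_password: '{{ userPassword }}'` comes from a variable not defined here — it should live in a vaulted file, and the role's user task should be `no_log: true` (the role itself is not visible here, so confirm).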


@ -1,7 +1,54 @@
--- ---
- hosts: database - name: Database playbook
hosts: database
vars: vars:
# certbot_force: true # certbot_force: true
pre_tasks:
- name: Install Pg vertors (immich)
aur:
name: pgvecto.rs-bin
state: present
become: true
become_user: aur_builder
- name: Add database member to pg_hba replication
ansible.builtin.set_fact:
postgresql_hba_entries: "{{ postgresql_hba_entries + [\
{'type':'host', \
'database': 'replication',\
'user':'repli',\
'address':hostvars[item]['ansible_'+hostvars[item]['default_interface']]['ipv4']['address']+'/32',\
'auth_method':'trust'}] }}"
loop: '{{ groups.database }}'
roles: roles:
- role: ansible-role-postgresql - role: ansible-role-postgresql
become: true become: true
tasks:
- name: Launch replication
ansible.builtin.command: pg_basebackup -D /var/lib/postgres/data -h {{groups["database_active"]|first}} -U repli -Fp -Xs -P -R -w
args:
creates: /var/lib/postgres/data/postgresql.conf
become: true
become_user: postgres
when: inventory_hostname in groups["database_standby"]
- name: Ensure PostgreSQL is started and enabled on boot.
ansible.builtin.service:
name: '{{ postgresql_daemon }}'
state: '{{ postgresql_service_state }}'
enabled: '{{ postgresql_service_enabled }}'
become: true
- name: Set Postgress shared libraries
community.postgresql.postgresql_set:
name: shared_preload_libraries
value: vectors.so
become: true
become_user: postgres
when: inventory_hostname in groups["database_active"]
notify: Restart postgresql
- name: Set Postgress shared libraries
community.postgresql.postgresql_set:
name: search_path
value: '$user, public, vectors'
become: true
become_user: postgres
when: inventory_hostname in groups["database_active"]
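Review bot: The generated `pg_hba` entry uses `'auth_method':'trust'`, so any local process on the listed database hosts can open a replication connection as `repli` with no credential and pull the whole cluster; prefer a `hostssl` entry with `'auth_method':'scram-sha-256'` (password in the postgres user's `~/.pgpass`, which `pg_basebackup -w` reads without prompting) or `cert`. Two tasks share the name `Set Postgress shared libraries` although the second sets `search_path`; rename it `Set Postgres search_path` so the run log is unambiguous. The `set_fact` loop reads `hostvars[item]['ansible_'+...]` for every member of `groups.database`, so it silently depends on facts having been gathered for all of them first — a one-line comment would save the next debugger a hunt.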


@ -0,0 +1,6 @@
---
- name: DNS playbook
hosts: DNS
roles:
- role: pdns_recursor-ansible
become: true


@ -5,4 +5,3 @@
- cronie - cronie
- hass-client-control - hass-client-control
- mpd - mpd

28
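--- a/ansible/playbooks/nas.yml
+++ b/ansible/playbooks/nas.yml
@@ -0,0 +1,28 @@
+---
+- name: gather all
+hosts: all
+- name: NAS playbook
+hosts: NAS
+vars:
+# certbot_force: true
+pre_tasks:
+- name: include task NasBind
+ansible.builtin.include_tasks:
+file: tasks/NasBind.yml
+loop: "{{ nas_bind_source }}"
+- name: create nomad folder
+ansible.builtin.file:
+path: "{{ nas_bind_target }}/nomad/{{ item.name }}"
+owner: "{{ item.owner|default('root') }}"
+state: directory
+become: true
+loop: "{{ NAS_nomad_folder }}"
+roles:
+- role: ansible-role-nut
+become: true
+- role: ansible-role-nfs
+become: true
+- role: ansible-role-pureftpd
+become: true
+- role: vladgh.samba.server
+become: true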
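Review bot: `create nomad folder` sets `owner` but neither `group` nor `mode`, so the permissions of directories backing Nomad volumes depend on the remote umask; set `mode:` explicitly (for example `mode: "0750"` — a constructed value, choose what the consuming jobs need). The leading `gather all` play has no tasks and presumably exists only so that `hostvars` for every host are populated before the NAS play runs; a comment `# facts-only play: populates hostvars used by later plays` would say so. The `include task NasBind` loop hands `item` to `tasks/NasBind.yml`, which works, but a `loop_control: loop_var:` name would avoid shadowing if that file ever loops itself.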


@ -1,11 +1,26 @@
--- ---
- hosts: - hosts:
- homelab - homelab
- VPS - VPS
- NAS
vars: vars:
# certbot_force: true # certbot_force: true
tasks:
- name: Create user
ansible.builtin.include_role:
name: "ansible-user"
apply:
become: true
vars:
user_name: "{{ create.name }}"
user_home: "{{ create.home }}"
user_groups: "{{ create.groups|default('') }}"
user_shell: "{{ create.shell|default('') }}"
user_authorized_key: "{{ create.authorized_keys|default([]) }}"
user_privatekey: "{{ create.privatekey|default([])}}"
loop: "{{system_user}}"
loop_control:
loop_var: create
roles: roles:
- system - system
- autofs
- msmtp
- cronie - cronie
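Review bot: `user_privatekey: "{{ create.privatekey|default([])}}"` passes private-key material from `system_user` into a looped `include_role`; that variable must live in a vaulted file, and the role tasks that write the key should be `no_log: true` (it can be set under `apply:` if the role does not do it), otherwise the key shows up in verbose output. The defaults are inconsistent in type: `user_groups` and `user_shell` fall back to `''` while the key variables fall back to `[]`; if the role iterates `user_groups`, an empty string behaves differently from an empty list, so check what `ansible-user` expects.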


@ -0,0 +1,5 @@
---
- hosts: all
roles:
- role: ansible-role-sssd
become: true


@ -0,0 +1,18 @@
- name: Ensure base NFS directory exist
ansible.builtin.file:
path: "{{ item.dest }}"
state: directory
become: true
- name: Ensure source NFS directory exist
ansible.builtin.file:
path: "{{ item.source }}"
state: directory
become: true
- name: Bind NAS export
ansible.posix.mount:
path: "{{ item.dest }}"
src: "{{ item.source }}"
opts: bind
fstype: none
state: mounted
become: true


@ -0,0 +1 @@
path = /exports/homes/%S


@ -1,4 +0,0 @@
- hosts: all
vars:
roles:
- user_config


@ -2,4 +2,4 @@
- hosts: wireguard - hosts: wireguard
roles: roles:
- role: ansible-role-wireguard - role: ansible-role-wireguard
become: True become: true


@ -1,24 +1,52 @@
[homelab] [DNS]
oscar oscar
gerard
[VPS]
corwin
merlin
[dhcp] [dhcp]
gerard oberon
[wireguard] [database_active]
corwin bleys
oscar
merlin
gerard
[database] [database_standby]
oscar oscar
merlin
[database:children]
database_active
database_standby
[rsyncd] [rsyncd]
oscar oscar
bleys
[wireguard:children]
production
[NAS]
oberon
[cluster]
oscar
#gerard
bleys
[homelab:children]
NAS
cluster
[VPS]
merlin
[region:children]
homelab
VPS
production
[production]
oscar
merlin
#gerard
bleys
oberon
[staging]


@ -6,10 +6,8 @@
- hosts: all - hosts: all
remote_user: root remote_user: root
vars:
ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
roles: roles:
- ansible_bootstrap - ansible_bootstrap
- remote_user: "{{ user.name }}" # - remote_user: "{{ user.name }}"
import_playbook: site.yml # import_playbook: site.yml
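Review bot: The two trailing lines `# - remote_user: "{{ user.name }}"` / `# import_playbook: site.yml` are commented-out code; delete them, since history already records the old chaining, and if the reason is that `site.yml` is now run on its own, a one-line comment saying so is more useful than the dead lines. With the vaulted `ansible_password` lookup gone but `remote_user: root` kept, this play now relies on key-based root login being available on new hosts — worth confirming that is the intended bootstrap path.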


@ -1,37 +1,49 @@
--- ---
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible-arch-provissionning.git roles:
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-arch-provissionning.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible-role-postgresql.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-postgresql.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible-role-sssd - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-sssd
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible_bootstrap.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible_bootstrap.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/autofs.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/autofs.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/cronie.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/cronie.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/docker.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/docker.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/hass-client-control.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/hass-client-control.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/msmtp.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/msmtp.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/rsyncd.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/rsyncd.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/system.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/system.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/user_config.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/user_config.git
scm: git scm: git
- src: https://github.com/githubixx/ansible-role-wireguard.git - src: git@github.com:vincentDcmps/ansible-role-wireguard.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible-consul.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-consul.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible-hashicorp-vault.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-hashicorp-vault.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible-nomad.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-nomad.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/mpd.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/mpd.git
scm: git scm: git
- src: ssh://git@git.ducamps.win:2222/ansible-roles/ansible-dhcpd.git - src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-dhcpd.git
scm: git scm: git
- src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-user.git
scm: git
- src: git@github.com:vincentDcmps/ansible-role-nfs.git
scm: git
- src: git@github.com:vincentDcmps/ansible-role-nut.git
scm: git
- src: git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git
scm: git
- src: https://github.com/PowerDNS/pdns_recursor-ansible.git
collections:
- name: vladgh.samba
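Review bot: `- src: git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git` uses scp-like syntax, which has no port field: git connects to port 22 and treats `2222/ansible-roles/...` as the repository path; every other self-hosted entry uses `ssh://`, so change it to `src: ssh://git@git.ducamps.eu:2222/ansible-roles/ansible-role-pureftpd.git`. No role, nor the `vladgh.samba` collection, carries a `version:`, so each `ansible-galaxy install` pulls whatever the default branch currently points at — including for the three GitHub sources outside this forge — and an upstream change lands unreviewed; pinning `version:` to a tag or commit per entry makes installs reproducible and turns updates into a reviewed diff. `pdns_recursor-ansible` also lacks the `scm: git` its neighbours have; galaxy infers git for `https://github.com` URLs, but being explicit keeps the file uniform.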


@ -1,9 +1,10 @@
--- ---
- import_playbook: playbooks/server.yml - import_playbook: playbooks/server.yml
- import_playbook: playbooks/wireguard.yml - import_playbook: playbooks/dhcpd.yml
- import_playbook: playbooks/dns.yml
- import_playbook: playbooks/HashicorpStack.yml - import_playbook: playbooks/HashicorpStack.yml
- import_playbook: playbooks/nas.yml
- import_playbook: playbooks/autofs.yml
- import_playbook: playbooks/sssd.yml
- import_playbook: playbooks/database.yml - import_playbook: playbooks/database.yml
- import_playbook: playbooks/rsyncd.yml - import_playbook: playbooks/rsyncd.yml
- import_playbook: playbooks/music-player.yml
- import_playbook: playbooks/dhcpd.yml
- import_playbook: playbooks/user_config.yml


@ -1,13 +1,44 @@
[DNS]
oscar-dev
[database_active]
oscar-dev
[database_standby]
gerard-dev
[database:children]
database_active
database_standby
[wireguard:children]
staging
[NAS]
nas-dev
[cluster]
oscar-dev
gerard-dev
[homelab:children]
NAS
cluster
[VPS] [VPS]
VMDR merlin-dev
[dhcp] [region:children]
VMAS-BUILD homelab
VPS
[VMServer] staging
VMAS-HML
[wireguard]
VMDR
[staging]
oscar-dev
gerard-dev
merlin-dev
nas-dev
[production]


@ -6,15 +6,16 @@
"tags": [ "tags": [
"homer.enable=true", "homer.enable=true",
"homer.name=Diskstation", "homer.name=Diskstation",
"homer.url=https://syno.ducamps.win", "homer.url=https://syno.ducamps.eu",
"homer.logo=https://syno.ducamps.win/webman/resources/images/icon_dsm_96.png", "homer.logo=https://syno.ducamps.eu/webman/resources/images/icon_dsm_96.png",
"homer.service=Application", "homer.service=Application",
"homer.target=_blank", "homer.target=_blank",
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.syno.rule=Host(`syno.ducamps.win`)", "traefik.http.routers.syno.rule=Host(`syno.ducamps.eu`)",
"traefik.http.routers.syno.tls.domains[0].sans=syno.ducamps.win", "traefik.http.routers.syno.tls.domains[0].sans=syno.ducamps.eu",
"traefik.http.routers.syno.tls.certresolver=myresolver" "traefik.http.routers.syno.tls.certresolver=myresolver",
"traefik.http.routers.syno.entrypoints=web,websecure"
] ]
} }
} }
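Review bot: Adding `web` to `traefik.http.routers.syno.entrypoints=web,websecure` exposes the Diskstation router on the plain-HTTP entrypoint as well; unless `web` carries a global redirect to `websecure` (not visible in this file), the DSM login then travels unencrypted. If no such redirect exists, either attach a `redirectscheme` middleware to this router or keep the value at `websecure` only. A short comment in the tags stating why `web` is needed would help, since the TLS settings two lines above suggest HTTPS-only was the original intent.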


@ -0,0 +1,35 @@
# 001 Development environment
## Status
Accepted
## Context
we need to create a virtual cluster to do test without impact on production.
### Virtualisation or Container
Virtualisation provide better isolation but must ressource are needed.
Container able to create more item without consum as resource than virtual machine.
### Creation Wrapper
Vagrant is good top manage virtual machine but not a lot of LXC box availlable, Vagant van be use with other configuration manager than ansible.
Molecule can manage molecule with plugins molecule-LXD. molecule is ansible exclusive solution
## Decision
we will use container instead VM for the resource consumption avantage.
Molecule wrapper will be use because all our configuration is already provide by ansible and we can have a better choise of container with molecule than vagrant.
25/08/2023
some issue are meet with lxc (share kernel, privilege, plugin not maintain)
I have increase RAM on my computer so I can switch to virtual machine for the dev env
instead to build vagrant VM in a molecule playbooke we only use a vagrant file to avoid toi many overlay to maintain.
## Consequences
migrate molecule provissioning on dedicated vagrant file


@ -0,0 +1,28 @@
# 002-Vault-Backend
## Status
## Context
Currently vault Backend is onboard in Consul KV
Hashicorp recommandation is to use integrated storage from vault cluster
This could remove consul dependancy on rebuild
## Decision
migrate to vault integrated storage
## Consequences
to do:
- [migration plan]("https://developer.hashicorp.com/vault/tutorials/raft/raft-migration")
1. basculer oscar,gerard et bleys and itegrated storage merlin restera en storage consul pendant l'opé avant décom
2. stoper le service vault sur oscar
3. lancer la commande de migration
4. joindre les autre node au cluster
5. décom vault sur merlin
6. adapter job backup
- [backup]("https://developer.hashicorp.com/vault/tutorials/standard-procedures/sop-backup")


@ -0,0 +1,54 @@
# 003-mailserver
## Status
done
## Context
Gandi free email will become a pay service in 2 month.
In this condition it will be interesting to study selfhosted mail solution.
### domain name
do I take advantage of this to change domaine name:
Pro:
- could test more easy
- could redirect old domain name to new one untile end of gandi domain (2026)
- get a more "normal" extention
con:
- need to progresively update every personal account
### Container localisation
on hetzner:
- need to increase memory
on homelab:
- need to redirect all serveur flux to hetzner to be sure to be sure that mail will be send with hetzner IP (control PTR on this IP)
- hetzner will be too a SPOF
### software choose
mail server will run in nomad cluster.
docker-mailserver -> 1 container
mailu
## Decision
we will switch to another domain name on "https://www.bookmyname.com/": ducamps.eu""
docker-mailserver will be more easier to configure because only one container to migrate to nomad
for begining container will be launch on hetzner
## Consequences
- need to buy a new domaine name and configure DNS (done)
- inprove memory on corwin (done)

117
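--- a/docs/ADR/004-DNS.md
+++ b/docs/ADR/004-DNS.md
@@ -0,0 +1,117 @@
+# DNS
+## 001 Recursor out off NAS
+### Status
+done
+### Context
+curently main local domain DNS is located on NAS.
+goal:
+- avoid DNS outtage in case of NAS reboot (my synology have 10 years and is a litle long to reboot) morever during NAS reboot we lost the adblock DNS in the nomad cluster because nomad depend of the NFS share.
+- remove the direct redirection to service.consul DNS and the IPTABLE rule use to redirect port 53 on consul on gerard instead new DNS could be forward directly to an active consul node on port 8300
+#### DNS software
+need DHCP Dynamic update
+could redirect domain on other port than port 53
+### Decision
+we will migrate Main Domain DNS from NAS to gerard (powerDNS)
+powerDNS provide two disting binaries one for authority server one other for recursor
+goal is to first migrate the recursice part from synology to a physical service
+and in second time migrate authority server in nmad cluster
+### Consequences
+before to move authority server need to remove DB dns dependance (create db consul services)
+need to delete the iptable rule on gerard before deploy
+## 002 each node request self consul client for consul dns query
+### Status
+done
+### Context
+to avoid a cluster failled in case of the DNS recursor default.
+I would like that each cluster client request their own consul client
+first to resolve consul DNS query
+### Decision
+Implement sytemd-resolved on all cluster member and add a DNS redirection
+### Consequences
+need to modify annsible system role for systemd-resolved activation and consul role for configure redirection
+## 003 migrate authority DNS from NAS to cluster
+### Status
+done
+### Context
+we have curently three authority domain on NAS:
+- ducamps.win
+- ducamps.eu
+- lan.ducamps.eu
+we could migrate authority DNS in cluster
+ducamps.win and ducamps.eu are only use for application access so no dependence with cluster build
+need to study cluster build dependance for lan.ducamps.eu-> in every case in case of build from scratch need to use IP
+need keepalive IP and check if no conflict if store on same machine than pihole->ok don't need to listen on 53 only request by recursor
+DNS authority will dependant to storage (less problematic than recursor)
+### Decision
+### Consequences
+## 004 migrate recurson in cluster
+### Status
+done
+### Context
+now that cluster doesn't depend of recursor because request self consul agent for consul query need
+need to study if we can migrate recursor in nomad wihout break dependance
+advantage:
+- recursor could change client in case of faillure
+agains:
+- this job need a keepalive IP like pihole
+- *loss recursor if lost nomad cluster*
+### Decision
+put one recursor on cluster over authority server and keep the recursor on gerard for better recundancy
+### Consequences
+## 005 physical Recursor location
+### Status
+done
+### Context
+following NAS migration physical DNS Recursor was install directly on NAS this bring a SPOF when NAS failed Recursor on Nomad cluster are stopped because of volume dependance
+### Decision
+Put physical Recursor on a cluster node like that to have a DNS issue we need to have NAS and this nomad down on same Time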

42
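--- a/docs/ADR/005-NAS.md
+++ b/docs/ADR/005-NAS.md
@@ -0,0 +1,42 @@
+# NAS
+## 001 New Nas spec
+### Status
+In progress
+### Context
+Storage:
+- Data filesytem will be in btrfs.
+- Study if keep root filesystem in EXT4.
+- Need to use LVM over btrfs added posibility to add cache later (cache on cold data useless on beginning maybe write cache in future use).
+- hot Data (nomad, document,fresh download file,music?) on SSD cold DATA on HDD (film, serie photo)
+- at least 2 HDD and 2 SSD
+Hardware:
+- network 2.5 gpbs will be good for evolve
+- at least 4go ram (expansive will be appreciable)
+Software:
+be able to install custom linux distrib
+### Decision
+- Due to form factor/consumption and SSD capability my choise is on ASUSTOR Nimbustor 2 Gen 2 AS5402, he corresponding to need and less expensive than a DIY NAS
+- buy only a new ssd of 2to in more to store system and hot data
+### Cosequence
+need to migrate Data and keep same disk
+- install system
+- copy all data from 2to HDD to SSD then format 2to HDD
+- copy download data to FROM 4 to HDD to SSD
+- copy serie to 2to HDD and copy film on external harddrive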


@ -0,0 +1,25 @@
# Docker Pull throught
# 001 architecture consideration
## Status
Accepted
## Context
docker hub get a pull limit if somebody go wrong on our infrastructure we can get quickyly this limit solution will be to implement a pull throught proxy.
### Decision
create two container task to create a dockerhub pull through and a ghcr one
we can add these registry to traefick to have both under the port 5000 but this will add a traefik dependancy on rebuild
so to begin we will use one trafick service on two diferent static port
## Consequences
- this registry need to be start first on cluster creation
- need to update all job image with local proxy url

36
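--- a/docs/Concepts/DNS.md
+++ b/docs/Concepts/DNS.md
@@ -0,0 +1,36 @@
+# Architecture DNS
+```mermaid
+flowchart LR
+subgraph External
+externalRecursor[recursor]
+GandiDns[ hetzner ducamps.win]
+end
+subgraph Internal
+pihole[pihole]--ducamps.win-->NAS
+pihole--service.consul-->consul[consul cluster]
+pihole--->recursor
+recursor--service.consul-->consul
+DHCP --dynamic update--> NAS
+NAS
+recursor--ducamps.win-->NAS
+consul--service.consul--->consul
+clients--->pihole
+clients--->recursor
+end
+pihole --> externalRecursor
+recursor-->External
+```
+## Detail
+Pihole container in nomad cluster is set as primary DNS as add blocker secondary DNS recursore is locate on gerard
+DNS locate on NAS manage domain *ducamps.win* on local network each recursor forward each request on *ducamps.win* to this DNS.
+Each DNS forward *service.consul* request to the consul cluster.
+Each consul node have a consul redirection in systemd-resolved to theire own consul client
+a DHCP service is set to do dynamic update on NAS DNS on lease delivery
+external recursor are set on pihole on cloudflare and FDN in case of recursors faillure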


@ -0,0 +1,11 @@
# Add a new job
## Create Nomad job
## Add secret to vault
## Add a new policy to Vault terraform
## Add Database creation in ansible variable (if neeeded)
## Create CNAME in local DNS and External if needed


@ -0,0 +1,25 @@
# ansible vault management
ansible password are encoded with a gpg key store in ansible/misc
to renew password follow this workflown
```sh
# Generate a new password for the default vault
pwgen -s 64 default-pw
# Re-encrypt all default vaults
ansible-vault rekey --new-vault-password-file ./default-pw \
$(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
# Save the new password in encrypted form
# (replace "RECIPIENT" with your email)
gpg -r RECIPIENT -o misc/vault--password.gpg -e default-pw
# Ensure the new password is usable
ansible-vault view misc/vaults/vault_hcloud.yml
# Remove the unencrypted password file
rm new-default-pw
```
script `vault-keyring-client.sh` is set in ansible.cfg as vault_password_file to decrypt the gpg file


@ -0,0 +1,8 @@
# Troubleshooting
## issue with SMTP traefik port
ensure that no other traefik router (httt or TCP) listening on smtp or
all entrypoint this can pertuubate smtp TLS connection
see [https://doc.traefik.io/traefik/routing/routers/#entrypoints_1](here)


@ -0,0 +1,23 @@
# How to Bootstrap dev env
## prerequisite
dev environment is manage by molecule job who launch container via LXD you need following software to launch it:
- LXD server up on your local machine
- molecule install ```pip install molecule```
- molecule-LXD plugins ```pip install molecule-lxd```
## provissionning
you can launch ```make create-dev``` on root project
molecule will create 3 container on different distribution
- archlinux
- rockylinux 9
- debian 11
To bootstrap the container (base account, sudo configuration) role [ansible_bootstrap](https://git.ducamps.win/ansible-roles/ansible_bootstrap) will be apply
Converge step call playbook [site.yml](https://git.ducamps.win/vincent/homelab/src/commit/c5ff235b9768d91b240ec97e7ff8e2ad5a9602ca/ansible/site.yml) to provission the cluster

3
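--- a/docs/index.md
+++ b/docs/index.md
@@ -0,0 +1,3 @@
+--8<--
+README.md
+--8<--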


@ -1,23 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hetznercloud/hcloud" {
version = "1.33.2"
hashes = [
"h1:3Hx8p9LbcnHfBhy3nT7+unlc5rwkiSZjLt9SVQOSpB8=",
"zh:0a5d0f332d7dfe77fa27301094af98a185aabfb9f56d71b81936e03211e4d66f",
"zh:0e047859ee7296f335881933ccf8ce8c07aa47bef56d5449a81b85a2d9dac93a",
"zh:1d3d0896f518df9e245c3207ed231e528f5dcfe628508e7c3ceba4a2bfefaa7a",
"zh:1d7a31c8c490512896ce327ab220e950f1a2e30ee83cc2e58e69bbbfbbb87e72",
"zh:67cbb2492683cb22f6c54f26bee72aec140c8dd2d0881b2815d2ef80959fc751",
"zh:771062815e662979204ac2dc91c34c893f27670d67e02370e48124483d3c9838",
"zh:957ebb146898cd059c0cc8b4c32e574b61041d8b6a11cd854b3cc1d3baaeb3a9",
"zh:95dbd8634000b979213cb97b5d869cad78299ac994d0665d150c8dafc1390429",
"zh:a21b22b2e9d835e1b8b3b7e0b41a4d199171d62e9e9be78c444c700e96b31316",
"zh:aead1ba50640a51f20d574374f2c6065d9bfa4eea5ef044d1475873c33e58239",
"zh:cefabd0a78af40ea5cd08e1ca436c753df9b1c6496eb27281b755a2de1f167ab",
"zh:d98cffc5206b9a7550a23e13031a6f53566bd1ed3bf65314bc55ef12404d49ce",
"zh:dddaaf95b6aba701153659feff12c7bce6acc78362cb5ff8321a1a1cbf780cd9",
"zh:fd662b483250326a1bfbe5684c22c5083955a43e0773347eea35cd4c2cfe700e",
]
}


@ -1,24 +0,0 @@
resource "hcloud_server" "HomeLab" {
count = var.instances
name = "merlin"
image = var.os_type
server_type = var.server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.prod.id]
labels = {
}
}
resource "hcloud_server" "HomeLab2" {
count = var.instances
name = "corwin"
image = "rocky-9"
server_type = var.server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.prod.id]
labels = {
}
}


@ -9,3 +9,31 @@ vault-dev:
else \ else \
./vault/standalone_vault.sh $(FILE);\ ./vault/standalone_vault.sh $(FILE);\
fi fi
vagranup:
vagrant up
create-dev: vagranup DNS-stagging
make -C ansible deploy_staging
make -C terraform deploy_vault env=staging
VAULT_TOKEN=$(shell cat ~/vaultUnseal/staging/rootkey) python ./script/generate-vault-secret
create-dev-base: vagranup DNS-stagging
make -C ansible deploy_staging_base
destroy-dev:
vagrant destroy --force
serve:
mkdocs serve
DNS-stagging:
$(eval dns := $(shell dig oscar-dev.lan.ducamps.dev +short))
$(eval dns1 := $(shell dig nas-dev.lan.ducamps.dev +short))
sudo resolvectl dns virbr2 "$(dns)" "$(dns1)";sudo resolvectl domain virbr2 "~consul";sudo systemctl restart systemd-resolved.service
DNS-production:
sudo resolvectl dns virbr2 "";sudo resolvectl domain virbr2 "";sudo systemctl restart systemd-resolved.service
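Review bot: `VAULT_TOKEN=$(shell cat ~/vaultUnseal/staging/rootkey) python ./script/generate-vault-secret` expands the root token into the recipe line, and make echoes that expanded line to stdout before running it, so the token is printed on every `make create-dev` and kept in any CI log; prefix the line with `@`, or better let the script read the file itself so the token never appears on a command line. Recursive invocations should be `$(MAKE) -C ansible deploy_staging` and `$(MAKE) -C terraform deploy_vault env=staging` rather than literal `make`, so `-n` and the jobserver propagate. None of the new targets are files, so add `.PHONY: vagranup create-dev create-dev-base destroy-dev serve DNS-stagging DNS-production`; `vagranup` and `DNS-stagging` are also misspelled. `DNS-stagging` chains its three `sudo resolvectl ...` commands with `;`, so a failed `resolvectl dns` still restarts systemd-resolved — use `&&`.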
