feat: add main infra

2023-05-13 02:30:08 +02:00 · 2023-05-13 02:30:08 +02:00 · a195aaeedb
commit a195aaeedb
9 changed files with 230 additions and 0 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -0,0 +1,4 @@
+[defaults]
+inventory = hosts
+host_key_checking = False
+roles_path = "./roles"
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -0,0 +1,5 @@
+ansible_user: root
+
+main_wireguard_public_key: "c47/vJ9Qu32Fy0hk++wEb1FZdvJI16WN0UcsuhGhJyw="
+main_wireguard_ip: "49.12.220.104"
+main_wireguard_port: 51194
--- a/5
+++ b/5
@ -0,0 +1,5 @@
+[bespoke]
+renovate  ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=5.75.254.153 wireguard_peer_ip=10.0.9.9
+
+[renovate]
+renovate  ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=5.75.254.153 wireguard_peer_ip=10.0.9.9
--- a/requirements.yml
+++ b/requirements.yml
@ -0,0 +1,2 @@
+collections:
+  - name: community.docker
--- a/roles/bespoke/tasks/main.yaml
+++ b/roles/bespoke/tasks/main.yaml
@ -0,0 +1,150 @@
+---
+- name: install wireguard
+  apt: 
+    name: wireguard
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: generate private and public key pair
+  args:
+    creates: /etc/wireguard
+  shell: |
+    mkdir -p /etc/wireguard/
+    cd /etc/wireguard/
+    wg genkey | tee clank-privatekey | wg pubkey > clank-publickey
+    chmod 0400 clank-privatekey
+    chmod 0400 clank-publickey
+
+- name: read public key
+  command: cat /etc/wireguard/clank-publickey
+  register: wireguard_publickey
+
+- name: read private key
+  command: cat /etc/wireguard/clank-privatekey
+  register: wireguard_privatekey
+
+- name: print publickey
+  debug:
+    msg: "{{ wireguard_publickey.stdout_lines[0] }}"
+
+- name: Generate WireGuard configuration
+  template:
+    src: wireguard.conf.j2
+    dest: /etc/wireguard/wg0.conf
+  vars:
+    interface_address: "{{ wireguard_peer_ip }}"
+    listen_port: " {{ main_wireguard_port }} "
+    private_key: "{{ wireguard_privatekey.stdout_lines[0] }}"
+    allowed_ips: "10.0.9.0/24"
+    peer_public_key: "{{ main_wireguard_public_key }}"
+    endpoint: "{{ main_wireguard_ip }}:{{ main_wireguard_port }}"
+    persistent_keepalive: 25
+
+- name: enable and start wireguard service 
+  systemd:
+    name: "wg-quick@wg0"
+    state: started
+    enabled: yes
+
+
+- name: Update apt cache
+  apt:
+    update_cache: yes
+
+- name: Install prerequisite packages
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg
+      - lsb-release
+    state: present
+
+- name: Add Docker GPG key
+  apt_key:
+    url: https://download.docker.com/linux/debian/gpg
+    state: present
+
+- name: Add Docker repository
+  apt_repository:
+    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable"
+    state: present
+
+- name: Install Docker
+  apt:
+    name: docker-ce
+    state: present
+
+- name: Start and enable Docker service
+  service:
+    name: docker
+    state: started
+    enabled: yes
+
+- name: Download Docker Compose
+  get_url:
+    url: "https://github.com/docker/compose/releases/latest/download/docker-compose-Linux-x86_64"
+    dest: /usr/local/bin/docker-compose
+    mode: 'u=rwx,g=rx,o=rx'
+
+- name: Set executable permissions for Docker Compose
+  file:
+    path: /usr/local/bin/docker-compose
+    mode: 'u=rwx,g=rx,o=rx'
+
+- name: install git
+  apt: 
+    name: 
+      - git 
+      - python3
+      - python3-pip
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: Install docker package
+  pip:
+    name: 
+      - docker
+      - docker-compose
+    state: present
+
+# Monitoring
+    
+## node exporter
+
+- name: clone private git repository
+  git:
+    repo: https://git:{{ git_token }}@git.front.kjuulh.io/kjuulh/node-exporter-local.git
+    dest: ~/git/git.front.kjuulh.io/kjuulh/node-exporter-local
+    version: main
+    force: yes
+
+- name: ensure docker compose file exists
+  stat:
+    path: ~/git/git.front.kjuulh.io/kjuulh/node-exporter-local/docker-compose.yml
+  register: compose_file_stat
+
+- name: run docker compose
+  docker_compose:
+    project_src: ~/git/git.front.kjuulh.io/kjuulh/node-exporter-local/
+  when: compose_file_stat.stat.exists
+
+## container exporter
+
+- name: clone private git repository
+  git:
+    repo: https://git:{{ git_token }}@git.front.kjuulh.io/kjuulh/container-exporter-local.git
+    dest: ~/git/git.front.kjuulh.io/kjuulh/container-exporter-local
+    version: main
+    force: yes
+
+- name: ensure docker compose file exists
+  stat:
+    path: ~/git/git.front.kjuulh.io/kjuulh/container-exporter-local/docker-compose.yml
+  register: compose_file_stat
+
+- name: run docker compose
+  docker_compose:
+    project_src: ~/git/git.front.kjuulh.io/kjuulh/container-exporter-local/
+  when: compose_file_stat.stat.exists
--- a/roles/bespoke/templates/wireguard.conf.j2
+++ b/roles/bespoke/templates/wireguard.conf.j2
@ -0,0 +1,11 @@
+[Interface]
+Address = {{ interface_address }}/32
+SaveConfig = true
+ListenPort = {{ listen_port }}
+PrivateKey = {{ private_key }}
+
+[Peer]
+PublicKey = {{ peer_public_key }}
+AllowedIPs = {{ allowed_ips }}
+Endpoint = {{ endpoint }}
+PersistentKeepalive = {{ persistent_keepalive }}
--- a/roles/repos/renovate/tasks/main.yml
+++ b/roles/repos/renovate/tasks/main.yml
@ -0,0 +1,27 @@
+
+- name: Clone private Git repository
+  git:
+    repo: https://git:{{ git_token }}@git.front.kjuulh.io/kjuulh/renovate.git
+    dest: ~/git/git.front.kjuulh.io/kjuulh/renovate
+    version: main
+    force: yes
+
+- name: Ensure Docker Compose file exists
+  stat:
+    path: ~/git/git.front.kjuulh.io/kjuulh/renovate/docker-compose.yaml
+  register: compose_file_stat
+
+- name: Ensure .github.env exists
+  stat:
+    path: ~/git/git.front.kjuulh.io/kjuulh/renovate/.github.env
+  register: github_env_stat
+
+- name: Ensure .env exists
+  stat:
+    path: ~/git/git.front.kjuulh.io/kjuulh/renovate/.env
+  register: env_stat
+
+- name: Run Docker Compose
+  docker_compose:
+    project_src: ~/git/git.front.kjuulh.io/kjuulh/renovate/
+  when: compose_file_stat.stat.exists and github_env_stat.stat.exists and env_stat.stat.exists
--- a/site.yml
+++ b/site.yml
@ -0,0 +1,18 @@
+---
+- hosts: bespoke
+  gather_facts: yes
+  become: yes
+  tags: bespoke
+  vars_files:
+    - vars.yaml
+  roles:
+    - bespoke
+
+- hosts: renovate
+  gather_facts: yes
+  become: yes
+  tags: renovate
+  vars_files:
+    - vars.yaml
+  roles:
+    - repos/renovate
--- a/vars.yaml
+++ b/vars.yaml
@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+62333662383565386562376137313632373163613130356562656163306235393062316365613930
+6664333566363335633562326332316666666465623464330a646432376363666534323364663239
+37616535383163353364313130336430336265633463353333616261356439396535396233643637
+6165393439353064320a323066336661393831616639653733623530356535383530616137363463
+30333831383561396363373161303833386465393337376634633336623765396433386465323731
+39626338353031643665366132643732356637383232376333656266653133616331636132323732
+366138336432336539663561363133653261