New server setup based on ubuntu

This commit is contained in:
Martin Bauer 2023-09-19 10:55:47 +02:00
parent 578be1a1cf
commit 7776095180
30 changed files with 240 additions and 186 deletions


@ -3,7 +3,8 @@ all:
server:
ansible_host: home.bauer.tech
ansible_port: 22187
server2:
children:
iot:
hosts:
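Review bot: The new `server2:` host entry has no `ansible_host`/`ansible_port`, so Ansible will resolve the literal name `server2` and connect on port 22, unlike `server` which overrides both; if this is a placeholder for the second machine, give it its connection vars or a comment such as `# server2: placeholder, not provisioned yet`. Nothing in this commit targets it (server.yml plays against `server`), so it may be deliberate, but an empty host entry reads like a configured one. The inventory continues outside the hunk.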


@ -0,0 +1,21 @@
---
- name: Do apt update/upgrade
apt: upgrade=yes update_cache=yes cache_valid_time=300
- name: Apt install download & unzip packages
apt:
name:
- wget
- zip
- htop
- xz-utils
- python3
- python3-venv
- python3-wheel
- git
- iotop
- name: Download and install mbenv
ansible.builtin.unarchive:
src: "https://owncloud.bauer.tech/s/vMu7X4mRl2vComu/download?path=%2F&files=mbenv.tar.xz"
remote_src: yes
dest: "/home/core/"
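Review bot: The "Download and install mbenv" task fetches a tarball from a public share link and unpacks it straight into `/home/core/` with no checksum or signature check, so whatever that share serves on the day the play runs lands on the server as trusted content; with `remote_src: yes` and a URL, the archive is also re-downloaded on every run because there is no `creates:`. Splitting it into `get_url` with a pinned `checksum:` followed by `unarchive` with `creates:` makes the download verifiable and the task idempotent. Note that `/home/core` must already exist for unarchive to succeed; the `core` user is only touched in the docker role, which runs after this one, so the home directory presumably comes from the base install — worth a comment. Style: the first task uses `key=value` shorthand (`apt: upgrade=yes update_cache=yes cache_valid_time=300`) while the others use block YAML; use block form and `true`/`false` throughout.
```yaml
- name: Download mbenv archive (pinned checksum)
  ansible.builtin.get_url:
    url: "https://owncloud.bauer.tech/s/vMu7X4mRl2vComu/download?path=%2F&files=mbenv.tar.xz"
    dest: /home/core/mbenv.tar.xz
    checksum: "sha256:<digest of the published archive>"  # record it when the archive is updated
    mode: "0644"
- name: Unpack mbenv
  ansible.builtin.unarchive:
    src: /home/core/mbenv.tar.xz
    remote_src: true
    dest: /home/core/
    creates: /home/core/<top-level dir inside the archive>  # TODO confirm the archive layout
```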


@ -0,0 +1,38 @@
---
- name: Install required system packages
apt:
name:
- apt-transport-https
- ca-certificates
- curl
- software-properties-common
- python3-pip
- virtualenv
- python3-setuptools
state: latest
update_cache: true
- name: Add Docker GPG apt Key
apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: Add Docker Repository
apt_repository:
repo: deb https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable
state: present
- name: Update apt and install docker-ce
apt:
name:
- docker-ce
- docker-compose-plugin
state: latest
update_cache: true
- name: Add core to docker group
ansible.builtin.user:
name: core
groups: docker
append: true
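Review bot: The "Add Docker GPG apt Key" task uses `apt_key`, which puts Docker's key into the global apt trust store — any repository on the host could then ship packages signed by that key — and `apt-key` is deprecated on current Debian/Ubuntu; store the key under `/etc/apt/keyrings/` and bind it to this one repository with `signed-by=` instead. `state: latest` on `docker-ce` means every run may silently upgrade the container runtime; `state: present` (or a pinned version) keeps upgrades a deliberate change. Adding `core` to the `docker` group is root-equivalent on the host, since the socket lets that user start a privileged container with `/` bind-mounted — acceptable for the owner's account, but the task deserves a comment saying so (`# docker group == root on this host`).
```yaml
- name: Ensure apt keyrings directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
- name: Add Docker GPG apt key (dedicated keyring, not the global trust store)
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"
- name: Add Docker repository, restricted to that key
  apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
    state: present
# … unchanged: docker-ce install, core → docker group …
```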


@ -0,0 +1,2 @@
ACTION=="add", SUBSYSTEM=="block", ENV{DEVLINKS}=="*/dev/disk/by-label/MartinsPassport4*", ENV{SYSTEMD_WANTS}="media-passport4.mount"
ACTION=="add", SUBSYSTEM=="block", ENV{DEVLINKS}=="*/dev/disk/by-label/MartinsPassport5*", ENV{SYSTEMD_WANTS}="media-passport5.mount"
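Review bot: Both rules match on the filesystem label (`*/dev/disk/by-label/MartinsPassport4*`), which any attached block device can carry — a foreign USB disk formatted with the same label is mounted automatically at the same path, and the trailing `*` also matches labels that merely start with that string. Matching on a property only the owner's disks provide, e.g. `ENV{ID_FS_UUID}=="<uuid of passport4>"` (or `ENV{ID_SERIAL}`), keeps an unknown disk from landing on `/media/passport4`. A comment above each rule naming the physical drive would also help whoever has to replace one.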


@ -0,0 +1,12 @@
[Unit]
Description=Mount /dev/disk/by-label/MartinsPassport4 at /media/passport4
Before=local-fs.target
[Mount]
What=/dev/disk/by-label/MartinsPassport4
Where=/media/passport4
Type=btrfs
Options=noauto,nofail
[Install]
WantedBy=local-fs.target
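Review bot: `Options=noauto,nofail` mounts this hot-pluggable external btrfs disk with suid and device-node semantics intact; for a disk that udev attaches on insertion, `Options=noauto,nofail,nosuid,nodev` is the usual hardening so that a setuid binary or device node on the removable media cannot be used on the server. The same applies to the passport5 unit. Since the unit is both `WantedBy=local-fs.target` and `noauto` while the udev rule in this commit starts it on hot-plug, a comment stating the intended start path (`# started on hot-plug by 99-automounts.rules`) would remove the ambiguity for the next reader.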


@ -0,0 +1,12 @@
[Unit]
Description=Mount /dev/disk/by-label/MartinsPassport5 at /media/passport5
Before=local-fs.target
[Mount]
What=/dev/disk/by-label/MartinsPassport5
Where=/media/passport5
Type=btrfs
Options=noauto,nofail
[Install]
WantedBy=local-fs.target
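Review bot: As for passport4, `Options=noauto,nofail` leaves suid binaries and device nodes on this removable disk usable on the host; `Options=noauto,nofail,nosuid,nodev` is the safer mount line for media that udev attaches automatically. A one-line comment recording how the unit is meant to be started (hot-plug via the udev rule vs. boot via `local-fs.target`) would help here too.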


@ -0,0 +1,14 @@
---
- name: Automount passport4 systemd file
copy: src=media-passport4.mount dest=/etc/systemd/system
- name: Automount passport5 systemd file
copy: src=media-passport5.mount dest=/etc/systemd/system
- name: Create udev rules
copy: src=99-automounts.rules dest=/etc/udev/rules.d
- name: Systemd reread configs
ansible.builtin.systemd:
daemon_reload: true
- name: Reload udev
ansible.builtin.command:
cmd: "udevadm control --reload"
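Review bot: The mount units are copied and `daemon_reload` is run, but they are never enabled, so their `WantedBy=local-fs.target` has no effect and mounting relies entirely on the udev rule; if boot-time mounting is intended, add an `ansible.builtin.systemd` task with `enabled: true` for both units. The `udevadm control --reload` command reports `changed` on every run and does not re-trigger devices already plugged in, so a disk attached before the play will not mount until it is re-plugged — `changed_when: false` (or a handler notified by the copy tasks) fixes the first, and a comment should record the second. The three `copy:` tasks use `key=value` shorthand; block form (`src:`/`dest:`/`mode: "0644"`) matches the rest of the roles and lets you set the mode explicitly.
```yaml
- name: Enable automount units (WantedBy=local-fs.target only applies once enabled)
  ansible.builtin.systemd:
    name: "{{ item }}"
    enabled: true
    daemon_reload: true
  loop:
    - media-passport4.mount
    - media-passport5.mount
- name: Reload udev rules
  ansible.builtin.command:
    cmd: udevadm control --reload
  changed_when: false  # reload is idempotent; the copy task above reports the real change
```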


@ -0,0 +1,20 @@
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
## The primary network interface
#allow-hotplug enp2s0
#iface enp2s0 inet dhcp
## This is an autoconfigured IPv6 interface
#iface enp2s0 inet6 auto
auto bond0
iface bond0 inet dhcp
bond-slaves enp3s0 enp4s0 enp5s0
bond-mode 802.3ad
bond-lacp-rate 1
bond-miimon 100
bond-xmit-hash-policy layer3+4


@ -0,0 +1,8 @@
---
- name: Apt install download & unzip packages
apt:
name:
- ifenslave
- name: Interface file
copy: src=interfaces dest=/etc/network/interfaces
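Review bot: The task name `Apt install download & unzip packages` is copied from the basic-environment role and misdescribes this task, which installs `ifenslave`; `- name: Install ifenslave for NIC bonding` says what it does. Copying `interfaces` into `/etc/network/` changes nothing on the running host — there is no handler or networking restart, so the bond only comes up after a reboot; and because Ansible reaches this host over SSH, applying a bond configuration live can drop the session, so if a handler is added it should be the last thing the play does. The checked-in file hard-codes `enp3s0 enp4s0 enp5s0`, so a comment on the copy task (`# interface names are specific to this machine's NICs`) would stop it being applied to another host by accident.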


@ -0,0 +1,20 @@
---
- name: Apt install NFS server
apt:
name: nfs-kernel-server
update_cache: yes
- name: Ensure correct entry in /etc/exports
lineinfile:
path: /etc/exports
state: present
line: "{{ item }}"
with_items:
- '/data/main 192.168.178.0/255.255.255.0(rw,async,no_subtree_check)'
- name: Restart nfs-kernel-server.service
ansible.builtin.systemd:
daemon_reload: yes
state: started
name: nfs-kernel-server.service
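Review bot: The task named "Restart nfs-kernel-server.service" only sets `state: started`, which is a no-op when the service is already running, so an edited `/etc/exports` is never re-exported on an existing server; either notify a handler with `state: restarted` from the lineinfile task or run `exportfs -ra` after it. The export line grants `rw,async` to the whole `192.168.178.0/24` — `async` lets the server acknowledge writes before they reach the disk, so a crash can lose client data silently; `sync` is the safer default for a data share, and spelling out `root_squash` documents that root on a client is not root on the export: `line: '/data/main 192.168.178.0/255.255.255.0(rw,sync,root_squash,no_subtree_check)'`. The lineinfile task has no `regexp:`, so changing the options later appends a second `/data/main` line instead of replacing the first; `regexp: '^/data/main '` keeps it to one entry.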

server.yml Normal file

@ -0,0 +1,9 @@
- hosts: server
roles:
- server-basic-environment
- server-debian-docker
- server-exthdd-mount
- server-nfs
- server-link-aggregation
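Review bot: The play sets no `become: true`, yet every role it lists runs `apt`, writes under `/etc`, and manages users and systemd units; unless privilege escalation is configured in `ansible.cfg` or the inventory (not visible here), those tasks fail as the connecting user, and stating it in the playbook (`- hosts: server` / `  become: true` / `  roles:`) makes the requirement explicit either way. Role order matters here: `server-basic-environment` unpacks into `/home/core/` before `server-debian-docker` touches the `core` user, so the home directory must already exist from the base install — worth a comment — and `server-link-aggregation`, which rewrites `/etc/network/interfaces`, is rightly last since a networking change can cut the SSH session. The file also lacks the leading `---` the role task files use.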


@ -1,6 +0,0 @@
Select Boot device
==================
Bios accessible using [F2]


@ -1 +0,0 @@
docker run -d --restart=always --name home_influx -p 8086:8086 -v /volumes/influxdb_data/:/var/lib/influxdb influxdb


@ -1,17 +0,0 @@
FROM ubuntu
MAINTAINER "Martin Bauer"
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update
RUN apt-get upgrade -y && apt-get install -y nginx
ADD tagspaces /var/www/
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
RUN rm /etc/nginx/sites-enabled/*
ADD nginx.conf /etc/nginx/conf.d/tagspaces.conf
CMD nginx


@ -1,10 +0,0 @@
server {
listen 80;
server_name "";
root /var/www/;
location / {
index index.html;
}
}


@ -1,6 +0,0 @@
/root/scripts
/etc/nginx/sites-enabled/reverse-proxy
/etc/letsencrypt/
/etc/samba/smb.conf
/etc/environment


@ -1,11 +0,0 @@
#!/bin/bash
BASE=/media/passport4/
TARGET=/media/passport4/snapshots
DATE=`date +%F`
btrfs subvolume snapshot -r $BASE/main_data $TARGET/main_data/$DATE
btrfs subvolume snapshot -r $BASE/films_and_software $TARGET/films_and_software/$DATE
btrfs subvolume snapshot -r $BASE/docker_volume_backup $TARGET/docker_volume_backup/$DATE


@ -1,8 +0,0 @@
#!/bin/bash
# certificate obtained with
#letsencrypt certonly --standalone -d home.bauer.tech
service nginx stop
sleep 30
letsencrypt renew
service nginx start


@ -1,17 +0,0 @@
#!/bin/bash
echo "-------- InfluxDB ------------"
docker pull influxdb
docker rm -f home_influx
docker run -d --restart=always --name home_influx -p 8086:8086 -v /volumes/influxdb_data/:/var/lib/influxdb influxdb
echo "------- MongoDB ------------"
docker pull mongo:4
docker rm -f homemongo
docker run --restart=always --name homemongo -p 27017:27017 -v /volumes/mongo/:/data/db -d mongo:4
echo "------ Grafana -------------"
docker pull grafana/grafana
docker rm -f grafana
docker run --restart=always -d --name=grafana -p 3000:3000 -v /volumes/grafana:/var/lib/grafana grafana/grafana


@ -1,6 +0,0 @@
#!/bin/bash
docker pull owncloud
docker rm -f owncloud
docker run -d --restart=always --name=owncloud -v /volumes/owncloud/apps:/var/www/html/apps -v /volumes/owncloud/config:/var/www/html/config -v /volumes/owncloud/data:/var/www/html/data -p 5555:80 owncloud


@ -1,4 +0,0 @@
#!/bin/bash
docker rm -f mypysmarthome
docker run -d --restart=always --privileged -v /dev/serial/by-id/usb-busware.de_CUL868-if00:/dev/ttyACM0 -p 0.0.0.0:51826:51826 -p 0.0.0.0:7072:7072 -p 0.0.0.0:6720:6720 -p 0.0.0.0:2222:2222 -p 0.0.0.0:8080:8080 --net=host --name=mypysmarthome pysmarthome


@ -1,8 +0,0 @@
#!/bin/bash
# To build
# cd /root/scripts/docker-images/squeezeserver
# docker build -t squeezeserver791 .
docker rm -f squeezeserver
docker run -d --name squeezeserver --restart=always -p 9090:9090 -p 9000:9000 -p 3483:3483 -p 3483:3483/udp -v /volumes/squeezeserver/state/:/mnt/state -v /volumes/squeezeserver/music/:/home/martin/Musik -v /volumes/squeezeserver/playlists/:/home/martin/Playlists squeezeserver791


@ -1,6 +0,0 @@
#!/bin/bash
docker pull sameersbn/squid
docker rm -f squid
docker run --name squid -d --restart=always --publish 3128:3128 --volume /volumes/squid:/var/spool/squid --volume /root/scripts/squid.conf:/etc/squid/squid.conf sameersbn/squid


@ -1,22 +0,0 @@
#!/bin/bash
SRC=/volumes
DST=/media/passport4/docker_volume_backup/
echo "Owncloud Backup"
rsync -azW --delete $SRC/owncloud $DST
echo "Squeezebox Music Backup"
rsync -azW --delete $SRC/squeezeserver $DST
echo "MongoDB Homeautomation Backup"
rsync -azW --delete $SRC/mongo $DST
echo "InfluxDB Homeautomation Backup"
rsync -azW --delete $SRC/influxdb_data $DST
echo "WWW"
rsync -azW --delete $SRC/www $DST
echo "Other files"
rsync -arW --delete --files-from=/root/scripts/files_to_backup.txt / $DST/other


@ -1,49 +0,0 @@
# ----------------- Default from https://gist.github.com/hpcorona/5065634 ----------
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 0.0.0.0/8 192.168.178.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
# Allow all machines to all sites
http_access allow all
# ------------ Custom stuff --------------------------------
cache_mem 512 MB # RAM usage
cache_dir aufs /var/spool/squid 200000 16 256 # 200 GB cache
maximum_object_size 5120 MB # dont store objects larger than 5 GB


@ -74,7 +74,7 @@ CHANNEL_ID=${GROUP:-stable}
BOARD=$(default_board)
OEM_ID=
for f in /usr/share/oem/oem-release /etc/oem-release; do
for f in /oem/oem-release /usr/share/oem/oem-release /etc/oem-release; do
if [[ -e $f ]]; then
# Pull in OEM information too, but prefixing variables with OEM_
eval "$(sed -e 's/^/OEM_/' $f)"
@ -421,8 +421,43 @@ uvyCrat1qt4F8aKqao8sXbopH7QvDBpqGqgMGLkoPheOXypBvnvoYKL7tOoF4XJL
AFM9PKGECoegwC0Mla15amgkfViUWdCsDy8UsSlPfBdvHdJrhChuPDwZV9GztZjj
NdYVRi1OaxZP24IN7o40VFxvMh12E3HaideLi5MzZxxkXhr8m485b2hgvkuNUjoD
nvFn8rZe8axx9FFhpg7/JvCAik3IxRbusM3WDqmFuBGK33phfD5wAKIWrBwT3iMU
4GnMNmKOMrYCE/edg4eOPFj+wjWw8ZGD8XrnHVI0k8fGOoLvAm/x
=xU/g
4GnMNmKOMrYCE/edg4eOPFj+wjWw8ZGD8XrnHVI0k8fGOoLvAm/xuQINBGQHFqQB
EACucSUehSi8KixdOc9pYVWBCoqu5V2NlrjbpVVpmPB118fLPaZV4MSB/AnHssWw
XDeO9zWyyLYstN78D/dWcX8Al74JFtBAM0lfgnqE5na8JZYrEivdsjQUO3Cf250G
yXJwpK+CXpAtH6qVrO595exknHKKTv2dfV51UxDXXzYhLznnYHZoTnzpMKUSwqwP
ywdwDVkalpXfFxP43w+gSuX7uOAI/hhX/iRE0drVDy85422FZnncNdigO6JjARn7
CAoYDcb4K1+zn9WcwzWqV4+yhYDt+yf+o+TLhyF9BarG8cQ1tE4RfaDMZuXp0iKL
itX01mFb0sQ2ZF0YBhQdGaBj/AcfE4e7Sacz9gC93Xd3FaVt0zgsTxMt3Z0dMzAw
9lf7i/aPFFJQLoAZtuYU4hb3S4CG0+l3WPTdW5U276bV5WrTyvibfpNs8mctH4lB
I4jhSkqoPwZ+8gts3XT336P3F2Z/i3cbLmfjbSeAUYRV5BdkozbuWfO6JrZq/BId
KEUMlVi99CJD1fREyMXnr3aROdw7jKhtW5x59Act/ZXB9jixJ5EdxMe5aLeYKNSm
L8I4TXG4DEvbPu/HCHNMlDRoga1CCmVaUEhuJwQaH4PhhlX9M69Bmz42NS8A0Fol
JkiCsCQTQjyzvgXb1Pa0WKUVjPkQIGEUAaQdAGcns9svJQARAQABiQRyBBgBCAAm
FiEE+Iz+3v8ppbTZUjhk4l2a7QWTs0oFAmQHFqQCGwIFCQPCZwACQAkQ4l2a7QWT
s0rBdCAEGQEIAB0WIQTpQm2LZ+Nd9Ha9BIGF98iGiDficQUCZAcWpAAKCRCF98iG
iDficV5MEAClR4UiibpFIYRsbdtPQC/RUIRPbx8naJ8o9h3RqnQKQPgIPkJUS8d9
vVHQlQ8rhzrzWctOMWHgDRDEojLjXwyYSHRBawJN39D/Fs+D6Nrg9gFkdBmrU2My
+Xia2Wgb+R2qUTnl8sP+d8k8zUC8UoZIX2ksK5yzw3Zwozg6X5Bd70zIru1RJtQd
9ZFDb/PVobWGbqS+saGEDi0Wa7YrmRRA+kQtvMIywX5LFJ5/bSqH3BsJduwmCnJH
84WcxYW6Ntbta7MsnmrDEwfKwmu6d0XgL0mUaOGlt7UoECckZLU/VWh+V9hhSjPi
Dp1IX3ucfmWfsEokN1ePMnl1LWbew7yF5WsNl0/BLVczx99uoYZ6FeW3cy+8PT3q
5Tuc7kjV9oQddJcS+slmlpyuXGH+vXa8WvSDWxPHat1tPhh2QEMGbVFeCw9XhwLu
98YC+Hc2BImD9FfL46GMXPmiBJ5S9qqJjb2lGB+Y4lnbus8DavpudumgO2b3p4CH
eWQYCZY993gcZIiI1/9YMXtXABZ034XoennSq1gzoAxmWGoEk9E/ZNcDLhigW2UN
D8w/mfBKD729NhGSBlL8LmAxwHe61fnL2Z+yTjVvWfsgMXSsn1U0QYkjgE6rzqDY
1w29Iduo1QLvcXQj+fVvu0O5zYPeRYV+RHG+l65KmB8Tjomq6FW2tsInD/92KSGF
0TIk0rOjJA8Zy7Eers21QsTScUrfI3hntzcPpMZzWRBWuyXqf/4350lRTki3hMSx
YB/eJlwehTmUAkC9E3oUE36PJqpp2mzC2cP68CIOdUtkdOVqzkfeZ54LlaJxgo5y
BuC9AqUH5OfVNjZps3yygYv2ahIPBMR8JNduUiTAuvXbIENVy58q6/rZjHcKRp8b
MUX6uWJrIXO5aSAIEljx9DbQoxSbmNJPiriuSKHbhrNPpI4xRlO9gTbaEC0ELKGC
qw0lA1it1XvbZtP4CHcfJ0hyGvy9yvDH2poMgjkhu7OZdN1qBsBRHIIED/Ijy+tz
nq7rQvmaDqZavlQbYREHdrjB/sS10Sblfu9h+vIwSx05UwSNGWNiDrvkQDPbVnTh
R32zsNAlq+f0CEmsgbYPrE/lFwfFS49F2Kmma92qcDiK76Audz/dqz6xPvYQCqra
a6Sa/uYr9aiaLsZTJ7nQ904KUE+Zwk7gcO32Bl7UO3NvkWlvSqOWGS/75WUgbrD6
RARo6Xv6c8/OxgizzkboGBrdqqpmbG9PGi+gMrxShYtmZYcpD+dB91oKMC5q2lu6
IGrEVlky2zd7KvrIE3YMETdYL0Eec/H0Jwuxnp9sr7GkBSUns0IczEK/En/NLcBm
TkvXzMghTKTbYL9TjbK/CLzOR+5XXCHxXgDGLg==
=VZfW
-----END PGP PUBLIC KEY BLOCK-----
"
@ -533,17 +568,19 @@ if [[ -n "${DRY_RUN}" ]]; then
exit 0
fi
function is_modified() [[ -e "${WORKDIR}/disk_modified" ]]
function is_modified() {
[[ -e "${WORKDIR}/disk_modified" ]]
}
_disk_status=
function wait_for_disk() {
function get_disk_status() {
[ -n "${_disk_status}" ] ||
read -rt 7200 _disk_status <> "${WORKDIR}/disk_modified"
read -rt 0.1 _disk_status <> "${WORKDIR}/disk_modified" # Use a timeout of 100ms to behave like a non-blocking read
echo "${_disk_status}"
}
function write_to_disk() {
mkfifo -m 0600 "${WORKDIR}/disk_modified"
trap '(exec 2>/dev/null ; echo done > "${WORKDIR}/disk_modified") &' RETURN
# We are at the point of no return, so wipe disk labels missed below.
# In particular, ZFS writes labels in the last half-MiB of the disk.
@ -562,6 +599,8 @@ function write_to_disk() {
done
[ -z "$try" ] || exit 1
udevadm settle
# Communicate success through FIFO when the caller can't act on the return code
(exec 2>/dev/null ; echo "done" > "${WORKDIR}/disk_modified") &
}
function install_from_file() {
@ -667,9 +706,16 @@ function install_from_url() {
[ ${EEND[2]} -ne 0 ] && echo "${EEND[2]}: GPG signature verification failed for ${IMAGE_NAME}" >&2
exit 1
fi 3> >(write_to_disk)
wait
if [ "$(get_disk_status)" != "done" ]; then
echo "write_to_disk: Failed writing image to disk" >&2
exit 1
fi
}
function write_cloudinit() if [[ -n "${CLOUDINIT}${COPY_NET}" ]]; then
function write_cloudinit() {
if [[ -n "${CLOUDINIT}${COPY_NET}" ]]; then
(
# The ROOT partition should be #9 but make no assumptions here!
# Also don't mount by label directly in case other devices conflict.
local ROOT_DEV=$(blkid -t "LABEL=ROOT" -o device "${DEVICE}"*)
@ -679,7 +725,7 @@ function write_cloudinit() if [[ -n "${CLOUDINIT}${COPY_NET}" ]]; then
"btrfs") mount -t btrfs -o subvol=root "${ROOT_DEV}" "${WORKDIR}/rootfs" ;;
*) mount "${ROOT_DEV}" "${WORKDIR}/rootfs" ;;
esac
trap 'umount "${WORKDIR}/rootfs"' RETURN
trap 'umount "${WORKDIR}/rootfs"' EXIT
if [[ -n "${CLOUDINIT}" ]]; then
echo "Installing cloud-config..."
@ -692,20 +738,26 @@ function write_cloudinit() if [[ -n "${CLOUDINIT}${COPY_NET}" ]]; then
# Copy the entire directory, do not overwrite anything that might exist there, keep permissions, and copy the resolve.conf link as a file.
cp --recursive --no-clobber --preserve --dereference /run/systemd/network/* "${WORKDIR}/rootfs/etc/systemd/network"
fi
fi
)
fi
}
function write_ignition() if [[ -n "${IGNITION}" ]]; then
function write_ignition() {
if [[ -n "${IGNITION}" ]]; then
(
# The OEM partition should be #6 but make no assumptions here!
# Also don't mount by label directly in case other devices conflict.
local OEM_DEV=$(blkid -t "LABEL=OEM" -o device "${DEVICE}"*)
mkdir -p "${WORKDIR}/oemfs"
mount "${OEM_DEV}" "${WORKDIR}/oemfs" || { btrfstune -f -u "${OEM_DEV}" ; mount "${OEM_DEV}" "${WORKDIR}/oemfs" ; }
trap 'umount "${WORKDIR}/oemfs"' RETURN
trap 'umount "${WORKDIR}/oemfs"' EXIT
echo "Installing Ignition config ${IGNITION}..."
cp "${IGNITION}" "${WORKDIR}/oemfs/config.ign"
fi
)
fi
}
function create_uefi() {
ensure_tool "efibootmgr"
@ -728,7 +780,6 @@ else
else
install_from_url
fi
wait_for_disk
write_cloudinit
write_ignition
if [[ -n "${CREATE_UEFI}" ]]; then


@ -0,0 +1,17 @@
yaml -> json
./ct-v0.9.3-x86_64-unknown-linux-gnu --in-file server_new.yaml > server_new.json
connect hard drive to running system and then install
sudo ./flatcar-install -d /dev/sdb -C stable -i server_new.json
- this failed, during gpg verification, then re-downloaded new version from github -> worked
couldn't use flatcar on new machine because it didn't boot with:
moklistrt: not found
I played around in bios settings, disabled secure boot etc.. didn't help
went for debian instead