pad (HedgeDoc) und cloud (NextCloud) dazu
cloud braucht noch etwas Arbeit, insbesondere die Abslage der Daten in /data und die Keycloak-Anbindung.
This commit is contained in:
parent
06233d22d5
commit
dff8f0ee8b
10 changed files with 260 additions and 4 deletions
24
README.md
24
README.md
|
@ -13,3 +13,27 @@ Grundsätzlich sollten Secrets vermieden werden. (Also z.B.: Nutze SSH Keys stat
|
|||
|
||||
Da Secrets aber durchaus doch gebraucht werden, werden diese dann in diesem Repo direkt aus dem [password-store](https://gitlab.hamburg.ccc.de/ccchh/password-store) (meist aus einem Sub-Eintrag des `noc/` Ordners) geladen.
|
||||
Dies geschieht mit Hilfe des `community.general.passwordstore` lookup Plugins.
|
||||
|
||||
|
||||
## Playbook nur für einzelne Hosts ausführen
|
||||
|
||||
Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg:
|
||||
```
|
||||
ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy
|
||||
```
|
||||
|
||||
## Neuen Web-Service hinzufügen
|
||||
|
||||
Wir deployen Web-Services hinter dem `public-reverse-proxy`. Der Service-Name `service.hamburg.ccc.de` ist ein CNAME für public-reverse-proxy.hamburg.ccc.de, und die Service-VM ist unter `service-intern.hamburg.ccc.de` mit einer `172.31.17.x`-Adresse erreichbar.
|
||||
|
||||
Im Ansible-Repo müssen diese Sachen hinzugefügt werden:
|
||||
* `inventories/chaosknoten/hosts.yaml`:
|
||||
* SSH-Config für die neue VM unter all/children/debian_12/hosts
|
||||
* Einträge für die Rollen, die dieser Host haben soll, min. `certbot_hosts`, `nginx_hosts`, ggf. `docker_compose_hosts`
|
||||
* `inventories/chaosknoten/host_vars/`*host*`.yaml`: config vars für den neuen Host
|
||||
* `playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf`: Liste der Hostnamen um den neuen Host erweitern, die hinter dem Reverse-Proxy stehen
|
||||
* `playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf`: Liste der Hostnamen um den neuen Host erweitern, die hinter dem Reverse-Proxy stehen
|
||||
* `playbooks/files/chaosknoten/configs/cloud/nginx/`*host*`.hamburg.ccc.de.conf`: Server auf dem Service-Host
|
||||
* Individuelle Config für den Service. Wenn Docker Compose, hier weiterleiten auf den eigentlichen Dienst in Compose.
|
||||
* Cert-Dateinamen anpassen
|
||||
* `playbooks/templates/chaosknoten/configs/`*host*`/compose.yaml.j2`: Config für Docker Compose (wenn verwendet)
|
||||
|
|
12
inventories/chaosknoten/host_vars/cloud.yaml
Normal file
12
inventories/chaosknoten/host_vars/cloud.yaml
Normal file
|
@ -0,0 +1,12 @@
|
|||
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/compose.yaml.j2') }}"
|
||||
docker_compose__configuration_files: []
|
||||
|
||||
certbot__version_spec: ""
|
||||
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
|
||||
certbot__certificate_domains:
|
||||
- "cloud.hamburg.ccc.de"
|
||||
|
||||
nginx__version_spec: ""
|
||||
nginx__configurations:
|
||||
- name: cloud.hamburg.ccc.de
|
||||
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf') }}"
|
12
inventories/chaosknoten/host_vars/pad.yaml
Normal file
12
inventories/chaosknoten/host_vars/pad.yaml
Normal file
|
@ -0,0 +1,12 @@
|
|||
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pad/compose.yaml.j2') }}"
|
||||
docker_compose__configuration_files: []
|
||||
|
||||
certbot__version_spec: ""
|
||||
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
|
||||
certbot__certificate_domains:
|
||||
- "pad.hamburg.ccc.de"
|
||||
|
||||
nginx__version_spec: ""
|
||||
nginx__configurations:
|
||||
- name: pad.hamburg.ccc.de
|
||||
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/pad/nginx/pad.hamburg.ccc.de.conf') }}"
|
|
@ -1,13 +1,33 @@
|
|||
all:
|
||||
children:
|
||||
certbot_hosts:
|
||||
hosts:
|
||||
cloud:
|
||||
pad:
|
||||
debian_12:
|
||||
hosts:
|
||||
cloud:
|
||||
ansible_host: cloud-intern.hamburg.ccc.de
|
||||
ansible_port: 42666
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J public-reverse-proxy
|
||||
pad:
|
||||
ansible_host: pad-intern.hamburg.ccc.de
|
||||
ansible_port: 42666
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J public-reverse-proxy
|
||||
public-reverse-proxy:
|
||||
ansible_host: public-reverse-proxy.hamburg.ccc.de
|
||||
ansible_port: 42666
|
||||
ansible_user: chaos
|
||||
docker_compose_hosts:
|
||||
hosts:
|
||||
cloud:
|
||||
pad:
|
||||
nginx_hosts:
|
||||
hosts:
|
||||
cloud:
|
||||
pad:
|
||||
public-reverse-proxy:
|
||||
public_reverse_proxy_hosts:
|
||||
hosts:
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
|
||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
server_name cloud.hamburg.ccc.de;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/cloud.hamburg.ccc.de/privkey.pem;
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/chain.pem;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Port 443;
|
||||
# This is https in any case.
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
# Hide the X-Forwarded header.
|
||||
proxy_hide_header X-Forwarded;
|
||||
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
|
||||
# is transparent).
|
||||
# Also provide "_hidden" for by, since it's not relevant.
|
||||
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8080/;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
|
||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
server_name pad.hamburg.ccc.de;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/pad.hamburg.ccc.de/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/pad.hamburg.ccc.de/privkey.pem;
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/pad.hamburg.ccc.de/chain.pem;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Port 443;
|
||||
# This is https in any case.
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
# Hide the X-Forwarded header.
|
||||
proxy_hide_header X-Forwarded;
|
||||
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
|
||||
# is transparent).
|
||||
# Also provide "_hidden" for by, since it's not relevant.
|
||||
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:3000/;
|
||||
}
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
map $host $upstream_acme_challenge_host {
|
||||
# Something like this should be here at some point:
|
||||
# aes.ccchh.net 10.31.206.14:31820;
|
||||
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820;
|
||||
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820;
|
||||
default "";
|
||||
}
|
||||
|
||||
|
|
|
@ -15,9 +15,11 @@ events {
|
|||
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
|
||||
# upstreams.
|
||||
stream {
|
||||
resolver 212.12.50.158 192.76.134.90;
|
||||
|
||||
map $ssl_preread_server_name $address {
|
||||
# Something like this should be here at some point:
|
||||
# aes.ccchh.net 10.31.206.14:8443;
|
||||
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
|
||||
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
|
||||
}
|
||||
|
||||
server {
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
version: "3.6"
|
||||
|
||||
services:
|
||||
database:
|
||||
image: docker.io/library/mariadb:11
|
||||
restart: always
|
||||
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
|
||||
volumes:
|
||||
- database:/var/lib/mysql
|
||||
environment:
|
||||
- "MYSQL_ROOT_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
|
||||
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
|
||||
- "MYSQL_DATABASE=nextcloud"
|
||||
- "MYSQL_USER=nextcloud"
|
||||
|
||||
app:
|
||||
image: docker.io/library/nextcloud:25-fpm
|
||||
restart: always
|
||||
ports:
|
||||
- 8080:8080
|
||||
links:
|
||||
- db
|
||||
volumes:
|
||||
- nextcloud:/var/www/html
|
||||
environment:
|
||||
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
|
||||
- "MYSQL_DATABASE=nextcloud"
|
||||
- "MYSQL_USER=nextcloud"
|
||||
- "MYSQL_HOST=db"
|
||||
|
||||
volumes:
|
||||
# FIXME: tell Docker to put volumes in /data instead of /var/lib/docker/
|
||||
database: {}
|
||||
nextcloud: {}
|
||||
|
||||
networks:
|
||||
backend:
|
||||
internal: true
|
||||
frontend: {}
|
62
playbooks/templates/chaosknoten/configs/pad/compose.yaml.j2
Normal file
62
playbooks/templates/chaosknoten/configs/pad/compose.yaml.j2
Normal file
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
# see https://github.com/hedgedoc/container/blob/master/docker-compose.yml
|
||||
version: "3.6"
|
||||
|
||||
services:
|
||||
database:
|
||||
image: docker.io/library/postgres:15-alpine
|
||||
environment:
|
||||
- "POSTGRES_USER=hedgedoc"
|
||||
- "POSTGRES_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
|
||||
- "POSTGRES_DB=hedgedoc"
|
||||
volumes:
|
||||
- database:/var/lib/postgresql/data
|
||||
networks:
|
||||
backend:
|
||||
restart: always
|
||||
|
||||
app:
|
||||
#image: quay.io/hedgedoc/hedgedoc:1.9.9
|
||||
image: quay.io/hedgedoc/hedgedoc:latest
|
||||
environment:
|
||||
- "CMD_DB_URL=postgres://hedgedoc:{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}@database:5432/hedgedoc"
|
||||
- "CMD_DOMAIN=pad.hamburg.ccc.de"
|
||||
- "CMD_PROTOCOL_USESSL=true"
|
||||
- "CMD_HSTS_ENABLE=false"
|
||||
- "CMD_URL_ADDPORT=false"
|
||||
- "CMD_ALLOW_FREEURL=true"
|
||||
- "CMD_ALLOW_EMAIL_REGISTER=false"
|
||||
- "CMD_ALLOW_ANONYMOUS=false"
|
||||
- "CMD_ALLOW_ANONYMOUS_EDITS=true"
|
||||
- "CMD_ALLOW_ANONYMOUS_VIEWS=true"
|
||||
- "CMD_DEFAULT_PERMISSION=limited"
|
||||
- "CMD_EMAIL=false"
|
||||
- "CMD_OAUTH2_USER_PROFILE_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/userinfo"
|
||||
- "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username"
|
||||
- "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name"
|
||||
- "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email"
|
||||
- "CMD_OAUTH2_TOKEN_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/token"
|
||||
- "CMD_OAUTH2_AUTHORIZATION_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/auth"
|
||||
- "CMD_OAUTH2_CLIENT_ID=pad"
|
||||
- "CMD_OAUTH2_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/KC_SECRET", create=false, missing="error") }}"
|
||||
- "CMD_OAUTH2_PROVIDERNAME=Keycloak"
|
||||
- "CMD_OAUTH2_SCOPE=openid email profile"
|
||||
volumes:
|
||||
- uploads:/hedgedoc/public/uploads
|
||||
ports:
|
||||
- "127.0.0.1:3000:3000"
|
||||
networks:
|
||||
backend:
|
||||
frontend:
|
||||
restart: always
|
||||
depends_on:
|
||||
- database
|
||||
|
||||
volumes:
|
||||
database: {}
|
||||
uploads: {}
|
||||
|
||||
networks:
|
||||
backend:
|
||||
internal: true
|
||||
frontend:
|
Loading…
Reference in a new issue