pad (HedgeDoc) und cloud (NextCloud) dazu

cloud braucht noch etwas Arbeit, insbesondere die Abslage der Daten in
/data und die Keycloak-Anbindung.
This commit is contained in:
Stefan Bethke 2023-08-05 17:23:49 +02:00
parent 06233d22d5
commit dff8f0ee8b
10 changed files with 260 additions and 4 deletions

View file

@ -13,3 +13,27 @@ Grundsätzlich sollten Secrets vermieden werden. (Also z.B.: Nutze SSH Keys stat
Da Secrets aber durchaus doch gebraucht werden, werden diese dann in diesem Repo direkt aus dem [password-store](https://gitlab.hamburg.ccc.de/ccchh/password-store) (meist aus einem Sub-Eintrag des `noc/` Ordners) geladen.
Dies geschieht mit Hilfe des `community.general.passwordstore` lookup Plugins.
## Playbook nur für einzelne Hosts ausführen
Ein paar der Hosts haben den selben Namen, was es etwas schwieriger macht, das Playbook nur für einen der Hosts auszuführen, z. B. `public-reverse-proxy`. Die Kombination aus `--inventory` und `--limit` führt zum Erfolg:
```
ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy
```
## Neuen Web-Service hinzufügen
Wir deployen Web-Services hinter dem `public-reverse-proxy`. Der Service-Name `service.hamburg.ccc.de` ist ein CNAME für public-reverse-proxy.hamburg.ccc.de, und die Service-VM ist unter `service-intern.hamburg.ccc.de` mit einer `172.31.17.x`-Adresse erreichbar.
Im Ansible-Repo müssen diese Sachen hinzugefügt werden:
* `inventories/chaosknoten/hosts.yaml`:
* SSH-Config für die neue VM unter all/children/debian_12/hosts
* Einträge für die Rollen, die dieser Host haben soll, min. `certbot_hosts`, `nginx_hosts`, ggf. `docker_compose_hosts`
* `inventories/chaosknoten/host_vars/`*host*`.yaml`: config vars für den neuen Host
* `playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf`: Liste der Hostnamen um den neuen Host erweitern, die hinter dem Reverse-Proxy stehen
* `playbooks/files/chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf`: Liste der Hostnamen um den neuen Host erweitern, die hinter dem Reverse-Proxy stehen
* `playbooks/files/chaosknoten/configs/cloud/nginx/`*host*`.hamburg.ccc.de.conf`: Server auf dem Service-Host
* Individuelle Config für den Service. Wenn Docker Compose, hier weiterleiten auf den eigentlichen Dienst in Compose.
* Cert-Dateinamen anpassen
* `playbooks/templates/chaosknoten/configs/`*host*`/compose.yaml.j2`: Config für Docker Compose (wenn verwendet)

View file

@ -0,0 +1,12 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/compose.yaml.j2') }}"
docker_compose__configuration_files: []
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "cloud.hamburg.ccc.de"
nginx__version_spec: ""
nginx__configurations:
- name: cloud.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf') }}"

View file

@ -0,0 +1,12 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/pad/compose.yaml.j2') }}"
docker_compose__configuration_files: []
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "pad.hamburg.ccc.de"
nginx__version_spec: ""
nginx__configurations:
- name: pad.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/pad/nginx/pad.hamburg.ccc.de.conf') }}"

View file

@ -1,13 +1,33 @@
all:
children:
certbot_hosts:
hosts:
cloud:
pad:
debian_12:
hosts:
cloud:
ansible_host: cloud-intern.hamburg.ccc.de
ansible_port: 42666
ansible_user: chaos
ansible_ssh_common_args: -J public-reverse-proxy
pad:
ansible_host: pad-intern.hamburg.ccc.de
ansible_port: 42666
ansible_user: chaos
ansible_ssh_common_args: -J public-reverse-proxy
public-reverse-proxy:
ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_port: 42666
ansible_user: chaos
docker_compose_hosts:
hosts:
cloud:
pad:
nginx_hosts:
hosts:
cloud:
pad:
public-reverse-proxy:
public_reverse_proxy_hosts:
hosts:

View file

@ -0,0 +1,42 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name cloud.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:8080/;
}
}

View file

@ -0,0 +1,42 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name pad.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/pad.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pad.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/pad.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
location / {
proxy_pass http://127.0.0.1:3000/;
}
}

View file

@ -1,6 +1,6 @@
map $host $upstream_acme_challenge_host {
# Something like this should be here at some point:
# aes.ccchh.net 10.31.206.14:31820;
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:31820;
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:31820;
default "";
}

View file

@ -15,9 +15,11 @@ events {
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
# upstreams.
stream {
resolver 212.12.50.158 192.76.134.90;
map $ssl_preread_server_name $address {
# Something like this should be here at some point:
# aes.ccchh.net 10.31.206.14:8443;
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
}
server {

View file

@ -0,0 +1,40 @@
---
version: "3.6"
services:
database:
image: docker.io/library/mariadb:11
restart: always
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
volumes:
- database:/var/lib/mysql
environment:
- "MYSQL_ROOT_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_DATABASE=nextcloud"
- "MYSQL_USER=nextcloud"
app:
image: docker.io/library/nextcloud:25-fpm
restart: always
ports:
- 8080:8080
links:
- db
volumes:
- nextcloud:/var/www/html
environment:
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_DATABASE=nextcloud"
- "MYSQL_USER=nextcloud"
- "MYSQL_HOST=db"
volumes:
# FIXME: tell Docker to put volumes in /data instead of /var/lib/docker/
database: {}
nextcloud: {}
networks:
backend:
internal: true
frontend: {}

View file

@ -0,0 +1,62 @@
---
# see https://github.com/hedgedoc/container/blob/master/docker-compose.yml
version: "3.6"
services:
database:
image: docker.io/library/postgres:15-alpine
environment:
- "POSTGRES_USER=hedgedoc"
- "POSTGRES_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}"
- "POSTGRES_DB=hedgedoc"
volumes:
- database:/var/lib/postgresql/data
networks:
backend:
restart: always
app:
#image: quay.io/hedgedoc/hedgedoc:1.9.9
image: quay.io/hedgedoc/hedgedoc:latest
environment:
- "CMD_DB_URL=postgres://hedgedoc:{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/DB_PASSWORD", create=false, missing="error") }}@database:5432/hedgedoc"
- "CMD_DOMAIN=pad.hamburg.ccc.de"
- "CMD_PROTOCOL_USESSL=true"
- "CMD_HSTS_ENABLE=false"
- "CMD_URL_ADDPORT=false"
- "CMD_ALLOW_FREEURL=true"
- "CMD_ALLOW_EMAIL_REGISTER=false"
- "CMD_ALLOW_ANONYMOUS=false"
- "CMD_ALLOW_ANONYMOUS_EDITS=true"
- "CMD_ALLOW_ANONYMOUS_VIEWS=true"
- "CMD_DEFAULT_PERMISSION=limited"
- "CMD_EMAIL=false"
- "CMD_OAUTH2_USER_PROFILE_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/userinfo"
- "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username"
- "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name"
- "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email"
- "CMD_OAUTH2_TOKEN_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/token"
- "CMD_OAUTH2_AUTHORIZATION_URL=https://id.ccchh.net/realms/ccchh/protocol/openid-connect/auth"
- "CMD_OAUTH2_CLIENT_ID=pad"
- "CMD_OAUTH2_CLIENT_SECRET={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/pad/KC_SECRET", create=false, missing="error") }}"
- "CMD_OAUTH2_PROVIDERNAME=Keycloak"
- "CMD_OAUTH2_SCOPE=openid email profile"
volumes:
- uploads:/hedgedoc/public/uploads
ports:
- "127.0.0.1:3000:3000"
networks:
backend:
frontend:
restart: always
depends_on:
- database
volumes:
database: {}
uploads: {}
networks:
backend:
internal: true
frontend: