From 6b93b3f7ed631e899f475ac585b6b59f5fb47fe9 Mon Sep 17 00:00:00 2001
From: Jef Roosens
Date: Sun, 6 Jul 2025 12:59:36 +0200
Subject: [PATCH] feat: added site-podman role
---
inventory/group_vars/all/vars.yml | 2 +
inventory/group_vars/all/vault.yml | 71 ++++++++--------
plays/pearl.yml | 6 ++
.../files/site.Caddyfile | 3 +
.../files/site.container | 16 ++++
.../files/site.data.backup.sh | 12 +++
.../handlers/main.yml | 4 +
roles/any.software.site-podman/meta/main.yml | 3 +
roles/any.software.site-podman/tasks/main.yml | 80 +++++++++++++++++++
.../templates/site.env.j2 | 1 +
10 files changed, 164 insertions(+), 34 deletions(-)
create mode 100644 roles/any.software.site-podman/files/site.Caddyfile
create mode 100644 roles/any.software.site-podman/files/site.container
create mode 100644 roles/any.software.site-podman/files/site.data.backup.sh
create mode 100644 roles/any.software.site-podman/handlers/main.yml
create mode 100644 roles/any.software.site-podman/meta/main.yml
create mode 100644 roles/any.software.site-podman/tasks/main.yml
create mode 100644 roles/any.software.site-podman/templates/site.env.j2
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index 23835a8..567e034 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -29,3 +29,5 @@
 gitea_internal_token: "{{ vault_gitea_internal_token }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
 vieter_api_key: "{{ vault_vieter_api_key }}"
+
+site_api_key: "{{ vault_site_api_key }}"
diff --git a/inventory/group_vars/all/vault.yml b/inventory/group_vars/all/vault.yml
index abd6bd4..cb2acab 100644
--- a/inventory/group_vars/all/vault.yml
+++ b/inventory/group_vars/all/vault.yml
@@ -1,35 +1,38 @@ $ANSIBLE_VAULT;1.1;AES256 -31633936653331306164363661363236383930316462316238626661666437323665656435313235 -6234613265663530393832653631313636656633383831650a666661356337633630666462333466 -38636564313065623238663336653437393964663530656163396332616361616662363037313963 -3834383464653731320a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a323038663962373733636539363166 +64376364653462316466333739633266656464376638303636316631636366643239376330353861 +6266663963626532360a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
diff --git a/plays/pearl.yml b/plays/pearl.yml
index 576b54d..086ac7f 100644
--- a/plays/pearl.yml
+++ b/plays/pearl.yml
@@ -25,3 +25,9 @@
 roles:
 - 'any.software.vieter-podman'
 tags: vieter
+
+- hosts: pearl
+ become: true
+ roles:
+ - 'any.software.site-podman'
+ tags: site
diff --git a/roles/any.software.site-podman/files/site.Caddyfile b/roles/any.software.site-podman/files/site.Caddyfile
new file mode 100644
index 0000000..1c69c6e
--- /dev/null
+++ b/roles/any.software.site-podman/files/site.Caddyfile
@@ -0,0 +1,3 @@
+rustybever.be www.rustybever.be {
+ reverse_proxy 127.0.0.1:8021
+}
diff --git a/roles/any.software.site-podman/files/site.container b/roles/any.software.site-podman/files/site.container
new file mode 100644
index 0000000..d549054
--- /dev/null
+++ b/roles/any.software.site-podman/files/site.container
@@ -0,0 +1,16 @@
+# vim: ft=systemd
+[Unit]
+Description=The Rusty Bever backend
+
+[Container]
+Image=docker.io/chewingbever/site:latest
+EnvironmentFile=/etc/site/site.env
+
+PublishPort=127.0.0.1:8021:3000
+Volume=/mnt/data1/site/data:/data
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/roles/any.software.site-podman/files/site.data.backup.sh b/roles/any.software.site-podman/files/site.data.backup.sh
new file mode 100644
index 0000000..8518104
--- /dev/null
+++ b/roles/any.software.site-podman/files/site.data.backup.sh
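Review bot: `Image=docker.io/chewingbever/site:latest` in the new site.container unit pins nothing, so the service runs whatever the tag points to when podman happens to pull it; a rebuild or an unwanted upstream push silently changes what is deployed, and two hosts applying the same role can end up on different images. Pin a version tag or, better, a digest, e.g. `Image=docker.io/chewingbever/site@sha256:<image-digest placeholder>`, and if rolling updates are wanted make them explicit with `AutoUpdate=registry` so they show up in journal and `podman auto-update` output. Whether the bind mount `Volume=/mnt/data1/site/data:/data` needs an SELinux relabel option depends on the host's policy, which this patch does not show.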
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/site/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/any.software.site-podman/handlers/main.yml b/roles/any.software.site-podman/handlers/main.yml
new file mode 100644
index 0000000..f37e420
--- /dev/null
+++ b/roles/any.software.site-podman/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: 'restart site'
+ ansible.builtin.service:
+ name: 'site'
+ state: 'restarted'
diff --git a/roles/any.software.site-podman/meta/main.yml b/roles/any.software.site-podman/meta/main.yml
new file mode 100644
index 0000000..6e47e89
--- /dev/null
+++ b/roles/any.software.site-podman/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: 'any.tools.caddy'
diff --git a/roles/any.software.site-podman/tasks/main.yml b/roles/any.software.site-podman/tasks/main.yml
new file mode 100644
index 0000000..fe1b12a
--- /dev/null
+++ b/roles/any.software.site-podman/tasks/main.yml
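Review bot: The script's exit status is that of the final `btrfs subvolume delete`, so a failed `restic backup` is reported to whatever schedules this script as success and the missed backup goes unnoticed; the comment above the delete promises cleanup even if restic fails, but the failure itself is discarded too. Keep the cleanup unconditional and still propagate the result: `/usr/local/bin/restic backup "$snapshot_dir"; rc=$?`, then `btrfs subvolume delete "$snapshot_dir"`, then `exit "$rc"`. A second gap is that a leftover `${data_dir}.snapshot` from an earlier interrupted run makes the `btrfs subvolume snapshot` call fail on every later run until someone removes it by hand, so deleting a stale snapshot if one exists before creating the new one, or naming the snapshot with a timestamp, would make the job self-healing.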
@@ -0,0 +1,80 @@
+---
+- name: Ensure data directory is present
+ ansible.builtin.file:
+ path: '/mnt/data1/site'
+ state: directory
+ mode: '0755'
+ owner: 'root'
+ group: 'root'
+
+- name: Ensure data subvolumes are present
+ community.general.btrfs_subvolume:
+ name: '/site/{{ item }}'
+ loop:
+ - 'data'
+
+- name: Ensure subvolume permissions are correct
+ ansible.builtin.file:
+ path: "/mnt/data1/site/{{ item }}"
+ state: directory
+ mode: '0755'
+ owner: '82'
+ group: '82'
+ loop:
+ - 'data'
+
+- name: Ensure configuration directory is present
+ ansible.builtin.file:
+ path: '/etc/site'
+ state: directory
+ mode: '0755'
+
+- name: Ensure environment file is present
+ ansible.builtin.template:
+ src: 'site.env.j2'
+ dest: '/etc/site/site.env'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: 'restart site'
+
+- name: Ensure backup scripts are present
+ ansible.builtin.copy:
+ src: "site.{{ item }}.backup.sh"
+ dest: "/etc/backups/site.{{ item }}.backup.sh"
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ loop:
+ - 'data'
+
+- name: Ensure Container unit files are present
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/containers/systemd/{{ item }}"
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ loop:
+ - 'site.container'
+ register: res
+
+- name: systemd-reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: 'res.changed'
+
+- name: Ensure Caddyfile is present
+ ansible.builtin.copy:
+ src: 'site.Caddyfile'
+ dest: '/etc/caddy/site.Caddyfile'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: 'reload caddy'
+
+- name: Ensure site service is enabled
+ ansible.builtin.service:
+ name: 'site'
+ enabled: true
+ state: 'started'
diff --git a/roles/any.software.site-podman/templates/site.env.j2 b/roles/any.software.site-podman/templates/site.env.j2
new file mode 100644
index 0000000..f6e270b
--- /dev/null
+++ b/roles/any.software.site-podman/templates/site.env.j2
@@ -0,0 +1 @@
+API_KEY={{ site_api_key }}
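Review bot: The "Ensure environment file is present" task writes `/etc/site/site.env`, whose only content is `API_KEY={{ site_api_key }}` from the vault, with `mode: '0644'`, so every local account on the host can read the API key. The unit is installed under `/etc/containers/systemd` and started as a system service, so the file presumably only needs to be readable by root; change that task to `mode: '0600'`. Consider `no_log: true` on the same task as well, since a run with `--diff` would otherwise print the rendered key into the Ansible output and any log that captures it. Separately, the backup script is copied to `/etc/backups` with `mode: '0644'`, which only works if the backup runner invokes it through `bash` rather than executing it directly; that runner is outside this patch, so worth confirming.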