any.tools.caddy: switch to better module

inventory/group_vars/all/vars.yml

@@ -27,3 +27,5 @@ gitea_lfs_jwt_secret: "{{ vault_gitea_lfs_jwt_secret }}"
 gitea_secret_key: "{{ vault_gitea_secret_key }}"
 gitea_internal_token: "{{ vault_gitea_internal_token }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
+
+vieter_api_key: "{{ vault_vieter_api_key }}"

inventory/group_vars/all/vault.yml

@@ -1,32 +1,35 @@
 $ANSIBLE_VAULT;1.1;AES256
-62316366343931626135336332623963643864616164386132363565303565303165326238303132
+31633936653331306164363661363236383930316462316238626661666437323665656435313235
-3266623662613739333637393937373137313161306136310a613335346362346333323461336130
+6234613265663530393832653631313636656633383831650a666661356337633630666462333466
-61386264346464376539303733393961306664376663613034316337313963343761636634636131
+38636564313065623238663336653437393964663530656163396332616361616662363037313963
-3231633934646130630a303038383563346539383561386362613935376634306561643964626334
+3834383464653731320a636263663631653561386534626434373066363838653665326565306130
-35333166623531383236623535636362323039613136346534343232306163393436366135373634
+65323135313439343839656435623030653739613531656266303031383234663663326665373638
-31303338303939613433326633373838353431653231646430333333323665643130306436663539
+31633735346634343934636339353735616635383136323934643734643730353762613963363334
-35393266346232366161653332303264623733343262636363613630323366376130646264333739
+36333738623664373833643333643562623832396635366365326565653336666264386432626333
-34396139303130613631646535363831623463333565396134376234356132336236373366313830
+61353433336534306564396438636234383265616464643534383833663833663037656538313166
-61386661303966313862653732653338386466643838636263393766366139373237316165643764
+37643439333337343431386463393131303830383562336662616264633335346436333432636164
-66336465613838316465316166653064343066623339616530303038356238303832373135663665
+37616230333634356234363831616665316132376561666265313666303738356534383764373465
-35383938333362643038326635316538666536613137663633363434336138306135316665353734
+63613037326465363332666264383231663536663833643765386130643938623166353661336565
-63633439366664613633353465643466663564663832396435663931643538636238643233373039
+34386464326166376438323338653037333331326135386437373536383265303532323032616637
-35623438333139353632383263343538626561343035613239366266623033636335633536643431
+32366531303538383133303662643564373038383066303966616561623563623437386265346266
-30663139353634663662373062363937393838393266343264386134306333326164656334316364
+34366265396166343037636262653936323033303230643434323332343065626639353330396461
-39343662313464383362646237383337393664623632653235623165666636363635383636363430
+37373035663139623031316166333730386137383037343166306337366264353230323631346264
-35306365383536356265363733396165303765316638366331376230306630393735393334653362
+35313736306465613261383830643662366430346463363338313736633363646365656436653137
-65313332646434323831313764306230616236383963376634623437346635653937623830653064
+35346163373133326130313161623137326535343033656530616631336464333065336133333736
-62396162396165643563373239373264396137666334646238616262663464623363373565626539
+64636338326239376432313937363932666232356437646136323036303631396466376364636564
-64373936346166356134306431616638346633376366336136383939666665373565383633336431
+36326137353134346565323730303465386261383661356561393036663931303134656631316637
-33346431353639643063616630313630653038616430316366323137303034336539643161383734
+30663632626466326631316266633239316138653934346537396134326563383533356338623030
-35346430643433653866663636333639343364363831343531363937313330343865323535353533
+37393261663535343135353766653438363063393063633531333137366334386334363035366266
-32666566343736653135363966643665396234636437316438636530366231653963356237613065
+61313639343335656237616361336264383764663563316163353832313463383465353234613333
-30623338323733666365613631666361306666613364393261623732623963613731613933383138
+37363233623934393561393433366237343735393332353763303863323664366239333061656433
-65656565396435643833613764346139343365663766623535626166346330633938626135326230
+61663466356362613637636134373365356163666631663536326362393330656337633539356139
-63356535633834633763363666333662646633366537623732623835653332316239646135373933
+63353033303164353637663733303164393861316562306364383466616337343264383433333661
-30333339396237386538343434653764613036396463333263333061316136323336356663666664
+31393834336232613835363366666235306162623565333333666532316265336131626437373266
-36363235643334363666336364333336366439646537306235333532343832653531356430353730
+65326462656638613163653637326339636630376164356434333031343664613438653263366533
-34303830343734653631313936383962343131643965303464343031633030613635356231633566
+33376266393135626166323235363736613863306539353634366439633230333133643736653636
-63366531663361386461333532383638636662633261343365633361346535366132303339346664
+62386332316338346133633862333063303861303339303032623863326465383730633161303038
-33626638643233333766356534393039393962343630303137653733393532633264616664363235
+32643338323364343266303033393363383865346136636139336434393535363535633639303162
-343465376233356362383334663334633033
+30643137393635323537333630636435346130313164313561663561313466333934356566363032
+33613063353334306131646633393264343335636462386136343265356463653836383135616364
+64626539636333316333366132633139663937663431363362353233313639633165626539333366
+6432313732616435396663376332353337653131393230633365

plays/pearl.yml

@@ -12,9 +12,16 @@
   roles:
     - 'any.common.debian-repositories'
     - 'any.tools.default'
-    - 'any.tools.ufw'
     - 'any.tools.restic'
     - 'any.tools.caddy'
+    # First change SSH settings before enabling firewall
     - 'any.common.ssh'
+    - 'any.tools.ufw'
     - 'pearl.mounts'
   tags: base
+
+- hosts: pearl
+  become: true
+  roles:
+    - 'any.software.vieter-podman'
+  tags: vieter

roles/any.software.vieter-podman/files/vieter-server.Caddyfile

@@ -0,0 +1,3 @@
+arch.r8r.be {
+    reverse_proxy 127.0.0.1:8020
+}

roles/any.software.vieter-podman/files/vieter-server.container

@@ -0,0 +1,16 @@
+# vim: ft=systemd
+[Unit]
+Description=Self-hostable Arch repository server
+
+[Container]
+Image=docker.io/chewingbever/vieter:dev
+EnvironmentFile=/etc/vieter/vieter.env
+
+PublishPort=127.0.0.1:8020:8000
+Volume=/mnt/data1/vieter/data:/data
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target

roles/any.software.vieter-podman/files/vieter.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/vieter/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/any.software.vieter-podman/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: 'restart vieter'
+  ansible.builtin.service:
+    name: 'vieter-server'
+    state: 'restarted'

roles/any.software.vieter-podman/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: 'any.tools.caddy'

roles/any.software.vieter-podman/tasks/main.yml

@@ -0,0 +1,80 @@
+---
+- name: Ensure data directory is present
+  ansible.builtin.file:
+    path: '/mnt/data1/vieter'
+    state: directory
+    mode: '0755'
+    owner: 'root'
+    group: 'root'
+
+- name: Ensure data subvolumes are present
+  community.general.btrfs_subvolume:
+    name: '/vieter/{{ item }}'
+  loop:
+    - 'data'
+
+- name: Ensure subvolume permissions are correct
+  ansible.builtin.file:
+    path: "/mnt/data1/vieter/{{ item }}"
+    state: directory
+    mode: '0755'
+    owner: '33'
+    group: '33'
+  loop:
+    - 'data'
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/vieter'
+    state: directory
+    mode: '0755'
+
+- name: Ensure environment file is present
+  ansible.builtin.template:
+    src: 'vieter.env.j2'
+    dest: '/etc/vieter/vieter.env'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart vieter'
+
+- name: Ensure backup scripts are present
+  ansible.builtin.copy:
+    src: "vieter.{{ item }}.backup.sh"
+    dest: "/etc/backups/vieter.{{ item }}.backup.sh"
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop:
+    - 'data'
+
+- name: Ensure Container unit files are present
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/containers/systemd/{{ item }}"
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  loop:
+    - 'vieter-server.container'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  when: 'res.changed'
+
+- name: Ensure Caddyfile is present
+  ansible.builtin.copy:
+    src: 'vieter-server.Caddyfile'
+    dest: '/etc/caddy/vieter-server.Caddyfile'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'reload caddy'
+
+- name: Ensure vieter service is enabled
+  ansible.builtin.service:
+    name: 'vieter-server'
+    enabled: true
+    state: 'started'

roles/any.software.vieter-podman/templates/vieter.env.j2

@@ -0,0 +1,11 @@
+VIETER_API_KEY={{ vieter_api_key }}
+VIETER_LOG_LEVEL=DEBUG
+VIETER_DEFAULT_ARCH=x86_64
+VIETER_BASE_IMAGE=ghcr.io/menci/archlinuxarm:base-devel
+VIETER_GLOBAL_SCHEDULE=0 23
+VIETER_MAX_LOG_AGE=120
+VIETER_COLLECT_METRICS=0
+VIETER_ADDRESS=https://arch.r8r.be
+VIETER_MAX_CONCURRENT_BUILDS=1
+VIETER_ARCH=x86_64
+VIETER_POLLING_FREQUENCY=120

roles/any.tools.caddy/tasks/main.yml

@@ -1,18 +1,13 @@
-- name: Add Caddy GPG key
+- name: Add Caddy repository and key
-  ansible.builtin.get_url:
+  ansible.builtin.deb822_repository:
-    url: 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key'
+    name: 'caddy'
-    dest: '/etc/apt/trusted.gpg.d/caddy.asc'
+    types: 
-    mode: '0644'
-    force: true
-
-- name: Add Caddy repositories
-  apt_repository:
-    repo: "{{ item }} https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
-    filename: 'caddy-stable'
-    state: present
-  with_items:
       - deb
       - deb-src
+    uris: 'https://dl.cloudsmith.io/public/caddy/stable/deb/debian'
+    suites: 'any-version'
+    components: 'main'
+    signed_by: 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key'
 
 - name: Install Caddy
   apt: