Initial commit

2022-03-16 00:52:23 -04:00 · 2022-03-16 00:52:23 -04:00 · 1c451f880c
commit 1c451f880c
17 changed files with 481 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+foundry_cache
--- a/69
+++ b/69
@ -0,0 +1,69 @@
+{
+	email sean@seanclayton.me
+
+	order authenticate before respond
+	order authorize before basicauth
+
+	security {
+		authentication portal authportal {
+			crypto default token lifetime 3600
+			crypto key sign-verify {env.JWT_SHARED_KEY}
+			backend local /data/caddy/users.json local
+			cookie domain gopoop.org
+
+			ui {
+				password_recovery_enabled yes
+			}
+
+			transform user {
+				match realm generic
+				action add role authp/user
+				ui link "Cloud" https://cloud.gopoop.org/ icon "las la-star"
+			}
+		}
+
+		authorization policy users_policy {
+			set auth url https://auth.gopoop.org/
+			allow roles authp/admin authp/user
+			crypto key verify {env.JWT_SHARED_KEY}
+			acl rule {
+				comment allow users
+				match role authp/user
+				allow stop log info
+			}
+			acl rule {
+				comment default deny
+				match any
+				deny log warn
+			}
+		}
+	}
+}
+
+auth.gopoop.org {
+	route {
+		authenticate with authportal
+	}
+}
+
+foundry.gopoop.org {
+	reverse_proxy server_foundry:30000
+}
+
+admin.gopoop.org {
+	authorize with users_policy
+	reverse_proxy server_portainer:9000
+}
+
+monitor.gopoop.org {
+	authorize with users_policy
+	reverse_proxy server_netdata:19999
+}
+
+code.sean.wtf {
+	reverse_proxy server_gitea:3000
+}
+
+ci.sean.wtf {
+	reverse_proxy server_woodpecker-server:8000
+}
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+Permission to use, copy, modify, and/or distribute this work for any purpose with or without fee is hereby granted.
+
+THE WORK IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS WORK INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS WORK.
--- a/caddy.yaml
+++ b/caddy.yaml
@ -0,0 +1,54 @@
+---
+- name: Setup Caddy
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Send Caddy Dockerfile
+      copy:
+        src: ./caddy/
+        dest: ~/caddy/
+
+    - name: Send Caddyfile
+      copy:
+        src: ./Caddyfile
+        dest: ~/
+
+    - name: Build Caddy image
+      docker_image:
+        name: caddy_with_auth
+        source: build
+        build:
+          cache_from:
+            - caddy:2-builder
+            - caddy:2
+          path: "./caddy"
+
+    - name: Start Caddy
+      docker_container:
+        name: "{{ stack_prefix_name }}caddy"
+        recreate: true
+        restart_policy: unless-stopped
+        image: caddy_with_auth
+        env:
+          JWT_SHARED_KEY: "{{ secret_authp_jwt_shared_key }}"
+          HOME: "/root"
+        published_ports:
+          - "80:80"
+          - "443:443"
+        mounts:
+          - target: /etc/caddy/Caddyfile
+            source: "/home/server/Caddyfile"
+            type: bind
+          - target: /data
+            source: "{{ stack_prefix_name }}caddy_data"
+          - target: /config
+            source: "{{ stack_prefix_name }}caddy_config"
+        networks:
+          - name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+          - name: "{{ stack_prefix_name }}{{ docker_external_network }}"
+        state: "{{ container_state }}"
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@ -0,0 +1,8 @@
+FROM caddy:2-builder-alpine AS builder
+
+RUN xcaddy build \
+  --with github.com/greenpau/caddy-security
+
+FROM caddy:2-alpine
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/docker.yaml
+++ b/docker.yaml
@ -0,0 +1,23 @@
+---
+- name: Setup Docker
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Create internal network
+      docker_network:
+        name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+        internal: true
+        driver: bridge
+        state: "{{ network_state }}"
+        force: yes
+
+    - name: Create external network
+      docker_network:
+        name: "{{ stack_prefix_name }}{{ docker_external_network }}"
+        state: "{{ network_state }}"
+        force: yes
--- a/foundry.yaml
+++ b/foundry.yaml
@ -0,0 +1,37 @@
+---
+- name: Setup Foundry
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Create Foundry data folder
+      file:
+        path: /home/server/foundry_data
+        state: directory
+
+    - name: Run Foundry
+      docker_container:
+        name: "{{ stack_prefix_name }}foundry"
+        recreate: true
+        restart_policy: unless-stopped
+        image: felddy/foundryvtt:release-9.255
+        hostname: foundry.gopoop.org
+        init: yes
+        env:
+          FOUNDRY_USERNAME: "{{ secret_foundry_username }}"
+          FOUNDRY_PASSWORD: "{{ secret_foundry_password }}"
+          FOUNDRY_ADMIN_KEY: "{{ secret_foundry_admin_key }}"
+          CONTAINER_PRESERVE_CONFIG: "true"
+        networks:
+          - name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+          # Foundry needs to talk to the outside world to validate the license.
+          - name: "{{ stack_prefix_name }}{{ docker_external_network }}"
+        mounts:
+          - target: /data
+            source: /home/server/foundry_data
+            type: bind
+        state: "{{ container_state }}"
--- a/gitea.yaml
+++ b/gitea.yaml
@ -0,0 +1,59 @@
+---
+- name: Setup Gitea
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Run Gitea Postgres DB
+      docker_container:
+        name: "{{ stack_prefix_name }}gitea-db"
+        recreate: true
+        restart_policy: unless-stopped
+        image: postgres:14.2
+        env:
+          USER_UID: "1000"
+          USER_GID: "1000"
+          POSTGRES_USER: gitea
+          POSTGRES_DB: gitea
+          POSTGRES_PASSWORD: "{{ secret_gitea_db_password }}"
+        networks:
+          - name: "{{ stack_internal_network }}"
+        mounts:
+          - source: "{{ stack_prefix_name }}gitea_db_data"
+            target: /var/lib/postgresql/data
+        state: "{{ container_state }}"
+
+    - name: Run Gitea
+      docker_container:
+        name: "{{ stack_prefix_name }}gitea"
+        recreate: true
+        restart_policy: unless-stopped
+        image: gitea/gitea:1.16.4
+        published_ports:
+          - "3000:3000"
+        env:
+          USER_UID: "1000"
+          USER_GID: "1000"
+          GITEA__database__DB_TYPE: postgres
+          GITEA__database__HOST: "{{ stack_prefix_name }}gitea-db:5432"
+          GITEA__database__NAME: gitea
+          GITEA__database__USER: gitea
+          GITEA__database__PASSWD: "{{ secret_gitea_db_password }}"
+        networks:
+          - name: "{{ stack_internal_network }}"
+          - name: "{{ stack_external_network }}"
+        # May need to open ssh ports for some things. Maybe not.
+        mounts:
+          - source: "{{ stack_prefix_name }}gitea_data"
+            target: /data
+          - source: /etc/timezone
+            target: /etc/timezone:ro
+            type: bind
+          - source: /etc/localtime
+            target: /etc/localtime:ro
+            type: bind
+        state: "{{ container_state }}"
--- a/inventories/dev
+++ b/inventories/dev
@ -0,0 +1,2 @@
+[server]
+localhost
--- a/inventories/prod
+++ b/inventories/prod
@ -0,0 +1,2 @@
+[server]
+gopoop
--- a/netdata.yaml
+++ b/netdata.yaml
@ -0,0 +1,51 @@
+---
+- name: Setup Netdata
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Run Netdata container
+      docker_container:
+        name: "{{ stack_prefix_name }}netdata"
+        recreate: true
+        restart_policy: unless-stopped
+        image: netdata/netdata
+        hostname: monitor.gopoop.org
+        capabilities:
+          - SYS_PTRACE
+        security_opts:
+          - apparmor=unconfined
+        networks:
+          - name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+        env:
+          PGID: "998"
+        mounts:
+          - source: /var/run/docker.sock
+            target: /var/run/docker.sock:ro
+            type: bind
+          - target: /etc/netdata:ro
+            source: /home/server/netdataconfig/netdata
+            type: bind
+          - target: /var/lib/netdata
+            source: "{{ stack_prefix_name }}netdatalib"
+          - target: /var/cache/netdata
+            source: "{{ stack_prefix_name }}netdatacache"
+          - target: /host/etc/passwd:ro
+            source: /etc/passwd
+            type: bind
+          - target: /host/etc/group:ro
+            source: /etc/group
+            type: bind
+          - target: /host/proc:ro
+            source: /proc
+            type: bind
+          - target: /host/sys:ro
+            source: /sys
+            type: bind
+          - target: /host/etc/os-release:ro
+            source: /etc/os-release
+            type: bind
--- a/portainer.yaml
+++ b/portainer.yaml
@ -0,0 +1,26 @@
+---
+- name: Setup Portainer
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Run Portainer container
+      docker_container:
+        name: "{{ stack_prefix_name }}portainer"
+        recreate: true
+        restart_policy: always
+        image: portainer/portainer-ce:latest
+        networks:
+          - name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+          # Portainer needs to talk to the outside world sometimes.
+          - name: "{{ stack_prefix_name }}{{ docker_external_network }}"
+        mounts:
+          - source: /var/run/docker.sock
+            target: /var/run/docker.sock
+            type: bind
+          - target: /data
+            source: "{{ stack_prefix_name }}portainer_data"
--- a/vars.yaml
+++ b/vars.yaml
@ -0,0 +1,8 @@
+---
+docker_internal_network: internal
+docker_external_network: external
+stack_prefix_name: server_
+stack_internal_network: server_internal
+stack_external_network: server_external
+container_state: started
+network_state: present
--- a/vault.yaml
+++ b/vault.yaml
@ -0,0 +1,35 @@
+$ANSIBLE_VAULT;1.1;AES256
+62376165316166336232386536363337306364346464383531663365393363396662356535303034
+3666613434373737666666313239653231326438653531330a636138343161343466313835386633
+62616232313762363039303635336234336433313637643630643964383431326534366130346166
+6635346237623935330a303962396539653030386361313038353161663336393334313562633466
+39643066383833623133613135363433313866633134636363323335306235303264613039386265
+39323032396164616666383132306439393830616663366339353164623433666238376631303162
+38653361633730363539636364313235633537666663626436336334646161616563343366303761
+66353338613437363265313266656663383432343962626638333934666434666533363030663061
+62323333333064666337333465396139663366333732666266663834323336393837646338346561
+33356236336263353735306236343335303864333030383632343139613831623462393137376432
+31356163363333623430643430616532646662373165356531646466326136316166646133333932
+64653139383463633734376335653730316134343839653364386161626235303763613931336333
+31313066333635653865623030346365343533356532653436363332643734386337666134386334
+31336431303031373937386234633965373631323630316166396336303839626632333936626232
+39373063393430663062363631313632656637353830303736376136386335366131623363353339
+36386266343334653262653663343831313538393934653133333938656238616261383364323064
+63386237393632346134346436306261636234643134323065646435306631656664366263626636
+34656134316165313637366361313732356364363230386664353031313137373466653862613430
+31303862373830353539646536666263313239343231613930336630643962383564613366343061
+35663064653464343035356665383935633534333266356632643666303732366638333463313265
+62323436363337636439343535663730383263343163383666363565636463303630313761306366
+66633930353631353037376164643631333264323531356436653932363835373235383962356530
+61343331643831366166646630343563643861323038626339653765613638636331643434383266
+36386235636465613134343762353263343933323166313161653431646633383962333665373262
+36383238656465663730353333373432306230353262613938383132613630316364613935643437
+33646138666631376538623265646262313036343366626335323262616265613537323465633139
+37313534643538316565613661656266336161623565306138623161373561393933353165623737
+30366532633933613939336237623437396136643938396138353964663030383964373438613537
+62383764363030383935616363626438643264333231356531376661306131383563646461386234
+30623363343063373331663934323036633239383264383536643464326539623830353833333566
+32383465663865303364616562363663643038386632666263633265616363383338646432303032
+66306535346666633262616462383638653233613532653665626565353039323830336136383635
+62313537366436623238616635656664356430313639643131613834613833663463623866303764
+3734376366336639656365666666373966326638336162376539
--- a/watchdog.yaml
+++ b/watchdog.yaml
@ -0,0 +1,23 @@
+---
+- name: Setup Watchdog
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Run Watchdog container
+      docker_container:
+        name: "{{ stack_prefix_name }}watchdog"
+        recreate: true
+        restart_policy: always
+        image: buanet/watchdog:latest
+        env:
+          DOCKER_HOST: "tcp://{{ stack_prefix_name }}docker-proxy:2375"
+          WATCHDOG_CONTAINER_LABEL: all
+        mounts:
+          - source: /var/run/docker.sock
+            target: /var/run/docker.sock
+            type: bind
--- a/watchtower.yaml
+++ b/watchtower.yaml
@ -0,0 +1,26 @@
+---
+- name: Setup Watchtower
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  tasks:
+    - name: Run Watchtower container
+      docker_container:
+        name: "{{ stack_prefix_name }}watchtower"
+        recreate: true
+        restart_policy: always
+        image: containrrr/watchtower
+        env:
+          DOCKER_HOST: "tcp://{{ stack_prefix_name }}docker-proxy:2375"
+        networks:
+          - name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+          # Watchtower needs to talk to the outside world sometimes.
+          - name: "{{ stack_prefix_name }}{{ docker_external_network }}"
+        mounts:
+          - source: /var/run/docker.sock
+            target: /var/run/docker.sock
+            type: bind
--- a/woodpecker.yaml
+++ b/woodpecker.yaml
@ -0,0 +1,54 @@
+---
+- name: Setup Woodpecker CI
+
+  hosts: all
+
+  vars_files:
+    - vault.yaml
+    - vars.yaml
+
+  vars:
+    gitea_url: https://code.sean.wtf
+    woodpecker_host: https://ci.sean.wtf
+
+  tasks:
+    - name: Start Woodpecker server
+      docker_container:
+        name: "{{ stack_prefix_name }}woodpecker-server"
+        recreate: true
+        restart_policy: unless-stopped
+        image: woodpeckerci/woodpecker-server:v0.15.0-alpine
+        env:
+          WOODPECKER_OPEN: "true"
+          WOODPECKER_AGENT_SECRET: "{{ secret_woodpecker_agent_secret }}"
+          WOODPECKER_GITEA: "true"
+          WOODPECKER_GITEA_URL: "{{ gitea_url }}"
+          WOODPECKER_GITEA_CLIENT: "{{ secret_woodpecker_gitea_client }}"
+          WOODPECKER_GITEA_SECRET: "{{ secret_woodpecker_gitea_secret }}"
+          WOODPECKER_HOST: "{{ woodpecker_host }}"
+        mounts:
+          - source: "{{ stack_prefix_name }}woodpecker_data"
+            target: /var/lib/woodpecker/
+        networks:
+          - name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+          - name: "{{ stack_prefix_name }}{{ docker_external_network }}"
+        state: "{{ container_state }}"
+
+    - name: Start Woodpecker Agent
+      docker_container:
+        name: "{{ stack_prefix_name }}woodpecker-agent"
+        recreate: true
+        restart_policy: unless-stopped
+        image: woodpeckerci/woodpecker-agent:v0.15.0-alpine
+        env:
+          WOODPECKER_AGENT_SECRET: "{{ secret_woodpecker_agent_secret }}"
+          WOODPECKER_MAX_PROCS: "4"
+          WOODPECKER_SERVER: "{{ stack_prefix_name }}woodpecker-server:9000"
+        mounts:
+          - source: /var/run/docker.sock
+            target: /var/run/docker.sock
+            type: bind
+        networks:
+          - name: "{{ stack_prefix_name }}{{ docker_internal_network }}"
+          - name: "{{ stack_prefix_name }}{{ docker_external_network }}"
+        state: "{{ container_state }}"