automation/deployer
2021-05-03 09:01:33 +02:00
group_vars/all synapse v1.32.2 & gitea v1.14.1 2021-05-03 09:01:33 +02:00
roles rewrote parts of the OS install guide 2021-04-11 17:05:18 +02:00
ansible.cfg improved wordpress creation, added host config for docker and logrotate 2020-05-03 14:52:54 +02:00
build.yml moved stuff around 2020-05-02 07:51:39 +02:00
command moved stuff around 2020-05-02 07:51:39 +02:00
deploy.yml moved stuff around 2020-05-02 07:51:39 +02:00
host.yml improved wordpress creation, added host config for docker and logrotate 2020-05-03 14:52:54 +02:00
inventory moved stuff around 2020-05-02 07:51:39 +02:00
README.md Synapse v1.26.0, solved a bug for changing password, and removed error logs for .well-known files in nginx 2021-01-29 10:54:45 +01:00
sites.yml moved stuff around 2020-05-02 07:51:39 +02:00

Deployer: deploy your shit and make it run

So lame to have to configure nginx, MySQL, and your filesystem to install a stupid Wordpress instance.

Deployer does my config for me like the slave it is.

All the configuration is defined in group_vars/all/vars.yml, go check.

Create a side group_vars/all/vault.yml for your secrets, and encrypt it with Ansible Vault:

    ansible-vault encrypt group_vars/all/vault.yml
    # other sub-commands: edit, decrypt...

I usually run the following command:

    ansible-playbook --ask-vault-pass sites.yml -i inventory -v

Required packages on remote

Python modules:

  • docker
  • docker-compose
  • pymysql
  • psycopg2

TODO: add an Ansible task that installs these before the rest of the playbook runs.

Features

  • Creating Wordpress instances (yoohoo, da best)

    • That send mail!!11!1!
    • Supports existing and new installs
  • Creating Drupal instances

    • Only existing ones (no new installs)
  • Create Gitea instances

    • Nginx and docker-compose configurations
    • Most of the work is by hand, because there is quite a lot of interaction between the host and the container (for forwarding ssh).
  • Create Synapse instances

    • Configured to access PostgreSQL on the host.

      • Access through TCP: you need to allow postgres to listen on your docker network, e.g. 172.27.0.0/16. See /etc/postgresql/x.y/main/pg_hba.conf, and read the comments there about changing listen_addresses too.
      • Access through a Unix socket: make a non-superuser role for root, and configure Synapse to use /var/run/postgresql as the DB host.
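As an added example (not configuration from the deployer repo), this is what the TCP variant looks like in the two PostgreSQL files, with the permissive form commented out beside the restricted one; the synapse database/role names and 172.27.0.1 as the host's address on the docker bridge are assumptions:

```text
# postgresql.conf (e.g. /etc/postgresql/x.y/main/postgresql.conf)
# Weak: listen on every interface, including the public one
#listen_addresses = '*'
# Restricted: localhost plus the host's own address on the docker bridge
# (172.27.0.1 is assumed to be the gateway of the 172.27.0.0/16 network)
listen_addresses = 'localhost,172.27.0.1'

# pg_hba.conf (same directory)
# TYPE    DATABASE   USER       ADDRESS          METHOD
# Weak: any database, any role, no password, for the whole docker network
#host    all        all        172.27.0.0/16    trust
# Restricted: only the Synapse database and role, only from the docker
# network, with password auth (scram-sha-256 needs PostgreSQL 10 or newer)
host     synapse    synapse    172.27.0.0/16    scram-sha-256
```

A changed listen_addresses only takes effect after a PostgreSQL restart, while pg_hba.conf changes need just a reload.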

Does not support

  • Setting up the host

  • SSL certificate creation (bro, do it yourself!). That is:

    # Make an nginx file for certbot
    cat << EOF > /etc/nginx/sites-enabled/yoursite.com
    server {
        listen 80;
        server_name www.yoursite.com yoursite.com;
        include snippets/letsencrypt.conf;
    }
    EOF
    nginx -t # Is everything alright?
    # If so, restart nginx
    service nginx restart
    # Create the certificate
    certbot certonly --webroot -w /var/www/letsencrypt -d yoursite.com -d www.yoursite.com
    # Remove the stupid file
    rm /etc/nginx/sites-enabled/yoursite.com
    service nginx restart


Misc

Creating and rotating backups using logrotate

This is quite cool because logrotate manages rotation/deletion of 'log' files very well, so why not use it to rotate backup archives?

One can also add prerotate/postrotate scripts to a logrotate block, which makes it possible to create the backups with logrotate too. (This way, a single utility takes care of the full backup creation/rotation/deletion process.)

A problem is that logrotate blocks won't run if the block's file does not exist. So, if you create a block like so:

/path/to/backup/dir/db-backup.sql.gz {
  prerotate
  	# create the backup file
  endscript
  weekly
  missingok
  nocompress
  nocreate
}

This block will never run unless /path/to/backup/dir/db-backup.sql.gz exists. This is why roles/build/tasks/backup.yml creates an empty backup file while defining the logrotate entry.
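The same trick worked through as an added shell example (not code from roles/build/tasks/backup.yml): one function renders a complete logrotate entry whose prerotate script dumps a MariaDB database, and another creates the empty target file without ever truncating an existing dump. Unlike the block above it uses create instead of nocreate, so that after the dump has been rotated to .1 an empty target remains for the next run; the backup path, database name and the use of root's ~/.my.cnf for credentials are assumptions.

```shell
#!/bin/sh
# Added example, not code from the deployer repo: render a logrotate entry that
# dumps a MariaDB database in prerotate, and create the empty target file that
# logrotate must find before it evaluates the block at all.
set -eu

# Print a logrotate block to stdout. Arguments: backup path, database name,
# number of archives to keep. Credentials are assumed to come from root's
# ~/.my.cnf, so no password lands on a command line or in this file.
logrotate_backup_block() {
  bkp=$1; db=$2; keep=$3
  cat <<EOF
$bkp {
  weekly
  rotate $keep
  missingok
  nocompress
  # leave an empty, root-only target behind after rotating so the next run
  # still finds the file (with nocreate the block is skipped from then on)
  create 0600 root root
  prerotate
    # dump to a temp file first so a failed dump never overwrites the target;
    # a non-zero exit makes logrotate skip this rotation, so the archives
    # already kept (.1, .2, ...) are not pushed out by a bad backup
    tmp=\$(mktemp) || exit 1
    if mysqldump --single-transaction -R '$db' > "\$tmp" && gzip -c "\$tmp" > '$bkp'; then
      rm -f "\$tmp"
    else
      rm -f "\$tmp"; exit 1
    fi
  endscript
}
EOF
}

# Create the placeholder only when nothing is there yet: '> file' or
# 'cp /dev/null file' would truncate a dump that already exists.
ensure_placeholder() {
  if [ ! -e "$1" ]; then
    mkdir -p "$(dirname "$1")"
    ( umask 077; : > "$1" )
  fi
  [ -e "$1" ]
}
```

Write the rendered block to /etc/logrotate.d/ and run `logrotate -d` on it to dry-run the entry before the first weekly run.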

Synapse

Someone advised me to install matrix-media-repo to enable animated thumbnails as people's avatars (https://github.com/turt2live/matrix-media-repo/blob/master/config.sample.yaml#L394), and to set up https://github.com/ma1uta/ma1sd, which is a federated identity server.

TODO

NextCloud

Steps for dockerization:

  • Check the databases

    • Modify character set to utf8mb4 / collate utf8mb4_general_ci.

        ALTER DATABASE owncloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
      
    • Change the default for the whole server while at it:

        SET character_set_server = 'utf8mb4';
        SET collation_server = 'utf8mb4_general_ci';
      
  • Backup:

      # Database
      mysqldump -u root -R owncloud > /vault/backups/owncloud.sql
      # Data (exclude './data' folder which is too big):
      tar --exclude='./data' -czvf /vault/backups/nextcloud.tar.gz /var/www/nextcloud


Apparently this is needed, but since I'm using a single MariaDB for every service, I won't bother changing the global config:

Ansible

Useful MySQL commands

    select host, user, password from mysql.user order by user;
    create user 'arvuhez'@'172.26.0.2' identified by 'kjhs';
    grant all on arvuhez.* to 'arvuhez'@'172.26.0.2';
    show grants for 'arvuhez'@'172.26.0.2';