🗑️ truenas jails
@@ -16,11 +16,6 @@ all:
|
||||
ansible_port: 35875
|
||||
vars:
|
||||
ansible_user: homelab
|
||||
truenas-jails:
|
||||
hosts:
|
||||
borgserver:
|
||||
ansible_host: borgserver.{{ secret_domain }}
|
||||
# postgres:
|
||||
kubernetes:
|
||||
children:
|
||||
master:
|
||||
|
@@ -1,96 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
PUID=${PUID:-1000}
|
||||
PGID=${PGID:-1000}
|
||||
|
||||
usermod -o -u "$PUID" borg &>/dev/null
|
||||
groupmod -o -g "$PGID" borg &>/dev/null
|
||||
|
||||
BORG_DATA_DIR=/backups
|
||||
SSH_KEY_DIR=/keys
|
||||
BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
|
||||
AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
|
||||
|
||||
# Append only mode?
|
||||
BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
|
||||
|
||||
source /etc/os-release
|
||||
echo "########################################################"
|
||||
echo -n " * BorgServer powered by "
|
||||
borg -V
|
||||
echo " * Based on k8s-at-home"
|
||||
echo "########################################################"
|
||||
echo " * User id: $(id -u borg)"
|
||||
echo " * Group id: $(id -g borg)"
|
||||
echo "########################################################"
|
||||
|
||||
|
||||
# Precheck if BORG_ADMIN is set
|
||||
if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
|
||||
echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
|
||||
fi
|
||||
|
||||
# Precheck directories & client ssh-keys
|
||||
for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
|
||||
dirpath=$(eval echo '$'${dir})
|
||||
echo " * Testing Volume ${dir}: ${dirpath}"
|
||||
if [ ! -d "${dirpath}" ] ; then
|
||||
echo "ERROR: ${dirpath} is no directory!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$(find ${SSH_KEY_DIR}/clients ! -regex '.*/\..*' -a -type f | wc -l)" == "0" ] ; then
|
||||
echo "ERROR: No SSH-Pubkey file found in ${SSH_KEY_DIR}"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
# Create SSH-Host-Keys on persistent storage, if not exist
|
||||
mkdir -p ${SSH_KEY_DIR}/host 2>/dev/null
|
||||
echo " * Checking / Preparing SSH Host-Keys..."
|
||||
for keytype in ed25519 rsa ; do
|
||||
if [ ! -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" ] ; then
|
||||
echo " ** Creating SSH Hostkey [${keytype}]..."
|
||||
ssh-keygen -q -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" -N '' -t ${keytype}
|
||||
fi
|
||||
done
|
||||
|
||||
echo "########################################################"
|
||||
echo " * Starting SSH-Key import..."
|
||||
|
||||
# Add every key to borg-users authorized_keys
|
||||
rm ${AUTHORIZED_KEYS_PATH} &>/dev/null
|
||||
for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
|
||||
client_name=$(basename ${keyfile})
|
||||
mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
|
||||
echo " ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
|
||||
|
||||
# If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
|
||||
# Otherwise add --append-only, if enabled
|
||||
borg_cmd=${BORG_CMD}
|
||||
if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
|
||||
echo " ** Client '${client_name}' is BORG_ADMIN! **"
|
||||
unset client_name
|
||||
elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
|
||||
borg_cmd="${BORG_CMD} --append-only"
|
||||
fi
|
||||
|
||||
echo -n "restrict,command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
|
||||
cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
|
||||
echo >> ${AUTHORIZED_KEYS_PATH}
|
||||
done
|
||||
chmod 0600 "${AUTHORIZED_KEYS_PATH}"
|
||||
|
||||
echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
|
||||
ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "ERROR: ${ERROR}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
chown -R borg:borg ${BORG_DATA_DIR}
|
||||
chown borg:borg ${AUTHORIZED_KEYS_PATH}
|
||||
chmod 600 ${AUTHORIZED_KEYS_PATH}
|
||||
|
||||
echo "########################################################"
|
||||
echo " * Init done!"
|
@@ -1,5 +0,0 @@
|
||||
HostKey /keys/host/ssh_host_rsa_key
|
||||
HostKey /keys/host/ssh_host_ed25519_key
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
PermitRootLogin yes
|
@@ -1,112 +0,0 @@
|
||||
---
|
||||
- name: jail-borgserver | get jail ip
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec borgserver ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
|
||||
changed_when: false
|
||||
register: borgserver_jail_ip
|
||||
become: true
|
||||
|
||||
- block:
|
||||
- name: jail-borgserver | create zfs pools
|
||||
community.general.zfs:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop:
|
||||
- "{{ pool_name }}/jail-mounts"
|
||||
- "{{ pool_name }}/jail-mounts/borgserver"
|
||||
- "{{ pool_name }}/jail-mounts/borgserver/backups"
|
||||
- "{{ pool_name }}/jail-mounts/borgserver/keys"
|
||||
|
||||
- name: jail-borgserver | create empty dirs
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec borgserver mkdir -p /{{ item }}
|
||||
loop:
|
||||
- backups
|
||||
- keys
|
||||
|
||||
- name: jail-borgserver | mount dirs
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage fstab -a borgserver /mnt/{{ pool_name }}/jail-mounts/borgserver/{{ item }} /{{ item }} nullfs rw 0 0
|
||||
loop:
|
||||
- backups
|
||||
- keys
|
||||
become: true
|
||||
|
||||
- block:
|
||||
- name: jail-borgserver | packages
|
||||
community.general.pkgng:
|
||||
name:
|
||||
#- py39-borgbackup
|
||||
- sshguard
|
||||
state: present
|
||||
|
||||
- name: jail-borgserver | download borg cli
|
||||
ansible.builtin.get_url:
|
||||
url: https://github.com/borgbackup/borg/releases/download/1.2.1/borg-freebsd64
|
||||
dest: /usr/local/bin/borg
|
||||
mode: 0755
|
||||
|
||||
- name: jail-borgserver | user borg
|
||||
ansible.builtin.user:
|
||||
name: borg
|
||||
uid: 1000
|
||||
state: present
|
||||
|
||||
- name: jail-borgserver | create directories
|
||||
ansible.builtin.file:
|
||||
path: /home/borg/.ssh
|
||||
owner: 1000
|
||||
group: 1000
|
||||
state: directory
|
||||
|
||||
- name: jail-borgserver | authorized_keys
|
||||
ansible.builtin.file:
|
||||
path: /home/borg/.ssh/authorized_keys
|
||||
owner: 1000
|
||||
group: 1000
|
||||
state: touch
|
||||
|
||||
- name: jail-borgserver | change folders mod
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
owner: 1000
|
||||
group: 1000
|
||||
loop:
|
||||
- /backups
|
||||
- /keys
|
||||
|
||||
- name: jail-borgserver | copy sshd_config
|
||||
ansible.builtin.copy:
|
||||
src: borgserver/sshd_config
|
||||
dest: /etc/ssh/sshd_config'
|
||||
mode: 0644
|
||||
|
||||
- name: jail-borgserver | copy borgserver rc.d
|
||||
ansible.builtin.copy:
|
||||
src: borgserver/rc.d
|
||||
dest: /etc/rc.d/borgserver
|
||||
mode: 0755
|
||||
|
||||
- name: jail-borgserver | configure sshguard
|
||||
community.general.sysrc:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
state: present
|
||||
loop:
|
||||
- { name: "sshguard_enable", value: "YES" }
|
||||
- { name: "sshguard_danger_thresh", value: "30" }
|
||||
- { name: "sshguard_release_interval", value: "600" }
|
||||
- { name: "sshguard_reset_interval", value: "7200" }
|
||||
|
||||
- name: jail-borgserver | start sshguard service
|
||||
ansible.builtin.service:
|
||||
name: sshguard
|
||||
state: started
|
||||
|
||||
- name: jail-borgserver | restart sshd service
|
||||
ansible.builtin.service:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
delegate_to: "{{ borgserver_jail_ip.stdout }}"
|
||||
remote_user: root
|
@@ -1,31 +0,0 @@
|
||||
---
|
||||
- name: jail-prepare | {{ outside_item.item }} | create .ssh directory
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec {{ outside_item.item }} 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
|
||||
become: true
|
||||
|
||||
- name: jail-prepare | {{ outside_item.item }} | deploy ssh keys
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec {{ outside_item.item }} 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
|
||||
loop: "{{ public_ssh_keys }}"
|
||||
become: true
|
||||
|
||||
- name: jail-prepare | {{ outside_item.item }} | activate sshd
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec {{ outside_item.item }} 'sysrc sshd_enable="YES"'
|
||||
become: true
|
||||
|
||||
- name: jail-prepare | {{ outside_item.item }} | sshd permit root login
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec {{ outside_item.item }} 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config'
|
||||
become: true
|
||||
|
||||
- name: jail-prepare | {{ outside_item.item }} | start sshd
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec {{ outside_item.item }} 'service sshd start'
|
||||
become: true
|
||||
|
||||
- name: jail-prepare | {{ outside_item.item }} | install packages
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec {{ outside_item.item }} 'pkg install -y python39 bash; ln -s /usr/local/bin/bash /bin/bash'
|
||||
become: true
|
@@ -1,41 +0,0 @@
|
||||
---
|
||||
- name: jails | check if jail exist
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage list | grep {{ item }}
|
||||
loop: "{{ groups['truenas-jails'] }}"
|
||||
register: jails_check
|
||||
changed_when: false
|
||||
failed_when: jails_check.rc != 0 and jails_check.rc != 1
|
||||
|
||||
- name: jails | is iocage fetch required
|
||||
ansible.builtin.set_fact:
|
||||
jail_missing: true
|
||||
loop: "{{ jails_check.results }}"
|
||||
when: item.rc == 1
|
||||
|
||||
- block:
|
||||
- name: jails | get current FreeBSD release
|
||||
ansible.builtin.shell:
|
||||
cmd: freebsd-version -k
|
||||
register: release
|
||||
failed_when: release.rc != 0
|
||||
|
||||
- name: jails | fetch iocage template {{ release.stdout }}
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage fetch -r {{ release.stdout }}
|
||||
become: true
|
||||
|
||||
- name: jails | create jail
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on boot=on
|
||||
loop: "{{ jails_check.results }}"
|
||||
when: item.rc == 1
|
||||
become: true
|
||||
when: jail_missing
|
||||
|
||||
- name: jails | init jails
|
||||
ansible.builtin.include_tasks: init.yml
|
||||
loop: "{{ jails_check.results }}"
|
||||
loop_control:
|
||||
loop_var: outside_item
|
||||
when: outside_item.rc == 1
|
@@ -1,60 +0,0 @@
|
||||
---
|
||||
- name: jail-postgres | get jail ip
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec postgres ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
|
||||
changed_when: false
|
||||
register: postgres_jail_ip
|
||||
become: true
|
||||
|
||||
- name: jail-postgres | copy letsencrypt certificate
|
||||
ansible.builtin.copy:
|
||||
src: /mnt/storage/home/homelab/letsencrypt/{{ secret_domain }}/{{ item.src }}
|
||||
remote_src: true
|
||||
dest: /mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/{{ item.dest }}
|
||||
owner: 770
|
||||
group: 770
|
||||
mode: 0600
|
||||
loop:
|
||||
- { src: "fullchain.pem", dest: "server.crt" }
|
||||
- { src: "key.pem", dest: "server.key" }
|
||||
notify: restart postgresql
|
||||
become: true
|
||||
|
||||
- block:
|
||||
- name: jail-postgres | disable full page writes because of ZFS
|
||||
ansible.builtin.lineinfile:
|
||||
path: /var/db/postgres/data{{ postgres_version }}/postgresql.conf
|
||||
regexp: '^full_page_writes\s*='
|
||||
line: "full_page_writes=off"
|
||||
state: present
|
||||
notify: restart postgresql
|
||||
|
||||
- name: jail-postgres | listen to all addresses
|
||||
ansible.builtin.lineinfile:
|
||||
path: /var/db/postgres/data{{ postgres_version }}/postgresql.conf
|
||||
regexp: '^listen_addresses\s*='
|
||||
line: "listen_addresses = '*'"
|
||||
state: present
|
||||
notify: restart postgresql
|
||||
|
||||
- name: jail-postgres | ssl configuration
|
||||
ansible.builtin.blockinfile:
|
||||
path: /var/db/postgres/data{{ postgres_version }}/postgresql.conf
|
||||
block: |
|
||||
ssl = on
|
||||
ssl_cert_file = 'server.crt'
|
||||
ssl_key_file = 'server.key'
|
||||
ssl_prefer_server_ciphers = on
|
||||
state: present
|
||||
notify: restart postgresql
|
||||
|
||||
- name: jail-postgres | configure postgres
|
||||
ansible.builtin.template:
|
||||
src: postgres/pg_hba.conf
|
||||
dest: /var/db/postgres/data{{ postgres_version }}/pg_hba.conf
|
||||
owner: postgres
|
||||
group: postgres
|
||||
notify: restart postgresql
|
||||
|
||||
delegate_to: "{{ postgres_jail_ip.stdout }}"
|
||||
remote_user: root
|
@@ -1,143 +0,0 @@
|
||||
---
|
||||
- name: jail-postgres | get jail ip
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec postgres ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
|
||||
changed_when: false
|
||||
register: postgres_jail_ip
|
||||
become: true
|
||||
|
||||
- block:
|
||||
- name: jail-postgres | create zfs pools
|
||||
community.general.zfs:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop:
|
||||
- "{{ pool_name }}/jail-mounts"
|
||||
- "{{ pool_name }}/jail-mounts/postgres"
|
||||
- "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}"
|
||||
|
||||
- name: jail-postgres | configure zfs pool postgresql
|
||||
community.general.zfs:
|
||||
name: "{{ pool_name }}/jail-mounts/postgres"
|
||||
state: present
|
||||
extra_zfs_properties:
|
||||
atime: off
|
||||
setuid: off
|
||||
|
||||
- name: jail-postgres | configure zfs pool postgresql
|
||||
community.general.zfs:
|
||||
name: "{{ pool_name }}/jail-mounts/postgres"
|
||||
state: present
|
||||
extra_zfs_properties:
|
||||
atime: off
|
||||
setuid: off
|
||||
|
||||
- name: jail-postgres | create empty data{{ postgres_version }} dir
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage exec postgres mkdir -p /var/db/postgres/data{{ postgres_version }}
|
||||
|
||||
- name: jail-postgres | mount data{{ postgres_version }}
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage fstab -a postgres /mnt/{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }} /var/db/postgres/data{{ postgres_version }} nullfs rw 0 0
|
||||
become: true
|
||||
|
||||
- block:
|
||||
- name: jail-postgres | packages
|
||||
community.general.pkgng:
|
||||
name:
|
||||
- postgresql{{ postgres_version }}-server
|
||||
- postgresql{{ postgres_version }}-contrib
|
||||
- postgresql{{ postgres_version }}-client
|
||||
- py39-pip
|
||||
state: present
|
||||
|
||||
- name: jail-postgres | pip packages
|
||||
ansible.builtin.pip:
|
||||
name: psycopg2
|
||||
state: present
|
||||
|
||||
- name: jail-postgres | change postgres/data{{ postgres_version }} mod
|
||||
ansible.builtin.file:
|
||||
path: /var/db/postgres/data{{ postgres_version }}
|
||||
owner: postgres
|
||||
group: postgres
|
||||
|
||||
- name: jail-postgres | initdb
|
||||
ansible.builtin.shell:
|
||||
cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ postgres_version }}'
|
||||
|
||||
- name: jail-postgres | move base and pg_wal
|
||||
ansible.builtin.shell:
|
||||
cmd: su -m postgres -c 'mv /var/db/postgres/data{{ postgres_version }}/{{ item }} /var/db/postgres/data{{ postgres_version }}/{{ item }}0'
|
||||
loop:
|
||||
- base
|
||||
- pg_wal
|
||||
|
||||
- name: jail-postgres | create base and pg_wal empty dirs
|
||||
ansible.builtin.file:
|
||||
path: /var/db/postgres/data{{ postgres_version }}/{{ item }}
|
||||
state: directory
|
||||
owner: postgres
|
||||
group: postgres
|
||||
loop:
|
||||
- base
|
||||
- pg_wal
|
||||
|
||||
delegate_to: "{{ postgres_jail_ip.stdout }}"
|
||||
remote_user: root
|
||||
|
||||
- block:
|
||||
- name: jail-postgres | create missing zfs pools
|
||||
community.general.zfs:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop:
|
||||
- "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/base"
|
||||
- "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/pg_wal"
|
||||
|
||||
- name: jail-postgres | mount base
|
||||
ansible.builtin.shell:
|
||||
cmd: iocage fstab -a postgres /mnt/{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/{{ item }} /var/db/postgres/data{{ postgres_version }}/{{ item }} nullfs rw 0 0
|
||||
loop:
|
||||
- base
|
||||
- pg_wal
|
||||
|
||||
become: true
|
||||
|
||||
- block:
|
||||
- name: jail-postgres | move base and pg_wal content to mounts
|
||||
ansible.builtin.shell:
|
||||
cmd: mv /var/db/postgres/data{{ postgres_version }}/{{ item }}0/* /var/db/postgres/data{{ postgres_version }}/{{ item }}/; rmdir /var/db/postgres/data{{ postgres_version }}/{{ item }}0
|
||||
loop:
|
||||
- base
|
||||
- pg_wal
|
||||
|
||||
- name: jail-postgres | change mod
|
||||
ansible.builtin.file:
|
||||
path: /var/db/postgres/data{{ postgres_version }}/{{ item }}
|
||||
state: directory
|
||||
owner: postgres
|
||||
group: postgres
|
||||
recurse: true
|
||||
loop:
|
||||
- base
|
||||
- pg_wal
|
||||
|
||||
- name: jail-postgres | enable postgresql service
|
||||
community.general.sysrc:
|
||||
name: postgresql_enable
|
||||
state: present
|
||||
value: "YES"
|
||||
|
||||
- name: jail-postgres | start postgresql service
|
||||
ansible.builtin.service:
|
||||
name: postgresql
|
||||
state: started
|
||||
|
||||
- name: jail-postgres | change postgres password
|
||||
postgresql_query:
|
||||
login_user: postgres
|
||||
query: ALTER USER postgres PASSWORD '{{ postgres_password }}'
|
||||
|
||||
delegate_to: "{{ postgres_jail_ip.stdout }}"
|
||||
remote_user: root
|
@@ -7,30 +7,3 @@
|
||||
|
||||
- ansible.builtin.include_tasks: wireguard.yml
|
||||
when: "main_nas == false"
|
||||
|
||||
- block:
|
||||
- ansible.builtin.include_tasks: jails/main.yml
|
||||
|
||||
# - ansible.builtin.shell:
|
||||
# cmd: test -f /mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/postgresql.conf
|
||||
# register: postgres_data_exists
|
||||
# become: true
|
||||
# changed_when: false
|
||||
# failed_when: postgres_data_exists.rc != 0 and postgres_data_exists.rc != 1
|
||||
|
||||
# - ansible.builtin.include_tasks: jails/postgres-init.yml
|
||||
# when: postgres_data_exists.rc == 1
|
||||
|
||||
# - ansible.builtin.include_tasks: jails/postgres-conf.yml
|
||||
|
||||
- ansible.builtin.shell:
|
||||
cmd: test -f /mnt/storage/jail-mounts/borgserver/keys/host/ssh_host_ed25519_key
|
||||
register: borgserver_data_exists
|
||||
become: true
|
||||
changed_when: false
|
||||
failed_when: borgserver_data_exists.rc != 0 and borgserver_data_exists.rc != 1
|
||||
|
||||
- ansible.builtin.include_tasks: jails/borgserver-init.yml
|
||||
when: borgserver_data_exists.rc == 1
|
||||
|
||||
when: "main_nas"
|
||||
|