.ansible-lint.yml

@@ -1,3 +0,0 @@
----
-exclude_paths:
-- 'galaxy.roles/'

.gitignore

@@ -2,6 +2,6 @@
 /.vagrant
 /.vscode
 
-/galaxy.roles/
+/ansible/galaxy.roles/
-/ansible-vault-password-file
+ansible-vault-password-file
 *.retry

README.md

@@ -15,7 +15,7 @@
 
 ```bash
 $ cp ansible-vault-password-file.dist ansible-vault-password-file
-$ ansible-galaxy install --role-file requirements.yml
+$ ansible-galaxy install --role-file ansible/requirements.yml
 ```
 
 ## Структура
@@ -24,7 +24,7 @@ $ ansible-galaxy install --role-file requirements.yml
 - Для доступа используется ssh-ключ.
 - Докер используется для запуска и изоляции приложений. Для загрузки образов настраивается Yandex Docker Registry.
 - Выход во внешнюю сеть через proxy server [Caddy](https://caddyserver.com/).
-- Чувствительные данные в `vars/vars.yaml` зашифрованы с помощью Ansible Vault.
+- Чувствительные данные в `ansible/vars/vars.yaml` зашифрованы с помощью Ansible Vault.
 - Для мониторинга за сервером устанавливается [netdata](https://github.com/netdata/netdata).
 
 ## Частые команды

ansible.cfg

@@ -1,4 +1,4 @@
 [defaults]
 host_key_checking = True
 vault_password_file = ./ansible-vault-password-file
-roles_path = ./galaxy.roles
+roles_path = ./ansible/galaxy.roles

ansible/configuration.yml

@@ -1,12 +1,58 @@
 ---
 - hosts: all
-
+  vars:
+    base_port: 41080
+    notes_port: "{{ base_port + 1 }}"
+    dayoff_port: "{{ base_port + 2 }}"
+    homepage_port: "{{ base_port + 3 }}"
+    netdata_port: "{{ base_port + 4 }}"
+    wiki_port: "{{ base_port + 5 }}"
+    nomie_port: "{{ base_port + 6 }}"
+    nomie_db_port: "{{ base_port + 7 }}"
+    gitea_port: "{{ base_port + 8 }}"
+    keycloak_port: "{{ base_port + 9 }}"
+    outline_port: "{{ base_port + 10 }}"
   vars_files:
-    - vars/ports.yml
     - vars/vars.yml
 
   tasks:
 
+    - name: 'Install additional packages.'
+      apt:
+        name: '{{ packages }}'
+        update_cache: yes
+      vars:
+        packages:
+          - git
+          - python3-pip
+          - acl
+
+    - import_role:
+        name: yatesr.timezone
+      vars:
+        timezone: UTC
+
+    - import_role:
+        name: geerlingguy.security
+      vars:
+        security_ssh_permit_root_login: "yes"
+        security_autoupdate_enabled: "no"
+        security_fail2ban_enabled: "yes"
+
+    - name: 'Install python docker lib.'
+      pip:
+        name: docker
+      tags:
+        - docker
+
+    - import_role:
+        name: geerlingguy.docker
+      vars:
+        docker_users:
+          - major
+      tags:
+        - docker
+
     - name: 'Ensure networkd service is started (required by Caddy).'
       systemd:
         name: systemd-networkd
@@ -27,6 +73,14 @@
       tags:
         - webserver
 
+    - import_role:
+        name: netdata
+      vars:
+        netdata_version: 'v2.0.0'
+        netdata_exposed_port: '{{ netdata_port }}'
+      tags:
+        - monitoring
+
     # Applications
 
     - import_role:

ansible/requirements.yml

@@ -1,12 +1,12 @@
 ---
 - src: yatesr.timezone
-  version: 1.2.2
+  version: 1.2.0
 
 - src: geerlingguy.security
-  version: 2.4.0
+  version: 2.2.0
 
 - src: geerlingguy.docker
-  version: 7.4.3
+  version: 6.1.0
 
 - src: caddy_ansible.caddy_ansible
   version: v3.2.0

ansible/roles/netdata/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: 'Grab docker group id.'
+  shell: grep docker /etc/group | cut -d ':' -f 3
+  register: docker_group
+
+- name: 'Create NetData container from {{ netdata_image }}'
+  community.docker.docker_container:
+    name: netdata
+    image: '{{ netdata_image }}'
+    restart_policy: 'always'
+    published_ports:
+      - '127.0.0.1:{{ netdata_exposed_port }}:19999'
+    volumes:
+      - '/proc:/host/proc:ro'
+      - '/sys:/host/sys:ro'
+      - '/var/run/docker.sock:/var/run/docker.sock:ro'
+    capabilities:
+      - 'SYS_PTRACE'
+    security_opts:
+      - 'apparmor:unconfined'
+    env:
+      PGID: '{{ docker_group.stdout | default(999) }}'

app/gitea/docker-compose.yml

@@ -1,12 +1,14 @@
+version: "3"
+
 services:
 
   server:
-    image: gitea/gitea:1.22.6
+    image: gitea/gitea:1.22.4
-    restart: unless-stopped
     environment:
       - "USER_UID=${USER_UID}"
       - "USER_GID=${USER_GID}"
       - "GITEA__server__SSH_PORT=2222"
+    restart: unless-stopped
     volumes:
       - ./data:/data
       - /etc/timezone:/etc/timezone:ro

app/keycloak/docker-compose.prod.yml

@@ -1,3 +1,5 @@
+version: "3"
+
 # Images: https://quay.io/repository/keycloak/keycloak?tab=tags&tag=latest
 # Configuration: https://www.keycloak.org/server/all-config
 

app/keycloak/docker-compose.yml

@@ -1,3 +1,5 @@
+version: "3"
+
 # Images: https://quay.io/repository/keycloak/keycloak?tab=tags&tag=latest
 # Configuration: https://www.keycloak.org/server/all-config
 

app/outline/docker-compose.prod.yml

@@ -1,8 +1,8 @@
+version: "3.2"
 services:
 
   outline-app:
     image: outlinewiki/outline:0.81.1
-    restart: unless-stopped
     ports:
       - "${WEB_SERVER_PORT}:3000"
     depends_on:
@@ -37,7 +37,6 @@ services:
 
   redis:
     image: redis:7.2-bookworm
-    restart: unless-stopped
     ports:
       - "6379:6379"
     volumes:
@@ -46,7 +45,6 @@ services:
 
   postgres:
     image: postgres:16.3-bookworm
-    restart: unless-stopped
     ports:
       - "5432:5432"
     volumes:

app/wiki/docker-compose.yml

@@ -0,0 +1,33 @@
+version: "3"
+
+services:
+
+  db:
+    image: postgres:15.2-alpine
+    environment:
+      POSTGRES_DB: wiki
+      POSTGRES_PASSWORD: wikijsrocks
+      POSTGRES_USER: wikijs
+    logging:
+      driver: "none"
+    restart: unless-stopped
+    volumes:
+      - db-data:/var/lib/postgresql/data
+
+  wiki:
+    image: ghcr.io/requarks/wiki:2.5.300
+    depends_on:
+      - db
+    environment:
+      DB_TYPE: postgres
+      DB_HOST: db
+      DB_PORT: 5432
+      DB_USER: wikijs
+      DB_PASS: wikijsrocks
+      DB_NAME: wiki
+    restart: unless-stopped
+    ports:
+      - "${WEB_SERVER_PORT}:3000"
+
+volumes:
+  db-data:

playbook-docker.yml

@@ -1,25 +0,0 @@
----
-- name: 'Configure docker parameters'
-  hosts: all
-
-  vars_files:
-    - vars/ports.yml
-    - vars/vars.yml
-
-  tasks:
-
-    - name: 'Install python docker lib from pip'
-      ansible.builtin.pip:
-        name: docker
-
-    - name: 'Install docker'
-      ansible.builtin.import_role:
-        name: geerlingguy.docker
-      vars:
-        docker_edition: 'ce'
-        docker_packages:
-          - "docker-{{ docker_edition }}"
-          - "docker-{{ docker_edition }}-cli"
-          - "docker-{{ docker_edition }}-rootless-extras"        
-        docker_users:
-          - major

playbook-netdata.yml

@@ -1,17 +0,0 @@
----
-- name: 'Install Netdata monitoring service'
-  hosts: all
-
-  vars_files:
-    - vars/ports.yml
-    - vars/vars.yml
-
-  tasks:
-    - name: 'Install Netdata from role'
-      ansible.builtin.import_role:
-        name: netdata
-      vars:
-        netdata_version: 'v2.1.0'
-        netdata_exposed_port: '{{ netdata_port }}'
-      tags:
-        - monitoring

playbook-system.yml

@@ -1,36 +0,0 @@
----
-- name: 'Configure base system parameters'
-  hosts: all
-
-  vars_files:
-    - vars/ports.yml
-    - vars/vars.yml
-
-  vars:
-    apt_packages:
-      - acl
-      - git
-      - python3-pip
-
-  tasks:
-
-    - name: 'Install additional apt packages'
-      ansible.builtin.apt:
-        name: '{{ apt_packages }}'
-        update_cache: true
-
-    - name: 'Configure timezone'
-      ansible.builtin.import_role:
-        name: yatesr.timezone
-      vars:
-        timezone: UTC
-      tags:
-        - skip_ansible_lint
-
-    - name: 'Configure security settings'
-      ansible.builtin.import_role:
-        name: geerlingguy.security
-      vars:
-        security_ssh_permit_root_login: "yes"
-        security_autoupdate_enabled: "no"
-        security_fail2ban_enabled: "yes"

playbook-upgrade.yml

@@ -1,27 +0,0 @@
----
-- name: 'Update and upgrade system packages'
-  hosts: all
-
-  vars_files:
-    - vars/ports.yml
-    - vars/vars.yml
-
-  tasks:
-    - name: Perform an upgrade of packages
-      ansible.builtin.apt:
-        upgrade: 'yes'
-        update_cache: yes
-
-    - name: Check if a reboot is required
-      ansible.builtin.stat:
-        path: /var/run/reboot-required
-        get_checksum: no
-      register: reboot_required_file
-
-    - name: Reboot the server (if required)
-      ansible.builtin.reboot:
-      when: reboot_required_file.stat.exists == true
-
-    - name: Remove dependencies that are no longer required
-      ansible.builtin.apt:
-        autoremove: yes

roles/netdata/tasks/main.yml

@@ -1,36 +0,0 @@
----
-- name: 'Grab docker group id.'
-  ansible.builtin.shell:
-    cmd: |
-      set -o pipefail
-      grep docker /etc/group | cut -d ':' -f 3
-    executable: /bin/bash
-  register: netdata_docker_group_output
-  changed_when: netdata_docker_group_output.rc != 0
-
-- name: 'Create NetData container from {{ netdata_image }}'
-  community.docker.docker_container:
-    name: netdata
-    image: '{{ netdata_image }}'
-    image_name_mismatch: 'recreate'
-    restart_policy: 'always'
-    published_ports:
-      - '127.0.0.1:{{ netdata_exposed_port }}:19999'
-    volumes:
-      - '/:/host/root:ro,rslave'
-      - '/etc/group:/host/etc/group:ro'
-      - '/etc/localtime:/etc/localtime:ro'
-      - '/etc/os-release:/host/etc/os-release:ro'
-      - '/etc/passwd:/host/etc/passwd:ro'
-      - '/proc:/host/proc:ro'
-      - '/run/dbus:/run/dbus:ro'
-      - '/sys:/host/sys:ro'
-      - '/var/log:/host/var/log:ro'
-      - '/var/run/docker.sock:/var/run/docker.sock:ro'
-    capabilities:
-      - 'SYS_PTRACE'
-      - 'SYS_ADMIN'
-    security_opts:
-      - 'apparmor:unconfined'
-    env:
-      PGID: '{{ netdata_docker_group_output.stdout | default(999) }}'

tasks.py

@@ -3,7 +3,7 @@ import shlex
 import fabric
 from invoke import task
 
-SERVER_HOST_FILE = "hosts_prod"
+SERVER_HOST_FILE = "ansible/hosts_prod"
 DOKER_REGISTRY = "cr.yandex/crplfk0168i4o8kd7ade"
 
 
@@ -12,6 +12,11 @@ def deploy_gitea(context):
     deploy("gitea", dirs=["data"])
 
 
+@task(name="deploy:wiki")
+def deploy_wiki(context):
+    deploy("wiki")
+
+
 @task(name="deploy:keycloak")
 def deploy_keykloak(context):
     deploy("keycloak", compose_file="docker-compose.prod.yml", dirs=["data"])
@@ -51,7 +56,7 @@ def deploy(app_name: str, compose_file="docker-compose.yml", dirs=None):
             c.run(f"mkdir -p {d}")
         print("Up services")
         c.run(
-            f"docker compose --project-name {shlex.quote(app_name)} --env-file=.env.prod up --detach --remove-orphans"
+            f"docker-compose --project-name {shlex.quote(app_name)} --env-file=.env.prod up --detach --remove-orphans"
         )
         c.run(
             f"docker system prune --all --volumes --force"

vars/ports.yml

@@ -1,12 +0,0 @@
----
-base_port: 41080
-notes_port: "{{ base_port + 1 }}"
-dayoff_port: "{{ base_port + 2 }}"
-homepage_port: "{{ base_port + 3 }}"
-netdata_port: "{{ base_port + 4 }}"
-wiki_port: "{{ base_port + 5 }}"
-nomie_port: "{{ base_port + 6 }}"
-nomie_db_port: "{{ base_port + 7 }}"
-gitea_port: "{{ base_port + 8 }}"
-keycloak_port: "{{ base_port + 9 }}"
-outline_port: "{{ base_port + 10 }}"