Initial Commit

2025-09-08 18:29:40 +10:00
commit 12444311a4
59 changed files with 2931 additions and 0 deletions
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -0,0 +1,2 @@
+---
+# defaults file for docker
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@ -0,0 +1,52 @@
+galaxy_info:
+  author: Matthew McKinnon
+  description: Mounting NFS filesystem
+  company: support@comprofix.com
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -0,0 +1,49 @@
+---
+- name: Add Docker apt key.
+  ansible.builtin.get_url:
+    url: "{{ docker_apt_gpg_key }}"
+    dest: /etc/apt/trusted.gpg.d/docker.asc
+    mode: "0644"
+    force: false
+    checksum: "{{ docker_apt_gpg_key_checksum | default(omit) }}"
+  ignore_errors: true
+
+- name: Add Docker repository.
+  apt_repository:
+    repo: "{{ docker_apt_repository }}"
+    state: present
+    filename: "{{ docker_apt_filename }}"
+    update_cache: true
+
+- name: Install Docker packages.
+  package:
+    name: "{{ docker_packages }}"
+    state: "present"
+
+- name: Install Docker Module for Python
+  pip:
+    name:
+      - PyYAML==5.3.1
+      - docker
+      - docker-compose
+      - pymysql
+      - passlib
+    state: "present"
+
+- name: Ensure docker users are added to the docker group.
+  user:
+    name: "{{ item }}"
+    groups: docker
+    append: true
+  with_items: "{{ docker_users }}"
+
+- name: Reset ssh connection to apply user changes.
+  meta: reset_connection
+
+- name: Setup cron job for backup
+  cron:
+    name: Docker Prune
+    weekday: 0
+    minute: 0
+    hour: 5
+    job: "docker system prune -af && docker image prune -af && docker system prune -af --volumes"
--- a/roles/docker/vars/main.yml
+++ b/roles/docker/vars/main.yml
@ -0,0 +1,51 @@
+$ANSIBLE_VAULT;1.1;AES256
+32396236613762346266373632613335306233666563346466653731653034613637656335636463
+3864336133316534333262373835643732303963353538320a343235363461613837383962303762
+62373739653137326664306563646632663661323339626636333461303132366133393266313833
+6137313537666138320a376334396531643233626265643538613133313866623236383338353035
+62623166316366393837313166646539376362383363353862303439303230376163366335353237
+66626130373762333536396265663262376335323162633961656139313435333765363163633161
+65393532663339363738623232316135326338656330303764633530663661626163343533643430
+63646337363636386337373435373939363434646161616638326665316636383362346232303763
+39656636643261383137306339633433613534313362636537393433656230613333333463396437
+32623630636464313665656562393766376330633038366534623634656535303237666332363638
+36373566303432653664383230626436663362323336336233396363353430353535336464376137
+33393762363330633963656161383535306365383062616466626266373637396338643930333931
+66373739303232393233303131663031333639346236633030346337313938383739386561386263
+36643831323930666665376237656163393532333438346332653562306532636530386365636331
+38643637613261373030323963656266613661656663643330383333336336383433393633383335
+65326130646536323861346437336362333630613034366639656536353430326366316530396436
+34636235336433666261386163316330363337393963643761646261633932666134316331386463
+63643463343162313162323537623764303564343438636133643162646530643435306262653838
+30376539303130303536316136383761333836646231316563633564643635376230313333653739
+38663032343736626461303835656662323064666139323935323534346362383636636237333937
+34616663666364323734643530343936383030326539623065356561633563653764386134633562
+37616463633931336233623335336331313463656132653331303530616332306332613936623130
+63616264333531303762663665323636663466313933393064623534653561343561633632636565
+39633435313963393034366336316665323339333962343666666533646632343666393332323635
+65653062643332663362343666643433336562353639656366623961306132313734613838336237
+36653962353839636662363335373238393433613037623364356637336562303765313466313166
+34326365393433646166653461333138386166663537343566633565316163323866333932366432
+34666532346164316232663964666132653232393264633066333734333238636135376263643937
+66353665353564353938343934363337396165616462336439363338343065306533653334636566
+35356231346431646237636662633030313135633663336163383965656136393238636334396137
+65613833666662353339616434623735386638656331643831383134626163386636313633323333
+34383862373634373732613333656437323436383962306163633833343430303336383433366336
+63313138383237373330623536383438306330373164336637646165313562343935656566653531
+30356365333863383165633634343230653735343164393030313339653563376435313832396266
+65623237393066666163363530356163313861323366373233383531386533623965306237623137
+33363239396634306466663535323736373333643266336164336230303836643939343335626339
+35373166616136633666323034313364613334303462616564383861343738653964663332616536
+32353135633331336239353834666237313939386334383261663532333139636363353436363864
+33396336623566346532613738353332643965623335653162323534613330663964353833333937
+30373761393834323964633039393339376538353261396331316336323333383064356363633264
+62613432313436353163383837363935373164366236343936313366623936336439613364336639
+63336536333732326236323761323033613965333763366237316431303363346263373131663338
+65376535386239353362326630396232623533626266376233326330316466383564313935663134
+65363839323134663537356663346437616662366463393036353736353664356538656163353562
+65323162663934653462353136353065333666353564313066613466663734623066623439613964
+36353035653163306661393335636430623233633962303033656539363265663135666663643164
+37613334653964366433646366613861336335373137393065373739363863626334316631323332
+66623465373730373231316265653330383061326231373931636132663233643735343564313636
+36313330336461616134663336306566646639383435396236383162366266366662383635333832
+3266363963363362343563653131373339666163663536653032
--- a/roles/docker/vars/main.yml-template
+++ b/roles/docker/vars/main.yml-template
@ -0,0 +1,21 @@
+---
+# vars file for docker
+docker_edition: 'ce'
+docker_packages:
+  - "docker-{{ docker_edition }}"
+  - "docker-{{ docker_edition }}-cli"
+  - "docker-{{ docker_edition }}-rootless-extras"
+  - "containerd.io"
+  - "docker"
+  - "docker-compose-plugin"
+# Docker repo URL.
+docker_url: https://download.docker.com/linux
+docker_apt_repository: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] {{docker_url}}/{{ ansible_distribution | lower}} {{ansible_distribution_release}} stable"
+docker_apt_ignore_key_error: true
+docker_apt_gpg_key: "{{ docker_url }}/{{ ansible_distribution | lower }}/gpg"
+docker_apt_gpg_key_checksum: "sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570"
+docker_apt_filename: "docker"
+# A list of users who will be added to the docker group.
+docker_users: [administrator] # CHANGE_ME!!! - Add addition users.
+# Docker daemon options as a dict
+docker_daemon_options: {} 
--- a/roles/nfs/defaults/main.yml
+++ b/roles/nfs/defaults/main.yml
@ -0,0 +1,8 @@
+---
+# defaults file for roles/nfs-mount
+
+# List of NFS shares
+nfs_share_mounts: []
+
+# Default NFS4 mount options
+nfs_mount_opts: "rw,sync,hard"
--- a/roles/nfs/meta/main.yml
+++ b/roles/nfs/meta/main.yml
@ -0,0 +1,52 @@
+galaxy_info:
+  author: Matthew McKinnon
+  description: Mounting NFS filesystem
+  company: support@comprofix.com
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/roles/nfs/tasks/main.yml
+++ b/roles/nfs/tasks/main.yml
@ -0,0 +1,20 @@
+---
+  
+- name: Install NFS mount utility
+  ansible.builtin.apt:
+    update_cache: true
+    pkg: nfs-common
+    state: present
+  when: ansible_os_family == "Debian"
+
+- name: Mount an NFS volume
+  ansible.posix.mount:
+    src: "{{ item.src }}"
+    path: "{{ item.path }}"
+    opts: "{{ item.opts | default(nfs_mount_opts) }}"
+    state: "{{ item.state | default( 'mounted' ) }}"
+    fstype: nfs
+  with_items: "{{ mounts }}"
+    
+
+
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@ -0,0 +1,2 @@
+---
+# defaults file for common
--- a/roles/traefik/meta/main.yml
+++ b/roles/traefik/meta/main.yml
@ -0,0 +1,52 @@
+galaxy_info:
+  author: Matthew McKinnon
+  description: Traefik Proxy
+  company: support@comprofix.com
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@ -0,0 +1,95 @@
+---
+- name: Create directories
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - "{{ data_folder }}/traefik"
+    - "{{ data_folder }}/traefik/data"
+    - "{{ data_folder }}/traefik/data/log"
+
+
+- name: Create a network
+  docker_network:
+    name: proxy
+  register: network
+
+- name: Copy Traefik config
+  template:
+    src: templates/traefik.yml.j2
+    dest: "{{ data_folder }}/traefik/data/traefik.yml"
+    mode: "0600"
+
+- name: Copy Traefik config
+  template:
+    src: templates/config.yml.j2
+    dest: "{{ data_folder }}/traefik/data/config.yml"
+    mode: "0600"
+  when: traefik_host == "traefik02.comprofix.xyz"
+
+- name: Check if {{ data_folder }}/traefik/data/acme.json exists
+  ansible.builtin.stat:
+    path: "{{ data_folder }}/traefik/data/acme.json"
+  register: file_status
+
+- name: Creates {{ data_folder }}/traefik/data/acme.json if it doesn't exists
+  ansible.builtin.file:
+    path: "{{ data_folder }}/traefik/data/acme.json"
+    state: touch
+    owner: root
+    group: root
+    mode: "0600"
+  when: not file_status.stat.exists
+
+- name: Check if traefik.json.log exists
+  ansible.builtin.stat:
+    path: "{{ data_folder }}/traefik/data/log/traefik.json.log"
+  register: file_status
+
+- name: Creates traefik.json.log if it doesn't exists
+  ansible.builtin.file:
+    path: "{{ data_folder }}/traefik/data/log/traefik.json.log"
+    state: touch
+    owner: root
+    group: root
+    mode: "0600"
+  when: not file_status.stat.exists
+
+- name: Create traefik Container
+  docker_container:
+    name: traefik
+    image: traefik:v3.5
+    restart_policy: unless-stopped
+    networks:
+      - name: "proxy"
+    ports:
+      - 80:80
+      - 443:443
+    env:
+      CF_API_EMAIL: "{{ CF_API_EMAIL }}"
+      CF_DNS_API_TOKEN: "{{CF_DNS_API_TOKEN}}"
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - "{{ data_folder }}/traefik/data/traefik.yml:/traefik.yml:ro"
+      - "{{ data_folder }}/traefik/data/acme.json:/acme.json"
+      - "{{ data_folder }}/traefik/data/log:/var/log/traefik"
+      - "{{ data_folder }}/traefik/data/config.yml:/config.yml:ro"
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.traefik.entrypoints: "http"
+      traefik.http.routers.traefik.rule: "Host(`{{traefik_host}}`)"
+      traefik.http.middlewares.traefik-auth.basicauth.users: "{{ traefik_api_user }}:{{ traefik_api_password | password_hash('blowfish','1234567890123456789012') }}"
+      traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme: "https"
+      traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto: "https"
+      traefik.http.routers.traefik.middlewares: "traefik-https-redirect"
+      traefik.http.routers.traefik-secure.entrypoints: "https"
+      traefik.http.routers.traefik-secure.rule: "Host(`{{traefik_host}}`)"
+      traefik.http.routers.traefik-secure.middlewares: "traefik-auth"
+      traefik.http.routers.traefik-secure.tls: "true"
+      traefik.http.routers.traefik-secure.tls.certresolver: "cloudflare"
+      traefik.http.routers.traefik-secure.tls.domains[0].main: "comprofix.com"
+      traefik.http.routers.traefik-secure.tls.domains[0].sans: "*.comprofix.com"
+      traefik.http.routers.traefik-secure.tls.domains[1].main: "comprofix.xyz"
+      traefik.http.routers.traefik-secure.tls.domains[1].sans: "*.comprofix.xyz"
+      traefik.http.routers.traefik-secure.service: "api@internal"
--- a/roles/traefik/templates/config.yml.j2
+++ b/roles/traefik/templates/config.yml.j2
@ -0,0 +1,51 @@
+---
+http:
+  routers:
+    oc-router:
+      entryPoints:
+        - "https"
+      service: oc-service
+      rule: "Host(`omada.comprofix.xyz`)" # change it to actual address
+      tls: {}
+      middlewares:
+        - default-headers
+        - https-redirect
+
+  services:
+    oc-service:
+      loadBalancer:
+        servers:
+          - url: https://omada-lxc.comprofix.xyz:8043 # change it to actual ip of the controller
+
+  middlewares:
+    https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    default-headers:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 15552000
+        customFrameOptionsValue: SAMEORIGIN
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    default-whitelist:
+      IPAllowList:
+        sourceRange:
+        - "10.0.0.0/8"
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+        - "100.64.0.0/10"
+
+    secured:
+      chain:
+        middlewares:
+        - default-headers
--- a/roles/traefik/templates/traefik.yml.j2
+++ b/roles/traefik/templates/traefik.yml.j2
@ -0,0 +1,42 @@
+api:
+  dashboard: true
+  debug: true
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+
+serversTransport:
+  insecureSkipVerify: true
+
+log:
+  level: DEBUG
+  filePath: /var/log/traefik/traefik.json.log
+  format: json
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yml
+
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: {{ CF_API_EMAIL }}
+      storage: acme.json
+      dnsChallenge:
+        provider: cloudflare
+        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"
+  
--- a/roles/traefik/vars/main.yml
+++ b/roles/traefik/vars/main.yml
@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+61386364396339353533653064303734346336653531366139333738353461613037396365663265
+3731366362343630646162353636316565356563323135350a636335653931376137666139653739
+36306631376639336561643064386430633636343362646233623263356635636134303931356364
+6466383864366236320a376134623032383566643166626231323432373562373864333864653032
+63316630303362616337383833623733316131323764626532366338333566643834326236383232
+31646330363965386233383739336238336538666165383166393834643134663937393535333361
+34373236386339366436643733393030313331303537636233383864623435386166366537386633
+37653030313066393136616661356564373932643033663735656238313132396664623438343833
+65356539386435656433393933653939313635376639366163353336373661396230336533626238
+39643438313763343635393165376263666633363963623962643263323531616466656532646432
+62383430346666343465613436346637333336663562316165303864376464363566343165633665
+66353134313866393439323564353834346436326132643439383134623864333765616162353436
+6338
--- a/roles/traefik/vars/main.yml-template
+++ b/roles/traefik/vars/main.yml-template
@ -0,0 +1,5 @@
+---
+CF_API_EMAIL: CF_EMAIL
+CF_DNS_API_TOKEN: "CF_API_TOKEN"
+traefik_api_user: "admin"
+traefik_api_password: "password"