
feat: setup tailscale and gitea

pull/3/head
Karan Sharma 1 year ago
parent
commit
dbe63bd282
  1. 1
      .gitignore
  2. 5
      hetzner/ansible/README.md
  3. 2
      hetzner/ansible/ansible.cfg
  4. 23
      hetzner/ansible/playbook.yml
  5. 11
      hetzner/ansible/roles/bootstrap-node/tasks/apt.yml
  6. 6
      hetzner/ansible/roles/bootstrap-node/tasks/docker.yml
  7. 2
      hetzner/ansible/roles/bootstrap-node/tasks/main.yml
  8. 0
      hetzner/ansible/roles/bootstrap-node/tasks/node-exporter.yml
  9. 9
      hetzner/ansible/roles/bootstrap-node/tasks/ufw.yml
  10. 6
      hetzner/ansible/roles/bootstrap-node/tasks/user.yml
  11. 14
      hetzner/ansible/roles/setup-gitea/tasks/main.yml
  12. 21
      hetzner/ansible/roles/setup-gitea/templates/gitea-docker-compose.yml.j2
  13. 16
      hetzner/ansible/roles/setup-tailscale/handlers/main.yml
  14. 33
      hetzner/ansible/roles/setup-tailscale/tasks/main.yml

1
.gitignore

@ -10,3 +10,4 @@ inventory
*.backup
*.env
AdGuardHome.yaml
.ci-vault-pass

5
hetzner/ansible/README.md

@ -7,3 +7,8 @@
1) `ansible_ssh_user` for the first run is `root` since there is no user in the instance.
You must ensure that `bootstrap-nodes` role is first run before continuing. It disables the `root` SSH login to the instance and only
the `username` supplied in `inventory` has access to SSH. If you fail at this step, you need to debug before proceeding.
2) For Tailscale, it is recommended to generate `Pre Authorisation Keys` and encrypt them in vault:
- To encrypt the string `ansible-vault encrypt_string '<AUTH-KEY>' --name 'tailscale_auth_key`
- To run the playbook: `ansible-playbook -i inventory playbook.yml --tag=tailscale --ask-vault-pass`

2
hetzner/ansible/ansible.cfg

@ -1,5 +1,7 @@
[defaults]
roles_path = ./roles
inventory = ./inventory
strategy_plugins = /home/karan/.local/lib/python3.8/site-packages/ansible_mitogen/plugins/strategy
strategy = mitogen_linear
[ssh_connection]
scp_if_ssh = True
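Review bot: `strategy_plugins` points at a per-user absolute path (`/home/karan/.local/lib/python3.8/...`), so on any other machine or in CI (the commit also adds `.ci-vault-pass` to .gitignore) Ansible will not find the mitogen strategy and the `strategy = mitogen_linear` line will fail the run. Keeping the two mitogen lines out of the checked-in config and supplying them locally via `ANSIBLE_STRATEGY_PLUGINS` / `ANSIBLE_STRATEGY` environment variables, or at least documenting the mitogen dependency in the README, keeps the shared config portable.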

23
hetzner/ansible/playbook.yml

@ -1,11 +1,26 @@
---
- hosts: all
become: yes
become_method: sudo
roles:
- bootstrap-node
- role: bootstrap-node
tags:
- bootstrap
- role: setup-gitea
tags:
- gitea
vars:
- gitea_image_tag: 1.12.3
- gitea_project_dir: "{{ansible_env.HOME}}/services/gitea"
- role: setup-tailscale
become: yes
# vars:
# tailscale_auth_key: !vault |
tags:
- tailscale
- role: gantsign.antigen
tags:
- bootstrap
- zsh
users:
- username: "{{username}}"
antigen_libraries:
@ -20,4 +35,4 @@
- name: command-not-found
# Syntax highlighting bundle.
- name: zsh-syntax-highlighting # `name` is required (any valid file name will do so long as it's unique for the bundles)
url: zsh-users/zsh-syntax-highlighting
url: zsh-users/zsh-syntax-highlighting
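Review bot: The `vars:` under `setup-gitea` is written as a list of single-key mappings (`- gitea_image_tag: 1.12.3`); the documented form is a plain mapping, `gitea_image_tag: "1.12.3"` and `gitea_project_dir: "{{ ansible_env.HOME }}/services/gitea"`, which does not depend on list-of-dicts handling. `gitea_project_dir` derives from `{{ansible_env.HOME}}` while the play sets `become: yes` for all hosts; if facts are gathered under become, that resolves to root's home rather than the inventory user's, so the intended location is worth confirming. The `become: yes` on the `setup-tailscale` role duplicates the play-level setting, and the commented `tailscale_auth_key: !vault |` snippet belongs in a `group_vars`/`host_vars` file rather than in the play. The second hunk's `url:` line differs only in whitespace as rendered here, so its side could not be confirmed.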

11
hetzner/ansible/roles/bootstrap-node/tasks/apt.yml

@ -1,9 +1,11 @@
- name: Update apt cache and upgrade
become: yes
apt:
update_cache: yes
upgrade: "yes"
- name: Install dependencies
become: yes
apt:
name: "{{ packages }}"
vars:
@ -13,6 +15,13 @@
- curl
- jq
- fzf
- python
- python3-pip
- python-apt
- python3-apt
- python-is-python3
- gnupg2
- gnupg-agent
- name: install unattended-upgrades
apt:
@ -20,9 +29,11 @@
state: present
- name: Remove useless packages from the cache
become: yes
apt:
autoclean: yes
- name: Remove dependencies that are no longer required
become: yes
apt:
autoremove: yes
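Review bot: `become: yes` is repeated on each task in this file although the play in playbook.yml already sets `become: yes` for all hosts, so the per-task lines add noise rather than privilege; if they stay, `become: true` is the canonical boolean. The package list mixes Python 2 and Python 3 packages (`python`, `python-apt` alongside `python3-apt`, `python-is-python3`); on releases where the `python` package is no longer available the whole `Install dependencies` task fails, so the list is worth checking against the target distribution. The `Install dependencies` task's `vars:` block continues outside the hunk.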

6
hetzner/ansible/roles/bootstrap-node/tasks/docker.yml

@ -81,9 +81,15 @@
group: "root"
mode: "0644"
notify: Restart Docker
tags:
- docker
- name: Install Docker-compose
shell: sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
tags:
- docker
- name: Changing perm of /usr/local/bin/docker-compose
file: dest=/usr/local/bin/docker-compose mode=a+x
tags:
- docker
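Review bot: The Docker-compose binary is downloaded with `curl` and executed as root with no integrity check, and the task runs `sudo` inside `shell` although the play already escalates via `become`. `get_url` with `checksum:` verifies the pinned 1.26.2 artifact against its published digest, sets the execute bit in the same step (replacing the separate `file: dest=/usr/local/bin/docker-compose mode=a+x` task, which also uses the legacy key=value form), and is idempotent instead of re-downloading on every run. `ansible_system` and `ansible_architecture` stand in for the `$(uname -s)`/`$(uname -m)` substitutions. The digest below is a placeholder to be filled from the release's checksum file.
```yaml
# … unchanged: daemon config file task (group/mode/notify) …
- name: Install Docker-compose
  get_url:
    url: "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
    dest: /usr/local/bin/docker-compose
    mode: "0755"
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
  tags:
    - docker
```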

2
hetzner/ansible/roles/bootstrap-node/tasks/main.yml

@ -17,6 +17,7 @@
- ssh
- import_tasks: ufw.yml
become: yes
tags:
- ufw
@ -25,6 +26,7 @@
- timezone
- import_tasks: docker.yml
become: yes
tags:
- docker

0
hetzner/ansible/roles/bootstrap-node/tasks/node-exporter.yml

9
hetzner/ansible/roles/bootstrap-node/tasks/ufw.yml

@ -12,3 +12,12 @@
ufw:
rule: allow
name: OpenSSH
- name: Allow access to tcp port 80 from Tailscale CIDR
ufw:
rule: allow
port: "80"
src: "{{item}}"
proto: tcp
loop:
- 100.64.0.0/10
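Review bot: The new rule keys access on the source range `100.64.0.0/10`, which is the entire CGNAT block rather than Tailscale specifically, and nothing added in this commit listens on port 80 (the Gitea compose publishes 3000 and 2221). Restricting by interface is tighter and independent of the address range: add `interface: tailscale0` and `direction: in` to the same `ufw:` task, and since `loop` has a single item it can be a plain `src: 100.64.0.0/10`. Note also that Docker inserts its own iptables rules ahead of ufw's, so this rule does not gate the ports the compose file publishes; that needs handling in `setup-gitea/templates/gitea-docker-compose.yml.j2`.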

6
hetzner/ansible/roles/bootstrap-node/tasks/user.yml

@ -12,8 +12,9 @@
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
when: ansible_user == "root"
- name: Create user and grant sudo access
- name: Add user to wheel group
user:
name: "{{username}}"
groups:
@ -22,10 +23,11 @@
state: present
createhome: yes
shell: /bin/bash
when: ansible_user == "root"
- name: Set authorized key for user
authorized_key:
user: "{{username}}"
state: present
key: "{{github_ssh_key_url}}"
when: github_ssh_key_url != None
when: github_ssh_key_url != None and ansible_user == username
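Review bot: The added `and ansible_user == username` on the last line appears to mean the first run as `root` creates the user but never installs the authorized key, so unless ssh.yml (not in this commit) installs it another way, once root SSH login is disabled there is no key for `{{username}}` to log in with. `authorized_key` with `user: "{{username}}"` works fine when run as root, so the previous condition looks like the safer one. `!= None` also does not catch an undefined or empty variable; `when: github_ssh_key_url is defined and github_ssh_key_url | length > 0` is the robust form. The rendered page drops the `+`/`-` markers, so which `when:` line is old and which is new was inferred from the diffstat.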

14
hetzner/ansible/roles/setup-gitea/tasks/main.yml

@ -0,0 +1,14 @@
- name: Create gitea project directory if it does not exist
file:
path: "{{gitea_project_dir}}"
state: directory
- name: Copy gitea docker-compose
template:
src: gitea-docker-compose.yml.j2
dest: "{{gitea_project_dir}}/docker-compose.yml"
- name: Start docker-compose
shell:
cmd: docker-compose up -d
chdir: "{{gitea_project_dir}}"
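Review bot: `Start docker-compose` runs `docker-compose up -d` through `shell`, which reports `changed` on every run and gives no signal about whether the stack was already up. No shell features are used, so `command:` is the safer module for the same line; better still, the `docker_compose` module with `project_src: "{{gitea_project_dir}}"` is idempotent and returns per-service state (it needs the `docker-compose` Python package on the target, which this commit does not install). The `file` task creating `gitea_project_dir` sets no `mode:`, so the directory holding the compose file inherits the umask of the become user.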

21
hetzner/ansible/roles/setup-gitea/templates/gitea-docker-compose.yml.j2

@ -0,0 +1,21 @@
version: "3.8"
services:
server:
image: gitea/gitea:{{gitea_image_tag}}
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
networks:
- gitea
volumes:
- /data/gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "2221:22"
networks:
gitea:
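Review bot: The `ports:` entries `"3000:3000"` and `"2221:22"` publish on all interfaces, and Docker programs iptables ahead of ufw, so the port-80 rule in `bootstrap-node/tasks/ufw.yml` does not restrict reaching Gitea's web UI or its SSH port from the public address. Prefix the host side with the intended address, e.g. `- "127.0.0.1:3000:3000"` for a local reverse proxy, or the Tailscale address for tailnet-only access (`{{ ansible_tailscale0.ipv4.address }}` is available once the interface is up at fact-gathering time; the `tailscale up` step is still commented out in this commit). `/data/gitea` is bind-mounted while the container runs as `USER_UID=1000`; creating that directory with the matching owner in the role avoids a root-owned data directory on first start.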

16
hetzner/ansible/roles/setup-tailscale/handlers/main.yml

@ -0,0 +1,16 @@
- name: enable tailscaled service
service:
name: tailscaled
state: started
enabled: yes
- name: Tailscale Status
listen: Confirm Tailscale is Connected
command: tailscale status
register: handlers_tailscale_status
- name: Assert Tailscale is Connected
listen: Confirm Tailscale is Connected
assert:
that:
- handlers_tailscale_status.stdout | length != 0
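Review bot: The assertion `handlers_tailscale_status.stdout | length != 0` does not establish connectivity, because `tailscale status` can also print output (a stopped or logged-out message) when there is no connection. `tailscale status --json` exposes `BackendState`, which is `"Running"` once connected; register that command instead and assert `(handlers_tailscale_status.stdout | from_json).BackendState == "Running"`. The same stdout-length test is used as the `when:` of the commented-out `Bring Tailscale Up` task in `setup-tailscale/tasks/main.yml`. `enabled: yes` is better written `enabled: true`.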

33
hetzner/ansible/roles/setup-tailscale/tasks/main.yml

@ -0,0 +1,33 @@
- name: Update apt cache and upgrade
apt:
update_cache: yes
upgrade: "yes"
- name: Tailscale Signing Key
apt_key:
url: https://pkgs.tailscale.com/stable/{{ ansible_distribution | lower }}/{{ ansible_distribution_release | lower }}.gpg
state: present
- name: Add Tailscale Deb
apt_repository:
repo: deb https://pkgs.tailscale.com/stable/{{ ansible_distribution | lower }} {{ ansible_distribution_release | lower }} main
state: present
- name: Install Tailscale
apt:
name: tailscale
state: present
update_cache: yes
notify: enable tailscaled service
- name: Check if Tailscale is connected
command: tailscale status
changed_when: false
register: tailscale_status
# - name: Bring Tailscale Up
# become: yes
# command: tailscale up --authkey={{ tailscale_auth_key }}
# register: tailscale_start
# when: tailscale_status.stdout | length == 0
# notify: Confirm Tailscale is Connected
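Review bot: When the commented-out `Bring Tailscale Up` task is re-enabled, the pre-auth key will appear in the task's command line and in the registered `tailscale_start` result in the play output, undoing the vault encryption the README recommends; that task needs `no_log: true`. `Check if Tailscale is connected` sets `changed_when: false` but no `failed_when`, and if `tailscale status` exits non-zero while the daemon is not yet connected (worth verifying on the target version) the play fails before the task that would connect it; `failed_when: false` avoids that. `notify: enable tailscaled service` fires only when the `apt` task changes, so a host with the package already installed but the service disabled is never started — a plain `service` task in this file is more reliable than a handler. The leading `apt` `upgrade: "yes"` repeats the full upgrade bootstrap-node already performs.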