Add new apps server. Move first service over. Remove container dashboard and monitoring.

bootstrap

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-ansible-playbook site.yml --inventory hosts --user=root --ask-pass $*
+ansible-playbook site.yml --inventory hosts --user=root $*

hosts

@@ -1,4 +1,5 @@
 apps.torsion.org
+newapps.torsion.org
 audio.dandy
 automation.dandy
 lyra-music.dandy

roles/common/tasks/main.yml

@@ -63,6 +63,7 @@
   lineinfile:
     dest: /etc/apt/apt.conf.d/20auto-upgrades
     state: present
+    create: true
     regexp: "^APT::Periodic::Unattended-Upgrade"
     line: "APT::Periodic::Unattended-Upgrade \"0\";"
   when: ansible_distribution == "Debian"

roles/container_dashboard/files/client_certificate_nginx.conf

@@ -1,2 +0,0 @@
-ssl_client_certificate /etc/nginx/certs/ca.crt;
-ssl_verify_client optional;

roles/container_dashboard/files/client_certificate_nginx_location.conf

@@ -1,3 +0,0 @@
-if ($ssl_client_verify != SUCCESS) {
-   return 403;
-}

roles/container_dashboard/meta/main.yml

@@ -1,3 +0,0 @@
-dependencies:
-  - role: docker_compose
-  - role: web_server

roles/container_dashboard/tasks/main.yml

@@ -1,39 +0,0 @@
-- name: add client certificate configuration
-  copy:
-    dest: "/etc/nginx/vhost.d/{{ container_dashboard_hostname }}"
-    src: client_certificate_nginx.conf
-  tags:
-    - container_dashboard
-
-- name: add client certificate location configuration
-  copy:
-    dest: "/etc/nginx/vhost.d/{{ container_dashboard_hostname }}_location"
-    src: client_certificate_nginx_location.conf
-  tags:
-    - container_dashboard
-
-- name: run Portainer container
-  docker_compose:
-    project_name: container_dashboard
-    pull: yes
-    definition:
-      version: '3'
-      services:
-        container-dashboard:
-          image: "portainer/portainer-ce:{{ portainer_version }}"
-          restart: always
-          volumes:
-            - /var/lib/portainer:/data
-            - /var/run/docker.sock:/var/run/docker.sock
-            - /etc/localtime:/etc/localtime:ro
-          environment:
-            VIRTUAL_HOST: "{{ container_dashboard_hostname }}"
-            VIRTUAL_PORT: 9000
-            LETSENCRYPT_HOST: "{{ container_dashboard_hostname }}"
-            LETSENCRYPT_EMAIL: "{{ admin_email }}"
-      networks:
-        default:
-          external:
-            name: shared
-  tags:
-    - container_dashboard

roles/docker/tasks/debian.yml

@@ -5,6 +5,7 @@
       - ca-certificates
       - gnupg2
       - python-setuptools
+      - apparmor
   tags:
     - docker
 

roles/domain_name_server/tasks/main.yml

@@ -23,6 +23,7 @@
       dest: /etc/coredns/{{ item }}
       mode: 0644
   with_items: "{{ domain_name_server_hostnames }}"
+  register: zone_file_result
   tags:
     - domain_name_server
 
@@ -54,5 +55,6 @@
         default:
           external:
             name: shared
+  when: zone_file_result.changed or restart_coredns
   tags:
     - domain_name_server

roles/monitoring/files/client_certificate_nginx.conf

@@ -1,2 +0,0 @@
-ssl_client_certificate /etc/nginx/certs/ca.crt;
-ssl_verify_client optional;

roles/monitoring/files/client_certificate_nginx_location.conf

@@ -1,3 +0,0 @@
-if ($ssl_client_verify != SUCCESS) {
-   return 403;
-}

roles/monitoring/files/web_log.conf

@@ -1,2 +0,0 @@
-nginx_netdata:
-  path: '/var/log/nginx/access.log'

roles/monitoring/meta/main.yml

@@ -1,3 +0,0 @@
-dependencies:
-  - role: docker_compose
-  - role: web_server

roles/monitoring/tasks/main.yml

@@ -1,104 +0,0 @@
-- name: add client certificate configuration
-  copy:
-    dest: "/etc/nginx/vhost.d/{{ monitoring_hostname }}"
-    src: client_certificate_nginx.conf
-  tags:
-    - monitoring
-
-- name: add client certificate location configuration
-  copy:
-    dest: "/etc/nginx/vhost.d/{{ monitoring_hostname }}_location"
-    src: client_certificate_nginx_location.conf
-  tags:
-    - monitoring
-
-- name: create configuration directory
-  file:
-    path: /etc/netdata/override/python.d
-    state: directory
-    mode: 0700
-  tags:
-    - monitoring
-
-- name: create lib directory
-  file:
-    path: /var/lib/netdata
-    state: directory
-    mode: 0700
-    owner: 201
-  tags:
-    - monitoring
-
-- name: create cache directory
-  file:
-    path: /var/cache/netdata
-    state: directory
-    mode: 0700
-    owner: 201
-  tags:
-    - monitoring
-
-- name: opt out of telemetry
-  blockinfile:
-    path: /etc/netdata/.opt-out-from-anonymous-statistics
-    block:
-    mode: 0600
-  tags:
-    - monitoring
-
-- name: get web log path
-  command: "docker inspect --format='{% raw %}{{ .LogPath }}{% endraw %}' nginx"
-  register: web_log_path_output
-  tags:
-    - monitoring
-
-- name: configure web log tailing
-  copy:
-    src: web_log.conf
-    dest: /etc/netdata/override/python.d/web_log.conf
-    mode: 0600
-  tags:
-    - monitoring
-
-- name: run monitoring containers
-  docker_compose:
-    project_name: monitoring
-    pull: yes
-    definition:
-      version: '3'
-      services:
-        monitoring:
-          image: netdata/netdata:v{{ netdata_version }}
-          hostname: "{{ monitoring_hostname }}"
-          restart: always
-          cap_add:
-            - SYS_PTRACE
-          security_opt:
-            - apparmor:unconfined
-          volumes:
-            - /etc/netdata:/etc/netdata:ro
-            - /var/lib/netdata:/var/lib/netdata
-            - /var/cache/netdata:/var/cache/netdata
-            - "{{ web_log_path_output.stdout }}:/var/log/nginx/access.log:ro"
-            - /etc/passwd:/host/etc/passwd:ro
-            - /etc/group:/host/etc/group:ro
-            - /proc:/host/proc:ro
-            - /sys:/host/sys:ro
-            - /etc/os-release:/host/etc/os-release:ro
-          environment:
-            VIRTUAL_HOST: "{{ monitoring_hostname }}"
-            VIRTUAL_PORT: 80
-            LETSENCRYPT_HOST: "{{ monitoring_hostname }}"
-            LETSENCRYPT_EMAIL: "{{ admin_email }}"
-            SMTP_FROM: "{{ monitoring_from_email }}"
-            SMTP_TO: "{{ monitoring_to_email }}"
-            SMTP_SERVER: "{{ monitoring_email_host }}"
-            SMTP_PORT: "{{ monitoring_email_port }}"
-            SMTP_USER: "{{ monitoring_email_username }}"
-            SMTP_PASS: "{{ monitoring_email_password }}"
-      networks:
-        default:
-          external:
-            name: shared
-  tags:
-    - monitoring

site.yml

@@ -17,7 +17,6 @@
           - /var/lib/gitea:/mnt/source/gitea:ro
           - /var/lib/gotify:/mnt/source/gotify:ro
           - /var/lib/mediagoblin/user_dev:/mnt/source/mediagoblin/user_dev:ro
-          - /var/lib/portainer:/mnt/source/portainer:ro
           - /var/lib/mailu:/mnt/source/mailu:ro
           - /var/lib/radicale:/mnt/source/radicale:ro
         backup_ssh_key_file: apps-root
@@ -53,17 +52,16 @@
     - role: gitea
       gitea_hostname: projects.torsion.org
       gitea_version: 1.18.5
-    - role: container_dashboard
-      container_dashboard_hostname: apps.torsion.org
-      portainer_version: 2.17.1
+
+- hosts: newapps.torsion.org
+  vars_files:
+    - group_vars/vault.yml
+  vars:
+    admin_email: webmaster@torsion.org
+  roles:
+    - role: common
+    - role: remote_server
     - role: torsion.org
-    - role: monitoring
-      monitoring_from_email: monitoring@torsion.org
-      monitoring_to_email: root@torsion.org
-      monitoring_hostname: monitoring.torsion.org
-      monitoring_email_host: mail2.torsion.org
-      monitoring_email_port: 587
-      netdata_version: 1.38.1
     - role: notification_server
       notification_server_hostname: notification.torsion.org
 

zone_files/torsion.org

@@ -3,7 +3,7 @@ torsion 3600    IN      MX      10 mail2.torsion.org.
         3600    IN      NS      ns1.torsion.org.
         3600    IN      NS      ns2.torsion.org.
         3600    IN      SOA     ns1.torsion.org. witten.torsion.org. (
-                218606417 10800 1800 1209600 3600 )
+                218606419 10800 1800 1209600 3600 )
         3600    IN      A       192.81.130.12
         3600    IN      TXT     "v=spf1 mx a:torsion.org -all"
         3600    IN      TXT     "google-site-verification=s7P4qT-7gp-JxI5rQqr_fS7oYihTB3IZrm0MuAc-fJE"
@@ -11,21 +11,18 @@ torsion 3600    IN      MX      10 mail2.torsion.org.
 $ORIGIN torsion.org.
 dkim._domainkey 3600 IN TXT     "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9uQDLZAVjQx6eDUMEQkB6aFnup9EHPbWnwz7xDmrmacjN1xkP3vgPLa1tB5DxXi7UVeoNqjZT6khVDWmXEYW11lBhXr8PCReWPb6qoFMr+jFmAoBbPpfmt4P5m/owf5BSvc6EMLrZBqrJD2Xmt6wSnx10J4M9XXjDIDJ1Pa31IQIDAQAB"
 _dmarc  3600    IN      TXT     "v=DMARC1; p=reject; rua=mailto:zngyu12r@ag.dmarcian.com; ruf=mailto:zngyu12r@fr.dmarcian.com; adkim=s; aspf=s"
-vera    3600    IN      A       74.207.240.193
 mail    3600    IN      A       74.207.240.193
 ns1     3600    IN      A       192.81.130.12
 ns2     3600    IN      A       192.81.130.12
-ns3     3600    IN      A       74.207.240.193
-ns4     3600    IN      A       74.207.240.193
 apps    3600    IN      A       192.81.130.12
 mail2   3600    IN      A       192.81.130.12
 audio   3600    IN      A       67.170.43.81
+newapps 3600    IN      A       5.78.85.34
 build   3600    IN      CNAME   audio.torsion.org.
 calendar 3600   IN      CNAME   apps.torsion.org.
 media   3600    IN      CNAME   apps.torsion.org.
-monitoring 3600 IN      CNAME   apps.torsion.org.
-notification 3600 IN      CNAME   apps.torsion.org.
+notification 3600 IN      CNAME   newapps.torsion.org.
 projects 3600   IN      CNAME   apps.torsion.org.
-wedding 3600    IN      CNAME   apps.torsion.org.
+wedding 3600    IN      CNAME   newapps.torsion.org.
 www     3600    IN      CNAME   apps.torsion.org.
 status  3600    IN      CNAME   status.uptimerobot.com.