opnxng/opnxng-deploy-playbook
0
0
Fork 0
Code

Added back-up.yml

Browse Source
This commit is contained in:
Opnxng 2023-11-11 21:15:57 +08:00
parent a21f4a6020
commit 216d2cfc11
4 changed files with 220 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,4 +2,5 @@ vars/secrets.yml
templates/conf/users_database.yml.j2 templates/conf/users_database.yml.j2
templates/conf/configuration.yml.j2 templates/conf/configuration.yml.j2
files/firefox files/firefox
production
.hidden .hidden

12
README.md
View File

@ -1,9 +1,11 @@
# Ansible playbook to deploy Docker services to Opnxng # Ansible playbook for Opnxng deployment
An Ansible playbook to deploy Docker services to our servers. An Ansible playbook to deploy Docker services to our servers and another to back up important data.
`ansible-playbook -i "production" "deploy.yml"` `ansible-playbook -i "production" "deploy.yml"`
`ansible-playbook -i "production" "back-up.yml"`
## Services ## Services
The services are hosted on one Vultr and four Oracle servers. A [variables file](vars/services.yml) defines the services to be deployed or already deployed. The services are hosted on one Vultr and four Oracle servers. A [variables file](vars/services.yml) defines the services to be deployed or already deployed.
@ -12,9 +14,11 @@ They are deployed with [Compose files](templates/compose) and load balanced acco
## Configurations ## Configurations
Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Thanks to [TheFrenchGhosty](https://github.com/PussTheCat-org).
Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](/opnxng/ansible-opnxng-deploy). We host an Authelia and Firefox stack that is restricted to specific users only. Their related files are also kept locally. Data of our Privatebin, Etherpad, and Gitea instance are backed up periodically.
Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](vars/secrets.example.yml). We host an Authelia and Firefox stack that is restricted to specific users only. Their related files are also kept locally.
## Contact ## Contact
Please contact us via [email](mailto:opnxng@tuta.io) if you discover any vulnerability or area for improvement in our infrastructure. We would truly appreciate it. Please contact us via [email](mailto:opnxng@tuta.io) if you discover any vulnerability or area for improvement in our infrastructure. We would truly appreciate it.

211
back-up.yml Executable file
View File

@ -0,0 +1,211 @@
---
- name: Back up
hosts: all
gather_facts: false
become: true
vars_files:
- vars/secrets.yml
tasks:
# ----------------------------------------------------------------------------------------------------
- name: Get current date
shell: date +%Y-%m-%d
run_once: true
register: current_date
# ----------------------------------------------------------------------------------------------------
- name: Stop Privatebin
command: docker stop privatebin
when: inventory_hostname == 'oracle1'
- name: Set permissions of privatebin directory
file:
path: "{{ docker_dir }}/privatebin/data"
state: directory
owner: 1000
group: 1000
mode: 0755
recurse: yes
when: inventory_hostname == 'oracle1'
- name: Compress privatebin directory
shell: "zip -r --password {{ backup_zip_password }} privatebin_{{ current_date.stdout }}.zip data"
args:
chdir: "{{ docker_dir }}/privatebin/"
when: inventory_hostname == 'oracle1'
- name: Set permissions of privatebin directory
file:
path: "{{ docker_dir }}/privatebin/data"
state: directory
owner: 65534
group: 82
mode: 0700
recurse: yes
when: inventory_hostname == 'oracle1'
- name: Start Privatebin
command: docker start privatebin
when: inventory_hostname == 'oracle1'
- name: Copy privatebin.zip
copy:
src: "{{ oracle1_nfs_docker_dir_on_control_host }}/privatebin/privatebin_{{ current_date.stdout }}.zip"
dest: "{{ backup_path_on_control_host }}/"
owner: 0
group: 0
mode: 0644
when: inventory_hostname == 'oracle1'
delegate_to: "{{ control_host }}"
- name: Remove privatebin.zip on remote server
file:
path: "{{ docker_dir }}/privatebin/privatebin_{{ current_date.stdout }}.zip"
state: absent
when: inventory_hostname == 'oracle1'
# To Restore:
# cd ./Docker/privatebin
# sudo unzip privatebin_2023-11-11.zip
# sudo chown -R 65534:82 {{ docker_dir }}/privatebin/data
# ----------------------------------------------------------------------------------------------------
- name: Backup Etherpaddb
command: "docker exec -e PGPASSWORD={{ etherpad_db_pass }} etherpaddb sh -c 'PGPASSWORD={{ etherpad_db_pass }} pg_dump -Ft -U etherpad etherpad > /backups/etherpaddb_{{ current_date.stdout }}.tar'"
when: inventory_hostname == 'oracle3'
- name: Prune Etherpaddb on remote server
command: find {{ docker_dir }}/etherpad/backups -type f -mtime +2 -delete
when: inventory_hostname == 'oracle3'
- name: Copy Etherpaddb backups
copy:
src: "{{ oracle3_nfs_docker_dir_on_control_host }}/etherpad/backups/"
dest: "{{ backup_path_on_control_host }}/"
owner: 0
group: 0
mode: 0644
when: inventory_hostname == 'oracle3'
delegate_to: "{{ control_host }}"
# ----------------------------------------------------------------------------------------------------
- name: Stop gitea
command: docker stop gitea
when: inventory_hostname == 'oracle3'
- name: Stop gitea-db
command: docker stop gitea-db
when: inventory_hostname == 'oracle3'
- name: Compress gitea directory
archive:
path: "{{ docker_dir }}/gitea/data/"
dest: "{{ docker_dir }}/gitea/gitea_{{ current_date.stdout }}.tar"
format: tar
when: inventory_hostname == 'oracle3'
- name: Copy gitea.tar
copy:
src: "{{ oracle3_nfs_docker_dir_on_control_host }}/gitea/gitea_{{ current_date.stdout }}.tar"
dest: "{{ backup_path_on_control_host }}/gitea_{{ current_date.stdout }}.tar"
owner: 0
group: 0
mode: 0644
when: inventory_hostname == 'oracle3'
delegate_to: "{{ control_host }}"
- name: Remove gitea.tar on remote server
file:
path: "{{ docker_dir }}/gitea/gitea_{{ current_date.stdout }}.tar"
state: absent
when: inventory_hostname == 'oracle3'
- name: Start gitea
command: docker start gitea
when: inventory_hostname == 'oracle3'
- name: Start gitea-db
command: docker start gitea-db
when: inventory_hostname == 'oracle3'
# ----------------------------------------------------------------------------------------------------
# - name: Stop ntfy
# command: docker stop ntfy
# when: inventory_hostname == 'oracle3'
# - name: Compress ntfy directory
# archive:
# path: "{{ docker_dir }}/ntfy/"
# dest: "{{ docker_dir }}/ntfy.tar"
# format: tar
# become: true
# when: inventory_hostname == 'oracle3'
# - name: Copy ntfy.tar
# copy:
# src: "{{ oracle3_nfs_docker_dir_on_control_host }}/ntfy.tar"
# dest: "{{ backup_path_on_control_host }}/ntfy.tar"
# owner: 1000
# group: 1000
# mode: 0755
# when: inventory_hostname == 'oracle3'
# delegate_to: "{{ control_host }}"
# - name: Remove ntfy.tar
# file:
# path: "{{ docker_dir }}/ntfy.tar"
# state: absent
# when: inventory_hostname == 'oracle3'
# - name: Start ntfy
# command: docker start ntfy
# when: inventory_hostname == 'oracle3'
# ----------------------------------------------------------------------------------------------------
- name: Remove old weekly files from send
command: find {{ docker_dir }}/send/uploads/ -name 7-\* -mmin +10130 -exec rm {} \;
when: inventory_hostname == 'oracle1'
- name: Remove old daily files from send
command: find {{ docker_dir }}/send/uploads/ -name 1-\* -mmin +1500 -exec rm {} \;
when: inventory_hostname == 'oracle1'
# - name: Compress send directory
# archive:
# path: "{{ docker_dir }}/send"
# dest: "{{ docker_dir }}/send.tar"
# format: tar
# delegate_to: oracle1
# tags: never
# when: inventory_hostname == 'oracle1'
# - name: Copy send.tar
# copy:
# src: "{{ oracle1_nfs_docker_dir_on_control_host }}/send.tar"
# dest: "{{ backup_path_on_control_host }}/send.tar"
# owner: 1000
# group: 1000
# mode: 0755
# tags: never
# when: inventory_hostname == 'oracle1'
# delegate_to: "{{ control_host }}"
# - name: Remove send.tar
# file:
# path: "{{ docker_dir }}/send.tar"
# state: absent
# tags: never
# when: inventory_hostname == 'oracle1'
# ----------------------------------------------------------------------------------------------------
- name: Prune outdated backups
command: find "{{ backup_path_on_control_host }}/" -type f -mtime +90 -delete
run_once: true
delegate_to: "{{ control_host }}"

30
production
View File

@ -1,30 +0,0 @@
oracle:
hosts:
oracle1:
ansible_host: [REDACTED]
oracle2:
ansible_host: [REDACTED]
oracle3:
ansible_host: [REDACTED]
oracle4:
ansible_host: [REDACTED]
vars:
ansible_ssh_private_key_file: [REDACTED]
ansible_user: [REDACTED]
ansible_ssh_port: [REDACTED]
pipelining: true
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
ansible_python_interpreter: /usr/bin/python3
# ----------------------------------------------------------------------------------------------------
cloudcompute:
hosts:
vultr:
ansible_host: [REDACTED]
ansible_ssh_private_key_file: [REDACTED]
ansible_user: [REDACTED]
ansible_ssh_port: [REDACTED]
pipelining: true
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
ansible_python_interpreter: /usr/bin/python3