Compare commits


23 Commits

  1. 4
      .git-crypt/.gitattributes
  2. BIN
      .git-crypt/keys/default/0/72934A74AAED477B5C87F9322E4FB8CB817B8E6F.gpg
  3. 3
      .gitattributes
  4. 7
      README.md
  5. 2
      files/borgmatic.service
  6. BIN
      files/borgmatic.yaml
  7. 11
      files/borgmatic.yaml_clear
  8. 7
      files/lxd-containers-upgrade.sh
  9. 2
      files/lxd-databases.sh
  10. 48
      files/main.cf
  11. BIN
      files/sasl_passwd
  12. BIN
      files/zfs-scrub.sh
  13. 4
      files/zfs-scrub.sh_clear
  14. 17
      group_data/all.py
  15. 2
      inventory.py
  16. 4
      setup-backup.py
  17. 97
      setup-base.py
  18. 4
      setup-zfs-and-lxd.py

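--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file. To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary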

BIN
.git-crypt/keys/default/0/72934A74AAED477B5C87F9322E4FB8CB817B8E6F.gpg

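--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+files/sasl_passwd filter=git-crypt diff=git-crypt
+files/borgmatic.yaml filter=git-crypt diff=git-crypt
+files/zfs-scrub.sh filter=git-crypt diff=git-crypt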

7
README.md

@ -2,10 +2,11 @@
Pyinfra that deploy my LXD server.
First unlock secret files with `git-crypt unlock`.
```
pyinfra inventory.py setup-base.py
pyinfra inventory.py setup-zfs-and-lxd.py
pyinfra inventory.py setup-haproxy.py
pyinfra inventory.py setup-base.py --use-sudo-password
pyinfra inventory.py [...] --use-sudo-password
```
TODO:

2
files/borgmatic.service

@ -5,7 +5,7 @@ Description=Backup with borgmatic
Nice=19
IOSchedulingClass=idle
KillSignal=SIGINT
ExecStart=/usr/bin/borgmatic
ExecStart=/usr/bin/borgmatic --stats
[Install]
WantedBy=multi-user.target

BIN
files/borgmatic.yaml

11
templates/borgmatic.yaml.j2 → files/borgmatic.yaml_clear

@ -4,7 +4,7 @@ location:
one_file_system: false
repositories:
- quv7z6k8@quv7z6k8.repo.borgbase.com:repo
- <repo>
exclude_patterns:
- ~/*/.cache
@ -14,14 +14,13 @@ location:
storage:
compression: auto,zstd
encryption_passphrase: '{{ host.data.borg_passphrase }}'
encryption_passphrase: '<passphrase>'
archive_name_format: '{hostname}-{now}'
retention:
keep_daily: 3
keep_daily: 7
keep_weekly: 4
keep_monthly: 12
keep_yearly: 2
keep_monthly: 3
prefix: '{hostname}-'
consistency:
@ -43,4 +42,4 @@ hooks:
after_backup:
- echo "`date` - Finished backup"
healthchecks: {{ host.data.borg_healthchecks }}
healthchecks: <healthchecks>

7
files/lxd-containers-upgrade.sh

@ -13,5 +13,12 @@ for i in $(lxc list --format csv -c n); do
lxc exec "$i" -- sudo -u benpro yay -Sc --noconfirm
lxc exec "$i" -- sudo -u benpro yay -Syu --noconfirm
fi
if lxc exec "$i" -- which apk >/dev/null 2>&1; then
echo "Upgrading Alpine $i"
lxc exec "$i" -- apk update
lxc exec "$i" -- apk add --upgrade apk-tools
lxc exec "$i" -- apk upgrade
fi
lxc exec "$i" -- sync
lxc exec "$i" -- reboot
done

2
files/lxd-databases.sh

@ -5,7 +5,7 @@ cd /var/backups/databases
for i in $(lxc list --format csv -c n); do
if lxc exec "$i" -- which mysql >/dev/null 2>&1; then
echo "Dumping $i"
lxc exec "$i" -- mysqldump --opt --all-databases --force --events --hex-blob | cat > "${i}.sql"
lxc exec "$i" -- mysqldump --opt --all-databases --force --hex-blob | cat > "${i}.sql"
fi
if lxc exec "$i" -- which psql >/dev/null 2>&1; then
if lxc exec "$i" -- id postgres >/dev/null 2>&1; then
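Review bot: The mysqldump line keeps `--force` and pipes through `cat`, so a dump that fails partway still leaves a truncated `${i}.sql` in place and, unless the script enables `pipefail` above the hunk, the only exit status seen is `cat`'s; the backup then archives the partial file as if it were complete. Writing to a temporary name and renaming only on success, `> "${i}.sql.tmp" && mv "${i}.sql.tmp" "${i}.sql"`, keeps the previous good dump when mysqldump errors, and `--force` is worth reconsidering since it exists precisely to continue past errors. Which of the two mysqldump lines is the new one is not recoverable from the page; if it is the one without `--events`, scheduled events are no longer part of the dump. The psql branch that starts at the end of the hunk continues outside it.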

48
files/main.cf

@ -0,0 +1,48 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = lxd.home.arpa
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.193.205.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
relayhost = [mail.benpro.fr]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
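Review bot: `smtp_tls_security_level = encrypt` forces TLS to the relayhost but does not verify the certificate presented by `[mail.benpro.fr]:587`, so the SASL credentials from `sasl_passwd` are also handed to whatever endpoint answers on that path. With `smtp_tls_CApath=/etc/ssl/certs` already set, `smtp_tls_security_level = secure` (or `verify`) makes Postfix check the relayhost's certificate chain and name before authenticating; confirm the relay's certificate matches `mail.benpro.fr`. `smtp_use_tls = yes` is ignored whenever `smtp_tls_security_level` is non-empty and can be dropped. `inet_interfaces = all` together with `10.193.205.0/24` in `mynetworks` looks intended to let the containers relay through the host; a comment next to `mynetworks` saying so would stop a later reader from tightening it to `loopback-only`.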

BIN
files/sasl_passwd

BIN
files/zfs-scrub.sh

4
templates/zfs-scrub.sh.j2 → files/zfs-scrub.sh_clear

@ -2,7 +2,7 @@
# https://serverfault.com/questions/538978/how-to-run-a-command-once-a-zfs-scrub-completes
set -euo pipefail
curl -m 10 --retry 5 {{ host.data.zfs_healthchecks }}/start
curl -m 10 --retry 5 <healthchecks_url>/start
zpool scrub local
# wait until scrub is finished
while zpool status local | grep -q 'scan: *scrub in progress'; do
@ -14,5 +14,5 @@ zpool status local
# Get stdout from journalctl
LOG=$(journalctl -o cat -u zfs-scrub.service -n 100)
curl -fsS -m 10 --retry 5 --data-raw "$LOG" {{ host.data.zfs_healthchecks }}
curl -fsS -m 10 --retry 5 --data-raw "$LOG" <healthchecks_url>
exit 0

17
group_data/all.py

@ -1,17 +0,0 @@
from getpass import getpass
import privy
password = getpass('Please provide the secret password: ')
def get_secret(crypted_value):
return privy.peek(crypted_value, password)
b_borg_passphrase = get_secret(b'1$2$o9juQh0wvpWhOsXHhh-xyimKIpWAUOk9MgLeSHiM_NA=$Z0FBQUFBQmdGb3U0RmNfaDdYYkVfU1pvdW9SbXFJMC1GN2FsSXJoTVpkVENaRlN1V2ZiOVNpalk2Z28zS3R5bFRWMkh3VnQ4cFhIZVhtWVphWDhwQi00ejJsWS1pMkZMSGhvTnlVTi15aTBLejdTTHVjdGZLYUtqRUY0Wm9Lc19ISTZ3Wkc1SHJFLWNIMUNtekFXMzFBV1BMN1hNZlludG5xMU9WdkNPM3lwaDZfWFpESExaVHdFPQ==')
borg_passphrase = b_borg_passphrase.decode('utf-8')
b_borg_healthchecks = get_secret(b'1$2$qCFfK9b1A2D-xf3oEJ5uwOt1r3QOm0DJGsi_hKKjk0Q=$Z0FBQUFBQmdVeFFnZ0c1SUhhSzNBQ3h3MzRxLXd1b1luSjl6NjcxdzdxdjBFU3pncG1jSVYySFNlV0dZdU5VaU0wRVkxSEJveU01RU9Oby1uU1U5dXExQXlKNG9xNmxMeDRfNW9tUXprSzVFaWFYdWlya0V0TmlWQ1ZDdk5JRUhrdVFXdW5LOFh4ODNnak1RcGJIOVI5SDFtN3g1T1pWMkh3PT0=')
borg_healthchecks = b_borg_healthchecks.decode('utf-8')
b_zfs_healthchecks = get_secret(b'1$2$Km9O6WZsSvCsvwcPxl0v27FXK6ZiI05OOThCLGmp0iI=$Z0FBQUFBQmdVVmRQS1F4SllzWWxkLU9UYjNQMXBaYmZIUFAxN0Q2dmh6S2M0ZHQwMUxra1R2aTZEbWVqeG9jRGZYeUtla1FncEFMMFc0VHg1ZXZoeDl6WWgzdUFMMHNiQ3J5Y1hmTzFXTlg4bVFGQjVUVndyNWt3VUZ2ZUI5OGU1UzlVQkhaSlFhc2pna3dCLTNzT051cGw0a1MyNWRqM1Z3PT0=')
zfs_healthchecks = b_zfs_healthchecks.decode('utf-8')

2
inventory.py

@ -1 +1 @@
my_hosts = ['lxd.local']
my_hosts = ['lxd.home.arpa']

4
setup-backup.py

@ -49,9 +49,9 @@ if not host.fact.command('mount | grep databases || true'):
commands=['zfs mount backup/databases || true'],
)
files.template(
files.put(
name='Push borgmatic config',
src='templates/borgmatic.yaml.j2',
src='files/borgmatic.yaml',
dest='/etc/borgmatic/config.yaml',
mode='600',
user='root',
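Review bot: `files.put` now ships `files/borgmatic.yaml`, which `.gitattributes` marks as git-crypt encrypted, and nothing in the deploy checks that the checkout has been unlocked; run on a locked checkout it would push the ciphertext blob to `/etc/borgmatic/config.yaml` without pyinfra reporting anything. git-crypt ciphertext starts with a NUL byte, so a guard near the top of the deploy such as `if open('files/borgmatic.yaml', 'rb').read(1) == b'\0': raise SystemExit('run git-crypt unlock first')` would fail fast instead of leaving borgmatic with an unreadable config. The same applies to `files/sasl_passwd` in setup-base.py and `files/zfs-scrub.sh` in setup-zfs-and-lxd.py. The `files.put` call continues past the hunk.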

97
setup-base.py

@ -14,7 +14,7 @@ server.user(
server.hostname(
name='Set the hostname',
hostname='lxd.local',
hostname='lxd.home.arpa',
)
apt.update(
@ -25,60 +25,77 @@ apt.upgrade(
name='Upgrade apt packages',
)
# ufw disabled since no support for nftables and in a LAN
#apt.packages(
# name='Install ufw',
# packages=['ufw'],
# update=False,
#)
#
#server.shell(
# name='Add ufw rules',
# commands=['ufw limit 22'],
#)
#
#server.shell(
# name='Enable ufw',
# commands=['yes | ufw enable'],
#)
apt.packages(
name='Install ufw',
packages=['ufw'],
name='Install packages',
packages=['manpages', 'man', 'snapd', 'vim', 'file',
'parted', 'htop', 'ncdu', 'byobu', 'tcpdump', 'lm-sensors', 'iotop',
'strace', 'lsof', 'iftop', 'haveged', 'postfix', 'nftables'],
update=False,
)
server.shell(
name='Add ufw rules',
commands=['ufw limit 22'],
files.put(
name='Add postfix conf with relay to mail.benpro.fr',
src='files/main.cf',
dest='/etc/postfix/main.cf',
user='root',
group='root',
mode='644',
)
files.put(
name='Add postfix sasl_passwd',
src='files/sasl_passwd',
dest='/etc/postfix/sasl_passwd',
user='root',
group='root',
mode='400',
)
server.shell(
name='Enable ufw',
commands=['yes | ufw enable'],
name='Postmap sasl_passwd',
commands=['postmap hash:/etc/postfix/sasl_passwd'],
)
apt.packages(
name='Install packages',
packages=['manpages', 'man', 'snapd', 'vim', 'file',
'parted', 'htop', 'ncdu', 'byobu', 'tcpdump', 'lm-sensors', 'iotop',
'strace', 'lsof', 'iftop', 'haveged', 'postfix'],
update=False,
files.line(
name='Set root aliases',
path='/etc/aliases',
line='root: lxd@benpro.fr',
)
#files.line(
# name='Enable postfix relays to mail.benpro.fr',
# path='/etc/postfix/main.cf',
# line=r'relayhost = .*',
# replace='relayhost = 10.0.0.2',
#)
#
#files.line(
# name='Set root aliases',
# path='/etc/aliases',
# line='root: lxd10@benpro.fr',
#)
#
#server.shell(
# name='Load aliases table',
# commands=['newaliases'],
#)
#
#systemd.service(
# name='Restart and enable postfix service',
# service='postfix.service',
# running=True,
# restarted=True,
# enabled=True,
#)
server.shell(
name='Load aliases table',
commands=['newaliases'],
)
systemd.service(
name='Restart and enable postfix service',
service='postfix.service',
running=True,
restarted=True,
enabled=True,
)
if not host.fact.directory('/var/snap/lxd'):
server.shell(
name='Install lxd',
commands=['snap install lxd'],
commands=['snap install lxd --channel=latest/stable'],
)
files.put(
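Review bot: `files.line` under `Set root aliases` only ensures that `root: lxd@benpro.fr` is present; an existing `root:` entry (for instance the `lxd10@benpro.fr` mapping from the commented-out block this hunk removes, if it was ever applied) stays in place, so `/etc/aliases` can end up with two `root:` keys and which one wins is left to `newaliases` rather than decided by the deploy. Matching the key and replacing it, `line=r'^root:.*',` with `replace='root: lxd@benpro.fr',`, mirrors the pattern the removed `relayhost` block already used. Separately, `systemd.service(... restarted=True)` now bounces postfix on every run; if the pyinfra version in use exposes `.changed` on the `files.put` results, gating the restart on them would avoid restarts when nothing changed. The `files.put` call at the end of the hunk continues outside it.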

4
setup-zfs-and-lxd.py

@ -40,9 +40,9 @@ if not host.fact.command('lxc storage volume list default | grep images || true'
commands=['lxc storage volume create default images', 'lxc config set storage.images_volume default/images']
)
files.template(
files.put(
name='Push zfs-scrub script',
src='templates/zfs-scrub.sh.j2',
src='files/zfs-scrub.sh',
dest='/usr/local/bin/zfs-scrub.sh',
mode='700',
user='root',
