From 2a1b82bfa948b89723933cb7b768c77c826d57ef Mon Sep 17 00:00:00 2001
From: josiah
Date: Fri, 22 Dec 2023 15:39:39 -0600
Subject: [PATCH] Copy mediaserver to abjure role as a WIP starting point.
---
 ansible/roles/abjure/readme.md | 5 +
 ansible/roles/abjure/tasks/main.yml | 70 +++++++++++++
 ansible/roles/abjure/templates/.env.j2 | 15 +++
 .../abjure/templates/mediaserver-compose.yml | 98 +++++++++++++++++++
 ansible/roles/abjure/templates/traefik.yml.j2 | 49 ++++++++++
 ansible/roles/abjure/vars/main.yml | 1 +
 6 files changed, 238 insertions(+)
 create mode 100644 ansible/roles/abjure/readme.md
 create mode 100644 ansible/roles/abjure/tasks/main.yml
 create mode 100644 ansible/roles/abjure/templates/.env.j2
 create mode 100644 ansible/roles/abjure/templates/mediaserver-compose.yml
 create mode 100644 ansible/roles/abjure/templates/traefik.yml.j2
 create mode 100644 ansible/roles/abjure/vars/main.yml
diff --git a/ansible/roles/abjure/readme.md b/ansible/roles/abjure/readme.md
new file mode 100644
index 0000000..e8fdbd9
--- /dev/null
+++ b/ansible/roles/abjure/readme.md
@@ -0,0 +1,5 @@
+# abjure
+This role deploys media servers we use to serve the home and halo.
+
+## notes
+If a container is failing, use docker service logs mediaserver_SERVICENAME to see the logs from the failed containers
diff --git a/ansible/roles/abjure/tasks/main.yml b/ansible/roles/abjure/tasks/main.yml
new file mode 100644
index 0000000..74c3f4d
--- /dev/null
+++ b/ansible/roles/abjure/tasks/main.yml
@@ -0,0 +1,70 @@ +--- +# deploy a media server from scratch. + +# boot strap server + +- name: Update apt + apt: update_cache=yes + +- name: Init a new swarm with default parameters + community.general.docker_swarm: + state: present + +# set up mediaserver specific bullshit. +- name: ensure traefik config directory exists + file: state=directory path=/home/josiah/apps/traefik/ owner=josiah group=josiah mode=0700 + +- name: ensure mediaserver config directory exists + file: state=directory path=/home/josiah/apps/mediaserver/ owner=josiah group=josiah mode=0700 + +- name: ensure traefik.log exists + file: state=file path=/home/josiah/apps/traefik/traefik.log owner=josiah group=josiah mode=0700 + +- name: allow for pretty json errors + pip: + name: jsondiff + +- name: Create deploy configs dir if it does not exist + file: + path: /home/josiah/deploys/mediaserver + state: directory + mode: '0755' + +- name: copy over mediaserver config files + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: 0777 + with_items: + - {src: 'mediaserver-compose.yml', dest: '/home/josiah/apps/mediaserver/mediaserver-compose.yml'} + - {src: 'traefik.yml.j2', dest: '/home/josiah/apps/traefik/traefik.yml'} + +- name: Ensure acme.json exists + copy: + content: "" + dest: /home/josiah/apps/traefik/acme.json + force: no + owner: root + group: root + state: file + mode: '0600' + +- name: Remove the mediaserver stack + block: + - name: Remove the mediaserver stack + docker_stack: + state: absent + name: mediaserver + compose: + - /home/josiah/apps/mediaserver/mediaserver-compose.yml + - name: Pause so the network gets deleted too + pause: + seconds: 15 + +- name: Deploy mediaserver stack + docker_stack: + state: present + name: mediaserver + prune: yes + compose: + - /home/josiah/apps/mediaserver/mediaserver-compose.yml diff --git a/ansible/roles/abjure/templates/.env.j2 b/ansible/roles/abjure/templates/.env.j2 new file mode 100644 index 0000000..2ab3e59 --- /dev/null 
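Review bot: The "copy over mediaserver config files" task writes the rendered templates with `mode: 0777`, and the compose template substitutes `{{ DO_AUTH_TOKEN }}` into the file, so the DNS-challenge API token lands in a world-readable and world-writable file on the host; traefik.yml gets the same mode and is then bind-mounted into the traefik container. A restrictive, quoted mode with an explicit owner is what the rest of the role does for acme.json: `mode: '0600'`, `owner: josiah`, `group: josiah` (quoting also keeps YAML from reinterpreting the octal literal). Separately, "ensure traefik.log exists" uses `file: state=file`, which does not create a missing file and fails on a fresh host; `state: touch`, or a `copy` with `force: no` as the acme.json task already does, matches the task name. The first tasks also use `key=value` module arguments while the later ones use block YAML; the block form throughout would follow the Ansible convention.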
+++ b/ansible/roles/abjure/templates/.env.j2
@@ -0,0 +1,15 @@
+# Docker Compose can read environment variables from this file.
+# See https://docs.docker.com/compose/env-file/
+
+# Put admin areas behind a login prompt, with username and password
+# specified here. Run `htpasswd -n admin` to create a password hash
+# for user "admin". Paste the output here. SSL strongly recommended.
+BASIC_AUTH=
+
+# Let's Encrypt needs an email address for registration.
+ACME_EMAIL=admin@home.jowj.net
+
+# The Traefik dashboard will be available at these domains.
+# The URL is http://example.com/traefik/
+# You'll need to fill in BASIC_AUTH above.
+TRAEFIK_DOMAINS=lair.home.jowj.net
diff --git a/ansible/roles/abjure/templates/mediaserver-compose.yml b/ansible/roles/abjure/templates/mediaserver-compose.yml
new file mode 100644
index 0000000..e8cc284
--- /dev/null
+++ b/ansible/roles/abjure/templates/mediaserver-compose.yml
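Review bot: Nothing in this role consumes `.env.j2`: tasks/main.yml templates only mediaserver-compose.yml and traefik.yml, and those files hard-code the resolver email and the dashboard host instead of reading `ACME_EMAIL`, `TRAEFIK_DOMAINS` or `BASIC_AUTH`. As written, the header comment promises a login prompt in front of the admin area that is never applied anywhere. Either wire the values in (a `template` task for this file plus a basicauth middleware label on the dashboard router that references `BASIC_AUTH`) or drop the template, so the role does not document a protection it does not provide; at minimum a line such as `# NOTE: not yet deployed by tasks/main.yml (WIP)` at the top would flag the gap.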
@@ -0,0 +1,98 @@ +--- +version: '3.7' + +services: + traefik: + image: traefik:2.5 + networks: + - pubnet + command: --web --docker --docker.swarmmode --docker.watch --docker.domain="services.jowj.net" --providers.docker.network=pubnet --logLevel=DEBUG + ports: + - 80:80/tcp + - 443:443/tcp + - 8080:8080/tcp + volumes: + - /home/josiah/apps/traefik/acme.json:/acme.json + - traefik_logs:/var/log/access.log + - /var/run/docker.sock:/var/run/docker.sock + - /home/josiah/apps/traefik/traefik.yml:/traefik.yml + deploy: + mode: global + placement: + constraints: + - node.role == manager + environment: + DO_AUTH_TOKEN: "{{ DO_AUTH_TOKEN }}" + labels: + # Dashboard shit I stole from Micah: + # WARNING: A TRAILING SLASH IS MANDATORY IN THE BROWSER + # e.g. https://example.com/dashboard/, not merely /dashboard + - "traefik.enable=true" + - "traefik.http.routers.mediaserver-traefik-api.tls.certResolver=mediaserver-resolver" + - "traefik.http.routers.mediaserver-traefik-api.rule=Host(`lair.home.jowj.net`)&&(PathPrefix(`/api`)||PathPrefix(`/dashboard`)||PathPrefix(`/debug`))" + - "traefik.http.routers.mediaserver-traefik-api.service=api@internal" + - "traefik.http.services.mediaserver-traefik-api.loadbalancer.server.port=8080" + # - "traefik.http.routers.mediaserver-traefik-api.entrypoints=http" + - "traefik.http.routers.mediaserver-traefik-api.entrypoints=https" + # middleware redirect + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + # global redirect to https + - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.entrypoints=http" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + + + + whoami: + image: containous/whoami:latest + networks: + - pubnet + labels: + - "traefik.enable=true" + - "traefik.http.routers.mediaserver-whoami.rule=Host(`whoami.services.jowj.net`)" + - "traefik.http.routers.mediaserver-whoami.service=mediaserver-whoami" + - 
"traefik.http.services.mediaserver-whoami.loadbalancer.server.port=80" + - "traefik.http.routers.mediaserver-whoami.tls.certResolver=mediaserver-resolver" + - "traefik.http.routers.mediaserver-whoami.tls=true" + + stash: + image: git.awful.club/packages/hoard:latest + ## If you intend to use stash's DLNA functionality uncomment the below network mode and comment out the above ports section + # network_mode: host + logging: + driver: "json-file" + options: + max-file: "10" + max-size: "2m" + environment: + - STASH_STASH=/data/ + - STASH_GENERATED=/generated/ + - STASH_METADATA=/metadata/ + - STASH_CACHE=/cache/ + ## Adjust below to change default port (9999) + # - STASH_PORT=9999 + volumes: + - /etc/localtime:/etc/localtime:ro + - "{{ vault_stash_config }}:/root/.stash" + - "{{ vault_stash_data }}:/data" + - "{{ vault_stash_metadata }}:/metadata" + - "{{ vault_stash_cache }}:/cache" + - "{{ vault_stash_generated }}:/generated" + labels: + - "traefik.enable=true" + - "traefik.http.services.mediaserver-hoard.loadbalancer.server.port=9999" + - "traefik.http.routers.mediaserver-hoard.service=mediaserver-hoard" + - "traefik.http.routers.mediaserver-hoard.rule=Host(`hoard.services.jowj.net`)" + - "traefik.http.routers.mediaserver-hoard.tls.certResolver=mediaserver-resolver" + - "traefik.http.routers.mediaserver-hoard.tls=true" + networks: + - pubnet + + +volumes: + traefik_acme: + traefik_logs: + +networks: + pubnet: + driver: overlay diff --git a/ansible/roles/abjure/templates/traefik.yml.j2 b/ansible/roles/abjure/templates/traefik.yml.j2 new file mode 100644 index 0000000..b365df5 --- /dev/null +++ b/ansible/roles/abjure/templates/traefik.yml.j2 
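Review bot: The traefik service pairs the `traefik:2.5` image with v1-style flags in `command:` (`--web`, `--docker`, `--docker.swarmmode`, `--docker.watch`, `--docker.domain`, `--logLevel`); as far as I know the v2 loader rejects unknown static-configuration fields at startup, leaving `--providers.docker.network=pubnet` as the only valid flag here, so the container is likely to exit before serving anything. The swarm setting belongs in the static config as `providers.docker.swarmMode: true`, and the log level, if wanted on the command line, is `--log.level=DEBUG`. Two exposure points deserve a second look once it runs: `8080:8080/tcp` publishes a host port that no entrypoint in traefik.yml listens on, which is dead today and becomes an unauthenticated dashboard if `api.insecure` is ever switched on; and the `mediaserver-traefik-api` router serves `api@internal` over TLS with no auth middleware, so the dashboard is reachable by anyone who can resolve the host. The `traefik_acme` volume is declared but unused, since acme.json is bind-mounted from the host instead.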
@@ -0,0 +1,49 @@ +--- + +# defaultEntryPoints must be at the top +defaultEntryPoints: + - http + - https + +log: + level: DEBUG + format: common +accessLog: + format: common + +api: + dashboard: true + +entryPoints: + http: + address: ":80" + https: + address: ":443" + +http: + middlewares: + mediaserver-https-redir: + redirectScheme: + scheme: https + permanent: true + +certificatesResolvers: + mediaserver-resolver: + acme: + storage: /acme.json + email: "admin@home.jowj.net" + dnsChallenge: + provider: "digitalocean" + +providers: + docker: {} + +docker: + endpoint: unix:///var/run/docker.sock + domain: "services.jowj.net" + watch: true + exposedbydefault: false + +# smh https://github.com/traefik/traefik/issues/7360 +pilot: + dashboard: false diff --git a/ansible/roles/abjure/vars/main.yml b/ansible/roles/abjure/vars/main.yml new file mode 100644 index 0000000..ef86eef --- /dev/null +++ b/ansible/roles/abjure/vars/main.yml @@ -0,0 +1 @@ +sys_packages: [ 'curl', 'vim', 'git', 'emacs', 'build-essential', 'mosh', 'python', 'python3-pip' ]
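Review bot: This static config mixes Traefik v1 and v2 layouts: `defaultEntryPoints` and the top-level `docker:` block (`endpoint`, `domain`, `watch`, `exposedbydefault`) are v1 keys, and `http.middlewares` is dynamic configuration in v2, which the 2.5 image used by the compose file does not accept in the static file as far as I can tell. The practical consequence is that `exposedbydefault: false` is not applied: the effective provider block is `providers: docker: {}`, and in v2 `exposedByDefault` defaults to true, so every swarm service would be auto-routed even without `traefik.enable` labels. Move the settings under the provider (`providers.docker.endpoint: unix:///var/run/docker.sock`, `providers.docker.exposedByDefault: false`, `providers.docker.swarmMode: true`), drop `defaultEntryPoints` and the top-level `docker:` block, and either move `mediaserver-https-redir` to a file provider or rely on the `redirect-to-https` label the compose file already defines.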
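Review bot: `sys_packages` is declared but no task in tasks/main.yml installs it, and the list pairs the unversioned `python` package with `python3-pip`; on recent Debian and Ubuntu releases the `python` package no longer exists, so an `apt` task over this list would presumably fail there. Either add the install task that consumes the variable or drop it; if kept, `python3` is the entry that matches the pip package. A block sequence would also match the other YAML in the role better than the flow list.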