Update readme.

master
josiah 4 years ago
parent faf6cfcec9
commit 42cc95c36c

@ -1,58 +1,31 @@
* adc: agares deployment core * adc: agares deployment core
this was spun out of agares (which has sense been deprecated) to keep my machine setup bullshit separate from deploys and small docker-compose files not deserving of their own repo. this was spun out of agares (which has sense been deprecated) to keep my machine setup bullshit separate from deploys and small docker-compose files not deserving of their own repo.
** ansible ** goals:
houses ansible roles - [ ] use docker for as much as possible (still WIP; pleroma is a notable non-docker core service I gotta figure out)
- [ ] use ansible for deployment (still WIP; mostly done, pleroma hasn't been moved over to ansible but I think that's the last thing)
- [X] use ansible-vault for secrets management.
- when I was a small baby in running my own infrastructure i used real bad default passwords because I didn't know how to do secrets management and just, like, thought I was clever for opting out? oops.
- [ ] be able to bootstrap my infrastructure from nothing (recovery scenario in case of house fire, robbery, whatever) with a single command.
*** arke ** ansible specific things
- deploys monitoring script *** for when you inevitably forget how to deploy stuff:
- its mostly broken. i mostly run commands using the ~all.yml~ file, like:
- relies on droplet config ~ansible-playbook -i hosts.yml all.yml --tags=mytag~
*** mojobot *** how to handle working with ansible-vault and not want to kill yourself
- deploy mojobot i rely heavily on ~ansible-vault~ for secrets management, and to make deployments faster i use a gpg + ansible-vault contraption:
- two portions; web and rtm client.
- relies on droplet config
*** znc - ~open_the_vault.sh~ is a 1liner that just has this inside ~gpg --batch --use-agent --decrypt vault_passphrase.gpg~
- deploys znc bouncer - this script is called every time ansible tries to decrypt ~ansible-vault~ encrypted files
- relies on external drive attached to droplet - ~vault_passphrase.gpg~ is a gpg encrypted file that contains the key to my ansible-vault files.
- relies on droplet config - ~vault_passphrase.gpg~ can be decrypted by my gpg agent locally, automatically.
*** awfulAll running ~ansible-vault edit~ opens a file in my $EDITOR transparently, without prompting me for a passphrase ever. same for deploying; you don't have to pass ~--ask-vault-pass~ ever again!! fuck that's so useful.
- deploy mojobot
- deploy znc
- deploy arke
- relies on droplet config
*** droplets ** riot/matrix deploys
- add regular user, sudo group, add user to group this is included as a submod and I had to reimplement some of my secrets management / group vars and stuff in the submodule's ansible setup. kind of a pain, frankly, but i'm using a tracking mirror to follow ~ansible-docker-matrix~'s github repo, so there's a lot of work i /don't/ have to do with my setup.
- use local droplet key
- disable pw auth for root
- update apt and install req packages
- restart sshd service.
*** onprem
- configure aptitude
- add docker key, repo
- install req packages
- add my user to docker group.
*** splunk_servers
- remnent of a past job
- i don't believe ever worked
- here for historical purposes.
*** wg_vpn
** docker
houses small dockerfiles / dockercompose stuff.
*** mediaserver
- docker compose file
- sonarr (tv)
- radarr (movie)
- lidarr (music)
- sabnzb (dl manager)
- lazylibrarian (this sucks and doesn't really work)
** scripts ** scripts
houses small scripts that i used to use before i moved to ansible for most things. these should probably all get deleted or converted to ansible roles. houses small scripts that i used to use before i moved to ansible for most things. these should probably all get deleted or converted to ansible roles.
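Review bot: In the new "how to handle working with ansible-vault" section, the readme says ~open_the_vault.sh~ "is called every time ansible tries to decrypt" but never documents how ansible is pointed at the script, so add the line that does the wiring (for example the ~vault_password_file~ setting in ansible.cfg or the ~--vault-password-file~ option, whichever this repo uses). The same section says ~vault_passphrase.gpg~ is decrypted by the local gpg agent, which leaves the goal "be able to bootstrap my infrastructure from nothing" dependent on a GPG private key that, as far as the readme says, exists only on that machine; state where that key is backed up and whether ~vault_passphrase.gpg~ is committed to this repo or kept elsewhere. The removed droplets list ("use local droplet key", "disable pw auth for root") was the only description of the SSH hardening the role applies, so consider keeping one line for it under the ansible section.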
