Add protonmail + cloud + fix prometheus

2023-05-20 16:36:15 +02:00 · 2023-05-20 16:36:15 +02:00 · 427838c903
commit 427838c903
parent 525c6ed2a4
13 changed files with 106 additions and 2 deletions
--- a/roles/cloud/files/cron.sh
+++ b/roles/cloud/files/cron.sh
@ -0,0 +1,2 @@
+#!/bin/sh
+docker-compose exec -T nextcloud su - www-data -s /bin/bash -c 'php -f /var/www/html/cron.php'
--- a/roles/cloud/tasks/base.yml
+++ b/roles/cloud/tasks/base.yml
@ -0,0 +1,39 @@
+---
+
+- name: Check cloud directory exist
+  ansible.builtin.file:
+    path: cloud
+    state: directory
+
+- name: Copy cloud conf
+  ansible.builtin.copy:
+    backup: true
+    src: .
+    dest: cloud/
+  register: cloud_copy_files_results
+
+- name: Copy template conf
+  ansible.builtin.template:
+    backup: true
+    src: "{{ item.src }}"
+    dest: "cloud/{{ item.dest }}"
+  loop:
+    - { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
+  register: cloud_copy_templates_results
+
+- name: Force update and restart container
+  community.docker.docker_compose:
+    project_src: cloud
+    state: present
+    pull: true
+    restarted: true
+  when: cloud_copy_files_results.changed or cloud_copy_templates_results.changed
+  become: true
+
+- name: Update or start container
+  community.docker.docker_compose:
+    project_src: cloud
+    state: present
+    pull: true
+  when: not cloud_copy_files_results.changed and not cloud_copy_templates_results.changed
+  become: true
--- a/roles/cloud/tasks/cron.yml
+++ b/roles/cloud/tasks/cron.yml
@ -0,0 +1,7 @@
+---
+
+- name: Ensure a job that run all 5 minutes for nextcloud cron
+  ansible.builtin.cron:
+    name: "check dirs"
+    minute: "*/5"
+    job: "cd {{ ansible_env.HOME }}/cloud && ./cron.sh"
--- a/roles/cloud/tasks/main.yml
+++ b/roles/cloud/tasks/main.yml
@ -0,0 +1,7 @@
+---
+
+- ansible.builtin.import_tasks: base.yml
+  name: base
+
+- ansible.builtin.import_tasks: cron.yml
+  name: cron
--- a/roles/cloud/templates/docker-compose.yml.j2
+++ b/roles/cloud/templates/docker-compose.yml.j2
@ -0,0 +1,70 @@
+version: '3'
+
+services:
+  db:
+    image: postgres:14
+    restart: always
+    container_name: nextcloud_db
+    networks:
+      - internal
+    volumes:
+      - db:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=nextcloud
+      - POSTGRES_DB=nextcloud
+      - POSTGRES_USER=nextcloud
+
+  nextcloud:
+    image: nextcloud
+    restart: always
+    container_name: nextcloud
+    networks:
+      - proxy
+      - protonmail
+      - internal
+    depends_on:
+      - db
+    volumes:
+      - nextcloud:/var/www/html
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.nextcloud-compress.compress=true"
+      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-regex-redirect.redirectregex.replacement=https://$$1/remote.php/dav/"
+      - "traefik.http.middlewares.nextcloud-headers.headers.frameDeny=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.sslRedirect=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.stsPreload=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.nextcloud-headers.headers.referrerPolicy=same-origin"
+      - "traefik.http.middlewares.nextcloud-headers.headers.browserXssFilter=true"
+      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.nextcloud-headers.headers.customRequestHeaders.X-Robots-Tag=none"
+      - "traefik.http.middlewares.nextcloud-headers.headers.customFrameOptionsValue=SAMEORIGIN"
+      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
+      - "traefik.http.routers.nextcloud-secure.rule=Host(`mycld.{{ server.domain }}`)"
+      - "traefik.http.routers.nextcloud-secure.tls=true"
+      - "traefik.http.routers.nextcloud-secure.tls.certresolver=sslResolver"
+      - "traefik.http.routers.nextcloud-secure.middlewares=nextcloud-compress,nextcloud-regex-redirect,nextcloud-headers"
+      # - "traefik.http.routers.nextcloud-secure.service=nextcloud"
+      # - "traefik.http.services.nextcloud.loadbalancer.server.port=9002"
+      - "traefik.docker.network=proxy"
+    environment:
+      - POSTGRES_PASSWORD=nextcloud
+      - POSTGRES_DATABASE=nextcloud
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_HOST=db
+      - OVERWRITEPROTOCOL=https
+
+volumes:
+  nextcloud:
+  db:
+
+networks:
+  internal:
+  proxy:
+    external: true
+  protonmail:
+    external: true
--- a/roles/protonmail/files/docker-compose.yml
+++ b/roles/protonmail/files/docker-compose.yml
@ -0,0 +1,18 @@
+version: '3'
+
+services: 
+  protonmail-bridge:
+    image: shenxn/protonmail-bridge
+    restart: always
+    container_name: protonmail-bridge
+    networks:
+      - protonmail
+    volumes:
+      - protonmail:/root
+
+volumes:
+  protonmail:
+
+networks:
+  protonmail:
+      external: true
--- a/roles/protonmail/files/init.sh
+++ b/roles/protonmail/files/init.sh
@ -0,0 +1,2 @@
+#!/bin/sh
+docker-compose run protonmail-bridge init
--- a/roles/protonmail/tasks/base.yml
+++ b/roles/protonmail/tasks/base.yml
@ -0,0 +1,41 @@
+---
+
+- name: Check protonmail directory exist
+  ansible.builtin.file:
+    path: protonmail
+    state: directory
+
+- name: Copy protonmail conf
+  ansible.builtin.copy:
+    backup: true
+    src: .
+    dest: protonmail/
+  register: protonmail_copy_files_results
+
+- name: Create protonmail network
+  community.docker.docker_network:
+    name: protonmail
+    state: present
+  become: true
+
+- name: Show message if not initialized
+  ansible.builtin.debug:
+    msg: Please run init.sh in protonmail folder and set variable protonmail.initialized to true and restart tasks
+  when: not protonmail.initialized
+
+- name: Force update and restart container
+  community.docker.docker_compose:
+    project_src: protonmail
+    state: present
+    pull: true
+    restarted: true
+  when: protonmail.initialized and protonmail_copy_files_results.changed
+  become: true
+
+- name: Update or start container
+  community.docker.docker_compose:
+    project_src: protonmail
+    state: present
+    pull: true
+  when: protonmail.initialized and not protonmail_copy_files_results.changed
+  become: true
--- a/roles/protonmail/tasks/main.yml
+++ b/roles/protonmail/tasks/main.yml
@ -0,0 +1,4 @@
+---
+
+- ansible.builtin.import_tasks: base.yml
+  name: base
--- a/roles/traefik/files/prometheus/alert.rules
+++ b/roles/traefik/files/prometheus/alert.rules
@ -0,0 +1,11 @@
+groups:
+- name: traefik
+  rules:
+  - alert: service_down
+    expr: up == 0
+    for: 2m
+    labels:
+      severity: page
+    annotations:
+      summary: "Instance {{ $labels.instance }} down"
+      description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 2 minutes"
--- a/roles/traefik/files/prometheus/prometheus.yml
+++ b/roles/traefik/files/prometheus/prometheus.yml
@ -0,0 +1,12 @@
+global:
+  scrape_interval:     15s
+  evaluation_interval: 15s
+
+rule_files:
+  - 'alert.rules'
+
+scrape_configs:
+  - job_name: 'traefik'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['traefik:8080']