feat: media+app VMs, Komodo periphery working

ansible/inventories/group_vars/all/app_disks.yml

@@ -20,3 +20,21 @@ app_data_disks:
     disk_id: scsi2
     mount_point: /data/komodo
     device: /dev/sdc
+  komodo-periphery-media:
+    vm: media-1
+    vmid: 420
+    node: purah
+    size: "20"
+    storage: purah-mirror-860gb
+    disk_id: scsi1
+    mount_point: /data/komodo-periphery
+    device: /dev/sdb
+  komodo-periphery-apps:
+    vm: apps-1
+    vmid: 430
+    node: yunobo
+    size: "20"
+    storage: nvme-2tb
+    disk_id: scsi1
+    mount_point: /data/komodo-periphery
+    device: /dev/sdb

ansible/inventories/group_vars/all/main.yml

@@ -241,3 +241,5 @@ komodo_db_username: "{{ vault_komodo_db_username }}"
 komodo_db_password: "{{ vault_komodo_db_password }}"
 komodo_webhook_secret: "{{ vault_komodo_webhook_secret }}"
 komodo_jwt_secret: "{{ vault_komodo_jwt_secret }}"
+komodo_onboarding_key: "{{ vault_komodo_onboarding_key }}"
+komodo_core_address: "komodo.lino.cooking"

ansible/inventories/group_vars/all/vault.yml

@@ -1,42 +1,46 @@
 $ANSIBLE_VAULT;1.1;AES256
-38316332346633663733346561333162356230356539346265303565316635353866333166363663
-6238393162336531616335643063353061653339393163360a323365376231393636393938356663
-39636234653963653930393462323034613361366230323661633537326638346335643235653335
-3931313539333239330a306238646231306333353137656332656263363135343830653864323435
-63636337346165323030646264653036616237313134653537386436383632353237306136366361
-34626530643230353732366135616661633934323638313430386561636362363961613462653839
-31656130313765326431356437326435343431306561393938356162396562316638343333386164
-62396231323661626438356235393033313834366631343539613430333863653836316132373833
-62373665363062336530613462643839616633653233323135376564653134303134323230623833
-65356133646335663333376137613565386462303137336431346338616239653464633839633462
-66633465363365363037613564636336306261393931303065633839336331656264613534323030
-39303736343835646430326535333264383438343631623036326162653964653664303663383833
-36326430653862303539626461303334313436363930633033343339373464313663326464393633
-33623235643432666430336262626130346564396135343064333837633264383435666266333138
-39613830613639636433326334396165353035623136633534393638376532666134626631333764
-34653061346464306632386162633263616365636536656432666636663935353431633562663635
-64363038633561633532633139356236393463656139333933643261366262386364326231633434
-32326462633834613961303266313963363366613534363961383633366435626466666436306232
-65323365303932343933303238323363326637346363353938653630646135623636313636643437
-34393530343133356432616331386332383632333734346563306162396564373332373761643030
-39343561633764376138643634353463663066303637383262383762623534633536663138383363
-62613863383463316634653633343939343863336531623537343563373065616231393038616335
-63336562306435316338323934343331323436326661373762306533346530326637313863333432
-32316164333164353037313762396532343663623537313461376265666162316239366661396666
-66633637303361333065323234656461663333366163313138666465643634313961326431336331
-35336437626664356431313631353661666465353230303663393931373639326566646338333135
-39626334303438313631366466356431663536353639633931323633333135306432326166383937
-64626630666536343138643034663961353133643166633738663864366266643337636132386334
-37366464346364313166393835633465626535623332386162303564363030386430383966396461
-31626630643432376436396537306362633437663763616432633039386564393966333963386133
-62626563383831636136633539353731626463393861393132353834613936643564333365353934
-32376162636466393637336364363239636530316436653632336233613634623261373037646332
-36346162623164613736316263333132356131643461346332303531633439363037316437393661
-33646234333132393333383461663635626161306431323530333666373935323035373833363462
-33623237393033363930323533663434353535353962376539333431313561393062343466343337
-65303230376136323838313730623866306534646531356637323865393262663363383163623131
-31613063623935616438353735386134356139393634383136363935343739313836653637616533
-38316364303332646135373339343830306437613936323235616133363837616363666435613432
-32313830316164306463623861656361353961313235653730363633616464666533343863396662
-38646138326363386164623062353738363236643164666639383532373934636466303138383637
-37313466353036643766353266653737646363626439303962346235306338396631
+32666164303261303561346338303530366438613032393865383765643635386564383762343730
+3733623235313239653631623739393638396436323863630a643738343132313766626133663932
+64373061613562343864313735383730383362643332636630343665353130383165363437323832
+6565636230646430370a643833656235646262323032393933323734336434653432616430376233
+33336263323533636134633439323536643231396435623362633832643738313538353331313661
+61666133386331396132346336623337323662636566303262666238356438623930333339303430
+36653839383336613466313833343830346535363665643233646239623730386539613934323430
+62316333376164363839376330653333353339343135303837356466396266373639323533353064
+38646533656638623039633137386366643866336436373432333339313336653866346639303665
+35353162356165366637323031333133343561663534376665636263633739376437333834373233
+35616538383466656133663332656361653139313835323266626631636432373230323561616166
+62393031653035646132356562366133353839613137323465376266326130613439393664323335
+34663965396638613131626534643864373331656435386265303463656636373630643361346365
+64353861643231326466343262636664336532653338373866663462636239336166653261646437
+35343062303832633439393439643833303166663464303934613030666664363461376333353835
+34613361333932623864373037643630396635656138643666336263633431633839643937343630
+38343439326237313431626265623161313433636233326335623231376261396236383366653737
+62366365666465393132303130646661303765346535666132626562313761623630323936333562
+66343331363832393032353631393037616566343238363165663836396635656530356366363066
+66343435303037316362623265316566333938643439393937383839363235363131323030303465
+37303266303833353236363566383238353039623638376265353332323535353862373864356634
+34303939633836643336663236306639393163373264353565643031623336383965316333393862
+35633763653665383438333165626561663838336533633865623339363761333430356434373465
+37346634616638333738626630346538366631653237626538373864383837666535663931326361
+30643031366230653038623732623265383231656633393934323263303930666434623861326630
+30626136306431653539353135336237376432393638663961396431376434386438343633666261
+32653063373630303263646232626637313163366436363862346263343365363362393833303339
+30343437646466313566383238353632653361316461323331633438346562363038376639633932
+61653039626431366564643938336135353230636336306639373062666362666463656164363136
+61343434623636636136636334313865333864353061623363663865646364653238363337333439
+35353539343632653339336133313066626565333533336334303834653930346362333538363164
+34303334366562626665653630666539623735626661663435643236626537356630666433393835
+31383131333066616365363463333937636162633133343732343530336565333334373338323033
+36636439323766373563636664346433643263356466313566313662633438623462383334393438
+30383031376362376639346362386334333131343361646338623034356265373262643561656335
+31636265333833653839313830653230383733663635356562323062373365336137623738336530
+66636564663339626464356135646666376432313464346535636636613165353836386365333738
+62323739383939313561396235353537343637636262343338666332656238393566313231396135
+63393331326136656461316363346465633435653863663065633633663737616534353064643934
+34666565343437333839346235613766623334393166666162366430616439343364323661396230
+34393438663163313762653263653537376462316561306634666637356465646139323831343337
+32613736396437343064626233353532376263663338366337303832656166343063666231643037
+39303239633731306465303036356266353035626566313466623866346635363464333133346262
+30313235336231666363346361393064346432353533363937366663373536306632343439616133
+3365

ansible/inventories/group_vars/all/vms.yml

@@ -11,26 +11,27 @@ vms:
     storage: purah-mirror-860gb
     cpu_type: host
 
-  # media-1:
-  #   vmid: 420
-  #   node: purah
-  #   cores: 8
-  #   memory: 16384
-  #   disk: 200G
-  #   ip: 10.0.4.20
-  #   igpu: true
-  #   network_bridge: "vmbr0"
-  #   storage: purah-mirror-860gb
+  media-1:
+    vmid: 420
+    node: purah
+    template_vmid: 9000
+    cores: 8
+    memory: 16384
+    disk: 50G
+    ip: 10.0.4.20
+    network_bridge: "vmbr0"
+    storage: purah-mirror-860gb
 
-  # apps-1:
-  #   vmid: 430
-  #   node: yunobo
-  #   cores: 6
-  #   memory: 16384
-  #   disk: 100G
-  #   ip: 10.0.4.30
-  #   network_bridge: "vmbr2"
-  #   storage: nvme-2tb
+  apps-1:
+    vmid: 430
+    node: yunobo
+    template_vmid: 9003
+    cores: 6
+    memory: 16384
+    disk: 100G
+    ip: 10.0.4.30
+    network_bridge: "vmbr2"
+    storage: nvme-2tb
 
   edge-1:
     vmid: 401

ansible/inventories/host_vars/edge-1/main.yml

@@ -6,3 +6,5 @@ keepalived_interface: eth0
 keepalived_router_id: 51
 keepalived_vip: 10.0.4.254
 keepalived_password: "{{ vault_keepalived_password | default('changeme') }}"
+
+komodo_core_address: "10.0.4.10:9120"

ansible/inventories/host_vars/edge-2/main.yml

@@ -6,3 +6,5 @@ keepalived_interface: eth0
 keepalived_router_id: 51
 keepalived_vip: 10.0.4.254
 keepalived_password: "{{ vault_keepalived_password | default('changeme') }}"
+
+komodo_core_address: "10.0.4.10:9120"

ansible/inventories/production.yml

@@ -14,17 +14,11 @@ all:
       hosts:
         infra-core-1:
           ansible_host: 10.0.4.10
-    yunobo:
+    media:
       hosts:
         media-1:
           ansible_host: 10.0.4.20
+    apps:
+      hosts:
         apps-1:
           ansible_host: 10.0.4.30
-    mipha:
-      hosts:
-        edge-1:
-          ansible_host: 10.0.4.1
-    sidon:
-      hosts:
-        edge-2:
-          ansible_host: 10.0.4.2

ansible/playbooks/configure_vms.yml

@@ -0,0 +1,33 @@
+---
+- hosts: infra
+  become: yes
+  roles:
+    - base
+    - docker
+    - komodo
+    - tinyauth
+    - pocketid
+    - website
+
+- hosts: edge
+  become: yes
+  roles:
+    - base
+    - docker
+    - keepalived
+    - traefik
+    - komodo-periphery
+
+- hosts: media
+  become: yes
+  roles:
+    - base
+    - docker
+    - komodo-periphery
+
+- hosts: apps
+  become: yes
+  roles:
+    - base
+    - docker
+    - komodo-periphery

ansible/playbooks/provision_vms.yml

@@ -1,24 +1,5 @@
 ---
-# - hosts: localhost
-#   gather_facts: no
-#   roles:
-#     - proxmox_vm
-
-- hosts: infra
-  become: yes
+- hosts: localhost
+  gather_facts: no
   roles:
-    - base
-    - docker
-    - komodo
-    - tinyauth
-    - pocketid
-    - website
-
-- hosts: edge
-  become: yes
-  roles:
-    - base
-    - docker
-    - komodo-periphery
-    - keepalived
-    - traefik
+    - proxmox_vm

ansible/roles/komodo-periphery/templates/docker-compose.yml.j2

@@ -1,17 +1,21 @@
 services:
   periphery:
-    image: ghcr.io/moghtech/komodo-periphery:2
+    image: ghcr.io/moghtech/komodo-periphery:2.1.0
     init: true
     container_name: komodo-periphery
     restart: unless-stopped
     environment:
-      PERIPHERY_CORE_ADDRESS: 10.0.4.10:9120
+      PERIPHERY_CORE_ADDRESS: {{ komodo_core_address }}
       PERIPHERY_CONNECT_AS: {{ inventory_hostname }}
       PERIPHERY_CORE_PUBLIC_KEYS: file:/config/keys/core.pub
       PERIPHERY_ROOT_DIRECTORY: /etc/komodo
       PERIPHERY_DISABLE_TERMINALS: false
       PERIPHERY_DISABLE_CONTAINER_TERMINALS: false
       PERIPHERY_INCLUDE_DISK_MOUNTS: /etc/hostname
+      KOMODO_SSL_ENABLED: false
+      PERIPHERY_BIND_IP: 0.0.0.0
+      PERIPHERY_ONBOARDING_KEY: "{{ komodo_onboarding_key }}"
+      PERIPHERY_CORE_TLS_INSECURE_SKIP_VERIFY: true
       TZ: Europe/Lisbon
     volumes:
       - /data/komodo/app/keys:/config/keys

ansible/roles/komodo/templates/docker-compose.yml.j2

@@ -38,30 +38,10 @@ services:
       KOMODO_RESOURCE_POLL_INTERVAL: "1-hr"
       KOMODO_DISABLE_USER_REGISTRATION: true
       KOMODO_ENABLE_NEW_USERS: false
+      KOMODO_SSL_ENABLED: false
+      KOMODO_TLS_INSECURE_SKIP_VERIFY: true
       TZ: "Europe/Lisbon"
     volumes:
       - /data/komodo/app/keys:/config/keys
       - /data/komodo/app/backups:/backups
       - /var/run/docker.sock:/var/run/docker.sock
-
-  periphery:
-    image: ghcr.io/moghtech/komodo-periphery:2
-    init: true
-    container_name: komodo-periphery
-    restart: unless-stopped
-    depends_on:
-      - komodo-core
-    environment:
-      PERIPHERY_CORE_ADDRESS: ws://komodo-core:9120
-      PERIPHERY_CONNECT_AS: "infra-core-1"
-      PERIPHERY_CORE_PUBLIC_KEYS: file:/config/keys/core.pub
-      PERIPHERY_ROOT_DIRECTORY: /etc/komodo
-      PERIPHERY_DISABLE_TERMINALS: false
-      PERIPHERY_DISABLE_CONTAINER_TERMINALS: false
-      PERIPHERY_INCLUDE_DISK_MOUNTS: /etc/hostname
-      TZ: "Europe/Lisbon"
-    volumes:
-      - /data/komodo/app/keys:/config/keys
-      - /var/run/docker.sock:/var/run/docker.sock
-      - /proc:/proc
-      - /etc/komodo:/etc/komodo

ansible/roles/traefik/templates/remote-services.yml.j2

@@ -122,6 +122,22 @@ http:
       tls:
         certResolver: cloudflare
 {% endfor %}
+{% endif %}
+{% if config.auth_required | default(true) %}
+    # {{ service_name }} - internal network (no auth)
+    {{ service_name }}-int:
+      rule: "Host(`{{ config.subdomain }}.{{ domain }}`) && ClientIP(`10.0.0.0/21`)"
+      entryPoints:
+        - https
+      priority: 50
+{% if config.forward_https | default(false) %}
+      middlewares:
+        - {{ service_name }}-https-headers
+{% endif %}
+      service: {{ service_name }}
+      tls:
+        certResolver: cloudflare
+{% endif %}
     # {{ service_name }} - default path (with auth if required)
     {{ service_name }}:
       rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
@@ -140,24 +156,6 @@ http:
       service: {{ service_name }}
       tls:
         certResolver: cloudflare
-{% else %}
-    {{ service_name }}:
-      rule: "Host(`{{ config.subdomain }}.{{ domain }}`)"
-      entryPoints:
-        - https
-{% if config.auth_required | default(true) or config.forward_https | default(false) %}
-      middlewares:
-{% if config.auth_required | default(true) %}
-        - pocketid-auth
-{% endif %}
-{% if config.forward_https | default(false) %}
-        - {{ service_name }}-https-headers
-{% endif %}
-{% endif %}
-      service: {{ service_name }}
-      tls:
-        certResolver: cloudflare
-{% endif %}
 {% endfor %}
 
     # Auto-configured services - HTTP to HTTPS redirect

ansible/roles/vm_apps/tasks/main.yml

@@ -1,11 +0,0 @@
----
-- name: Create app directories
-  ansible.builtin.file:
-    path: "/data/{{ item }}"
-    state: directory
-    mode: "0755"
-  loop:
-    - paperless
-    - nextcloud
-    - mealie
-    - outline

ansible/roles/vm_infra/tasks/main.yml

@@ -1,10 +0,0 @@
----
-- name: Create infra directories
-  ansible.builtin.file:
-    path: "/data/{{ item }}"
-    state: directory
-    mode: "0755"
-  loop:
-    - vaultwarden
-    - pi-hole
-    - uptime-kuma

ansible/roles/vm_plex/tasks/main.yml

@@ -1,10 +0,0 @@
----
-- name: Ensure VM has iGPU passthrough (requires Proxmox pre-config)
-  ansible.builtin.debug:
-    msg: "Ensure /dev/dri is passed through on this VM: {{ inventory_hostname }}"
-
-- name: Mount media storage
-  ansible.builtin.file:
-    path: /data/media
-    state: directory
-    mode: "0755"