From 0ad4fd39454991ee2e2b1013589871b85fdd824a Mon Sep 17 00:00:00 2001 
From: Lino Silva Date: Sun, 26 Mar 2023 15:51:28 +0100 Subject: [PATCH] fix: Enable ssh --- roles/{ => archive}/traefik/tasks/main.yml | 0 .../traefik/templates/dashboard-ingress.yml | 0 .../traefik/templates/default-headers.yml | 0 .../templates/middleware-forwardauth.yml | 0 .../traefik/templates/secret-dashboard.yml | 0 .../traefik/templates/values.yml | 0 .../cloudflare-ddns/enable-ssh/tasks/main.yml | 8 ++ .../install-app/tasks/main.yml | 6 +- roles/immich/enable-ssh/tasks/main.yml | 8 ++ roles/immich/install-app/tasks/main.yml | 28 ++++ roles/immich/install-app/templates/.env | 16 +++ .../install-app/templates/docker-compose.yml | 120 ++++++++++++++++++ roles/immich/install-docker/tasks/main.yml | 27 ++++ roles/immich/provision/create/tasks/main.yml | 27 ++++ roles/immich/provision/delete/tasks/main.yml | 26 ++++ roles/immich/provision/start/tasks/main.yml | 8 ++ roles/immich/update/tasks/main.yml | 6 + roles/swag/enable-ssh/tasks/main.yml | 8 ++ 18 files changed, 285 insertions(+), 3 deletions(-) rename roles/{ => archive}/traefik/tasks/main.yml (100%) rename roles/{ => archive}/traefik/templates/dashboard-ingress.yml (100%) rename roles/{ => archive}/traefik/templates/default-headers.yml (100%) rename roles/{ => archive}/traefik/templates/middleware-forwardauth.yml (100%) rename roles/{ => archive}/traefik/templates/secret-dashboard.yml (100%) rename roles/{ => archive}/traefik/templates/values.yml (100%) create mode 100644 roles/cloudflare-ddns/enable-ssh/tasks/main.yml create mode 100644 roles/immich/enable-ssh/tasks/main.yml create mode 100644 roles/immich/install-app/tasks/main.yml create mode 100644 roles/immich/install-app/templates/.env create mode 100644 roles/immich/install-app/templates/docker-compose.yml create mode 100644 roles/immich/install-docker/tasks/main.yml create mode 100644 roles/immich/provision/create/tasks/main.yml create mode 100644 roles/immich/provision/delete/tasks/main.yml create mode 100644 
roles/immich/provision/start/tasks/main.yml create mode 100644 roles/immich/update/tasks/main.yml create mode 100644 roles/swag/enable-ssh/tasks/main.yml
diff --git a/roles/traefik/tasks/main.yml b/roles/archive/traefik/tasks/main.yml
similarity index 100%
rename from roles/traefik/tasks/main.yml
rename to roles/archive/traefik/tasks/main.yml
diff --git a/roles/traefik/templates/dashboard-ingress.yml b/roles/archive/traefik/templates/dashboard-ingress.yml
similarity index 100%
rename from roles/traefik/templates/dashboard-ingress.yml
rename to roles/archive/traefik/templates/dashboard-ingress.yml
diff --git a/roles/traefik/templates/default-headers.yml b/roles/archive/traefik/templates/default-headers.yml
similarity index 100%
rename from roles/traefik/templates/default-headers.yml
rename to roles/archive/traefik/templates/default-headers.yml
diff --git a/roles/traefik/templates/middleware-forwardauth.yml b/roles/archive/traefik/templates/middleware-forwardauth.yml
similarity index 100%
rename from roles/traefik/templates/middleware-forwardauth.yml
rename to roles/archive/traefik/templates/middleware-forwardauth.yml
diff --git a/roles/traefik/templates/secret-dashboard.yml b/roles/archive/traefik/templates/secret-dashboard.yml
similarity index 100%
rename from roles/traefik/templates/secret-dashboard.yml
rename to roles/archive/traefik/templates/secret-dashboard.yml
diff --git a/roles/traefik/templates/values.yml b/roles/archive/traefik/templates/values.yml
similarity index 100%
rename from roles/traefik/templates/values.yml
rename to roles/archive/traefik/templates/values.yml
diff --git a/roles/cloudflare-ddns/enable-ssh/tasks/main.yml b/roles/cloudflare-ddns/enable-ssh/tasks/main.yml
new file mode 100644
index 0000000..3a179de
--- /dev/null
+++ b/roles/cloudflare-ddns/enable-ssh/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n 607 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n 607 service ssh restart
diff --git a/roles/cloudflare-ddns/install-app/tasks/main.yml b/roles/cloudflare-ddns/install-app/tasks/main.yml
index d2f41d7..3aa3110 100644
--- a/roles/cloudflare-ddns/install-app/tasks/main.yml
+++ b/roles/cloudflare-ddns/install-app/tasks/main.yml
@@ -1,14 +1,14 @@
 ---
 - name: Create directory for docker-compose
   ansible.builtin.file:
-    path: /root/docker/swag/
+    path: /root/docker/
     state: directory
     mode: "0755"
 
 - name: Copy docker-compose file
   template:
     src: "docker-compose.yml"
-    dest: /root/docker/swag/docker-compose.yml
+    dest: /root/docker/docker-compose.yml
     owner: root
     group: root
     mode: 0755
@@ -17,4 +17,4 @@
   ansible.builtin.shell:
   args:
     cmd: docker compose up -d
-    chdir: /root/docker/swag/
+    chdir: /root/docker/
diff --git a/roles/immich/enable-ssh/tasks/main.yml b/roles/immich/enable-ssh/tasks/main.yml
new file mode 100644
index 0000000..fd8bfed
--- /dev/null
+++ b/roles/immich/enable-ssh/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n 609 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n 609 service ssh restart
diff --git a/roles/immich/install-app/tasks/main.yml b/roles/immich/install-app/tasks/main.yml
new file mode 100644
index 0000000..05ccd3b
--- /dev/null
+++ b/roles/immich/install-app/tasks/main.yml
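Review bot: The sed in `Allow SSH into LXC` rewrites `PermitRootLogin prohibit-password` to `PermitRootLogin yes`, which does more than "enable ssh": it turns on interactive password logins for root, whereas the default already accepts key-based root logins, so the bootstrap only needs root's public key pushed into the container through the host (for example `lxc-attach -n 607 -- mkdir -p /root/.ssh` followed by a copy of the key into `/root/.ssh/authorized_keys`) with `prohibit-password` left in place. The same two tasks appear in roles/immich/enable-ssh (container 609, later on this line) and roles/swag/enable-ssh (container 606), so the change applies to all three. Both `ansible.builtin.command` tasks run unconditionally, so every play reports changed and restarts sshd; a `grep`-guarded sed or `changed_when: false` on the restart would make the role idempotent. The restart also drops the `--` separator the first task uses, `lxc-attach -n 607 -- service ssh restart` keeps them consistent.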
@@ -0,0 +1,28 @@
+---
+- name: Create directory for docker-compose
+  ansible.builtin.file:
+    path: /root/docker/immich/
+    state: directory
+    mode: "0755"
+
+- name: Copy .env file
+  template:
+    src: ".env"
+    dest: /root/docker/immich/.env
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy docker-compose file
+  template:
+    src: "docker-compose.yml"
+    dest: /root/docker/immich/docker-compose.yml
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Run docker-compose
+  ansible.builtin.shell:
+  args:
+    cmd: docker compose up -d
+    chdir: /root/docker/immich/
diff --git a/roles/immich/install-app/templates/.env b/roles/immich/install-app/templates/.env
new file mode 100644
index 0000000..22a9b3d
--- /dev/null
+++ b/roles/immich/install-app/templates/.env
@@ -0,0 +1,16 @@
+DB_HOSTNAME=immich_postgres
+DB_USERNAME=ANVdeo9LyBqXwKwsCZMnSYe4yApjB7mvKtDE9CTTrMaq2tA3Hn
+DB_PASSWORD=KfVYJXdmN2jJd8BpU2AMGcJ9t9od4NgQrcRc6g9yeqZAZVYo68
+DB_DATABASE_NAME=immich
+REDIS_HOSTNAME=immich_redis
+UPLOAD_LOCATION=/export/photos/phone-lino
+LOG_LEVEL=simple
+PUBLIC_LOGIN_PAGE_MESSAGE="Photos"
+NODE_ENV=production
+IMMICH_WEB_URL=http://immich-web:3000
+IMMICH_SERVER_URL=http://immich-server:3001
+IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003
+TYPESENSE_API_KEY=CmRqRuYpn6KoH4rCVAXaVdKoixvKCMowfjW3JgKQoXKyVPYy8C
+TYPESENSE_ENABLED=true
+
+CONFIG_DIR=/data
\ No newline at end of file
diff --git a/roles/immich/install-app/templates/docker-compose.yml b/roles/immich/install-app/templates/docker-compose.yml
new file mode 100644
index 0000000..3a0505a
--- /dev/null
+++ b/roles/immich/install-app/templates/docker-compose.yml
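Review bot: `Copy .env file` installs a file that carries `DB_PASSWORD` and `TYPESENSE_API_KEY` with `mode: 0755`, which makes it readable by every account in the container (and needlessly executable); `mode: "0600"` is sufficient because only root's `docker compose` reads it. The compose file in the next task does not need the execute bit either, `mode: "0644"`. Writing the mode unquoted also relies on YAML 1.1 octal parsing, which happens to yield the right value for `0755` but is the reason Ansible recommends quoting modes, as the `Create directory` task already does. `Run docker-compose` is a bare `ansible.builtin.shell`, so it reports changed on every run; a `changed_when` derived from the command output would make the role idempotent.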
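Review bot: `DB_USERNAME`, `DB_PASSWORD` and `TYPESENSE_API_KEY` are committed in clear text, so they remain in git history even after a later edit; the file is already rendered by the `template` module, so the values can be Jinja references to vaulted variables, e.g. `DB_PASSWORD={{ immich_db_password }}` (name illustrative), the same way the provision tasks in this patch pass `proxmox_api_password` and `lxc_password`. Once moved, the three values shown here should be treated as exposed and rotated. The file also ends without a newline, which the patch flags and which some env-file parsers handle inconsistently.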
@@ -0,0 +1,120 @@
+version: "3.8"
+
+services:
+  immich-server:
+    container_name: immich_server
+    image: altran1502/immich-server:release
+    entrypoint: [ "/bin/sh", "./start-server.sh" ]
+    deploy:
+      resources:
+        limits:
+          cpus: '4'
+          memory: 4096M
+        reservations:
+          cpus: '2'
+          memory: 2048M
+    volumes:
+      - ${UPLOAD_LOCATION}:/usr/src/app/upload
+    env_file:
+      - .env
+    environment:
+      - NODE_ENV=production
+    depends_on:
+      - redis
+      - database
+      - typesense
+    restart: always
+
+  immich-microservices:
+    container_name: immich_microservices
+    image: altran1502/immich-server:release
+    entrypoint: [ "/bin/sh", "./start-microservices.sh" ]
+    deploy:
+      resources:
+        limits:
+          cpus: '4'
+          memory: 4096M
+        reservations:
+          cpus: '2'
+          memory: 2048M
+    volumes:
+      - ${UPLOAD_LOCATION}:/usr/src/app/upload
+    env_file:
+      - .env
+    environment:
+      - NODE_ENV=production
+    depends_on:
+      - redis
+      - database
+      - typesense
+    restart: always
+
+  typesense:
+    container_name: immich_typesense
+    image: typesense/typesense:0.24.0
+    environment:
+      - TYPESENSE_API_KEY=${TYPESENSE_API_KEY}
+      - TYPESENSE_DATA_DIR=/data
+    logging:
+      driver: none
+    volumes:
+      - ${CONFIG_DIR}/docker/immich/tsdata:/data
+
+  immich-machine-learning:
+    container_name: immich_machine_learning
+    image: altran1502/immich-machine-learning:release
+    deploy:
+      resources:
+        limits:
+          cpus: '4'
+          memory: 4096M
+        reservations:
+          cpus: '2'
+          memory: 2048M
+    volumes:
+      - ${UPLOAD_LOCATION}:/usr/src/app/upload
+      - ${CONFIG_DIR}/docker/immich/cache:/cache
+    env_file:
+      - .env
+    environment:
+      - NODE_ENV=production
+    restart: always
+
+  immich-web:
+    container_name: immich_web
+    image: altran1502/immich-web:release
+    entrypoint: [ "/bin/sh", "./entrypoint.sh" ]
+    env_file:
+      - .env
+    restart: always
+
+  redis:
+    container_name: immich_redis
+    image: redis:6.2
+    restart: always
+
+  database:
+    container_name: immich_postgres
+    image: postgres:14
+    env_file:
+      - .env
+    environment:
+      PG_DATA: /var/lib/postgresql/data
+    volumes:
+      - ${CONFIG_DIR}/docker/immich/pgsql:/var/lib/postgresql/data
+    restart: always
+
+  immich-proxy:
+    container_name: immich_proxy
+    image: altran1502/immich-proxy:release
+    environment:
+      # Make sure these values get passed through from the env file
+      - IMMICH_SERVER_URL
+      - IMMICH_WEB_URL
+    logging:
+      driver: none
+    depends_on:
+      - immich-server
+    restart: always
+    ports:
+      - 8080:8080
diff --git a/roles/immich/install-docker/tasks/main.yml b/roles/immich/install-docker/tasks/main.yml
new file mode 100644
index 0000000..d5baba9
--- /dev/null
+++ b/roles/immich/install-docker/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Get convenience script
+  uri:
+    url: "https://get.docker.com"
+    method: GET
+    dest: /tmp/get-docker.sh
+    mode: a+x
+    creates: /tmp/get-docker.sh
+
+- name: Execute script
+  ansible.builtin.shell: /tmp/get-docker.sh
+
+- name: Ensure group "docker" exists
+  ansible.builtin.group:
+    name: docker
+    state: present
+
+- name: Add root user to docker group
+  ansible.builtin.user:
+    name: root
+    groups: docker
+    append: yes
+
+- name: Enable docker on startup
+  ansible.builtin.shell: |
+    systemctl enable docker.service
+    systemctl enable containerd.service
diff --git a/roles/immich/provision/create/tasks/main.yml b/roles/immich/provision/create/tasks/main.yml
new file mode 100644
index 0000000..ac6fd2f
--- /dev/null
+++ b/roles/immich/provision/create/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Create container
+  community.general.proxmox:
+    vmid: 608
+    node: revali
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    password: "{{ lxc_password }}"
+    hostname: dahua-to-mqtt
+    ostemplate: "hyrule-8tb-nfs:vztmpl/debian-11-standard_11.3-1_amd64.tar.zst"
+    netif: "{'net0':'name=eth0,\
+      gw=10.0.0.1,\
+      ip=10.0.2.17/21,\
+      hwaddr=cc:c6:cf:de:17:77,\
+      bridge=vmbr0'}"
+    cores: 1
+    memory: 256
+    unprivileged: no
+    swap: 0
+    searchdomain: "home"
+    onboot: 1
+    features:
+      - nesting=1
+      - keyctl=1
+    disk: local-lvm:5
+    force: yes
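Review bot: All four immich images (`altran1502/immich-server:release`, `immich-machine-learning:release`, `immich-web:release`, `immich-proxy:release`) are pulled by a floating tag, so each `docker compose up -d` from the install-app role can silently roll the deployment to a different, unreviewed build; pin a version tag or an `@sha256:` digest the way `typesense/typesense:0.24.0`, `redis:6.2` and `postgres:14` already fix a version. `logging: driver: none` on `typesense` and on `immich-proxy`, the service that publishes port 8080, discards the only request log for the exposed entry point, which is exactly what you would want during an incident; a `json-file` driver with `max-size`/`max-file` options bounds disk use without losing the logs. The `PG_DATA` key under `database` is presumably meant to be `PGDATA`, the variable the postgres image reads; the default is the same path, so it is harmless but misleading. The `8080:8080` mapping should be quoted as `"8080:8080"` so YAML never interprets a port pair as a number.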
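Review bot: `Get convenience script` saves the download to the predictable, world-writable path `/tmp/get-docker.sh` guarded by `creates: /tmp/get-docker.sh`, and `Execute script` then runs whatever is at that path as root with no integrity check, so a file placed there earlier by any local process is executed instead of the download, and even the genuine download is an unverified remote script. Fetch into a root-owned directory and verify it, e.g. `ansible.builtin.get_url` with a `checksum:` pinned to a reviewed copy, or install docker from its apt repository via `ansible.builtin.apt` so package signatures are checked. `Execute script` and `Enable docker on startup` are plain `ansible.builtin.shell` tasks that report changed every run; `ansible.builtin.systemd` with `enabled: true` for `docker.service` and `containerd.service` is idempotent. `append: yes` is a YAML 1.1 truthy spelling, write `append: true`.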
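Review bot: The container created here does not match the rest of the immich role: `vmid: 608`, `hostname: dahua-to-mqtt`, `ip=10.0.2.17/21` and `hwaddr=cc:c6:cf:de:17:77`, whereas roles/immich/enable-ssh attaches to container 609 and roles/immich/provision/delete cleans up `10.0.2.16`, which reads like a create task copied from another role. Since the delete and start tasks in this patch take `vmid: "{{ vmid }}"`, the create task should use the same variable (presumably 609) together with an immich hostname, IP and MAC that agree with the delete task. `unprivileged: no` builds a privileged LXC, so a compromise of the web app it will run is one step from the Proxmox host; if docker runs under `unprivileged: true` with the `nesting=1` feature already listed, that is the safer default. `no` and `yes` on `unprivileged` and `force` are YAML 1.1 truthy forms, `false`/`true` are unambiguous.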
diff --git a/roles/immich/provision/delete/tasks/main.yml b/roles/immich/provision/delete/tasks/main.yml
new file mode 100644
index 0000000..13e7bf1
--- /dev/null
+++ b/roles/immich/provision/delete/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Stop container
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: stopped
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove containers
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: absent
+  ignore_errors: true
+  timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+  ansible.builtin.lineinfile:
+    path: /Users/lino.silva/.ssh/known_hosts
+    state: absent
+    regexp: "^10.0.2.16"
diff --git a/roles/immich/provision/start/tasks/main.yml b/roles/immich/provision/start/tasks/main.yml
new file mode 100644
index 0000000..de86b9b
--- /dev/null
+++ b/roles/immich/provision/start/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+  community.general.proxmox:
+    vmid: "{{ vmid }}"
+    api_user: root@pam
+    api_password: "{{ proxmox_api_password }}"
+    api_host: 10.0.2.2
+    state: started
diff --git a/roles/immich/update/tasks/main.yml b/roles/immich/update/tasks/main.yml
new file mode 100644
index 0000000..8227bf4
--- /dev/null
+++ b/roles/immich/update/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+  become: true
+  ansible.builtin.apt:
+    update_cache: yes
+    upgrade: full
diff --git a/roles/swag/enable-ssh/tasks/main.yml b/roles/swag/enable-ssh/tasks/main.yml
new file mode 100644
index 0000000..88dae36
--- /dev/null
+++ b/roles/swag/enable-ssh/tasks/main.yml
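Review bot: `regexp: "^10.0.2.16"` in `Remove .ssh/known_hosts lines` has unescaped dots and no terminator, so it also removes the entries for `10.0.2.160` through `10.0.2.169` and any similarly shaped address; `regexp: '^10\.0\.2\.16[ ,]'` limits it to that one host, and the address should come from the same variable that the create task uses for the container's IP, which in this patch is `10.0.2.17`, not `.16`. `path: /Users/lino.silva/.ssh/known_hosts` hard-codes one workstation; `path: "{{ lookup('env', 'HOME') }}/.ssh/known_hosts"` (with `delegate_to: localhost` if the play is not already local) works for any operator. `ignore_errors: true` on both proxmox tasks also masks real failures such as a rejected `api_password`; a `failed_when` limited to the container-not-found case keeps the delete tolerant without hiding everything else.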
@@ -0,0 +1,8 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Allow SSH into LXC
+  ansible.builtin.command: lxc-attach -n 606 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+  ansible.builtin.command: lxc-attach -n 606 service ssh restart