Merge branch 'sifi'

Reviewed-on: #9

ansible/inventories/externals.yaml

@@ -1,5 +1,9 @@
+---
 externals:
     children:
+      nextcloud:
+        hosts:
+          c-service.sse.cloud.isti.cnr.it
       rup_tests:
         hosts:
           liquid:

ansible/inventories/group_vars/automotive/automotive.yaml

@@ -1,30 +1,31 @@
 ---
-#Common Docker 
+# Docker 
-docker_network_name: wp_net
+wordpress_docker_tag: 7.0.0-php8.2-apache
+mysql_docker_tag: 9.7.0
+nginx_docker_tag: 1.31.1
+
 docker_base_volume_path: /usr/data/wp
 
 
 # MYSQL Docker 
-mysql_docker_tag: 9.7.0
+db_name: automotive_db
-docker_mysql_hostname: web_db
+db_user: automotive_db_u
-
-db_name: automotive_test_db
-db_user: automotive_test_db_u
 db_password:  "{{ automotive_mysql_user_password }}"
 db_root_password: "{{ automotive_mysql_root_password }}"
 
 
 #NGINX Docker 
-nginx_docker_tag: 1.31.1
 nginx_server_name: automotive.sse.cloud.isti.cnr.it
 ssl: true
 
-#WORDPRESS Docker
-wordpress_docker_tag: 7.0.0-php8.2-apache
-docker_wordpress_hostname: automotive_test
 
-#CERTBOT for letsencrypt
+# WORDPRESS
-certbot_create_method: webroot
+wordpress_debug : true
+wordpress_debug_log: true
+
+
+#******* CERTBOT for letsencrypt
+certbot_create_method: standalone
 certbot_create_if_missing: true
 certbot_admin_email: fabio.sinibaldi@isti.cnr.it
 
@@ -35,5 +36,5 @@ certbot_certs:
     - "{{ nginx_server_name }}"
 
 #Certbot verbose level
-certbot_create_extra_args: "-vvv --force-renewal"
+certbot_create_extra_args: "-vvv"
 certbot_testmode: false

ansible/inventories/group_vars/wireguard_server/sifi.yaml

@@ -8,5 +8,8 @@ wg_server_address: 192.168.99.1/32
 
 wg_peers:  
   - name: fabio_test
-    publicKey: "dzODOKndtafZSf2GqvClFdxrpwyNJnZ/AsZkNl+ovEE="
+    publicKey: "byR/8T9AZK2t1cxDCLVzdLXsxcUPRXA06CnfI8gwQyY="
     allowedIP: "192.168.99.4/32"
+  - name: lucio
+    publicKey: "IifwTYaBMoL3IhAHHplyuVMCir7PHNT57cP57RvEIwg="
+    allowedIP: "192.168.99.3/32"

ansible/inventories/sifi.yaml

@@ -2,22 +2,22 @@
 # SIFI
 sifi:
   children:
-    opn:
+    #opn:
-      hosts:
+      #hosts:
-        sifi_opnsense.sifi.isti.cnr.it:
+        # sifi_opnsense.sifi.isti.cnr.it:
         # ns1.sifi.isti.cnr.it:
         # ansible_host:  146.48.108.51 #[WAN public ip]
         # ansible_host: 10.20.30.111
     wireguard_server:
       hosts:
-        wireguarder.sifi.isti.cnr.it:
+        vpn-1.sifi.sse.cloud.isti.cnr.it:
         #  ansible_host: 146.48.108.13
-    nameserver:
+    # nameserver:
-      hosts:
+    #   hosts:
-        ns1.sifi.isti.cnr.it:
+        #ns1.sifi.isti.cnr.it:
-          ansible_host: 146.48.108.51
+        #  ansible_host: 146.48.108.51
           # dns1.internal.sifi.isti.cnr.it:
           #  ansible_host: 10.11.12.11
     workers:
       hosts:
-        worker1.internal.sifi.isti.cnr.it:
+        dev-1.sifi.sse.cloud.isti.cnr.it:

ansible/inventories/sse-lab.yaml

@@ -1,5 +0,0 @@
----
-sse:
-  children:
-    testing:
-      tester.sse.cloud.isti.cnr.it:

ansible/inventories/vlab1.yaml

@@ -0,0 +1,12 @@
+---
+vlab-1:
+  children:
+    wireguard_server:
+      hosts:
+        vpn-1.sse.cloud.isti.cnr.it: 
+    nextcloud:
+      hosts:
+        b-service_2:
+          ansible_host: 10.22.2.77
+        b-service_1:
+          ansible_host: 10.22.1.145

ansible/playbooks/docker_deploy_image.yaml

@@ -0,0 +1,29 @@
+---
+- name: Create and run container
+  hosts: all
+  become : true
+  vars:
+    image_name: ubuntu
+    image_tag: latest
+    image_hostname: ubuntu
+    image_network:
+      - wp_net
+    image_volumes:
+      - "/usr/data/wp/wordpress/:/var/www"
+
+
+  tasks:
+  - name: Pull Image
+    docker_image:
+      name: "{{ image_name }}:{{ image_tag }}"
+      source: pull
+
+  - name: Create container with pulled image
+    docker_container:
+      name: "{{ image_name }}"
+      image: "{{ image_name }}"
+      networks:
+        - name: "{{ image_network }}"
+      hostname: "{{ image_hostname }}"
+      volumes: "{{image_volumes}}"
+      restart: true

ansible/playbooks/misc_tests.yaml

@@ -0,0 +1,9 @@
+---
+- name: Misc tests
+  hosts: web
+
+  tasks:
+    - name: Using dict2items
+      ansible.builtin.debug:
+        msg: "{{ item.name }}"
+      loop: "{{ certbot_certs }}"

ansible/playbooks/nextcloud.yaml

@@ -1,17 +1,8 @@
 ---
 - name: Install Nextcloud AIO Docker
-  hosts: all
+  hosts: nextcloud
   become: true
-  vars:
-    pip_install_packages:
-      - name: docker
-    docker_version: "=5:28.2.2-1~ubuntu.24.04~noble"
-    docker_users:
-      - fabio
-      - ansible
-
 
   roles: 
-    - geerlingguy.pip
     - geerlingguy.docker
-    # - nextcloud_aio
+    - nextcloud_aio

ansible/playbooks/roles/certbot/defaults/main.yaml

@@ -1,19 +1 @@
 certbot_with_dockered_nginx : True
-
-#CERTBOT for letsencrypt
-certbot_create_method: webroot
-certbot_create_if_missing: true
-certbot_admin_email: fabio.sinibaldi@isti.cnr.it
-
-certbot_webroot: "{{ docker_base_volume_path }}/www"
-
-certbot_certs:
-  - name: "{{ ansible_hostname }}"
-    domains: 
-      - "{{ inventory_hostname }}"
-    webroot: "{{ docker_base_volume_path }}/{{ ansible_hostname }}"
-
-#Certbot verbose level
-certbot_create_extra_args: "-vvv --force-renewal"
-certbot_testmode: false
-

ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml

@@ -1,18 +1,9 @@
 ---
-# Need to stop using port 80 for certbot webroot validation
+# Stop NGINX
-# Needed also if not first run 
+- name: Stop NGINX 
-
-- name: Gathering NGINX container state
-  docker_container_info:
-    name: nginx
-  register: nginx_info
-
-- name: Stop NGINX if present
   docker_container:
     name: nginx
     state: stopped
-  when: 
-    - nginx_info.exists
 
 # Manage certbot
 
@@ -20,23 +11,24 @@
   include_role:
     name: geerlingguy.certbot
 
-# - name: Copy fullchain files to nginx volume
-#   ansible.builtin.copy:
-#     src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
-#     #TODO nginx configuration is not multi domain
-#     dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
-#     remote_src: true
-#     mode: '0644'
-#   loop: "{{ certbot_certs }}"
 
-# - name: Copy privkey files to nginx volume
+- name: Copy fullchain files to nginx volume
-#   ansible.builtin.copy:
+  ansible.builtin.copy:
-#     src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+    src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
-#     #TODO nginx configuration is not multi domain
+    #TODO nginx configuration is not multi domain
-#     dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+    dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
-#     remote_src: true
+    remote_src: true
-#     mode: '0644'
+    mode: '0644'
-#   loop: "{{ certbot_certs }}"
+  loop: "{{ certbot_certs }}"
+
+- name: Copy privkey files to nginx volume
+  ansible.builtin.copy:
+    src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+    #TODO nginx configuration is not multi domain
+    dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+    remote_src: true
+    mode: '0644'
+  loop: "{{ certbot_certs }}"
 
 
 - name: Setting up Docker NGINX renewal hooks 
@@ -48,7 +40,7 @@
     - pre
     - post
 
-- name: Removing systemctl hooks (defined by geerlingguy)
+- name: Removing systemctl hooks
   ansible.builtin.file:
     path: "{{ item }}"
     state: absent
@@ -56,11 +48,7 @@
     - "/etc/letsencrypt/renewal-hooks/pre/stop_services"
     - "/etc/letsencrypt/renewal-hooks/post/start_services"
 
-
+# Start NGINX
-# Installs dockered NGINX if needed and start it 
-
-- name: Installing NGINX
-  include_task: install_nginx.yaml
-
 - name: Start NGINX
-  include_task: start_nginx.yaml
+  docker_container:
+    name: nginx

ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-# {% for item in certbot_certs %}
+{% for item in certbot_certs %}
-# cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
+cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
-# cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
+cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
-# {% endfor %}
+{% endfor %}
 
 docker start nginx
 

ansible/playbooks/roles/certbot/templates/nginx.conf.j2

@@ -1,34 +0,0 @@
-{% for item in certbot_certs %}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name {{ item.name }};
-
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-server {
-    listen 443 ssl;
-    server_name {{ item.name }};
-
-    root   /var/www/html;
-    index  index.php;
-
-
-    ssl_certificate /etc/nginx/ssl/{{ item.name }}/fullchain.pem;
-    ssl_certificate_key /etc/nginx/ssl/{{ item.name }}/privatekey.pem;
-
-    client_max_body_size 40M;
-
-
-    location / {
-        proxy_pass http://{{ docker_wordpress_hostname }}:80;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}

ansible/playbooks/roles/docker-certbot/tasks/main.yaml

@@ -8,8 +8,11 @@
   docker_container:
     name: certbot
     image: certbot/certbot
+    command: "certonly --standalone --non-interactive -v --dry-run -d {{ nginx_server_name}} --agree-tos -m {{ certbot_domain_mail }}"
     networks:
       - name: "{{ docker_network_name }}"
+    ports: 
+      - "81:80"
     hostname: certbot
     volumes:
       - "{{ docker_base_volume_path }}/certbot/logs:/var/log/letsencrypt"

ansible/playbooks/roles/docker/defaults/main.yml

@@ -1,3 +1,3 @@
-#SPDX-License-Identifier: MIT-0
+docker_version: "*.*.*"
----
+docker_sudo_users: []
-# defaults file for docker
+

ansible/playbooks/roles/nextcloud_aio/defaults/main.yaml

@@ -0,0 +1,4 @@
+nextcloud_docker_image_name: "ghcr.io/nextcloud-releases/all-in-one"
+nextcloud_docker_image_tag: latest
+nextcloud_docker_skip_domain_validation: "true"
+nextcloud_docker_mastercontainer_volume_dir: /usr/data/nextcloud_aio_mastercontainer

ansible/playbooks/roles/nextcloud_aio/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: docker

ansible/playbooks/roles/nextcloud_aio/tasks/nextcloud_docker_aio.yaml

@@ -1,18 +1,31 @@
 ---
-- name: Create volumes 
+- name: Pull docker image
-  debug:
+  docker_image:
-    msg:
+    name: "{{ nextcloud_docker_image_name }}"
-    - "TODO!!!"
+    tag: "{{ nextcloud_docker_image_tag }}"
+    source: pull
 
-- name: Download compose file 
+- name: Create Master Container volume dir
-  become: true
+  file:
-  become_user: docker
+    path: "{{ nextcloud_docker_mastercontainer_volume_dir }}"
-  ansible.builtin.git:
+    state: directory
-    repo: "https://gitea-s2i2s.isti.cnr.it/sinibaldi/SSE-Lab"
+    mode: "0766"
-    dest: SSE-Lab
 
-- name: create and start docker compose services
+- name: Create container
-  become: true
+  docker_container:
-  become_user: docker
+    name: nextcloud-aio-mastercontainer
-  community.docker.docker_compose_v2:
+    image: "{{ nextcloud_docker_image_name }}"
-    project_src: ~/SSE-Lab/dockerized/nextcloud-aio/compose.yaml
+    ports:
+      - "8080:8080"
+      - "80:80"
+      - "8443:8443"
+    env:
+      APACHE_PORT: "443"
+      APACHE_IP_BINDING: "0.0.0.0"
+      APACHE_ADDITIONAL_NETWORK: ""
+      SKIP_DOMAIN_VALIDATION: "{{ nextcloud_docker_skip_domain_validation }}"
+    volumes:
+      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    restart_policy : "always"
+    init : true

ansible/playbooks/roles/vaultwarden/defaults/main.yaml

@@ -1,5 +0,0 @@
-vaultwarden_docker_tag
-docker_vaultwarden_network_name
-docker_vaultwarden_hostname
-docker_base_volume_path
-

ansible/playbooks/roles/vaultwarden/tasks/install_certbot.yaml

@@ -1,4 +0,0 @@
----
-- name: Instal and configure certbot
-  include_role:
-    name: geerlingguy.certbot

ansible/playbooks/roles/vaultwarden/tasks/main.yaml

@@ -1,17 +0,0 @@
----
-- name: Pull Vaultwarden server image
-  docker_image:
-    name: "vaultwarden/server:{{ vaultwarden_docker_tag }}"
-    source: pull
-
-- name: Create container with Vaultwarden image
-  docker_container:
-    name: vaultwarden
-    image: vaultwarden
-    networks:
-      - name: "{{ docker_vaultwarden_network_name }}"
-    hostname: "{{ docker_vaultwarden_hostname }}"
-    ports:
-      - "80:"
-    volumes:
-      - "{{ docker_base_volume_path }}/vaultwarden:/data/"

ansible/playbooks/roles/wordpress-docker/defaults/main.yaml

@@ -0,0 +1,27 @@
+---
+wordpress_docker_tag: latest
+nginx_docker_tag: latest
+mysql_docker_tag: latest
+
+docker_network_name: wordpress_network
+docker_wordpress_hostname: wordpress_host
+docker_nginx_hostname: nginx_host
+docker_mysql_hostname: mysql_host
+
+docker_base_volume_path: /home/wordpress_docker
+
+
+nginx_server_name: default_server
+ssl: false
+
+db_name: wordpress_database
+db_user: wordpress_user
+db_password: wordpress_password
+db_root_password: wordpress_rootpassword
+
+wordpress_debug : false
+wordpress_debug_log: false
+
+
+
+

ansible/playbooks/roles/wordpress-docker/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Pull docker images
+  docker_image:
+    name: "{{ item.name }}"
+    tag: "{{ item.tag }}"
+    source: pull
+  loop:
+    - name : wordpress
+      tag: "{{ wordpress_docker_tag }}"
+    - name: mysql
+      tag : "{{ mysql_docker_tag }}"
+    - name: nginx
+      tag : "{{ nginx_docker_tag }}"
+    
+
+- name: Create docker network
+  docker_network:
+    name: "{{ docker_network_name }}"
+    state: present
+
+
+- name: Create container with mysql image
+  docker_container:
+    name: mysql
+    image: mysql
+    networks:
+      - name: "{{ docker_network_name }}"
+    hostname: "{{ docker_mysql_hostname }}"
+    env:
+      MYSQL_DATABASE: "{{ db_name }}"
+      MYSQL_USER: "{{ db_user }}"
+      MYSQL_PASSWORD: "{{ db_password }}"
+      MYSQL_ROOT_PASSWORD: "{{ db_root_password }}"
+    volumes:
+      - "{{ docker_base_volume_path }}/temp_db_data:/var/tmp"
+
+
+- name: Create container with Wordpress image
+  docker_container:
+    name: wordpress
+    image: wordpress
+    networks:
+      - name: "{{ docker_network_name }}"
+    hostname: "{{ docker_wordpress_hostname }}"
+    env:
+      WORDPRESS_DB_HOST: "{{ docker_mysql_hostname }}"
+      WORDPRESS_DB_NAME: "{{ db_name }}"
+      WORDPRESS_DB_USER: "{{ db_user }}"
+      WORDPRESS_DB_PASSWORD: "{{ db_password }}"
+      WORDPRESS_DEBUG: " {{ wordpress_debug }} "
+      WORDPRESS_DEBUG_LOG: " {{ wordpress_debug_log }} "
+    volumes:
+      - "{{ docker_base_volume_path }}/wordpress:/var/www/html"
+    restart: true
+
+- include_tasks: nginx.yaml
+  when: ssl is true

ansible/playbooks/roles/wordpress-docker/tasks/nginx.yaml

@@ -7,10 +7,12 @@
 
 - name: Copy nginx.conf to server
   template:
-    src: "templates/nginx.conf.j2"
+    src: templates/nginx.j2
     dest: "{{ docker_base_volume_path }}/nginx/conf/nginx.conf"
 
-- name: Pull Nginx image
+
-  docker_image:
+- include_tasks: nginx_http.yml
-    name: "nginx:{{ nginx_docker_tag }}"
+  when: ssl is false
-    source: pull
+
+- include_tasks: nginx_https.yml
+  when: ssl is true

ansible/playbooks/roles/wordpress-docker/tasks/nginx_http.yml

@@ -0,0 +1,15 @@
+---
+- name: Start Nginx Container (HTTP)
+  docker_container:
+    name: nginx
+    image: nginx
+    ports:
+      - "80:80"
+    networks:
+      - name: "{{ docker_network_name }}"
+    hostname: "{{ docker_nginx_hostname }}"
+    volumes:
+      - "{{ docker_base_volume_path }}/wordpress:/var/www/html"
+      - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
+      - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
+    restart: true

ansible/playbooks/roles/wordpress-docker/tasks/nginx_https.yml

@@ -7,11 +7,11 @@
       - "80:80"
       - "443:443"
     networks:
-      - name: "{{ docker_nginx_network_name }}"
+      - name: "{{ docker_network_name }}"
     hostname: "{{ docker_nginx_hostname }}"
     volumes:
-      - "{{ docker_base_volume_path }}/vaultwarden:/var/www/html"
+      - "{{ docker_base_volume_path }}/wordpress:/var/www/html"
       - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
       - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
-      - "/etc/letsencrypt/live:/etc/nginx/ssl/:ro"
+      - "{{ docker_base_volume_path }}/nginx/ssl:/etc/nginx/ssl/:ro"
     restart: true

ansible/playbooks/roles/wordpress-docker/templates/nginx.j2

@@ -15,12 +15,21 @@ server {
     root   /var/www/html;
     index  index.php;
 
+    # Needed to upload backups 
+
+    client_max_body_size 40M;
+
+
+    # Try to support website restore plugin 
+
+    proxy_read_timeout 600s;
+    keepalive_timeout 600s;
+
+
 
      ssl_certificate /etc/nginx/ssl/fullchain.pem;
     ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
 
-    client_max_body_size 40M;
-
 
     location / {
         proxy_pass http://{{ docker_wordpress_hostname }}:80;
@@ -29,4 +38,5 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
     }
+
 }

ansible/playbooks/vaultwarden.yaml

@@ -1,14 +0,0 @@
----
-- name: Install and configure Vaultwarden
-  hosts: web
-  become : True
-
-  roles:
-    - geerlingguy.docker
-    - vaultwarden
-
-  tasks:
-    - name: Install certbot and nginx
-      include_task: nginx_http.yaml
-      when:
-        - vaultwarden_with_nginx_https.yaml

ansible/playbooks/wordpress.yaml

@@ -2,12 +2,9 @@
 - name: Install and configure Wordpress
   hosts: web
   become : True
-  collections:
+  
-    - chrissayon.wordpress_docker
 
   roles:
     - geerlingguy.docker
-    - chrissayon.wordpress_docker.network
+    - wordpress-docker
-    - chrissayon.wordpress_docker.mysql
-    - chrissayon.wordpress_docker.wordpress
     - certbot

ansible/requirements.yml

@@ -1,6 +1,10 @@
 # requirements.yml
 ---
 roles:
+  - name: githubixx.ansible_role_wireguard
+    src: https://github.com/githubixx/ansible-role-wireguard.git
+    version: 19.0.0
+
   # - name: bodsch.dns.bind
   #   version: