From 56fa50ec696493216eb93b8617295000cc2ad2bb Mon Sep 17 00:00:00 2001
From: Nick Stokoe
Date: Sun, 29 Nov 2020 12:39:02 +0000
Subject: [PATCH] initial import from social-coop

---
 .gitignore | 6 ++++
 ansible.cfg | 4 +++
 bootstrap-debian.yml | 35 ++++++++++++++++++++
 bootstrap.yml | 34 +++++++++++++++++++
 roles/docker-install/defaults/main.yml | 15 +++++++++
 roles/docker-install/tasks/main.yml | 45 ++++++++++++++++++++++++++
 server.playbook.yml | 30 +++++++++++++++++
 7 files changed, 169 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 ansible.cfg
 create mode 100644 bootstrap-debian.yml
 create mode 100644 bootstrap.yml
 create mode 100644 roles/docker-install/defaults/main.yml
 create mode 100644 roles/docker-install/tasks/main.yml
 create mode 100644 server.playbook.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f65190b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+group_vars/all.yml
+vault-password
+
+# emacs temp/backup files
+*~
+*#
\ No newline at end of file
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..c4f8978
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+retry_files_enabled = False
+pipelining = True
+inventory = inventory
diff --git a/bootstrap-debian.yml b/bootstrap-debian.yml
new file mode 100644
index 0000000..e8ccb71
--- /dev/null
+++ b/bootstrap-debian.yml
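Review bot: `secrets.vars.yml`, which server.playbook.yml loads through `vars_files`, is neither ignored here nor included in this commit, while `group_vars/all.yml` and `vault-password` are ignored; if that file holds plaintext credentials it needs the same treatment, e.g. add `secrets.vars.yml` directly under `vault-password`, or keep it vault-encrypted so committing it is safe. The file also ends without a trailing newline, which is cosmetic but worth fixing while here.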
@@ -0,0 +1,35 @@
+---
+- name: debian bootstrap fact gathering
+ hosts: all
+ user: root
+ gather_facts: False
+
+# Install the basics required to gather facts.
+# This shouldn't be run normally, however, can't find a way to
+# conditionally run it so far.
+ tasks:
+ - name: update apt repository
+ action: raw apt-get -q -y update
+
+ - name: install python
+ action: raw apt-get -q -y install python
+
+# the command succeeds (returns code 0) if python needs simplejson
+ - name: check if python is old enough to need simplejson
+ action: raw python -c 'import sys; sys.stdout.write("%s" % (sys.version_info<(2,6)))'
+ register: need_simplejson
+
+ - name: ensure other prereqs installed
+ action: raw apt-get -qy install python-simplejson
+ when: need_simplejson.stdout
+
+ - name: ensure other prereqs installed
+ action: raw apt-get -qy install python-paramiko python-yaml python-jinja2 python-apt python-docker
+
+- name: update packages
+ tags:
+ - update
+ hosts: all
+ user: root
+ roles:
+ - role: apt-upgrade
\ No newline at end of file
diff --git a/bootstrap.yml b/bootstrap.yml
new file mode 100644
index 0000000..513c2e0
--- /dev/null
+++ b/bootstrap.yml
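Review bot: The comment above the simplejson probe says the command's exit status signals that simplejson is needed, but the probe always exits 0 and writes the literal `True` or `False` to stdout, and the next task's `when: need_simplejson.stdout` tests that string rather than the rc. Whether the non-empty string `False` is treated as false then depends on Ansible's conditional coercion; the unambiguous form is `when: need_simplejson.stdout | trim == "True"`, with the comment reworded to `# prints True when this python is older than 2.6 and needs simplejson`. Two consecutive tasks share the name `ensure other prereqs installed`, which makes run output hard to read; name the second `install ansible python prereqs` or similar. The second play references `role: apt-upgrade`, which is not among the seven files in this patch, so that play will fail until the role is added or the dependency is documented.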
@@ -0,0 +1,34 @@
+---
+- name: bootstrap fact gathering
+ hosts: all
+ user: root
+ gather_facts: False
+
+# Probe the system for package management type
+ tasks:
+ - name: check package management
+ action: raw apt-get
+ ignore_errors: yes
+ register: has_apt
+
+# For now we don't support other package management systems!
+ - name: fail if no apt package management
+ fail:
+ msg: We currently only support Linux with apt
+ when: not has_apt
+
+- import_playbook: bootstrap-debian.yml
+ when: has_apt
+
+
+# Maybe add these somewhere later.
+# # Needs to be included before sshd, since root needs to have a key installed
+# # before sshd port changes when bootstrapping
+# - role: ssh-key
+# ssh_key_user: root
+# ssh_key_pubfile: "{{userdefs.root.pubkey}}"
+
+# - role: sshd
+# sshd_port: "{{sshd.port}}"
+# # ... moves port
+
diff --git a/roles/docker-install/defaults/main.yml b/roles/docker-install/defaults/main.yml
new file mode 100644
index 0000000..f9d1ff7
--- /dev/null
+++ b/roles/docker-install/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+## Installs docker-CE
+# Following guide from here:
+# https://docs.docker.com/install/linux/docker-ce/ubuntu/#set-up-the-repository
+
+# The docker apt repo key uri
+docker_compose_install_apt_key_uri: https://download.docker.com/linux/ubuntu/gpg
+
+# The docker apt repo config line
+docker_compose_install_apt_repo: deb https://download.docker.com/linux/ubuntu bionic stable
+
+# Get this version from https://github.com/docker/compose/releases/
+# Check compatibility with docker.
+docker_compose_install_compose_verion: 1.22.0
+
diff --git a/roles/docker-install/tasks/main.yml b/roles/docker-install/tasks/main.yml
new file mode 100644
index 0000000..2b61dc8
--- /dev/null
+++ b/roles/docker-install/tasks/main.yml
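Review bot: `when: not has_apt` on the fail task can never be true, because a registered result is a non-empty dict whether or not the `raw apt-get` probe succeeded, so the unsupported-package-manager guard is a no-op, and the same always-truthy value drives `when: has_apt` on the `import_playbook`. Test the probe's outcome instead: `when: has_apt is failed` (or `has_apt.rc != 0`) on the fail task and `when: has_apt is succeeded` on the import, bearing in mind that a `when` on `import_playbook` is applied to the imported plays' tasks, which is worth confirming against the Ansible version in use. It is also worth checking that a bare `apt-get` with no subcommand exits 0 on the supported hosts, since the probe hinges on that exit code; `apt-get --version` is a more predictable probe. `ignore_errors: yes` should be `true` to keep booleans in canonical YAML form.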
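Review bot: `docker_compose_install_compose_verion` is misspelled (`verion`) and, as far as this patch shows, nothing reads it: roles/docker-install/tasks/main.yml installs `docker-compose` via pip without a `version`, so the 1.22.0 pin here has no effect. Rename it to `docker_compose_install_compose_version` and consume it from the pip task, or drop it. Quote it as `"1.22.0"` since it is a string-typed version, and consider that `bionic` is hardcoded in `docker_compose_install_apt_repo`, where `{{ ansible_distribution_release }}` would follow the target host if the role is only used from plays that gather facts. The `docker_compose_install_` prefix also does not match the role name `docker-install`, which makes the variables harder to find.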
@@ -0,0 +1,45 @@
+---
+
+- name: install prereqs (apt)
+ apt:
+ update_cache: true
+ name:
+ - apt-transport-https
+ - ca-certificates
+ - software-properties-common
+ - python-pip
+ - virtualenv
+ - python-setuptools
+ - python-docker
+
+- name: add docker repository key
+ apt_key:
+ url: "{{ docker_compose_install_apt_key_uri }}"
+ state: present
+
+- name: add docker repository
+ apt_repository:
+ repo: "{{ docker_compose_install_apt_repo }}"
+ filename: docker-ce
+ state: present
+ update_cache: true
+
+- name: install docker-ce
+ apt:
+ name:
+ - docker-ce
+
+# Oddly, there is no docker-compose PPA, the suggested linux install
+# method is to download a binary. See:
+# https://docs.docker.com/compose/install/#master-builds
+
+- name: install docker-compose
+ pip:
+ name:
+ - docker-compose
+
+- name: enable docker
+ service:
+ name: docker
+ state: started
+ enabled: yes
diff --git a/server.playbook.yml b/server.playbook.yml
new file mode 100644
index 0000000..9a4ec80
--- /dev/null
+++ b/server.playbook.yml
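Review bot: The `apt_key` task fetches the Docker signing key over HTTPS but does not pin it with `id:`, so whatever key is served at that URL becomes trusted for the repository; adding `id: <DOCKER_KEY_FINGERPRINT_PLACEHOLDER>` (the fingerprint Docker publishes in the install guide linked from the defaults) makes the task fail if the served key ever changes. The `pip` task installs `docker-compose` unpinned even though the role's defaults define a compose version variable; pass `version: "{{ docker_compose_install_compose_verion }}"` (under whatever name that variable ends up with) so installs are reproducible, and reword the comment above it, which describes downloading a binary while the task uses pip. The prereq list installs `python-pip`, `python-setuptools` and `python-docker`, which are Python 2 packages absent from current Debian and Ubuntu releases, so the role is effectively limited to bionic-era targets and that should be stated in a comment at the top of the file. `enabled: yes` on the service task should be `true`.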
@@ -0,0 +1,30 @@
+---
+- name: social.coop | server
+ hosts: all
+ become: yes
+ vars_files:
+ - secrets.vars.yml
+ vars:
+ s3_access_key_id: "{{lookup('passwordstore', 'deployment/backupninja/s3access')}}"
+ s3_secret_access_key: "{{lookup('passwordstore', 'deployment/backupninja/s3sec')}}"
+ roles:
+ - role: server
+ - role: social-coop
+
+ - role: logcheck-custom
+ tags: logcheck-custom
+
+ # Installs a script to dump the mastodon-live PgSQL database, and
+ # copy the GPG encrypted archive to our S3 space with rclone. This
+ # is invoked daily using a systemd timer. Encryption is done with
+ # the public key in the password store
+ # deployment/backupninja/pub. To decrypt, you need to use the
+ # associated private key
+ - role: pg-dump-to-s3
+ tags: pg-dump-to-s3
+ pg_dump_to_s3_systemd_timer_section: OnCalendar=00:40:00
+ pg_dump_to_s3_desturl: "spaces:social-coop-media/backups/{{inventory_hostname_short}}/"
+ pg_dump_to_s3_pgdump_opts: -h localhost -U root -d mastodon-live -Fc
+ pg_dump_to_s3_pubkey: "{{lookup('passwordstore', 'deployment/backupninja/pub returnall=true')}}"
+ pg_dump_to_s3_rclone_config: "{{lookup('template', 'templates/rclone-conf.j2')}}"
+
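Review bot: `pg_dump_to_s3_pgdump_opts` connects as `-U root`, so the daily dump runs with whatever privileges that PostgreSQL role holds; if it is a superuser there, a dedicated role with read access to `mastodon-live` only would keep the backup job to least privilege, which is worth confirming against the database setup this patch does not show. The roles `server`, `social-coop`, `logcheck-custom` and `pg-dump-to-s3`, and `templates/rclone-conf.j2`, are not part of this commit, so the playbook cannot run from this tree alone; a README noting where they come from would help. `s3_access_key_id` and `s3_secret_access_key` are set under `vars` but nothing visible in this play consumes them, presumably a role outside the patch does, so a short comment naming that consumer would keep them from looking dead. `become: yes` should be `true`.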