Automate offworld container deployment with ansible

Makefile

@@ -6,10 +6,10 @@ init:
 format:
 	terraform fmt --recursive ./terraform
 
-dryrun:
+plan:
 	terraform -chdir=./terraform plan
 
-deploy:
+apply:
 	terraform -chdir=./terraform apply
 
 destroy:

ansible/ansible.cfg

@@ -0,0 +1,12 @@
+[defaults]
+ask_vault_pass = true
+forks = 20
+internal_poll_interval = 0.001
+interpreter_python = auto
+inventory = inventory
+private_key_file = ~/.ssh/id_ed25519_infra
+remote_user = root
+
+[ssh_connection]
+pipelining = true
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s

ansible/host_vars/offworld.ppanda.org.yml

@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+33656639666361623365616662353265656561663339633666656561646661623365393734363431
+6265633666643033393236353330333235663066333233320a343764393562623637643866623865
+34363239343835353835656363626439326231663565616166363739623536653436613435313561
+6338326363366264640a623737383434323438336164363064663038386634626139393166383430
+37353738643834653034303465653739643265363430313962343736363838323963376539353366
+64333135363461353234313837656134376235306135383936323362643330343733323836663135
+34396134376532306134306236646632386235623333346337623237316134653437303532666262
+30663637366532623438363937373962336163386336373162643330643866353931636631376631
+31336164663234333962653166613731373431633132313537363332393061323439313734376535
+30336166323661313730393963626230663765633434633132323839383763326665353163383064
+33323936373565376136656565623039323336376134303030626530343736383634393434393464
+64326465616337326264663137626235643038626663303439336336363662646537623064656161
+37626332313737616264386435373238613234323864346431343931323031313033623463656131
+39356663626537343562633234393631363837383139633638323937313366653132336336613162
+61626362316664633034323437656564373561343862616432316562616638303761366139336465
+63663634646262353035323362663062303466376439363863326539623166373461646235653036
+65626365396365643264333335623762393935633363303133323936366432376633653236366236
+64373632656136356333643863636165363162656535353032363462626637396261653530363034
+34613066613766376265383331323931653737663363336335653666333934653236643562656330
+61353662343665333161

ansible/inventory

@@ -0,0 +1 @@
+offworld.ppanda.org

ansible/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Set up offworld vm
+  hosts: offworld.ppanda.org
+  become: true
+  gather_facts: no
+  roles:
+    - docker
+    - tailscale
+    - containers

docker/caddy/Caddyfile → ansible/roles/containers/files/caddy/Caddyfile

@@ -9,6 +9,12 @@ nas.ppanda.org:443 {
     }
 }
 
+sync.ppanda.org:5984 {
+    reverse_proxy http://nexus-boron.scorpion-galaxy.ts.net:5984 {
+        header_up Host {upstream_hostport}
+    }
+}
+
 status.ppanda.org:443 {
     reverse_proxy uptime-kuma:3001
 }

ansible/roles/containers/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Copy caddy to the server
+  ansible.builtin.copy:
+    src: "./files/caddy"
+    dest: "/root/app"
+    mode: "0644"
+
+- name: Copy uptime-kuma the server
+  ansible.builtin.copy:
+    src: "./files/uptime-kuma"
+    dest: "/root/app"
+    mode: "0644"
+
+- name: Create docker network
+  ansible.builtin.command: >
+    docker network create proxy-network
+  failed_when: false
+  become: true
+
+- name: Run docker-compose up for Caddy and Uptime Kuma
+  ansible.builtin.command: >
+    docker compose
+      -f "/root/app/caddy/docker-compose.yml"
+      -f "/root/app/uptime-kuma/docker-compose.yml"
+      up -d
+  become: true

ansible/roles/docker/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+gvisor_src_base_url: "https://storage.googleapis.com/gvisor/releases/release/latest/x86_64"

ansible/roles/docker/files/docker-daemon.json

@@ -0,0 +1,7 @@
+{
+  "runtimes": {
+    "runsc": {
+      "path": "/usr/local/bin/runsc"
+    }
+  }
+}

ansible/roles/docker/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart Docker service
+  ansible.builtin.service:
+    name: docker
+    state: restarted

ansible/roles/docker/tasks/gvisor.yml

@@ -0,0 +1,31 @@
+---
+- name: Ensure gvisor is downloaded
+  ansible.builtin.get_url:
+    url: "{{ gvisor_src_base_url }}/runsc"
+    dest: /usr/local/bin/runsc
+    checksum: "sha512:{{ gvisor_src_base_url }}/runsc.sha512"
+    mode: "0744"
+
+- name: Ensure containerd-shim is downloaded
+  ansible.builtin.get_url:
+    url: "{{ gvisor_src_base_url }}/containerd-shim-runsc-v1"
+    dest: /usr/local/bin/containerd-shim-runsc-v1
+    checksum: "sha512:{{ gvisor_src_base_url }}/containerd-shim-runsc-v1.sha512"
+    mode: "0744"
+
+- name: Ensure /etc/docker exists
+  ansible.builtin.file:
+    dest: /etc/docker
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Ensure gvisor is installed
+  ansible.builtin.copy:
+    src: docker-daemon.json
+    dest: /etc/docker/daemon.json
+    owner: root
+    group: root
+    mode: "0644"
+  notify: "Restart Docker service"

ansible/roles/docker/tasks/install.yml

@@ -0,0 +1,10 @@
+---
+- name: Ensure Docker and related packages are installed
+  ansible.builtin.package:
+    name:
+      - docker
+      - docker-cli-compose
+      - linux-virt
+      - linux-virt-dev
+    state: latest
+    update_cache: true

ansible/roles/docker/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- include_tasks: install.yml
+- include_tasks: service.yml
+- include_tasks: gvisor.yml

ansible/roles/docker/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+- name: Ensure Docker service is started
+  ansible.builtin.service:
+    name: docker
+    enabled: true
+    state: started

ansible/roles/tailscale/defaults/main.yml

@@ -0,0 +1,17 @@
+---
+# Installation options
+tailscale_uninstall: false
+tailscale_authkey: ""
+tailscale_tags: []
+
+# Certificate options
+tailscale_cert_enabled: false
+tailscale_cert_caddy_user_permission: false
+tailscale_cert_domain: ""
+tailscale_cert_dir: "/usr/local/etc/ssl/certs"
+tailscale_cert_filename: "{{ tailscale_cert_domain }}.crt"
+tailscale_cert_private_key_dir: "/usr/local/etc/ssl/private"
+tailscale_cert_private_key_filename: "{{ tailscale_cert_domain }}.key"
+
+# Debug
+insecurely_log_authkey: false

ansible/roles/tailscale/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart tailscale
+  ansible.builtin.service:
+    name: tailscale
+    state: restarted

ansible/roles/tailscale/tasks/certificates.yml

@@ -0,0 +1,68 @@
+---
+- name: Assert that tailscale_cert_domain is not empty
+  ansible.builtin.assert:
+    that:
+      - tailscale_cert_domain | length > 0
+    quiet: true
+
+- name: Assert that tailscale_cert_dir is not empty
+  ansible.builtin.assert:
+    that:
+      - tailscale_cert_dir | length > 0
+    quiet: true
+
+- name: Assert that tailscale_cert_filename is not empty
+  ansible.builtin.assert:
+    that:
+      - tailscale_cert_filename | length > 0
+    quiet: true
+
+- name: Assert that tailscale_cert_private_key_dir is not empty
+  ansible.builtin.assert:
+    that:
+      - tailscale_cert_private_key_dir | length > 0
+    quiet: true
+
+- name: Assert that tailscale_cert_private_key_filename is not empty
+  ansible.builtin.assert:
+    that:
+      - tailscale_cert_private_key_filename | length > 0
+    quiet: true
+
+- name: Ensure {{ tailscale_cert_dir }} exists
+  ansible.builtin.file:
+    path: "{{ tailscale_cert_dir }}"
+    state: directory
+
+- name: Ensure {{ tailscale_cert_private_key_dir }} exists
+  ansible.builtin.file:
+    path: "{{ tailscale_cert_private_key_dir }}"
+    state: directory
+
+- name: Check that certificates exist
+  stat:
+    path: "{{ item }}"
+  loop:
+    - "{{ tailscale_cert_dir }}/{{ tailscale_cert_filename }}"
+    - "{{ tailscale_cert_private_key_dir }}/{{ tailscale_cert_private_key_filename }}"
+  register: stat_certs
+
+- name: Run tailscale cert and generate cert
+  ansible.builtin.command: >
+    tailscale cert
+      --cert-file="{{ tailscale_cert_dir }}/{{ tailscale_cert_filename }}"
+      --key-file="{{ tailscale_cert_private_key_dir }}/{{ tailscale_cert_private_key_filename }}"
+      "{{ tailscale_cert_domain }}"
+  when: not (stat_certs.results | map(attribute='stat.exists')) is all
+
+- name: Allow caddy uid in /etc/default/tailscaled
+  ansible.builtin.lineinfile:
+    create: true
+    dest: /etc/default/tailscaled
+    regexp: "^#?TS_PERMIT_CERT_UID"
+    line: "TS_PERMIT_CERT_UID=\"caddy\""
+    insertafter: EOF
+    state: present
+  notify:
+    - Restart tailscale
+  when: tailscale_cert_caddy_user_permission | bool

ansible/roles/tailscale/tasks/install.yml

@@ -0,0 +1,15 @@
+---
+- name: Add community tailscale source for alpine
+  ansible.builtin.lineinfile:
+    dest: /etc/apk/repositories
+    regexp: "^http://dl-2\\.alpinelinux\\.org/alpine/edge/community.*"
+    line: "http://dl-2.alpinelinux.org/alpine/edge/community"
+    state: present
+
+- name: Install dhclient and tailscale
+  ansible.builtin.package:
+    name:
+      - dhclient  # https://tailscale.com/kb/1188/linux-dns#dhcp-dhclient-overwriting-etcresolvconf
+      - tailscale
+    state: latest
+    update_cache: yes

ansible/roles/tailscale/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Include uninstall.yml
+  include_tasks: uninstall.yml
+  when: tailscale_uninstall | bool
+
+- name: Include install.yml
+  include_tasks: install.yml
+  when: not tailscale_uninstall | bool
+
+- name: Include service.yml
+  include_tasks: service.yml
+  when: not tailscale_uninstall | bool
+
+# if /etc/default/tailscaled was modified, run 'restart tailscaled' handler
+# before running `tailscale cert` command
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: Include certificates.yml
+  include_tasks: certificates.yml
+  when: not tailscale_uninstall | bool and tailscale_cert_enabled | bool

ansible/roles/tailscale/tasks/service.yml

@@ -0,0 +1,31 @@
+---
+- name: Enable tailscale daemon
+  become: true
+  ansible.builtin.service:
+    name: tailscale
+    state: started
+    enabled: true
+
+- name: Assert that tailscale_authkey is not empty
+  ansible.builtin.assert:
+    that:
+      - tailscale_authkey | length > 0
+    quiet: true
+
+- name: Prepend 'tag:' to each item in the list
+  ansible.builtin.set_fact:
+    tailscale_prepared_tags: "{{ tailscale_tags | map('regex_replace', '^', 'tag:') | list }}"
+
+- name: Build tailscale tag args
+  ansible.builtin.set_fact:
+    tailscale_tags_string: >-
+      {% if tailscale_tags | length > 0 %}
+      --advertise-tags={{ tailscale_prepared_tags | join(',') }}
+      {% endif %}
+
+- name: Authenticate tailscale
+  ansible.builtin.command: >
+    tailscale up
+      {{ tailscale_tags_string | trim if tailscale_tags_string is not none else '' }}
+      --authkey="{{ tailscale_authkey }}"
+  no_log: "{{ not (insecurely_log_authkey | bool) }}"

ansible/roles/tailscale/tasks/uninstall.yml

@@ -0,0 +1,36 @@
+---
+- name: Check if tailscale is connected
+  ansible.builtin.command: tailscale status
+  changed_when: false
+  failed_when: false
+  register: tailscale_status
+
+- name: De-register tailscale node
+  become: true
+  # Hack to get correct changed/ok status
+  ansible.builtin.shell: tailscale status; tailscale logout
+  register: tailscale_logout
+  changed_when: "'Logged out.' not in tailscale_status.stdout and 'not logged in' not in tailscale_status.stdout"
+  when:
+    # [Errno 2] No such file or directory: 'tailscale'
+    - tailscale_status.rc != 2
+    # "bash: tailscale: command not found"
+    - tailscale_status.rc != 127
+
+- name: Disable tailscale service
+  become: true
+  ansible.builtin.service:
+    name: tailscale
+    state: stopped
+    enabled: false
+
+- name: Remove tailscale state and logs
+  become: true
+  ansible.builtin.file:
+    path: "/var/lib/tailscale"
+    state: absent
+
+- name: Uninstall tailscale package
+  ansible.builtin.package:
+    name: tailscale
+    state: absent