Switch to Ansible/Podman/systemd #35

Open: wants to merge 358 commits into main
Conversation

@PlqnK (Owner) commented Nov 24, 2023

Here we go again, this time for real: I've finally made the switch to using Ansible, Podman and systemd to manage my services.

I've been running this code since April and it's been pretty much rock solid. The scope of my infrastructure has also expanded a bit in the meantime; I now have two physical hosts and one cloud host:

Physical:

  • One running Fedora IoT on bare metal to host my "media" services
  • The other running Proxmox VE hosting 3 VMs, all of them running Fedora IoT:
    • One to host my monitoring stack
    • Another to host my backup services
    • The last to host my Home Assistant services

Cloud:

  • One VPS hosted on Hetzner Cloud running Fedora Server to host my "documents" services

I've externalized the hosting of my critical services (mainly Nextcloud and Immich) because I've had some internet connection problems at home several times recently and I need those services to be available, Hetzner being a much more reliable host than I am!

The expansion of my infrastructure is another reason why I really wanted to use Ansible to manage it: it's a better-suited tool than docker-compose for managing multiple hosts.

The repo is in a good enough state to open this PR, but there are still some things I would like to do before merging into main:

  • Switch to Fedora CoreOS as the containers host OS for both home and cloud hosts
    • I chose Fedora IoT initially, but there's no official image available for my cloud provider of choice. CoreOS is extremely similar in its base, better suited for a "server" application, and there's an image available for my cloud provider, which makes it the perfect replacement. I've made the switch to immutable OSes for both my desktop/laptop and my servers, and I can't see myself going back.
  • Use btrfs as the filesystem to store containers' data so that I can use its snapshot capability to make consistent backups and be alerted if there's any bitrot.
  • Switch to Quadlet to manage podman systemd units
  • Either update or remove the Vagrantfile
  • Update the demo inventory to match the production one
  • Update the README

Closes #12

PlqnK added 30 commits May 21, 2023 13:28
In the create subtasks file there's a task looping on a filtered
variable registered in a previous task. Ansible fails on the task
because it tries to evaluate the filter on an undefined variable even
though the task should be skipped.
So we use include_tasks instead.
Promtail only supports RFC5424 on syslog input, the standard port for
it is 601/tcp, so we change it for 1601/tcp for a better match.
Some equipment that uses RFC3164 "BSD-syslog" can be configured to use
TCP instead of the standard UDP, so add a syslog-ng TCP listener on
port 514 for RFC3164 formatted messages.
Containers can't reach other containers' published ports when the network
is isolated using netavark 1.6.0.
PlqnK added 30 commits June 16, 2024 20:26
The rules are already present in the nginx.conf file
To stay closer to upstream version in order to facilitate diffs in the long run
Before Fedora CoreOS 41, /sysroot was bind-mounted on / as rw, so we could target a rw scrub on the root partition.
Now only /var and /etc are bind-mounted from /sysroot, so we need to target a ro scrub on it.
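The two syslog commits above (Promtail only accepting RFC 5424, so its input was moved to 1601/tcp; a separate syslog-ng TCP listener on 514 for RFC 3164 senders) only do their job if each message reaches the listener for its own wire format. The following is an added example, not code from this PR or from the repository: a Python classifier that parses both formats, extracts PRI (facility/severity), host, app and PID, and reports which of the two listeners described in the commits should receive each line. The listener names, the sample log lines and the field layout are assumptions made for illustration, and the regexes cover the common shape of each format rather than the full RFC grammars.

```python
"""Classify syslog lines as RFC 5424 or RFC 3164 and pick the matching listener.

Added example, not code from the PR. Listener names and ports mirror the commit
messages above (Promtail / RFC 5424 on 1601/tcp, syslog-ng / RFC 3164 on 514/tcp);
the sample messages and field handling are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Which listener accepts which wire format (ports taken from the commit messages).
LISTENERS = {
    "RFC5424": ("promtail", 1601),
    "RFC3164": ("syslog-ng", 514),
}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# RFC 3164 ("BSD syslog"): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    fmt: str            # "RFC5424" or "RFC3164"
    facility: int       # PRI // 8
    severity: int       # PRI % 8
    host: str
    app: str
    pid: Optional[str]
    msg: str
    listener: str       # receiver that understands this format
    port: int           # TCP port of that receiver


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one syslog line; raise ValueError if it matches neither format."""
    line = line.rstrip("\r\n")
    m = RFC5424_RE.match(line)
    if m:
        fmt, app, pid, msg = "RFC5424", m["app"], m["procid"], m["msg"] or ""
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError(f"not a recognised syslog message: {line!r}")
        fmt, app, pid, msg = "RFC3164", m["tag"], m["pid"], m["msg"]
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23 and severity 0-7 give PRI 0-191
        raise ValueError(f"PRI {pri} out of range: {line!r}")
    if pid == "-":  # RFC 5424 NILVALUE for PROCID
        pid = None
    listener, port = LISTENERS[fmt]
    return SyslogMessage(fmt, pri >> 3, pri & 7, m["host"], app, pid, msg, listener, port)


def route_lines(lines):
    """Group parsable lines by destination port; unparsable lines are collected, not guessed."""
    routed = {port: [] for _, port in LISTENERS.values()}
    rejected = []
    for line in lines:
        try:
            parsed = parse_syslog(line)
        except ValueError:
            rejected.append(line)
            continue
        routed[parsed.port].append(parsed)
    return routed, rejected


# Constructed sample input (not real log data from the project).
SAMPLE_LINES = [
    "<34>1 2023-11-24T10:15:32.000Z fw01 sshd 4242 - - Accepted publickey for root from 10.0.0.5",
    "<34>Nov 24 10:15:32 fw01 sshd[4242]: Accepted publickey for root from 10.0.0.5",
    "<13>Nov  4 08:00:01 nas01 CRON[911]: (root) CMD (run-parts /etc/cron.hourly)",
    "this is not syslog at all",
]

if __name__ == "__main__":
    routed, rejected = route_lines(SAMPLE_LINES)
    for port, msgs in routed.items():
        for msg in msgs:
            print(f"{port}/tcp <- {msg.fmt} fac={msg.facility} sev={msg.severity} "
                  f"{msg.host} {msg.app}[{msg.pid}] {msg.msg}")
    for line in rejected:
        print(f"rejected: {line!r}")
```

Run as a script it prints one line per routed message and flags the non-syslog line as rejected. A line that matches neither grammar is reported rather than forced into one of the two formats, which is the behaviour you want at an ingest boundary: a misclassified message would end up at a listener that cannot parse its fields.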
Labels: enhancement (New feature or request)

Linked issue that merging this pull request may close: Replace docker/moby daemon with OCI compliant container daemon like CRI-O