TODO.md

@@ -2,10 +2,7 @@
 
 - [ ] Update Readme (CI, Git, plantuml, etc.)
 - [ ] Split `docker/web/docker-compose.yaml` into different configs (e.g. `web`, `gitlab`, `drone`) using the same network
-- [x] Use `/var/lib/pbri/docker/...` instead of Docker volumes (makes backups easier)
+- [ ] Use `/var/lib/pbri/docker/...` instead of Docker volumes (makes backups easier)
     - [x] Make it inaccessible to anyone but root (`-rw------`)
 - [x] Add [Drone runner](https://docs.drone.io/runner/docker/installation/linux/)
 - [ ] Figure out how to dependably store `.env` files (Ansible vault? Something else?)
-- [ ] Check out docker swarm and current best practices for Ansible
-- [ ] Use Gitea instead of GitLab
-- [ ] Add drone exec runner for Nix builds with shared `/nix`

ansible/README.md

@@ -20,13 +20,12 @@ Sets up:
 
 ## `misc-docker.yaml`
 
-Deploys Docker configurations from `../docker`:
+- Deploys Docker configurations from `../docker`
-
-- Sets up the docker network `caddy-network` for services that are reverse proxied by caddy
-- Copies configuration into `/etc/pbri/docker`
-- Creates folder `/var/lib/pbri/docker` for storing application files
-- Creates users with `42xxx` UIDs for running containers
 
 ## `misc-sites.yaml`
 
 Checks out static sites into `/home/paul/Sites` which is mounted into `/srv` in the Caddy container.
+
+## `misc-backup.yaml`
+
+Backs up relevant Docker volumes.

ansible/misc-backup.yaml

@@ -0,0 +1,50 @@
+---
+- hosts: misc
+  vars:
+    start_time: "{{ ansible_date_time.iso8601_basic_short }}"
+  tasks:
+    - name: Stop docker stuff
+      become: yes
+      docker_compose:
+        project_src: /etc/pbri/docker/web
+        state: present
+        stopped: yes
+    - name: Create backups in /etc/pbri/backups
+      become: yes
+      docker_container:
+        container_default_behavior: no_defaults
+        name: bacman
+        image: busybox
+        volumes:
+          - "{{ item }}:/data"
+          - "/etc/pbri/backups/{{ start_time }}:/backup"
+        command: "cp -r /data /backup/{{ item }}"
+        detach: no
+        cleanup: yes
+      loop:
+        - codi_database
+        - codi_uploads
+        - gitlab_data
+        - gitlab_logs
+        - gitlab_config
+    - name: Make tar
+      become: yes
+      shell:
+        cmd: "tar -czvf ../{{ start_time }}.tar.gz *"
+        chdir: "/etc/pbri/backups/{{ start_time }}"
+    - name: Download tar
+      become: yes
+      fetch:
+        src: /etc/pbri/backups/{{ start_time }}.tar.gz
+        dest: ../backups
+    - name: Remove backups folder
+      become: yes
+      file:
+        path: /etc/pbri/backups
+        state: absent
+    - name: Restart docker stuff
+      become: yes
+      docker_compose:
+        project_src: /etc/pbri/docker/web
+        state: present
+        restarted: yes

ansible/misc-docker.yaml

@@ -1,12 +1,6 @@
 ---
 - hosts: misc
   tasks:
-    # All services that are behind Caddy need to be in this network
-    - name: Create Caddy network
-      become: yes
-      docker_network:
-        name: caddy-network
-        state: present
     - name: Upload docker configuration
       become: yes
       copy:
@@ -16,13 +10,35 @@
         mode: u=rw,g=,o=
         # Directories should be listable
         directory_mode: u=rwx,g=rx,o=rx
-    - name: Create directory for docker volumes
+    - name: Create global docker volumes (/var/lib)
       become: yes
       file:
-        path: /var/lib/pbri/docker
+        path: "/var/lib/pbri/docker/{{ item.name }}"
         state: directory
         # Hide contents from non-root users
-        mode: u=rwx,g=,o=
+        mode: u=rw,g=,o=
+      loop:
+        - name: drone
+    - name: Create global docker volumes (docker_volume)
+      become: yes
+      docker_volume:
+        name: "{{ item.name }}"
+        state: "{{ item.state }}"
+      loop:
+        - name: codi_database
+          state: present
+        - name: codi_uploads
+          state: present
+        - name: gitlab_data
+          state: present
+        - name: gitlab_logs
+          state: present
+        - name: gitlab_config
+          state: present
+        - name: gitlab_runner_config
+          state: present
+        - name: gitlab_runner_cache
+          state: present
     - name: Set up docker stuff
       become: yes
       docker_compose:
@@ -32,27 +48,15 @@
         debug: yes
       loop:
         - name: web
-          state: absent
+          state: present
         - name: runner
           state: absent
-        - name: gitea
+    - name: Add jupyter user with UID 42000
-          state: present
-        - name: caddy
-          state: present
-    - name: Add users for running containers
       become: yes
       ansible.builtin.user:
-        name: "{{ item.name }}"
+        name: jupyter
-        uid: "{{ item.uid }}"
-        create_home: no
-        state: present
-      loop:
-        - name: jupyter
         uid: 42000
         state: present
-        - name: gitea
-          uid: 42001
-          state: present
     - name: Add Notebooks folder
       become: yes
       ansible.builtin.file:

docker/caddy/docker-compose.yaml

@@ -1,20 +0,0 @@
-version: "3"
-
-services:
-  # Webserver for static files and reverse proxy
-  web:
-    image: pbrinkmeier/web
-    build: .
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - /var/lib/pbri/docker/caddy_data:/data
-      - /var/lib/pbri/docker/caddy_config:/config
-      - /home/paul/Sites:/srv:ro
-    restart: always
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/gitea/docker-compose.yaml

@@ -1,61 +0,0 @@
-version: "3"
-
-services:
-  gitea:
-    image: gitea/gitea:1.17.1
-    restart: always
-    environment:
-      USER: gitea
-      USER_UID: 42001
-      USER_GID: 42001
-      GITEA__server__DOMAIN: pbrinkmeier.de
-      GITEA__server__HTTP_PORT: 3000
-      GITEA__server__ROOT_URL: https://git.pbrinkmeier.de/
-      GITEA__server__SSH_DOMAIN: pbrinkmeier.de
-      GITEA__server__SSH_LISTEN_PORT: 22
-      GITEA__server__SSH_PORT: 22
-      GITEA__server__OFFLINE_MODE: "true"
-      GITEA__database__DB_TYPE: postgres
-      GITEA__database__HOST: gitea_db:5432
-      GITEA__database__NAME: gitea
-      GITEA__database__USER: gitea
-      GITEA__database__PASSWD: "${GITEA_DB_PASSWORD}"
-      GITEA__picture__DISABLE_GRAVATAR: "true"
-      GITEA__picture__FEDERATED_AVATAR: "false"
-      GITEA__service__DISABLE_REGISTRATION: "true"
-      GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
-      GITEA__service__ENABLE_NOTIFY_MAIL: "true"
-      GITEA__service__NOREPLY_ADDRESS: noreply.pbrinkmeier.de
-      GITEA__service__ENABLE_TIMETRACKING: "false"
-      GITEA__service__DEFAULT_ENABLE_TIMETRACKING: "false"
-      GITEA__service__DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME: "false"
-      GITEA__mailer__ENABLED: "true"
-      GITEA__mailer__HOST: smtp.mailbox.org:465
-      GITEA__mailer__FROM: git@pbrinkmeier.de
-      GITEA__mailer__USER: hallo@pbrinkmeier.de
-      GITEA__mailer__PASSWD: "${GITEA_SMTP_PASSWORD}"
-      GITEA__openid__ENABLE_OPENID_SIGNIN: "false"
-      GITEA__openid__ENABLE_OPENID_SIGNUP: "false"
-    volumes:
-      - /var/lib/pbri/docker/gitea:/data
-      - /etc/timezone:/etc/timezone:ro
-      - /etc/localtime:/etc/localtime:ro
-    ports:
-      - 22:22
-    depends_on:
-      - gitea_db
-
-  gitea_db:
-    image: postgres:14.5-alpine
-    restart: always
-    environment:
-      POSTGRES_DB: gitea
-      POSTGRES_USER: gitea
-      POSTGRES_PASSWORD: "${GITEA_DB_PASSWORD}"
-    volumes:
-      - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data
-
-networks:
-  default:
-    name: caddy-network
-    external: true

docker/web/Caddyfile

@@ -15,7 +15,7 @@ codi.pbrinkmeier.de {
 }
 
 git.pbrinkmeier.de {
-    reverse_proxy gitea:3000
+    reverse_proxy gitlab:80
 }
 
 ci.pbrinkmeier.de {

docker/web/README.md

@@ -1,6 +1,6 @@
 # web
 
-Old god project.
+Contains stuff exposed via HTTP(S) to the Internet, e.g. personal website, Wiki, etc.
 
 ## Jupyter
 

docker/web/docker-compose.yaml

@@ -1,6 +1,19 @@
 version: "3"
 
 services:
+  # Webserver for static files and reverse proxy
+  web:
+    image: pbrinkmeier/web
+    build: .
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - caddy_data:/data
+      - caddy_config:/config
+      - /home/paul/Sites:/srv:ro
+    restart: always
+
   codi:
     image: hackmdio/hackmd:2.4.2
     # CMD_DB_{URL,CMD_SESSION_SECRET}
@@ -17,7 +30,7 @@ services:
       - codi_db
       - codi_plantuml
     volumes:
-      - /var/lib/pbri/docker/codi_uploads:/home/hackmd/app/public/uploads
+      - codi_uploads:/home/hackmd/app/public/uploads
     restart: always
     
   codi_db:
@@ -26,7 +39,7 @@ services:
     # Must match CMD_DB_URL in codi.env
     env_file: codi_db.env
     volumes:
-      - /var/lib/pbri/docker/codi_database:/var/lib/postgresql/data
+      - codi_database:/var/lib/postgresql/data
     restart: always
   
   codi_plantuml:
@@ -38,9 +51,9 @@ services:
     ports:
       - "22:22"
     volumes:
-      - /var/lib/pbri/docker/gitlab_data:/var/opt/gitlab
+      - gitlab_data:/var/opt/gitlab
-      - /var/lib/pbri/docker/gitlab_logs:/var/log/gitlab
+      - gitlab_logs:/var/log/gitlab
-      - /var/lib/pbri/docker/gitlab_config:/etc/gitlab
+      - gitlab_config:/etc/gitlab
     restart: always
     # GITLAB_SMTP_PASSWORD
     env_file: gitlab.env
@@ -66,17 +79,11 @@ services:
         # https://docs.gitlab.com/omnibus/settings/rpi.html
         puma['worker_processes'] = 2
         sidekiq['concurrency'] = 9
+        prometheus_monitoring['enable'] = false
 
         nginx['listen_port'] = 80
         nginx['listen_https'] = false
 
-        # https://forum.gitlab.com/t/clear-up-postges-prometheus-data/38216/3
-        prometheus_monitoring['enable'] = false
-        prometheus['enable'] = false
-        prometheus['flags'] = {
-          'storage.tsdb.retention.time' => "12h"
-        }
-
   jupyter:
     image: ihaskell-docker:1.0
     # ports:
@@ -112,3 +119,17 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     restart: always
+
+volumes:
+  caddy_data:
+  caddy_config:
+  codi_uploads:
+    external: yes
+  codi_database:
+    external: yes
+  gitlab_data:
+    external: yes
+  gitlab_logs:
+    external: yes
+  gitlab_config:
+    external: yes