feat: ansible infra setup

infra/.gitignore

@@ -0,0 +1,5 @@
+## Ansible .gitignore
+################################################################################
+
+.cache/
+.venv/

infra/Makefile

@@ -0,0 +1,17 @@
+SHELL = bash
+VENV = .venv
+
+all: $(VENV)
+
+install: $(VENV)
+$(VENV):
+	python3 -m venv $(VENV) --upgrade-deps
+	$(VENV)/bin/pip install wheel
+	$(VENV)/bin/pip install -r requirements.txt
+	$(VENV)/bin/ansible-galaxy install -r requirements.yml
+
+lint: $(VENV)
+	$(VENV)/bin/ansible-lint --force-color
+
+clean:
+	git clean -xdf -e .vault

infra/ansible.cfg

@@ -0,0 +1,26 @@
+# Config file for ansible -- https://ansible.com/
+# ===============================================
+
+[defaults]
+inventory = hcloud.yml, hosts.yml
+host_key_checking = False
+
+stdout_callback = community.general.yaml
+
+fact_caching = memory
+
+retry_files_enabled = False
+
+interpreter_python = /usr/bin/python3
+
+ask_vault_pass = False
+vault_password_file = tools/vault-password
+
+[inventory]
+enable_plugins = yaml, hetzner.hcloud.hcloud
+
+[privilege_escalation]
+become_ask_pass = False
+
+[ssh_connection]
+pipelining = True

infra/hcloud.yml

@@ -0,0 +1,5 @@
+---
+plugin: hetzner.hcloud.hcloud
+keyed_groups:
+  - key: labels
+    separator: ""

infra/host_vars/prod1.yml

@@ -0,0 +1,14 @@
+---
+ansible_user: root
+
+# firewall
+firewalld_zones:
+  public:
+    head: |
+      <interface name="{{ ansible_default_ipv4.interface }}"/>
+      <forward/>
+
+      <service name="ssh"/>
+      <service name="dhcpv6-client"/>
+      <service name="http"/>
+      <service name="https"/>

infra/hosts.yml

@@ -0,0 +1,8 @@
+---
+web:
+  hosts:
+    prod1:
+
+docker:
+  hosts:
+    prod1:

infra/infra.yml

@@ -0,0 +1,38 @@
+---
+- name: Setup servers
+  hosts: localhost
+  connection: local
+  vars:
+    ansible_python_interpreter: .venv/bin/python3
+  tasks:
+    - name: Create server
+      hetzner.hcloud.hcloud_server:
+        name: prod1
+        server_type: cx11
+        image: debian-11
+        location: fsn1
+        labels:
+          production: ""
+        ssh_keys:
+          - jooola
+        state: present
+
+    - name: Ensure the server is started
+      hetzner.hcloud.hcloud_server:
+        name: prod1
+        state: started
+      register: server
+
+    - name: Create server domain name
+      community.general.gandi_livedns:
+        api_key: "{{ lookup('ansible.builtin.env', 'GANDI_TOKEN') }}"
+        domain: libretime.org
+        record: prod1
+        type: A
+        values:
+          - "{{ server.hcloud_server.ipv4_address }}"
+        ttl: 360
+        state: present
+
+    - name: Refresh inventory
+      ansible.builtin.meta: refresh_inventory

infra/requirements.txt

@@ -0,0 +1,5 @@
+## Ansible
+ansible-core>=2.14,<2.15
+ansible-lint>=6.14.4,<6.15
+
+hcloud>=1.19.0,<1.20

infra/requirements.yml

@@ -0,0 +1,10 @@
+collections:
+  - name: community.general
+    source: git+https://github.com/ansible-collections/community.general
+    type: git
+    version: 6.5.0
+
+  - name: hetzner.hcloud
+    source: git+https://github.com/ansible-collections/hetzner.hcloud
+    type: git
+    version: 1.11.0

infra/roles/common/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+lang: en_US.UTF-8
+language: en_US:en
+timezone: Europe/Berlin

infra/roles/common/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+
+- name: Install locale
+  community.general.locale_gen:
+    name: "{{ lang }}"
+    state: present
+
+- name: Check default locale
+  ansible.builtin.lineinfile:
+    dest: /etc/default/locale
+    line: "{{ item }}"
+  check_mode: true
+  with_items:
+    - "LANG={{ lang }}"
+    - "LANGUAGE={{ language }}"
+  register: default_locale
+
+- name: Set locale # noqa no-handler no-changed-when
+  when: default_locale is changed
+  ansible.builtin.command: update-locale LANG="{{ lang }}" LANGUAGE="en_US:en"
+
+- name: Install common packages
+  ansible.builtin.apt:
+    state: present
+    update_cache: true
+    name:
+      - apt-transport-https
+      - bzip2
+      - curl
+      - git
+      - gpg
+      - rsync
+      - sudo
+      - unzip
+      - vim
+      - wget
+      - zip
+      - zsh

infra/roles/docker/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+docker_bridge_ip: 172.17.0.1/16

infra/roles/docker/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart docker
+  ansible.builtin.systemd:
+    name: docker
+    state: restarted

infra/roles/docker/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+- name: Ensure apt keyrings directory exists
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Deploy apt repository key for docker # noqa command-instead-of-module risky-shell-pipe
+  ansible.builtin.shell: >
+    curl -sSL https://download.docker.com/linux/debian/gpg
+    | gpg --dearmor -o /etc/apt/keyrings/docker-archive-keyring.gpg
+  args:
+    creates: /etc/apt/keyrings/docker-archive-keyring.gpg
+
+- name: Deploy apt repository for docker
+  ansible.builtin.apt_repository:
+    repo: >
+      deb
+      [signed-by=/etc/apt/keyrings/docker-archive-keyring.gpg]
+      https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
+    state: present
+
+- name: Install docker
+  ansible.builtin.apt:
+    name: [docker-ce, docker-compose-plugin, docker-buildx-plugin]
+    state: present
+
+- name: Deploy docker daemon conf
+  ansible.builtin.template:
+    src: docker/daemon.json.j2
+    dest: /etc/docker/daemon.json
+    owner: root
+    group: root
+    mode: "0644"
+    backup: true
+  notify: Restart docker
+
+- name: Enable/start docker daemon
+  ansible.builtin.systemd:
+    name: docker
+    state: started
+    enabled: true

infra/roles/docker/templates/docker/daemon.json.j2

@@ -0,0 +1,5 @@
+{
+  "ipv6": false,
+  "bip": "{{ docker_bridge_ip }}",
+  "ip": "127.0.0.1"
+}

infra/roles/firewall/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart firewalld
+  ansible.builtin.systemd:
+    name: firewalld
+    state: reloaded

infra/roles/firewall/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Install firewalld
+  ansible.builtin.apt:
+    name: firewalld
+    state: present
+
+- name: Enable/start firewalld
+  ansible.builtin.systemd:
+    name: firewalld
+    state: started
+    enabled: true
+
+- name: Deploy firewalld conf
+  ansible.builtin.template:
+    src: firewalld/zone.xml.j2
+    dest: /etc/firewalld/zones/{{ zone.key }}.xml
+    owner: root
+    group: root
+    mode: "0644"
+  with_dict: "{{ firewalld_zones }}"
+  loop_control:
+    loop_var: zone
+    label: "{{ zone.key }}"
+  notify: Restart firewalld

infra/roles/firewall/templates/firewalld/zone.xml.j2

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  {{ zone.value.head | indent(2) }}
+{% if zone.value.rules is defined %}
+{% for rule in zone.value.rules %}
+  <!-- {{ rule }} -->
+  {{ zone.value.rules[rule] | indent(2) }}
+{% endfor %}
+{% endif %}
+</zone>

infra/roles/root/files/.bash_aliases

@@ -0,0 +1 @@
+alias dc="docker compose"