Compare commits
3 Commits
Author | SHA1 | Date |
---|---|---|
taudris | 8a0d5e0b05 | |
taudris | 28e164e638 | |
taudris | af4121d43b |
|
@ -0,0 +1,40 @@
|
|||
ansible: controls remote computers via ssh using playbooks
|
||||
terraform: vm provisioning on various platforms, eg proxmox
|
||||
|
||||
* use ansible to set up terraform on a host
|
||||
* use ansible to tell terraform to set up VMs?
|
||||
|
||||
|
||||
=== wsl ansible prep ===
|
||||
|
||||
sudo apt install ansible
|
||||
|
||||
|
||||
|
||||
=== proxmox ansible prep ===
|
||||
|
||||
make ansible configure cloud image remotely:
|
||||
https://ronamosa.io/docs/engineer/LAB/proxmox-cloudinit/
|
||||
https://forum.proxmox.com/threads/regenerate-cloud-init-image-using-ansible.89964/
|
||||
|
||||
make ansible install python remotely:
|
||||
https://blog.knoldus.com/how-to-install-python-in-target-host-using-ansible/
|
||||
|
||||
something to secure secrets:
|
||||
https://docs.ansible.com/ansible/2.8/user_guide/vault.html
|
||||
|
||||
use gvisor as the container kernel:
|
||||
https://gvisor.dev/docs/user_guide/install/
|
||||
|
||||
|
||||
-- auth --
|
||||
create user called "ansible" using pam auth
|
||||
add an api token
|
||||
ansible@pam!ansible_pve_token
|
||||
cb1b5fac-035c-4cc0-a6c7-7a442e943686
|
||||
|
||||
-- install ansible requirements --
|
||||
apt install -y python3-pip python3-dev build-essential libguestfs-tools
|
||||
pip3 install virtualenv
|
||||
|
||||
not sure if needed: pip3 install proxmoxer requests
|
|
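Review bot: The value `cb1b5fac-035c-4cc0-a6c7-7a442e943686` directly under `ansible@pam!ansible_pve_token` in the `-- auth --` section looks like the API token secret for the newly created Proxmox user, committed to the repository in plain text. A secret in git history cannot be un-leaked by a later commit: revoke the token on the PVE host, issue a new one, and keep only the token ID in these notes, storing the secret in the same KeePass store the playbooks already read, e.g. `ansible@pam!ansible_pve_token  (secret in keepass entry 'pve_ansible_token')`. Both playbooks in this commit still authenticate as `root@pam` with a password, so the token is created but never used; once it is, the `ansible` user will also need a role on the relevant `/vms` and storage paths, which these notes do not yet cover. The vault link points at the Ansible 2.8 docs; the current `ansible-vault` page is the one to follow for a new setup.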
@ -0,0 +1,18 @@
|
|||
---
|
||||
- name: Clone VM
|
||||
community.general.proxmox_kvm:
|
||||
api_user: root@pam
|
||||
api_password: "{{ lookup('keepass', 'pveroot', 'password') }}"
|
||||
api_host: pve
|
||||
clone: ubuntu-jammy-template
|
||||
name: ubuntu-jammy-vm
|
||||
node: pve
|
||||
storage: local-lvm
|
||||
format: raw
|
||||
timeout: 500
|
||||
net:
|
||||
net0: "virtio,bridge=vmbr0"
|
||||
#ipconfig:
|
||||
# ipconfig0: "ip=192.168.56.201/24"
|
||||
#ciuser: user
|
||||
#cipassword: hallowelt
|
|
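Review bot: `api_user: root@pam` with `api_password` hands this playbook the host's root credential, while the notes in this same commit create a dedicated `ansible@pam` user with an API token for exactly this job. Switch to the token so a compromised control node cannot log in as root: `api_user: ansible@pam`, `api_token_id: ansible_pve_token`, `api_token_secret: "{{ lookup('keepass', 'pve_ansible_token', 'password') }}"` and drop `api_password`. The commented-out `#cipassword: hallowelt` shows a plaintext guest password was also considered here; if cloud-init credentials are re-enabled, pull them from the same lookup rather than the file. If I recall the module's default correctly, `proxmox_kvm` does not verify the API's TLS certificate unless `validate_certs: true` is set, which is worth adding once `api_host: pve` is reached over anything but a trusted LAN.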
@ -0,0 +1,58 @@
|
|||
---
|
||||
#proxmox module documentation: https://docs.ansible.com/ansible/latest/collections/community/general/proxmox_kvm_module.html
|
||||
- name: Download Ubuntu cloud image
|
||||
get_url:
|
||||
#url: https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
|
||||
url: https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-disk-kvm.img #slightly smaller
|
||||
dest: /home/ansible/jammy-server-cloudimg-amd64-disk-kvm.img
|
||||
|
||||
- name: Create empty VM using Cloud-Init
|
||||
community.general.proxmox_kvm:
|
||||
node: pve
|
||||
api_user: root@pam
|
||||
api_password: "{{ lookup('keepass', 'pveroot', 'password') }}"
|
||||
api_host: pve
|
||||
name: ubuntu-jammy-template
|
||||
scsihw: virtio-scsi-pci
|
||||
scsi:
|
||||
scsi0: 'local-lvm:1,format=raw'
|
||||
ide:
|
||||
ide2: 'local:cloudinit,format=qcow2'
|
||||
bootdisk: scsi0
|
||||
ciuser: user
|
||||
cipassword: hallowelt
|
||||
net:
|
||||
net0: 'virtio,bridge=vmbr0'
|
||||
ipconfig:
|
||||
ipconfig0: 'ip=192.168.56.230/24'
|
||||
proxmox_default_behavior: compatibility
|
||||
|
||||
- name: import init disk
|
||||
ansible.builtin.command:
|
||||
cmd: "qm importdisk 299 /home/ansible/jammy-server-cloudimg-amd64-disk-kvm.img local-lvm"
|
||||
creates: "/dev/mapper/pve-vm--299--disk--1"
|
||||
|
||||
|
||||
- name: attache base image disk
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/pve/local/qemu-server/299.conf
|
||||
regexp: '^scsi0:.*'
|
||||
line: 'scsi0: local-lvm:vm-299-disk-1'
|
||||
|
||||
- name: make vm to template
|
||||
community.general.proxmox_kvm:
|
||||
node: pve
|
||||
api_user: root@pam
|
||||
api_password: "{{ lookup('keepass', 'pveroot', 'password') }}"
|
||||
api_host: pve
|
||||
vmid: 299
|
||||
name: ubuntu-jammy-template
|
||||
scsihw: virtio-scsi-pci
|
||||
ide:
|
||||
ide2: 'local:cloudinit,format=qcow2'
|
||||
bootdisk: scsi0
|
||||
ciuser: user
|
||||
cipassword: hallowelt
|
||||
proxmox_default_behavior: compatibility
|
||||
template: yes
|
||||
update: yes
|
|
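Review bot: `ciuser: user` / `cipassword: hallowelt` bakes a static plaintext password into the cloud-init config of a VM that is then turned into a template, so every VM cloned from it (and anyone who can read this repo) shares that login. Prefer key-based access and keep any password out of the playbook: `sshkeys: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"` and, only if a password is still needed, `cipassword: "{{ lookup('keepass', 'ci_user', 'password') }}"`. The `get_url` task has no integrity check on the image that `qm importdisk` later turns into the template disk; add `checksum: "sha256:https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS"` so a truncated or tampered download is rejected. The `import init disk` and `attache base image disk` tasks hard-code VMID 299, but the create task sets no `vmid`, so the module picks the next free ID and the later tasks may operate on a different VM; pass `vmid: 299` in the create task as the final task already does. `template: yes` / `update: yes` should be `true` per yamllint's truthy rule.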
@ -0,0 +1,13 @@
|
|||
maybe kubernetes won't have any permission issues because it has a CSI driver that supports SMB shares directly
|
||||
|
||||
* create vm for k3s.taudris.com
|
||||
* get it running at all: ca-taudris-com
|
||||
* get persistence working with samba CSI thingy: transmission
|
||||
* get haproxy and a gui working?
|
||||
possible to automate cert renewal?
|
||||
* get nextcloud working
|
||||
* get the rest working
|
||||
* migrate
|
||||
* tear down vm for apps.taudris.com
|
||||
|
||||
* how to secure k8s (or whichever flavor of it)?
|
|
@ -0,0 +1,19 @@
|
|||
root@72be92618e35:/var/www/html# php -f /var/www/html/cron.php
|
||||
Console has to be executed with the user that owns the file config/config.php
|
||||
Current user id: 0
|
||||
Owner id of config.php: 1002
|
||||
root@72be92618e35:/var/www/html#
|
||||
|
||||
|
||||
|
||||
root@72be92618e35:/var/www/html# cat /var/spool/cron/crontabs/www-data
|
||||
*/5 * * * * php -f /var/www/html/cron.php
|
||||
root@72be92618e35:/var/www/html#
|
||||
|
||||
|
||||
|
||||
the whole reason to run the container as a different user is to gain access to the file share
|
||||
nextcloud has the ability to use file shares as external storage
|
||||
but nextcloud has more data than what would go on the external storage, and that data also needs to be backed up
|
||||
|
||||
looks impossible to modify the cron job to run as a different user without customizing the container :(
|