diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..1922e55
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,73 @@
+Vagrant.configure("2") do |config|
+ # Disable default synced folder
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+
+ # DMZ - Traefik Reverse Proxy
+ config.vm.define "dmz" do |dmz|
+ dmz.vm.box = "debian/bookworm64"
+ dmz.vm.hostname = "dmz"
+ dmz.vm.network "private_network", ip: "192.168.56.10"
+ dmz.vm.network "forwarded_port", guest: 80, host: 8080
+ dmz.vm.network "forwarded_port", guest: 443, host: 8443
+
+ # Libvirt provider - much better performance than virtualbox
+ dmz.vm.provider "libvirt" do |lv|
+ lv.memory = 2048
+ lv.cpus = 2
+ end
+
+ # Provision dependencies
+ dmz.vm.provision "shell", inline: <<-SHELL
+ # Update system
+ apt-get update
+ apt-get install -y sudo python3 ca-certificates curl gnupg
+ SHELL
+ end
+
+ # Backend - Container Host
+ config.vm.define "backend" do |backend|
+ backend.vm.box = "debian/bookworm64"
+ backend.vm.hostname = "backend"
+ backend.vm.network "private_network", ip: "192.168.56.11"
+
+ # Libvirt provider - much better performance than virtualbox
+ backend.vm.provider "libvirt" do |lv|
+ lv.memory = 2048
+ lv.cpus = 2
+ end
+
+ # Provision dependencies
+ backend.vm.provision "shell", inline: <<-SHELL
+ # Update system
+ apt-get update
+ apt-get install -y sudo python3 ca-certificates curl gnupg
+ SHELL
+ end
+
+ # Backend2 - Second smaller Container Host for testing
+ config.vm.define "backend2" do |backend2|
+ backend2.vm.box = "debian/bookworm64"
+ backend2.vm.hostname = "backend2"
+ backend2.vm.network "private_network", ip: "192.168.56.12"
+
+ backend2.vm.provider "libvirt" do |lv|
+ lv.memory = 1024
+ lv.cpus = 1
+ end
+
+ # Provision dependencies
+ backend2.vm.provision "shell", inline: <<-SHELL
+ # Update system
+ apt-get update
+ apt-get install -y sudo python3 ca-certificates curl gnupg
+ SHELL
+
+ # Provision all VMs with Ansible after the last VM is up
+ backend2.vm.provision "ansible" do |ansible|
+ ansible.limit = "all"
+ ansible.playbook = "playbooks/site.yml"
+ ansible.inventory_path = "inventories/vagrant"
+ ansible.verbose = "v"
+ end
+ end
+end
diff --git a/ansible.cfg b/ansible.cfg
index a2993f2..2fb7196 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,3 +1,3 @@
[defaults]
-collections_paths = ./collections
+collections_path = ./collections:~/.ansible/collections:/usr/share/ansible/collections
remote_user = root
\ No newline at end of file
diff --git a/inventories/dev/hosts.ini b/inventories/dev/hosts.ini
deleted file mode 100644
index e69de29..0000000
diff --git a/inventories/prod/group_vars/all_servers.yml b/inventories/prod/group_vars/all_servers.yml
deleted file mode 100644
index 49f540a..0000000
--- a/inventories/prod/group_vars/all_servers.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-docker_compose_base_dir: /srv/test-compose/
-docker_volume_base_dir: /srv/test-volume/
\ No newline at end of file
diff --git a/inventories/prod/group_vars/reverseproxy_servers_dmz.yml b/inventories/prod/group_vars/reverseproxy_servers_dmz.yml
deleted file mode 100644
index 9d94b54..0000000
--- a/inventories/prod/group_vars/reverseproxy_servers_dmz.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# DMZ reverse proxy - no local services, only proxies to backend services
-services: []
-
-use_static_services: true
-use_docker_provider: false
\ No newline at end of file
diff --git a/inventories/prod/hosts.ini b/inventories/prod/hosts.ini
deleted file mode 100644
index 69db06a..0000000
--- a/inventories/prod/hosts.ini
+++ /dev/null
@@ -1,23 +0,0 @@
-[all_servers]
-172.16.9.88
-172.16.17.72
-172.16.17.73
-
-[reverseproxy_servers_dmz]
-172.16.9.88 ansible_port=2222
-
-[forgejo_servers]
-172.16.17.72
-
-[nextcloud_servers]
-172.16.17.73
-
-[reverseproxy_servers]
-172.16.17.72
-172.16.17.73
-
-[forgejo_runners]
-172.16.17.198
-
-[minio_storage]
-172.16.17.149
\ No newline at end of file
diff --git a/inventories/vagrant/group_vars/all.yml b/inventories/vagrant/group_vars/all.yml
new file mode 100644
index 0000000..88b1e04
--- /dev/null
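Review bot: The two `forwarded_port` lines for `dmz` (80→8080, 443→8443) set no `host_ip`, so whether the lab proxy is reachable from other machines on the host's network depends on the provider's default binding rather than on an explicit choice; since the same commit ships a self-signed cert mode and `enable_dashboard: true` for the DMZ proxy, pinning them with `dmz.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"` (and likewise for 443) keeps the exposure deliberate. The `apt-get` shell provisioner is copied verbatim into all three `define` blocks; a single `config.vm.provision "shell", inline: ...` at the top level runs on every machine and removes the duplication. A short comment on the `ansible` provisioner saying that `ansible.limit = "all"` means `vagrant up backend2` on its own will try to reach `dmz` and `backend` as well would save the next reader a failed run.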
+++ b/inventories/vagrant/group_vars/all.yml
@@ -0,0 +1,3 @@
+---
+# Variables for all hosts
+ansible_python_interpreter: /usr/bin/python3
\ No newline at end of file
diff --git a/inventories/vagrant/group_vars/traefik_servers_backend.yml b/inventories/vagrant/group_vars/traefik_servers_backend.yml
new file mode 100644
index 0000000..70c5e8f
--- /dev/null
+++ b/inventories/vagrant/group_vars/traefik_servers_backend.yml
@@ -0,0 +1,10 @@
+---
+# Configuration for backend reverse proxy servers
+# These use Docker provider for local service discovery
+
+traefik_mode: backend
+use_ssl: true
+cert_mode: "selfsigned"
+enable_dashboard: true
+log_level: DEBUG
+traefik_network: proxy
\ No newline at end of file
diff --git a/inventories/vagrant/group_vars/traefik_servers_dmz.yml b/inventories/vagrant/group_vars/traefik_servers_dmz.yml
new file mode 100644
index 0000000..ccbd2b3
--- /dev/null
+++ b/inventories/vagrant/group_vars/traefik_servers_dmz.yml
@@ -0,0 +1,24 @@
+---
+# Configuration for DMZ reverse proxy servers
+# These are public-facing proxies that route traffic to backend servers
+
+traefik_mode: dmz
+use_ssl: true
+cert_mode: "selfsigned" # Use 'acme' for production
+enable_dashboard: true
+log_level: DEBUG
+traefik_network: proxy
+
+# Backend servers to proxy (if empty, proxies to all backend_servers)
+# This allows multiple DMZ proxies to handle different backend servers
+# backend_servers_to_proxy:
+# - backend1
+# - backend2
+
+# ACME configuration (uncomment for production with cert_mode: acme)
+# ssl_email: "admin@example.com"
+# ssl_cert_resolver: "dns"
+# acme_dns_zone: "digitalboard._acme.digitalboard.ch."
+# acme_dns_nameserver: "192.168.1.1:53"
+# acme_tsig_key: "your-tsig-key-name"
+# acme_tsig_secret: "your-tsig-secret"
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml
new file mode 100644
index 0000000..a83f8dc
--- /dev/null
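Review bot: `enable_dashboard: true` and `log_level: DEBUG` are enabled in traefik_servers_backend.yml and again in traefik_servers_dmz.yml, whose header describes its hosts as public-facing, yet unlike `cert_mode` neither line carries a "for production" reminder. Add one on both lines in both files, e.g. `enable_dashboard: true # lab only - disable or protect in production` and `log_level: DEBUG # lab only - INFO or WARN in production`, so that copying this inventory as the template for a real one does not carry the dashboard and verbose logging along. Whether the role puts the dashboard behind authentication is not visible in this diff; if it does not, the DMZ line is the one to treat as a real finding rather than a documentation nit.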
+++ b/inventories/vagrant/host_vars/backend/keycloak.yml
@@ -0,0 +1 @@
+keycloak_admin_password: admin
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/main.yml b/inventories/vagrant/host_vars/backend/main.yml
new file mode 100644
index 0000000..3d91d22
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend/main.yml
@@ -0,0 +1,3 @@
+---
+# Backend server configuration
+# This server hosts application services that are exposed via the DMZ reverse proxy
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml
new file mode 100644
index 0000000..da93bef
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend/traefik.yml
@@ -0,0 +1,21 @@
+# Services to be exposed through the DMZ reverse proxy
+traefik_services:
+ - name: httpbin
+ domain: httpbin.local.test
+ port: 443
+ protocol: https
+ - name: keycloak
+ domain: keycloak.local.test
+ port: 443
+ protocol: https
+
+ # Example: Add more services as you deploy them
+ # - name: forgejo
+ # domain: git.example.com
+ # port: 3000
+ # protocol: http
+
+ # - name: nextcloud
+ # domain: cloud.example.com
+ # port: 80
+ # protocol: http
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend2/httbin.yml b/inventories/vagrant/host_vars/backend2/httbin.yml
new file mode 100644
index 0000000..3ad499d
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend2/httbin.yml
@@ -0,0 +1,2 @@
+# Httpbin service configuration (overrides for this host)
+httpbin_domain: "httpbin-srv2.local.test"
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend2/main.yml b/inventories/vagrant/host_vars/backend2/main.yml
new file mode 100644
index 0000000..bfe30aa
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend2/main.yml
@@ -0,0 +1,3 @@
+---
+# Backend2 server configuration
+# This is a minimal test server for testing multi-backend routing
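Review bot: `keycloak_admin_password: admin` commits a plaintext, default-looking admin credential, and `keycloak.local.test` is listed in backend/traefik.yml as a service the DMZ proxy publishes, so presumably anyone who can reach the forwarded host ports can sign in with it. For a disposable Vagrant lab that may be acceptable, but nothing in the file says so and the host_vars layout is clearly meant as the pattern for other inventories; add `# Vagrant lab only - throwaway credential; real inventories keep this in ansible-vault` above the line, or put the value in a vaulted file from the start. A value less obvious than `admin` costs nothing even in a lab.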
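Review bot: Both entries in backend/traefik.yml declare `port: 443` / `protocol: https` while traefik_servers_backend.yml sets `cert_mode: "selfsigned"`, so the DMZ proxy will be forwarding to a self-signed certificate; whether the traefik role pins that certificate or turns verification off is not visible here, and the second option would leave the DMZ→backend hop open to interception inside the private network. A comment on the list stating the intended trust model, e.g. `# backend serves the self-signed cert from cert_mode; the DMZ must trust it explicitly rather than skip verification`, would document the assumption for whoever reads the role next.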
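Review bot: The new file is named `httbin.yml` while the variable it sets is `httpbin_domain` and the service it overrides is `httpbin`; Ansible loads every file in a `host_vars/<host>/` directory, so the override still applies, but the misspelled name makes it hard to find. Rename it to `inventories/vagrant/host_vars/backend2/httpbin.yml`.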
diff --git a/inventories/vagrant/host_vars/backend2/traefik.yml b/inventories/vagrant/host_vars/backend2/traefik.yml
new file mode 100644
index 0000000..51f9fc2
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend2/traefik.yml
@@ -0,0 +1,6 @@
+# Services to be exposed through the DMZ reverse proxy
+traefik_services:
+ - name: httpbin-srv2
+ domain: "{{ httpbin_domain }}"
+ port: 443
+ protocol: https
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/dmz/main.yml b/inventories/vagrant/host_vars/dmz/main.yml
new file mode 100644
index 0000000..659b0f0
--- /dev/null
+++ b/inventories/vagrant/host_vars/dmz/main.yml
@@ -0,0 +1,4 @@
+---
+# Host-specific variables for dmz
+# Example:
+# custom_var: value
\ No newline at end of file
diff --git a/inventories/vagrant/hosts.ini b/inventories/vagrant/hosts.ini
new file mode 100644
index 0000000..564c47d
--- /dev/null
+++ b/inventories/vagrant/hosts.ini
@@ -0,0 +1,36 @@
+# This file defines the group structure for vagrant VMs
+# Fixed IPs are defined in the Vagrantfile
+# Additional host-specific variables should go in host_vars/
+# Group-specific variables should go in group_vars/
+
+[all_servers]
+dmz ansible_host=192.168.56.10 ansible_ssh_private_key_file=.vagrant/machines/dmz/libvirt/private_key ansible_user=vagrant
+backend ansible_host=192.168.56.11 ansible_ssh_private_key_file=.vagrant/machines/backend/libvirt/private_key ansible_user=vagrant
+backend2 ansible_host=192.168.56.12 ansible_ssh_private_key_file=.vagrant/machines/backend2/libvirt/private_key ansible_user=vagrant
+
+# Backend servers that host application services
+[backend_servers]
+backend
+backend2
+
+# Reverse proxy servers in DMZ (public-facing, file provider mode)
+[traefik_servers_dmz]
+dmz
+
+# Reverse proxy servers on backend (docker provider mode)
+[traefik_servers_backend]
+backend
+backend2
+
+# All reverse proxy servers
+[traefik_servers:children]
+traefik_servers_dmz
+traefik_servers_backend
+
+# Application servers
+[httpbin_servers]
+backend
+backend2
+
+[keycloak_servers]
+backend
\ No newline at end of file
diff --git a/playbooks/site.yml b/playbooks/site.yml
index f41d037..03c1ec3 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
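Review bot: The `ansible_host` addresses 192.168.56.10–12 duplicate the `private_network` IPs from the Vagrantfile, yet the header comment `# Fixed IPs are defined in the Vagrantfile` reads as if this file did not carry them; editing one place without the other silently breaks connectivity. Reword it to `# Fixed IPs are defined in the Vagrantfile and must match the ansible_host values below`. The `ansible_ssh_private_key_file` paths also hard-code the `libvirt` segment, which matches the only provider block in the Vagrantfile but deserves a one-line comment, since a run under another provider keeps its key in a different `.vagrant/machines/<name>/<provider>/` directory.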
@@ -5,26 +5,26 @@ roles: - digitalboard.core.base -- name: Configure reverse proxy on servers - hosts: reverseproxy_servers +- name: Configure reverse proxy on application servers + hosts: traefik_servers_backend become: yes roles: - - digitalboard.core.reverseproxy + - digitalboard.core.traefik -- name: Configure Forgejo servers - hosts: forgejo_servers +- name: Deploy httpbin service + hosts: httpbin_servers become: yes roles: - - digitalboard.core.reverseproxy + - digitalboard.core.httpbin -- name: Configure Nextcloud servers - hosts: nextcloud_servers +- name: Deploy keycloak service + hosts: keycloak_servers become: yes roles: - - digitalboard.core.reverseproxy + - digitalboard.core.keycloak - name: Configure reverse proxy on DMZ servers - hosts: reverseproxy_servers_dmz + hosts: traefik_servers_dmz become: yes roles: - - digitalboard.core.reverseproxy + - digitalboard.core.traefik