30 changed files with 68 additions and 256 deletions
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@ -63,8 +63,11 @@ vault_ca_cert_payload: |
 nomad_version: 1.1.3
 nomad_podman_driver_version: 0.3.0

+# podman
+podman_version: 3.0.1+dfsg1-3+b2
+
 # lnd
-lnd_version: 0.14.2-beta
+lnd_version: 0.13.1-beta

 # lego
 lego_version: 4.4.0
--- a/ansible/group_vars/hardtack/main.yml
+++ b/ansible/group_vars/hardtack/main.yml
@ -3,5 +3,3 @@ hashi_arch: arm
 consul_arch: arm64
 nomad_arch: arm64
 docker_arch: arm64
-k3s_version: v1.23.4+k3s1
-k3s_role: 'client'
--- a/ansible/group_vars/hardtack/nomad.yml
+++ b/ansible/group_vars/hardtack/nomad.yml
@ -0,0 +1,5 @@
+---
+nomad_meta_values:
+  - { name: "storage_optimized", value: "false" }
+  - { name: "ram_optimized", value: "false" }
+...
--- a/ansible/host_vars/hardtack1.minhas.io/main.yml
+++ b/ansible/host_vars/hardtack1.minhas.io/main.yml
@ -1,3 +0,0 @@
---
-k3s_role: server
-...
--- a/ansible/host_vars/ivyking.minhas.io/haproxy.yml
+++ b/ansible/host_vars/ivyking.minhas.io/haproxy.yml
@ -1,10 +1,10 @@
 ---
 haproxy_domains:
-    - { name: "freshrss", url: "rss.minhas.io" }
    - { name: "gitea", url: "git.minhas.io" }
-    - { name: "kanban", url: "kanban.minhas.io" }
-    - { name: "nextcloud", url: "nextcloud.minhas.io" }
+    - { name: "freshrss", url: "rss.minhas.io" }
    - { name: "radicale", url: "dav.minhas.io" }
-    - { name: "sudoscientist-go-backend", url: "api.sudoscientist.com" }
    - { name: "wallabag", url: "wallabag.minhas.io" }
+    - { name: "kanban", url: "kanban.minhas.io" }
+    - { name: "sudoscientist-go-backend", url: "api.sudoscientist.com" }
+    - { name: "nextcloud", url: "nextcloud.minhas.io" }
 ...
--- a/ansible/inventory.txt
+++ b/ansible/inventory.txt
@ -17,9 +17,6 @@ ivyking.minhas.io
 [hardtack]
 hardtack[1:7].minhas.io

-[k3s]
-hardtack[1:7].minhas.io
-
 [lnd]
 redwingcherokee.minhas.io

@ -27,6 +24,7 @@ redwingcherokee.minhas.io
 ivyking.minhas.io

 [nomad_client]
+hardtack[1:7].minhas.io
 ivyking.minhas.io
 sedan.minhas.io

--- a/ansible/playbooks/k3s.yml
+++ b/ansible/playbooks/k3s.yml
@ -1,5 +0,0 @@
---
- hosts: k3s
-  roles:
-    - role: k3s
-...
--- a/ansible/playbooks/lnd.yml
+++ b/ansible/playbooks/lnd.yml
@ -2,5 +2,6 @@
 - hosts: lnd
  roles:
    - role: tor
+    - role: bitcoind
    - role: lnd
 ...
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@ -5,7 +5,6 @@
 - import_playbook: consul-client.yml
 - import_playbook: docker.yml
 - import_playbook: nomad.yml
- import_playbook: k3s.yml
 - import_playbook: nexus.yml
 - import_playbook: lnd.yml
 - import_playbook: wekan.yml
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@ -21,6 +21,8 @@
    state: present
    mode: 0644

+- name: update apt cache
+  apt:
 - name: install docker-ce
  apt:
    state: present
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@ -32,11 +32,6 @@ defaults
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

-frontend fe_tcp
-    mode    tcp
-    bind    :8000
-    default_backend be_airsonic
-
 frontend fe_default
    mode    http
    bind    :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
@ -56,11 +51,6 @@ backend be_{{ domain.name }}
    server-template {{ domain.name }} 1 _{{ domain.name }}._tcp.service.masked.name resolvers consul resolve-opts allow-dup-ip resolve-prefer ipv4 check

 {% endfor %}
-
-backend be_airsonic
-    balance leastconn
-    server airsonic 192.168.0.12:8000
-
 resolvers consul
    nameserver consul 127.0.0.1:8600
    accepted_payload_size 8192
--- a/ansible/roles/k3s/tasks/clients.yml
+++ b/ansible/roles/k3s/tasks/clients.yml
@ -1,16 +0,0 @@
---
- name: template k3s server systemd
-  template:
-    src: templates/k3s.service.j2
-    dest: /etc/systemd/system/k3s.service
-    owner: root
-    group: root
-    mode: 0644
-
- name: enable and start k3s
-  systemd:
-    daemon_reload: yes
-    enabled: yes
-    name: k3s
-    state: started
-...
--- a/ansible/roles/k3s/tasks/get_k3s.yml
+++ b/ansible/roles/k3s/tasks/get_k3s.yml
@ -1,25 +0,0 @@
---
- name: check k3s version
-  shell:
-    cmd: "k3s --version | grep k3s | cut -d' ' -f3"
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: installed_k3s_version
-  check_mode: False
-
- name: get k3s
-  get_url:
-    url: "https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/k3s-arm64"
-    dest: /usr/local/bin/k3s
-    mode: 0755
-    owner: root
-    group: root
-  when: installed_k3s_version.stdout != k3s_version
-
- name: link k3s
-  file:
-    src: /usr/local/bin/k3s
-    dest: /usr/local/bin/kubernetes
-    state: link
-...
--- a/ansible/roles/k3s/tasks/main.yml
+++ b/ansible/roles/k3s/tasks/main.yml
@ -1,7 +0,0 @@
---
- include: get_k3s.yml
- include: server.yml
-  when: k3s_role == "server"
- include: clients.yml
-  when: k3s_role == "client"
-...
--- a/ansible/roles/k3s/tasks/server.yml
+++ b/ansible/roles/k3s/tasks/server.yml
@ -1,25 +0,0 @@
---
- name: template k3s server systemd
-  template:
-    src: templates/k3s.service.j2
-    dest: /etc/systemd/system/k3s.service
-    owner: root
-    group: root
-    mode: 0644
-
- name: enable and start k3s
-  systemd:
-    daemon_reload: yes
-    enabled: yes
-    name: k3s
-    state: started
-
- name: get k3s token
-  slurp:
-    src: /var/lib/rancher/k3s/server/node-token
-  register: registered_k3s_node_token
-
- name: set k3s token var
-  set_fact:
-    k3s_node_token: "{{ registered_k3s_node_token.content | b64decode | trim }}"
-...
--- a/ansible/roles/k3s/templates/k3s.service.j2
+++ b/ansible/roles/k3s/templates/k3s.service.j2
@ -1,23 +0,0 @@
-[Unit]
-Description=k3s
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-ExecReload=/bin/kill -HUP $MAINPID
-{% if k3s_role == 'server' %}
-ExecStart=/usr/local/bin/k3s server --write-kubeconfig-mode 644 --disable servicelb --disable traefik
-{% else %}
-ExecStart=/usr/local/bin/k3s agent --server https://hardtack1.minhas.io:6443 --token {{ hostvars['hardtack1.minhas.io'].k3s_node_token }}
-{% endif %}
-KillMode=process
-KillSignal=SIGINT
-LimitNOFILE=infinity
-LimitNPROC=infinity
-Restart=on-failure
-RestartSec=2
-StartLimitBurst=3
-TasksMax=infinity
-
-[Install]
-WantedBy=multi-user.target
--- a/ansible/roles/lego/tasks/main.yml
+++ b/ansible/roles/lego/tasks/main.yml
@ -100,26 +100,12 @@
    mode: 0700
  loop: "{{ lego_certs }}"

- name: set cron env to bash
-  cron:
-    name: SHELL
-    env: True
-    job: /bin/bash
-    user: lego
-
- name: set cron env to bash
-  cron:
-    name: SHELL
-    env: True
-    job: /bin/bash
-    user: root
-
 - name: create renewal crontabs
  cron:
    name: "{{ item.name }} renewal"
    hour: "4"
    user: lego
-    job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 30'
+    job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 45'
  loop: "{{ lego_certs }}"

 - name: create haproxy reload crontab
--- a/ansible/roles/nexus/tasks/main.yml
+++ b/ansible/roles/nexus/tasks/main.yml
@ -119,7 +119,7 @@
 - name: run nexus3
  docker_container:
    name: nexus
-    image:  sonatype/nexus3:latest
+    image:  sonatype/nexus3
    env:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/nexus.crt
      REGISTRY_HTTP_TLS_KEY: /certs/nexus.key
--- a/ansible/roles/nomad_client/files/containers.conf
+++ b/ansible/roles/nomad_client/files/containers.conf
@ -1,29 +0,0 @@
-[containers]
-default_capabilities = [
-    "CHOWN",
-    "DAC_OVERRIDE",
-    "FOWNER",
-    "FSETID",
-    "KILL",
-    "NET_BIND_SERVICE",
-    "SETFCAP",
-    "SETGID",
-    "SETPCAP",
-    "SETUID",
-    "SYS_CHROOT"
-]
-
-default_sysctls = [
- "net.ipv4.ping_group_range=0 1",
-]
-
-[engine]
-runtime = "crun"
-cgroup_manager = "cgroupfs"
-events_logger = "journald"
-
-#[storage]
-#driver = "overlay"
-#
-#[storage.options]
-#mount_program = "/usr/bin/fuse-overlayfs"
--- a/ansible/roles/nomad_client/files/podman.socket
+++ b/ansible/roles/nomad_client/files/podman.socket
@ -0,0 +1,11 @@
+[Unit]
+Description=Podman API Socket
+Documentation=man:podman-system-service(1)
+
+[Socket]
+ListenStream=/run/podman/io.podman
+SocketMode=0660
+SocketGroup=podman
+
+[Install]
+WantedBy=sockets.target
--- a/ansible/roles/nomad_client/tasks/main.yml
+++ b/ansible/roles/nomad_client/tasks/main.yml
@ -1,5 +1,5 @@
 ---
- import_tasks: podman.yml
+- import_tasks: podman_prep.yml
 - import_tasks: nomad.yml
 - import_tasks: client_setup.yml
 ...
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@ -59,11 +59,6 @@
    group: root
  notify: daemon_reload

- name: get podman from passwd
-  getent:
-    database: passwd
-    key: podman
-
 - name: template nomad config
  template:
    src: templates/nomad.hcl.j2
--- a/ansible/roles/nomad_client/tasks/podman.yml
+++ b/ansible/roles/nomad_client/tasks/podman.yml
@ -1,72 +0,0 @@
---
- name: ensure podman group
-  group:
-    name: podman
-    state: present
-    system: True
-
- name: ensure podman user
-  user:
-    name: podman
-    state: present
-    group: podman
-    system: True
-
- name: ensure podman is installed
-  apt:
-    name:
-      - catatonit
-      - fuse-overlayfs
-      - podman
-      - slirp4netns
-      - uidmap
-    state: present
-
- name: ensure containers.conf is configured
-  copy:
-    src: containers.conf
-    dest: /etc/containers/containers.conf
-    owner: root
-    group: root
-    mode: 0644
-
- name: Check if podman lingers
-  stat: path=/var/lib/systemd/linger/podman
-  register: linger
-
- name: enable lingering for podman
-  command: loginctl enable-linger podman
-  when: not linger.stat.exists
-
- name: enable podman
-  systemd:
-    name: podman
-    state: started
-    enabled: True
-    scope: user
-  changed_when: False
-  become: True
-  become_user: podman
-
- name: check if subuid is configured
-  shell: grep podman /etc/subuid
-  register: subuid
-  changed_when: False
-  check_mode: False
-  failed_when: False
-
- name: check if subgid is configured
-  shell: grep podman /etc/subgid
-  register: subgid
-  changed_when: False
-  check_mode: False
-  failed_when: False
-
- name: configure subuid
-  shell: usermod --add-subuids 200000-201000 podman
-  when: subuid.rc != 0
-
- name: configure subgid
-  shell: usermod --add-subgids 200000-201000 podman
-  when: subgid.rc != 0
-...
--- a/ansible/roles/nomad_client/tasks/podman_prep.yml
+++ b/ansible/roles/nomad_client/tasks/podman_prep.yml
@ -0,0 +1,30 @@
+---
+- name: ensure podman group
+  group:
+    name: podman
+    state: present
+    system: True
+
+- name: ensure podman user
+  user:
+    name: podman
+    state: present
+    group: podman
+    system: True
+
+- name: ensure podman is installed
+  apt:
+    name:
+      - fuse-overlayfs
+      - "podman={{ podman_version }}"
+      - uidmap
+    state: present
+
+- name: enable podman
+  systemd:
+    name: podman
+    state: started
+    enabled: True
+    daemon_reload: True
+  changed_when: False
+...
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@ -39,6 +39,6 @@ plugin_dir = "/opt/nomad_plugins"
 plugin "nomad-driver-podman" {
  enabled   = true
  config {
-    socket_path = "unix:///run/user/{{ getent_passwd.podman[1] }}/podman/podman.sock"
+    socket_path = "unix:///run/user/1000/podman/podman.sock"
  }
 }
--- a/docker/nextcloud/Dockerfile
+++ b/docker/nextcloud/Dockerfile
@ -1,4 +1,4 @@
-FROM nextcloud:23.0-apache
+FROM nextcloud:21.0.0-apache

 # Copy masked.name root cert
 COPY files/MaskedName_Root_CA.crt /usr/local/share/ca-certificates/MaskedName_Root_CA.crt
--- a/docker/sudoscientist-go-backend/Dockerfile
+++ b/docker/sudoscientist-go-backend/Dockerfile
@ -1,4 +1,4 @@
-FROM golang:alpine
+FROM golang:1.17-alpine3.14

 RUN apk add --no-cache ca-certificates git && \
    go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@latest && \
@ -6,7 +6,7 @@ RUN apk add --no-cache ca-certificates git && \
    cd ${GOPATH}/src/git.minhas.io/asara && \
    git clone https://git.minhas.io/asara/sudoscientist-go-backend && \
    cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist-go-backend && \
-    go mod init && go get && go build -o /go/bin/sudoscientist-go-backend main.go && \
+    go mod init && go get && go build main.go && \
    mv /go/bin/* /usr/local/bin/ && \
    rm -rf /go/src && \
    apk del git
--- a/nomad/gitea.nomad
+++ b/nomad/gitea.nomad
@ -23,7 +23,7 @@ job "gitea" {
      }
      driver = "docker"
      config {
-        image   = "docker.service.masked.name:8082/gitea:latest"
+        image   = "docker.service.masked.name:8082/gitea"
        ports   = ["http"]
        volumes = [
            "/mnt/raid/gitea:/data"
--- a/nomad/nextcloud.nomad
+++ b/nomad/nextcloud.nomad
@ -23,7 +23,7 @@ job "nextcloud" {
      }
      driver = "docker"
      config {
-        image   = "docker.service.masked.name:8082/nextcloud:latest"
+        image   = "docker.service.masked.name:8082/nextcloud:21.0.0-apache"
        ports   = ["nextcloud"]
        volumes = [
            "/mnt/raid/nextcloud/:/var/www/html"
--- a/nomad/sudoscientist-go-backend.nomad
+++ b/nomad/sudoscientist-go-backend.nomad
@ -5,10 +5,9 @@ job "sudoscientist-go-backend" {

  constraint {
    attribute = "${attr.cpu.arch}"
-    value     = "amd64"
+    value     = "arm64"
  }

-
  update {
    stagger      = "30s"
    max_parallel = 1