services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

moving closer to podman systemd services for everything

Browse Source
This commit is contained in:
Reese Wells
2025-04-19 12:52:56 -04:00
parent 9acff25d43
commit 6e393d90ee
47 changed files with 1455 additions and 433 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
systemd/graduated/borg/borg.md Normal file
View File

@@ -0,0 +1,72 @@
# Borg Backup
## Server Setup
<https://borgbackup.readthedocs.io/en/stable/deployment/central-backup-server.html#user-and-group>
User: backup
Group: backup
Shell: /bin/bash (or other capable to run the borg serve command)
Home: /home/backup
```bash
dnf install borgbackup
useradd backup
mkdir /home/backup/.ssh
touch /home/backup/.ssh/authorized_keys
chown -R backup:backup /home/backup/.ssh
```
### Adding a Client
Note: See [adding nextcloud](#adding-nextcloud) for nextcloud instructions here.
```bash
export BACKUP_HOST=""
ssh-keygen -C backup@${BACKUP_HOST} -f ~/.ssh/id_${BACKUP_HOST}
cat <<EOF >> ~/.ssh/config
Host ${BACKUP_HOST}
Hostname ${BACKUP_HOST}
IdentityFile ~/.ssh/id_${BACKUP_HOST}
User backup
Port 22
KeepAlive yes
EOF
```
Now on the server:
```bash
export CLIENT_FQDN=""
# Should look like ssh-rsa abcd1234 backup@fqdn.something.com
export SSH_PUBKEY=""
export AUTHKEY_ENTRY="command=\"cd /home/backup/repos/${CLIENT_FQDN}; borg serve --restrict-to-path /home/backup/repos/${CLIENT_FQDN}\",restrict ${SSH_PUBKEY}"
echo $AUTHKEY_ENTRY >> /home/backup/.ssh/authorized_keys
mkdir /home/backup/repos/${CLIENT_FQDN}
chown backup:backup /home/backup/repos/${CLIENT_FQDN}
```
Then back on the client:
```bash
ssh borg.reeselink.com
borg init --encryption none backup@${BACKUP_HOST}:root
```
#### Adding Nextcloud
Rather than creating a client, just set the borg backup location to:
```text
backup@borg.reeselink.com:nextcloud
```
Then run the backup. It will generate a pubkey. Copy this into the authorized_keys file.

0
systemd/graduated/borg/borg.service Normal file
View File

75
systemd/graduated/borg/borg.sh Normal file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
export BACKUP_HOST=driveripper.reeselink.com
sshfs ${BACKUP_HOST}:backup /backup
# Setting this, so the repo does not need to be given on the commandline:
export BORG_REPO='/backup'
# some helpers and error handling:
info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
trap 'echo $( date ) Backup interrupted >&2; exit 2' INT TERM
info "Starting backup"
# Backup the most important directories into an archive named after
# the machine this script is currently running on:
borg create \
--verbose \
--filter AME \
--list \
--stats \
--show-rc \
--compression none \
--exclude-caches \
--exclude 'home/*/.cache/*' \
--exclude 'var/tmp/*' \
\
::'{hostname}-{now}' \
/etc \
/home \
/root \
/var
backup_exit=$?
info "Pruning repository"
# Use the `prune` subcommand to maintain 7 daily, 4 weekly and 6 monthly
# archives of THIS machine. The '{hostname}-*' matching is very important to
# limit prune's operation to this machine's archives and not apply to
# other machines' archives also:
borg prune \
--list \
--glob-archives '{hostname}-*' \
--show-rc \
--keep-daily 7 \
--keep-weekly 2 \
--keep-monthly 1
prune_exit=$?
# actually free repo disk space by compacting segments
info "Compacting repository"
borg compact
compact_exit=$?
# use highest exit code as global exit code
global_exit=$(( backup_exit > prune_exit ? backup_exit : prune_exit ))
global_exit=$(( compact_exit > global_exit ? compact_exit : global_exit ))
if [ ${global_exit} -eq 0 ]; then
info "Backup, Prune, and Compact finished successfully"
elif [ ${global_exit} -eq 1 ]; then
info "Backup, Prune, and/or Compact finished with warnings"
else
info "Backup, Prune, and/or Compact finished with errors"
fi
fusermount -u /backup
exit ${global_exit}

0
systemd/graduated/borg/borg.timer Normal file
View File

15
systemd/graduated/ddns/ddns.md
View File

@@ -1,15 +0,0 @@
# DDNS Service
Since we occasionally need an ipv4 address we'll make one.
This creates and keeps updated ipv4 records for reeseapps.com and reeselink.com
as specified in vars.yaml
**NOTE**: This requires the aws cli to be installed on each node with
credentials that can modify records in route53. See
[aws_iam](/cloud/graduated/aws_iam/aws_iam.md) and
[aws_cli](/cloud/graduated/aws_cli/aws_cli.md)
```bash
ansible-playbook -i ansible/inventory.yaml systemd/graduated/ddns/install_ddns.yaml
```

5
systemd/graduated/ddns/ddns.service
View File

@@ -1,5 +0,0 @@
[Unit]
Description=Updates the IPv4 records with the current public IPV4 address
[Service]
ExecStart=/usr/local/scripts/ddns.sh

29
systemd/graduated/ddns/ddns.sh
View File

@@ -1,29 +0,0 @@
#!/bin/bash
# Get public IP address (there are many ways to do it, I picked this way)
PUBLIC_IPV4=$(curl -4 ifconfig.me)
PUBLIC_IPV6=$(curl -6 ifconfig.me)
# Update reeselink records
cat /etc/ddns/ipv4_reeselink_record_template.json \
| jq '.Changes[0].ResourceRecordSet.ResourceRecords[0].Value = "'$PUBLIC_IPV4'"' \
> /etc/ddns/ipv4_reeselink_record.json
cat /etc/ddns/ipv6_reeselink_record_template.json \
| jq '.Changes[0].ResourceRecordSet.ResourceRecords[0].Value = "'$PUBLIC_IPV6'"' \
> /etc/ddns/ipv6_reeselink_record.json
# Update reeseapps records
cat /etc/ddns/ipv4_reeseapps_record_template.json \
| jq '.Changes[].ResourceRecordSet.ResourceRecords[0].Value = "'$PUBLIC_IPV4'"' \
> /etc/ddns/ipv4_reeseapps_record.json
cat /etc/ddns/ipv6_reeseapps_record_template.json \
| jq '.Changes[].ResourceRecordSet.ResourceRecords[0].Value = "'$PUBLIC_IPV6'"' \
> /etc/ddns/ipv6_reeseapps_record.json
# Update reeselink records
aws route53 change-resource-record-sets --hosted-zone-id {{ reeselink_zone_id }} --change-batch file:///etc/ddns/ipv4_reeselink_record.json
aws route53 change-resource-record-sets --hosted-zone-id {{ reeselink_zone_id }} --change-batch file:///etc/ddns/ipv6_reeselink_record.json
# Update reeseapps records
aws route53 change-resource-record-sets --hosted-zone-id {{ reeseapps_zone_id }} --change-batch file:///etc/ddns/ipv4_reeseapps_record.json
aws route53 change-resource-record-sets --hosted-zone-id {{ reeseapps_zone_id }} --change-batch file:///etc/ddns/ipv6_reeseapps_record.json

11
systemd/graduated/ddns/ddns.timer
View File

@@ -1,11 +0,0 @@
[Unit]
Description=Run ddns service every hour
[Timer]
OnCalendar=hourly
AccuracySec=10min
Persistent=true
Unit=ddns.service
[Install]
WantedBy=timers.target

78
systemd/graduated/ddns/install_ddns.yaml
View File

@@ -1,78 +0,0 @@
- name: Create DDNS Service
hosts: 3dserver
vars_files:
- vars.yaml
- secrets/secret_vars.yaml
tasks:
- name: Ensure moreutils, jq is installed
ansible.builtin.dnf:
name:
- moreutils
- jq
state: present
- name: Create /usr/local/scripts dir
ansible.builtin.file:
path: /usr/local/scripts
state: directory
mode: '0755'
- name: Copy ddns.sh
template:
src: ddns.sh
dest: /usr/local/scripts/ddns.sh
owner: root
group: root
mode: '0755'
- name: Create /etc/ddns dir
ansible.builtin.file:
path: /etc/ddns
state: directory
mode: '0755'
- name: Copy IPv4 reeseapps_record_template.json
template:
src: ipv4_reeseapps_record_template.json.j2
dest: /etc/ddns/ipv4_reeseapps_record_template.json
owner: root
group: root
mode: '0644'
- name: Copy IPv4 reeselink_record_template.json
template:
src: ipv4_reeselink_record_template.json.j2
dest: /etc/ddns/ipv4_reeselink_record_template.json
owner: root
group: root
mode: '0644'
- name: Copy IPv6 reeseapps_record_template.json
template:
src: ipv6_reeseapps_record_template.json.j2
dest: /etc/ddns/ipv6_reeseapps_record_template.json
owner: root
group: root
mode: '0644'
- name: Copy IPv6 reeselink_record_template.json
template:
src: ipv6_reeselink_record_template.json.j2
dest: /etc/ddns/ipv6_reeselink_record_template.json
owner: root
group: root
mode: '0644'
- name: Copy ddns.service
template:
src: ddns.service
dest: /etc/systemd/system/ddns.service
owner: root
group: root
mode: '0644'
- name: Copy ddns.timer
template:
src: ddns.timer
dest: /etc/systemd/system/ddns.timer
owner: root
group: root
mode: '0644'
- name: Run ddns script
ansible.builtin.shell: /usr/local/scripts/ddns.sh
- name: Reload ddns timer
ansible.builtin.systemd_service:
state: restarted
name: ddns.timer
enabled: true

20
systemd/graduated/ddns/ipv4_reeseapps_record_template.json.j2
View File

@@ -1,20 +0,0 @@
{
"Comment": "Update Public IPV4 Address",
"Changes": [
{%- for item in records.reeseapps %}
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "{{ item }}.reeseapps.com",
"Type": "A",
"TTL": 300,
"ResourceRecords": [
{
"Value": ""
}
]
}
}{{ ", " if not loop.last else "" }}
{%- endfor %}
]
}

20
systemd/graduated/ddns/ipv4_reeselink_record_template.json.j2
View File

@@ -1,20 +0,0 @@
{
"Comment": "Update Public IPV4 Address",
"Changes": [
{%- for item in records.reeselink %}
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "{{ item }}.reeselink.com",
"Type": "A",
"TTL": 300,
"ResourceRecords": [
{
"Value": ""
}
]
}
}{{ ", " if not loop.last else "" }}
{%- endfor %}
]
}

20
systemd/graduated/ddns/ipv6_reeseapps_record_template.json.j2
View File

@@ -1,20 +0,0 @@
{
"Comment": "Update Public IPV4 Address",
"Changes": [
{%- for item in records.reeseapps %}
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "{{ item }}.reeseapps.com",
"Type": "AAAA",
"TTL": 300,
"ResourceRecords": [
{
"Value": ""
}
]
}
}{{ ", " if not loop.last else "" }}
{%- endfor %}
]
}

20
systemd/graduated/ddns/ipv6_reeselink_record_template.json.j2
View File

@@ -1,20 +0,0 @@
{
"Comment": "Update Public IPV4 Address",
"Changes": [
{%- for item in records.reeselink %}
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "{{ item }}.reeselink.com",
"Type": "AAAA",
"TTL": 300,
"ResourceRecords": [
{
"Value": ""
}
]
}
}{{ ", " if not loop.last else "" }}
{%- endfor %}
]
}

7
systemd/graduated/ddns/vars.yaml
View File

@@ -1,7 +0,0 @@
records:
reeseapps:
- nextcloud
- gitea
- git
reeselink:
- ipv4