roles: refactor roles to start a docker container with directus and psotgresql database, add text-editor tool

.gitignore

@@ -1,3 +1,3 @@
 # ---> Ansible
 *.retry
-
+.env

inventory/hosts.ini

@@ -1,5 +1,11 @@
-[almalinux]
+[almalinux-root]
 vps-root
 
 [almalinux-user]
 vps
+
+[all:vars]
+user_name="jan"
+domain="janvoelkel-de"
+op_password_path="SSH/MyVPS jan/password"
+dnf_text_editor="nano"

playbooks/add_user.yml

@@ -3,8 +3,8 @@
   hosts: almalinux-user
   become: yes
   vars_prompt:
-    - name: "username"
+    - name: "user_name"
-      prompt: "Please enter the username to be created"
+      prompt: "Please enter the user_name to be created"
       private: no  # Der Benutzername wird sichtbar eingegeben
     - name: "user_password"
       prompt: "Please enter the password for the new user"

playbooks/setup_server.yml

@@ -1,18 +1,15 @@
----
+# ---
-- name: Server setup with roles
+# - name: Server setup with roles
-  hosts: almalinux  # Hier verwenden wir die Gruppe 'almalinux' aus der hosts.ini
+#   hosts: almalinux-root
+#   become: yes
+#   roles:
+#     - firewalld
+#     - dnf_tools
+#     - docker
+#     - create_user_with_root
+
+- name: Create directus with database
+  hosts: vps
   become: yes
-  vars_prompt:
-    - name: "username"
-      prompt: "Please enter the username to be created"
-      private: no  # Der Benutzername wird sichtbar eingegeben
-    - name: "user_password"
-      prompt: "Please enter the password for the new user"
-      private: yes  # Das Passwort wird versteckt eingegeben
-    - name: "ssh_public_key"
-      prompt: "Please enter the public key for ssh of your pc"
-      private: no
   roles:
-  # firewall
+    - directus
-    - create_user_with_root
-  # firewall

roles/create_user_with_root/files/authorized_keys

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRnv0VogdTwQWhfYqKaIMzSll2JG4hvO9jryP8aJl4u MacBook Pro von Jan
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkNsib7eOmVt7EPp7R1QJ4iZRBu8MqsvGUaF9JdcbyU iPhone 16 Pro Max von Jan

roles/create_user_with_root/tasks/main.yml

@@ -1,42 +1,58 @@
 
 - name: Erstelle einen neuen User mit Sudo-Rechten
   user:
-    name: "{{ username }}"
+    name: "{{ user_name }}"
-    password: "{{ user_password | password_hash('sha512') }}"  # Das Passwort wird mit SHA-512 gehasht
+    password: "{{ lookup('pipe', 'op read \"op://' + op_password_path + '\"') | password_hash('sha512') }}"
     state: present
     shell: /bin/bash
-    groups: wheel  # Gibt Sudo-Rechte
+    groups: wheel
     append: yes
 
 - name: Erstelle den SSH-Ordner für den neuen User
   file:
-    path: "/home/{{ username }}/.ssh"
+    path: "/home/{{ user_name }}/.ssh"
     state: directory
     mode: '0700'
-    owner: "{{ username }}"
+    owner: "{{ user_name }}"
-    group: "{{ username }}"
+    group: "{{ user_name }}"
 
 - name: Setze die Berechtigungen für die authorized_keys-Datei
   file:
-    path: "/home/{{ username }}/.ssh/authorized_keys"
+    path: "/home/{{ user_name }}/.ssh/authorized_keys"
     state: touch
     mode: '0600'
-    owner: "{{ username }}"
+    owner: "{{ user_name }}"
-    group: "{{ username }}"
+    group: "{{ user_name }}"
 
-- name: Add public key to enable user ssh
+- name: Add public keys as authorized_keys
-  lineinfile:
+  copy:
-    path: "/home/{{ username }}/.ssh/authorized_keys"
+    src: files/authorized_keys
-    line: '{{ ssh_public_key }}'
+    dest: "/home/{{ user_name }}/.ssh/authorized_keys"
-    state: present
   
-- name: Grant sudo privileges to the user
+- name: Grant passwordless sudo privileges to the user
   lineinfile:
     path: /etc/sudoers
-    regexp: "^{{ username }} "
+    regexp: "^{{ user_name }} "
-    line: "{{ username }} ALL=(ALL) ALL"
+    line: "{{ user_name }} ALL=(ALL) NOPASSWD: ALL"
     validate: visudo -cf %s
 
+- name: Ensure Docker group exists
+  ansible.builtin.group:
+    name: docker
+    state: present
+
+- name: Add user to Docker group
+  ansible.builtin.user:
+    name: "{{ user_name }}"
+    groups: docker
+    append: yes
+
+- name: Enable and start Docker service
+  ansible.builtin.service:
+    name: docker
+    state: started
+    enabled: yes
+
 - name: Entferne den Root-SSH-Zugang
   lineinfile:
     path: /etc/ssh/sshd_config

roles/directus/files/.env.example

@@ -0,0 +1,24 @@
+
+# database
+POSTGRES_USER="database_user" # This variable needs to be specified here.
+POSTGRES_PASSWORD="database_password"
+POSTGRES_DB="database_name"
+
+# directus
+SECRET="<create with 'openssl rand -hex 32'>"
+DB_CLIENT="pg"
+DB_HOST="database"
+DB_PORT="5432"
+DB_DATABASE="database_name"
+DB_USER="database_user"
+DB_PASSWORD="database_password"
+ADMIN_EMAIL="directus_login_mail"
+ADMIN_PASSWORD="directus_login_password"
+CACHE_ENABLED="true"
+CACHE_AUTO_PURGE="true"
+CACHE_STORE="redis"
+REDIS="redis://cache:6379"
+
+# pgadmin4
+# PGADMIN_DEFAULT_EMAIL="pgadmin4_login_mail"
+# PGADMIN_DEFAULT_PASSWORD="pgadmin4_login_password"

roles/directus/files/docker-compose.yml

@@ -0,0 +1,52 @@
+
+services:
+  database:
+    env_file: .env
+    healthcheck:
+      test: ["CMD", "pg_isready", "--host=localhost", "--username=${POSTGRES_USER}", "--dbname=${POSTGRES_DB}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_interval: 5s
+      start_period: 30s
+    image: postgis/postgis:13-master
+    # platform: linux/amd64 # Required when running on platform other than amd64, like Apple M1/M2:
+    volumes:
+      - db:/var/lib/postgresql/data
+
+  # pgadmin4:
+  #   container_name: pgadmin4
+  #   depends_on:
+  #     - database
+  #   env_file: .env
+  #   image: docker.io/dpage/pgadmin4:8.14
+  #   ports:
+  #     - 5050:80
+  #   restart: unless-stopped
+
+  cache:
+    healthcheck:
+      test: ["CMD-SHELL", "[ $$(redis-cli ping) = 'PONG' ]"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_interval: 5s
+      start_period: 30s
+    image: redis:6
+
+  directus:
+    depends_on:
+      database:
+        condition: service_healthy
+      cache:
+        condition: service_healthy
+    env_file: .env
+    image: directus/directus:11.5.1
+    ports:
+      - 8055:8055
+    volumes:
+      - ./uploads:/directus/uploads
+      - ./extensions:/directus/extensions
+
+volumes:
+  db:

roles/directus/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: Ensure project base directory exists
+  file:
+    path: "/opt/{{ domain }}"
+    state: directory
+    owner: "{{ user_name }}"
+    group: "{{ user_name }}"
+    mode: '0755'
+
+- name: Ensure Directus project directory exists
+  file:
+    path: "/opt/{{ domain }}/directus"
+    state: directory
+    owner: "{{ user_name }}"
+    group: "{{ user_name }}"
+    mode: '0755'
+
+- name: Copy docker compose file (directus)
+  copy:
+    src: "files/docker-compose.yml"
+    dest: "/opt/{{ domain }}/directus"
+
+- name: Copy env file (directus)
+  copy:
+    src: "files/.env"
+    dest: "/opt/{{ domain }}/directus"
+
+- name: Start docker container with compose file
+  community.docker.docker_compose_v2:
+    project_src: "/opt/{{ domain }}/directus"
+    files:
+      - "docker-compose.yml"

roles/dnf_tools/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Install DNF tools
+  dnf:
+    name: "{{ dnf_text_editor }}"
+    state: present

roles/docker/files/daemon.json

@@ -0,0 +1,3 @@
+{
+    "iptables": false
+}

roles/docker/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Remove old versions of Docker and conflicting packages
+  dnf:
+    name:
+      - docker
+      - docker-client
+      - docker-client-latest
+      - docker-common
+      - docker-latest
+      - docker-latest-logrotate
+      - docker-logrotate
+      - docker-engine
+      - podman
+      - runc
+    state: absent
+
+- name: Install DNF plugins
+  dnf:
+    name: dnf-plugins-core
+    state: present
+
+- name: Add Docker repository (RHEL official repo)
+  command: dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo
+  args:
+    creates: /etc/yum.repos.d/docker-ce.repo
+
+- name: Update package cache
+  command: dnf makecache
+
+- name: Install Docker CE, CLI and other components
+  dnf:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
+    state: present
+
+- name: Enable and start Docker service
+  systemd:
+    name: docker
+    state: started
+    enabled: yes
+
+- name: Disable iptables
+  copy:
+    src: files/daemon.json
+    dest: /etc/docker/daemon.json
+
+- name: Restart firewalld
+  command: firewall-cmd --reload
+
+- name: Restart Docker service
+  systemd:
+    name: docker
+    state: restarted

roles/firewalld/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Install
+  package:
+    name: firewalld
+    state: present
+
+- name: Start and activate
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+
+- name: Block all ports
+  firewalld:
+    zone: public
+    service: ssh
+    permanent: yes
+    state: enabled

roles/setup_server/defaults/main.yml

@@ -1,4 +0,0 @@
----
-# roles/setup_server/defaults/main.yml
-
-username: jan

roles/setup_server/handlers/main.yml

@@ -1,7 +0,0 @@
----
-# roles/setup_server/handlers/main.yml
-
-- name: restart sshd
-  service:
-    name: sshd
-    state: restarted

roles/setup_server/tasks/main.yml

@@ -1,109 +0,0 @@
----
-# roles/setup_server/tasks/main.yml
-
-- name: Erstelle einen neuen User mit Sudo-Rechten
-  user:
-    name: "{{ username }}"
-    password: "{{ user_password | password_hash('sha512') }}"  # Das Passwort wird mit SHA-512 gehasht
-    state: present
-    shell: /bin/bash
-    groups: wheel  # Gibt Sudo-Rechte
-    append: yes
-
-- name: Erstelle den SSH-Ordner für den neuen User
-  file:
-    path: "/home/{{ username }}/.ssh"
-    state: directory
-    mode: '0700'
-    owner: "{{ username }}"
-    group: "{{ username }}"
-
-- name: Setze die Berechtigungen für die authorized_keys-Datei
-  file:
-    path: "/home/{{ username }}/.ssh/authorized_keys"
-    state: touch
-    mode: '0600'
-    owner: "{{ username }}"
-    group: "{{ username }}"
-
-- name: Entferne den Root-SSH-Zugang
-  lineinfile:
-    path: /etc/ssh/sshd_config
-    regexp: '^PermitRootLogin'
-    line: 'PermitRootLogin no'
-    state: present
-  notify:
-    - restart sshd
-
-- name: Installiere firewalld
-  package:
-    name: firewalld
-    state: present
-
-- name: Starte und aktiviere firewalld
-  service:
-    name: firewalld
-    state: started
-    enabled: yes
-
-- name: Sperre alle Ports in firewalld
-  firewalld:
-    zone: public
-    service: ssh
-    permanent: yes
-    state: enabled
-
-# roles/setup_server/tasks/main.yml
-
-- name: Entferne alte Docker-Versionen, falls vorhanden
-  dnf:
-    name:
-      - docker
-      - docker-client
-      - docker-client-latest
-      - docker-common
-      - docker-latest
-      - docker-latest-logrotate
-      - docker-logrotate
-      - docker-engine
-      - podman
-      - runc
-    state: absent
-
-- name: Installiere DNF-Plugins und Docker-Repository
-  dnf:
-    name: dnf-plugins-core
-    state: present
-
-- name: Installiere Docker CE, CLI und andere Docker-Komponenten
-  dnf:
-    name:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
-      - docker-buildx-plugin
-      - docker-compose-plugin
-    state: present
-
-- name: Aktiviere und starte Docker
-  service:
-    name: docker
-    state: started
-    enabled: yes
-
-- name: Füge den neuen User zur Docker-Gruppe hinzu
-  user:
-    name: "{{ username }}"
-    groups: docker
-    append: yes
-
-- name: Starte den Docker-Dienst neu, um Änderungen zu übernehmen
-  systemd:
-    name: docker
-    state: restarted
-
-- name: Deaktiviere Docker-Zone in firewalld
-  firewalld:
-    zone: docker
-    state: disabled
-    permanent: yes