Move pangolin role

ansible/roles/pangolin_server/tasks/main.yaml

@@ -0,0 +1,134 @@
+- name: Create a pangolin group
+  group:
+    name: pangolin
+    state: present
+    gid: 1051
+
+- name: Create a pangolin user
+  user:
+    name: pangolin
+    uid: 1051
+    group: 1051
+    comment: "pangolin user"
+    shell: /bin/bash
+    state: present
+    create_home: yes
+
+- name: Permanently enable http service (firewalld)
+  ansible.posix.firewalld:
+    service: http
+    state: enabled
+    permanent: true
+    immediate: true
+    offline: true
+
+- name: Permanently enable https service (firewalld)
+  ansible.posix.firewalld:
+    service: https
+    state: enabled
+    permanent: true
+    immediate: true
+    offline: true
+
+- name: Permanently enable wireguard service (firewalld)
+  ansible.posix.firewalld:
+    service: wireguard
+    state: enabled
+    permanent: true
+    immediate: true
+    offline: true
+
+- name: Permit traffic in default zone on port 21820/udp
+  ansible.posix.firewalld:
+    port: 21820/udp
+    permanent: true
+    state: enabled
+    immediate: true
+    offline: true
+
+- name: Install epel
+  package:
+    name: epel-release
+    state: present
+
+- name: Install podman
+  package:
+    name: podman
+    state: present
+
+- name: Install podman-compose
+  package:
+    name: podman-compose
+    state: present
+
+- name: Start and enable podman service
+  service:
+    name: podman
+    state: started
+    enabled: true
+
+- name: Start and enabled podman-restart
+  service:
+    name: podman-restart
+    state: started
+    enabled: true
+
+- name: Create pangolin config, logging and backup directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: pangolin
+    group: pangolin
+  loop:
+    - /home/pangolin/config
+    - /home/pangolin/config/db
+    - /home/pangolin/config/traefik
+    - /home/pangolin/config/letsencrypt
+    - /home/pangolin/config/logs
+    - /home/pangolin/backups
+
+- name: Create pangolin config
+  template: 
+    src: templates/config.yaml.j2
+    dest: /home/pangolin/config/config.yml
+    owner: pangolin
+    group: pangolin
+    mode: 0600
+
+- name: Create traefik config
+  template:
+    src: templates/traefik_config.yaml.j2
+    dest: /home/pangolin/config/traefik/traefik_config.yml
+    owner: pangolin
+    group: pangolin
+    mode: 0600
+
+- name: Create traefik dynamic config
+  template: 
+    src: templates/dynamic_config.yaml.j2
+    dest: /home/pangolin/config/traefik/dynamic_config.yml
+    owner: pangolin
+    group: pangolin
+    mode: 0600
+
+- name: Create or update docker-compose
+  template:
+    src: templates/docker-compose.yaml.j2
+    dest: /home/pangolin/docker-compose.yaml
+    owner: pangolin
+    group: pangolin
+    mode: 0600
+  notify: Restart pangolin
+
+- name: Create local backup of config directory
+  copy:
+    src: /home/pangolin/config
+    dest: /home/pangolin/backups/config.backup.{{ ansible_date_time.date }}
+    remote_src: yes
+
+- name: Create local backup of docker-compose
+  copy:
+    src: /home/pangolin/docker-compose.yaml
+    dest: /home/pangolin/backups/docker-compose.yaml.backup.{{ ansible_date_time.date }}
+    remote_src: yes

ansible/roles/pangolin_server/tasks/templates/config.yaml.j2

@@ -0,0 +1,18 @@
+app:
+  dashboard_url: "https://{{ pangolin_base_domain }}"
+
+domains:
+  domain1:
+    base_domain: "{{ pangolin_base_domain }}"
+    cert_resolver: "letsencrypt"
+
+server:
+  secret: {{ pangolin_secret_string }}
+
+gerbil:
+  base_endpoint: "{{ pangolin_base_domain }}"
+
+flags:
+  require_email_verification: {{ require_email_verification }}
+  disable_signup_without_invite:  {{ disable_signup_without_invite }}
+  disable_user_create_org: {{ disable_user_create_org }}

ansible/roles/pangolin_server/tasks/templates/docker-compose.yaml.j2

@@ -0,0 +1,58 @@
+services:
+  pangolin:
+    image: fosrl/pangolin:{{ pangolin_version }} # https://github.com/fosrl/pangolin/releases
+    container_name: pangolin
+    restart: unless-stopped
+    volumes:
+      - ./config:/app/config
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
+      interval: "3s"
+      timeout: "3s"
+      retries: 15
+
+  gerbil:
+    image: fosrl/gerbil:{{ gerbil_version }} # https://github.com/fosrl/gerbil/releases
+    container_name: gerbil
+    restart: unless-stopped
+    depends_on:
+      pangolin:
+        condition: service_healthy
+    command:
+      - --reachableAt=http://gerbil:3004
+      - --generateAndSaveKeyTo=/var/config/key
+      - --remoteConfig=http://pangolin:3001/api/v1/
+    volumes:
+      - ./config/:/var/config
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    ports:
+      - "[::1]:51820:51820/udp"
+      - 51820:51820/udp
+      - "[::1]:21820:21820/udp"
+      - 21820:21820/udp
+      - "[::1]:443:443"
+      - 443:443 # Port for traefik because of the network_mode
+      - "[::1]:80:80"
+      - 80:80 # Port for traefik because of the network_mode
+
+  traefik:
+    image: traefik:v{{ traefik_version }}
+    container_name: traefik
+    restart: unless-stopped
+    network_mode: service:gerbil # Ports appear on the gerbil service
+    depends_on:
+      pangolin:
+        condition: service_healthy
+    command:
+      - --configFile=/etc/traefik/traefik_config.yml
+    volumes:
+      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
+      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
+      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
+
+networks:
+  default:
+    driver: bridge
+    name: pangolin

ansible/roles/pangolin_server/tasks/templates/dynamic_config.yaml.j2

@@ -0,0 +1,64 @@
+http:
+  middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+
+  routers:
+    # HTTP to HTTPS redirect router
+    main-app-router-redirect:
+      rule: "Host(`{{ pangolin_base_domain }}`)" 
+      service: next-service
+      entryPoints:
+        - web
+      middlewares:
+        - redirect-to-https
+        - badger
+
+    # Next.js router (handles everything except API and WebSocket paths)
+    next-router:
+      rule: "Host(`{{ pangolin_base_domain }}`) && !PathPrefix(`/api/v1`)" # REPLACE WITH YOUR DOMAIN
+      service: next-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - badger
+      tls:
+        certResolver: letsencrypt
+
+    # API router (handles /api/v1 paths)
+    api-router:
+      rule: "Host(`{{ pangolin_base_domain }}`) && PathPrefix(`/api/v1`)" # REPLACE WITH YOUR DOMAIN
+      service: api-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - badger
+      tls:
+        certResolver: letsencrypt
+
+    # WebSocket router
+    ws-router:
+      rule: "Host(`{{ pangolin_base_domain }}`)" # REPLACE WITH YOUR DOMAIN
+      service: api-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - badger
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    next-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3002" # Next.js server
+
+    api-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3000" # API/WebSocket server

ansible/roles/pangolin_server/tasks/templates/traefik_config.yaml.j2

@@ -0,0 +1,47 @@
+api:
+  insecure: true
+  dashboard: true
+
+providers:
+  http:
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
+  file:
+    filename: "/etc/traefik/dynamic_config.yml"
+
+experimental:
+  plugins:
+    badger:
+      moduleName: "github.com/fosrl/badger"
+      version: "v1.3.0"
+
+log:
+  level: "INFO"
+  format: "common"
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      httpChallenge:
+        entryPoint: web
+      email: {{ pangolin_cert_email }}
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    transport:
+      respondingTimeouts:
+        readTimeout: "30m"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+
+serversTransport:
+  insecureSkipVerify: true
+
+ping:
+    entryPoint: "web"