From 15f342d9e3751ca9404567b49626ec43789a30e5 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sun, 17 Nov 2024 23:55:02 +0100
Subject: add migrating privatebin blog article
---
content/blog/ansible/privatebin.md | 228 +++++++++++++++++++++++++++++++++++++
1 file changed, 228 insertions(+)
create mode 100644 content/blog/ansible/privatebin.md
diff --git a/content/blog/ansible/privatebin.md b/content/blog/ansible/privatebin.md
new file mode 100644
index 0000000..abbf527
--- /dev/null
+++ b/content/blog/ansible/privatebin.md
@@ -0,0 +1,228 @@
+---
+title: 'Migrating privatebin from NixOS to Debian'
+description: 'How I deploy privatebin with ansible'
+date: '2024-11-17'
+tags:
+- ansible
+- privatebin
+---
+
+## Introduction
+
+I am migrating several services from a NixOS server (myth.adyxax.org) to a Debian server (lore.adyxax.org). Here is how I performed the operation for my self hosted [privatebin](https://privatebin.info/) served from paste.adyxax.org.
+
+## Ansible role
+
+### Meta
+
+The `meta/main.yaml` contains the role dependencies:
+
+``` yaml
+---
+dependencies:
+ - role: 'borg'
+ - role: 'nginx'
+ - role: 'podman'
+```
+
+### Tasks
+
+The `tasks/main.yaml` file only creates a data directory and drops a configuration file. All the heavy lifting is then done by calling other roles:
+
+``` yaml
+---
+- name: 'Make privatebin data directory'
+ file:
+ path: '/srv/privatebin'
+ owner: '65534'
+ group: '65534'
+ mode: '0750'
+ state: 'directory'
+
+- name: 'Deploy privatebin configuration file'
+ copy:
+ src: 'privatebin.conf.php'
+ dest: '/etc/'
+ owner: 'root'
+ mode: '0444'
+ notify: 'restart privatebin'
+
+- include_role:
+ name: 'podman'
+ tasks_from: 'container'
+ vars:
+ container:
+ cmd: ['--config-path', '/srv/cfg/conf.php']
+ name: 'privatebin'
+ env_vars:
+ - name: 'PHP_TZ'
+ value: 'Europe/Paris'
+ - name: 'TZ'
+ value: 'Europe/Paris'
+ image: '{{ versions.privatebin.image }}:{{ versions.privatebin.tag }}'
+ publishs:
+ - container_port: '8080'
+ host_port: '8082'
+ ip: '127.0.0.1'
+ volumes:
+ - dest: '/srv/cfg/conf.php:ro'
+ src: '/etc/privatebin.conf.php'
+ - dest: '/srv/data'
+ src: '/srv/privatebin'
+
+- include_role:
+ name: 'nginx'
+ tasks_from: 'vhost'
+ vars:
+ vhost:
+ name: 'privatebin'
+ path: 'roles/paste.adyxax.org/files/nginx-vhost.conf'
+
+- include_role:
+ name: 'borg'
+ tasks_from: 'client'
+ vars:
+ client:
+ jobs:
+ - name: 'data'
+ paths:
+ - '/srv/privatebin'
+ name: 'privatebin'
+ server: '{{ paste_adyxax_org.borg }}'
+```
+
+### Handlers
+
+There is a single handler:
+
+``` yaml
+---
+- name: 'restart privatebin'
+ service:
+ name: 'podman-privatebin'
+ state: 'restarted'
+```
+
+### Files
+
+First there is my privatebin configuration, fairly simple:
+
+``` php
+;###############################################################################
+;# \_o< WARNING : This file is being managed by ansible! >o_/ #
+;# ~~~~ ~~~~ #
+;###############################################################################
+
+[main]
+discussion = true
+opendiscussion = false
+password = true
+fileupload = true
+burnafterreadingselected = false
+defaultformatter = "plaintext"
+sizelimit = 10000000
+template = "bootstrap"
+notice = "Note: This is a personal sharing service: Data may be deleted anytime. Don't share illegal, unethical or morally reprehensible content."
+languageselection = true
+zerobincompatibility = false
+[expire]
+default = "1week"
+[expire_options]
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+1month = 2592000
+1year = 31536000
+[formatter_options]
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+[traffic]
+limit = 10
+header = "X_FORWARDED_FOR"
+dir = PATH "data"
+[purge]
+limit = 300
+batchsize = 10
+dir = PATH "data"
+[model]
+class = Filesystem
+[model_options]
+dir = PATH "data"
+```
+
+Then the nginx vhost file, fairly straightforward too:
+
+``` nginx
+###############################################################################
+# \_o< WARNING : This file is being managed by ansible! >o_/ #
+# ~~~~ ~~~~ #
+###############################################################################
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name paste.adyxax.org;
+ location / {
+ return 308 https://$server_name$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name paste.adyxax.org;
+
+ location / {
+ proxy_pass http://127.0.0.1:8082;
+ }
+ ssl_certificate adyxax.org.fullchain;
+ ssl_certificate_key adyxax.org.key;
+}
+```
+
+## Migration process
+
+The first step is to deploy this new configuration to the server:
+
+``` shell
+make run limit=lore.adyxax.org tags=paste.adyxax.org
+```
+
+After that I log in and manually migrate the privatebin data folder. On the old server I make a backup with:
+
+``` shell
+systemctl stop podman-privatebin
+tar czf /tmp/privatebin.tar.gz /srv/privatebin/
+```
+
+I retrieve this backup on my laptop and send it to the new server with:
+
+``` shell
+scp root@myth.adyxax.org:/tmp/privatebin.tar.gz .
+scp privatebin.tar.gz root@lore.adyxax.org:
+```
+
+On the new server, I restore the backup with:
+
+``` shell
+systemctl stop podman-privatebin
+tar -xzf privatebin.tar.gz -C /srv/privatebin/
+chown -R 65534:65534 /srv/privatebin
+chmod -R u=rwX /srv/privatebin
+systemctl start podman-privatebin
+```
+
+I then test the new server by setting the record in my `/etc/hosts` file. Since all works well, I rollback my change to `/etc/hosts` and update the DNS record using OpenTofu. I then clean up by running this on my laptop:
+
+``` shell
+rm privatebin.tar.gz
+ssh root@myth.adyxax.org 'rm /tmp/privatebin.tar.gz'
+ssh root@lore.adyxax.org 'rm privatebin.tar.gz'
+```
+
+## Conclusion
+
+I did all this in early October, my backlog of blog articles is only growing!
-- cgit v1.2.3