document and keep processes for host and lxc standardization

2026-01-28 12:41:54 -07:00 · 2026-01-28 12:41:54 -07:00 · f8a81ac223
commit f8a81ac223
parent 98e24b17cb
5 changed files with 411 additions and 12 deletions
--- a/portainer/docker-compose.yml
+++ b/portainer/docker-compose.yml
@ -1,12 +0,0 @@
 services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: always
    ports:
      - "8000:8000"   # Optional: for edge agent (can be removed if not used)
      - "9443:9443"   # HTTPS UI (recommended)
      - "9000:9000"   # HTTP UI (deprecated, optional)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /docker/portainer/data:/data
--- a/~host-setups/LXC-bootstrap.sh
+++ b/~host-setups/LXC-bootstrap.sh
@ -0,0 +1,69 @@
 #update core packages
 apt update && apt upgrade -y
 #apply all the packages I need
 apt install -y ca-certificates curl ethtool iptables-persistent git htop
 #enable IP forwarding
 Enable IP Forwarding (Persistent)
 sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
 grep -qF "net.ipv4.ip_forward=1" /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
 sysctl -p
 #add the NAT rule for IPtables and save
 iptables -C POSTROUTING -t nat -s 172.16.0.0/12 -d 172.16.201.0/24 -j MASQUERADE 2>/dev/null || \
 iptables -t nat -I POSTROUTING 1 -s 172.16.0.0/12 -d 172.16.201.0/24 -j MASQUERADE
 netfilter-persistent save
 #change the virtio settings and Apply checksum fix immediately
 if ! grep -q "post-up /sbin/ethtool" /etc/network/interfaces; then
    sed -i '/gateway/a \        post-up /sbin/ethtool -K eth0 tx off rx off' /etc/network/interfaces
 fi
 ethtool -K eth0 tx off rx off
 #Enable Root SSH Login
 sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
 grep -q "^PermitRootLogin yes" /etc/ssh/sshd_config || echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
 systemctl restart ssh
 #install the keyring for the docker repo
 install -m 0755 -d /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
 chmod a+r /etc/apt/keyrings/docker.asc
 # Add the repository to Apt sources:
 tee /etc/apt/sources.list.d/docker.sources <<EOF
 Types: deb
 URIs: https://download.docker.com/linux/debian
 Suites: $(. /etc/os-release && echo "$VERSION_CODENAME")
 Components: stable
 Signed-By: /etc/apt/keyrings/docker.asc
 EOF
 #update from the docker repo and install docker
 apt update && apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
 #pre-empt that pesky json is a folder issue
 rm -rf /root/.docker/config.json
 mkdir -p /root/.docker
 echo "{}" > /root/.docker/config.json 
 #sanitize the LXC  
 systemctl stop docker
 rm -f /etc/docker/key.json
 rm -f /etc/ssh/ssh_host_*
 truncate -s 0 /etc/machine-id
 rm -f /var/lib/dbus/machine-id
 ln -s /etc/machine-id /var/lib/dbus/machine-id
 #Clean Apt Cache & Logs
 apt clean
 rm -rf /var/lib/apt/lists/*
 rm -rf /var/log/*.log
 rm -rf /var/log/journal/*
 #Clear Command History
 history -c && history -w
 #shutdown and convert to template
 shutdown now
--- a/~host-setups/host-git-setup.txt
+++ b/~host-setups/host-git-setup.txt
@ -0,0 +1,44 @@
 ------gitea token------
 #get from --> gitea --> site administration --> actions --> runners
 ------install and register runner on host------
 # Download binary
 wget https://dl.gitea.com/act_runner/0.2.11/act_runner-0.2.11-linux-amd64 -O /usr/local/bin/act_runner
 chmod +x /usr/local/bin/act_runner
 # Register (Replace <URL> and <TOKEN>)
 # The --labels "pve:host" is key for your non-docker workflow
 act_runner register --no-interactive --instance https://git.mapletree.email --token 4aLQr2M0Ox5aUdMaOoSIoHhyUMgCWCrFNuKCFX5l --name pve1-runner --labels "pve1:host"
 ------Create and move config files------
 # Create the directory first
 mkdir -p /etc/gitea-runner
 # Generate the base config
 /usr/local/bin/act_runner generate-config > /etc/gitea-runner/config.yaml
 # Move the hidden .runner file (created during registration)
 mv .runner /etc/gitea-runner/
 ------Create service File------
 cat <<EOF > /etc/systemd/system/gitea-runner.service
 [Unit]
 Description=Gitea Actions runner
 After=network.target
 [Service]
 ExecStart=/usr/local/bin/act_runner daemon --config /etc/gitea-runner/config.yaml
 WorkingDirectory=/etc/gitea-runner
 User=root
 Restart=always
 RestartSec=5
 [Install]
 WantedBy=multi-user.target
 EOF
 ------start and enable------
 systemctl daemon-reload
 systemctl enable --now gitea-runner
--- a/~host-setups/keepalived-setup.txt
+++ b/~host-setups/keepalived-setup.txt
@ -0,0 +1,33 @@
 [[stack]]
 name = "pve1lxc6-keepalived"
 [stack.config]
 server = "pve1-lxc6"
 linked_repo = "mapletree-pve1lxc6"
 run_directory = "/docker/keepalived"
 file_paths = [
  "/etc/komodo/repos/mapletree-pve1lxc6/keepalived/docker-compose.yml"
 ]
 pre_deploy.command = """
  # Add# 1. Create Directory
 mkdir -p /docker/keepalived/config
 mkdir -p /docker/keepalived/checks
 # 2. Copy Templates from Checked-out Repo
 # (Overwrites existing files, which is what we want)
 cp /etc/komodo/repos/mapletree-pve1lxc6/keepalived/keepalived.conf.tpl /docker/keepalived/config/keepalived.conf
 cp /etc/komodo/repos/mapletree-pve1lxc6/keepalived/check_komodo.sh /docker/keepalived/checks/check_komodo.sh
 # 3. Permissions
 chmod +x /docker/keepalived/checks/check_komodo.sh
 # 4. Inject Variables (Directly modifying the file on Host)
 # Since we mount the DIRECTORY, the container will see these changes.
 sed -i "s/{{STATE}}/BACKUP/g" /docker/keepalived/config/keepalived.conf
 sed -i "s/{{PRIORITY}}/100/g" /docker/keepalived/config/keepalived.conf
 sed -i "s/{{PEER}}/172.16.201.206/g" /docker/keepalived/config/keepalived.conf
 sed -i "s/{{PASSWORD}}/HAPass22/g" /docker/keepalived/config/keepalived.conf
 """
 environment = """
 """
--- a/~host-setups/move-komodo-postgres.txt
+++ b/~host-setups/move-komodo-postgres.txt
@ -0,0 +1,265 @@
 ----first host setup-------
 ##backup the db
 cd /docker/management
 mkdir ./backup
 chmod 777 ./backup 
 docker run --rm --network container:ferretdb -v $(pwd)/backup:/backup mongo:6.0 mongodump --uri="mongodb://admin:admin@127.0.0.1:27017/komodo" --out=/backup
 # CRITICAL SAFETY CHECK:
 # Ensure these files actually exist and have size > 0
 ls -lh ./backup/komodo/
 # If you see empty folders or no files, STOP. Do not proceed to step 2.
 ##destroy the containers
 docker compose down -v
 ##change compose to this
 services:
  mongo:
    image: mongo:7.0
    container_name: mongo
    restart: always
    network_mode: host
    command: ["--replSet", "rs0", "--bind_ip_all", "--port", "27017"]
    volumes:
      - /docker/management/mongodb:/data/db
  komodo:
    # REVERT TO MOGHTECH
    image: ghcr.io/moghtech/komodo-core:latest
    container_name: komodo
    cpus: 2.0
    mem_limit: "2048m"
    mem_reservation: "512m"
    network_mode: host
    env_file:
      - /docker/management/.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/.ssh:/home/komodo/.ssh:ro
      - /docker/management/komodo/config:/config
      - /docker/management/komodo/backups:/backups
      - /docker/management/komodo/core-etc:/etc/komodo
      - /docker/management/komodo/var:/var/lib/komodo
      - /docker/management/komodo/repo-cache:/repo-cache
      - /docker:/docker
    environment:
      # CHANGE TO 'URI'
      # This tells Komodo: "Here is the full connection string, don't try to parse commas."
      - KOMODO_DATABASE_URI=mongodb://127.0.0.1:27017/komodo?directConnection=true&replicaSet=rs0
      # Explicitly unset ADDRESS to avoid conflicts
      - KOMODO_DATABASE_ADDRESS=
    depends_on:
      - mongo
    restart: unless-stopped
    labels:
      - "komodo.skip=true"
 ## up the mongodb service
 docker compose up -d mongo
 ## restore the data to the container
 docker run --rm --network host -v $(pwd)/backup:/backup mongo:6.0 mongorestore --uri="mongodb://127.0.0.1:27017/komodo" /backup/komodo
 ##make sure that mongo knows it's the primary
 docker exec -it mongo mongosh --eval 'rs.initiate({_id: "rs0", members: [{ _id: 0, host: "172.16.201.201:27017" }]})'
 ##make sure the framework is done
 ##make sure mongo connection string is active in compose 
 docker compose up -d komodo
 ##open gui to confirm it works
 ##restore the data into the framework in mongo
 docker run --rm --user 0:0 --network host -v $(pwd)/backup:/backup mongo:6.0 mongorestore --uri="mongodb://127.0.0.1:27017/komodo?replicaSet=rs0" /backup/komodo
 ##compose up the komodo
 docker compose up -d komodo
 ##validate
 ----second host base setup-------
 ##get the env setup
 mkdir /docker/managment/mongo
 ##deploy the same docker-compose.yml as above
 ##but only start the mongo for now
 docker compose up -d mongo
 ----first host replica setup-------
 ##get into the original mongo
 docker exec -it mongo mongosh
 ##add the new mongo member
 rs.add("172.16.201.106")
 ##check status
 rs.status()
 ----komodo redeploy-------
 ##change komodo compose file on both to have this as DB URI
 environment:
      # LIST BOTH IPs
      # This allows the driver to failover automatically.
      - KOMODO_DATABASE_URI=mongodb://172.16.201.206:27017,172.16.201.106:27017/komodo?replicaSet=rs0
 ##redeploy the original komodo
 docker compose down komodo && docker compose up -d komodo
 ##deploy the secondary
 docker compose up -d komodo
 ----second host replica check-------
 ##get into the second mongo
 docker exec -it mongo mongosh
 ##do a secondary check
 db.getMongo().setReadPref('secondary')
 #create a stack called "replica-test"
 ##check that the data exists
 use komodo
 db.Stack.find({name: "replica-test"})
 ----add arbiter-------
 ##already deployed on pve1-lxc2 - redeploy
 -->destroy the container
 -->delete the mongo-arbiter folder in pve-lxc2/docker
 --> use komodo to redeploy the mongo-arbiter
 ##do the following on whichever mongo is primary to add the arbiter
 docker exec -it mongo mongosh
 db.adminCommand({
  setDefaultRWConcern: 1,
  defaultWriteConcern: { w: 1 }
 })
 ##add the arbiter running on pve1-lxc2
 rs.addArb("172.16.201.102:27017")
 ##check DB HA
 rs.status()
 ----now do the lsyncd-------
 ##make sure pve1-lxc6 has rsync
 apt update && apt install rsync -y
 ##do on PVE2-lxc6
 ##install lsyncd and rsync
 apt update && apt install lsyncd rsync -y
 ##generate keys
 ssh-keygen -t rsa -b 4096
 ##lock down the keys - ensure root owns it
 chown root:root /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
 ##lock down the keys - Ensure only root can write to it
 chmod 644 /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
 ##May have to do a keygen on the target host
 ssh-keygen -A
 ##send key to pve1-lxc6
 ssh-copy-id root@172.16.201.101
 ## test
 ssh root@172.16.201.101
 ##if it asks for password do this on the other lxc
 chmod 700 /root/.ssh
 chmod 600 /root/.ssh/authorized_keys
 chown -R root:root /root/.ssh
 ##create config file
 mkdir /etc/lsyncd
 nano /etc/lsyncd/lsyncd.conf.lua
 ##paste this
 settings {
    logfile = "/var/log/lsyncd/lsyncd.log",
    statusFile = "/var/log/lsyncd/lsyncd.status",
    nodaemon = false,
 }
 -- The Sync Configuration
 sync {
    default.rsync,
    -- The folder on THIS server to watch
    -- CHECK: Is this mapped to /repo in your compose?
    source = "/repo/mapletree-pve2lxc6/management/komodo",
    -- The Destination
    target = "root@172.16.201.106:/repo/mapletree-pve1lxc6/management/komodo",
    -- Exclude temporary files
    exclude = { '.git', '*.tmp', '*.bak' },
    -- Rsync Options (Archive mode, Compress, Delete files on target if deleted on source)
    rsync = {
        archive = true,
        compress = true,
        verbose = true,
        _extra = { "--omit-dir-times" } 
    }
 }
 ##make sure the service is gunna work
 mkdir -p /var/log/lsyncd
 touch /var/log/lsyncd/lsyncd.log
 touch /var/log/lsyncd/lsyncd.status
 set the stack compose variables to (respectively):
 REPO_ROOT=/repo/mapletree-pve2lxc6/management/komodo
 REPO_ROOT=/repo/mapletree-pve1lxc6/management/komodo
 ##change the komodo compose block to include the repo...
 volumes:
  - ${REPO_ROOT}:/repo
 ##redeploy the komodos
 --> may have to do this cli
 ##start the sync
 systemctl restart lsyncd
 systemctl status lsyncd
 systemctl enable --now lsyncd
 ##the check (run on pve2 - 2 sessions)
 tail -f /var/log/lsyncd/lsyncd.log
 touch /repo/mapletree-pve2lxc6/management/komodo/sync_test.txt
 ##check on PVE1
 ls -l /repo/mapletree-pve1lxc6/management/komodo/
 ----now do the keepalived setup-------
 ##Make sure the LXC's are configured for the IP:
 echo "net.ipv4.ip_nonlocal_bind=1" >> /etc/sysctl.conf
 sysctl -p
 ##make sure the keepalive folder is created and mounted into the periphery
 mkdir /docker/keepalived || true
 nano /root/periphery/docker-compose.yml
 ##don't forget to compose down/up the periphery
 docker compose down && docker compose up -d
 ##deploy the containers 
 ##make sure the vars are done
 --> in Komodo