Split Docker role into services and Docker + configure rootless Docker

host_vars/folald.yml

@@ -5,7 +5,7 @@ ansible_host: 85.209.118.134
 ansible_port: 19022
 
 vm_host: cavall
-vm_type: qemu
+vm_type: control
 
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"

host_vars/hestur.yml

@@ -5,7 +5,7 @@ ansible_host: 159.223.17.241
 ansible_port: 22
 
 vm_host: cloud
-vm_type: vps
+vm_type: app
 
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"

host_vars/poltre.yml

@@ -5,7 +5,7 @@ ansible_host: 85.209.118.142
 ansible_port: 19022
 
 vm_host: cavall
-vm_type: qemu
+vm_type: app
 
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"

host_vars/varsa.yml

@@ -5,7 +5,7 @@ ansible_host: 85.209.118.143
 ansible_port: 19022
 
 vm_host: cavall
-vm_type: qemu
+vm_type: app
 
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"

playbook.yml

@@ -5,9 +5,11 @@
   gather_facts: true
   become: true
   roles:
-    - name: os_base
+    - name: vm-common
-      tags:
+      tags: [base_only]
-        - base_only
+    - name: zfs
+      tags: [zfs]
     - name: docker
-      tags:
+      tags: [docker]
-        - docker
+    - name: services
+      tags: [services]

roles/docker/defaults/main.yml

@@ -1,226 +1,6 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-volume_root_folder: "/docker-volumes"
+docker_rootless: false
-volume_website_folder: "{{ volume_root_folder }}/websites"
+docker_rootless_user: docker_user
-
+docker_rootless_user_uid: 1100
-services:
-  ### Internal services ###
-  postfix:
-    domain: "smtp.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/postfix"
-    pre_deploy_tasks: true
-    version: "v3.6.1-alpine"
-
-  nginx_proxy:
-    volume_folder: "{{ volume_root_folder }}/nginx"
-    pre_deploy_tasks: true
-    version: "1.3-alpine"
-    acme_companion_version: "2.2"
-
-  openldap:
-    domain: "ldap.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/openldap"
-    pre_deploy_tasks: true
-    version: "1.5.0"
-    phpldapadmin_version: "0.9.0"
-
-  netdata:
-    domain: "netdata.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/netdata"
-    version: "v1"
-
-  portainer:
-    domain: "portainer.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/portainer"
-    version: "2.19.0"
-
-  keycloak:
-    domain: sso.{{ base_domain }}
-    volume_folder: "{{ volume_root_folder }}/keycloak"
-    version: "22.0"
-    postgres_version: "10"
-    allowed_sender_domain: true
-
-  restic:
-    volume_folder: "{{ volume_root_folder }}/restic"
-    pre_deploy_tasks: true
-    remote_user: dc-user
-    remote_domain: rynkeby.skovgaard.tel
-    host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
-    repository: restic
-    version: "1.7.0"
-    # mail dance
-    domain: "noreply.{{ base_domain }}"
-    allowed_sender_domain: true
-    mail_from: "backup@noreply.{{ base_domain }}"
-
-  docker_registry:
-    domain: "docker.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/docker-registry"
-    pre_deploy_tasks: true
-    post_deploy_tasks: true
-    username: "docker"
-    password: "{{ docker_password }}"
-    version: "2"
-
-  ### External services ###
-  nextcloud:
-    domain: "cloud.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/nextcloud"
-    pre_deploy_tasks: true
-    version: 28-apache
-    postgres_version: "10"
-    redis_version: 7-alpine
-    allowed_sender_domain: true
-
-  forgejo:
-    domain: "git.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/forgejo"
-    version: "1.21.8-0"
-    allowed_sender_domain: true
-
-  passit:
-    domain: "passit.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/passit"
-    version: stable
-    postgres_version: 15-alpine
-    allowed_sender_domain: true
-
-  matrix:
-    domain: "matrix.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/matrix"
-    pre_deploy_tasks: true
-    version: v1.98.0
-    postgres_version: 15-alpine
-    allowed_sender_domain: true
-
-  element:
-    domain: "element.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/element"
-    pre_deploy_tasks: true
-    version: v1.11.51
-
-  privatebin:
-    domain: "paste.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/privatebin"
-    pre_deploy_tasks: true
-    version: "20221009"
-
-  hedgedoc:
-    domain: "pad.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/hedgedoc"
-    pre_deploy_tasks: true
-    version: 1.9.9-alpine
-    postgres_version: 10-alpine
-
-  data_coop_website:
-    domain: "{{ base_domain }}"
-    www_domain: "www.{{ base_domain }}"
-    volume_folder: "{{ volume_website_folder }}/datacoop"
-    pre_deploy_tasks: true
-    version: stable
-    staging_domain: "staging.{{ base_domain }}"
-    staging_version: staging
-
-  slides_2022_website:
-    domain: "2022.slides.{{ base_domain }}"
-    volume_folder: "{{ volume_website_folder }}/slides-2022"
-    version: latest
-
-  fedi_dk_website:
-    domain: fedi.dk
-    volume_folder: "{{ volume_website_folder }}/fedidk"
-    version: latest
-
-  vhs_website:
-    domain: vhs.data.coop
-    volume_folder: "{{ volume_website_folder }}/vhs"
-    version: latest
-
-  cryptohagen_website:
-    domains:
-      - "cryptohagen.dk"
-      - "www.cryptohagen.dk"
-    volume_folder: "{{ volume_website_folder }}/cryptohagen"
-
-  ulovliglogning_website:
-    domains:
-      - "ulovliglogning.dk"
-      - "www.ulovliglogning.dk"
-      - "ulovlig-logning.dk"
-      - "www.ulovlig-logning.dk"
-    volume_folder: "{{ volume_website_folder }}/ulovliglogning"
-
-  cryptoaarhus_website:
-    domains:
-      - "cryptoaarhus.dk"
-      - "www.cryptoaarhus.dk"
-    volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
-
-  drone:
-    domain: "drone.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/drone"
-    version: "1"
-
-  mailu:
-    domain: "mail.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/mailu"
-    pre_deploy_tasks: true
-    dns: 192.168.203.254
-    subnet: 192.168.203.0/24
-    version: "2.0"
-    postgres_version: 14-alpine
-    redis_version: alpine
-
-  mastodon:
-    domain: "social.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/mastodon"
-    pre_deploy_tasks: true
-    version: v4.2.8
-    postgres_version: 14-alpine
-    redis_version: 6-alpine
-    allowed_sender_domain: true
-
-  rallly:
-    domain: "when.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/rallly"
-    pre_deploy_tasks: true
-    version: "2"
-    postgres_version: 14-alpine
-    allowed_sender_domain: true
-
-  membersystem:
-    domain: "member.{{ base_domain }}"
-    django_admins: "Vidir:valberg@orn.li"
-    volume_folder: "{{ volume_root_folder }}/membersystem"
-    version: latest
-    postgres_version: 13-alpine
-    allowed_sender_domain: true
-
-  writefreely:
-    domain: "write.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/writefreely"
-    pre_deploy_tasks: true
-    version: v0.15.0
-    mariadb_version: "11.2"
-    allowed_sender_domain: true
-
-  watchtower:
-    volume_folder: "{{ volume_root_folder }}/watchtower"
-    version: "1.5.3"
-
-  diun:
-    version: "4.27"
-    volume_folder: "{{ volume_root_folder }}/diun"
-
-  ### Uptime monitoring ###
-  uptime_kuma:
-    domain: "uptime.{{ base_domain }}"
-    status_domain: "status.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/uptime_kuma"
-    pre_deploy_tasks: true
-    version: "latest"
-
-services_exclude: []
-services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"

roles/docker/tasks/main.yml

@@ -1,15 +1,16 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Add Docker PGP key
+- name: Add Docker apt PGP key
-  apt_key:
+  ansible.builtin.apt_key:
-    keyserver: pgp.mit.edu
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
-    id: 8D81803C0EBFCD88
+    url: https://download.docker.com/linux/debian/gpg
     state: present
 
 - name: Add Docker apt repository
-  apt_repository:
+  ansible.builtin.apt_repository:
-    repo: deb https://download.docker.com/linux/ubuntu bionic stable
+    filename: docker
+    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
     state: present
     update_cache: true
 
@@ -17,27 +18,84 @@
   apt:
     name:
       - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
       - docker-compose-plugin
     state: present
 
-- name: Configure cron job to prune unused Docker data weekly
+- name: Configure rootful Docker
-  cron:
+  when: not docker_rootless
-    name: Prune unused Docker data
+  block:
-    cron_file: ansible_docker_prune
+    - name: Make sure Docker is running
-    job: 'docker system prune -fa && docker volume prune -fa'
+      ansible.builtin.service:
-    special_time: weekly
+        name: docker
-    user: root
+        state: started
-    state: present
+        enabled: true
 
-- name: Create folder structure for bind mounts
+    - name: Configure cron job to prune unused Docker data weekly
-  file:
+      ansible.builtin.cron:
-    name: "{{ item }}"
+        name: Prune unused Docker data
-    state: directory
+        cron_file: ansible_docker_prune
-  loop:
+        job: docker system prune -fa --volumes --filter "until=6h"
-    - "{{ volume_root_folder }}"
+        special_time: weekly
-    - "{{ volume_website_folder }}"
+        user: root
+        state: present
 
-- name: Set up services
+- name: Configure rootless Docker
-  import_tasks: services.yml
+  when: docker_rootless
-  tags:
+  block:
-    - setup_services
+    - name: Make sure rootful Docker is stopped and disabled
+      ansible.builtin.systemd_service:
+        scope: system
+        name: docker
+        state: stopped
+        enabled: false
+
+    - name: Install packages needed by rootless Docker
+      ansible.builtin.apt:
+        name:
+          - docker-ce-rootless-extras
+          - uidmap
+          - dbus-user-session
+          - fuse-overlayfs
+          - slirp4netns
+
+    - name: Enable lingering for Docker user
+      ansible.builtin.command:
+        cmd: loginctl enable-linger {{ docker_rootless_user }}
+        creates: /var/lib/systemd/linger/{{ docker_rootless_user }}
+
+    - name: Run rootless Docker setup script
+      ansible.builtin.command:
+        cmd: dockerd-rootless-setuptool.sh install
+        creates: /home/{{ docker_rootless_user }}/.config/systemd/user/docker.service
+      become: true
+      become_user: "{{ docker_rootless_user }}"
+
+    - name: Set DOCKER_HOST environment variable
+      ansible.builtin.lineinfile:
+        path: /home/{{ docker_rootless_user }}/.bashrc
+        regexp: '^export DOCKER_HOST='
+        line: export DOCKER_HOST=unix:///run/user/{{ docker_rootless_user_uid }}/docker.sock
+        state: present
+      become: true
+      become_user: "{{ docker_rootless_user }}"
+
+    - name: Make sure rootless Docker is running
+      ansible.builtin.systemd_service:
+        scope: user
+        name: docker.service
+        state: started
+        enabled: true
+      become: true
+      become_user: "{{ docker_rootless_user }}"
+
+    - name: Configure cron job to prune unused Docker data weekly
+      ansible.builtin.cron:
+        name: Prune unused Docker data
+        cron_file: ansible_docker_rootless_prune
+        job: docker --host unix:///run/user/{{ docker_rootless_user_uid }}/docker.sock system prune -fa --volumes --filter "until=6h"
+        special_time: weekly
+        user: "{{ docker_rootless_user }}"
+        state: present

roles/services/defaults/main.yml

@@ -0,0 +1,226 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+volume_root_folder: "/docker-volumes"
+volume_website_folder: "{{ volume_root_folder }}/websites"
+
+services:
+  ### Internal services ###
+  postfix:
+    domain: "smtp.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/postfix"
+    pre_deploy_tasks: true
+    version: "v3.6.1-alpine"
+
+  nginx_proxy:
+    volume_folder: "{{ volume_root_folder }}/nginx"
+    pre_deploy_tasks: true
+    version: "1.3-alpine"
+    acme_companion_version: "2.2"
+
+  openldap:
+    domain: "ldap.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/openldap"
+    pre_deploy_tasks: true
+    version: "1.5.0"
+    phpldapadmin_version: "0.9.0"
+
+  netdata:
+    domain: "netdata.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/netdata"
+    version: "v1"
+
+  portainer:
+    domain: "portainer.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/portainer"
+    version: "2.19.0"
+
+  keycloak:
+    domain: sso.{{ base_domain }}
+    volume_folder: "{{ volume_root_folder }}/keycloak"
+    version: "22.0"
+    postgres_version: "10"
+    allowed_sender_domain: true
+
+  restic:
+    volume_folder: "{{ volume_root_folder }}/restic"
+    pre_deploy_tasks: true
+    remote_user: dc-user
+    remote_domain: rynkeby.skovgaard.tel
+    host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
+    repository: restic
+    version: "1.7.0"
+    # mail dance
+    domain: "noreply.{{ base_domain }}"
+    allowed_sender_domain: true
+    mail_from: "backup@noreply.{{ base_domain }}"
+
+  docker_registry:
+    domain: "docker.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/docker-registry"
+    pre_deploy_tasks: true
+    post_deploy_tasks: true
+    username: "docker"
+    password: "{{ docker_password }}"
+    version: "2"
+
+  ### External services ###
+  nextcloud:
+    domain: "cloud.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/nextcloud"
+    pre_deploy_tasks: true
+    version: 28-apache
+    postgres_version: "10"
+    redis_version: 7-alpine
+    allowed_sender_domain: true
+
+  forgejo:
+    domain: "git.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/forgejo"
+    version: "1.21.8-0"
+    allowed_sender_domain: true
+
+  passit:
+    domain: "passit.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/passit"
+    version: stable
+    postgres_version: 15-alpine
+    allowed_sender_domain: true
+
+  matrix:
+    domain: "matrix.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/matrix"
+    pre_deploy_tasks: true
+    version: v1.98.0
+    postgres_version: 15-alpine
+    allowed_sender_domain: true
+
+  element:
+    domain: "element.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/element"
+    pre_deploy_tasks: true
+    version: v1.11.51
+
+  privatebin:
+    domain: "paste.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/privatebin"
+    pre_deploy_tasks: true
+    version: "20221009"
+
+  hedgedoc:
+    domain: "pad.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/hedgedoc"
+    pre_deploy_tasks: true
+    version: 1.9.9-alpine
+    postgres_version: 10-alpine
+
+  data_coop_website:
+    domain: "{{ base_domain }}"
+    www_domain: "www.{{ base_domain }}"
+    volume_folder: "{{ volume_website_folder }}/datacoop"
+    pre_deploy_tasks: true
+    version: stable
+    staging_domain: "staging.{{ base_domain }}"
+    staging_version: staging
+
+  slides_2022_website:
+    domain: "2022.slides.{{ base_domain }}"
+    volume_folder: "{{ volume_website_folder }}/slides-2022"
+    version: latest
+
+  fedi_dk_website:
+    domain: fedi.dk
+    volume_folder: "{{ volume_website_folder }}/fedidk"
+    version: latest
+
+  vhs_website:
+    domain: vhs.data.coop
+    volume_folder: "{{ volume_website_folder }}/vhs"
+    version: latest
+
+  cryptohagen_website:
+    domains:
+      - "cryptohagen.dk"
+      - "www.cryptohagen.dk"
+    volume_folder: "{{ volume_website_folder }}/cryptohagen"
+
+  ulovliglogning_website:
+    domains:
+      - "ulovliglogning.dk"
+      - "www.ulovliglogning.dk"
+      - "ulovlig-logning.dk"
+      - "www.ulovlig-logning.dk"
+    volume_folder: "{{ volume_website_folder }}/ulovliglogning"
+
+  cryptoaarhus_website:
+    domains:
+      - "cryptoaarhus.dk"
+      - "www.cryptoaarhus.dk"
+    volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
+
+  drone:
+    domain: "drone.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/drone"
+    version: "1"
+
+  mailu:
+    domain: "mail.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/mailu"
+    pre_deploy_tasks: true
+    dns: 192.168.203.254
+    subnet: 192.168.203.0/24
+    version: "2.0"
+    postgres_version: 14-alpine
+    redis_version: alpine
+
+  mastodon:
+    domain: "social.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/mastodon"
+    pre_deploy_tasks: true
+    version: v4.2.8
+    postgres_version: 14-alpine
+    redis_version: 6-alpine
+    allowed_sender_domain: true
+
+  rallly:
+    domain: "when.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/rallly"
+    pre_deploy_tasks: true
+    version: "2"
+    postgres_version: 14-alpine
+    allowed_sender_domain: true
+
+  membersystem:
+    domain: "member.{{ base_domain }}"
+    django_admins: "Vidir:valberg@orn.li"
+    volume_folder: "{{ volume_root_folder }}/membersystem"
+    version: latest
+    postgres_version: 13-alpine
+    allowed_sender_domain: true
+
+  writefreely:
+    domain: "write.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/writefreely"
+    pre_deploy_tasks: true
+    version: v0.15.0
+    mariadb_version: "11.2"
+    allowed_sender_domain: true
+
+  watchtower:
+    volume_folder: "{{ volume_root_folder }}/watchtower"
+    version: "1.5.3"
+
+  diun:
+    version: "4.27"
+    volume_folder: "{{ volume_root_folder }}/diun"
+
+  ### Uptime monitoring ###
+  uptime_kuma:
+    domain: "uptime.{{ base_domain }}"
+    status_domain: "status.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/uptime_kuma"
+    pre_deploy_tasks: true
+    version: "latest"
+
+services_exclude: []
+services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"

roles/services/tasks/main.yml

@@ -0,0 +1,15 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Create folder structure for bind mounts
+  file:
+    name: "{{ item }}"
+    state: directory
+  loop:
+    - "{{ volume_root_folder }}"
+    - "{{ volume_website_folder }}"
+
+- name: Set up services
+  import_tasks: services.yml
+  tags:
+    - setup_services