Split Docker role into services and Docker + configure rootless Docker

This commit is contained in:
Sam A. 2024-03-30 20:09:03 +01:00
parent 54249980e9
commit 27ae28797f
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
87 changed files with 338 additions and 257 deletions


@ -5,7 +5,7 @@ ansible_host: 85.209.118.134
ansible_port: 19022
vm_host: cavall
vm_type: qemu
vm_type: control
hostname: "{{ inventory_hostname }}"
fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"


@ -5,7 +5,7 @@ ansible_host: 159.223.17.241
ansible_port: 22
vm_host: cloud
vm_type: vps
vm_type: app
hostname: "{{ inventory_hostname }}"
fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"


@ -5,7 +5,7 @@ ansible_host: 85.209.118.142
ansible_port: 19022
vm_host: cavall
vm_type: qemu
vm_type: app
hostname: "{{ inventory_hostname }}"
fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"


@ -5,7 +5,7 @@ ansible_host: 85.209.118.143
ansible_port: 19022
vm_host: cavall
vm_type: qemu
vm_type: app
hostname: "{{ inventory_hostname }}"
fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"


@ -5,9 +5,11 @@
gather_facts: true
become: true
roles:
- name: os_base
tags:
- base_only
- name: vm-common
tags: [base_only]
- name: zfs
tags: [zfs]
- name: docker
tags:
- docker
tags: [docker]
- name: services
tags: [services]


@ -1,226 +1,6 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
volume_root_folder: "/docker-volumes"
volume_website_folder: "{{ volume_root_folder }}/websites"
services:
### Internal services ###
postfix:
domain: "smtp.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/postfix"
pre_deploy_tasks: true
version: "v3.6.1-alpine"
nginx_proxy:
volume_folder: "{{ volume_root_folder }}/nginx"
pre_deploy_tasks: true
version: "1.3-alpine"
acme_companion_version: "2.2"
openldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
pre_deploy_tasks: true
version: "1.5.0"
phpldapadmin_version: "0.9.0"
netdata:
domain: "netdata.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/netdata"
version: "v1"
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
version: "2.19.0"
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
version: "22.0"
postgres_version: "10"
allowed_sender_domain: true
restic:
volume_folder: "{{ volume_root_folder }}/restic"
pre_deploy_tasks: true
remote_user: dc-user
remote_domain: rynkeby.skovgaard.tel
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
repository: restic
version: "1.7.0"
# mail dance
domain: "noreply.{{ base_domain }}"
allowed_sender_domain: true
mail_from: "backup@noreply.{{ base_domain }}"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
pre_deploy_tasks: true
post_deploy_tasks: true
username: "docker"
password: "{{ docker_password }}"
version: "2"
### External services ###
nextcloud:
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
pre_deploy_tasks: true
version: 28-apache
postgres_version: "10"
redis_version: 7-alpine
allowed_sender_domain: true
forgejo:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/forgejo"
version: "1.21.8-0"
allowed_sender_domain: true
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
version: stable
postgres_version: 15-alpine
allowed_sender_domain: true
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
pre_deploy_tasks: true
version: v1.98.0
postgres_version: 15-alpine
allowed_sender_domain: true
element:
domain: "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/element"
pre_deploy_tasks: true
version: v1.11.51
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
pre_deploy_tasks: true
version: "20221009"
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
pre_deploy_tasks: true
version: 1.9.9-alpine
postgres_version: 10-alpine
data_coop_website:
domain: "{{ base_domain }}"
www_domain: "www.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/datacoop"
pre_deploy_tasks: true
version: stable
staging_domain: "staging.{{ base_domain }}"
staging_version: staging
slides_2022_website:
domain: "2022.slides.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/slides-2022"
version: latest
fedi_dk_website:
domain: fedi.dk
volume_folder: "{{ volume_website_folder }}/fedidk"
version: latest
vhs_website:
domain: vhs.data.coop
volume_folder: "{{ volume_website_folder }}/vhs"
version: latest
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
volume_folder: "{{ volume_website_folder }}/cryptohagen"
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
- "www.ulovlig-logning.dk"
volume_folder: "{{ volume_website_folder }}/ulovliglogning"
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
version: "1"
mailu:
domain: "mail.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mailu"
pre_deploy_tasks: true
dns: 192.168.203.254
subnet: 192.168.203.0/24
version: "2.0"
postgres_version: 14-alpine
redis_version: alpine
mastodon:
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
pre_deploy_tasks: true
version: v4.2.8
postgres_version: 14-alpine
redis_version: 6-alpine
allowed_sender_domain: true
rallly:
domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly"
pre_deploy_tasks: true
version: "2"
postgres_version: 14-alpine
allowed_sender_domain: true
membersystem:
domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li"
volume_folder: "{{ volume_root_folder }}/membersystem"
version: latest
postgres_version: 13-alpine
allowed_sender_domain: true
writefreely:
domain: "write.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/writefreely"
pre_deploy_tasks: true
version: v0.15.0
mariadb_version: "11.2"
allowed_sender_domain: true
watchtower:
volume_folder: "{{ volume_root_folder }}/watchtower"
version: "1.5.3"
diun:
version: "4.27"
volume_folder: "{{ volume_root_folder }}/diun"
### Uptime monitoring ###
uptime_kuma:
domain: "uptime.{{ base_domain }}"
status_domain: "status.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/uptime_kuma"
pre_deploy_tasks: true
version: "latest"
services_exclude: []
services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"
docker_rootless: false
docker_rootless_user: docker_user
docker_rootless_user_uid: 1100
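Review bot: `docker_rootless_user_uid: 1100` is a free-standing number that the role's tasks turn into the socket path `/run/user/<uid>/docker.sock` for both `DOCKER_HOST` and the prune cron job, so a mismatch with the account's real UID silently produces a socket path that nothing listens on. A comment such as `# Must equal the UID of docker_rootless_user; only used to build /run/user/<uid>/docker.sock` would record the invariant, and a one-line header over the three new keys saying that the service catalogue has moved to the services role would help readers of the much shorter file. The same point applies to `docker_rootless_user: docker_user`, which the tasks also assume has its home under `/home/`.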


@ -1,15 +1,16 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Add Docker PGP key
apt_key:
keyserver: pgp.mit.edu
id: 8D81803C0EBFCD88
- name: Add Docker apt PGP key
ansible.builtin.apt_key:
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
url: https://download.docker.com/linux/debian/gpg
state: present
- name: Add Docker apt repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu bionic stable
ansible.builtin.apt_repository:
filename: docker
repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
state: present
update_cache: true
@ -17,27 +18,84 @@
apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
- name: Configure cron job to prune unused Docker data weekly
cron:
- name: Configure rootful Docker
when: not docker_rootless
block:
- name: Make sure Docker is running
ansible.builtin.service:
name: docker
state: started
enabled: true
- name: Configure cron job to prune unused Docker data weekly
ansible.builtin.cron:
name: Prune unused Docker data
cron_file: ansible_docker_prune
job: 'docker system prune -fa && docker volume prune -fa'
job: docker system prune -fa --volumes --filter "until=6h"
special_time: weekly
user: root
state: present
- name: Create folder structure for bind mounts
file:
name: "{{ item }}"
state: directory
loop:
- "{{ volume_root_folder }}"
- "{{ volume_website_folder }}"
- name: Configure rootless Docker
when: docker_rootless
block:
- name: Make sure rootful Docker is stopped and disabled
ansible.builtin.systemd_service:
scope: system
name: docker
state: stopped
enabled: false
- name: Set up services
import_tasks: services.yml
tags:
- setup_services
- name: Install packages needed by rootless Docker
ansible.builtin.apt:
name:
- docker-ce-rootless-extras
- uidmap
- dbus-user-session
- fuse-overlayfs
- slirp4netns
- name: Enable lingering for Docker user
ansible.builtin.command:
cmd: loginctl enable-linger {{ docker_rootless_user }}
creates: /var/lib/systemd/linger/{{ docker_rootless_user }}
- name: Run rootless Docker setup script
ansible.builtin.command:
cmd: dockerd-rootless-setuptool.sh install
creates: /home/{{ docker_rootless_user }}/.config/systemd/user/docker.service
become: true
become_user: "{{ docker_rootless_user }}"
- name: Set DOCKER_HOST environment variable
ansible.builtin.lineinfile:
path: /home/{{ docker_rootless_user }}/.bashrc
regexp: '^export DOCKER_HOST='
line: export DOCKER_HOST=unix:///run/user/{{ docker_rootless_user_uid }}/docker.sock
state: present
become: true
become_user: "{{ docker_rootless_user }}"
- name: Make sure rootless Docker is running
ansible.builtin.systemd_service:
scope: user
name: docker.service
state: started
enabled: true
become: true
become_user: "{{ docker_rootless_user }}"
- name: Configure cron job to prune unused Docker data weekly
ansible.builtin.cron:
name: Prune unused Docker data
cron_file: ansible_docker_rootless_prune
job: docker --host unix:///run/user/{{ docker_rootless_user_uid }}/docker.sock system prune -fa --volumes --filter "until=6h"
special_time: weekly
user: "{{ docker_rootless_user }}"
state: present
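Review bot: The user-scope tasks in the rootless block ("Run rootless Docker setup script" and "Make sure rootless Docker is running" with `scope: user`) run via `become_user` but nothing sets `XDG_RUNTIME_DIR`, and the per-user systemd instance is normally not reachable without it, so these are likely to fail with a bus-connection error on a fresh host; adding `environment: { XDG_RUNTIME_DIR: "/run/user/{{ docker_rootless_user_uid }}" }` to those tasks is the usual fix. The block also assumes `docker_rootless_user` already exists with home `/home/{{ docker_rootless_user }}` and UID `docker_rootless_user_uid`, and nothing in this diff creates it; if another role does, a comment naming it, or an `ansible.builtin.getent` lookup to derive the UID instead of a hard-coded variable, would make the coupling explicit. Both prune jobs ("Configure cron job to prune unused Docker data weekly" in the rootful and rootless blocks) should be checked against the deployed Docker version: as far as I recall the volume pruner does not accept the `until` filter, and even where it runs, `-fa --volumes` on a weekly schedule removes the anonymous volumes of any service that happens to be stopped at that moment. In the first hunk, `apt_key` still places the Docker key in the global trusted keyring; a `signed-by=` option pointing at a dedicated keyring file would limit what that key can authorise to this repository.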


@ -0,0 +1,226 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
volume_root_folder: "/docker-volumes"
volume_website_folder: "{{ volume_root_folder }}/websites"
services:
### Internal services ###
postfix:
domain: "smtp.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/postfix"
pre_deploy_tasks: true
version: "v3.6.1-alpine"
nginx_proxy:
volume_folder: "{{ volume_root_folder }}/nginx"
pre_deploy_tasks: true
version: "1.3-alpine"
acme_companion_version: "2.2"
openldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
pre_deploy_tasks: true
version: "1.5.0"
phpldapadmin_version: "0.9.0"
netdata:
domain: "netdata.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/netdata"
version: "v1"
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
version: "2.19.0"
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
version: "22.0"
postgres_version: "10"
allowed_sender_domain: true
restic:
volume_folder: "{{ volume_root_folder }}/restic"
pre_deploy_tasks: true
remote_user: dc-user
remote_domain: rynkeby.skovgaard.tel
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
repository: restic
version: "1.7.0"
# mail dance
domain: "noreply.{{ base_domain }}"
allowed_sender_domain: true
mail_from: "backup@noreply.{{ base_domain }}"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
pre_deploy_tasks: true
post_deploy_tasks: true
username: "docker"
password: "{{ docker_password }}"
version: "2"
### External services ###
nextcloud:
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
pre_deploy_tasks: true
version: 28-apache
postgres_version: "10"
redis_version: 7-alpine
allowed_sender_domain: true
forgejo:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/forgejo"
version: "1.21.8-0"
allowed_sender_domain: true
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
version: stable
postgres_version: 15-alpine
allowed_sender_domain: true
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
pre_deploy_tasks: true
version: v1.98.0
postgres_version: 15-alpine
allowed_sender_domain: true
element:
domain: "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/element"
pre_deploy_tasks: true
version: v1.11.51
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
pre_deploy_tasks: true
version: "20221009"
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
pre_deploy_tasks: true
version: 1.9.9-alpine
postgres_version: 10-alpine
data_coop_website:
domain: "{{ base_domain }}"
www_domain: "www.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/datacoop"
pre_deploy_tasks: true
version: stable
staging_domain: "staging.{{ base_domain }}"
staging_version: staging
slides_2022_website:
domain: "2022.slides.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/slides-2022"
version: latest
fedi_dk_website:
domain: fedi.dk
volume_folder: "{{ volume_website_folder }}/fedidk"
version: latest
vhs_website:
domain: vhs.data.coop
volume_folder: "{{ volume_website_folder }}/vhs"
version: latest
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
volume_folder: "{{ volume_website_folder }}/cryptohagen"
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
- "www.ulovlig-logning.dk"
volume_folder: "{{ volume_website_folder }}/ulovliglogning"
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
version: "1"
mailu:
domain: "mail.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mailu"
pre_deploy_tasks: true
dns: 192.168.203.254
subnet: 192.168.203.0/24
version: "2.0"
postgres_version: 14-alpine
redis_version: alpine
mastodon:
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
pre_deploy_tasks: true
version: v4.2.8
postgres_version: 14-alpine
redis_version: 6-alpine
allowed_sender_domain: true
rallly:
domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly"
pre_deploy_tasks: true
version: "2"
postgres_version: 14-alpine
allowed_sender_domain: true
membersystem:
domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li"
volume_folder: "{{ volume_root_folder }}/membersystem"
version: latest
postgres_version: 13-alpine
allowed_sender_domain: true
writefreely:
domain: "write.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/writefreely"
pre_deploy_tasks: true
version: v0.15.0
mariadb_version: "11.2"
allowed_sender_domain: true
watchtower:
volume_folder: "{{ volume_root_folder }}/watchtower"
version: "1.5.3"
diun:
version: "4.27"
volume_folder: "{{ volume_root_folder }}/diun"
### Uptime monitoring ###
uptime_kuma:
domain: "uptime.{{ base_domain }}"
status_domain: "status.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/uptime_kuma"
pre_deploy_tasks: true
version: "latest"
services_exclude: []
services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"
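Review bot: Several image versions carried over into this file are moving tags rather than releases — `latest` for slides_2022_website, fedi_dk_website, vhs_website, membersystem and uptime_kuma, `stable`/`staging` for data_coop_website and passit — so what gets deployed is whatever the registry serves at run time and cannot be reproduced or audited from this file, which matters more now that watchtower is part of the same catalogue. Pinning these to a specific tag (or digest) like the other entries, or a comment stating that a moving tag is deliberate for a given service, would make the intent clear. `services_include` derives from `services` and `services_exclude`, so a short comment above it explaining that exclusion is the only supported way to disable a service would help the next reader.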


@ -0,0 +1,15 @@
# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Create folder structure for bind mounts
file:
name: "{{ item }}"
state: directory
loop:
- "{{ volume_root_folder }}"
- "{{ volume_website_folder }}"
- name: Set up services
import_tasks: services.yml
tags:
- setup_services
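Review bot: "Create folder structure for bind mounts" creates `volume_root_folder` and `volume_website_folder` as root with default ownership, but when `docker_rootless` is enabled the daemon and its containers run as `docker_rootless_user`, so bind mounts under these root-owned directories will not be writable unless ownership is set; adding `owner: "{{ docker_rootless_user if docker_rootless else omit }}"` (and the matching `group`) to the task would cover both modes, assuming the docker role's variables are in scope here. The task also uses the short module name `file:` while the docker tasks in this commit use fully qualified names; `ansible.builtin.file:` would keep the two roles consistent.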