Refactor netdata to use docker_compose directive

Add docker socket proxy for security

roles/docker/defaults/main.yml

@@ -49,6 +49,7 @@ hedgedoc:
 
 netdata:
   domain: "netdata.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/netdata"
 
 docker_registry:
   domain: "docker.{{ base_domain }}"

roles/docker/tasks/services/netdata.yml

@@ -1,27 +1,59 @@
 ---
+- name: create netdata volume folders
+  file:
+    name: "{{ netdata.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "config"
+    - "lib"
+    - "cache"
+  loop_control:
+    loop_var: volume
 
-- name: setup netdata docker container for system monitoring
+- name: "setup netdata for system monitoring"
-  docker_container:
+  docker_compose:
-    name: netdata
+    project_name: "netdata"
-    image: netdata/netdata
+    pull: "yes"
-    restart_policy: unless-stopped
+    definition:
-    hostname: "hevonen.servers.{{ base_domain }}"
+      services: 
-    capabilities:
+        netdata:
-      - SYS_PTRACE
+          image: "netdata/netdata"
-    security_opts:
+          restart: "unless-stopped"
-      - apparmor:unconfined
+          hostname: "hevonen.servers.{{ base_domain }}"
-    volumes:
+          cap_add:
-      - /proc:/host/proc:ro
+            - SYS_PTRACE
-      - /sys:/host/sys:ro
+          security_opt:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+            - apparmor:unconfined
-    networks:
+          volumes: 
-      - name: external_services
+            - "{{ netdata.volume_folder }}/config:/etc/netdata"
-    env:
+            - "{{ netdata.volume_folder }}/lib:/var/lib/netdata"
-      VIRTUAL_HOST : "{{ netdata.domain }}"
+            - "{{ netdata.volume_folder }}/cache:/var/cache/netdata"
-      LETSENCRYPT_HOST: "{{ netdata.domain }}"
+            - "/etc/passwd:/host/etc/passwd:ro"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+            - "/etc/group:/host/etc/group:ro"
-      PGID: "999"
+            - "/proc:/host/proc:ro"
-    labels:
+            - "/sys:/host/sys:ro"
-      com.ouroboros.enable: "true"
+            - "/etc/os-release:/host/etc/os-release:ro"
-
+          networks:
-
+            - external_services
+            - docker_proxy
+          environment:
+            VIRTUAL_HOST : "{{ netdata.domain }}"
+            LETSENCRYPT_HOST: "{{ netdata.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+            PGID: "999"
+            DOCKER_HOST: "proxy:2375"
+          labels:
+            com.ouroboros.enable: "true"
+        
+        proxy:
+          image: "tecnativa/docker-socket-proxy"
+          volumes:
+          - "/var/run/docker.sock:/var/run/docker.sock:ro"
+          environment:
+            CONTAINERS : 1
+          networks:
+            - docker_proxy
+      networks:
+        docker_proxy:
+        external_services:
+          external: true