Refactor netdata to use docker_compose directive

Add docker socket proxy for security
This commit is contained in:
Jesper Hess 2022-05-20 19:49:13 +02:00
parent 2e3cd4c8b0
commit 73cc8cbbb3
Signed by untrusted user: graffen
GPG key ID: 351A89E40D763F0F
2 changed files with 58 additions and 25 deletions


@ -49,6 +49,7 @@ hedgedoc:
netdata:
domain: "netdata.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/netdata"
docker_registry:
domain: "docker.{{ base_domain }}"


@ -1,27 +1,59 @@
---
- name: create netdata volume folders
file:
name: "{{ netdata.volume_folder }}/{{ volume }}"
state: directory
loop:
- "config"
- "lib"
- "cache"
loop_control:
loop_var: volume
- name: setup netdata docker container for system monitoring
docker_container:
name: netdata
image: netdata/netdata
restart_policy: unless-stopped
- name: "setup netdata for system monitoring"
docker_compose:
project_name: "netdata"
pull: "yes"
definition:
services:
netdata:
image: "netdata/netdata"
restart: "unless-stopped"
hostname: "hevonen.servers.{{ base_domain }}"
capabilities:
cap_add:
- SYS_PTRACE
security_opts:
security_opt:
- apparmor:unconfined
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- "{{ netdata.volume_folder }}/config:/etc/netdata"
- "{{ netdata.volume_folder }}/lib:/var/lib/netdata"
- "{{ netdata.volume_folder }}/cache:/var/cache/netdata"
- "/etc/passwd:/host/etc/passwd:ro"
- "/etc/group:/host/etc/group:ro"
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/etc/os-release:/host/etc/os-release:ro"
networks:
- name: external_services
env:
- external_services
- docker_proxy
environment:
VIRTUAL_HOST : "{{ netdata.domain }}"
LETSENCRYPT_HOST: "{{ netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
DOCKER_HOST: "proxy:2375"
labels:
com.ouroboros.enable: "true"
proxy:
image: "tecnativa/docker-socket-proxy"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
CONTAINERS : 1
networks:
- docker_proxy
networks:
docker_proxy:
external_services:
external: true
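Review bot: Both service images on the new side are unpinned (`image: "netdata/netdata"` and `image: "tecnativa/docker-socket-proxy"`), so every run with `pull: "yes"` fetches whatever `latest` currently resolves to; the socket proxy is the component that gates Docker API access, so it deserves a release tag or digest, e.g. `image: "tecnativa/docker-socket-proxy:<PINNED_TAG>"`. Since the proxy answers on tcp/2375 without authentication, the `docker_proxy` network could also be declared `internal: true` if nothing outside the attached containers needs to reach it. The `VIRTUAL_HOST :` and `CONTAINERS :` keys carry a space before the colon; YAML still reads them as `VIRTUAL_HOST`/`CONTAINERS`, but yamllint's colons rule flags them, and `CONTAINERS : 1` would be safer as `CONTAINERS: "1"` so the env value stays a string. `pull: "yes"` is a quoted string where the module takes a boolean; `pull: true` states the intent directly.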