From 73cc8cbbb39b175e6a86fc7af87e82766c43353d Mon Sep 17 00:00:00 2001
From: Jesper Hess Nielsen
Date: Fri, 20 May 2022 19:49:13 +0200
Subject: [PATCH] Refactor netdata to use docker_compose directive

Add docker socket proxy for security
---
 roles/docker/defaults/main.yml | 1 +
 roles/docker/tasks/services/netdata.yml | 82 +++++++++++++++++--------
 2 files changed, 58 insertions(+), 25 deletions(-)

diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 86472bf..41156b5 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -49,6 +49,7 @@ hedgedoc:
 netdata:
 domain: "netdata.{{ base_domain }}"
+ volume_folder: "{{ volume_root_folder }}/netdata"
 docker_registry:
 domain: "docker.{{ base_domain }}"
diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml
index 80068eb..c0458d8 100644
--- a/roles/docker/tasks/services/netdata.yml
+++ b/roles/docker/tasks/services/netdata.yml
@@ -1,27 +1,59 @@
 ---
+- name: create netdata volume folders
+ file:
+ name: "{{ netdata.volume_folder }}/{{ volume }}"
+ state: directory
+ loop:
+ - "config"
+ - "lib"
+ - "cache"
+ loop_control:
+ loop_var: volume
-- name: setup netdata docker container for system monitoring
- docker_container:
- name: netdata
- image: netdata/netdata
- restart_policy: unless-stopped
- hostname: "hevonen.servers.{{ base_domain }}"
- capabilities:
- - SYS_PTRACE
- security_opts:
- - apparmor:unconfined
- volumes:
- - /proc:/host/proc:ro
- - /sys:/host/sys:ro
- - /var/run/docker.sock:/var/run/docker.sock:ro
- networks:
- - name: external_services
- env:
- VIRTUAL_HOST : "{{ netdata.domain }}"
- LETSENCRYPT_HOST: "{{ netdata.domain }}"
- LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- PGID: "999"
- labels:
- com.ouroboros.enable: "true"
-
-
+- name: "setup netdata for system monitoring"
+ docker_compose:
+ project_name: "netdata"
+ pull: "yes"
+ definition:
+ services:
+ netdata:
+ image: "netdata/netdata"
+ restart: "unless-stopped"
+ hostname: "hevonen.servers.{{ base_domain }}"
+ cap_add:
+ - SYS_PTRACE
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - "{{ netdata.volume_folder }}/config:/etc/netdata"
+ - "{{ netdata.volume_folder }}/lib:/var/lib/netdata"
+ - "{{ netdata.volume_folder }}/cache:/var/cache/netdata"
+ - "/etc/passwd:/host/etc/passwd:ro"
+ - "/etc/group:/host/etc/group:ro"
+ - "/proc:/host/proc:ro"
+ - "/sys:/host/sys:ro"
+ - "/etc/os-release:/host/etc/os-release:ro"
+ networks:
+ - external_services
+ - docker_proxy
+ environment:
+ VIRTUAL_HOST : "{{ netdata.domain }}"
+ LETSENCRYPT_HOST: "{{ netdata.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ PGID: "999"
+ DOCKER_HOST: "proxy:2375"
+ labels:
+ com.ouroboros.enable: "true"
+
+ proxy:
+ image: "tecnativa/docker-socket-proxy"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ environment:
+ CONTAINERS : 1
+ networks:
+ - docker_proxy
+ networks:
+ docker_proxy:
+ external_services:
+ external: true
-- 
2.40.1
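Review bot: The new `proxy` service has no `restart` policy, so if the socket proxy exits the `netdata` service (which restarts `unless-stopped`) keeps running with `DOCKER_HOST: "proxy:2375"` pointing at nothing and quietly loses its container metrics; add `restart: "unless-stopped"` beside its `image:` line. Both images are untagged and `pull: "yes"` appears to refetch them on every run, so the container that now holds the only mount of `/var/run/docker.sock` can change underneath the playbook — pinning `tecnativa/docker-socket-proxy` to a tag or digest (`image: "tecnativa/docker-socket-proxy:<tag>"`, placeholder) keeps that boundary reproducible. The `docker_proxy` network exists only to carry traffic between these two services, so if the proxy needs no outbound access, declaring it `docker_proxy: { internal: true }` in block form instead of the bare null value removes its route to anything else. `CONTAINERS : 1` repeats the stray space before the colon from `VIRTUAL_HOST :` and is the only unquoted environment value in the file; `CONTAINERS: "1"` matches `PGID: "999"`.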