From a4a06d8a58bc63d635351875ebd7609178a44a4d Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 18:59:00 +0100 Subject: [PATCH 01/12] Upgrade Watchtower and disable filter by enable label --- roles/docker/tasks/services/watchtower.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 586ce24..c5c63eb 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,13 +2,12 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:1.4.0 + image: containrrr/watchtower:latest restart_policy: unless-stopped + env: + WATCHTOWER_POLL_INTERVAL: 60 networks: - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" - env: - WATCHTOWER_LABEL_ENABLE: "true" - WATCHTOWER_POLL_INTERVAL: "60" \ No newline at end of file From 5d26e1cdea7f9a24edcda4d1aaf1fd3f34626eab Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 20:57:15 +0100 Subject: [PATCH 02/12] Fix mount point for Watchtower The auth file created by the registry login task doesn't need to be stored in a non-default path. --- roles/docker/tasks/services/docker_registry.yml | 3 +-- roles/docker/tasks/services/watchtower.yml | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 975db50..a88a707 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml 
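Review bot: `WATCHTOWER_POLL_INTERVAL: 60` in the new `env:` block is an unquoted integer, while the removed line carried it as the string `"60"`; `docker_container` requires string values for `env`, and current community.docker releases fail the task with "Non-string value found for env option" rather than coercing it. Restore the quotes: `WATCHTOWER_POLL_INTERVAL: "60"`. Separately, dropping `WATCHTOWER_LABEL_ENABLE` puts every container on the host in scope, so any service still running a floating tag is now replaced unattended within roughly a minute of a new push to that tag, and the read-write Docker socket mount below remains host-root-equivalent access for this container. That policy deserves a comment above `env:`, e.g. `# No label filter: Watchtower tracks every container's tag; pin tags per service to control what auto-updates.`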
@@ -28,9 +28,8 @@ args: creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" -- name: log in to local registry +- name: log in to registry docker_login: registry: "{{ docker_registry.domain }}" username: "docker" password: "{{ docker_password }}" - config_path: "{{ docker_registry.volume_folder }}/auth/config.json" diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index c5c63eb..e6afd3d 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -9,5 +9,5 @@ networks: - name: external_services volumes: - - /var/run/docker.sock:/var/run/docker.sock - - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" + - "/var/run/docker.sock:/var/run/docker.sock" + - "/root/.docker/config.json:/config.json:ro" From 27b918b46b010d4eb6aee151695fc8b540a0c2b4 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 21:07:12 +0100 Subject: [PATCH 03/12] Remove labels --- roles/docker/tasks/services/membersystem.yml | 2 -- roles/docker/tasks/services/netdata.yml | 5 ----- roles/docker/tasks/services/rallly.yml | 4 ---- roles/docker/tasks/services/ulovliglogning-dk.yml | 2 -- roles/docker/tasks/services/websites.yml | 13 ------------- 5 files changed, 26 deletions(-) diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index b214abb..66a26b0 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -33,8 +33,6 @@ CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}" DJANGO_ADMINS: "{{ membersystem.django_admins }}" DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}" - labels: - com.centurylinklabs.watchtower.enable: "true" postgres: image: postgres:13-alpine diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index c1eb396..5edcb6c 100644 --- a/roles/docker/tasks/services/netdata.yml 
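Review bot: With `config_path` removed, `docker_login` now writes the credential for registry user `docker` to root's default `/root/.docker/config.json`, where the Docker CLI format stores it as a base64-encoded `auth` string, i.e. effectively plaintext for anything running as root; that is no worse than the dedicated file it replaces, but the default location is also what every root `docker` invocation on the host reads, so the secret is now in the common path rather than a mount-only file. Worth a comment above the task recording that trade-off, e.g. `# Credential lands in /root/.docker/config.json (base64, not encrypted); Watchtower bind-mounts it read-only.`, and confirming the file mode is 0600 after the first run since this module, not the playbook, now decides it.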
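Review bot: The new bind mount `/root/.docker/config.json:/config.json:ro` assumes the file exists when the container is created; if the `docker_login` task in docker_registry.yml has not run first (the ordering of these two task files is not visible here), Docker creates an empty directory at `/root/.docker/config.json` on the host, Watchtower starts with no registry credentials, and the later login fails because it cannot write a file over that directory. Make the dependency explicit, either by ordering the includes so docker_registry.yml runs before this file or with an `ansible.builtin.stat` on the path followed by an `assert` immediately before this task. The `:ro` flag is correct since Watchtower only reads the auth file; note the Docker socket on the line above is still mounted read-write and remains the component that grants this container host-root-equivalent control, so the credential mount adds no privilege it did not already have.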
+++ b/roles/docker/tasks/services/netdata.yml @@ -1,5 +1,4 @@ --- - - name: setup netdata docker container for system monitoring docker_container: name: netdata @@ -21,7 +20,3 @@ LETSENCRYPT_HOST: "{{ netdata.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" PGID: "999" - labels: - com.centurylinklabs.watchtower.enable: "true" - - diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index c5576f5..c083251 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -31,8 +31,6 @@ interval: 5s timeout: 5s retries: 5 - labels: - com.centurylinklabs.watchtower.enable: "true" rallly: image: "lukevella/rallly:latest" @@ -51,8 +49,6 @@ VIRTUAL_PORT: "3000" LETSENCRYPT_HOST: "{{ rallly.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" networks: rallly_internal: diff --git a/roles/docker/tasks/services/ulovliglogning-dk.yml b/roles/docker/tasks/services/ulovliglogning-dk.yml index 0258df6..9b57bbb 100644 --- a/roles/docker/tasks/services/ulovliglogning-dk.yml +++ b/roles/docker/tasks/services/ulovliglogning-dk.yml @@ -9,5 +9,3 @@ VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml index 8c1b793..8938e2d 100644 --- a/roles/docker/tasks/services/websites.yml +++ b/roles/docker/tasks/services/websites.yml @@ -11,9 +11,6 @@ VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - - name: setup new data.coop website using hugo docker_container: 
@@ -26,8 +23,6 @@ VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup new-new data.coop website using unipi docker_container: @@ -47,8 +42,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup 2022.slides.data.coop website using unipi docker_container: @@ -68,8 +61,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptohagen.dk website docker container docker_container: @@ -82,8 +73,6 @@ VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptoaarhus.dk website docker container docker_container: @@ -96,5 +85,3 @@ VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" From e5dcfea003226494b402bb6fc434f73c98858498 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 19 Nov 2022 18:19:43 +0100 Subject: [PATCH 04/12] Pin Watchtower version --- roles/docker/tasks/services/watchtower.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index e6afd3d..370219a 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,7 +2,7 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:latest + image: containrrr/watchtower:amd64-1.5.1 restart_policy: unless-stopped env: WATCHTOWER_POLL_INTERVAL: 60 
From c9ab9f0c66ec3c78a6b6865d565a3cb5bc6551c3 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 19 Nov 2022 18:20:10 +0100 Subject: [PATCH 05/12] Watchtower doesn't need external_services network --- roles/docker/tasks/services/watchtower.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 370219a..6a03679 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -6,8 +6,6 @@ restart_policy: unless-stopped env: WATCHTOWER_POLL_INTERVAL: 60 - networks: - - name: external_services volumes: - "/var/run/docker.sock:/var/run/docker.sock" - "/root/.docker/config.json:/config.json:ro" From d9de1efc9af680491cb66963c3294a1d611e54d2 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:02:30 +0100 Subject: [PATCH 06/12] Pin Gitea to 1.17 instead of 1.17.3 Gitea's "minor" version change seems to be the one that occasionally introduces breaking changes, so let's not update that automatically. Only keep the patch-releases automatically updated. --- roles/docker/tasks/services/gitea.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index aeffae1..1b1efdc 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml @@ -7,7 +7,7 @@ - name: gitea container docker_container: name: gitea - image: gitea/gitea:1.17.3 + image: gitea/gitea:1.17 restart_policy: unless-stopped networks: - name: gitea From 1f619096054d4be4001f3f4181acce83792225f1 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:16:36 +0100 Subject: [PATCH 07/12] Pin HedgeDoc to major version 1 From https://docs.hedgedoc.org/setup/getting-started/#upgrading-hedgedoc > HedgeDoc follows [Semantic Versioning](https://semver.org/). > This means that minor and patch releases should not introduce > user-facing backwards-incompatible changes. --- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index ea7b38d..96e82dc 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -34,7 +34,7 @@ - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:1.9.0 + image: quay.io/hedgedoc/hedgedoc:1 environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ hedgedoc.domain }}" @@ -63,4 +63,4 @@ networks: hedgedoc: external_services: - external: true \ No newline at end of file + external: true From 9261cb1952846052934e5c7daa4ddd8e3d5c9c31 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:34:43 +0100 Subject: [PATCH 08/12] Pin Keycoak to 20.0 (minor version) --- roles/docker/tasks/services/keycloak.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 26a5661..b1169ae 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -19,7 +19,7 @@ POSTGRES_DB: "keycloak" app: - image: "quay.io/keycloak/keycloak:20.0.1" + image: "quay.io/keycloak/keycloak:20.0" restart: "unless-stopped" networks: - "keycloak" From 687bff35e9c90eebb4dfff496d280dd514235ea4 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:00:48 +0100 Subject: [PATCH 09/12] Pin netdata to v1 --- roles/docker/tasks/services/netdata.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index 5edcb6c..3b2a466 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -2,7 +2,7 @@ - name: setup netdata docker container for system monitoring docker_container: name: netdata - image: netdata/netdata + image: netdata/netdata:v1 restart_policy: unless-stopped hostname: "hevonen.servers.{{ base_domain }}" capabilities: From 221ddd987fa68b065d6d7250bd2a1ded03da9580 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:05:01 +0100 Subject: [PATCH 10/12] Upgrade Postfix to 3.5.1 and use Alpine-based image --- roles/docker/tasks/services/postfix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index 9fb9ce8..8b7e77e 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml @@ -10,7 +10,7 @@ - name: setup postfix docker container for outgoing mail docker_container: name: postfix - image: boky/postfix:v3.5.0 + image: boky/postfix:v3.5.1-alpine restart_policy: always networks: - name: postfix From 74dfcfb5e8043344f80d8c10a5b04df47766a1fc Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:09:05 +0100 Subject: [PATCH 11/12] Keycloak: avoid very long lines :( --- roles/docker/tasks/services/keycloak.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index b1169ae..ac1f673 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml 
@@ -25,7 +25,16 @@ - "keycloak" - "postfix" - "external_services" - command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth" + command: + - "start" + - "--db=postgres" + - "--db-url=jdbc:postgresql://postgres:5432/keycloak" + - "--db-username=keycloak" + - "--db-password={{ postgres_passwords.keycloak }}" + - "--hostname={{ keycloak.domain }}" + - "--proxy=edge" + - "--https-port=8080" + - "--http-relative-path=/auth" environment: VIRTUAL_HOST: "{{ keycloak.domain }}" VIRTUAL_PORT: "8080" From 2c9c501562e954f0e033857f5cda7e73be29e9f0 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Tue, 6 Dec 2022 18:06:31 +0100 Subject: [PATCH 12/12] Remove label from Pinafore --- roles/docker/tasks/services/pinafore.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/docker/tasks/services/pinafore.yml b/roles/docker/tasks/services/pinafore.yml index a275f3a..eadb99b 100644 --- a/roles/docker/tasks/services/pinafore.yml +++ b/roles/docker/tasks/services/pinafore.yml @@ -10,5 +10,3 @@ VIRTUAL_PORT: "4002" LETSENCRYPT_HOST: "{{ services.pinafore.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true"
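Review bot: `--db-password={{ postgres_passwords.keycloak }}` places the database password on the container's command line, so it is readable via `docker inspect`, in `ps` on the host (container processes and their argv appear in the host's process table) and in any Ansible diff or verbose output for this task; reflowing the string into a list does not change that exposure. Keycloak accepts the same setting from the `KC_DB_PASSWORD` environment variable, so drop the `- "--db-password=..."` item and add `KC_DB_PASSWORD: "{{ postgres_passwords.keycloak }}"` to the `environment:` block that follows (still recoverable by root through `docker inspect`, but no longer in process listings). If the task that wraps this `app:` definition is not already `no_log: true`, that is worth adding as well; the task header lies outside the hunk.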