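---
# Playbook for the "monitoring" hosts:
#   1. pre_tasks  - create a self-signed TLS key/cert for node_exporter
#   2. roles      - pip + Docker (geerlingguy)
#   3. tasks      - Traefik, traefik-forward-auth and a whoami test container
#
# @author Stéphane Gratias (2021).
#
# Review notes (kept in-line where they apply):
#   - The container tasks use community.docker.docker_container, whose
#     `labels` is a dict, `env_file` is a single path and the restart policy is
#     `restart_policy` (`restart` is a boolean "restart now" flag). The original
#     docker-compose-style list/`restart:` forms would be rejected by the module.
#   - `mode:` values are quoted so YAML never reinterprets the octal literal.
- name: Docker-Compose playbook
  hosts: monitoring
  become: true

  pre_tasks:
    - name: Create node_exporter cert dir
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
      loop:
        - /etc/node_exporter

    - name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: /etc/node_exporter/tls.key
        # Equivalent of: /etc/node_exporter# chmod 644 tls.key
        # NOTE(review): 0644 leaves the private key readable by every local
        # account. It only needs to be readable by the user node_exporter runs
        # as — confirm that user/group and tighten to "0640" (or "0600") then.
        mode: "0644"

    - name: Generate an OpenSSL Certificate Signing Request
      community.crypto.openssl_csr:
        path: /etc/node_exporter/tls.csr
        privatekey_path: /etc/node_exporter/tls.key
        common_name: "{{ inventory_hostname }}.netbird.cloud"

    - name: Generate a Self Signed OpenSSL certificate
      community.crypto.x509_certificate:
        path: /etc/node_exporter/tls.cert
        privatekey_path: /etc/node_exporter/tls.key
        csr_path: /etc/node_exporter/tls.csr
        provider: selfsigned

  roles:
    - role: geerlingguy.pip
      tags: pip
    - role: geerlingguy.docker
      tags: docker

  tasks:
    - name: Ensure Docker is installed and running
      ansible.builtin.service:
        name: docker
        state: started
        enabled: true

    - name: Create Docker network for Traefik (optional, adjust if needed)
      community.docker.docker_network:
        name: traefik_network

    - name: Deploy Traefik container
      community.docker.docker_container:
        name: traefik
        image: traefik:v2.11
        command:
          # --api.insecure=true serves the dashboard/API without any auth, so
          # the 8080 mapping below is bound to loopback only.
          - --api.insecure=true
          - --providers.docker
          # Only containers that opt in with traefik.enable=true are routed;
          # otherwise every container on the network is published by default.
          - --providers.docker.exposedbydefault=false
        ports:
          - "80:80"
          - "127.0.0.1:8080:8080"  # Web UI (optional) — reachable from the host only
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock:ro
        networks:
          - name: traefik_network  # Optional, adapt network name
        restart_policy: unless-stopped

    - name: Deploy Traefik Forward Auth container
      community.docker.docker_container:
        name: forward-auth
        image: thomseddon/traefik-forward-auth:2.2.0
        # NOTE(review): env_file and the bind-mount source are resolved on the
        # target host, so a relative "./" path depends on the remote working
        # directory — an absolute path is the robust choice here.
        env_file: ./traefik-auth-conf.env  # Path to your environment file
        volumes:
          - ./traefik-auth-conf.env:/config.ini:ro  # Configuration file
        labels:
          traefik.enable: "true"
          traefik.http.routers.auth.rule: "Host(`auth.local.net`)"
          # Additional labels for authentication and TLS (uncomment and adjust as needed)
          # traefik.http.routers.auth.entrypoints: https  # Enable HTTPS
          # traefik.http.routers.auth.tls.domains[0].main: your_domain.com  # Main domain
          # traefik.http.routers.auth.tls.domains[0].sans: "*.your_domain.com"  # Wildcard for subdomains
          # traefik.http.routers.auth.tls.certresolver: letsencrypt-resolver  # Use Let's Encrypt
          traefik.http.routers.auth.service: auth@docker
          traefik.http.services.auth.loadbalancer.server.port: "4181"
          traefik.http.middlewares.forward-auth.forwardauth.address: http://forward-auth:4181  # Adjusted container name
          # trustForwardHeader relies on Traefik being the only path to
          # forward-auth (it is not published directly), so X-Forwarded-* is trusted.
          traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader: "true"
          traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders: X-Forwarded-User
          traefik.http.routers.auth.middlewares: forward-auth
        networks:
          - name: traefik_network  # Optional, adapt network name
        restart_policy: unless-stopped

    - name: Deploy Whoami container for testing (optional)
      community.docker.docker_container:
        name: whoami
        image: traefik/whoami
        labels:
          traefik.enable: "true"  # required now that exposedbydefault=false
          traefik.http.routers.whoami.rule: "Host(`whoami.local.net`)"
          traefik.http.routers.whoami.middlewares: forward-auth
        networks:
          - name: traefik_network  # Optional, adapt network name
        restart_policy: unless-stopped

    # ------------------------------------------------------------------
    # Legacy docker-compose tasks, kept disabled. Before re-enabling:
    #   - community.docker.docker_compose `project_src` expects the project
    #     directory, not the docker-compose.yml file itself.
    #   - The two "acme.caserver line" tasks still carry a copy-pasted
    #     lineinfile against /etc/sudoers (regexp '^%wheel', state absent);
    #     run as-is they would delete the %wheel sudoers rule, not touch
    #     the Traefik config. Replace path/regexp before uncommenting.
    # ------------------------------------------------------------------
    # - name: create docker app base dir
    #   ansible.builtin.file:
    #     path: "{{ item }}"
    #     state: directory
    #     mode: "0755"
    #     owner: root
    #     group: root
    #   with_items:
    #     - "{{ dockerapp_tree_base_dir | last }}"
    #     - "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}"
    #     - "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/logs"
    #     - "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/logs/homeserver"
    #   tags:
    #     - docker-compose
    #     - bootstrap_dockerapp_create_base_dir
    #
    # - name: create docker volumes tree for containers
    #   ansible.builtin.file:
    #     path: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/{{ item | default('') }}"
    #     state: directory
    #     mode: "0755"
    #   with_items: "{{ dockerapp_tree_volumes | default([]) }}"
    #   tags:
    #     - docker-compose
    #     - bootstrap_dockerapp_create_app_dir
    #
    # - name: create the main docker-compose file (docker-compose.yml)
    #   ansible.builtin.template:
    #     src: "../templates/docker-compose.yml.j2"
    #     dest: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose-test.yml"
    #     mode: "0600"
    #   tags:
    #     - docker-compose
    #     - bootstrap_dockerapp_configure_docker_compose
    #
    # - name: Run `docker-compose pull`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     pull: true
    #   tags:
    #     - pull
    #
    # - name: Run `docker-compose up`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     build: false
    #   tags:
    #     - pull
    #
    # - name: uncomment acme.caserver line
    #   ansible.builtin.lineinfile:
    #     path: /etc/sudoers      # FIXME: placeholder left from a copy-paste, see note above
    #     state: absent
    #     regexp: '^%wheel'
    #   tags:
    #     - renew-https
    #
    # - name: remove appdata/traefik2/acme/letsencrypt/acme.json file
    #   ansible.builtin.file:
    #     path: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/appdata/traefik2/acme/letsencrypt/acme.json"
    #     state: absent
    #   tags:
    #     - renew-https
    #
    # - name: Run `docker-compose down`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     state: absent
    #   tags:
    #     - renew-https
    #
    # - name: Run `docker-compose up`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     build: false
    #   tags:
    #     - renew-https
    #
    # - name: Wait 5 minutes for new cert/key on acme.json (staging)
    #   ansible.builtin.pause:
    #     seconds: 300
    #   tags:
    #     - renew-https
    #
    # - name: comment acme.caserver line
    #   ansible.builtin.lineinfile:
    #     path: /etc/sudoers      # FIXME: placeholder left from a copy-paste, see note above
    #     state: absent
    #     regexp: '^%wheel'
    #   tags:
    #     - renew-https
    #
    # - name: remove appdata/traefik2/acme/letsencrypt/acme.json file
    #   ansible.builtin.file:
    #     path: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/appdata/traefik2/acme/letsencrypt/acme.json"
    #     state: absent
    #   tags:
    #     - renew-https
    #
    # - name: Run `docker-compose restart traefik`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     restarted: true
    #     services:
    #       - traefik
    #   tags:
    #     - renew-https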