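---
# Docker-Compose playbook for the "monitoring" hosts.
#
#   pre_tasks : self-signed TLS key / CSR / certificate for node_exporter
#               under /etc/node_exporter
#   roles     : geerlingguy.pip and geerlingguy.docker
#   tasks     : Traefik v2, traefik-forward-auth and a whoami test container
#               on a shared Docker network
#
# The commented-out tasks at the end are the older docker-compose based flow
# and are kept for reference only.
#
# @author Stéphane Gratias (2021).
- name: Docker-Compose playbook
  hosts: monitoring
  become: true

  pre_tasks:
    - name: Create node_exporter cert dir
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
      loop:
        - /etc/node_exporter

    - name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: /etc/node_exporter/tls.key
        # Quoted: an unquoted 0644 is a YAML 1.1 octal literal and Ansible
        # warns about it. "0644" reproduces the author's `chmod 644 tls.key`,
        # which leaves the private key readable by every local account on the
        # host; prefer "0640" with `group:` set to the account node_exporter
        # runs as — TODO confirm that account on these hosts before tightening.
        mode: "0644"

    - name: Generate an OpenSSL Certificate Signing Request
      community.crypto.openssl_csr:
        path: /etc/node_exporter/tls.csr
        privatekey_path: /etc/node_exporter/tls.key
        common_name: "{{ inventory_hostname }}.netbird.cloud"

    # Self-signed: scrapers must trust or pin this certificate explicitly.
    # Nothing else in this playbook references tls.cert; presumably the
    # node_exporter web config does — confirm.
    - name: Generate a Self Signed OpenSSL certificate
      community.crypto.x509_certificate:
        path: /etc/node_exporter/tls.cert
        privatekey_path: /etc/node_exporter/tls.key
        csr_path: /etc/node_exporter/tls.csr
        provider: selfsigned

  roles:
    - role: geerlingguy.pip
      tags: pip
    - role: geerlingguy.docker
      tags: docker

  tasks:
    - name: Ensure Docker is installed and running
      ansible.builtin.service:
        name: docker
        state: started
        enabled: true  # `yes` is a YAML 1.1 boolean spelling; `true` is unambiguous

    - name: Create Docker network for Traefik (optional, adjust if needed)
      community.docker.docker_network:
        name: traefik_network

    - name: Deploy Traefik container
      community.docker.docker_container:
        name: traefik
        image: traefik:v2.11
        command:
          # --api.insecure=true serves the dashboard/API with no
          # authentication; combined with the "8080:8080" mapping below it is
          # reachable by anything that can reach the host. Keep this for local
          # testing only, or drop both lines and publish the dashboard through
          # a router protected by the forward-auth middleware.
          - --api.insecure=true
          # The docker provider exposes every container by default
          # (exposedByDefault=true). Adding
          # --providers.docker.exposedByDefault=false and opting containers in
          # with traefik.enable=true is the safer default; whoami below would
          # then need that label too.
          - --providers.docker
        ports:
          - "80:80"
          - "8080:8080"  # Web UI (optional)
        volumes:
          # ":ro" only affects the filesystem node; API calls over the socket
          # still work, so this mount gives the Traefik container control of
          # the Docker daemon. Keep the image pinned and minimal.
          - /var/run/docker.sock:/var/run/docker.sock:ro
        networks:
          - name: traefik_network  # Optional, adapt network name
        restart: unless-stopped

    - name: Deploy Traefik Forward Auth container
      community.docker.docker_container:
        name: forward-auth
        image: thomseddon/traefik-forward-auth:2.2.0
        # env_file is a single path read on the managed host (the module does
        # not take a list). A relative path resolves against the working
        # directory of the remote Ansible process, not the playbook directory —
        # use an absolute path (TODO confirm the intended location). The file
        # holds the OIDC client secret and cookie secret: keep it mode 0600 and
        # out of version control; its values are also visible through
        # `docker inspect` on the host.
        env_file: ./traefik-auth-conf.env  # Path to your environment file
        volumes:
          # Bind-mount sources must be absolute; the Docker API the module
          # talks to does not resolve "./" the way the CLI does (TODO confirm
          # this mount works on these hosts).
          - ./traefik-auth-conf.env:/config.ini:ro  # Configuration file
        # docker_container takes labels as a mapping, not a list of "k=v"
        # strings (a list fails the module's argument check). Label values are
        # strings, so booleans and port numbers are quoted.
        labels:
          traefik.enable: "true"
          traefik.http.routers.auth.rule: "Host(`auth.local.net`)"
          # No TLS entrypoint is configured on the Traefik container (only :80
          # and :8080 are published), so the forward-auth session cookie and
          # the OIDC callback currently travel in clear text; the node_exporter
          # certificate from pre_tasks is not wired into Traefik.
          # Additional labels for authentication and TLS (uncomment and adjust
          # as needed):
          # traefik.http.routers.auth.entrypoints: https  # Enable HTTPS
          # traefik.http.routers.auth.tls.domains[0].main: your_domain.com  # Main domain
          # traefik.http.routers.auth.tls.domains[0].sans: "*.your_domain.com"  # Wildcard for subdomains
          # traefik.http.routers.auth.tls.certresolver: letsencrypt-resolver  # Use Let's Encrypt
          traefik.http.routers.auth.service: auth@docker
          traefik.http.services.auth.loadbalancer.server.port: "4181"
          # Plain HTTP here is container-to-container on traefik_network only.
          traefik.http.middlewares.forward-auth.forwardauth.address: http://forward-auth:4181  # Adjusted container name
          traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader: "true"
          traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders: X-Forwarded-User
          traefik.http.routers.auth.middlewares: forward-auth
        networks:
          - name: traefik_network  # Optional, adapt network name
        restart: unless-stopped

    - name: Deploy Whoami container for testing (optional)
      community.docker.docker_container:
        name: whoami
        # Unpinned tag: pulls whatever "latest" is at run time. Pin a version
        # like the other images once this is more than a throwaway test.
        image: traefik/whoami
        labels:
          traefik.http.routers.whoami.rule: "Host(`whoami.local.net`)"
          traefik.http.routers.whoami.middlewares: forward-auth
        networks:
          - name: traefik_network  # Optional, adapt network name
        restart: unless-stopped

    # ------------------------------------------------------------------
    # Older docker-compose based flow, kept for reference. Not executed.
    # Before reviving any of it note:
    #   * community.docker.docker_compose `project_src` is the directory that
    #     holds docker-compose.yml, not the file itself.
    #   * the template task writes docker-compose-test.yml while the compose
    #     tasks read docker-compose.yml.
    #   * the two "acme.caserver" lineinfile tasks still carry the lineinfile
    #     documentation example (remove the `%wheel` rule from /etc/sudoers);
    #     running them as-is would strip sudo access, not toggle acme.caserver.
    # ------------------------------------------------------------------
    # - name: create docker app base dir
    #   file:
    #     path: "{{ item }}"
    #     state: directory
    #     mode: "0755"
    #     owner: root
    #     group: root
    #   with_items:
    #     - "{{ dockerapp_tree_base_dir | last }}"
    #     - "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}"
    #     - "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/logs"
    #     - "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/logs/homeserver"
    #   tags:
    #     - docker-compose
    #     - bootstrap_dockerapp_create_base_dir

    # - name: create docker volumes tree for containers
    #   file:
    #     path: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/{{ item | default('') }}"
    #     state: directory
    #     mode: "0755"
    #   with_items: "{{ dockerapp_tree_volumes | default([]) }}"
    #   tags:
    #     - docker-compose
    #     - bootstrap_dockerapp_create_app_dir

    # - name: create the main docker-compose file (docker-compose.yml)
    #   template:
    #     src: "../templates/docker-compose.yml.j2"
    #     dest: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose-test.yml"
    #     mode: "0600"
    #   tags:
    #     - docker-compose
    #     - bootstrap_dockerapp_configure_docker_compose

    # - name: Run `docker-compose pull`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     pull: true
    #   tags:
    #     - pull

    # - name: Run `docker-compose up`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     build: false
    #   tags:
    #     - pull

    # - name: uncomment acme.caserver line
    #   # NOTE(review): placeholder body from the lineinfile docs — replace
    #   # path/regexp with the traefik config before uncommenting.
    #   ansible.builtin.lineinfile:
    #     path: /etc/sudoers
    #     state: absent
    #     regexp: '^%wheel'
    #   tags:
    #     - renew-https

    # - name: remove appdata/traefik2/acme/letsencrypt/acme.json file
    #   file:
    #     path: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/appdata/traefik2/acme/letsencrypt/acme.json"
    #     state: absent
    #   tags:
    #     - renew-https

    # - name: Run `docker-compose down`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     state: absent
    #   tags:
    #     - renew-https

    # - name: Run `docker-compose up`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     build: false
    #   tags:
    #     - renew-https

    # - name: Wait 5 minutes for new cert/key in acme.json (staging)
    #   pause:
    #     seconds: 300
    #   tags:
    #     - renew-https

    # - name: comment acme.caserver line
    #   # NOTE(review): same placeholder body as the "uncomment" task above.
    #   ansible.builtin.lineinfile:
    #     path: /etc/sudoers
    #     state: absent
    #     regexp: '^%wheel'
    #   tags:
    #     - renew-https

    # - name: remove appdata/traefik2/acme/letsencrypt/acme.json file
    #   file:
    #     path: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/appdata/traefik2/acme/letsencrypt/acme.json"
    #     state: absent
    #   tags:
    #     - renew-https

    # - name: Run `docker-compose restart traefik`
    #   community.docker.docker_compose:
    #     project_src: "{{ dockerapp_tree_base_dir | last }}/{{ dockerapp_service }}/docker-compose.yml"
    #     restarted: true
    #     services:
    #       - traefik
    #   tags:
    #     - renew-https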