Merge pull request 'Modified roles for use with Traefik' (#1) from feature/treafik into main

Reviewed-on: unhb_admin/ansible#1
This commit is contained in:
erebion 2023-11-20 01:14:54 +01:00
commit 26fb659793
10 changed files with 124 additions and 8 deletions


@ -64,6 +64,8 @@ firewall_ports:
- 64738/udp # Mumble - 64738/udp # Mumble
- 21117/tcp # Rustdesk - 21117/tcp # Rustdesk
traefik_container_name: "traefik"
version: version:
authentik: "2023.10.3" authentik: "2023.10.3"
element_web: "latest" element_web: "latest"


@ -3,7 +3,8 @@
- name: "Install dependencies" - name: "Install dependencies"
ansible.builtin.apt: ansible.builtin.apt:
pkg: pkg:
- docker.io - docker-ce
- apparmor
- name: "Create directory for Authentik with Docker" - name: "Create directory for Authentik with Docker"
ansible.builtin.file: ansible.builtin.file:
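Review bot: `docker-ce` is not in the stock Debian/Ubuntu package sources, so this apt task fails on a host where Docker's apt repository and signing key have not been configured first, and no task on this page does that. If another role sets the repository up, a comment naming it would help, e.g. `# docker-ce comes from the Docker apt repo configured in <ROLE_NAME>`; otherwise add an `ansible.builtin.apt_repository` task (with the key) ahead of this one, or keep the distro `docker.io` package. The same package change appears in the element_web tasks hunk and in the new traefik tasks file further down, so whichever fix is chosen applies to all three.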


@ -8,11 +8,15 @@ ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }}
ExecStartPre=-/usr/bin/docker pull ghcr.io/goauthentik/server:{{ version.authentik }} ExecStartPre=-/usr/bin/docker pull ghcr.io/goauthentik/server:{{ version.authentik }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} \
--network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \ --network authentik_net --publish 127.0.0.1:9000:9000 --publish 127.0.0.1:9443:9443 \
--label "traefik.enable=true" --label "traefik.http.routers.authentik.rule=Host(`auth.un-hack-bar.de`)" \
--label "traefik.http.routers.authentik.entrypoints=websecure" \
--label "traefik.http.routers.authentik.tls.certresolver=letsencrypt" \
--label "traefik.http.services.authentik.loadbalancer.server.port=9000" \
--env-file {{ docker_volumes_dir }}/authentik/authentik.env \ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
-v {{ docker_volumes_dir }}/authentik/media:/media \ -v {{ docker_volumes_dir }}/authentik/media:/media \
-v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
ghcr.io/goauthentik/server:{{ version.authentik }} server ghcr.io/goauthentik/server:{{ version.authentik }} server
ExecStartPost=/usr/bin/bash -c "/bin/sleep 120 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.server }}" ExecStartPost=/usr/bin/bash -c "/bin/sleep 120 && /usr/bin/docker network connect traefik {{ container_names.authentik.server }}"
ExecStop=-/usr/bin/docker stop {{ container_names.authentik.server }} ExecStop=-/usr/bin/docker stop {{ container_names.authentik.server }}
Restart=always Restart=always
RestartSec=60s RestartSec=60s
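Review bot: The container is started on `authentik_net` only and attached to `traefik` 120 s later by ExecStartPost, so Traefik's docker provider first sees a labelled container it cannot reach and, once the container sits on two networks, has no label saying which one to route over (unless the provider's default `network` is set in traefik.toml, which is not on this page); add `--label "traefik.docker.network=traefik" \` next to the other labels so Traefik picks the address on the `traefik` network. An alternative that also removes the 120 s window with a router but no reachable backend is to run with `--network traefik` as the element_web unit now does and connect `authentik_net` in ExecStartPost instead. The unit's [Unit] section and the rest of [Service] lie outside this hunk.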


@ -3,7 +3,8 @@
- name: "Install dependencies" - name: "Install dependencies"
ansible.builtin.apt: ansible.builtin.apt:
pkg: pkg:
- docker.io - docker-ce
- apparmor
- name: "Create directory for Element Web with Docker" - name: "Create directory for Element Web with Docker"
ansible.builtin.file: ansible.builtin.file:


@ -6,14 +6,18 @@ Requires=docker.service
[Service] [Service]
ExecStartPre=-/usr/bin/docker rm --force {{ container_names.element_web.element_web }} ExecStartPre=-/usr/bin/docker rm --force {{ container_names.element_web.element_web }}
ExecStart=/usr/bin/docker run --rm --name {{ container_names.element_web.element_web }} \ ExecStart=/usr/bin/docker run --rm --name {{ container_names.element_web.element_web }} \
--network nginx_net --env-file {{ docker_volumes_dir }}/element_web/element_web.env \ --network traefik --env-file {{ docker_volumes_dir }}/element_web/element_web.env \
--label "traefik.enable=true" --label "traefik.http.routers.element.rule=Host(`chat.un-hack-bar.de`)" \
--label "traefik.http.routers.element.entrypoints=websecure" \
--label "traefik.http.routers.element.tls.certresolver=letsencrypt" \
--label "traefik.http.services.element.loadbalancer.server.port=80" \
--env-file {{ docker_volumes_dir }}/element_web/element_web.env \
-v {{ docker_volumes_dir }}/element_web/config/config.json:/app/config.json:ro \ -v {{ docker_volumes_dir }}/element_web/config/config.json:/app/config.json:ro \
-v {{ docker_volumes_dir }}/element_web/config/unhb.png:/app/unhb.png:ro \ -v {{ docker_volumes_dir }}/element_web/config/unhb.png:/app/unhb.png:ro \
vectorim/element-web:{{ version.element_web }} vectorim/element-web:{{ version.element_web }}
ExecStop=-/usr/bin/docker stop {{ container_names.element_web.element_web }} ExecStop=-/usr/bin/docker stop {{ container_names.element_web.element_web }}
Restart=always Restart=always
RestartSec=60s RestartSec=60s
TimeoutRestartSec=60s
Type=exec Type=exec
[Install] [Install]
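Review bot: `--env-file {{ docker_volumes_dir }}/element_web/element_web.env` is now passed twice, once on the `--network traefik` line and again on the added line below the labels; dropping the standalone added line keeps the unit in the same shape as the authentik one. `TimeoutRestartSec=60s` is not a directive I find in systemd.service; if systemd does not know it, the key is logged as unknown and ignored, so check whether `TimeoutStartSec=` or `TimeoutStopSec=` was meant, or drop the line. The unit header precedes this hunk and the [Install] section continues after it.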


@ -13,7 +13,7 @@ ExecStart=/usr/bin/docker run --rm --name {{ pretix_container_name }} --network
-v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \ -v {{ docker_volumes_dir }}/pretix/conf:/etc/pretix \
pretix/standalone:stable pretix/standalone:stable
ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ pretix_container_name }}" ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ pretix_container_name }}"
ExecStop=/usr/bin/docker stop {{ watchtower_container_name }} ExecStop=/usr/bin/docker stop {{ pretix_container_name }}
Restart=always Restart=always
RestartSec=15s RestartSec=15s
Type=exec Type=exec
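Review bot: The corrected `ExecStop=/usr/bin/docker stop {{ pretix_container_name }}` has no `-` prefix, unlike `ExecStop=-/usr/bin/docker stop …` in the authentik and element_web units, so a stop that fails (for example because the container is already gone) counts as a unit failure instead of being ignored; `ExecStop=-/usr/bin/docker stop {{ pretix_container_name }}` matches the other units. The new traefik unit further down has the same unprefixed ExecStop. The unit header and [Install] section are outside this hunk.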


@ -0,0 +1,7 @@
---
- name: restart-traefik-docker
ansible.builtin.service:
state: restarted
name: traefik.service
tags: molecule-notest


@ -0,0 +1,78 @@
---
- name: "Install dependencies"
ansible.builtin.apt:
pkg:
- docker-ce
- apparmor
- name: "Create directory for Traefik"
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: '0755'
with_items:
- "{{ docker_volumes_dir }}/traefik"
#- name: "Ensure Pretix has access to its files"
# ansible.builtin.file:
# path: "{{ item }}"
# state: file
# owner: 15371
# group: 15371
# mode: '0600'
# with_items:
# - "{{ docker_volumes_dir }}/pretix/data/.secret"
#- name: "Template .env files for Pretix"
# ansible.builtin.template:
# src: "{{ item }}.j2"
# dest: "{{ docker_volumes_dir }}/pretix/{{ item }}"
# force: true
# owner: root
# group: root
# mode: '0660'
# with_items:
# - pretix.env
# - pretix-db.env
# notify: restart-pretix-docker
#- name: "Template Config for Pretix"
# ansible.builtin.template:
# src: "{{ item }}.j2"
# dest: "{{ docker_volumes_dir }}/pretix/conf/{{ item }}"
# force: true
# owner: 15371
# group: 15371
# mode: '0640'
# with_items:
# - pretix.cfg
# notify: restart-pretix-docker
- name: "Template systemd unit files for Traefik"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
force: true
owner: root
group: root
mode: '0644'
with_items:
- traefik.service
register: unit
notify: restart-traefik-docker
- name: "Reload systemd units"
ansible.builtin.systemd:
daemon_reload: yes
when: unit.changed
- name: "Enable systemd units for Pretix"
ansible.builtin.systemd:
state: started
enabled: true
name: "{{ item }}"
with_items:
- traefik.service
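Review bot: The traefik unit bind-mounts `{{ docker_volumes_dir }}/traefik/traefik.toml`, `traefik_dynamic.toml` and `letsencrypt/`, but this task file only creates the `traefik` directory, so on a fresh host Docker creates those mount sources as empty directories and Traefik starts without its configuration; add an `ansible.builtin.template` (or `copy`) task for the two TOML files with `notify: restart-traefik-docker`, plus a `file` task for the `letsencrypt` directory, before the unit is templated. The task name `Enable systemd units for Pretix` and the commented-out Pretix block are copy-paste leftovers from the pretix role and should be renamed and removed. `daemon_reload: yes` should read `daemon_reload: true` to match the `enabled: true` below it.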


@ -0,0 +1,18 @@
[Unit]
Description=Traefik with Docker
After=docker.service
Requires=docker.service
[Service]
ExecStartPre=-/usr/bin/docker rm --force {{ traefik_container_name }}
ExecStart=/usr/bin/docker run --rm --name {{ traefik_container_name }} \
-v /var/run/docker.sock:/var/run/docker.sock -v {{ docker_volumes_dir }}/traefik/traefik.toml:/traefik.toml \
-v {{ docker_volumes_dir }}/traefik/traefik_dynamic.toml:/traefik_dynamic.toml -v {{ docker_volumes_dir }}/traefik/letsencrypt/:/letsencrypt \
-p 80:80 -p 443:443 -p 8448:8448 --network traefik traefik:v2.10.5
ExecStop=/usr/bin/docker stop {{ traefik_container_name }}
Restart=always
RestartSec=15s
Type=exec
[Install]
WantedBy=multi-user.target
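Review bot: `-v /var/run/docker.sock:/var/run/docker.sock` gives the Traefik container full control of the Docker daemon, which is root-equivalent on the host; the usual mitigation is to point the docker provider at a socket proxy that exposes only the read-only endpoints it needs, since a `:ro` bind mount of the socket does not restrict the API calls made over it. Separately, `--network traefik` requires that Docker network to exist beforehand, and no task on this page creates it although the authentik and element_web units also join it; unless it is created elsewhere, the role should create it, e.g. with `community.docker.docker_network` or an `ExecStartPre=-/usr/bin/docker network create traefik` line. `ExecStop=` here lacks the `-` prefix used by the authentik and element_web units.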


@ -18,8 +18,8 @@
remote_user: root remote_user: root
roles: roles:
- watchtower_docker - watchtower_docker # Needs changes when migrating to Traefik
- pretix_docker - pretix_docker # Needs changes when migrating to Traefik
- name: Set up roles on unhb4 - name: Set up roles on unhb4
hosts: unhb4 hosts: unhb4
@ -28,3 +28,4 @@
roles: roles:
- authentik_docker - authentik_docker
- element_web_docker - element_web_docker
- traefik_docker
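Review bot: `traefik_docker` is appended after `authentik_docker` and `element_web_docker`, whose units now start on or connect to the `traefik` network and publish routes for Traefik; if the traefik role is where that network and Traefik itself are set up, listing it first lets a first run on a fresh host converge in one pass instead of leaving the dependent units failing until the later role has run. The `# Needs changes when migrating to Traefik` comments on the unhb host would be more actionable if they named what has to change, e.g. `# still connects to nginx_net in ExecStartPost`.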