Stefan Haun
8855f7cc10
There seem to be compatibility issues with container updates within the same tag. These updates happen every time we run Ansible and are usually desired, as they can fix security issues (esp. in the base image). However, if the update cannot be trusted to run without manual intervention, we have to pin the version and check for updates manually.
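---
# Playbook for tau.netz39.de: Docker network, Let's Encrypt certificates
# (dehydrated), phpMyAdmin, a private Docker registry, Dokuwiki and a
# secondary FFMD DNS. Every task runs with privilege escalation (become).
- hosts: tau.netz39.de
  become: true

  vars:
    ansible_python_interpreter: /usr/bin/python3

    # Root of all persistent container data; the registry and Dokuwiki
    # directories below are expected to be restored from backup.
    data_dir: "/srv/data"

    docker_registry_port: 5000  # this is the reg standard port
    docker_registry_domain: "docker.n39.eu"

    dokuwiki_domain: "wiki.netz39.de"
    dokuwiki_port: 9005
    # This container is pinned, because there are issues
    # with backwards compatibility within the same tag!
    # The @sha256 digest makes the pin immutable (a tag alone can be re-pushed),
    # so base-image security fixes have to be picked up by updating this line.
    dokuwiki_image: "bitnami/dokuwiki:20220731@sha256:989ab52cf2d2e0f84166e114ca4ce88f59546b8f6d34958905f8d81c18cbd759"

  roles:
    - role: docker_setup
    - role: apache
    - role: penguineer.dehydrated_cron

  tasks:
    - name: Setup docker network
      docker_network:
        name: dockernet
        driver: bridge
        ipam_config:
          - subnet: 192.168.0.0/24
            gateway: 192.168.0.1
        state: present

    - name: Setup Dehydrated
      include_role:
        name: ansible-role-dehydrated
      vars:
        dehydrated_contact_email: "{{ server_admin }}"
        # Apache is restarted after each challenge so the new certificate is loaded.
        dehydrated_domains:
          - name: "testredmine.netz39.de"
            deploy_challenge_hook: "/bin/systemctl restart apache2"
          - name: "mysql.adm.netz39.de"
            deploy_challenge_hook: "/bin/systemctl restart apache2"
          - name: "{{ docker_registry_domain }}"
            deploy_challenge_hook: "/bin/systemctl restart apache2"
          - name: "{{ dokuwiki_domain }}"
            deploy_challenge_hook: "/bin/systemctl restart apache2"

    - name: Setup proxy site testredmine.netz39.de
      include_role:
        name: setup_http_site_proxy
      vars:
        site_name: testredmine.netz39.de
        proxy_port: 9004

    - name: Setup phpmyadmin
      docker_container:
        name: phpmyadmin
        state: started
        image: "phpmyadmin:5.0"
        networks_cli_compatible: true
        networks:
          - name: dockernet
        restart_policy: always
        env:
          TZ: "{{ timezone }}"
          # The MySQL server is reached via the dockernet gateway, i.e. the host.
          PMA_HOST: 192.168.0.1
          MYSQL_ROOT_PASSWORD: "{{ mysql_root_pw }}"
          PMA_ABSOLUTE_URI: "https://mysql.adm.netz39.de"
        published_ports:
          # NOTE(review): unlike the registry and Dokuwiki containers below this
          # mapping is not bound to 127.0.0.1, so port 9001 is reachable on every
          # host interface and not only through the TLS proxy site configured
          # in the next task. Confirm whether "127.0.0.1:9001:80" is intended.
          - "9001:80"

    - name: Setup proxy site mysql.adm.netz39.de
      include_role:
        name: setup_http_site_proxy
      vars:
        site_name: mysql.adm.netz39.de
        proxy_port: 9001

    # The htpasswd file lives in the auth dir; without it the registry would
    # come up without authentication, so refuse to continue instead.
    - name: Check if Docker Registry auth dir exists
      ansible.builtin.stat:
        path: "{{ data_dir }}/registry/auth"
      register: docker_dir

    - name: Fail if Docker Registry auth dir does not exist
      ansible.builtin.fail:
        msg: "Docker Registry auth dir is missing, please restore from the backup!"
      when: not docker_dir.stat.exists

    - name: Ensure the Docker Registry data directory exists
      # This may not be part of the backup
      file:
        path: "{{ data_dir }}/registry/data"
        state: directory
        mode: "0755"

    - name: Setup Docker Registry Container
      docker_container:
        name: registry
        image: "registry:2"
        pull: true
        state: started
        restart_policy: unless-stopped
        detach: true
        published_ports:
          # Loopback only: clients reach the registry through the TLS proxy site.
          - "127.0.0.1:{{ docker_registry_port }}:{{ docker_registry_port }}"
        env:
          TZ: "{{ timezone }}"
          REGISTRY_HTTP_HOST: "https://{{ docker_registry_domain }}"
          REGISTRY_AUTH_HTPASSWD_REALM: "Netz39 Docker Registry"
          REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
        volumes:
          - "{{ data_dir }}/registry/data:/var/lib/registry:rw"
          - "{{ data_dir }}/registry/auth:/auth:rw"

    - name: Setup proxy site for the Docker Registry
      include_role:
        name: setup_http_site_proxy
      vars:
        site_name: "{{ docker_registry_domain }}"
        proxy_port: "{{ docker_registry_port }}"

    - name: Check if Dokuwiki data dir exists
      ansible.builtin.stat:
        path: "{{ data_dir }}/dokuwiki"
      register: dokuwiki_dir

    - name: Fail if Dokuwiki data dir does not exist
      ansible.builtin.fail:
        msg: "Dokuwiki data dir is missing, please restore from the backup!"
      when: not dokuwiki_dir.stat.exists

    - name: Set correct user for Dokuwiki data
      ansible.builtin.file:
        path: "{{ data_dir }}/dokuwiki"
        owner: "1001"  # According to container config
        recurse: true

    - name: Setup Dokuwiki Container
      docker_container:
        name: dokuwiki
        image: "{{ dokuwiki_image }}"
        pull: true
        state: started
        restart_policy: unless-stopped
        detach: true
        published_ports:
          # Loopback only: clients reach Dokuwiki through the TLS proxy site.
          - "127.0.0.1:{{ dokuwiki_port }}:8080"
        volumes:
          - "{{ data_dir }}/dokuwiki:/bitnami/dokuwiki:rw"
        # No application settings are passed via env, because the data directory
        # is copied in and the container is never created from scratch;
        # only the timezone is set here.
        env:
          TZ: "{{ timezone }}"

    - name: Setup proxy site for Dokuwiki
      include_role:
        name: setup_http_site_proxy
      vars:
        site_name: "{{ dokuwiki_domain }}"
        proxy_port: "{{ dokuwiki_port }}"

    - name: Setup container for secondary FFMD DNS
      docker_container:
        name: bind9-md-freifunk-net
        image: "ffmd/bind9-md-freifunk-net:2022111601"
        pull: true
        state: started
        restart_policy: unless-stopped
        detach: true
        published_ports:
          # Intentionally reachable from outside: this is a public secondary DNS.
          - "53:53/udp"
        env:
          TZ: "{{ timezone }}"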