netz39-infra-ansible/host-tau.yml
Stefan Haun 8855f7cc10 🚑 Pin Dokuwiki container to specific digest
There seem to be compatibility issues with container updates within the
same tag. These updates happen every time we run Ansible and are usually
desired, as they can fix security issues (esp. in the base image).

However, if the update cannot be trusted to run without manual intervention,
we have to pin the version and check for updates manually.
2022-11-18 17:12:13 +01:00


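---
# Playbook for tau.netz39.de: a Docker host running phpMyAdmin, the private
# Docker Registry, Dokuwiki and a secondary FFMD DNS. The web services are
# published behind the apache proxy (role setup_http_site_proxy) and get their
# certificates from dehydrated; the dedicated proxy tasks are further below.
- hosts: tau.netz39.de
  become: true

  vars:
    ansible_python_interpreter: /usr/bin/python3
    data_dir: "/srv/data"

    docker_registry_port: 5000  # this is the reg standard port
    docker_registry_domain: "docker.n39.eu"

    dokuwiki_domain: "wiki.netz39.de"
    dokuwiki_port: 9005
    # This container is pinned, because there are issues
    # with backwards compatibility within the same tag!
    # An update therefore means changing the digest here on purpose (after
    # checking the release), not receiving whatever the tag currently points to.
    dokuwiki_image: "bitnami/dokuwiki:20220731@sha256:989ab52cf2d2e0f84166e114ca4ce88f59546b8f6d34958905f8d81c18cbd759"

  roles:
    - role: docker_setup
    - role: apache
    - role: penguineer.dehydrated_cron

  tasks:
    - name: Setup docker network
      docker_network:
        name: dockernet
        driver: bridge
        ipam_config:
          - subnet: 192.168.0.0/24
            gateway: 192.168.0.1
        state: present

    - name: Setup Dehydrated
      ansible.builtin.include_role:
        name: ansible-role-dehydrated
      vars:
        dehydrated_contact_email: "{{ server_admin }}"
        # One entry per proxied site; the hook restarts apache2 after each
        # challenge deployment.
        dehydrated_domains:
          - name: "testredmine.netz39.de"
            deploy_challenge_hook: "/bin/systemctl restart apache2"
          - name: "mysql.adm.netz39.de"
            deploy_challenge_hook: "/bin/systemctl restart apache2"
          - name: "{{ docker_registry_domain }}"
            deploy_challenge_hook: "/bin/systemctl restart apache2"
          - name: "{{ dokuwiki_domain }}"
            deploy_challenge_hook: "/bin/systemctl restart apache2"

    - name: Setup proxy site testredmine.netz39.de
      ansible.builtin.include_role:
        name: setup_http_site_proxy
      vars:
        site_name: testredmine.netz39.de
        proxy_port: 9004

    - name: Setup phpmyadmin
      docker_container:
        name: phpmyadmin
        state: started
        image: phpmyadmin:5.0
        networks_cli_compatible: true
        networks:
          - name: dockernet
        restart_policy: always
        env:
          TZ: "{{ timezone }}"
          # Gateway address of dockernet (see "Setup docker network" above).
          PMA_HOST: "192.168.0.1"
          # Root credentials are handed to the container as an environment
          # variable, i.e. they are visible in the container configuration.
          MYSQL_ROOT_PASSWORD: "{{ mysql_root_pw }}"
          PMA_ABSOLUTE_URI: "https://mysql.adm.netz39.de"
        published_ports:
          # NOTE(review): no 127.0.0.1 prefix here, unlike the registry and
          # Dokuwiki ports below, so phpMyAdmin is published on all interfaces
          # and not only reachable through the apache proxy — confirm that a
          # host firewall covers port 9001 or bind it to 127.0.0.1 as well.
          - "9001:80"

    - name: Setup proxy site mysql.adm.netz39.de
      ansible.builtin.include_role:
        name: setup_http_site_proxy
      vars:
        site_name: mysql.adm.netz39.de
        proxy_port: 9001

    # The htpasswd file for the registry is restored from the backup, never
    # generated here; abort early if it is missing.
    - name: Check if Docker Registry auth dir exists
      ansible.builtin.stat:
        path: "{{ data_dir }}/registry/auth"
      register: docker_dir

    - name: Fail if docker registry data dir does not exist
      ansible.builtin.fail:
        msg: "Docker Registry auth dir is missing, please restore from the backup!"
      when: not docker_dir.stat.exists

    - name: Ensure the Docker Registry data directory exists
      # This may not be part of the backup
      ansible.builtin.file:
        path: "{{ data_dir }}/registry/data"
        state: directory
        mode: "0755"

    - name: Setup Docker Registry Container
      docker_container:
        name: registry
        image: "registry:2"
        pull: true
        state: started
        restart_policy: unless-stopped
        detach: true
        # Bound to localhost only; the apache proxy task below exposes it.
        ports:
          - "127.0.0.1:{{ docker_registry_port }}:{{ docker_registry_port }}"
        env:
          TZ: "{{ timezone }}"
          REGISTRY_HTTP_HOST: "https://{{ docker_registry_domain }}"
          REGISTRY_AUTH_HTPASSWD_REALM: "Netz39 Docker Registry"
          REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
        volumes:
          - "{{ data_dir }}/registry/data:/var/lib/registry:rw"
          - "{{ data_dir }}/registry/auth:/auth:rw"

    - name: Setup proxy site for the Docker Registry
      ansible.builtin.include_role:
        name: setup_http_site_proxy
      vars:
        site_name: "{{ docker_registry_domain }}"
        proxy_port: "{{ docker_registry_port }}"

    - name: Check if Dokuwiki data dir exists
      ansible.builtin.stat:
        path: "{{ data_dir }}/dokuwiki"
      register: dokuwiki_dir

    - name: Fail if Dokuwiki data dir does not exist
      ansible.builtin.fail:
        msg: "Dokuwiki data dir is missing, please restore from the backup!"
      when: not dokuwiki_dir.stat.exists

    - name: Set correct user for Dokuwiki data
      ansible.builtin.file:
        path: "{{ data_dir }}/dokuwiki"
        owner: "1001"  # According to container config
        recurse: true

    - name: Setup Dokuwiki Container
      docker_container:
        name: dokuwiki
        # Pinned by digest (see vars above), so "pull" only re-verifies the
        # same image instead of following the tag.
        image: "{{ dokuwiki_image }}"
        pull: true
        state: started
        restart_policy: unless-stopped
        detach: true
        # Bound to localhost only; the apache proxy task below exposes it.
        ports:
          - "127.0.0.1:{{ dokuwiki_port }}:8080"
        # Only TZ is set in env: the data directory is restored from the
        # backup (volume below), so the container is never initialised from
        # scratch and no setup variables are needed.
        volumes:
          - "{{ data_dir }}/dokuwiki:/bitnami/dokuwiki:rw"
        env:
          TZ: "{{ timezone }}"

    - name: Setup proxy site for Dokuwiki
      ansible.builtin.include_role:
        name: setup_http_site_proxy
      vars:
        site_name: "{{ dokuwiki_domain }}"
        proxy_port: "{{ dokuwiki_port }}"

    - name: Setup container for secondary FFMD DNS
      docker_container:
        name: bind9-md-freifunk-net
        image: "ffmd/bind9-md-freifunk-net:2022111601"
        pull: true
        state: started
        restart_policy: unless-stopped
        detach: true
        # Authoritative DNS is meant to be reachable from outside, hence no
        # localhost binding here.
        ports:
          - "53:53/udp"
        env:
          TZ: "{{ timezone }}"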