Add Traefik
parent
3ed115b410
commit
e3a9a64675
8
all.yml
8
all.yml
|
@ -10,9 +10,9 @@
|
||||||
tags: ["ufw"]
|
tags: ["ufw"]
|
||||||
- role: fail2ban
|
- role: fail2ban
|
||||||
tags: ["fail2ban"]
|
tags: ["fail2ban"]
|
||||||
|
|
||||||
- hosts: all
|
|
||||||
become: yes
|
|
||||||
roles:
|
|
||||||
- role: "node-exporter"
|
- role: "node-exporter"
|
||||||
tags: ["node-exporter"]
|
tags: ["node-exporter"]
|
||||||
|
- role: "docker"
|
||||||
|
tags: ["docker"]
|
||||||
|
- role: "traefik"
|
||||||
|
tags: ["docker", "traefik"]
|
||||||
|
|
|
@ -1,10 +1,22 @@
|
||||||
|
---
|
||||||
|
base_user_name: chosto
|
||||||
ihl_base_users:
|
ihl_base_users:
|
||||||
- name: chosto
|
- name: "{{ base_user_name }}"
|
||||||
group: chosto
|
group: "{{ base_user_name }}"
|
||||||
groups:
|
groups:
|
||||||
- sudo
|
- sudo
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6fs07sdt9PbzzQ6IA2tkbPLqspaWXAMLzUK/LtXQBhN/+q4Bxz4I4eUyF7regsWgvOObjKoMilGfOXi2Q8ZZIXZ3DBqSMJpYkwVC0qqU3YJfVLhNa1NU5m+QYqhmREu8HIIFty4jZRTmkAxjy5Zv8af4l3q0VEWUxGV0MoDsJYroao5UcOPKo/Qv75ZIy7x4KWLcXMM1jYLczjF0E6XR99aOWex1XuAvW5bDS9wC+fAN/nMRS7A6Wsvt2tyth9lR40fM0IaUjG+TjQ2CCbmp7zFBpa0LQcCktksSXpfd4Vj6eczHz7N+l1V+inbAd99s84K7LKoTH0tXv02c42XSK52pVBUzyif2EO85dgHJ3NFmTcNdRJ1v5bSRu3vm0Gcq0kgWjYZq2TCHUYOkm5WWdJuDLIbPLydaSr8LGfv+QqL6RHJnKBt5CZ5Nrrei/ZPTjZCm/OgCrmbMQQeoSpE8ZBEMSlN5An5+ZuaR7BPfCNFoQK/mcbA2cqs6ZiNUQdoeb93DAbsQMqDtCnevDf7hbiy282rRMkRYX5Cj6vt3jpUKS7vwoDMIKWYAOKASPZ2IgvC6Buj8aE4p24qR3xbiTHF4iJyxdo2B/x1pwT+kRmCdmCK5XnlkrQfrwP1Kkaiz88XOxkqfsvpRWd1JUUcipYbO+7zTvVQZkLnKZ2AzciQ== quentinduchemin@tuta.io
|
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6fs07sdt9PbzzQ6IA2tkbPLqspaWXAMLzUK/LtXQBhN/+q4Bxz4I4eUyF7regsWgvOObjKoMilGfOXi2Q8ZZIXZ3DBqSMJpYkwVC0qqU3YJfVLhNa1NU5m+QYqhmREu8HIIFty4jZRTmkAxjy5Zv8af4l3q0VEWUxGV0MoDsJYroao5UcOPKo/Qv75ZIy7x4KWLcXMM1jYLczjF0E6XR99aOWex1XuAvW5bDS9wC+fAN/nMRS7A6Wsvt2tyth9lR40fM0IaUjG+TjQ2CCbmp7zFBpa0LQcCktksSXpfd4Vj6eczHz7N+l1V+inbAd99s84K7LKoTH0tXv02c42XSK52pVBUzyif2EO85dgHJ3NFmTcNdRJ1v5bSRu3vm0Gcq0kgWjYZq2TCHUYOkm5WWdJuDLIbPLydaSr8LGfv+QqL6RHJnKBt5CZ5Nrrei/ZPTjZCm/OgCrmbMQQeoSpE8ZBEMSlN5An5+ZuaR7BPfCNFoQK/mcbA2cqs6ZiNUQdoeb93DAbsQMqDtCnevDf7hbiy282rRMkRYX5Cj6vt3jpUKS7vwoDMIKWYAOKASPZ2IgvC6Buj8aE4p24qR3xbiTHF4iJyxdo2B/x1pwT+kRmCdmCK5XnlkrQfrwP1Kkaiz88XOxkqfsvpRWd1JUUcipYbO+7zTvVQZkLnKZ2AzciQ== quentinduchemin@tuta.io
|
||||||
|
|
||||||
ihl_base_ssh_users:
|
ihl_base_ssh_users:
|
||||||
- chosto
|
- "{{ base_user_name }}"
|
||||||
|
|
||||||
|
docker_edition: 'ce'
|
||||||
|
docker_package_state: present
|
||||||
|
docker_service_state: started
|
||||||
|
docker_service_enabled: true
|
||||||
|
docker_restart_handler_state: restarted
|
||||||
|
docker_install_compose: true
|
||||||
|
docker_compose_version: "1.28.5"
|
||||||
|
docker_users:
|
||||||
|
- "{{ base_user_name }}"
|
||||||
|
|
|
@ -1,7 +1,16 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
33343337653333343366613634323137303835383230363964333832666562633230656233636530
|
66363166326338646463393939653335373564616361303565363066633931333637656330616636
|
||||||
3462643333626535363437656337363239653533633830320a633762323565393235616431626361
|
3031633235313930666138646662643036376662613139340a396466303434386232663131346466
|
||||||
65313861666266313336626537383636666566383634363234613532373631343061323837633636
|
35653261386639623264646331363037336439373065323437663039333635633430323938363861
|
||||||
3762333033636462330a323362323034336365326432373030626634396265343365393162326538
|
6631656433626432320a303938333734373961333264663835316134326464643365393963613036
|
||||||
33663862303831646239383735353766616464386532346665316664376434666363633034396363
|
30306337373636366336373736633233393466323663306331343762336465373737383536393735
|
||||||
3763316133353034653439316538383563353739323132626164
|
35353837316264663461643733653536346537333731646436646566656538643661623530323536
|
||||||
|
62646665303566633461343739626332326334636531336264636533353431393436336333393564
|
||||||
|
30353062326434613663373730656431623638333537383031343837353231323665666432356166
|
||||||
|
31653432383261396664383863623864633633373431356363656131313862336364343061393730
|
||||||
|
38666236323237626536313739643063303838653636613037383465663163313061326532356239
|
||||||
|
32363966323363353233356631363033616462313036376663383833636331353763373132303031
|
||||||
|
38653866303636633163303064343239663330666537333833373630326335323261356534643062
|
||||||
|
30363463643162623736373233633661623530353037353430376535636361336534353936336136
|
||||||
|
61346235373034626563343637336166633531373939636366666666616338396339353535323032
|
||||||
|
623138313638333138323638336365643930
|
||||||
|
|
|
@ -3,8 +3,16 @@ firewall_in_ports:
|
||||||
- "443"
|
- "443"
|
||||||
- "{{ ssh_port }}"
|
- "{{ ssh_port }}"
|
||||||
|
|
||||||
hostname: chosto
|
hostname: "{{ base_user_name }}"
|
||||||
|
|
||||||
ssh_port: "2220"
|
ssh_port: "2220"
|
||||||
|
|
||||||
prometheus_server_ip: "51.178.182.35"
|
prometheus_server_ip: "51.178.182.35"
|
||||||
|
|
||||||
|
docker_files: "/home/{{ base_user_name }}/docker"
|
||||||
|
|
||||||
|
traefik_network: proxy
|
||||||
|
|
||||||
|
domain_name: new.chosto.me
|
||||||
|
|
||||||
|
letsencrypt_email: quentinduchemin@tuta.io
|
||||||
|
|
|
@ -21,11 +21,5 @@ docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker
|
||||||
docker_apt_ignore_key_error: true
|
docker_apt_ignore_key_error: true
|
||||||
docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
|
docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
|
||||||
|
|
||||||
# Used only for RedHat/CentOS/Fedora.
|
|
||||||
docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo
|
|
||||||
docker_yum_repo_enable_nightly: '0'
|
|
||||||
docker_yum_repo_enable_test: '0'
|
|
||||||
docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg
|
|
||||||
|
|
||||||
# A list of users who will be added to the docker group.
|
# A list of users who will be added to the docker group.
|
||||||
docker_users: []
|
docker_users: []
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
- name: restart docker
|
- name: Restart docker
|
||||||
service: "name=docker state={{ docker_restart_handler_state }}"
|
service: "name=docker state={{ docker_restart_handler_state }}"
|
|
@ -1,7 +1,4 @@
|
||||||
---
|
---
|
||||||
- include_tasks: setup-RedHat.yml
|
|
||||||
when: ansible_os_family == 'RedHat'
|
|
||||||
|
|
||||||
- include_tasks: setup-Debian.yml
|
- include_tasks: setup-Debian.yml
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
|
@ -9,7 +6,14 @@
|
||||||
package:
|
package:
|
||||||
name: "{{ docker_package }}"
|
name: "{{ docker_package }}"
|
||||||
state: "{{ docker_package_state }}"
|
state: "{{ docker_package_state }}"
|
||||||
notify: restart docker
|
notify: Restart docker
|
||||||
|
|
||||||
|
- name: Install Docker and Compose pip package
|
||||||
|
pip:
|
||||||
|
name: "{{ item }}"
|
||||||
|
loop:
|
||||||
|
- docker
|
||||||
|
- docker-compose
|
||||||
|
|
||||||
- name: Ensure Docker is started and enabled at boot.
|
- name: Ensure Docker is started and enabled at boot.
|
||||||
service:
|
service:
|
|
@ -22,17 +22,6 @@
|
||||||
register: add_repository_key
|
register: add_repository_key
|
||||||
ignore_errors: "{{ docker_apt_ignore_key_error }}"
|
ignore_errors: "{{ docker_apt_ignore_key_error }}"
|
||||||
|
|
||||||
- name: Ensure curl is present (on older systems without SNI).
|
|
||||||
package: name=curl state=present
|
|
||||||
when: add_repository_key is failed
|
|
||||||
|
|
||||||
- name: Add Docker apt key (alternative for older systems without SNI).
|
|
||||||
shell: >
|
|
||||||
curl -sSL {{ docker_apt_gpg_key }} | sudo apt-key add -
|
|
||||||
args:
|
|
||||||
warn: false
|
|
||||||
when: add_repository_key is failed
|
|
||||||
|
|
||||||
- name: Add Docker repository.
|
- name: Add Docker repository.
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: "{{ docker_apt_repository }}"
|
repo: "{{ docker_apt_repository }}"
|
|
@ -1,3 +0,0 @@
|
||||||
skip_list:
|
|
||||||
- '306'
|
|
||||||
- '106'
|
|
|
@ -1,4 +0,0 @@
|
||||||
# These are supported funding model platforms
|
|
||||||
---
|
|
||||||
github: geerlingguy
|
|
||||||
patreon: geerlingguy
|
|
|
@ -1,56 +0,0 @@
|
||||||
# Configuration for probot-stale - https://github.com/probot/stale
|
|
||||||
---
|
|
||||||
# Number of days of inactivity before an Issue or Pull Request becomes stale
|
|
||||||
daysUntilStale: 90
|
|
||||||
|
|
||||||
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
|
|
||||||
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
|
|
||||||
daysUntilClose: 30
|
|
||||||
|
|
||||||
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
|
|
||||||
onlyLabels: []
|
|
||||||
|
|
||||||
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
|
|
||||||
exemptLabels:
|
|
||||||
- pinned
|
|
||||||
- security
|
|
||||||
- planned
|
|
||||||
|
|
||||||
# Set to true to ignore issues in a project (defaults to false)
|
|
||||||
exemptProjects: false
|
|
||||||
|
|
||||||
# Set to true to ignore issues in a milestone (defaults to false)
|
|
||||||
exemptMilestones: false
|
|
||||||
|
|
||||||
# Set to true to ignore issues with an assignee (defaults to false)
|
|
||||||
exemptAssignees: false
|
|
||||||
|
|
||||||
# Label to use when marking as stale
|
|
||||||
staleLabel: stale
|
|
||||||
|
|
||||||
# Limit the number of actions per hour, from 1-30. Default is 30
|
|
||||||
limitPerRun: 30
|
|
||||||
|
|
||||||
pulls:
|
|
||||||
markComment: |-
|
|
||||||
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
|
|
||||||
|
|
||||||
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
|
|
||||||
|
|
||||||
unmarkComment: >-
|
|
||||||
This pull request is no longer marked for closure.
|
|
||||||
|
|
||||||
closeComment: >-
|
|
||||||
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
|
|
||||||
|
|
||||||
issues:
|
|
||||||
markComment: |-
|
|
||||||
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
|
|
||||||
|
|
||||||
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
|
|
||||||
|
|
||||||
unmarkComment: >-
|
|
||||||
This issue is no longer marked for closure.
|
|
||||||
|
|
||||||
closeComment: >-
|
|
||||||
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
|
|
|
@ -1,72 +0,0 @@
|
||||||
---
|
|
||||||
name: CI
|
|
||||||
'on':
|
|
||||||
pull_request:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- master
|
|
||||||
schedule:
|
|
||||||
- cron: "0 7 * * 0"
|
|
||||||
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: 'geerlingguy.docker'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
|
|
||||||
lint:
|
|
||||||
name: Lint
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Check out the codebase.
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: 'geerlingguy.docker'
|
|
||||||
|
|
||||||
- name: Set up Python 3.
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: '3.x'
|
|
||||||
|
|
||||||
- name: Install test dependencies.
|
|
||||||
run: pip3 install yamllint ansible-lint
|
|
||||||
|
|
||||||
- name: Lint code.
|
|
||||||
run: |
|
|
||||||
yamllint .
|
|
||||||
ansible-lint
|
|
||||||
|
|
||||||
molecule:
|
|
||||||
name: Molecule
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
strategy:
|
|
||||||
matrix:
|
|
||||||
distro:
|
|
||||||
- centos8
|
|
||||||
- centos7
|
|
||||||
- ubuntu2004
|
|
||||||
- ubuntu1804
|
|
||||||
- debian10
|
|
||||||
- debian9
|
|
||||||
- fedora31
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Check out the codebase.
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: 'geerlingguy.docker'
|
|
||||||
|
|
||||||
- name: Set up Python 3.
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: '3.x'
|
|
||||||
|
|
||||||
- name: Install test dependencies.
|
|
||||||
run: pip3 install ansible molecule[docker] docker
|
|
||||||
|
|
||||||
- name: Run Molecule tests.
|
|
||||||
run: molecule test
|
|
||||||
env:
|
|
||||||
PY_COLORS: '1'
|
|
||||||
ANSIBLE_FORCE_COLOR: '1'
|
|
||||||
MOLECULE_DISTRO: ${{ matrix.distro }}
|
|
|
@ -1,38 +0,0 @@
|
||||||
---
|
|
||||||
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
|
|
||||||
# repository or organization.
|
|
||||||
#
|
|
||||||
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
|
|
||||||
# See: https://github.com/ansible/galaxy/issues/46
|
|
||||||
|
|
||||||
name: Release
|
|
||||||
'on':
|
|
||||||
push:
|
|
||||||
tags:
|
|
||||||
- '*'
|
|
||||||
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: 'geerlingguy.docker'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
|
|
||||||
release:
|
|
||||||
name: Release
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Check out the codebase.
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
path: 'geerlingguy.docker'
|
|
||||||
|
|
||||||
- name: Set up Python 3.
|
|
||||||
uses: actions/setup-python@v2
|
|
||||||
with:
|
|
||||||
python-version: '3.x'
|
|
||||||
|
|
||||||
- name: Install Ansible.
|
|
||||||
run: pip3 install ansible-base
|
|
||||||
|
|
||||||
- name: Trigger a new import on Galaxy.
|
|
||||||
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
|
|
|
@ -1,3 +0,0 @@
|
||||||
*.retry
|
|
||||||
*/__pycache__
|
|
||||||
*.pyc
|
|
|
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
extends: default
|
|
||||||
|
|
||||||
rules:
|
|
||||||
line-length:
|
|
||||||
max: 200
|
|
||||||
level: warning
|
|
||||||
|
|
||||||
ignore: |
|
|
||||||
.github/stale.yml
|
|
||||||
.travis.yml
|
|
|
@ -1,2 +0,0 @@
|
||||||
install_date: Sun Mar 14 18:38:43 2021
|
|
||||||
version: 3.0.0
|
|
|
@ -1,35 +0,0 @@
|
||||||
---
|
|
||||||
dependencies: []
|
|
||||||
|
|
||||||
galaxy_info:
|
|
||||||
role_name: docker
|
|
||||||
author: geerlingguy
|
|
||||||
description: Docker for Linux.
|
|
||||||
company: "Midwestern Mac, LLC"
|
|
||||||
license: "license (BSD, MIT)"
|
|
||||||
min_ansible_version: 2.4
|
|
||||||
platforms:
|
|
||||||
- name: EL
|
|
||||||
versions:
|
|
||||||
- 7
|
|
||||||
- 8
|
|
||||||
- name: Fedora
|
|
||||||
versions:
|
|
||||||
- all
|
|
||||||
- name: Debian
|
|
||||||
versions:
|
|
||||||
- stretch
|
|
||||||
- buster
|
|
||||||
- name: Ubuntu
|
|
||||||
versions:
|
|
||||||
- xenial
|
|
||||||
- bionic
|
|
||||||
- focal
|
|
||||||
galaxy_tags:
|
|
||||||
- web
|
|
||||||
- system
|
|
||||||
- containers
|
|
||||||
- docker
|
|
||||||
- orchestration
|
|
||||||
- compose
|
|
||||||
- server
|
|
|
@ -1,24 +0,0 @@
|
||||||
---
|
|
||||||
- name: Converge
|
|
||||||
hosts: all
|
|
||||||
become: true
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Update apt cache.
|
|
||||||
apt: update_cache=yes cache_valid_time=600
|
|
||||||
when: ansible_os_family == 'Debian'
|
|
||||||
|
|
||||||
- name: Wait for systemd to complete initialization. # noqa 303
|
|
||||||
command: systemctl is-system-running
|
|
||||||
register: systemctl_status
|
|
||||||
until: >
|
|
||||||
'running' in systemctl_status.stdout or
|
|
||||||
'degraded' in systemctl_status.stdout
|
|
||||||
retries: 30
|
|
||||||
delay: 5
|
|
||||||
when: ansible_service_mgr == 'systemd'
|
|
||||||
changed_when: false
|
|
||||||
failed_when: systemctl_status.rc > 1
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- role: geerlingguy.docker
|
|
|
@ -1,17 +0,0 @@
|
||||||
---
|
|
||||||
dependency:
|
|
||||||
name: galaxy
|
|
||||||
driver:
|
|
||||||
name: docker
|
|
||||||
platforms:
|
|
||||||
- name: instance
|
|
||||||
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
|
|
||||||
command: ${MOLECULE_DOCKER_COMMAND:-""}
|
|
||||||
volumes:
|
|
||||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
|
||||||
privileged: true
|
|
||||||
pre_build_image: true
|
|
||||||
provisioner:
|
|
||||||
name: ansible
|
|
||||||
playbooks:
|
|
||||||
converge: ${MOLECULE_PLAYBOOK:-converge.yml}
|
|
|
@ -1,50 +0,0 @@
|
||||||
---
|
|
||||||
- name: Ensure old versions of Docker are not installed.
|
|
||||||
package:
|
|
||||||
name:
|
|
||||||
- docker
|
|
||||||
- docker-common
|
|
||||||
- docker-engine
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: Add Docker GPG key.
|
|
||||||
rpm_key:
|
|
||||||
key: "{{ docker_yum_gpg_key }}"
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Add Docker repository.
|
|
||||||
get_url:
|
|
||||||
url: "{{ docker_yum_repo_url }}"
|
|
||||||
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Configure Docker Nightly repo.
|
|
||||||
ini_file:
|
|
||||||
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
|
|
||||||
section: 'docker-{{ docker_edition }}-nightly'
|
|
||||||
option: enabled
|
|
||||||
value: '{{ docker_yum_repo_enable_nightly }}'
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Configure Docker Test repo.
|
|
||||||
ini_file:
|
|
||||||
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
|
|
||||||
section: 'docker-{{ docker_edition }}-test'
|
|
||||||
option: enabled
|
|
||||||
value: '{{ docker_yum_repo_enable_test }}'
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Configure containerd on RHEL 8.
|
|
||||||
block:
|
|
||||||
- name: Ensure container-selinux is installed.
|
|
||||||
package:
|
|
||||||
name: container-selinux
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Ensure containerd.io is installed.
|
|
||||||
package:
|
|
||||||
name: containerd.io
|
|
||||||
state: present
|
|
||||||
when: ansible_distribution_major_version | int == 8
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
traefik_folder_name: "{{ docker_files }}/traefik"
|
||||||
|
traefik_certs_directory: "{{ traefik_folder_name }}/certs"
|
||||||
|
traefik_metrics_port: 8082
|
||||||
|
traefik_http_port: 80
|
||||||
|
traefik_https_port: 443
|
||||||
|
# Equivalent of docker-compose stop
|
||||||
|
traefik_stopped: no
|
||||||
|
# Equivalent of docker-compose restart
|
||||||
|
traefik_restarted: no
|
||||||
|
# If always, equivalent to up -d --force-recreate
|
||||||
|
traefik_recreated: smart
|
||||||
|
# If present, up (or restart/stop depending of the above)
|
||||||
|
# If absent, equivalent of docker-compose down
|
||||||
|
traefik_state: present
|
||||||
|
traefik_subdomain: proxy
|
||||||
|
|
||||||
|
traefik_version: 2.4
|
|
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
- name: Create Traefik directory
|
||||||
|
file:
|
||||||
|
path: "{{ traefik_folder_name }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ base_user_name }}"
|
||||||
|
group: "{{ base_user_name }}"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Create certs directory
|
||||||
|
file:
|
||||||
|
path: "{{ traefik_certs_directory }}"
|
||||||
|
state: directory
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: Create certs file
|
||||||
|
file:
|
||||||
|
path: "{{ traefik_certs_directory }}/acme.json"
|
||||||
|
state: touch
|
||||||
|
modification_time: preserve
|
||||||
|
access_time: preserve
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: Copy Traefik files
|
||||||
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
# Remove .j2 extension
|
||||||
|
dest: "{{ traefik_folder_name }}/{{ (item | splitext)[0] }}"
|
||||||
|
owner: "{{ base_user_name }}"
|
||||||
|
group: "{{ base_user_name }}"
|
||||||
|
mode: 0644
|
||||||
|
loop:
|
||||||
|
- docker-compose.yml.j2
|
||||||
|
- traefik.toml.j2
|
||||||
|
- traefik_dynamic.toml.j2
|
||||||
|
|
||||||
|
- name: Ensure container is up to date
|
||||||
|
community.docker.docker_compose:
|
||||||
|
project_src: "{{ traefik_folder_name }}"
|
||||||
|
remove_orphans: yes
|
||||||
|
pull: yes
|
||||||
|
recreate: "{{ traefik_recreated }}"
|
||||||
|
restarted: "{{ traefik_restarted }}"
|
||||||
|
state: "{{ traefik_state }}"
|
||||||
|
stopped: "{{ traefik_stopped }}"
|
|
@ -0,0 +1,38 @@
|
||||||
|
version: "3.7"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
proxy:
|
||||||
|
name: "{{ traefik_network }}"
|
||||||
|
|
||||||
|
services:
|
||||||
|
traefik:
|
||||||
|
image: traefik:{{ traefik_version }}
|
||||||
|
container_name: traefik
|
||||||
|
ports:
|
||||||
|
- "{{ traefik_http_port }}:80"
|
||||||
|
- "{{ traefik_https_port}}:443"
|
||||||
|
volumes:
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
- ./traefik.toml:/traefik.toml
|
||||||
|
- ./traefik_dynamic.toml:/traefik_dynamic.toml
|
||||||
|
- {{ traefik_certs_directory }}:/certs
|
||||||
|
labels:
|
||||||
|
traefik.http.routers.traefik-metrics.entrypoints: websecure
|
||||||
|
traefik.http.routers.traefik-metrics.rule: "Host(`{{ traefik_subdomain }}.{{ domain_name }}`) && PathPrefix(`/metrics`)"
|
||||||
|
traefik.http.routers.traefik-metrics.service: traefik-metrics
|
||||||
|
traefik.http.routers.traefik-metrics.middlewares: traefik-metrics-auth@docker
|
||||||
|
# htpasswd string contains $, interpreted as variable,
|
||||||
|
# escape them with double $
|
||||||
|
traefik.http.middlewares.traefik-metrics-auth.basicauth.users: "metrics:{{ traefik_metrics_htpasswd | replace("$", "$$") }}"
|
||||||
|
traefik.http.services.traefik-metrics.loadbalancer.server.port: "{{ traefik_metrics_port }}"
|
||||||
|
traefik.http.routers.traefik-api.rule: "Host(`{{ traefik_subdomain }}.{{ domain_name }}`)"
|
||||||
|
traefik.http.routers.traefik-api.service: api@internal
|
||||||
|
traefik.http.routers.traefik-api.middlewares: traefik-api-auth@docker
|
||||||
|
traefik.http.middlewares.traefik-api-auth.basicauth.users: "dashboard:{{ traefik_dashboard_htpasswd | replace("$", "$$") }}"
|
||||||
|
traefik.enable: true
|
||||||
|
environment:
|
||||||
|
GANDIV5_API_KEY: "{{ gandi_api_key }}"
|
||||||
|
networks:
|
||||||
|
- "{{ traefik_network }}"
|
||||||
|
restart: unless-stopped
|
|
@ -0,0 +1,50 @@
|
||||||
|
[global]
|
||||||
|
sendAnonymousUsage = false
|
||||||
|
checkNewVersion = true
|
||||||
|
|
||||||
|
[api]
|
||||||
|
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.web]
|
||||||
|
address = ":{{ traefik_http_port }}"
|
||||||
|
[entryPoints.web.http.redirections.entryPoint]
|
||||||
|
to = "websecure"
|
||||||
|
scheme = "https"
|
||||||
|
[entryPoints.websecure]
|
||||||
|
address = ":{{ traefik_https_port }}"
|
||||||
|
[entryPoints.websecure.http]
|
||||||
|
middlewares = ["hardening@file", "compression@file"]
|
||||||
|
[entryPoints.websecure.http.tls]
|
||||||
|
certResolver = "letsencrypt"
|
||||||
|
options = "tls12@file"
|
||||||
|
[entryPoints.metrics]
|
||||||
|
address = ":{{ traefik_metrics_port }}"
|
||||||
|
|
||||||
|
[providers]
|
||||||
|
providersThrottleDuration = "2s"
|
||||||
|
[providers.docker]
|
||||||
|
watch = true
|
||||||
|
endpoint = "unix:///var/run/docker.sock"
|
||||||
|
exposedByDefault = false
|
||||||
|
network = "proxy"
|
||||||
|
[providers.file]
|
||||||
|
filename = "/traefik_dynamic.toml"
|
||||||
|
watch = true
|
||||||
|
|
||||||
|
[log]
|
||||||
|
level = "INFO"
|
||||||
|
|
||||||
|
[accessLog]
|
||||||
|
|
||||||
|
[certificatesResolvers]
|
||||||
|
[certificatesResolvers.letsencrypt]
|
||||||
|
[certificatesResolvers.letsencrypt.acme]
|
||||||
|
email = "{{ letsencrypt_email }}"
|
||||||
|
storage = "/certs/acme.json"
|
||||||
|
[certificatesResolvers.letsencrypt.acme.dnsChallenge]
|
||||||
|
provider = "gandiv5"
|
||||||
|
delayBeforeCheck = 10
|
||||||
|
|
||||||
|
[metrics]
|
||||||
|
[metrics.prometheus]
|
||||||
|
entryPoint = "metrics"
|
|
@ -0,0 +1,34 @@
|
||||||
|
[tls.options]
|
||||||
|
[tls.options.tls12]
|
||||||
|
minVersion = "VersionTLS12"
|
||||||
|
cipherSuites = [
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||||
|
"TLS_AES_256_GCM_SHA384",
|
||||||
|
"TLS_CHACHA20_POLY1305_SHA256",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
|
||||||
|
]
|
||||||
|
curvePreferences = ["CurveP521", "CurveP384", "CurveP256"]
|
||||||
|
|
||||||
|
[http]
|
||||||
|
[http.middlewares.hardening.headers]
|
||||||
|
browserXssFilter = true
|
||||||
|
contentTypeNosniff = true
|
||||||
|
forceSTSHeader = true
|
||||||
|
frameDeny = true
|
||||||
|
stsIncludeSubdomains = true
|
||||||
|
stsPreload = true
|
||||||
|
customFrameOptionsValue = "SAMEORIGIN"
|
||||||
|
referrerPolicy = "same-origin"
|
||||||
|
featurePolicy = "vibrate 'self'"
|
||||||
|
stsSeconds = 315360000
|
||||||
|
|
||||||
|
[http.middlewares.compression.compress]
|
||||||
|
excludedContentTypes = ["text/event-stream"]
|
||||||
|
|
||||||
|
[http.middlewares.allowFrameAndCORS.headers]
|
||||||
|
contentSecurityPolicy = "frame-ancestors *"
|
||||||
|
accessControlAllowHeaders = ["*"]
|
||||||
|
accessControlAllowMethods = ["GET", "POST", "OPTIONS"]
|
||||||
|
accessControlAllowOriginList = ["*"]
|
||||||
|
accessControlExposeHeaders = ["*"]
|
Loading…
Reference in New Issue