diff --git a/ansible/playbooks/nanna-docker.yaml b/ansible/playbooks/nanna-docker.yaml
new file mode 100644
index 0000000..3bf2dee
--- /dev/null
+++ b/ansible/playbooks/nanna-docker.yaml
@@ -0,0 +1,67 @@
+---
+- name: Update Docker configuration
+ hosts: nanna
+ tasks:
+ - name: Add users for running containers
+ become: true
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ uid: "{{ item.uid }}"
+ state: "{{ item.state }}"
+ create_home: false
+ system: true
+ loop:
+ - name: gitea
+ uid: 42001
+ state: present
+ - name: caddy
+ uid: 42002
+ state: present
+ - name: Create Caddy network
+ become: true
+ community.docker.docker_network:
+ name: caddy-network
+ state: present
+ - name: Upload docker configuration
+ become: true
+ ansible.builtin.copy:
+ src: ../../docker/docker
+ dest: /etc/pbri
+ # Files should inaccessible to non-root users.
+ mode: u=rw,g=,o=
+ # Directories should be listable
+ directory_mode: u=rwx,g=rx,o=rx
+ - name: Create directory for docker volumes
+ become: true
+ ansible.builtin.file:
+ path: /var/lib/pbri/docker
+ state: directory
+ # Hide contents from non-root users
+ mode: u=rwx,g=,o=
+ - name: Upload and decrypt docker environment vars
+ become: true
+ ansible.builtin.copy:
+ src: "../../docker/envs/{{ item.name }}/.env"
+ dest: /etc/pbri/docker/{{ item.name }}/.env
+ # Files should inaccessible to non-root users.
+ mode: u=rw,g=,o=
+ # This is true by default but I put it here anyways
+ # to emphasize what's happening
+ decrypt: true
+ # Not quite happy with all the seperate loops yet.
+ loop:
+ - name: gitea
+ state: present
+ - name: Create volume directories with correct permissions
+ become: true
+ ansible.builtin.file:
+ path: "/var/lib/pbri/docker/{{ item.name }}"
+ owner: "{{ item.user }}"
+ group: "{{ item.user }}"
+ state: directory
+ mode: u=rwx,g=,o=
+ loop:
+ - name: caddy_config
+ user: caddy
+ - name: caddy_data
+ user: caddy
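Review bot: The `Upload and decrypt docker environment vars` task will print the decrypted `.env` contents to the console whenever the playbook runs with `--diff`, because `ansible.builtin.copy` reports a before/after diff of text files and `decrypt: true` makes that text the vault plaintext; adding `diff: false` to the task (or `no_log: true`, which also hides the loop item in task output) keeps the secrets out of terminal logs and CI output. The `state: present` key in that task's loop item is never read (the task only uses `item.name`), so it is dead data that can be dropped or wired into the task. The two `# Files should inaccessible to non-root users.` comments are missing a word (`should be inaccessible`), and `seperate` should be `separate`.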
diff --git a/ansible/playbooks/nanna-setup.yaml b/ansible/playbooks/nanna-setup.yaml
index c424ead..49fc254 100644
--- a/ansible/playbooks/nanna-setup.yaml
+++ b/ansible/playbooks/nanna-setup.yaml
@@ -17,6 +17,9 @@ validate: /usr/sbin/sshd -T -f %s notify: - Restart sshd + - name: Install and set up Docker and docker-compose + ansible.builtin.include_role: + name: docker handlers: - name: Restart sshd
diff --git a/ansible/playbooks/nanna-sites.yaml b/ansible/playbooks/nanna-sites.yaml
new file mode 100644
index 0000000..887baf5
--- /dev/null
+++ b/ansible/playbooks/nanna-sites.yaml
@@ -0,0 +1,18 @@
+---
+- name: Check out static sites hosted on nanna
+ hosts: nanna
+ tasks:
+ - name: Check out static sites
+ ansible.builtin.include_role:
+ name: checkout_static_sites
+ vars:
+ checkout_static_sites_config:
+ checkouts:
+ - path: /home/paul/Sites/pbrinkmeier.de
+ url: https://git.pbrinkmeier.de/paul/pbrinkmeier.de
+ commit: bab3208e61972851a5e609930a05e0d4322f8a06
+ owner: paul
+ - path: /home/paul/Sites/tichy.click
+ url: https://github.com/pbrinkmeier/tichy-clicker
+ commit: 7dfb14183c765e3661fda84a7e89c2f73ca86f26
+ owner: paul
diff --git a/ansible/roles/docker/defaults/main.yaml b/ansible/roles/docker/defaults/main.yaml
new file mode 100644
index 0000000..8e28402
--- /dev/null
+++ b/ansible/roles/docker/defaults/main.yaml
@@ -0,0 +1,4 @@
+---
+docker_apt_arch: "amd64"
+docker_ubuntu_release: "{{ ansible_distribution_release }}"
+
diff --git a/ansible/roles/docker/tasks/main.yaml b/ansible/roles/docker/tasks/main.yaml
index 03f9904..188c4ed 100644
--- a/ansible/roles/docker/tasks/main.yaml
+++ b/ansible/roles/docker/tasks/main.yaml
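Review bot: `docker_apt_arch: "amd64"` in ansible/roles/docker/defaults/main.yaml hardcodes the architecture that the removed `dpkg --print-architecture` task in ansible/roles/docker/tasks/main.yaml used to detect, so on any non-amd64 host the rendered docker.list points at the wrong repository architecture unless the caller remembers to override the variable. A fact-derived default keeps the detection without the extra task, e.g. `docker_apt_arch: "{{ {'x86_64': 'amd64', 'aarch64': 'arm64'}[ansible_architecture] }}"`; the map is needed because `ansible_architecture` reports the kernel name (`x86_64`), not the Debian package architecture, and an unmapped host then fails loudly at render time instead of installing from the wrong pool. The file also ends with a stray blank line after the last variable.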
@@ -25,12 +25,6 @@ stdin: "{{ docker_gpg_key.content }}" creates: /usr/share/keyrings/docker-archive-keyring.gpg -- name: Retrieve dpkg architecture - check_mode: false - ansible.builtin.command: dpkg --print-architecture - register: docker_dpkg_architecture - changed_when: false - - name: Add Docker apt repository become: true ansible.builtin.template:
@@ -48,3 +42,4 @@ - docker-ce - docker-ce-cli - containerd.io + - docker-compose-plugin
diff --git a/ansible/roles/docker/templates/docker.list.j2 b/ansible/roles/docker/templates/docker.list.j2
index b4288d5..9ae5be4 100644
--- a/ansible/roles/docker/templates/docker.list.j2
+++ b/ansible/roles/docker/templates/docker.list.j2
@@ -1 +1 @@
-deb [arch={{ docker_dpkg_architecture.stdout }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+deb [arch={{ docker_apt_arch }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_release }} stable
diff --git a/docker/docker/caddy/docker-compose.yaml b/docker/docker/caddy/docker-compose.yaml
index 2228ea0..e77a4c2 100644
--- a/docker/docker/caddy/docker-compose.yaml
+++ b/docker/docker/caddy/docker-compose.yaml
@@ -6,6 +6,7 @@ services: ports: - "80:80" - "443:443" + user: "42002" volumes: - /var/lib/pbri/docker/caddy_data:/data - /var/lib/pbri/docker/caddy_config:/config
diff --git a/docker/docker/gitea/Dockerfile b/docker/docker/gitea/Dockerfile
index f7c8685..8428c0e 100644
--- a/docker/docker/gitea/Dockerfile
+++ b/docker/docker/gitea/Dockerfile
@@ -1,3 +1,3 @@ - FROM gitea/act_runner:0.2.10 + FROM gitea/act_runner:0.2.11 COPY runner-config.yaml /opt/runner-config.yaml
diff --git a/docker/docker/gitea/docker-compose.yaml b/docker/docker/gitea/docker-compose.yaml
index f28263f..b88ff8a 100644
--- a/docker/docker/gitea/docker-compose.yaml
+++ b/docker/docker/gitea/docker-compose.yaml
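Review bot: `user: "42002"` in docker/docker/caddy/docker-compose.yaml repeats the UID that ansible/playbooks/nanna-docker.yaml assigns to the `caddy` user and chowns the `caddy_data`/`caddy_config` directories to, with nothing tying the two values together, so a change on either side silently leaves the bind-mounted `/data` and `/config` unwritable for Caddy. A comment beside it, `# Must match the uid of the caddy user created in ansible/playbooks/nanna-docker.yaml`, or a single compose variable used by both the playbook and the compose file, would make the dependency visible. Dropping root while still publishing 80/443 also relies on the container being allowed to bind privileged ports — recent Docker releases lower `net.ipv4.ip_unprivileged_port_start` inside containers by default, but if the daemon is ever configured otherwise Caddy will need `CAP_NET_BIND_SERVICE`; a short comment on the `user:` line would save the next person the debugging. The `services:` mapping continues outside the hunk.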
@@ -64,7 +64,8 @@ services: - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data gitea_runner: - image: pbrinkmeier/act_runner:0.2.10 + # Make sure to keep this in sync with the version in the Dockerfile + image: pbrinkmeier/act_runner:0.2.11 build: . restart: unless-stopped environment:
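Review bot: Keeping the `image:` tag and the `FROM` line in docker/docker/gitea/Dockerfile aligned by comment (the new `# Make sure to keep this in sync with the version in the Dockerfile` line) is fragile; a build arg makes the Dockerfile follow the compose file instead. With `ARG ACT_RUNNER_VERSION` placed before `FROM gitea/act_runner:${ACT_RUNNER_VERSION}` in the Dockerfile, the base-image version is set once in `build.args`, as below, and the comment can go. The local image tag `pbrinkmeier/act_runner:0.2.11` still carries the number separately; if it is meant to track the base image too, a `.env`-provided `${ACT_RUNNER_VERSION}` in both places closes that gap as well. The `gitea_runner` service definition continues outside the hunk.
```yaml
  gitea_runner:
    image: pbrinkmeier/act_runner:0.2.11
    build:
      context: .
      args:
        ACT_RUNNER_VERSION: "0.2.11"
    # … unchanged: restart, environment …
```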