134 lines
4.0 KiB
YAML
134 lines
4.0 KiB
YAML
---
|
|
- name: Update Docker configuration
|
|
hosts: gods
|
|
tasks:
|
|
- name: Add groups
|
|
become: true
|
|
ansible.builtin.group:
|
|
name: "{{ item.name }}"
|
|
gid: "{{ item.uid }}"
|
|
state: "{{ item.state }}"
|
|
system: true
|
|
loop: "{{ gods_users }}"
|
|
- name: Add users for running containers
|
|
become: true
|
|
ansible.builtin.user:
|
|
name: "{{ item.name }}"
|
|
uid: "{{ item.uid }}"
|
|
group: "{{ item.name }}"
|
|
state: "{{ item.state }}"
|
|
create_home: false
|
|
system: true
|
|
loop: "{{ gods_users }}"
|
|
- name: Create Caddy network
|
|
become: true
|
|
community.docker.docker_network:
|
|
name: caddy-network
|
|
state: present
|
|
- name: Upload docker configuration
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: ../../docker/docker
|
|
dest: /etc/pbri
|
|
# Files should inaccessible to non-root users.
|
|
mode: u=rw,g=,o=
|
|
# Directories should be listable
|
|
directory_mode: u=rwx,g=rx,o=rx
|
|
- name: Create directory for docker volumes
|
|
become: true
|
|
ansible.builtin.file:
|
|
path: /var/lib/pbri/docker
|
|
state: directory
|
|
# Hide contents from non-root users
|
|
mode: u=rwx,g=,o=
|
|
- name: Upload and decrypt docker environment vars
|
|
become: true
|
|
ansible.builtin.copy:
|
|
src: "../../docker/envs/{{ item.name }}/.env"
|
|
dest: /etc/pbri/docker/{{ item.name }}/.env
|
|
# Files should inaccessible to non-root users.
|
|
mode: u=rw,g=,o=
|
|
# This is true by default but I put it here anyways
|
|
# to emphasize what's happening
|
|
decrypt: true
|
|
loop:
|
|
- name: gitea
|
|
state: present
|
|
- name: codi
|
|
state: present
|
|
- name: vrnp
|
|
state: present
|
|
- name: zomboid
|
|
state: present
|
|
- name: yore
|
|
state: present
|
|
# This needs to be done for any services where user:
|
|
# is set in docker-compose.yaml.
|
|
- name: Create volume directories with correct permissions
|
|
become: true
|
|
ansible.builtin.file:
|
|
path: "/var/lib/pbri/docker/{{ item.name }}"
|
|
owner: "{{ item.user }}"
|
|
group: "{{ item.user }}"
|
|
state: directory
|
|
mode: u=rwx,g=,o=
|
|
loop:
|
|
- name: caddy_config
|
|
user: caddy
|
|
- name: caddy_data
|
|
user: caddy
|
|
- name: codi_uploads
|
|
user: hackmd
|
|
- name: nix_runner_etc
|
|
user: 1000
|
|
- name: nix_runner_nix
|
|
user: 1000
|
|
- name: nix_runner_home_node
|
|
user: 1000
|
|
- name: yore_data
|
|
user: yore
|
|
# Since some docker-compose configuration might want to pull
|
|
# images from the Gitea package repository, we need to ensure
|
|
# that Gitea is reachable before those configurations are deployed.
|
|
- name: Set up caddy and gitea containers
|
|
become: true
|
|
community.docker.docker_compose_v2:
|
|
project_src: "/etc/pbri/docker/{{ item.name }}"
|
|
state: "{{ item.state }}"
|
|
build: "always"
|
|
pull: "always"
|
|
loop:
|
|
- name: caddy
|
|
state: present
|
|
- name: gitea
|
|
state: present
|
|
# Before deploying the remaining configs below, we check that
|
|
# Gitea is reachable at git.pbrinkmeier.de
|
|
- name: Wait for gitea to be reachable
|
|
check_mode: false
|
|
ansible.builtin.uri:
|
|
method: GET
|
|
url: https://git.pbrinkmeier.de/api/v1/version
|
|
register: gitea_version_response
|
|
until: gitea_version_response.status == 200
|
|
retries: 10
|
|
delay: 3 # Retry every 3 seconds
|
|
- name: Set up other containers
|
|
become: true
|
|
community.docker.docker_compose_v2:
|
|
project_src: "/etc/pbri/docker/{{ item.name }}"
|
|
state: "{{ item.state }}"
|
|
build: "always"
|
|
pull: "always"
|
|
loop:
|
|
- name: codi
|
|
state: present
|
|
- name: utoy
|
|
state: present
|
|
- name: vrnp
|
|
state: present
|
|
- name: yore
|
|
state: present
|
|
- name: zomboid
|
|
state: absent
|