WIP: update docker swarm configuration
This commit is contained in:
parent
73e4d7fd19
commit
e468308815
7 changed files with 79 additions and 70 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
|
@ -205,3 +205,4 @@ cython_debug/
|
||||||
#.idea/
|
#.idea/
|
||||||
|
|
||||||
.decrypt-pass.txt
|
.decrypt-pass.txt
|
||||||
|
.become-pass.txt
|
||||||
|
|
|
||||||
|
|
@ -1,8 +1,9 @@
|
||||||
export ANSIBLE_VAULT_PASSWORD_FILE := ".decrypt-pass.txt"
|
export ANSIBLE_VAULT_PASSWORD_FILE := ".decrypt-pass.txt"
|
||||||
|
export ANSIBLE_BECOME_PASSWORD_FILE := ".become-pass.txt"
|
||||||
|
|
||||||
# Debug output, disabled in CI
|
# Debug output, disabled in CI
|
||||||
export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
|
export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
|
||||||
export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
|
# export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
|
||||||
|
|
||||||
|
|
||||||
play +ARGS:
|
play +ARGS:
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,6 @@
|
||||||
homelab:
|
homelab:
|
||||||
|
vars:
|
||||||
|
ansible_become_method: doas
|
||||||
children:
|
children:
|
||||||
docker:
|
docker:
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -35,3 +35,15 @@
|
||||||
networks: true
|
networks: true
|
||||||
builder_cache: true
|
builder_cache: true
|
||||||
|
|
||||||
|
- name: Remove network interface
|
||||||
|
become: true
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: ip link delete docker_gwbridge
|
||||||
|
when: ansible_facts['interfaces'] | select('match', 'docker_gwbridge') | list | length > 0
|
||||||
|
|
||||||
|
- name: Restart docker
|
||||||
|
become: true
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: docker
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "{{ item.key }}"
|
user: "{{ item.key }}"
|
||||||
state: present
|
state: present
|
||||||
exclusive: true
|
exclusive: false
|
||||||
key: "{{ lookup('file', item.value.ssh_keys.pub) }}"
|
key: "{{ lookup('file', item.value.ssh_keys.pub) }}"
|
||||||
key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.key == 'robo' else omit }}"
|
key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.key == 'robo' else omit }}"
|
||||||
|
|
||||||
|
|
@ -27,6 +27,15 @@
|
||||||
current_user: "{{ users[user_name] | default(None) }}"
|
current_user: "{{ users[user_name] | default(None) }}"
|
||||||
when: current_user
|
when: current_user
|
||||||
block:
|
block:
|
||||||
|
- name: Creates directory
|
||||||
|
run_once: True
|
||||||
|
local_action:
|
||||||
|
module: file
|
||||||
|
path: "{{ user_dir }}/.ssh/credentials"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ user_name }}"
|
||||||
|
group: "{{ user_name }}"
|
||||||
|
|
||||||
- name: Save SSH Key in localhost
|
- name: Save SSH Key in localhost
|
||||||
run_once: True
|
run_once: True
|
||||||
local_action:
|
local_action:
|
||||||
|
|
|
||||||
|
|
@ -19,3 +19,11 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
|
- name: Enable TCP access to Docker daemon
|
||||||
|
when: "'docker_managers' in group_names"
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/conf.d/docker
|
||||||
|
create: yes
|
||||||
|
line: 'DOCKER_OPTS="-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"'
|
||||||
|
notify:
|
||||||
|
- Restart docker
|
||||||
|
|
|
||||||
|
|
@ -4,78 +4,54 @@
|
||||||
register: swarm_info
|
register: swarm_info
|
||||||
community.docker.docker_swarm:
|
community.docker.docker_swarm:
|
||||||
state: present
|
state: present
|
||||||
|
# default_addr_pool:
|
||||||
|
# - 10.10.0.0/24
|
||||||
|
|
||||||
- name: Create Traefik network
|
- name: Disable workload on managers
|
||||||
community.docker.docker_network:
|
community.docker.docker_node:
|
||||||
name: reverse-proxy
|
hostname: "{{ ansible_hostname }}"
|
||||||
driver: overlay
|
role: manager
|
||||||
attachable: true
|
availability: drain
|
||||||
|
|
||||||
- name: Check if Docker context exists
|
|
||||||
local_action: ansible.builtin.command docker context inspect {{ ansible_hostname }}
|
|
||||||
register: context_exists
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: Create Docker context for each Swarm manager machine
|
- name: Create Docker context for each Swarm manager machine
|
||||||
|
ignore_errors: true
|
||||||
local_action: >
|
local_action: >
|
||||||
ansible.builtin.command docker context create {{ ansible_hostname }} --docker "host=ssh://{{ ansible_default_ipv4.address }}"
|
ansible.builtin.command docker context create {{ ansible_hostname }} --docker "host=ssh://{{ ansible_default_ipv4.address }}"
|
||||||
when: context_exists.stderr != ''
|
|
||||||
|
|
||||||
- name: Deploy Traefik service
|
- name: Deploy Traefik service
|
||||||
community.docker.docker_compose_v2:
|
community.docker.docker_stack:
|
||||||
remove_orphans: true
|
prune: true
|
||||||
project_name: reverse-proxy
|
name: reverse_proxy
|
||||||
definition:
|
compose:
|
||||||
networks:
|
- services:
|
||||||
reverse-proxy:
|
traefik:
|
||||||
external: true
|
image: 'traefik:v3.2'
|
||||||
services:
|
restart: unless-stopped
|
||||||
traefik:
|
deploy:
|
||||||
container_name: traefix-proxy
|
mode: global
|
||||||
image: 'traefik:latest'
|
ports:
|
||||||
restart: unless-stopped
|
# listen on host ports without ingress network
|
||||||
networks:
|
- target: 80
|
||||||
- reverse-proxy
|
published: 80
|
||||||
ports:
|
protocol: tcp
|
||||||
# listen on host ports without ingress network
|
mode: host
|
||||||
- target: 80
|
- target: 443
|
||||||
published: 80
|
published: 443
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
mode: host
|
mode: host
|
||||||
- target: 443
|
- target: 8080
|
||||||
published: 443
|
published: 8080
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
mode: host
|
mode: host
|
||||||
- target: 8080
|
command:
|
||||||
published: 8080
|
- '--log.level=DEBUG'
|
||||||
protocol: tcp
|
- '--api.dashboard=true'
|
||||||
mode: host
|
- '--api.insecure=true'
|
||||||
volumes:
|
- '--entrypoints.http.address=:80'
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.10.0/24'
|
||||||
healthcheck:
|
- '--entrypoints.http.http.encodequerysemicolons=true'
|
||||||
test: 'wget -qO- http://localhost:80/ping || exit 1'
|
- '--entryPoints.http.http2.maxConcurrentStreams=50'
|
||||||
interval: 4s
|
- '--providers.swarm=true'
|
||||||
timeout: 2s
|
- '--providers.swarm.endpoint=tcp://{{ ansible_default_ipv4.address }}:2375'
|
||||||
retries: 5
|
- '--providers.swarm.exposedByDefault=false'
|
||||||
command:
|
- '--providers.swarm.useBindPortIP=true'
|
||||||
- '--ping=true'
|
|
||||||
- '--ping.entrypoint=http'
|
|
||||||
- '--api.dashboard=true'
|
|
||||||
- '--api.insecure=true'
|
|
||||||
- '--entrypoints.http.address=:80'
|
|
||||||
- '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.10.0/24'
|
|
||||||
- '--entrypoints.http.http.encodequerysemicolons=true'
|
|
||||||
- '--entryPoints.http.http2.maxConcurrentStreams=50'
|
|
||||||
# - "--providers.swarm.endpoint=tcp://{{ ansible_default_ipv4.address }}:2375"
|
|
||||||
- --providers.swarm.exposedByDefault=false
|
|
||||||
- --providers.swarm.network=reverse-proxy
|
|
||||||
deploy:
|
|
||||||
mode: global
|
|
||||||
placement:
|
|
||||||
constraints:
|
|
||||||
- node.role==manager
|
|
||||||
labels:
|
|
||||||
- traefik.enable=true
|
|
||||||
- traefik.http.routers.traefik.entrypoints=http
|
|
||||||
- traefik.http.routers.traefik.service=api@internal
|
|
||||||
- traefik.http.services.traefik.loadbalancer.server.port=8080
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue