WIP: update docker swarm configuration

.gitignore

@@ -205,3 +205,4 @@ cython_debug/
 #.idea/
 
 .decrypt-pass.txt
+.become-pass.txt

.justfile

@@ -1,8 +1,9 @@
 export ANSIBLE_VAULT_PASSWORD_FILE := ".decrypt-pass.txt"
+export ANSIBLE_BECOME_PASSWORD_FILE := ".become-pass.txt"
 
 # Debug output, disabled in CI
 export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
-export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
+# export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
 
 
 play +ARGS:

hosts/inventory.yaml

@@ -1,4 +1,6 @@
 homelab:
+  vars:
+    ansible_become_method: doas
   children:
     docker:
 

playbooks/teardown/docker.yaml

@@ -35,3 +35,15 @@
         networks: true
         builder_cache: true
 
+    - name: Remove network interface
+      become: true
+      ansible.builtin.command:
+        cmd: ip link delete docker_gwbridge
+      when: ansible_facts['interfaces'] | select('match', 'docker_gwbridge') | list | length > 0
+
+    - name: Restart docker
+      become: true
+      ansible.builtin.service:
+        name: docker
+        state: restarted
+

roles/common/tasks/main.yaml

@@ -16,7 +16,7 @@
   ansible.posix.authorized_key:
     user: "{{ item.key }}"
     state: present
-    exclusive: true
+    exclusive: false
     key: "{{ lookup('file', item.value.ssh_keys.pub) }}"
     key_options: "{{ 'command=\"' + robo_allowed_commands | join('; ') + '\"' if robo_allowed_commands is defined and item.key == 'robo' else omit }}"
 
@@ -27,6 +27,15 @@
     current_user: "{{ users[user_name] | default(None) }}"
   when: current_user
   block:
+    - name: Creates directory
+      run_once: True
+      local_action:
+        module: file
+        path: "{{ user_dir }}/.ssh/credentials"
+        state: directory
+        owner: "{{ user_name }}"
+        group: "{{ user_name }}"
+
     - name: Save SSH Key in localhost
       run_once: True
       local_action:

roles/docker/tasks/docker_alpine.yaml

@@ -19,3 +19,11 @@
     owner: root
     group: root
 
+- name: Enable TCP access to Docker daemon
+  when: "'docker_managers' in group_names"
+  lineinfile:
+    path: /etc/conf.d/docker
+    create: yes
+    line: 'DOCKER_OPTS="-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"'
+  notify:
+    - Restart docker

roles/docker/tasks/swarm_manager.yaml

@@ -4,38 +4,31 @@
   register: swarm_info
   community.docker.docker_swarm:
     state: present
+    # default_addr_pool:
+    #   - 10.10.0.0/24
 
-- name: Create Traefik network
-  community.docker.docker_network:
-    name: reverse-proxy
-    driver: overlay
-    attachable: true
-
-- name: Check if Docker context exists
-  local_action: ansible.builtin.command docker context inspect {{ ansible_hostname }}
-  register: context_exists
-  ignore_errors: true
+- name: Disable workload on managers
+  community.docker.docker_node:
+    hostname: "{{ ansible_hostname }}"
+    role: manager
+    availability: drain
 
 - name: Create Docker context for each Swarm manager machine
+  ignore_errors: true
   local_action: >
     ansible.builtin.command docker context create {{ ansible_hostname }} --docker "host=ssh://{{ ansible_default_ipv4.address }}"
-  when: context_exists.stderr != ''
 
 - name: Deploy Traefik service
-  community.docker.docker_compose_v2:
-    remove_orphans: true
-    project_name: reverse-proxy
-    definition:
-      networks:
-        reverse-proxy:
-          external: true
-      services:
+  community.docker.docker_stack:
+    prune: true
+    name: reverse_proxy
+    compose:
+      - services:
           traefik:
-          container_name: traefix-proxy
-          image: 'traefik:latest'
+            image: 'traefik:v3.2'
             restart: unless-stopped
-          networks:
-            - reverse-proxy
+            deploy:
+              mode: global
             ports:
               # listen on host ports without ingress network
               - target: 80
@@ -50,32 +43,15 @@
                 published: 8080
                 protocol: tcp
                 mode: host
-          volumes:
-            - /var/run/docker.sock:/var/run/docker.sock:ro
-          healthcheck:
-            test: 'wget -qO- http://localhost:80/ping || exit 1'
-            interval: 4s
-            timeout: 2s
-            retries: 5
             command:
-            - '--ping=true'
-            - '--ping.entrypoint=http'
+              - '--log.level=DEBUG'
               - '--api.dashboard=true'
               - '--api.insecure=true'
               - '--entrypoints.http.address=:80'
               - '--entryPoints.http.forwardedHeaders.trustedIPs=10.0.10.0/24'
               - '--entrypoints.http.http.encodequerysemicolons=true'
               - '--entryPoints.http.http2.maxConcurrentStreams=50'
-            # - "--providers.swarm.endpoint=tcp://{{ ansible_default_ipv4.address }}:2375"
-            - --providers.swarm.exposedByDefault=false
-            - --providers.swarm.network=reverse-proxy
-          deploy:
-            mode: global
-            placement:
-              constraints:
-                - node.role==manager
-            labels:
-              - traefik.enable=true
-              - traefik.http.routers.traefik.entrypoints=http
-              - traefik.http.routers.traefik.service=api@internal
-              - traefik.http.services.traefik.loadbalancer.server.port=8080
+              - '--providers.swarm=true'
+              - '--providers.swarm.endpoint=tcp://{{ ansible_default_ipv4.address }}:2375'
+              - '--providers.swarm.exposedByDefault=false'
+              - '--providers.swarm.useBindPortIP=true'