From 15db3565443db59b7b6a5f6b26760a51f644e6ed Mon Sep 17 00:00:00 2001 
From: Olivier Date: Sun, 9 Oct 2022 14:56:26 +0200 Subject: [PATCH] ansible playbook and roles --- ansible/gitlab_server.yml | 7 ++ ansible/roles/docker/defaults/main.yml | 67 ++++++++++++++++ ansible/roles/docker/handlers/main.yml | 7 ++ ansible/roles/docker/tasks/docker-users.yml | 7 ++ ansible/roles/docker/tasks/main.yml | 70 +++++++++++++++++ ansible/roles/docker/tasks/setup-Debian.yml | 55 +++++++++++++ ansible/roles/docker/tasks/setup-RedHat.yml | 34 ++++++++ ansible/roles/gitlab_server/defaults/main.yml | 16 ++++ ansible/roles/gitlab_server/handlers/main.yml | 6 ++ ansible/roles/gitlab_server/tasks/main.yml | 75 ++++++++++++++++++ .../gitlab_server/templates/gitlab.rb.j2 | 47 +++++++++++ .../gitlab_server/templates/robots.txt.j2 | 2 + ansible/roles/traefik/defaults/main.yml | 5 ++ .../traefik/files/config/dynamic_conf.toml | 9 +++ .../traefik/files/config/middlewares.yml | 7 ++ .../traefik/files/etc/certs/local.fr.crt | 28 +++++++ .../traefik/files/etc/certs/local.fr.csr | 17 ++++ .../traefik/files/etc/certs/local.fr.key | 28 +++++++ ansible/roles/traefik/files/traefik.toml | 33 ++++++++ ansible/roles/traefik/handlers/main.yml | 17 ++++ ansible/roles/traefik/tasks/main.yml | 77 +++++++++++++++++++ 21 files changed, 614 insertions(+) create mode 100644 ansible/gitlab_server.yml create mode 100644 ansible/roles/docker/defaults/main.yml create mode 100644 ansible/roles/docker/handlers/main.yml create mode 100644 ansible/roles/docker/tasks/docker-users.yml create mode 100644 ansible/roles/docker/tasks/main.yml create mode 100644 ansible/roles/docker/tasks/setup-Debian.yml create mode 100644 ansible/roles/docker/tasks/setup-RedHat.yml create mode 100644 ansible/roles/gitlab_server/defaults/main.yml create mode 100644 ansible/roles/gitlab_server/handlers/main.yml create mode 100644 ansible/roles/gitlab_server/tasks/main.yml create mode 100644 ansible/roles/gitlab_server/templates/gitlab.rb.j2 create mode 100644 ansible/roles/gitlab_server/templates/robots.txt.j2 
create mode 100644 ansible/roles/traefik/defaults/main.yml
create mode 100644 ansible/roles/traefik/files/config/dynamic_conf.toml
create mode 100644 ansible/roles/traefik/files/config/middlewares.yml
create mode 100644 ansible/roles/traefik/files/etc/certs/local.fr.crt
create mode 100644 ansible/roles/traefik/files/etc/certs/local.fr.csr
create mode 100644 ansible/roles/traefik/files/etc/certs/local.fr.key
create mode 100644 ansible/roles/traefik/files/traefik.toml
create mode 100644 ansible/roles/traefik/handlers/main.yml
create mode 100644 ansible/roles/traefik/tasks/main.yml
diff --git a/ansible/gitlab_server.yml b/ansible/gitlab_server.yml
new file mode 100644
index 0000000..cf0068a
--- /dev/null
+++ b/ansible/gitlab_server.yml
@@ -0,0 +1,7 @@
+---
+- hosts: gitlab_servers
+ roles:
+ - {role: 'docker', tags: ['docker'], become: true}
+ - {role: 'traefik', tags: ['traefik'], become: true}
+ - {role: 'gitlab_server', tags: ['gitlab_server'], become: true}
+
diff --git a/ansible/roles/docker/defaults/main.yml b/ansible/roles/docker/defaults/main.yml
new file mode 100644
index 0000000..43ea5c3
--- /dev/null
+++ b/ansible/roles/docker/defaults/main.yml
@@ -0,0 +1,67 @@ +--- +# docker_log_driver: 'json-file' +# docker_live_restore: true +# docker_json_max_size: '300M' +# docker_json_max_file: '3' +# docker_json_compress: 'true' +# docker_apt_package: 'docker.io' +# vm_max_map_count: false +# use docker default shutdown timeout by default +# docker_shutdown_timeout: + +# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). +docker_edition: 'ce' +docker_packages: + - "docker-{{ docker_edition }}" + - "docker-{{ docker_edition }}-cli" + - "docker-{{ docker_edition }}-rootless-extras" + - "containerd.io" +docker_packages_state: present + +# Service options. +docker_service_manage: true +docker_service_state: started +docker_service_enabled: true +docker_restart_handler_state: restarted + +# Docker Compose Plugin options. +docker_install_compose_plugin: false +docker_compose_package: docker-compose-plugin +docker_compose_package_state: present + +# Docker Compose options. +docker_install_compose: true +docker_compose_version: "v2.11.1" +docker_compose_arch: "{{ ansible_architecture }}" +docker_compose_url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-linux-{{ docker_compose_arch }}" +docker_compose_path: /usr/local/bin/docker-compose + +# Docker repo URL. +docker_repo_url: https://download.docker.com/linux + +# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed. +docker_apt_release_channel: stable +docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" +docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" +docker_apt_ignore_key_error: true +docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg" + +# Used only for RedHat/CentOS/Fedora. 
+docker_yum_repo_url: "{{ docker_repo_url }}/{{ (ansible_distribution == 'Fedora') | ternary('fedora','centos') }}/docker-{{ docker_edition }}.repo" +docker_yum_repo_enable_nightly: '0' +docker_yum_repo_enable_test: '0' +docker_yum_gpg_key: "{{ docker_repo_url }}/centos/gpg" + +# A list of users who will be added to the docker group. +docker_users: [vagrant] + +# Docker daemon options as a dict +docker_daemon_options: { + "log-driver": "json-file", + "log-opts": { + "max-size": "300m", + "max-file": "3", + "compress": "true" + }, + "live-restore": true +} \ No newline at end of file diff --git a/ansible/roles/docker/handlers/main.yml b/ansible/roles/docker/handlers/main.yml new file mode 100644 index 0000000..54d6ffb --- /dev/null +++ b/ansible/roles/docker/handlers/main.yml @@ -0,0 +1,7 @@ +--- +- name: restart docker + service: + name: docker + state: "{{ docker_restart_handler_state }}" + ignore_errors: "{{ ansible_check_mode }}" + when: docker_service_manage | bool \ No newline at end of file diff --git a/ansible/roles/docker/tasks/docker-users.yml b/ansible/roles/docker/tasks/docker-users.yml new file mode 100644 index 0000000..aeb2124 --- /dev/null +++ b/ansible/roles/docker/tasks/docker-users.yml @@ -0,0 +1,7 @@ +--- +- name: Ensure docker users are added to the docker group. + user: + name: "{{ item }}" + groups: docker + append: true + with_items: "{{ docker_users }}" \ No newline at end of file diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml new file mode 100644 index 0000000..7fc59bb --- /dev/null +++ b/ansible/roles/docker/tasks/main.yml 
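Review bot: `docker_users: [vagrant]` puts a hard-coded account into the `docker` group by default, and access to the Docker socket is equivalent to root on the host, so the role default should be `docker_users: []` with members set per host or group in inventory. The same hunk defines `docker_install_compose: true`, `docker_compose_version`, `docker_compose_arch`, `docker_compose_url` and `docker_compose_path`, but as far as this patch shows no task consumes them (`tasks/main.yml` only includes the setup files and `docker-users.yml`), so either the compose download task is missing or these defaults are dead. If that task is added, the `get_url` fetching the binary from `docker_compose_url` should carry a `checksum:` so the downloaded release is verified rather than trusted on the strength of the URL alone. `docker_daemon_options` is a nested mapping written in flow style; block style would diff more cleanly and is the convention the rest of the file follows.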
@@ -0,0 +1,70 @@ +--- +- include_tasks: setup-RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: setup-Debian.yml + when: ansible_os_family == 'Debian' + +- name: Install Docker packages. + package: + name: "{{ docker_packages }}" + state: "{{ docker_packages_state }}" + notify: restart docker + ignore_errors: "{{ ansible_check_mode }}" + when: "ansible_version.full is version_compare('2.12', '<') or ansible_os_family not in ['RedHat', 'Debian']" + +- name: Install Docker packages (with downgrade option). + package: + name: "{{ docker_packages }}" + state: "{{ docker_packages_state }}" + allow_downgrade: true + notify: restart docker + ignore_errors: "{{ ansible_check_mode }}" + when: "ansible_version.full is version_compare('2.12', '>=') and ansible_os_family in ['RedHat', 'Debian']" + +- name: Ensure /etc/docker/ directory exists. + file: + path: /etc/docker + state: directory + mode: 0755 + when: docker_daemon_options.keys() | length > 0 + +- name: Configure Docker daemon options. + copy: + content: "{{ docker_daemon_options | to_nice_json }}" + dest: /etc/docker/daemon.json + mode: 0644 + when: docker_daemon_options.keys() | length > 0 + notify: restart docker + +- name: Ensure Docker is started and enabled at boot. + service: + name: docker + state: "{{ docker_service_state }}" + enabled: "{{ docker_service_enabled }}" + ignore_errors: "{{ ansible_check_mode }}" + when: docker_service_manage | bool + +- name: Ensure handlers are notified now to avoid firewall conflicts. + meta: flush_handlers + +# On récupère les utilisateurs membres du groupe docker si on a passé des users dans la variable docker_users +- name: Get docker group info using getent. + getent: + database: group + key: docker + split: ':' + when: docker_users | length > 0 + +# On vérifie si les users n'exsistent pas. Si c'est le cas on créé une nouvelle variable +- name: Check if there are any users to add to the docker group. 
+ set_fact: + at_least_one_user_to_modify: true + when: + - docker_users | length > 0 + - item not in ansible_facts.getent_group["docker"][2] # Permet de récupérer une liste des utilisateurs renseignée dans le troisième champs. + with_items: "{{ docker_users }}" + +# Si la nouvelle variable a été définie on exécute la task +- include_tasks: docker-users.yml + when: at_least_one_user_to_modify is defined \ No newline at end of file diff --git a/ansible/roles/docker/tasks/setup-Debian.yml b/ansible/roles/docker/tasks/setup-Debian.yml new file mode 100644 index 0000000..a82bde5 --- /dev/null +++ b/ansible/roles/docker/tasks/setup-Debian.yml 
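Review bot: `mode: 0755` in the `/etc/docker` task and `mode: 0644` in the `daemon.json` task are unquoted leading-zero integers, which a YAML 1.1 parser reads as octal 493 and 420; Ansible tolerates this in simple cases but documents that the bare form can fail in loops and asks for quoted modes, so write `mode: '0755'` and `mode: '0644'`. The `get_url` task in `setup-RedHat.yml` has the same bare `mode: 0644`. The comments above the `getent` and `set_fact` tasks are in French while the rest of the role is in English; an English equivalent such as `# Collect current docker group members so only users not yet in the group trigger docker-users.yml` keeps the control flow readable for every maintainer.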
@@ -0,0 +1,55 @@
+---
+- name: Ensure old versions of Docker are not installed.
+ ansible.builtin.package:
+ name:
+ - docker
+ - docker-engine
+ - docker.io
+ state: absent
+
+- name: Ensure dependencies are installed.
+ ansible.builtin.apt:
+ name:
+ - apt-transport-https
+ - ca-certificates
+ state: present
+
+- name: Ensure additional dependencies are installed (on Ubuntu < 20.04 and any other systems).
+ ansible.builtin.apt:
+ name: gnupg2
+ state: present
+ when: ansible_distribution != 'Ubuntu' or ansible_distribution_version is version('20.04', '<')
+
+- name: Ensure additional dependencies are installed (on Ubuntu >= 20.04).
+ ansible.builtin.apt:
+ name: gnupg
+ state: present
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')
+
+- name: Add Docker apt key.
+ ansible.builtin.get_url:
+ url: "{{ docker_apt_gpg_key }}"
+ dest: /etc/apt/trusted.gpg.d/docker.asc
+ mode: '0644'
+ force: true
+ register: add_repository_key
+ ignore_errors: "{{ docker_apt_ignore_key_error }}"
+
+- name: Ensure curl is present (on older systems without SNI).
+ ansible.builtin.package:
+ name: curl
+ state: present
+ when: add_repository_key is failed
+
+- name: Add Docker apt key (alternative for older systems without SNI).
+ shell: >
+ curl -sSL {{ docker_apt_gpg_key }} | apt-key add -
+ args:
+ warn: false
+ when: add_repository_key is failed
+
+- name: Add Docker repository.
+ apt_repository:
+ repo: "{{ docker_apt_repository }}"
+ state: present
+ update_cache: true
\ No newline at end of file
diff --git a/ansible/roles/docker/tasks/setup-RedHat.yml b/ansible/roles/docker/tasks/setup-RedHat.yml
new file mode 100644
index 0000000..cb680d9
--- /dev/null
+++ b/ansible/roles/docker/tasks/setup-RedHat.yml
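Review bot: The key written to `/etc/apt/trusted.gpg.d/docker.asc` is trusted for every apt source on the host, because `docker_apt_repository` in the role defaults is `deb [arch=...] ...` with no `signed-by=` option; storing the key outside `trusted.gpg.d` (e.g. `dest: /etc/apt/keyrings/docker.asc`) and binding it with `deb [arch={{ docker_apt_arch }} signed-by=/etc/apt/keyrings/docker.asc] ...` in the defaults hunk limits what a compromised mirror could sign. The fallback task `curl -sSL {{ docker_apt_gpg_key }} | apt-key add -` relies on the deprecated `apt-key`, and because the defaults set `docker_apt_ignore_key_error: true`, any failure of the `get_url` download — not only the SNI case the name describes — is silently downgraded to the piped-shell path; I would remove the fallback and let a failed key download stop the play. The repository and key URLs are plain templated strings, so quoting `repo:` as the hunk already does is the right call.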
@@ -0,0 +1,34 @@
+---
+- name: Ensure old versions of Docker are not installed.
+ package:
+ name:
+ - docker
+ - docker-common
+ - docker-engine
+ state: absent
+
+- name: Add Docker GPG key.
+ rpm_key:
+ key: "{{ docker_yum_gpg_key }}"
+ state: present
+
+- name: Add Docker repository.
+ get_url:
+ url: "{{ docker_yum_repo_url }}"
+ dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Configure containerd on RHEL 8.
+ block:
+ - name: Ensure container-selinux is installed.
+ package:
+ name: container-selinux
+ state: present
+
+ - name: Ensure containerd.io is installed.
+ package:
+ name: containerd.io
+ state: present
+ when: ansible_distribution_major_version | int == 8
\ No newline at end of file
diff --git a/ansible/roles/gitlab_server/defaults/main.yml b/ansible/roles/gitlab_server/defaults/main.yml
new file mode 100644
index 0000000..07e5ff9
--- /dev/null
+++ b/ansible/roles/gitlab_server/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+gitlab_image_tag: latest
+gitlab_server_name:
+gitlab_pages_server_name:
+gitlab_services: []
+gitlab_base_dir: /opt/gitlab
+gitlab_data_dir: '{{ gitlab_base_dir }}/data'
+gitlab_backup_dir: '{{ gitlab_data_dir }}/backups'
+gitlab_logs_dir: '{{ gitlab_base_dir }}/logs'
+gitlab_conf_dir: '{{ gitlab_base_dir }}/conf'
+gitlab_bin_dir: '{{ gitlab_base_dir }}/bin'
+traefik_network: docker.local.fr
+
+# --- puma dir ---
+puma_conf_dir: /opt/gitlab/var/puma
+puma_conf_pid: '{{ puma_conf_dir}}/puma.pid'
\ No newline at end of file
diff --git a/ansible/roles/gitlab_server/handlers/main.yml b/ansible/roles/gitlab_server/handlers/main.yml
new file mode 100644
index 0000000..95b08cc
--- /dev/null
+++ b/ansible/roles/gitlab_server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart gitlab
+ command: docker exec gitlab gitlab-ctl restart
+
+- name: reconfigure gitlab
+ command: docker exec gitlab gitlab-ctl reconfigure
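Review bot: `gitlab_server_name:` and `gitlab_pages_server_name:` are bare empty values, which YAML parses as `null`, and neither variable is referenced by the tasks or the `gitlab.rb.j2` template in this patch (both hard-code `gitlab.local.fr`); either write `gitlab_server_name: 'gitlab.local.fr'` and use it in the container's Host rule and in `external_url`, or drop the unused keys. `gitlab_image_tag: latest` makes every run pull whatever the registry serves at that moment, so an upgrade or a rollback cannot be reproduced from the playbook; pinning a release tag such as `gitlab_image_tag: '<pinned-version>'` keeps the deployment auditable. `puma_conf_pid: '{{ puma_conf_dir}}/puma.pid'` is missing the space before `}}` — harmless to Jinja but inconsistent with every other expression in the file.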
diff --git a/ansible/roles/gitlab_server/tasks/main.yml b/ansible/roles/gitlab_server/tasks/main.yml
new file mode 100644
index 0000000..b1bdd1b
--- /dev/null
+++ b/ansible/roles/gitlab_server/tasks/main.yml
@@ -0,0 +1,75 @@ +--- +- name: Install packages + ansible.builtin.apt: + name: + - jq + state: present + +- name: Create directories + ansible.builtin.file: + path: '{{ item.path }}' + owner: '{{ item.owner | default("root") }}' + group: '{{ item.group | default("root") }}' + mode: '{{ item.mode | default("0755") }}' + state: directory + loop: + - path: '{{ gitlab_base_dir }}' + mode: '0700' + - path: '{{ gitlab_data_dir }}' + - path: '{{ gitlab_conf_dir }}' + mode: '0775' + - path: '{{ gitlab_logs_dir }}' + - path: '{{ gitlab_bin_dir }}' + +- name: Gitlab - Container up + community.docker.docker_container: + name: gitlab + image: 'gitlab/gitlab-ce:{{ gitlab_image_tag }}' + state: started + restart_policy: unless-stopped + volumes: + - '{{ gitlab_conf_dir }}:/etc/gitlab' + - '{{ gitlab_logs_dir }}:/var/log/gitlab' + - '{{ gitlab_data_dir }}:/var/opt/gitlab' + network_mode: '{{ traefik_network }}' + networks: + - name: '{{ traefik_network }}' + labels: + traefik.enable: 'true' + traefik.http.routers.gitlab.rule: 'Host(`gitlab.local.fr`)' + traefik.http.routers.gitlab.entrypoints: 'websecure' + traefik.http.services.gitlab.loadbalancer.server.port: '80' + traefik.http.routers.gitlab.tls: 'true' + +- name: Deploy gitlab config file + ansible.builtin.template: + src: gitlab.rb.j2 + dest: '{{ gitlab_conf_dir }}/gitlab.rb' + owner: root + group: root + mode: '0400' + notify: reconfigure gitlab + +- name: Modify sysctl values + ansible.builtin.sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + state: present + loop: + - name: net.core.somaxconn + value: 1024 + - name: net.ipv4.tcp_max_syn_backlog + value: 1024 + - name: vm.overcommit_memory + value: 1 + +- name: Get initial root password for gitlab authent + ansible.builtin.command: docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password + register: _password + until: "_password is not failed" + retries: 3 + delay: 10 + +- name: Print password + ansible.builtin.debug: + msg: "{{ 
_password.stdout }}" diff --git a/ansible/roles/gitlab_server/templates/gitlab.rb.j2 b/ansible/roles/gitlab_server/templates/gitlab.rb.j2 new file mode 100644 index 0000000..cbf335c --- /dev/null +++ b/ansible/roles/gitlab_server/templates/gitlab.rb.j2 @@ -0,0 +1,47 @@ +{{ ansible_managed | comment }} + +external_url 'https://gitlab.local.fr' +nginx['listen_port'] = 80 +nginx['listen_https'] = false +nginx['redirect_http_to_https'] = false +nginx['http2_enabled'] = false +nginx['proxy_set_headers'] = { + "Host" => "$http_host", + "X-Real-IP" => "$remote_addr", + "X-Forwarded-For" => "$proxy_add_x_forwarded_for", + "X-Forwarded-Proto" => "https", + "X-Forwarded-Ssl" => "on" +} +nginx['real_ip_trusted_addresses'] = ['172.18.0.0/16'] +nginx['real_ip_header'] = 'X-Real-IP' +nginx['real_ip_recursive'] = 'on' +nginx['custom_gitlab_server_config'] = "\nlocation =/robots.txt { alias /etc/gitlab/robots.txt; }\n" + +letsencrypt['enable'] = false +prometheus_monitoring['enable'] = false + +gitlab_rails['smtp_enable'] = false + +# gitlab_rails['gitlab_shell_ssh_port'] = 22222 + + + +# --- Misc --- +grafana['enable'] = false + +# --- Puma --- +puma['enable'] = true +puma['worker_processes'] = 2 # Nb core-1 +puma['worker_timeout'] = 60 + +# Valeur par défaut conseiller 4 +puma['min_threads'] = 4 +puma['max_threads'] = 4 + +puma['per_worker_max_memory_mb'] = 1024 + +puma['pidfile'] = '{{ puma_conf_pid }}' +gitlab_rails['env'] = { + 'GITLAB_RAILS_RACK_TIMEOUT' => 600 + } + diff --git a/ansible/roles/gitlab_server/templates/robots.txt.j2 b/ansible/roles/gitlab_server/templates/robots.txt.j2 new file mode 100644 index 0000000..c6742d8 --- /dev/null +++ b/ansible/roles/gitlab_server/templates/robots.txt.j2 @@ -0,0 +1,2 @@ +User-Agent: * +Disallow: / diff --git a/ansible/roles/traefik/defaults/main.yml b/ansible/roles/traefik/defaults/main.yml new file mode 100644 index 0000000..4ebc889 --- /dev/null +++ b/ansible/roles/traefik/defaults/main.yml 
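Review bot: The last two tasks read the initial root password out of the container and echo it with `debug`, so the credential ends up in Ansible's stdout, any log file and CI job output; the `command` task needs `no_log: true`, and the `Print password` task should go (the operator can read `/etc/gitlab/initial_root_password` on the host, or the value can be stored in a vault). `docker exec -it` also requests a TTY, which the `command` module does not allocate, so I would expect this task to fail on all three retries until `-t` is dropped — `docker exec gitlab grep 'Password:' /etc/gitlab/initial_root_password` — but confirm on a real run. The `gitlab` router label hard-codes the host gitlab.local.fr while `gitlab_server_name` exists in the role defaults; templating it from the variable keeps the host name in one place. `network_mode` and `networks` both point at `traefik_network`, so one of the two is redundant; the `networks` entry is the one that carries the attachment for `community.docker.docker_container`.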
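Review bot: `nginx['real_ip_trusted_addresses'] = ['172.18.0.0/16']` trusts `X-Real-IP` from every container on the shared Docker network, not only from Traefik, so any other workload on that network can forge the client address GitLab uses for rate limiting, IP allow-lists and audit logs; since the traefik role pins the proxy to `172.18.0.2`, narrow this to `['172.18.0.2/32']` or template it from a variable shared with that role. `X-Forwarded-Proto` is hard-coded to `https`, which is only true for traffic that arrived through Traefik's `websecure` entrypoint — fine for external clients because the container publishes no ports, but other containers on the network can still reach port 80 directly, which is worth stating in a comment above the `proxy_set_headers` block. `puma['worker_processes'] = 2 # Nb core-1` and `# Valeur par défaut conseiller 4` would be clearer in English, e.g. `# sized as (cores - 1)` and `# 4 is the value the GitLab docs recommend by default`.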
@@ -0,0 +1,5 @@
+---
+traefik_dev_version: 'v2.5'
+traefik_user: 'vagrant' # user
+traefik_dev_network:
+ - docker.local.fr
diff --git a/ansible/roles/traefik/files/config/dynamic_conf.toml b/ansible/roles/traefik/files/config/dynamic_conf.toml
new file mode 100644
index 0000000..0fe7fac
--- /dev/null
+++ b/ansible/roles/traefik/files/config/dynamic_conf.toml
@@ -0,0 +1,9 @@
+[[tls.certificates]]
+ certFile = "/etc/certs/local.fr.crt"
+ keyFile = "/etc/certs/local.fr.key"
+
+[tls.stores]
+ [tls.stores.default]
+ [tls.stores.default.defaultCertificate]
+ certFile = "/etc/certs/local.fr.crt"
+ keyFile = "/etc/certs/local.fr.key"
diff --git a/ansible/roles/traefik/files/config/middlewares.yml b/ansible/roles/traefik/files/config/middlewares.yml
new file mode 100644
index 0000000..2eca3b8
--- /dev/null
+++ b/ansible/roles/traefik/files/config/middlewares.yml
@@ -0,0 +1,7 @@
+---
+http:
+ middlewares:
+ StagingHeader:
+ headers:
+ customRequestHeaders:
+ X-Is-Secure: "true"
diff --git a/ansible/roles/traefik/files/etc/certs/local.fr.crt b/ansible/roles/traefik/files/etc/certs/local.fr.crt
new file mode 100644
index 0000000..064e8dd
--- /dev/null
+++ b/ansible/roles/traefik/files/etc/certs/local.fr.crt
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEvjCCAqagAwIBAgIUA3+jwHAAm1FF+hMbkjpEtp7r5vkwDQYJKoZIhvcNAQEL +BQAwQjELMAkGA1UEBhMCRlIxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE +CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMjEwMDgxNTA5MTNaFw0yMzEwMDgx +NTA5MTNaMH0xCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZGcmFuY2UxETAPBgNVBAcM +CFRvdWxvdXNlMREwDwYDVQQKDAhsb2NhbC5mcjEOMAwGA1UECwwFbG9jYWwxDjAM +BgNVBAMMBWxvY2FsMRcwFQYJKoZIhvcNAQkBFghsb2NhbC5mcjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANY0jBXHVKKkxCac0+mFit+VcE/KbnfwXuBx +cyS0DEQwPTPA0yuzomfmWs/EWoNZKyg4e42HWVoEq1gCXSeDzfg3cvfBNcx5nbhs +uVMOLesIcMohmhKCrbeqBRuF1X6KM9qbJUDU0/hwQN0nyUW/yDDH4BqPY8yVYyTD +Vjp8s/lDMhiXnKyRT5KonXqwFLxvpiiHbZu8bh6agSj+RDiPJGzidw6HqL1GavBj +zwuzjmkJdnQKxqivwTv5BMDaWveX7+WCaTYXY3Dt/JRixlFjn7vXj+huRuOHu9GM +vT5a0Zkm524rw2O2hbFK2Gk9upSvo5j5IPJQaH1TuCs2ChShNDMCAwEAAaNxMG8w +HwYDVR0jBBgwFoAUZEj1ZQDuf7yPxxLCp0JqiSOM7oUwCQYDVR0TBAIwADALBgNV +HQ8EBAMCBPAwFQYDVR0RBA4wDIIKKi5sb2NhbC5mcjAdBgNVHQ4EFgQUx1Tra1AD +cKbECcIyyGSy5/6dadkwDQYJKoZIhvcNAQELBQADggIBAHoVo7EDCo++aGu8RsB+ +Tbufc2nGyLOv9vc+syG00SFE/K0ic0JTuOHQcGnXbsfqaq2b7mtz8UL/bbBq/hmn +7xDkbUIigbrTQgRAhXIrv+wfUp0U8Wq6g2uCKFpak29mSfmnNdzYCQxywREwdKwS +OzlUZbmxmjNjX3YRJHL1mO/d2Y/5QD/rgZJB3aYnE05v5pVayx+FwHx0nu5OPUFS +sJBNjn15As1DREA6jaKYV6AYKy1kyPeo+/YuNPWndX3nlkgq3zvWvAFgwes0Oold +TSPH1TZlFpGexUPqJ8ZKUy6nQz6gUkPr4+F7ZvuNJ4djmrm36Osc2nqTdSPapX0c +zsI+1J82JnEVzqp4mHAIOF8MX2BZgrKNA6Uc5ftsSMQZ5irqSuNC+U2Mwsz22OBx +pcuciW7tAPJf3MBp9yGc35pHFG5F0DcEZhHaELCx6h8+dZ+8ZwRK6Do6HSBpi98W +2CuWePV5q9AecYv/gKXGA+N2nH3dh+eDqqPW6dNWLSfQCsoueJthRawBe249XrIG +CUREUTr7/nn95DtYpWD4ytxHxeU+6hGHzcv2EPfQkKYSkcayhGWMwN2c6c0B1SFg +CcwYB6OXy5mzDMUgWlioW5pdILhLyxLFB5XI4N3KjowgATJc9xgAfA7kR88tKAmM +JxD+DMTwrvDbAkQ5iEV9GDRM +-----END CERTIFICATE----- diff --git a/ansible/roles/traefik/files/etc/certs/local.fr.csr b/ansible/roles/traefik/files/etc/certs/local.fr.csr new file mode 100644 index 0000000..dabf7a3 --- /dev/null +++ b/ansible/roles/traefik/files/etc/certs/local.fr.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICwjCCAaoCAQAwfTELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTERMA8G +A1UEBwwIVG91bG91c2UxETAPBgNVBAoMCGxvY2FsLmZyMQ4wDAYDVQQLDAVsb2Nh +bDEOMAwGA1UEAwwFbG9jYWwxFzAVBgkqhkiG9w0BCQEWCGxvY2FsLmZyMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jSMFcdUoqTEJpzT6YWK35VwT8pu +d/Be4HFzJLQMRDA9M8DTK7OiZ+Zaz8Rag1krKDh7jYdZWgSrWAJdJ4PN+Ddy98E1 +zHmduGy5Uw4t6whwyiGaEoKtt6oFG4XVfooz2pslQNTT+HBA3SfJRb/IMMfgGo9j +zJVjJMNWOnyz+UMyGJecrJFPkqiderAUvG+mKIdtm7xuHpqBKP5EOI8kbOJ3Doeo +vUZq8GPPC7OOaQl2dArGqK/BO/kEwNpa95fv5YJpNhdjcO38lGLGUWOfu9eP6G5G +44e70Yy9PlrRmSbnbivDY7aFsUrYaT26lK+jmPkg8lBofVO4KzYKFKE0MwIDAQAB +oAAwDQYJKoZIhvcNAQELBQADggEBAKKp6AadSiP9tXHckhADHtzGFUpeq+CEC0Nk +AoaVMllkZHgEppdOzoj2FfCHdb7wfSOsA1ZjIE5oooEoZjUfb+xM/GnvJcpJT+Tr +rLT26DwXnPrsIxvzqIvMx6XsnfPcrr+3bHfW50W/jdNNDtzyeyq6kXCMMbxYat8p +flG+SMLeiMWFK6poTNrWh+X4ZzHbmDc+ckNdwilVXAVFgr0alzd6qo4Kc6WHRiQS +BTPjPQn9lgkq42S7kojLUXclcVfsvrHSmXTdUHtLFyj5H+7ppgs9wDWLSksOaBg2 +We9LcIGyuucaJBgbBuJ48WgtJDko0L2bpDFHRDipyQQeUCRkdRk= +-----END CERTIFICATE REQUEST----- diff --git a/ansible/roles/traefik/files/etc/certs/local.fr.key b/ansible/roles/traefik/files/etc/certs/local.fr.key new file mode 100644 index 0000000..fb93d8f --- /dev/null +++ b/ansible/roles/traefik/files/etc/certs/local.fr.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDWNIwVx1SipMQm +nNPphYrflXBPym538F7gcXMktAxEMD0zwNMrs6Jn5lrPxFqDWSsoOHuNh1laBKtY +Al0ng834N3L3wTXMeZ24bLlTDi3rCHDKIZoSgq23qgUbhdV+ijPamyVA1NP4cEDd +J8lFv8gwx+Aaj2PMlWMkw1Y6fLP5QzIYl5yskU+SqJ16sBS8b6Yoh22bvG4emoEo +/kQ4jyRs4ncOh6i9RmrwY88Ls45pCXZ0Csaor8E7+QTA2lr3l+/lgmk2F2Nw7fyU +YsZRY5+714/obkbjh7vRjL0+WtGZJuduK8NjtoWxSthpPbqUr6OY+SDyUGh9U7gr +NgoUoTQzAgMBAAECggEADmsUZYA4ptynBLUDC/GckBbZASXucE2ntT0ts5zC7pwT +TTZ/gFjjvPv5GjRspfFh7Ep7q+JzwJFr5Hf+7o1QAeiJk+UCIAoCScsCYSAlNcV9 +rL1nnN4Fn2/m+XFKwO0V4chrpi+CjR3RNTxbr0GM0hZsyUeO6ihsDKocAG0rGBiu +0ucbdCJfxl33QsEXWcFjCoX9eAobPhmM4RPAOK0yXRYrz6wBgbHfFY5A9JhT31zZ +xzZh/Wq881FYaBsrUB/mvsBVqCwO4GL76poA574TcHrmjb1ygKwgq6+zRpzEdlej +vY8RD2savLlkIOO0EhaCx+t+rBJ95lr3mj6AclPiAQKBgQD/tcJrx/KOaAs/pIf4 +q+3sRwduKxObJNQL63Aj+UzPIcK5pf7OwlsKmpZyz1ci/2XVF998hFLI2DKYVDNk +w85t4MZht+cnjjlRbWux3jzesdsZa/zYCfT0MX38OZsS28nOjJ2mbijtvPbmON+n +jw3eqEYfDlRFkYLrYcGpQKBnswKBgQDWcrzV3W8idok7SOyZ3j8i2OPaQkwDmEYI +my7M2WNZ62q+MPNAysnni4o04Rkw5TTC0lov9jRdcK4G+h73tqM7wvDGvPUOtemx +SfuOwg6fE8Er0cAmQ4rjBvxIVPJ6+Iz9CItyRvt1iCXvWTF9CjO6bkPmLR2QjZkh +SgJwpGXBgQKBgCJy3R9iD3ZJ5AIN61d/6gyjwQeBfCGxg3Oboz7lbgiVlsMl7r7y +BgvWqaAL+MQ5PgHINo5y0ShHoAFPjqDrlBrPZkpx2Q1GJsimghSzSOYDde3l02lT +ZhGjvUJGjHKs83IFFZP/UTo989EuJktPhWHSr6etaYL5yHZndAyWLUXrAoGAfq6b +JQ/Bhi9WFEKZGrByxagwug+uDfWXcaASvoqxKT5r+Vy7ZowlR/Zjt6c+FWdhirFu ++6RK/OQCujZpstYeicA4Mn8PmRgXrFbTF1tF/e1SkQtAopoF4uWOhUBBWimYSCYT +EngiNiUum70qAf7T3g8jZ0dBjtJHIqYw2NAVGIECgYAtJsZZcuqeT4v0SrF3aGuq +8TSaNFICQAPuRSeV7RN3Yq/ZzCxG0pt0N6U8/SZmOH+bx98yekRMLgY3A68XdlRi +uiyl+RZJIhaU83dhDnfv1/F0y0MmA8mEmUoPQSZkDrwg+IwvD38ob9DQUvaBcn5G +QBvZMa2+bHkceOnYRVfgzw== +-----END PRIVATE KEY----- diff --git a/ansible/roles/traefik/files/traefik.toml b/ansible/roles/traefik/files/traefik.toml new file mode 100644 index 0000000..689bbdd --- /dev/null +++ b/ansible/roles/traefik/files/traefik.toml 
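Review bot: `local.fr.key` is an unencrypted PKCS#8 private key committed to the repository next to its CSR and certificate, so anyone with read access to the history can impersonate the hosts Traefik serves with this pair (it is installed as the default certificate in `dynamic_conf.toml`); a key that has been in VCS must be treated as compromised even after it is deleted. Keep the certificate under `files/` if convenient, but deliver the key out of band — an `ansible-vault`-encrypted variable written with `copy: content:`, or an `openssl`/`community.crypto` task that generates it on the target — and rotate this pair. The `.csr` added in the previous hunk is not consumed by any task in the traefik role and can be dropped.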
@@ -0,0 +1,33 @@
+[accessLog]
+ filePath = "/dev/stdout"
+
+[log]
+ level = "ERROR"
+
+[providers.docker]
+ endpoint = "unix:///var/run/docker.sock"
+ watch = true
+ exposedByDefault = false
+
+[providers.file]
+ directory = "/etc/traefik/config"
+ watch = true
+
+[entryPoints]
+ [entryPoints.metrics]
+ address = ":8090"
+ [entryPoints.websecure]
+ address = ":443"
+ [entryPoints.web]
+ address = ":80"
+ [entryPoints.web.http.redirections]
+ [entryPoints.web.http.redirections.entryPoint]
+ to = "websecure"
+ scheme = "https"
+ permanent = "true"
+
+[api]
+ dashboard = true
+
+[metrics]
+ [metrics.prometheus]
diff --git a/ansible/roles/traefik/handlers/main.yml b/ansible/roles/traefik/handlers/main.yml
new file mode 100644
index 0000000..32a92e1
--- /dev/null
+++ b/ansible/roles/traefik/handlers/main.yml
@@ -0,0 +1,17 @@
+---
+- name: reload docker via systemd
+ # reload : set things like "live-restore"
+ ansible.builtin.systemd:
+ name: docker
+ state: reloaded
+ listen: reload docker
+
+- name: restart service docker
+ # then restart :
+ # - won't be disruptive with "live-restore"
+ # - necessary when changing "log-driver"
+ ansible.builtin.service:
+ name: docker
+ state: restarted
+ when: docker_live_restore
+ listen: reload docker
diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml
new file mode 100644
index 0000000..7fed924
--- /dev/null
+++ b/ansible/roles/traefik/tasks/main.yml
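Review bot: `[metrics.prometheus]` is left empty, so as far as I can tell the Prometheus endpoint is served on Traefik's default `traefik` entrypoint (which this file does not define as published) while the `metrics` entrypoint on `:8090` — published host-wide by the tasks hunk — serves nothing; add `entryPoint = "metrics"` under `[metrics.prometheus]` and, since the endpoint is unauthenticated, consider binding it to a non-public address (`address = "127.0.0.1:8090"`). `permanent = "true"` is a string where the `permanent` option is a boolean; Traefik's file provider coerces it, but `permanent = true` states the intent. `exposedByDefault = false` is the right setting for a daemon that will host other containers alongside GitLab.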
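Review bot: `when: docker_live_restore` references a variable that this patch never defines — `docker_live_restore` appears only as a commented-out line in `roles/docker/defaults/main.yml` — so the `restart service docker` handler will fail with an undefined-variable error whenever `reload docker` is notified; either define `docker_live_restore: false` in the role defaults or write `when: docker_live_restore | default(false) | bool`. Nothing in the traefik tasks hunk notifies `reload docker`, so both handlers appear unreachable from this role; if they are meant to follow `daemon.json` changes they belong in `roles/docker/handlers/main.yml` next to the existing `restart docker` handler, which already restarts the service. The header comments (`# reload : set things like "live-restore"`) explain the two-step intent well and should stay with whichever role the handlers end up in.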
@@ -0,0 +1,77 @@ +--- +- name: '{{ traefik_user }} | Create user' + ansible.builtin.user: + name: '{{ traefik_user }}' + password: "{{ traefik_user.hash_password | default('!') }}" + shell: '/bin/bash' + append: true + state: present + no_log: true + +- name: Ensure /etc/certs exist + ansible.builtin.file: + path: '{{ item.path }}' + state: '{{ item.state }}' + owner: '{{ traefik_user }}' + group: '{{ traefik_user }}' + mode: '0755' + loop: + - {path: '/home/{{ traefik_user }}/config/traefik/etc/certs', state: directory} + - {path: '/home/{{ traefik_user }}/config/traefik/config', state: directory} + +- name: 'Copy cert on {{ inventory_hostname }}.' + ansible.builtin.copy: + src: 'files/{{ item }}' + dest: '/home/{{ traefik_user }}/config/traefik/{{ item }}' + owner: '{{ traefik_user }}' + group: '{{ traefik_user }}' + mode: '0740' + loop: + - etc/certs/local.fr.crt + - etc/certs/local.fr.key + - config/dynamic_conf.toml + - config/middlewares.yml + - traefik.toml + +- name: "Add network for container" + community.docker.docker_network: + name: "{{ item }}" + internal: no + ipam_config: + - subnet: 172.18.0.0/16 + gateway: 172.18.0.1 + loop: "{{ traefik_dev_network }}" + +- name: Create traefik container + community.docker.docker_container: + name: 'traefik' + image: 'traefik:{{ traefik_dev_version }}' + state: started + restart: true + restart_policy: on-failure + restart_retries: 3 + purge_networks: yes + networks_cli_compatible: false + networks: + - name: "{{ traefik_dev_network[0] }}" + ipv4_address: 172.18.0.2 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - '/home/{{ traefik_user }}/config/traefik/etc/certs/:/etc/certs:ro' + - '/home/{{ traefik_user }}/config/traefik/config:/etc/traefik/config:ro' + - '/home/{{ traefik_user }}/config/traefik/traefik.toml:/traefik.toml:ro' + labels: + traefik.http.routers.api.rule: 'Host(`traefik.local.fr`)' + traefik.http.routers.api.service: 'api@internal' + traefik.http.middlewares.auth.basicauth.users: 
'admin:$apr1$YNIut6CR$IAtMZlvNBBMXe7cRNXDG0.' + traefik.http.routers.api.entrypoints: 'websecure' + traefik.http.routers.api.tls: 'true' + traefik.enable: 'true' + ports: + - '443:443' + - '8090:8090' + - '80:80' + log_driver: 'json-file' + log_opt: + max-size: '1m' + max-file: '10'
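Review bot: The `auth` basicauth middleware is declared on the container (`traefik.http.middlewares.auth.basicauth.users`) but never attached to the `api` router — there is no `traefik.http.routers.api.middlewares: 'auth'` label — so unless it is attached somewhere outside this patch, the dashboard and `api@internal` behind the Host rule for traefik.local.fr are reachable over `websecure` without credentials; add that label. The credential itself is an `$apr1$` (MD5-crypt) hash committed in the role; move it to an `ansible-vault`-encrypted variable and regenerate it as bcrypt (`htpasswd -B`), which Traefik accepts. Mounting `/var/run/docker.sock` hands the traefik container control of the host's Docker daemon, and `:ro` on the bind mount would not restrict API calls; a docker-socket proxy that exposes only the read-only endpoints the provider needs is the usual mitigation. The private key is copied with `mode: '0740'` and group `{{ traefik_user }}`; `'0600'` is enough if the container process runs as root (the default for the official image) — confirm before tightening. Minor: `internal: no` and `purge_networks: yes` should be `false` / `true`, and `restart: true` forces a container restart on every run, which breaks idempotence.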