From c3e9305bce9fd1aaf165779fb46570c683750e6f Mon Sep 17 00:00:00 2001 
From: Elizabeth Hunt
Date: Sun, 4 May 2025 00:10:22 -0700
Subject: Tried to use docker ingress to solve x-real-ip on mail daemon but it didn't work for other ports
---
create.py | 2 +-
deploy.yml | 9 ++--
group_vars/all.yml | 5 +-
group_vars/labdns.yml | 1 +
group_vars/nginx-proxy.yml | 4 --
group_vars/nginx_proxy.yml | 4 ++
group_vars/test.yml | 4 ++
inventory | 5 +-
playbooks/ceph-mount.yml | 7 ---
playbooks/ceph_mount.yml | 7 +++
playbooks/nginx-proxy.yml | 7 ---
playbooks/nginx_proxy.yml | 7 +++
playbooks/roles/mail/tasks/main.yml | 1 +
.../volumes/data/dms/config/user-patches.sh | 6 ++-
playbooks/roles/nginx-proxy/handlers/main.yml | 9 ----
playbooks/roles/nginx-proxy/tasks/main.yml | 13 -----
.../roles/nginx-proxy/templates/docker-compose.yml | 58 ----------------------
.../templates/toplevel.conf.d/stream.conf | 55 --------------------
playbooks/roles/nginx_proxy/handlers/main.yml | 9 ++++
playbooks/roles/nginx_proxy/tasks/main.yml | 13 +++++
.../roles/nginx_proxy/templates/docker-compose.yml | 58 ++++++++++++++++++++++
.../templates/toplevel.conf.d/stream.conf | 55 ++++++++++++++++++++
playbooks/roles/swarm-init/tasks/main.yml | 19 -------
playbooks/roles/swarm-join/tasks/main.yml | 21 --------
playbooks/roles/swarm_init/tasks/main.yml | 19 +++++++
playbooks/roles/swarm_join/tasks/main.yml | 22 ++++++++
playbooks/roles/test/tasks/main.yml | 8 +++
.../roles/test/templates/stacks/docker-compose.yml | 30 +++++++++++
.../roles/test/templates/volumes/data/.gitkeep | 0
.../traefik/templates/stacks/docker-compose.yml | 10 ++--
playbooks/swarm-cluster.yml | 24 ---------
playbooks/swarm_cluster.yml | 24 +++++++++
playbooks/test.yml | 7 +++
33 files changed, 292 insertions(+), 231 deletions(-)
delete mode 100644 group_vars/nginx-proxy.yml
create mode 100644 group_vars/nginx_proxy.yml
create mode 100644 group_vars/test.yml
delete mode 100644 playbooks/ceph-mount.yml
create mode 100644 playbooks/ceph_mount.yml
delete mode 100644 playbooks/nginx-proxy.yml
create mode 
100644 playbooks/nginx_proxy.yml delete mode 100644 playbooks/roles/nginx-proxy/handlers/main.yml delete mode 100644 playbooks/roles/nginx-proxy/tasks/main.yml delete mode 100644 playbooks/roles/nginx-proxy/templates/docker-compose.yml delete mode 100644 playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf create mode 100644 playbooks/roles/nginx_proxy/handlers/main.yml create mode 100644 playbooks/roles/nginx_proxy/tasks/main.yml create mode 100644 playbooks/roles/nginx_proxy/templates/docker-compose.yml create mode 100644 playbooks/roles/nginx_proxy/templates/toplevel.conf.d/stream.conf delete mode 100644 playbooks/roles/swarm-init/tasks/main.yml delete mode 100644 playbooks/roles/swarm-join/tasks/main.yml create mode 100644 playbooks/roles/swarm_init/tasks/main.yml create mode 100644 playbooks/roles/swarm_join/tasks/main.yml create mode 100644 playbooks/roles/test/tasks/main.yml create mode 100644 playbooks/roles/test/templates/stacks/docker-compose.yml create mode 100644 playbooks/roles/test/templates/volumes/data/.gitkeep delete mode 100644 playbooks/swarm-cluster.yml create mode 100644 playbooks/swarm_cluster.yml create mode 100644 playbooks/test.yml diff --git a/create.py b/create.py index c956f1b..01dcaef 100755 --- a/create.py +++ b/create.py @@ -153,7 +153,7 @@ class RoleGenerator: networks: - proxy healthcheck: - test: ["CMD-SHELL", "curl", "--fail", "http://localhost:8000"] + test: ["CMD-SHELL", "curl", "--fail", "http://localhost:{self.port}"] timeout: 15s interval: 30s retries: 3 diff --git a/deploy.yml b/deploy.yml index 0484fe8..89fd643 100644 --- a/deploy.yml +++ b/deploy.yml 
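Review bot: The generated healthcheck still splits the command across list elements after `CMD-SHELL`, and Docker hands only the first element after `CMD-SHELL` to `sh -c` (the remaining elements become positional parameters), so as far as I can tell this probe runs a bare `curl` and fails every time regardless of the port fix. Use the exec form, `test: ["CMD", "curl", "--fail", "http://localhost:{self.port}"]`, or a single shell string, `test: ["CMD-SHELL", "curl --fail http://localhost:{self.port}"]`. The enclosing RoleGenerator method starts and ends outside the hunk, so please apply the same check wherever else this template is emitted. Since `{self.port}` is interpolated straight into YAML, a short comment noting that it must be an integer (not an arbitrary string) would also help the next reader.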
@@ -7,16 +7,16 @@ ansible.builtin.import_playbook: playbooks/docker.yml - name: NGINX Proxy - ansible.builtin.import_playbook: playbooks/nginx-proxy.yml + ansible.builtin.import_playbook: playbooks/nginx_proxy.yml - name: Outbound ansible.builtin.import_playbook: playbooks/outbound.yml - name: Ceph mountpoints - ansible.builtin.import_playbook: playbooks/ceph-mount.yml + ansible.builtin.import_playbook: playbooks/ceph_mount.yml - name: Swarm - ansible.builtin.import_playbook: playbooks/swarm-cluster.yml + ansible.builtin.import_playbook: playbooks/swarm_cluster.yml - name: Traefik ansible.builtin.import_playbook: playbooks/traefik.yml @@ -53,3 +53,6 @@ - name: src ansible.builtin.import_playbook: playbooks/src.yml + +- name: test + ansible.builtin.import_playbook: playbooks/test.yml diff --git a/group_vars/all.yml b/group_vars/all.yml index 6c39b25..f6747d0 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -9,19 +9,20 @@ ansible_user: serve loadbalancer_ip: "10.128.0.200" homelab_network: "10.0.0.0/8" docker_network: "172.16.0.0/12" +headnet_network: "100.64.0.0/10" rfc1918_cgnat_networks: - "{{ homelab_network }}" - "{{ docker_network }}" - 192.168.0.0/16 - - 100.64.0.0/10 + - "{{ headnet_network }}" timezone: "America/Los_Angeles" domain: "liz.coffee" idm_domain: "idm.{{ domain }}" headscale_host: "vpn.{{ domain }}" - mail_domain: "mail.{{ domain }}" + info_mail_user: "info" info_mail: "{{ info_mail_user }}@{{ domain }}" diff --git a/group_vars/labdns.yml b/group_vars/labdns.yml index 1209e98..5ec022c 100644 --- a/group_vars/labdns.yml +++ b/group_vars/labdns.yml @@ -3,6 +3,7 @@ labdns_base: "{{ swarm_base }}/labdns" internal_services: + - test - bin - ci - idm diff --git a/group_vars/nginx-proxy.yml b/group_vars/nginx-proxy.yml deleted file mode 100644 index bd5a27a..0000000 --- a/group_vars/nginx-proxy.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -certs_email: elizabeth@simponic.xyz -nginx_proxy_base: "/etc/docker/compose/nginx-proxy" 
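Review bot: Dropping `mail_domain: "mail.{{ domain }}"` from group_vars/all.yml is not mentioned in the subject, and nothing in this diff shows where the mail role or the nginx stream template now gets the mail hostname; if any template still references `mail_domain`, the play will fail at render time with an undefined variable. Please confirm with a repo-wide search, or keep the key with a comment explaining where the value moved.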
diff --git a/group_vars/nginx_proxy.yml b/group_vars/nginx_proxy.yml new file mode 100644 index 0000000..bd5a27a --- /dev/null +++ b/group_vars/nginx_proxy.yml @@ -0,0 +1,4 @@ +--- + +certs_email: elizabeth@simponic.xyz +nginx_proxy_base: "/etc/docker/compose/nginx-proxy" diff --git a/group_vars/test.yml b/group_vars/test.yml new file mode 100644 index 0000000..0b3f4c4 --- /dev/null +++ b/group_vars/test.yml @@ -0,0 +1,4 @@ +--- + +test_domain: test.liz.coffee +test_base: "{{ swarm_base }}/test" diff --git a/inventory b/inventory index 2b7107c..69d14d8 100644 --- a/inventory +++ b/inventory @@ -6,7 +6,7 @@ swarm-three ansible_host=10.128.0.203 ansible_user=serve ansible_connection=ssh # outbound-one.liz.coffee ansible_user=serve ansible_connection=ssh ansible_become_password='{{ outbound_become_password }}' outbound-two.liz.coffee ansible_user=serve ansible_connection=ssh ansible_become_password='{{ outbound_become_password }}' -[nginx-proxy] +[nginx_proxy] outbound-two.liz.coffee ansible_user=serve ansible_connection=ssh ansible_become_password='{{ outbound_become_password }}' # outbound-one.liz.coffee ansible_user=serve ansible_connection=ssh ansible_become_password='{{ outbound_become_password }}' @@ -62,3 +62,6 @@ swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connectio [src] swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}' +[test] +swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}' + diff --git a/playbooks/ceph-mount.yml b/playbooks/ceph-mount.yml deleted file mode 100644 index de2dd5b..0000000 --- a/playbooks/ceph-mount.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: Setup ceph - hosts: ceph - become: true - roles: - - ceph diff --git a/playbooks/ceph_mount.yml b/playbooks/ceph_mount.yml new file mode 100644 index 0000000..de2dd5b --- /dev/null +++ b/playbooks/ceph_mount.yml 
@@ -0,0 +1,7 @@ +--- + +- name: Setup ceph + hosts: ceph + become: true + roles: + - ceph diff --git a/playbooks/nginx-proxy.yml b/playbooks/nginx-proxy.yml deleted file mode 100644 index 329f186..0000000 --- a/playbooks/nginx-proxy.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: nginx-proxy setup - hosts: nginx-proxy - become: true - roles: - - nginx-proxy diff --git a/playbooks/nginx_proxy.yml b/playbooks/nginx_proxy.yml new file mode 100644 index 0000000..1a328eb --- /dev/null +++ b/playbooks/nginx_proxy.yml @@ -0,0 +1,7 @@ +--- + +- name: nginx_proxy setup + hosts: nginx_proxy + become: true + roles: + - nginx_proxy diff --git a/playbooks/roles/mail/tasks/main.yml b/playbooks/roles/mail/tasks/main.yml index dbda130..0d07acd 100644 --- a/playbooks/roles/mail/tasks/main.yml +++ b/playbooks/roles/mail/tasks/main.yml @@ -15,3 +15,4 @@ service_name: mail template_render_dir: "../templates" service_destination_dir: "{{ mail_base }}" + diff --git a/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh b/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh index 34ecd51..e2aa356 100755 --- a/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh +++ b/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh @@ -1,5 +1,9 @@ #!/bin/bash +# fix perms for potential rollbacks +chown -R 5000:5000 /var/mail/* +chown -R 100:102 /var/mail-state/lib-postfix + postconf -e 'smtpd_sasl_type = dovecot' postconf -e 'smtpd_sasl_path = /dev/shm/sasl-auth.sock' postconf -e 'smtpd_sasl_auth_enable = yes' @@ -55,5 +59,3 @@ userdb { postconf -e 'virtual_uid_maps = static:5000' postconf -e 'virtual_gid_maps = static:5000' postconf -e 'virtual_minimum_uid = 5000' - -chown -R 5000:5000 /var/mail/* diff --git a/playbooks/roles/nginx-proxy/handlers/main.yml b/playbooks/roles/nginx-proxy/handlers/main.yml deleted file mode 100644 index 98486dc..0000000 --- a/playbooks/roles/nginx-proxy/handlers/main.yml +++ /dev/null 
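Review bot: The new `chown -R 100:102 /var/mail-state/lib-postfix` hard-codes numeric IDs with no comment saying which users in the DMS image they stand for, and because the script has no `set -e` and no existence check, a missing path fails silently while a wrong ID pair silently re-owns the postfix state on every container start. Suggest a comment naming the owner and group these IDs map to inside the image (I cannot verify that from here) and guarding the call: `[ -d /var/mail-state/lib-postfix ] && chown -R 100:102 /var/mail-state/lib-postfix`. The `# fix perms for potential rollbacks` comment would be more useful if it stated what a rollback leaves mis-owned and why the `/var/mail/*` chown now has to run before the `postconf` edits rather than after them.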
@@ -1,9 +0,0 @@ ---- - -- name: (Re)start nginx-proxy - ansible.builtin.service: - name: docker-compose@nginx-proxy - state: restarted - enabled: true - when: compose_mode is not defined or compose_mode != false - diff --git a/playbooks/roles/nginx-proxy/tasks/main.yml b/playbooks/roles/nginx-proxy/tasks/main.yml deleted file mode 100644 index aa7f922..0000000 --- a/playbooks/roles/nginx-proxy/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: Deploy nginx-proxy - ansible.builtin.import_tasks: manage-docker-compose-service.yml - vars: - service_name: nginx-proxy - template_render_dir: "../templates" - service_destination_dir: "{{ nginx_proxy_base }}" - state: restarted -# can't rollout the nginx-proxy without a parent reverse proxy. which -# would need a reverse proxy to rollout. which would need a... yeah you -# get the idea. -# rollout_services: diff --git a/playbooks/roles/nginx-proxy/templates/docker-compose.yml b/playbooks/roles/nginx-proxy/templates/docker-compose.yml deleted file mode 100644 index 33b3243..0000000 --- a/playbooks/roles/nginx-proxy/templates/docker-compose.yml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- - -services: - nginx-proxy: - image: nginxproxy/nginx-proxy - container_name: nginx-proxy - ports: - # http - - "80:80" - - "443:443" - # smtp - - "25:25" - - "465:465" - - "587:587" - # imap - - "993:993" - # sieve - - "4190:4190" - # src - - "2222:2222" - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - {{ nginx_proxy_base }}/certs:/etc/nginx/certs - - {{ nginx_proxy_base }}/toplevel.conf.d:/etc/nginx/toplevel.conf.d - environment: - - TZ={{ timezone }} - - DEPLOYMENT_TIME={{ deployment_time }} - - NO_COLOR=1 - - LOG_JSON=true - - TRUST_DOWNSTREAM_PROXY=false - networks: - - proxy - labels: - - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy - - nginx-acme-companion: - image: nginxproxy/acme-companion - depends_on: - - nginx-proxy - volumes: - - /var/run/docker.sock:/var/run/docker.sock:ro - - acme:/etc/acme.sh - - {{ nginx_proxy_base }}/certs:/etc/nginx/certs - environment: - - TZ={{ timezone }} - - DEPLOYMENT_TIME={{ deployment_time }} - - DEFAULT_EMAIL={{ certs_email }} - - ACME_CHALLENGE=DNS-01 - - "ACMESH_DNS_API_CONFIG={'DNS_API': 'dns_cf', 'CF_Key': '{{ cloudflare_token }}', 'CF_Email': '{{ cloudflare_email }}'}" - networks: - - proxy - -volumes: - acme: - -networks: - proxy: - name: proxy diff --git a/playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf b/playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf deleted file mode 100644 index 3e7c125..0000000 --- a/playbooks/roles/nginx-proxy/templates/toplevel.conf.d/stream.conf +++ /dev/null 
@@ -1,55 +0,0 @@ -{% if not homelab_build %} - -stream { - upstream imaps { - server {{ vpn_proxy_filter_container_name }}:993; - } - upstream smtps { - server {{ vpn_proxy_filter_container_name }}:465; - } - upstream smtptls { - server {{ vpn_proxy_filter_container_name }}:587; - } - upstream smtp { - server {{ vpn_proxy_filter_container_name }}:25; - } - upstream managesieve { - server {{ vpn_proxy_filter_container_name }}:4190; - } - - upstream src { - server {{ vpn_proxy_filter_container_name }}:2222; - } - - server { - listen 993; - proxy_pass imaps; - proxy_protocol on; - } - server { - listen 25; - proxy_pass smtp; - proxy_protocol on; - } - server { - listen 587; - proxy_pass smtptls; - proxy_protocol on; - } - server { - listen 465; - proxy_pass smtps; - proxy_protocol on; - } - server { - listen 4190; - proxy_pass managesieve; - proxy_protocol on; - } - server { - listen 2222; - proxy_pass src; - } -} - -{% endif %} diff --git a/playbooks/roles/nginx_proxy/handlers/main.yml b/playbooks/roles/nginx_proxy/handlers/main.yml new file mode 100644 index 0000000..98486dc --- /dev/null +++ b/playbooks/roles/nginx_proxy/handlers/main.yml @@ -0,0 +1,9 @@ +--- + +- name: (Re)start nginx-proxy + ansible.builtin.service: + name: docker-compose@nginx-proxy + state: restarted + enabled: true + when: compose_mode is not defined or compose_mode != false + diff --git a/playbooks/roles/nginx_proxy/tasks/main.yml b/playbooks/roles/nginx_proxy/tasks/main.yml new file mode 100644 index 0000000..aa7f922 --- /dev/null +++ b/playbooks/roles/nginx_proxy/tasks/main.yml 
@@ -0,0 +1,13 @@ +--- + +- name: Deploy nginx-proxy + ansible.builtin.import_tasks: manage-docker-compose-service.yml + vars: + service_name: nginx-proxy + template_render_dir: "../templates" + service_destination_dir: "{{ nginx_proxy_base }}" + state: restarted +# can't rollout the nginx-proxy without a parent reverse proxy. which +# would need a reverse proxy to rollout. which would need a... yeah you +# get the idea. +# rollout_services: diff --git a/playbooks/roles/nginx_proxy/templates/docker-compose.yml b/playbooks/roles/nginx_proxy/templates/docker-compose.yml new file mode 100644 index 0000000..33b3243 --- /dev/null +++ b/playbooks/roles/nginx_proxy/templates/docker-compose.yml @@ -0,0 +1,58 @@ +--- + +services: + nginx-proxy: + image: nginxproxy/nginx-proxy + container_name: nginx-proxy + ports: + # http + - "80:80" + - "443:443" + # smtp + - "25:25" + - "465:465" + - "587:587" + # imap + - "993:993" + # sieve + - "4190:4190" + # src + - "2222:2222" + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - {{ nginx_proxy_base }}/certs:/etc/nginx/certs + - {{ nginx_proxy_base }}/toplevel.conf.d:/etc/nginx/toplevel.conf.d + environment: + - TZ={{ timezone }} + - DEPLOYMENT_TIME={{ deployment_time }} + - NO_COLOR=1 + - LOG_JSON=true + - TRUST_DOWNSTREAM_PROXY=false + networks: + - proxy + labels: + - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy + + nginx-acme-companion: + image: nginxproxy/acme-companion + depends_on: + - nginx-proxy + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - acme:/etc/acme.sh + - {{ nginx_proxy_base }}/certs:/etc/nginx/certs + environment: + - TZ={{ timezone }} + - DEPLOYMENT_TIME={{ deployment_time }} + - DEFAULT_EMAIL={{ certs_email }} + - ACME_CHALLENGE=DNS-01 + - "ACMESH_DNS_API_CONFIG={'DNS_API': 'dns_cf', 'CF_Key': '{{ cloudflare_token }}', 'CF_Email': '{{ cloudflare_email }}'}" + networks: + - proxy + +volumes: + acme: + +networks: + proxy: + name: proxy 
diff --git a/playbooks/roles/nginx_proxy/templates/toplevel.conf.d/stream.conf b/playbooks/roles/nginx_proxy/templates/toplevel.conf.d/stream.conf new file mode 100644 index 0000000..3e7c125 --- /dev/null +++ b/playbooks/roles/nginx_proxy/templates/toplevel.conf.d/stream.conf @@ -0,0 +1,55 @@ +{% if not homelab_build %} + +stream { + upstream imaps { + server {{ vpn_proxy_filter_container_name }}:993; + } + upstream smtps { + server {{ vpn_proxy_filter_container_name }}:465; + } + upstream smtptls { + server {{ vpn_proxy_filter_container_name }}:587; + } + upstream smtp { + server {{ vpn_proxy_filter_container_name }}:25; + } + upstream managesieve { + server {{ vpn_proxy_filter_container_name }}:4190; + } + + upstream src { + server {{ vpn_proxy_filter_container_name }}:2222; + } + + server { + listen 993; + proxy_pass imaps; + proxy_protocol on; + } + server { + listen 25; + proxy_pass smtp; + proxy_protocol on; + } + server { + listen 587; + proxy_pass smtptls; + proxy_protocol on; + } + server { + listen 465; + proxy_pass smtps; + proxy_protocol on; + } + server { + listen 4190; + proxy_pass managesieve; + proxy_protocol on; + } + server { + listen 2222; + proxy_pass src; + } +} + +{% endif %} diff --git a/playbooks/roles/swarm-init/tasks/main.yml b/playbooks/roles/swarm-init/tasks/main.yml deleted file mode 100644 index 19967e9..0000000 --- a/playbooks/roles/swarm-init/tasks/main.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- - -- name: Check Docker Swarm Status - ansible.builtin.command: docker info --format '{{ "{{.Swarm.LocalNodeState}}" }}' - register: docker_swarm_status - changed_when: false - -- name: Initialize Docker Swarm if Inactive - ansible.builtin.command: - cmd: docker swarm init --advertise-addr "{{ ansible_default_ipv4.address }}" - when: docker_swarm_status.stdout == "inactive" - register: swarm_init - changed_when: '"Swarm initialized" in swarm_init.stdout' - -- name: Retrieve Docker Swarm Manager Token - ansible.builtin.command: docker swarm join-token manager -q - register: manager_token - changed_when: false - diff --git a/playbooks/roles/swarm-join/tasks/main.yml b/playbooks/roles/swarm-join/tasks/main.yml deleted file mode 100644 index 5fdb66f..0000000 --- a/playbooks/roles/swarm-join/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: Check Docker Swarm Status - ansible.builtin.command: docker info --format '{{ "{{.Swarm.LocalNodeState}}" }}' - register: docker_swarm_status - changed_when: false - -- name: Join Swarm as Manager - ansible.builtin.command: - cmd: docker swarm join --token {{ hostvars[groups['swarm'][0]]['manager_token'].stdout }} {{ hostvars[groups['swarm'][0]]['ansible_default_ipv4']['address'] }}:2377 - when: - - hostvars[groups['swarm'][0]]['manager_token'].stdout is defined - - docker_swarm_status.stdout != "active" - register: swarm_join - changed_when: '"This node joined a swarm as a manager" in swarm_join.stdout' - -- name: Label Docker Swarm Manager Nodes - ansible.builtin.command: - cmd: docker node update --label-add manager=true {{ ansible_hostname }} - when: swarm_join is changed - changed_when: false diff --git a/playbooks/roles/swarm_init/tasks/main.yml b/playbooks/roles/swarm_init/tasks/main.yml new file mode 100644 index 0000000..19967e9 --- /dev/null +++ b/playbooks/roles/swarm_init/tasks/main.yml 
@@ -0,0 +1,19 @@ +--- + +- name: Check Docker Swarm Status + ansible.builtin.command: docker info --format '{{ "{{.Swarm.LocalNodeState}}" }}' + register: docker_swarm_status + changed_when: false + +- name: Initialize Docker Swarm if Inactive + ansible.builtin.command: + cmd: docker swarm init --advertise-addr "{{ ansible_default_ipv4.address }}" + when: docker_swarm_status.stdout == "inactive" + register: swarm_init + changed_when: '"Swarm initialized" in swarm_init.stdout' + +- name: Retrieve Docker Swarm Manager Token + ansible.builtin.command: docker swarm join-token manager -q + register: manager_token + changed_when: false + diff --git a/playbooks/roles/swarm_join/tasks/main.yml b/playbooks/roles/swarm_join/tasks/main.yml new file mode 100644 index 0000000..f6fe454 --- /dev/null +++ b/playbooks/roles/swarm_join/tasks/main.yml @@ -0,0 +1,22 @@ +--- + +- name: Check Docker Swarm Status + ansible.builtin.command: docker info --format '{{ "{{.Swarm.LocalNodeState}}" }}' + register: docker_swarm_status + changed_when: false + +- name: Join Swarm as Manager + ansible.builtin.command: + cmd: docker swarm join --token {{ hostvars[groups['swarm'][0]]['manager_token'].stdout }} {{ hostvars[groups['swarm'][0]]['ansible_default_ipv4']['address'] }}:2377 + when: + - hostvars[groups['swarm'][0]]['manager_token'].stdout is defined + - docker_swarm_status.stdout != "active" + register: swarm_join + changed_when: '"This node joined a swarm as a manager" in swarm_join.stdout' + +- name: Label Docker Swarm Manager Nodes + ansible.builtin.command: + cmd: docker node update --label-add manager=true {{ ansible_hostname }} + when: swarm_join is changed + changed_when: false + diff --git a/playbooks/roles/test/tasks/main.yml b/playbooks/roles/test/tasks/main.yml new file mode 100644 index 0000000..e370cae --- /dev/null +++ b/playbooks/roles/test/tasks/main.yml 
@@ -0,0 +1,8 @@ +--- + +- name: Deploy test + ansible.builtin.import_tasks: manage-docker-swarm-service.yml + vars: + service_name: test + template_render_dir: "../templates" + service_destination_dir: "{{ test_base }}" diff --git a/playbooks/roles/test/templates/stacks/docker-compose.yml b/playbooks/roles/test/templates/stacks/docker-compose.yml new file mode 100644 index 0000000..52f220f --- /dev/null +++ b/playbooks/roles/test/templates/stacks/docker-compose.yml @@ -0,0 +1,30 @@ +services: + test: + image: traefik/whoami:latest + volumes: + - {{ test_base }}/volumes/data:/data + environment: + - TZ={{ timezone }} + - DEPLOYMENT_TIME={{ deployment_time }} + networks: + - proxy + deploy: + mode: replicated + update_config: + parallelism: 1 + failure_action: rollback + order: start-first + delay: 5s + replicas: 1 + labels: + - traefik.enable=true + - traefik.swarm.network=proxy + - traefik.http.routers.test.tls=true + - traefik.http.routers.test.tls.certResolver=letsencrypt + - traefik.http.routers.test.rule=Host(`{{ test_domain }}`) + - traefik.http.routers.test.entrypoints=websecure + - traefik.http.services.test.loadbalancer.server.port=80 + +networks: + proxy: + external: true diff --git a/playbooks/roles/test/templates/volumes/data/.gitkeep b/playbooks/roles/test/templates/volumes/data/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml index dfcf72c..ad5e228 100644 --- a/playbooks/roles/traefik/templates/stacks/docker-compose.yml +++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml @@ -1,7 +1,7 @@ services: headscale-client: image: tailscale/tailscale:latest - hostname: headscale-traefik + hostname: headscale-client-{{ deployment_time }} environment: - DEPLOYMENT_TIME={{ deployment_time }} - TZ={{ timezone }} 
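Review bot: The test stack publishes `traefik/whoami:latest` at `{{ test_domain }}` on the public `websecure` entrypoint with no auth middleware, and whoami echoes every request header plus the container's hostname and addresses back to any caller, which is fine for a one-off X-Forwarded-For check but leaks internal details if it stays deployed — and deploy.yml now imports playbooks/test.yml on every run. Suggest pinning the image to a version or digest instead of `latest`, dropping the unused `{{ test_base }}/volumes/data:/data` bind mount, and either attaching an auth middleware label or removing the playbook import once the header question is settled. A one-line comment at the top of the file stating that this is a temporary diagnostic service would help the next reader.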
@@ -27,7 +27,7 @@ services: replicas: 1 update_config: parallelism: 1 - order: stop-first # hostname conflicts + order: start-first failure_action: rollback monitor: 8s traefik: @@ -35,9 +35,10 @@ services: depends_on: - headscale-client ports: + # TODO: FIGURE OUT HOW TO READ X-FORWARDED-FOR CORRECTLY # http - - 80:80 - - 443:443 + - "80:80" + - "443:443" healthcheck: test: traefik healthcheck --ping interval: 10s @@ -57,7 +58,6 @@ services: - headnet deploy: mode: replicated - replicas: 2 update_config: parallelism: 1 order: start-first diff --git a/playbooks/swarm-cluster.yml b/playbooks/swarm-cluster.yml deleted file mode 100644 index 945edb9..0000000 --- a/playbooks/swarm-cluster.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- - -- name: Configure Docker Swarm Firewall Rules - hosts: swarm - become: true - tasks: - - name: Enable Local Swarm Communications - community.general.ufw: - rule: allow - from: "10.0.0.0/8" - state: enabled - -- name: Setup swarm on init node - hosts: swarm[0] - become: true - roles: - - swarm-init - -- name: Join non-init nodes - hosts: swarm:!swarm[0] - become: true - roles: - - swarm-join - diff --git a/playbooks/swarm_cluster.yml b/playbooks/swarm_cluster.yml new file mode 100644 index 0000000..6a13f8c --- /dev/null +++ b/playbooks/swarm_cluster.yml @@ -0,0 +1,24 @@ +--- + +- name: Configure Docker Swarm Firewall Rules + hosts: swarm + become: true + tasks: + - name: Enable Local Swarm Communications + community.general.ufw: + rule: allow + from: "{{ homelab_network }}" + state: enabled + +- name: Setup swarm on init node + hosts: swarm[0] + become: true + roles: + - swarm_init + +- name: Join non-init nodes + hosts: swarm:!swarm[0] + become: true + roles: + - swarm_join + diff --git a/playbooks/test.yml b/playbooks/test.yml new file mode 100644 index 0000000..305f111 --- /dev/null +++ b/playbooks/test.yml @@ -0,0 +1,7 @@ +--- + +- name: test setup + hosts: test + become: true + roles: + - test -- cgit v1.2.3-70-g09d2
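Review bot: The new `# TODO: FIGURE OUT HOW TO READ X-FORWARDED-FOR CORRECTLY` under `ports:` is the place to record the answer rather than leave it open: as I read Traefik's forwardedHeaders handling, a client-supplied X-Forwarded-For / X-Real-IP is kept only when the connection comes from an address listed in the entrypoint's `forwardedHeaders.trustedIPs` (or, for a PROXY-protocol hop like the one the nginx stream config uses, `proxyProtocol.trustedIPs`); from any other peer the headers are dropped and rebuilt from the TCP remote address. The fix is therefore to list only the upstream proxy's address there, never `forwardedHeaders.insecure`, and the entrypoint definition is outside this hunk so I cannot see what is set today. Separately, `hostname: headscale-client-{{ deployment_time }}` registers a fresh node name with headscale on every deploy; unless the auth key is ephemeral, stale nodes with valid keys will accumulate in the control plane, which deserves a comment and a cleanup step.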
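Review bot: The ufw task in the firewall play still has no `proto` or `port`, so `from: "{{ homelab_network }}"` allows every port on each swarm node from the whole homelab range, not just swarm traffic as the task name "Enable Local Swarm Communications" suggests. Restrict it to the swarm ports (2377/tcp, 7946/tcp+udp, 4789/udp) with a loop, or at least add a comment stating that the intent really is to open everything from the homelab network.
```yaml
  tasks:
    - name: Enable Local Swarm Communications
      community.general.ufw:
        rule: allow
        from: "{{ homelab_network }}"
        proto: "{{ item.proto }}"
        port: "{{ item.port }}"
        state: enabled
      loop:
        - { proto: tcp, port: "2377" }
        - { proto: tcp, port: "7946" }
        - { proto: udp, port: "7946" }
        - { proto: udp, port: "4789" }
# … unchanged: swarm_init / swarm_join plays …
```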