Configure a host to run containers
Latest commit: af9a1552c8 by Linus Sehn, "chore: bump ansible-docker-rootless", 2023-07-18 14:21:36 +02:00 (continuous-integration/drone/push: build passing)

Container Server Playbook



Background

Not every host we have needs to run containers. If it does, however, this playbook is the place to start. Currently, it does the following:

  • sets up Docker in rootless mode
  • configures Caddy with automatic certificate generation to act as a reverse proxy, with docker2caddy for automatic config generation based on container labels
  • configures a Drone Docker runner
  • sets up backup steps and cron jobs

Security

This playbook repository contains secrets that are encrypted using the Ansible vault. The passphrase to decrypt the vault lives in the GPG-encrypted file vault_passphrase.gpg. If you need access to the encrypted parts of this playbook or you want to be able to encrypt variables whilst setting up a new host, simply create an issue in this repository and we will review your request.
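Because the vault passphrase only unlocks what is actually vault-encrypted, a committed plaintext secret bypasses the whole scheme. The following pre-push check is an added example, not a script from this repository: it walks the group_vars and host_vars directories the README describes and reports any secret-looking key whose value is neither in a whole-file vault blob nor tagged `!vault`. The key-name suffixes it looks for (password, passphrase, token, secret, _key) are an assumed heuristic, not the repository's naming convention.

```shell
#!/bin/sh
# Added example (not part of the container-server repository).
# Assumptions: variables live under DIR/group_vars and DIR/host_vars (as the
# README states); a key "carries a secret" when its name contains one of the
# suffixes below. This is a cheap heuristic for review, not a secret scanner.
SECRET_KEY_RE='^[[:space:]]*[A-Za-z0-9_]*(password|passphrase|token|secret|_key)[A-Za-z0-9_]*:'

# True when FILE is a whole-file Ansible Vault blob (header on line 1).
is_vault_file() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Prints "FILE:LINE" for every secret-looking key in FILE whose value is
# plaintext. Values written as "key: !vault |" are encrypted and skipped.
plaintext_secrets_in() {
    grep -nE "$SECRET_KEY_RE" "$1" \
        | grep -vE ':[[:space:]]*!vault' \
        | awk -F: -v p="$1" '{ print p ":" $1 }'
}

# Walks DIR/group_vars and DIR/host_vars. Returns 0 when every secret is
# vault-protected, 1 otherwise (offending locations go to stderr).
# Paths are assumed not to contain whitespace (word splitting on find output).
check_vars_tree() {
    rc=0
    for f in $(find "$1/group_vars" "$1/host_vars" -type f \
                    \( -name '*.yml' -o -name '*.yaml' \) 2>/dev/null); do
        is_vault_file "$f" && continue
        hits=$(plaintext_secrets_in "$f")
        if [ -n "$hits" ]; then
            printf 'plaintext secret: %s\n' "$hits" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `check_vars_tree .` from the playbook root before committing; a non-zero exit means a secret would land in git unencrypted.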

Install

You need a host that runs at least Debian 11 and an up-to-date copy of our inventory, which you can obtain by running:

git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/container-server.git

or when you have already cloned the repository without recursing into submodules:

git submodule update --remote inventory

Next, you need Ansible. To get the version this playbook is tested with (2.11), make sure you have a working pipenv and run:

pipenv install
pipenv shell

Gotchas

The version of fuse-overlayfs shipped in Debian Buster (0.3-1) was too old and caused problems when building images, e.g. via docker-compose in rootless mode. After installing the version that ships in Bullseye (1.4.1), the problem was fixed and all builds succeeded. This will be monitored.

Usage

In order to ... you need to do two things:

  1. Apply the labels container_server to the desired hosts in the inventory.
  2. Then, simply run:

     ansible-playbook playbook.yml

If you just want to install the container engine, run:

ansible-playbook playbook.yml --tags container-engine

Configuration

The relevant default variables are configured in the group_vars directory, but some variables are host-specific. For those, create a file in the host_vars directory named <hostname>.yml, e.g. host_vars/cont1.noris.fsfeurope.org.yml. So far, the following configuration is tested to work on a fresh and minimal Debian 11 install.

Additional Resources

Third-party Ansible roles used in this playbook are: