Configure a host to run containers
Linus Sehn a2290bac10 bump submodules 3 months ago
.reuse changed .reuse/dep5 to test 12 months ago
LICENSES make REUSE compliant 7 months ago
group_vars allow ping 5 months ago
host_vars clean all leftovers of nginx and traefik as reverse proxy 6 months ago
inventory@cf31dd4f63 bump submodules 3 months ago
molecule/default fix REUSE compliance 4 months ago
roles bump submodules 3 months ago
.drone.yml switch ansible-lint with yamllint due to vault complications 12 months ago
.gitignore added licences 12 months ago
.gitmodules use proper upstream by konstruktoid 5 months ago
.yamllint fix REUSE compliance 4 months ago
LICENSE Initial commit 1 year ago
README.md add backup and cron to README 6 months ago
ansible.cfg added vault_password_file to ansible.cfg 1 year ago
open_the_vault.sh added licences 12 months ago
playbook.yml add role for regular cron jobs 6 months ago
shell.nix fix REUSE compliance 4 months ago
vault_passphrase.gpg added ansible vault scripts 1 year ago
vault_passphrase.gpg.license added final licences 12 months ago

README.md

Container Server Playbook


Configure a host to run containers


Background

Not every host we have needs to run containers. If it does, however, this playbook is the place to start. Currently, it does the following:

  • sets up Docker in rootless mode
  • configures Caddy with automatic certificate generation to act as a reverse proxy, with docker2caddy for automatic config generation based on container labels
  • configures a Drone Docker runner
  • sets up backup steps and cron jobs

Security

This playbook repository contains secrets that are encrypted using the Ansible vault. The passphrase to decrypt the vault lives in the GPG-encrypted file vault_passphrase.gpg. If you need access to the encrypted parts of this playbook or you want to be able to encrypt variables whilst setting up a new host, simply create an issue in this repository and we will review your request.

Install

You need a host that runs at least Debian 11 and an up-to-date version of our inventory; the latter can be obtained by running:

git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/container-server.git

or when you have already cloned the repository without recursing into submodules:

git submodule update --remote inventory

Next, you obviously need Ansible. To install and use the version of Ansible this playbook is tested with (2.11), get a working version of pipenv and run:

pipenv install
pipenv shell

Gotchas

The current version of fuse-overlayfs in Debian Buster was too old (0.3-1) and caused problems when building images, e.g. via docker-compose in rootless mode. After installing the version which will be available in Bullseye (1.4.1), the problem was fixed and all builds succeeded. This will be monitored.

Usage

In order to ...

you need to do two things:

  1. Apply the label container_server to the desired hosts in the inventory.
  2. Then, simply run:

     ansible-playbook playbook.yml

If you just want to install the container engine, run:

ansible-playbook playbook.yml --tags container-engine
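The Install, Gotchas and Usage sections above describe a small set of preconditions (Debian 11 or newer, a populated inventory submodule, a fuse-overlayfs newer than 0.3-1, a decryptable vault passphrase) and then a single playbook invocation. The following preflight script is an added example, not a script shipped in this repository, and it assumes you run it from the checkout root, that the inventory submodule is at ./inventory, that the passphrase file is ./vault_passphrase.gpg, that GNU sort -V and dpkg-query are available on the control host, and that the checks only execute when PREFLIGHT_RUN=1 is set:

```shell
#!/bin/sh
# Preflight checks before running the container-server playbook.
# Added example, not a script from the repository. Assumptions: the
# checkout is the current directory, the inventory submodule lives in
# ./inventory, the vault passphrase is ./vault_passphrase.gpg, and
# PREFLIGHT_RUN=1 is set when the checks should actually execute.

FUSE_OVERLAYFS_MIN="1.4.1"   # version that fixed rootless builds (Gotchas)
DEBIAN_MIN=11                # minimum Debian release named in Install

# Print the major version from os-release formatted text on stdin.
debian_major() {
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed when the given major version meets DEBIAN_MIN.
supported_debian() {
    [ "${1:-0}" -ge "$DEBIAN_MIN" ]
}

# Succeed when version $1 is greater than or equal to version $2.
# Handles Debian-style strings such as 0.3-1 and 1.4.1 via GNU sort -V.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Succeed when an installed fuse-overlayfs version is new enough.
fuse_overlayfs_ok() {
    version_ge "$1" "$FUSE_OVERLAYFS_MIN"
}

# Print the ansible-playbook invocation; an optional tag limits the run.
playbook_cmd() {
    if [ -n "${1:-}" ]; then
        printf 'ansible-playbook playbook.yml --tags %s\n' "$1"
    else
        printf 'ansible-playbook playbook.yml\n'
    fi
}

# Decrypt the GPG-encrypted vault passphrase to stdout. An executable
# vault_password_file in ansible.cfg can point to a script doing exactly this.
vault_passphrase() {
    gpg --quiet --batch --decrypt "${1:-vault_passphrase.gpg}"
}

main() {
    ver=$(debian_major < /etc/os-release)
    if supported_debian "$ver"; then
        echo "Debian $ver: ok"
    else
        echo "Debian ${ver:-?}: this playbook needs Debian $DEBIAN_MIN or newer"
    fi

    if [ -d inventory ] && [ -n "$(ls -A inventory 2>/dev/null)" ]; then
        echo "inventory submodule: present"
    else
        echo "inventory submodule: empty, run: git submodule update --remote inventory"
    fi

    if command -v dpkg-query >/dev/null 2>&1; then
        fov=$(dpkg-query -W -f='${Version}' fuse-overlayfs 2>/dev/null)
        if [ -n "$fov" ] && fuse_overlayfs_ok "$fov"; then
            echo "fuse-overlayfs $fov: ok"
        else
            echo "fuse-overlayfs ${fov:-not installed}: need >= $FUSE_OVERLAYFS_MIN for rootless builds"
        fi
    fi

    if [ -f vault_passphrase.gpg ] && command -v gpg >/dev/null 2>&1; then
        if vault_passphrase >/dev/null 2>&1; then
            echo "vault passphrase: decryptable with your GPG key"
        else
            echo "vault passphrase: cannot decrypt, request access via an issue"
        fi
    fi

    echo "next: $(playbook_cmd "${1:-}")"
}

if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `PREFLIGHT_RUN=1 sh preflight.sh container-engine` to get the checks plus the tag-restricted command, or without an argument for the full playbook. The version comparison deliberately accepts Debian package strings such as 1.4.1-1 so the fuse-overlayfs check works against dpkg's reported version rather than a hand-edited number.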

Configuration

The relevant default variables are configured in the group_vars directory, but some variables are host-specific. For those, simply create a file in the host_vars directory called <hostname>.yml, e.g. host_vars/cont1.noris.fsfeurope.org.yml. So far, the following configuration is tested to work on a fresh and minimal Debian 11 install.

Additional Resources

Third-party Ansible roles used in this playbook are: