Linus Sehn af9a1552c8
All checks were successful
continuous-integration/drone/push Build is passing
chore: bump ansible-docker-rootless
2023-07-18 14:21:36 +02:00

Container Server Playbook


Configure a host to run containers

Background

Not every host we have needs to run containers. If it does, however, this playbook is the place to start. Currently, it does the following:

  • sets up Docker in rootless mode
  • configures Caddy with automatic certificate generation to act as a reverse proxy, with docker2caddy for automatic config generation based on container labels
  • configures a Drone Docker runner
  • sets up backup steps and cron jobs

Security

This playbook repository contains secrets that are encrypted using the Ansible vault. The passphrase to decrypt the vault lives in the GPG-encrypted file vault_passphrase.gpg. If you need access to the encrypted parts of this playbook or you want to be able to encrypt variables whilst setting up a new host, simply create an issue in this repository and we will review your request.
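One way to hand the GPG-protected passphrase to Ansible without ever writing it to disk in the clear is an executable vault password script: Ansible runs any executable passed via --vault-password-file and uses its stdout as the vault passphrase. The following is an added example and not part of the container-server repository; the file name vault_passphrase.gpg comes from this README, while the script name vault_pass.sh, the environment variables VAULT_PASSPHRASE_FILE and DECRYPT_CMD, and the gpg flags used are assumptions for illustration.

```shell
#!/bin/sh
# vault_pass.sh: added example, not part of the container-server repository.
# Ansible treats an executable --vault-password-file as a program and reads the
# vault passphrase from its stdout, so the plaintext never has to live on disk.
set -eu

# Assumed names: the README only says the passphrase lives in vault_passphrase.gpg.
VAULT_PASSPHRASE_FILE="${VAULT_PASSPHRASE_FILE:-vault_passphrase.gpg}"
# Decryption command; overridable so the function can be exercised without gpg.
DECRYPT_CMD="${DECRYPT_CMD:-gpg --quiet --batch --decrypt}"

# Print the vault passphrase to stdout. Returns non-zero when the encrypted file
# is missing or unreadable, when decryption fails, or when the result is empty,
# so ansible-playbook fails loudly instead of silently using an empty key.
vault_passphrase() {
  if [ ! -r "$VAULT_PASSPHRASE_FILE" ]; then
    echo "vault_pass: $VAULT_PASSPHRASE_FILE not found or not readable" >&2
    return 1
  fi
  pass=$($DECRYPT_CMD "$VAULT_PASSPHRASE_FILE") || return 1
  if [ -z "$pass" ]; then
    echo "vault_pass: decrypted passphrase is empty" >&2
    return 1
  fi
  printf '%s\n' "$pass"
}

# Act as the password program only when invoked under this script's own name;
# sourcing the file merely defines the function.
case "${0##*/}" in
  vault_pass.sh) vault_passphrase ;;
esac
```

Make the script owner-executable only (chmod 0700 vault_pass.sh) and run ansible-playbook playbook.yml --vault-password-file ./vault_pass.sh, or point vault_password_file in ansible.cfg at it. The same script serves ansible-vault encrypt_string --vault-password-file ./vault_pass.sh when encrypting a new host variable, so the passphrase is only ever held in the gpg-agent and the process's stdout pipe.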

Install

You need a host that runs at least Debian 11 and an up-to-date version of our inventory, the latter of which can be attained by running:

git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/container-server.git

or when you have already cloned the repository without recursing into submodules:

git submodule update --remote inventory

Next, you need Ansible. To install and use the version of Ansible this playbook is tested with (2.11), get a working version of pipenv and run:

pipenv install
pipenv shell

Gotchas

The version of fuse-overlayfs shipped in Debian Buster (0.3-1) was too old and caused problems when building images, e.g. via docker-compose in rootless mode. After installing the version available in Bullseye (1.4.1), the problem was fixed and all builds succeeded. This will be monitored.

Usage

In order to ...

you need to do two things:

  1. Apply the label container_server to the desired hosts in the inventory.
  2. Then, simply run:

ansible-playbook playbook.yml

If you just want to install the container engine, run:

ansible-playbook playbook.yml --tags container-engine

Configuration

The relevant default variables are configured in the group_vars directory, but some variables are host-specific. For those, create a file in the host_vars directory named <hostname>.yml, e.g. host_vars/cont1.noris.fsfeurope.org.yml. So far, the following configuration is tested to work on a fresh and minimal Debian 11 install.

Additional Resources

Third-party Ansible roles used in this playbook are:
