# Container Server Playbook

Configure a host to run containers

## Background
Not every host we have needs to run containers. If it does, however, this playbook is the place to start. Currently, it does the following:
- sets up Docker in rootless mode
- configures Caddy with automatic certificate generation to act as a reverse proxy, with docker2caddy for automatic config generation based on container labels
- configures a Drone Docker runner
- sets up backup steps and cron jobs
## Security

This playbook repository contains secrets that are encrypted using Ansible Vault. The passphrase to decrypt the vault lives in the GPG-encrypted file `vault_passphrase.gpg`. If you need access to the encrypted parts of this playbook or you want to be able to encrypt variables whilst setting up a new host, simply create an issue in this repository and we will review your request.
## Install

You need a host that runs at least Debian 11 and an up-to-date version of our inventory, the latter of which can be attained by running:

```sh
git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/container-server.git
```

or, when you have already cloned the repository without recursing into submodules:

```sh
git submodule update --remote inventory
```

Next, you obviously need Ansible. To obtain and use the version of Ansible this playbook is tested with (2.11), obtain a working version of `pipenv` and run:

```sh
pipenv install
pipenv shell
```
## Gotchas

The current version of `fuse-overlayfs` in Debian Buster was too old (0.3-1) and caused problems when building images, e.g. via `docker-compose` in rootless mode. After installing the version which will be available in Bullseye (1.4.1), the problem was fixed and all builds succeeded. This will be monitored.
## Usage

In order to

- install the container engine (currently Docker in rootless mode) along with `docker-compose` and `ctop`,
- configure Caddy as a reverse proxy, and docker2caddy to automatically create config files,
- configure the Drone Docker runner and connect it to the FSFE's Drone server,
- create the necessary sudo permissions for our monitoring system to be able to read health information,
- create pre-backup tasks to be run before the regular backup, and set up cron jobs,

you need to do two things:

- Apply the label `container_server` to the desired hosts in the inventory.
- Then, simply run:

```sh
ansible-playbook playbook.yml
```

If you just want to install the container engine, run:

```sh
ansible-playbook playbook.yml --tags container-engine
```
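The vault workflow from the Security section, as an added example that is not the repository's own `open_the_vault.sh`: a wrapper that decrypts `vault_passphrase.gpg` only for the duration of one playbook run and refuses to start while a vault-protected file is sitting in plaintext. The file paths, the `run` subcommand and the vault-header check are assumptions, not part of this playbook.

```bash
#!/usr/bin/env bash
# Added example, not the repository's own open_the_vault.sh: decrypt the
# GPG-protected vault passphrase only for the duration of one playbook run,
# and refuse to proceed while a vault-protected file is sitting in plaintext.
set -eu

# Assumed paths; the repository's real layout may differ.
VAULT_PASSPHRASE_GPG="${VAULT_PASSPHRASE_GPG:-vault_passphrase.gpg}"
PLAYBOOK="${PLAYBOOK:-playbook.yml}"

# Return 0 when the file starts with an Ansible Vault header (format 1.1 or
# 1.2, AES256) and 1 for anything else, including a missing or empty file.
is_vault_encrypted() {
    local header
    IFS= read -r header 2>/dev/null < "$1" || return 1
    case "$header" in
        '$ANSIBLE_VAULT;1.'[12]';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every argument that is not vault-encrypted and return 1 if any is,
# so the function can double as a pre-commit check over the vault files.
check_vault_files() {
    local rc=0 f
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            printf 'not vault-encrypted: %s\n' "$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run the playbook. The passphrase is decrypted with the caller's GPG key into
# a 0600 file in a private temporary directory that is removed on exit, so it
# never appears on the command line, in shell history or in the process list.
run_playbook() {
    umask 077
    tmpdir="$(mktemp -d)"
    trap "rm -rf '$tmpdir'" EXIT   # expanded now, so the path survives the function
    gpg --quiet --batch --decrypt "$VAULT_PASSPHRASE_GPG" > "$tmpdir/vault-pass"
    ansible-playbook "$PLAYBOOK" --vault-password-file "$tmpdir/vault-pass" "$@"
}

# Invoke as: ./run-playbook.sh run [--tags container-engine] [--limit <host>]
case "${1:-}" in
    run) shift; run_playbook "$@" ;;
esac
```

Run `check_vault_files` over your encrypted `group_vars`/`host_vars` files from a pre-commit hook so a forgotten `ansible-vault encrypt` never reaches the repository.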
## Configuration

The default relevant variables are configured in the `group_vars` directory, but some variables are host-specific. Simply create a file in the `host_vars` directory called `<hostname>.yml`, e.g. `host_vars/cont1.noris.fsfeurope.org.yml`.

So far, the following configuration is tested to work on a fresh and minimal Debian 11 install.
## Additional Resources

Third-party Ansible roles used in this playbook are:
- ansible-docker-rootless by Thomas Sjögren