Commit 03afaed3 authored by jabertwo's avatar jabertwo

erste services auf testserver installieren

parent 314865ba
Showing
with 3653 additions and 24 deletions
......@@ -5,21 +5,4 @@ ansible_python_interpreter: /usr/bin/python3
# Globale Variablen für alle Server
# Letsencrypt notification mail
letsencrypt_mail: verwaltung@warpzone.ms
# Zentrale InfluxDb für Systemmonitoring
influxdb_sysmon:
url: "http://192.168.0.201:18086"
db: "influx"
user: "influx"
password: "influx"
# Zentrale InfluxDb für Snmp Daten
influxdb_snmp:
url: "http://192.168.0.201:28086"
db: "influx"
user: "influx"
password: "influx"
letsencrypt_mail: verwaltung@warpzone.ms
\ No newline at end of file
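Review bot: If both `letsencrypt_mail: verwaltung@warpzone.ms` lines (the one near the top of the hunk and the one directly before the missing-newline marker) survive on the new side, the file ends up with a duplicate top-level key; the rendered view does not make the old/new side of each line certain, so this should be checked against the raw diff. Ansible's YAML loader only warns about duplicate dict keys by default and keeps the last value, so the duplicate is silent at runtime but confusing to the next editor. Keep a single `letsencrypt_mail:` entry and add the trailing newline the marker complains about.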
# Globale Variablen für alle produktiven Server
# SMTP Settings
smtp_domain: enteentelos.com
smtp_host: mailserver.enteentelos.com
smtp_domain: test-warpzone.de
smtp_host: mailserver.test-warpzone.de
smtp_port: 587
noreply_email_user: noreply@enteentelos.com
noreply_email_user: noreply@test-warpzone.de
# Globale Domains
global_domains:
warpzonems:
domain: test-warpzone.de
# Globale Mail konfiguration
mail_domains:
warpzonems:
maildomain: "test-warpzone.de"
mxserver: "mailserver.test-warpzone.de"
mxhostname: "webserver"
spf: "v=spf1 mx a:mailserver.test-warpzone.de ip4:{{ hostvars['webserver'].ext_ip4 }} ip6:{{ hostvars['webserver'].ext_ip6 }} -all"
dmarc: "v=DMARC1; p=none;"
dkim:
- { selector: "dkim", value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxNnNZElbWq9EonFULbr8vWWykKmZEylRwjo4lYx/lXsGDFWBuNh2s6gFF10OuHWtavokjvh/7sFidNaRYQkn3uwHmylBWFn7Jr2lPWY8PBEoIeAZZx5qHaDWxJVgzE7maFyXAswDGXcR/DRTn2xR6osNXOovjGeYXq/atR/45iwfgkhqAaXaV1uP/K9y\" \"y2sZ2dRtGEwCKsWbP26cOZ6MUcADszgUTEp59iKey79m0uwi0IpA8WjEKVwbMcf/6fBw1ejIEjVUX+bami2fQ6RPl4uEyloco4paV3w/vww2hh4VchCFLYAEKMkZOZs/eTDGsjaMguwHbPeVJjkpX2T6WQIDAQAB" }
member_warpzonems:
maildomain: "member.test-warpzone.de"
mxserver: "mailserver.test-warpzone.de"
mxhostname: "webserver"
spf: "v=spf1 mx a:mailserver.test-warpzone.de ip4:{{ hostvars['webserver'].ext_ip4 }} ip6:{{ hostvars['webserver'].ext_ip6 }} -all"
dkim:
- { selector: "dkim", value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu334a+uJ5b7D8UTz3Up6A8EjZhEnXaIpiIcKAGPXXD2ZBGmkWfUNcwDcfMoDErH6ntXzf0uH2VMvaajB/wdKLyly1irDKoyjLA3hJb5wnF9Gh0anL1qxY6UA189vWsw+2JlZJWyQ3IcaQ720SM3OrrK4AL3gRItieSEQ+23m5aW0P6sgUuMXTmmKLbd4\" \"DzZ14Emw293TD2p4gJtgxW/6EfIfcUU+/jP1NNm9gksyzynH1pJXPwVruo9u4QujEQiPqtVsVtrtUm1kbnW+pexj3eKOLLEHGZ+p5AZ/jtALk9pJfNumm/XHFK5PTZDBIipXOYvuG8RdwsaCQRezGKy04QIDAQAB" }
lists_warpzonems:
maildomain: "lists.test-warpzone.de"
mxserver: "mailserver.test-warpzone.de"
mxhostname: "webserver"
spf: "v=spf1 mx a:mailserver.test-warpzone.de ip4:{{ hostvars['webserver'].ext_ip4 }} ip6:{{ hostvars['webserver'].ext_ip6 }} -all"
dkim:
- { selector: "dkim", value: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoO7SXkUkM17Y1Vi/cvO48IJmlReGWSaYHY+wEldLHt80TiXP0AGZ8nG+DshXi1J2D5xjn8cJu4VqgDrLFnsRJyGYKmi7yVukANVg6gjYlET4y5+UU7Vk2W3xhN2U/8F0rcyynALzQa8i4Y/wEI0qkgHyE6+lITmglJvlj6tgp4YYK2TBH3Zo//PukOmU\" \"6gG/qu0+6p+CepvqzfGT2l1duov5a2+DJJzlJTULJ5D5Blsmg/0GeC81gZ4QDC3S8aaM5Pw3I3lQCSJT4Q4Ge6Ues4ccagNrdnZhtHNaVFGdL1mR1k+G784gpMZphPj5MylNEpA3V4bD7/Ygf4GuAvHdMwIDAQAB" }
# Monitoring
monitoring:
external_dns_servers:
- { ip: "1.1.1.1", name: "Cloudflare" }
- { ip: "8.8.8.8", name: "Google" }
- { ip: "9.9.9.9", name: "Quad9" }
# Host spezifische Variablen
motd_lines:
- "Testserver"
- "Öffentliche IPs: {{ansible_eth0.ipv4.address}} / {{ansible_eth0.ipv6[0].address}}"
debian_sources:
- "deb http://ftp2.de.debian.org/debian/ bookworm main contrib non-free"
- "deb http://ftp.debian.org/debian bookworm-updates main contrib non-free"
- "deb http://security.debian.org/ bookworm-security main contrib non-free"
- "deb https://download.docker.com/linux/debian bookworm stable"
debian_keys_id:
debian_keys_url:
- "https://download.docker.com/linux/debian/gpg"
# Primäre IP Adressen des Hosts
ext_ip4: 159.69.57.56
ext_ip6: 2a01:4f8:231:8a1:159:69:57:56
int_ip4: 127.0.0.1
# Art des Hosts: physical, vm, docker
host_type: "lxc"
# SSL aktivieren
webserver_ssl: true
# Liste der gehosteten Domänen
webserver_domains:
- "test-warpzone.de"
# - "api.test-warpzone.de"
# - "auth.test-warpzone.de"
- "gitlab.test-warpzone.de"
# - "matrix.test-warpzone.de"
# - "mailserver.test-warpzone.de"
# - "ldap.test-warpzone.de"
# - "keycloak.test-warpzone.de"
# - "md.test-warpzone.de"
# - "turn.test-warpzone.de"
- "wiki.test-warpzone.de"
- "www.test-warpzone.de"
# - "workadventure.test-warpzone.de"
# - "play.workadventure.test-warpzone.de"
# - "pusher.workadventure.test-warpzone.de"
# - "api.workadventure.test-warpzone.de"
# - "icon.workadventure.test-warpzone.de"
# #OpenVPN Konfigurationen
# openvpn_server:
# - "server-zone"
# - "server-verwaltung"
administratorenteam:
- "void"
- "sandhome"
- "jabertwo"
# Docker konfigurationen
docker:
# Interne Docker-Netzwerke
internal_networks:
- web
# Monitoring aktivieren
alert:
load:
warn: 5
crit: 10
containers:
#- { name: "coturn_coturn_1" }
- { name: "dockerstats-app-1" }
#- { name: "dokuwiki_app_1" }
- { name: "gitlab-app-1" }
- { name: "gitlab-dind-1" }
- { name: "gitlab-runner-1" }
#- { name: "hackmd_app_1" }
#- { name: "hackmd_db_1" }
#- { name: "icinga_app_1" }
#- { name: "icinga_db_1" }
#- { name: "icinga_graphite_1" }
#- { name: "keycloak_app_1" }
#- { name: "keycloak_db_1" }
#- { name: "keycloak_sync-group-active_1" }
#- { name: "ldap_openldap_1" }
#- { name: "ldap_phpldapadmin_1" }
#- { name: "mail_admin_1" }
#- { name: "mail_antispam_1" }
#- { name: "mail_certdumper_1" }
#- { name: "mail_db_1" }
#- { name: "mail_front_1" }
#- { name: "mail_imap_1" }
#- { name: "mail_oletools_1" }
#- { name: "mail_redis_1" }
#- { name: "mail_resolver_1" }
#- { name: "mail_smtp_1" }
#- { name: "mail_webmail_1" }
#- { name: "mail_mailman-core_1" }
#- { name: "mail_mailman-web_1" }
#- { name: "mail_mailman-nginx_1" }
#- { name: "matrix_ma1sd_1" }
#- { name: "matrix_db_1" }
#- { name: "matrix_purgemediacache_1" }
#- { name: "matrix_synapse_1" }
#- { name: "matterbridge_cw_1" }
#- { name: "matterbridge_wz_1" }
#- { name: "matterbridge_web_1" }
#- { name: "matterbridge_restarter_1" }
- { name: "traefik-app-1" }
#- { name: "vpnserver_app_1" }
#- { name: "warpapi_app_1" }
#- { name: "watchtower_app_1" }
- { name: "wordpress-app-1" }
- { name: "wordpress-db-1" }
#- { name: "workadventure_back_1" }
#- { name: "workadventure_front_1" }
#- { name: "workadventure_icon_1" }
#- { name: "workadventure_pusher_1" }
#- { name: "workadventure_redis_1" }
disks:
- { mountpoint: "/", warn: "5 GB", crit: "1 GB" }
- { mountpoint: "/srv", warn: "5 GB", crit: "1 GB" }
# # Definition von Borgbackup Repositories
# borgbackup_repos:
# # warpsrvint:
# # # URL des Repos
# # repo: "ssh://warpzone@192.168.0.201:22/data/warpzone/webserver"
# # # Repo-spezifische Optionen zum Aufruf von Borgbackup
# # # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
# # options: ""
# # # Compression Options, z,b. "zlib,5, "zstd,5"
# # compression: "zlib,5"
# # # Prune Optionen
# # prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
# # # Backup Schedule
# # weekday: "*"
# # hour: "6"
# # minute: "0"
# # # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen
# # # directories:
# # # Monitoring
# # alert: true
# # warning_age: 26
# # critical_age: 50
# # warning_count: 10
# # critical_count: 5
# borgbase:
# # URL des Repos
# repo: "ani9ve0q@ani9ve0q.repo.borgbase.com:repo"
# # Repo-spezifische Optionen zum Aufruf von Borgbackup
# # z.B. bei Sicherungen zu rsync.net ist --remote-path=borg1 erforderlich
# options: ""
# # Compression Options, z,b. "zlib,5, "zstd,5"
# compression: "zlib,5"
# # Prune Optionen
# prune: "--keep-within=2d --keep-daily=7 --keep-weekly=4 --keep-monthly=6"
# # Backup Schedule
# weekday: "*"
# hour: "4"
# minute: "10"
# # Zusätzliche Verzeichnisse, die nur in diesem Backup gesichtert werden sollen
# # directories:
# # Monitoring
# alert: true
# warning_age: 26
# critical_age: 50
# warning_count: 10
# critical_count: 5
# # Definition der Verzeichnisse, die in allen Borgbackup Repos gesichert werden sollen
# borgbackup_directories:
# - "/etc/"
# - "/srv/"
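Review bot: The `spf` values under `mail_domains` interpolate `hostvars['webserver'].ext_ip4` / `.ext_ip6` and `mxhostname` is `"webserver"`, but the host this commit adds to the inventory is `test-warpzone-de`, and this very file defines `ext_ip4: 159.69.57.56` / `ext_ip6: 2a01:4f8:231:8a1:159:69:57:56` for it. Unless a `webserver` host exists elsewhere in the inventory (not visible here), templating these values fails with an undefined-hostvar error as soon as a role consumes `mail_domains`; if it does exist, the SPF record would authorise the production server's addresses to send mail for the test domain. Consider `ip4:{{ ext_ip4 }} ip6:{{ ext_ip6 }}` in the three `spf` strings and `mxhostname: "test-warpzone-de"`. The mail roles are commented out for this host in site.yml, so the problem is dormant for now.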
......@@ -70,4 +70,12 @@ event:
# Wichtige Optionen: Nesting = Yes, keyctl = enabled
hix:
ansible_ssh_host: 10.111.10.101
ansible_user: root
test:
children:
vms:
hosts:
test-warpzone-de:
ansible_ssh_host: 2a01:4f8:231:8a1:159:69:57:56
ansible_user: root
\ No newline at end of file
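Review bot: `ansible_user: root` for the new `test-warpzone-de` host means SSH root login has to stay enabled on the public IPv6 address given as `ansible_ssh_host`; the `hix` host above follows the same pattern, so this is consistent with the file, but on an internet-facing test box it deserves a second look. If root login is kept, sshd should be set to `PermitRootLogin prohibit-password` so only key authentication is accepted for it; a dedicated `ansible` user with `become: true` in the play is the more conventional shape. The remainder of the inventory is outside this hunk, so whether `test`/`vms` mirrors the existing group layout cannot be verified here.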
......@@ -14,6 +14,44 @@
# Test Server
##################################################
- hosts: test-warpzone-de
remote_user: root
roles:
- { role: common/cronapt, tags: cronapt }
- { role: common/docker, tags: docker }
# - {
# role: testserver/docker_dockerstats, tags: dockerstats,
# servicename: dockerstats,
# basedir: /srv/dockerstats
# }
- {
role: testserver/docker_traefik, tags: traefik,
servicename: traefik,
basedir: /srv/traefik,
domain: "test-warpzone.de",
domain_default: "www.test-warpzone.de",
}
- {
role: testserver/docker_dokuwiki, tags: dokuwiki,
servicename: "dokuwiki",
domain: "wiki.test-warpzone.de",
basedir: /srv/dokuwiki,
# healthchecks_url: "https://hc-ping.com/038adcfe-05bf-45b4-919b-88b69aab8844"
}
- {
role: testserver/docker_gitlab, tags: gitlab,
servicename: "gitlab",
domain: "gitlab.test-warpzone.de",
domain_registry: "gitlab-registry.test-warpzone.de"
}
- {
role: testserver/docker_wordpress, tags: wordpress,
servicename: "wordpress",
basedir: /srv/wordpress,
domain: "www.test-warpzone.de"
}
##################################################
# Produktive Server
##################################################
......
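Review bot: The commented-out `healthchecks_url` in the dokuwiki role entry carries a hc-ping.com ping UUID, and that UUID is all that is needed to post a successful ping for the check, so it is effectively a credential; commenting it out still leaves it in the repository history. If the check is a live one (it reads like it was copied from the production play), rotate it and load it through the repo's `get_secret.yml` mechanism rather than keeping it in site.yml, e.g. `- { path: /srv/dokuwiki/healthchecks_url, length: -1 }`. The play also runs everything with `remote_user: root`, consistent with the inventory entry but worth keeping in mind for an internet-facing host. The production plays that follow start outside this hunk.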
---
- name: "create folder struct for {{ servicename }}"
file:
path: "{{ item }}"
state: "directory"
with_items:
- "{{ basedir }}"
- name: Konfig-Dateien erstellen
template:
src: "{{ item }}"
dest: "{{ basedir }}/{{ item }}"
with_items:
- Dockerfile
- docker-compose.yml
register: config
- name: "stop {{ servicename }} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: absent
- name: "start {{ servicename }} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: present
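Review bot: The `stop … docker` task has no `when: config.changed` guard, so every playbook run tears the dockerstats stack down (`state: absent`) and brings it back up even when neither the Dockerfile nor docker-compose.yml changed; the dokuwiki and gitlab roles in this commit gate their stop task on the registered template result. Add `when: config.changed` to the stop task, which also turns the following start task into a no-op when nothing changed. The `register: config` on the template loop already provides the signal.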
FROM node:21-alpine
RUN apk update \
&& apk upgrade \
&& apk add --no-cache git
RUN mkdir -p /usr/src/app \
&& cd /usr/src/app \
&& git clone https://github.com/elberfeld/docker_stats_exporter.git \
&& cd /usr/src/app/docker_stats_exporter \
&& git checkout 2020.07.30.1 \
&& npm install
WORKDIR /usr/src/app/docker_stats_exporter
EXPOSE 9487
ENV DOCKERSTATS_PORT=9487 DOCKERSTATS_INTERVAL=15 DEBUG=0
ENTRYPOINT [ "npm", "start" ]
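Review bot: The build clones `docker_stats_exporter` from GitHub and checks out the tag `2020.07.30.1`, but git tags are mutable, so the same Dockerfile can yield a different image if the upstream tag is moved; for a container that gets the host's Docker socket mounted, that is a supply-chain hole worth closing. Pin the full commit hash instead (`git checkout <commit-sha>`) after verifying once that it matches the tag, or vendor the exporter into the repo. `npm install` also resolves dependencies afresh on every build; `npm ci` against a committed lockfile would make the dependency set reproducible, assuming upstream ships one.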
version: "3"
services:
app:
build: .
restart: always
ports:
- "{{ int_ip4 }}:9487:9487"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker
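Review bot: Mounting `/var/run/docker.sock` into the exporter container hands it full control of the host Docker daemon (root-equivalent on the host), and `/usr/bin/docker` is mounted alongside it, so a compromise of the Node process or of one of the exporter's npm dependencies becomes a host compromise. The exporter only needs read access to container stats, so placing a Docker-socket proxy in front of it that permits only the GET endpoints it uses would reduce that to read-only access; `:ro` on the socket bind mount does not restrict API calls. Binding the metrics port to `{{ int_ip4 }}` (loopback in this host's vars) is the right call and should stay. `version: "3"` is ignored by the compose v2 module the tasks use and can be dropped.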
---
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/shared/noreply_email_pass, length: -1 }
- name: create folder struct for dokuwiki
file:
path: "{{item}}"
state: "directory"
with_items:
- "{{ basedir }}"
- "{{ basedir }}/data"
- "{{ basedir }}/pdftemplate"
- name: Docker Compose Konfig-Datei erstellen
template:
src: "{{item}}"
dest: "{{ basedir }}/{{item}}"
with_items:
- docker-compose.yml
- Dockerfile
register: config
# - name: Cronjob für Mailversand Plenumsmail
# cron:
# name: "sendmail_plenum"
# weekday: "0"
# hour: "20"
# minute: "0"
# job: "/usr/bin/python3 {{ basedir }}/sendmail_plenum.py"
# disabled: false
- name: "stop {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: absent
when: config.changed
- name: "start {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: present
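Review bot: The role reads `/srv/shared/noreply_email_pass` via `get_secret.yml`, but neither template it renders (`docker-compose.yml`, `Dockerfile`) references `noreply_email_pass`, so the secret is pulled into the play's facts without being consumed anywhere visible in this commit. If the mail settings are configured inside the DokuWiki data volume by hand, drop the include so the secret file is not created or read on a host that does not need it; if a template is supposed to consume it, that template is missing here. The `when: config.changed` guard on the stop task is the right pattern and worth copying into the other new roles.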
FROM php:8.3.2-apache-bookworm
# php-gd modul für dw2pdf plugin
RUN apt-get update && apt-get install -y \
libfreetype6-dev \
libjpeg62-turbo-dev \
libpng-dev \
&& docker-php-ext-configure gd --with-freetype --with-jpeg \
&& docker-php-ext-install -j$(nproc) gd
# Upload-Limits hoch setzen (Edit by Parad0x)
RUN touch /usr/local/etc/php/conf.d/uploads.ini \
&& echo "upload_max_filesize = 10M;" >> /usr/local/etc/php/conf.d/uploads.ini \
&& echo "post_max_size = 10M;" >> /usr/local/etc/php/conf.d/uploads.ini
# Configure LDAP.
RUN apt-get update \
&& apt-get install libldap2-dev -y \
&& docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
&& docker-php-ext-install ldap
# Change apache settings
RUN a2enmod rewrite
# Expose ports
EXPOSE 80
# startup
CMD ["apache2-foreground"]
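Review bot: Both `apt-get install` layers leave the package lists in `/var/lib/apt/lists` and keep the `-dev` headers and compiler toolchain in the final image; end each install layer with `&& rm -rf /var/lib/apt/lists/*` and consider purging the `-dev` packages once `docker-php-ext-install` has run. The trailing `;` in `upload_max_filesize = 10M;` starts an ini comment in PHP's parser, so the setting works but reads as if the semicolon belonged to the value; write `upload_max_filesize = 10M` and `post_max_size = 10M`. Pinning `php:8.3.2-apache-bookworm` exactly is good for reproducibility but means PHP security releases require a manual bump.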
version: "3"
services:
app:
# values set in configuration: noreply_email_user - noreply_email_pass - smtp_host - smtp_port
build: .
image: "dokuwiki--{{ ansible_date_time.date }}--{{ ansible_date_time.hour }}-{{ ansible_date_time.minute }}-{{ ansible_date_time.second }}"
restart: always
volumes:
- /srv/dokuwiki/data/:/var/www/html
- /srv/dokuwiki/pdftemplate/:/var/www/html/lib/plugins/dw2pdf/tpl/warpzone/
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
- traefik.http.routers.{{ servicename }}.entrypoints=websecure
- traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
networks:
- default
- web
networks:
web:
external: true
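Review bot: The `image:` tag is built from `ansible_date_time`, so the rendered docker-compose.yml differs on every run; the template task therefore always reports `changed`, the `when: config.changed` guard in tasks/main.yml never skips the stop/start, and each run builds and tags a fresh dokuwiki image while the previous ones are left dangling on the host. Use a stable name such as `image: "dokuwiki-local"` (compose rebuilds when the Dockerfile changes) or drop the `image:` key. Separately, the bind mount of `/srv/dokuwiki/data/` onto `/var/www/html` means the DokuWiki application code lives in the volume rather than the image, so rebuilding the image does not update DokuWiki itself — worth a comment if that is intended.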
---
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/shared/noreply_email_pass, length: -1 }
- { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
- { path: /srv/gitlab/runner_registration_token, length: -1 }
# Benötigte Verzeichnisstrukturen erstellen
- name: create folder structur for gitlab
file:
path: "{{ item }}"
state: directory
owner: root
group: root
with_items:
- "/srv/gitlab/"
- "/srv/gitlab/conf/"
- "/srv/gitlab/data/"
- "/srv/gitlab/log"
- "/srv/gitlab/runner"
# Konfigurationsdateien erstellen
- name: Konfig-Datei Gitlab
template:
src: "{{ item }}"
dest: "/srv/gitlab/{{ item }}"
with_items:
- "conf/gitlab.rb"
- "docker-compose.yml"
register: configs
- name: stop gitlab docker
community.docker.docker_compose_v2:
project_src: /srv/gitlab/
state: absent
when: configs.changed
- name: start gitlab docker
community.docker.docker_compose_v2:
project_src: /srv/gitlab/
state: present
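Review bot: The `Konfig-Datei Gitlab` template task renders `conf/gitlab.rb` with the default file mode, and the secrets loaded at the top of the role (`noreply_email_pass`, `ldap_readonly_pass`, `runner_registration_token`) are presumably substituted into that file (it is collapsed in this view), so they become readable by any local user if the umask yields 0644. Add `mode: "0600"`, `owner: root` and `group: root` to the template task, and give `/srv/gitlab/conf/` a `mode: "0750"` in the directory task. No LDAP role is deployed on the test server, so `/srv/ldap/secret/ldap_readonly_pass` may be generated fresh by `get_secret.yml` rather than read; confirm that the LDAP block in gitlab.rb is disabled for `test-warpzone-de`.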
version: "2.4"
services:
app:
image: gitlab/gitlab-ce:16.7.4-ce.0
restart: always
ports:
- "444:22"
volumes:
- /srv/gitlab/conf:/etc/gitlab
- /srv/gitlab/log:/var/log/gitlab
- /srv/gitlab/data:/var/opt/gitlab
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
- traefik.http.routers.{{ servicename }}.entrypoints=websecure
- traefik.http.routers.{{ servicename }}.service={{ servicename }}
- traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
- traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-cors-headers
- traefik.http.middlewares.{{ servicename }}-cors-headers.headers.accesscontrolalloworiginlist=*
- traefik.http.routers.{{ servicename }}_registry.rule=Host(`{{ domain_registry }}`)
- traefik.http.routers.{{ servicename }}_registry.entrypoints=websecure
- traefik.http.routers.{{ servicename }}_registry.service={{ servicename }}_registry
- traefik.http.services.{{ servicename }}_registry.loadbalancer.server.port=5005
networks:
- default
- web
# Docker in Docker for Gitlab-Runner execution
# see https://forum.gitlab.com/t/example-gitlab-runner-docker-compose-configuration/67344
dind:
image: docker:25-dind
restart: always
privileged: true
environment:
DOCKER_TLS_CERTDIR: ""
command:
- --storage-driver=overlay2
networks:
- default
runner:
restart: always
image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine
depends_on:
- dind
- app
environment:
- DOCKER_HOST=tcp://dind:2375
volumes:
- "/srv/gitlab/runner:/etc/gitlab-runner:z"
networks:
- default
# Runner Registration
# Excecute once when Gitlab is running
# register-runner:
# restart: 'no'
# image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine
# depends_on:
# - dind
# - app
# environment:
# - CI_SERVER_URL=https://{{ domain }}
# - REGISTRATION_TOKEN={{ runner_registration_token }}
# command:
# - register
# - --non-interactive
# - --locked=false
# - --name=warpzone-webserver
# - --executor=docker
# - --docker-image=docker:20-dind
# - --docker-volumes=/var/run/docker.sock:/var/run/docker.sock
# volumes:
# - "/srv/gitlab/runner:/etc/gitlab-runner:z"
# networks:
# - default
networks:
web:
external: true
default:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
# must be a ULA range
- subnet: fd00:dead:beef:444::/64
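Review bot: The `dind` service runs with `privileged: true` and `DOCKER_TLS_CERTDIR: ""`, which disables TLS and exposes an unauthenticated Docker API on `tcp://dind:2375` to every container on the `default` network, including the GitLab app itself; since a privileged dind container is root-equivalent on the host, any CI job that reaches that API, or any compromise of the GitLab container, escalates to the host. For a test server that may be an accepted trade-off, but it should be stated in a comment above `dind:`, and the commented-out `register-runner` block should not additionally mount the host's `/var/run/docker.sock` when jobs are meant to run inside dind. The `accesscontrolalloworiginlist=*` middleware overrides GitLab's own CORS handling for every response on the `{{ domain }}` router; restrict it to the origins that actually need it or drop it. The fixed ULA subnet `fd00:dead:beef:444::/64` is fine as long as no other stack on the host reuses it.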
# Eigene CA und Server Zertifikat erstellen, falls diese noch nicht existiert
- name: "Install Packages"
apt:
name: "{{ packages }}"
state: present
vars:
packages:
- python3-cryptography
- name: "Check if SelfSigned CA key exists"
stat:
path: "{{ basedir }}/ca.key"
register: ca_key_stat_result
- name: "Create SelfSigned CA key"
community.crypto.openssl_privatekey:
path: "{{ basedir }}/ca.key"
when: not ca_key_stat_result.stat.exists
- name: "Check if SelfSigned CA cert exists"
stat:
path: "{{ basedir }}/ca.pem"
register: ca_cert_stat_result
- name: "Check if SelfSigned CA cert CSR"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ basedir }}/ca.key"
common_name: "{{ selfSignedCN }} CA"
use_common_name_for_san: false # since we do not specify SANs, don't use CN as a SAN
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: true
key_usage:
- keyCertSign
key_usage_critical: true
register: ca_csr
when: not ca_cert_stat_result.stat.exists
- name: "Create SelfSigned CA cert from CSR"
community.crypto.x509_certificate:
path: "{{ basedir }}/ca.pem"
csr_content: "{{ ca_csr.csr }}"
privatekey_path: "{{ basedir }}/ca.key"
provider: selfsigned
when: not ca_cert_stat_result.stat.exists
- name: "Check if ServerCert key exists"
stat:
path: "{{ basedir }}/cert.key"
register: cert_key_stat_result
- name: "Create ServerCert key"
community.crypto.openssl_privatekey:
path: "{{ basedir }}/cert.key"
when: not cert_key_stat_result.stat.exists
- name: "Check if ServerCert cert exists"
stat:
path: "{{ basedir }}/cert.pem"
register: cert_cert_stat_result
- name: "Create ServerCert CSR"
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ basedir }}/cert.key"
subject_alt_name:
- "DNS:{{ selfSignedDomain }}"
- "DNS:{{ domain }}"
register: cert_csr
when: not cert_cert_stat_result.stat.exists
- name: "Create ServerCert from CSR"
community.crypto.x509_certificate_pipe:
csr_content: "{{ cert_csr.csr }}"
provider: ownca
ownca_path: "{{ basedir }}/ca.pem"
ownca_privatekey_path: "{{ basedir }}/ca.key"
ownca_not_after: +9999d # long lifetime
ownca_not_before: "-1d" # valid since yesterday
register: cert
when: not cert_cert_stat_result.stat.exists
- name: "Create ServerCert chain"
community.crypto.certificate_complete_chain:
input_chain: "{{ cert.certificate }}"
root_certificates:
- "{{ basedir }}/ca.pem"
register: cert_chain
when: not cert_cert_stat_result.stat.exists
- name: "Create ServerCert chain"
copy:
dest: "{{ basedir }}/cert.pem"
content: "{{ ''.join(cert_chain.complete_chain) }}"
when: not cert_cert_stat_result.stat.exists
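Review bot: The server certificate is only issued when `cert.pem` is missing, so if `ca.key` or `ca.pem` is ever deleted and regenerated (the CA tasks recreate each independently), the existing `cert.pem` no longer chains to the new CA and Traefik keeps serving it until someone removes `cert.pem` by hand. Register the CA creation results (`register: ca_key` on the key task, `register: ca_cert` on the cert task) and extend the condition on the four server-cert tasks to `when: not cert_cert_stat_result.stat.exists or ca_key.changed or ca_cert.changed`. `ownca_not_after: +9999d` is far beyond what clients accept for publicly trusted certificates; it works for a privately trusted CA but deserves a comment saying so. `community.crypto.openssl_privatekey` creates new key files with a restrictive mode as far as I recall, but writing `mode: "0600"` on both key tasks would make that intent explicit rather than relying on the module default.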
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: "{{ basedir }}/letsencrypt_notification_email", length: -1 }
when: selfSignedCN is not defined
- name: "create folder struct for {{ servicename }}"
file:
path: "{{ item }}"
state: "directory"
with_items:
- "{{ basedir }}"
- "{{ basedir }}/dynamic"
- name: "Check if CertStore exists"
stat:
path: "{{ basedir }}/acme.json"
register: acme_stat_result
- name: "Create CertStore if needed and set permissions"
file:
path: "{{ basedir }}/acme.json"
owner: root
group: root
mode: '600'
state: touch
when: not acme_stat_result.stat.exists
- name: "Create SelfSigned CA and Cert"
ansible.builtin.include_tasks: certificate.yml
when: selfSignedCN is defined
- name: Docker Compose Konfig-Datei erstellen
template:
src: "{{ item }}"
dest: "{{ basedir }}/{{ item }}"
with_items:
- docker-compose.yml
- traefik.yml
- dynamic/tls.yml
register: config
- name: redirect-default ersstellen, wenn domain_default definiert ist
template:
src: "{{ item }}"
dest: "{{ basedir }}/{{ item }}"
with_items:
- dynamic/redirect-default.yml
when: domain_default is defined
register: config
- name: "stop {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: absent
when: config.changed
- name: "start {{ servicename}} docker"
community.docker.docker_compose_v2:
project_src: "{{ basedir }}"
state: present
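Review bot: The `redirect-default` template task re-registers `config`, clobbering the result of the three-file template loop above it; when `domain_default` is not defined the task is skipped and `config.changed` is false, so changes to docker-compose.yml, traefik.yml or tls.yml never trigger the stop/start, and when it is defined (as in this play) only the redirect file is considered. Register it as `config_redirect` and change the stop guard to `when: config.changed or (config_redirect.changed | default(false))`. The `acme.json` handling (create once, `mode: '600'`) is correct — Ansible parses the quoted mode string as octal.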
version: '2.4'
services:
app:
image: traefik:v3.0.0-beta5
restart: always
ports:
- "80:80"
- "443:443"
{% if matrix_federation is defined and matrix_federation == true %} - "8448:8448"
{% endif %}
- "{{ int_ip4 }}:8081:8080"
volumes:
- "/srv/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
- "/srv/traefik/dynamic:/etc/traefik/dynamic:ro"
- "/srv/traefik/acme.json:/acme.json"
- "/var/run/docker.sock:/var/run/docker.sock"
{% if selfSignedCN is defined %}
- "{{ basedir }}/cert.pem:/cert.pem:ro"
- "{{ basedir }}/cert.key:/cert.key:ro"
{% endif %}
networks:
- default
- web
healthcheck:
test: ['CMD', 'traefik', 'healthcheck']
interval: 30s
timeout: 10s
retries: 3
# for debugging only
# whoami:
# image: containous/whoami
# labels:
# - traefik.enable=true
# - traefik.http.routers.{{ servicename }}.rule=Host(`{ domain }`)
# - traefik.http.routers.{{ servicename }}.entrypoints=websecure
# - traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
# networks:
# - web
networks:
web:
external: true
default:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
# must be a ULA range
- subnet: fd00:dead:beef:80::/64
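Review bot: Traefik gets `/var/run/docker.sock` mounted read-write, which makes the proxy container root-equivalent on the host; combined with the `traefik:v3.0.0-beta5` pre-release image this is the most exposed component on the box, since it terminates all inbound 80/443 traffic. A Docker-socket proxy that only permits the read-only container/network/events endpoints the docker provider needs would bound the blast radius (`:ro` on the bind mount does not restrict API calls), and pinning to a released v3 tag rather than a beta should happen before anything production-like runs behind it. Binding the API port to `{{ int_ip4 }}` (loopback in this host's vars) is good and should stay.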
http:
routers:
router-default:
entrypoints:
- websecure
rule: "Host(`{{ domain }}`)"
middlewares:
- redirect-default
service: service-default
services:
service-default:
loadBalancer:
servers:
- url: http://noop-dummy
middlewares:
redirect-default:
redirectRegex:
regex: "^https://{{ domain }}/(.*)"
replacement: "https://{{ domain_default }}/$1"
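Review bot: The `redirectRegex` pattern interpolates `{{ domain }}` unescaped, so the `.` in `test-warpzone.de` matches any character; the `Host()` rule on `router-default` keeps this from mattering today, but the regex is looser than intended. Use `regex: "^https://{{ domain | regex_escape }}/(.*)"`, and write the replacement as `https://{{ domain_default }}/${1}` as Traefik's documentation does, which avoids ambiguity should anything ever follow the group reference. Leaving the redirect non-permanent is a sensible choice while the default domain may still change on a test server.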
# TLS Options
tls:
{% if selfSignedCN is defined %}
# use local certificate
certificates:
- certFile: "/cert.pem"
keyFile: "/cert.key"
{% endif %}
options:
default:
sniStrict: true
minVersion: "VersionTLS12"
curvePreferences:
- "secp521r1"
- "secp384r1"
cipherSuites:
- "TLS_AES_128_GCM_SHA256"
- "TLS_AES_256_GCM_SHA384"
- "TLS_CHACHA20_POLY1305_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
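Review bot: `cipherSuites` lists only `TLS_ECDHE_RSA_*` suites for TLS 1.2, so if the Let's Encrypt resolver ever issues an ECDSA certificate (or the self-signed path is switched to an EC key) TLS 1.2 clients have no matching suite and the handshake fails; add the `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` counterparts. The three `TLS_AES_*`/`TLS_CHACHA20_*` entries are TLS 1.3 suites, which Go's TLS stack does not allow to be configured, so they are ignored — harmless, but worth a one-line comment. `curvePreferences` omits `X25519`, the fastest and most widely supported option; listing it first costs nothing. `sniStrict: true` and `minVersion: "VersionTLS12"` are good defaults.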
# Global settings
global:
checkNewVersion: true
# Entrypoints
entryPoints:
# HTTP, redirect all to HTTPS
web:
address: ":80"
http:
redirections:
entryPoint:
to: "websecure"
scheme: "https"
permanent: true
# HTTPS, get certificates from letsencrypt
websecure:
address: ":443"
http:
tls:
certResolver: "letsencrypt"
{% if matrix_federation is defined and matrix_federation == true %}
# additional entrypoint for matrix-federation
matrix_federation:
address: ":8448"
http:
tls:
certResolver: "letsencrypt"
{% endif %}
# Discover configuration via docker
# use network 'web' for interconnect
providers:
docker:
watch: true
endpoint: "unix:///var/run/docker.sock"
network: "web"
exposedByDefault: false
file:
directory: "/etc/traefik/dynamic"
watch: true
# Traefik API and dashboard
api:
insecure: true
dashboard: true
debug: false
# Enable Ping endpoint for docker healthcheck
ping: {}
# Enable prometheus metrics
metrics:
prometheus:
addEntryPointsLabels: true
addServicesLabels: true
# Logging
log:
level: "INFO"
format: "common"
{% if selfSignedCN is not defined %}
# get certificates from letsEncrypt
certificatesResolvers:
letsencrypt:
acme:
email: "{{ letsencrypt_notification_email }}"
storage: "/acme.json"
tlsChallenge: true
{% endif %}
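Review bot: `api.insecure: true` serves the API and dashboard unauthenticated on port 8080 of the Traefik container; the compose file binds that port to `{{ int_ip4 }}` on the host, but the container also sits on the shared `web` network, so gitlab, dokuwiki and anything else attached to `web` can read the full routing configuration and the Prometheus metrics from `traefik:8080` directly. If the dashboard is wanted, set `api.insecure: false` and expose it via a router on `websecure` with a `basicAuth` middleware; otherwise disable it. `checkNewVersion: true` makes the proxy call out to Traefik's update endpoint — fine for a test box, but worth turning off if outbound calls are meant to be limited. There is no `accessLog` section, so the proxy keeps no request log at all; enabling `accessLog: {}` would help with incident analysis.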