From 18ae3aaf4ed037f0b5cd54b7e3b6bcd181c15982 Mon Sep 17 00:00:00 2001 From: Chewing_Bever Date: Sat, 12 Nov 2022 12:21:39 +0100 Subject: [PATCH] Copy over some initial stuff --- README.md | 38 ++++++++++++++++++++ ansible.cfg | 2 ++ hosts.template.ini | 7 ++++ main.yml | 17 +++++++++ roles/docker/tasks/main.yml | 53 ++++++++++++++++++++++++++++ roles/init-nfs/handlers/main.yml | 7 ++++ roles/init-nfs/tasks/main.yml | 39 ++++++++++++++++++++ roles/init-nfs/templates/exports.j2 | 1 + roles/mount-nfs/tasks/main.yml | 13 +++++++ roles/net-security/tasks/main.yml | 14 ++++++++ roles/replace-python2/tasks/main.yml | 19 ++++++++++ 11 files changed, 210 insertions(+) create mode 100644 README.md create mode 100644 ansible.cfg create mode 100644 hosts.template.ini create mode 100644 main.yml create mode 100644 roles/docker/tasks/main.yml create mode 100644 roles/init-nfs/handlers/main.yml create mode 100644 roles/init-nfs/tasks/main.yml create mode 100644 roles/init-nfs/templates/exports.j2 create mode 100644 roles/mount-nfs/tasks/main.yml create mode 100644 roles/net-security/tasks/main.yml create mode 100644 roles/replace-python2/tasks/main.yml diff --git a/README.md b/README.md new file mode 100644 index 0000000..c08a1a2 --- /dev/null +++ b/README.md 
@@ -0,0 +1,38 @@ +# ansible-docker-swarm + +This repository contains a complete Ansible config for setting up a Docker +Swarm on Debian 10-based nodes. I personally use it for a swarm of Raspberry +Pi's, but in theory it should work with other hosts as well. + +## Inventory file + +A template for the inventory file can be found in `hosts.template.ini`. The +hosts consists of three main groups: + +* `admin`: the admin is the host that initializes the Swarm. It serves several + functions: + * It's used to initialize the Swarm. + * It serves as the entrypoint to the Swarm. + * It hosts the NFS share that's used for persistent storage. +* `managers`: these are the nodes that should be added as manager. +* `workers`: these nodes will be added as workers. + +## Roles + +The config is divided into several roles to make management easier: + +* `install-python3`: replaces Python 2 with Python 3. This role currently + crashes, because Ansible doesn't like it when you change the Python install + during a run, but a consecutive run does work. +* `install-net-security`: installs UFW & Fail2Ban & configures them +* `install-docker`: installs Docker & any Docker-related tools +* `init-docker-swarm`: initializes the Swarm on the `admin` host +* `add-docker-swarm-managers`: adds the manager nodes to the swarm +* `add-docker-swarm-workers`: adds the worker nodes to the swarm +* `deploy-portainer`: deploys Portainer + +## Use of Portainer + +Portainer is a tool created for managing Docker engines, and in particular +Docker Swarm. Because I use Portainer for setting up all other services, it's +the only Docker service that I actually set up using Ansible. diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..5224259 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +inventory = hosts.ini diff --git a/hosts.template.ini b/hosts.template.ini new file mode 100644 index 0000000..892c487 --- /dev/null +++ b/hosts.template.ini 
@@ -0,0 +1,7 @@ +# The admin is the main host that initializes the swarm +admin ansible_host= + +[managers] + + +[workers] diff --git a/main.yml b/main.yml new file mode 100644 index 0000000..2c4c28b --- /dev/null +++ b/main.yml @@ -0,0 +1,17 @@ +--- +- name: Initalize base server. + hosts: all + become: yes + roles: + - net-security + tags: base + +# TODO set up samba + +# Runs last because it changes the Python symlink +- name: Replace Python 2 with Python 3. + hosts: all + become: yes + roles: + - replace-python2 + tags: base diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml new file mode 100644 index 0000000..b37a479 --- /dev/null +++ b/roles/docker/tasks/main.yml @@ -0,0 +1,53 @@ +--- +- name: Ensure older Docker versions aren't installed. + apt: + name: + - docker + - docker-engine + - docker.io + - containerd + - runc + state: absent + +- name: Install Docker PPA dependencies. + apt: + name: + - apt-transport-https + - ca-certificates + - gnupg + - lsb-release + state: present + +- name: Add Docker GPG key. + apt_key: + url: https://download.docker.com/linux/ubuntu/gpg + state: present + +- name: Add Docker PPA. + apt_repository: + # https://gist.github.com/rbq/886587980894e98b23d0eee2a1d84933 + repo: deb [arch=amd64] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable + state: present + +- name: Install Docker, docker-compose & cron. + apt: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-compose + - cron + state: present + +- name: Ensure Docker is running & enabled. + service: + name: docker + state: started + enabled: true + +- name: Add Docker prune cronjob. + cron: + name: Prune the Docker system. + hour: 4 + minute: 0 + job: docker system prune -f diff --git a/roles/init-nfs/handlers/main.yml b/roles/init-nfs/handlers/main.yml new file mode 100644 index 0000000..9ea2ff8 --- /dev/null +++ b/roles/init-nfs/handlers/main.yml 
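Review bot: `become: yes` in both plays of main.yml should be `become: true`; `yes` is a YAML 1.1 boolean that Ansible accepts but yamllint's truthy rule flags, and the docker role added in this same commit already writes `enabled: true` (the same applies to `enabled: yes` in roles/init-nfs/tasks/main.yml). The first play name also has a typo, `- name: Initialize base server.`. Only net-security and replace-python2 are wired into a play here, while the docker, init-nfs and mount-nfs roles created by this commit are not referenced from main.yml, which looks like an omission unless they are driven from another playbook not shown.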
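Review bot: The repo line in the `Add Docker PPA.` task pins `[arch=amd64]`, but the README describes the targets as Raspberry Pis, whose dpkg architecture is armhf or arm64; on those hosts apt ignores the repository and the `docker-ce` install that follows fails. The `apt_key` task is also inconsistent with the repo line (the key URL hard-codes `linux/ubuntu` while the repository path is templated on `ansible_distribution`) and apt-key itself is deprecated upstream because a key added that way is trusted for every configured repository, not just Docker's. Detecting the architecture with `dpkg --print-architecture` and binding the key to the repository with `signed-by` fixes both; apt on Debian 10 should accept an ASCII-armored key in `signed-by`, but confirm on a node. The `docker-compose` package from the Debian 10 archive is the Python-based v1 tool, which may be intended but is worth a comment.
```yaml
# … unchanged: remove old versions, install PPA dependencies …

- name: Add Docker GPG key.
  get_url:
    url: https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }}/gpg
    dest: /usr/share/keyrings/docker-archive-keyring.asc
    mode: '0644'

- name: Get dpkg architecture.
  command: dpkg --print-architecture
  register: dpkg_arch
  changed_when: false

- name: Add Docker PPA.
  apt_repository:
    repo: deb [arch={{ dpkg_arch.stdout }} signed-by=/usr/share/keyrings/docker-archive-keyring.asc] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
    state: present

# … unchanged: install docker-ce, service, cron …
```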
@@ -0,0 +1,7 @@ +--- +- name: export file systems + command: exportfs -a +- name: restart nfs server + service: + name: nfs-kernel-server + state: restarted diff --git a/roles/init-nfs/tasks/main.yml b/roles/init-nfs/tasks/main.yml new file mode 100644 index 0000000..c1f07fa --- /dev/null +++ b/roles/init-nfs/tasks/main.yml @@ -0,0 +1,39 @@ +--- +- name: Install NFS server. + apt: + name: nfs-kernel-server + state: present + +- name: Create directory to share. + file: + path: /mnt/data + state: directory + mode: '755' + owner: 1000 + group: 1000 + +- name: Create directory structure. + file: + path: /mnt/data/{{ item }} + state: directory + mode: '755' + owner: 1000 + group: 1000 + loop: + - portainer/data + - podgrab/assets + - podgrab/config + +- name: Copy over exports file. + template: + src: exports.j2 + dest: /etc/exports + notify: + - export file systems + - restart nfs server + +- name: Ensure NFS server is running & enabled. + service: + name: nfs-kernel-server + state: started + enabled: yes diff --git a/roles/init-nfs/templates/exports.j2 b/roles/init-nfs/templates/exports.j2 new file mode 100644 index 0000000..0ddd1d7 --- /dev/null +++ b/roles/init-nfs/templates/exports.j2 @@ -0,0 +1 @@ +/mnt/data {{ ansible_host }}/24(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000) diff --git a/roles/mount-nfs/tasks/main.yml b/roles/mount-nfs/tasks/main.yml new file mode 100644 index 0000000..f5edcef --- /dev/null +++ b/roles/mount-nfs/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: Install NFS client. + apt: + name: nfs-common + state: present + +- name: Mount NFS share. + ansible.posix.mount: + src: {{ hostvars['admin']['ansible_host'] }}:/mnt/data + path: /mnt/data + fstype: nfs4 + opts: defaults,user,exec + state: mounted diff --git a/roles/net-security/tasks/main.yml b/roles/net-security/tasks/main.yml new file mode 100644 index 0000000..83332f2 --- /dev/null +++ b/roles/net-security/tasks/main.yml 
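Review bot: In roles/init-nfs/tasks/main.yml, `enabled: yes` on the last task should be `enabled: true`, matching the docker role and yamllint's truthy rule. The `mode: '755'` values work because Ansible parses a quoted digit string as octal, but the conventional and unambiguous form is `mode: '0755'`. The `owner: 1000` / `group: 1000` values hard-code the same uid that exports.j2 squashes clients to; a role variable such as `nfs_anon_uid` used in both the tasks and the template would keep the two from drifting.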
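Review bot: The exports.j2 template grants read-write access to every host in `{{ ansible_host }}/24`, and with `all_squash` every one of them writes as uid 1000, so any machine on that subnet, not only the swarm nodes, can modify the Portainer and podgrab data. It also assumes `ansible_host` is an IPv4 address in a /24; hosts.template.ini leaves `ansible_host=` free-form, and a hostname followed by `/24` is not a valid exportfs client spec. Emitting one export line per swarm node is tighter, e.g. a loop over `groups['managers'] + groups['workers']` writing `/mnt/data {{ hostvars[h]['ansible_host'] }}(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)` for each `h`, assuming the inventory defines both groups as the template does.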
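Review bot: In roles/mount-nfs/tasks/main.yml, `src: {{ hostvars['admin']['ansible_host'] }}:/mnt/data` does not parse: a plain scalar beginning with `{` is read by YAML as a flow mapping before Jinja ever sees it, so the whole role fails to load. Quote the value, `src: "{{ hostvars['admin']['ansible_host'] }}:/mnt/data"`. `ansible.posix.mount` also requires the `ansible.posix` collection, which nothing in this commit declares; a `requirements.yml` listing it would make the setup reproducible.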
@@ -0,0 +1,14 @@ +- name: Install fail2ban. + apt: + name: fail2ban + state: present + +# TODO add proper fail2ban config + +- name: Ensure fail2ban is started & enabled. + service: + name: fail2ban + state: started + enabled: true + +# TODO install UFW diff --git a/roles/replace-python2/tasks/main.yml b/roles/replace-python2/tasks/main.yml new file mode 100644 index 0000000..3bd6a47 --- /dev/null +++ b/roles/replace-python2/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- name: 'Install Python 3' + apt: + name: + - python3 + - python3-pip + state: present + +- name: 'Remove Python 2.' + apt: + name: + - python + - python2 + - python2.7 + - python-minimal + - python2-minimal + - python2.7-minimal + state: absent + purge: true
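Review bot: roles/net-security/tasks/main.yml is the only tasks file in the commit without the `---` document start; add it for consistency with the other roles. The README describes this role as `install-net-security` installing and configuring UFW and Fail2Ban, whereas the directory is `net-security` and UFW and the fail2ban configuration are both still TODOs here, so the README overstates what the role does. As written, the protection is whatever fail2ban's Debian packaging enables by default (presumably the sshd jail, to be confirmed); a comment saying so would help until the TODOs are resolved.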
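Review bot: Purging python2 from under a running play is what the README's "this role currently crashes" describes, and the cure is to point Ansible at python3 before this role runs, e.g. `ansible_python_interpreter: /usr/bin/python3` under `[all:vars]` in the inventory or as `vars:` on the play in main.yml, so the `apt` module already executes under python3 when python2 is removed. With `state: absent` and `purge: true`, apt will also remove any installed package that still depends on python2, and that set is not visible here; a `--check` run on one node before rolling out would show it. Task names are quoted and inconsistently punctuated here while every other role uses unquoted names ending in a period, so `- name: Install Python 3.` and `- name: Remove Python 2.` would match.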