Copy over some initial stuff

README.md

@@ -0,0 +1,38 @@
+# ansible-docker-swarm
+
+This repository contains a complete Ansible config for setting up a Docker
+Swarm on Debian 10-based nodes. I personally use it for a swarm of Raspberry
+Pi's, but in theory it should work with other hosts as well.
+
+## Inventory file
+
+A template for the inventory file can be found in `hosts.template.ini`. The
+hosts consists of three main groups:
+
+* `admin`: the admin is the host that initializes the Swarm. It serves several
+  functions:
+    * It's used to initialize the Swarm.
+    * It serves as the entrypoint to the Swarm.
+    * It hosts the NFS share that's used for persistent storage.
+* `managers`: these are the nodes that should be added as manager.
+* `workers`: these nodes will be added as workers.
+
+## Roles
+
+The config is divided into several roles to make management easier:
+
+* `install-python3`: replaces Python 2 with Python 3. This role currently
+  crashes, because Ansible doesn't like it when you change the Python install
+  during a run, but a consecutive run does work.
+* `install-net-security`: installs UFW & Fail2Ban & configures them
+* `install-docker`: installs Docker & any Docker-related tools
+* `init-docker-swarm`: initializes the Swarm on the `admin` host
+* `add-docker-swarm-managers`: adds the manager nodes to the swarm
+* `add-docker-swarm-workers`: adds the worker nodes to the swarm
+* `deploy-portainer`: deploys Portainer
+
+## Use of Portainer
+
+Portainer is a tool created for managing Docker engines, and in particular
+Docker Swarm. Because I use Portainer for setting up all other services, it's
+the only Docker service that I actually set up using Ansible.

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+inventory = hosts.ini

hosts.template.ini

@@ -0,0 +1,7 @@
+# The admin is the main host that initializes the swarm
+admin ansible_host=
+
+[managers]
+
+
+[workers]

main.yml

@@ -0,0 +1,17 @@
+---
+- name: Initalize base server.
+  hosts: all
+  become: yes
+  roles:
+    - net-security
+  tags: base
+
+# TODO set up samba
+
+# Runs last because it changes the Python symlink
+- name: Replace Python 2 with Python 3.
+  hosts: all
+  become: yes
+  roles:
+    - replace-python2
+  tags: base

roles/docker/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: Ensure older Docker versions aren't installed.
+  apt:
+    name:
+      - docker
+      - docker-engine
+      - docker.io
+      - containerd
+      - runc
+    state: absent
+
+- name: Install Docker PPA dependencies.
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - gnupg
+      - lsb-release
+    state: present
+
+- name: Add Docker GPG key.
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add Docker PPA.
+  apt_repository:
+    # https://gist.github.com/rbq/886587980894e98b23d0eee2a1d84933
+    repo: deb [arch=amd64] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+    state: present
+
+- name: Install Docker, docker-compose & cron.
+  apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose
+      - cron
+    state: present
+
+- name: Ensure Docker is running & enabled.
+  service:
+    name: docker
+    state: started
+    enabled: true
+
+- name: Add Docker prune cronjob.
+  cron:
+    name: Prune the Docker system.
+    hour: 4
+    minute: 0
+    job: docker system prune -f

roles/init-nfs/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: export file systems
+  command: exportfs -a
+- name: restart nfs server
+  service:
+    name: nfs-kernel-server
+    state: restarted

roles/init-nfs/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Install NFS server.
+  apt:
+    name: nfs-kernel-server
+    state: present
+
+- name: Create directory to share.
+  file:
+    path: /mnt/data
+    state: directory
+    mode: '755'
+    owner: 1000
+    group: 1000
+
+- name: Create directory structure.
+  file:
+    path: /mnt/data/{{ item }}
+    state: directory
+    mode: '755'
+    owner: 1000
+    group: 1000
+  loop:
+    - portainer/data
+    - podgrab/assets
+    - podgrab/config
+
+- name: Copy over exports file.
+  template:
+    src: exports.j2
+    dest: /etc/exports
+  notify: 
+  - export file systems
+  - restart nfs server
+
+- name: Ensure NFS server is running & enabled.
+  service:
+    name: nfs-kernel-server
+    state: started
+    enabled: yes

roles/init-nfs/templates/exports.j2

@@ -0,0 +1 @@
+/mnt/data {{ ansible_host }}/24(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)

roles/mount-nfs/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Install NFS client.
+  apt:
+    name: nfs-common
+    state: present
+
+- name: Mount NFS share.
+  ansible.posix.mount:
+    src: {{ hostvars['admin']['ansible_host'] }}:/mnt/data
+    path: /mnt/data
+    fstype: nfs4
+    opts: defaults,user,exec
+    state: mounted

roles/net-security/tasks/main.yml

@@ -0,0 +1,14 @@
+- name: Install fail2ban.
+  apt:
+    name: fail2ban
+    state: present
+
+# TODO add proper fail2ban config
+
+- name: Ensure fail2ban is started & enabled.
+  service:
+    name: fail2ban
+    state: started
+    enabled: true
+
+# TODO install UFW

roles/replace-python2/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: 'Install Python 3'
+  apt:
+    name:
+      - python3
+      - python3-pip
+    state: present
+
+- name: 'Remove Python 2.'
+  apt:
+    name:
+      - python
+      - python2
+      - python2.7
+      - python-minimal
+      - python2-minimal
+      - python2.7-minimal
+    state: absent
+    purge: true