Merge container server configuration

.github/workflows/lint.yml

@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Set up Python 3.9
+      - name: Set up Python 3.10
         uses: actions/setup-python@v1
         with:
-          python-version: 3.9
+          python-version: "3.10"
       - uses: actions/cache@v2
         with:
           path: venv/

README.md

@@ -68,3 +68,6 @@ New roles should be developed on branches, and changes rolled out to all servers
   - `ipxe`
 - `backed_up`
 - `ssh_gateway`
+- `docker`
+- `containers_dev`
+- `containers_prod`

hosts.yml

@@ -12,3 +12,4 @@ query_filters:
   - role: server
   - role: ssh-gateway
   - role: lxd-host
+  - role: container-host

playbook.yml

@@ -36,3 +36,24 @@
   roles:
     - role: ssh_gateway
       tags: ssh_gateway
+- name: Configure containers dev
+  hosts: CONTAINERS-1
+  roles:
+    - role: docker
+      tags: docker
+    - role: containers_dev
+      tags: containers_dev
+- name: Configure containers prod
+  hosts: CONTAINERS-2
+  roles:
+    - role: docker
+      tags: docker
+    - role: containers_prod
+      tags: containers_prod
+- name: Configure containers secure
+  hosts: CONTAINERS-3
+  roles:
+    - role: docker
+      tags: docker
+    - role: containers_secure
+      tags: containers_secure

requirements.txt

@@ -4,68 +4,72 @@
 #
 #    pip-compile
 #
-ansible==8.0.0
+ansible==9.2.0
     # via -r requirements.in
-ansible-compat==4.1.2
+ansible-compat==4.1.11
     # via ansible-lint
-ansible-core==2.15.0
+ansible-core==2.16.3
     # via
     #   ansible
     #   ansible-compat
     #   ansible-lint
-ansible-lint==6.17.0
+ansible-lint==24.2.0
     # via -r requirements.in
-attrs==23.1.0
-    # via jsonschema
-black==23.3.0
+attrs==23.2.0
+    # via
+    #   jsonschema
+    #   referencing
+black==24.1.1
     # via ansible-lint
-bracex==2.3.post1
+bracex==2.4
     # via wcmatch
-build==0.10.0
+build==1.0.3
     # via pip-tools
-cffi==1.15.1
+cffi==1.16.0
     # via cryptography
-click==8.1.3
+click==8.1.7
     # via
     #   black
     #   pip-tools
-cryptography==41.0.1
+cryptography==42.0.2
     # via ansible-core
-filelock==3.12.1
+filelock==3.13.1
     # via ansible-lint
-jinja2==3.1.2
+jinja2==3.1.3
     # via ansible-core
-jsonschema==4.17.3
+jsonschema==4.21.1
     # via
     #   ansible-compat
     #   ansible-lint
+jsonschema-specifications==2023.12.1
+    # via jsonschema
 markdown-it-py==3.0.0
     # via rich
-markupsafe==2.1.3
+markupsafe==2.1.5
     # via jinja2
 mdurl==0.1.2
     # via markdown-it-py
 mypy-extensions==1.0.0
     # via black
-packaging==23.1
+packaging==23.2
     # via
     #   ansible-compat
     #   ansible-core
     #   ansible-lint
     #   black
     #   build
-pathspec==0.11.1
+pathspec==0.12.1
     # via
     #   ansible-lint
     #   black
     #   yamllint
-pip-tools==6.13.0
+pip-tools==7.3.0
     # via -r requirements.in
-platformdirs==3.5.3
+platformdirs==4.2.0
     # via black
 pycparser==2.21
     # via cffi
-pygments==2.15.1
+pygments==2.17.2
     # via rich
 pyproject-hooks==1.0.0
     # via build
@@ -79,13 +83,21 @@ pyyaml==6.0
     #   ansible-core
     #   ansible-lint
     #   yamllint
+referencing==0.33.0
+    # via
+    #   jsonschema
+    #   jsonschema-specifications
 resolvelib==1.0.1
     # via ansible-core
-rich==13.4.2
+rich==13.7.0
     # via ansible-lint
-ruamel-yaml==0.17.31
+rpds-py==0.17.1
+    # via
+    #   jsonschema
+    #   referencing
+ruamel-yaml==0.18.6
     # via ansible-lint
-ruamel-yaml-clib==0.2.7
+ruamel-yaml-clib==0.2.8
     # via ruamel-yaml
 subprocess-tee==0.4.1
     # via
@@ -95,12 +107,15 @@ tomli==2.0.1
     # via
     #   black
     #   build
+    #   pip-tools
     #   pyproject-hooks
-wcmatch==8.4.1
+typing-extensions==4.9.0
+    # via black
+wcmatch==8.5
     # via ansible-lint
-wheel==0.40.0
+wheel==0.42.0
     # via pip-tools
-yamllint==1.32.0
+yamllint==1.34.0
     # via
     #   -r requirements.in
     #   ansible-lint

roles/containers_dev/tasks/containers.yml

@@ -0,0 +1,19 @@
+---
+- name: Install git
+  ansible.builtin.apt:
+    name: git
+    state: present
+
+- name: Checkout container configuration
+  ansible.builtin.git:
+    repo: "[email protected]:sown/containers-dev-docker-config.git"
+    dest: "/docker/managed"
+    version: master
+
+- name: Setup containers
+  community.docker.docker_compose_v2:
+    project_src: "{{ item }}"
+  with_items:
+    # setup utility containers first
+    - "/docker/managed/traefik"
+    # setup remaining containers

roles/containers_dev/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Configure containers
+  import_tasks: containers.yml

roles/containers_prod/tasks/containers.yml

@@ -0,0 +1,24 @@
+---
+- name: Install git
+  ansible.builtin.apt:
+    name: git
+    state: present
+
+- name: Checkout container configuration
+  ansible.builtin.git:
+    repo: "[email protected]:sown/containers-prod-docker-config.git"
+    dest: "/docker"
+    version: master
+
+- name: Setup containers
+  community.docker.docker_compose_v2:
+    project_src: "{{ item }}"
+  with_items:
+    # setup utility containers first
+    - "/docker/traefik"
+    # setup remaining containers
+    - "/docker/suws_website_default"
+    - "/docker/suws_wordpress"
+    - "/docker/suws_wiki"
+    - "/docker/prometheus"
+    - "/docker/grafana"

roles/containers_prod/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Configure containers
+  import_tasks: containers.yml

roles/containers_secure/tasks/containers.yml

@@ -0,0 +1,19 @@
+---
+- name: Install git
+  ansible.builtin.apt:
+    name: git
+    state: present
+
+- name: Checkout container configuration
+  ansible.builtin.git:
+    repo: "[email protected]:sown/containers-secure-docker-config.git"
+    dest: "/docker"
+    version: master
+
+- name: Setup containers
+  community.docker.docker_compose_v2:
+    project_src: "{{ item }}"
+  with_items:
+    # setup utility containers first
+    - "/docker/traefik"
+    # setup remaining containers

roles/containers_secure/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Configure containers
+  import_tasks: containers.yml

roles/docker/tasks/docker.yml

@@ -0,0 +1,26 @@
+---
+- name: Install docker dependancies
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg-agent
+      - software-properties-common
+    state: present
+
+- name: Add docker GPG key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add docker repo
+  apt_repository:
+    repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+    state: present
+    update_cache: true
+
+- name: Install docker
+  apt:
+    name: docker-ce
+    state: present

roles/docker/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: Configure docker
+  import_tasks: docker.yml

roles/monitored/vars/main.yml

@@ -1,4 +1,4 @@
-nrpe_allowed_ips:
+nrpe_allowed_ips:  # noqa var-naming[no-role-prefix]
   - 127.0.0.1
   - ::1
   - 10.5.0.243  # monitor
@@ -7,7 +7,7 @@ nrpe_allowed_ips:
   - 10.5.0.215  # monitor2
   - 152.78.103.187  # monitor2
   - 2001:630:d0:f700::215  # monitor2
-nrpe_checks:
+nrpe_checks:  # noqa var-naming[no-role-prefix]
   users:
     check: "/usr/lib/nagios/plugins/check_users"
     arguments: "-w 10 -c 20"