homeserver/group_vars/docker.yml

---
  ### oefenweb.ufw
  ufw_rules:
    - rule: allow
      to_port: 22
      protocol: tcp
      comment: 'ssh'
      from_ip: 192.168.2.0/24
    # Weitere Regeln sind nicht notwendig da Docker iptables selber verwaltet.
#    - rule: allow
#      comment: 'alles erlauben'
  ### geerlingguy.docker
  docker_users:
    - mg
    - root
    - ansible-user
    - git
  ### ryandaniels.create_users
  users:
  - username: mg
    password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
    update_password: on_create
    ssh_key: "{{ lookup('keepass', 'mg_ssh_pubkey', 'password') }}"
    use_sudo: yes
    use_sudo_nopass: yes
    user_state: present
    groups: ssh, sudo, docker
    servers:
      - production
      - test
  - username: ansible-user
    password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
    update_password: on_create
    ssh_key: "{{ lookup('keepass', 'ansible_user_ssh_pubkey', 'password') }}"
    use_sudo: yes
    use_sudo_nopass: yes
    user_state: present
    groups: ssh, sudo
    servers:
      - production
      - test

  ### mgrote.restic
  restic_folders_to_backup: /usr/local /etc /root /home /var/lib/docker
  restic_cron_hours: "*"
  restic_exclude: |
        ._*
        desktop.ini
        .Trash-*
        **/**cache***/**
        **/**Cache***/**
        **/**AppData***/**
        /var/lib/docker/volumes/***Musik***
        /var/lib/docker/volumes/***musik***
        /var/lib/docker/volumes/***musik***
        /var/lib/docker/volumes/ocrmypdf-auto_scan_input/*
        /var/lib/docker/volumes/ocrmypdf-auto_scan_output/*
        # https://github.com/restic/restic/issues/1005
        # https://forum.restic.net/t/exclude-syntax-confusion/1531/12
Vars entschlüsselt Rolle zu ansible-Playbook hinzugefügt, Var liegen in Group_Vars KeepassPW mit Vault verschlüsselt wip Umstellung in DB pb var auf testeinzeln miniflux storage gitignore angepasst pb vars wieder auf all virt 2020-08-19 12:29:49 +02:00			`---`
			`### oefenweb.ufw`
			`ufw_rules:`
			`- rule: allow`
ufw: Regeln verschärft (#11) Docker: allow all weg, dafür einzelne dienste freigeschaltet smb aus lan jenkins-webgui aus lan pihole-webgui aus lan acng aus LAN ssh nur aus LAN Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com> Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/11 2020-12-23 17:34:11 +01:00			`to_port: 22`
			`protocol: tcp`
			`comment: 'ssh'`
Firewallregeln verschärft 2020-12-31 14:39:17 +01:00			`from_ip: 192.168.2.0/24`
ufw: Docker aufgeräumt 2020-12-31 15:14:22 +01:00			`# Weitere Regeln sind nicht notwendig da Docker iptables selber verwaltet.`
ufw: Regeln verschärft (#11) Docker: allow all weg, dafür einzelne dienste freigeschaltet smb aus lan jenkins-webgui aus lan pihole-webgui aus lan acng aus LAN ssh nur aus LAN Co-authored-by: Michael Grote <38253905+quotengrote@users.noreply.github.com> Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/11 2020-12-23 17:34:11 +01:00			`# - rule: allow`
			`# comment: 'alles erlauben'`
Houesekeeping (#59) * Variablen von Docker Playbook zu Docker Vars verschoben * Variablen nickyjj.ansible-user aus Playbook entfernt, Rolle wird hier nicht verwendet 2020-11-04 11:49:02 +01:00			`### geerlingguy.docker`
			`docker_users:`
			`- mg`
			`- root`
			`- ansible-user`
Bugfix: gitlab-runner 2021-02-01 08:20:01 +01:00			`- git`
Bugfix: docker User rights 2020-11-30 09:34:33 +01:00			`### ryandaniels.create_users`
			`users:`
			`- username: mg`
ssh: gitlab-user für docker + housekeeping 2021-02-05 12:52:23 +01:00			`password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"`
Bugfix: docker User rights 2020-11-30 09:34:33 +01:00			`update_password: on_create`
ssh: gitlab-user für docker + housekeeping 2021-02-05 12:52:23 +01:00			`ssh_key: "{{ lookup('keepass', 'mg_ssh_pubkey', 'password') }}"`
			`use_sudo: yes`
			`use_sudo_nopass: yes`
			`user_state: present`
			`groups: ssh, sudo, docker`
			`servers:`
			`- production`
Bugfix: docker User rights 2020-11-30 09:34:33 +01:00			`- test`
Housekeeping 2021-02-07 13:16:51 +01:00			`- username: ansible-user`
			`password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"`
			`update_password: on_create`
			`ssh_key: "{{ lookup('keepass', 'ansible_user_ssh_pubkey', 'password') }}"`
			`use_sudo: yes`
			`use_sudo_nopass: yes`
			`user_state: present`
			`groups: ssh, sudo`
			`servers:`
			`- production`
			`- test`

Bugfix: restic - Pfade 2020-12-03 12:18:00 +01:00			`### mgrote.restic`
Restic Docker (#82) * Schließe Musik mount von airsonic aus * Pfade docker 2020-12-03 13:18:00 +01:00			`restic_folders_to_backup: /usr/local /etc /root /home /var/lib/docker`
Bugfix: Restic --- * Cron angepasst für Docker * richtiges Passwort für mount gesetzt 2020-12-03 12:04:01 +01:00			`restic_cron_hours: "*"`
Docker: restic Variablen angepasst 2020-12-22 12:27:43 +01:00			`restic_exclude: \|`
			`._*`
			`desktop.ini`
			`.Trash-*`
			`/cache*/`
			`/Cache*/`
			`/AppData*/`
			`/var/lib/docker/volumes/*Musik*`
			`/var/lib/docker/volumes/*musik*`
Restic: Ausnahme für Docker für OCR 2021-01-21 19:08:30 +01:00			`/var/lib/docker/volumes/*musik*`
			`/var/lib/docker/volumes/ocrmypdf-auto_scan_input/*`
			`/var/lib/docker/volumes/ocrmypdf-auto_scan_output/*`
Docker: restic Variablen angepasst 2020-12-22 12:27:43 +01:00			`# https://github.com/restic/restic/issues/1005`
			`# https://forum.restic.net/t/exclude-syntax-confusion/1531/12`