--- ### mrlesmithjr.manage_lvm lvm_groups: - vgname: vg_docker disks: - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1 create: true lvnames: - lvname: lv_docker size: +100%FREE create: true filesystem: xfs mount: true mntp: /var/lib/docker manage_lvm: true pvresize_to_max: true ### geerlingguy.pip pip_package: python3-pip pip_install_packages: - name: docker # für munin-plugin docker_ ### mgrote.apt_manage_packages apt_packages_extra: - libnet-dns-perl # für munin: dnsresponse_* ### mgrote_user users: - username: mg password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}" update_password: always groups: - ssh - sudo - docker state: present public_ssh_key: "{{ ssh_public_key_mg }}" allow_sudo: true allow_passwordless_sudo: true - username: docker-user password: "{{ lookup('viczem.keepass.keepass', 'docker-user_linux_password_hash', 'password') }}" update_password: always groups: - ssh - sudo - docker state: present allow_sudo: true allow_passwordless_sudo: true uid: "5000" - username: ansible-user password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}" update_password: always groups: - ssh - sudo state: present public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu allow_sudo: true allow_passwordless_sudo: true ### geerlingguy.docker docker_users: - mg - docker-user docker_install_compose: true docker_add_repo: false # erstelle kein Repo-Eintrag unter /etc/apt/sources.list.d/, steht explizit unter "repos_override", wird nur zum installieren benötigt ### mgrote_docker-compose-deploy docker_compose_base_dir: /home/docker-user ### mgrote_apt_manage_sources repos_override: # mit docker-repos - deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} main restricted" - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates main restricted" - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} universe" - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates universe" - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} multiverse" - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates multiverse" - "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-backports main restricted universe multiverse" - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted" - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe" - "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security multiverse" ### mgrote_systemd_resolved systemd_resolved_nameserver: 192.168.2.37 ### mgrote_restic restic_folders_to_backup: "/usr/local /etc /root /home /var/lib/docker" ### mgrote_munin_node munin_node_plugin_timeout: 120 # in sec, docker_multi braucht länger munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift munin_node_plugins: - name: systemd_status src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status - name: systemd_mem src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem config: | [systemd_mem] env.all_services true - name: lvm_ src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_ config: | [lvm_*] user root - name: fail2ban src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban config: | [fail2ban] env.client /usr/bin/fail2ban-client env.config_dir /etc/fail2ban user root - name: chrony src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony - name: docker_volumesize src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize - name: docker_containers src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ config: | [docker_*] group docker env.DOCKER_HOST unix://run/docker.sock env.EXCLUDE_CONTAINER_NAME wp - name: docker_cpu src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_images src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_memory src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_network src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_status src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_volumes src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ ### oefenweb.ufw ufw_rules: - rule: allow to_port: 22 protocol: tcp comment: 'ssh' from_ip: 0.0.0.0/0 - rule: allow to_port: 4949 protocol: tcp comment: 'munin' from_ip: 192.168.2.0/24 - rule: allow from_ip: 192.168.0.0/16 comment: 'docker networks' - rule: allow from_ip: 172.0.0.0/8 comment: 'docker networks'