homeserver/group_vars/docker.yml
2024-11-10 14:55:22 +01:00

170 lines
6.1 KiB
YAML

---
### mgrote_minio_configure
minio_url: https://s3.mgrote.net
minio_root_access_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_access_key', 'password') }}"
minio_root_secret_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_secret_key', 'password') }}"
minio_users:
- name: testuser
secret: "{{ lookup('viczem.keepass.keepass', 'minio/minio_testuser_secret_key', 'password') }}"
state: present
policy: testbucket_rw
minio_buckets:
- name: testbucket
state: present
### mrlesmithjr.manage_lvm
lvm_groups:
- vgname: vg_docker
disks:
- /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
create: true
lvnames:
- lvname: lv_docker
size: +100%FREE
create: true
filesystem: xfs
mount: true
mntp: /var/lib/docker
manage_lvm: true
pvresize_to_max: true
### geerlingguy.pip
pip_package: python3-pip
pip_install_packages:
- name: docker # für munin-plugin docker_
- name: minio # für ansible-minio_configure-Rolle
### mgrote.apt_manage_packages
apt_packages_extra:
- libnet-dns-perl # für munin: dnsresponse_*
### mgrote_user
users:
- username: mg
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
update_password: always
groups:
- ssh
- sudo
- docker
state: present
public_ssh_key: "{{ ssh_public_key_mg }}"
allow_sudo: true
allow_passwordless_sudo: true
- username: docker-user
password: "{{ lookup('viczem.keepass.keepass', 'docker-user_linux_password_hash', 'password') }}"
update_password: always
groups:
- ssh
- sudo
- docker
state: present
allow_sudo: true
allow_passwordless_sudo: true
uid: "5000"
- username: ansible-user
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups:
- ssh
- sudo
state: present
public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
allow_sudo: true
allow_passwordless_sudo: true
### geerlingguy.docker
docker_users:
- mg
- docker-user
docker_install_compose: true
docker_add_repo: false # erstelle kein Repo-Eintrag unter /etc/apt/sources.list.d/, steht explizit unter "repos_override", wird nur zum installieren benötigt
### mgrote_docker-compose-deploy
docker_compose_base_dir: /home/docker-user
### mgrote_apt_manage_sources
repos_override: # mit docker-repos
- deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} main restricted"
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates main restricted"
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} universe"
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates universe"
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} multiverse"
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates multiverse"
- "deb http://de.archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-backports main restricted universe multiverse"
- "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted"
- "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe"
- "deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security multiverse"
### mgrote_systemd_resolved
systemd_resolved_nameserver: 192.168.2.37
### mgrote_restic
restic_folders_to_backup: "/usr/local /etc /root /home /var/lib/docker"
### mgrote_munin_node
munin_node_plugin_timeout: 120 # in sec, docker_multi braucht länger
munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift
munin_node_plugins:
- name: systemd_status
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status
- name: systemd_mem
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
config: |
[systemd_mem]
env.all_services true
- name: lvm_
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_
config: |
[lvm_*]
user root
- name: fail2ban
src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
config: |
[fail2ban]
env.client /usr/bin/fail2ban-client
env.config_dir /etc/fail2ban
user root
- name: chrony
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony
- name: docker_volumesize
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize
- name: docker_containers
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
config: |
[docker_*]
group docker
env.DOCKER_HOST unix://run/docker.sock
env.EXCLUDE_CONTAINER_NAME wp
- name: docker_cpu
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
- name: docker_images
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
- name: docker_memory
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
- name: docker_network
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
- name: docker_status
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
- name: docker_volumes
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 0.0.0.0/0
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.0/24
- rule: allow
from_ip: 192.168.0.0/16
comment: 'docker networks'
- rule: allow
from_ip: 172.0.0.0/8
comment: 'docker networks'