tudattr
/
ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(ansible): add Docker host configuration with NFS mounts and utility packages 

- Introduce Docker host configuration playbooks in `docker_host` role
  - Install Docker and Docker Compose via apt repository
  - Configure Docker user, group, and required directories (`/opt/docker`, `/media`)
  - Add NFS mounts for Docker data, series, movies, and songs directories
- Add extra utility packages (`bat`, `ripgrep`, `fd-find`, `screen`, `eza`, `neovim`)
- Set up and manage `bash_aliases` for user-friendly command replacements (`batcat`, `nvim`, `eza`)
- Enhance `/group_vars` and `/host_vars` for Docker-related settings and secure access
- Add `docker-host00` and `docker-host01` entries to production and staging inventories

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
rewrite
Tuan-Dat Tran 2024-11-10 21:37:22 +01:00
parent ce0411cdb0
commit 4db26b56da
21 changed files with 803 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -65,9 +65,10 @@ When we have LVM-based root partition we can do the following:
# Create a new partition from the free space. # Create a new partition from the free space.
sudo fdisk /dev/sda sudo fdisk /dev/sda
# echo "n\n\n\n\n\nw\n" # echo "n\n\n\n\n\nw\n"
# n > 5x\n > w > \n
# Create a LVM volume on the new partition # Create a LVM volume on the new partition
sudo pvcreate /dev/sda3 sudo pvcreate /dev/sda3
sudo vgextend k3s-vg /dev/sda3 sudo vgextend k3s-vg /dev/sda3
# Use the newly available storage in the root volume # Use the newly available storage in the root volume
sudo lvresize --extents +100%FREE --resizefs /dev/k3s-vg/root sudo lvresize -l +100%FREE -r /dev/k3s-vg/root
``` ```

13
docker-host.yml Normal file
View File

@ -0,0 +1,13 @@
---
- name: Set up Servers
hosts: docker_host
gather_facts: yes
vars_files:
- secrets.yml
roles:
- role: common
tags:
- common
- role: docker_host
tags:
- docker_host

6
group_vars/all/vars.yml
View File

@ -27,3 +27,9 @@ common_packages:
- sudo - sudo
- systemd-timesyncd - systemd-timesyncd
- tree - tree
- screen
- bat
- fd-find
- ripgrep
arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"

4
group_vars/docker/vars.yml Normal file
View File

@ -0,0 +1,4 @@
docker:
url: "https://download.docker.com/linux"
apt_release_channel: "stable"
dirs: "/opt/docker"

10
host_vars/docker-host00.yml Normal file
View File

@ -0,0 +1,10 @@
---
ansible_user: "{{ user }}"
ansible_host: 192.168.20.34
ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.docker.host00.sudo }}"
host:
hostname: "docker-host00"
ip: "{{ ansible_host }}"

10
host_vars/docker-host01.yml Normal file
View File

@ -0,0 +1,10 @@
---
ansible_user: "{{ user }}"
ansible_host: 192.168.20.35
ansible_port: 22
ansible_ssh_private_key_file: "{{ pk_path }}"
ansible_become_pass: "{{ vault.docker.host01.sudo }}"
host:
hostname: "docker-host01"
ip: "{{ ansible_host }}"

7
production
View File

@ -41,6 +41,7 @@ k3s-loadbalancer
k3s-longhorn00 k3s-longhorn00
k3s-longhorn01 k3s-longhorn01
k3s-longhorn02 k3s-longhorn02
docker-host00
[k3s_nodes] [k3s_nodes]
k3s-server00 k3s-server00
@ -61,3 +62,9 @@ k3s-loadbalancer
[vm:vars] [vm:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"' ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"'
[docker]
docker-host00
[docker_host]
docker-host00

4
roles/common/files/bash/bash_aliases Normal file
View File

@ -0,0 +1,4 @@
alias cat=batcat
alias vim=nvim
alias fd=fdfind
alias ls=eza

9
roles/common/tasks/bash.yml
View File

@ -1,9 +1,12 @@
--- ---
- name: Copy .bashrc - name: Copy bash-configs
ansible.builtin.template: ansible.builtin.template:
src: files/bash/bashrc src: "files/bash/{{ item }}"
dest: "/home/{{ user }}/.bashrc" dest: "/home/{{ user }}/.{{ item }}"
owner: "{{ user }}" owner: "{{ user }}"
group: "{{ user }}" group: "{{ user }}"
mode: "644" mode: "644"
loop:
- bashrc
- bash_aliases
become: true become: true

95
roles/common/tasks/extra_packages.yml Normal file
View File

@ -0,0 +1,95 @@
---
- name: Ensure /etc/apt/keyrings directory exists
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
become: true
- name: Download and save Gierens repository GPG key
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/eza-community/eza/main/deb.asc
dest: /etc/apt/keyrings/gierens.asc
mode: "0644"
register: gpg_key_result
become: true
- name: Add Gierens repository to apt sources
ansible.builtin.apt_repository:
repo: "deb [signed-by=/etc/apt/keyrings/gierens.asc] http://deb.gierens.de stable main"
state: present
update_cache: true
become: true
- name: Install eza package
ansible.builtin.apt:
name: eza
state: present
become: true
- name: Install bottom package
ansible.builtin.apt:
deb: https://github.com/ClementTsang/bottom/releases/download/0.9.6/bottom_0.9.6_amd64.deb
state: present
become: true
- name: Check if Neovim is already installed
ansible.builtin.command: "which nvim"
register: neovim_installed
changed_when: false
ignore_errors: true
- name: Download Neovim AppImage
ansible.builtin.get_url:
url: https://github.com/neovim/neovim/releases/download/v0.10.0/nvim.appimage
dest: /tmp/nvim.appimage
mode: "0755"
when: neovim_installed.rc != 0
register: download_result
- name: Extract Neovim AppImage
ansible.builtin.command:
cmd: "./nvim.appimage --appimage-extract"
chdir: /tmp
when: download_result.changed
register: extract_result
- name: Copy extracted Neovim files to /usr
ansible.builtin.copy:
src: /tmp/squashfs-root/usr/
dest: /usr/
remote_src: true
mode: "0755"
become: true
when: extract_result.changed
- name: Clean up extracted Neovim files
ansible.builtin.file:
path: /tmp/squashfs-root
state: absent
when: extract_result.changed
- name: Remove Neovim AppImage
ansible.builtin.file:
path: /tmp/nvim.appimage
state: absent
when: download_result.changed
- name: Check if Neovim config directory already exists
ansible.builtin.stat:
path: ~/.config/nvim
register: nvim_config
- name: Clone LazyVim starter to Neovim config directory
ansible.builtin.git:
repo: https://github.com/LazyVim/starter
dest: ~/.config/nvim
clone: true
update: false
when: not nvim_config.stat.exists
- name: Remove .git directory from Neovim config
ansible.builtin.file:
path: ~/.config/nvim/.git
state: absent
when: not nvim_config.stat.exists

2
roles/common/tasks/main.yml
View File

@ -5,6 +5,8 @@
ansible.builtin.include_tasks: hostname.yml ansible.builtin.include_tasks: hostname.yml
- name: Configure Packages - name: Configure Packages
ansible.builtin.include_tasks: packages.yml ansible.builtin.include_tasks: packages.yml
- name: Configure Extra-Packages
ansible.builtin.include_tasks: extra_packages.yml
- name: Configure Bash - name: Configure Bash
ansible.builtin.include_tasks: bash.yml ansible.builtin.include_tasks: bash.yml
- name: Configure SSH - name: Configure SSH

2
roles/common/tasks/packages.yml
View File

@ -6,7 +6,7 @@
autoremove: true autoremove: true
become: true become: true
- name: Install extra packages - name: Install base packages
ansible.builtin.apt: ansible.builtin.apt:
name: "{{ common_packages }}" name: "{{ common_packages }}"
state: present state: present

406
roles/docker_host/files/compose.yaml Normal file
View File

@ -0,0 +1,406 @@
services:
nginx:
container_name: "nginx"
image: "jc21/nginx-proxy-manager:latest"
restart: unless-stopped
networks:
- net
ports:
- "80:80"
- "443:443"
- "8080:81"
volumes:
- "/opt/docker/config/nginx/data:/data"
- "/opt/docker/config/nginx/letsencrypt:/etc/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock"
syncthing:
image: syncthing/syncthing
container_name: syncthing
restart: unless-stopped
depends_on:
- nginx
networks:
- net
ports:
- 22000:22000/tcp # TCP file transfers
- 22000:22000/udp # QUIC file transfers
- 21027:21027/udp # Receive local discovery broadcasts
volumes:
- "/media/docker/data/syncthing/:/var/syncthing"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
hostname: syncthing
kuma:
container_name: kuma
image: louislam/uptime-kuma:1
restart: unless-stopped
depends_on:
- nginx
networks:
- net
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
ports:
- "3001:3001"
volumes:
- "/opt/local/kuma/:/app/data"
plex:
image: lscr.io/linuxserver/plex:latest
container_name: plex
restart: unless-stopped
depends_on:
- nginx
networks:
- net
devices:
- /dev/dri:/dev/dri
ports:
- "32400:32400"
- "1900:1900"
- "3005:3005"
- "5353:5353"
- "32410:32410"
- "8324:8324"
- "32412:32412"
- "32469:32469"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- VERSION=docker
volumes:
- "/opt/local/plex/config/:/config"
- "/media/series:/tv:ro"
- "/media/movies:/movies:ro"
- "/media/songs:/music:ro"
sonarr:
image: lscr.io/linuxserver/sonarr:latest
container_name: sonarr
restart: unless-stopped
depends_on:
- prowlarr
networks:
- net
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
volumes:
- /opt/local/sonarr/config:/config
- /media/series:/tv #optional
- /media/docker/data/arr_downloads/sonarr:/downloads #optional
radarr:
image: lscr.io/linuxserver/radarr:latest
container_name: radarr
restart: unless-stopped
depends_on:
- prowlarr
networks:
- net
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
volumes:
- /opt/local/radarr/config:/config
- /media/movies:/movies #optional
- /media/docker/data/arr_downloads/radarr:/downloads #optional
lidarr:
image: lscr.io/linuxserver/lidarr:latest
container_name: lidarr
restart: unless-stopped
depends_on:
- prowlarr
networks:
- net
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
volumes:
- /opt/local/lidarr/config:/config
- /media/songs:/music #optional
- /media/docker/data/arr_downloads/lidarr:/downloads #optional
prowlarr:
image: lscr.io/linuxserver/prowlarr:latest
container_name: prowlarr
restart: unless-stopped
depends_on:
- torrentleech
networks:
- net
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
volumes:
- /opt/local/prowlarr/config:/config
gluetun:
image: qmcgaw/gluetun
container_name: gluetun
restart: unless-stopped
networks:
- net
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
volumes:
- /opt/docker/config/gluetun/config:/gluetun
ports:
- 8082:8082
- 8083:8083
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- VPN_SERVICE_PROVIDER=protonvpn
- UPDATER_VPN_SERVICE_PROVIDERS=protonvpn
- UPDATER_PERIOD=24h
- SERVER_COUNTRIES=Hungary
- OPENVPN_USER=MfCOtzTIEsmu1wY-q2lAZ3X1+pmp
- OPENVPN_PASSWORD=knCl1Zl5PHz4HMWVCGR77dYa
torrentleech:
image: qbittorrentofficial/qbittorrent-nox
container_name: torrentleech
restart: unless-stopped
depends_on:
- gluetun
network_mode: "container:gluetun"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- QBT_EULA="accept"
- QBT_WEBUI_PORT="8083"
volumes:
- /opt/docker/config/torrentleech/config:/config
- /media/docker/data/arr_downloads:/downloads
qbit:
image: qbittorrentofficial/qbittorrent-nox
container_name: qbit
restart: unless-stopped
depends_on:
- gluetun
network_mode: "container:gluetun"
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Berlin
- QBT_EULA="accept"
- QBT_WEBUI_PORT="8082"
volumes:
- /opt/docker/config/qbit/config:/config
- /media/docker/data/arr_downloads:/downloads
prometheus:
image: prom/prometheus
container_name: prometheus
restart: unless-stopped
depends_on:
- nginx
networks:
- net
environment:
- PUID=65534
- PGID=65534
- TZ=Europe/Berlin
volumes:
- /opt/docker/config/prometheus/:/etc/prometheus/
- prometheus_data:/prometheus/
grafana:
image: grafana/grafana-oss
container_name: grafana
restart: unless-stopped
user: "0:0"
depends_on:
- prometheus
networks:
- net
environment:
- PUID=472
- PGID=472
- TZ=Europe/Berlin
volumes:
- /media/docker/data/grafana/:/var/lib/grafana/
- /opt/docker/config/grafana/config/:/etc/grafana/
ddns-updater:
container_name: ddns-updater
image: "ghcr.io/qdm12/ddns-updater"
restart: unless-stopped
depends_on:
- nginx
networks:
net: {}
volumes:
- "/opt/docker/config/ddns-updater/data/:/updater/data/"
homeassistant:
container_name: homeassistant
image: "ghcr.io/home-assistant/home-assistant:stable"
restart: unless-stopped
depends_on:
- nginx
networks:
net: {}
volumes:
- "/etc/localtime:/etc/localtime:ro"
- "/opt/local/home-assistant/config/:/config/"
privileged: true
ports:
- "8123:8123"
- 4357:4357
- 5683:5683
- 5683:5683/udp
stirling:
container_name: stirling
image: frooodle/s-pdf:latest
restart: unless-stopped
depends_on:
- nginx
networks:
net: {}
jellyfin:
container_name: jellyfin
image: jellyfin/jellyfin
restart: "unless-stopped"
depends_on:
- nginx
networks:
net: {}
devices:
- /dev/dri:/dev/dri
volumes:
- /opt/docker/config/jellyfin/config:/config
- /opt/docker/config/jellyfin/cache:/cache
- /media/series:/tv:ro
- /media/movies:/movies:ro
- /media/songs:/music:ro
ports:
- "8096:8096"
paperless-broker:
container_name: paperless-broker
image: docker.io/library/redis:7
restart: unless-stopped
depends_on:
- nginx
networks:
- net
volumes:
- /opt/local/paperless/redis/data:/data
paperless-postgres:
container_name: paperless-postgres
image: docker.io/library/postgres:15
restart: unless-stopped
depends_on:
- nginx
networks:
- net
volumes:
- /opt/local/paperless/db/data:/var/lib/postgresql/data
environment:
POSTGRES_DB: paperless
POSTGRES_USER: paperless
POSTGRES_PASSWORD: 5fnhn%u2YWY3paNvMAjdoufYPQ2Hf3Yi
paperless:
container_name: paperless
image: ghcr.io/paperless-ngx/paperless-ngx:latest
restart: unless-stopped
depends_on:
- paperless-postgres
- paperless-broker
networks:
- net
healthcheck:
test:
["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
interval: 30s
timeout: 10s
retries: 5
volumes:
- /opt/local/paperless/data/data:/usr/src/paperless/data
- /opt/local/paperless/data/media:/usr/src/paperless/media
- /opt/local/paperless/data/export:/usr/src/paperless/export
- /opt/local/paperless/data/consume:/usr/src/paperless/consume
environment:
- "PAPERLESS_REDIS=redis://paperless-broker:6379"
- "PAPERLESS_DBHOST=paperless-postgres"
- "PAPERLESS_DBUSER=paperless"
- "PAPERLESS_DBPASS=5fnhn%u2YWY3paNvMAjdoufYPQ2Hf3Yi"
- "USERMAP_UID=1000"
- "USERMAP_GID=1000"
- "PAPERLESS_URL=https://paperless.docker-host00.lulu.seyshiro.de"
- "PAPERLESS_TIME_ZONE=Europe/Berlin"
- "PAPERLESS_OCR_LANGUAGE=deu"
git:
container_name: git
image: gitea/gitea:1.20.5-rootless
restart: unless-stopped
depends_on:
- nginx
networks:
- net
volumes:
- /opt/local/gitea/data:/var/lib/gitea
- /opt/local/gitea/config:/etc/gitea
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "2222:2222"
environment:
- USER_UID=1000
- USER_GID=1000
athome:
container_name: athome
image: mos4/athome:latest
restart: unless-stopped
depends_on:
- nginx
networks:
- net
ports:
- "10000:8080"
changedetection:
container_name: changedetection
image: dgtlmoon/changedetection.io
restart: unless-stopped
networks:
- net
volumes:
- "/opt/docker/config/changedetection/data/:/datastore"
networks:
net:
driver: bridge
ipam:
driver: default
config:
- subnet: 172.16.69.0/24
volumes:
prometheus_data: {}

6
roles/docker_host/handlers/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Restart docker
ansible.builtin.service:
name: docker
state: restarted
become: true

14
roles/docker_host/tasks/deploy_compose.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Copy docker compose file to target
ansible.builtin.template:
src: "files/{{ item }}"
dest: "/opt/docker/compose/{{ item }}"
owner: "{{ user }}"
group: "{{ user }}"
mode: "644"
backup: true
loop:
- compose.yaml
notify:
- Restart docker
become: true

109
roles/docker_host/tasks/directory_setup.yml Normal file
View File

@ -0,0 +1,109 @@
---
- name: Create /media/docker directory
ansible.builtin.file:
path: /media/docker
state: directory
mode: "0755"
become: true
- name: Create /media/series directory
ansible.builtin.file:
path: /media/series
state: directory
mode: "0755"
become: true
- name: Create /media/movies directory
ansible.builtin.file:
path: /media/movies
state: directory
mode: "0755"
become: true
- name: Create /media/songs directory
ansible.builtin.file:
path: /media/songs
state: directory
mode: "0755"
become: true
- name: Create /opt/docker directory
ansible.builtin.file:
path: /opt/docker
state: directory
mode: "0755"
become: true
- name: Create /opt/local directory
ansible.builtin.file:
path: /opt/local
state: directory
mode: "0755"
become: true
- name: Set ownership of /opt/local to tudattr
ansible.builtin.file:
path: /opt/local
owner: tudattr
group: tudattr
become: true
- name: Set ownership of /opt/docker to tudattr
ansible.builtin.file:
path: /opt/docker
owner: tudattr
group: tudattr
become: true
- name: Set ownership of /media directories to tudattr
ansible.builtin.file:
path: /media/
owner: tudattr
group: tudattr
recurse: true
become: true
- name: Ensure /media/docker is mounted via NFS
ansible.posix.mount:
path: /media/docker
src: 192.168.20.12:/media/docker
fstype: nfs
opts: defaults,nolock
state: mounted
become: true
- name: Ensure /media/series is mounted via NFS
ansible.posix.mount:
path: /media/series
src: 192.168.20.12:/media/series
fstype: nfs
opts: defaults,nolock
state: mounted
become: true
- name: Ensure /media/movies is mounted via NFS
ansible.posix.mount:
path: /media/movies
src: 192.168.20.12:/media/movies
fstype: nfs
opts: defaults,nolock
state: mounted
become: true
- name: Ensure /media/songs is mounted via NFS
ansible.posix.mount:
path: /media/songs
src: 192.168.20.12:/media/songs
fstype: nfs
opts: defaults,nolock
state: mounted
become: true
- name: Ensure /opt/docker is mounted via NFS
ansible.posix.mount:
path: /opt/docker
src: 192.168.20.12:/opt/docker
fstype: nfs
opts: defaults,nolock
state: mounted
become: true

59
roles/docker_host/tasks/installation.yml Normal file
View File

@ -0,0 +1,59 @@
---
- name: Uninstall old versions
ansible.builtin.apt:
name: "{{ item }}"
state: absent
purge: true
loop:
- docker
- docker-engine
- docker.io
- containerd
- runc
become: true
- name: Update cache
ansible.builtin.apt:
update_cache: true
become: true
- name: Install dependencies for apt to use repositories over HTTPS
ansible.builtin.apt:
name: "{{ item }}"
state: present
loop:
- ca-certificates
- curl
- gnupg
- lsb-release
become: true
- name: Add Docker apt key.
ansible.builtin.get_url:
url: "{{ docker.url }}/{{ ansible_distribution | lower }}/gpg"
dest: /etc/apt/trusted.gpg.d/docker.asc
mode: "0664"
force: true
become: true
- name: Add Docker repository.
ansible.builtin.apt_repository:
repo: "deb [arch={{ arch }}] {{ docker.url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker.apt_release_channel }}"
state: present
become: true
- name: Update cache
ansible.builtin.apt:
update_cache: true
become: true
- name: Install Docker Engine, containerd, and Docker Compose.
ansible.builtin.apt:
name: "{{ item }}"
state: present
loop:
- docker-ce
- docker-ce-cli
- docker-compose-plugin
- containerd.io
become: true

15
roles/docker_host/tasks/main.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Setup VM
ansible.builtin.include_tasks: setup.yml
- name: Install docker
ansible.builtin.include_tasks: installation.yml
- name: Setup user and group for docker
ansible.builtin.include_tasks: user_group_setup.yml
- name: Setup directory structure for docker
ansible.builtin.include_tasks: directory_setup.yml
- name: Deploy docker compose
ansible.builtin.include_tasks: deploy_compose.yml

9
roles/docker_host/tasks/setup.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Enable HW accelerate for VM
ansible.builtin.apt:
name: "{{ item }}"
state: present
loop:
- firmware-misc-nonfree
- nfs-common
become: true

14
roles/docker_host/tasks/user_group_setup.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Ensure group "docker" exists
ansible.builtin.group:
name: docker
state: present
become: true
- name: Append the group docker to "{{ user }}"
ansible.builtin.user:
name: "{{ user }}"
shell: /bin/bash
groups: docker
append: true
become: true

11
staging Normal file
View File

@ -0,0 +1,11 @@
[vm]
docker-host01
[vm:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"'
[docker]
docker-host01
[docker_host]
docker-host01