From a331265bde137a12effc8cd2bb6e1077b9037db0 Mon Sep 17 00:00:00 2001
From: Tuan-Dat Tran
Date: Thu, 4 Jun 2026 01:44:55 +0200
Subject: [PATCH] feat(edge_vps): add pangolin/gerbil/traefik stack with versioned images
---
 roles/edge_vps/defaults/main.yaml | 8 ++-
 roles/edge_vps/handlers/main.yaml | 10 +++-
 roles/edge_vps/tasks/10_directories.yaml | 4 +-
 roles/edge_vps/tasks/40_pangolin.yaml | 15 ++---
 .../templates/pangolin/docker-compose.yml.j2 | 57 +++++++++++++++----
 5 files changed, 66 insertions(+), 28 deletions(-)
diff --git a/roles/edge_vps/defaults/main.yaml b/roles/edge_vps/defaults/main.yaml
index 155244b..6006d65 100644
--- a/roles/edge_vps/defaults/main.yaml
+++ b/roles/edge_vps/defaults/main.yaml
@@ -6,6 +6,10 @@ edge_vps_wireguard_address: "10.133.7.1/24"
 edge_vps_wireguard_port: 61975
 edge_vps_traefik_config_dir: "{{ edge_vps_config_base }}/traefik"
 edge_vps_traefik_logs_dir: "{{ edge_vps_traefik_config_dir }}/logs"
-edge_vps_pangolin_config_dir: "{{ edge_vps_config_base }}/pangolin"
-edge_vps_elastic_config_dir: "{{ edge_vps_config_base }}/elastic-agent"
+edge_vps_pangolin_config_dir: "{{ edge_vps_config_base }}"
+edge_vps_pangolin_compose_dir: /root
+edge_vps_pangolin_version: "1.12.1"
+edge_vps_gerbil_version: "1.2.2"
+edge_vps_traefik_version: "v3.5"
+edge_vps_elastic_config_dir: /root/agent
 edge_vps_elastic_state_dir: /var/lib/elastic-agent/elastic-system/elastic-agent/state
diff --git a/roles/edge_vps/handlers/main.yaml b/roles/edge_vps/handlers/main.yaml
index f26432c..ddb012d 100644
--- a/roles/edge_vps/handlers/main.yaml
+++ b/roles/edge_vps/handlers/main.yaml
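Review bot: In roles/edge_vps/defaults/main.yaml, `edge_vps_traefik_version: "v3.5"` is a moving minor tag, unlike the patch-level pins chosen for pangolin and gerbil, so the internet-facing proxy image can change underneath an unchanged role. Pin it to a full patch tag or a digest, e.g. `edge_vps_traefik_version: "<full-patch-tag-or-tag@sha256:digest>"`. `edge_vps_pangolin_compose_dir: /root` and `edge_vps_elastic_config_dir: /root/agent` are hard-coded while their neighbours derive from `edge_vps_config_base`. The compose template's `./config/...` mounts resolve relative to the compose dir, so they only line up with `edge_vps_pangolin_config_dir` if the base is `/root/config` (not visible in this hunk). A comment such as `# compose mounts ./config relative to this dir; must be the parent of edge_vps_config_base` would record that coupling.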
@@ -7,6 +7,12 @@
 - name: Restart traefik
 ansible.builtin.command:
- cmd: docker compose restart
- chdir: "{{ edge_vps_traefik_config_dir }}"
+ cmd: podman compose restart traefik
+ chdir: "{{ edge_vps_pangolin_compose_dir }}"
 listen: restart traefik
+
+- name: Restart pangolin
+ ansible.builtin.command:
+ cmd: podman compose restart pangolin
+ chdir: "{{ edge_vps_pangolin_compose_dir }}"
+ listen: restart pangolin
diff --git a/roles/edge_vps/tasks/10_directories.yaml b/roles/edge_vps/tasks/10_directories.yaml
index 3518a02..0c1b791 100644
--- a/roles/edge_vps/tasks/10_directories.yaml
+++ b/roles/edge_vps/tasks/10_directories.yaml
@@ -14,9 +14,9 @@
 - "{{ edge_vps_traefik_config_dir }}"
 - "{{ edge_vps_traefik_logs_dir }}"
-- name: Create Pangolin config directory
+- name: Create Pangolin letsencrypt directory
 ansible.builtin.file:
- path: "{{ edge_vps_pangolin_config_dir }}"
+ path: "{{ edge_vps_pangolin_config_dir }}/letsencrypt"
 state: directory
 mode: "0755"
diff --git a/roles/edge_vps/tasks/40_pangolin.yaml b/roles/edge_vps/tasks/40_pangolin.yaml
index 68bf51e..00ba3ad 100644
--- a/roles/edge_vps/tasks/40_pangolin.yaml
+++ b/roles/edge_vps/tasks/40_pangolin.yaml
@@ -9,16 +9,11 @@
 - name: Deploy Pangolin docker-compose
 ansible.builtin.template:
 src: pangolin/docker-compose.yml.j2
- dest: "{{ edge_vps_pangolin_config_dir }}/docker-compose.yml"
+ dest: "{{ edge_vps_pangolin_compose_dir }}/docker-compose.yml"
 mode: "0644"
-- name: Create letsencrypt directory for Pangolin
- ansible.builtin.file:
- path: "{{ edge_vps_pangolin_config_dir }}/letsencrypt"
- state: directory
- mode: "0755"
-
 - name: Start Pangolin
- community.docker.docker_compose_v2:
- project_src: "{{ edge_vps_pangolin_config_dir }}"
- state: present
+ ansible.builtin.command:
+ cmd: podman compose up -d
+ chdir: "{{ edge_vps_pangolin_compose_dir }}"
+ changed_when: false
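Review bot: In roles/edge_vps/tasks/10_directories.yaml the letsencrypt directory is still created with `mode: "0755"` and no explicit owner (the mode line is context in this hunk). The compose template mounts a `letsencrypt` directory into traefik at `/letsencrypt`, presumably its ACME storage including private key material, so `mode: "0700"` with `owner: root` and `group: root` would be the least-privilege setting. Whether this path and the template's `./config/letsencrypt` are the same directory depends on `edge_vps_config_base`, which is not visible here.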
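Review bot: In roles/edge_vps/tasks/40_pangolin.yaml the rendered compose file is still written with `mode: "0644"` (a context line of the template task), yet after this commit the template embeds the Cloudflare DNS API token in traefik's `environment:` block. `mode: "0600"` with `owner: root` would stop the secret from being world-readable, and `no_log: true` on the template task would keep it out of `--diff` output. The new `Start Pangolin` task sets `changed_when: false`, so a run that pulls new images or recreates containers reports no change. If that is intentional, a comment such as `# change detection intentionally disabled for podman compose up -d` would document it. `podman compose` delegates to an external compose provider that this role does not visibly install, so that prerequisite is worth stating next to the task.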
diff --git a/roles/edge_vps/templates/pangolin/docker-compose.yml.j2 b/roles/edge_vps/templates/pangolin/docker-compose.yml.j2
index 6fb08f0..daec372 100644
--- a/roles/edge_vps/templates/pangolin/docker-compose.yml.j2
+++ b/roles/edge_vps/templates/pangolin/docker-compose.yml.j2
@@ -1,25 +1,58 @@
+name: pangolin
 services:
 pangolin:
- image: fosrl/pangolin:latest
+ image: docker.io/fosrl/pangolin:{{ edge_vps_pangolin_version }}
 container_name: pangolin
 restart: unless-stopped
- ports:
- - "3001:3001"
- - "443:443"
- - "80:80"
 volumes:
- - ./config.yml:/app/config/config.yml:ro
- - ./letsencrypt:/letsencrypt
- depends_on:
- - gerbil
+ - ./config:/app/config
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
+ interval: "10s"
+ timeout: "10s"
+ retries: 15
 gerbil:
- image: fosrl/gerbil:latest
+ image: docker.io/fosrl/gerbil:{{ edge_vps_gerbil_version }}
 container_name: gerbil
 restart: unless-stopped
- network_mode: host
+ depends_on:
+ pangolin:
+ condition: service_healthy
+ command:
+ - --reachableAt=http://gerbil:3004
+ - --generateAndSaveKeyTo=/var/config/key
+ - --remoteConfig=http://pangolin:3001/api/v1/
+ volumes:
+ - ./config/:/var/config
 cap_add:
 - NET_ADMIN
 - SYS_MODULE
+ ports:
+ - 51820:51820/udp
+ - 21820:21820/udp
+ - 443:443
+ - 80:80
+ - 6443:6443
+
+ traefik:
+ image: docker.io/traefik:{{ edge_vps_traefik_version }}
+ container_name: traefik
+ restart: unless-stopped
+ network_mode: service:gerbil
+ depends_on:
+ pangolin:
+ condition: service_healthy
+ command:
+ - --configFile=/etc/traefik/traefik_config.yml
+ environment:
+ CLOUDFLARE_DNS_API_TOKEN: {{ vault_edge_vps.traefik.cloudflare_api_token }}
 volumes:
- - /lib/modules:/lib/modules
+ - ./config/traefik:/etc/traefik:ro
+ - ./config/letsencrypt:/letsencrypt
+ - ./config/traefik/logs:/var/log/traefik
+
+networks:
+ default:
+ driver: bridge
+ name: pangolin
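Review bot: The traefik `environment:` entry renders the vaulted token as an unquoted plain scalar, so an empty value becomes null and a value containing a YAML indicator can break or retype the parse; quote it as `CLOUDFLARE_DNS_API_TOKEN: "{{ vault_edge_vps.traefik.cloudflare_api_token }}"`. Gerbil keeps `NET_ADMIN` and `SYS_MODULE` and now receives the whole `./config/` tree read-write, although its arguments only reference `/var/config/key`. A dedicated mount such as `- ./config/gerbil:/var/config` would keep pangolin's config and the traefik and letsencrypt data out of its reach, provided nothing else in gerbil reads that tree. Pangolin's config mount also lost the `:ro` that the removed `config.yml` line had. The published ports lost their quotes compared with the removed lines; the `- "443:443"` form avoids YAML 1.1 implicit-typing surprises.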