diff --git a/README.md b/README.md
index 2c1b98e..02ed414 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,12 @@ Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied.
 ```
 By doing on remote system (example):
+```sh
+sudo systemctl stop ntp.service
+sudo ntpd -gq
+sudo systemctl start ntp.service
+```
+
 ## RaspberryPi
 - Install raspbian lite (2022-09-22-raspios-bullseye-arm64-lite.img) on pi
diff --git a/aya01.yml b/aya01.yml
index 214aeb9..93bf0c2 100644
--- a/aya01.yml
+++ b/aya01.yml
@@ -5,3 +5,4 @@
 roles:
 - role: common
 - role: power_management
+ - role: docker
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 8891754..429b875 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -15,6 +15,7 @@ common_packages:
 - git
 - tmux
 - smartmontools
+ - curl
 #
 # Docker
@@ -24,6 +25,8 @@ docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gp
 docker_apt_release_channel: stable
 docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
 docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
-
+
 docker_compose_dir: /opt/docker/compose
 docker_dir: /opt/docker/config
+
+mysql_user: user
diff --git a/host_vars/aya01.yml b/host_vars/aya01.yml
index 3f7a8b7..886e230 100644
--- a/host_vars/aya01.yml
+++ b/host_vars/aya01.yml
@@ -2,5 +2,5 @@ ansible_user: "{{ user }}"
 ansible_host: 192.168.20.12
 ansible_port: 22
 ansible_ssh_private_key_file: /mnt/veracrypt1/genesis
-ansible_become_pass: '{{ aya01_tudattr_password }}'
+ansible_become_pass: '{{ vault_aya01_tudattr_password }}'
diff --git a/host_vars/pi.yml b/host_vars/pi.yml
index 60974a2..a0f0a3d 100644
--- a/host_vars/pi.yml
+++ b/host_vars/pi.yml
@@ -2,4 +2,4 @@ ansible_user: "{{ user }}"
 ansible_host: 192.168.20.11
 ansible_port: 22
 ansible_ssh_private_key_file: /mnt/veracrypt1/genesis
-ansible_become_pass: '{{ pi_tudattr_password }}'
+ansible_become_pass: '{{ vault_pi_tudattr_password }}'
diff --git a/roles/docker/tasks/aya01_compose.yml b/roles/docker/tasks/aya01_compose.yml
new file mode 100644
index 0000000..00f3da1
--- /dev/null
+++ b/roles/docker/tasks/aya01_compose.yml
@@ -0,0 +1,24 @@
+---
+- name: Create Zoneminder directories
+ file:
+ path: "{{ item }}"
+ owner: 1000
+ mode: '700'
+ state: directory
+ loop:
+ - "{{ docker_dir }}/zm/"
+
+- name: Shut down docker
+ shell:
+ cmd: "docker compose down --remove-orphans"
+ chdir: "{{ docker_compose_dir }}"
+
+- name: Copy the compose file
+ template:
+ src: templates/aya01/compose.yaml
+ dest: "{{ docker_compose_dir }}/compose.yaml"
+
+- name: Run docker compose
+ shell:
+ cmd: "docker compose up -d"
+ chdir: "{{ docker_compose_dir }}"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 5b9edcd..7be4290 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,5 +1,7 @@
 ---
 - include_tasks: install.yml
 - include_tasks: user_group_setup.yml
-- include_tasks: compose.yml
-
+- include_tasks: pi_compose.yml
+ when: ansible_hostname == "pi"
+- include_tasks: aya01_compose.yml
+ when: ansible_hostname == "aya01"
diff --git a/roles/docker/tasks/compose.yml b/roles/docker/tasks/pi_compose.yml
similarity index 71%
rename from roles/docker/tasks/compose.yml
rename to roles/docker/tasks/pi_compose.yml
index 5a371ba..b410c3a 100644
--- a/roles/docker/tasks/compose.yml
+++ b/roles/docker/tasks/pi_compose.yml
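Review bot: `Copy the compose file` in aya01_compose.yml renders a file carrying `vault_mysql_root_password` and `vault_mysql_user_password` into `{{ docker_compose_dir }}` with no `mode:`, so it is created under the remote umask (usually world-readable) while the sibling pi tasks give their config files `mode: '400'`; add `mode: '0600'` and an `owner:` to that `template:` task. `Shut down docker` runs `docker compose down` before that file exists, so a first run on a fresh host fails at the `chdir` or at compose's missing-file error unless something outside this file has already created the directory and a compose.yaml; a `stat` of `{{ docker_compose_dir }}/compose.yaml` registered as `compose_file` (constructed name) and `when: compose_file.stat.exists` on the down task makes the play work from the first run. Neither `shell:` task uses shell features or sets `changed_when`, so `command:` would avoid the shell layer and `changed_when: false` on the down step (or the `community.docker` compose module, if the installed collection provides it) would stop the role reporting "changed" on every run.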
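Review bot: Both `when:` guards in main.yml test `ansible_hostname`, the OS hostname gathered as a fact, so a host whose system hostname is not exactly `pi` or `aya01`, or a play run with fact gathering disabled, silently skips both includes and the role finishes green without deploying any compose stack. `inventory_hostname == "pi"` keys on the inventory name the repository already uses for `host_vars/pi.yml` and does not depend on facts; better still, select the task file from a per-host variable (for example `docker_compose_tasks: pi_compose.yml` in host_vars, a constructed name) so the role does not hard-code host names at all.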
@@ -9,16 +9,19 @@
 - name: Copy ddns-config
 template:
 owner: 1000
- src: "templates/ddns-updater/data/config.json"
+ src: "templates/pi/ddns-updater/data/config.json"
 dest: "{{ docker_dir }}/ddns-updater/data/config.json"
 mode: '400'
 - name: Create traefik-config directory
 file:
- path: "{{ docker_dir }}/traefik/"
+ path: "{{ item }}"
 owner: 1000
 mode: '700'
 state: directory
+ loop:
+ - "{{ docker_dir }}/traefik/etc-traefik/"
+ - "{{ docker_dir }}/traefik/var-log/"
 - name: Create pihole-config directory
 file:
@@ -34,9 +37,13 @@
 - name: Copy traefik-config
 template:
 owner: 1000
- src: "templates/traefik/traefik.yml"
- dest: "{{ docker_dir }}/traefik/traefik.yml"
+ src: "templates/pi/{{ item }}"
+ dest: "{{ docker_dir }}/{{ item }}"
 mode: '400'
+ loop:
+ - "traefik/etc-traefik/traefik.yml"
+ - "traefik/var-log/access.log"
+ - "traefik/var-log/traefik.log"
 - name: Shut down docker
 shell:
@@ -45,7 +52,7 @@
 - name: Copy the compose file
 template:
- src: templates/compose.yaml
+ src: templates/pi/compose.yaml
 dest: "{{ docker_compose_dir }}/compose.yaml"
 - name: Run docker compose
diff --git a/roles/docker/templates/aya01/compose.yaml b/roles/docker/templates/aya01/compose.yaml
new file mode 100644
index 0000000..c991d7d
--- /dev/null
+++ b/roles/docker/templates/aya01/compose.yaml
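Review bot: In the second hunk, `Copy traefik-config` now pushes `traefik/var-log/access.log` and `traefik/var-log/traefik.log` through `template:`, and both templates are empty files, so every play after the first finds a non-empty log on the host, sees it differ from the rendered (empty) template, and truncates it; the access log is the audit trail for everything proxied through traefik, so each deploy wipes that evidence. The logs also receive `mode: '400'`, which only works because the writing process ignores file modes as root. Keep the `template:` task for `traefik.yml` alone and create the two logs with `file: state: touch` plus `modification_time: preserve` and `access_time: preserve`, which creates them once and leaves existing content untouched, with a mode the writer can use. `Shut down docker` follows this task past the end of the hunk.
```yaml
- name: Copy traefik-config
  template:
    owner: 1000
    src: "templates/pi/traefik/etc-traefik/traefik.yml"
    dest: "{{ docker_dir }}/traefik/etc-traefik/traefik.yml"
    mode: '400'

- name: Create traefik log files without touching existing content
  file:
    path: "{{ docker_dir }}/traefik/var-log/{{ item }}"
    owner: 1000
    mode: '600'
    state: touch
    modification_time: preserve
    access_time: preserve
  loop:
    - access.log
    - traefik.log

# … unchanged: Shut down docker …
```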
@@ -0,0 +1,49 @@
+version: '3'
+services:
+ db:
+ image: mariadb
+ restart: always
+ networks:
+ - zoneminder
+ volumes:
+ - "/etc/localtime:/etc/localtime:ro"
+ - "{{ docker_dir }}/zm/db:/var/lib/mysql"
+ environment:
+ - "MYSQL_DATABASE=zm"
+ - "MYSQL_ROOT_PASSWORD={{ vault_mysql_root_password }}"
+ - "MYSQL_USER={{ mysql_user }}"
+ - "MYSQL_PASSWORD={{ vault_mysql_user_password }}"
+
+ zoneminder:
+ image: ghcr.io/zoneminder-containers/zoneminder-base:latest
+ restart: always
+ stop_grace_period: 45s
+ depends_on:
+ - db
+ ports:
+ - 80:80
+ networks:
+ - zoneminder
+ - compose_net
+ volumes:
+ - "/etc/localtime:/etc/localtime:ro"
+ - "{{ docker_dir }}/zm/data:/data"
+ - "{{ docker_dir }}/zm/config:/config"
+ - "{{ docker_dir }}/zm/log:/log"
+ - type: tmpfs
+ target: /dev/shm
+ tmpfs:
+ size: 1000000000
+ environment:
+ - MAX_LOG_SIZE_BYTES=1000000
+ - MAX_LOG_NUMBER=20
+
+networks:
+ zoneminder:
+ compose_net:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.16.69.0/24
+ gateway: 172.16.69.1
diff --git a/roles/docker/templates/compose.yaml b/roles/docker/templates/pi/compose.yaml
similarity index 72%
rename from roles/docker/templates/compose.yaml
rename to roles/docker/templates/pi/compose.yaml
index a6108c7..735a785 100644
--- a/roles/docker/templates/compose.yaml
+++ b/roles/docker/templates/pi/compose.yaml
@@ -2,13 +2,16 @@
 version: '3'
 services:
 traefik:
 container_name: traefik
- image: traefik:v2.5
+ image: traefik:latest
+ restart: unless-stopped
 networks:
- - compose_net
+ compose_net: {}
 volumes:
 - "/etc/localtime:/etc/localtime:ro"
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
- - {{ docker_dir }}/traefik/traefik.yml:/etc/traefik/traefik.yml
+ - "{{ docker_dir }}/traefik/etc-traefik/traefik.yml:/etc/traefik/traefik.yml"
+ - "{{ docker_dir }}/traefik/var-log/traefik.log:/var/log/traefik.log"
+ - "{{ docker_dir }}/traefik/var-log/access.log:/var/log/traefik.log"
 ports:
 - 80:80
 - 8080:8080
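Review bot: `db` runs the floating `mariadb` tag and `zoneminder` runs `zoneminder-base:latest`, both under `restart: always`, so the `docker compose up -d` this role issues on every play can pull a new major release of either at any time, and the MariaDB data directory under `{{ docker_dir }}/zm/db` does not downgrade cleanly once that happens; pin both images to an explicit tag or digest (`image: mariadb:<major.minor>`, placeholder). `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` are plain `environment` entries, so the vault values are readable through `docker inspect` by anyone in the docker group and sit in the rendered compose file on the host; the official mariadb image reads `*_PASSWORD_FILE` variants of these variables (confirm for the pinned version), so a compose `secrets:` entry with `MYSQL_ROOT_PASSWORD_FILE=/run/secrets/<name>` keeps them out of the process environment, and the same applies to `WEBPASSWORD` in the pihole service of the pi compose template. `depends_on: - db` only orders container start, not readiness, so `zoneminder` may reach MariaDB before it accepts connections on first boot; a `healthcheck:` on `db` with `depends_on` long syntax and `condition: service_healthy` closes that gap.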
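Review bot: The last two added `volumes:` entries of the traefik service both target `/var/log/traefik.log`, so Docker rejects the service with a duplicate mount point error and, even if it did not, `access.log` would never be written where `accessLog.filePath` in the traefik.yml template expects it; the third entry should read `- "{{ docker_dir }}/traefik/var-log/access.log:/var/log/access.log"`. Replacing the pinned `traefik:v2.5` with `traefik:latest` under `restart: unless-stopped` means the `docker compose up -d` run on every play can move the proxy to a new major release whose static-configuration keys differ from this traefik.yml; keep a version tag (`traefik:v2.<minor>`, placeholder) or a digest. The `traefik` service definition continues past the end of this hunk.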
@@ -20,22 +23,20 @@ services:
 ddns-updater:
 container_name: ddns-updater
 image: "ghcr.io/qdm12/ddns-updater"
+ restart: unless-stopped
 networks:
- - compose_net
+ compose_net: {}
 volumes:
- - {{ docker_dir }}/ddns-updater/data/:/updater/data/
+ - "{{ docker_dir }}/ddns-updater/data/:/updater/data/"
 ports:
 - 8000:8000/tcp
- restart: unless-stopped
 homeassistant:
 container_name: homeassistant
 image: "ghcr.io/home-assistant/home-assistant:stable"
- networks:
- - compose_net
- volumes:
- - /etc/localtime:/etc/localtime:ro
- - {{ docker_dir }}/home-assistant/config/:/config/
 restart: unless-stopped
+ volumes:
+ - "/etc/localtime:/etc/localtime:ro"
+ - "{{ docker_dir }}/home-assistant/config/:/config/"
 privileged: true
 network_mode: host
 labels:
@@ -46,29 +47,29 @@ services:
 pihole:
 container_name: pihole
 image: pihole/pihole:latest
+ restart: unless-stopped
 networks:
- - compose_net
+ compose_net: {}
 ports:
 - "53:53/tcp"
 - "53:53/udp"
 - "67:67/udp"
 - "8089:80/tcp"
 environment:
- - "TZ=Europe/Berlin"
- - "WEBPASSWORD=a"
+ - "WEBPASSWORD={{ vault_pihole_password }}"
 - "ServerIP=192.168.20.11"
 - "INTERFACE=eth0"
 - "DNS1=1.1.1.1"
 - "DNS1=1.0.0.1"
 volumes:
- - "{{ docker_dir }}/pihole/etc-pihole/:/etc/pihole/"
- - "{{ docker_dir }}/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
+ - "/etc/localtime:/etc/localtime:ro"
+ - "{{ docker_dir }}/pihole/etc-pihole/:/etc/pihole/"
+ - "{{ docker_dir }}/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
 dns:
 - 127.0.0.1
 - 1.1.1.1
 cap_add:
 - NET_ADMIN
- restart: unless-stopped
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.pihole.rule=Host(`pihole.{{local_domain}}`)"
diff --git a/roles/docker/templates/ddns-updater/data/config.json b/roles/docker/templates/pi/ddns-updater/data/config.json
similarity index 100%
rename from roles/docker/templates/ddns-updater/data/config.json
rename to roles/docker/templates/pi/ddns-updater/data/config.json
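Review bot: The pihole `environment` list edited in the third hunk still carries `DNS1=` twice (`1.1.1.1` and `1.0.0.1`); those two lines are pre-existing context, but compose folds a list of `KEY=value` entries into a map where, as far as I can tell, the later key wins, so Pi-hole ends up with a single upstream and the second line should be `DNS2=1.0.0.1`. `ServerIP=192.168.20.11` repeats the address `host_vars/pi.yml` already holds as `ansible_host`, so `ServerIP={{ ansible_host }}` would keep the two from drifting. The `labels:` list continues past the end of the hunk.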
diff --git a/roles/docker/templates/traefik/traefik.yml b/roles/docker/templates/pi/traefik/etc-traefik/traefik.yml
similarity index 65%
rename from roles/docker/templates/traefik/traefik.yml
rename to roles/docker/templates/pi/traefik/etc-traefik/traefik.yml
index 0aeb4f4..ba9bd72 100644
--- a/roles/docker/templates/traefik/traefik.yml
+++ b/roles/docker/templates/pi/traefik/etc-traefik/traefik.yml
@@ -9,8 +9,17 @@ entryPoints:
 # Docker configuration backend
 providers:
 docker:
+ exposedByDefault: false
+ network: compose_net
 defaultRule: "Host(`{{ '{{' }} trimPrefix `/` .Name {{ '}}' }}.{{ local_domain }}`)"
 # API and dashboard configuration
 api:
 insecure: true
+ dashboard: true
+
+log:
+ filePath: "/var/log/traefik.log"
+
+accessLog:
+ filePath: "/var/log/access.log"
diff --git a/roles/docker/templates/pi/traefik/var-log/access.log b/roles/docker/templates/pi/traefik/var-log/access.log
new file mode 100644
index 0000000..e69de29
diff --git a/roles/docker/templates/pi/traefik/var-log/traefik.log b/roles/docker/templates/pi/traefik/var-log/traefik.log
new file mode 100644
index 0000000..e69de29
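Review bot: `dashboard: true` is added under an `api:` block that keeps `insecure: true`, and the pi compose template publishes `8080:8080` on the host, so the dashboard and the `/api/*` endpoints, which enumerate every router, service and the Docker labels behind them, answer to anyone on the LAN with no authentication. Drop `insecure: true` and expose the dashboard through a router on the normal entrypoint pointing at `api@internal` behind a `basicAuth` or IP allow-list middleware, or at least bind the published port to a trusted address; `exposedByDefault: false` in the same hunk is the right default for the Docker provider and should stay.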