diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 6c18dd7..a04c0f7 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,4 +1,5 @@
 [defaults]
+remote_user = mike
 inventory = ./hosts.ini
 interpreter_python = auto_silent
 vault_password_file = ./vault-pass.sh
diff --git a/ansible/roles/gluetun/tasks/main.yml b/ansible/roles/gluetun/tasks/main.yml
index edd3091..cb43e5c 100644
--- a/ansible/roles/gluetun/tasks/main.yml
+++ b/ansible/roles/gluetun/tasks/main.yml
@@ -10,6 +10,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/lidarr/tasks/main.yml b/ansible/roles/lidarr/tasks/main.yml
index b4c4d2d..d32cc1a 100644
--- a/ansible/roles/lidarr/tasks/main.yml
+++ b/ansible/roles/lidarr/tasks/main.yml
@@ -18,6 +18,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/ntfy/tasks/main.yml b/ansible/roles/ntfy/tasks/main.yml
index edd3091..cb43e5c 100644
--- a/ansible/roles/ntfy/tasks/main.yml
+++ b/ansible/roles/ntfy/tasks/main.yml
@@ -10,6 +10,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/overseerr/tasks/main.yml b/ansible/roles/overseerr/tasks/main.yml
index 11077f8..b8a91f7 100644
--- a/ansible/roles/overseerr/tasks/main.yml
+++ b/ansible/roles/overseerr/tasks/main.yml
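Review bot: `remote_user = mike` pins one person's login name into the repository-wide ansible.cfg, so every host and every other operator of this repo now defaults to that account. The connection user belongs with the hosts it applies to — `ansible_user=<user>` per host or group in `hosts.ini`, or a host_vars/group_vars file — rather than in shared defaults. If this is only a local convenience, the uncommitted `ANSIBLE_REMOTE_USER` environment variable gives the same default without committing the name.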
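Review bot: `owner: "{{ docker_user }}"` is added to the docker-compose.yml template task without a matching `group:`, and because the task runs with `become: true` a freshly rendered file is typically owned by `docker_user` but left in root's primary group (an existing file keeps whatever group it already had), so the group bits of `docker_compose_file_mask` apply to a group nobody chose. Add `group: "{{ docker_user }}"` (or whichever group is actually meant to read the compose file) directly under `owner:`. The same one-line omission is in the identical hunks for lidarr, ntfy, overseerr, prowlarr, qbittorrent, radarr and sonarr, and in the first hunk of traefik's tasks/main.yml.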
@@ -16,6 +16,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/prowlarr/tasks/main.yml b/ansible/roles/prowlarr/tasks/main.yml
index b4c4d2d..d32cc1a 100644
--- a/ansible/roles/prowlarr/tasks/main.yml
+++ b/ansible/roles/prowlarr/tasks/main.yml
@@ -18,6 +18,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/qbittorrent/tasks/main.yml b/ansible/roles/qbittorrent/tasks/main.yml
index b4c4d2d..d32cc1a 100644
--- a/ansible/roles/qbittorrent/tasks/main.yml
+++ b/ansible/roles/qbittorrent/tasks/main.yml
@@ -18,6 +18,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/radarr/tasks/main.yml b/ansible/roles/radarr/tasks/main.yml
index b4c4d2d..d32cc1a 100644
--- a/ansible/roles/radarr/tasks/main.yml
+++ b/ansible/roles/radarr/tasks/main.yml
@@ -18,6 +18,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/sonarr/tasks/main.yml b/ansible/roles/sonarr/tasks/main.yml
index b4c4d2d..d32cc1a 100644
--- a/ansible/roles/sonarr/tasks/main.yml
+++ b/ansible/roles/sonarr/tasks/main.yml
@@ -18,6 +18,7 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
diff --git a/ansible/roles/traefik/handlers/main.yml b/ansible/roles/traefik/handlers/main.yml
index d0a3d35..1555db9 100644
--- a/ansible/roles/traefik/handlers/main.yml
+++ b/ansible/roles/traefik/handlers/main.yml
@@ -1,4 +1,4 @@
-- name: Restart Traefik
+- name: restart traefik
 community.docker.docker_compose:
 project_src: "{{ install_directory }}/traefik"
 restarted: true
diff --git a/ansible/roles/traefik/tasks/main.yml b/ansible/roles/traefik/tasks/main.yml
index 2961a0e..e7e482c 100644
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@@ -14,16 +14,11 @@
 template:
 src: docker-compose.yml
 dest: "{{ install_directory}}/traefik/docker-compose.yml"
+ owner: "{{ docker_user }}"
 mode: "{{ docker_compose_file_mask }}"
 validate: docker-compose -f %s config
 become: true
-- name: Start docker container
- community.docker.docker_compose:
- project_src: "{{ install_directory }}/traefik"
- pull: true
- remove_orphans: yes
-
 - name: Install config
 template:
 src: traefik.yml
@@ -40,3 +35,25 @@
 mode: "{{ docker_compose_directory_mask }}"
 owner: "{{ primary_user }}"
 become: true
+
+- name: Install file providers
+ template:
+ src: "{{ item }}"
+ dest: "{{ data_dir }}/traefik/conf/"
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ primary_user }}"
+ with_fileglob:
+ - "templates/conf/*"
+
+- name: Create acme storage file
+ file:
+ path: "{{ data_dir }}/traefik/acme.json"
+ state: touch
+ mode: 0600
+ become: true
+
+- name: Start docker container
+ community.docker.docker_compose:
+ project_src: "{{ install_directory }}/traefik"
+ pull: true
+ remove_orphans: yes
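Review bot: `state: touch` in "Create acme storage file" is not idempotent — `ansible.builtin.file` rewrites the timestamps and reports `changed` on every run — and `mode: 0600` is an unquoted octal whose meaning depends on the YAML loader reading the leading zero as base 8 (ansible-lint's risky-octal rule flags exactly this). Add `modification_time: preserve` and `access_time: preserve` under `state: touch` so an existing store is left alone, and write the mode as `mode: "0600"`. "Install file providers" is also the only task in the hunk without `become: true`; with `owner: "{{ primary_user }}"` that chown will only succeed if the connecting user is already `primary_user` or root, which may be intended but is worth a comment. It would also help to state in a comment that acme.json is deliberately created root-owned with `0600`, since the compose file in the first hunk is chowned to `docker_user` and a reader will wonder whether this one was forgotten.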
diff --git a/ansible/roles/traefik/templates/conf/middlewares.yml b/ansible/roles/traefik/templates/conf/middlewares.yml
new file mode 100644
index 0000000..66d8846
--- /dev/null
+++ b/ansible/roles/traefik/templates/conf/middlewares.yml
@@ -0,0 +1,17 @@
+http:
+ middlewares:
+ lan-whitelist:
+ ipWhitelist:
+ sourceRange:
+ - 10.0.0.0/24
+ - 10.67.115.0/24
+
+ secure-headers:
+ headers:
+ customFrameOptionsValue: SAMEORIGIN
+ forceSTSHeader: true
+ stsSeconds: 15552000
+ stsPreload: true
+ customResponseHeaders:
+ Permissions-Policy: interest-cohort() # Opts out of Google's FLoC network. See https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+ X-Robots-Tag: none
diff --git a/ansible/roles/traefik/templates/docker-compose.yml b/ansible/roles/traefik/templates/docker-compose.yml
index 6a30089..b426a50 100644
--- a/ansible/roles/traefik/templates/docker-compose.yml
+++ b/ansible/roles/traefik/templates/docker-compose.yml
@@ -3,11 +3,15 @@ version: "{{ docker_compose_version }}"
 networks:
 traefik:
 external: true
+ docker-socket-proxy:
+ external: false
 services:
 traefik:
 container_name: traefik
- image: traefik:latest
+ image: traefik:v2.9
+ depends_on:
+ - docker_socket_proxy
 networks:
 - traefik
 - docker-socket-proxy
@@ -24,3 +28,15 @@ services:
 traefik.http.routers.traefik-dashboard.rule: "Host(`traefik.local.{{ personal_domain }}`)"
 traefik.http.routers.traefik-dashboard.service: api@internal
 traefik.http.routers.traefik-dashboard.middlewares: lan-whitelist@file
+
+ docker_socket_proxy:
+ image: tecnativa/docker-socket-proxy:latest
+ restart: unless-stopped
+ networks:
+ - docker-socket-proxy
+ environment:
+ - CONTAINERS=1
+ - SERVICES=1
+ - INFO=1
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
diff --git a/ansible/roles/traefik/templates/traefik.yml b/ansible/roles/traefik/templates/traefik.yml
index 4b3ca00..5c33d92 100644
--- a/ansible/roles/traefik/templates/traefik.yml
+++ b/ansible/roles/traefik/templates/traefik.yml
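Review bot: `stsPreload: true` is paired with `stsSeconds: 15552000` (180 days) and no `stsIncludeSubdomains`, but the HSTS preload list requires a max-age of at least one year plus includeSubDomains, so browsers will honour the header while a preload submission would be rejected; either set `stsSeconds: 31536000` together with `stsIncludeSubdomains: true`, or drop `stsPreload` until the whole domain is ready for it. `lan-whitelist` should carry a comment naming what each of the two ranges is, and stating that the check is only as good as the client address Traefik sees — if any hop in front of the entry point rewrites the source, the rule quietly becomes an allowlist of that hop, and `ipStrategy` here plus `forwardedHeaders.trustedIPs` on the entry point is the supported way to deal with it. `secure-headers` could also add `contentTypeNosniff: true`, which is cheap and independent of which router it is attached to.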
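Review bot: `tecnativa/docker-socket-proxy:latest` stays on a floating tag in the same hunk that pins traefik to `v2.9`, yet this container is the only thing between Traefik and the Docker socket (root-equivalent on the host), so it is the image most worth pinning to a version or digest. The `docker-socket-proxy` network can also be declared `internal: true` so the proxy container has no route off the host, and `SERVICES=1` only serves swarm-mode discovery — if the Docker provider in traefik.yml does not enable `swarmMode` (that file's providers section is not in this diff), `CONTAINERS=1` on its own is enough. Pinning the tag and adding `internal: true` are one line each.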
@@ -23,19 +23,25 @@ entryPoints:
 traefik:
 address: :8080
+api:
+ dashboard: true
+ debug: false
+
 certificatesResolvers:
 letsencrypt:
 acme:
 # Staging server
- caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+ #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
 # Production server
- # caServer: https://acme-v02.api.letsencrypt.org/directory
- email: "{{ letsencrypt_email }}"
- storage: /etc/traefik.acme.json
- dnsChallenge:
- provider: porkbun
- delayBeforeCheck: 0
+ caServer: https://acme-v02.api.letsencrypt.org/directory
+ email: "{{ letsencrypt_email }}"
+ storage: /etc/traefik/acme.json
+ dnsChallenge:
+ provider: porkbun
+ delayBeforeCheck: 0
+ resolvers:
+ - "1.1.1.1:53"
 serversTransport:
 insecureSkipVerify: true
diff --git a/ansible/roles/traefik/vars/main.yml b/ansible/roles/traefik/vars/main.yml
index a8da3f1..819116c 100644
--- a/ansible/roles/traefik/vars/main.yml
+++ b/ansible/roles/traefik/vars/main.yml
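Review bot: Switching `caServer` to the production directory at the same time as moving `storage` to `/etc/traefik/acme.json` only works if that container path is bind-mounted to the `acme.json` the tasks now create on the host; the traefik service's volume list is not part of this diff, so it should be checked, because a non-persisted store means a fresh issuance on every container recreation and Let's Encrypt's duplicate-certificate limit (5 per week) is then exhausted with the staging line now commented out. A comment above `resolvers:` should say why `1.1.1.1:53` is forced, for example `# Check the DNS-01 TXT record against a public resolver rather than the host's local one` (hedged — the motive is not visible here). Visible in the context rather than changed here: `serversTransport.insecureSkipVerify: true` disables backend certificate verification for every service; a per-service serversTransport would confine that to the backends that actually need it.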
@@ -1,29 +1,29 @@ porkbun_api_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 38353531366235383239643438376161613937643431303266663966663930386163353935386135 - 6135356665626161333763326635306132303162383532650a346130613565323330383739326161 - 64353462336430333162333562626432626136616238373237633366336433626231316635636264 - 6130396265333839300a643766303132376138356531393335336165613966633862623632313461 - 65643138383531396630666637623265396461376632393436613964306538383233326562623332 - 61626536313765303164323862326263396163386266613562326231643234623931323065326466 - 63643836316336343966613537623330376462373031363535373136333764336133303134653136 - 62623339616261316164 + 36633865383466613761653530356339306339376335363733623333323337323033643265366239 + 3662663339636537643761306131396239643235393939650a366631613839356538363566396136 + 61613232646335353962326131386439353562663766643230663738666665383234353565316334 + 3734343134326662390a343031366435363539396431323434623138643961313066333831376433 + 37656633383431393161303636366338346362306331666666656531666537343362323562366433 + 38356339346536333234656263633739663337323462633932393064366434353666643535303835 + 38326663303539393332356630396636306466313038333932613530316261363036643534666563 + 38643762396133386638 porkbun_secret_api_key: !vault | $ANSIBLE_VAULT;1.1;AES256 - 30356330383036313732363931663661303336336263306431383835653763643531303830366636 - 6638323437393130653566613061363061363465306633350a343530356334343232336665663138 - 33653737616239306536616139336162313830356462326630336238393137386334623031613833 - 6633363566373731610a383331386230323336633062623764373566323036663364623232613762 - 34636236616432393634366539393036386162343665363338636664393639623532356430613238 - 33393831323334626335333630366331633464353638353636666430616630306139336665376132 - 34326563626465633036656134373430616634393931626638636332323562366565326535626237 - 38313264383866633662 + 
39386233356265366265303231306464653832383736623135303732633339343137613637633438 + 3565316266613631613039376337343662313635336566330a646138373931373534343236373939 + 33343733383664653430343432366461386438613164313763643536336639653439396335656538 + 3432663033323036620a356337666338656437373966616635646138336463623030376362303735 + 65373439316665353464303838393166323638643761376632336431666437623262363236616437 + 61396563306536393636356133613561633838656431343765323033663331626334376234353662 + 62396539316239653637363661646537316264626436386434373334336130623262343630373739 + 64363263623634643536 letsencrypt_email: !vault | $ANSIBLE_VAULT;1.1;AES256 - 62353466393863323930373663656438626661393566366336326235666137303932623838353865 - 3830323761643134656431646632656166656661303963320a343436353633613763643030303364 - 38396464663634343131306638383131343466613537346463373765646434393366373939653964 - 6630626639393637330a386365303332653162383933353265306134383232303635633935623132 - 63616137626161323037613062663063373963643263313366613233383536316638 + 66616132376664623230326531343438613064353632363466383261626565383136373962613838 + 3439623362373931323736663166326364316434303731340a303961376134643530393736366661 + 65386462643538666664626364613737343738303561366330623738633232376436356138656437 + 3363336137313338650a343739623839626632653830376338393162316139343033303261346539 + 64373364616434633438313936376563303437653764633631663431666337323738