From 12d3aeb0cddc961df414f95113cdca4532d292d9 Mon Sep 17 00:00:00 2001
From: Muhammed Hussein Karimi
Date: Mon, 11 Oct 2021 23:48:01 +0330
Subject: [PATCH] ansible playbook added this playbook will install docker then install uptime kuma using docker and install and configure nginx with ssl
---
ansible/README.md | 10 +++
ansible/playbook.yml | 7 ++
ansible/roles/docker/tasks/main.yml | 44 +++++++++
ansible/roles/nginx/files/README.md | 2 +
ansible/roles/nginx/tasks/main.yml | 29 ++++++
.../roles/nginx/templates/docker-compose.yml | 8 ++
ansible/roles/nginx/templates/nginx.conf | 90 +++++++++++++++++++
ansible/roles/uptime-kuma/tasks/main.yml | 23 +++++
.../uptime-kuma/templates/docker-compose.yml | 10 +++
9 files changed, 223 insertions(+)
create mode 100644 ansible/README.md
create mode 100644 ansible/playbook.yml
create mode 100644 ansible/roles/docker/tasks/main.yml
create mode 100644 ansible/roles/nginx/files/README.md
create mode 100644 ansible/roles/nginx/tasks/main.yml
create mode 100644 ansible/roles/nginx/templates/docker-compose.yml
create mode 100644 ansible/roles/nginx/templates/nginx.conf
create mode 100644 ansible/roles/uptime-kuma/tasks/main.yml
create mode 100644 ansible/roles/uptime-kuma/templates/docker-compose.yml
diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 000000000..2de047297
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,10 @@
+# Ansible Playbook to install uptime kuma using docker
+
+This playbook comes with three roles
+
+ 1. docker (to install docker)
+ 2. nginx (to install nginx using docker with ssl)
+ 3. uptime kuma (to install uptime kuma using docker)
+
+To see more info see docker-compose, tasks and config files
+I will try to make this readme better
\ No newline at end of file
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
new file mode 100644
index 000000000..f62b24f02
--- /dev/null
+++ b/ansible/playbook.yml
@@ -0,0 +1,7 @@
+- name: install uptime kuma with nginx connected
+ hosts: all
+ roles:
+ - {role: docker, tags: ["docker"]}
+ - {role: kuma, tags: ["kuma"]}
+ - {role: nginx, tags: ["nginx"]}
+
\ No newline at end of file
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
new file mode 100644
index 000000000..cf7a619af
--- /dev/null
+++ b/ansible/roles/docker/tasks/main.yml
@@ -0,0 +1,44 @@
+- name: Ensure docker and docker-compose and essentional libs are installed
+ package:
+ name: "{{item}}"
+ state: present
+ loop:
+ - docker.io
+ - docker-compose
+ - python-pip
+ - python3-docker
+ - python3-pip
+ - libssl-dev
+ - libffi-dev
+ - python-setuptools
+
+- name: Ensure docker-compose is installed via pip
+ pip:
+ name: "{{item}}"
+ executable: pip3
+ loop:
+ - docker
+ # - docker-compose
+
+### FIX a BUG: https://github.com/docker/docker-py/issues/1502#issuecomment-506544849
+- name: FIX a BUG Uninstall pip's backports.ssl-match-hostname
+ pip:
+ name: backports.ssl-match-hostname
+ executable: pip
+ state: absent
+- name: FIX a BUG install Debian's python-backports.ssl-match-hostname package
+ package:
+ name: python-backports.ssl-match-hostname
+ state: present
+
+- name: Ensure docker service is enabled and up
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
+
+- name: Ensure docker socket is enabled and up
+ systemd:
+ name: docker.socket
+ state: started
+ enabled: yes
\ No newline at end of file
diff --git a/ansible/roles/nginx/files/README.md b/ansible/roles/nginx/files/README.md
new file mode 100644
index 000000000..71f91486e
--- /dev/null
+++ b/ansible/roles/nginx/files/README.md
@@ -0,0 +1,2 @@
+## Your ssl certs will go here
+put them in ssl directory see nginx.conf for more info
\ No newline at end of file
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
new file mode 100644
index 000000000..a149f19b7
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yml
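Review bot: The role named in `- {role: kuma, tags: ["kuma"]}` does not match the role directory this commit adds, `ansible/roles/uptime-kuma`, so role resolution fails unless a `kuma` role exists somewhere outside this patch; change the line to `- {role: uptime-kuma, tags: ["kuma"]}`. `hosts: all` is a broad target for a play that installs Docker and, via the nginx role, binds ports 80 and 443 on the host network; a dedicated inventory group such as `hosts: uptime_kuma` limits the blast radius of an accidental run. A `---` document-start marker at the top would follow Ansible convention.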
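Review bot: The pip task installs `docker` from PyPI with no version pin, so every run resolves to whatever the index serves at that moment and the host's Docker SDK cannot be reproduced or audited; pin it in the loop, e.g. `- docker==<tested-version>`, consistent with how the nginx image is pinned by tag elsewhere in this commit. `python-pip`, `python-setuptools`, `python-backports.ssl-match-hostname` and `executable: pip` all refer to Python 2 tooling, which appears to be absent on Debian/Ubuntu releases that have dropped Python 2, and with `state: present` the `package` task would then fail the play; the linked docker-py issue is an old workaround and is worth re-checking against the target OS before keeping it. Write the booleans as `enabled: true` rather than `yes`, and start the file with `---`.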
@@ -0,0 +1,29 @@
+- name: Ensure Volumes & Files directories exists
+ file:
+ dest: "{{item}}"
+ state: directory
+ loop:
+ - /compose
+ - /compose/nginx
+ - /compose/volumes
+ - /compose/volumes/nginx
+
+- name: Ensure docker-compose file has been updated
+ template:
+ src: "{{item}}"
+ dest: /compose/nginx/
+ loop:
+ - docker-compose.yml
+
+- name: Ensure nginx config directory exist
+ copy:
+ src: nginx
+ dest: /compose/volumes/nginx/
+ mode: 'preserve'
+ group: root
+ owner: root
+
+- name: Ensure config files are updated
+ template:
+ src: "nginx.conf"
+ dest: /compose/volumes/nginx/nginx.conf
diff --git a/ansible/roles/nginx/templates/docker-compose.yml b/ansible/roles/nginx/templates/docker-compose.yml
new file mode 100644
index 000000000..1e7abb859
--- /dev/null
+++ b/ansible/roles/nginx/templates/docker-compose.yml
@@ -0,0 +1,8 @@
+version: '3.3'
+services:
+ nginx:
+ network_mode: host
+ restart: always
+ image: nginx:1.21.3-alpine
+ volumes:
+ - '/compose/volumes/nginx/:/etc/nginx/'
\ No newline at end of file
diff --git a/ansible/roles/nginx/templates/nginx.conf b/ansible/roles/nginx/templates/nginx.conf
new file mode 100644
index 000000000..ad14a598e
--- /dev/null
+++ b/ansible/roles/nginx/templates/nginx.conf
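Review bot: The `copy` task ships the role's `files/nginx` tree — which the role README designates as the location of the TLS certificate and private key — with `mode: 'preserve'`, so the key's permissions on the target are whatever the git checkout happened to have, and the key itself is expected to live in a version-controlled directory. Keep the private key out of the repository (Ansible Vault or a secrets store) and set its mode explicitly, e.g. a follow-up `file` task with `path: /compose/volumes/nginx/ssl/status.yoursite.privkey.pem` and `mode: "0600"`. Unlike the uptime-kuma role, this role writes `/compose/nginx/docker-compose.yml` but never runs `docker_compose` against it, so nginx is not actually started by the play; add a task mirroring the `Ensure uptime-kuma is up` task with `project_src: /compose/nginx`. Add `---` at the top of the file per Ansible convention.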
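Review bot: The configuration bind mount `'/compose/volumes/nginx/:/etc/nginx/'` is read-write, so a compromised nginx process could rewrite its own configuration and, via `/etc/nginx/ssl`, the TLS key material on the host; mount it read-only as `'/compose/volumes/nginx/:/etc/nginx/:ro'`. `network_mode: host` removes the container's network namespace isolation, apparently so nginx can reach uptime-kuma on `localhost:3001`; record that reason in a comment such as `# host networking: proxies to kuma bound on 127.0.0.1:3001`, and consider the tighter alternative of publishing only ports 80/443 and reaching kuma over a user-defined Docker network. Mounting over all of `/etc/nginx/` also hides the image's bundled `mime.types`, which is harmless only as long as nginx.conf keeps not including it.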
@@ -0,0 +1,90 @@
+user nginx;
+worker_processes auto;
+
+pid /var/run/nginx.pid;
+error_log /var/log/nginx/error.log;
+
+events {
+ worker_connections 2048;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ default_type application/octet-stream;
+
+
+ ### SSL Settings for all servers (https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate)
+ # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+ ssl_certificate /etc/nginx/ssl/status.yoursite.fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/status.yoursite.privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam.pem (TODO: check if it's secure to use others DH parameters!)
+ # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" $request_time $upstream_response_time UPA:$upstream_addr BYS:$bytes_sent BYR:$request_length';
+ access_log /var/log/nginx/access.log main;
+
+ ### Set additional headers to be send to upstream
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+
+ # Remove Headers that gonna be sent to client
+ proxy_hide_header X-Powered-By;
+ proxy_hide_header Server;
+
+ # Redirect HTTP request to HTTPS
+ server {
+ listen 80 default_server;
+ server_name status.yoursite;
+ return 302 https://$host$request_uri;
+ }
+
+ server {
+ server_name status.yoursite;
+ listen 443 ssl http2 default_server;
+
+ access_log /var/log/nginx/yoursite.access.log main;
+ error_log /var/log/nginx/yoursite.error.log;
+
+ location / {
+ # rewrite ^/(.*)/$ /$1 permanent;
+ ### redirect urls with trailing slash to non-trailing slash
+ # https://serverfault.dev/questions/597302/removing-the-trailing-slash-from-a-url-with-nginx
+ # location ~ (?.+)/$ {
+ # return 302 https://$host$no_slash;
+ # }
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:3001/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ }
+}
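Review bot: OCSP stapling as written is unlikely to be effective: `ssl_stapling on` needs a `resolver` directive so nginx can reach the OCSP responder, and `ssl_stapling_verify on` needs `ssl_trusted_certificate` pointing at the issuer chain, otherwise nginx only logs a warning and serves no staple; add `resolver <dns-ip> valid=300s;` and `ssl_trusted_certificate /etc/nginx/ssl/status.yoursite.chain.pem;` beside the two stapling lines. `ssl_dhparam /etc/nginx/ssl/dhparam.pem;` is required for the DHE suites in `ssl_ciphers`, but nothing in this commit provisions that file and nginx refuses to load a config whose dhparam file is missing, so the role should deliver it; answering the inline TODO, the Mozilla `ffdhe2048` group is the standardized RFC 7919 group and is the recommended choice over generating a custom one, so the comment can become `# ffdhe2048 (RFC 7919) from https://ssl-config.mozilla.org/ffdhe2048.txt - standardized group, preferred over custom dhparam`. The HTTP listener's `return 302` should be `return 301 https://$host$request_uri;` so clients cache the upgrade instead of retrying plain HTTP first. The hard-coded `proxy_set_header Connection "upgrade";` applies to every request, not just WebSocket upgrades; a `map $http_upgrade $connection_upgrade` in the http block is the usual way to set it only when `Upgrade` is present.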
diff --git a/ansible/roles/uptime-kuma/tasks/main.yml b/ansible/roles/uptime-kuma/tasks/main.yml
new file mode 100644
index 000000000..bd42148a1
--- /dev/null
+++ b/ansible/roles/uptime-kuma/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: Ensure Volumes & Files directories exists
+ file:
+ dest: "{{item}}"
+ state: directory
+ loop:
+ - /compose
+ - /compose/kuma
+ - /compose/volumes
+ - /compose/volumes/kuma
+
+- name: Ensure docker-compose file has been updated
+ template:
+ src: "{{item}}"
+ dest: /compose/kuma/
+ loop:
+ - docker-compose.yml
+
+- name: Ensure uptime-kuma is up
+ docker_compose:
+ state: present
+ project_src: /compose/kuma
+ pull: yes
+
diff --git a/ansible/roles/uptime-kuma/templates/docker-compose.yml b/ansible/roles/uptime-kuma/templates/docker-compose.yml
new file mode 100644
index 000000000..43705e144
--- /dev/null
+++ b/ansible/roles/uptime-kuma/templates/docker-compose.yml
@@ -0,0 +1,10 @@
+version: '3.3'
+services:
+ uptime-kuma:
+ restart: always
+ ports:
+ - '127.0.0.1:3001:3001'
+ volumes:
+ - '/compose/volumes/uptime-kuma:/app/data'
+ container_name: uptime-kuma
+ image: 'louislam/uptime-kuma:latest'
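Review bot: The data directory this role creates, `/compose/volumes/kuma`, is not the one the compose template in this commit mounts (`/compose/volumes/uptime-kuma:/app/data`), so the created directory sits unused and Docker silently auto-creates the real mount source as a root-owned directory outside Ansible's control; make the two agree, e.g. change the loop entry to `- /compose/volumes/uptime-kuma`. `pull: yes` on every run, combined with the `latest` tag in the template, means each playbook run may silently upgrade the monitoring service to an unreviewed image; once the tag is pinned the pull becomes deterministic and is worth keeping. Write the boolean as `pull: true` and start the file with `---`, matching Ansible convention.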
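Review bot: `image: 'louislam/uptime-kuma:latest'` is a floating tag, so the version actually deployed is whatever the registry serves at run time and cannot be reproduced, rolled back or audited against advisories; pin it the way the nginx template in this commit pins `nginx:1.21.3-alpine`, e.g. `image: 'louislam/uptime-kuma:<version>'`, ideally with an `@sha256:` digest. Binding to `'127.0.0.1:3001:3001'` is the right choice given nginx proxies to localhost; a comment such as `# loopback only - reachable through the nginx reverse proxy` records that intent so a later edit does not open it to `0.0.0.0`.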