ansible playbook added

this playbook will install docker then install uptime kuma using docker and install and configure nginx with ssl
3 years ago · 12d3aeb0cd
parent b7528b9a4e
commit 12d3aeb0cd
9 changed files with 223 additions and 0 deletions
--- a/ansible/README.md
+++ b/ansible/README.md
@ -0,0 +1,10 @@
+# Ansible Playbook to install uptime kuma using docker
+
+This playbook comes with three roles
+
+    1. docker (to install docker)
+    2. nginx (to install nginx using docker with ssl)
+    3. uptime kuma (to install uptime kuma using docker)
+
+To see more info see docker-compose, tasks and config files 
+I will try to make this readme better
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@ -0,0 +1,7 @@
+- name: install uptime kuma with nginx connected
+  hosts: all
+  roles:
+    - {role: docker,            tags: ["docker"]}
+    - {role: kuma,              tags: ["kuma"]}
+    - {role: nginx,             tags: ["nginx"]}
+    
--- a/ansible/roles/docker/tasks/main.yml
+++ b/ansible/roles/docker/tasks/main.yml
@ -0,0 +1,44 @@
+- name: Ensure docker and docker-compose and essentional libs are installed
+  package:
+    name: "{{item}}"
+    state: present
+  loop:
+    - docker.io
+    - docker-compose
+    - python-pip
+    - python3-docker
+    - python3-pip
+    - libssl-dev
+    - libffi-dev
+    - python-setuptools
+
+- name: Ensure docker-compose is installed via pip
+  pip:
+    name: "{{item}}"
+    executable: pip3
+  loop:
+    - docker
+    # - docker-compose
+
+### FIX a BUG: https://github.com/docker/docker-py/issues/1502#issuecomment-506544849
+- name: FIX a BUG Uninstall pip's backports.ssl-match-hostname
+  pip:
+    name: backports.ssl-match-hostname
+    executable: pip
+    state: absent
+- name: FIX a BUG install Debian's python-backports.ssl-match-hostname package
+  package:
+    name: python-backports.ssl-match-hostname
+    state: present
+
+- name: Ensure docker service is enabled and up
+  systemd: 
+    name: docker
+    state: started
+    enabled: yes
+
+- name: Ensure docker socket is enabled and up
+  systemd: 
+    name: docker.socket
+    state: started
+    enabled: yes
--- a/ansible/roles/nginx/files/README.md
+++ b/ansible/roles/nginx/files/README.md
@ -0,0 +1,2 @@
+## Your ssl certs will go here
+put them in ssl directory see nginx.conf for more info
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@ -0,0 +1,29 @@
+- name: Ensure Volumes & Files directories exists
+  file:
+    dest: "{{item}}"
+    state: directory
+  loop:
+    - /compose
+    - /compose/nginx
+    - /compose/volumes
+    - /compose/volumes/nginx
+
+- name: Ensure docker-compose file has been updated
+  template:
+    src: "{{item}}"
+    dest: /compose/nginx/
+  loop:
+    - docker-compose.yml
+
+- name: Ensure nginx config directory exist
+  copy:
+    src: nginx
+    dest: /compose/volumes/nginx/
+    mode: 'preserve'
+    group: root
+    owner: root
+
+- name: Ensure config files are updated
+  template:
+    src: "nginx.conf"
+    dest: /compose/volumes/nginx/nginx.conf
--- a/ansible/roles/nginx/templates/docker-compose.yml
+++ b/ansible/roles/nginx/templates/docker-compose.yml
@ -0,0 +1,8 @@
+version: '3.3'
+services:
+    nginx:
+        network_mode: host
+        restart: always
+        image: nginx:1.21.3-alpine
+        volumes:
+            - '/compose/volumes/nginx/:/etc/nginx/'
--- a/ansible/roles/nginx/templates/nginx.conf
+++ b/ansible/roles/nginx/templates/nginx.conf
@ -0,0 +1,90 @@
+user nginx;
+worker_processes auto;
+
+pid         /var/run/nginx.pid;
+error_log   /var/log/nginx/error.log;
+
+events {
+    worker_connections 2048;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    default_type application/octet-stream;
+
+
+    ### SSL Settings for all servers (https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate)
+    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+    ssl_certificate     /etc/nginx/ssl/status.yoursite.fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/status.yoursite.privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam.pem (TODO: check if it's secure to use others DH parameters!)
+    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent" $request_time $upstream_response_time UPA:$upstream_addr BYS:$bytes_sent BYR:$request_length';
+    access_log  /var/log/nginx/access.log main;
+
+    ### Set additional headers to be send to upstream
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+
+
+    # Remove Headers that gonna be sent to client
+    proxy_hide_header   X-Powered-By;
+    proxy_hide_header   Server;
+
+    # Redirect HTTP request to HTTPS
+    server {
+      listen              80 default_server;
+      server_name         status.yoursite;
+      return 302 https://$host$request_uri;
+    }
+
+    server {
+        server_name     status.yoursite;
+        listen          443 ssl http2 default_server;
+
+        access_log      /var/log/nginx/yoursite.access.log main;
+        error_log       /var/log/nginx/yoursite.error.log;
+
+        location / {
+            # rewrite ^/(.*)/$ /$1 permanent;
+            ### redirect urls with trailing slash to non-trailing slash
+            # https://serverfault.dev/questions/597302/removing-the-trailing-slash-from-a-url-with-nginx
+            # location ~ (?<no_slash>.+)/$ {
+            #     return 302 https://$host$no_slash;
+            # }
+	        proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass         http://localhost:3001/;
+            proxy_http_version 1.1;
+            proxy_set_header   Upgrade $http_upgrade;
+            proxy_set_header   Connection "upgrade";
+        }
+    }
+}
--- a/ansible/roles/uptime-kuma/tasks/main.yml
+++ b/ansible/roles/uptime-kuma/tasks/main.yml
@ -0,0 +1,23 @@
+- name: Ensure Volumes & Files directories exists
+  file:
+    dest: "{{item}}"
+    state: directory
+  loop:
+    - /compose
+    - /compose/kuma
+    - /compose/volumes
+    - /compose/volumes/kuma
+
+- name: Ensure docker-compose file has been updated
+  template:
+    src: "{{item}}"
+    dest: /compose/kuma/
+  loop:
+    - docker-compose.yml
+
+- name: Ensure uptime-kuma is up
+  docker_compose:
+    state: present
+    project_src: /compose/kuma
+    pull: yes
+
--- a/ansible/roles/uptime-kuma/templates/docker-compose.yml
+++ b/ansible/roles/uptime-kuma/templates/docker-compose.yml
@ -0,0 +1,10 @@
+version: '3.3'
+services:
+    uptime-kuma:
+        restart: always
+        ports:
+            - '127.0.0.1:3001:3001'
+        volumes:
+            - '/compose/volumes/uptime-kuma:/app/data'
+        container_name: uptime-kuma
+        image: 'louislam/uptime-kuma:latest'