diff --git a/dev/host_vars/gitea.yml b/dev/host_vars/gitea.yml
index 44cae68..4adb429 100644
--- a/dev/host_vars/gitea.yml
+++ b/dev/host_vars/gitea.yml
@@ -14,6 +14,7 @@ root_gpgkeys:
 id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
 # docker
+docker_official: true # docker's apt repos
 docker_users:
 - vagrant
@@ -33,6 +34,7 @@ docker_compose_deploy:
 - name: gitea
 url: https://github.com/krislamo/gitea
 version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
+ enabled: true
 env:
 USER_UID: "{{ users.git.uid }}"
 USER_GID: "{{ users.git.gid }}"
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 5eeb8e9..8d8aedc 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1,6 +1,11 @@
+docker_apt_keyring: /etc/apt/keyrings/docker.asc
+docker_apt_keyring_hash: 1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
+docker_apt_keyring_url: https://download.docker.com/linux/debian/gpg
+docker_apt_repo: https://download.docker.com/linux/debian
 docker_compose_root: /var/lib/compose
 docker_compose_service: compose
-docker_compose: /usr/bin/docker-compose
+docker_compose: "{{ (docker_official | bool) | ternary('/usr/bin/docker compose', '/usr/bin/docker-compose') }}"
+docker_official: false
 docker_repos_keys: "{{ docker_repos_path }}/.keys"
 docker_repos_keytype: rsa
 docker_repos_path: /srv/.compose_repos
\ No newline at end of file
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
index a0b6878..7719bf2 100644
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
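Review bot: `docker_compose` now expands to `'/usr/bin/docker compose'` in the `docker_official` branch, a two-token command rather than an executable path, so any consumer that treats the variable as one path (a `stat`, an argv-style `ansible.builtin.command`, a quoted `ExecStart="{{ docker_compose }}"`) breaks only when the official repo is enabled; the unit-template hunk later in this diff does not show its `ExecStart=` line, so this could not be verified here. Pinning the key through `docker_apt_keyring_hash` is a good control — `get_url` fails closed if the published key changes — but the value carries no provenance, so add `# sha256 of the file served at docker_apt_keyring_url; re-pin deliberately when Docker rotates the key` above it rather than leaving the next maintainer to refresh it from whatever the URL serves. `docker_managed`, which `roles/docker/tasks/main.yml` reads with `| default(true)` later in this diff, is not declared here with the other new defaults; add `docker_managed: true` so the knob is discoverable. The file still ends without a newline (`\ No newline at end of file`) and has no `---` document start; both are yamllint defaults worth fixing while it is being edited.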
@@ -21,6 +21,19 @@
 when: item.changed
 listen: compose_restart
+- name: Restart MariaDB
+ ansible.builtin.service:
+ name: mariadb
+ state: restarted
+ when: not mariadb_restarted
+ listen: restart_mariadb # hijack handler for early restart
+
+- name: Set MariaDB as restarted
+ set_fact:
+ mariadb_restarted: true
+ when: not mariadb_restarted
+ listen: restart_mariadb
+
 - name: Restart {{ docker_compose_service }} services
 ansible.builtin.systemd:
 state: restarted
@@ -28,3 +41,14 @@
 loop: "{{ compose_restart_list | unique }}"
 when: compose_restart_list is defined
 listen: compose_restart
+
+- name: Start {{ docker_compose_service }} services and enable on boot
+ ansible.builtin.service:
+ name: "{{ docker_compose_service }}@{{ item.name }}"
+ state: started
+ enabled: true
+ loop: "{{ docker_compose_deploy }}"
+ loop_control:
+ label: "{{ docker_compose_service }}@{{ item.name }}"
+ when: item.enabled is defined and item.enabled is true
+ listen: compose_enable
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index d5ba874..561dd16 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
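Review bot: `when: not mariadb_restarted` on both new handlers raises an undefined-variable error if `restart_mariadb` is ever notified in a run where the mariadb role's `Set MariaDB restarted fact` task did not execute (tags, `--start-at-task`, a play without that role), and a failed handler leaves the configuration change unapplied; guard with `when: not (mariadb_restarted | default(false))`. The same condition appears in the `roles/mariadb/handlers/main.yml` hunk later in this diff. Because `mariadb_restarted` is never reset to false after the early restart, any further `restart_mariadb` notification later in the same play is silently skipped — if that is intended, say so in the `# hijack handler for early restart` comment, which currently does not explain why this role carries a copy of the mariadb handler. `set_fact:` should be `ansible.builtin.set_fact:` to match the FQCN style of the neighbouring handlers.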
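Review bot: `when: item.enabled is defined and item.enabled is true` on the new `Start … services and enable on boot` handler is a strict-type test that silently skips a service whose host_vars say `enabled: "true"`; if that strictness is not intended, `when: item.enabled | default(false) | bool` reads the same and accepts the usual spellings. The `loop:` here uses bare `docker_compose_deploy` while the task that notifies `compose_enable` in the -73 hunk of `roles/docker/tasks/main.yml` loops over `docker_compose_deploy | default([])`; pick one convention.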
@@ -1,7 +1,37 @@
-- name: Install Docker
+- name: Add official Docker APT key
+ ansible.builtin.get_url:
+ url: "{{ docker_apt_keyring_url }}"
+ dest: "{{ docker_apt_keyring }}"
+ checksum: "sha256:{{ docker_apt_keyring_hash }}"
+ when: docker_official
+
+- name: Remove official Docker APT key
+ ansible.builtin.file:
+ path: "{{ docker_apt_keyring }}"
+ state: absent
+ when: not docker_official
+
+- name: Add/remove official Docker APT repository
+ ansible.builtin.apt_repository:
+ repo: >
+ deb [arch=amd64 signed-by={{ docker_apt_keyring }}]
+ {{ docker_apt_repo }} {{ ansible_distribution_release }} stable
+ state: "{{ 'present' if docker_official else 'absent' }}"
+ filename: "{{ docker_apt_keyring | regex_replace('^.*/', '') }}"
+
+- name: Install/uninstall Docker from Debian repositories
 ansible.builtin.apt:
- name: ['docker.io', 'docker-compose']
- state: present
+ name: ['docker.io', 'docker-compose', 'containerd', 'runc']
+ state: "{{ 'absent' if docker_official else 'present' }}"
+ autoremove: true
+ update_cache: true
+
+- name: Install/uninstall Docker from Docker repositories
+ ansible.builtin.apt:
+ name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
+ 'docker-buildx-plugin', 'docker-compose-plugin']
+ state: "{{ 'present' if docker_official else 'absent' }}"
+ autoremove: true
 update_cache: true
 - name: Login to private registry
@@ -15,20 +45,20 @@
 ansible.builtin.file:
 path: "{{ docker_compose_root }}"
 state: directory
- mode: 0500
+ mode: "500"
 - name: Install docker-compose systemd service
 ansible.builtin.template:
 src: docker-compose.service.j2
 dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
- mode: 0400
+ mode: "400"
 notify: compose_systemd
 - name: Create directories to clone docker-compose repositories
 ansible.builtin.file:
 path: "{{ item }}"
 state: directory
- mode: 0400
+ mode: "400"
 loop:
 - "{{ docker_repos_path }}"
 - "{{ docker_repos_keys }}"
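Review bot: `Add official Docker APT key` downloads into `{{ docker_apt_keyring }}` (`/etc/apt/keyrings/docker.asc` per the defaults hunk) but nothing creates `/etc/apt/keyrings` first and `get_url` does not create parent directories, so on a host where that directory is absent — Docker's own instructions create it with `install -m 0755 -d` — the task fails before the repository is configured. The key should also get an explicit `mode: "0644"`, since apt needs the `signed-by` file world-readable (Docker's instructions `chmod a+r` it) and `get_url` otherwise inherits the remote umask. The SHA-256 `checksum:` pin is the right control here: it fails closed if the published key ever differs from `docker_apt_keyring_hash`. In `Add/remove official Docker APT repository`, `repo: >` leaves a trailing newline in the folded value (`repo: >-` gives the single `deb …` line), `arch=amd64` is hard-coded and so silently yields the wrong repo line on non-x86 hosts, and `filename:` derived from the keyring basename produces `docker.asc.list` where plain `docker` reads better. `autoremove: true` on the `state: absent` apt tasks removes every auto-installed package the host no longer needs, not just Docker's dependencies; drop it or run a separate, explicit cleanup.
```yaml
- name: Ensure APT keyring directory exists
  ansible.builtin.file:
    path: "{{ docker_apt_keyring | dirname }}"
    state: directory
    mode: "0755"
  when: docker_official

- name: Add official Docker APT key
  ansible.builtin.get_url:
    # … unchanged: url, dest, checksum …
    mode: "0644"
  when: docker_official
```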
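Review bot: `mode: "500"` and `mode: "400"` keep the old permissions because Ansible converts a string mode with `int(mode, 8)`, but the documented spelling is the leading-zero form `mode: "0500"` / `mode: "0400"`, which reads unambiguously as octal and is the form ansible-lint's `risky-octal` rule expects; a three-digit string looks like a decimal to the next reader. The same three-digit strings appear in the -39, -61 and -83 hunks of this file and should be changed together.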
@@ -39,7 +69,13 @@
 path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
 type: "{{ docker_repos_keytype }}"
 comment: "{{ ansible_hostname }}-deploy-key"
- mode: 0400
+ mode: "400"
+ state: present
+ when: docker_compose_deploy is defined
+
+- name: Check for git installation
+ ansible.builtin.apt:
+ name: git
 state: present
 when: docker_compose_deploy is defined
@@ -61,7 +97,7 @@
 ansible.builtin.file:
 path: "{{ docker_compose_root }}/{{ item.name }}"
 state: directory
- mode: 0400
+ mode: "400"
 loop: "{{ docker_compose_deploy }}"
 loop_control:
 label: "{{ item.name }}"
@@ -73,7 +109,9 @@
 dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
 delegate_to: "{{ inventory_hostname }}"
 register: compose_update
- notify: compose_restart
+ notify:
+ - compose_restart
+ - compose_enable
 loop: "{{ docker_compose_deploy | default([]) }}"
 loop_control:
 label: "{{ item.name }}"
@@ -83,9 +121,11 @@
 ansible.builtin.template:
 src: docker-compose-env.j2
 dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
- mode: 0400
+ mode: "400"
 register: compose_env_update
- notify: compose_restart
+ notify:
+ - compose_restart
+ - compose_enable
 no_log: "{{ docker_compose_env_nolog | default(true) }}"
 loop: "{{ docker_compose_deploy }}"
 loop_control:
@@ -105,13 +145,4 @@
 name: docker
 state: started
 enabled: true
-
-- name: Start docker-compose services and enable on boot
- ansible.builtin.service:
- name: "{{ docker_compose_service }}@{{ item.name }}"
- state: started
- enabled: true
- loop: "{{ docker_compose_deploy }}"
- loop_control:
- label: "{{ docker_compose_service }}@{{ item.name }}"
- when: item.enabled is defined and item.enabled is true
+ when: docker_managed | default(true)
diff --git a/roles/docker/templates/docker-compose.service.j2 b/roles/docker/templates/docker-compose.service.j2
index de9d95d..051f9f9 100644
--- a/roles/docker/templates/docker-compose.service.j2
+++ b/roles/docker/templates/docker-compose.service.j2
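Review bot: After the -105 hunk, a compose unit that was stopped or disabled out of band is never brought back on a no-change run: start/enable now happens only in the `compose_enable` handler, which the -73 and -83 hunks notify solely when the compose file or `.env` changed. If that drift tolerance is intended, record it on the handler with a comment such as `# units are only (re)enabled when their compose file or .env changes; out-of-band stops persist`; if not, keep a `state: started` / `enabled: true` task in the task list, gated by `docker_managed | default(true)` like the docker.service task kept here. The `docker_managed` knob is read here with `| default(true)` but is not declared in the `roles/docker/defaults/main.yml` hunk alongside `docker_official`; declaring it there keeps the default in one place.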
@@ -1,5 +1,5 @@
 [Unit]
-Description=%i docker-compose service
+Description=%i {{ docker_compose_service }} service
 PartOf=docker.service
 After=docker.service
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index 611047e..9fb1a24 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -71,9 +71,3 @@
 src: fail2ban-jail.conf.j2
 dest: /etc/fail2ban/jail.d/gitea.conf
 notify: restart_fail2ban
-
-- name: Start and enable Gitea service
- ansible.builtin.service:
- name: "{{ docker_compose_service }}@{{ gitea_name }}"
- state: started
- enabled: true
diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml
index d69f765..3a13136 100644
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -2,4 +2,11 @@
 ansible.builtin.service:
 name: mariadb
 state: restarted
+ when: not mariadb_restarted
+ listen: restart_mariadb
+
+- name: Set MariaDB as restarted
+ set_fact:
+ mariadb_restarted: true
+ when: not mariadb_restarted
 listen: restart_mariadb
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index fd5c944..f30b02a 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -3,6 +3,10 @@
 name: mariadb-server
 state: present
+- name: Set MariaDB restarted fact
+ set_fact:
+ mariadb_restarted: false
+
 - name: Regather facts for the potentially new docker0 interface
 ansible.builtin.setup:
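Review bot: `set_fact:` in the new `Set MariaDB restarted fact` task is the short module name while the neighbouring `ansible.builtin.setup:` uses the FQCN; write `ansible.builtin.set_fact:` (the same short form is used by the `Set MariaDB as restarted` handlers in both handler files of this diff). The flag's purpose is not obvious from the task name alone; a comment such as `# cleared here so the guarded restart_mariadb handlers fire at most once after this point` would spare the next reader a trip to the handler files.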