From 87aa7ecf8b8e1a968735c6e6946dc05b0159255d Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Mon, 9 Oct 2023 23:47:49 -0400
Subject: [PATCH] Add external compose support in the docker role

- Use ansible.posix.synchronize for compose.yml
- Set fact for compose service restarts
- Introduce plain Docker dev host
- Optionally verify repos via GPG before sync
- Hide docker_repos_path in .folder
- Tweak .env for conciseness
- Add --diff to Ansible in Vagrantfile
- Clean output with loop_control
- Embed GPG in base role
---
 Vagrantfile | 1 +
 dev/docker.yml | 8 ++++
 dev/host_vars/docker.yml | 44 ++++++++++++++++++++
 roles/base/tasks/system.yml | 5 +++
 roles/docker/defaults/main.yml | 2 +-
 roles/docker/handlers/main.yml | 26 ++++++++++++
 roles/docker/tasks/main.yml | 29 ++++++++++---
 roles/docker/templates/docker-compose-env.j2 | 3 +-
 8 files changed, 109 insertions(+), 9 deletions(-)
 create mode 100644 dev/docker.yml
 create mode 100644 dev/host_vars/docker.yml

diff --git a/Vagrantfile b/Vagrantfile
index 20d1880..4da8435 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -43,5 +43,6 @@ Vagrant.configure("2") do |config|
 ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
 ansible.compatibility_mode = "2.0"
 ansible.playbook = "dev/" + PLAYBOOK + ".yml"
+ ansible.raw_arguments = ["--diff"]
 end
 end
diff --git a/dev/docker.yml b/dev/docker.yml
new file mode 100644
index 0000000..cca95b9
--- /dev/null
+++ b/dev/docker.yml
@@ -0,0 +1,8 @@
+- name: Install Docker Server
+ hosts: all
+ become: true
+ vars_files:
+ - host_vars/docker.yml
+ roles:
+ - base
+ - docker
diff --git a/dev/host_vars/docker.yml b/dev/host_vars/docker.yml
new file mode 100644
index 0000000..a6ca476
--- /dev/null
+++ b/dev/host_vars/docker.yml
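Review bot: `--diff` makes Ansible print the before/after content of every file a template or copy task changes, so the `.env` that roles/docker/tasks/main.yml renders at mode 0400 (and any registry credential that ends up in it, given the commented `docker_login_pass` in dev/host_vars/docker.yml) will appear in clear text in the Vagrant provisioning output. The flag is reasonable on a dev box, but the secret-bearing task should opt out: add `diff: false` to the "Set environment variables for docker-compose projects" task in the `@@ -73,7 +84,11 @@` hunk of roles/docker/tasks/main.yml. The provisioner block this line sits in starts before the hunk.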
@@ -0,0 +1,44 @@
+# base
+allow_reboot: false
+manage_network: false
+
+# docker
+docker_users:
+ - vagrant
+
+#docker_login_url: https://myregistry.example.com
+#docker_login_user: myuser
+#docker_login_pass: YOUR_PASSWD
+
+docker_compose_deploy:
+ # Traefik
+ - name: traefik
+ url: https://github.com/krislamo/traefik
+ version: 31ee724feebc1d5f91cb17ffd6892c352537f194
+ enabled: true
+ accept_newhostkey: true # Consider verifying manually instead
+ # Must manually add my public GPG key to root's keyring
+ #trusted_keys:
+ # - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+ env:
+ ENABLE: true
+
+ # Traefik 2 (no other external compose to test currently)
+ - name: traefik2
+ url: https://github.com/krislamo/traefik
+ version: 31ee724feebc1d5f91cb17ffd6892c352537f194
+ enabled: true
+ accept_newhostkey: true # Consider verifying manually instead
+ # Must manually add my public GPG key to root's keyring
+ #trusted_keys:
+ # - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+ env:
+ ENABLE: true
+ VERSION: "2.10"
+ DOMAIN: traefik2.local.krislamo.org
+ NAME: traefik2
+ ROUTER: traefik2
+ NETWORK: traefik2
+ WEB_PORT: 127.0.0.1:8000:80
+ WEBSECURE_PORT: 127.0.0.1:4443:443
+ LOCAL_PORT: 127.0.0.1:8444:8443
diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml
index d6d1e79..d8b4437 100644
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -4,6 +4,11 @@
 state: present
 update_cache: true
 
+- name: Install GPG
+ ansible.builtin.apt:
+ name: gpg
+ state: present
+
 - name: Manage root authorized_keys
 ansible.builtin.template:
 src: authorized_keys.j2
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 205692e..5eeb8e9 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
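Review bot: `accept_newhostkey: true` on both entries means the first clone trusts whatever SSH host key the remote presents, and with `trusted_keys` commented out `verify_commit` evaluates to false in the git task, so the full commit SHA in `version` is the only integrity anchor for the deployed compose files. Keep `version` a full 40-character hash rather than a tag or branch while that is the case, and consider pinning the host key ahead of the clone with `ansible.builtin.known_hosts` so `accept_newhostkey` can be dropped instead of documented as "consider verifying manually". If `docker_login_pass` is ever uncommented, store it as an `ansible-vault` encrypted value rather than plain text in host_vars.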
@@ -3,4 +3,4 @@ docker_compose_service: compose
 docker_compose: /usr/bin/docker-compose
 docker_repos_keys: "{{ docker_repos_path }}/.keys"
 docker_repos_keytype: rsa
-docker_repos_path: /srv/compose_repos
+docker_repos_path: /srv/.compose_repos
\ No newline at end of file
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
index 47f5644..a0b6878 100644
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -2,3 +2,29 @@
 ansible.builtin.systemd:
 daemon_reload: true
 listen: compose_systemd
+
+- name: Find which services had a docker-compose.yml updated
+ set_fact:
+ compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
+ loop: "{{ compose_update.results }}"
+ loop_control:
+ label: "{{ item.item.name }}"
+ when: item.changed
+ listen: compose_restart
+
+- name: Find which services had their .env updated
+ set_fact:
+ compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
+ loop: "{{ compose_env_update.results }}"
+ loop_control:
+ label: "{{ item.item.name }}"
+ when: item.changed
+ listen: compose_restart
+
+- name: Restart {{ docker_compose_service }} services
+ ansible.builtin.systemd:
+ state: restarted
+ name: "{{ docker_compose_service }}@{{ item }}"
+ loop: "{{ compose_restart_list | unique }}"
+ when: compose_restart_list is defined
+ listen: compose_restart
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 843e608..fd37dbb 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -38,6 +38,7 @@
 community.crypto.openssh_keypair:
 path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
 type: "{{ docker_repos_keytype }}"
+ comment: "{{ ansible_hostname }}-deploy-key"
 mode: 0400
 state: present
 when: docker_compose_deploy is defined
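Review bot: The `when: compose_restart_list is defined` guard on the restart handler does not protect the loop, because Ansible evaluates `loop` before `when`; if the fact is ever undefined when `compose_restart` fires, `compose_restart_list | unique` errors out instead of skipping. In the visible flow the two set_fact handlers always run first, so this is mostly latent, but a guard that cannot work is misleading; write the loop as `loop: "{{ compose_restart_list | default([]) | unique }}"` and drop the `when`. A one-line comment above the first set_fact handler saying the list is rebuilt from `compose_update` and `compose_env_update` on every notification would also help, since the handler file reads those registered names without defining them.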
@@ -46,11 +47,15 @@
 ansible.builtin.git:
 repo: "{{ item.url }}"
 dest: "{{ docker_repos_path }}/{{ item.name }}"
- version: "{{ item.version | default('main') }}"
- force: true
+ version: "{{ item.version }}"
+ accept_newhostkey: "{{ item.accept_newhostkey | default('false') }}"
+ gpg_whitelist: "{{ item.trusted_keys | default([]) }}"
+ verify_commit: "{{ true if (item.trusted_keys is defined and item.trusted_keys) else false }}"
 key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
- when: docker_compose_deploy is defined
 loop: "{{ docker_compose_deploy }}"
+ loop_control:
+ label: "{{ item.url }}"
+ when: docker_compose_deploy is defined
 
 - name: Create directories for docker-compose projects using the systemd service
 ansible.builtin.file:
@@ -58,14 +63,20 @@
 state: directory
 mode: 0400
 loop: "{{ docker_compose_deploy }}"
+ loop_control:
+ label: "{{ item.name }}"
 when: docker_compose_deploy is defined
 
-- name: Copy docker-compose.yml files to their service directories
- ansible.builtin.copy:
+- name: Synchronize docker-compose.yml
+ ansible.posix.synchronize:
 src: "{{ docker_repos_path }}/{{ item.name }}/{{ item.path | default('docker-compose.yml') }}"
 dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
- remote_src: yes
+ delegate_to: "{{ inventory_hostname }}"
+ register: compose_update
+ notify: compose_restart
 loop: "{{ docker_compose_deploy }}"
+ loop_control:
+ label: "{{ item.name }}"
 when: docker_compose_deploy is defined
 
 - name: Set environment variables for docker-compose projects
@@ -73,7 +84,11 @@
 src: docker-compose-env.j2
 dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
 mode: 0400
+ register: compose_env_update
+ notify: compose_restart
 loop: "{{ docker_compose_deploy }}"
+ loop_control:
+ label: "{{ item.name }}"
 when: docker_compose_deploy is defined and item.env is defined
 
 - name: Add users to docker group
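Review bot: `accept_newhostkey` defaults to the string `'false'` and `verify_commit` is a verbose ternary; both read better as plain booleans: `accept_newhostkey: "{{ item.accept_newhostkey | default(false) }}"` and `verify_commit: "{{ item.trusted_keys | default([]) | length > 0 }}"`. The task also deserves a comment on its contract, because it is not obvious from the code: `gpg_whitelist` is only enforced when `trusted_keys` is non-empty, and the listed key ids must already be in root's keyring since nothing in this role imports them, so an entry with `trusted_keys` set and no matching key fails at verification (the safe direction, but surprising). Dropping `default('main')` makes `version` mandatory per entry; a note such as `# version: full commit sha (required); trusted_keys: gpg key ids that must have signed it` above the task would make both expectations visible.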
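Review bot: `ansible.posix.synchronize` needs rsync on the managed host and nothing in this diff installs it (the base role hunk only adds gpg); unless the base role already does so outside this patch, add an apt task for `rsync` next to the Install GPG one, otherwise the first run on a minimal image fails at this step. Like the `copy` task it replaces, the synchronize task sets no mode on the copied docker-compose.yml, so the file keeps whatever permissions the root-owned checkout had; if compose files may carry secrets, consider `rsync_opts: ["--chmod=F600"]` or a follow-up `file` task. `delegate_to: "{{ inventory_hostname }}"` turns this into a local rsync on the target, which is presumably the intent; a one-line comment saying so would save the next reader a trip to the module docs.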
@@ -96,4 +111,6 @@
 state: started
 enabled: true
 loop: "{{ docker_compose_deploy }}"
+ loop_control:
+ label: "{{ docker_compose_service }}@{{ item.name }}"
 when: item.enabled is defined and item.enabled is true
diff --git a/roles/docker/templates/docker-compose-env.j2 b/roles/docker/templates/docker-compose-env.j2
index f83d868..c74006f 100644
--- a/roles/docker/templates/docker-compose-env.j2
+++ b/roles/docker/templates/docker-compose-env.j2
@@ -1,7 +1,6 @@
 # {{ ansible_managed }}
-
 {% if item.env is defined %}
 {% for kvpair in item.env.items() %}
 {{ kvpair.0 }}={{ kvpair.1 }}
 {% endfor %}
-{% endif %}
+{% endif %}
\ No newline at end of file