Add Debian/Official Docker repo toggle

- Default docker_official toggle to false (for now)
- Preempt MariaDB restart before container restarts
- Start containers in a handler

dev/gitea.yml

@@ -6,4 +6,5 @@
   roles:
     - base
     - docker
+    - mariadb
     - gitea

dev/host_vars/gitea.yml

@@ -2,12 +2,19 @@
 allow_reboot: false
 manage_network: false
 
+users:
+  git:
+    uid: 1001
+    gid: 1001
+    home: true
+
 # Import my GPG key for git signature verification
 root_gpgkeys:
   - name: kris@lamoureux.io
     id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
 
 # docker
+docker_official: true # docker's apt repos
 docker_users:
   - vagrant
 
@@ -16,10 +23,25 @@ docker_compose_deploy:
   # Traefik
   - name: traefik
     url: https://github.com/krislamo/traefik
-    version: 31ee724feebc1d5f91cb17ffd6892c352537f194
+    version: 398eb48d311db78b86abf783f903af4a1658d773
     enabled: true
-    accept_newhostkey: true # Consider verifying manually instead
+    accept_newhostkey: true
     trusted_keys:
       - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
     env:
       ENABLE: true
+  # Gitea
+  - name: gitea
+    url: https://github.com/krislamo/gitea
+    version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f
+    enabled: true
+    env:
+      USER_UID: "{{ users.git.uid }}"
+      USER_GID: "{{ users.git.gid }}"
+      DB_PASSWD: "{{ gitea.DB_PASSWD }}"
+
+# gitea
+gitea:
+  DB_NAME: gitea
+  DB_USER: gitea
+  DB_PASSWD: password

dev/host_vars/mediaserver.yml

@@ -5,7 +5,12 @@ allow_reboot: false
 manage_network: false
 
 users:
-  - name: jellyfin
+  jellyfin:
+    uid: 1001
+    gid: 1001
+    shell: /usr/sbin/nologin
+    home: false
+    system: true
 
 samba:
   users:

forward-ssh.sh

@@ -23,9 +23,10 @@ function ssh_connect {
     [yY])
       printf "[INFO]: Starting new vagrant SSH tunnel on PID "
       sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
-        -L 8443:localhost:8443 \
+        -L 22:localhost:22 \
         -L 80:localhost:80 \
         -L 443:localhost:443 \
+        -L 8443:localhost:8443 \
         -o UserKnownHostsFile=/dev/null \
         -o StrictHostKeyChecking=no \
         vagrant@"$HOST_IP" 2>/dev/null

roles/base/handlers/main.yml

@@ -5,6 +5,10 @@
   listen: reboot_host
   when: allow_reboot
 
+- name: Reconfigure locales
+  ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
+  listen: reconfigure_locales
+
 - name: Restart WireGuard
   ansible.builtin.service:
     name: wg-quick@wg0

roles/base/tasks/ansible.yml

@@ -2,4 +2,4 @@
   ansible.builtin.file:
     path: "~/.ansible/tmp"
     state: directory
-    mode: 0700
+    mode: "700"

roles/base/tasks/ddclient.yml

@@ -7,7 +7,7 @@
   ansible.builtin.template:
     src: ddclient.conf.j2
     dest: /etc/ddclient.conf
-    mode: 0600
+    mode: "600"
   register: ddclient_settings
 
 - name: Start ddclient and enable on boot

roles/base/tasks/firewall.yml

@@ -32,14 +32,14 @@
   ansible.builtin.template:
     src: fail2ban-ssh.conf.j2
     dest: /etc/fail2ban/jail.d/sshd.conf
-    mode: 0640
+    mode: "640"
   notify: restart_fail2ban
 
 - name: Install Fail2ban IP allow list
   ansible.builtin.template:
     src: fail2ban-allowlist.conf.j2
     dest: /etc/fail2ban/jail.d/allowlist.conf
-    mode: 0640
+    mode: "640"
   when: fail2ban_ignoreip is defined
   notify: restart_fail2ban
 

roles/base/tasks/mail.yml

@@ -11,10 +11,10 @@
   ansible.builtin.template:
     src: msmtprc.j2
     dest: /root/.msmtprc
-    mode: 0600
+    mode: "600"
 
 - name: Install /etc/aliases
   ansible.builtin.copy:
     dest: /etc/aliases
     content: "root: {{ mail.rootalias }}"
-    mode: 0644
+    mode: "644"

roles/base/tasks/network.yml

@@ -10,6 +10,6 @@
   ansible.builtin.template:
     src: "interface.j2"
     dest: "/etc/network/interfaces.d/{{ item.name }}"
-    mode: 0400
+    mode: "400"
   loop: "{{ interfaces }}"
   notify: reboot_host

roles/base/tasks/samba.yml

@@ -3,23 +3,15 @@
     name: samba
     state: present
 
-- name: Create nologin shell accounts for Samba
-  ansible.builtin.user:
-    name: "{{ item.name }}"
-    state: present
-    shell: /usr/sbin/nologin
-    createhome: false
-    system: yes
-  loop: "{{ samba.users }}"
-  when: item.manage_user is defined and item.manage_user is true
-
 - name: Create Samba users
-  ansible.builtin.shell: "smbpasswd -a {{ item.name }}"
+  ansible.builtin.command: "smbpasswd -a {{ item.name }}"
   args:
     stdin: "{{ item.password }}\n{{ item.password }}"
   loop: "{{ samba.users }}"
+  loop_control:
+    label: "{{ item.name }}"
   register: samba_users
-  changed_when: "'User added' in samba_users.stdout"
+  changed_when: "'Added user' in samba_users.stdout"
 
 - name: Ensure share directories exist
   ansible.builtin.file:
@@ -27,13 +19,14 @@
     owner: "{{ item.owner }}"
     group: "{{ item.group }}"
     state: directory
-    mode: 0755
+    mode: "755"
   loop: "{{ samba.shares }}"
 
 - name: Configure Samba shares
   ansible.builtin.template:
     src: smb.conf.j2
     dest: /etc/samba/smb.conf
+    mode: "700"
   notify: restart_samba
 
 - name: Start smbd and enable on boot

roles/base/tasks/system.yml

@@ -10,7 +10,7 @@
     state: present
 
 - name: Check for existing GPG keys
-  command: "gpg --list-keys {{ item.id }} 2>/dev/null"
+  ansible.builtin.command: "gpg --list-keys {{ item.id }} 2>/dev/null"
   register: gpg_check
   loop: "{{ root_gpgkeys }}"
   failed_when: false
@@ -18,20 +18,22 @@
   when: root_gpgkeys is defined
 
 - name: Import GPG keys
-  command: "gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
+  ansible.builtin.command:
+    "gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }} --recv-key {{ item.item.id }}"
   register: gpg_check_import
   loop: "{{ gpg_check.results }}"
   loop_control:
     label: "{{ item.item }}"
+  changed_when: false
   when: root_gpgkeys is defined and item.rc != 0
 
 - name: Check GPG key imports
-  fail:
+  ansible.builtin.fail:
     msg: "{{ item.stderr }}"
   loop: "{{ gpg_check_import.results }}"
   loop_control:
     label: "{{ item.item.item }}"
-  when: (item.skipped | default(false) == false) and ('imported' not in item.stderr)
+  when: root_gpgkeys is defined and (not item.skipped | default(false)) and ('imported' not in item.stderr)
 
 - name: Install NTPsec
   ansible.builtin.apt:
@@ -47,7 +49,7 @@
   community.general.locale_gen:
     name: "{{ locale_default }}"
     state: present
-  register: locale_gen_output
+  notify: reconfigure_locales
 
 - name: Set the default locale
   ansible.builtin.lineinfile:
@@ -55,24 +57,35 @@
     regexp: "^LANG="
     line: "LANG={{ locale_default }}"
 
-- name: Reconfigure locales
-  ansible.builtin.command: dpkg-reconfigure -f noninteractive locales
-  when: locale_gen_output.changed
-
 - name: Manage root authorized_keys
   ansible.builtin.template:
     src: authorized_keys.j2
     dest: /root/.ssh/authorized_keys
-    mode: 0400
+    mode: "400"
   when: authorized_keys is defined
 
+- name: Create system user groups
+  ansible.builtin.group:
+    name: "{{ item.key }}"
+    gid: "{{ item.value.gid }}"
+    state: present
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  when: users is defined
+
 - name: Create system users
   ansible.builtin.user:
-    name: "{{ item.name }}"
+    name: "{{ item.key }}"
     state: present
-    shell: "{{ item.shell | default('/bin/bash') }}"
-    create_home: "{{ item.home | default(false) }}"
-  loop: "{{ users }}"
+    uid: "{{ item.value.uid }}"
+    group: "{{ item.value.gid }}"
+    shell: "{{ item.value.shell | default('/bin/bash') }}"
+    create_home: "{{ item.value.home | default(false) }}"
+    system: "{{ item.value.system | default(false) }}"
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   when: users is defined
 
 - name: Set authorized_keys for system users
@@ -80,7 +93,9 @@
     user: "{{ item.key }}"
     key: "{{ item.value.key }}"
     state: present
-  loop: "{{ users }}"
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   when: users is defined and item.value.key is defined
 
 - name: Manage filesystem mounts

roles/base/tasks/wireguard.yml

@@ -22,7 +22,7 @@
   ansible.builtin.template:
     src: wireguard.j2
     dest: /etc/wireguard/wg0.conf
-    mode: 0400
+    mode: "400"
   notify: restart_wireguard
 
 - name: Start WireGuard interface

roles/docker/defaults/main.yml

@@ -1,6 +1,11 @@
+docker_apt_keyring: /etc/apt/keyrings/docker.asc
+docker_apt_keyring_hash: 1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
+docker_apt_keyring_url: https://download.docker.com/linux/debian/gpg
+docker_apt_repo: https://download.docker.com/linux/debian
 docker_compose_root: /var/lib/compose
 docker_compose_service: compose
-docker_compose: /usr/bin/docker-compose
+docker_compose: "{{ (docker_official | bool) | ternary('/usr/bin/docker compose', '/usr/bin/docker-compose') }}"
+docker_official: false
 docker_repos_keys: "{{ docker_repos_path }}/.keys"
 docker_repos_keytype: rsa
 docker_repos_path: /srv/.compose_repos

roles/docker/handlers/main.yml

@@ -21,6 +21,19 @@
   when: item.changed
   listen: compose_restart
 
+- name: Restart MariaDB
+  ansible.builtin.service:
+    name: mariadb
+    state: restarted
+  when: not mariadb_restarted
+  listen: restart_mariadb # hijack handler for early restart
+
+- name: Set MariaDB as restarted
+  set_fact:
+    mariadb_restarted: true
+  when: not mariadb_restarted
+  listen: restart_mariadb
+
 - name: Restart {{ docker_compose_service }} services
   ansible.builtin.systemd:
     state: restarted
@@ -28,3 +41,14 @@
   loop: "{{ compose_restart_list | unique }}"
   when: compose_restart_list is defined
   listen: compose_restart
+
+- name: Start {{ docker_compose_service }} services and enable on boot
+  ansible.builtin.service:
+    name: "{{ docker_compose_service }}@{{ item.name }}"
+    state: started
+    enabled: true
+  loop: "{{ docker_compose_deploy }}"
+  loop_control:
+    label: "{{ docker_compose_service }}@{{ item.name }}"
+  when: item.enabled is defined and item.enabled is true
+  listen: compose_enable

roles/docker/tasks/main.yml

@@ -1,7 +1,37 @@
-- name: Install Docker
+- name: Add official Docker APT key
+  ansible.builtin.get_url:
+    url: "{{ docker_apt_keyring_url }}"
+    dest: "{{ docker_apt_keyring }}"
+    checksum: "sha256:{{ docker_apt_keyring_hash }}"
+  when: docker_official
+
+- name: Remove official Docker APT key
+  ansible.builtin.file:
+    path: "{{ docker_apt_keyring }}"
+    state: absent
+  when: not docker_official
+
+- name: Add/remove official Docker APT repository
+  ansible.builtin.apt_repository:
+    repo: >
+      deb [arch=amd64 signed-by={{ docker_apt_keyring }}]
+      {{ docker_apt_repo }} {{ ansible_distribution_release }} stable
+    state: "{{ 'present' if docker_official else 'absent' }}"
+    filename: "{{ docker_apt_keyring | regex_replace('^.*/', '') }}"
+
+- name: Install/uninstall Docker from Debian repositories
   ansible.builtin.apt:
-    name: ['docker.io', 'docker-compose']
-    state: present
+    name: ['docker.io', 'docker-compose', 'containerd', 'runc']
+    state: "{{ 'absent' if docker_official else 'present' }}"
+    autoremove: true
+    update_cache: true
+
+- name: Install/uninstall Docker from Docker repositories
+  ansible.builtin.apt:
+    name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
+           'docker-buildx-plugin', 'docker-compose-plugin']
+    state: "{{ 'present' if docker_official else 'absent' }}"
+    autoremove: true
     update_cache: true
 
 - name: Login to private registry
@@ -15,20 +45,20 @@
   ansible.builtin.file:
     path: "{{ docker_compose_root }}"
     state: directory
-    mode: 0500
+    mode: "500"
 
 - name: Install docker-compose systemd service
   ansible.builtin.template:
     src: docker-compose.service.j2
     dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
-    mode: 0400
+    mode: "400"
   notify: compose_systemd
 
 - name: Create directories to clone docker-compose repositories
   ansible.builtin.file:
     path: "{{ item }}"
     state: directory
-    mode: 0400
+    mode: "400"
   loop:
     - "{{ docker_repos_path }}"
     - "{{ docker_repos_keys }}"
@@ -39,7 +69,13 @@
     path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
     type: "{{ docker_repos_keytype }}"
     comment: "{{ ansible_hostname }}-deploy-key"
-    mode: 0400
+    mode: "400"
+    state: present
+  when: docker_compose_deploy is defined
+
+- name: Check for git installation
+  ansible.builtin.apt:
+    name: git
     state: present
   when: docker_compose_deploy is defined
 
@@ -48,7 +84,7 @@
     repo: "{{ item.url }}"
     dest: "{{ docker_repos_path }}/{{ item.name }}"
     version: "{{ item.version }}"
-    accept_newhostkey: "{{ item.accept_newhostkey | default('false') }}"
+    accept_newhostkey: "{{ item.accept_newhostkey | default(false) }}"
     gpg_whitelist: "{{ item.trusted_keys | default([]) }}"
     verify_commit: "{{ true if (item.trusted_keys is defined and item.trusted_keys) else false }}"
     key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
@@ -61,7 +97,7 @@
   ansible.builtin.file:
     path: "{{ docker_compose_root }}/{{ item.name }}"
     state: directory
-    mode: 0400
+    mode: "400"
   loop: "{{ docker_compose_deploy }}"
   loop_control:
     label: "{{ item.name }}"
@@ -73,7 +109,9 @@
     dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
   delegate_to: "{{ inventory_hostname }}"
   register: compose_update
-  notify: compose_restart
+  notify:
+    - compose_restart
+    - compose_enable
   loop: "{{ docker_compose_deploy | default([]) }}"
   loop_control:
     label: "{{ item.name }}"
@@ -83,10 +121,12 @@
   ansible.builtin.template:
     src: docker-compose-env.j2
     dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
-    mode: 0400
+    mode: "400"
   register: compose_env_update
-  notify: compose_restart
-  no_log: "{{ docker_compose_env_nolog | default('true') }}"
+  notify:
+    - compose_restart
+    - compose_enable
+  no_log: "{{ docker_compose_env_nolog | default(true) }}"
   loop: "{{ docker_compose_deploy }}"
   loop_control:
     label: "{{ item.name }}"
@@ -105,13 +145,4 @@
     name: docker
     state: started
     enabled: true
-
-- name: Start docker-compose services and enable on boot
-  ansible.builtin.service:
-    name: "{{ docker_compose_service }}@{{ item.name }}"
-    state: started
-    enabled: true
-  loop: "{{ docker_compose_deploy }}"
-  loop_control:
-    label: "{{ docker_compose_service }}@{{ item.name }}"
-  when: item.enabled is defined and item.enabled is true
+  when: docker_managed | default(true)

roles/docker/templates/docker-compose.service.j2

@@ -1,5 +1,5 @@
 [Unit]
-Description=%i docker-compose service
+Description=%i {{ docker_compose_service }} service
 PartOf=docker.service
 After=docker.service
 

roles/gitea/tasks/main.yml

@@ -1,38 +1,23 @@
-- name: Create Gitea directory
-  ansible.builtin.file:
-    path: "{{ gitea_root }}"
-    state: directory
+- name: Install MySQL module for Ansible
+  ansible.builtin.apt:
+    name: python3-pymysql
+    state: present
 
 - name: Create Gitea database
   community.mysql.mysql_db:
-    name: "{{ gitea_dbname }}"
+    name: "{{ gitea.DB_NAME }}"
     state: present
     login_unix_socket: /var/run/mysqld/mysqld.sock
 
 - name: Create Gitea database user
   community.mysql.mysql_user:
-    name: "{{ gitea_dbuser }}"
-    password: "{{ gitea_dbpass }}"
+    name: "{{ gitea.DB_USER }}"
+    password: "{{ gitea.DB_PASSWD }}"
     host: '%'
     state: present
-    priv: "{{ gitea_dbname }}.*:ALL"
+    priv: "{{ gitea.DB_NAME }}.*:ALL"
     login_unix_socket: /var/run/mysqld/mysqld.sock
 
-- name: Create git user
-  ansible.builtin.user:
-    name: git
-    state: present
-
-- name: Git user uid
-  ansible.builtin.getent:
-    database: passwd
-    key: git
-
-- name: Git user gid
-  ansible.builtin.getent:
-    database: group
-    key: git
-
 - name: Create git's .ssh directory
   ansible.builtin.file:
     path: /home/git/.ssh
@@ -70,28 +55,11 @@
     dest: /usr/local/bin/gitea
     mode: 0755
 
-- name: Install Gitea's docker-compose file
-  ansible.builtin.template:
-    src: docker-compose.yml.j2
-    dest: "{{ gitea_root }}/docker-compose.yml"
-  notify: restart_gitea
-
-- name: Install Gitea's docker-compose variables
-  ansible.builtin.template:
-    src: compose-env.j2
-    dest: "{{ gitea_root }}/.env"
-  notify: restart_gitea
-
 - name: Create Gitea's logging directory
   ansible.builtin.file:
     name: /var/log/gitea
     state: directory
 
-- name: Create Gitea's initial log file
-  ansible.builtin.file:
-    name: /var/log/gitea/gitea.log
-    state: touch
-
 - name: Install Gitea's Fail2ban filter
   ansible.builtin.template:
     src: fail2ban-filter.conf.j2
@@ -103,9 +71,3 @@
     src: fail2ban-jail.conf.j2
     dest: /etc/fail2ban/jail.d/gitea.conf
   notify: restart_fail2ban
-
-- name: Start and enable Gitea service
-  ansible.builtin.service:
-    name: "{{ docker_compose_service }}@{{ gitea_name }}"
-    state: started
-    enabled: true

roles/mariadb/defaults/main.yml

@@ -1,3 +0,0 @@
-mariadb_trust:
-  - "172.16.0.0/12"
-  - "192.168.0.0/16"

roles/mariadb/handlers/main.yml

@@ -0,0 +1,12 @@
+- name: Restart MariaDB
+  ansible.builtin.service:
+    name: mariadb
+    state: restarted
+  when: not mariadb_restarted
+  listen: restart_mariadb
+
+- name: Set MariaDB as restarted
+  set_fact:
+    mariadb_restarted: true
+  when: not mariadb_restarted
+  listen: restart_mariadb

roles/mariadb/tasks/main.yml

@@ -3,23 +3,24 @@
     name: mariadb-server
     state: present
 
-- name: Change the bind-address to allow Docker
+- name: Set MariaDB restarted fact
+  set_fact:
+    mariadb_restarted: false
+
+- name: Regather facts for the potentially new docker0 interface
+  ansible.builtin.setup:
+
+- name: Change the bind-address to allow from docker0
   ansible.builtin.lineinfile:
     path: /etc/mysql/mariadb.conf.d/50-server.cnf
     regex: "^bind-address"
-    line: "bind-address            = 0.0.0.0"
-  register: mariadb_conf
+    line: "bind-address            = {{ ansible_facts.docker0.ipv4.address }}"
+  notify: restart_mariadb
 
-- name: Restart MariaDB
-  ansible.builtin.service:
-    name: mariadb
-    state: restarted
-  when: mariadb_conf.changed
-
-- name: Allow database connections
+- name: Allow database connections from Docker
   community.general.ufw:
     rule: allow
     port: "3306"
     proto: tcp
     src: "{{ item }}"
-  loop: "{{ mariadb_trust }}"
+  loop: "{{ mariadb_trust | default(['172.16.0.0/12']) }}"