Update apps for docker compose plugin

.ansible-lint.yml

@@ -0,0 +1,3 @@
+---
+exclude_paths:
+- 'galaxy.roles/'

.gitignore

@@ -2,6 +2,6 @@
 /.vagrant
 /.vscode
 
-/ansible/galaxy.roles/
-ansible-vault-password-file
+/galaxy.roles/
+/ansible-vault-password-file
 *.retry

README.md

@@ -15,7 +15,7 @@
 
 ```bash
 $ cp ansible-vault-password-file.dist ansible-vault-password-file
-$ ansible-galaxy install --role-file ansible/requirements.yml
+$ ansible-galaxy install --role-file requirements.yml
 ```
 
 ## Структура
@@ -24,7 +24,7 @@ $ ansible-galaxy install --role-file ansible/requirements.yml
 - Для доступа используется ssh-ключ.
 - Докер используется для запуска и изоляции приложений. Для загрузки образов настраивается Yandex Docker Registry.
 - Выход во внешнюю сеть через proxy server [Caddy](https://caddyserver.com/).
-- Чувствительные данные в `ansible/vars/vars.yaml` зашифрованы с помощью Ansible Vault.
+- Чувствительные данные в `vars/vars.yaml` зашифрованы с помощью Ansible Vault.
 - Для мониторинга за сервером устанавливается [netdata](https://github.com/netdata/netdata).
 
 ## Частые команды

ansible.cfg

@@ -1,4 +1,4 @@
 [defaults]
 host_key_checking = True
 vault_password_file = ./ansible-vault-password-file
-roles_path = ./ansible/galaxy.roles
+roles_path = ./galaxy.roles

ansible/roles/netdata/tasks/main.yml

@@ -1,22 +0,0 @@
----
-- name: 'Grab docker group id.'
-  shell: grep docker /etc/group | cut -d ':' -f 3
-  register: docker_group
-
-- name: 'Create NetData container from {{ netdata_image }}'
-  community.docker.docker_container:
-    name: netdata
-    image: '{{ netdata_image }}'
-    restart_policy: 'always'
-    published_ports:
-      - '127.0.0.1:{{ netdata_exposed_port }}:19999'
-    volumes:
-      - '/proc:/host/proc:ro'
-      - '/sys:/host/sys:ro'
-      - '/var/run/docker.sock:/var/run/docker.sock:ro'
-    capabilities:
-      - 'SYS_PTRACE'
-    security_opts:
-      - 'apparmor:unconfined'
-    env:
-      PGID: '{{ docker_group.stdout | default(999) }}'

app/gitea/docker-compose.yml

@@ -1,14 +1,12 @@
-version: "3"
-
 services:
 
   server:
-    image: gitea/gitea:1.22.4
+    image: gitea/gitea:1.22.6
+    restart: unless-stopped
     environment:
       - "USER_UID=${USER_UID}"
       - "USER_GID=${USER_GID}"
       - "GITEA__server__SSH_PORT=2222"
-    restart: unless-stopped
     volumes:
       - ./data:/data
       - /etc/timezone:/etc/timezone:ro

app/keycloak/docker-compose.prod.yml

@@ -1,5 +1,3 @@
-version: "3"
-
 # Images: https://quay.io/repository/keycloak/keycloak?tab=tags&tag=latest
 # Configuration: https://www.keycloak.org/server/all-config
 

app/keycloak/docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3"
-
 # Images: https://quay.io/repository/keycloak/keycloak?tab=tags&tag=latest
 # Configuration: https://www.keycloak.org/server/all-config
 

app/outline/docker-compose.prod.yml

@@ -1,8 +1,8 @@
-version: "3.2"
 services:
 
   outline-app:
     image: outlinewiki/outline:0.81.1
+    restart: unless-stopped
     ports:
       - "${WEB_SERVER_PORT}:3000"
     depends_on:
@@ -37,6 +37,7 @@ services:
 
   redis:
     image: redis:7.2-bookworm
+    restart: unless-stopped
     ports:
       - "6379:6379"
     volumes:
@@ -45,6 +46,7 @@ services:
 
   postgres:
     image: postgres:16.3-bookworm
+    restart: unless-stopped
     ports:
       - "5432:5432"
     volumes:

app/wiki/docker-compose.yml

@@ -1,33 +0,0 @@
-version: "3"
-
-services:
-
-  db:
-    image: postgres:15.2-alpine
-    environment:
-      POSTGRES_DB: wiki
-      POSTGRES_PASSWORD: wikijsrocks
-      POSTGRES_USER: wikijs
-    logging:
-      driver: "none"
-    restart: unless-stopped
-    volumes:
-      - db-data:/var/lib/postgresql/data
-
-  wiki:
-    image: ghcr.io/requarks/wiki:2.5.300
-    depends_on:
-      - db
-    environment:
-      DB_TYPE: postgres
-      DB_HOST: db
-      DB_PORT: 5432
-      DB_USER: wikijs
-      DB_PASS: wikijsrocks
-      DB_NAME: wiki
-    restart: unless-stopped
-    ports:
-      - "${WEB_SERVER_PORT}:3000"
-
-volumes:
-  db-data:

playbook-configuration.yml

@@ -1,58 +1,12 @@
 ---
 - hosts: all
-  vars:
-    base_port: 41080
-    notes_port: "{{ base_port + 1 }}"
-    dayoff_port: "{{ base_port + 2 }}"
-    homepage_port: "{{ base_port + 3 }}"
-    netdata_port: "{{ base_port + 4 }}"
-    wiki_port: "{{ base_port + 5 }}"
-    nomie_port: "{{ base_port + 6 }}"
-    nomie_db_port: "{{ base_port + 7 }}"
-    gitea_port: "{{ base_port + 8 }}"
-    keycloak_port: "{{ base_port + 9 }}"
-    outline_port: "{{ base_port + 10 }}"
+
   vars_files:
+    - vars/ports.yml
     - vars/vars.yml
 
   tasks:
 
-    - name: 'Install additional packages.'
-      apt:
-        name: '{{ packages }}'
-        update_cache: yes
-      vars:
-        packages:
-          - git
-          - python3-pip
-          - acl
-
-    - import_role:
-        name: yatesr.timezone
-      vars:
-        timezone: UTC
-
-    - import_role:
-        name: geerlingguy.security
-      vars:
-        security_ssh_permit_root_login: "yes"
-        security_autoupdate_enabled: "no"
-        security_fail2ban_enabled: "yes"
-
-    - name: 'Install python docker lib.'
-      pip:
-        name: docker
-      tags:
-        - docker
-
-    - import_role:
-        name: geerlingguy.docker
-      vars:
-        docker_users:
-          - major
-      tags:
-        - docker
-
     - name: 'Ensure networkd service is started (required by Caddy).'
       systemd:
         name: systemd-networkd
@@ -73,14 +27,6 @@
       tags:
         - webserver
 
-    - import_role:
-        name: netdata
-      vars:
-        netdata_version: 'v2.0.0'
-        netdata_exposed_port: '{{ netdata_port }}'
-      tags:
-        - monitoring
-
     # Applications
 
     - import_role:

playbook-docker.yml

@@ -0,0 +1,25 @@
+---
+- name: 'Configure docker parameters'
+  hosts: all
+
+  vars_files:
+    - vars/ports.yml
+    - vars/vars.yml
+
+  tasks:
+
+    - name: 'Install python docker lib from pip'
+      ansible.builtin.pip:
+        name: docker
+
+    - name: 'Install docker'
+      ansible.builtin.import_role:
+        name: geerlingguy.docker
+      vars:
+        docker_edition: 'ce'
+        docker_packages:
+          - "docker-{{ docker_edition }}"
+          - "docker-{{ docker_edition }}-cli"
+          - "docker-{{ docker_edition }}-rootless-extras"        
+        docker_users:
+          - major

playbook-netdata.yml

@@ -0,0 +1,17 @@
+---
+- name: 'Install Netdata monitoring service'
+  hosts: all
+
+  vars_files:
+    - vars/ports.yml
+    - vars/vars.yml
+
+  tasks:
+    - name: 'Install Netdata from role'
+      ansible.builtin.import_role:
+        name: netdata
+      vars:
+        netdata_version: 'v2.1.0'
+        netdata_exposed_port: '{{ netdata_port }}'
+      tags:
+        - monitoring

playbook-system.yml

@@ -0,0 +1,36 @@
+---
+- name: 'Configure base system parameters'
+  hosts: all
+
+  vars_files:
+    - vars/ports.yml
+    - vars/vars.yml
+
+  vars:
+    apt_packages:
+      - acl
+      - git
+      - python3-pip
+
+  tasks:
+
+    - name: 'Install additional apt packages'
+      ansible.builtin.apt:
+        name: '{{ apt_packages }}'
+        update_cache: true
+
+    - name: 'Configure timezone'
+      ansible.builtin.import_role:
+        name: yatesr.timezone
+      vars:
+        timezone: UTC
+      tags:
+        - skip_ansible_lint
+
+    - name: 'Configure security settings'
+      ansible.builtin.import_role:
+        name: geerlingguy.security
+      vars:
+        security_ssh_permit_root_login: "yes"
+        security_autoupdate_enabled: "no"
+        security_fail2ban_enabled: "yes"

playbook-upgrade.yml

@@ -0,0 +1,27 @@
+---
+- name: 'Update and upgrade system packages'
+  hosts: all
+
+  vars_files:
+    - vars/ports.yml
+    - vars/vars.yml
+
+  tasks:
+    - name: Perform an upgrade of packages
+      ansible.builtin.apt:
+        upgrade: 'yes'
+        update_cache: yes
+
+    - name: Check if a reboot is required
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+        get_checksum: no
+      register: reboot_required_file
+
+    - name: Reboot the server (if required)
+      ansible.builtin.reboot:
+      when: reboot_required_file.stat.exists == true
+
+    - name: Remove dependencies that are no longer required
+      ansible.builtin.apt:
+        autoremove: yes

requirements.yml

@@ -1,12 +1,12 @@
 ---
 - src: yatesr.timezone
-  version: 1.2.0
+  version: 1.2.2
 
 - src: geerlingguy.security
-  version: 2.2.0
+  version: 2.4.0
 
 - src: geerlingguy.docker
-  version: 6.1.0
+  version: 7.4.3
 
 - src: caddy_ansible.caddy_ansible
   version: v3.2.0

roles/netdata/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+- name: 'Grab docker group id.'
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      grep docker /etc/group | cut -d ':' -f 3
+    executable: /bin/bash
+  register: netdata_docker_group_output
+  changed_when: netdata_docker_group_output.rc != 0
+
+- name: 'Create NetData container from {{ netdata_image }}'
+  community.docker.docker_container:
+    name: netdata
+    image: '{{ netdata_image }}'
+    image_name_mismatch: 'recreate'
+    restart_policy: 'always'
+    published_ports:
+      - '127.0.0.1:{{ netdata_exposed_port }}:19999'
+    volumes:
+      - '/:/host/root:ro,rslave'
+      - '/etc/group:/host/etc/group:ro'
+      - '/etc/localtime:/etc/localtime:ro'
+      - '/etc/os-release:/host/etc/os-release:ro'
+      - '/etc/passwd:/host/etc/passwd:ro'
+      - '/proc:/host/proc:ro'
+      - '/run/dbus:/run/dbus:ro'
+      - '/sys:/host/sys:ro'
+      - '/var/log:/host/var/log:ro'
+      - '/var/run/docker.sock:/var/run/docker.sock:ro'
+    capabilities:
+      - 'SYS_PTRACE'
+      - 'SYS_ADMIN'
+    security_opts:
+      - 'apparmor:unconfined'
+    env:
+      PGID: '{{ netdata_docker_group_output.stdout | default(999) }}'

tasks.py

@@ -3,7 +3,7 @@ import shlex
 import fabric
 from invoke import task
 
-SERVER_HOST_FILE = "ansible/hosts_prod"
+SERVER_HOST_FILE = "hosts_prod"
 DOKER_REGISTRY = "cr.yandex/crplfk0168i4o8kd7ade"
 
 
@@ -12,11 +12,6 @@ def deploy_gitea(context):
     deploy("gitea", dirs=["data"])
 
 
-@task(name="deploy:wiki")
-def deploy_wiki(context):
-    deploy("wiki")
-
-
 @task(name="deploy:keycloak")
 def deploy_keykloak(context):
     deploy("keycloak", compose_file="docker-compose.prod.yml", dirs=["data"])
@@ -56,7 +51,7 @@ def deploy(app_name: str, compose_file="docker-compose.yml", dirs=None):
             c.run(f"mkdir -p {d}")
         print("Up services")
         c.run(
-            f"docker-compose --project-name {shlex.quote(app_name)} --env-file=.env.prod up --detach --remove-orphans"
+            f"docker compose --project-name {shlex.quote(app_name)} --env-file=.env.prod up --detach --remove-orphans"
         )
         c.run(
             f"docker system prune --all --volumes --force"

vars/ports.yml

@@ -0,0 +1,12 @@
+---
+base_port: 41080
+notes_port: "{{ base_port + 1 }}"
+dayoff_port: "{{ base_port + 2 }}"
+homepage_port: "{{ base_port + 3 }}"
+netdata_port: "{{ base_port + 4 }}"
+wiki_port: "{{ base_port + 5 }}"
+nomie_port: "{{ base_port + 6 }}"
+nomie_db_port: "{{ base_port + 7 }}"
+gitea_port: "{{ base_port + 8 }}"
+keycloak_port: "{{ base_port + 9 }}"
+outline_port: "{{ base_port + 10 }}"