From 29ead64f6a56cfb0240c8c8fe869fb79bdfa983b Mon Sep 17 00:00:00 2001 From: Francesco Antognazza Date: Mon, 6 Feb 2023 09:59:41 +0100 Subject: [PATCH] Enable DNS in inter-container networks --- containers/nextcloud/tasks.yml | 373 ++++++++++++++++----------------- containers/portainer/tasks.yml | 125 ++++++----- containers/traefik/tasks.yml | 3 +- 3 files changed, 249 insertions(+), 252 deletions(-) diff --git a/containers/nextcloud/tasks.yml b/containers/nextcloud/tasks.yml index bd72443..81ed4a7 100644 --- a/containers/nextcloud/tasks.yml +++ b/containers/nextcloud/tasks.yml 
@@ -2,201 +2,200 @@ - hosts: all name: Nextcloud file sharing web service tasks: - - name: Pull container images - become_user: containers - become: true - containers.podman.podman_image: - name: docker.io/{{ item }} - loop: - - nextcloud:latest - - redis:alpine - - mariadb:latest + - name: Pull container images + become_user: containers + become: true + containers.podman.podman_image: + name: docker.io/{{ item }} + loop: + - nextcloud:latest + - redis:alpine + - mariadb:latest - - name: Create podman volumes - containers.podman.podman_volume: - state: present - name: "{{ item }}" - become_user: containers - become: true - loop: - - nextcloud-html - - nextcloud-custom_apps - - nextcloud-theme - - nextcloud-data - - nextcloud-config - - redis-data - - nextcloud-db + - name: Create podman volumes + containers.podman.podman_volume: + state: present + name: "{{ item }}" + become_user: containers + become: true + loop: + - nextcloud-html + - nextcloud-custom_apps + - nextcloud-theme + - nextcloud-data + - nextcloud-config + - redis-data + - nextcloud-db - - name: Change permission to nextcloud folder - become: true - ansible.builtin.file: - path: /etc/nextcloud - owner: containers - group: containers - mode: 0700 - state: directory + - name: Change permission to nextcloud folder + become: true + ansible.builtin.file: + path: /etc/nextcloud + owner: containers + group: containers + mode: 0700 + state: directory - - name: Copy nextcloud config directory - become: true - ansible.builtin.copy: - src: files/nextcloud/ - dest: /etc/nextcloud/config/ - owner: containers - group: containers - mode: 0600 + - name: Copy nextcloud config directory + become: true + ansible.builtin.copy: + src: files/nextcloud/ + dest: /etc/nextcloud/config/ + owner: containers + group: containers + mode: 0600 - - name: Copy systemd service and timer - become: true - become_user: containers - ansible.builtin.copy: - src: files/systemd/ - dest: "/home/containers/.config/systemd/user/" - owner: 
containers - group: containers - mode: 0644 + - name: Copy systemd service and timer + become: true + become_user: containers + ansible.builtin.copy: + src: files/systemd/ + dest: "/home/containers/.config/systemd/user/" + owner: containers + group: containers + mode: 0644 - - name: Copy mariadb config directory - become: true - ansible.builtin.copy: - src: files/mariadb/ - dest: /etc/nextcloud/mariadb/ - owner: containers - group: containers - mode: 0600 + - name: Copy mariadb config directory + become: true + ansible.builtin.copy: + src: files/mariadb/ + dest: /etc/nextcloud/mariadb/ + owner: containers + group: containers + mode: 0600 - - name: Create podman networks - containers.podman.podman_network: - name: "{{ item }}" - recreate: false - state: "present" - disable_dns: true - become_user: containers - become: true - loop: - - traefik-nextcloud - - mariadb-nextcloud - - redis-nextcloud - - - name: Create redis instance - become_user: containers - become: true - containers.podman.podman_container: - name: redis - image: docker.io/redis:latest - state: present - volume: - - redis-data:/data:Z - network: - - redis-nextcloud - generate_systemd: - path: /home/containers/.config/systemd/user/ - restart_policy: on-failure - names: true - new: true - - - name: Create mariadb instance - become_user: containers - become: true - containers.podman.podman_container: - name: db_nextcloud - image: docker.io/mariadb:latest - state: present - command: - - "--transaction-isolation=READ-COMMITTED" - - "--binlog-format=ROW" - volume: - - nextcloud-db:/var/lib/mysql:Z - - /etc/nextcloud/mariadb/:/etc/mysql/conf.d:Z - network: - - mariadb-nextcloud - env: - MARIADB_ROOT_PASSWORD: "{{ vault_nextcloud_mariadb_root_password }}" - MARIADB_DATABASE: "{{ vault_nextcloud_mariadb_database }}" - MARIADB_USER: "{{ vault_nextcloud_mariadb_user }}" - MARIADB_PASSWORD: "{{ vault_nextcloud_mariadb_password }}" - MARIADB_AUTO_UPGRADE: "true" - generate_systemd: - path: 
/home/containers/.config/systemd/user/ - restart_policy: on-failure - names: true - new: true - - - name: Create nextcloud instance - become_user: containers - become: true - containers.podman.podman_container: - name: nextcloud - image: docker.io/nextcloud:latest - state: present - volume: - - nextcloud-html:/var/www/html:Z - - nextcloud-custom_apps:/var/www/html/custom_apps:Z - - nextcloud-theme:/var/www/html/themes:Z - - nextcloud-data:/var/www/html/data:Z - - nextcloud-config:/var/www/html/config:Z - network: + - name: Create podman networks + containers.podman.podman_network: + name: "{{ item }}" + recreate: false + state: "present" + become_user: containers + become: true + loop: - traefik-nextcloud - mariadb-nextcloud - redis-nextcloud - label: - io.containers.autoupdate: "registry" - traefik.enable: "true" - traefik.http.routers.nextcloud.entrypoints: "https" - traefik.http.routers.nextcloud.rule: "Path(`/cloud`)" - traefik.http.routers.nextcloud.tls: "true" - traefik.http.routers.nextcloud.tls.certresolver: "wildcard" - traefik.http.routers.nextcloud.service: "nextcloud" - traefik.http.routers.nextcloud.middlewares: "nextcloud-redirectregex,nextcloud-headers,http-compress@file" - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent: "true" - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex: "https://(.*)/cloud/.well-known/(card|cal)dav" - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement: "https://${1}/cloud/remote.php/dav/" - traefik.http.middlewares.nextcloud-headers.headers.stsSeconds: "31536000" - traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains: "true" - traefik.http.services.nextcloud.loadbalancer.server.port: "80" - traefik.docker.network: "traefik-nextcloud" - env: - REDIS_HOST: "redis" - REDIS_PORT: "6379" - MYSQL_DATABASE: "{{ vault_nextcloud_mariadb_database }}" - MYSQL_USER: "{{ vault_nextcloud_mariadb_user }}" - MYSQL_PASSWORD: "{{ 
vault_nextcloud_mariadb_password }}" - MYSQL_HOST: "db_nextcloud" - NEXTCLOUD_DATA_DIR: "/var/www/html/data" - SMTP_HOST: "{{ vault_smtp_host }}" - SMTP_SECURE: "{{ vault_smtp_protocol }}" - SMTP_PORT: "{{ vault_smtp_port }}" - SMTP_AUTHTYPE: "LOGIN" - SMTP_NAME: "{{ vault_smtp_user }}" - SMTP_PASSWORD: "{{ vault_smtp_password }}" - MAIL_FROM_ADDRESS: "nextcloud" - MAIL_DOMAIN: "{{ vault_smtp_domain }}" - TRUSTED_PROXIES: "traefik" - generate_systemd: - path: /home/containers/.config/systemd/user/ - restart_policy: on-failure - names: true - new: true - - name: Start containers at boot - become_user: containers - become: true - ansible.builtin.systemd: - scope: user - name: container-{{ item }}.service - enabled: true - state: started - daemon_reload: true - loop: - - nextcloud - - redis - - db_nextcloud + - name: Create redis instance + become_user: containers + become: true + containers.podman.podman_container: + name: redis + image: docker.io/redis:latest + state: present + volume: + - redis-data:/data:Z + network: + - redis-nextcloud + generate_systemd: + path: /home/containers/.config/systemd/user/ + restart_policy: on-failure + names: true + new: true - - name: Enable a timer unit - become: true - become_user: containers - ansible.builtin.systemd: - scope: user - name: nextcloudcron.timer - enabled: true - state: started - daemon_reload: true + - name: Create mariadb instance + become_user: containers + become: true + containers.podman.podman_container: + name: db_nextcloud + image: docker.io/mariadb:latest + state: present + command: + - "--transaction-isolation=READ-COMMITTED" + - "--binlog-format=ROW" + volume: + - nextcloud-db:/var/lib/mysql:Z + - /etc/nextcloud/mariadb/:/etc/mysql/conf.d:Z + network: + - mariadb-nextcloud + env: + MARIADB_ROOT_PASSWORD: "{{ vault_nextcloud_mariadb_root_password }}" + MARIADB_DATABASE: "{{ vault_nextcloud_mariadb_database }}" + MARIADB_USER: "{{ vault_nextcloud_mariadb_user }}" + MARIADB_PASSWORD: "{{ 
vault_nextcloud_mariadb_password }}" + MARIADB_AUTO_UPGRADE: "true" + generate_systemd: + path: /home/containers/.config/systemd/user/ + restart_policy: on-failure + names: true + new: true + + - name: Create nextcloud instance + become_user: containers + become: true + containers.podman.podman_container: + name: nextcloud + image: docker.io/nextcloud:latest + state: present + volume: + - nextcloud-html:/var/www/html:Z + - nextcloud-custom_apps:/var/www/html/custom_apps:Z + - nextcloud-theme:/var/www/html/themes:Z + - nextcloud-data:/var/www/html/data:Z + - nextcloud-config:/var/www/html/config:Z + network: + - traefik-nextcloud + - mariadb-nextcloud + - redis-nextcloud + label: + io.containers.autoupdate: "registry" + traefik.enable: "true" + traefik.http.routers.nextcloud.entrypoints: "https" + traefik.http.routers.nextcloud.rule: "PathPrefix(`/cloud`)" + traefik.http.routers.nextcloud.tls: "true" + traefik.http.routers.nextcloud.tls.certresolver: "wildcard" + traefik.http.routers.nextcloud.service: "nextcloud" + traefik.http.routers.nextcloud.middlewares: "nextcloud-redirectregex,nextcloud-headers,http-compress@file" + traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent: "true" + traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex: "https://(.*)/cloud/.well-known/(card|cal)dav" + traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement: "https://${1}/cloud/remote.php/dav/" + traefik.http.middlewares.nextcloud-headers.headers.stsSeconds: "31536000" + traefik.http.middlewares.nextcloud-headers.headers.stsIncludeSubdomains: "true" + traefik.http.services.nextcloud.loadbalancer.server.port: "80" + traefik.docker.network: "traefik-nextcloud" + env: + REDIS_HOST: "redis" + REDIS_PORT: "6379" + MYSQL_DATABASE: "{{ vault_nextcloud_mariadb_database }}" + MYSQL_USER: "{{ vault_nextcloud_mariadb_user }}" + MYSQL_PASSWORD: "{{ vault_nextcloud_mariadb_password }}" + MYSQL_HOST: "db_nextcloud" + NEXTCLOUD_DATA_DIR: 
"/var/www/html/data" + SMTP_HOST: "{{ vault_smtp_host }}" + SMTP_SECURE: "{{ vault_smtp_protocol }}" + SMTP_PORT: "{{ vault_smtp_port }}" + SMTP_AUTHTYPE: "LOGIN" + SMTP_NAME: "{{ vault_smtp_user }}" + SMTP_PASSWORD: "{{ vault_smtp_password }}" + MAIL_FROM_ADDRESS: "nextcloud" + MAIL_DOMAIN: "{{ vault_smtp_domain }}" + TRUSTED_PROXIES: "traefik" + generate_systemd: + path: /home/containers/.config/systemd/user/ + restart_policy: on-failure + names: true + new: true + + - name: Start containers at boot + become_user: containers + become: true + ansible.builtin.systemd: + scope: user + name: container-{{ item }}.service + enabled: true + state: started + daemon_reload: true + loop: + - nextcloud + - redis + - db_nextcloud + + - name: Enable a timer unit + become: true + become_user: containers + ansible.builtin.systemd: + scope: user + name: nextcloudcron.timer + enabled: true + state: started + daemon_reload: true diff --git a/containers/portainer/tasks.yml b/containers/portainer/tasks.yml index 8af51ce..db1a9d3 100644 --- a/containers/portainer/tasks.yml +++ b/containers/portainer/tasks.yml 
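Review bot: The pre-pull loop on the new side fetches `redis:alpine` while the `Create redis instance` task runs `image: docker.io/redis:latest`, so the warm-up pulls an image that is never used and the service pulls a different, unpinned tag at first start; align the two, e.g. `- redis:latest` in the loop or `image: docker.io/redis:alpine` in the container task. `mode: 0700`, `0600` and `0644` are unquoted octal literals; writing them as `mode: "0700"` keeps YAML 1.2 parsers and ansible-lint's risky-octal rule from reading or flagging them as decimal. Switching the router rule from Path to PathPrefix (here and in the portainer and traefik hunks) also matches `/cloudfoo`, not only `/cloud` and `/cloud/...`; if a segment boundary is intended, the narrower rule is "PathPrefix(`/cloud/`) || Path(`/cloud`)". `TRUSTED_PROXIES: "traefik"` is a hostname, and Nextcloud's trusted_proxies setting is documented as a list of IP addresses or CIDR ranges, so enabling DNS on the networks does not appear to make that entry effective — worth confirming, since an unrecognised proxy leaves the client address seen by Nextcloud's logging and brute-force protection as the proxy's.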
@@ -2,71 +2,70 @@ - hosts: all name: Portainer container manager tasks: - - name: Get containers UID - ansible.builtin.command: "id -u containers" - register: uid_containers - changed_when: uid_containers.rc != 0 + - name: Get containers UID + ansible.builtin.command: "id -u containers" + register: uid_containers + changed_when: uid_containers.rc != 0 - - name: Pull portainer image - become_user: containers - become: true - containers.podman.podman_image: - name: docker.io/portainer/portainer-ee:latest + - name: Pull portainer image + become_user: containers + become: true + containers.podman.podman_image: + name: docker.io/portainer/portainer-ee:latest - - name: Create traefik-portainer network - containers.podman.podman_network: - name: traefik-portainer - recreate: false - state: "present" - disable_dns: true - become_user: containers - become: true + - name: Create traefik-portainer network + containers.podman.podman_network: + name: traefik-portainer + recreate: false + state: "present" + become_user: containers + become: true - - name: Create portainer data volume - containers.podman.podman_volume: - state: present - name: portainer - become_user: containers - become: true + - name: Create portainer data volume + containers.podman.podman_volume: + state: present + name: portainer + become_user: containers + become: true - - name: Create portainer instance - become_user: containers - become: true - containers.podman.podman_container: - name: portainer - image: docker.io/portainer/portainer-ee:latest - state: present - security_opt: - - label=type:container_runtime_t - volume: - - /run/user/{{ uid_containers.stdout }}/podman/podman.sock:/var/run/docker.sock:z - - portainer:/data:Z - network: - - traefik-portainer - label: - io.containers.autoupdate: "registry" - traefik.enable: "true" - traefik.http.routers.portainer.entrypoints: "https" - traefik.http.routers.portainer.rule: "Path(`/portainer`)" - traefik.http.routers.portainer.tls: "true" - 
traefik.http.routers.portainer.tls.certresolver: "wildcard" - traefik.http.routers.portainer.service: "portainer" - traefik.http.services.portainer.loadbalancer.server.port: "9000" - traefik.docker.network: "traefik-portainer" - generate_systemd: - path: /home/containers/.config/systemd/user/ - restart_policy: on-failure - names: true - new: true + - name: Create portainer instance + become_user: containers + become: true + containers.podman.podman_container: + name: portainer + image: docker.io/portainer/portainer-ee:latest + state: present + security_opt: + - label=type:container_runtime_t + volume: + - /run/user/{{ uid_containers.stdout }}/podman/podman.sock:/var/run/docker.sock:z + - portainer:/data:Z + network: + - traefik-portainer + label: + io.containers.autoupdate: "registry" + traefik.enable: "true" + traefik.http.routers.portainer.entrypoints: "https" + traefik.http.routers.portainer.rule: "PathPrefix(`/portainer`)" + traefik.http.routers.portainer.tls: "true" + traefik.http.routers.portainer.tls.certresolver: "wildcard" + traefik.http.routers.portainer.service: "portainer" + traefik.http.services.portainer.loadbalancer.server.port: "9000" + traefik.docker.network: "traefik-portainer" + generate_systemd: + path: /home/containers/.config/systemd/user/ + restart_policy: on-failure + names: true + new: true - - name: Start containers at boot - become_user: containers - become: true - ansible.builtin.systemd: - scope: user - name: container-{{ item }}.service - enabled: true - state: started - daemon_reload: true - loop: - - portainer + - name: Start containers at boot + become_user: containers + become: true + ansible.builtin.systemd: + scope: user + name: container-{{ item }}.service + enabled: true + state: started + daemon_reload: true + loop: + - portainer diff --git a/containers/traefik/tasks.yml b/containers/traefik/tasks.yml index 83eaadd..6c8694d 100644 --- a/containers/traefik/tasks.yml +++ b/containers/traefik/tasks.yml 
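Review bot: `changed_when: uid_containers.rc != 0` on `Get containers UID` reports a change only when `id -u` fails, which the command task already treats as a failure; the read-only lookup should carry `changed_when: false` and `check_mode: false`, the latter so `uid_containers.stdout` is defined when the play runs with `--check` and the later volume mount does not fail on an undefined variable. The bind mount of `/run/user/{{ uid_containers.stdout }}/podman/podman.sock` together with `label=type:container_runtime_t` hands Portainer control of every container the `containers` user runs; that is its purpose, but a comment above the `volume:` list naming that trust boundary (`# podman socket: Portainer can create/stop any container owned by this user`) would make the exposure explicit for the next reader.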
@@ -66,7 +66,6 @@ name: "{{ item }}" recreate: false state: "present" - disable_dns: true become_user: containers become: true loop: @@ -100,7 +99,7 @@ traefik.enable: "true" traefik.http.middlewares.traefik-auth.basicauth.users: "{{ vault_traefik_basic_auth }}" traefik.http.routers.traefik.entrypoints: "https" - traefik.http.routers.traefik.rule: "Path(`/traefik`)" + traefik.http.routers.traefik.rule: "PathPrefix(`/traefik`)" traefik.http.routers.traefik.middlewares: "traefik-auth@docker" traefik.http.routers.traefik.tls: "true" traefik.http.routers.traefik.tls.certresolver: "wildcard"