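---
# Provision a single Vagrant sandbox host: local mkcert CA + TLS certs for the
# nginx front end, Docker CE with a hardened daemon.json and auditd rules,
# PostgreSQL databases for Gitea and Vaultwarden, an SSH passthrough for the
# Gitea container, and finally `docker compose up`.
#
# Everything runs as root (play-level `become: true`) unless a task sets
# `become_user` explicitly.
- hosts: all
  become: true
  vars:
    # NOTE: the four container_* vars are not referenced anywhere in this
    # play; kept for backward compatibility with callers passing -e overrides.
    container_count: 1
    default_container_name: docker
    default_container_image: hello-world
    default_container_command: sleep 1
    # Database credentials. The defaults below are the original plaintext
    # values and are only suitable for a throwaway sandbox — override them
    # (e.g. from Ansible Vault or -e) for anything else. They must match the
    # values the compose file hands to the gitea / vaultwarden containers.
    gitea_db_password: gitea
    vaultwarden_db_password: vaultwarden
    # Where mkcert keeps its CA. Every mkcert invocation must see the same
    # CAROOT, otherwise mkcert silently creates a second CA under the
    # invoking user's default data dir (root here) and the exported
    # rootCA.pem no longer matches the issued certificates.
    mkcert_caroot: /home/vagrant/.local/share/mkcert

  tasks:
    - name: Install required system packages
      apt:
        pkg:
          - apt-transport-https
          - ca-certificates
          - curl
          - software-properties-common
          - virtualenv
          - python3-psycopg2
          - postgresql
          - acl
          - bc
          - sysstat
          - auditd
        # `latest` makes runs non-reproducible; pin versions if this ever
        # leaves the sandbox.
        state: latest
        update_cache: true

    - name: Copy nginx conf
      copy:
        src: /vagrant/sandbox/nginx.conf
        dest: /home/vagrant/nginx.conf

    - name: Copy docker compose
      copy:
        src: /vagrant/sandbox/docker-compose.yml
        dest: /home/vagrant/docker-compose.yml

    - name: Ensure certs directory exists
      file:
        path: /home/vagrant/nginx/certs
        state: directory
        mode: '0755'

    - name: Install mkcert dependencies
      apt:
        pkg:
          - libnss3-tools
          - ca-certificates
        state: present
        update_cache: true

    - name: Download mkcert binary
      get_url:
        # Pinned release URL. The original mixed `releases/latest/download/`
        # with a versioned asset name, which breaks as soon as a newer
        # release is published (the asset no longer exists under "latest").
        url: https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
        dest: /usr/local/bin/mkcert
        mode: '0755'
        # TODO(review): pin the published digest so a tampered download is
        # rejected, e.g. `checksum: sha256:<MKCERT_SHA256_PLACEHOLDER>`.
      register: mkcert_download

    - name: Ensure mkcert CAROOT directory exists
      file:
        path: "{{ mkcert_caroot }}"
        state: directory
        mode: '0755'

    - name: Initialize mkcert CA
      # Runs as root, so `-install` trusts the CA in root's/system stores;
      # the CA material itself is written to CAROOT under /home/vagrant.
      command: mkcert -install
      environment:
        XDG_DATA_HOME: /home/vagrant/.local/share
        CAROOT: "{{ mkcert_caroot }}"
      args:
        creates: "{{ mkcert_caroot }}/rootCA.pem"

    - name: Generate cert for gitea.vm.local
      command: >
        mkcert -cert-file /home/vagrant/nginx/certs/gitea.vm.local.pem
        -key-file /home/vagrant/nginx/certs/gitea.vm.local-key.pem
        gitea.vm.local
      # Same CAROOT as the init task — see the note on mkcert_caroot above.
      environment:
        XDG_DATA_HOME: /home/vagrant/.local/share
        CAROOT: "{{ mkcert_caroot }}"
      args:
        creates: /home/vagrant/nginx/certs/gitea.vm.local.pem

    - name: Generate cert for bitwarden.vm.local
      command: >
        mkcert -cert-file /home/vagrant/nginx/certs/bitwarden.vm.local.pem
        -key-file /home/vagrant/nginx/certs/bitwarden.vm.local-key.pem
        bitwarden.vm.local
      environment:
        XDG_DATA_HOME: /home/vagrant/.local/share
        CAROOT: "{{ mkcert_caroot }}"
      args:
        creates: /home/vagrant/nginx/certs/bitwarden.vm.local.pem

    - name: Ensure export directory exists
      file:
        path: /vagrant/shared/ca
        state: directory
        mode: '0755'

    - name: Copy mkcert rootCA.pem to shared directory
      # Only the public CA certificate is exported; rootCA-key.pem stays in
      # CAROOT and must never be copied into the shared folder.
      copy:
        src: "{{ mkcert_caroot }}/rootCA.pem"
        dest: /vagrant/shared/ca/rootCA.pem
        remote_src: true

    - name: Add Docker GPG apt Key
      # apt_key is deprecated upstream in favour of a signed-by keyring;
      # left as-is because it still works on this box.
      apt_key:
        url: https://download.docker.com/linux/ubuntu/gpg
        state: present

    - name: Add Docker Repository
      # NOTE(review): the codename is hardcoded to focal while the PostgreSQL
      # paths below assume PG 14 (jammy's default). Confirm the box release;
      # `{{ ansible_distribution_release }}` would remove the assumption.
      apt_repository:
        repo: deb https://download.docker.com/linux/ubuntu focal stable
        state: present

    - name: Update apt and install docker-ce
      apt:
        pkg:
          - docker-ce
          - docker-compose-plugin
        state: latest
        update_cache: true

    # Create the git account before touching its group membership so the
    # shell/home below are set on creation rather than patched afterwards.
    - name: Create git user
      user:
        name: git
        shell: /home/git/docker-shell
        home: /home/git
        create_home: true

    - name: Add 'vagrant' and 'git' users to docker group
      # Membership in `docker` is root-equivalent on the host; acceptable for
      # this sandbox, but worth remembering when reading the SSH passthrough.
      user:
        name: "{{ item }}"
        groups: docker
        append: true
      loop:
        - vagrant
        - git

    - name: Deploy docker passthrough shell
      # Login shell for `git`: forwards the SSH session into the gitea
      # container, preserving SSH_ORIGINAL_COMMAND for git-over-ssh.
      copy:
        dest: /home/git/docker-shell
        content: |
          #!/bin/sh
          exec /usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"
        mode: '0755'

    - name: Update SSH config for git user
      # blockinfile appends at EOF, which is where a `Match` block has to live.
      # `validate` refuses a config sshd cannot parse so a typo here cannot
      # lock us out on the restart.
      blockinfile:
        path: /etc/ssh/sshd_config
        block: |
          Match User git
            AuthorizedKeysCommandUser git
            AuthorizedKeysCommand /usr/bin/docker exec -i -u git gitea /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart SSH

    - name: Ensure PostgreSQL service is running
      service:
        name: postgresql
        state: started
        enabled: true

    - name: Create PostgreSQL user for gitea
      become: true
      become_user: postgres
      # no_log keeps the password out of the task output / log files.
      no_log: true
      postgresql_user:
        name: gitea
        password: "{{ gitea_db_password }}"
        state: present

    - name: Create PostgreSQL database for gitea
      become: true
      become_user: postgres
      postgresql_db:
        name: gitea
        owner: gitea
        state: present

    - name: Create PostgreSQL user for vaultwarden
      become: true
      become_user: postgres
      no_log: true
      postgresql_user:
        name: vaultwarden
        password: "{{ vaultwarden_db_password }}"
        state: present

    - name: Create PostgreSQL database for vaultwarden
      become: true
      become_user: postgres
      postgresql_db:
        name: vaultwarden
        owner: vaultwarden
        state: present

    - name: Set PostgreSQL to listen on localhost and Docker bridge IP
      # NOTE(review): 172.18.0.1 is presumably the gateway of the compose
      # network, not the default docker0 bridge (172.17.0.1) — confirm
      # against the compose file's network definition.
      lineinfile:
        path: /etc/postgresql/14/main/postgresql.conf
        regexp: '^#?listen_addresses\s*='
        line: "listen_addresses = 'localhost,172.18.0.1'"
      notify: Restart PostgreSQL

    - name: Allow connections from Docker subnet in pg_hba.conf
      # `create: yes` was dropped on purpose: if pg_hba.conf is missing the
      # PG version path is wrong, and a file containing only this rule would
      # lock out every local connection. Failing here is the better outcome.
      # This rule grants any db/any user from the subnet with a password;
      # narrowing it to `gitea gitea` / `vaultwarden vaultwarden` and
      # scram-sha-256 is the next hardening step.
      lineinfile:
        path: /etc/postgresql/14/main/pg_hba.conf
        line: 'host all all 172.18.0.0/16 md5'
        insertafter: EOF
        state: present
      notify: Restart PostgreSQL

    - name: Configure audit rules for Docker
      # File watches on the Docker/containerd binaries, sockets and config
      # (keyed `docker` for ausearch -k docker). Duplicate entries from the
      # original list have been removed; auditd rejects or double-loads them.
      copy:
        dest: /etc/audit/rules.d/docker.rules
        owner: root
        group: root
        mode: '0640'
        content: |
          -w /usr/bin/dockerd -k docker
          -w /run/containerd -k docker
          -w /var/lib/docker -k docker
          -w /etc/docker -k docker
          -w /lib/systemd/system/docker.service -k docker
          -w /run/containerd/containerd.sock -k docker
          -w /var/run/docker.sock -k docker
          -w /etc/default/docker -k docker
          -w /etc/docker/daemon.json -k docker
          -w /etc/containerd/config.toml -k docker
          -w /etc/sysconfig/docker -k docker
          -w /usr/bin/containerd -k docker
          -w /usr/bin/containerd-shim -k docker
          -w /usr/bin/containerd-shim-runc-v1 -k docker
          -w /usr/bin/containerd-shim-runc-v2 -k docker
          -w /usr/bin/runc -k docker
          -w /usr/lib/systemd/system/docker.socket -k docker
      notify: Restart auditd

    - name: Ensure Docker daemon configuration is hardened
      # icc=false blocks container-to-container traffic on the default
      # bridge; no-new-privileges stops setuid escalation inside containers;
      # live-restore keeps containers up across daemon restarts.
      copy:
        dest: /etc/docker/daemon.json
        owner: root
        group: root
        mode: '0644'
        content: |
          {
            "live-restore": true,
            "icc": false,
            "no-new-privileges": true,
            "log-level": "info",
            "log-driver": "json-file",
            "log-opts": {
              "max-size": "10m",
              "max-file": "3"
            },
            "userland-proxy": false
          }
      notify: Restart Docker

    - name: Ensure Docker service is running
      service:
        name: docker
        state: started
        enabled: true

    # Run pending handlers now so a changed daemon.json / sshd_config /
    # pg_hba.conf is live before the containers come up, instead of being
    # applied at end of play after `docker compose up` has already run.
    - name: Apply pending service restarts before starting containers
      meta: flush_handlers

    - name: Run docker compose up -d
      command: docker compose up -d
      args:
        chdir: /home/vagrant

  handlers:
    - name: Restart PostgreSQL
      service:
        name: postgresql
        state: restarted

    - name: Restart Docker
      systemd:
        name: docker
        state: restarted

    - name: Restart SSH
      service:
        name: ssh
        state: restarted

    - name: Restart auditd
      service:
        name: auditd
        state: restarted
        enabled: true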