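---
# Provisions a single-VM sandbox: a local CA (mkcert) with leaf certs for the
# nginx front end, Docker CE with a hardened daemon config, a PostgreSQL server
# reachable from the Docker bridge, audit rules for the Docker stack, and a host
# `git` account that proxies SSH sessions into the gitea container.
#
# NOTE(review): the Docker apt repo targets `focal` (20.04) while the PostgreSQL
# paths assume server 14 (the 22.04 default); one of the two is likely wrong for
# the target image — confirm against the Vagrant box in use.
- hosts: all
  become: true

  vars:
    # Not referenced by any task in this play; kept so callers passing them
    # with -e keep working.
    container_count: 1
    default_container_name: docker
    default_container_image: hello-world
    default_container_command: sleep 1

    # Values previously hard-coded inside task bodies. Defaults reproduce the
    # earlier behaviour; override with -e for other environments.
    mkcert_version: "1.4.4"
    postgresql_version: "14"
    docker_apt_release: focal
    # Assumed to be the compose-created bridge the containers sit on (the
    # default docker0 bridge is 172.17.0.0/16). Docker hands out pool subnets
    # in creation order, so any other network created first shifts this —
    # pin the subnet in docker-compose.yml rather than relying on the order.
    docker_subnet: "172.18.0.0/16"
    docker_bridge_ip: "172.18.0.1"
    # Development credentials committed to VCS. docker-compose.yml must use
    # the same values; move both sides to a vault / env file before any
    # non-throwaway use.
    gitea_db_password: gitea
    vaultwarden_db_password: vaultwarden

  tasks:
    # `state: latest` upgrades these packages on every run, which is not
    # reproducible; `present` is the idempotent choice once the box is pinned.
    - name: Install required system packages
      ansible.builtin.apt:
        pkg:
          - apt-transport-https
          - ca-certificates
          - curl
          - software-properties-common
          - virtualenv
          - python3-psycopg2
          - postgresql
          - acl
          - bc
          - sysstat
          - auditd
        state: latest
        update_cache: true

    - name: Copy nginx conf
      ansible.builtin.copy:
        src: /vagrant/sandbox/nginx.conf
        dest: /home/vagrant/nginx.conf

    - name: Copy docker compose
      ansible.builtin.copy:
        src: /vagrant/sandbox/docker-compose.yml
        dest: /home/vagrant/docker-compose.yml

    # Private keys are written here by mkcert (root-owned, mode 0600 by
    # default); the directory itself only needs to be traversable.
    - name: Ensure certs directory exists
      ansible.builtin.file:
        path: /home/vagrant/nginx/certs
        state: directory
        mode: "0755"

    - name: Install mkcert dependencies
      ansible.builtin.apt:
        pkg:
          - libnss3-tools
          - ca-certificates
        state: present
        update_cache: true

    # Pinned release URL: the previous `releases/latest/download/<v1.4.4 file>`
    # form 404s as soon as a newer mkcert is published.
    # A root-owned 0755 binary fetched with no integrity check is a
    # supply-chain gap — pin the digest once it has been verified out of band.
    - name: Download mkcert binary
      ansible.builtin.get_url:
        url: "https://github.com/FiloSottile/mkcert/releases/download/v{{ mkcert_version }}/mkcert-v{{ mkcert_version }}-linux-amd64"
        dest: /usr/local/bin/mkcert
        mode: "0755"
        # checksum: "sha256:<SHA256-OF-PINNED-RELEASE>"  # placeholder — fill in from the verified release

    - name: Ensure mkcert CAROOT directory exists
      ansible.builtin.file:
        path: /home/vagrant/.local/share/mkcert
        state: directory
        mode: "0755"

    # Runs as root (play-level become), so the CA is installed into the system
    # trust store and root's NSS databases. CAROOT is pinned so the CA key pair
    # lands where the export task below expects it.
    - name: Initialize mkcert CA
      ansible.builtin.command:
        cmd: mkcert -install
        creates: /home/vagrant/.local/share/mkcert/rootCA.pem
      environment:
        XDG_DATA_HOME: /home/vagrant/.local/share
        CAROOT: /home/vagrant/.local/share/mkcert

    # CAROOT must be set on the cert tasks too: without it mkcert (as root)
    # falls back to /root/.local/share/mkcert, silently creates a second CA
    # there, and the leaf certs would not chain to the rootCA.pem exported
    # below.
    - name: Generate cert for gitea.vm.local
      ansible.builtin.command:
        cmd: >-
          mkcert
          -cert-file /home/vagrant/nginx/certs/gitea.vm.local.pem
          -key-file /home/vagrant/nginx/certs/gitea.vm.local-key.pem
          gitea.vm.local
        creates: /home/vagrant/nginx/certs/gitea.vm.local.pem
      environment:
        CAROOT: /home/vagrant/.local/share/mkcert

    - name: Generate cert for bitwarden.vm.local
      ansible.builtin.command:
        cmd: >-
          mkcert
          -cert-file /home/vagrant/nginx/certs/bitwarden.vm.local.pem
          -key-file /home/vagrant/nginx/certs/bitwarden.vm.local-key.pem
          bitwarden.vm.local
        creates: /home/vagrant/nginx/certs/bitwarden.vm.local.pem
      environment:
        CAROOT: /home/vagrant/.local/share/mkcert

    - name: Ensure export directory exists
      ansible.builtin.file:
        path: /vagrant/shared/ca
        state: directory
        mode: "0755"

    # Only the public CA certificate is exported; rootCA-key.pem stays in
    # CAROOT on the VM.
    - name: Copy mkcert rootCA.pem to shared directory
      ansible.builtin.copy:
        src: /home/vagrant/.local/share/mkcert/rootCA.pem
        dest: /vagrant/shared/ca/rootCA.pem
        remote_src: true

    # apt_key (apt-key) is deprecated; the replacement is a keyring file under
    # /etc/apt/keyrings plus `signed-by=` in the repo line. Left as-is because
    # switching changes where the key is stored.
    - name: Add Docker GPG apt Key
      ansible.builtin.apt_key:
        url: https://download.docker.com/linux/ubuntu/gpg
        state: present

    - name: Add Docker Repository
      ansible.builtin.apt_repository:
        repo: "deb https://download.docker.com/linux/ubuntu {{ docker_apt_release }} stable"
        state: present

    - name: Update apt and install docker-ce
      ansible.builtin.apt:
        pkg:
          - docker-ce
          - docker-compose-plugin
        state: latest
        update_cache: true

    # Created before it is added to the docker group and before its shell is
    # deployed; previously the group task created the account implicitly.
    - name: Create git user
      ansible.builtin.user:
        name: git
        shell: /home/git/docker-shell
        home: /home/git
        create_home: true

    # Login shell for the git account: every SSH session is handed straight to
    # the gitea container. Root-owned and not writable by git, so the account
    # cannot alter its own shell. No Jinja in the body, so the literal block
    # is copied verbatim.
    - name: Deploy docker passthrough shell
      ansible.builtin.copy:
        dest: /home/git/docker-shell
        content: |
          #!/bin/sh
          exec /usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"
        mode: "0755"

    # Membership in `docker` is unrestricted access to the Docker socket, i.e.
    # root-equivalent on the host. The SSH passthrough above depends on it for
    # `git`, so that account must stay non-interactive and key-only.
    - name: Add 'vagrant' and 'git' users to docker group
      ansible.builtin.user:
        name: "{{ item }}"
        groups: docker
        append: true
      loop:
        - vagrant
        - git

    # `validate` runs `sshd -t` on the candidate file so a bad block cannot
    # leave the host without a working sshd. `Match` blocks must be last in
    # sshd_config; blockinfile appends at EOF by default, which satisfies that.
    # sshd is restarted via handler only when the file actually changes.
    - name: Update SSH config for git user
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config
        validate: /usr/sbin/sshd -t -f %s
        block: |
          Match User git
          AuthorizedKeysCommandUser git
          AuthorizedKeysCommand /usr/bin/docker exec -i -u git gitea /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
      notify: Restart SSH

    - name: Ensure PostgreSQL service is running
      ansible.builtin.service:
        name: postgresql
        state: started
        enabled: true

    # no_log keeps the password out of task output and log files.
    - name: Create PostgreSQL user for gitea
      become: true
      become_user: postgres
      no_log: true
      community.postgresql.postgresql_user:
        name: gitea
        password: "{{ gitea_db_password }}"
        state: present

    - name: Create PostgreSQL database for gitea
      become: true
      become_user: postgres
      community.postgresql.postgresql_db:
        name: gitea
        owner: gitea
        state: present

    - name: Create PostgreSQL user for vaultwarden
      become: true
      become_user: postgres
      no_log: true
      community.postgresql.postgresql_user:
        name: vaultwarden
        password: "{{ vaultwarden_db_password }}"
        state: present

    - name: Create PostgreSQL database for vaultwarden
      become: true
      become_user: postgres
      community.postgresql.postgresql_db:
        name: vaultwarden
        owner: vaultwarden
        state: present

    # listen_addresses takes effect only after a full restart (handler).
    - name: Set PostgreSQL to listen on localhost and Docker bridge IP
      become: true
      ansible.builtin.lineinfile:
        path: "/etc/postgresql/{{ postgresql_version }}/main/postgresql.conf"
        regexp: '^#?listen_addresses\s*='
        line: "listen_addresses = 'localhost,{{ docker_bridge_ip }}'"
      notify: Restart PostgreSQL

    # `host all all <subnet>` lets every role reach every database from the
    # whole container subnet; narrow to per-role/per-database lines (e.g.
    # `host gitea gitea ...`) once the compose network is pinned. The `md5`
    # method still negotiates SCRAM when the stored password is
    # scram-sha-256 (the server-14 default), so `scram-sha-256` can replace
    # it without a password reset.
    # `create: yes` was dropped: fabricating an empty pg_hba.conf would only
    # hide a wrong postgresql_version.
    - name: Allow connections from Docker subnet in pg_hba.conf
      become: true
      ansible.builtin.lineinfile:
        path: "/etc/postgresql/{{ postgresql_version }}/main/pg_hba.conf"
        line: "host all all {{ docker_subnet }} md5"
        insertafter: EOF
        state: present
      notify: Restart PostgreSQL

    # File-watch rules for the Docker components (CIS-Docker-style list).
    # Duplicate entries were removed: auditctl rejects a rule that already
    # exists, and augenrules stops loading at the first error.
    # NOTE(review): paths absent on the host (e.g. /etc/sysconfig/docker on
    # Ubuntu) may also be rejected by auditctl — confirm with `auditctl -l`.
    - name: Configure audit rules for Docker
      ansible.builtin.copy:
        dest: /etc/audit/rules.d/docker.rules
        owner: root
        group: root
        mode: "0640"
        content: |
          -w /usr/bin/dockerd -k docker
          -w /run/containerd -k docker
          -w /var/lib/docker -k docker
          -w /etc/docker -k docker
          -w /lib/systemd/system/docker.service -k docker
          -w /run/containerd/containerd.sock -k docker
          -w /var/run/docker.sock -k docker
          -w /etc/default/docker -k docker
          -w /etc/docker/daemon.json -k docker
          -w /etc/containerd/config.toml -k docker
          -w /etc/sysconfig/docker -k docker
          -w /usr/bin/containerd -k docker
          -w /usr/bin/containerd-shim -k docker
          -w /usr/bin/containerd-shim-runc-v1 -k docker
          -w /usr/bin/containerd-shim-runc-v2 -k docker
          -w /usr/bin/runc -k docker
          -w /usr/lib/systemd/system/docker.socket -k docker
      notify: Restart auditd

    - name: Ensure auditd is enabled and running
      ansible.builtin.service:
        name: auditd
        state: started
        enabled: true

    # icc=false isolates containers on the default bridge only; compose
    # user-defined networks still permit intra-network traffic.
    # no-new-privileges constrains container processes; it does not limit
    # what `docker exec` itself may do. Rotated json-file logs keep the host
    # disk from filling.
    - name: Ensure Docker daemon configuration is hardened
      ansible.builtin.copy:
        dest: /etc/docker/daemon.json
        owner: root
        group: root
        mode: "0644"
        content: |
          {
            "live-restore": true,
            "icc": false,
            "no-new-privileges": true,
            "log-level": "info",
            "log-driver": "json-file",
            "log-opts": {
              "max-size": "10m",
              "max-file": "3"
            },
            "userland-proxy": false
          }
      notify: Restart Docker

    # Handlers normally run at the end of the play. Flush them here so the
    # hardened daemon.json is live and PostgreSQL listens on the bridge IP
    # before the containers start; otherwise compose ran against the stock
    # daemon config and the containers could not reach the database until
    # the end-of-play restarts.
    - name: Apply pending service restarts before starting containers
      ansible.builtin.meta: flush_handlers

    - name: Ensure Docker service is running
      ansible.builtin.service:
        name: docker
        state: started
        enabled: true

    # compose is idempotent on its own, though Ansible reports this task as
    # changed every run.
    - name: Run docker compose up -d
      ansible.builtin.command:
        cmd: docker compose up -d
        chdir: /home/vagrant

  handlers:
    - name: Restart PostgreSQL
      become: true
      ansible.builtin.service:
        name: postgresql
        state: restarted

    - name: Restart Docker
      become: true
      ansible.builtin.systemd:
        name: docker
        state: restarted

    - name: Restart SSH
      become: true
      ansible.builtin.service:
        name: ssh
        state: restarted

    # NOTE(review): on systemd hosts auditd.service may refuse a manual
    # restart (RefuseManualStop); if this handler fails, `augenrules --load`
    # is the supported way to load new rules — confirm on the target.
    - name: Restart auditd
      become: true
      ansible.builtin.service:
        name: auditd
        state: restarted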