mirror of
https://github.com/louislam/uptime-kuma.git
synced 2024-12-01 10:44:05 +00:00
ansible playbook added
this playbook will install docker then install uptime kuma using docker and install and configure nginx with ssl
This commit is contained in:
parent
b7528b9a4e
commit
12d3aeb0cd
9 changed files with 223 additions and 0 deletions
10
ansible/README.md
Normal file
10
ansible/README.md
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
# Ansible Playbook to install uptime kuma using docker
|
||||||
|
|
||||||
|
This playbook comes with three roles
|
||||||
|
|
||||||
|
1. docker (to install docker)
|
||||||
|
2. nginx (to install nginx using docker with ssl)
|
||||||
|
3. uptime kuma (to install uptime kuma using docker)
|
||||||
|
|
||||||
|
To see more info see docker-compose, tasks and config files
|
||||||
|
I will try to make this readme better
|
7
ansible/playbook.yml
Normal file
7
ansible/playbook.yml
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
- name: install uptime kuma with nginx connected
|
||||||
|
hosts: all
|
||||||
|
roles:
|
||||||
|
- {role: docker, tags: ["docker"]}
|
||||||
|
- {role: kuma, tags: ["kuma"]}
|
||||||
|
- {role: nginx, tags: ["nginx"]}
|
||||||
|
|
44
ansible/roles/docker/tasks/main.yml
Normal file
44
ansible/roles/docker/tasks/main.yml
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
- name: Ensure docker and docker-compose and essentional libs are installed
|
||||||
|
package:
|
||||||
|
name: "{{item}}"
|
||||||
|
state: present
|
||||||
|
loop:
|
||||||
|
- docker.io
|
||||||
|
- docker-compose
|
||||||
|
- python-pip
|
||||||
|
- python3-docker
|
||||||
|
- python3-pip
|
||||||
|
- libssl-dev
|
||||||
|
- libffi-dev
|
||||||
|
- python-setuptools
|
||||||
|
|
||||||
|
- name: Ensure docker-compose is installed via pip
|
||||||
|
pip:
|
||||||
|
name: "{{item}}"
|
||||||
|
executable: pip3
|
||||||
|
loop:
|
||||||
|
- docker
|
||||||
|
# - docker-compose
|
||||||
|
|
||||||
|
### FIX a BUG: https://github.com/docker/docker-py/issues/1502#issuecomment-506544849
|
||||||
|
- name: FIX a BUG Uninstall pip's backports.ssl-match-hostname
|
||||||
|
pip:
|
||||||
|
name: backports.ssl-match-hostname
|
||||||
|
executable: pip
|
||||||
|
state: absent
|
||||||
|
- name: FIX a BUG install Debian's python-backports.ssl-match-hostname package
|
||||||
|
package:
|
||||||
|
name: python-backports.ssl-match-hostname
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Ensure docker service is enabled and up
|
||||||
|
systemd:
|
||||||
|
name: docker
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
|
||||||
|
- name: Ensure docker socket is enabled and up
|
||||||
|
systemd:
|
||||||
|
name: docker.socket
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
2
ansible/roles/nginx/files/README.md
Normal file
2
ansible/roles/nginx/files/README.md
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
## Your ssl certs will go here
|
||||||
|
put them in ssl directory see nginx.conf for more info
|
29
ansible/roles/nginx/tasks/main.yml
Normal file
29
ansible/roles/nginx/tasks/main.yml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
- name: Ensure Volumes & Files directories exists
|
||||||
|
file:
|
||||||
|
dest: "{{item}}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- /compose
|
||||||
|
- /compose/nginx
|
||||||
|
- /compose/volumes
|
||||||
|
- /compose/volumes/nginx
|
||||||
|
|
||||||
|
- name: Ensure docker-compose file has been updated
|
||||||
|
template:
|
||||||
|
src: "{{item}}"
|
||||||
|
dest: /compose/nginx/
|
||||||
|
loop:
|
||||||
|
- docker-compose.yml
|
||||||
|
|
||||||
|
- name: Ensure nginx config directory exist
|
||||||
|
copy:
|
||||||
|
src: nginx
|
||||||
|
dest: /compose/volumes/nginx/
|
||||||
|
mode: 'preserve'
|
||||||
|
group: root
|
||||||
|
owner: root
|
||||||
|
|
||||||
|
- name: Ensure config files are updated
|
||||||
|
template:
|
||||||
|
src: "nginx.conf"
|
||||||
|
dest: /compose/volumes/nginx/nginx.conf
|
8
ansible/roles/nginx/templates/docker-compose.yml
Normal file
8
ansible/roles/nginx/templates/docker-compose.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
version: '3.3'
|
||||||
|
services:
|
||||||
|
nginx:
|
||||||
|
network_mode: host
|
||||||
|
restart: always
|
||||||
|
image: nginx:1.21.3-alpine
|
||||||
|
volumes:
|
||||||
|
- '/compose/volumes/nginx/:/etc/nginx/'
|
90
ansible/roles/nginx/templates/nginx.conf
Normal file
90
ansible/roles/nginx/templates/nginx.conf
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
user nginx;
|
||||||
|
worker_processes auto;
|
||||||
|
|
||||||
|
pid /var/run/nginx.pid;
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 2048;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
|
||||||
|
### SSL Settings for all servers (https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate)
|
||||||
|
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
|
||||||
|
ssl_certificate /etc/nginx/ssl/status.yoursite.fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/status.yoursite.privkey.pem;
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam.pem (TODO: check if it's secure to use others DH parameters!)
|
||||||
|
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
|
||||||
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
|
# OCSP stapling
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
log_format main '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
|
||||||
|
'"$http_referer" "$http_user_agent" $request_time $upstream_response_time UPA:$upstream_addr BYS:$bytes_sent BYR:$request_length';
|
||||||
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
|
### Set additional headers to be send to upstream
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
|
||||||
|
# Remove Headers that gonna be sent to client
|
||||||
|
proxy_hide_header X-Powered-By;
|
||||||
|
proxy_hide_header Server;
|
||||||
|
|
||||||
|
# Redirect HTTP request to HTTPS
|
||||||
|
server {
|
||||||
|
listen 80 default_server;
|
||||||
|
server_name status.yoursite;
|
||||||
|
return 302 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name status.yoursite;
|
||||||
|
listen 443 ssl http2 default_server;
|
||||||
|
|
||||||
|
access_log /var/log/nginx/yoursite.access.log main;
|
||||||
|
error_log /var/log/nginx/yoursite.error.log;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
# rewrite ^/(.*)/$ /$1 permanent;
|
||||||
|
### redirect urls with trailing slash to non-trailing slash
|
||||||
|
# https://serverfault.dev/questions/597302/removing-the-trailing-slash-from-a-url-with-nginx
|
||||||
|
# location ~ (?<no_slash>.+)/$ {
|
||||||
|
# return 302 https://$host$no_slash;
|
||||||
|
# }
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_pass http://localhost:3001/;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
23
ansible/roles/uptime-kuma/tasks/main.yml
Normal file
23
ansible/roles/uptime-kuma/tasks/main.yml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
- name: Ensure Volumes & Files directories exists
|
||||||
|
file:
|
||||||
|
dest: "{{item}}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- /compose
|
||||||
|
- /compose/kuma
|
||||||
|
- /compose/volumes
|
||||||
|
- /compose/volumes/kuma
|
||||||
|
|
||||||
|
- name: Ensure docker-compose file has been updated
|
||||||
|
template:
|
||||||
|
src: "{{item}}"
|
||||||
|
dest: /compose/kuma/
|
||||||
|
loop:
|
||||||
|
- docker-compose.yml
|
||||||
|
|
||||||
|
- name: Ensure uptime-kuma is up
|
||||||
|
docker_compose:
|
||||||
|
state: present
|
||||||
|
project_src: /compose/kuma
|
||||||
|
pull: yes
|
||||||
|
|
10
ansible/roles/uptime-kuma/templates/docker-compose.yml
Normal file
10
ansible/roles/uptime-kuma/templates/docker-compose.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
version: '3.3'
|
||||||
|
services:
|
||||||
|
uptime-kuma:
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- '127.0.0.1:3001:3001'
|
||||||
|
volumes:
|
||||||
|
- '/compose/volumes/uptime-kuma:/app/data'
|
||||||
|
container_name: uptime-kuma
|
||||||
|
image: 'louislam/uptime-kuma:latest'
|
Loading…
Reference in a new issue