ansible playbook added

this playbook will install docker
then install uptime kuma using docker
and install and configure nginx with ssl
This commit is contained in:
Muhammed Hussein Karimi 2021-10-11 23:48:01 +03:30
parent b7528b9a4e
commit 12d3aeb0cd
9 changed files with 223 additions and 0 deletions

10
ansible/README.md Normal file
View file

@ -0,0 +1,10 @@
# Ansible Playbook to install uptime kuma using docker
This playbook comes with three roles
1. docker (to install docker)
2. nginx (to install nginx using docker with ssl)
3. uptime kuma (to install uptime kuma using docker)
To see more info see docker-compose, tasks and config files
I will try to make this readme better

7
ansible/playbook.yml Normal file
View file

@ -0,0 +1,7 @@
- name: install uptime kuma with nginx connected
hosts: all
roles:
- {role: docker, tags: ["docker"]}
- {role: kuma, tags: ["kuma"]}
- {role: nginx, tags: ["nginx"]}

View file

@ -0,0 +1,44 @@
- name: Ensure docker and docker-compose and essentional libs are installed
package:
name: "{{item}}"
state: present
loop:
- docker.io
- docker-compose
- python-pip
- python3-docker
- python3-pip
- libssl-dev
- libffi-dev
- python-setuptools
- name: Ensure docker-compose is installed via pip
pip:
name: "{{item}}"
executable: pip3
loop:
- docker
# - docker-compose
### FIX a BUG: https://github.com/docker/docker-py/issues/1502#issuecomment-506544849
- name: FIX a BUG Uninstall pip's backports.ssl-match-hostname
pip:
name: backports.ssl-match-hostname
executable: pip
state: absent
- name: FIX a BUG install Debian's python-backports.ssl-match-hostname package
package:
name: python-backports.ssl-match-hostname
state: present
- name: Ensure docker service is enabled and up
systemd:
name: docker
state: started
enabled: yes
- name: Ensure docker socket is enabled and up
systemd:
name: docker.socket
state: started
enabled: yes

View file

@ -0,0 +1,2 @@
## Your ssl certs will go here
put them in ssl directory see nginx.conf for more info

View file

@ -0,0 +1,29 @@
- name: Ensure Volumes & Files directories exists
file:
dest: "{{item}}"
state: directory
loop:
- /compose
- /compose/nginx
- /compose/volumes
- /compose/volumes/nginx
- name: Ensure docker-compose file has been updated
template:
src: "{{item}}"
dest: /compose/nginx/
loop:
- docker-compose.yml
- name: Ensure nginx config directory exist
copy:
src: nginx
dest: /compose/volumes/nginx/
mode: 'preserve'
group: root
owner: root
- name: Ensure config files are updated
template:
src: "nginx.conf"
dest: /compose/volumes/nginx/nginx.conf

View file

@ -0,0 +1,8 @@
version: '3.3'
services:
nginx:
network_mode: host
restart: always
image: nginx:1.21.3-alpine
volumes:
- '/compose/volumes/nginx/:/etc/nginx/'

View file

@ -0,0 +1,90 @@
user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
worker_connections 2048;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
default_type application/octet-stream;
### SSL Settings for all servers (https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate)
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/status.yoursite.fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/status.yoursite.privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam.pem (TODO: check if it's secure to use others DH parameters!)
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
log_format main '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time $upstream_response_time UPA:$upstream_addr BYS:$bytes_sent BYR:$request_length';
access_log /var/log/nginx/access.log main;
### Set additional headers to be send to upstream
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Remove Headers that gonna be sent to client
proxy_hide_header X-Powered-By;
proxy_hide_header Server;
# Redirect HTTP request to HTTPS
server {
listen 80 default_server;
server_name status.yoursite;
return 302 https://$host$request_uri;
}
server {
server_name status.yoursite;
listen 443 ssl http2 default_server;
access_log /var/log/nginx/yoursite.access.log main;
error_log /var/log/nginx/yoursite.error.log;
location / {
# rewrite ^/(.*)/$ /$1 permanent;
### redirect urls with trailing slash to non-trailing slash
# https://serverfault.dev/questions/597302/removing-the-trailing-slash-from-a-url-with-nginx
# location ~ (?<no_slash>.+)/$ {
# return 302 https://$host$no_slash;
# }
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:3001/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}

View file

@ -0,0 +1,23 @@
- name: Ensure Volumes & Files directories exists
file:
dest: "{{item}}"
state: directory
loop:
- /compose
- /compose/kuma
- /compose/volumes
- /compose/volumes/kuma
- name: Ensure docker-compose file has been updated
template:
src: "{{item}}"
dest: /compose/kuma/
loop:
- docker-compose.yml
- name: Ensure uptime-kuma is up
docker_compose:
state: present
project_src: /compose/kuma
pull: yes

View file

@ -0,0 +1,10 @@
version: '3.3'
services:
uptime-kuma:
restart: always
ports:
- '127.0.0.1:3001:3001'
volumes:
- '/compose/volumes/uptime-kuma:/app/data'
container_name: uptime-kuma
image: 'louislam/uptime-kuma:latest'