dockerhost/deploy.yml

---
# - hosts: all
#   tasks:
#     - name: Print message
#       debug:
#         msg: Hello Ansible World

- hosts: all
  become: true

  tasks:
    ## Docker

    - name: Add Docker GPG apt Key (new)
      ansible.builtin.get_url:
        # Docker Release (CE deb) <docker@docker.com>
        url: "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x8d81803c0ebfcd88"
        dest: /etc/apt/keyrings/docker_rel_ce_deb.asc

    - name: Add Docker Repository
      apt_repository:
        repo: "deb [signed-by=/etc/apt/keyrings/docker_rel_ce_deb.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
        state: present

    - name: Update apt and install docker-ce
      apt:
        name: docker-ce
        state: latest
        update_cache: true

    - name: install pip3
      apt:
        name: python3-pip
        state: latest

    # - name: Container present test
    #   community.docker.docker_container:
    #     name: ansible_deployed
    #     state: absent

    - name: Registry cache
      community.docker.docker_container:
        name: registry_cache
        state: started
        restart_policy: unless-stopped
        image: mirror.gcr.io/registry:2
        ports:
          - "5000:5000"
        volumes:
          - /var/lib/registry:/var/lib/registry
        env:
          REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
          REGISTRY_PROXY_USERNAME: stelb
          REGISTRY_PROXY_PASSWORD: "{{ DOCKER_IO_PASSWORD }}"

    - name: add docker rules to ufw
      blockinfile:
        path: /etc/ufw/after.rules 
        marker_begin: BEGIN UFW AND DOCKER
        marker_end: END UFW AND DOCKER
        state: present
        block: "{{ lookup('ansible.builtin.file', 'ufw-docker.rules') }}"
      tags:
        - ufw

    - name: allow OpenSSH
      community.general.ufw:
         rule: allow
         app: OpenSSH

    - name: enable ufw
      community.general.ufw:
        state: enabled
        policy: reject
      tags:
        - ufw

    - name: open ports
      community.general.ufw:
        rule: allow
        proto: "{{ item[1] }}"
        port: "{{ item[0] }}"
        route: "{{ item[2] | default(omit) }}"
      loop:
        - [ 80, 'tcp', true ]     # traefik
        - [ 443, 'tcp', true ]    # traefik
        - [ 25, 'tcp', true ]     # smtp ntfy
        - [ 51820, 'udp', true ]  # wireguard
        - [ 53, 'udp', true ]  # technitium, dns
        - [ 53, 'tcp', true ]  # technitium, dns
        # - [ 1935, 'udp', true ] # owncast
        # - [ 1935, 'tcp', true ] # owncast
        - [ 2222, 'tcp', true ] # forgejo
        - [ 22, 'tcp', true ] # forgejo
      tags:
        - ufw

    - name: open network for own hosts
      community.general.ufw:
        rule: allow
        from: "{{ item }}"
      loop: "{{ anyops_trusted_hosts }}"
        - 37.27.176.103      # muh.anyops.de
        - 37.120.191.100     # service01.anyops.de
        - 152.53.229.139     # service02.anyops.de
        - 5.75.165.105       # gate1.stelb.cloud
      tags:
        - ufw

    - name: autoupgrade
      ansible.builtin.include_role:
        name: anyops_autoupgrade
deploy.yml hinzugefügt 2025-03-10 19:04:20 +01:00			`---`
install docker 2025-03-10 21:13:19 +01:00			`# - hosts: all`
			`# tasks:`
			`# - name: Print message`
			`# debug:`
			`# msg: Hello Ansible World`

deploy.yml hinzugefügt 2025-03-10 19:04:20 +01:00			`- hosts: all`
install docker 2025-03-10 21:13:19 +01:00			`become: true`

deploy.yml hinzugefügt 2025-03-10 19:04:20 +01:00			`tasks:`
install docker 2025-03-10 21:13:19 +01:00			`## Docker`
new repo key handling 2025-03-19 19:46:19 +01:00
			`- name: Add Docker GPG apt Key (new)`
			`ansible.builtin.get_url:`
			`# Docker Release (CE deb) <docker@docker.com>`
deploy.yml aktualisiert 2025-03-19 20:02:43 +01:00			`url: "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x8d81803c0ebfcd88"`
new repo key handling 2025-03-19 19:46:19 +01:00			`dest: /etc/apt/keyrings/docker_rel_ce_deb.asc`
install docker 2025-03-10 21:13:19 +01:00
			`- name: Add Docker Repository`
			`apt_repository:`
cleanup 2025-03-19 21:08:16 +01:00			`repo: "deb [signed-by=/etc/apt/keyrings/docker_rel_ce_deb.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"`
install docker 2025-03-10 21:13:19 +01:00			`state: present`

			`- name: Update apt and install docker-ce`
			`apt:`
			`name: docker-ce`
			`state: latest`
			`update_cache: true`

			`- name: install pip3`
			`apt:`
			`name: python3-pip`
			`state: latest`
ufw docker rules 2025-03-10 21:55:16 +01:00
cleanup 2025-03-19 21:08:16 +01:00			`# - name: Container present test`
			`# community.docker.docker_container:`
			`# name: ansible_deployed`
			`# state: absent`
deploy.yml aktualisiert 2025-03-12 10:42:15 +01:00
deploy.yml aktualisiert 2025-03-13 10:44:27 +01:00			`- name: Registry cache`
			`community.docker.docker_container:`
			`name: registry_cache`
			`state: started`
			`restart_policy: unless-stopped`
ghcr.io != gcr.io fix 2025-03-13 10:50:50 +01:00			`image: mirror.gcr.io/registry:2`
deploy.yml aktualisiert 2025-03-13 11:23:14 +01:00			`ports:`
deploy.yml aktualisiert 2025-03-13 11:16:52 +01:00			`- "5000:5000"`
deploy.yml aktualisiert 2025-03-13 11:03:08 +01:00			`volumes:`
			`- /var/lib/registry:/var/lib/registry`
deploy.yml aktualisiert 2025-03-13 10:44:27 +01:00			`env:`
			`REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io`
			`REGISTRY_PROXY_USERNAME: stelb`
			`REGISTRY_PROXY_PASSWORD: "{{ DOCKER_IO_PASSWORD }}"`
ufw docker rules 2025-03-10 21:55:16 +01:00
			`- name: add docker rules to ufw`
			`blockinfile:`
			`path: /etc/ufw/after.rules`
			`marker_begin: BEGIN UFW AND DOCKER`
			`marker_end: END UFW AND DOCKER`
			`state: present`
			`block: "{{ lookup('ansible.builtin.file', 'ufw-docker.rules') }}"`
			`tags:`
			`- ufw`

allow OpenSSH 2025-03-12 21:57:34 +01:00			`- name: allow OpenSSH`
			`community.general.ufw:`
fix OpenSSH 2025-03-12 22:01:57 +01:00			`rule: allow`
allow OpenSSH 2025-03-12 21:57:34 +01:00			`app: OpenSSH`

enable ufw 2025-03-12 19:48:29 +01:00			`- name: enable ufw`
			`community.general.ufw:`
			`state: enabled`
			`policy: reject`
			`tags:`
			`- ufw`

open some ports 2025-03-10 22:39:48 +01:00			`- name: open ports`
			`community.general.ufw:`
			`rule: allow`
			`proto: "{{ item[1] }}"`
			`port: "{{ item[0] }}"`
			`route: "{{ item[2] \| default(omit) }}"`
			`loop:`
			`- [ 80, 'tcp', true ] # traefik`
			`- [ 443, 'tcp', true ] # traefik`
			`- [ 25, 'tcp', true ] # smtp ntfy`
			`- [ 51820, 'udp', true ] # wireguard`
			`- [ 53, 'udp', true ] # technitium, dns`
			`- [ 53, 'tcp', true ] # technitium, dns`
			`# - [ 1935, 'udp', true ] # owncast`
			`# - [ 1935, 'tcp', true ] # owncast`
			`- [ 2222, 'tcp', true ] # forgejo`
			`- [ 22, 'tcp', true ] # forgejo`
			`tags:`
			`- ufw`

cleanup 2025-03-19 21:08:16 +01:00			`- name: open network for own hosts`
open some ports 2025-03-10 22:39:48 +01:00			`community.general.ufw:`
			`rule: allow`
			`from: "{{ item }}"`
trusted host from variable 2025-03-12 21:48:09 +01:00			`loop: "{{ anyops_trusted_hosts }}"`
cleanup 2025-03-19 21:08:16 +01:00			`- 37.27.176.103 # muh.anyops.de`
			`- 37.120.191.100 # service01.anyops.de`
			`- 152.53.229.139 # service02.anyops.de`
			`- 5.75.165.105 # gate1.stelb.cloud`
open some ports 2025-03-10 22:39:48 +01:00			`tags:`
			`- ufw`
add autoupgrade role 2025-03-17 18:17:11 +01:00
			`- name: autoupgrade`
			`ansible.builtin.include_role:`
			`name: anyops_autoupgrade`