initial commit

.gitignore

@@ -0,0 +1,2 @@
+.idea
+.vault.pass

defaults/main.yml

@@ -0,0 +1,140 @@
+---
+lb_olafnorge_de_compose:
+  version: "3.7"
+  services:
+    ext-proxy:
+      deploy:
+        placement:
+          constraints:
+            - node.role == manager
+        mode: global
+        restart_policy:
+          condition: on-failure
+          delay: 5s
+          max_attempts: 5
+          window: 300s
+        update_config:
+          failure_action: rollback
+          monitor: 120s
+      environment:
+        DATAPLANE_PASS: /run/secrets/lb_olafnorge_de_dataplane_pass
+        HAPROXY_LISTEN_NETWORK: ext-proxy
+        HAPROXY_MAIL_SERVICE_ENABLED: "true"
+        HAPROXY_MAIL_SERVICE_ACCEPT_PROXY: "true"
+        HAPROXY_MAIL_SERVICE_SEND_PROXY: "true"
+        HAPROXY_MAXCONN: 20000
+        HAPROXY_SSL_DH_PARAM_FILE: /run/secrets/lb_olafnorge_de_haproxy_ssl_dh_param_file
+        HAPROXY_STATS_AUTH_PASS: /run/secrets/lb_olafnorge_de_haproxy_stats_auth_pass
+      image: "olafnorge/haproxy:{{ lb_olafnorge_de_haproxy_version }}"
+      networks:
+        - ext-proxy
+      secrets:
+        - lb_olafnorge_de_dataplane_pass
+        - lb_olafnorge_de_haproxy_ssl_dh_param_file
+        - lb_olafnorge_de_haproxy_stats_auth_pass
+      volumes:
+        - /etc/localtime:/etc/localtime:ro
+        - /etc/timezone:/etc/timezone:ro
+    int-proxy:
+      deploy:
+        placement:
+          constraints:
+            - node.role == manager
+        mode: global
+        restart_policy:
+          condition: on-failure
+          delay: 5s
+          max_attempts: 5
+          window: 300s
+        update_config:
+          failure_action: rollback
+          monitor: 120s
+      environment:
+        DATAPLANE_PASS: /run/secrets/lb_olafnorge_de_dataplane_pass
+        HAPROXY_LISTEN_NETWORK: int-proxy
+        HAPROXY_MAXCONN: 20000
+        HAPROXY_SMB_SERVICE_ENABLED: "true"
+        HAPROXY_SSH_SERVICE_ENABLED: "true"
+        HAPROXY_SSL_DH_PARAM_FILE: /run/secrets/lb_olafnorge_de_haproxy_ssl_dh_param_file
+        HAPROXY_STATS_AUTH_PASS: /run/secrets/lb_olafnorge_de_haproxy_stats_auth_pass
+        HAPROXY_TCP_SERVICE_ENABLED: "true"
+      image: "olafnorge/haproxy:{{ lb_olafnorge_de_haproxy_version }}"
+      networks:
+        - int-proxy
+      secrets:
+        - lb_olafnorge_de_dataplane_pass
+        - lb_olafnorge_de_haproxy_ssl_dh_param_file
+        - lb_olafnorge_de_haproxy_stats_auth_pass
+      volumes:
+        - /etc/localtime:/etc/localtime:ro
+        - /etc/timezone:/etc/timezone:ro
+    certbot:
+      deploy:
+        placement:
+          constraints:
+            - node.role == manager
+        replicas: 1
+        restart_policy:
+          condition: on-failure
+          delay: 5s
+          max_attempts: 5
+          window: 300s
+        update_config:
+          failure_action: rollback
+          monitor: 120s
+      environment:
+        DNS_CLOUDFLARE_CREDENTIALS_FILE: /run/secrets/lb_olafnorge_de_certbot_credentials
+        CERTBOT_EMAIL: "{{ lb_olafnorge_de_certbot_environment.email }}"
+        CERTBOT_MODE: "{{ lb_olafnorge_de_certbot_environment.mode | default('staging') }}"
+      image: "olafnorge/certbot:{{ lb_olafnorge_de_certbot_version }}"
+      networks:
+        - ext-proxy
+        - int-proxy
+      secrets:
+        - lb_olafnorge_de_certbot_credentials
+      volumes:
+        - /etc/localtime:/etc/localtime:ro
+        - /etc/timezone:/etc/timezone:ro
+  networks: "{{ lb_olafnorge_de_network_definitions }}"
+  secrets:
+    lb_olafnorge_de_certbot_credentials:
+      external: true
+    lb_olafnorge_de_dataplane_pass:
+      external: true
+    lb_olafnorge_de_haproxy_ssl_dh_param_file:
+      external: true
+    lb_olafnorge_de_haproxy_stats_auth_pass:
+      external: true
+
+lb_olafnorge_de_name: lbolafnorgede
+lb_olafnorge_de_network_definitions:
+  ext-proxy:
+    external: true
+  int-proxy:
+    external: true
+lb_olafnorge_de_haproxy_version: latest
+lb_olafnorge_de_certbot_version: latest
+
+lb_olafnorge_de_certbot_environment:
+  email: [email protected]
+  mode: staging
+
+lb_olafnorge_de_secrets:
+  certbot_credentials:
+    data: "{{ lb_olafnorge_de_certbot_credentials }}"
+    name: lb_olafnorge_de_certbot_credentials
+  dataplane_pass:
+    data: "{{ lb_olafnorge_de_dataplane_pass }}"
+    name: lb_olafnorge_de_dataplane_pass
+  haproxy_ssl_dh_param_file:
+    data: "{{ lb_olafnorge_de_haproxy_ssl_dh_param_file }}"
+    name: lb_olafnorge_de_haproxy_ssl_dh_param_file
+  haproxy_stats_auth_pass:
+    data: "{{ lb_olafnorge_de_haproxy_stats_auth_pass }}"
+    name: lb_olafnorge_de_haproxy_stats_auth_pass
+
+# vaults, you may define them in a separate file which overrides these defaults
+lb_olafnorge_de_certbot_credentials: # FIXME: add your vault here using 'ansible-vault'
+lb_olafnorge_de_dataplane_pass: # FIXME: add your vault here using 'ansible-vault'
+lb_olafnorge_de_haproxy_ssl_dh_param_file: # FIXME: add your vault here using 'ansible-vault'
+lb_olafnorge_de_haproxy_stats_auth_pass: # FIXME: add your vault here using 'ansible-vault'

meta/main.yml

@@ -0,0 +1,63 @@
+galaxy_info:
+  author: Volker Machon
+  description: Ansible role to deploy lb.example.com in a swarm cluster
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: MIT
+
+  min_ansible_version: 2.8
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available,
+  # Galaxy will use this branch. During import Galaxy will access files on
+  # this branch. If Travis integration is configured, only notifications for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually master) will be used.
+  #github_branch:
+
+  #
+  # platforms is a list of platforms, and each platform has a name and a list of versions.
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+  platforms:
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+  #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: create secrets for lb.example.com
+  docker_secret:
+    data: "{{ item.value.data }}"
+    name: "{{ item.value.name }}"
+    state: present
+  no_log: yes
+  with_dict: "{{ lb_olafnorge_de_secrets }}"
+
+- name: create docker overlay networks
+  docker_network:
+    driver: overlay
+    name: "{{ item.key }}"
+    state: present
+  with_dict: "{{ lb_olafnorge_de_network_definitions }}"
+
+- name: spawn lb.example.com service
+  docker_stack:
+    compose:
+      - "{{ lb_olafnorge_de_compose }}"
+    name: "{{ lb_olafnorge_de_name }}"
+    prune: yes
+    state: present