systems/infrastructure
1
Fork 0
Code Issues 1 Pull requests 17 Activity Actions

Deploy a dokku

Browse source
This commit is contained in:
Jake Howard 2023-10-01 16:25:20 +01:00
parent b02be4e77a
commit a54a91ea44
Signed by: jake
GPG key ID: 57AFB45680EDD477
14 changed files with 149 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ansible/ansible.cfg
View file

@ -7,6 +7,8 @@ collections_path = $PWD/galaxy_collections
inventory = ./hosts inventory = ./hosts
become_ask_pass = True become_ask_pass = True
interpreter_python = auto_silent interpreter_python = auto_silent
# HACK: Force Ansible to find dokku plugins
library = $PWD/galaxy_roles/dokku_bot.ansible_dokku/library
[ssh_connection] [ssh_connection]
pipelining = True pipelining = True

2
ansible/galaxy-requirements.yml
View file

@ -16,3 +16,5 @@ roles:
- src: chmduquesne.iptables_persistent - src: chmduquesne.iptables_persistent
- src: ironicbadger.snapraid - src: ironicbadger.snapraid
version: 1.0.0 version: 1.0.0
- src: dokku_bot.ansible_dokku
version: v2022.10.17

1
ansible/host_vars/pve-docker/main.yml
View file

@ -3,6 +3,7 @@ private_ip: "{{ pve_hosts.docker.ip }}"
traefik_provider_jellyfin: true traefik_provider_jellyfin: true
traefik_provider_homeassistant: true traefik_provider_homeassistant: true
traefik_provider_grafana: true traefik_provider_grafana: true
traefik_provider_dokku: true
with_fail2ban: true with_fail2ban: true

1
ansible/host_vars/pve-dokku.yml Normal file
View file

@ -0,0 +1 @@
ssh_extra_allowed_users: dokku

4
ansible/main.yml
View file

@ -127,3 +127,7 @@
- pihole - pihole
- role: prometheus.prometheus.node_exporter - role: prometheus.prometheus.node_exporter
become: true become: true
- hosts: pve-dokku
roles:
- dokku

29
ansible/roles/dokku/files/nginx.conf Normal file
View file

@ -0,0 +1,29 @@
worker_processes auto;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
# Block requests which don't have an explicit handler
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
access_log off;
return 418;
}
# Load configuration files for the default server block.
include /etc/nginx/conf.d/*.conf;
}

5
ansible/roles/dokku/handlers/main.yml Normal file
View file

@ -0,0 +1,5 @@
- name: restart nginx
service:
name: nginx
state: restarted
become: true

53
ansible/roles/dokku/tasks/main.yml Normal file
View file

@ -0,0 +1,53 @@
# HACK: Fake include some tasks from `ansible_dokku`, so its library plugins can be used below
- name: Run role without running any tasks
include_role:
name: dokku_bot.ansible_dokku
tasks_from: init.yml
apply:
when: false
- name: Install Dokku
package:
name: dokku
become: true
- name: List dokku plugins
command: dokku plugin:list
changed_when: false
register: installed_dokku_plugins
- name: Install Dokku plugins
command: dokku plugin:install {{ item.url }} --name {{ item.name }}
when: installed_dokku_plugins.stdout.find(item.name) == -1
loop: "{{ dokku_plugins }}"
loop_control:
label: "{{ item.name }}"
become: true
- name: Automatically update Dokku plugins
cron:
name: "dokku plugin:update {{ item.name }}"
minute: "0"
hour: "12"
user: "root"
job: "/usr/bin/chronic /usr/bin/dokku plugin:update {{ item.name }}"
cron_file: "dokku-plugin-update-{{ item.name }}"
loop: "{{ dokku_plugins }}"
loop_control:
label: "{{ item.name }}"
become: true
- name: Set up global domain
dokku_domains:
global: true
domains: d.theorangeone.net
become: true
- name: Install custom nginx config
template:
src: files/nginx.conf
dest: /etc/nginx/nginx.conf
validate: nginx -t -c %s
mode: "644"
notify: restart nginx
become: true

9
ansible/roles/dokku/vars/main.yml Normal file
View file

@ -0,0 +1,9 @@
dokku_plugins:
- name: postgres
url: https://github.com/dokku/dokku-postgres.git
- name: redis
url: https://github.com/dokku/dokku-redis.git
- name: redirect
url: https://github.com/dokku/dokku-redirect.git
- name: http-auth
url: https://github.com/dokku/dokku-http-auth.git

1
ansible/roles/traefik/defaults/main.yml
View file

@ -1,5 +1,6 @@
traefik_provider_jellyfin: false traefik_provider_jellyfin: false
traefik_provider_homeassistant: false traefik_provider_homeassistant: false
traefik_provider_grafana: false traefik_provider_grafana: false
traefik_provider_dokku: false
with_fail2ban: false with_fail2ban: false

10
ansible/roles/traefik/files/file-provider-dokku.yml Normal file
View file

@ -0,0 +1,10 @@
http:
routers:
router-dokku:
rule: HostRegexp(`{subdomain:[a-z]+}.d.theorangeone.net`)
service: service-dokku
services:
service-dokku:
loadBalancer:
servers:
- url: http://{{ pve_hosts.dokku.ip }}

4
ansible/roles/traefik/files/traefik.yml
View file

@ -26,6 +26,10 @@ entryPoints:
sans: "*.jakehoward.tech" sans: "*.jakehoward.tech"
- main: 0rng.one - main: 0rng.one
sans: "*.0rng.one" sans: "*.0rng.one"
{% if traefik_provider_dokku %}
- main: d.theorangeone.net
sans: "*.d.theorangeone.net"
{% endif %}
proxyProtocol: proxyProtocol:
trustedIPs: trustedIPs:
- "{{ wireguard.cidr }}" - "{{ wireguard.cidr }}"

12
ansible/roles/traefik/tasks/main.yml
View file

@ -47,6 +47,8 @@
dest: /opt/traefik/traefik/traefik.yml dest: /opt/traefik/traefik/traefik.yml
mode: "{{ docker_compose_file_mask }}" mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}" owner: "{{ docker_user.name }}"
lstrip_blocks: true
trim_blocks: true
notify: restart traefik notify: restart traefik
become: true become: true
@ -89,6 +91,16 @@
when: traefik_provider_grafana when: traefik_provider_grafana
become: true become: true
- name: Install dokku provider
template:
src: files/file-provider-dokku.yml
dest: /opt/traefik/traefik/conf/dokku.yml
mode: "{{ docker_compose_file_mask }}"
owner: "{{ docker_user.name }}"
notify: restart traefik
when: traefik_provider_dokku
become: true
- name: logrotate config - name: logrotate config
template: template:
src: files/logrotate.conf src: files/logrotate.conf

16
terraform/theorangeone.net.tf
View file

@ -181,6 +181,22 @@ resource "cloudflare_record" "theorangeonenet_privatebin" {
ttl = 1 ttl = 1
} }
resource "cloudflare_record" "theorangeonenet_dokku" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "d"
value = linode_instance.casey.ip_address
type = "A"
ttl = 1
}
resource "cloudflare_record" "theorangeonenet_dokku_wildcard" {
zone_id = cloudflare_zone.theorangeonenet.id
name = "*.d"
value = cloudflare_record.theorangeonenet_dokku.hostname
type = "CNAME"
ttl = 1
}
resource "cloudflare_record" "theorangeonenet_google_site_verification" { resource "cloudflare_record" "theorangeonenet_google_site_verification" {
zone_id = cloudflare_zone.theorangeonenet.id zone_id = cloudflare_zone.theorangeonenet.id
name = "@" name = "@"