Add watchtower and secrets

README.md

@@ -3,24 +3,5 @@
 ansible-galaxy install -r requirements.yml
 
 # Install the playbook
-ansible-playbook -i inventory frontend.yaml
-
-# Check the cron jobs
-crontab -u matt -l
-```
-
-TODO: Update the pre/post scripts at /etc/letsencrypt/renewal-hooks to stop/start docker reverse_proxy
-TODO: Update cron to run certbot as root
-
-If the above is done, I'm not sure the blow is needed...
-TODO: Ensure /var/log/letsencrypt, /var/lib/letsencryprt and maybe /etc/letsencrypt are writable as the ansible user.
-Something like
-
-```bash
-chgrp adm /var/log/letsencrypt
-chmod g+rwx /var/log/letsencrypt
-chgrp -R adm /etc/letsencrypt/
-chmod -R g+rwx /etc/letsencrypt/
-chgrp adm /var/lib/letsencrypt
-chmod g+rwx /var/lib/letsencrypt
+ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass frontend.yaml
 ```

frontend.yaml

@@ -81,8 +81,6 @@
         username: "{{ secrets.GITHUB_ACTOR }}"
         password: "{{ secrets.GITHUB_TOKEN }}"
 
-    # NOTE: This will fail on the first run because the container has not been
-    #       uploaded to the registry yet
     - name: Start website
       community.docker.docker_container:
         name: website
@@ -91,3 +89,13 @@
         ports:
           - "3000:3000"
         state: started
+
+    - name: Start watchtower
+      community.docker.docker_container:
+        name: watchtower
+        image: containrrr/watchtower
+        restart_policy: always
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+          - /home/matt/.docker/config.json:/config.json
+        state: started

inventory

@@ -1,5 +1,2 @@
-[kiosk]
-kiosk@kiosk.local
-
 [frontend]
-rpi4-2.localdomain
+rpi4-2.localdomain

kiosk.yaml

@@ -1,155 +0,0 @@
----
-- name: Setup kiosk
-  hosts: kiosk
-
-  vars:
-    username: kiosk
-
-    docker_add_repo: true
-    docker_users:
-      - "{{ username }}"
-
-
-  roles:
-    - role: geerlingguy.docker
-      become: true
-  
-
-  tasks:
-  # - name: Ensure raspi-config is up to date
-  #   become: true
-  #   shell: "raspi-config nonint do_update"
-  #   changed_when: False
-
-
-
-
-  - name: Set autologin
-    become: true
-    shell: "raspi-config nonint do_boot_behaviour B2"
-    # There is no output from this command, so its difficult to see when the mode has changed
-  
-  - name: Enable overscan
-    become: true
-    shell: "raspi-config nonint do_overscan 1"
-
-  - name: Update packages
-    become: true
-    ansible.builtin.apt:
-      upgrade: safe
-      update_cache: yes
-
-  - name: Install desktop packages
-    become: true
-    ansible.builtin.apt:
-      install_recommends: false
-      state: present
-      pkg:
-      - xserver-xorg
-      - x11-xserver-utils
-      - xinit
-      - xdotool
-      - openbox
-
-  - name: Install chromium
-    become: true
-    ansible.builtin.apt:
-      install_recommends: false
-      state: present
-      name: chromium-browser
-
-  - name: Install userspace apps
-    become: true
-    ansible.builtin.apt:
-      install_recommends: false
-      state: present
-      name: jq
-
-  - name: Configure openbox autostart
-    become: true
-    ansible.builtin.blockinfile:
-      path: /etc/xdg/openbox/autostart
-      block: |
-        # Read environment from ~kiosk/config.json
-        # WEBSITE=$(sed -ne 's/WEBSITE=\(.*\)$/\1/p' /home/kiosksettings)
-        WEBSITE=$(jq .website ~/kiosk/config.json | sed -e 's/^"//' -e 's/"$//')
-        #
-        # Disable screen saver / screen blanking / power management
-        xset s off
-        xset s noblank
-        xset -dpms
-        #
-        # Allow quitting X server with CTRL-ALT-Backspace
-        setxkbmap -option terminate:ctrl_alt_bksp
-        # Start commands script
-        cd /home/kiosk && ./control.sh &
-        #
-        # Start chromium in kiosk mode
-        sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' ~/.config/chromium/'Local State'
-        sed -i 's/"exited_cleanly":false/"exited_cleanly":true/; s/"exit_type":"[^"]\+"/"exit_type":"Normal"/' ~/.config/chromium/Default/Preferences
-        chromium-browser --disable-infobars --kiosk ${WEBSITE:=https://bit.ly/shelford_kiosk}
-
-  - name: Configure openbox-session
-    ansible.builtin.blockinfile:
-      path: /home/{{ username }}/.xinitrc
-      create: true
-      line: "exec openbox-session"
-
-  - name: Start window manager
-    ansible.builtin.lineinfile:
-      path: /home/{{ username }}/.bash_profile
-      create: true
-      line: '[[ -z $DISPLAY && $XDG_VTNR -eq 1 ]] && startx -- -nocursor'
-
-  - name: Setup cron job to reload website on a schedule
-    ansible.builtin.cron:
-      name: "Reload kiosk"
-      minute: "0"
-      hour: "0,2,4,6,8,10,12,14,16,18,20,22"
-      job: "DISPLAY=:0.0 xdotool key ctrl+r"
-  
-  - name: Create kiosk config directory
-    ansible.builtin.file:
-      path: /home/{{ username }}/kiosk
-      state: directory
-      mode: '0777'
-
-  - name: Create named pipe for comms from container
-    command:
-      cmd: mkfifo -m 0666 /home/{{ username }}/commands
-      creates: /home/{{ username }}/commands
-
-  - name: Create commands script to enable piping commands from containers
-    copy:
-      dest: /home/{{ username }}/control.sh
-      mode: 0755
-      owner: "{{ username }}"
-      content: |
-        #!/bin/sh
-        while true
-        do
-          while read -r cmd; do
-            echo Command ${cmd}
-            case $cmd in
-              "restart")
-                sudo reboot
-              ;;
-              *)
-                echo "Unknown command '${cmd}'"
-              ;;
-            esac
-          done < commands
-        done
-
-
-  - name: Start admin console container
-    community.docker.docker_container:
-      name: website
-      image: hub.apptabulous.co.uk/apptabulous/kiosk:latest
-      restart_policy: always
-      ports:
-      - "80:3000"
-      volumes:
-      - "/home/{{ username }}/kiosk:/app/kiosk"
-      - "/home/{{ username }}/commands:/app/commands"
-      state: started