m5p3nc3r/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add watchtower and secrets

Browse Source
This commit is contained in:
Matt Spencer
2024-10-19 12:33:16 +01:00
parent 0ce8f1e8fb
commit f8e1ec8b72
4 changed files with 12 additions and 181 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
README.md
View File

@@ -3,24 +3,5 @@
ansible-galaxy install -r requirements.yml ansible-galaxy install -r requirements.yml
# Install the playbook # Install the playbook
ansible-playbook -i inventory frontend.yaml ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass frontend.yaml
# Check the cron jobs
crontab -u matt -l
```
TODO: Update the pre/post scripts at /etc/letsencrypt/renewal-hooks to stop/start docker reverse_proxy
TODO: Update cron to run certbot as root
If the above is done, I'm not sure the blow is needed...
TODO: Ensure /var/log/letsencrypt, /var/lib/letsencryprt and maybe /etc/letsencrypt are writable as the ansible user.
Something like
```bash
chgrp adm /var/log/letsencrypt
chmod g+rwx /var/log/letsencrypt
chgrp -R adm /etc/letsencrypt/
chmod -R g+rwx /etc/letsencrypt/
chgrp adm /var/lib/letsencrypt
chmod g+rwx /var/lib/letsencrypt
``` ```

12
frontend.yaml
View File

@@ -81,8 +81,6 @@
username: "{{ secrets.GITHUB_ACTOR }}" username: "{{ secrets.GITHUB_ACTOR }}"
password: "{{ secrets.GITHUB_TOKEN }}" password: "{{ secrets.GITHUB_TOKEN }}"
# NOTE: This will fail on the first run because the container has not been
# uploaded to the registry yet
- name: Start website - name: Start website
community.docker.docker_container: community.docker.docker_container:
name: website name: website
@@ -91,3 +89,13 @@
ports: ports:
- "3000:3000" - "3000:3000"
state: started state: started
- name: Start watchtower
community.docker.docker_container:
name: watchtower
image: containrrr/watchtower
restart_policy: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /home/matt/.docker/config.json:/config.json
state: started

3
inventory
View File

@@ -1,5 +1,2 @@
[kiosk]
kiosk@kiosk.local
[frontend] [frontend]
rpi4-2.localdomain rpi4-2.localdomain

155
kiosk.yaml
View File

@@ -1,155 +0,0 @@
---
- name: Setup kiosk
hosts: kiosk
vars:
username: kiosk
docker_add_repo: true
docker_users:
- "{{ username }}"
roles:
- role: geerlingguy.docker
become: true
tasks:
# - name: Ensure raspi-config is up to date
# become: true
# shell: "raspi-config nonint do_update"
# changed_when: False
- name: Set autologin
become: true
shell: "raspi-config nonint do_boot_behaviour B2"
# There is no output from this command, so its difficult to see when the mode has changed
- name: Enable overscan
become: true
shell: "raspi-config nonint do_overscan 1"
- name: Update packages
become: true
ansible.builtin.apt:
upgrade: safe
update_cache: yes
- name: Install desktop packages
become: true
ansible.builtin.apt:
install_recommends: false
state: present
pkg:
- xserver-xorg
- x11-xserver-utils
- xinit
- xdotool
- openbox
- name: Install chromium
become: true
ansible.builtin.apt:
install_recommends: false
state: present
name: chromium-browser
- name: Install userspace apps
become: true
ansible.builtin.apt:
install_recommends: false
state: present
name: jq
- name: Configure openbox autostart
become: true
ansible.builtin.blockinfile:
path: /etc/xdg/openbox/autostart
block: |
# Read environment from ~kiosk/config.json
# WEBSITE=$(sed -ne 's/WEBSITE=\(.*\)$/\1/p' /home/kiosksettings)
WEBSITE=$(jq .website ~/kiosk/config.json | sed -e 's/^"//' -e 's/"$//')
#
# Disable screen saver / screen blanking / power management
xset s off
xset s noblank
xset -dpms
#
# Allow quitting X server with CTRL-ALT-Backspace
setxkbmap -option terminate:ctrl_alt_bksp
# Start commands script
cd /home/kiosk && ./control.sh &
#
# Start chromium in kiosk mode
sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' ~/.config/chromium/'Local State'
sed -i 's/"exited_cleanly":false/"exited_cleanly":true/; s/"exit_type":"[^"]\+"/"exit_type":"Normal"/' ~/.config/chromium/Default/Preferences
chromium-browser --disable-infobars --kiosk ${WEBSITE:=https://bit.ly/shelford_kiosk}
- name: Configure openbox-session
ansible.builtin.blockinfile:
path: /home/{{ username }}/.xinitrc
create: true
line: "exec openbox-session"
- name: Start window manager
ansible.builtin.lineinfile:
path: /home/{{ username }}/.bash_profile
create: true
line: '[[ -z $DISPLAY && $XDG_VTNR -eq 1 ]] && startx -- -nocursor'
- name: Setup cron job to reload website on a schedule
ansible.builtin.cron:
name: "Reload kiosk"
minute: "0"
hour: "0,2,4,6,8,10,12,14,16,18,20,22"
job: "DISPLAY=:0.0 xdotool key ctrl+r"
- name: Create kiosk config directory
ansible.builtin.file:
path: /home/{{ username }}/kiosk
state: directory
mode: '0777'
- name: Create named pipe for comms from container
command:
cmd: mkfifo -m 0666 /home/{{ username }}/commands
creates: /home/{{ username }}/commands
- name: Create commands script to enable piping commands from containers
copy:
dest: /home/{{ username }}/control.sh
mode: 0755
owner: "{{ username }}"
content: |
#!/bin/sh
while true
do
while read -r cmd; do
echo Command ${cmd}
case $cmd in
"restart")
sudo reboot
;;
*)
echo "Unknown command '${cmd}'"
;;
esac
done < commands
done
- name: Start admin console container
community.docker.docker_container:
name: website
image: hub.apptabulous.co.uk/apptabulous/kiosk:latest
restart_policy: always
ports:
- "80:3000"
volumes:
- "/home/{{ username }}/kiosk:/app/kiosk"
- "/home/{{ username }}/commands:/app/commands"
state: started