From 714f2b1d3b3f2a75a3935b3ac3b245d1cdf6ab7e Mon Sep 17 00:00:00 2001
From: Nils Cant
Date: Sun, 2 Nov 2025 15:29:45 +0100
Subject: [PATCH] Update
---
defaults/main.yml | 2 +-
tasks/apt.yml | 14 ++++++++++----
tasks/docker.yml | 22 +++++++++++-----------
tasks/main.yml | 4 ++--
tasks/tls.yml | 40 ----------------------------------------
5 files changed, 24 insertions(+), 58 deletions(-)
delete mode 100644 tasks/tls.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 2ec75b5..a3fb33f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1 +1 @@
-docker_storage_driver: overlay2
+docker_allowed_users: []
diff --git a/tasks/apt.yml b/tasks/apt.yml
index 1531934..f2fca92 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -3,14 +3,20 @@
apt:
name: ['apt-transport-https', 'ca-certificates', 'gpg']
+#- name: Add docker apt key
+# apt_key:
+# keyserver: hkp://p80.pool.sks-keyservers.net:80
+# id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
- name: Add docker apt key
- apt_key:
- keyserver: hkp://p80.pool.sks-keyservers.net:80
- id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+ copy:
+ src: docker.asc
+ dest: /etc/apt/keyrings/docker.asc
+ mode: 0644
- name: Add docker repository
apt_repository:
- repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+ repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
- name: Install docker CE
apt: name=docker-ce state=latest
diff --git a/tasks/docker.yml b/tasks/docker.yml
index 59cb213..ba93b4e 100644
--- a/tasks/docker.yml
+++ b/tasks/docker.yml
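Review bot: `docker_allowed_users: []` is added with no comment saying what it controls, and since it presumably feeds the new `users.yml` that this patch starts importing, the reader should be told what granting it implies. Suggest `# Users to add to the docker group; membership is root-equivalent on the host, keep this list minimal.` directly above the key. The removed `docker_storage_driver` default may still be referenced by `docker-systemd-conf.j2`, which this patch leaves in the role; confirm nothing else reads it before it disappears from defaults.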
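Review bot: The new `copy` task writes to `/etc/apt/keyrings/docker.asc` but nothing in this hunk creates that directory; as far as I know apt only ships it from 2.4 (Debian 12) onward, and the repo line targets whatever `ansible_distribution_release` is, so on an older release the task fails on a missing parent directory. Add a preceding `file` task that creates it, shown below. Two smaller points: `mode: 0644` is an unquoted octal that yamllint flags and that Ansible documents as better written `mode: "0644"`, and the old keyserver task is commented out rather than deleted, so drop those five lines since git history keeps them. Because the trust anchor is now a file committed to the role, a comment on the copy task recording the expected key fingerprint (the `9DC858229FC7DD38854AE2D88D81803C0EBFCD88` id that the removed task pinned) lets a reviewer verify `docker.asc` without trusting the checkout.
```yaml
- name: Ensure apt keyrings directory exists
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

- name: Add docker apt key
  # expected fingerprint of files/docker.asc: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
  copy:
    src: docker.asc
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"
# … unchanged: Add docker repository, Install docker CE …
```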
@@ -1,13 +1,13 @@
---
-- name: Create docker systemd drop-in directory
- file:
- path: /etc/systemd/system/docker.service.d
- state: directory
+#- name: Create docker systemd drop-in directory
+# file:
+# path: /etc/systemd/system/docker.service.d
+# state: directory
-- name: Configure docker startup options
- template:
- src: docker-systemd-conf.j2
- dest: /etc/systemd/system/docker.service.d/exec.conf
- notify:
- - restart docker
- - systemctl daemon-reload
+#- name: Configure docker startup options
+# template:
+# src: docker-systemd-conf.j2
+# dest: /etc/systemd/system/docker.service.d/exec.conf
+# notify:
+# - restart docker
+# - systemctl daemon-reload
diff --git a/tasks/main.yml b/tasks/main.yml
index ac80716..bddb09d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,4 @@
---
- import_tasks: apt.yml
-- import_tasks: tls.yml
-- import_tasks: docker.yml
+#- import_tasks: docker.yml
+- import_tasks: users.yml
diff --git a/tasks/tls.yml b/tasks/tls.yml
deleted file mode 100644
index d8a3362..0000000
--- a/tasks/tls.yml
+++ /dev/null
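Review bot: The whole of `tasks/docker.yml` is commented out rather than removed, and `tasks/main.yml` in this same patch comments out its import as well, so the file, `docker-systemd-conf.j2` and the `restart docker` / `systemctl daemon-reload` handlers all become dead code kept in three places; delete the file as was done for `tls.yml` and remove the template and handlers with it. If the drop-in used to configure a TCP listener with the certificates that `tls.yml` generated, dropping both means the daemon now serves only the distribution default socket, which is the safer configuration, but anything that connected over TCP should be checked before merging.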
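Review bot: `- import_tasks: users.yml` references a file that is not part of this patch (the diffstat lists only the five files above), so the role fails at parse time unless `users.yml` already exists in the repository; confirm it is committed, ideally in the same change that introduces its `docker_allowed_users` default so the two cannot drift apart.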
@@ -1,40 +0,0 @@
----
-- name: Docker TLS directory
- file:
- path: /etc/docker/tls
- state: directory
-
-- name: Openssl docker ext config file
- copy:
- content: "subjectAltName = DNS:{{ ansible_fqdn}},IP:127.0.0.1"
- dest: "/etc/docker/tls/extfile.cnf"
-
-- name: Generate server CA and server TLS certificates
- shell: |
- openssl req -new -days 7300 -batch -newkey rsa:4096 -keyout ca.key -nodes -subj "/commonName={{ ansible_fqdn }} docker CA/" -x509 -out ca.pem
- openssl genrsa -out server.key 4096
- openssl req -subj "/CN={{ ansible_fqdn }}" -sha256 -new -key server.key -out server.csr
- openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -extfile extfile.cnf
- args:
- chdir: /etc/docker/tls
- creates: /etc/docker/tls/*.pem
-
-- name: TLS client extfile
- copy:
- content: "extendedKeyUsage = clientAuth"
- dest: /etc/docker/tls/client-extfile.cnf
-
-- name: Docker client certificate directory
- file:
- path: "/root/.docker/{{ ansible_fqdn }}"
- state: directory
-
-- name: Generate and sign client TLS certificate
- shell: |
- openssl genrsa -out "/root/.docker/{{ ansible_fqdn }}/key.pem" 4096
- openssl req -subj '/CN=client' -new -key "/root/.docker/{{ ansible_fqdn }}/key.pem" -out "/root/.docker/{{ ansible_fqdn }}/client.csr"
- openssl x509 -req -days 3650 -sha256 -in "/root/.docker/{{ ansible_fqdn }}/client.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "/root/.docker/{{ ansible_fqdn }}/cert.pem" -extfile client-extfile.cnf
- cp /etc/docker/tls/ca.pem "/root/.docker/{{ ansible_fqdn }}"
- args:
- chdir: /etc/docker/tls
- creates: "/root/.docker/{{ ansible_fqdn }}/cert.pem"