generated from netr0m/ansible-role-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
196 lines (185 loc) · 5.76 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
---
# Domain name
svc_domain: local
# Environment
svc_env: "{{ lookup('env', 'ENVIRONMENT') | default('production') }}"
# Username of the user owning the files
svc_user_name: 'butler'
# Group name of the group that should own the files
svc_group_name: 'butlers'
# Optionally provide the UID of the user. If absent, the UID will be looked up
svc_user_uid: undefined
# Optionally provide the GID of the group. If absent, the GID will be looked up
svc_group_gid: undefined
# Timezone
svc_tz: Etc/UTC
### Directories ###
# Manage directories
svc_manage_directories: true
# Directory to store service data
svc_directory:
path: '/opt/svc'
# Default permissions
owner: "{{ svc_user_name }}"
group: "{{ svc_group_name }}"
mode: 740
# Subdirectories
svc_subdirectories:
cfg:
path: "{{ svc_directory.path }}/cfg"
log:
path: "{{ svc_directory.path }}/log"
data:
path: "{{ svc_directory.path }}/data"
### Access Control Lists ###
# Define ACL definitions. See https://docs.ansible.com/ansible/latest/collections/ansible/posix/acl_module.html.
# path and entity are required. etype defaults to 'user', 'permissions' default to 'r', 'state' defaults to 'present'
svc_acl_entries: []
# - path: /opt/svc
# entity: "myuser"
# permissions: "r"
# recursive: true
# - path: /opt/svc
# entity: "myuser"
# permissions: "rwx"
# default: true
# - path: /opt/some_dir/myfile.ext
# entity: "{{ svc_group_name }}"
# etype: "group"
# state: "absent"
# - path: /opt/some_dir/myfile.ext
# entity: "myuser"
### Packages ###
# Manage packages
svc_manage_packages: true
# Shared packages to install
svc_packages_shared:
- acl
# Packages to install. See vars/<ansible_os_family>.yml
svc_packages: "{{ svc_packages_shared }}"
# Pip packages to install
svc_packages_pip:
- 'docker'
### Services ###
# Default restart policy
svc_restart_policy: 'always'
# Whether to force pull container images
svc_force_pull: false
# Default logging driver for Docker containers
svc_log_driver: local
# Default logging options - see https://docs.docker.com/config/containers/logging/configure/
svc_log_options:
max-size: 20m
max-file: '5'
compress: 'true'
# Manage docker networks
svc_manage_docker_networks: true
# Configure Traefik
svc_use_traefik: true
### Traefik ###
# Directories for Traefik
svc_traefik_directories:
cfg:
path: "{{ svc_subdirectories.cfg.path }}/traefik"
log:
path: "{{ svc_subdirectories.log.path }}/traefik"
# Log level
svc_traefik_log_level: 'INFO'
# Whether to enable the Traefik dashboard
svc_traefik_enable_dashboard: true
# Whether to enable DEBUG mode
svc_traefik_debug: false
# Whether to allow insecure access
svc_traefik_insecure: false
# Whether to expose Docker containers by default
svc_traefik_exposed_by_default: false
# Whether to automatically retrieve TLS certificates. Requires 'svc_traefik_dns_challenge_provider' and 'svc_traefik_acme_settings'.
svc_traefik_automatic_https: true
# Challenge provider to use for automatic TLS certificate acquisition. See https://doc.traefik.io/traefik/https/acme/#providers
svc_traefik_dns_challenge_provider: 'cloudflare'
# Whether to use the staging servers (recommended for testing)
svc_traefik_letsencrypt_staging: false
# Environment variables for Traefik to automatically acquire TLS certificates
svc_traefik_acme_settings:
CF_DNS_API_TOKEN: "{{ lookup('env', 'CF_DNS_API_TOKEN') | default('undefined') }}"
# traefik container hostname
svc_traefik_container_hostname: traefik
# traefik version
svc_traefik_version: latest
# traefik container image
svc_traefik_container_image: "traefik:{{ svc_traefik_version }}"
# traefik container memory
svc_traefik_container_memory: 1g
# traefik container ports
svc_traefik_container_ports:
http: 80
https: 443
# Used as the 'average' parameter for the rate limiting middleware
svc_traefik_middleware_rate_limit_average: 50
# Used as the 'burst' parameter for the rate limiting middleware
svc_traefik_middleware_rate_limit_burst: 100
# Extra hosts for Traefik. See templates/etc/traefik/config/http.yml
svc_traefik_extra_hosts: []
# - name: example
# shortname: ex
# middlewares: []
# protocol: https
# ip_addr: 10.10.10.10
# port: 8080
# Extra middlewares for Traefik. See templates/etc/traefik/config/http.yml.j2
svc_traefik_extra_middlewares: {}
# example-mwr:
# headers:
# customRequestHeaders:
# Authorization: ''
# X-Forwarded-Proto: 'https'
# Extra entrypoints for Traefik. See templates/etc/traefik/traefik.yml.j2
svc_traefik_extra_entrypoints: []
# - name: dns
# port: 53
# - name: dnsUdp
# port: 53/udp
# Extra certificates for Traefik. See templates/etc/traefik/traefik.yml.j2
# First entry in the list will be used as the default, if any
svc_traefik_extra_certificates: []
# - crt: /etc/traefik/tls/domain.tld.crt
# key: /etc/traefik/tls/domain.tld.key
### Docker Socket Proxy ###
# socketproxy container hostname
svc_socketproxy_container_hostname: "socket-proxy"
# # socketproxy version
svc_socketproxy_version: "0.1.1"
# socketproxy container image
svc_socketproxy_container_image: "ghcr.io/tecnativa/docker-socket-proxy:{{ svc_socketproxy_version }}"
# socketproxy container memory
svc_socketproxy_container_memory: 1g
# socketproxy container restart policy
svc_socketproxy_restart_policy: "unless-stopped"
# Settings for the docker socket proxy. See https://github.com/Tecnativa/docker-socket-proxy#grant-or-revoke-access-to-certain-api-sections
socket_proxy_settings:
LOG_LEVEL: "info"
EVENTS: "1"
PING: "1"
VERSION: "1"
CONTAINERS: "1"
IMAGES: "0"
NETWORKS: "0"
VOLUMES: "0"
POST: "0"
SERVICES: "0"
INFO: "0"
TASKS: "0"
AUTH: "0"
SECRETS: "0"
BUILD: "0"
COMMIT: "0"
CONFIGS: "0"
DISTRIBUTION: "0"
EXEC: "0"
GRPC: "0"
NODES: "0"
PLUGINS: "0"
SESSION: "0"
SWARM: "0"
SYSTEM: "0"
...