playbook.yml

---
- hosts: all
  become: yes
  become_method: sudo
  tasks:
    - name: 'Add docker repository key'
      apt_key:
        url: https://download.docker.com/linux/ubuntu/gpg
        state: present

    - name: 'Add docker repository'
      apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable' state=present
      when: ansible_distribution == "Ubuntu"

    - name: 'Install docker'
      apt: name=docker-ce state=present update_cache=yes install_recommends=yes allow_unauthenticated=yes
      when: ansible_distribution == "Ubuntu"
      retries: 3
      delay: 20

    - name: 'Ensure Docker service started'
      service: name=docker state=started

    - name: 'Get docker info'
      shell: docker info
      register: docker_info
      changed_when: False

    - name: 'Install pip3'
      apt:
        name: python3-pip
        state: present

    - name: 'Install pexpect python module for ansible expect commands'
      pip:
        name: pexpect

    - name: 'Install docker python module for ansible docker commands'
      pip:
        name: docker

    - name: 'Log into DockerHub'
      docker_login:
        username: '{{dockerhub_username}}'
        password: '{{dockerhub_password}}'

    - name: 'Setup crontab to clean up docker images'
      cron:
        name: 'cleanup docker images'
        minute: '0'
        hour: '0'
        job: '/usr/bin/docker system prune -af >> /var/log/docker-prune.log'

    - name: 'Check file for encrypted file system exists'
      stat:
        path: /cryptfs_file_sparse.img
        get_checksum: False
        get_md5: False
      register: st

    - name: 'Create traefik data directory'
      file:
        path: /data/traefik
        state: directory

    - name: 'Install UFW'
      apt:
        name: ufw
        state: present

    - name: 'Allow OpenSSH through UFW'
      ufw:
        rule: allow
        name: OpenSSH

    - name: 'Copy logrotate script'
      copy:
        src: logrotate.conf
        dest: /etc/

    # Docker swarm ports - Note: all published docker container port will override UFW rules!
    - name: 'Allow secure docker client communication'
      ufw:
        rule: allow
        port: 2376
        proto: tcp
    - name: 'Allow docker swarm communication among nodes - TCP'
      ufw:
        rule: allow
        port: 7946
        proto: tcp
    - name: 'Allow docker swarm communication among nodes - UDP'
      ufw:
        rule: allow
        port: 7946
        proto: udp
    - name: 'Allow docker overlay network traffic'
      ufw:
        rule: allow
        port: 4789
        proto: udp

    - name: 'Deny everything else and enable UFW'
      ufw:
        state: enabled
        default: deny
        direction: incoming

- hosts: docker-manager-first
  become: yes
  become_method: sudo
  tasks:
    - name: 'Allow secure docker swarm node communication (managers only)'
      ufw:
        rule: allow
        port: 2377
        proto: tcp

    - name: 'Create primary swarm manager'
      shell: docker swarm init --advertise-addr {{ ansible_default_ipv4.address }}
      when: "docker_info.stdout.find('Swarm: inactive') != -1"

    - name: 'Get docker swarm manager token'
      shell: docker swarm join-token -q manager
      register: manager_token

    - name: 'Get docker swarm worker token'
      shell: docker swarm join-token -q worker
      register: worker_token

    - name: 'Create acme file for traefik'
      file:
        path: /data/traefik/acme.json
        state: touch
        mode: '600'

- hosts: docker-workers
  become: yes
  become_method: sudo
  tasks:
    - name: 'Join as a worker'
      shell: "docker swarm join --token {{ hostvars['manager1']['worker_token']['stdout'] }} {{ hostvars['manager1']['ansible_default_ipv4']['address'] }}:2377"
      when: "docker_info.stdout.find('Swarm: inactive') != -1"
      retries: 3
      delay: 20

- hosts: docker-manager-first
  become: yes
  become_method: sudo
  tasks:
    - name: 'Label node as data1'
      shell: docker node update --label-add data1=true {{ data1_hostname }}
    #- name: "Label node as data2"
    #  shell: docker node update --label-add data2=true {{ data2_hostname }}
    #- name: "Label node as data3"
    #  shell: docker node update --label-add data3=true {{ data3_hostname }}