├── .github
    ├── FUNDING.yml
    └── workflows
    │   └── lint.yml
├── .gitignore
├── .yamllint.yml
├── LICENSE
├── README.md
├── hosts.example.ini
├── playbook.yml
└── roles
    ├── docker
        ├── handlers
        │   └── main.yml
        └── tasks
        │   └── main.yml
    ├── traefik
        ├── tasks
        │   └── main.yml
        └── templates
        │   └── traefik.yml.j2
    └── watchtower
        └── tasks
            └── main.yml


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | github: guillaumebriday
2 | 


--------------------------------------------------------------------------------
/.github/workflows/lint.yml:
--------------------------------------------------------------------------------
 1 | name: Lint
 2 | 
 3 | on: [push]
 4 | 
 5 | jobs:
 6 |   yamllint:
 7 |     runs-on: ubuntu-latest
 8 |     steps:
 9 |       - uses: actions/checkout@master
10 |       - uses: ibiqlik/action-yamllint@master
11 |         with:
12 |           file_or_dir: .
13 |           config_file: .yamllint.yml
14 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | hosts.ini
2 | playbook.retry
3 | 


--------------------------------------------------------------------------------
/.yamllint.yml:
--------------------------------------------------------------------------------
1 | extends: default
2 | 
3 | rules:
4 |   line-length: disable
5 |   document-start: disable
6 |   truthy: disable
7 |   braces: { min-spaces-inside: 1, max-spaces-inside: 1 }
8 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 Guillaume Briday
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Ansible: Multiple applications with Traefik 2.x and Docker
 2 | 
 3 | ![](https://github.com/guillaumebriday/traefik-docker-ansible/workflows/Lint/badge.svg)
 4 | 
 5 | This is an [Ansible](https://www.ansible.com) playbook to install multiple applications on a single Ubuntu server with [Docker](https://www.docker.com) and [Traefik 2.x](https://traefik.io) updated with [Watchtower](https://github.com/v2tec/watchtower).
 6 | 
 7 | ## Requirements
 8 | 
 9 | + Ansible >= 2.5
10 | 
11 | ## Tools
12 | 
13 | This playbook is designed to install a bunch of useful tools:
14 | 
15 | + [Docker](https://www.docker.com)
16 | + [Traefik 2.x](https://traefik.io)
17 | + [Watchtower](https://github.com/containrrr/watchtower)
18 | 
19 | ## Installing on production
20 | 
21 | Copy the hosts example file and change the values to your needs:
22 | 
23 | ```bash
24 | $ cp hosts.example.ini hosts.ini
25 | ```
26 | 
27 | Setup your variables in the `playbook.yml` file.
28 | 
29 | Then run the playbook:
30 | 
31 | ```bash
32 | $ ansible-playbook -i hosts.ini playbook.yml
33 | 
34 | # For one role only
35 | $ ansible-playbook -i hosts.ini playbook.yml --tags "traefik"
36 | ```
37 | 
38 | ### Example
39 | 
40 | I use this playbook to deploy Traefik and Docker in production to host [self-hosted services](https://github.com/guillaumebriday/selfhosted-services).
41 | 
42 | ## Contributing
43 | 
44 | Do not hesitate to contribute to the project by adapting or adding features ! Bug reports or pull requests are welcome.
45 | 
46 | ## License
47 | 
48 | This project is released under the [MIT](http://opensource.org/licenses/MIT) license.
49 | 


--------------------------------------------------------------------------------
/hosts.example.ini:
--------------------------------------------------------------------------------
 1 | [webservers]
 2 | example.com
 3 | 
 4 | [webservers:vars]
 5 | ansible_python_interpreter=/usr/bin/python3
 6 | 
 7 | gandi_api_key=your-gandi-api-key
 8 | acme_email=your@email.com
 9 | acme_domain=example.com
10 | acme_provider=example # Comment this line to completly disable acme
11 | 
12 | traefik_api_url=dashboard.example.com
13 | traefik_api_user=demo
14 | traefik_api_password=my-secret-password
15 | 
16 | WATCHTOWER_NOTIFICATIONS=slack
17 | WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL=https://hooks.slack.com/services/xxx/yyyyyyyyyyyyyyy
18 | WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER=watchtower-server-1
19 | 


--------------------------------------------------------------------------------
/playbook.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Provisionning webservers group
 3 |   hosts: webservers
 4 |   become: yes
 5 |   vars:
 6 |     user: root
 7 |     group: docker
 8 |     traefik_dir: /var/www/traefik
 9 |   roles:
10 |     - { role: docker, tags: docker }
11 |     - { role: traefik, tags: traefik }
12 |     - { role: watchtower, tags: watchtower }
13 | 


--------------------------------------------------------------------------------
/roles/docker/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: start docker
3 |   service:
4 |     name: docker
5 |     state: started
6 |     enabled: true
7 | 


--------------------------------------------------------------------------------
/roles/docker/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Install packages to allow apt to use a repository over HTTPS
 3 |   apt:
 4 |     pkg: "{{ item }}"
 5 |     state: present
 6 |   loop:
 7 |     - apt-transport-https
 8 |     - ca-certificates
 9 |     - software-properties-common
10 | 
11 | - name: Add GPG key for Docker
12 |   apt_key:
13 |     url: https://download.docker.com/linux/ubuntu/gpg
14 |     state: present
15 | 
16 | - name: Add the Docker repository to the apt sources list
17 |   apt_repository:
18 |     repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
19 | 
20 | - name: Install Docker
21 |   apt:
22 |     name: docker-ce
23 |     state: present
24 |     update_cache: yes
25 |   notify:
26 |     - start docker
27 | 
28 | - name: Add the Python client for Docker
29 |   pip:
30 |     name: docker-py
31 | 
32 | - name: Add the default user to the docker group
33 |   user:
34 |     name: "{{ user }}"
35 |     group: docker
36 | 


--------------------------------------------------------------------------------
/roles/traefik/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Ensures traefik dir exists
 3 |   file:
 4 |     path: "{{ traefik_dir }}"
 5 |     state: directory
 6 |     owner: "{{ user }}"
 7 |     group: "{{ group }}"
 8 | 
 9 | - name: Ensures acme.json file exists
10 |   file:
11 |     path: "{{ traefik_dir }}/acme.json"
12 |     state: touch
13 |     mode: 0600
14 | 
15 | - name: Adding traefik.yml file
16 |   template:
17 |     src: traefik.yml.j2
18 |     dest: "{{ traefik_dir }}/traefik.yml"
19 |     mode: 0600
20 | 
21 | - name: Create the web network
22 |   docker_network:
23 |     name: web
24 | 
25 | - name: Create the traefik container
26 |   docker_container:
27 |     name: traefik
28 |     image: traefik:2.2
29 |     restart_policy: unless-stopped
30 |     recreate: true
31 |     networks:
32 |       - name: web
33 |     ports:
34 |       - "80:80"
35 |       - "443:443"
36 |     volumes:
37 |       - "{{ traefik_dir }}/traefik.yml:/etc/traefik/traefik.yml"
38 |       - "{{ traefik_dir }}/acme.json:/acme.json"
39 |       - /var/run/docker.sock:/var/run/docker.sock
40 |     labels:
41 |       traefik.enable: "true"
42 |       traefik.http.routers.traefik.rule: "Host(`{{ traefik_api_url }}`)"
43 |       traefik.http.routers.traefik.entrypoints: "websecure"
44 |       traefik.http.routers.traefik.service: "api@internal"
45 |       traefik.http.routers.traefik.middlewares: "auth"
46 |       traefik.http.middlewares.auth.basicauth.users: "{{ traefik_api_user }}:{{ traefik_api_password | password_hash('blowfish','1234567890123456789012') }}"
47 |     env:
48 |       GANDIV5_API_KEY: "{{ gandi_api_key }}"
49 | 


--------------------------------------------------------------------------------
/roles/traefik/templates/traefik.yml.j2:
--------------------------------------------------------------------------------
 1 | global:
 2 |   checkNewVersion: false
 3 |   sendAnonymousUsage: false
 4 | 
 5 | log:
 6 |   level: ERROR
 7 | 
 8 | api:
 9 |   dashboard: true
10 | 
11 | entryPoints:
12 |   web:
13 |     address: :80
14 |     http:
15 |       redirections:
16 |         entryPoint:
17 |           to: websecure
18 |           scheme: https
19 |   websecure:
20 |     address: :443
21 |     http:
22 |       tls:
23 |         certResolver: le
24 |         domains:
25 |           - main: "{{ acme_domain }}"
26 |             sans:
27 |               - "*.{{ acme_domain }}"
28 | 
29 | certificatesResolvers:
30 |   le:
31 |     acme:
32 |       email: "{{ acme_email }}"
33 |       storage: acme.json
34 |       dnsChallenge:
35 |         provider: "{{ acme_provider }}"
36 |         delayBeforeCheck: 5
37 |         resolvers:
38 |           - 1.1.1.1:53
39 |           - 8.8.8.8:53
40 | 
41 | providers:
42 |   docker:
43 |     network: web
44 |     exposedByDefault: false
45 | 


--------------------------------------------------------------------------------
/roles/watchtower/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Create the Watchtower container
 3 |   docker_container:
 4 |     name: watchtower
 5 |     image: containrrr/watchtower
 6 |     restart_policy: unless-stopped
 7 |     volumes:
 8 |       - /var/run/docker.sock:/var/run/docker.sock
 9 |       - /etc/localtime:/etc/localtime:ro
10 |     # Update containers every day at 5:00 a.m.
11 |     command: --schedule "0 0 5 * * *" --cleanup
12 |     env:
13 |       WATCHTOWER_NOTIFICATIONS: "{{ WATCHTOWER_NOTIFICATIONS }}"
14 |       WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL: "{{ WATCHTOWER_NOTIFICATION_SLACK_HOOK_URL }}"
15 |       WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER: "{{ WATCHTOWER_NOTIFICATION_SLACK_IDENTIFIER }}"
16 | 


--------------------------------------------------------------------------------