forked from unitoo/configurations
daemon.json example for docker; update swarm configuration for manager and worker
This commit is contained in:
parent
9de95d45d5
commit
12e501ad19
3 changed files with 58 additions and 14 deletions
|
@ -16,6 +16,7 @@ packages:
|
||||||
- iptables-persistent
|
- iptables-persistent
|
||||||
- unattended-upgrades
|
- unattended-upgrades
|
||||||
- apt-listchanges
|
- apt-listchanges
|
||||||
|
- auditd
|
||||||
|
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/iptables/rules.v4
|
- path: /etc/iptables/rules.v4
|
||||||
|
@ -83,6 +84,23 @@ write_files:
|
||||||
APT::Periodic::Update-Package-Lists "1";
|
APT::Periodic::Update-Package-Lists "1";
|
||||||
APT::Periodic::Unattended-Upgrade "1";
|
APT::Periodic::Unattended-Upgrade "1";
|
||||||
APT::Periodic::AutocleanInterval "7";
|
APT::Periodic::AutocleanInterval "7";
|
||||||
|
- path: /etc/audit/rules.d/docker.rules
|
||||||
|
permissions: 0640
|
||||||
|
owner: root:root
|
||||||
|
content: |
|
||||||
|
-w /etc/docker -k docker
|
||||||
|
-w /etc/default/docker -k docker
|
||||||
|
-w /etc/docker/daemon.json -k docker
|
||||||
|
-w /etc/containerd/config.toml -k docker
|
||||||
|
-w /lib/systemd/system/docker.service -k docker
|
||||||
|
-w /lib/systemd/system/docker.socket -k docker
|
||||||
|
-w /run/containerd -k docker
|
||||||
|
-w /usr/bin/containerd -k docker
|
||||||
|
-w /usr/bin/containerd-shim -k docker
|
||||||
|
-w /usr/bin/containerd-shim-runc-v1 -k docker
|
||||||
|
-w /usr/bin/containerd-shim-runc-v2 -k docker
|
||||||
|
-w /usr/bin/runc -k docker
|
||||||
|
-w /var/lib/docker -k docker
|
||||||
|
|
||||||
runcmd:
|
runcmd:
|
||||||
- 'iptables-restore < /etc/iptables/rules.v4'
|
- 'iptables-restore < /etc/iptables/rules.v4'
|
||||||
|
@ -109,10 +127,10 @@ runcmd:
|
||||||
|
|
||||||
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
|
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
|
||||||
|
|
||||||
- [mkdir, -p, /usr/local/apt-keys]
|
# - [mkdir, -p, /usr/local/apt-keys]
|
||||||
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
|
# - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
|
||||||
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
|
# - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
|
||||||
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
|
# - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
|
||||||
|
|
||||||
- [mkdir, -p, /etc/apt/keyrings]
|
- [mkdir, -p, /etc/apt/keyrings]
|
||||||
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
|
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
|
||||||
|
@ -120,10 +138,12 @@ runcmd:
|
||||||
- [chmod, a+r, /etc/apt/keyrings/docker.gpg]
|
- [chmod, a+r, /etc/apt/keyrings/docker.gpg]
|
||||||
|
|
||||||
- [apt-get, update]
|
- [apt-get, update]
|
||||||
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
|
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
|
||||||
|
|
||||||
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
|
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]
|
||||||
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
|
|
||||||
|
# - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
|
||||||
|
# - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
|
||||||
#- [systemctl, enable, --now, yggdrasil]
|
#- [systemctl, enable, --now, yggdrasil]
|
||||||
|
|
||||||
- [timedatectl, set-timezone, Europe/Rome]
|
- [timedatectl, set-timezone, Europe/Rome]
|
||||||
|
|
|
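Review bot: The new `curl` step that writes /etc/docker/daemon.json runs without `-f`, so a non-2xx response (the server's error page) is written into the daemon config verbatim and dockerd will fail to parse it on its next restart; the other curl invocation in this file already uses `-fsSL`, so `- [curl, -fsSL, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]` would be consistent. The fetch also targets the mutable `master` branch with no integrity check, so every provisioned node trusts whatever that repository serves at boot; since the file is only four lines and both cloud-init files already carry a `write_files:` stanza, embedding it there removes the network dependency entirely. Docker is installed and started by the preceding `apt-get install` line, so the downloaded config is not applied until dockerd is restarted, unless a restart happens outside this hunk. The same step appears in the last hunk of the second file and has the same three points.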
@ -17,6 +17,7 @@ packages:
|
||||||
- glusterfs-client
|
- glusterfs-client
|
||||||
- unattended-upgrades
|
- unattended-upgrades
|
||||||
- apt-listchanges
|
- apt-listchanges
|
||||||
|
- auditd
|
||||||
|
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/iptables/rules.v4
|
- path: /etc/iptables/rules.v4
|
||||||
|
@ -81,6 +82,23 @@ write_files:
|
||||||
append: true
|
append: true
|
||||||
content: |
|
content: |
|
||||||
/swapfile swap swap defaults 0 0
|
/swapfile swap swap defaults 0 0
|
||||||
|
- path: /etc/audit/rules.d/docker.rules
|
||||||
|
permissions: 0640
|
||||||
|
owner: root:root
|
||||||
|
content: |
|
||||||
|
-w /etc/docker -k docker
|
||||||
|
-w /etc/default/docker -k docker
|
||||||
|
-w /etc/docker/daemon.json -k docker
|
||||||
|
-w /etc/containerd/config.toml -k docker
|
||||||
|
-w /lib/systemd/system/docker.service -k docker
|
||||||
|
-w /lib/systemd/system/docker.socket -k docker
|
||||||
|
-w /run/containerd -k docker
|
||||||
|
-w /usr/bin/containerd -k docker
|
||||||
|
-w /usr/bin/containerd-shim -k docker
|
||||||
|
-w /usr/bin/containerd-shim-runc-v1 -k docker
|
||||||
|
-w /usr/bin/containerd-shim-runc-v2 -k docker
|
||||||
|
-w /usr/bin/runc -k docker
|
||||||
|
-w /var/lib/docker -k docker
|
||||||
- path: /etc/hosts
|
- path: /etc/hosts
|
||||||
append: true
|
append: true
|
||||||
content: |
|
content: |
|
||||||
|
@ -113,10 +131,10 @@ runcmd:
|
||||||
|
|
||||||
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
|
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
|
||||||
|
|
||||||
- [mkdir, -p, /usr/local/apt-keys]
|
# - [mkdir, -p, /usr/local/apt-keys]
|
||||||
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
|
# - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
|
||||||
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
|
# - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
|
||||||
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
|
# - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
|
||||||
|
|
||||||
- [mkdir, -p, /etc/apt/keyrings]
|
- [mkdir, -p, /etc/apt/keyrings]
|
||||||
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
|
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
|
||||||
|
@ -124,12 +142,14 @@ runcmd:
|
||||||
- [chmod, a+r, /etc/apt/keyrings/docker.gpg]
|
- [chmod, a+r, /etc/apt/keyrings/docker.gpg]
|
||||||
|
|
||||||
- [apt-get, update]
|
- [apt-get, update]
|
||||||
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil'
|
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
|
||||||
|
|
||||||
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
|
# - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
|
||||||
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
|
# - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
|
||||||
#- [systemctl, enable, --now, yggdrasil]
|
#- [systemctl, enable, --now, yggdrasil]
|
||||||
|
|
||||||
|
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]
|
||||||
|
|
||||||
- [timedatectl, set-timezone, Europe/Rome]
|
- [timedatectl, set-timezone, Europe/Rome]
|
||||||
|
|
||||||
- [mkdir, /mnt/swarm-data]
|
- [mkdir, /mnt/swarm-data]
|
||||||
|
|
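Review bot: The new /etc/audit/rules.d/docker.rules watches runc, containerd and the shims but not the Docker daemon binary itself; adding `-w /usr/bin/dockerd -k docker` closes that gap and matches what the CIS Docker Benchmark's auditing section expects. `permissions: 0640` is an unquoted octal literal: PyYAML reads it as the integer 416, which cloud-init appears to accept, but a YAML 1.2 parser reads it as decimal 640, so `permissions: '0640'` is the portable form. Whether the rules are actually loaded depends on auditd (installed from `packages:`) running `augenrules` on start after `write_files` has placed the file; that ordering is outside this hunk. The first file's write_files hunk adds an identical rules block and has the same two points.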
4
docker/etc/docker/daemon.json
Normal file
4
docker/etc/docker/daemon.json
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
{
|
||||||
|
"userland-proxy": false,
|
||||||
|
"icc": false
|
||||||
|
}
|
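Review bot: `"icc": false` only restricts containers on the default `docker0` bridge; containers attached to user-defined or swarm overlay networks can still reach each other, so for the swarm manager and worker this commit targets the setting is weaker than it looks, and since JSON cannot carry a comment that limitation deserves a line in the repository README. A commonly paired hardening key is `"no-new-privileges": true`, which prevents container processes from gaining privileges through setuid/setgid binaries and would be a one-line addition here. Both cloud-init files fetch this file at boot, so any later edit to it changes every newly provisioned node.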