daemon.json example for docker; update swarm configuration for manager and worker

This commit is contained in:
Claudio Maradonna 2022-09-22 14:32:15 +02:00
parent 9de95d45d5
commit 12e501ad19
Signed by: claudiomaradonna
GPG key ID: B1EDCB4C3B05C387
3 changed files with 58 additions and 14 deletions


@ -16,6 +16,7 @@ packages:
- iptables-persistent - iptables-persistent
- unattended-upgrades - unattended-upgrades
- apt-listchanges - apt-listchanges
- auditd
write_files: write_files:
- path: /etc/iptables/rules.v4 - path: /etc/iptables/rules.v4
@ -83,6 +84,23 @@ write_files:
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1"; APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7"; APT::Periodic::AutocleanInterval "7";
- path: /etc/audit/rules.d/docker.rules
permissions: 0640
owner: root:root
content: |
-w /etc/docker -k docker
-w /etc/default/docker -k docker
-w /etc/docker/daemon.json -k docker
-w /etc/containerd/config.toml -k docker
-w /lib/systemd/system/docker.service -k docker
-w /lib/systemd/system/docker.socket -k docker
-w /run/containerd -k docker
-w /usr/bin/containerd -k docker
-w /usr/bin/containerd-shim -k docker
-w /usr/bin/containerd-shim-runc-v1 -k docker
-w /usr/bin/containerd-shim-runc-v2 -k docker
-w /usr/bin/runc -k docker
-w /var/lib/docker -k docker
runcmd: runcmd:
- 'iptables-restore < /etc/iptables/rules.v4' - 'iptables-restore < /etc/iptables/rules.v4'
@ -109,10 +127,10 @@ runcmd:
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades] - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- [mkdir, -p, /usr/local/apt-keys] # - [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] # - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null' # - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list" # - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
- [mkdir, -p, /etc/apt/keyrings] - [mkdir, -p, /etc/apt/keyrings]
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
@ -120,10 +138,12 @@ runcmd:
- [chmod, a+r, /etc/apt/keyrings/docker.gpg] - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
- [apt-get, update] - [apt-get, update]
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil' - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf] - [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
# - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
# - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
#- [systemctl, enable, --now, yggdrasil] #- [systemctl, enable, --now, yggdrasil]
- [timedatectl, set-timezone, Europe/Rome] - [timedatectl, set-timezone, Europe/Rome]
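Review bot: The `curl` that fetches `/etc/docker/daemon.json` (the new line that replaces the Peers `sed`) runs without `--fail`, so an HTTP error page from the forge would be written into `/etc/docker/daemon.json` verbatim and dockerd would refuse to start on its next restart; `- [curl, -fsSL, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]` avoids that. The fetch also targets the mutable `master` branch, so what a node boots with depends on the repository state at that moment; pinning the URL to a commit, or checking the downloaded file against a known checksum before use, makes provisioning reproducible and limits what a mistaken or unauthorised push to `master` can change on every node. Within the visible lines the download happens after `apt-get install … docker-ce`, i.e. after dockerd has already started with default settings, and no `- [systemctl, restart, docker]` follows; if none exists further down the hunk the new settings only apply after a reboot, and since the file is four lines it could instead be placed in `write_files`, which cloud-init normally applies before packages are installed. The same applies to the worker file's `curl` line in the next section.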


@ -17,6 +17,7 @@ packages:
- glusterfs-client - glusterfs-client
- unattended-upgrades - unattended-upgrades
- apt-listchanges - apt-listchanges
- auditd
write_files: write_files:
- path: /etc/iptables/rules.v4 - path: /etc/iptables/rules.v4
@ -81,6 +82,23 @@ write_files:
append: true append: true
content: | content: |
/swapfile swap swap defaults 0 0 /swapfile swap swap defaults 0 0
- path: /etc/audit/rules.d/docker.rules
permissions: 0640
owner: root:root
content: |
-w /etc/docker -k docker
-w /etc/default/docker -k docker
-w /etc/docker/daemon.json -k docker
-w /etc/containerd/config.toml -k docker
-w /lib/systemd/system/docker.service -k docker
-w /lib/systemd/system/docker.socket -k docker
-w /run/containerd -k docker
-w /usr/bin/containerd -k docker
-w /usr/bin/containerd-shim -k docker
-w /usr/bin/containerd-shim-runc-v1 -k docker
-w /usr/bin/containerd-shim-runc-v2 -k docker
-w /usr/bin/runc -k docker
-w /var/lib/docker -k docker
- path: /etc/hosts - path: /etc/hosts
append: true append: true
content: | content: |
@ -113,10 +131,10 @@ runcmd:
- [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades] - [sed, -r, -i, 's/\/\/Unattended-Upgrade::Mail\ "";/Unattended-Upgrade::Mail\ "root";/', /etc/apt/apt.conf.d/50unattended-upgrades]
- [mkdir, -p, /usr/local/apt-keys] # - [mkdir, -p, /usr/local/apt-keys]
- [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt] # - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
- 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null' # - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'
- "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list" # - "echo 'deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil' | tee /etc/apt/sources.list.d/yggdrasil.list"
- [mkdir, -p, /etc/apt/keyrings] - [mkdir, -p, /etc/apt/keyrings]
- "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" - "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg"
@ -124,12 +142,14 @@ runcmd:
- [chmod, a+r, /etc/apt/keyrings/docker.gpg] - [chmod, a+r, /etc/apt/keyrings/docker.gpg]
- [apt-get, update] - [apt-get, update]
- 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin yggdrasil' - 'apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin'
- [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf] # - [sed, -r, -i, 's/Peers:\s\[\]/Peers: [\n\ttls:\/\/[2001:470:1f13:e56::64]:39575\n\ttls:\/\/s2.i2pd.xyz:39575\n\ttls:\/\/51.255.223.60:54232\n\ttls:\/\/45.147.198.155:6010\n\ttls:\/\/ygg1.ezdomain.ru:11130\n\ttls:\/\/ygg.mkg20001.io:443\n ]/', /etc/yggdrasil.conf]
- [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf] # - [sed, -r, -i, 's/AllowedPublicKeys:\s\[\]/AllowedPublicKeys: [\n"9939ce2585a046ce869e523c9efedb01b55fa032637d5237631ab4e09cafcb33"\n]/', /etc/yggdrasil.conf]
#- [systemctl, enable, --now, yggdrasil] #- [systemctl, enable, --now, yggdrasil]
- [curl, https://git.unitoo.it/unitoo/configurations/raw/branch/master/docker/etc/docker/daemon.json, --output, /etc/docker/daemon.json]
- [timedatectl, set-timezone, Europe/Rome] - [timedatectl, set-timezone, Europe/Rome]
- [mkdir, /mnt/swarm-data] - [mkdir, /mnt/swarm-data]
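Review bot: The new `/etc/audit/rules.d/docker.rules` watches the configuration files, the containerd/runc binaries and `/var/lib/docker`, but not the daemon binary or its API socket, which are at least as security-relevant as the paths already listed; adding `-w /usr/bin/dockerd -k docker` and `-w /run/docker.sock -k docker` (on Ubuntu `/var/run` is a symlink to `/run`) closes that gap, and the identical list in the manager file above needs the same change. The rules only take effect once `augenrules` has rebuilt `/etc/audit/audit.rules`; on Debian-based images the auditd service does this at start, so writing the file before `auditd` is installed should be enough, but it is worth confirming with `auditctl -l` on a freshly provisioned node. Keeping a single copy of the ruleset and referencing it from both cloud-init files would stop the two lists drifting apart.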


@ -0,0 +1,4 @@
{
"userland-proxy": false,
"icc": false
}
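Review bot: `"icc": false` only governs the default `docker0` bridge; containers attached to user-defined or swarm overlay networks, which is what the manager/worker files will mostly use, still reach each other freely, so the setting should not be read as isolation between services. Because daemon.json cannot carry comments, that caveat and the reason for `"userland-proxy": false` (it changes how published ports are reached from the host's own loopback, so a quick check that `127.0.0.1:<port>` still works on the target kernel is worthwhile) belong in the repository README or the commit message. If the intent is hardening, `"no-new-privileges": true` is a daemon-wide default that fits a swarm node and could sit alongside these two keys.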