Last active
April 2, 2023 00:34
-
-
Save jslay88/6752f6109ddacb5d6d32f1ed4b8dfa32 to your computer and use it in GitHub Desktop.
Ansible Playbook for configuring Docker TLS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Setup Docker engine with specific configuration and secure TCP socket | |
| hosts: all | |
| become: yes | |
| vars: | |
| ca_key: /etc/docker/ssl/ca-key.pem | |
| ca_cert: /etc/docker/ssl/ca.pem | |
| server_key: /etc/docker/ssl/server-key.pem | |
| server_cert: /etc/docker/ssl/server-cert.pem | |
| client_key: /etc/docker/ssl/client-key.pem | |
| client_cert: /etc/docker/ssl/client-cert.pem | |
| docker_socket: /run/docker.sock | |
| docker_tcp_port: 2376 | |
| tasks: | |
| - name: Delete Docker SSL Directory | |
| ansible.builtin.file: | |
| path: /etc/docker/ssl/ | |
| state: absent | |
| become: yes | |
| tags: | |
| - reset | |
| - name: Install Docker and OpenSSL | |
| apt: | |
| name: | |
| - docker.io | |
| - openssl | |
| state: present | |
| update_cache: yes | |
| - name: Create Docker SSL Directory | |
| file: | |
| path: /etc/docker/ssl | |
| state: directory | |
| - name: Generate CA Key | |
| community.crypto.openssl_privatekey: | |
| path: "{{ ca_key }}" | |
| type: RSA | |
| size: 4096 | |
| become: yes | |
| - name: Generate CA CSR | |
| community.crypto.openssl_csr: | |
| path: "/tmp/ca.csr" | |
| privatekey_path: "{{ ca_key }}" | |
| common_name: "{{ ansible_host }}" | |
| basic_constraints: | |
| - 'CA:TRUE' | |
| basic_constraints_critical: true | |
| become: yes | |
| - name: Generate CA Certificate | |
| community.crypto.x509_certificate: | |
| provider: selfsigned | |
| path: "{{ ca_cert }}" | |
| csr_path: "/tmp/ca.csr" | |
| privatekey_path: "{{ ca_key }}" | |
| selfsigned_digest: sha256 | |
| selfsigned_not_before: 20220331000000Z | |
| selfsigned_not_after: 20330330235959Z | |
| become: yes | |
| - name: Generate Server Key | |
| community.crypto.openssl_privatekey: | |
| path: "{{ server_key }}" | |
| type: RSA | |
| size: 4096 | |
| become: yes | |
| - name: Generate Server CSR | |
| community.crypto.openssl_csr: | |
| path: "/tmp/server.csr" | |
| privatekey_path: "{{ server_key }}" | |
| common_name: "{{ ansible_host }}" | |
| extended_key_usage: | |
| - serverAuth | |
| subject_alt_name: | |
| - "IP:{{ ansible_host }}" | |
| - "IP:127.0.0.1" | |
| become: yes | |
| - name: Generate Server Certificate | |
| community.crypto.x509_certificate: | |
| provider: ownca | |
| path: "{{ server_cert }}" | |
| csr_path: "/tmp/server.csr" | |
| ownca_path: "{{ ca_cert }}" | |
| ownca_privatekey_path: "{{ ca_key }}" | |
| ownca_not_before: "20010101000000Z" | |
| ownca_not_after: "20380119031400Z" | |
| become: yes | |
| notify: "reload and restart docker" | |
| - name: Generate Client Key | |
| community.crypto.openssl_privatekey: | |
| group: docker | |
| mode: 0640 | |
| path: "{{ client_key }}" | |
| type: RSA | |
| size: 4096 | |
| become: yes | |
| - name: Generate Client CSR | |
| community.crypto.openssl_csr: | |
| path: "/tmp/client.csr" | |
| privatekey_path: "{{ client_key }}" | |
| common_name: client | |
| extended_key_usage: | |
| - TLS Web Client Authentication | |
| become: yes | |
| - name: Generate Client Certificate | |
| community.crypto.x509_certificate: | |
| group: docker | |
| provider: ownca | |
| path: "{{ client_cert }}" | |
| csr_path: "/tmp/client.csr" | |
| ownca_path: "{{ ca_cert }}" | |
| ownca_privatekey_path: "{{ ca_key }}" | |
| ownca_not_before: "20010101000000Z" | |
| ownca_not_after: "20380119031400Z" | |
| become: yes | |
| - name: Configure /etc/docker/daemon.json | |
| copy: | |
| content: | | |
| { | |
| "hosts": [ | |
| "unix://{{ docker_socket }}", | |
| "tcp://0.0.0.0:{{ docker_tcp_port }}" | |
| ], | |
| "tlsverify": true, | |
| "tlscacert": "{{ ca_cert }}", | |
| "tlscert": "{{ server_cert }}", | |
| "tlskey": "{{ server_key }}" | |
| } | |
| dest: /etc/docker/daemon.json | |
| owner: root | |
| group: root | |
| mode: 0644 | |
| become: yes | |
| notify: "reload and restart docker" | |
| - name: Remove -H fd:// flag from Docker service file | |
| ansible.builtin.lineinfile: | |
| path: /lib/systemd/system/docker.service | |
| regexp: '^(ExecStart=.*) -H fd://(.*)$' | |
| line: '\1\2' | |
| backrefs: yes | |
| become: yes | |
| notify: "reload and restart docker" | |
| - name: Open Docker TCP port in firewall | |
| ansible.builtin.ufw: | |
| rule: allow | |
| port: "{{ docker_tcp_port }}" | |
| proto: tcp | |
| become: yes | |
| - name: Download CA Certificate | |
| fetch: | |
| dest: ca.pem | |
| flat: true | |
| src: /etc/docker/ssl/ca.pem | |
| - name: Download Client Certificate | |
| fetch: | |
| dest: client-cert.pem | |
| flat: true | |
| src: /etc/docker/ssl/client-cert.pem | |
| - name: Download Client Key | |
| fetch: | |
| dest: client-key.pem | |
| flat: true | |
| src: /etc/docker/ssl/client-key.pem | |
| become: yes | |
| handlers: | |
| - name: Reload systemd configuration | |
| ansible.builtin.systemd: | |
| daemon_reload: yes | |
| become: yes | |
| listen: "reload and restart docker" | |
| - name: Restart Docker service | |
| ansible.builtin.systemd: | |
| name: docker | |
| state: restarted | |
| enabled: yes | |
| become: yes | |
| listen: "reload and restart docker" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment