ansbile tests

Author: Tom Softreck

PRODUCTION.md

@@ -0,0 +1,91 @@
+# Production Deployment Guide
+
+This guide explains how to deploy the application stack in a production environment using Traefik as a reverse proxy with Let's Encrypt SSL certificates.
+
+## Prerequisites
+
+1. A server with Docker and Docker Compose installed
+2. A domain name (e.g., `devopsterminal.com`) with DNS access
+3. Ports 80 and 443 open in your firewall
+
+## Setup Instructions
+
+1. **Update DNS Records**
+   Create the following DNS A records pointing to your server's IP address:
+   - `devopsterminal.com`
+   - `projekt1.devopsterminal.com`
+   - `projekt2.devopsterminal.com`
+   - `traefik.devopsterminal.com`
+
+2. **Update Configuration**
+   - Update the email address in `docker-compose.prod.yml` (search for `[email protected]`)
+   - Update the domain names if you're using a different domain than `devopsterminal.com`
+   - Change the default credentials for the Traefik dashboard (see below)
+
+3. **Change Default Credentials**
+   The default credentials for the Traefik dashboard are:
+   - Username: `admin`
+   - Password: `changeme`
+
+   To generate a new password hash:
+   ```bash
+   echo $(htpasswd -nb admin your-new-password) | sed -e s/\\$/\\$\$/g
+   ```
+   Update the `traefik.http.middlewares.auth.basicauth.users` label in `docker-compose.prod.yml` with the new hash.
+
+4. **Deploy the Stack**
+   ```bash
+   # Create the network if it doesn't exist
+   podman network create prod_network
+   
+   # Create required directories
+   mkdir -p letsencrypt traefik
+   chmod 600 letsencrypt
+   
+   # Start the stack
+   podman-compose -f docker-compose.prod.yml up -d
+   ```
+
+## Accessing Services
+
+- **Project 1**: https://projekt1.devopsterminal.com
+- **Project 2**: https://projekt2.devopsterminal.com
+- **Traefik Dashboard**: https://traefik.devopsterminal.com (requires authentication)
+
+## Monitoring
+
+Traefik logs are available in the container and also mounted to:
+- `./traefik/traefik.log` - Traefik service logs
+- `./traefik/access.log` - Access logs
+
+## Maintenance
+
+### View Logs
+```bash
+podman-compose -f docker-compose.prod.yml logs -f
+```
+
+### Update Containers
+```bash
+podman-compose -f docker-compose.prod.yml pull
+podman-compose -f docker-compose.prod.yml up -d --force-recreate
+```
+
+### Backup and Restore
+
+**Backup Let's Encrypt certificates:**
+```bash
+tar -czvf letsencrypt_backup_$(date +%Y%m%d).tar.gz letsencrypt/
+```
+
+**Restore from backup:**
+```bash
+tar -xzvf letsencrypt_backup_YYYYMMDD.tar.gz
+```
+
+## Security Considerations
+
+1. **Firewall**: Ensure only necessary ports (80, 443) are open to the internet
+2. **Updates**: Regularly update your containers and host system
+3. **Monitoring**: Set up monitoring for your services
+4. **Backups**: Regularly back up your Let's Encrypt certificates and application data

README.md

@@ -116,7 +116,7 @@ services:
     ports:
       - "80:80"
       - "443:443"
-      - "8080:8080"  # Dashboard
+      - "8082:8080"  # Dashboard
 
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
@@ -282,7 +282,7 @@ services:
       - "--entrypoints.web.address=:80"
     ports:
       - "80:80"
-      - "8080:8080"
+      - "8082:8080"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
     networks:
@@ -356,7 +356,7 @@ docker-compose -f docker-compose-local.yml ps
 ### Testowanie
 ```bash
 # Sprawdź dashboard Traefik
-curl http://localhost:8080
+curl http://localhost:8082
 
 # Testuj aplikacje
 curl http://localhost/sklep
@@ -370,7 +370,7 @@ curl http://localhost/portfolio
 ## Krop 6: Monitoring i Dashboard
 
 ### Dostęp do Dashboard Traefik
-Idź na: `http://twój-ip:8080`
+Idź na: `http://twój-ip:8082`
 
 W dashboard zobaczysz:
 - **HTTP Routers**: Twoje trasy
@@ -431,7 +431,7 @@ case $1 in
     ;;
   dashboard)
     echo "🖥️ Dashboard dostępny na:"
-    echo "http://$(curl -s ifconfig.me):8080"
+    echo "http://$(curl -s ifconfig.me):8082"
     ;;
   *)
     echo "Użycie: $0 {start|stop|restart|rebuild|logs|status|dashboard}"
@@ -550,8 +550,8 @@ ls -la letsencrypt/
 
 #### Dashboard nie działa
 ```bash
-# Sprawdź czy port 8080 jest otwarty
-sudo netstat -tlnp | grep 8080
+# Sprawdź czy port 8082 jest otwarty
+sudo netstat -tlnp | grep 8082
 
 # Sprawdź konfigurację
 docker-compose exec traefik traefik version
@@ -560,13 +560,13 @@ docker-compose exec traefik traefik version
 ### Przydatne komendy debugowania
 ```bash
 # Zobacz wszystkie routery
-curl -s http://localhost:8080/api/http/routers | jq
+curl -s http://localhost:8082/api/http/routers | jq
 
 # Zobacz wszystkie serwisy
-curl -s http://localhost:8080/api/http/services | jq
+curl -s http://localhost:8082/api/http/services | jq
 
 # Status Traefik
-curl -s http://localhost:8080/api/overview
+curl -s http://localhost:8082/api/overview
 ```
 
 ---
@@ -684,7 +684,7 @@ global:
 scrape_configs:
   - job_name: 'traefik'
     static_configs:
-      - targets: ['traefik:8080']
+      - targets: ['traefik:8082']
 ```
 
 ---

ansible/requirements.txt

@@ -0,0 +1,2 @@
+ansible>=2.9
+requests>=2.25.1

ansible/test.yml

@@ -0,0 +1,45 @@
+---
+- name: Test Podman Traefik Setup
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
+    - name: Check if Traefik dashboard is accessible
+      uri:
+        url: http://localhost:8083/dashboard/
+        method: GET
+        status_code: 200
+        timeout: 5
+      register: traefik_dashboard
+      ignore_errors: yes
+
+    - name: Check Projekt1 service
+      uri:
+        url: http://localhost:8081/projekt1
+        method: GET
+        status_code: 200
+        return_content: yes
+        timeout: 5
+      register: projekt1_check
+      until: projekt1_check.status == 200
+      retries: 3
+      delay: 2
+
+    - name: Check Projekt2 service
+      uri:
+        url: http://localhost:8081/projekt2
+        method: GET
+        status_code: 200
+        return_content: yes
+        timeout: 5
+      register: projekt2_check
+      until: projekt2_check.status == 200
+      retries: 3
+      delay: 2
+
+    - name: Show test results
+      debug:
+        msg:
+          - "Traefik Dashboard: {{ 'Accessible' if traefik_dashboard.status == 200 else 'Not Accessible' }}"
+          - "Projekt1 Status: {{ projekt1_check.status }} - Content: {{ projekt1_check.content | b64decode | regex_search('>([^<]+)<') | default('No content') }}"
+          - "Projekt2 Status: {{ projekt2_check.status }} - Content: {{ projekt2_check.content | b64decode | regex_search('>([^<]+)<') | default('No content') }}"

docker-compose.prod.yml

@@ -11,7 +11,7 @@ services:
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
-      - "--entrypoints.dashboard.address=:8080"
+      - "--entrypoints.dashboard.address=:8082"
       # Enable automatic HTTPS with Let's Encrypt
       - "--certificatesresolvers.leresolver.acme.httpchallenge=true"
       - "--certificatesresolvers.leresolver.acme.httpchallenge.entrypoint=web"
@@ -22,9 +22,9 @@ services:
       # Use podman network
       - "--providers.docker.network=prod_network"
     ports:
-      - "80:80"
-      - "443:443"
-      - "8080:8080"  # Dashboard - should be restricted in production
+      - "8081:80"        # HTTP traffic (mapped from 80 to 8081)
+      - "8443:443"       # HTTPS traffic (mapped from 443 to 8443)
+      - "8082:8080"      # Dashboard - should be restricted in production
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "./letsencrypt:/letsencrypt"

docker-compose.yml

@@ -3,27 +3,19 @@ version: '3.8'
 services:
   traefik:
     image: traefik:v2.10
-    command:
-      - "--api.insecure=true"
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
-      - "--entrypoints.dashboard.address=:8080"
-      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
-      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
-      - "[email protected]"
-      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
-      - "--api.dashboard=true"
-      - "--providers.docker.network=podman"
+    command: --configFile=/etc/traefik/traefik.yml
     ports:
-      - "8082:8080"      # Traefik dashboard
-      - "8081:80"        # HTTP traffic
-      - "8443:443"       # HTTPS traffic
+      - "8081:80"         # HTTP traffic
+      - "8083:8083"      # Traefik dashboard
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "./letsencrypt:/letsencrypt"
+      - "./traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
+      - "./traefik/rules.yml:/etc/traefik/rules.yml:ro"
+    networks:
+      - podman
     restart: unless-stopped
+    depends_on:
+      - "projekt1"
+      - "projekt2"
 
   projekt1:
     build: ./projekt1
@@ -45,14 +37,9 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.projekt2.rule=Host(`localhost`) && PathPrefix(`/projekt2`)"
-      - "traefik.http.routers.projekt2.entrypoints=web"
-      - "traefik.http.services.projekt2.loadbalancer.server.port=5000"
-      - "traefik.http.middlewares.strip-prefix.stripprefix.prefixes=/projekt2"
-      - "traefik.http.routers.projekt2.middlewares=strip-prefix@docker"
     restart: unless-stopped
 
 networks:
   podman:
     name: podman
     external: false
-

projekt1/Dockerfile

@@ -2,11 +2,31 @@ FROM python:3.9-slim
 
 WORKDIR /app
 
+# Set environment variables
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+ENV FLASK_APP=app.py
+ENV FLASK_ENV=production
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Python dependencies
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
+# Copy application code
 COPY . .
 
+# Create a non-root user and switch to it
+RUN adduser --disabled-password --gecos '' appuser && \
+    chown -R appuser:appuser /app
+USER appuser
+
+# Expose the port the app runs on
 EXPOSE 5000
 
-CMD ["python", "app.py"]
+# Command to run the application
+CMD ["gunicorn", "--bind", "0.0.0.0:5000", "app:app"]

projekt1/requirements.txt

@@ -1,2 +1,3 @@
 Flask==2.0.1
 Werkzeug==2.0.1
+gunicorn==20.1.0

projekt2/Dockerfile

@@ -0,0 +1,32 @@
+FROM python:3.9-slim
+
+WORKDIR /app
+
+# Set environment variables
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+ENV FLASK_APP=app.py
+ENV FLASK_ENV=production
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Python dependencies
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application code
+COPY . .
+
+# Create a non-root user and switch to it
+RUN adduser --disabled-password --gecos '' appuser && \
+    chown -R appuser:appuser /app
+USER appuser
+
+# Expose the port the app runs on
+EXPOSE 5000
+
+# Command to run the application with Gunicorn
+CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "4", "--worker-class", "gthread", "--threads", "2", "--timeout", "120", "--access-logfile", "-", "--error-logfile", "-", "app:app"]

projekt2/app.py

@@ -0,0 +1,10 @@
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/')
+def hello():
+    return "<h1>Witaj w Projekcie 2!</h1><p>To jest druga aplikacja Flask działająca za pośrednictwem Traefik.</p>"
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=5000)