ansible/.gitignore

@@ -0,0 +1 @@
+roles/nginx/files/ssl/*

ansible/README.md

@@ -0,0 +1,31 @@
+# Ansible Playbook to install uptime kuma using docker
+
+This playbook comes with three roles
+
+1. docker (to install docker)
+2. nginx (to install nginx using docker with ssl)
+3. uptime kuma (to install uptime kuma using docker)
+
+To see more info see docker-compose, tasks and config files 
+I will try to make this readme better
+
+## To run it
+1. install ansible see [here](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)
+2. run `ansible-galaxy install -r ansible-requirements.yml` to get requirements
+3. prepare inventory hosts
+4. put your certificates in files section in nginx role with this structure below:
+```
+ansible -> roles -> nginx -> ssl -> <uptime kuma domain>.fullchain.pem
+ansible -> roles -> nginx -> ssl -> <uptime kuma domain>.privkey.pem
+```
+5. to run playbook
+```bash
+ansible-playbook ./playbook.yml -i <your inventory path> -e "kuma_domain=<uptime kuma domain>" -e "kuma_image_os=<alpine or debian>" -e "kuma_image_version=<version>"
+```
+you can use other ansible playbook options too
+
+> Note: Replace `<uptime kuma domain>` with your desired domain for uptime kuma
+> replace `<version>` with a version from https://github.com/louislam/uptime-kuma/releases
+> replace `<alpine or debian>` with one of options
+> `-e "kuma_image_os=<alpine or debian>" -e "kuma_image_version=<version>"` is not required and you can remove this part or change only one of them (kuma_image_os is debian & kuma_image_version is 1 by default)
+> If you are not using root user as your ansible_user use -bK option to become root

ansible/ansible-requirements.yml

@@ -0,0 +1,6 @@
+roles:
+  - src: geerlingguy.docker
+  - src: geerlingguy.pip
+
+collections:
+  - name: community.docker

ansible/playbook.yml

@@ -0,0 +1,14 @@
+- name: install uptime kuma with nginx connected
+  hosts: all
+
+  vars:
+    pip_install_packages:
+      - name: docker
+    docker_compose_version: "v2.0.1"
+
+  roles:
+    - {role: geerlingguy.docker,      tags: ["docker"]}
+    - {role: geerlingguy.pip,         tags: ["docker"]}
+    - {role: kuma,                    tags: ["kuma"]}
+    - {role: nginx,                   tags: ["nginx"]}
+

ansible/roles/nginx/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: Ensure Volumes & Files directories exists
+  file:
+    dest: "{{item}}"
+    state: directory
+  loop:
+    - /compose
+    - /compose/volumes
+    - /compose/volumes/nginx
+    - /compose/volumes/nginx/log/{{ kuma_domain }}
+
+- name: Ensure nginx config directory exist
+  copy:
+    src: ssl
+    dest: /compose/volumes/nginx/ssl
+    mode: 'preserve'
+    group: root
+    owner: root
+
+- name: Ensure config files are updated
+  template:
+    src: "nginx.conf"
+    dest: /compose/volumes/nginx/nginx.conf

ansible/roles/nginx/templates/nginx.conf

@@ -0,0 +1,88 @@
+user nginx;
+worker_processes auto;
+
+pid         /var/run/nginx.pid;
+error_log   /var/log/nginx/error.log;
+
+events {
+    worker_connections 2048;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    default_type application/octet-stream;
+
+    ### SSL Settings for all servers (https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate)
+    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+    ssl_certificate     /etc/nginx/ssl/{{ kuma_domain }}.fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ kuma_domain }}.privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam.pem (TODO: check if it's secure to use others DH parameters!)
+    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent" $request_time $upstream_response_time UPA:$upstream_addr BYS:$bytes_sent BYR:$request_length';
+    access_log  /var/log/nginx/access.log main;
+
+    ### Set additional headers to be send to upstream
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+
+    # Remove Headers that gonna be sent to client
+    proxy_hide_header   X-Powered-By;
+    proxy_hide_header   Server;
+
+    # Redirect HTTP request to HTTPS
+    server {
+      listen              80 default_server;
+      server_name         {{ kuma_domain }};
+      return 302 https://$host$request_uri;
+    }
+
+    server {
+        server_name     {{ kuma_domain }};
+        listen          443 ssl http2 default_server;
+
+        access_log      /var/log/nginx/{{ kuma_domain }}.access.log main;
+        error_log       /var/log/nginx/{{ kuma_domain }}.error.log;
+
+        location / {
+            # rewrite ^/(.*)/$ /$1 permanent;
+            ### redirect urls with trailing slash to non-trailing slash
+            # https://serverfault.dev/questions/597302/removing-the-trailing-slash-from-a-url-with-nginx
+            # location ~ (?<no_slash>.+)/$ {
+            #     return 302 https://$host$no_slash;
+            # }
+	        proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass         http://uptime-kuma:3001/;
+            proxy_http_version 1.1;
+            proxy_set_header   Upgrade $http_upgrade;
+            proxy_set_header   Connection "upgrade";
+        }
+    }
+}

ansible/roles/uptime-kuma/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+kuma_image_version: '1'
+kuma_image_os: 'debian'

ansible/roles/uptime-kuma/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: Ensure Volumes & Files directories exists
+  file:
+    dest: "{{item}}"
+    state: directory
+  loop:
+    - /compose
+    - /compose/kuma
+    - /compose/volumes
+    - /compose/volumes/kuma
+
+- name: Ensure docker-compose file has been updated
+  template:
+    src: "{{item}}"
+    dest: /compose/kuma/
+  loop:
+    - docker-compose.yml
+
+- name: Ensure uptime-kuma is up
+  community.docker.docker_compose:
+    state: present
+    project_src: /compose/kuma
+    pull: yes
+

ansible/roles/uptime-kuma/templates/docker-compose.yml

@@ -0,0 +1,29 @@
+version: '3.3'
+services:
+    uptime-kuma:
+        restart: always
+        networks:
+            - uptime-kuma
+        expose:
+            - 3001
+        volumes:
+            - '/compose/volumes/uptime-kuma:/app/data'
+        container_name: uptime-kuma
+        image: 'louislam/uptime-kuma:{{kuma_image_version}}-{{kuma_image_os}}'
+
+    nginx:
+        ports:
+            - 443:443
+            - 80:80
+        networks:
+            - uptime-kuma
+        depends_on:
+            - uptime-kuma
+        restart: always
+        image: nginx:stable-alpine
+        volumes:
+            - '/compose/volumes/nginx/:/etc/nginx/'
+            - '/compose/volumes/nginx/log/{{ kuma_domain }}:/var/log/nginx/{{ kuma_domain }}/'
+
+networks:
+    uptime-kuma: