DEV Community: Jack Kweyunga The latest articles on DEV Community by Jack Kweyunga (@atomax). https://dev.to/atomax https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1285991%2Fafb3cf5a-ed42-4b1f-aaee-1aed5f73cf4e.jpeg DEV Community: Jack Kweyunga https://dev.to/atomax en Strengthen OpenSSH Security through Ansible and GitHub Actions Jack Kweyunga Fri, 20 Sep 2024 18:50:41 +0000 https://dev.to/atomax/strengthen-openssh-security-through-ansible-and-github-actions-6c7 https://dev.to/atomax/strengthen-openssh-security-through-ansible-and-github-actions-6c7 <p>By the end of this article, you will be able to harden the security of a remote OpenSSH server using an Ansible GitHub action. Basic security measures will be applied to the SSH server.</p> <ul> <li><p>Change the SSH port to a custom one</p></li> <li><p>Disable root login</p></li> <li><p>Set an idle timeout interval</p></li> <li><p>Change the maximum login attempts</p></li> <li><p>Disable password authentication</p></li> <li><p>Disable X11 forwarding</p></li> <li><p>Update UFW rules</p></li> </ul> <p>Feel free to add more after. All the source code is available here: <a href="https://github.com/jackkweyunga/ssh-hardening-with-ansible-and-gh-actions" rel="noopener noreferrer">https://github.com/jackkweyunga/ssh-hardening-with-ansible-and-gh-actions</a></p> <p>Let's get started!</p> <h2> Prerequisites </h2> <ul> <li><p>Basic knowledge of Ansible</p></li> <li><p>Basic knowledge of GitHub Actions</p></li> <li><p>A remote Ubuntu server with OpenSSH server installed</p></li> </ul> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">.</span> <span class="s">├── .github</span> <span class="s">│ └── workflows</span> <span class="s">│ ├── ssh.yml</span> <span class="s">│ └── ufw.yml</span> <span class="s">├── ssh</span> <span class="s">│ └── tasks</span> <span class="s">│ └── main.yml</span> <span class="s">├── ufw</span> <span class="s">│ └── tasks</span> <span class="s">│ └── main.yml</span> <span class="s">├── create-sudo-password-ansible-secret.sh</span> <span class="s">├── ssh.yml</span> <span class="s">└── ufw.yml</span> <span class="s">6 directories, 7 files</span> </code></pre> </div> <h2> Ansible playbooks </h2> <h3> The SSH ansible playbook </h3> <p>Let's start by creating an Ansible role. This will perform the hardening tasks for us.</p> <p><code>ssh/tasks/main.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Harden SSH security</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install / Update openssh-server (Debian-based systems)</span> <span class="na">ansible.builtin.package</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">openssh-server</span> <span class="na">state</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">when</span><span class="pi">:</span> <span class="s">ansible_os_family == 'Debian'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check SSH configuration syntax</span> <span class="na">command</span><span class="pi">:</span> <span class="s">sshd -t</span> <span class="na">register</span><span class="pi">:</span> <span class="s">sshd_config_check</span> <span class="na">ignore_errors</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure SSH service is running</span> <span class="na">ansible.builtin.service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ssh</span> <span class="na">state</span><span class="pi">:</span> <span class="s">started</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">when</span><span class="pi">:</span> <span class="s">sshd_config_check.rc != </span><span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Disable root login</span> <span class="na">lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/ssh/sshd_config</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^#?PermitRootLogin'</span> <span class="na">line</span><span class="pi">:</span> <span class="s1">'</span><span class="s">PermitRootLogin</span><span class="nv"> </span><span class="s">no'</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">backup</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Disable password authentication</span> <span class="na">lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/ssh/sshd_config</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^#?PasswordAuthentication'</span> <span class="na">line</span><span class="pi">:</span> <span class="s1">'</span><span class="s">PasswordAuthentication</span><span class="nv"> </span><span class="s">no'</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">backup</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Disable X11 forwarding</span> <span class="na">lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/ssh/sshd_config</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^#?X11Forwarding'</span> <span class="na">line</span><span class="pi">:</span> <span class="s1">'</span><span class="s">X11Forwarding</span><span class="nv"> </span><span class="s">no'</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set idle timeout interval</span> <span class="na">lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/ssh/sshd_config</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^#?ClientAliveInterval'</span> <span class="na">line</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ClientAliveInterval</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">ssh_alive_interval</span><span class="nv"> </span><span class="s">}}'</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set maximum number of login attempts</span> <span class="na">lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/ssh/sshd_config</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^#?MaxAuthTries'</span> <span class="na">line</span><span class="pi">:</span> <span class="s1">'</span><span class="s">MaxAuthTries</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">ssh_max_auth_tries</span><span class="nv"> </span><span class="s">}}'</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure UFW is installed and enabled (Debian-based systems)</span> <span class="na">ansible.builtin.service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ufw</span> <span class="na">state</span><span class="pi">:</span> <span class="s">started</span> <span class="na">when</span><span class="pi">:</span> <span class="s">ansible_os_family == 'Debian'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add firewall rule for new SSH port</span> <span class="na">ansible.builtin.ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">allow</span> <span class="na">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{</span><span class="nv"> </span><span class="s">ssh_new_port</span><span class="nv"> </span><span class="s">}}'</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Enable UFW if not already enabled</span> <span class="na">ansible.builtin.ufw</span><span class="pi">:</span> <span class="na">state</span><span class="pi">:</span> <span class="s">enabled</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Change SSH port to {{ ssh_new_port }}</span> <span class="na">lineinfile</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/ssh/sshd_config</span> <span class="na">regexp</span><span class="pi">:</span> <span class="s1">'</span><span class="s">^#?Port'</span> <span class="na">line</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Port</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">ssh_new_port</span><span class="nv"> </span><span class="s">}}'</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check SSH configuration syntax</span> <span class="na">command</span><span class="pi">:</span> <span class="s">sshd -t</span> <span class="na">register</span><span class="pi">:</span> <span class="s">sshd_config_check_before_restart</span> <span class="na">ignore_errors</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Restart SSH service to apply changes</span> <span class="na">ansible.builtin.service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ssh</span> <span class="na">state</span><span class="pi">:</span> <span class="s">restarted</span> <span class="na">when</span><span class="pi">:</span> <span class="s">sshd_config_check_before_restart.rc == </span><span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Reconnect to server using new SSH port</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">local_action</span><span class="pi">:</span> <span class="na">module</span><span class="pi">:</span> <span class="s">wait_for</span> <span class="na">host</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">inventory_hostname</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{</span><span class="nv"> </span><span class="s">ssh_new_port</span><span class="nv"> </span><span class="s">}}'</span> <span class="na">delay</span><span class="pi">:</span> <span class="m">10</span> <span class="na">timeout</span><span class="pi">:</span> <span class="m">300</span> <span class="na">state</span><span class="pi">:</span> <span class="s">started</span> </code></pre> </div> <p>Now, let's define the actual playbook and reference the SSH role within.</p> <p><code>ssh.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SSH Hardening</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">all</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">vars_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secret</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">ssh_new_port</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'SSH_NEW_PORT')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">ssh_alive_interval</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'SSH_ALIVE_INTERVAL')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">ssh_max_auth_tries</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'SSH_MAX_AUTH_TRIES')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh</span> </code></pre> </div> <h3> The UFW ansible playbook </h3> <p>Let's start by creating an Ansible role to configure UFW and add minimal port rules.</p> <p><code>ufw/tasks/main.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure UFW is installed</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ufw</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set logging</span> <span class="na">community.general.ufw</span><span class="pi">:</span> <span class="na">logging</span><span class="pi">:</span> <span class="s1">'</span><span class="s">on'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Limit SSH attempts</span> <span class="na">community.general.ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">limit</span> <span class="na">port</span><span class="pi">:</span> <span class="m">22</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Limit SSH attempts</span> <span class="na">community.general.ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">limit</span> <span class="na">port</span><span class="pi">:</span> <span class="m">2222</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Allow SSH</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">allow</span> <span class="na">port</span><span class="pi">:</span> <span class="m">22</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Allow SSH</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">allow</span> <span class="na">port</span><span class="pi">:</span> <span class="m">2222</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Allow HTTP</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">allow</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Allow HTTPS</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">allow</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">tcp</span> <span class="c1"># - name: Allow custom port (e.g., 8080)</span> <span class="c1"># ufw:</span> <span class="c1"># rule: allow</span> <span class="c1"># port: 8080</span> <span class="c1"># proto: tcp</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set default incoming policy to deny</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">deny</span> <span class="na">direction</span><span class="pi">:</span> <span class="s">incoming</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set default outgoing policy to allow</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">allow</span> <span class="na">direction</span><span class="pi">:</span> <span class="s">outgoing</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Enable UFW</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">state</span><span class="pi">:</span> <span class="s">enabled</span> </code></pre> </div> <p>And of course, the playbook.</p> <p><code>ufw.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure UFW Firewall on Ubuntu</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">all</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">vars_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secret</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ufw</span> </code></pre> </div> <h3> Helper files </h3> <p>Let add a helper file which helps us create a sudo password Ansible secret for the remote server. This allows Ansible to run sudo commands in the automation without exposing the password in logs or source code.</p> <p><code>create-sudo-password-ansible-secret.sh</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># variables</span> <span class="nv">VAULT_PASSWORD</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-base64</span> 12<span class="si">)</span> <span class="nv">VAULT_PASSWORD_FILE</span><span class="o">=</span><span class="s2">"ansible/vault.txt"</span> <span class="nv">VAULT_FILE</span><span class="o">=</span><span class="s2">"ansible/secret"</span> <span class="nv">SUDO_PASSWORD</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">SUDO_PASSWORD_FILE</span><span class="o">=</span><span class="s2">"/tmp/sudo-password"</span> <span class="c"># sudo passord is required</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SUDO_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> &lt;sudo-password&gt;"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># create vault password file</span> <span class="nb">echo</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="c"># create a sudo password file</span> <span class="nb">echo</span> <span class="s2">"ansible_sudo_pass: </span><span class="se">\"</span><span class="k">${</span><span class="nv">SUDO_PASSWORD</span><span class="k">}</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SUDO_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="c"># encrypt sudo password</span> ansible-vault encrypt <span class="nt">--vault-password-file</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SUDO_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--output</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_FILE</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <h2> GitHub Actions </h2> <p>After creating the Ansible plays, let's move on to creating the GitHub workflows we’ll be running.</p> <h3> ssh workflow </h3> <p>First, there is the SSH workflow, which will run the SSH playbook when triggered.</p> <p><code>.github/workflows/ssh.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">ssh hardening</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">REMOTE_USER</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Remote</span><span class="nv"> </span><span class="s">User'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">HOME_DIR</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Home</span><span class="nv"> </span><span class="s">Directory'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">TARGET_HOST</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Target</span><span class="nv"> </span><span class="s">Host'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">SSH_PORT</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SSH</span><span class="nv"> </span><span class="s">Port'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">SSH_NEW_PORT</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SSH</span><span class="nv"> </span><span class="s">new</span><span class="nv"> </span><span class="s">Port'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2222"</span> <span class="na">SSH_ALIVE_INTERVAL</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SSH</span><span class="nv"> </span><span class="s">Alive</span><span class="nv"> </span><span class="s">Interval'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">300"</span> <span class="na">SSH_MAX_AUTH_TRIES</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SSH</span><span class="nv"> </span><span class="s">Max</span><span class="nv"> </span><span class="s">Auth</span><span class="nv"> </span><span class="s">Tries'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ansible</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">env</span><span class="pi">:</span> <span class="na">SSH_NEW_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${{</span><span class="nv"> </span><span class="s">inputs.SSH_NEW_PORT</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">SSH_ALIVE_INTERVAL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${{</span><span class="nv"> </span><span class="s">inputs.SSH_ALIVE_INTERVAL</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">SSH_MAX_AUTH_TRIES</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${{</span><span class="nv"> </span><span class="s">inputs.SSH_MAX_AUTH_TRIES</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add SSH Keys</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/ssh-key</span> <span class="s">${{ secrets.SSH_PRIVATE_KEY }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update ssh private key permissions</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">chmod 400 ansible/ssh-key</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install ansible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible inventory File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/inventory.ini</span> <span class="s">[servers]</span> <span class="s">${{ inputs.TARGET_HOST }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible Config File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ./ansible/ansible.cfg</span> <span class="s">[defaults]</span> <span class="s">ansible_python_interpreter='/usr/bin/python3'</span> <span class="s">deprecation_warnings=False</span> <span class="s">inventory=./inventory.ini</span> <span class="s">remote_tmp="/tmp"</span> <span class="s">remote_user="${{ inputs.REMOTE_USER }}"</span> <span class="s">remote_port=${{ inputs.SSH_PORT }}</span> <span class="s">host_key_checking=False</span> <span class="s">private_key_file = ./ssh-key</span> <span class="s">retries=2</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run main playbook</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sh create-sudo-password-ansible-secret.sh "${{ secrets.SUDO_PASSWORD }}"</span> <span class="s">ANSIBLE_CONFIG=ansible/ansible.cfg ansible-playbook ssh.yml --vault-password-file=ansible/vault.txt</span> </code></pre> </div> <h3> ufw workflow </h3> <p>Next, the UFW workflow will run the UFW playbook when triggered.</p> <p><code>.github/workflows/ufw.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">minimal UFW</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">REMOTE_USER</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Remote</span><span class="nv"> </span><span class="s">User'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">HOME_DIR</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Home</span><span class="nv"> </span><span class="s">Directory'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">TARGET_HOST</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Target</span><span class="nv"> </span><span class="s">Host'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">SSH_PORT</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SSH</span><span class="nv"> </span><span class="s">Port'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ansible</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add SSH Keys</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/ssh-key</span> <span class="s">${{ secrets.SSH_PRIVATE_KEY }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update ssh private key permissions</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">chmod 400 ansible/ssh-key</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install ansible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible inventory File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/inventory.ini</span> <span class="s">[servers]</span> <span class="s">${{ inputs.TARGET_HOST }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible Config File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ./ansible/ansible.cfg</span> <span class="s">[defaults]</span> <span class="s">ansible_python_interpreter='/usr/bin/python3'</span> <span class="s">deprecation_warnings=False</span> <span class="s">inventory=./inventory.ini</span> <span class="s">remote_tmp="/tmp"</span> <span class="s">remote_user="${{ inputs.REMOTE_USER }}"</span> <span class="s">remote_port=${{ inputs.SSH_PORT }}</span> <span class="s">host_key_checking=False</span> <span class="s">private_key_file = ./ssh-key</span> <span class="s">retries=2</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run main playbook</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sh create-sudo-password-ansible-secret.sh "${{ secrets.SUDO_PASSWORD }}"</span> <span class="s">ANSIBLE_CONFIG=ansible/ansible.cfg ansible-playbook ufw.yml --vault-password-file=ansible/vault.txt</span> </code></pre> </div> <p>Now that that's done, let's push the repository to GitHub. I assume you have already created a remote GitHub repository for this project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git init git commit <span class="nt">-m</span> <span class="s2">"initial commit"</span> git push </code></pre> </div> <h3> GitHub secrets </h3> <p>Navigate to Settings, then Secrets and Variables, and finally Actions in your repository. Add the following GitHub secrets:</p> <ul> <li><p><strong>SSH_PRIVATE_KEY</strong>: A private key whose public key is added to the authorized_keys file on the server.</p></li> <li><p><strong>SUDO_PASSWORD</strong>: The password of the remote sudo user</p></li> </ul> <h3> Operation </h3> <p>On GitHub, go to the Actions tab of the repository to verify that the two workflows are available.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0drldymk7o51nxwup5rh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0drldymk7o51nxwup5rh.png" width="" height=""></a></p> <p>Select the one you want to start with, click the "Run workflow" button, fill in the form, and click "Run workflow" again. Monitor the progress to debug any errors if they occur and try again.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47097iapuov7jblayewp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47097iapuov7jblayewp.png" width="" height=""></a></p> <p>Congratulations! You can now change the settings to harden OpenSSH servers for any other remote hosts you have.</p> <p><em>Seeking expert guidance in Ops, DevOps, or DevSecOps? I provide customized consultancy services for personal projects, small teams, and organizations. Whether you require assistance in optimizing operations, improving your CI/CD pipelines, or implementing strong security practices, I am here to support you. Let's collaborate to elevate your projects. Contact me today |</em> <a href="https://www.linkedin.com/in/jackkweyunga/" rel="noopener noreferrer"><strong><em>LinkedIn</em></strong> <em>|</em> <strong><em>GitHu</em></strong></a><a href="https://github.com/jackkweyunga" rel="noopener noreferrer"><strong><em>b</em></strong></a></p> security openssh devops ansible Traefik Proxy Guide: Configuring public Domain Names for Docker Containers Jack Kweyunga Fri, 13 Sep 2024 04:49:28 +0000 https://dev.to/atomax/traefik-proxy-guide-configuring-public-domain-names-for-docker-containers-367m https://dev.to/atomax/traefik-proxy-guide-configuring-public-domain-names-for-docker-containers-367m <h3> Disclaimer </h3> <p>This article introduces Traefik, a modern reverse proxy and load balancer for deploying micro-services. We will cover its basics, key features, configuration, and integration with Docker. By the end, you should understand how to set up and use Traefik in your projects.</p> <p>The final example in this article builds on concepts discussed in my previous article: <a href="https://dev.to/atomax/how-to-automate-deployment-with-ansible-and-github-actions-e2k">How to Automate Deployment with Ansible and GitHub Actions</a>. In that article, I explained how to streamline your deployment process using Ansible for configuration management and GitHub Actions for continuous integration and deployment. If you haven't read it yet, I highly recommend doing so to fully grasp the advanced section of this article. Understanding the automation techniques covered there will be crucial for implementing the final example effectively.</p> <h2> Introduction </h2> <p>Traefik is a modern open-source reverse proxy and load balancer. It’s built with simplicity and flexibility in mind. Traefik excels in a containerized setup, especially with micro-services.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frbqqdbxhw8wc4lgxh9gt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frbqqdbxhw8wc4lgxh9gt.png" alt="Traefik Architecture" width="800" height="417"></a></p> <p>(Image source: <a href="https://doc.traefik.io/traefik/" rel="noopener noreferrer">Traefik Documentation</a>)</p> <h3> Key features of Traefik proxy </h3> <p>Traefik comes with amazing features, including:</p> <ul> <li><p>Dynamic configurations</p></li> <li><p>Automatic SSL/TLS</p></li> <li><p>Load balancing</p></li> <li><p>Middleware support</p></li> <li><p>Integration with other platforms</p></li> </ul> <h3> Configuring Traefik </h3> <p>Traefik configurations are written in familiar syntax i.e TOML or YAML .</p> <p>Traefik gives you flexibility on the type of configuration you are comfortable with. It support the following types of configurations;</p> <ol> <li><p><strong>Static configuration</strong> where every or some configurations are defined in a single file; <code>traefik.yml</code></p></li> <li> <p><strong>Dynamic configuration</strong> where different providers are supported and used to automatically detect or create Traefik configurations.</p> <p><em>For example</em>, with the <em>Docker provider,</em> configurations are defined as labels on Docker containers and automatically detected as Traefik configurations.</p> <p>Other supported providers include Swarm, Nomad, Kubernetes, Consul, and many more.</p> </li> </ol> <h2> Traefik &amp; Docker </h2> <p>In this article, our focus is on Traefik’s Docker provider. We are going to install traefik as a docker container and the use it to proxy a python flask application ( also a docker container ).</p> <h3> A Demo project </h3> <p>For this first demo, I’ll explain a simple setup using docker-compose. In the next demo, we will integrate with GitHub Actions and Ansible.</p> <p>Here is the project structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>traefik-demo<span class="se">\</span> |-- docker-compose.yml |-- traefik<span class="se">\</span> | |-- certs<span class="se">\</span> | |-- traefik.yml </code></pre> </div> <p>To get started, we need to define a Traefik configuration file. Here is what it should look like:</p> <p><code>traefik.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">global</span><span class="pi">:</span> <span class="na">checkNewVersion</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">sendAnonymousUsage</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># true by default</span> <span class="c1"># (Optional) Log information</span> <span class="c1"># ---</span> <span class="c1"># log:</span> <span class="c1"># level: ERROR # DEBUG, INFO, WARNING, ERROR, CRITICAL</span> <span class="c1"># format: common # common, json, logfmt</span> <span class="c1"># filePath: /var/log/traefik/traefik.log</span> <span class="c1"># (Optional) Accesslog</span> <span class="c1"># ---</span> <span class="c1"># accesslog:</span> <span class="c1"># format: common # common, json, logfmt</span> <span class="c1"># filePath: /var/log/traefik/access.log</span> <span class="c1"># (Optional) Enable API and Dashboard</span> <span class="c1"># ---</span> <span class="na">api</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># true by default</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># Don't do this in production!</span> <span class="c1"># Entry Points configuration</span> <span class="c1"># ---</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">:80</span> <span class="c1"># (Optional) Redirect to HTTPS</span> <span class="c1"># ---</span> <span class="na">http</span><span class="pi">:</span> <span class="na">redirections</span><span class="pi">:</span> <span class="na">entryPoint</span><span class="pi">:</span> <span class="na">to</span><span class="pi">:</span> <span class="s">websecure</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">https</span> <span class="na">websecure</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">:443</span> <span class="c1"># Configure your CertificateResolver here...</span> <span class="c1"># ---</span> <span class="na">certificatesResolvers</span><span class="pi">:</span> <span class="na">staging</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{</span><span class="nv"> </span><span class="s">EMAIL</span><span class="nv"> </span><span class="s">}"</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">/etc/traefik/certs/acme.json</span> <span class="na">caServer</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://acme-staging-v02.api.letsencrypt.org/directory"</span> <span class="na">tlsChallenge</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">httpChallenge</span><span class="pi">:</span> <span class="na">entryPoint</span><span class="pi">:</span> <span class="s">web</span> <span class="na">production</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{</span><span class="nv"> </span><span class="s">EMAIL</span><span class="nv"> </span><span class="s">}"</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">/etc/traefik/certs/acme.json</span> <span class="na">caServer</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://acme-v02.api.letsencrypt.org/directory"</span> <span class="na">tlsChallenge</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">httpChallenge</span><span class="pi">:</span> <span class="na">entryPoint</span><span class="pi">:</span> <span class="s">web</span> <span class="na">providers</span><span class="pi">:</span> <span class="na">docker</span><span class="pi">:</span> <span class="na">exposedByDefault</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># Default is true</span> <span class="na">file</span><span class="pi">:</span> <span class="c1"># watch for dynamic configuration changes</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">/etc/traefik</span> <span class="na">watch</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>For automatic SSL to work, make sure to add a valid email. Replace “{ EMAIL }” with your own email address.</p> <p>Let’s see how the docker compose file would look like.</p> <p><code>docker-compose.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Run traefik webserver, portainer, watchtower </span> <span class="na">services</span><span class="pi">:</span> <span class="na">traefik</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">traefik"</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">traefik:v2.5"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="c1"># - "59808:8080" # Uncomment this to expose the traefik dashboard</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock</span> <span class="pi">-</span> <span class="s">traefik-ssl-certs:/ssl-certs</span> <span class="pi">-</span> <span class="s">./traefik:/etc/traefik</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">traefik_network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">api</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/jackkweyunga/auto-deploy-flask-to-server:main</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FLASK_ENV=production</span> <span class="pi">-</span> <span class="s">DEBUG=${DEBUG}</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5000"</span> <span class="na">network</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">traefik_network</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">traefik.enable=true</span> <span class="pi">-</span> <span class="s">traefik.http.routers.api.rule=Host(`mydomain.com`)</span> <span class="pi">-</span> <span class="s">traefik.http.routers.api.entrypoints=websecure</span> <span class="pi">-</span> <span class="s">traefik.http.services.api.loadbalancer.server.port=5000</span> <span class="pi">-</span> <span class="s">traefik.http.routers.api.tls.certresolver=production</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">traefik_network</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">traefik-ssl-certs</span><span class="pi">:</span> </code></pre> </div> <p>Notice that we have defined a <code>traefik_network</code> in the docker-compose file as external. We need to create this network before running the file. Every other Docker container that will be proxied by Traefik must join the <code>traefik_network</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker network create traefik_network </code></pre> </div> <p>Notice the labels we added to the API service and that it is also part of the <code>traefik_network</code>. The labels define Traefik configurations. Below is a detailed explanation of each label.</p> <ul> <li> <p><strong><em>traefik.enable=true</em></strong></p> <p>Tells Traefik to proxy this container/service.</p> </li> <li> <p><strong><em>traefik.http.routers.api.rule=Host(<code>mydomain.com</code>)</em></strong></p> <p>Tells Traefik to route all traffic from mydomain.com to this container/service. Ensure proper DNS records are set up to point the domain name to the server running Traefik.</p> </li> <li> <p><strong><em>traefik.http.routers.api.entrypoints=websecure</em></strong></p> <p>Tells Traefik to use a secure entry point for this container/service, as defined in the traefik.yml configuration file. This means using port 443, the secure port.</p> </li> <li> <p><strong><em>traefik.http.services.api.loadbalancer.server.port=5000</em></strong></p> <p>Tells Traefik to direct traffic to port 5000 of the container.</p> </li> <li> <p><strong><em>traefik.http.routers.api.tls.certresolver=production</em></strong></p> <p>Tells Traefik to use the production Let's Encrypt endpoints when fetching SSL certificates. This is also referenced in the traefik.yml configuration file.</p> </li> </ul> <p><strong>NOTE:</strong> For each service, the router name must be unique from router names in other services. The same rule applies to service names. The router name is the part that comes after the dot, like traefik.http.routers.{router name}. If router names of different services are the same, proxying will fail.</p> <p>When the setup runs on the server, Traefik will listen on ports <strong>80</strong> and <strong>443</strong>. Any traffic on port 80 will be redirected to the secure port <strong>443</strong>. Also, when someone visits <code>mydomain.com</code>, a response from the Flask application will be returned.</p> <h2> Add traefik to your CI/CD workflow </h2> <p>Referring to the article <a href="https://dev.to/atomax/how-to-automate-deployment-with-ansible-and-github-actions-e2k">How to Automate Deployment with Ansible and GitHub Actions</a>, where we set up our CI/CD workflow with Ansible and GitHub Actions, we will now build on that and add the Traefik proxy. This will let us assign public domain names to our services.</p> <p>Follow this GitHub repository: <a href="https://github.com/jackkweyunga/auto-deploy-flask-to-server.git" rel="noopener noreferrer">https://github.com/jackkweyunga/auto-deploy-flask-to-server</a></p> <h3> Traefik Ansible role </h3> <p>First, we add a Traefik Ansible role. In this role, we define the automation needed to configure and run Traefik on a remote server. Below is the file structure, which can be added to the structure mentioned in the previous article.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">---</span> previous <span class="nt">---</span> .github<span class="se">\</span> workflows<span class="se">\</span> deploy-proxy.yml ansible<span class="se">\</span> proxy.yml traefik<span class="se">\</span> tasks<span class="se">\</span> main.yml templates<span class="se">\</span> traefik.yml.jinja2 </code></pre> </div> <p><code>templates/traefik.yml.jinja2</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">global</span><span class="pi">:</span> <span class="na">checkNewVersion</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">sendAnonymousUsage</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># true by default</span> <span class="c1"># (Optional) Log information</span> <span class="c1"># ---</span> <span class="c1"># log:</span> <span class="c1"># level: ERROR # DEBUG, INFO, WARNING, ERROR, CRITICAL</span> <span class="c1"># format: common # common, json, logfmt</span> <span class="c1"># filePath: /var/log/traefik/traefik.log</span> <span class="c1"># (Optional) Accesslog</span> <span class="c1"># ---</span> <span class="c1"># accesslog:</span> <span class="c1"># format: common # common, json, logfmt</span> <span class="c1"># filePath: /var/log/traefik/access.log</span> <span class="c1"># (Optional) Enable API and Dashboard</span> <span class="c1"># ---</span> <span class="na">api</span><span class="pi">:</span> <span class="na">dashboard</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># true by default</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># Don't do this in production!</span> <span class="c1"># Entry Points configuration</span> <span class="c1"># ---</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">:80</span> <span class="c1"># (Optional) Redirect to HTTPS</span> <span class="c1"># ---</span> <span class="na">http</span><span class="pi">:</span> <span class="na">redirections</span><span class="pi">:</span> <span class="na">entryPoint</span><span class="pi">:</span> <span class="na">to</span><span class="pi">:</span> <span class="s">websecure</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">https</span> <span class="na">websecure</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">:443</span> <span class="c1"># Configure your CertificateResolver here...</span> <span class="c1"># ---</span> <span class="na">certificatesResolvers</span><span class="pi">:</span> <span class="na">staging</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">EMAIL</span> <span class="pi">}}</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">/etc/traefik/certs/acme.json</span> <span class="na">caServer</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://acme-staging-v02.api.letsencrypt.org/directory"</span> <span class="na">tlsChallenge</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">httpChallenge</span><span class="pi">:</span> <span class="na">entryPoint</span><span class="pi">:</span> <span class="s">web</span> <span class="na">production</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">EMAIL</span> <span class="pi">}}</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">/etc/traefik/certs/acme.json</span> <span class="na">caServer</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://acme-v02.api.letsencrypt.org/directory"</span> <span class="na">tlsChallenge</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">httpChallenge</span><span class="pi">:</span> <span class="na">entryPoint</span><span class="pi">:</span> <span class="s">web</span> <span class="na">serversTransport</span><span class="pi">:</span> <span class="na">insecureSkipVerify</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">providers</span><span class="pi">:</span> <span class="na">docker</span><span class="pi">:</span> <span class="na">exposedByDefault</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># Default is true</span> <span class="na">file</span><span class="pi">:</span> <span class="c1"># watch for dynamic configuration changes</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">/etc/traefik</span> <span class="na">watch</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>This Traefik configuration template allows us to pass variables to it while saving it on the remote server. In this case, an <strong>EMAIL</strong> will be passed.</p> <p><code>tasks/main.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Preparing required files and Directories in /etc/traefik</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create directory</span> <span class="na">file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/traefik</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create directory2</span> <span class="na">file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/traefik/certs</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Copy config file</span> <span class="na">ansible.builtin.template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">templates/traefik.yml.jinja2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/etc/traefik/traefik.yaml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configuring traefik</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create ssl-certs Volume</span> <span class="na">community.docker.docker_volume</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik-ssl-certs</span> <span class="na">register</span><span class="pi">:</span> <span class="s">v_output</span> <span class="na">ignore_errors</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug output</span> <span class="na">ansible.builtin.debug</span><span class="pi">:</span> <span class="na">var</span><span class="pi">:</span> <span class="s">v_output</span> <span class="pi">-</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create traefik_network</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">community.docker.docker_network</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik_network</span> <span class="na">register</span><span class="pi">:</span> <span class="s">n_output</span> <span class="na">ignore_errors</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug output</span> <span class="na">ansible.builtin.debug</span><span class="pi">:</span> <span class="na">var</span><span class="pi">:</span> <span class="s">n_output</span> <span class="na">when</span><span class="pi">:</span> <span class="s">v_output</span> <span class="pi">-</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Traefik</span> <span class="na">community.docker.docker_container</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">traefik:v2.10"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">59808:8080"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock</span> <span class="pi">-</span> <span class="s">traefik-ssl-certs:/ssl-certs</span> <span class="pi">-</span> <span class="s">/etc/traefik:/etc/traefik</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">traefik_network"</span> <span class="c1"># required. Name of the network to operate on.</span> <span class="na">restart_policy</span><span class="pi">:</span> <span class="s">always</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">com.centurylinklabs.watchtower.enable</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">register</span><span class="pi">:</span> <span class="s">d_output</span> <span class="na">ignore_errors</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug output</span> <span class="na">ansible.builtin.debug</span><span class="pi">:</span> <span class="na">var</span><span class="pi">:</span> <span class="s">d_output</span> <span class="na">when</span><span class="pi">:</span> <span class="s">n_output</span> </code></pre> </div> <p>In this task, where the magic happens, we create the required folders, files, Docker volumes, and Docker networks (traefik_network). Then, we use Ansible’s docker_container community plugin to run Traefik on the remote server(s). If you look closely, you'll notice the similarity to the docker-compose.yml we used in the first demo.</p> <p><code>ansible/proxy.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">webservers</span> <span class="na">vars_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secret</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">traefik</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">EMAIL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'EMAIL')</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <p>This is the main Ansible playbook we’ll run to configure Traefik. Notice how it references the Traefik role. We also read the <strong>EMAIL</strong> variable from the environment variable.</p> <p>Now that the Ansible configurations are ready, let's add a GitHub workflow to run Ansible on demand with GitHub Action runners.</p> <h3> Add the proxy GitHub Workflow </h3> <p><code>.github/workflows/deploy-proxy.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">REMOTE_USER</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Remote</span><span class="nv"> </span><span class="s">User'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ubuntu'</span> <span class="c1"># Edit here </span> <span class="na">EMAIL</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Email</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">fetching</span><span class="nv"> </span><span class="s">certs'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">&lt;put</span><span class="nv"> </span><span class="s">a</span><span class="nv"> </span><span class="s">valid</span><span class="nv"> </span><span class="s">email</span><span class="nv"> </span><span class="s">here&gt;'</span> <span class="c1"># Edit here</span> <span class="na">HOME_DIR</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Home</span><span class="nv"> </span><span class="s">Directory'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/home/ubuntu'</span> <span class="c1"># Edit here</span> <span class="na">TARGET_HOST</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Target</span><span class="nv"> </span><span class="s">Host'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;</span><span class="nv"> </span><span class="s">ip</span><span class="nv"> </span><span class="s">/</span><span class="nv"> </span><span class="s">domain</span><span class="nv"> </span><span class="s">&gt;"</span> <span class="c1"># Edit here</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ansible</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">env</span><span class="pi">:</span> <span class="na">EMAIL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${{</span><span class="nv"> </span><span class="s">inputs.EMAIL</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add SSH Keys</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/devops-key</span> <span class="s">${{ secrets.SSH_DEVOPS_KEY_PRIVATE }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update devops private key permissions</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">chmod 400 ansible/devops-key</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install ansible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible inventory File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/inventory.ini</span> <span class="s">[webservers]</span> <span class="s">${{ inputs.TARGET_HOST }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible Config File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ./ansible/ansible.cfg</span> <span class="s">[defaults]</span> <span class="s">ansible_python_interpreter='/usr/bin/python3'</span> <span class="s">deprecation_warnings=False</span> <span class="s">inventory=./inventory.ini</span> <span class="s">remote_tmp="${{ inputs.HOME_DIR }}/.ansible/tmp"</span> <span class="s">remote_user="${{ inputs.REMOTE_USER }}"</span> <span class="s">host_key_checking=False</span> <span class="s">private_key_file = ./devops-key</span> <span class="s">retries=2</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run main playbook</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sh ansible/create-sudo-password-ansible-secret.sh ${{ secrets.SUDO_PASSWORD }}</span> <span class="s">ANSIBLE_CONFIG=ansible/ansible.cfg ansible-playbook ansible/proxy.yml --vault-password-file=ansible/vault.txt</span> </code></pre> </div> <p>Make sure to edit the <strong>EMAIL</strong> and <strong>TARGET_HOST</strong> inputs.</p> <p>We can now edit the flask-api ansible role to include traefik configurations via container labels.</p> <h3> Update the flask-api Ansible role </h3> <p>Edit <code>ansible/flask-api/files/docker-compose.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">volumes</span><span class="pi">:</span> <span class="na">portainer-data</span><span class="pi">:</span> <span class="c1"># Added networks</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">traefik_network</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">services</span><span class="pi">:</span> <span class="na">portainer</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">portainer/portainer-ce:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">portainer</span> <span class="na">command</span><span class="pi">:</span> <span class="s">-H unix:///var/run/docker.sock</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9000"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="c1"># Connect docker socket to portainer</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/var/run/docker.sock:/var/run/docker.sock"</span> <span class="c1"># Persist portainer data</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">portainer_data:/data"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="c1"># Added networks</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">traefik_network</span> <span class="c1"># Added lables</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.portainer.rule=Host(`${PORTAINER_DOMAIN}`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.portainer.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.portainer.tls.certresolver=production"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.portainer.tls=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.portainer.loadbalancer.server.port=9000"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.docker.network=traefik_network"</span> <span class="na">watchtower</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">watchtower"</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker.io/containrrr/watchtower"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock</span> <span class="c1"># To enable docker authentication, uncomment the line below.</span> <span class="c1"># You also need to make sure you are logged in to docker in the server</span> <span class="c1"># E.g by running: sudo docker login ghcr.io</span> <span class="c1"># - /root/.docker/config.json:/config.json:ro</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">TZ</span><span class="pi">:</span> <span class="s">Africa/Dar_es_Salaam</span> <span class="na">WATCHTOWER_LIFECYCLE_HOOKS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="c1"># Enable pre/post-update scripts</span> <span class="na">command</span><span class="pi">:</span> <span class="s">--debug --cleanup --interval </span><span class="m">30</span> <span class="na">web</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/jackkweyunga/auto-deploy-flask-to-server:main</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FLASK_ENV=production</span> <span class="pi">-</span> <span class="s">DEBUG=${DEBUG}</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5000"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="c1"># Added networks</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">traefik_network</span> <span class="c1"># Added labels</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">com.centurylinklabs.watchtower.enable=true</span> <span class="pi">-</span> <span class="s">traefik.enable=true</span> <span class="pi">-</span> <span class="s">traefik.http.routers.api.rule=Host(`${FLASK_API_DOMAIN}`)</span> <span class="pi">-</span> <span class="s">traefik.http.routers.api.entrypoints=websecure</span> <span class="pi">-</span> <span class="s">traefik.http.services.api.loadbalancer.server.port=5000</span> <span class="pi">-</span> <span class="s">traefik.http.routers.api.tls.certresolver=production</span> <span class="na">logging</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s2">"</span><span class="s">json-file"</span> <span class="na">options</span><span class="pi">:</span> <span class="na">max-size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10m"</span> <span class="na">max-file</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256m"</span> <span class="na">cpus</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.50"</span> </code></pre> </div> <p>Check all places with the comment #Added ... These sections are due to adding the Traefik proxy configurations.</p> <p>Notice new variables:</p> <ul> <li><p><strong>FLASK_API_DOMAIN</strong>: The domain name of our Flask API, e.g., <em>api.mydomain.com</em></p></li> <li><p><strong>PORTAINER_DOMAIN</strong>: The domain name of our Portainer instance, e.g., <em>portainer.mydomain.com</em></p></li> </ul> <p>As a result, we need to add these variables to <code>ansible/deploy.yml</code> so that we can read them from the environment in GitHub Actions runners.</p> <p>Edit: <code>ansible/deploy.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">webservers</span> <span class="c1"># an encrypted ansible secret file containing the sudo password</span> <span class="na">vars_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secret</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">DEBUG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'DEBUG')</span><span class="nv"> </span><span class="s">}}"</span> <span class="c1"># Added new variables</span> <span class="na">FLASK_API_DOMAIN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'FLASK_API_DOMAIN')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">PORTAINER_DOMAIN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'PORTAINER_DOMAIN')</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <h3> Update the GitHub workflow for deployment </h3> <p>Finally, we edit the <code>deploy.yml</code> GitHub actions workflow file to include the domains<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">ansible-deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">REMOTE_USER</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Remote</span><span class="nv"> </span><span class="s">User'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ubuntu'</span> <span class="na">HOME_DIR</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Home</span><span class="nv"> </span><span class="s">Directory'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/home/ubuntu'</span> <span class="na">TARGET_HOST</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Target</span><span class="nv"> </span><span class="s">Host'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">example.com"</span> <span class="c1"># Change this to your server IP or Domain</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ansible</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DEBUG</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># Added new variables</span> <span class="na">FLASK_API_DOMAIN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">api.mydomain.com"</span> <span class="c1"># Add your domain</span> <span class="na">PORTAINER_DOMAIN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">portainer.mydomain.com"</span> <span class="c1"># Add your domain</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add SSH Keys</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/devops-key</span> <span class="s">${{ secrets.SSH_DEVOPS_KEY_PRIVATE }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update devops private key permissions</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">chmod 400 ansible/devops-key</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install ansible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible inventory File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/inventory.ini</span> <span class="s">[webservers]</span> <span class="s">${{ inputs.TARGET_HOST }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible Config File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ./ansible/ansible.cfg</span> <span class="s">[defaults]</span> <span class="s">ansible_python_interpreter='/usr/bin/python3'</span> <span class="s">deprecation_warnings=False</span> <span class="s">inventory=./inventory.ini</span> <span class="s">remote_tmp="${{ inputs.HOME_DIR }}/.ansible/tmp"</span> <span class="s">remote_user="${{ inputs.REMOTE_USER }}"</span> <span class="s">host_key_checking=False</span> <span class="s">private_key_file = ./devops-key</span> <span class="s">retries=2</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run deploy playbook</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sh ansible/create-sudo-password-ansible-secret.sh ${{ secrets.SUDO_PASSWORD }}</span> <span class="s">ANSIBLE_CONFIG=ansible/ansible.cfg ansible-playbook ansible/deploy.yml --vault-password-file=ansible/vault.txt</span> </code></pre> </div> <p>Make sure to add working domain, that have DNS records directing them to the target server.</p> <h3> Operation </h3> <p>To install traefik on a remote server, run the <code>proxy</code> GitHub workflow. After that run the <code>deploy</code> GitHub workflow to update your infrastructure with the newly added traefik configurations and Domain names.</p> <p>After both runs are successful, you can now visit your domains securely (with SSL). If SSL has not activated yet, give it some time and monitor Traefik’s logs in Portainer in case there is an issue.</p> <p>Happy Configuring !</p> <h2> Conclusion </h2> <p>If you have reached this point, it is evident that Traefik significantly enhances your workflow. The Traefik proxy is an outstanding project that integrates seamlessly with containers and can be easily incorporated into your CI/CD pipeline.</p> <p>With the addition of Traefik, our setup is nearly complete. Stay tuned for my next article.</p> <p><em>Seeking expert guidance in Ops, DevOps, or DevSecOps? I provide customized consultancy services for personal projects, small teams, and organizations. Whether you require assistance in optimizing operations, improving your CI/CD pipelines, or implementing strong security practices, I am here to support you. Let's collaborate to elevate your projects. Contact me today |</em> <a href="https://www.linkedin.com/in/jackkweyunga/" rel="noopener noreferrer"><em>LinkedIn</em></a> <em>|</em> <a href="https://github.com/jackkweyunga" rel="noopener noreferrer"><em>GitHub</em></a></p> docker traefik devops How to Automate Deployment with Ansible and GitHub Actions Jack Kweyunga Fri, 06 Sep 2024 13:20:40 +0000 https://dev.to/atomax/how-to-automate-deployment-with-ansible-and-github-actions-e2k https://dev.to/atomax/how-to-automate-deployment-with-ansible-and-github-actions-e2k <h2> Introduction </h2> <p>The world of technology is moving quickly. It's moving so fast that keeping up with everything new can be overwhelming. Therefore, the need to automate some basic tasks is inevitable.</p> <p>Most development jobs today require you to deploy the application you've built (API, chat-bot, web app, etc.) either as a final stage or during development to show real-time progress to your clients. As a developer, you need to understand the deployment process. However, your main focus should be on building the product and its logic.</p> <p>To save time and stay focused, you should automate the deployment process before starting development. Once this is set up, you can concentrate on building the product.</p> <p>Automating deployments is part of DevOps practices that improve an organization's efficiency. It reduces lead time, allowing changes to be shipped faster (in minutes), decreases deployment time since the process is automated, and enhances the overall work experience. This is known as <code>Continuous Delivery</code>, meaning released code is shipped to production faster and automatically. While there's more to the terminology, today we will learn how to automate deployments.</p> <p>Follow up with this GitHub repository: <a href="https://github.com/jackkweyunga/auto-deploy-flask-to-server" rel="noopener noreferrer">https://github.com/jackkweyunga/auto-deploy-flask-to-server</a></p> <h2> Tools </h2> <p>Most of you have already heard of or used <strong>Ansible</strong> and <strong>GitHub Actions</strong> since they are popular tools. If you haven't, don't worry—they are simple and easy to understand. By the end of this article, you'll have a good start.</p> <ul> <li><p><strong>ANSIBLE</strong> is a general-purpose IT automation tool created using Python with a large community around it. It is mostly used for configuration management, provisioning resources, orchestration, and more. <a href="https://www.ansible.com/" rel="noopener noreferrer">Read more</a></p></li> <li><p><strong>GITHUB ACTIONS</strong> is a feature by GitHub that lets you automate workflows such as running tests, builds, and releases based on given triggers. <a href="https://docs.github.com/en/actions" rel="noopener noreferrer">Read more</a></p></li> </ul> <h2> Setup </h2> <p>To accomplish our goal today, we need to package our application so that it's portable and easy to run. This is where Docker comes in. You have likely heard of Docker, and maybe even used it.</p> <p>For this article, we'll be building and deploying a simple Flask API.</p> <p>The folder structure will be as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">auto-deploy-flask-to-server</span> <span class="s">.github\</span> <span class="s">workflows\</span> <span class="s">docker-image.yml</span> <span class="s">deploy.yml</span> <span class="s">ansible\</span> <span class="s">flask-api\</span> <span class="s">files\</span> <span class="s">docker-compose.yml</span> <span class="s">tasks\</span> <span class="s">main.yml</span> <span class="s">deploy.yml</span> <span class="s">create-sudo-password-ansible-secret.sh</span> <span class="s">Dockerfile</span> <span class="s">app.py</span> <span class="s">requirements.txt</span> <span class="s">docker-compose.dev.yml</span> <span class="s">.dockerignore</span> <span class="s">.gitignore</span> </code></pre> </div> <h2> Application ( Flask API ) </h2> <p>In our <code>app.py</code>, there is a simple Flask route that returns a JSON object with the current time.</p> <p><code>app.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="k">as</span> <span class="n">dt</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">heartbeat</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">now</span><span class="sh">"</span><span class="p">:</span> <span class="n">dt</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="p">}</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># Get the DEBUG environment variable, defaulting to True if not set. </span> <span class="n">debug</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">DEBUG</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">True</span><span class="sh">"</span><span class="p">).</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">"</span><span class="s">true</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">debug</span><span class="o">=</span><span class="n">debug</span><span class="p">)</span> </code></pre> </div> <h2> Docker </h2> <p>This is what the Dockerfile should look like.</p> <p><code>Dockerfile</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Use an official Python runtime as a parent image</span> <span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="c"># Set environment variables</span> <span class="k">ENV</span><span class="s"> PYTHONDONTWRITEBYTECODE=1 \</span> PYTHONUNBUFFERED=1 <span class="c"># Create and set the working directory</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy the requirements file and install dependencies</span> <span class="k">COPY</span><span class="s"> requirements.txt /app/</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="c"># Copy the application code to the working directory</span> <span class="k">COPY</span><span class="s"> . /app/</span> <span class="c"># Expose the port the app runs on</span> <span class="k">EXPOSE</span><span class="s"> 5000</span> <span class="c"># Set the environment variable to ensure Python runs in production mode</span> <span class="k">ENV</span><span class="s"> FLASK_ENV=production</span> <span class="c"># Command to run the application</span> <span class="k">CMD</span><span class="s"> ["python", "app.py"]</span> </code></pre> </div> <p>After adding a Dockerfile, we can proceed to test our application image. Use the following docker command to build the image. Solve any occurring errors until the build is successful and the docker image runs correctly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build docker image</span> <span class="c"># windows</span> docker build <span class="nt">-t</span> flask_app <span class="nb">.</span> <span class="c"># linux</span> <span class="nb">sudo </span>docker build <span class="nt">-t</span> flask_app <span class="nb">.</span> <span class="c"># Run the image</span> <span class="c"># windows</span> docker run <span class="nt">-rm</span> <span class="nt">-p</span> <span class="s2">"5000:5000"</span> flask_app <span class="c"># linux</span> <span class="nb">sudo </span>docker run <span class="nt">-rm</span> <span class="nt">-p</span> <span class="s2">"5000:5000"</span> flask_app </code></pre> </div> <p>Now let's add content to the <code>docker-image.yml</code> file in the <code>.github/workflows</code> directory. This will automate Docker image builds for our application. For more details about this file, please refer to this article: <a href="https://jackkweyunga.hashnode.dev/upload-docker-images-to-github-a-simple-guide-with-github-actions" rel="noopener noreferrer">Upload Docker Images to GitHub: A Simple Guide with GitHub Actions</a>. This setup will create a Docker image tagged with the commit hash and git branch, whenever we commit our code to GitHub.</p> <p><code>.github/workflows/docker-image.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">ci</span> <span class="c1"># Put the name of your choice</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">main"</span> <span class="c1"># Change to the branch name you are targeting</span> <span class="na">env</span><span class="pi">:</span> <span class="na">REGISTRY</span><span class="pi">:</span> <span class="s">ghcr.io</span> <span class="na">IMAGE_NAME</span><span class="pi">:</span> <span class="s">${{ github.repository }}</span> <span class="c1"># takes the name of the repository. </span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-publish-deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">build and push docker</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">packages</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Builds</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Container registry</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry</span><span class="pi">:</span> <span class="s">${{ env.REGISTRY }}</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ github.actor }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Extract metadata (tags, labels) for Docker</span> <span class="na">id</span><span class="pi">:</span> <span class="s">meta</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a</span> <span class="na">with</span><span class="pi">:</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">type=ref,event=branch</span> <span class="s">type=ref,event=tag</span> <span class="s">type=ref,event=pr</span> <span class="s">type=sha</span> <span class="na">flavor</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">latest=auto</span> <span class="s">prefix=</span> <span class="s">suffix=</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push hash tagged image</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.tags }}</span> <span class="na">labels</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.labels }}</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=inline</span> </code></pre> </div> <p>Let us add content to the <code>docker-compose.dev.yml</code> file in the root directory of our project. Use this docker-compose file for testing and development if needed.</p> <p><code>docker-compose.dev.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">flask_app</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FLASK_ENV=development</span> <span class="pi">-</span> <span class="s">DEBUG=True</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5000:5000"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">logging</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s2">"</span><span class="s">json-file"</span> <span class="na">options</span><span class="pi">:</span> <span class="na">max-size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10m"</span> <span class="na">max-file</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256m"</span> <span class="na">cpus</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.50"</span> </code></pre> </div> <p>To run the docker-compose file, run te following commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># windows</span> docker compose <span class="nt">-f</span> docker-compose.dev.yml build docker compose <span class="nt">-f</span> docker-compose.dev.yml up <span class="nt">-d</span> <span class="c"># linux</span> <span class="nb">sudo </span>docker compose <span class="nt">-f</span> docker-compose.dev.yml build <span class="nb">sudo </span>doccker compose <span class="nt">-f</span> docker-compose.dev.yml up <span class="nt">-d</span> </code></pre> </div> <h2> Ansible </h2> <p>It's time to finish setting up Ansible in our project. We will be making changes to the contents of the Ansible folder.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">ansible\</span> <span class="s">flask-api\</span> <span class="s">files\</span> <span class="s">docker-compose.yml</span> <span class="s">tasks\</span> <span class="s">main.yml</span> <span class="s">deploy.yml</span> <span class="s">create-sudo-password-ansible-secret.sh</span> </code></pre> </div> <p>We've organized ansible in roles. <code>flask-api</code> is an ansible role with all the files and tasks needed to deploy our flask application. But hey, what's an ansible role ?</p> <p><strong>An ansible role</strong> provides a structured way to organize files, vars, templates and tasks related to a given automation.</p> <p>You can always add another role for other automation. For example: A database role</p> <p>Let's add content to the <code>docker-compose.yml</code> file in the <code>ansible/flask-api/files</code> directory, which is our production Docker Compose file. Notice that we no longer set <code>build: .</code>; instead, we use the remote path to the Docker image we built earlier.</p> <p>You might ask yourself why this Docker Compose file look similar to the one in the root directory. Well, this is because your testing and, if possible, development environments should be as close as possible to the production environment. This helps minimize errors and bugs that might occur in production but are not detectable in testing or development. It doesn't eliminate them entirely but reduces them.</p> <p>Additional services are <code>portainer</code> and <code>watchtower</code>.</p> <p><a href="https://github.com/portainer/portainer" rel="noopener noreferrer"><strong>Portainer</strong></a> is a web interface for Docker that helps you manage containers, images, stacks, and more.</p> <p><a href="https://github.com/containrrr/watchtower" rel="noopener noreferrer"><strong>Watchtower</strong></a> is crucial in our setup because it pulls new images after they are published with GitHub Actions. Since we are going to be using <code>ghcr.io</code> , in a public way, we do not need to setup any docker authentication for it. Otherwise, we had to setup docker authentication for private container registries.</p> <p><code>ansible/flask-api/files/docker-compose.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">volumes</span><span class="pi">:</span> <span class="na">portainer-data</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="na">portainer</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">portainer/portainer-ce:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">portainer</span> <span class="na">command</span><span class="pi">:</span> <span class="s">-H unix:///var/run/docker.sock</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9000:9000"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="c1"># Connect docker socket to portainer</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/var/run/docker.sock:/var/run/docker.sock"</span> <span class="c1"># Persist portainer data</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">portainer-data:/data"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">watchtower</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">watchtower"</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker.io/containrrr/watchtower"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock</span> <span class="c1"># To enable docker authentication, uncomment the line below.</span> <span class="c1"># You also need to make sure you are logged in to docker in the server</span> <span class="c1"># E.g by running: sudo docker login ghcr.io</span> <span class="c1"># - /root/.docker/config.json:/config.json:ro</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">TZ</span><span class="pi">:</span> <span class="s">Africa/Dar_es_Salaam</span> <span class="na">WATCHTOWER_LIFECYCLE_HOOKS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="c1"># Enable pre/post-update scripts</span> <span class="na">command</span><span class="pi">:</span> <span class="s">--debug --cleanup --interval </span><span class="m">30</span> <span class="na">web</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/jackkweyunga/auto-deploy-flask-to-server:main</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FLASK_ENV=production</span> <span class="pi">-</span> <span class="s">DEBUG=${DEBUG}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5000:5000"</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">logging</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s2">"</span><span class="s">json-file"</span> <span class="na">options</span><span class="pi">:</span> <span class="na">max-size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10m"</span> <span class="na">max-file</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256m"</span> <span class="na">cpus</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.50"</span> </code></pre> </div> <p>Let's define our task in <code>ansible/flask-api/tasks/main.yml</code>. What does it do?</p> <ul> <li><p>Creates a project directory on the remote server if it doesn't exist. In our case, it's the <code>.flask-api</code> folder.</p></li> <li><p>Copies relevant files to the server. In our case, it's the <code>docker-compose.yml</code> file.</p></li> <li><p>Runs the compose commands to pull and run the services.</p></li> </ul> <p><code>ansible/flask-api/tasks/main.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># main task</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy app</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">block</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create a directory if it does not exist</span> <span class="na">ansible.builtin.file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'HOME_DIR')</span><span class="nv"> </span><span class="s">}}/{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'PROJECT_DIR')</span><span class="nv"> </span><span class="s">}}/.flask-app"</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Copy compose file to server</span> <span class="na">ansible.builtin.copy</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s2">"</span><span class="s">files/"</span> <span class="na">dest</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'HOME_DIR')</span><span class="nv"> </span><span class="s">}}/{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'PROJECT_DIR')</span><span class="nv"> </span><span class="s">}}/.flask-app/"</span> <span class="c1"># Uncomment this when working with private repositories</span> <span class="c1"># Make sure the environment variables; DOCKER_TOKEN and DOCKER_USERNAME are provided</span> <span class="c1"># </span> <span class="c1"># - name: Login to Docker via vars/main.yaml</span> <span class="c1"># shell: "echo \"{{ lookup('ansible.builtin.env', 'DOCKER_TOKEN') }}\" | docker login ghcr.io -u {{ lookup('ansible.builtin.env', 'DOCKER_USERNAME') }} --password-stdin"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Docker Compose Up</span> <span class="na">community.docker.docker_compose_v2</span><span class="pi">:</span> <span class="na">project_src</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'HOME_DIR')</span><span class="nv"> </span><span class="s">}}/{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'PROJECT_DIR')</span><span class="nv"> </span><span class="s">}}/.flask-app"</span> <span class="na">pull</span><span class="pi">:</span> <span class="s2">"</span><span class="s">always"</span> <span class="na">register</span><span class="pi">:</span> <span class="s">output</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug output</span> <span class="na">ansible.builtin.debug</span><span class="pi">:</span> <span class="na">var</span><span class="pi">:</span> <span class="s">output</span> </code></pre> </div> <p>For Ansible to run automation tasks, you need to define a playbook. But what is a playbook?</p> <p><strong>A playbook</strong> in Ansible contains a list of tasks and/or roles to be executed against a list of hosts (e.g., web servers).</p> <p>In our setup, we define the playbook <code>ansible/deploy.yml</code> . What does it do?</p> <ul> <li><p>Provides a way to pass sudo password when running privileged <code>sudo</code> commands</p></li> <li><p>Defines the roles to be run</p></li> <li><p>Defines the remote environment variables ( We do not need for this setup )</p></li> </ul> <p><code>ansible/deploy.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">webservers</span> <span class="c1"># an encrypted ansible secret file containing the sudo password</span> <span class="na">vars_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secret</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">services</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">DEBUG</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('ansible.builtin.env',</span><span class="nv"> </span><span class="s">'DEBUG')</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <p>To ensure that the encrypted sudo password is available ( <code>secret</code> ) , we need to run the script <code>create-sudo-password-ansible-secret.sh</code> . What does the script do ?</p> <ul> <li><p>creates the vault password file ( <code>vault.txt</code> )</p></li> <li><p>create the encrypted vars file ( <code>secret</code> ) containing the ansible_sudo_pass which will be passed when running privileged sudo commands with ansible.</p></li> </ul> <p><code>ansible/create-sudo-password-ansible-secret.sh</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># variables</span> <span class="nv">VAULT_PASSWORD</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-base64</span> 12<span class="si">)</span> <span class="nv">VAULT_PASSWORD_FILE</span><span class="o">=</span><span class="s2">"ansible/vault.txt"</span> <span class="nv">VAULT_FILE</span><span class="o">=</span><span class="s2">"ansible/secret"</span> <span class="nv">SUDO_PASSWORD</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">SUDO_PASSWORD_FILE</span><span class="o">=</span><span class="s2">"/tmp/sudo-password"</span> <span class="c"># sudo passord is required</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SUDO_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> &lt;sudo-password&gt;"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># create vault password file</span> <span class="nb">echo</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="c"># create a sudo password file</span> <span class="nb">echo</span> <span class="s2">"ansible_sudo_pass: </span><span class="k">${</span><span class="nv">SUDO_PASSWORD</span><span class="k">}</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SUDO_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="c"># encrypt sudo password</span> ansible-vault encrypt <span class="nt">--vault-password-file</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SUDO_PASSWORD_FILE</span><span class="k">}</span><span class="s2">"</span> <span class="nt">--output</span> <span class="s2">"</span><span class="k">${</span><span class="nv">VAULT_FILE</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <p>That's it for Ansible. Coming up next: GitHub Actions setup.</p> <h2> GitHub Actions </h2> <p>We previously created a GitHub Actions workflow file <code>.github/workflows/docker-image.yml</code> that builds and publishes a Docker image for us on push events.</p> <p>In this section, we are going to add another workflow, that will run the <code>deploy.yml</code> ansible playbook. Let's add content to the file: <code>.github/workflows/ansible-deploy.yml</code></p> <p><code>.github/workflows/ansible-deploy.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">ansible-deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">REMOTE_USER</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Remote</span><span class="nv"> </span><span class="s">User'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ubuntu'</span> <span class="na">HOME_DIR</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Home</span><span class="nv"> </span><span class="s">Directory'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/home/ubuntu'</span> <span class="na">TARGET_HOST</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Target</span><span class="nv"> </span><span class="s">Host'</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">example.com"</span> <span class="c1"># Change this to your server IP or Domain</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ansible</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DEBUG</span><span class="pi">:</span> <span class="m">0</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add SSH Keys</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/devops-key</span> <span class="s">${{ secrets.SSH_DEVOPS_KEY_PRIVATE }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update devops private key permissions</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">chmod 400 ansible/devops-key</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install ansible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible inventory File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ansible/inventory.ini</span> <span class="s">[webservers]</span> <span class="s">${{ inputs.TARGET_HOST }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Adding or Override Ansible Config File</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt; EOF &gt; ./ansible/ansible.cfg</span> <span class="s">[defaults]</span> <span class="s">ansible_python_interpreter='/usr/bin/python3'</span> <span class="s">deprecation_warnings=False</span> <span class="s">inventory=./inventory.ini</span> <span class="s">remote_tmp="${{ inputs.HOME_DIR }}/.ansible/tmp"</span> <span class="s">remote_user="${{ inputs.REMOTE_USER }}"</span> <span class="s">host_key_checking=False</span> <span class="s">private_key_file = ./devops-key</span> <span class="s">retries=2</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run deploy playbook</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sh ansible/create-sudo-password-ansible-secret.sh ${{ secrets.SUDO_PASSWORD }}</span> <span class="s">ANSIBLE_CONFIG=ansible/ansible.cfg ansible-playbook ansible/deploy.yml --vault-password-file=ansible/vault.txt</span> </code></pre> </div> <ul> <li><p>The workflow installs Ansible on the GitHub Ubuntu runner.</p></li> <li><p>It creates the Ansible inventory file <code>ansible/inventory.ini</code>, filling it with the target host IP or domain.</p></li> <li><p>It creates the Ansible configuration file <code>ansible/ansible.cfg</code> based on the GitHub Actions inputs and secrets.</p></li> <li><p>It runs the script to create the sudo password Ansible secret.</p></li> <li><p>It runs the Ansible playbook.</p></li> </ul> <p>Notice areas in the YAML file where values are read from the variable <code>secret</code>. This refers to the GitHub Actions secrets. You can edit them by navigating to <code>settings/secrets/actions</code> in your GitHub repository. For this workflow, we need to add the following GitHub secrets:</p> <ul> <li><p><strong>SUDO_PASSWORD:</strong> The password of the remote user</p></li> <li><p><strong>SSH_DEVOPS_KEY_PRIVATE:</strong> The SSH private key with access to the remote server</p></li> </ul> <p>Use GitHub secrets to store private information needed by a workflow. That's it for GitHub Actions. Now, let's review what we have done so far.</p> <h2> Operation </h2> <p>Now that our setup is complete, let's learn how it operates.</p> <ul> <li><p>When you push to the main branch, a new Docker image will be published to the GitHub container registry. If the workflow fails, you need to check and fix the error until it works again.</p></li> <li><p>The workflow <code>ansible-deploy</code> is manually triggered to configure and deploy the application to the server. This is done for the first time and whenever configurations change. There is no need to run it regularly.</p></li> <li><p>Whenever a new image is published, Watchtower will automatically pull the image into the server and continuously update the containers running the image.</p></li> </ul> <p>In this way, we have completed the set up for automated deployments to a server using ansible and GitHub actions.</p> <h2> Conclusion </h2> <p>Wow! It's been quite a journey. If you've made it this far, you've probably learned a thing or two about automated deployments with Ansible and GitHub Actions. If anything is unclear, please ask, and I'll be happy to help. I hope you enjoyed the article.</p> <p><em>Seeking expert guidance in Ops, DevOps, or DevSecOps? I provide customized consultancy services for personal projects, small teams, and organizations. Whether you require assistance in optimizing operations, improving your CI/CD pipelines, or implementing strong security practices, I am here to support you. Let's collaborate to elevate your projects. Contact me today.</em></p> <h2> Whats next ? </h2> <p>One can go further and do the following to improve or scale up the process:</p> <ul> <li><p>Add automated tests that run before an image is built and published.</p></li> <li><p>Add Ansible configuration tests that run when Ansible configurations are updated.</p></li> <li><p>Scale up the setup with Kubernetes and Argo CD (depending on the organization's needs and components).</p></li> </ul> Upload Docker Images to GitHub: A Simple Guide with GitHub Actions Jack Kweyunga Fri, 06 Sep 2024 13:09:42 +0000 https://dev.to/atomax/upload-docker-images-to-github-a-simple-guide-with-github-actions-50ej https://dev.to/atomax/upload-docker-images-to-github-a-simple-guide-with-github-actions-50ej <p>We are going to create a GitHub action that, when triggered, builds and pushes our application image to the GitHub container registry, making it ready for production or testing. Triggers will be manual or on push.</p> <h3> Who is this for. </h3> <ul> <li><p>Docker enthusiasts</p></li> <li><p>GitHub actions users</p></li> <li><p>DevOps practitioners</p></li> </ul> <h3> The process. </h3> <p>First, create a Dockerfile for your project.</p> <p>Test your Dockerfile to ensure it works and successfully builds a functional Docker image.</p> <p>Create the following folder structure at the root of your application. Add a file named <strong>docker-image.yml</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>my-project .github workflows docker-image.yml </code></pre> </div> <p>Add the following content to the <strong>docker-image.yml</strong> file. Change the branch name if it is different from the one you are targeting.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">name</span><span class="pi">:</span> <span class="s">ci</span> <span class="c1"># Put the name of your choice</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">master"</span> <span class="c1"># Change to the branch name you are targeting</span> <span class="na">env</span><span class="pi">:</span> <span class="na">REGISTRY</span><span class="pi">:</span> <span class="s">ghcr.io</span> <span class="na">IMAGE_NAME</span><span class="pi">:</span> <span class="s">${{ github.repository }}</span> <span class="c1"># takes the name of the repository. </span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-publish-deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">build and push docker</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">packages</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Builds</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Container registry</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry</span><span class="pi">:</span> <span class="s">${{ env.REGISTRY }}</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ github.actor }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Extract metadata (tags, labels) for Docker</span> <span class="na">id</span><span class="pi">:</span> <span class="s">meta</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a</span> <span class="na">with</span><span class="pi">:</span> <span class="na">images</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">type=ref,event=branch</span> <span class="s">type=ref,event=tag</span> <span class="s">type=ref,event=pr</span> <span class="s">type=sha</span> <span class="na">flavor</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">latest=auto</span> <span class="s">prefix=</span> <span class="s">suffix=</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push hash tagged image</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.tags }}</span> <span class="na">labels</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.labels }}</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=inline</span> </code></pre> </div> <p>Commit your changes and push them to GitHub.</p> <p>After that, visit the Actions tab in your GitHub repository to see available and running GitHub actions. GitHub actions are displayed using the name specified in the docker-image.yml file. In our case, we named our action "<strong>ci</strong>". You can name it whatever you like.</p> <p>By selecting the "<strong>ci"</strong> GitHub action, you can manually trigger it at any time to build and push your application Docker images to GitHub's container registry (ghcr.io) as packages.</p> <h3> Why would you do this? </h3> <p>This process automates your Docker builds using GitHub actions. Automating builds is a key step in setting up a complete CI/CD pipeline for your development workflow. CI/CD boosts the performance of any development team by cutting deployment time, reducing lead time, lowering the change failure rate, and enhancing the overall development experience.</p> <p>All the best 😎</p> docker cicd github githubactions