Platform Docker tatooine
Étape 7 du DR bootstrap. Stack platform = fondation services internes (PKI, reverse proxy, SSO, secrets). Pré-requis pour tous les services applicatifs futurs (GitLab, Plex, Monitoring, etc.).
Contexte
Host : tatooine (10.0.2.10, DMZ). Stack Docker Compose orchestré via Ansible
role docker_host qui :
- Pull tous services matchant
x-meta.target=DOCKER_HOST(label compose) - Génère stacks dans
/opt/docker/<service>/à partir templates - Lance
docker compose up -dper stack - Health-check post-deploy
Stack tatooine (~ordre boot logique):
| Service | Image | Ports | Rôle |
|---|---|---|---|
| step-ca | smallstep/step-ca:latest | 8443 | PKI interne — issue certs *.minfra.in |
| traefik | traefik:v3 | 80/443/8080 | Reverse proxy + ACME auto via step-ca |
| postgres | postgres:16-alpine | 5432 | DB Authentik |
| redis | redis:alpine | 6379 | Cache Authentik |
| authentik-server / worker | ghcr.io/goauthentik/server | 9000 | SSO OIDC/SAML provider |
| vaultwarden | vaultwarden/server:latest | 8082 | Bitwarden self-hosted |
| portainer | portainer/portainer-ce:latest | 9000/9443 | UI Docker mgmt |
| vision | localhost/vision:latest | 4321 | Dashboard runbooks/DRP |
Prérequis
- tatooine VM up (cf
08-vms-terraform) - NFS mount /mnt/nas opérationnel (cf
10-nfs-mount-vms) - DNS Unbound résout
tatooine.minfra.in→10.0.2.10(cf09-opnsense-config) - Docker + compose plugin baked dans template (cf
06-template-debian12)
Lancer
task platform:docker DOCKER_HOST=tatooineIdempotent :
- pull images si update disponible
- recreate containers si compose change
- skip si conformes
Trust root CA step-ca (1×, post-platform up)
Pour que naboo + clients fassent confiance aux certs *.minfra.in:
task platform:get-root-ca
# CA téléchargée → ~/minfra-output/root_ca.crt
# Import naboo (WSL Ubuntu)
sudo cp ~/minfra-output/root_ca.crt /usr/local/share/ca-certificates/minfra-root-ca.crt
sudo update-ca-certificates
# Test
curl https://tatooine.minfra.in/ # doit valider certVérifier post-deploy
ssh -o ProxyJump=root@10.0.1.1 packer@tatooine.minfra.in '
docker ps --format "table {{.Names}}\t{{.Status}}"
docker exec traefik traefik healthcheck
curl -sI http://localhost:9000/ # Authentik
curl -sI http://localhost:8082/ # Vaultwarden
'URLs services (via Traefik *.minfra.in)
- https://traefik.minfra.in/ — Dashboard Traefik
- https://authentik.minfra.in/ — SSO IDP
- https://vaultwarden.minfra.in/ — Secrets vault
- https://portainer.minfra.in/ — Docker UI
- https://vision.minfra.in/ — Dashboard runbooks
Exposer un service publique (via endor Traefik externe)
Pour exposer un service sur *.sta4ck.eu (Internet) :
task expose NAME=vault BACKEND=https://10.0.2.10:8082 AUTH=authentik
# → ajoute config Traefik endor + cert Let's EncryptRetirer :
task unexpose NAME=vaultHors périmètre
- K8s migration — Phase 9 (k3s ou k0s), stack restera Docker Compose en backup
- Multi-host swarm — pas pertinent home lab
- Backups DB postgres auto — cron à mettre, dump vers
/mnt/nas/backups/ - Monitoring Prometheus — déployé sur kalevala (séparé)