diff --git a/group_vars/all/secrets.yml b/group_vars/all/secrets.yml
index 38e524d..322080c 100644
--- a/group_vars/all/secrets.yml
+++ b/group_vars/all/secrets.yml
@@ -1,54 +1,73 @@ $ANSIBLE_VAULT;1.1;AES256 -62313439613039363637356330653731356138373839373435306535656137646266633764393537 -3737663637343865303232643632613934313137613536640a633634356338353764366365626266 -66323064346539663435646265346665616465353363623732303563303838356364643734393231 -3161633362383363390a376530393463643838303238386139313661366335386439373734333835 -63323034303732386430313265306465636630356330303431663761363461623530643933393831 -62666438316266396432353663633331343137643265333966636436373730343938623732653030 -62383536373139366239363535353463643961313839376436663830613738303262646639396131 -66656532616231636537623162373965356537336436613130366464393461343730646664356466 -38313439373332306265643039666532363863333364666233333861363832316637383432343464 -64366536613364363265333938643438313837643936323536636335613064623639393437303466 -31333539373130376230323964636335393166306662626131636462656632623635393036663437 -37333735616665383431623266393365613433323335313161316161373637616563626637333861 -37326532303638653139383639383166323361363334306361663261366661613038633464323337 -31393538653830333865373064383837626261663163623664653938303230616334363861346132 -63353036313164313265313134633861633937323335303830336232363939613635303764313063 -33666161356366636139633138653736333662303364333838663033633163613136616639376532 -31373131326264383666326566303930636166653463313630376235663638663937663765306439 -31663039323663633735326266393263633937373339383537623835306431333636316664303864 -63653564313339376135303237626366666164623738626439613562616338663539393635396437 -30333036353035613131613034666262346233336563343531633033343163326264326563643235 -62663538623532333432656435306462663362353630346133373262633630306262626362653733 -65363031346339393632396664363362346236373035376632663466343034376566666563353231 -36623538303262323265616237326630666662646634383962656533636165326665316366643231 
-39303465313135616238653664366637356361393165356430636137366236643938316430613838 -65353331636564373136393930303537386335653766363632646433353962613033656434313063 -35653365366332316434373665316230646665613166656230313832356136346439326232343166 -38323934396561386138323739396166303132396234386435633965663139643234396434333163 -66346634393330306638383430616433333361623861623864356563366162313830393334616138 -32346633396662636633373637363262656165316434333139346530303562356236306637643365 -65613361373637383936633431396636356634656333343537353762383537353035616131633732 -38303736636136393039613537613831633139363338656239613261383637653332333737323034 -61303839636330396139346436336663643531613364383134613061646136646236636364636662 -33666564623731343264306638303333326463323363306439333762306434306235643530663931 -63623932373737373539393230326538643739653734306131366365303638313263316635633439 -34343231663761393266636537353330643361306139653734383466666662623931616665663239 -65633136636333316266616433396166326333303033646162656466363931313539343035623666 -63346162386533373334633261383237376330643738663761636166653033303933613630653835 -66313439663732356539363833616338356337666335316136623231383161656362653561653565 -33616437643533386263393733636666373237663132343432636664633535653535316134313266 -66363362383662313632633535613635656364323939313466303634646237653061353766373831 -62303366366564653231613863633564303637346262336535386366663034663832663762666132 -64333630666463653266333430386135386436643939393964303230366538336562333737616639 -65646566663363313430396132653832646263393739656564653138353637373362613261366230 -62616561303735316230626134353266613938326563326232623361656364623062326365343534 -62346433373965336430326632333634306463343934393830393165393933323439393534386665 -32373235353037626638343066386563663431356465353039353338643835653166333761386433 -64333338306661346436373238646134653233666565653834303935303235653661343366653563 
-63356566633730303033376230356363326561663232386161333566616334623236663562613234 -63646561623565366332313837353461313566653531356662613663323065613035323731323832 -31386166623935373139356239353037633363313531396466363735613332653430396161303366 -37376238333831306231393433313734303839376132656532616461356662383430303532373937 -39303634303762373736626439323830353665343162363531376134616466303762633535343866 -3162 +34376131343263336262656463373830643861336631626539643663333239313831626236306530 +3335623130653432636133356363656465346366303062370a346130326536366638633536613161 +62623334363537636634373231353564396362343330623562383939373538633066616565306235 +3332323863353334640a396462313862366362366535383737376333383361303065383937396530 +38326331396333396263363762346331356431623532343938613834663830393337646666336435 +66356439333434356165613030306138666163653934386233663362646534303737323030636234 +31616132613830363136666639386462363135656432373236393034316664363637663336366435 +64373238633064623735666335636231656231666434383066313336303137333663333031363638 +31643733336535383338376631656439633962653262356335383638373764353530643234303935 +62383930393634613530643739643335616164633038326638356135623561326165376530363461 +37373032393331653261373538633065333662393366666161396638383932393331623766343035 +30333335663039323931306162313538373334393335306132626336643363323839633761383063 +35343632363837383132656437303138303764316439343663303964396463363638336533653930 +39303236353766373131623363653835666439333164366563346164626464633633363163323864 +65363961393237666433623565343832306663323862666333343665376135646132363466616364 +62356331666432336661343762333961333634396466333465633164326239386266643230393566 +36376461373631636630303861313538333834646461663539623738636636626537656438646431 +38383436393238363038313563633634396335346138626666366437333433383039363332623639 +31396165346431333838393164616339656634346561313737306562343562323030613266633263 
+61333263653938653034356631333664323630306461346532626533363665363133376232316132 +61346431383230656134373630653264363430383561313866363235333435633966386266653964 +33363534343634343232373036633330613038303437333033313061313932373739343663303931 +34333833386638353436653831623835323032303134366635613735643662636336616464313330 +36633335613630663233326166633565386238656236633261396235363165656333333235643137 +32623461663562313533333835396233383330613661646431646365343430626662326638653330 +38646232386263356566373561353130616539346630613363313163363262356264653233313862 +34386331363236386534353534616531643264613764343362646366393435383332653664353363 +62333935363132373434613038353632643336633136656266316466373734646234636638316265 +62646261396465623561633964313065626361316630353965616233356565343834656563353830 +38346361336237646331366632633130613330336637326163663463386233643734356165666431 +61396263656237333138356231306437653337656133663031303031616437633564613733316264 +63633930353033636235653961393330326635626666626235336334653762373262633739356263 +32323532333463653937386430663437303238313130643435353739393639303033343865323736 +35366139643166626364373663333266376133636433653261316566366630396666336637326664 +30343039633133626435363364346666613732666335313865326234366136366130616334396338 +61663461623432303930623261336464643830303631396430363637383838616432356634303332 +61346536313035376139313638393737393136643366366364363862383335353533313534366534 +61356136366465373530393835613834366665653334376539303462336138646438653039306261 +36613736323566636634666331396463623439323063356232306631616135623231336439303739 +65393837653837336235396532323465656463636238643038383363616633383866333633663831 +61363634356634636265663837306232303362313564323463303363323931396438646337363161 +61313033343532336563393632373830326631616462616263346363636566663966396330386464 +62613039323065343838653439303333396536366537313335353834613338623961646235633764 
+30333032323333663530613736313765343364363433366436666134623663653336386632333437 +64386639636237333138323431333234316432366236613530376234636438356531636630396431 +63643833366136363962346632616161363565336163313764383030303337346565613939383563 +65306137633965326534356666346238363137323233336561643333386265613863396338383134 +35363135303232376364306234323435356330333061613663326563343533636165356537336536 +61656131343966346365396133666662393930663237643134383963303766306534633034356335 +37633732393266633965616330643061616664336430643630633033326335643438373737653164 +34633737303533666335306466306330343233326531343065666138633166383664333130653864 +37623730333532633936316461333066313065316664383934343731616430366135346138663531 +33353134333934376663336366663036383630393031303731653332373335333131633136616537 +33666266373439346633373735643339653333626237623530346436306438396332613863346264 +30346431393735326566393633626535383538343866653262653330366330623930646631663961 +38656138313932623131613537376139666137653063313339666333313364343738306439656264 +32346533646465376135376531383132396337653966393133316436616563613135353863653064 +31373466616135393036333037623164346539323463333037613030386666396363353364396439 +39616536646638623739623834363662643566393430623632646434336162316362653434343337 +36623334303866343533623538663531303366343136636631376334653636313264376330313836 +66333131343062373138663330313633623166303337306466313362343034316364666666373965 +36373933343338646333373962623034353631623535306230346663373530346438386334303536 +62366666646263303764303330353835633163363666303133333730343263613039346162356532 +37323133613037313430366238313261633165643563666239623730653164666264633964626461 +31323536623335636333393338333166346336323132373466396432613133613933356232373532 +30653564323031636231343232646165653163393663663731313033323763663965356466366562 +33303830656238653164646161366265636566393436323135356630393033316337363361306363 
+30393766636237336466353431616130653961326431323161313234333963643032393061303265 +33396664336535353164643462303636616265306338333634376664323837303238623638313266 +37643861343034646532626164353238373031633861623663316638333039643036353932323962 +39616136653639313232326362663834333363633562646563393561396464383765616230333230 +39663939326332333362 diff --git a/group_vars/all/secrets.yml.contents b/group_vars/all/secrets.yml.contents new file mode 100644 index 0000000..b200303 --- /dev/null +++ b/group_vars/all/secrets.yml.contents @@ -0,0 +1,32 @@ +# These are the variables contained in secrets.yml +# Secrets are usually 32 characters or more, matching [a-Z0-9] + +postgres_passwords: + fider: xxx + nextcloud: xxx + passit: xxx + gitea: xxx + matrix: xxx + codimd: xxx + mailu: xxx + ttrss: xxx + +fider_jwt_secret: xxx + +ldap_admin_password: xxx +ldap_config_password: xxx + +passit_secret_key: xxx + +docker_password: xxx + +mailu_secret_key: xxx + +drone_secrets: + oauth_client_id: xxx + oauth_client_secret: xxx + rpc_shared_secret: xxx + +restic_secrets: + user_secret: xxx + encryption_secret: xxx diff --git a/playbook.yml b/playbook.yml index 49b352f..f92730e 100644 --- a/playbook.yml +++ b/playbook.yml @@ -23,9 +23,11 @@ - docker_registry - drone - websites + - ulovliglogning-dk - ouroboros - mailu - portainer +# - tt-rss smtp_host: "postfix" smtp_port: "587" diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 566abab..2e1cd68 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -19,6 +19,7 @@ gitea: passit: domain: "passit.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/passit" fider: domain: "feedback.{{ base_domain }}" @@ -28,7 +29,9 @@ matrix: volume_folder: "{{ volume_root_folder }}/matrix" riot: - domain: "riot.{{ base_domain }}" + domains: + - "riot.{{ base_domain }}" + - "element.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/riot" privatebin: 
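Review bot: The header comment `# Secrets are usually 32 characters or more, matching [a-Z0-9]` in the new secrets.yml.contents describes an invalid character class: `a-Z` is a reversed range (lowercase `a` sorts after uppercase `Z`), so it neither parses as a regex nor says which alphabet is meant. Rewrite it as `# Secrets are usually 32 characters or more, matching [a-zA-Z0-9]` so the rule is unambiguous for whoever generates the real values. Since this file is the only readable inventory of the keys in the vaulted secrets.yml, keeping it in step with the vault on every key addition (the `ttrss` and `restic_secrets` entries are added here in the same commit, which is good) is worth stating in that header as well.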
@@ -49,10 +52,25 @@ docker_registry: password: "{{ docker_password }}" data_coop_website: - domain: "{{ base_domain }}" + domains: + - "{{ base_domain }}" + - "www.{{ base_domain }}" cryptohagen_website: - domain: "cryptohagen.dk" + domains: + - "cryptohagen.dk" + - "www.cryptohagen.dk" + +ulovliglogning_website: + domains: + - "ulovliglogning.dk" + - "www.ulovliglogning.dk" + - "ulovlig-logning.dk" + +cryptoaarhus_website: + domains: + - "cryptoaarhus.dk" + - "www.cryptoaarhus.dk" drone: domain: "drone.{{ base_domain }}" @@ -69,3 +87,6 @@ portainer: domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" +ttrss: + domain: rss.{{ base_domain }} + volume_folder: "{{ volume_root_folder }}/tt-rss" diff --git a/roles/docker/files/configs/matrix/homeserver.yaml b/roles/docker/files/configs/matrix/homeserver.yaml index dbb8b39..a4dc01a 100644 --- a/roles/docker/files/configs/matrix/homeserver.yaml +++ b/roles/docker/files/configs/matrix/homeserver.yaml @@ -54,6 +54,10 @@ soft_file_limit: 0 # Set to false to disable presence tracking on this homeserver. use_presence: true +# If set to 'false', forbids any other homeserver to fetch the server's public +# rooms directory via federation. +allow_public_rooms_over_federation: true + # The GC threshold parameters to pass to `gc.set_threshold`, if defined # #gc_thresholds: [700, 10, 10] @@ -411,7 +415,7 @@ uploads_path: "/data/uploads" # The largest allowed upload size in bytes # -max_upload_size: "10M" +max_upload_size: "50M" # Maximum number of pixels that will be thumbnailed # @@ -881,7 +885,7 @@ password_config: # Whether to allow non server admins to create groups on this server # -enable_group_creation: false +enable_group_creation: true # If enabled, non server admins can only create groups with local parts # starting with this prefix diff --git a/roles/docker/files/configs/matrix/vhost-matrix b/roles/docker/files/configs/matrix/vhost-matrix index 36b8434..a597770 100644 
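Review bot: `domain: rss.{{ base_domain }}` in the new `ttrss` block of roles/docker/defaults/main.yml is the only unquoted templated value in the file; every sibling (`drone`, `portainer`, the new `domains` lists in the `@@ -49,10 +52,25 @@` hunk) wraps the Jinja expression in double quotes. The plain scalar happens to parse because the value does not begin with `{`, but quoting keeps the file uniform and protects against a later edit that moves the expression to the front of the value: `domain: "rss.{{ base_domain }}"`.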
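Review bot: `allow_public_rooms_over_federation: true` and `enable_group_creation: true` in homeserver.yaml both widen what remote homeservers and ordinary local users may do, and the only text beside them is the upstream option description, not the reason this deployment departs from the defaults. Add a short deployment note above each, e.g. `# data.coop: intentionally enabled, see <decision/ticket placeholder>`, so the next synapse bump does not read them as sample-config leftovers. `max_upload_size: "50M"` is matched by `client_max_body_size 50M;` in vhost-matrix in the following hunk; a cross-reference comment on one of them (`# keep in sync with max_upload_size in homeserver.yaml`) would keep the two values from drifting apart.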
--- a/roles/docker/files/configs/matrix/vhost-matrix +++ b/roles/docker/files/configs/matrix/vhost-matrix @@ -1 +1,2 @@ -listen 8008; \ No newline at end of file +listen 8008; +client_max_body_size 50M; # default is 1M diff --git a/roles/docker/files/configs/matrix/vhost-riot b/roles/docker/files/configs/matrix/vhost-riot new file mode 100644 index 0000000..66b77ed --- /dev/null +++ b/roles/docker/files/configs/matrix/vhost-riot @@ -0,0 +1 @@ +client_max_body_size 50M; # default is 1M diff --git a/roles/docker/files/configs/riot/config.json b/roles/docker/files/configs/riot/config.json index a7dbfc9..ed9f5fb 100644 --- a/roles/docker/files/configs/riot/config.json +++ b/roles/docker/files/configs/riot/config.json @@ -1,7 +1,7 @@ { "default_hs_url": "https://{{ matrix.domain }}", "default_is_url": "https://vector.im", - "brand": "riot.data.coop", + "brand": "element.data.coop", "integrations_ui_url": "https://scalar.vector.im/", "integrations_rest_url": "https://scalar.vector.im/api", "integrations_widgets_urls": [ diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml index 5728069..45c9233 100644 --- a/roles/docker/tasks/services.yml +++ b/roles/docker/tasks/services.yml @@ -3,14 +3,6 @@ docker_network: name: external_services -- name: setup network for postfix - docker_network: - name: postfix - ipam_options: - subnet: '172.16.0.0/16' - gateway: 172.16.0.1 - - - name: setup services include_tasks: "services/{{ item }}.yml" with_items: "{{ services }}" diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index ad05c46..62bdbaa 100644 --- a/roles/docker/tasks/services/drone.yml +++ b/roles/docker/tasks/services/drone.yml 
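Review bot: Removing the `postfix` network from roles/docker/tasks/services/services.yml changes when that network exists: it used to be created before the `setup services` include loop ran, and after this commit it is created inside postfix.yml (hunk further down), while passit.yml now declares `postfix` as `external: true`. Deploying therefore depends on `postfix` appearing before `passit` in the `services` list in playbook.yml; that list is only partially visible in this diff, so please confirm the order, or keep the network creation in a task that runs before the `include_tasks` loop. A comment in postfix.yml such as `# must run before services that join this network (passit)` would record the dependency either way.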
@@ -1,21 +1,51 @@ --- -- name: Drone container - docker_container: - name: drone - image: drone/drone:latest - restart_policy: unless-stopped - networks: - - name: external_services - volumes: - - "{{ drone.volume_folder }}:/data" - - "/var/run/docker.sock:/var/run/docker.sock" - env: - DRONE_GITEA_SERVER: "https://{{ gitea.domain }}" - DRONE_GITEA_ALWAYS_AUTH: "False" - DRONE_RUNNER_CAPACITY: "2" - DRONE_SERVER_HOST: "{{ drone.domain }}" - DRONE_SERVER_PROTO: "https" - PLUGIN_CUSTOM_DNS: "91.239.100.100" - VIRTUAL_HOST: "{{ drone.domain }}" - LETSENCRYPT_HOST: "{{ drone.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" +- name: set up drone with docker runner + docker_compose: + project_name: drone + pull: yes + definition: + version: "3.6" + services: + drone: + container_name: "drone" + image: drone/drone:1 + restart: unless-stopped + networks: + - external_services + - drone + volumes: + - "{{ drone.volume_folder }}:/data" + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + DRONE_GITEA_SERVER: "https://{{ gitea.domain }}" + DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}" + DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}" + DRONE_GIT_ALWAYS_AUTH: "true" + DRONE_SERVER_HOST: "{{ drone.domain }}" + DRONE_SERVER_PROTO: "https" + DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" + PLUGIN_CUSTOM_DNS: "91.239.100.100" + VIRTUAL_HOST: "{{ drone.domain }}" + LETSENCRYPT_HOST: "{{ drone.domain }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + + drone-runner-docker: + container_name: "drone-runner-docker" + image: "drone/drone-runner-docker:1" + restart: unless-stopped + networks: + - drone + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + DRONE_RPC_HOST: "{{ drone.domain }}" + DRONE_RPC_PROTO: "https" + DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" + DRONE_RUNNER_CAPACITY: 2 + DRONE_RUNNER_NAME: "data.coop_drone_runner" + + networks: + drone: + external_services: + 
external: + name: external_services \ No newline at end of file diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index 1e38263..cd98662 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml @@ -1,9 +1,13 @@ --- +- name: gitea network + docker_network: + name: gitea + # old DNS: 138.68.71.153 - name: gitea container docker_container: name: gitea - image: gitea/gitea:latest + image: gitea/gitea:1.12.3 restart_policy: unless-stopped networks: - name: gitea diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index 0e2b4ab..e53d92c 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml @@ -38,7 +38,7 @@ force: yes - name: run mail server containers - docker_service: + docker_compose: project_name: mail_server pull: yes definition: @@ -78,6 +78,7 @@ - "993:993" - "25:25" - "587:587" + - "465:465" networks: - default - external_services diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index a170d8e..016cc6e 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml @@ -46,6 +46,11 @@ src: files/configs/matrix/vhost-matrix dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}" +- name: upload vhost config for riot domain + template: + src: files/configs/matrix/vhost-riot + dest: "{{ nginx.volume_folder }}/vhost/{{ riot.domains[0] }}" + - name: upload homeserver.yaml template: src: "files/configs/matrix/homeserver.yaml" @@ -57,7 +62,7 @@ dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config" - name: set up matrix and riot - docker_service: + docker_compose: project_name: matrix pull: yes definition: 
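Review bot: The `drone` service in the new compose definition still bind-mounts `/var/run/docker.sock`, although the 1.x layout in this hunk moves pipeline execution to the separate `drone-runner-docker` service, which mounts the socket itself and talks to the server over `DRONE_RPC_SECRET`. If the server no longer runs builds (which the split suggests; please confirm against the drone 1.x server docs), its socket mount only hands a web-facing container root-equivalent control of the host and should be removed from that service's `volumes`. Two smaller points: `DRONE_RUNNER_CAPACITY: 2` is the one unquoted environment value in the definition (`"2"` like the rest avoids compose having to coerce it), and the file now ends without a trailing newline. `DRONE_GIT_ALWAYS_AUTH: "true"` replaces the removed `DRONE_GITEA_ALWAYS_AUTH: "False"` and flips the value; a one-line comment on why always-auth is wanted would help the next reader.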
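Review bot: The new `upload vhost config for riot domain` task in matrix_riot.yml writes the vhost file only for `{{ riot.domains[0] }}`, while the same commit turns `riot.domain` into a two-entry `domains` list (riot and element, in defaults/main.yml) and sets `VIRTUAL_HOST`/`LETSENCRYPT_HOST` to `riot.domains|join(',')`. Requests arriving on the second hostname will not receive the `client_max_body_size 50M;` override from vhost-riot, if that override is needed for the web client at all. Loop the task over the list instead: `loop: "{{ riot.domains }}"` with `dest: "{{ nginx.volume_folder }}/vhost/{{ item }}"`. The matrix vhost task just above is unaffected because `matrix.domain` stays a single value.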
@@ -77,17 +82,18 @@ matrix_app: container_name: matrix - image: matrixdotorg/synapse:v0.99.2 + image: matrixdotorg/synapse:v1.18.0 restart: unless-stopped networks: - matrix - - external_services + - external_services ports: - 8008 - volumes: + volumes: - "{{ matrix.volume_folder }}/data:/data" environment: SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" + SYNAPSE_CACHE_FACTOR: "2" SYNAPSE_LOG_LEVEL: "INFO" VIRTUAL_HOST: "{{ matrix.domain }}" VIRTUAL_PORT: "8008" @@ -96,7 +102,7 @@ riot: container_name: riot_app - image: avhost/docker-matrix-riot:v1.0.3 + image: avhost/docker-matrix-riot:v1.7.3 restart: unless-stopped networks: - matrix @@ -104,14 +110,14 @@ ports: - 8080 volumes: - - "{{ riot.volume_folder }}/data:/data" + - "{{ riot.volume_folder }}/data:/data" environment: - VIRTUAL_HOST: "{{ riot.domain }}" + VIRTUAL_HOST: "{{ riot.domains|join(',') }}" VIRTUAL_PORT: "8080" - LETSENCRYPT_HOST: "{{ riot.domain }}" + LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - networks: + networks: external_services: external: name: external_services diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index adfa1ab..80068eb 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -21,5 +21,7 @@ LETSENCRYPT_HOST: "{{ netdata.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" PGID: "999" + labels: + com.ouroboros.enable: "true" diff --git a/roles/docker/tasks/services/ouroboros.yml b/roles/docker/tasks/services/ouroboros.yml index c5aae9f..a85f074 100644 --- a/roles/docker/tasks/services/ouroboros.yml +++ b/roles/docker/tasks/services/ouroboros.yml @@ -14,5 +14,5 @@ LABELS_ONLY: "true" CLEANUP: "true" LATEST: "true" - CRON: "*/1 * * * *" + CRON: "*/10 * * * *" \ No newline at end of file diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index fd972ef..5855c90 100644 
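Review bot: `com.ouroboros.enable: "true"` on netdata opts that container into ouroboros' automatic re-pulls, and ouroboros runs with `LATEST: "true"` and, after this hunk, `CRON: "*/10 * * * *"`, so as I read the option every labelled container is moved to whatever the registry publishes as `latest` every ten minutes. That is a supply-chain decision worth a comment beside the label (`# auto-updated by ouroboros; image tag is intentionally floating`), and it applies equally to the new labels in tt-rss.yml, ulovliglogning-dk.yml and websites.yml. The images this commit pins (gitea 1.12.3, portainer-ce 2.0.1, synapse v1.18.0) carry no such label, which is consistent; `ulovliglogning/ulovliglogning.dk:latest` and the untagged `linuxserver/tt-rss` are the ones that will actually move. The netdata task itself starts above this hunk.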
--- a/roles/docker/tasks/services/passit.yml
+++ b/roles/docker/tasks/services/passit.yml
@@ -1,45 +1,47 @@ --- -- name: passit network - docker_network: - name: passit +- name: setup passit containers + docker_compose: + project_name: "passit" + pull: "yes" + definition: + version: "3.6" + services: -- name: passit database volume - docker_volume: - name: passit_db + passit_db: + image: "postgres:10" + restart: "always" + networks: + - "passit" + volumes: + - "{{ passit.volume_folder }}/data:/var/lib/postgresql/data" + environment: + POSTGRES_USER: "passit" + POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" -- name: passit database container - docker_container: - name: passit_db - image: postgres:10 - state: started - restart_policy: always - networks: - - name: passit - volumes: - - passit_db:/var/lib/postgresql/data - env: - POSTGRES_USER: passit - POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" + passit_app: + image: "passit/passit:stable" + command: "bin/start.sh" + restart: "always" + networks: + - "passit" + - "postfix" + - "external_services" + environment: + DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit" + SECRET_KEY: "{{ passit_secret_key }}" + IS_DEBUG: 'False' + EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" + DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}" + EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}" -- name: passit app container - docker_container: - name: passit - image: passit/passit:stable - command: bin/start.sh - restart_policy: always - networks: - - name: passit - - name: postfix - - name: external_services - env: - DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit" - SECRET_KEY: "{{ passit_secret_key }}" - IS_DEBUG: 'False' - EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }} - DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}" - EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}" + VIRTUAL_HOST: "{{ passit.domain }}" + LETSENCRYPT_HOST: "{{ passit.domain }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - 
VIRTUAL_HOST: "{{ passit.domain }}" - LETSENCRYPT_HOST: "{{ passit.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + networks: + passit: + postfix: + external: true + external_services: + external: true \ No newline at end of file diff --git a/roles/docker/tasks/services/portainer.yml b/roles/docker/tasks/services/portainer.yml index b13dcff..c042bf2 100644 --- a/roles/docker/tasks/services/portainer.yml +++ b/roles/docker/tasks/services/portainer.yml @@ -8,7 +8,7 @@ - name: run portainer docker_container: name: portainer - image: portainer/portainer + image: portainer/portainer-ce:2.0.1 restart_policy: always networks: - name: external_services @@ -19,5 +19,6 @@ - 9001:9000 env: VIRTUAL_HOST: "{{ portainer.domain }}" + VIRTUAL_PORT: "9000" LETSENCRYPT_HOST: "{{ portainer.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index 59d5472..3ab9d3c 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml @@ -1,5 +1,12 @@ --- +- name: setup network for postfix + docker_network: + name: postfix + ipam_config: + - subnet: '172.16.0.0/16' + gateway: 172.16.0.1 + - name: setup postfix docker container for outgoing mail docker_container: name: postfix diff --git a/roles/docker/tasks/services/restic-backup.yml b/roles/docker/tasks/services/restic-backup.yml new file mode 100644 index 0000000..379e510 --- /dev/null +++ b/roles/docker/tasks/services/restic-backup.yml 
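Review bot: The passit database moves from the named volume `passit_db` (its `docker_volume` task is removed) to the bind mount `{{ passit.volume_folder }}/data`, and nothing in the commit copies the existing cluster across, so on the next run postgres will initialise an empty database under the new path unless the data was migrated out of band; please confirm, and record it in a comment such as `# data lives under passit.volume_folder since <date placeholder>; the old passit_db volume can be removed`. Unlike tt-rss.yml, which creates its directories with a `file` task before compose runs, passit relies on docker creating the bind-mount directory as root. Style: `pull: "yes"` is a quoted string where every other `docker_compose` task in this commit writes the bare `pull: yes`, and the file now ends without a trailing newline.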
@@ -0,0 +1,38 @@
+---
+- name: setup restic backup
+ docker_compose:
+ project_name: restic_backup
+ pull: yes
+ definition:
+ version: '3.6'
+ services:
+ restic-backup:
+ image: mazzolino/restic
+ restart: always
+ environment:
+ RUN_ON_STARTUP: "true"
+ BACKUP_CRON: "0 30 3 * * *"
+ RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
+ RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
+ RESTIC_BACKUP_SOURCES: "/mnt/volumes"
+ RESTIC_BACKUP_ARGS: >-
+ --tag datacoop-volumes
+ --exclude='*.tmp'
+ --verbose
+ RESTIC_FORGET_ARGS: >-
+ --keep-last 10
+ --keep-daily 7
+ --keep-weekly 5
+ --keep-monthly 12
+ TZ: Europe/Copenhagen
+ volumes:
+ - /docker-volumes:/mnt/volumes:ro
+
+ restic-prune:
+ image: "mazzolino/restic"
+ environment:
+ RUN_ON_STARTUP: "true"
+ PRUNE_CRON: "0 0 4 * * *"
+ RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
+ RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
+ TZ: Europe/copenhagen
diff --git a/roles/docker/tasks/services/tt-rss.yml b/roles/docker/tasks/services/tt-rss.yml
new file mode 100644
index 0000000..e4e7c8a
--- /dev/null
+++ b/roles/docker/tasks/services/tt-rss.yml
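Review bot: `TZ: Europe/copenhagen` on the `restic-prune` service is misspelled (tz database names are case-sensitive; `restic-backup` above uses `Europe/Copenhagen`), so the prune container will most likely fall back to UTC and run `PRUNE_CRON` at a different hour than intended; change it to `TZ: Europe/Copenhagen`. `restic-prune` also lacks the `restart: always` that `restic-backup` has, so it will not come back after a host reboot. Both services set `RUN_ON_STARTUP: "true"`, which starts a backup and a prune at the same moment on every deploy; restic prune takes an exclusive repository lock, so one of the two can be expected to fail with a lock error on that first run — either drop `RUN_ON_STARTUP` from the prune service or comment that the failure is accepted. Whether a file-level snapshot of the live postgres data directories under `/docker-volumes` is restorable is a separate question the task should state its answer to.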
@@ -0,0 +1,53 @@
+---
+- name: create tt-rss folders
+ file:
+ name: "{{ ttrss.volume_folder }}/{{ volume }}"
+ state: directory
+ loop:
+ - "config"
+ - "db"
+ loop_control:
+ loop_var: volume
+
+- name: "set up tt-rss"
+ docker_compose:
+ project_name: "tt-rss"
+ pull: yes
+ definition:
+ version: "3.6"
+ services:
+ ttrss_db:
+ container_name: "ttrss_db"
+ image: "postgres:11"
+ restart: "unless-stopped"
+ networks:
+ - "ttrss"
+ volumes:
+ - "{{ ttrss.volume_folder }}/db:/var/lib/postgresql/data"
+ environment:
+ POSTGRES_USER: "ttrss"
+ POSTGRES_PASSWORD: "{{ postgres_passwords.ttrss }}"
+
+ ttrss_app:
+ container_name: ttrss_app
+ image: "linuxserver/tt-rss"
+ restart: unless-stopped
+ networks:
+ - ttrss
+ - external_services
+ volumes:
+ - "{{ ttrss.volume_folder }}/config:/config"
+ environment:
+ VIRTUAL_HOST: "{{ ttrss.domain }}"
+ LETSENCRYPT_HOST: "{{ ttrss.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ TZ: "Europe/Copenhagen"
+ labels:
+ com.ouroboros.enable: "true"
+
+ networks:
+ external_services:
+ external:
+ name: external_services
+ ttrss:
+ name: "ttrss"
diff --git a/roles/docker/tasks/services/ulovliglogning-dk.yml b/roles/docker/tasks/services/ulovliglogning-dk.yml
new file mode 100644
index 0000000..7ae903f
--- /dev/null
+++ b/roles/docker/tasks/services/ulovliglogning-dk.yml
@@ -0,0 +1,13 @@
+- name: setup ulovliglogning.dk website docker container
+ docker_container:
+ name: ulovliglogning_website
+ restart_policy: unless-stopped
+ image: ulovliglogning/ulovliglogning.dk:latest
+ networks:
+ - name: external_services
+ env:
+ VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+ LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ labels:
+ com.ouroboros.enable: "true"
diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index 2436da2..0d99509 100644
--- a/roles/docker/tasks/services/websites.yml
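Review bot: `ttrss_app` is given no database connection settings (only `VIRTUAL_HOST`, `LETSENCRYPT_*` and `TZ`), while `ttrss_db` is started with user `ttrss` and `postgres_passwords.ttrss`; presumably the linuxserver image is configured through the `/config` bind mount, but that is stated nowhere, and the service is still commented out in playbook.yml (`# - tt-rss`), so the task has not been exercised yet. A comment on the `ttrss_app` service naming where the host `ttrss_db` and the credentials are expected to be entered (`# DB host/user/password are set in <config file placeholder> under /config`) would make the first real deploy easier. Minor: `ttrss_db` quotes `restart: "unless-stopped"` and `container_name` while `ttrss_app` leaves both bare — pick one form for the file.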
+++ b/roles/docker/tasks/services/websites.yml @@ -8,11 +8,25 @@ networks: - name: external_services env: - VIRTUAL_HOST : "{{ data_coop_website.domain }}" - LETSENCRYPT_HOST: "{{ data_coop_website.domain }}" + VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" labels: - com.ouroboros.enable: "true" + com.ouroboros.enable: "true" + +- name: setup new data.coop website using hugo + docker_container: + name: new.data.coop_website + image: docker.data.coop/data-coop-website:hugo + restart_policy: unless-stopped + networks: + - name: external_services + env: + VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}" + LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + labels: + com.ouroboros.enable: "true" - name: setup cryptohagen.dk website docker container docker_container: @@ -22,8 +36,22 @@ networks: - name: external_services env: - VIRTUAL_HOST : "{{ cryptohagen_website.domain }}" - LETSENCRYPT_HOST: "{{ cryptohagen_website.domain }}" + VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" labels: com.ouroboros.enable: "true" + +- name: setup cryptoaarhus.dk website docker container + docker_container: + name: cryptoaarhus_website + restart_policy: unless-stopped + image: docker.data.coop/cryptoaarhus-website + networks: + - name: external_services + env: + VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + labels: + com.ouroboros.enable: "true" diff --git a/roles/docker/templates/mailu.env.j2 b/roles/docker/templates/mailu.env.j2 index 168fc93..c04392c 100644 --- a/roles/docker/templates/mailu.env.j2 
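Review bot: The new hugo task builds its hostnames as `"new.{{ data_coop_website.domains|join(',') }}"`; with the defaults from this commit (`domains: ["{{ base_domain }}", "www.{{ base_domain }}"]`) and assuming `base_domain` is data.coop, that renders to `new.data.coop,www.data.coop`, so the second vhost is `www.data.coop` — the same hostname the first data.coop container already claims in its `VIRTUAL_HOST` and `LETSENCRYPT_HOST` on the lines just above. Two containers publishing the same vhost leaves routing to whichever nginx-proxy happens to pick, and the certificate for www would be requested for both. Use a single explicit name (`VIRTUAL_HOST : "new.{{ base_domain }}"`, same for `LETSENCRYPT_HOST`) or prefix every element (`data_coop_website.domains|map('regex_replace', '^', 'new.')|join(',')`). In the second hunk, `image: docker.data.coop/cryptoaarhus-website` carries no tag and so floats on `latest` under the ouroboros label, whereas the hugo task at least names `:hugo`.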
+++ b/roles/docker/templates/mailu.env.j2 @@ -41,7 +41,7 @@ POSTMASTER=admin TLS_FLAVOR=mail # Authentication rate limit (per source IP address) -AUTH_RATELIMIT=10/minute;1000/hour +AUTH_RATELIMIT=120/minute;1200/hour # Opt-out of statistics, replace with "True" to opt out DISABLE_STATISTICS=False diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index d6a59c8..7ddff51 100644 --- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml @@ -1,5 +1,5 @@ --- -- name: Install necessary packages +- name: Install necessary packages via apt apt: name: "{{ packages }}" vars: @@ -8,4 +8,11 @@ - python3-pip - apparmor - haveged - \ No newline at end of file + +- name: Install necessary packages via pip + pip: + name: "{{ packages }}" + vars: + packages: + - docker + - docker-compose \ No newline at end of file
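Review bot: `AUTH_RATELIMIT=120/minute;1200/hour` raises the per-source-IP authentication limit twelve-fold per minute, and that limit is what Mailu applies against repeated failed logins on the mail ports; the commit gives no reason and the template comment above the line still reads as if the default were in place. Add a line such as `# Raised from 10/minute because <reason placeholder>` above it so the relaxation is traceable, and confirm the hourly value is intended: `1200/hour` is only ten minutes' worth at the new per-minute rate, so it looks like a leftover from the old `1000/hour` rather than a deliberate pairing.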
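Review bot: The new `Install necessary packages via pip` task in roles/ubuntu_base/tasks/base.yml installs `docker` and `docker-compose` without versions, so every run may pull a different release, and releases of the python `docker-compose` package constrain which `docker` SDK versions they accept; pin both (`- docker==<version placeholder>` / `- docker-compose==<version placeholder>`) to a pair known to handle the compose file format `"3.6"` the service tasks use. The apt task above installs `python3-pip`, so add `executable: pip3` to the pip task (or set `ansible_python_interpreter` to python3) to make sure the modules land in the interpreter Ansible's docker modules run under rather than a system python2. The file still ends without a trailing newline.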