carl/ansible
1
0
Fork 0
forked from data.coop/ansible
Code Issues Pull requests Releases Wiki Activity

Merge branch 'main' into watchtower

Browse source
This commit is contained in:
Sam A. 2022-11-26 16:49:53 +01:00
parent 44b5f91eef 7962a75481
commit 1356aa54c8
Signed by untrusted user: samsapti
GPG key ID: CBBBE7371E81C4EA
45 changed files with 629 additions and 958 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

111
.ansible-lint Normal file
View file

@ -0,0 +1,111 @@
---
# .ansible-lint
profile: null # min, basic, moderate,safety, shared, production
# exclude_paths included in this file are parsed relative to this file's location
# and not relative to the CWD of execution. CLI arguments passed to the --exclude
# option are parsed relative to the CWD of execution.
exclude_paths:
- .cache/ # implicit unless exclude_paths is defined in config
- .github/
- test/fixtures/formatting-before/
- test/fixtures/formatting-prettier/
# parseable: true
# quiet: true
# strict: true
# verbosity: 1
# Mock modules or roles in order to pass ansible-playbook --syntax-check
mock_modules:
- zuul_return
# note the foo.bar is invalid as being neither a module or a collection
- fake_namespace.fake_collection.fake_module
- fake_namespace.fake_collection.fake_module.fake_submodule
mock_roles:
- mocked_role
- author.role_name # old standalone galaxy role
- fake_namespace.fake_collection.fake_role # role within a collection
# Enable checking of loop variable prefixes in roles
loop_var_prefix: "{role}_"
# Enforce variable names to follow pattern below, in addition to Ansible own
# requirements, like avoiding python identifiers. To disable add `var-naming`
# to skip_list.
# var_naming_pattern: "^[a-z_][a-z0-9_]*$"
use_default_rules: true
# Load custom rules from this specific folder
# rulesdir:
# - ./rule/directory/
# Ansible-lint completely ignores rules or tags listed below
skip_list:
- skip_this_tag
# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
# You must enable opt-in rules by listing each rule 'id' below.
enable_list:
- empty-string-compare # opt-in
- no-log-password # opt-in
- no-same-owner # opt-in
# add yaml here if you want to avoid ignoring yaml checks when yamllint
# library is missing. Normally its absence just skips using that rule.
- yaml
# Report only a subset of tags and fully ignore any others
# tags:
# - jinja[spacing]
# Ansible-lint does not fail on warnings from the rules or tags listed below
warn_list:
- skip_this_tag
- experimental # experimental is included in the implicit list
# - role-name
# - yaml[document-start] # you can also use sub-rule matches
# Some rules can transform files to fix (or make it easier to fix) identified
# errors. `ansible-lint --write` will reformat YAML files and run these transforms.
# By default it will run all transforms (effectively `write_list: ["all"]`).
# You can disable running transforms by setting `write_list: ["none"]`.
# Or only enable a subset of rule transforms by listing rules/tags here.
# write_list:
# - all
# Offline mode disables installation of requirements.yml
offline: false
# Return success if number of violations compared with previous git
# commit has not increased. This feature works only in git
# repositories.
progressive: false
# Define required Ansible's variables to satisfy syntax check
extra_vars:
foo: bar
multiline_string_variable: |
line1
line2
complex_variable: ":{;\t$()"
# Uncomment to enforce action validation with tasks, usually is not
# needed as Ansible syntax check also covers it.
# skip_action_validation: false
# List of additional kind:pattern to be added at the top of the default
# match list, first match determines the file kind.
kinds:
# - playbook: "**/examples/*.{yml,yaml}"
# - galaxy: "**/folder/galaxy.yml"
# - tasks: "**/tasks/*.yml"
# - vars: "**/vars/*.yml"
# - meta: "**/meta/main.yml"
- yaml: "**/*.yaml-too"
# List of additional collections to allow in only-builtins rule.
# only_builtins_allow_collections:
# - example_ns.example_collection
# List of additions modules to allow in only-builtins rule.
# only_builtins_allow_modules:
# - example_module

2
.gitignore vendored
View file

@ -2,3 +2,5 @@ playbook.retry
*.sw* *.sw*
.vagrant/ .vagrant/
*.log *.log
.idea/
venv/

14
.pre-commit-config.yaml Normal file
View file

@ -0,0 +1,14 @@
repos:
#- repo: https://github.com/semaphor-dk/dansabel
# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
# hooks:
# - id: dansabel
- repo: https://github.com/ansible/ansible-lint
rev: v6.9.0
hooks:
- id: ansible-lint
files: \.(yaml|yml)$
additional_dependencies:
- ansible

12
Makefile Normal file
View file

@ -0,0 +1,12 @@
init: create_venv install_pre_commit install_ansible_galaxy_modules
create_venv:
python3 -m venv venv
venv/bin/pip install -U pip
venv/bin/pip install ansible pre-commit
install_pre_commit:
venv/bin/pre-commit install
install_ansible_galaxy_modules:
venv/bin/ansible-galaxy collection install community.general

13
deploy.sh
View file

@ -2,8 +2,13 @@
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass" BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
if [ "$1" = "--vagrant" ]; then
BASE_CMD="$BASE_CMD --inventory=vagrant_host"
shift
fi
if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
echo "Installing community modules" echo "Installing community.general modules"
ansible-galaxy collection install community.general ansible-galaxy collection install community.general
fi fi
@ -17,12 +22,14 @@ else
echo "Deploying all services!" echo "Deploying all services!"
$BASE_CMD --tags setup_services $BASE_CMD --tags setup_services
else else
echo "Deploying services: $2" echo "Deploying service: $2"
$BASE_CMD --tags setup_services --extra-vars "services=$2" $BASE_CMD --tags setup_services --extra-vars "single_service=$2"
fi fi
;; ;;
"base") "base")
$BASE_CMD --tags base_only $BASE_CMD --tags base_only
;; ;;
*)
echo "Command \"$1\" not found!"
esac esac
fi fi

25
playbook.yml
View file

@ -10,31 +10,6 @@
vagrant: "{{ ansible_virtualization_role == 'guest' }}" vagrant: "{{ ansible_virtualization_role == 'guest' }}"
letsencrypt_enabled: "{{ not vagrant }}" letsencrypt_enabled: "{{ not vagrant }}"
services:
- nginx-proxy
- postfix
- openldap
- keycloak
- restic-backup
- nextcloud
- passit
- gitea
- matrix_riot
- privatebin
- codimd
- hedgedoc
- netdata
- docker_registry
- drone
- websites
- ulovliglogning-dk
- watchtower
- mailu
- portainer
- mastodon
- rallly
- membersystem
smtp_host: "postfix" smtp_host: "postfix"
smtp_port: "587" smtp_port: "587"

235
roles/docker/defaults/main.yml
View file

@ -1,122 +1,169 @@
--- ---
volume_root_folder: "/docker-volumes" volume_root_folder: "/docker-volumes"
nginx: services:
volume_folder: "{{ volume_root_folder }}/nginx"
ldap: ### Internal services ###
domain: "ldap.{{ base_domain }}" postfix:
volume_folder: "{{ volume_root_folder }}/openldap" file: postfix.yml
version: "v3.5.1"
nextcloud: nginx_proxy:
domain: "cloud.{{ base_domain }}" file: nginx_proxy.yml
volume_folder: "{{ volume_root_folder }}/nextcloud" version: "1.0-alpine"
volume_folder: "{{ volume_root_folder }}/nginx"
gitea: nginx_acme_companion:
domain: "git.{{ base_domain }}" version: "2.2"
volume_folder: "{{ volume_root_folder }}/gitea"
passit: openldap:
domain: "passit.{{ base_domain }}" file: openldap.yml
volume_folder: "{{ volume_root_folder }}/passit" domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
version: "1.5.0"
matrix: phpldapadmin:
domain: "matrix.{{ base_domain }}" version: "0.9.0"
volume_folder: "{{ volume_root_folder }}/matrix"
riot: netdata:
domains: file: netdata.yml
- "riot.{{ base_domain }}" domain: "netdata.{{ base_domain }}"
- "element.{{ base_domain }}" version: "v1"
volume_folder: "{{ volume_root_folder }}/riot"
privatebin: portainer:
domain: "paste.{{ base_domain }}" file: portainer.yml
volume_folder: "{{ volume_root_folder }}/privatebin" domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
version: "2.16.2"
codimd: keycloak:
domain: "oldpad.{{ base_domain }}" file: keycloak.yml
volume_folder: "{{ volume_root_folder }}/codimd" domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
version: "20.0"
hedgedoc: restic:
domain: "pad.{{ base_domain }}" file: restic_backup.yml
volume_folder: "{{ volume_root_folder }}/hedgedoc" user: "datacoop"
domain: "restic.cannedtuna.org"
repository: "datacoop-hevonen"
version: "1.6.0"
disabled_in_vagrant: true
netdata: docker_registry:
domain: "netdata.{{ base_domain }}" file: docker_registry.yml
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
username: "docker"
password: "{{ docker_password }}"
version: "2"
docker_registry: ### External services ###
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
username: "docker"
password: "{{ docker_password }}"
data_coop_website: nextcloud:
domains: file: nextcloud.yml
- "{{ base_domain }}" domain: "cloud.{{ base_domain }}"
- "www.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud"
version: 25-apache
cryptohagen_website: gitea:
domains: file: gitea.yml
- "cryptohagen.dk" domain: "git.{{ base_domain }}"
- "www.cryptohagen.dk" volume_folder: "{{ volume_root_folder }}/gitea"
version: 1.17
allowed_sender_domain: true
ulovliglogning_website: passit:
domains: file: passit.yml
- "ulovliglogning.dk" domain: "passit.{{ base_domain }}"
- "www.ulovliglogning.dk" volume_folder: "{{ volume_root_folder }}/passit"
- "ulovlig-logning.dk" version: stable
allowed_sender_domain: true
cryptoaarhus_website: matrix:
domains: file: matrix_riot.yml
- "cryptoaarhus.dk" domain: "matrix.{{ base_domain }}"
- "www.cryptoaarhus.dk" volume_folder: "{{ volume_root_folder }}/matrix"
version: v1.63.1
drone: riot:
domain: "drone.{{ base_domain }}" domains:
volume_folder: "{{ volume_root_folder }}/drone" - "riot.{{ base_domain }}"
- "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/riot"
version: v1.11.8
mailu: privatebin:
version: 1.6 file: privatebin.yml
domain: "mail.{{ base_domain }}" domain: "paste.{{ base_domain }}"
dns: 192.168.203.254 volume_folder: "{{ volume_root_folder }}/privatebin"
subnet: 192.168.203.0/24 version: 20221009
volume_folder: "{{ volume_root_folder }}/mailu"
portainer: codimd:
domain: "portainer.{{ base_domain }}" domain: "oldpad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer" volume_folder: "{{ volume_root_folder }}/codimd"
ttrss: hedgedoc:
domain: rss.{{ base_domain }} file: hedgedoc.yml
volume_folder: "{{ volume_root_folder }}/tt-rss" domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
version: 1
keycloak: data_coop_website:
domain: sso.{{ base_domain }} file: websites/data.coop.yml
volume_folder: "{{ volume_root_folder }}/keycloak" domains:
- "{{ base_domain }}"
- "www.{{ base_domain }}"
postfix: cryptohagen_website:
allowed_sender_domains: file: websites/cryptohagen.dk.yml
- "services.{{ base_domain }}" domains:
- "{{ passit.domain }}" - "cryptohagen.dk"
- "{{ gitea.domain }}" - "www.cryptohagen.dk"
- "{{ mastodon.domain }}"
- "{{ rallly.domain }}"
- "{{ membersystem.domain }}"
mastodon: ulovliglogning_website:
domain: "social.{{ base_domain }}" file: websites/ulovliglogning.dk.yml
volume_folder: "{{ volume_root_folder }}/mastodon" domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
rallly: cryptoaarhus_website:
domain: "when.{{ base_domain }}" file: websites/cryptoaarhus.dk.yml
volume_folder: "{{ volume_root_folder }}/rallly" domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
membersystem: drone:
domain: "member.{{ base_domain }}" file: drone.yml
django_admins: "Vidir:valberg@orn.li" domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
version: 1
restic: mailu:
user: "datacoop" file: mailu.yml
domain: "restic.cannedtuna.org" version: 1.6
repository: "datacoop-hevonen" domain: "mail.{{ base_domain }}"
dns: 192.168.203.254
subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu"
mastodon:
file: mastodon.yml
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
version: v4.0.2
allowed_sender_domain: true
rallly:
file: rallly.yml
domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly"
version: a21f92bf74308d66cfcd545d49b81eba0211a222
allowed_sender_domain: true
membersystem:
file: membersystem.yml
domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li"
allowed_sender_domain: true

4
roles/docker/files/configs/mastodon/env_file.j2
View file

@ -14,7 +14,7 @@
# ---------- # ----------
# This identifies your server and cannot be changed safely later # This identifies your server and cannot be changed safely later
# ---------- # ----------
LOCAL_DOMAIN={{ mastodon.domain }} LOCAL_DOMAIN={{ services.mastodon.domain }}
# Redis # Redis
# ----- # -----
@ -52,7 +52,7 @@ SMTP_SERVER={{ smtp_host }}
SMTP_PORT={{ smtp_port }} SMTP_PORT={{ smtp_port }}
SMTP_LOGIN= SMTP_LOGIN=
SMTP_PASSWORD= SMTP_PASSWORD=
SMTP_FROM_ADDRESS=notifications@{{ mastodon.domain }} SMTP_FROM_ADDRESS=notifications@{{ services.mastodon.domain }}
# File storage (optional) # File storage (optional)
# ----------------------- # -----------------------

2
roles/docker/files/configs/matrix/homeserver.yaml.j2
View file

@ -44,7 +44,7 @@ pid_file: /data/homeserver.pid
# use synapse with a reverse proxy, this should be the URL to reach # use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy. # synapse via the proxy.
# #
public_baseurl: "https://{{ matrix.domain }}" public_baseurl: "https://{{ services.matrix.domain }}"
# Set the soft limit on the number of file descriptors synapse can use # Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the # Zero is used to indicate synapse should set the soft limit to the

4
roles/docker/files/configs/rallly/env_file → roles/docker/files/configs/rallly/env_file.j2
View file

@ -1,7 +1,7 @@
NEXT_PUBLIC_BASE_URL="https://{{ rallly.domain }}" NEXT_PUBLIC_BASE_URL="https://{{ services.rallly.domain }}"
DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@rallly_db:5432/rallly_db" DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@rallly_db:5432/rallly_db"
SECRET_PASSWORD="{{ rallly_secrets.secret_password }}" SECRET_PASSWORD="{{ rallly_secrets.secret_password }}"
SUPPORT_EMAIL="noreply@{{ rallly.domain }}" SUPPORT_EMAIL="noreply@{{ services.rallly.domain }}"
SMTP_HOST="{{ smtp_host }}" SMTP_HOST="{{ smtp_host }}"
SMTP_PORT="{{ smtp_port }}" SMTP_PORT="{{ smtp_port }}"
SMTP_SECURE="false" SMTP_SECURE="false"

4
roles/docker/files/configs/riot/config.json
View file

@ -1,7 +1,7 @@
{ {
"default_server_config": { "default_server_config": {
"m.homeserver": { "m.homeserver": {
"base_url": "https://{{ matrix.domain }}" "base_url": "https://{{ services.matrix.domain }}"
}, },
"m.identity_server": { "m.identity_server": {
"base_url": "https://vector.im" "base_url": "https://vector.im"
@ -37,7 +37,7 @@
] ]
}, },
"enable_presence_by_hs_url": { "enable_presence_by_hs_url": {
"https://{{ matrix.domain }}": false "https://{{ services.matrix.domain }}": false
}, },
"terms_and_conditions_links": [ "terms_and_conditions_links": [
{ {

511
roles/docker/files/configs/thelounge.js
View file

@ -1,511 +0,0 @@
"use strict";
module.exports = {
//
// Set the server mode.
// Public servers does not require authentication.
//
// Set to 'false' to enable users.
//
// @type boolean
// @default false
//
public: false,
//
// IP address or hostname for the web server to listen on.
// Setting this to undefined will listen on all interfaces.
//
// For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
//
// @type string
// @default undefined
//
host: undefined,
//
// Set the port to listen on.
//
// @type int
// @default 9000
//
port: 9000,
//
// Set the local IP to bind to for outgoing connections. Leave to undefined
// to let the operating system pick its preferred one.
//
// @type string
// @default undefined
//
bind: undefined,
//
// Sets whether the server is behind a reverse proxy and should honor the
// X-Forwarded-For header or not.
//
// @type boolean
// @default false
//
reverseProxy: false,
//
// Set the default theme.
// Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
//
// @type string
// @default "example"
//
theme: "example",
//
// Prefetch URLs
//
// If enabled, The Lounge will try to load thumbnails and site descriptions from
// URLs posted in channels.
//
// @type boolean
// @default false
//
prefetch: false,
//
// Store and proxy prefetched images and thumbnails.
// This improves security and privacy by not exposing client IP address,
// and always loading images from The Lounge instance and making all assets secure,
// which in result fixes mixed content warnings.
//
// If storage is enabled, The Lounge will fetch and store images and thumbnails
// in the `${THELOUNGE_HOME}/storage` folder.
//
// Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
// and the folder is cleaned up on every The Lounge restart.
//
// @type boolean
// @default false
//
prefetchStorage: false,
//
// Prefetch URLs Image Preview size limit
//
// If prefetch is enabled, The Lounge will only display content under the maximum size.
// Specified value is in kilobytes. Default value is 2048 kilobytes.
//
// @type int
// @default 2048
//
prefetchMaxImageSize: 2048,
//
// Display network
//
// If set to false network settings will not be shown in the login form.
//
// @type boolean
// @default true
//
displayNetwork: true,
//
// Lock network
//
// If set to true, users will not be able to modify host, port and tls
// settings and will be limited to the configured network.
//
// @type boolean
// @default false
//
lockNetwork: false,
//
// Hex IP
//
// If enabled, clients' username will be set to their IP encoded has hex.
// This is done to share the real user IP address with the server for host masking purposes.
//
// @type boolean
// @default false
//
useHexIp: false,
//
// WEBIRC support
//
// If enabled, The Lounge will pass the connecting user's host and IP to the
// IRC server. Note that this requires to obtain a password from the IRC network
// The Lounge will be connecting to and generally involves a lot of trust from the
// network you are connecting to.
//
// Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
// Format (function):
// {"irc.example.net": function(client, args, trusted) {
// // here, we return a webirc object fed directly to `irc-framework`
// return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
// }}
//
// @type string | function(client, args):object(webirc)
// @default null
webirc: null,
//
// Log settings
//
// Logging has to be enabled per user. If enabled, logs will be stored in
// the 'logs/<user>/<network>/' folder.
//
// @type object
// @default {}
//
logs: {
//
// Timestamp format
//
// @type string
// @default "YYYY-MM-DD HH:mm:ss"
//
format: "YYYY-MM-DD HH:mm:ss",
//
// Timezone
//
// @type string
// @default "UTC+00:00"
//
timezone: "UTC+00:00",
},
//
// Maximum number of history lines per channel
//
// Defines the maximum number of history lines that will be kept in
// memory per channel/query, in order to reduce the memory usage of
// the server. Setting this to -1 will keep unlimited amount.
//
// @type integer
// @default 10000
maxHistory: 10000,
//
// Default values for the 'Connect' form.
//
// @type object
// @default {}
//
defaults: {
//
// Name
//
// @type string
// @default "Freenode"
//
name: "Freenode",
//
// Host
//
// @type string
// @default "chat.freenode.net"
//
host: "chat.freenode.net",
//
// Port
//
// @type int
// @default 6697
//
port: 6697,
//
// Password
//
// @type string
// @default ""
//
password: "",
//
// Enable TLS/SSL
//
// @type boolean
// @default true
//
tls: true,
//
// Nick
//
// @type string
// @default "lounge-user"
//
nick: "lounge-user",
//
// Username
//
// @type string
// @default "lounge-user"
//
username: "lounge-user",
//
// Real Name
//
// @type string
// @default "The Lounge User"
//
realname: "The Lounge User",
//
// Channels
// This is a comma-separated list.
//
// @type string
// @default "#thelounge"
//
join: "#thelounge",
},
//
// Set socket.io transports
//
// @type array
// @default ["polling", "websocket"]
//
transports: ["polling", "websocket"],
//
// Run The Lounge using encrypted HTTP/2.
// This will fallback to regular HTTPS if HTTP/2 is not supported.
//
// @type object
// @default {}
//
https: {
//
// Enable HTTP/2 / HTTPS support.
//
// @type boolean
// @default false
//
enable: false,
//
// Path to the key.
//
// @type string
// @example "sslcert/key.pem"
// @default ""
//
key: "",
//
// Path to the certificate.
//
// @type string
// @example "sslcert/key-cert.pem"
// @default ""
//
certificate: "",
//
// Path to the CA bundle.
//
// @type string
// @example "sslcert/bundle.pem"
// @default ""
//
ca: "",
},
//
// Default quit and part message if none is provided.
//
// @type string
// @default "The Lounge - https://thelounge.github.io"
//
leaveMessage: "The Lounge - https://thelounge.github.io",
//
// Run The Lounge with identd support.
//
// @type object
// @default {}
//
identd: {
//
// Run the identd daemon on server start.
//
// @type boolean
// @default false
//
enable: false,
//
// Port to listen for ident requests.
//
// @type int
// @default 113
//
port: 113,
},
//
// Enable oidentd support using the specified file
//
// Example: oidentd: "~/.oidentd.conf",
//
// @type string
// @default null
//
oidentd: null,
//
// LDAP authentication settings (only available if public=false)
// @type object
// @default {}
//
// The authentication process works as follows:
//
// 1. Lounge connects to the LDAP server with its system credentials
// 2. It performs a LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. Lounge tries to connect a second time, but this time using the user's
// DN and password. Auth is validated iff this connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
// to be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
// where <username> is the user name provided in the log in request,
// <primaryKey> is provided by the config and <fitler> is a filtering complement
// also given in the config, to filter for instance only for nodes of type
// inetOrgPerson, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
// ignore searchDN options and assume that the user DN is always:
// <bindDN>,<primaryKey>=<username>
// where <username> is the user name provided in the log in request, and <bindDN>
// and <primaryKey> are provided by the config.
//
ldap: {
//
// Enable LDAP user authentication
//
// @type boolean
// @default false
//
enable: true,
//
// LDAP server URL
//
// @type string
//
url: "ldap://{{ ldap.domain }}",
//
// LDAP connection tls options (only used if scheme is ldaps://)
//
// @type object (see nodejs' tls.connect() options)
// @default {}
//
// Example:
// You can use this option in order to force the use of IPv6:
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
tlsOptions: {},
//
// LDAP base dn, alternative to searchDN
//
// @type string
//
// baseDN: "",
//
// LDAP primary key
//
// @type string
// @default "uid"
//
primaryKey: "uid",
//
// LDAP search dn settings. This defines the procedure by which the
// lounge first look for user DN before authenticating her.
// Ignored if baseDN is specified
//
// @type object
//
searchDN: {
//
// LDAP searching bind DN
// This bind DN is used to query the server for the DN of the user.
// This is supposed to be a system user that has access in read only to
// the DNs of the people that are allowed to log in.
//
// @type string
//
rootDN: "cn=admin,dc=data,dc=coop",
//
// Password of the lounge LDAP system user
//
// @type string
//
rootPassword: "{{ ldap_admin_password }}",
//
// LDAP filter
//
// @type string
// @default "uid"
//
//filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
filter: "(objectClass=inetOrgPerson)",
//
// LDAP search base (search only within this node)
//
// @type string
//
base: "{{ ldap_dn }}",
//
// LDAP search scope
//
// @type string
// @default "sub"
//
scope: "sub",
},
},
// Extra debugging
//
// @type object
// @default {}
//
debug: {
// Enables extra debugging output provided by irc-framework.
//
// @type boolean
// @default false
//
ircFramework: false,
// Enables logging raw IRC messages into each server window.
//
// @type boolean
// @default false
//
raw: false,
},
};

14
roles/docker/tasks/services.yml
View file

@ -4,5 +4,15 @@
name: external_services name: external_services
- name: setup services - name: setup services
include_tasks: "services/{{ item }}.yml" include_tasks: "services/{{ item.value.file }}"
with_items: "{{ services }}" loop: "{{ services | dict2items }}"
when: single_service is not defined and
item.value.file is defined and
item.value.disabled_in_vagrant is not defined
- name: setup single service
include_tasks: "services/{{ services[single_service].file }}"
when: single_service is defined and
single_service in services and
services[single_service].file is defined and
services[single_service].disabled_in_vagrant is not defined

18
roles/docker/tasks/services/docker_registry.yml
View file

@ -2,34 +2,34 @@
- name: copy docker registry nginx configuration - name: copy docker registry nginx configuration
copy: copy:
src: "files/configs/docker_registry/nginx.conf" src: "files/configs/docker_registry/nginx.conf"
dest: "/docker-volumes/nginx/vhost/{{ docker_registry.domain }}" dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}"
mode: "0644" mode: "0644"
- name: docker registry container - name: docker registry container
docker_container: docker_container:
name: registry name: registry
image: registry:2 image: registry:{{ services.docker_registry.version }}
restart_policy: always restart_policy: always
volumes: volumes:
- "{{ docker_registry.volume_folder }}/registry:/var/lib/registry" - "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry"
- "{{ docker_registry.volume_folder }}/auth:/auth" - "{{ services.docker_registry.volume_folder }}/auth:/auth"
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST: "{{ docker_registry.domain }}" VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ docker_registry.domain }}" LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd" REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd" REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry" REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
- name: generate htpasswd file - name: generate htpasswd file
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ docker_registry.volume_folder }}/auth/htpasswd" shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd"
args: args:
creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to registry - name: log in to registry
docker_login: docker_login:
registry: "docker.data.coop" registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
username: "docker" username: "docker"
password: "{{ docker_password }}" password: "{{ docker_password }}"

14
roles/docker/tasks/services/drone.yml
View file

@ -14,31 +14,31 @@
- external_services - external_services
- drone - drone
volumes: volumes:
- "{{ drone.volume_folder }}:/data" - "{{ services.drone.volume_folder }}:/data"
- "/var/run/docker.sock:/var/run/docker.sock" - "/var/run/docker.sock:/var/run/docker.sock"
environment: environment:
DRONE_GITEA_SERVER: "https://{{ gitea.domain }}" DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}"
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}" DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}" DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: "true" DRONE_GIT_ALWAYS_AUTH: "true"
DRONE_SERVER_HOST: "{{ drone.domain }}" DRONE_SERVER_HOST: "{{ services.drone.domain }}"
DRONE_SERVER_PROTO: "https" DRONE_SERVER_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
PLUGIN_CUSTOM_DNS: "91.239.100.100" PLUGIN_CUSTOM_DNS: "91.239.100.100"
VIRTUAL_HOST: "{{ drone.domain }}" VIRTUAL_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_HOST: "{{ drone.domain }}" LETSENCRYPT_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
drone-runner-docker: drone-runner-docker:
container_name: "drone-runner-docker" container_name: "drone-runner-docker"
image: "drone/drone-runner-docker:1" image: "drone/drone-runner-docker:{{ services.drone.version }}"
restart: unless-stopped restart: unless-stopped
networks: networks:
- drone - drone
volumes: volumes:
- "/var/run/docker.sock:/var/run/docker.sock" - "/var/run/docker.sock:/var/run/docker.sock"
environment: environment:
DRONE_RPC_HOST: "{{ drone.domain }}" DRONE_RPC_HOST: "{{ services.drone.domain }}"
DRONE_RPC_PROTO: "https" DRONE_RPC_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2 DRONE_RUNNER_CAPACITY: 2

10
roles/docker/tasks/services/gitea.yml
View file

@ -7,25 +7,25 @@
- name: gitea container - name: gitea container
docker_container: docker_container:
name: gitea name: gitea
image: gitea/gitea:1.17 image: gitea/gitea:{{ services.gitea.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
networks: networks:
- name: gitea - name: gitea
- name: postfix - name: postfix
- name: external_services - name: external_services
volumes: volumes:
- "{{ gitea.volume_folder }}:/data" - "{{ services.gitea.volume_folder }}:/data"
published_ports: published_ports:
- "22:22" - "22:22"
env: env:
VIRTUAL_HOST: "{{ gitea.domain }}" VIRTUAL_HOST: "{{ services.gitea.domain }}"
VIRTUAL_PORT: "3000" VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ gitea.domain }}" LETSENCRYPT_HOST: "{{ services.gitea.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization # Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
GITEA__mailer__ENABLED: "true" GITEA__mailer__ENABLED: "true"
GITEA__mailer__FROM: "noreply@{{ gitea.domain }}" GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}"
GITEA__mailer__MAILER_TYPE: "smtp" GITEA__mailer__MAILER_TYPE: "smtp"
GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}" GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
GITEA__mailer__USER: "noop" GITEA__mailer__USER: "noop"

18
roles/docker/tasks/services/hedgedoc.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: create hedgedoc volume folders - name: create hedgedoc volume folders
file: file:
name: "{{ hedgedoc.volume_folder }}/{{ volume }}" name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
state: directory state: directory
loop: loop:
- "db" - "db"
@ -12,7 +12,7 @@
- name: copy sso public certificate - name: copy sso public certificate
copy: copy:
src: "files/sso/sso.data.coop.pem" src: "files/sso/sso.data.coop.pem"
dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem" dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644" mode: "0644"
- name: setup hedgedoc - name: setup hedgedoc
@ -31,13 +31,13 @@
networks: networks:
- "hedgedoc" - "hedgedoc"
volumes: volumes:
- "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" - "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
app: app:
image: quay.io/hedgedoc/hedgedoc:1 image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
environment: environment:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
CMD_DOMAIN: "{{ hedgedoc.domain }}" CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: "False" CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem" CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False" CMD_EMAIL: "False"
@ -47,12 +47,12 @@
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CMD_USECDN: "false" CMD_USECDN: "false"
CMD_PROTOCOL_USESSL: "true" CMD_PROTOCOL_USESSL: "true"
VIRTUAL_HOST: "{{ hedgedoc.domain }}" VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ hedgedoc.domain }}" LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes: volumes:
- "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads" - "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
- "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem" - "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
restart: "unless-stopped" restart: "unless-stopped"
networks: networks:
- "hedgedoc" - "hedgedoc"

8
roles/docker/tasks/services/keycloak.yml
View file

@ -12,14 +12,14 @@
networks: networks:
- "keycloak" - "keycloak"
volumes: volumes:
- "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data" - "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data"
environment: environment:
POSTGRES_USER: "keycloak" POSTGRES_USER: "keycloak"
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}" POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: "keycloak" POSTGRES_DB: "keycloak"
app: app:
image: "quay.io/keycloak/keycloak:20.0" image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}"
restart: "unless-stopped" restart: "unless-stopped"
networks: networks:
- "keycloak" - "keycloak"
@ -36,9 +36,9 @@
- "--https-port=8080" - "--https-port=8080"
- "--http-relative-path=/auth" - "--http-relative-path=/auth"
environment: environment:
VIRTUAL_HOST: "{{ keycloak.domain }}" VIRTUAL_HOST: "{{ services.keycloak.domain }}"
VIRTUAL_PORT: "8080" VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ keycloak.domain }}" LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks: networks:

84
roles/docker/tasks/services/mailu.yml
View file

@ -2,7 +2,7 @@
- name: create mailu volume folders - name: create mailu volume folders
file: file:
name: "{{ mailu.volume_folder }}/{{ volume }}" name: "{{ services.mailu.volume_folder }}/{{ volume }}"
state: directory state: directory
loop: loop:
- redis - redis
@ -20,20 +20,20 @@
- name: upload mailu.env file - name: upload mailu.env file
template: template:
src: mailu.env.j2 src: mailu.env.j2
dest: "{{ mailu.volume_folder}}/mailu.env" dest: "{{ services.mailu.volume_folder}}/mailu.env"
- name: hard link to Let's Encrypt TLS certificate - name: hard link to Let's Encrypt TLS certificate
file: file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem" src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
dest: "{{ mailu.volume_folder }}/certs/cert.pem" dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
state: hard state: hard
force: yes force: yes
when: letsencrypt_enabled when: letsencrypt_enabled
- name: hard link to Let's Encrypt TLS key - name: hard link to Let's Encrypt TLS key
file: file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem" src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
dest: "{{ mailu.volume_folder }}/certs/key.pem" dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
state: hard state: hard
force: yes force: yes
when: letsencrypt_enabled when: letsencrypt_enabled
@ -49,30 +49,30 @@
image: redis:alpine image: redis:alpine
restart: always restart: always
volumes: volumes:
- "{{ mailu.volume_folder }}/redis:/data" - "{{ services.mailu.volume_folder }}/redis:/data"
database: database:
image: mailu/postgresql:{{ mailu.version }} image: mailu/postgresql:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes: volumes:
- "{{ mailu.volume_folder }}/data/psql_db:/data" - "{{ services.mailu.volume_folder }}/data/psql_db:/data"
- "{{ mailu.volume_folder }}/data/psql_backup:/backup" - "{{ services.mailu.volume_folder }}/data/psql_backup:/backup"
networks: networks:
- default - default
- external_services - external_services
front: front:
image: mailu/nginx:{{ mailu.version }} image: mailu/nginx:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
environment: environment:
VIRTUAL_HOST: "{{ mailu.domain }}" VIRTUAL_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_HOST: "{{ mailu.domain }}" LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes: volumes:
- "{{ mailu.volume_folder }}/certs:/certs" - "{{ services.mailu.volume_folder }}/certs:/certs"
- "{{ mailu.volume_folder }}/overrides/nginx:/overrides" - "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides"
expose: expose:
- "80" - "80"
ports: ports:
@ -85,70 +85,70 @@
- external_services - external_services
resolver: resolver:
image: mailu/unbound:{{ mailu.version }} image: mailu/unbound:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
networks: networks:
default: default:
ipv4_address: "{{ mailu.dns }}" ipv4_address: "{{ services.mailu.dns }}"
admin: admin:
image: mailu/admin:{{ mailu.version }} image: mailu/admin:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes: volumes:
- "{{ mailu.volume_folder }}/data:/data" - "{{ services.mailu.volume_folder }}/data:/data"
- "{{ mailu.volume_folder }}/dkim:/dkim" - "{{ services.mailu.volume_folder }}/dkim:/dkim"
depends_on: depends_on:
- redis - redis
imap: imap:
image: mailu/dovecot:{{ mailu.version }} image: mailu/dovecot:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes: volumes:
- "{{ mailu.volume_folder }}/mail:/mail" - "{{ services.mailu.volume_folder }}/mail:/mail"
- "{{ mailu.volume_folder }}/overrides:/overrides" - "{{ services.mailu.volume_folder }}/overrides:/overrides"
depends_on: depends_on:
- front - front
smtp: smtp:
image: mailu/postfix:{{ mailu.version }} image: mailu/postfix:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes: volumes:
- "{{ mailu.volume_folder }}/overrides:/overrides" - "{{ services.mailu.volume_folder }}/overrides:/overrides"
depends_on: depends_on:
- front - front
- resolver - resolver
dns: dns:
- "{{ mailu.dns }}" - "{{ services.mailu.dns }}"
antispam: antispam:
image: mailu/rspamd:{{ mailu.version }} image: mailu/rspamd:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes: volumes:
- "{{ mailu.volume_folder }}/filter:/var/lib/rspamd" - "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd"
- "{{ mailu.volume_folder }}/dkim:/dkim" - "{{ services.mailu.volume_folder }}/dkim:/dkim"
- "{{ mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d" - "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
depends_on: depends_on:
- front - front
- resolver - resolver
dns: dns:
- "{{ mailu.dns }}" - "{{ services.mailu.dns }}"
webmail: webmail:
image: mailu/rainloop:1.6 image: mailu/rainloop:1.6
restart: always restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env" env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes: volumes:
- "{{ mailu.volume_folder }}/webmail:/data" - "{{ services.mailu.volume_folder }}/webmail:/data"
depends_on: depends_on:
- front - front
- resolver - resolver
dns: dns:
- "{{ mailu.dns }}" - "{{ services.mailu.dns }}"
networks: networks:
default: default:
@ -156,7 +156,7 @@
ipam: ipam:
driver: default driver: default
config: config:
- subnet: "{{ mailu.subnet }}" - subnet: "{{ services.mailu.subnet }}"
external_services: external_services:
external: external:
name: external_services name: external_services

34
roles/docker/tasks/services/mastodon.yml
View file

@ -1,6 +1,6 @@
- name: create mastodon volume folders - name: create mastodon volume folders
file: file:
name: "{{ mastodon.volume_folder }}/{{ volume }}" name: "{{ services.mastodon.volume_folder }}/{{ volume }}"
state: directory state: directory
owner: "991" owner: "991"
group: "991" group: "991"
@ -14,12 +14,12 @@
- name: Copy mastodon environment file - name: Copy mastodon environment file
template: template:
src: files/configs/mastodon/env_file.j2 src: files/configs/mastodon/env_file.j2
dest: "{{ mastodon.volume_folder }}/env_file" dest: "{{ services.mastodon.volume_folder }}/env_file"
- name: upload vhost config for root domain - name: upload vhost config for root domain
template: template:
src: files/configs/mastodon/vhost-mastodon src: files/configs/mastodon/vhost-mastodon
dest: "{{ nginx.volume_folder }}/vhost/{{ mastodon.domain }}" dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
- name: set up mastodon - name: set up mastodon
docker_compose: docker_compose:
@ -37,7 +37,7 @@
healthcheck: healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres'] test: ['CMD', 'pg_isready', '-U', 'postgres']
volumes: volumes:
- "{{ mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data" - "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
environment: environment:
- 'POSTGRES_HOST_AUTH_METHOD=trust' - 'POSTGRES_HOST_AUTH_METHOD=trust'
@ -49,12 +49,12 @@
healthcheck: healthcheck:
test: ['CMD', 'redis-cli', 'ping'] test: ['CMD', 'redis-cli', 'ping']
volumes: volumes:
- "{{ mastodon.volume_folder }}/redis_data:/data" - "{{ services.mastodon.volume_folder }}/redis_data:/data"
web: web:
image: "tootsuite/mastodon:{{ mastodon_version }}" image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always restart: always
env_file: "{{ mastodon.volume_folder }}/env_file" env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks: networks:
- external_services - external_services
@ -66,18 +66,18 @@
- db - db
- redis - redis
volumes: volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
environment: environment:
VIRTUAL_HOST: "{{ mastodon.domain }}" VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "3000" VIRTUAL_PORT: "3000"
VIRTUAL_PATH: "/" VIRTUAL_PATH: "/"
LETSENCRYPT_HOST: "{{ mastodon.domain }}" LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
streaming: streaming:
image: "tootsuite/mastodon:{{ mastodon_version }}" image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always restart: always
env_file: "{{ mastodon.volume_folder }}/env_file" env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: node ./streaming command: node ./streaming
networks: networks:
- external_services - external_services
@ -91,14 +91,14 @@
- db - db
- redis - redis
environment: environment:
VIRTUAL_HOST: "{{ mastodon.domain }}" VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "4000" VIRTUAL_PORT: "4000"
VIRTUAL_PATH: "/api/v1/streaming" VIRTUAL_PATH: "/api/v1/streaming"
sidekiq: sidekiq:
image: "tootsuite/mastodon:{{ mastodon_version }}" image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always restart: always
env_file: "{{ mastodon.volume_folder }}/env_file" env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: bundle exec sidekiq -c 32 command: bundle exec sidekiq -c 32
environment: environment:
DB_POOL: 32 DB_POOL: 32
@ -110,7 +110,7 @@
- external_services - external_services
- internal_network - internal_network
volumes: volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
healthcheck: healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"] test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
@ -121,5 +121,3 @@
external: true external: true
internal_network: internal_network:
internal: true internal: true
vars:
mastodon_version: "v4.0.2"

40
roles/docker/tasks/services/matrix_riot.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: create matrix volume folders - name: create matrix volume folders
file: file:
name: "{{ matrix.volume_folder }}/{{ volume }}" name: "{{ services.matrix.volume_folder }}/{{ volume }}"
state: directory state: directory
owner: "991" owner: "991"
group: "991" group: "991"
@ -14,12 +14,12 @@
- name: create matrix DB folder - name: create matrix DB folder
file: file:
name: "{{ matrix.volume_folder }}/db" name: "{{ services.matrix.volume_folder }}/db"
state: "directory" state: "directory"
- name: create riot volume folders - name: create riot volume folders
file: file:
name: "{{ riot.volume_folder }}/{{ volume }}" name: "{{ services.riot.volume_folder }}/{{ volume }}"
state: directory state: directory
loop: loop:
- "data" - "data"
@ -29,38 +29,38 @@
- name: upload riot config.json - name: upload riot config.json
template: template:
src: files/configs/riot/config.json src: files/configs/riot/config.json
dest: "{{ riot.volume_folder }}/data/config.json" dest: "{{ services.riot.volume_folder }}/data/config.json"
- name: upload riot.im.conf - name: upload riot.im.conf
template: template:
src: files/configs/riot/riot.im.conf src: files/configs/riot/riot.im.conf
dest: "{{ riot.volume_folder }}/data/riot.im.conf" dest: "{{ services.riot.volume_folder }}/data/riot.im.conf"
- name: upload vhost config for root domain - name: upload vhost config for root domain
template: template:
src: files/configs/matrix/vhost-root src: files/configs/matrix/vhost-root
dest: "{{ nginx.volume_folder }}/vhost/{{ base_domain }}" dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}"
- name: upload vhost config for matrix domain - name: upload vhost config for matrix domain
template: template:
src: files/configs/matrix/vhost-matrix src: files/configs/matrix/vhost-matrix
dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}" dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
- name: upload vhost config for riot domain - name: upload vhost config for riot domain
template: template:
src: files/configs/matrix/vhost-riot src: files/configs/matrix/vhost-riot
dest: "{{ nginx.volume_folder }}/vhost/{{ item }}" dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}"
loop: "{{ riot.domains }}" loop: "{{ services.riot.domains }}"
- name: upload homeserver.yaml - name: upload homeserver.yaml
template: template:
src: "files/configs/matrix/homeserver.yaml.j2" src: "files/configs/matrix/homeserver.yaml.j2"
dest: "{{ matrix.volume_folder }}/data/homeserver.yaml" dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
- name: upload matrix logging config - name: upload matrix logging config
template: template:
src: "files/configs/matrix/matrix.data.coop.log.config" src: "files/configs/matrix/matrix.data.coop.log.config"
dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config" dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
- name: set up matrix and riot - name: set up matrix and riot
docker_compose: docker_compose:
@ -76,32 +76,32 @@
networks: networks:
- matrix - matrix
volumes: volumes:
- "{{ matrix.volume_folder }}/db:/var/lib/postgresql/data" - "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data"
environment: environment:
POSTGRES_USER: "synapse" POSTGRES_USER: "synapse"
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}" POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
matrix_app: matrix_app:
container_name: matrix container_name: matrix
image: matrixdotorg/synapse:v1.63.1 image: matrixdotorg/synapse:{{ services.matrix.version }}
restart: unless-stopped restart: unless-stopped
networks: networks:
- matrix - matrix
- external_services - external_services
volumes: volumes:
- "{{ matrix.volume_folder }}/data:/data" - "{{ services.matrix.volume_folder }}/data:/data"
environment: environment:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_CACHE_FACTOR: "2" SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: "INFO" SYNAPSE_LOG_LEVEL: "INFO"
VIRTUAL_HOST: "{{ matrix.domain }}" VIRTUAL_HOST: "{{ services.matrix.domain }}"
VIRTUAL_PORT: "8008" VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ matrix.domain }}" LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
riot: riot:
container_name: riot_app container_name: riot_app
image: avhost/docker-matrix-riot:v1.11.8 image: avhost/docker-matrix-riot:{{ services.riot.version }}
restart: unless-stopped restart: unless-stopped
networks: networks:
- matrix - matrix
@ -109,11 +109,11 @@
expose: expose:
- 8080 - 8080
volumes: volumes:
- "{{ riot.volume_folder }}/data:/data" - "{{ services.riot.volume_folder }}/data:/data"
environment: environment:
VIRTUAL_HOST: "{{ riot.domains|join(',') }}" VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
VIRTUAL_PORT: "8080" VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks: networks:

12
roles/docker/tasks/services/membersystem.yml
View file

@ -25,14 +25,14 @@
POSTGRES_PORT: 5432 POSTGRES_PORT: 5432
EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend" EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
VIRTUAL_HOST: "{{ membersystem.domain }}" VIRTUAL_HOST: "{{ services.membersystem.domain }}"
VIRTUAL_PORT: "8000" VIRTUAL_PORT: "8000"
LETSENCRYPT_HOST: "{{ membersystem.domain }}" LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
ALLOWED_HOSTS: "{{ membersystem.domain }}" ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}" CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
DJANGO_ADMINS: "{{ membersystem.django_admins }}" DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}" DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
postgres: postgres:
image: postgres:13-alpine image: postgres:13-alpine

6
roles/docker/tasks/services/netdata.yml
View file

@ -2,7 +2,7 @@
- name: setup netdata docker container for system monitoring - name: setup netdata docker container for system monitoring
docker_container: docker_container:
name: netdata name: netdata
image: netdata/netdata:v1 image: netdata/netdata:{{ services.netdata.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
hostname: "hevonen.servers.{{ base_domain }}" hostname: "hevonen.servers.{{ base_domain }}"
capabilities: capabilities:
@ -16,7 +16,7 @@
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST : "{{ netdata.domain }}" VIRTUAL_HOST : "{{ services.netdata.domain }}"
LETSENCRYPT_HOST: "{{ netdata.domain }}" LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999" PGID: "999"

16
roles/docker/tasks/services/nextcloud.yml
View file

@ -2,7 +2,7 @@
- name: upload vhost config for cloud.data.coop - name: upload vhost config for cloud.data.coop
template: template:
src: files/configs/nextcloud/vhost src: files/configs/nextcloud/vhost
dest: "{{ nginx.volume_folder }}/vhost/{{ nextcloud.domain }}" dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
notify: "restart nginx" notify: "restart nginx"
- name: setup nextcloud containers - name: setup nextcloud containers
@ -17,7 +17,7 @@
networks: networks:
- "nextcloud" - "nextcloud"
volumes: volumes:
- "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data" - "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
environment: environment:
POSTGRES_DB: "nextcloud" POSTGRES_DB: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}" POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
@ -33,29 +33,29 @@
- "nextcloud" - "nextcloud"
cron: cron:
image: "nextcloud:25-apache" image: "nextcloud:{{ services.nextcloud.version }}"
restart: "unless-stopped" restart: "unless-stopped"
entrypoint: "/cron.sh" entrypoint: "/cron.sh"
networks: networks:
- "nextcloud" - "nextcloud"
volumes: volumes:
- "{{ nextcloud.volume_folder }}/app:/var/www/html" - "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
depends_on: depends_on:
- "postgres" - "postgres"
- "redis" - "redis"
app: app:
image: "nextcloud:25-apache" image: "nextcloud:{{ services.nextcloud.version }}"
restart: "unless-stopped" restart: "unless-stopped"
networks: networks:
- "nextcloud" - "nextcloud"
- "postfix" - "postfix"
- "external_services" - "external_services"
volumes: volumes:
- "{{ nextcloud.volume_folder }}/app:/var/www/html" - "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
environment: environment:
VIRTUAL_HOST: "{{ nextcloud.domain }}" VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ nextcloud.domain }}" LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: "postgres" POSTGRES_HOST: "postgres"
POSTGRES_DB: "nextcloud" POSTGRES_DB: "nextcloud"

48
roles/docker/tasks/services/nginx-proxy.yml
View file

@ -1,48 +0,0 @@
---
- name: create nginx-proxy volume folders
file:
name: "{{ nginx.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: nginxproxy/nginx-proxy:1.0-alpine
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ nginx.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: nginxproxy/acme-companion:2.2
restart_policy: always
volumes:
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy
when: letsencrypt_enabled

48
roles/docker/tasks/services/nginx_proxy.yml Normal file
View file

@ -0,0 +1,48 @@
---
- name: create nginx-proxy volume folders
file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
restart_policy: always
volumes:
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy
when: letsencrypt_enabled

20
roles/docker/tasks/services/openldap.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: create ldap volume folders - name: create ldap volume folders
file: file:
name: "{{ ldap.volume_folder }}/{{ volume }}" name: "{{ services.openldap.volume_folder }}/{{ volume }}"
state: directory state: directory
loop: loop:
- "var/lib/ldap" - "var/lib/ldap"
@ -17,19 +17,19 @@
- name: openLDAP container - name: openLDAP container
docker_container: docker_container:
name: openldap name: openldap
image: osixia/openldap:1.5.0 image: osixia/openldap:{{ services.openldap.version }}
tty: true tty: true
interactive: true interactive: true
restart_policy: unless-stopped restart_policy: unless-stopped
volumes: volumes:
- "{{ ldap.volume_folder }}/var/lib/ldap:/var/lib/ldap" - "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
- "{{ ldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d" - "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
- "{{ ldap.volume_folder }}/certs:/container/service/slapd/assets/certs/" - "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
published_ports: published_ports:
- "389:389" - "389:389"
- "636:636" - "636:636"
hostname: "{{ ldap.domain }}" hostname: "{{ services.openldap.domain }}"
domainname: "{{ ldap.domain }}" # important: same as hostname domainname: "{{ services.openldap.domain }}" # important: same as hostname
networks: networks:
- name: ldap - name: ldap
env: env:
@ -58,7 +58,7 @@
- name: phpLDAPadmin container - name: phpLDAPadmin container
docker_container: docker_container:
name: phpldapadmin name: phpldapadmin
image: osixia/phpldapadmin:0.9.0 image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
networks: networks:
- name: external_services - name: external_services
@ -68,6 +68,6 @@
PHPLDAPADMIN_HTTPS: "false" PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true" PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
VIRTUAL_HOST: "{{ ldap.domain }}" VIRTUAL_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_HOST: "{{ ldap.domain }}" LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

14
roles/docker/tasks/services/passit.yml
View file

@ -13,13 +13,13 @@
networks: networks:
- "passit" - "passit"
volumes: volumes:
- "{{ passit.volume_folder }}/data:/var/lib/postgresql/data" - "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data"
environment: environment:
POSTGRES_USER: "passit" POSTGRES_USER: "passit"
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
passit_app: passit_app:
image: "passit/passit:stable" image: "passit/passit:{{ services.passit.version }}"
command: "bin/start.sh" command: "bin/start.sh"
restart: "always" restart: "always"
networks: networks:
@ -31,11 +31,11 @@
SECRET_KEY: "{{ passit_secret_key }}" SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: 'False' IS_DEBUG: 'False'
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}" DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}"
EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}" EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}"
FIDO_SERVER_ID: "{{ passit.domain }}" FIDO_SERVER_ID: "{{ services.passit.domain }}"
VIRTUAL_HOST: "{{ passit.domain }}" VIRTUAL_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_HOST: "{{ passit.domain }}" LETSENCRYPT_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks: networks:

10
roles/docker/tasks/services/portainer.yml
View file

@ -2,21 +2,21 @@
- name: create portainer volume folder - name: create portainer volume folder
file: file:
name: "{{ portainer.volume_folder }}" name: "{{ services.portainer.volume_folder }}"
state: directory state: directory
- name: run portainer - name: run portainer
docker_container: docker_container:
name: portainer name: portainer
image: portainer/portainer-ee:2.16.2 image: portainer/portainer-ee:{{ services.portainer.version }}
restart_policy: always restart_policy: always
networks: networks:
- name: external_services - name: external_services
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- "{{ portainer.volume_folder }}:/data" - "{{ services.portainer.volume_folder }}:/data"
env: env:
VIRTUAL_HOST: "{{ portainer.domain }}" VIRTUAL_HOST: "{{ services.portainer.domain }}"
VIRTUAL_PORT: "9000" VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ portainer.domain }}" LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

5
roles/docker/tasks/services/postfix.yml
View file

@ -10,10 +10,11 @@
- name: setup postfix docker container for outgoing mail - name: setup postfix docker container for outgoing mail
docker_container: docker_container:
name: postfix name: postfix
image: boky/postfix:v3.5.1-alpine image: boky/postfix:{{ services.postfix.version }}
restart_policy: always restart_policy: always
networks: networks:
- name: postfix - name: postfix
env: env:
ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}" # Get all services which have allowed_sender_domain defined
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}"
HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as

14
roles/docker/tasks/services/privatebin.yml
View file

@ -2,7 +2,7 @@
- name: create privatebin volume folders - name: create privatebin volume folders
file: file:
name: "{{ privatebin.volume_folder }}/{{ volume }}" name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
state: directory state: directory
loop: loop:
- cfg - cfg
@ -13,19 +13,19 @@
- name: upload privatebin config - name: upload privatebin config
template: template:
src: files/configs/privatebin-conf.php src: files/configs/privatebin-conf.php
dest: "{{ privatebin.volume_folder }}/cfg/conf.php" dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
- name: privatebin app container - name: privatebin app container
docker_container: docker_container:
name: privatebin name: privatebin
image: jgeusebroek/privatebin:latest image: jgeusebroek/privatebin:{{ services.privatebin.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
volumes: volumes:
- "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg" - "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg"
- "{{ privatebin.volume_folder }}/data:/privatebin/data" - "{{ services.privatebin.volume_folder }}/data:/privatebin/data"
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST: "{{ privatebin.domain }}" VIRTUAL_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_HOST: "{{ privatebin.domain }}" LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

16
roles/docker/tasks/services/rallly.yml
View file

@ -1,12 +1,12 @@
- name: Create rallly volume folders - name: Create rallly volume folders
file: file:
name: "{{ rallly.volume_folder }}/postgres" name: "{{ services.rallly.volume_folder }}/postgres"
state: directory state: directory
- name: Copy Rallly environment file - name: Copy Rallly environment file
template: template:
src: files/configs/rallly/env_file src: files/configs/rallly/env_file.j2
dest: "{{ rallly.volume_folder }}/env_file" dest: "{{ services.rallly.volume_folder }}/env_file"
- name: Set up Rallly - name: Set up Rallly
docker_compose: docker_compose:
@ -22,7 +22,7 @@
networks: networks:
rallly_internal: rallly_internal:
volumes: volumes:
- "{{ rallly.volume_folder }}/postgres:/var/lib/postgresql/data" - "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data"
environment: environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}" POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
POSTGRES_DB: "rallly_db" POSTGRES_DB: "rallly_db"
@ -33,7 +33,7 @@
retries: 5 retries: 5
rallly: rallly:
image: "lukevella/rallly:a21f92bf74308d66cfcd545d49b81eba0211a222" image: "lukevella/rallly:{{ services.rallly.version }}"
restart: "always" restart: "always"
networks: networks:
rallly_internal: rallly_internal:
@ -43,11 +43,11 @@
rallly_db: rallly_db:
condition: "service_healthy" condition: "service_healthy"
env_file: env_file:
- "{{ rallly.volume_folder }}/env_file" - "{{ services.rallly.volume_folder }}/env_file"
environment: environment:
VIRTUAL_HOST: "{{ rallly.domain }}" VIRTUAL_HOST: "{{ services.rallly.domain }}"
VIRTUAL_PORT: "3000" VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ rallly.domain }}" LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks: networks:

9
roles/docker/tasks/services/restic-backup.yml → roles/docker/tasks/services/restic_backup.yml
View file

@ -1,6 +1,5 @@
--- ---
- name: Setup restic backup - name: Setup restic backup
when: not vagrant
docker_compose: docker_compose:
project_name: restic_backup project_name: restic_backup
pull: true pull: true
@ -8,12 +7,12 @@
version: '3.6' version: '3.6'
services: services:
restic-backup: restic-backup:
image: mazzolino/restic:1.6.0 image: mazzolino/restic:{{ services.restic.version }}
restart: always restart: always
environment: environment:
RUN_ON_STARTUP: "true" RUN_ON_STARTUP: "true"
BACKUP_CRON: "0 30 3 * * *" BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
RESTIC_BACKUP_SOURCES: "/mnt/volumes" RESTIC_BACKUP_SOURCES: "/mnt/volumes"
RESTIC_BACKUP_ARGS: >- RESTIC_BACKUP_ARGS: >-
@ -30,10 +29,10 @@
- /docker-volumes:/mnt/volumes:ro - /docker-volumes:/mnt/volumes:ro
restic-prune: restic-prune:
image: "mazzolino/restic:1.6.0" image: "mazzolino/restic:{{ services.restic.version }}"
environment: environment:
RUN_ON_STARTUP: "true" RUN_ON_STARTUP: "true"
PRUNE_CRON: "0 0 4 * * *" PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
TZ: Europe/copenhagen TZ: Europe/copenhagen

2
roles/docker/tasks/services/watchtower.yml
View file

@ -4,6 +4,8 @@
name: watchtower name: watchtower
image: containrrr/watchtower:amd64-1.5.1 image: containrrr/watchtower:amd64-1.5.1
restart_policy: unless-stopped restart_policy: unless-stopped
networks:
- name: external_services
env: env:
WATCHTOWER_POLL_INTERVAL: 60 WATCHTOWER_POLL_INTERVAL: 60
volumes: volumes:

87
roles/docker/tasks/services/websites.yml
View file

@ -1,87 +0,0 @@
---
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- name: setup new-new data.coop website using unipi
docker_container:
name: new-new.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# The ssh-key is for read-only only
command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"
- name: setup 2022.slides.data.coop website using unipi
docker_container:
name: 2022.slides.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Temporarily hosting on github
command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

20
roles/docker/tasks/services/websites/2022.slides.data.coop.yml Normal file
View file

@ -0,0 +1,20 @@
---
- name: setup 2022.slides.data.coop website using unipi
docker_container:
name: 2022.slides.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Temporarily hosting on github
command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"

13
roles/docker/tasks/services/websites/cryptoaarhus.dk.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

13
roles/docker/tasks/services/websites/cryptohagen.dk.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

13
roles/docker/tasks/services/websites/data.coop.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

18
roles/docker/tasks/services/websites/new-new.data.coop.yml Normal file
View file

@ -0,0 +1,18 @@
- name: setup new-new data.coop website using unipi
docker_container:
name: new-new.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# The ssh-key is for read-only only
command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"

13
roles/docker/tasks/services/websites/new.data.coop.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

4
roles/docker/tasks/services/ulovliglogning-dk.yml → roles/docker/tasks/services/websites/ulovliglogning.dk.yml
View file

@ -6,6 +6,6 @@
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}" VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

2
roles/docker/templates/mailu.env.j2
View file

@ -26,7 +26,7 @@ SECRET_KEY={{ mailu_secret_key }}
# PUBLIC_IPV6= ::1 (default: ::1) # PUBLIC_IPV6= ::1 (default: ::1)
# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET={{ mailu.subnet }} SUBNET={{ services.mailu.subnet }}
# Main mail domain # Main mail domain
DOMAIN=data.coop DOMAIN=data.coop

4
roles/ubuntu_base/tasks/users.yml
View file

@ -9,14 +9,14 @@
loop: "{{ users | default([]) }}" loop: "{{ users | default([]) }}"
- name: "Add ssh authorized_keys" - name: "Add ssh authorized_keys"
authorized_key: ansible.posix.authorized_key:
user: "{{ item.name }}" user: "{{ item.name }}"
key: "{{ item.ssh_keys | join('\n') }}" key: "{{ item.ssh_keys | join('\n') }}"
exclusive: true exclusive: true
loop: "{{ users | default([]) }}" loop: "{{ users | default([]) }}"
- name: "Add ssh authorized_keys to root user" - name: "Add ssh authorized_keys to root user"
authorized_key: ansible.posix.authorized_key:
user: "root" user: "root"
key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}" key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"
exclusive: true exclusive: true

1
vagrant_host Normal file
View file

@ -0,0 +1 @@
localhost ansible_port=19022