From a4a06d8a58bc63d635351875ebd7609178a44a4d Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 18:59:00 +0100 Subject: [PATCH 01/22] Upgrade Watchtower and disable filter by enable label --- roles/docker/tasks/services/watchtower.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 586ce249..c5c63ebf 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,13 +2,12 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:1.4.0 + image: containrrr/watchtower:latest restart_policy: unless-stopped + env: + WATCHTOWER_POLL_INTERVAL: 60 networks: - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" - env: - WATCHTOWER_LABEL_ENABLE: "true" - WATCHTOWER_POLL_INTERVAL: "60" \ No newline at end of file From 5d26e1cdea7f9a24edcda4d1aaf1fd3f34626eab Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 20:57:15 +0100 Subject: [PATCH 02/22] Fix mount point for Watchtower The auth file created by the registry login task doesn't need to be stored in a non-default path. --- roles/docker/tasks/services/docker_registry.yml | 3 +-- roles/docker/tasks/services/watchtower.yml | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 975db503..a88a7074 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml 
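Review bot: `WATCHTOWER_POLL_INTERVAL: 60` in the new `env:` block is an unquoted integer, and `docker_container` rejects non-string env values ("Non-string value found for env option"), so the quoting the removed line had should be kept: `WATCHTOWER_POLL_INTERVAL: "60"`. Dropping `WATCHTOWER_LABEL_ENABLE` at the same time turns Watchtower from an opt-in updater into one that re-pulls and restarts every container on the host, including the databases and the reverse proxy, with no digest verification of what it pulls. That scope change deserves a comment on the task, e.g. `# updates ALL containers on this host; every image tag here must be one whose movement we trust`. The `:latest` tag is re-pinned later in this series, so only the quoting and the scope are raised here.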
@@ -28,9 +28,8 @@ args: creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" -- name: log in to local registry +- name: log in to registry docker_login: registry: "{{ docker_registry.domain }}" username: "docker" password: "{{ docker_password }}" - config_path: "{{ docker_registry.volume_folder }}/auth/config.json" diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index c5c63ebf..e6afd3d6 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -9,5 +9,5 @@ networks: - name: external_services volumes: - - /var/run/docker.sock:/var/run/docker.sock - - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" + - "/var/run/docker.sock:/var/run/docker.sock" + - "/root/.docker/config.json:/config.json:ro" From 27b918b46b010d4eb6aee151695fc8b540a0c2b4 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 21:07:12 +0100 Subject: [PATCH 03/22] Remove labels --- roles/docker/tasks/services/membersystem.yml | 2 -- roles/docker/tasks/services/netdata.yml | 5 ----- roles/docker/tasks/services/rallly.yml | 4 ---- roles/docker/tasks/services/ulovliglogning-dk.yml | 2 -- roles/docker/tasks/services/websites.yml | 13 ------------- 5 files changed, 26 deletions(-) diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index b214abb5..66a26b01 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -33,8 +33,6 @@ CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}" DJANGO_ADMINS: "{{ membersystem.django_admins }}" DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}" - labels: - com.centurylinklabs.watchtower.enable: "true" postgres: image: postgres:13-alpine diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index c1eb3967..5edcb6c8 100644 --- a/roles/docker/tasks/services/netdata.yml 
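Review bot: Removing `config_path` makes `docker_login` write the credential for `{{ docker_password }}` into root's default `/root/.docker/config.json`, where it is stored base64-encoded, not encrypted, alongside any other registry root ever logs into. That is the same file the Watchtower task in this commit mounts, so Watchtower now sees every credential in it rather than only the one for this registry. If the shared file is intended, say so on the task, e.g. `# writes to /root/.docker/config.json (base64 auth, keep 0600) — also mounted into watchtower`; otherwise a dedicated `config_path` or a credential helper keeps the blast radius to one registry.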
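Review bot: Bind-mounting the single file `/root/.docker/config.json` breaks if the file does not exist when the container is created: Docker then creates an empty directory at that path, and the later `docker login` cannot write its config. The login task in `docker_registry.yml` presumably runs before this one, but that ordering is not visible here and should be recorded on the volume, e.g. `# requires the docker_login task in docker_registry.yml to have run first`. The `:ro` on the credential mount is good; the read-write `docker.sock` mount still gives this container root-equivalent control of the host, so the Watchtower image itself must be pinned and trusted.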
+++ b/roles/docker/tasks/services/netdata.yml @@ -1,5 +1,4 @@ --- - - name: setup netdata docker container for system monitoring docker_container: name: netdata @@ -21,7 +20,3 @@ LETSENCRYPT_HOST: "{{ netdata.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" PGID: "999" - labels: - com.centurylinklabs.watchtower.enable: "true" - - diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index c5576f5e..c0832512 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -31,8 +31,6 @@ interval: 5s timeout: 5s retries: 5 - labels: - com.centurylinklabs.watchtower.enable: "true" rallly: image: "lukevella/rallly:latest" @@ -51,8 +49,6 @@ VIRTUAL_PORT: "3000" LETSENCRYPT_HOST: "{{ rallly.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" networks: rallly_internal: diff --git a/roles/docker/tasks/services/ulovliglogning-dk.yml b/roles/docker/tasks/services/ulovliglogning-dk.yml index 0258df61..9b57bbb5 100644 --- a/roles/docker/tasks/services/ulovliglogning-dk.yml +++ b/roles/docker/tasks/services/ulovliglogning-dk.yml @@ -9,5 +9,3 @@ VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml index 8c1b7931..8938e2dc 100644 --- a/roles/docker/tasks/services/websites.yml +++ b/roles/docker/tasks/services/websites.yml @@ -11,9 +11,6 @@ VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - - name: setup new data.coop website using hugo docker_container: 
@@ -26,8 +23,6 @@ VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup new-new data.coop website using unipi docker_container: @@ -47,8 +42,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup 2022.slides.data.coop website using unipi docker_container: @@ -68,8 +61,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptohagen.dk website docker container docker_container: @@ -82,8 +73,6 @@ VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptoaarhus.dk website docker container docker_container: @@ -96,5 +85,3 @@ VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" From e5dcfea003226494b402bb6fc434f73c98858498 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 19 Nov 2022 18:19:43 +0100 Subject: [PATCH 04/22] Pin Watchtower version --- roles/docker/tasks/services/watchtower.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index e6afd3d6..370219ac 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,7 +2,7 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:latest + image: containrrr/watchtower:amd64-1.5.1 restart_policy: unless-stopped env: WATCHTOWER_POLL_INTERVAL: 60 
From c9ab9f0c66ec3c78a6b6865d565a3cb5bc6551c3 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 19 Nov 2022 18:20:10 +0100 Subject: [PATCH 05/22] Watchtower doesn't need external_services network --- roles/docker/tasks/services/watchtower.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 370219ac..6a036795 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -6,8 +6,6 @@ restart_policy: unless-stopped env: WATCHTOWER_POLL_INTERVAL: 60 - networks: - - name: external_services volumes: - "/var/run/docker.sock:/var/run/docker.sock" - "/root/.docker/config.json:/config.json:ro" From d9de1efc9af680491cb66963c3294a1d611e54d2 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:02:30 +0100 Subject: [PATCH 06/22] Pin Gitea to 1.17 instead of 1.17.3 Gitea's "minor" version change seems to be the one that occasionally introduces breaking changes, so let's not update that automatically. Only keep the patch-releases automatically updated. --- roles/docker/tasks/services/gitea.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index aeffae18..1b1efdc5 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml @@ -7,7 +7,7 @@ - name: gitea container docker_container: name: gitea - image: gitea/gitea:1.17.3 + image: gitea/gitea:1.17 restart_policy: unless-stopped networks: - name: gitea From 1f619096054d4be4001f3f4181acce83792225f1 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:16:36 +0100 Subject: [PATCH 07/22] Pin HedgeDoc to major version 1 From https://docs.hedgedoc.org/setup/getting-started/#upgrading-hedgedoc > HedgeDoc follows [Semantic Versioning](https://semver.org/). > This means that minor and patch releases should not introduce > user-facing backwards-incompatible changes. --- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index ea7b38d3..96e82dc0 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -34,7 +34,7 @@ - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:1.9.0 + image: quay.io/hedgedoc/hedgedoc:1 environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ hedgedoc.domain }}" @@ -63,4 +63,4 @@ networks: hedgedoc: external_services: - external: true \ No newline at end of file + external: true From 9261cb1952846052934e5c7daa4ddd8e3d5c9c31 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:34:43 +0100 Subject: [PATCH 08/22] Pin Keycoak to 20.0 (minor version) --- roles/docker/tasks/services/keycloak.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 26a56618..b1169ae8 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -19,7 +19,7 @@ POSTGRES_DB: "keycloak" app: - image: "quay.io/keycloak/keycloak:20.0.1" + image: "quay.io/keycloak/keycloak:20.0" restart: "unless-stopped" networks: - "keycloak" From 687bff35e9c90eebb4dfff496d280dd514235ea4 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:00:48 +0100 Subject: [PATCH 09/22] Pin netdata to v1 --- roles/docker/tasks/services/netdata.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index 5edcb6c8..3b2a466c 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -2,7 +2,7 @@ - name: setup netdata docker container for system monitoring docker_container: name: netdata - image: netdata/netdata + image: netdata/netdata:v1 restart_policy: unless-stopped hostname: "hevonen.servers.{{ base_domain }}" capabilities: From 221ddd987fa68b065d6d7250bd2a1ded03da9580 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:05:01 +0100 Subject: [PATCH 10/22] Upgrade Postfix to 3.5.1 and use Alpine-based image --- roles/docker/tasks/services/postfix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index 9fb9ce88..8b7e77ea 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml @@ -10,7 +10,7 @@ - name: setup postfix docker container for outgoing mail docker_container: name: postfix - image: boky/postfix:v3.5.0 + image: boky/postfix:v3.5.1-alpine restart_policy: always networks: - name: postfix From 74dfcfb5e8043344f80d8c10a5b04df47766a1fc Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:09:05 +0100 Subject: [PATCH 11/22] Keycloak: avoid very long lines :( --- roles/docker/tasks/services/keycloak.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index b1169ae8..ac1f6730 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml 
@@ -25,7 +25,16 @@ - "keycloak" - "postfix" - "external_services" - command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth" + command: + - "start" + - "--db=postgres" + - "--db-url=jdbc:postgresql://postgres:5432/keycloak" + - "--db-username=keycloak" + - "--db-password={{ postgres_passwords.keycloak }}" + - "--hostname={{ keycloak.domain }}" + - "--proxy=edge" + - "--https-port=8080" + - "--http-relative-path=/auth" environment: VIRTUAL_HOST: "{{ keycloak.domain }}" VIRTUAL_PORT: "8080" From 2c9c501562e954f0e033857f5cda7e73be29e9f0 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Tue, 6 Dec 2022 18:06:31 +0100 Subject: [PATCH 12/22] Remove label from Pinafore --- roles/docker/tasks/services/pinafore.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/docker/tasks/services/pinafore.yml b/roles/docker/tasks/services/pinafore.yml index a275f3a1..eadb99b2 100644 --- a/roles/docker/tasks/services/pinafore.yml +++ b/roles/docker/tasks/services/pinafore.yml @@ -10,5 +10,3 @@ VIRTUAL_PORT: "4002" LETSENCRYPT_HOST: "{{ services.pinafore.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" From d6ce46e2f2383dec13bd9bdee4a8f0cb153df72e Mon Sep 17 00:00:00 2001 
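Review bot: `--db-password={{ postgres_passwords.keycloak }}` puts the database password on the process command line, where it is visible in `ps` on the host, in `docker inspect`, and to any container holding the Docker socket. Keycloak reads the same setting from the `KC_DB_PASSWORD` environment variable, so splitting the command into a list is a good moment to drop that entry and add `KC_DB_PASSWORD: "{{ postgres_passwords.keycloak }}"` under `environment:` instead; `inspect` still shows env vars, but the host process list no longer does. The `environment:` mapping this would extend continues past the end of the hunk.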
From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:19:07 +0100 Subject: [PATCH 13/22] Collect even more version numbers in docker/defaults/main.yml --- roles/docker/defaults/main.yml | 11 +++++++++++ roles/docker/tasks/services/drone.yml | 4 ++-- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- roles/docker/tasks/services/keycloak.yml | 3 +-- roles/docker/tasks/services/mastodon.yml | 4 ++-- roles/docker/tasks/services/matrix_riot.yml | 6 +++--- roles/docker/tasks/services/membersystem.yml | 4 ++-- roles/docker/tasks/services/nextcloud.yml | 4 ++-- roles/docker/tasks/services/passit.yml | 2 +- roles/docker/tasks/services/rallly.yml | 2 +- 10 files changed, 27 insertions(+), 17 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 9779f1e6..a7bc1d39 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -42,6 +42,7 @@ services: domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" version: "20.0" + postgres_version: 10 allowed_sender_domain: true restic: @@ -67,6 +68,8 @@ services: domain: "cloud.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud" version: 25-apache + postgres_version: 10 + redis_version: 7-alpine allowed_sender_domain: true gitea: @@ -81,6 +84,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable + postgres_version: 10 allowed_sender_domain: true matrix: @@ -88,6 +92,7 @@ services: domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.63.1 + postgres_version: 10 allowed_sender_domain: true riot: @@ -113,6 +118,7 @@ services: domain: "pad.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/hedgedoc" version: 1.9.6 + postgres_version: 10-alpine data_coop_website: file: websites/data.coop.yml 
@@ -168,6 +174,8 @@ services: domain: "social.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/mastodon" version: v4.0.2 + postgres_version: 14-alpine + redis_version: 6-alpine allowed_sender_domain: true rallly: @@ -175,6 +183,7 @@ services: domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" version: ac55701890cd866ee946deb25e2b2839fb14900e + postgres_version: 14-alpine allowed_sender_domain: true pinafore: @@ -186,6 +195,8 @@ services: file: membersystem.yml domain: "member.{{ base_domain }}" django_admins: "Vidir:valberg@orn.li" + version: latest + postgres_version: 13-alpine allowed_sender_domain: true watchtower: diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index 874ce03e..5d830079 100644 --- a/roles/docker/tasks/services/drone.yml +++ b/roles/docker/tasks/services/drone.yml @@ -8,7 +8,7 @@ services: drone: container_name: "drone" - image: drone/drone:1 + image: "drone/drone:{{ services.drone.version }}" restart: unless-stopped networks: - external_services @@ -48,4 +48,4 @@ drone: external_services: external: - name: external_services \ No newline at end of file + name: external_services diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index 7508535c..3b907a1e 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -22,7 +22,7 @@ definition: services: database: - image: "postgres:10-alpine" + image: "postgres:{{ services.hedgedoc.postgres_version }}" environment: POSTGRES_USER: "codimd" POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}" 
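Review bot: `version: latest` for membersystem is a mutable tag on the project's own registry, and with Watchtower now updating every container this means any image pushed under that tag is deployed to production automatically, with no human step and no digest check. If that is the intended continuous-deployment path, document it where the variable lives, e.g. `# 'latest' is auto-deployed by watchtower — a push to this tag goes live within a minute`; otherwise pin to a build tag or digest as the other services in this hunk do. Either way, push access to the registry is then the effective production deploy permission and should be reviewed as such.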
@@ -34,7 +34,7 @@ - "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }} + image: "quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}" environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ services.hedgedoc.domain }}" diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 3f2da44b..26033514 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -5,9 +5,8 @@ definition: version: "3.6" services: - postgres: - image: "postgres:10" + image: "postgres:{{ services.keycloak.postgres_version }}" restart: "unless-stopped" networks: - "keycloak" diff --git a/roles/docker/tasks/services/mastodon.yml b/roles/docker/tasks/services/mastodon.yml index eae1546f..656f9098 100644 --- a/roles/docker/tasks/services/mastodon.yml +++ b/roles/docker/tasks/services/mastodon.yml @@ -55,7 +55,7 @@ services: db: restart: always - image: postgres:14-alpine + image: "postgres:{{ services.mastodon.postgres_version }}" shm_size: 256mb networks: - internal_network @@ -70,7 +70,7 @@ redis: restart: always - image: redis:6-alpine + image: "redis:{{ services.mastodon.redis_version }}" networks: - internal_network healthcheck: diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index 34f302d4..6b5e9504 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml @@ -66,7 +66,7 @@ services: matrix_db: container_name: matrix_db - image: postgres:10 + image: "postgres:{{ services.matrix.postgres_version }}" restart: unless-stopped networks: - matrix 
@@ -78,7 +78,7 @@ matrix_app: container_name: matrix - image: matrixdotorg/synapse:{{ services.matrix.version }} + image: "matrixdotorg/synapse:{{ services.matrix.version }}" restart: unless-stopped networks: - matrix @@ -96,7 +96,7 @@ riot: container_name: riot_app - image: avhost/docker-matrix-riot:{{ services.riot.version }} + image: "avhost/docker-matrix-riot:{{ services.riot.version }}" restart: unless-stopped networks: - matrix diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index ca63851e..a56bf59f 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -8,7 +8,7 @@ version: "3" services: backend: - image: docker.data.coop/membersystem:latest + image: "docker.data.coop/membersystem:{{ services.membersystem.version }}" restart: always user: $UID:$GID tty: true @@ -37,7 +37,7 @@ com.centurylinklabs.watchtower.enable: "true" postgres: - image: postgres:13-alpine + image: "postgres:{{ services.membersystem.postgres_version }}" restart: always volumes: - "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data" diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml index d36f8def..1c938b9d 100644 --- a/roles/docker/tasks/services/nextcloud.yml +++ b/roles/docker/tasks/services/nextcloud.yml @@ -12,7 +12,7 @@ definition: services: postgres: - image: "postgres:10" + image: "postgres:{{ services.nextcloud.postgres_version }}" restart: "unless-stopped" networks: - "nextcloud" @@ -24,7 +24,7 @@ POSTGRES_USER: "nextcloud" redis: - image: "redis:7-alpine" + image: "redis:{{ services.nextcloud.redis_version }}" restart: "unless-stopped" command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}" tmpfs: diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 300c0996..e76b6cab 100644 --- a/roles/docker/tasks/services/passit.yml 
+++ b/roles/docker/tasks/services/passit.yml @@ -8,7 +8,7 @@ version: "3.6" services: passit_db: - image: "postgres:10" + image: "postgres:{{ services.passit.postgres_version }}" restart: "always" networks: - "passit" diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index b5e9d2f2..22b11277 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -16,7 +16,7 @@ version: "3.8" services: rallly_db: - image: "postgres:14-alpine" + image: "postgres:{{ services.rallly.postgres_version }}" restart: "always" shm_size: "256mb" networks: From 231af48a40f46001ea7a1d63c83c5a99765cd9fb Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:23:23 +0100 Subject: [PATCH 14/22] Make quotations consistent --- roles/docker/defaults/main.yml | 48 +++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index a7bc1d39..e26c2aa8 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -7,59 +7,59 @@ services: postfix: file: postfix.yml domain: "smtp.{{ base_domain }}" - version: "v3.5.1-alpine" + version: v3.5.1-alpine nginx_proxy: file: nginx_proxy.yml - version: "1.0-alpine" + version: 1.0-alpine volume_folder: "{{ volume_root_folder }}/nginx" nginx_acme_companion: - version: "2.2" + version: 2.2 openldap: file: openldap.yml domain: "ldap.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/openldap" - version: "1.5.0" + version: 1.5.0 phpldapadmin: - version: "0.9.0" + version: 0.9.0 netdata: file: netdata.yml domain: "netdata.{{ base_domain }}" - version: "v1" + version: v1 portainer: file: portainer.yml domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" - version: "2.16.2" + version: 2.16.2 keycloak: file: keycloak.yml domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" - version: "20.0" + version: 20.0 postgres_version: 10 allowed_sender_domain: true restic: file: restic_backup.yml - user: "datacoop" - domain: "restic.cannedtuna.org" - repository: "datacoop-hevonen" - version: "1.6.0" + user: datacoop + domain: restic.cannedtuna.org + repository: datacoop-hevonen + version: 1.6.0 disabled_in_vagrant: true docker_registry: file: docker_registry.yml domain: "docker.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/docker-registry" - username: "docker" + username: docker password: "{{ docker_password }}" - version: "2" + version: 2 ### External services ### @@ -123,8 +123,8 @@ services: data_coop_website: file: websites/data.coop.yml domains: - - "{{ base_domain }}" - - "www.{{ base_domain }}" + - "{{ base_domain }}" + - "www.{{ base_domain }}" new_data_coop_website: file: websites/new.data.coop.yml 
@@ -139,21 +139,21 @@ services: cryptohagen_website: file: websites/cryptohagen.dk.yml domains: - - "cryptohagen.dk" - - "www.cryptohagen.dk" + - cryptohagen.dk + - www.cryptohagen.dk ulovliglogning_website: file: websites/ulovliglogning.dk.yml domains: - - "ulovliglogning.dk" - - "www.ulovliglogning.dk" - - "ulovlig-logning.dk" + - ulovliglogning.dk + - www.ulovliglogning.dk + - ulovlig-logning.dk cryptoaarhus_website: file: websites/cryptoaarhus.dk.yml domains: - - "cryptoaarhus.dk" - - "www.cryptoaarhus.dk" + - cryptoaarhus.dk + - www.cryptoaarhus.dk drone: file: drone.yml @@ -194,7 +194,7 @@ services: membersystem: file: membersystem.yml domain: "member.{{ base_domain }}" - django_admins: "Vidir:valberg@orn.li" + django_admins: Vidir:valberg@orn.li version: latest postgres_version: 13-alpine allowed_sender_domain: true From a10b07fa2c33752db08f8ba84d8e99e3ed24904b Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:46:52 +0100 Subject: [PATCH 15/22] Make quotations consistent --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index e26c2aa8..ba5f2fec 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -1,5 +1,5 @@ --- -volume_root_folder: "/docker-volumes" +volume_root_folder: /docker-volumes services: From 2f1c1887baf80b1f9dc7bfb23bb11b067318af10 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:21:34 +0100 Subject: [PATCH 16/22] Revert "Make quotations consistent" This reverts commit a10b07fa2c33752db08f8ba84d8e99e3ed24904b. --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 46edde40..ead56da6 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -1,6 +1,6 @@ # vim: ft=yaml.ansible --- -volume_root_folder: /docker-volumes +volume_root_folder: "/docker-volumes" services: From 9733794292b0da58732648b237dd13c77591dad1 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:22:47 +0100 Subject: [PATCH 17/22] Revert "Make quotations consistent" This reverts commit 231af48a40f46001ea7a1d63c83c5a99765cd9fb. --- roles/docker/defaults/main.yml | 50 ++++++++++++++++------------------ 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index ead56da6..ee348a0f 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -9,59 +9,59 @@ services: file: postfix.yml domain: "smtp.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/postfix" - version: v3.5.1-alpine + version: "v3.5.1-alpine" nginx_proxy: file: nginx_proxy.yml - version: 1.0-alpine + version: "1.0-alpine" volume_folder: "{{ volume_root_folder }}/nginx" nginx_acme_companion: - version: 2.2 + version: "2.2" openldap: file: openldap.yml domain: "ldap.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/openldap" - version: 1.5.0 + version: "1.5.0" phpldapadmin: - version: 0.9.0 + version: "0.9.0" netdata: file: netdata.yml domain: "netdata.{{ base_domain }}" - version: v1 + version: "v1" portainer: file: portainer.yml domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" - version: 2.16.2 + version: "2.16.2" keycloak: file: keycloak.yml domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" - version: 20.0 + version: "20.0" postgres_version: 10 allowed_sender_domain: true restic: file: restic_backup.yml - user: datacoop - domain: restic.cannedtuna.org - repository: datacoop-hevonen - version: 1.6.0 + user: "datacoop" + domain: "restic.cannedtuna.org" + repository: "datacoop-hevonen" + version: "1.6.0" disabled_in_vagrant: true docker_registry: file: docker_registry.yml domain: "docker.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/docker-registry" - username: docker + username: "docker" password: "{{ docker_password }}" - version: 2 + version: "2" ### External services ### 
@@ -141,21 +141,21 @@ services: cryptohagen_website: file: websites/cryptohagen.dk.yml domains: - - cryptohagen.dk - - www.cryptohagen.dk + - "cryptohagen.dk" + - "www.cryptohagen.dk" ulovliglogning_website: file: websites/ulovliglogning.dk.yml domains: - - ulovliglogning.dk - - www.ulovliglogning.dk - - ulovlig-logning.dk + - "ulovliglogning.dk" + - "www.ulovliglogning.dk" + - "ulovlig-logning.dk" cryptoaarhus_website: file: websites/cryptoaarhus.dk.yml domains: - - cryptoaarhus.dk - - www.cryptoaarhus.dk + - "cryptoaarhus.dk" + - "www.cryptoaarhus.dk" drone: file: drone.yml @@ -184,12 +184,8 @@ services: file: rallly.yml domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" -<<<<<<< HEAD - version: ac55701890cd866ee946deb25e2b2839fb14900e - postgres_version: 14-alpine -======= version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114 ->>>>>>> main + postgres_version: 14-alpine allowed_sender_domain: true pinafore: @@ -200,7 +196,7 @@ services: membersystem: file: membersystem.yml domain: "member.{{ base_domain }}" - django_admins: Vidir:valberg@orn.li + django_admins: "Vidir:valberg@orn.li" version: latest postgres_version: 13-alpine allowed_sender_domain: true From f81fab3d117554d57d2220bba0fe0c91d2a58861 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:31:08 +0100 Subject: [PATCH 18/22] Quote numbers --- roles/docker/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index ee348a0f..75e15e4c 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -44,7 +44,7 @@ services: domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" version: "20.0" - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true restic: 
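Review bot: `version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114` is a Git SHA left as a plain scalar; this one happens to parse as a string, but a SHA that is all decimal digits, or digits followed by `e` and more digits, is read as a number and the rendered image tag silently changes. Quoting it, `version: "e4482a1edb2fb56292d07ee8811a24f2a0d6b114"`, matches the quoting this revert restores elsewhere in the file. The removed lines also show that conflict markers had been committed into the defaults file; a yamllint or `git diff --check` step in CI would catch that before it reaches a deploy.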
@@ -70,7 +70,7 @@ services: domain: "cloud.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud" version: 25-apache - postgres_version: 10 + postgres_version: "10" redis_version: 7-alpine allowed_sender_domain: true @@ -86,7 +86,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true matrix: @@ -94,7 +94,7 @@ services: domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.63.1 - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true riot: From 388e0526ca80cb66386601e0d55e6c64529d13f2 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 21 Jan 2023 21:33:39 +0100 Subject: [PATCH 19/22] Set RUN_ON_STARTUP=false for Restic --- roles/docker/tasks/services/restic_backup.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml index 655ddb6d..20ed0754 100644 --- a/roles/docker/tasks/services/restic_backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -11,7 +11,7 @@ image: mazzolino/restic:{{ services.restic.version }} restart: always environment: - RUN_ON_STARTUP: "true" + RUN_ON_STARTUP: "false" BACKUP_CRON: "0 30 3 * * *" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" @@ -32,7 +32,7 @@ restic-prune: image: "mazzolino/restic:{{ services.restic.version }}" environment: - RUN_ON_STARTUP: "true" + RUN_ON_STARTUP: "false" PRUNE_CRON: "0 0 4 * * *" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" 
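Review bot: With `RUN_ON_STARTUP: "false"` a backup missed because the host or container was down at 03:30 is no longer caught up on restart, and nothing in this file checks that snapshots keep appearing. The reason for disabling the startup run is not recorded; a comment such as `# no run on (re)start: avoid an unscheduled backup/prune racing the nightly cron — relies on external snapshot-age monitoring` would make the trade-off explicit. The prune at 04:00 also starts only 30 minutes after the backup, so a slow backup meets a prune that takes the exclusive repository lock; worth confirming the two cannot overlap.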
From a5d59b93361029c4f959275c3499eff702d58891 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 21 Jan 2023 21:37:37 +0100 Subject: [PATCH 20/22] Fix variable --- roles/docker/tasks/services/keycloak.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 880a0cd0..7c23cfdd 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -32,7 +32,7 @@ - "--db-url=jdbc:postgresql://postgres:5432/keycloak" - "--db-username=keycloak" - "--db-password={{ postgres_passwords.keycloak }}" - - "--hostname={{ keycloak.domain }}" + - "--hostname={{ services.keycloak.domain }}" - "--proxy=edge" - "--https-port=8080" - "--http-relative-path=/auth" From 16aec98808b45be04c2ede44bb2dcf3c7fbea227 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 21 Jan 2023 21:49:27 +0100 Subject: [PATCH 21/22] HedgeDoc image version :1 doesn't exist, but Alpine doesn't have vulnerabilities --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 555a080d..626e9b35 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -119,7 +119,7 @@ services: file: hedgedoc.yml domain: "pad.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/hedgedoc" - version: 1 + version: 1.9.6-alpine postgres_version: 10-alpine data_coop_website: From 593dddd00ec6e43ef7f8af5e9c10ecfd33e253e4 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 22 Jan 2023 02:00:53 +0100 Subject: [PATCH 22/22] Upgrade Passit database and temporarily pin Passit due to WebAuthn bug --- roles/docker/defaults/main.yml | 2 +- roles/docker/tasks/services/passit.yml | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 626e9b35..79bf170f 100644 
--- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -86,7 +86,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable - postgres_version: "10" + postgres_version: 15-alpine allowed_sender_domain: true matrix: diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 60cb7bf3..375808f3 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml @@ -1,5 +1,12 @@ # vim: ft=yaml.ansible --- +- name: Create directory for Passit data + file: + name: "{{ services.passit.volume_folder }}/data" + owner: '70' + group: root + state: directory + - name: setup passit containers docker_compose: project_name: "passit" @@ -19,7 +26,7 @@ POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" passit_app: - image: "passit/passit:{{ services.passit.version }}" + image: "passit/passit@sha256:c4b96bc67222936f58f344d5dd1020227ad8e11ad5f82ed3cbf0bcfa8fe9b2e7" #:{{ services.passit.version }}" command: "bin/start.sh" restart: "always" networks:
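Review bot: The new `file` task creates the Passit data directory with `owner: '70'` but no `mode`, so it gets the default umask-derived permissions, typically 0755, for what is presumably the PostgreSQL data directory (uid 70 is the postgres user in the Alpine image). PostgreSQL refuses to start on a data directory that is group- or world-accessible, so add `mode: "0700"` unless the image entrypoint is known to fix the mode itself. The jump from `postgres_version: "10"` to `15-alpine` is also a major-version upgrade that needs a dump/restore or pg_upgrade of the existing data; the commit title says the database was upgraded, but the playbook does not show that step, so a comment pointing at how the migration was done would help the next upgrade.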
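Review bot: Pinning `passit/passit@sha256:…` is the right way to freeze a known-good build, but the trailing `#:{{ services.passit.version }}` leaves `services.passit.version` as dead configuration and says nothing about which release the digest corresponds to or why it is frozen. Replace the inline remnant with a comment that records the intent, e.g. `# pinned by digest to <release>: newer images break WebAuthn login; unpin once fixed upstream`, so the temporary pin is not forgotten. Note that Watchtower does not update digest-pinned images, so security fixes for Passit stop flowing until the pin is removed.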