From 7962a754812bc2c98f1f61d302d8e6af88913bb1 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 26 Nov 2022 16:38:32 +0100
Subject: [PATCH 1/9] Remove thelounge.js
---
 roles/docker/files/configs/thelounge.js | 511 ------------------------
 1 file changed, 511 deletions(-)
 delete mode 100644 roles/docker/files/configs/thelounge.js
diff --git a/roles/docker/files/configs/thelounge.js b/roles/docker/files/configs/thelounge.js
deleted file mode 100644
index 7dcdb25..0000000
--- a/roles/docker/files/configs/thelounge.js
+++ /dev/null
@@ -1,511 +0,0 @@ -"use strict"; - -module.exports = { - // - // Set the server mode. - // Public servers does not require authentication. - // - // Set to 'false' to enable users. - // - // @type boolean - // @default false - // - public: false, - - // - // IP address or hostname for the web server to listen on. - // Setting this to undefined will listen on all interfaces. - // - // For UNIX domain sockets, use unix:/absolute/path/to/file.sock. - // - // @type string - // @default undefined - // - host: undefined, - - // - // Set the port to listen on. - // - // @type int - // @default 9000 - // - port: 9000, - - // - // Set the local IP to bind to for outgoing connections. Leave to undefined - // to let the operating system pick its preferred one. - // - // @type string - // @default undefined - // - bind: undefined, - - // - // Sets whether the server is behind a reverse proxy and should honor the - // X-Forwarded-For header or not. - // - // @type boolean - // @default false - // - reverseProxy: false, - - // - // Set the default theme. - // Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html - // - // @type string - // @default "example" - // - theme: "example", - - // - // Prefetch URLs - // - // If enabled, The Lounge will try to load thumbnails and site descriptions from - // URLs posted in channels. - // - // @type boolean - // @default false - // - prefetch: false, - - // - // Store and proxy prefetched images and thumbnails. - // This improves security and privacy by not exposing client IP address, - // and always loading images from The Lounge instance and making all assets secure, - // which in result fixes mixed content warnings. - // - // If storage is enabled, The Lounge will fetch and store images and thumbnails - // in the `${THELOUNGE_HOME}/storage` folder. 
- // - // Images are deleted when they are no longer referenced by any message (controlled by maxHistory), - // and the folder is cleaned up on every The Lounge restart. - // - // @type boolean - // @default false - // - prefetchStorage: false, - - // - // Prefetch URLs Image Preview size limit - // - // If prefetch is enabled, The Lounge will only display content under the maximum size. - // Specified value is in kilobytes. Default value is 2048 kilobytes. - // - // @type int - // @default 2048 - // - prefetchMaxImageSize: 2048, - - // - // Display network - // - // If set to false network settings will not be shown in the login form. - // - // @type boolean - // @default true - // - displayNetwork: true, - - // - // Lock network - // - // If set to true, users will not be able to modify host, port and tls - // settings and will be limited to the configured network. - // - // @type boolean - // @default false - // - lockNetwork: false, - - // - // Hex IP - // - // If enabled, clients' username will be set to their IP encoded has hex. - // This is done to share the real user IP address with the server for host masking purposes. - // - // @type boolean - // @default false - // - useHexIp: false, - - // - // WEBIRC support - // - // If enabled, The Lounge will pass the connecting user's host and IP to the - // IRC server. Note that this requires to obtain a password from the IRC network - // The Lounge will be connecting to and generally involves a lot of trust from the - // network you are connecting to. 
- // - // Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"} - // Format (function): - // {"irc.example.net": function(client, args, trusted) { - // // here, we return a webirc object fed directly to `irc-framework` - // return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname}; - // }} - // - // @type string | function(client, args):object(webirc) - // @default null - webirc: null, - - // - // Log settings - // - // Logging has to be enabled per user. If enabled, logs will be stored in - // the 'logs///' folder. - // - // @type object - // @default {} - // - logs: { - // - // Timestamp format - // - // @type string - // @default "YYYY-MM-DD HH:mm:ss" - // - format: "YYYY-MM-DD HH:mm:ss", - - // - // Timezone - // - // @type string - // @default "UTC+00:00" - // - timezone: "UTC+00:00", - }, - - // - // Maximum number of history lines per channel - // - // Defines the maximum number of history lines that will be kept in - // memory per channel/query, in order to reduce the memory usage of - // the server. Setting this to -1 will keep unlimited amount. - // - // @type integer - // @default 10000 - maxHistory: 10000, - - // - // Default values for the 'Connect' form. 
- // - // @type object - // @default {} - // - defaults: { - // - // Name - // - // @type string - // @default "Freenode" - // - name: "Freenode", - - // - // Host - // - // @type string - // @default "chat.freenode.net" - // - host: "chat.freenode.net", - - // - // Port - // - // @type int - // @default 6697 - // - port: 6697, - - // - // Password - // - // @type string - // @default "" - // - password: "", - - // - // Enable TLS/SSL - // - // @type boolean - // @default true - // - tls: true, - - // - // Nick - // - // @type string - // @default "lounge-user" - // - nick: "lounge-user", - - // - // Username - // - // @type string - // @default "lounge-user" - // - username: "lounge-user", - - // - // Real Name - // - // @type string - // @default "The Lounge User" - // - realname: "The Lounge User", - - // - // Channels - // This is a comma-separated list. - // - // @type string - // @default "#thelounge" - // - join: "#thelounge", - }, - - // - // Set socket.io transports - // - // @type array - // @default ["polling", "websocket"] - // - transports: ["polling", "websocket"], - - // - // Run The Lounge using encrypted HTTP/2. - // This will fallback to regular HTTPS if HTTP/2 is not supported. - // - // @type object - // @default {} - // - https: { - // - // Enable HTTP/2 / HTTPS support. - // - // @type boolean - // @default false - // - enable: false, - - // - // Path to the key. - // - // @type string - // @example "sslcert/key.pem" - // @default "" - // - key: "", - - // - // Path to the certificate. - // - // @type string - // @example "sslcert/key-cert.pem" - // @default "" - // - certificate: "", - - // - // Path to the CA bundle. - // - // @type string - // @example "sslcert/bundle.pem" - // @default "" - // - ca: "", - }, - - // - // Default quit and part message if none is provided. 
- // - // @type string - // @default "The Lounge - https://thelounge.github.io" - // - leaveMessage: "The Lounge - https://thelounge.github.io", - - // - // Run The Lounge with identd support. - // - // @type object - // @default {} - // - identd: { - // - // Run the identd daemon on server start. - // - // @type boolean - // @default false - // - enable: false, - - // - // Port to listen for ident requests. - // - // @type int - // @default 113 - // - port: 113, - }, - - // - // Enable oidentd support using the specified file - // - // Example: oidentd: "~/.oidentd.conf", - // - // @type string - // @default null - // - oidentd: null, - - // - // LDAP authentication settings (only available if public=false) - // @type object - // @default {} - // - // The authentication process works as follows: - // - // 1. Lounge connects to the LDAP server with its system credentials - // 2. It performs a LDAP search query to find the full DN associated to the - // user requesting to log in. - // 3. Lounge tries to connect a second time, but this time using the user's - // DN and password. Auth is validated iff this connection is successful. - // - // The search query takes a couple of parameters in `searchDN`: - // - a base DN `searchDN/base`. Only children nodes of this DN will be likely - // to be returned; - // - a search scope `searchDN/scope` (see LDAP documentation); - // - the query itself, build as (&(=) ) - // where is the user name provided in the log in request, - // is provided by the config and is a filtering complement - // also given in the config, to filter for instance only for nodes of type - // inetOrgPerson, or whatever LDAP search allows. - // - // Alternatively, you can specify the `bindDN` parameter. This will make the lounge - // ignore searchDN options and assume that the user DN is always: - // ,= - // where is the user name provided in the log in request, and - // and are provided by the config. 
- // - ldap: { - // - // Enable LDAP user authentication - // - // @type boolean - // @default false - // - enable: true, - - // - // LDAP server URL - // - // @type string - // - url: "ldap://{{ services.openldap.domain }}", - - // - // LDAP connection tls options (only used if scheme is ldaps://) - // - // @type object (see nodejs' tls.connect() options) - // @default {} - // - // Example: - // You can use this option in order to force the use of IPv6: - // { - // host: 'my::ip::v6', - // servername: 'example.com' - // } - tlsOptions: {}, - - // - // LDAP base dn, alternative to searchDN - // - // @type string - // - // baseDN: "", - - // - // LDAP primary key - // - // @type string - // @default "uid" - // - primaryKey: "uid", - - // - // LDAP search dn settings. This defines the procedure by which the - // lounge first look for user DN before authenticating her. - // Ignored if baseDN is specified - // - // @type object - // - searchDN: { - - // - // LDAP searching bind DN - // This bind DN is used to query the server for the DN of the user. - // This is supposed to be a system user that has access in read only to - // the DNs of the people that are allowed to log in. - // - // @type string - // - rootDN: "cn=admin,dc=data,dc=coop", - - // - // Password of the lounge LDAP system user - // - // @type string - // - rootPassword: "{{ ldap_admin_password }}", - - // - // LDAP filter - // - // @type string - // @default "uid" - // - //filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)", - filter: "(objectClass=inetOrgPerson)", - - // - // LDAP search base (search only within this node) - // - // @type string - // - base: "{{ ldap_dn }}", - - // - // LDAP search scope - // - // @type string - // @default "sub" - // - scope: "sub", - - }, - }, - - // Extra debugging - // - // @type object - // @default {} - // - debug: { - // Enables extra debugging output provided by irc-framework. 
- //
- // @type boolean
- // @default false
- //
- ircFramework: false,
-
- // Enables logging raw IRC messages into each server window.
- //
- // @type boolean
- // @default false
- //
- raw: false,
- },
-};
From bb920407f37ad4b09c6ce39312ab9f271916132a Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 26 Nov 2022 17:18:31 +0100
Subject: [PATCH 2/9] Add depends_on conditions to Mastodon
---
 roles/docker/tasks/services/mastodon.yml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/roles/docker/tasks/services/mastodon.yml b/roles/docker/tasks/services/mastodon.yml
index baeea09..92f11a7 100644
--- a/roles/docker/tasks/services/mastodon.yml
+++ b/roles/docker/tasks/services/mastodon.yml
@@ -63,8 +63,10 @@
 # prettier-ignore
 test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
 depends_on:
- - db
- - redis
+ db:
+ condition: "service_healthy"
+ redis:
+ condition: "service_healthy"
 volumes:
 - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
 environment:
@@ -88,8 +90,10 @@
 ports:
 - '127.0.0.1:4000:4000'
 depends_on:
- - db
- - redis
+ db:
+ condition: "service_healthy"
+ redis:
+ condition: "service_healthy"
 environment:
 VIRTUAL_HOST: "{{ services.mastodon.domain }}"
 VIRTUAL_PORT: "4000"
@@ -103,8 +107,10 @@
 environment:
 DB_POOL: 32
 depends_on:
- - db
- - redis
+ db:
+ condition: "service_healthy"
+ redis:
+ condition: "service_healthy"
 networks:
 - postfix
 - external_services
@@ -120,4 +126,4 @@
 postfix:
 external: true
 internal_network:
- internal: true
\ No newline at end of file
+ internal: true
From a89140ef5157bc3e967fb67036269176551844a4 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 26 Nov 2022 20:09:34 +0100
Subject: [PATCH 3/9] Quality of Life lvl 100
---
 deploy.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/deploy.sh b/deploy.sh
index 939b92b..72d00f7 100755
--- a/deploy.sh
+++ b/deploy.sh
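Review bot: `condition: service_healthy` on `db` and `redis` in the `@@ -63` hunk (repeated in the `@@ -88` and `@@ -103` hunks of the same file) presupposes that both of those services declare a `healthcheck:`; with Compose v2 a dependent whose awaited service has no healthcheck fails to start with a "has no healthcheck configured" error, and neither service's definition is in this diff, so that should be verified. The `condition:` form is also only accepted by the Compose Specification parser (`docker compose` v2 / recent docker-compose), whereas the legacy `version: "3.x"` schema only takes the list form removed here; the file's `version:` key is not visible, so check which parser runs on the host. If the healthchecks are missing, the usual probes are `pg_isready` for Postgres and `redis-cli ping` for Redis, declared under each service's `healthcheck.test`.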
@@ -25,11 +25,13 @@ else
 echo "Deploying service: $2"
 $BASE_CMD --tags setup_services --extra-vars "single_service=$2"
 fi
- ;;
+ ;;
 "base")
 $BASE_CMD --tags base_only
- ;;
+ ;;
 *)
- echo "Command \"$1\" not found!"
+ echo >&2 "Command \"$1\" not found!"
+ exit 1
+ ;;
 esac
 fi
From e983499f9b8269bdac6a6d7762b92afb4a81ddfb Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 26 Nov 2022 22:13:51 +0100
Subject: [PATCH 4/9] Use value_name='service' in setup services task
---
 roles/docker/tasks/services.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml
index e183bbf..c41f5e4 100644
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@@ -4,11 +4,11 @@
 name: external_services
 - name: setup services
- include_tasks: "services/{{ item.value.file }}"
- loop: "{{ services | dict2items }}"
+ include_tasks: "services/{{ item.service.file }}"
+ loop: "{{ services | dict2items(value_name='service') }}"
 when: single_service is not defined and
- item.value.file is defined and
- item.value.disabled_in_vagrant is not defined
+ item.service.file is defined and
+ item.service.disabled_in_vagrant is not defined
 - name: setup single service
 include_tasks: "services/{{ services[single_service].file }}"
From f3fd5c7c7498518e551feb625663f0b0c83994b7 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 26 Nov 2022 22:48:15 +0100
Subject: [PATCH 5/9] Shorten Jinja2 filter in postfix.yml
---
 roles/docker/tasks/services/postfix.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml
index c565686..0959556 100644
--- a/roles/docker/tasks/services/postfix.yml
+++ b/roles/docker/tasks/services/postfix.yml
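Review bot: The new error line in the `*)` arm prints a caller-supplied argument through `echo`; under dash (`#!/bin/sh` on Debian-family hosts) `echo` always interprets backslash escapes in its arguments, so a value containing `\n` or `\t` is mangled, and the script's shebang is not visible in the hunk. `printf 'Command "%s" not found!\n' "$1" >&2` prints the argument verbatim and behaves the same in every POSIX shell. Appending the accepted commands to the message would also make the new non-zero exit more useful to the operator (the `"base"` arm is visible; the arm that consumes `$2` starts above the hunk). The enclosing `case` and the `if`/`else` around it open outside the hunk.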
@@ -16,5 +16,5 @@
 - name: postfix
 env:
 # Get all services which have allowed_sender_domain defined
- ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}"
+ ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
 HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as
From ab1f170790f2f3f1bb3fbe1b57a7e6b15605f6ab Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 26 Nov 2022 23:01:12 +0100
Subject: [PATCH 6/9] Opt out of Mailu statistics, and don't hardcode domains
---
 roles/docker/tasks/services/postfix.yml | 2 +-
 roles/docker/templates/mailu.env.j2 | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml
index 0959556..77dc727 100644
--- a/roles/docker/tasks/services/postfix.yml
+++ b/roles/docker/tasks/services/postfix.yml
@@ -17,4 +17,4 @@
 env:
 # Get all services which have allowed_sender_domain defined
 ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
- HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as
+ HOSTNAME: "smtp.{{ base_domain }}" # the name the smtp server will identify itself as
diff --git a/roles/docker/templates/mailu.env.j2 b/roles/docker/templates/mailu.env.j2
index 68c63fb..aa353e0 100644
--- a/roles/docker/templates/mailu.env.j2
+++ b/roles/docker/templates/mailu.env.j2
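Review bot: The comment kept as context above the changed line, `# Get all services which have allowed_sender_domain defined`, no longer describes the filter: `selectattr(..., 'true')` keeps only services whose `allowed_sender_domain` is the boolean true, so an entry with `allowed_sender_domain: false` or a quoted string such as `"yes"` is now left out, whereas the old `defined` test included it. Because this list becomes Postfix's `ALLOWED_SENDER_DOMAINS`, a mistyped value shows up as outbound mail from that service being refused by the relay rather than as a deploy-time error. Update the comment to `# Get all services which have allowed_sender_domain set to true` so the tighter semantics are documented as intended.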
@@ -29,10 +29,10 @@ SECRET_KEY={{ mailu_secret_key }}
 SUBNET={{ services.mailu.subnet }}
 # Main mail domain
-DOMAIN=data.coop
+DOMAIN={{ base_domain }}
 # Hostnames for this server, separated with comas
-HOSTNAMES=mail.data.coop
+HOSTNAMES=mail.{{ base_domain }}
 # Postmaster local part (will append the main mail domain)
 POSTMASTER=admin
@@ -44,7 +44,7 @@ TLS_FLAVOR=mail
 AUTH_RATELIMIT=120/minute;1200/hour
 # Opt-out of statistics, replace with "True" to opt out
-DISABLE_STATISTICS=False
+DISABLE_STATISTICS=True
 ###################################
 # Optional features
@@ -117,10 +117,10 @@ WEB_ADMIN=/admin
 WEB_WEBMAIL=/webmail
 # Website name
-SITENAME=data.coop
+SITENAME={{ base_domain }}
 # Linked Website URL
-WEBSITE=https://mail.data.coop
+WEBSITE=https://mail.{{ base_domain }}
From a1e8203d5523ca567eb8787b92e9661835215da2 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 26 Nov 2022 23:15:09 +0100
Subject: [PATCH 7/9] Don't hardcode domains
---
 roles/docker/templates/mailu.env.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/docker/templates/mailu.env.j2 b/roles/docker/templates/mailu.env.j2
index aa353e0..52a4865 100644
--- a/roles/docker/templates/mailu.env.j2
+++ b/roles/docker/templates/mailu.env.j2
@@ -32,7 +32,7 @@ SUBNET={{ services.mailu.subnet }}
 DOMAIN={{ base_domain }}
 # Hostnames for this server, separated with comas
-HOSTNAMES=mail.{{ base_domain }}
+HOSTNAMES={{ services.mailu.domain }}
 # Postmaster local part (will append the main mail domain)
 POSTMASTER=admin
@@ -120,7 +120,7 @@ WEB_WEBMAIL=/webmail
 SITENAME={{ base_domain }}
 # Linked Website URL
-WEBSITE=https://mail.{{ base_domain }}
+WEBSITE=https://{{ services.mailu.domain }}
From e45eb022082a71f23ede56e79681ab7c62c57e85 Mon Sep 17 00:00:00 2001
From: reynir
Date: Sun, 27 Nov 2022 14:01:55 +0000
Subject: [PATCH 8/9] Don't hardcode domains (#129)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Reynir Björnsson
Reviewed-on: https://git.data.coop/data.coop/ansible/pulls/129
Co-authored-by: reynir
Co-committed-by: reynir
---
 roles/docker/defaults/main.yml | 1 +
 roles/docker/tasks/services/postfix.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 2a23950..2acddce 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -6,6 +6,7 @@ services:
 ### Internal services ###
 postfix:
 file: postfix.yml
+ domain: "smtp.{{ base_domain }}"
 version: "v3.5.0"
 nginx_proxy:
diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml
index 77dc727..1fb67df 100644
--- a/roles/docker/tasks/services/postfix.yml
+++ b/roles/docker/tasks/services/postfix.yml
@@ -17,4 +17,4 @@
 env:
 # Get all services which have allowed_sender_domain defined
 ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
- HOSTNAME: "smtp.{{ base_domain }}" # the name the smtp server will identify itself as
+ HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as
From 59dae865c57852cb9a8f4c50e33898b5fd245de5 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sun, 27 Nov 2022 16:34:20 +0100
Subject: [PATCH 9/9] Add missing file to codimd
---
 roles/docker/defaults/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 2acddce..b3ad3ce 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
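Review bot: `domain:` on the `postfix` entry in the defaults/main.yml hunk reuses the key that public services expose as their web hostname (mastodon.yml sets `VIRTUAL_HOST: "{{ services.mastodon.domain }}"`), so any task that iterates `services` and treats every `domain` as a vhost to proxy or to obtain a certificate for would now also pick up `smtp.<base_domain>`; no such loop is visible in this series, so this is a check rather than a known break. The `ALLOWED_SENDER_DOMAINS` filter in postfix.yml is unaffected, since it selects on `allowed_sender_domain`, which postfix does not set. A short comment on the new line, `# name the SMTP server identifies itself as; not a web vhost`, would make the intent explicit to whoever adds such a loop later. The enclosing `services:` mapping starts outside the hunk.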
@@ -101,6 +101,7 @@ services:
 version: 20221009
 codimd:
+ file: codimd.yml
 domain: "oldpad.{{ base_domain }}"
 volume_folder: "{{ volume_root_folder }}/codimd"
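Review bot: With `file: codimd.yml` present, codimd now satisfies the `item.service.file is defined` condition of the "setup services" loop in roles/docker/tasks/services.yml (changed earlier in this series), so it will be included on the next run; until now it was skipped silently, because that `when:` treats a missing `file` as "do not deploy" rather than as an error. Two things to confirm: that `roles/docker/tasks/services/codimd.yml` exists under exactly that name, and that a task listing exists for it at all, since the path is only built, never validated. A guard in services.yml, such as an `assert` over `services` entries that lack `file` and are not marked as intentionally file-less, would turn this class of omission into a loud failure instead of a silently undeployed service. The enclosing `services:` mapping starts outside the hunk.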