diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 46cca1b..e0365ce 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -13,24 +13,21 @@ services: nginx_proxy: file: nginx_proxy.yml - version: "1.3-alpine" volume_folder: "{{ volume_root_folder }}/nginx" - - nginx_acme_companion: - version: "2.2" + version: "1.3-alpine" + acme_companion_version: "2.2" openldap: file: openldap.yml domain: "ldap.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/openldap" version: "1.5.0" - - phpldapadmin: - version: "0.9.0" + phpldapadmin_version: "0.9.0" netdata: file: netdata.yml domain: "netdata.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/netdata" version: "v1" portainer: @@ -196,17 +193,12 @@ services: file: membersystem.yml domain: "member.{{ base_domain }}" django_admins: "Vidir:valberg@orn.li" + volume_folder: "{{ volume_root_folder }}/membersystem" version: latest postgres_version: 13-alpine allowed_sender_domain: true - byro: - file: byro.yml - domain: "byro.{{ base_domain }}" - postgres_version: 14-alpine - volume_folder: "{{ volume_root_folder }}/byro-data" - allowed_sender_domain: true - watchtower: file: watchtower.yml + volume_folder: "{{ volume_root_folder }}/watchtower" version: "1.5.3" diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 3adee6d..3ef9542 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml @@ -1,32 +1,36 @@ # vim: ft=yaml.ansible --- -- name: copy docker registry vhost configuration +- name: Create Docker registry volume folders + file: + path: "{{ services.docker_registry.volume_folder }}/{{ volume }}" + state: directory + loop: + - auth + - registry + loop_control: + loop_var: volume + +- name: Copy docker registry vhost configuration copy: src: vhost/docker_registry dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}" mode: "0644" -- name: docker registry container - docker_container: - name: registry - image: registry:{{ services.docker_registry.version }} - restart_policy: always - volumes: - - "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry" - - "{{ services.docker_registry.volume_folder }}/auth:/auth" - networks: - - name: external_services - env: - VIRTUAL_HOST: "{{ services.docker_registry.domain }}" - LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - REGISTRY_AUTH: "htpasswd" - REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd" - REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry" +- name: Upload Compose file for Docker registry + template: + src: compose-files/docker_registry.yml.j2 + dest: "{{ services.docker_registry.volume_folder }}/docker-compose.yml" -- name: generate htpasswd file - shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd" +- name: Deploy Docker registry + docker_compose: + project_src: "{{ services.docker_registry.volume_folder }}" + pull: true + state: present + +- name: Generate htpasswd file + shell: "docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd" args: + chdir: "{{ services.docker_registry.volume_folder }}" creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd" - name: log in to registry diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index de8720e..8e4fa25 100644 --- a/roles/docker/tasks/services/drone.yml +++ b/roles/docker/tasks/services/drone.yml @@ -1,5 +1,10 @@ # vim: ft=yaml.ansible --- +- name: Create Drone volume folder + file: + path: "{{ services.drone.volume_folder }}" + state: directory + - name: Upload Compose file for Drone template: src: compose-files/drone.yml.j2 diff --git a/roles/docker/tasks/services/forgejo.yml b/roles/docker/tasks/services/forgejo.yml index 9978b82..826a190 100644 --- a/roles/docker/tasks/services/forgejo.yml +++ b/roles/docker/tasks/services/forgejo.yml @@ -1,37 +1,17 @@ # vim: ft=yaml.ansible --- -- name: Create Docker network for Forgejo - docker_network: - name: forgejo +- name: Create Forgejo volume folder + file: + name: "{{ services.portainer.volume_folder }}" + state: directory -# old DNS: 138.68.71.153 -- name: Set up Forgejo container - docker_container: - name: forgejo - image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }} - restart_policy: unless-stopped - networks: - - name: forgejo - - name: postfix - - name: external_services - volumes: - - "{{ services.forgejo.volume_folder }}:/data" - published_ports: - - "22:22" - env: - VIRTUAL_HOST: "{{ services.forgejo.domain }}" - VIRTUAL_PORT: "3000" - LETSENCRYPT_HOST: "{{ services.forgejo.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - # Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization - # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security - FORGEJO__mailer__ENABLED: "true" - FORGEJO__mailer__FROM: "noreply@{{ services.forgejo.domain }}" - FORGEJO__mailer__PROTOCOL: "smtp" - FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}:{{ smtp_port }}" - FORGEJO__security__LOGIN_REMEMBER_DAYS: "60" - FORGEJO__security__PASSWORD_COMPLEXITY: "off" - FORGEJO__security__MIN_PASSWORD_LENGTH: "8" - FORGEJO__security__PASSWORD_CHECK_PWN: "true" - FORGEJO__service__ENABLE_NOTIFY_MAIL: "true" - FORGEJO__service__REGISTER_EMAIL_CONFIRM: "true" +- name: Upload Compose file for Forgejo + template: + src: compose-files/forgejo.yml.j2 + dest: "{{ services.forgejo.volume_folder }}/docker-compose.yml" + +- name: Deploy Forgejo + docker_compose: + project_src: "{{ services.forgejo.volume_folder }}" + pull: true + state: present diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 45feb25..ff341b9 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -1,5 +1,10 @@ # vim: ft=yaml.ansible --- +- name: Create Keycloak volume folder + file: + path: "{{ services.keycloak.volume_folder }}/data" + state: directory + - name: Upload Compose file for for Keycloak template: src: compose-files/keycloak.yml.j2 diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index ba9135e..357c169 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -1,5 +1,10 @@ # vim: ft=yaml.ansible --- +- name: Create Membersystem volume folder + file: + name: "{{ services.membersystem.volume_folder }}" + state: directory + - name: Upload Compose file for Membersystem template: src: compose-files/membersystem.yml.j2 diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index 3631c99..e5234b6 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -1,5 +1,10 @@ # vim: ft=yaml.ansible --- +- name: Create Netdata volume folder + file: + path: "{{ services.netdata.volume_folder }}" + state: directory + - name: Upload Compose file for Netdata template: src: compose-files/netdata.yml.j2 diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml index acfa587..7273bcf 100644 --- a/roles/docker/tasks/services/nextcloud.yml +++ b/roles/docker/tasks/services/nextcloud.yml @@ -1,5 +1,15 @@ # vim: ft=yaml.ansible --- +- name: Create Nextcloud volume folders + file: + path: "{{ services.nextcloud.volume_folder }}/{{ volume }}" + state: directory + loop: + - app + - postgres + loop_control: + loop_var: volume + - name: upload vhost config for cloud.data.coop copy: src: vhost/nextcloud diff --git a/roles/docker/tasks/services/nginx_proxy.yml b/roles/docker/tasks/services/nginx_proxy.yml index 2f92611..6865952 100644 --- a/roles/docker/tasks/services/nginx_proxy.yml +++ b/roles/docker/tasks/services/nginx_proxy.yml @@ -13,36 +13,13 @@ loop_control: loop_var: volume -- name: nginx proxy container - docker_container: - name: nginx-proxy - image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }} - restart_policy: always - networks: - - name: external_services - published_ports: - - "80:80" - - "443:443" - volumes: - - "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d" - - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" - - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" - - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam" - - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro" - - /var/run/docker.sock:/tmp/docker.sock:ro - -- name: nginx letsencrypt container - docker_container: - name: nginx-proxy-le - image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }} - restart_policy: always - volumes: - - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" - - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" - - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro" - - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs" - - /var/run/docker.sock:/var/run/docker.sock:ro - env: - NGINX_PROXY_CONTAINER: nginx-proxy - when: letsencrypt_enabled +- name: Upload Compose file for nginx-proxy + template: + src: compose-files/nginx_proxy.yml.j2 + dest: "{{ services.nginx_proxy.volume_folder }}/docker-compose.yml" +- name: Deploy nginx-proxy + docker_compose: + project_src: "{{ services.nginx_proxy.volume_folder }}" + pull: true + state: present diff --git a/roles/docker/tasks/services/openldap.yml b/roles/docker/tasks/services/openldap.yml index 4aace81..b477a5b 100644 --- a/roles/docker/tasks/services/openldap.yml +++ b/roles/docker/tasks/services/openldap.yml @@ -1,74 +1,23 @@ # vim: ft=yaml.ansible --- -- name: create ldap volume folders +- name: Create OpenLDAP volume folders file: name: "{{ services.openldap.volume_folder }}/{{ volume }}" state: directory loop: - - "var/lib/ldap" - - "etc/slapd" - - "certs" + - var/lib/ldap + - etc/slapd + - certs loop_control: loop_var: volume -- name: Create a network for ldap - docker_network: - name: ldap +- name: Upload Compose file for OpenLDAP + template: + src: compose-files/openldap.yml.j2 + dest: "{{ services.openldap.volume_folder }}/docker-compose.yml" -- name: openLDAP container - docker_container: - name: openldap - image: osixia/openldap:{{ services.openldap.version }} - tty: true - interactive: true - restart_policy: unless-stopped - volumes: - - "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap" - - "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d" - - "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/" - published_ports: - - "389:389" - - "636:636" - hostname: "{{ services.openldap.domain }}" - domainname: "{{ services.openldap.domain }}" # important: same as hostname - networks: - - name: ldap - env: - LDAP_LOG_LEVEL: "256" - LDAP_ORGANISATION: "{{ base_domain }}" - LDAP_DOMAIN: "{{ base_domain }}" - LDAP_BASE_DN: "" - LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}" - LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}" - LDAP_READONLY_USER: "false" - LDAP_RFC2307BIS_SCHEMA: "false" - LDAP_BACKEND: "mdb" - LDAP_TLS: "true" - LDAP_TLS_CRT_FILENAME: "ldap.crt" - LDAP_TLS_KEY_FILENAME: "ldap.key" - LDAP_TLS_CA_CRT_FILENAME: "ca.crt" - LDAP_TLS_ENFORCE: "false" - LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0" - LDAP_TLS_PROTOCOL_MIN: "3.1" - LDAP_TLS_VERIFY_CLIENT: "demand" - LDAP_REPLICATION: "false" - KEEP_EXISTING_CONFIG: "false" - LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" - LDAP_SSL_HELPER_PREFIX: "ldap" - -- name: phpLDAPadmin container - docker_container: - name: phpldapadmin - image: osixia/phpldapadmin:{{ services.phpldapadmin.version }} - restart_policy: unless-stopped - networks: - - name: external_services - - name: ldap - env: - PHPLDAPADMIN_LDAP_HOSTS: "openldap" - PHPLDAPADMIN_HTTPS: "false" - PHPLDAPADMIN_TRUST_PROXY_SSL: "true" - - VIRTUAL_HOST: "{{ services.openldap.domain }}" - LETSENCRYPT_HOST: "{{ services.openldap.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" +- name: Deploy OpenLDAP + docker_compose: + project_src: "{{ services.openldap.volume_folder }}" + pull: true + state: present diff --git a/roles/docker/tasks/services/portainer.yml b/roles/docker/tasks/services/portainer.yml index dae0e87..5f158c9 100644 --- a/roles/docker/tasks/services/portainer.yml +++ b/roles/docker/tasks/services/portainer.yml @@ -5,18 +5,13 @@ name: "{{ services.portainer.volume_folder }}" state: directory -- name: run portainer - docker_container: - name: portainer - image: portainer/portainer-ee:{{ services.portainer.version }} - restart_policy: always - networks: - - name: external_services - volumes: - - /var/run/docker.sock:/var/run/docker.sock - - "{{ services.portainer.volume_folder }}:/data" - env: - VIRTUAL_HOST: "{{ services.portainer.domain }}" - VIRTUAL_PORT: "9000" - LETSENCRYPT_HOST: "{{ services.portainer.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" +- name: Upload Compose file for Portainer + template: + src: compose-files/portainer.yml.j2 + dest: "{{ services.portainer.volume_folder }}/docker-compose.yml" + +- name: Deploy Portainer + docker_compose: + project_src: "{{ services.portainer.volume_folder }}" + pull: true + state: present diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index ece525e..5298b15 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml @@ -1,6 +1,6 @@ # vim: ft=yaml.ansible --- -- name: Set up network for postfix +- name: Set up network for Postfix docker_network: name: postfix ipam_config: @@ -12,17 +12,13 @@ name: "{{ services.postfix.volume_folder }}/dkim" state: directory -- name: Set up Postfix Docker container for outgoing mail from services - docker_container: - name: postfix - image: boky/postfix:{{ services.postfix.version }} - restart_policy: always - networks: - - name: postfix - volumes: - - "{{ services.postfix.volume_folder }}/dkim:/etc/opendkim/keys" - env: - # Get all services which have allowed_sender_domain defined - ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}" - HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as - DKIM_AUTOGENERATE: "true" +- name: Upload Compose file for Postfix + template: + src: compose-files/postfix.yml.j2 + dest: "{{ services.forgejo.volume_folder }}/docker-compose.yml" + +- name: Deploy Postfix + docker_compose: + project_src: "{{ services.postfix.volume_folder }}" + pull: true + state: present diff --git a/roles/docker/tasks/services/privatebin.yml b/roles/docker/tasks/services/privatebin.yml index 354d81c..09d648c 100644 --- a/roles/docker/tasks/services/privatebin.yml +++ b/roles/docker/tasks/services/privatebin.yml @@ -15,17 +15,13 @@ src: privatebin/conf.php dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php" -- name: privatebin app container - docker_container: - name: privatebin - image: jgeusebroek/privatebin:{{ services.privatebin.version }} - restart_policy: unless-stopped - volumes: - - "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg" - - "{{ services.privatebin.volume_folder }}/data:/privatebin/data" - networks: - - name: external_services - env: - VIRTUAL_HOST: "{{ services.privatebin.domain }}" - LETSENCRYPT_HOST: "{{ services.privatebin.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" +- name: Upload Compose file for PrivateBin + template: + src: compose-files/privatebin.yml.j2 + dest: "{{ services.privatebin.volume_folder }}/docker-compose.yml" + +- name: Deploy PrivateBin + docker_compose: + project_src: "{{ services.private.volume_folder }}" + pull: true + state: present diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index c64c7f2..e528024 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -1,14 +1,17 @@ # vim: ft=yaml.ansible --- -- name: watchtower container - docker_container: - name: watchtower - image: containrrr/watchtower:{{ services.watchtower.version }} - restart_policy: unless-stopped - networks: - - name: external_services - env: - WATCHTOWER_POLL_INTERVAL: "60" - volumes: - - "/var/run/docker.sock:/var/run/docker.sock" - - "/root/.docker/config.json:/config.json:ro" +- name: Create Watchtower volume folder + file: + name: "{{ services.watchtower.volume_folder }}" + state: directory + +- name: Upload Compose file for Watchtower + template: + src: compose-files/watchtower.yml.j2 + dest: "{{ services.watchtower.volume_folder }}/docker-compose.yml" + +- name: Deploy Watchtower + docker_compose: + project_src: "{{ services.watchtower.volume_folder }}" + pull: true + state: present diff --git a/roles/docker/templates/compose-files/docker_registry.yml.j2 b/roles/docker/templates/compose-files/docker_registry.yml.j2 new file mode 100644 index 0000000..1e0d69c --- /dev/null +++ b/roles/docker/templates/compose-files/docker_registry.yml.j2 @@ -0,0 +1,23 @@ +# vim: ft=yaml.docker-compose +version: "3.8" + +services: + app: + image: registry:{{ services.docker_registry.version }} + restart: always + networks: + - external_services + volumes: + - "./registry:/var/lib/registry" + - "./auth:/auth" + environment: + VIRTUAL_HOST: "{{ services.docker_registry.domain }}" + LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + REGISTRY_AUTH: "htpasswd" + REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd" + REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry" + +networks: + external_services: + external: true diff --git a/roles/docker/templates/compose-files/drone.yml.j2 b/roles/docker/templates/compose-files/drone.yml.j2 index d62eb4b..377720a 100644 --- a/roles/docker/templates/compose-files/drone.yml.j2 +++ b/roles/docker/templates/compose-files/drone.yml.j2 @@ -2,7 +2,7 @@ version: "3.8" services: - drone: + app: image: drone/drone:{{ services.drone.version }} restart: unless-stopped networks: diff --git a/roles/docker/templates/compose-files/element.yml.j2 b/roles/docker/templates/compose-files/element.yml.j2 index 2a875ce..5f615ea 100644 --- a/roles/docker/templates/compose-files/element.yml.j2 +++ b/roles/docker/templates/compose-files/element.yml.j2 @@ -2,7 +2,7 @@ version: "3.8" services: - element: + app: image: avhost/docker-matrix-element:{{ services.element.version }} restart: unless-stopped networks: diff --git a/roles/docker/templates/compose-files/forgejo.yml.j2 b/roles/docker/templates/compose-files/forgejo.yml.j2 new file mode 100644 index 0000000..530b463 --- /dev/null +++ b/roles/docker/templates/compose-files/forgejo.yml.j2 @@ -0,0 +1,37 @@ +# vim: ft=yaml.docker-compose +version: "3.8" + +services: + app: + image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }} + restart: unless-stopped + networks: + - external_services + - postfix + volumes: + - ".:/data" + ports: + - "22:22" + environment: + VIRTUAL_HOST: "{{ services.forgejo.domain }}" + VIRTUAL_PORT: "3000" + LETSENCRYPT_HOST: "{{ services.forgejo.domain }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + # Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization + # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security + FORGEJO__mailer__ENABLED: true + FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }} + FORGEJO__mailer__PROTOCOL: smtp + FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}:{{ smtp_port }}" + FORGEJO__security__LOGIN_REMEMBER_DAYS: "60" + FORGEJO__security__PASSWORD_COMPLEXITY: off + FORGEJO__security__MIN_PASSWORD_LENGTH: "8" + FORGEJO__security__PASSWORD_CHECK_PWN: true + FORGEJO__service__ENABLE_NOTIFY_MAIL: true + FORGEJO__service__REGISTER_EMAIL_CONFIRM: true + +networks: + external_services: + external: true + postfix: + external: true diff --git a/roles/docker/templates/compose-files/nginx_proxy.yml.j2 b/roles/docker/templates/compose-files/nginx_proxy.yml.j2 new file mode 100644 index 0000000..ffee37a --- /dev/null +++ b/roles/docker/templates/compose-files/nginx_proxy.yml.j2 @@ -0,0 +1,38 @@ +version: "3.8" + +services: + proxy: + image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }} + restart: always + networks: + - external_services + ports: + - "80:80" + - "443:443" + volumes: + - "./conf:/etc/nginx/conf.d" + - "./vhost:/etc/nginx/vhost.d" + - "./html:/usr/share/nginx/html" + - "./dhparam:/etc/nginx/dhparam" + - "./certs:/etc/nginx/certs:ro" + - "/var/run/docker.sock:/tmp/docker.sock:ro" + labels: + - com.github.nginx-proxy.nginx + +{% if letsencrypt_enabled %} + acme: + image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }} + restart: always + volumes: + - "./vhost:/etc/nginx/vhost.d" + - "./html:/usr/share/nginx/html" + - "./dhparam:/etc/nginx/dhparam:ro" + - "./certs:/etc/nginx/certs" + - /var/run/docker.sock:/var/run/docker.sock:ro + depends_on: + - proxy +{% endif %} + +networks: + external_services: + external: true diff --git a/roles/docker/templates/compose-files/openldap.yml.j2 b/roles/docker/templates/compose-files/openldap.yml.j2 new file mode 100644 index 0000000..a951cc1 --- /dev/null +++ b/roles/docker/templates/compose-files/openldap.yml.j2 @@ -0,0 +1,58 @@ +# vim: ft=yaml.docker-compose +version: "3.8" + +services: + app: + image: osixia/openldap:{{ services.openldap.version }} + tty: true + stdin_open: true + policy: unless-stopped + volumes: + - "./var/lib/ldap:/var/lib/ldap" + - "./etc/slapd.d:/etc/ldap/slapd.d" + - "./certs:/container/service/slapd/assets/certs/" + ports: + - "389:389" + - "636:636" + hostname: "{{ services.openldap.domain }}" + domainname: "{{ services.openldap.domain }}" # important: same as hostname + environment: + LDAP_LOG_LEVEL: "256" + LDAP_ORGANISATION: "{{ base_domain }}" + LDAP_DOMAIN: "{{ base_domain }}" + LDAP_BASE_DN: "" + LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}" + LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}" + LDAP_READONLY_USER: false + LDAP_RFC2307BIS_SCHEMA: false + LDAP_BACKEND: mdb + LDAP_TLS: true + LDAP_TLS_CRT_FILENAME: ldap.crt + LDAP_TLS_KEY_FILENAME: ldap.key + LDAP_TLS_CA_CRT_FILENAME: ca.crt + LDAP_TLS_ENFORCE: false + LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0 + LDAP_TLS_PROTOCOL_MIN: "3.1" + LDAP_TLS_VERIFY_CLIENT: demand + LDAP_REPLICATION: false + KEEP_EXISTING_CONFIG: false + LDAP_REMOVE_CONFIG_AFTER_SETUP: true + LDAP_SSL_HELPER_PREFIX: ldap + + admin: + image: osixia/phpldapadmin:{{ services.openldap.phpldapadmin_version }} + restart: unless-stopped + networks: + - default + - external_services + environment: + PHPLDAPADMIN_LDAP_HOSTS: app + PHPLDAPADMIN_HTTPS: false + PHPLDAPADMIN_TRUST_PROXY_SSL: true + VIRTUAL_HOST: "{{ services.openldap.domain }}" + LETSENCRYPT_HOST: "{{ services.openldap.domain }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + +networks: + external_services: + external: true diff --git a/roles/docker/templates/compose-files/portainer.yml.j2 b/roles/docker/templates/compose-files/portainer.yml.j2 new file mode 100644 index 0000000..5bbba8c --- /dev/null +++ b/roles/docker/templates/compose-files/portainer.yml.j2 @@ -0,0 +1,21 @@ +# vim: ft=yaml.docker-compose +version: "3.8" + +services: + app: + image: portainer/portainer-ee:{{ services.portainer.version }} + restart: always + networks: + - external_services + volumes: + - ".:/data" + - "/var/run/docker.sock:/var/run/docker.sock:rw" + environment: + VIRTUAL_HOST: "{{ services.portainer.domain }}" + VIRTUAL_PORT: "9000" + LETSENCRYPT_HOST: "{{ services.portainer.domain }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + +networks: + external_services: + external: true diff --git a/roles/docker/templates/compose-files/postfix.yml.j2 b/roles/docker/templates/compose-files/postfix.yml.j2 new file mode 100644 index 0000000..89f25ba --- /dev/null +++ b/roles/docker/templates/compose-files/postfix.yml.j2 @@ -0,0 +1,20 @@ +# vim: ft=yaml.docker-compose +version: "3.8" + +services: + app: + image: boky/postfix:{{ services.postfix.version }} + restart: always + networks: + - postfix + volumes: + - "./dkim:/etc/opendkim/keys" + environment: + # Get all services which have allowed_sender_domain defined + ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}" + HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as + DKIM_AUTOGENERATE: true + +networks: + postfix: + external: true diff --git a/roles/docker/templates/compose-files/privatebin.yml.j2 b/roles/docker/templates/compose-files/privatebin.yml.j2 new file mode 100644 index 0000000..717515d --- /dev/null +++ b/roles/docker/templates/compose-files/privatebin.yml.j2 @@ -0,0 +1,20 @@ +# vim: ft=yaml.docker-compose +version: "3.8" + +services: + app: + image: jgeusebroek/privatebin:{{ services.privatebin.version }} + restart: unless-stopped + volumes: + - "./cfg:/privatebin/cfg" + - "./data:/privatebin/data" + networks: + - external_services + environment: + VIRTUAL_HOST: "{{ services.privatebin.domain }}" + LETSENCRYPT_HOST: "{{ services.privatebin.domain }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + +networks: + external_services: + external: true diff --git a/roles/docker/templates/compose-files/rallly.yml.j2 b/roles/docker/templates/compose-files/rallly.yml.j2 index f8cf987..11a912d 100644 --- a/roles/docker/templates/compose-files/rallly.yml.j2 +++ b/roles/docker/templates/compose-files/rallly.yml.j2 @@ -17,7 +17,7 @@ services: timeout: 5s retries: 5 - rallly: + app: image: lukevella/rallly:{{ services.rallly.version }} restart: always networks: diff --git a/roles/docker/templates/compose-files/watchtower.yml.j2 b/roles/docker/templates/compose-files/watchtower.yml.j2 new file mode 100644 index 0000000..642b6aa --- /dev/null +++ b/roles/docker/templates/compose-files/watchtower.yml.j2 @@ -0,0 +1,12 @@ +# vim: ft=yaml.docker-compose +version: "3.8" + +services: + app: + image: containrrr/watchtower:{{ services.watchtower.version }} + restart: unless-stopped + environment: + WATCHTOWER_POLL_INTERVAL: "60" + volumes: + - "/root/.docker/config.json:/config.json:ro" + - "/var/run/docker.sock:/var/run/docker.sock"