Víðir Valberg Guðmundsson 2022-11-26 09:52:41 +01:00
parent 8b1b3e1e3c
commit 62850cfba0
42 changed files with 737 additions and 712 deletions


@ -1,14 +1,15 @@
---
repos: repos:
#- repo: https://github.com/semaphor-dk/dansabel - repo: https://github.com/lyz-code/yamlfix/
# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8 rev: master
# hooks: hooks:
# - id: dansabel - id: yamlfix
- repo: https://github.com/ansible/ansible-lint - repo: https://github.com/ansible/ansible-lint
rev: v6.9.0 rev: v6.9.0
hooks: hooks:
- id: ansible-lint - id: ansible-lint
files: \.(yaml|yml)$ files: \.(yaml|yml)$
additional_dependencies: additional_dependencies:
- ansible - ansible
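Review bot: `rev: master` on the new yamlfix hook (the line under `- repo: https://github.com/lyz-code/yamlfix/`) pins the formatter to a moving branch, so the code that rewrites every YAML file in this repository can change under each contributor and CI run without any change here, and reruns are not reproducible. Pin it the way the ansible-lint entry is pinned (`rev: v6.9.0`), to a release tag or a full commit SHA, e.g. `rev: <yamlfix-release-tag>` (placeholder, pick from the project's releases); `pre-commit autoupdate` will also refuse to track a mutable ref cleanly. The trailing slash on the repo URL is harmless but differs from the other entry.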


@ -12,7 +12,8 @@ users:
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH
valberg
- name: reynir - name: reynir
comment: Reynir Björnsson comment: Reynir Björnsson
@ -20,8 +21,10 @@ users:
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey - ssh-rsa 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
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv reynir yubikey
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t
reynir@spurv
- name: samsapti - name: samsapti
comment: Sam Al-Sapti comment: Sam Al-Sapti
@ -29,4 +32,5 @@ users:
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf
samsapti
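Review bot: The reformat wraps each authorized key so its trailing comment (`valberg`, `reynir yubikey`, `samsapti`) lands on a continuation line of a plain scalar. YAML folds the continuation back into one space-separated string, so the deployed key is unchanged, but a key-per-line layout is what makes `grep` and `git blame` on authorized keys usable for audit, and a continuation accidentally dedented to the `-` column would silently become a separate, malformed key entry. Consider disabling line wrapping for this file (or raising the width in the yamlfix configuration) so each key stays on one line, or use a `>-` block scalar per key so the fold is explicit.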


@ -5,13 +5,13 @@
vars: vars:
base_domain: data.coop base_domain: data.coop
letsencrypt_email: admin@data.coop letsencrypt_email: admin@data.coop
ldap_dn: "dc=data,dc=coop" ldap_dn: dc=data,dc=coop
vagrant: "{{ ansible_virtualization_role == 'guest' }}" vagrant: "{{ ansible_virtualization_role == 'guest' }}"
letsencrypt_enabled: "{{ not vagrant }}" letsencrypt_enabled: '{{ not vagrant }}'
smtp_host: "postfix" smtp_host: postfix
smtp_port: "587" smtp_port: '587'
tasks: tasks:
- import_role: - import_role:


@ -1,169 +1,169 @@
--- ---
volume_root_folder: "/docker-volumes" volume_root_folder: /docker-volumes
services: services:
### Internal services ### ### Internal services ###
postfix: postfix:
file: postfix.yml file: postfix.yml
version: "v3.5.0" version: v3.5.0
nginx_proxy: nginx_proxy:
file: nginx_proxy.yml file: nginx_proxy.yml
version: "1.0-alpine" version: 1.0-alpine
volume_folder: "{{ volume_root_folder }}/nginx" volume_folder: '{{ volume_root_folder }}/nginx'
nginx_acme_companion: nginx_acme_companion:
version: "2.2" version: '2.2'
openldap: openldap:
file: openldap.yml file: openldap.yml
domain: "ldap.{{ base_domain }}" domain: ldap.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/openldap" volume_folder: '{{ volume_root_folder }}/openldap'
version: "1.5.0" version: 1.5.0
phpldapadmin: phpldapadmin:
version: "0.9.0" version: 0.9.0
netdata: netdata:
file: netdata.yml file: netdata.yml
domain: "netdata.{{ base_domain }}" domain: netdata.{{ base_domain }}
version: "v1" version: v1
portainer: portainer:
file: portainer.yml file: portainer.yml
domain: "portainer.{{ base_domain }}" domain: portainer.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/portainer" volume_folder: '{{ volume_root_folder }}/portainer'
version: "2.16.2" version: 2.16.2
keycloak: keycloak:
file: keycloak.yml file: keycloak.yml
domain: sso.{{ base_domain }} domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak" volume_folder: '{{ volume_root_folder }}/keycloak'
version: "20.0" version: '20.0'
restic: restic:
file: restic_backup.yml file: restic_backup.yml
user: "datacoop" user: datacoop
domain: "restic.cannedtuna.org" domain: restic.cannedtuna.org
repository: "datacoop-hevonen" repository: datacoop-hevonen
version: "1.6.0" version: 1.6.0
disabled_in_vagrant: true disabled_in_vagrant: true
docker_registry: docker_registry:
file: docker_registry.yml file: docker_registry.yml
domain: "docker.{{ base_domain }}" domain: docker.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/docker-registry" volume_folder: '{{ volume_root_folder }}/docker-registry'
username: "docker" username: docker
password: "{{ docker_password }}" password: '{{ docker_password }}'
version: "2" version: '2'
### External services ### ### External services ###
nextcloud: nextcloud:
file: nextcloud.yml file: nextcloud.yml
domain: "cloud.{{ base_domain }}" domain: cloud.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/nextcloud" volume_folder: '{{ volume_root_folder }}/nextcloud'
version: 25-apache version: 25-apache
gitea: gitea:
file: gitea.yml file: gitea.yml
domain: "git.{{ base_domain }}" domain: git.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/gitea" volume_folder: '{{ volume_root_folder }}/gitea'
version: 1.17.3 version: 1.17.3
allowed_sender_domain: true allowed_sender_domain: true
passit: passit:
file: passit.yml file: passit.yml
domain: "passit.{{ base_domain }}" domain: passit.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/passit" volume_folder: '{{ volume_root_folder }}/passit'
version: stable version: stable
allowed_sender_domain: true allowed_sender_domain: true
matrix: matrix:
file: matrix_riot.yml file: matrix_riot.yml
domain: "matrix.{{ base_domain }}" domain: matrix.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/matrix" volume_folder: '{{ volume_root_folder }}/matrix'
version: v1.63.1 version: v1.63.1
riot: riot:
domains: domains:
- "riot.{{ base_domain }}" - riot.{{ base_domain }}
- "element.{{ base_domain }}" - element.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/riot" volume_folder: '{{ volume_root_folder }}/riot'
version: v1.11.8 version: v1.11.8
privatebin: privatebin:
file: privatebin.yml file: privatebin.yml
domain: "paste.{{ base_domain }}" domain: paste.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/privatebin" volume_folder: '{{ volume_root_folder }}/privatebin'
version: 20221009 version: 20221009
codimd: codimd:
domain: "oldpad.{{ base_domain }}" domain: oldpad.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/codimd" volume_folder: '{{ volume_root_folder }}/codimd'
hedgedoc: hedgedoc:
file: hedgedoc.yml file: hedgedoc.yml
domain: "pad.{{ base_domain }}" domain: pad.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/hedgedoc" volume_folder: '{{ volume_root_folder }}/hedgedoc'
version: 1.9.6 version: 1.9.6
data_coop_website: data_coop_website:
file: websites/data.coop.yml file: websites/data.coop.yml
domains: domains:
- "{{ base_domain }}" - '{{ base_domain }}'
- "www.{{ base_domain }}" - www.{{ base_domain }}
cryptohagen_website: cryptohagen_website:
file: websites/cryptohagen.dk.yml file: websites/cryptohagen.dk.yml
domains: domains:
- "cryptohagen.dk" - cryptohagen.dk
- "www.cryptohagen.dk" - www.cryptohagen.dk
ulovliglogning_website: ulovliglogning_website:
file: websites/ulovliglogning.dk.yml file: websites/ulovliglogning.dk.yml
domains: domains:
- "ulovliglogning.dk" - ulovliglogning.dk
- "www.ulovliglogning.dk" - www.ulovliglogning.dk
- "ulovlig-logning.dk" - ulovlig-logning.dk
cryptoaarhus_website: cryptoaarhus_website:
file: websites/cryptoaarhus.dk.yml file: websites/cryptoaarhus.dk.yml
domains: domains:
- "cryptoaarhus.dk" - cryptoaarhus.dk
- "www.cryptoaarhus.dk" - www.cryptoaarhus.dk
drone: drone:
file: drone.yml file: drone.yml
domain: "drone.{{ base_domain }}" domain: drone.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/drone" volume_folder: '{{ volume_root_folder }}/drone'
version: 1 version: 1
mailu: mailu:
file: mailu.yml file: mailu.yml
version: 1.6 version: 1.6
domain: "mail.{{ base_domain }}" domain: mail.{{ base_domain }}
dns: 192.168.203.254 dns: 192.168.203.254
subnet: 192.168.203.0/24 subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu" volume_folder: '{{ volume_root_folder }}/mailu'
mastodon: mastodon:
file: mastodon.yml file: mastodon.yml
domain: "social.{{ base_domain }}" domain: social.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/mastodon" volume_folder: '{{ volume_root_folder }}/mastodon'
version: v4.0.2 version: v4.0.2
allowed_sender_domain: true allowed_sender_domain: true
rallly: rallly:
file: rallly.yml file: rallly.yml
domain: "when.{{ base_domain }}" domain: when.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/rallly" volume_folder: '{{ volume_root_folder }}/rallly'
version: a21f92bf74308d66cfcd545d49b81eba0211a222 version: a21f92bf74308d66cfcd545d49b81eba0211a222
allowed_sender_domain: true allowed_sender_domain: true
membersystem: membersystem:
file: membersystem.yml file: membersystem.yml
domain: "member.{{ base_domain }}" domain: member.{{ base_domain }}
django_admins: "Vidir:valberg@orn.li" django_admins: Vidir:valberg@orn.li
allowed_sender_domain: true allowed_sender_domain: true
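Review bot: The new side quotes some image versions (`version: '2.2'`, `version: '20.0'`, `version: '2'`) but leaves `version: 1.6` under `mailu`, `version: 1` under `drone` and `version: 20221009` under `privatebin` as YAML numbers, so the file now mixes typed and string versions for the same purpose. Today `{{ services.mailu.version }}` renders as `1.6`, but a bump to a two-digit minor (for example `1.10`) would be read as the float `1.1` and produce a wrong image tag with no error. Quoting them, `version: '1.6'`, `version: '1'`, `version: '20221009'`, makes every `version` a string and removes the trap; these lines are unchanged by the commit, so this is a consistency note on the resulting file.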


@ -1,7 +1,6 @@
--- ---
- name: "restart nginx" - name: restart nginx
community.docker.docker_container: community.docker.docker_container:
name: "nginx-proxy" name: nginx-proxy
restart: "yes" restart: 'yes'
state: "started" state: started
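Review bot: `restart: 'yes'` keeps a quoted truthy string where the rest of this commit converts the same value to a real boolean (`update_cache: true`, `pull: true`, `force: true`); `restart` on `community.docker.docker_container` is a boolean option and Ansible will coerce the string, but the handler now reads differently from every other boolean in the repository. Change it to `restart: true` to match, which also keeps yamllint's `truthy` rule quiet.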


@ -6,25 +6,25 @@
state: present state: present
- name: add docker apt repository - name: add docker apt repository
apt_repository: ansible.builtin.apt_repository:
repo: deb https://download.docker.com/linux/ubuntu bionic stable repo: deb https://download.docker.com/linux/ubuntu bionic stable
state: present state: present
update_cache: yes update_cache: true
- name: install docker-ce - name: install docker-ce
apt: ansible.builtin.apt:
name: docker-ce name: docker-ce
state: present state: present
- name: install docker python bindings - name: install docker python bindings
pip: pip:
executable: "pip3" executable: pip3
name: "docker-compose" name: docker-compose
state: present state: present
- name: create folder structure for bind mounts - name: create folder structure for bind mounts
file: ansible.builtin.file:
name: "{{ volume_root_folder }}" name: '{{ volume_root_folder }}'
state: directory state: directory
- name: setup services - name: setup services
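Review bot: The `pip:` module under `install docker python bindings` is left as a short name while the neighbouring tasks are rewritten to fully qualified names (`ansible.builtin.apt_repository:`, `ansible.builtin.apt:`, `ansible.builtin.file:`); use `ansible.builtin.pip:` so the hunk is consistent and ansible-lint's FQCN rule does not flag the one remaining task. Separately, the unchanged repository line hard-codes `bionic`; if the hosts are not all on that release, `{{ ansible_distribution_release }}` would track the actual distribution.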


@ -1,18 +1,15 @@
--- ---
- name: setup external services network - name: setup external services network
docker_network: community.docker.docker_network:
name: external_services name: external_services
- name: setup services - name: setup services
include_tasks: "services/{{ item.value.file }}" include_tasks: services/{{ item.value.file }}
loop: "{{ services | dict2items }}" loop: '{{ services | dict2items }}'
when: single_service is not defined and when: single_service is not defined and item.value.file is defined and item.value.disabled_in_vagrant
item.value.file is defined and is not defined
item.value.disabled_in_vagrant is not defined
- name: setup single service - name: setup single service
include_tasks: "services/{{ services[single_service].file }}" include_tasks: services/{{ services[single_service].file }}
when: single_service is defined and when: single_service is defined and single_service in services and services[single_service].file
single_service in services and is defined and services[single_service].disabled_in_vagrant is not defined
services[single_service].file is defined and
services[single_service].disabled_in_vagrant is not defined
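Review bot: Both `when:` expressions are now wrapped as multi-line plain scalars with the break falling inside a clause (`item.value.disabled_in_vagrant` / `is not defined`, and `services[single_service].file` / `is defined`). YAML folds these to single strings so the conditions evaluate as before, but a reader has to mentally rejoin the fragments, and the formatter will re-wrap at a different point whenever a clause changes. Ansible accepts a list under `when:` and ANDs the items, which gives one clause per line, is stable under the formatter, and needs no quoting; the rewrite below covers both tasks.
```yaml
- name: setup services
  # … unchanged: include_tasks and loop …
  when:
    - single_service is not defined
    - item.value.file is defined
    - item.value.disabled_in_vagrant is not defined
- name: setup single service
  # … unchanged: include_tasks …
  when:
    - single_service is defined
    - single_service in services
    - services[single_service].file is defined
    - services[single_service].disabled_in_vagrant is not defined
```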


@ -1,22 +1,22 @@
--- ---
- name: codimd network - name: codimd network
docker_network: community.docker.docker_network:
name: codimd name: codimd
- name: create codimd volume folders - name: create codimd volume folders
file: ansible.builtin.file:
name: "{{ codimd.volume_folder }}/{{ volume }}" name: '{{ codimd.volume_folder }}/{{ volume }}'
state: directory state: directory
loop: loop:
- "db" - db
- "codimd/uploads" - codimd/uploads
loop_control: loop_control:
loop_var: volume loop_var: volume
- name: codimd database container - name: codimd database container
docker_container: community.docker.docker_container:
name: codimd_db name: codimd_db
image: postgres:10 image: postgres:10
state: started state: started
@ -24,13 +24,13 @@
networks: networks:
- name: codimd - name: codimd
volumes: volumes:
- "{{ codimd.volume_folder }}/db:/var/lib/postgresql/data" - '{{ codimd.volume_folder }}/db:/var/lib/postgresql/data'
env: env:
POSTGRES_USER: "codimd" POSTGRES_USER: codimd
POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}" POSTGRES_PASSWORD: '{{ postgres_passwords.codimd }}'
- name: codimd app container - name: codimd app container
docker_container: community.docker.docker_container:
name: codimd_app name: codimd_app
image: hackmdio/hackmd:1.3.0 image: hackmdio/hackmd:1.3.0
restart_policy: unless-stopped restart_policy: unless-stopped
@ -39,19 +39,19 @@
- name: ldap - name: ldap
- name: external_services - name: external_services
volumes: volumes:
- "{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads" - '{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads'
env: env:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd" CMD_DB_URL: postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd
CMD_ALLOW_EMAIL_REGISTER: "False" CMD_ALLOW_EMAIL_REGISTER: 'False'
CMD_IMAGE_UPLOAD_TYPE: "filesystem" CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: "False" CMD_EMAIL: 'False'
CMD_LDAP_URL: "ldap://openldap" CMD_LDAP_URL: ldap://openldap
CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop" CMD_LDAP_BINDDN: cn=admin,dc=data,dc=coop
CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}" CMD_LDAP_BINDCREDENTIALS: '{{ ldap_admin_password }}'
CMD_LDAP_SEARCHBASE: "dc=data,dc=coop" CMD_LDAP_SEARCHBASE: dc=data,dc=coop
CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))" CMD_LDAP_SEARCHFILTER: (&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))
CMD_USECDN: "false" CMD_USECDN: 'false'
VIRTUAL_HOST: "{{ codimd.domain }}" VIRTUAL_HOST: '{{ codimd.domain }}'
LETSENCRYPT_HOST: "{{ codimd.domain }}" LETSENCRYPT_HOST: '{{ codimd.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
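Review bot: Stripping the quotes from `CMD_LDAP_SEARCHFILTER` leaves a plain scalar that begins with `(&(` and contains a nested Jinja literal (`{{ '{{username}}' }}`); it parses only because `(` is not a YAML indicator and the `&` is not at line start, which is the kind of value the formatter's own rules are meant to protect, and any future reflow that moves `&` to a line start would turn it into an anchor. Keep this one quoted, `CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"`, in the third hunk of this file; the same reasoning applies to `CMD_DB_URL`, which embeds credentials in an unquoted URL.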


@ -1,35 +1,37 @@
--- ---
- name: copy docker registry nginx configuration - name: copy docker registry nginx configuration
copy: ansible.builtin.copy:
src: "files/configs/docker_registry/nginx.conf" src: files/configs/docker_registry/nginx.conf
dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}" dest: /docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}
mode: "0644" mode: '0644'
- name: docker registry container - name: docker registry container
docker_container: community.docker.docker_container:
name: registry name: registry
image: registry:{{ services.docker_registry.version }} image: registry:{{ services.docker_registry.version }}
restart_policy: always restart_policy: always
volumes: volumes:
- "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry" - '{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry'
- "{{ services.docker_registry.volume_folder }}/auth:/auth" - '{{ services.docker_registry.volume_folder }}/auth:/auth'
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST: "{{ services.docker_registry.domain }}" VIRTUAL_HOST: '{{ services.docker_registry.domain }}'
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}" LETSENCRYPT_HOST: '{{ services.docker_registry.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
REGISTRY_AUTH: "htpasswd" REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd" REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry" REGISTRY_AUTH_HTPASSWD_REALM: data.coop docker registry
- name: generate htpasswd file - name: generate htpasswd file
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd" shell: docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{
services.docker_registry.volume_folder }}/auth/htpasswd
args: args:
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd" creates: '{{ services.docker_registry.volume_folder }}/auth/htpasswd'
- name: log in to registry - name: log in to registry
docker_login: docker_login:
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}" registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain\
username: "docker" \ }}"
password: "{{ docker_password }}" username: docker
password: '{{ docker_password }}'
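Review bot: The `generate htpasswd file` task still interpolates `{{ docker_password }}` into a `shell:` command, so the registry password is visible in the process list while `htpasswd` runs and is printed verbatim in Ansible's task output and any log that captures it; add `no_log: true` to that task (and, since `ansible.builtin.shell` is used, the FQCN for consistency with the other converted modules). The reflow also splits the Jinja expression across lines (`> {{` / `services.docker_registry.volume_folder }}`), which folds to a valid template but is hard to read, and the `registry:` value in the next task is now a double-quoted scalar continued with a trailing `\` and a leading `\ ` escape, which is correct YAML but close to unreadable. A `>-` block scalar for the long command, a single line for the `registry:` expression, and `community.docker.docker_login:` in place of the bare `docker_login:` would bring this hunk in line with the rest of the commit.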


@ -1,51 +1,51 @@
--- ---
- name: set up drone with docker runner - name: set up drone with docker runner
docker_compose: community.docker.docker_compose:
project_name: drone project_name: drone
pull: yes pull: true
definition: definition:
version: "3.6" version: '3.6'
services: services:
drone: drone:
container_name: "drone" container_name: drone
image: drone/drone:1 image: drone/drone:1
restart: unless-stopped restart: unless-stopped
networks: networks:
- external_services - external_services
- drone - drone
volumes: volumes:
- "{{ services.drone.volume_folder }}:/data" - '{{ services.drone.volume_folder }}:/data'
- "/var/run/docker.sock:/var/run/docker.sock" - /var/run/docker.sock:/var/run/docker.sock
environment: environment:
DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}" DRONE_GITEA_SERVER: https://{{ services.gitea.domain }}
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}" DRONE_GITEA_CLIENT_ID: '{{ drone_secrets.oauth_client_id }}'
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}" DRONE_GITEA_CLIENT_SECRET: '{{ drone_secrets.oauth_client_secret }}'
DRONE_GIT_ALWAYS_AUTH: "true" DRONE_GIT_ALWAYS_AUTH: 'true'
DRONE_SERVER_HOST: "{{ services.drone.domain }}" DRONE_SERVER_HOST: '{{ services.drone.domain }}'
DRONE_SERVER_PROTO: "https" DRONE_SERVER_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
PLUGIN_CUSTOM_DNS: "91.239.100.100" PLUGIN_CUSTOM_DNS: 91.239.100.100
VIRTUAL_HOST: "{{ services.drone.domain }}" VIRTUAL_HOST: '{{ services.drone.domain }}'
LETSENCRYPT_HOST: "{{ services.drone.domain }}" LETSENCRYPT_HOST: '{{ services.drone.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
drone-runner-docker: drone-runner-docker:
container_name: "drone-runner-docker" container_name: drone-runner-docker
image: "drone/drone-runner-docker:{{ services.drone.version }}" image: drone/drone-runner-docker:{{ services.drone.version }}
restart: unless-stopped restart: unless-stopped
networks: networks:
- drone - drone
volumes: volumes:
- "/var/run/docker.sock:/var/run/docker.sock" - /var/run/docker.sock:/var/run/docker.sock
environment: environment:
DRONE_RPC_HOST: "{{ services.drone.domain }}" DRONE_RPC_HOST: '{{ services.drone.domain }}'
DRONE_RPC_PROTO: "https" DRONE_RPC_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
DRONE_RUNNER_CAPACITY: 2 DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "data.coop_drone_runner" DRONE_RUNNER_NAME: data.coop_drone_runner
networks: networks:
drone: drone:
external_services: external_services:
external: external:
name: external_services name: external_services
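Review bot: `DRONE_RUNNER_CAPACITY: 2` is the only `environment:` value in this compose definition left as a YAML integer while the others are strings (`'true'`, `'https'`, `'{{ … }}'`); the compose environment schema accepts numbers and stringifies them, so behaviour is unchanged, but quoting it as `DRONE_RUNNER_CAPACITY: '2'` keeps the map uniformly typed and avoids surprises if a consumer ever validates environment values as strings. The rest of the hunk is a pure quoting change with no semantic difference that I can see.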


@ -1,11 +1,11 @@
--- ---
- name: gitea network - name: gitea network
docker_network: community.docker.docker_network:
name: gitea name: gitea
# old DNS: 138.68.71.153 # old DNS: 138.68.71.153
- name: gitea container - name: gitea container
docker_container: community.docker.docker_container:
name: gitea name: gitea
image: gitea/gitea:{{ services.gitea.version }} image: gitea/gitea:{{ services.gitea.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
@ -14,25 +14,25 @@
- name: postfix - name: postfix
- name: external_services - name: external_services
volumes: volumes:
- "{{ services.gitea.volume_folder }}:/data" - '{{ services.gitea.volume_folder }}:/data'
published_ports: published_ports:
- "22:22" - 22:22
env: env:
VIRTUAL_HOST: "{{ services.gitea.domain }}" VIRTUAL_HOST: '{{ services.gitea.domain }}'
VIRTUAL_PORT: "3000" VIRTUAL_PORT: '3000'
LETSENCRYPT_HOST: "{{ services.gitea.domain }}" LETSENCRYPT_HOST: '{{ services.gitea.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization # Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
GITEA__mailer__ENABLED: "true" GITEA__mailer__ENABLED: 'true'
GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}" GITEA__mailer__FROM: noreply@{{ services.gitea.domain }}
GITEA__mailer__MAILER_TYPE: "smtp" GITEA__mailer__MAILER_TYPE: smtp
GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}" GITEA__mailer__HOST: '{{ smtp_host }}:{{ smtp_port }}'
GITEA__mailer__USER: "noop" GITEA__mailer__USER: noop
GITEA__mailer__PASSWD: "noop" GITEA__mailer__PASSWD: noop
GITEA__security__LOGIN_REMEMBER_DAYS: "60" GITEA__security__LOGIN_REMEMBER_DAYS: '60'
GITEA__security__PASSWORD_COMPLEXITY: "off" GITEA__security__PASSWORD_COMPLEXITY: 'off'
GITEA__security__MIN_PASSWORD_LENGTH: "8" GITEA__security__MIN_PASSWORD_LENGTH: '8'
GITEA__security__PASSWORD_CHECK_PWN: "true" GITEA__security__PASSWORD_CHECK_PWN: 'true'
GITEA__service__ENABLE_NOTIFY_MAIL: "true" GITEA__service__ENABLE_NOTIFY_MAIL: 'true'
GITEA__service__REGISTER_EMAIL_CONFIRM: "true" GITEA__service__REGISTER_EMAIL_CONFIRM: 'true'
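Review bot: Removing the quotes from the published port in the second hunk (`- 22:22`) changes its type: Ansible's loader follows YAML 1.1 implicit typing, in which `22:22` is a sexagesimal integer (22*60+22 = 1342), so `published_ports` receives the number 1342 instead of the mapping string and Gitea's SSH port is no longer published on host port 22. Restore the quotes, `- '22:22'`. The same defect appears in the mailu file section in the hunk `@ -65,21 +67,21 @@`, where `- 25:25` becomes 1525 and breaks inbound SMTP; `993:993`, `587:587` and `465:465` happen to survive only because a component above 59 is not sexagesimal, so all `ports:` entries there should be quoted as well, and the formatter's configuration should be checked for why it unquoted these.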


@ -1,66 +1,65 @@
--- ---
- name: create hedgedoc volume folders - name: create hedgedoc volume folders
file: ansible.builtin.file:
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}" name: '{{ services.hedgedoc.volume_folder }}/{{ volume }}'
state: directory state: directory
loop: loop:
- "db" - db
- "hedgedoc/uploads" - hedgedoc/uploads
loop_control: loop_control:
loop_var: volume loop_var: volume
- name: copy sso public certificate - name: copy sso public certificate
copy: ansible.builtin.copy:
src: "files/sso/sso.data.coop.pem" src: files/sso/sso.data.coop.pem
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem" dest: '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem'
mode: "0644" mode: '0644'
- name: setup hedgedoc - name: setup hedgedoc
docker_compose: community.docker.docker_compose:
project_name: "hedgedoc" project_name: hedgedoc
pull: "yes" pull: true
definition: definition:
services: services:
database: database:
image: "postgres:10-alpine" image: postgres:10-alpine
environment: environment:
POSTGRES_USER: "codimd" POSTGRES_USER: codimd
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}" POSTGRES_PASSWORD: '{{ postgres_passwords.hedgedoc }}'
POSTGRES_DB: "codimd" POSTGRES_DB: codimd
restart: "unless-stopped" restart: unless-stopped
networks: networks:
- "hedgedoc" - hedgedoc
volumes: volumes:
- "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" - '{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data'
app: app:
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }} image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
environment: environment:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd
CMD_DOMAIN: "{{ services.hedgedoc.domain }}" CMD_DOMAIN: '{{ services.hedgedoc.domain }}'
CMD_ALLOW_EMAIL_REGISTER: "False" CMD_ALLOW_EMAIL_REGISTER: 'False'
CMD_IMAGE_UPLOAD_TYPE: "filesystem" CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: "False" CMD_EMAIL: 'False'
CMD_SAML_IDPCERT: "/sso.data.coop.pem" CMD_SAML_IDPCERT: /sso.data.coop.pem
CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml" CMD_SAML_IDPSSOURL: https://sso.data.coop/auth/realms/datacoop/protocol/saml
CMD_SAML_ISSUER: "hedgedoc" CMD_SAML_ISSUER: hedgedoc
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
CMD_USECDN: "false" CMD_USECDN: 'false'
CMD_PROTOCOL_USESSL: "true" CMD_PROTOCOL_USESSL: 'true'
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}" VIRTUAL_HOST: '{{ services.hedgedoc.domain }}'
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}" LETSENCRYPT_HOST: '{{ services.hedgedoc.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
volumes: volumes:
- "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads" - '{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads'
- "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem" - '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem'
restart: "unless-stopped" restart: unless-stopped
networks: networks:
- "hedgedoc" - hedgedoc
- "external_services" - external_services
depends_on: depends_on:
- database - database
networks: networks:
hedgedoc: hedgedoc:
external_services: external_services:
external: true external: true


@ -1,36 +1,40 @@
---
- name: setup keycloak containers for sso.data.coop - name: setup keycloak containers for sso.data.coop
docker_compose: community.docker.docker_compose:
project_name: "keycloak" project_name: keycloak
pull: "yes" pull: true
definition: definition:
version: "3.6" version: '3.6'
services: services:
postgres: postgres:
image: "postgres:10" image: postgres:10
restart: "unless-stopped" restart: unless-stopped
networks: networks:
- "keycloak" - keycloak
volumes: volumes:
- "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data" - '{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data'
environment: environment:
POSTGRES_USER: "keycloak" POSTGRES_USER: keycloak
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}" POSTGRES_PASSWORD: '{{ postgres_passwords.keycloak }}'
POSTGRES_DB: "keycloak" POSTGRES_DB: keycloak
app: app:
image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}" image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
restart: "unless-stopped" restart: unless-stopped
networks: networks:
- "keycloak" - keycloak
- "postfix" - postfix
- "external_services" - external_services
command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth" command: start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak
--db-username=keycloak --db-password={{ postgres_passwords.keycloak
}} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080
--http-relative-path=/auth
environment: environment:
VIRTUAL_HOST: "{{ services.keycloak.domain }}" VIRTUAL_HOST: '{{ services.keycloak.domain }}'
VIRTUAL_PORT: "8080" VIRTUAL_PORT: '8080'
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}" LETSENCRYPT_HOST: '{{ services.keycloak.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
networks: networks:
keycloak: keycloak:
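Review bot: The Keycloak `command:` is now a plain scalar folded over four lines with a break inside a Jinja expression (`{{ postgres_passwords.keycloak` / `}}`), which folds to a valid template but cannot be read or diffed option by option, and the formatter will re-wrap it whenever any flag changes. A `>-` block scalar with one option group per line folds to the same single-line string and is stable under reformatting, as below. It also keeps the database password on the container command line, where `docker inspect` and in-container `ps` expose it; Keycloak 20 reads `KC_DB_PASSWORD` from the environment, which would at least take it out of the command line, though that is a separate change from this reformat.
```yaml
        command: >-
          start --db=postgres
          --db-url=jdbc:postgresql://postgres:5432/keycloak
          --db-username=keycloak
          --db-password={{ postgres_passwords.keycloak }}
          --hostname={{ services.keycloak.domain }}
          --proxy=edge --https-port=8080 --http-relative-path=/auth
        # … unchanged: environment and networks …
```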


@ -1,8 +1,8 @@
--- ---
- name: create mailu volume folders - name: create mailu volume folders
file: ansible.builtin.file:
name: "{{ services.mailu.volume_folder }}/{{ volume }}" name: '{{ services.mailu.volume_folder }}/{{ volume }}'
state: directory state: directory
loop: loop:
- redis - redis
@ -18,30 +18,32 @@
loop_var: volume loop_var: volume
- name: upload mailu.env file - name: upload mailu.env file
template: ansible.builtin.template:
src: mailu.env.j2 src: mailu.env.j2
dest: "{{ services.mailu.volume_folder}}/mailu.env" dest: '{{ services.mailu.volume_folder}}/mailu.env'
- name: hard link to Let's Encrypt TLS certificate - name: hard link to Let's Encrypt TLS certificate
file: ansible.builtin.file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem" src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem" }}/fullchain.pem'
dest: '{{ services.mailu.volume_folder }}/certs/cert.pem'
state: hard state: hard
force: yes force: true
when: letsencrypt_enabled when: letsencrypt_enabled
- name: hard link to Let's Encrypt TLS key - name: hard link to Let's Encrypt TLS key
file: ansible.builtin.file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem" src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
dest: "{{ services.mailu.volume_folder }}/certs/key.pem" }}/key.pem'
dest: '{{ services.mailu.volume_folder }}/certs/key.pem'
state: hard state: hard
force: yes force: true
when: letsencrypt_enabled when: letsencrypt_enabled
- name: run mail server containers - name: run mail server containers
docker_compose: community.docker.docker_compose:
project_name: mail_server project_name: mail_server
pull: yes pull: true
definition: definition:
version: '3.6' version: '3.6'
services: services:
@ -49,15 +51,15 @@
image: redis:alpine image: redis:alpine
restart: always restart: always
volumes: volumes:
- "{{ services.mailu.volume_folder }}/redis:/data" - '{{ services.mailu.volume_folder }}/redis:/data'
database: database:
image: mailu/postgresql:{{ services.mailu.version }} image: mailu/postgresql:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes: volumes:
- "{{ services.mailu.volume_folder }}/data/psql_db:/data" - '{{ services.mailu.volume_folder }}/data/psql_db:/data'
- "{{ services.mailu.volume_folder }}/data/psql_backup:/backup" - '{{ services.mailu.volume_folder }}/data/psql_backup:/backup'
networks: networks:
- default - default
- external_services - external_services
@ -65,21 +67,21 @@
front: front:
image: mailu/nginx:{{ services.mailu.version }} image: mailu/nginx:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
environment: environment:
VIRTUAL_HOST: "{{ services.mailu.domain }}" VIRTUAL_HOST: '{{ services.mailu.domain }}'
LETSENCRYPT_HOST: "{{ services.mailu.domain }}" LETSENCRYPT_HOST: '{{ services.mailu.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
volumes: volumes:
- "{{ services.mailu.volume_folder }}/certs:/certs" - '{{ services.mailu.volume_folder }}/certs:/certs'
- "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides" - '{{ services.mailu.volume_folder }}/overrides/nginx:/overrides'
expose: expose:
- "80" - '80'
ports: ports:
- "993:993" - 993:993
- "25:25" - 25:25
- "587:587" - 587:587
- "465:465" - 465:465
networks: networks:
- default - default
- external_services - external_services
@ -87,68 +89,68 @@
resolver: resolver:
image: mailu/unbound:{{ services.mailu.version }} image: mailu/unbound:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
networks: networks:
default: default:
ipv4_address: "{{ services.mailu.dns }}" ipv4_address: '{{ services.mailu.dns }}'
admin: admin:
image: mailu/admin:{{ services.mailu.version }} image: mailu/admin:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes: volumes:
- "{{ services.mailu.volume_folder }}/data:/data" - '{{ services.mailu.volume_folder }}/data:/data'
- "{{ services.mailu.volume_folder }}/dkim:/dkim" - '{{ services.mailu.volume_folder }}/dkim:/dkim'
depends_on: depends_on:
- redis - redis
imap: imap:
image: mailu/dovecot:{{ services.mailu.version }} image: mailu/dovecot:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes: volumes:
- "{{ services.mailu.volume_folder }}/mail:/mail" - '{{ services.mailu.volume_folder }}/mail:/mail'
- "{{ services.mailu.volume_folder }}/overrides:/overrides" - '{{ services.mailu.volume_folder }}/overrides:/overrides'
depends_on: depends_on:
- front - front
smtp: smtp:
image: mailu/postfix:{{ services.mailu.version }} image: mailu/postfix:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes: volumes:
- "{{ services.mailu.volume_folder }}/overrides:/overrides" - '{{ services.mailu.volume_folder }}/overrides:/overrides'
depends_on: depends_on:
- front - front
- resolver - resolver
dns: dns:
- "{{ services.mailu.dns }}" - '{{ services.mailu.dns }}'
antispam: antispam:
image: mailu/rspamd:{{ services.mailu.version }} image: mailu/rspamd:{{ services.mailu.version }}
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes: volumes:
- "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd" - '{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd'
- "{{ services.mailu.volume_folder }}/dkim:/dkim" - '{{ services.mailu.volume_folder }}/dkim:/dkim'
- "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d" - '{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d'
depends_on: depends_on:
- front - front
- resolver - resolver
dns: dns:
- "{{ services.mailu.dns }}" - '{{ services.mailu.dns }}'
webmail: webmail:
image: mailu/rainloop:1.6 image: mailu/rainloop:1.6
restart: always restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env" env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes: volumes:
- "{{ services.mailu.volume_folder }}/webmail:/data" - '{{ services.mailu.volume_folder }}/webmail:/data'
depends_on: depends_on:
- front - front
- resolver - resolver
dns: dns:
- "{{ services.mailu.dns }}" - '{{ services.mailu.dns }}'
networks: networks:
default: default:
@ -156,7 +158,7 @@
ipam: ipam:
driver: default driver: default
config: config:
- subnet: "{{ services.mailu.subnet }}" - subnet: '{{ services.mailu.subnet }}'
external_services: external_services:
external: external:
name: external_services name: external_services


@ -1,30 +1,32 @@
---
- name: create mastodon volume folders - name: create mastodon volume folders
file: ansible.builtin.file:
name: "{{ services.mastodon.volume_folder }}/{{ volume }}" name: '{{ services.mastodon.volume_folder }}/{{ volume }}'
state: directory state: directory
owner: "991" owner: '991'
group: "991" group: '991'
loop: loop:
- "postgres_data" - postgres_data
- "redis_data" - redis_data
- "mastodon_data" - mastodon_data
loop_control: loop_control:
loop_var: volume loop_var: volume
- name: Copy mastodon environment file - name: Copy mastodon environment file
template: ansible.builtin.template:
src: files/configs/mastodon/env_file.j2 src: files/configs/mastodon/env_file.j2
dest: "{{ services.mastodon.volume_folder }}/env_file" dest: '{{ services.mastodon.volume_folder }}/env_file'
- name: upload vhost config for root domain - name: upload vhost config for root domain
template: ansible.builtin.template:
src: files/configs/mastodon/vhost-mastodon src: files/configs/mastodon/vhost-mastodon
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}" dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain
}}'
- name: set up mastodon - name: set up mastodon
docker_compose: community.docker.docker_compose:
project_name: mastodon project_name: mastodon
pull: yes pull: true
definition: definition:
version: '3' version: '3'
services: services:
@ -35,11 +37,11 @@
networks: networks:
- internal_network - internal_network
healthcheck: healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres'] test: [CMD, pg_isready, -U, postgres]
volumes: volumes:
- "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data" - '{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data'
environment: environment:
- 'POSTGRES_HOST_AUTH_METHOD=trust' - POSTGRES_HOST_AUTH_METHOD=trust
redis: redis:
restart: always restart: always
@ -47,58 +49,59 @@
networks: networks:
- internal_network - internal_network
healthcheck: healthcheck:
test: ['CMD', 'redis-cli', 'ping'] test: [CMD, redis-cli, ping]
volumes: volumes:
- "{{ services.mastodon.volume_folder }}/redis_data:/data" - '{{ services.mastodon.volume_folder }}/redis_data:/data'
web: web:
image: "tootsuite/mastodon:{{ services.mastodon.version }}" image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always restart: always
env_file: "{{ services.mastodon.volume_folder }}/env_file" env_file: '{{ services.mastodon.volume_folder }}/env_file'
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails
s -p 3000"
networks: networks:
- external_services - external_services
- internal_network - internal_network
healthcheck: healthcheck:
# prettier-ignore test: |
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1'] [CMD-SHELL, wget -q --spider --proxy=off localhost:3000/health || exit 1]
depends_on: depends_on:
- db - db
- redis - redis
volumes: volumes:
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" - '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
environment: environment:
VIRTUAL_HOST: "{{ services.mastodon.domain }}" VIRTUAL_HOST: '{{ services.mastodon.domain }}'
VIRTUAL_PORT: "3000" VIRTUAL_PORT: '3000'
VIRTUAL_PATH: "/" VIRTUAL_PATH: /
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}" LETSENCRYPT_HOST: '{{ services.mastodon.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
streaming: streaming:
image: "tootsuite/mastodon:{{ services.mastodon.version }}" image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always restart: always
env_file: "{{ services.mastodon.volume_folder }}/env_file" env_file: '{{ services.mastodon.volume_folder }}/env_file'
command: node ./streaming command: node ./streaming
networks: networks:
- external_services - external_services
- internal_network - internal_network
healthcheck: healthcheck:
# prettier-ignore test: |
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1'] [CMD-SHELL, wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1]
ports: ports:
- '127.0.0.1:4000:4000' - 127.0.0.1:4000:4000
depends_on: depends_on:
- db - db
- redis - redis
environment: environment:
VIRTUAL_HOST: "{{ services.mastodon.domain }}" VIRTUAL_HOST: '{{ services.mastodon.domain }}'
VIRTUAL_PORT: "4000" VIRTUAL_PORT: '4000'
VIRTUAL_PATH: "/api/v1/streaming" VIRTUAL_PATH: /api/v1/streaming
sidekiq: sidekiq:
image: "tootsuite/mastodon:{{ services.mastodon.version }}" image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always restart: always
env_file: "{{ services.mastodon.volume_folder }}/env_file" env_file: '{{ services.mastodon.volume_folder }}/env_file'
command: bundle exec sidekiq -c 32 command: bundle exec sidekiq -c 32
environment: environment:
DB_POOL: 32 DB_POOL: 32
@ -110,9 +113,9 @@
- external_services - external_services
- internal_network - internal_network
volumes: volumes:
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" - '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
healthcheck: healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"] test: [CMD-SHELL, "ps aux | grep '[s]idekiq 6' || false"]
networks: networks:
external_services: external_services:
@ -120,4 +123,4 @@
postfix: postfix:
external: true external: true
internal_network: internal_network:
internal: true internal: true
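Review bot: The web and streaming healthchecks on the two `test: |` lines are now literal block scalars, so each value is the string `[CMD-SHELL, wget ... || exit 1]` (with a trailing newline) rather than a two-element list. Compose runs a string `test` through the shell, and that bracketed text is not a valid command line, so both containers will most likely sit at "unhealthy" after this change; the dropped `# prettier-ignore` markers suggest the formatter rewrote them purely to satisfy line length. Write them as block sequences instead, which keeps the list semantics and the line length: `test:` / `  - CMD-SHELL` / `  - wget -q --spider --proxy=off localhost:3000/health || exit 1`, and the same shape with the `localhost:4000/api/v1/streaming/health` URL for the streaming service.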

View file

@ -1,73 +1,74 @@
--- ---
- name: create matrix volume folders - name: create matrix volume folders
file: ansible.builtin.file:
name: "{{ services.matrix.volume_folder }}/{{ volume }}" name: '{{ services.matrix.volume_folder }}/{{ volume }}'
state: directory state: directory
owner: "991" owner: '991'
group: "991" group: '991'
loop: loop:
- "data" - data
- "data/uploads" - data/uploads
- "data/media" - data/media
loop_control: loop_control:
loop_var: volume loop_var: volume
- name: create matrix DB folder - name: create matrix DB folder
file: ansible.builtin.file:
name: "{{ services.matrix.volume_folder }}/db" name: '{{ services.matrix.volume_folder }}/db'
state: "directory" state: directory
- name: create riot volume folders - name: create riot volume folders
file: ansible.builtin.file:
name: "{{ services.riot.volume_folder }}/{{ volume }}" name: '{{ services.riot.volume_folder }}/{{ volume }}'
state: directory state: directory
loop: loop:
- "data" - data
loop_control: loop_control:
loop_var: volume loop_var: volume
- name: upload riot config.json - name: upload riot config.json
template: ansible.builtin.template:
src: files/configs/riot/config.json src: files/configs/riot/config.json
dest: "{{ services.riot.volume_folder }}/data/config.json" dest: '{{ services.riot.volume_folder }}/data/config.json'
- name: upload riot.im.conf - name: upload riot.im.conf
template: ansible.builtin.template:
src: files/configs/riot/riot.im.conf src: files/configs/riot/riot.im.conf
dest: "{{ services.riot.volume_folder }}/data/riot.im.conf" dest: '{{ services.riot.volume_folder }}/data/riot.im.conf'
- name: upload vhost config for root domain - name: upload vhost config for root domain
template: ansible.builtin.template:
src: files/configs/matrix/vhost-root src: files/configs/matrix/vhost-root
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}" dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}'
- name: upload vhost config for matrix domain - name: upload vhost config for matrix domain
template: ansible.builtin.template:
src: files/configs/matrix/vhost-matrix src: files/configs/matrix/vhost-matrix
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}" dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain
}}'
- name: upload vhost config for riot domain - name: upload vhost config for riot domain
template: ansible.builtin.template:
src: files/configs/matrix/vhost-riot src: files/configs/matrix/vhost-riot
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}" dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}'
loop: "{{ services.riot.domains }}" loop: '{{ services.riot.domains }}'
- name: upload homeserver.yaml - name: upload homeserver.yaml
template: ansible.builtin.template:
src: "files/configs/matrix/homeserver.yaml.j2" src: files/configs/matrix/homeserver.yaml.j2
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml" dest: '{{ services.matrix.volume_folder }}/data/homeserver.yaml'
- name: upload matrix logging config - name: upload matrix logging config
template: ansible.builtin.template:
src: "files/configs/matrix/matrix.data.coop.log.config" src: files/configs/matrix/matrix.data.coop.log.config
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config" dest: '{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config'
- name: set up matrix and riot - name: set up matrix and riot
docker_compose: community.docker.docker_compose:
project_name: matrix project_name: matrix
pull: yes pull: true
definition: definition:
version: "3.6" version: '3.6'
services: services:
matrix_db: matrix_db:
container_name: matrix_db container_name: matrix_db
@ -76,10 +77,10 @@
networks: networks:
- matrix - matrix
volumes: volumes:
- "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data" - '{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data'
environment: environment:
POSTGRES_USER: "synapse" POSTGRES_USER: synapse
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}" POSTGRES_PASSWORD: '{{ postgres_passwords.matrix }}'
matrix_app: matrix_app:
container_name: matrix container_name: matrix
@ -89,15 +90,15 @@
- matrix - matrix
- external_services - external_services
volumes: volumes:
- "{{ services.matrix.volume_folder }}/data:/data" - '{{ services.matrix.volume_folder }}/data:/data'
environment: environment:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
SYNAPSE_CACHE_FACTOR: "2" SYNAPSE_CACHE_FACTOR: '2'
SYNAPSE_LOG_LEVEL: "INFO" SYNAPSE_LOG_LEVEL: INFO
VIRTUAL_HOST: "{{ services.matrix.domain }}" VIRTUAL_HOST: '{{ services.matrix.domain }}'
VIRTUAL_PORT: "8008" VIRTUAL_PORT: '8008'
LETSENCRYPT_HOST: "{{ services.matrix.domain }}" LETSENCRYPT_HOST: '{{ services.matrix.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
riot: riot:
container_name: riot_app container_name: riot_app
@ -109,16 +110,16 @@
expose: expose:
- 8080 - 8080
volumes: volumes:
- "{{ services.riot.volume_folder }}/data:/data" - '{{ services.riot.volume_folder }}/data:/data'
environment: environment:
VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}" VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
VIRTUAL_PORT: "8080" VIRTUAL_PORT: '8080'
LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
networks: networks:
external_services: external_services:
external: external:
name: external_services name: external_services
matrix: matrix:
name: "matrix" name: matrix


@ -1,11 +1,11 @@
--- ---
- name: run membersystem containers - name: run membersystem containers
docker_compose: community.docker.docker_compose:
project_name: "member.data.coop" project_name: member.data.coop
pull: yes pull: true
definition: definition:
version: "3" version: '3'
services: services:
backend: backend:
image: docker.data.coop/membersystem:latest image: docker.data.coop/membersystem:latest
@ -19,32 +19,33 @@
- external_services - external_services
- postfix - postfix
environment: environment:
SECRET_KEY: "{{ membersystem_secrets.secret_key }}" SECRET_KEY: '{{ membersystem_secrets.secret_key }}'
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem
}}@postgres:5432/postgres
POSTGRES_HOST: postgres POSTGRES_HOST: postgres
POSTGRES_PORT: 5432 POSTGRES_PORT: 5432
EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend" EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
VIRTUAL_HOST: "{{ services.membersystem.domain }}" VIRTUAL_HOST: '{{ services.membersystem.domain }}'
VIRTUAL_PORT: "8000" VIRTUAL_PORT: '8000'
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}" LETSENCRYPT_HOST: '{{ services.membersystem.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
ALLOWED_HOSTS: "{{ services.membersystem.domain }}" ALLOWED_HOSTS: '{{ services.membersystem.domain }}'
CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}" CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}" DJANGO_ADMINS: '{{ services.membersystem.django_admins }}'
DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}" DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'
postgres: postgres:
image: postgres:13-alpine image: postgres:13-alpine
restart: always restart: always
volumes: volumes:
- "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data" - '{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data'
networks: networks:
- membersystem - membersystem
environment: environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}" POSTGRES_PASSWORD: '{{ postgres_passwords.membersystem }}'
networks: networks:
membersystem: membersystem:
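Review bot: The wrap the formatter introduced on the `DATABASE_URL:` line lands inside a Jinja expression (`{{ postgres_passwords.membersystem` on one line, `}}@postgres:5432/postgres` on the next). A multi-line plain scalar folds back to a single space, so it still parses to the intended URL, but the secret reference is no longer greppable and the continuation line is easy to break on a later edit. Prefer the folded block form so the expression stays on one line: `DATABASE_URL: >-` / `  postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres`. The same mid-expression wrap appears on the nextcloud section's redis `command:` line and on the single-quoted `dest:` lines in the mastodon, matrix and nextcloud sections.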


@ -1,11 +1,11 @@
--- ---
- name: setup netdata docker container for system monitoring - name: setup netdata docker container for system monitoring
docker_container: community.docker.docker_container:
name: netdata name: netdata
image: netdata/netdata:{{ services.netdata.version }} image: netdata/netdata:{{ services.netdata.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
hostname: "hevonen.servers.{{ base_domain }}" hostname: hevonen.servers.{{ base_domain }}
capabilities: capabilities:
- SYS_PTRACE - SYS_PTRACE
security_opts: security_opts:
@ -17,11 +17,9 @@
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST : "{{ services.netdata.domain }}" VIRTUAL_HOST: '{{ services.netdata.domain }}'
LETSENCRYPT_HOST: "{{ services.netdata.domain }}" LETSENCRYPT_HOST: '{{ services.netdata.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
PGID: "999" PGID: '999'
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'


@ -1,75 +1,76 @@
--- ---
- name: upload vhost config for cloud.data.coop - name: upload vhost config for cloud.data.coop
template: ansible.builtin.template:
src: files/configs/nextcloud/vhost src: files/configs/nextcloud/vhost
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}" dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain
notify: "restart nginx" }}'
notify: restart nginx
- name: setup nextcloud containers - name: setup nextcloud containers
docker_compose: community.docker.docker_compose:
project_name: "nextcloud" project_name: nextcloud
pull: "yes" pull: true
definition: definition:
services: services:
postgres: postgres:
image: "postgres:10" image: postgres:10
restart: "unless-stopped" restart: unless-stopped
networks: networks:
- "nextcloud" - nextcloud
volumes: volumes:
- "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data" - '{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data'
environment: environment:
POSTGRES_DB: "nextcloud" POSTGRES_DB: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}" POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
POSTGRES_USER: "nextcloud" POSTGRES_USER: nextcloud
redis: redis:
image: "redis:7-alpine" image: redis:7-alpine
restart: "unless-stopped" restart: unless-stopped
command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}" command: redis-server --requirepass {{ nextcloud_secrets.redis_password
}}
tmpfs: tmpfs:
- /var/lib/redis - /var/lib/redis
networks: networks:
- "nextcloud" - nextcloud
cron: cron:
image: "nextcloud:{{ services.nextcloud.version }}" image: nextcloud:{{ services.nextcloud.version }}
restart: "unless-stopped" restart: unless-stopped
entrypoint: "/cron.sh" entrypoint: /cron.sh
networks: networks:
- "nextcloud" - nextcloud
volumes: volumes:
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html" - '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
depends_on: depends_on:
- "postgres" - postgres
- "redis" - redis
app: app:
image: "nextcloud:{{ services.nextcloud.version }}" image: nextcloud:{{ services.nextcloud.version }}
restart: "unless-stopped" restart: unless-stopped
networks: networks:
- "nextcloud" - nextcloud
- "postfix" - postfix
- "external_services" - external_services
volumes: volumes:
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html" - '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
environment: environment:
VIRTUAL_HOST: "{{ services.nextcloud.domain }}" VIRTUAL_HOST: '{{ services.nextcloud.domain }}'
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}" LETSENCRYPT_HOST: '{{ services.nextcloud.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
POSTGRES_HOST: "postgres" POSTGRES_HOST: postgres
POSTGRES_DB: "nextcloud" POSTGRES_DB: nextcloud
POSTGRES_USER: "nextcloud" POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}" POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
REDIS_HOST: "redis" REDIS_HOST: redis
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}" REDIS_HOST_PASSWORD: '{{ nextcloud_secrets.redis_password }}'
depends_on: depends_on:
- "postgres" - postgres
- "redis" - redis
networks: networks:
nextcloud: nextcloud:
postfix: postfix:
external: true external: true
external_services: external_services:
external: true external: true

View file

@ -1,8 +1,8 @@
--- ---
- name: create nginx-proxy volume folders - name: create nginx-proxy volume folders
file: ansible.builtin.file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}" name: '{{ services.nginx_proxy.volume_folder }}/{{ volume }}'
state: directory state: directory
loop: loop:
- conf - conf
@ -14,35 +14,34 @@
loop_var: volume loop_var: volume
- name: nginx proxy container - name: nginx proxy container
docker_container: community.docker.docker_container:
name: nginx-proxy name: nginx-proxy
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }} image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart_policy: always restart_policy: always
networks: networks:
- name: external_services - name: external_services
published_ports: published_ports:
- "80:80" - 80:80
- "443:443" - 443:443
volumes: volumes:
- "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d" - '{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d'
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" - '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" - '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam" - '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam'
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro" - '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro'
- /var/run/docker.sock:/tmp/docker.sock:ro - /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container - name: nginx letsencrypt container
docker_container: community.docker.docker_container:
name: nginx-proxy-le name: nginx-proxy-le
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }} image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
restart_policy: always restart_policy: always
volumes: volumes:
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" - '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" - '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro" - '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro'
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs" - '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs'
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
env: env:
NGINX_PROXY_CONTAINER: nginx-proxy NGINX_PROXY_CONTAINER: nginx-proxy
when: letsencrypt_enabled when: letsencrypt_enabled
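Review bot: The `published_ports` entries are now unquoted (`80:80`, `443:443`); these two still load as strings only because the YAML 1.1 loader PyYAML/Ansible use reads `N:MM` as a sexagesimal integer solely when the part after the colon is in 00–59. The mailu compose definition earlier in this same commit unquotes `25:25`, which that rule does match: it loads as the integer 1525, so the SMTP port mapping is silently replaced. Keep port mappings quoted everywhere, i.e. `- '80:80'` / `- '443:443'` here and `- '25:25'` in the mailu section, so the value type does not depend on the port number.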


@ -1,62 +1,62 @@
--- ---
- name: create ldap volume folders - name: create ldap volume folders
file: ansible.builtin.file:
name: "{{ services.openldap.volume_folder }}/{{ volume }}" name: '{{ services.openldap.volume_folder }}/{{ volume }}'
state: directory state: directory
loop: loop:
- "var/lib/ldap" - var/lib/ldap
- "etc/slapd" - etc/slapd
- "certs" - certs
loop_control: loop_control:
loop_var: volume loop_var: volume
- name: Create a network for ldap - name: Create a network for ldap
docker_network: community.docker.docker_network:
name: ldap name: ldap
- name: openLDAP container - name: openLDAP container
docker_container: community.docker.docker_container:
name: openldap name: openldap
image: osixia/openldap:{{ services.openldap.version }} image: osixia/openldap:{{ services.openldap.version }}
tty: true tty: true
interactive: true interactive: true
restart_policy: unless-stopped restart_policy: unless-stopped
volumes: volumes:
- "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap" - '{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap'
- "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d" - '{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d'
- "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/" - '{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/'
published_ports: published_ports:
- "389:389" - 389:389
- "636:636" - 636:636
hostname: "{{ services.openldap.domain }}" hostname: '{{ services.openldap.domain }}'
domainname: "{{ services.openldap.domain }}" # important: same as hostname domainname: '{{ services.openldap.domain }}' # important: same as hostname
networks: networks:
- name: ldap - name: ldap
env: env:
LDAP_LOG_LEVEL: "256" LDAP_LOG_LEVEL: '256'
LDAP_ORGANISATION: "{{ base_domain }}" LDAP_ORGANISATION: '{{ base_domain }}'
LDAP_DOMAIN: "{{ base_domain }}" LDAP_DOMAIN: '{{ base_domain }}'
LDAP_BASE_DN: "" LDAP_BASE_DN: ''
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}" LDAP_ADMIN_PASSWORD: '{{ ldap_admin_password }}'
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}" LDAP_CONFIG_PASSWORD: '{{ ldap_config_password }}'
LDAP_READONLY_USER: "false" LDAP_READONLY_USER: 'false'
LDAP_RFC2307BIS_SCHEMA: "false" LDAP_RFC2307BIS_SCHEMA: 'false'
LDAP_BACKEND: "mdb" LDAP_BACKEND: mdb
LDAP_TLS: "true" LDAP_TLS: 'true'
LDAP_TLS_CRT_FILENAME: "ldap.crt" LDAP_TLS_CRT_FILENAME: ldap.crt
LDAP_TLS_KEY_FILENAME: "ldap.key" LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: "ca.crt" LDAP_TLS_CA_CRT_FILENAME: ca.crt
LDAP_TLS_ENFORCE: "false" LDAP_TLS_ENFORCE: 'false'
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0" LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_PROTOCOL_MIN: "3.1" LDAP_TLS_PROTOCOL_MIN: '3.1'
LDAP_TLS_VERIFY_CLIENT: "demand" LDAP_TLS_VERIFY_CLIENT: demand
LDAP_REPLICATION: "false" LDAP_REPLICATION: 'false'
KEEP_EXISTING_CONFIG: "false" KEEP_EXISTING_CONFIG: 'false'
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" LDAP_REMOVE_CONFIG_AFTER_SETUP: 'true'
LDAP_SSL_HELPER_PREFIX: "ldap" LDAP_SSL_HELPER_PREFIX: ldap
- name: phpLDAPadmin container - name: phpLDAPadmin container
docker_container: community.docker.docker_container:
name: phpldapadmin name: phpldapadmin
image: osixia/phpldapadmin:{{ services.phpldapadmin.version }} image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
@ -64,10 +64,10 @@
- name: external_services - name: external_services
- name: ldap - name: ldap
env: env:
PHPLDAPADMIN_LDAP_HOSTS: "openldap" PHPLDAPADMIN_LDAP_HOSTS: openldap
PHPLDAPADMIN_HTTPS: "false" PHPLDAPADMIN_HTTPS: 'false'
PHPLDAPADMIN_TRUST_PROXY_SSL: "true" PHPLDAPADMIN_TRUST_PROXY_SSL: 'true'
VIRTUAL_HOST: "{{ services.openldap.domain }}" VIRTUAL_HOST: '{{ services.openldap.domain }}'
LETSENCRYPT_HOST: "{{ services.openldap.domain }}" LETSENCRYPT_HOST: '{{ services.openldap.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'


@ -1,42 +1,42 @@
--- ---
- name: setup passit containers - name: setup passit containers
docker_compose: community.docker.docker_compose:
project_name: "passit" project_name: passit
pull: "yes" pull: true
definition: definition:
version: "3.6" version: '3.6'
services: services:
passit_db: passit_db:
image: "postgres:10" image: postgres:10
restart: "always" restart: always
networks: networks:
- "passit" - passit
volumes: volumes:
- "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data" - '{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data'
environment: environment:
POSTGRES_USER: "passit" POSTGRES_USER: passit
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" POSTGRES_PASSWORD: '{{ postgres_passwords.passit }}'
passit_app: passit_app:
image: "passit/passit:{{ services.passit.version }}" image: passit/passit:{{ services.passit.version }}
command: "bin/start.sh" command: bin/start.sh
restart: "always" restart: always
networks: networks:
- "passit" - passit
- "postfix" - postfix
- "external_services" - external_services
environment: environment:
DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit" DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit
SECRET_KEY: "{{ passit_secret_key }}" SECRET_KEY: '{{ passit_secret_key }}'
IS_DEBUG: 'False' IS_DEBUG: 'False'
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}" DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}" EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
FIDO_SERVER_ID: "{{ services.passit.domain }}" FIDO_SERVER_ID: '{{ services.passit.domain }}'
VIRTUAL_HOST: "{{ services.passit.domain }}" VIRTUAL_HOST: '{{ services.passit.domain }}'
LETSENCRYPT_HOST: "{{ services.passit.domain }}" LETSENCRYPT_HOST: '{{ services.passit.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
networks: networks:
passit: passit:


@ -1,12 +1,12 @@
--- ---
- name: create portainer volume folder - name: create portainer volume folder
file: ansible.builtin.file:
name: "{{ services.portainer.volume_folder }}" name: '{{ services.portainer.volume_folder }}'
state: directory state: directory
- name: run portainer - name: run portainer
docker_container: community.docker.docker_container:
name: portainer name: portainer
image: portainer/portainer-ee:{{ services.portainer.version }} image: portainer/portainer-ee:{{ services.portainer.version }}
restart_policy: always restart_policy: always
@ -14,9 +14,9 @@
- name: external_services - name: external_services
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- "{{ services.portainer.volume_folder }}:/data" - '{{ services.portainer.volume_folder }}:/data'
env: env:
VIRTUAL_HOST: "{{ services.portainer.domain }}" VIRTUAL_HOST: '{{ services.portainer.domain }}'
VIRTUAL_PORT: "9000" VIRTUAL_PORT: '9000'
LETSENCRYPT_HOST: "{{ services.portainer.domain }}" LETSENCRYPT_HOST: '{{ services.portainer.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'


@ -1,20 +1,21 @@
--- ---
- name: setup network for postfix - name: setup network for postfix
docker_network: community.docker.docker_network:
name: postfix name: postfix
ipam_config: ipam_config:
- subnet: '172.16.0.0/16' - subnet: 172.16.0.0/16
gateway: 172.16.0.1 gateway: 172.16.0.1
- name: setup postfix docker container for outgoing mail - name: setup postfix docker container for outgoing mail
docker_container: community.docker.docker_container:
name: postfix name: postfix
image: boky/postfix:{{ services.postfix.version }} image: boky/postfix:{{ services.postfix.version }}
restart_policy: always restart_policy: always
networks: networks:
- name: postfix - name: postfix
env: env:
# Get all services which have allowed_sender_domain defined # Get all services which have allowed_sender_domain defined
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}" ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain',\
HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as \ 'defined') | map(attribute='value.domain') | list | join(' ') }}"
HOSTNAME: smtp.data.coop # the name the smtp server will identify itself as
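Review bot: The rewrapped `ALLOWED_SENDER_DOMAINS` value now depends on a backslash-escaped line break followed by `\ ` to keep the space before `'defined'`; it parses to the same string, but it is hard to read and easy to break on the next reformat. A folded block scalar expresses the same value without escapes: `ALLOWED_SENDER_DOMAINS: >-` / `  {{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined')` / `  | map(attribute='value.domain') | list | join(' ') }}`. If the formatter keeps rewrapping this line, raise its line-length setting for this file rather than accepting escaped continuations inside a Jinja expression.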


@ -1,8 +1,8 @@
--- ---
- name: create privatebin volume folders - name: create privatebin volume folders
file: ansible.builtin.file:
name: "{{ services.privatebin.volume_folder }}/{{ volume }}" name: '{{ services.privatebin.volume_folder }}/{{ volume }}'
state: directory state: directory
loop: loop:
- cfg - cfg
@ -11,21 +11,21 @@
loop_var: volume loop_var: volume
- name: upload privatebin config - name: upload privatebin config
template: ansible.builtin.template:
src: files/configs/privatebin-conf.php src: files/configs/privatebin-conf.php
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php" dest: '{{ services.privatebin.volume_folder }}/cfg/conf.php'
- name: privatebin app container - name: privatebin app container
docker_container: community.docker.docker_container:
name: privatebin name: privatebin
image: jgeusebroek/privatebin:{{ services.privatebin.version }} image: jgeusebroek/privatebin:{{ services.privatebin.version }}
restart_policy: unless-stopped restart_policy: unless-stopped
volumes: volumes:
- "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg" - '{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg'
- "{{ services.privatebin.volume_folder }}/data:/privatebin/data" - '{{ services.privatebin.volume_folder }}/data:/privatebin/data'
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST: "{{ services.privatebin.domain }}" VIRTUAL_HOST: '{{ services.privatebin.domain }}'
LETSENCRYPT_HOST: "{{ services.privatebin.domain }}" LETSENCRYPT_HOST: '{{ services.privatebin.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'


@ -1,58 +1,59 @@
---
- name: Create rallly volume folders - name: Create rallly volume folders
file: ansible.builtin.file:
name: "{{ services.rallly.volume_folder }}/postgres" name: '{{ services.rallly.volume_folder }}/postgres'
state: directory state: directory
- name: Copy Rallly environment file - name: Copy Rallly environment file
template: ansible.builtin.template:
src: files/configs/rallly/env_file.j2 src: files/configs/rallly/env_file.j2
dest: "{{ services.rallly.volume_folder }}/env_file" dest: '{{ services.rallly.volume_folder }}/env_file'
- name: Set up Rallly - name: Set up Rallly
docker_compose: community.docker.docker_compose:
project_name: "rallly" project_name: rallly
pull: "yes" pull: true
definition: definition:
version: "3.8" version: '3.8'
services: services:
rallly_db: rallly_db:
image: "postgres:14-alpine" image: postgres:14-alpine
restart: "always" restart: always
shm_size: "256mb" shm_size: 256mb
networks: networks:
rallly_internal: rallly_internal:
volumes: volumes:
- "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data" - '{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data'
environment: environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}" POSTGRES_PASSWORD: '{{ postgres_passwords.rallly }}'
POSTGRES_DB: "rallly_db" POSTGRES_DB: rallly_db
healthcheck: healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"] test: [CMD-SHELL, pg_isready -U postgres]
interval: 5s interval: 5s
timeout: 5s timeout: 5s
retries: 5 retries: 5
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'
rallly: rallly:
image: "lukevella/rallly:{{ services.rallly.version }}" image: lukevella/rallly:{{ services.rallly.version }}
restart: "always" restart: always
networks: networks:
rallly_internal: rallly_internal:
external_services: external_services:
postfix: postfix:
depends_on: depends_on:
rallly_db: rallly_db:
condition: "service_healthy" condition: service_healthy
env_file: env_file:
- "{{ services.rallly.volume_folder }}/env_file" - '{{ services.rallly.volume_folder }}/env_file'
environment: environment:
VIRTUAL_HOST: "{{ services.rallly.domain }}" VIRTUAL_HOST: '{{ services.rallly.domain }}'
VIRTUAL_PORT: "3000" VIRTUAL_PORT: '3000'
LETSENCRYPT_HOST: "{{ services.rallly.domain }}" LETSENCRYPT_HOST: '{{ services.rallly.domain }}'
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'
networks: networks:
rallly_internal: rallly_internal:


@ -1,6 +1,6 @@
--- ---
- name: Setup restic backup - name: Setup restic backup
docker_compose: community.docker.docker_compose:
project_name: restic_backup project_name: restic_backup
pull: true pull: true
definition: definition:
@ -10,11 +10,12 @@
image: mazzolino/restic:{{ services.restic.version }} image: mazzolino/restic:{{ services.restic.version }}
restart: always restart: always
environment: environment:
RUN_ON_STARTUP: "true" RUN_ON_STARTUP: 'true'
BACKUP_CRON: "0 30 3 * * *" BACKUP_CRON: 0 30 3 * * *
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" }}@{{ services.restic.domain }}/{{ services.restic.repository }}
RESTIC_BACKUP_SOURCES: "/mnt/volumes" RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
RESTIC_BACKUP_SOURCES: /mnt/volumes
RESTIC_BACKUP_ARGS: >- RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes --tag datacoop-volumes
--exclude='*.tmp' --exclude='*.tmp'
@ -29,10 +30,11 @@
- /docker-volumes:/mnt/volumes:ro - /docker-volumes:/mnt/volumes:ro
restic-prune: restic-prune:
image: "mazzolino/restic:{{ services.restic.version }}" image: mazzolino/restic:{{ services.restic.version }}
environment: environment:
RUN_ON_STARTUP: "true" RUN_ON_STARTUP: 'true'
PRUNE_CRON: "0 0 4 * * *" PRUNE_CRON: 0 0 4 * * *
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" }}@{{ services.restic.domain }}/{{ services.restic.repository }}
RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
TZ: Europe/copenhagen TZ: Europe/copenhagen
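Review bot: Both `RESTIC_REPOSITORY` values (backup and prune services) are now unquoted plain scalars broken across two lines, so YAML folds the break into a space that lands inside the `{{ restic_secrets.user_password }}` expression; Jinja tolerates that today, but a rewrap that breaks outside the braces would insert a space into the repository URL. The same unquoted-and-wrapped pattern appears in `VIRTUAL_HOST`/`LETSENCRYPT_HOST` of the 2022.slides and new-new website tasks, in the new-new `command`, and in the Dell `repo:` line. Keep Jinja-bearing values quoted, or make the fold explicit: `RESTIC_REPOSITORY: >-` / `  rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}`. Separately, on the new side `TZ: Europe/copenhagen` is not a valid zoneinfo name (these are case-sensitive; `Europe/Copenhagen`), so the prune cron most likely runs on UTC rather than local time.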


@ -1,6 +1,6 @@
--- ---
- name: watchtower container - name: watchtower container
docker_container: community.docker.docker_container:
name: watchtower name: watchtower
image: containrrr/watchtower:1.4.0 image: containrrr/watchtower:1.4.0
restart_policy: unless-stopped restart_policy: unless-stopped
@ -8,7 +8,7 @@
- name: external_services - name: external_services
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- "{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json" - '{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json'
env: env:
WATCHTOWER_LABEL_ENABLE: "true" WATCHTOWER_LABEL_ENABLE: 'true'
WATCHTOWER_POLL_INTERVAL: "60" WATCHTOWER_POLL_INTERVAL: '60'


@ -1,23 +1,24 @@
--- ---
- name: setup 2022.slides.data.coop website using unipi - name: setup 2022.slides.data.coop website using unipi
docker_container: community.docker.docker_container:
name: 2022.slides.data.coop_website name: 2022.slides.data.coop_website
image: docker.data.coop/unipi:latest image: docker.data.coop/unipi:latest
restart_policy: unless-stopped restart_policy: unless-stopped
purge_networks: yes purge_networks: true
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}" VIRTUAL_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
LETSENCRYPT_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}" }}
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
# Temporarily hosting on github }}
command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
# Temporarily hosting on github
command: --remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022
capabilities: capabilities:
- NET_ADMIN - NET_ADMIN
devices: devices:
- "/dev/net/tun" - /dev/net/tun
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'


@ -1,15 +1,15 @@
--- ---
- name: setup cryptoaarhus.dk website docker container - name: setup cryptoaarhus.dk website docker container
docker_container: community.docker.docker_container:
name: cryptoaarhus_website name: cryptoaarhus_website
restart_policy: unless-stopped restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website image: docker.data.coop/cryptoaarhus-website
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}" VIRTUAL_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'


@ -1,15 +1,15 @@
--- ---
- name: setup cryptohagen.dk website docker container - name: setup cryptohagen.dk website docker container
docker_container: community.docker.docker_container:
name: cryptohagen_website name: cryptohagen_website
restart_policy: unless-stopped restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website image: docker.data.coop/cryptohagen-website
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}" VIRTUAL_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'


@ -1,15 +1,15 @@
--- ---
- name: setup data.coop website docker container - name: setup data.coop website docker container
docker_container: community.docker.docker_container:
name: data.coop_website name: data.coop_website
image: docker.data.coop/data-coop-website image: docker.data.coop/data-coop-website
restart_policy: unless-stopped restart_policy: unless-stopped
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}" VIRTUAL_HOST: "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'


@ -1,21 +1,23 @@
---
- name: setup new-new data.coop website using unipi - name: setup new-new data.coop website using unipi
docker_container: community.docker.docker_container:
name: new-new.data.coop_website name: new-new.data.coop_website
image: docker.data.coop/unipi:latest image: docker.data.coop/unipi:latest
restart_policy: unless-stopped restart_policy: unless-stopped
purge_networks: yes purge_networks: true
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}" VIRTUAL_HOST: new-new.{{ services.data_coop_website.domains|join(',') }}
LETSENCRYPT_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: new-new.{{ services.data_coop_website.domains|join(',')
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" }}
# The ssh-key is for read-only only LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI" # The ssh-key is for read-only only
command: --remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU=
--ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI
capabilities: capabilities:
- NET_ADMIN - NET_ADMIN
devices: devices:
- "/dev/net/tun" - /dev/net/tun
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'
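Review bot: The `--ssh-key ed25519:…` argument in `command` embeds what appears to be the private half of the deploy key directly in the playbook, while every other secret in these tasks is taken from vaulted variables such as `{{ restic_secrets.repository_password }}`. Even a read-only key grants clone access to the repository to anyone who can read this file or the container's command line (`docker inspect` shows it), so it belongs in a vaulted variable, e.g. `--ssh-key {{ unipi_deploy_key }}` (constructed name), with the existing "read-only" comment kept next to it. The `--ssh-authenticator SHA256:…` host-key pin is the right approach and should stay. The command value is also now a wrapped plain scalar; quote it or use `>-` so the fold is explicit.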


@ -1,15 +1,15 @@
--- ---
- name: setup new data.coop website using hugo - name: setup new data.coop website using hugo
docker_container: community.docker.docker_container:
name: new.data.coop_website name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped restart_policy: unless-stopped
networks: networks:
- name: external_services - name: external_services
env: env:
VIRTUAL_HOST : "new.{{ services.data_coop_website.domains|join(',') }}" VIRTUAL_HOST: new.{{ services.data_coop_website.domains|join(',') }}
LETSENCRYPT_HOST: "new.{{ services.data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: new.{{ services.data_coop_website.domains|join(',') }}
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'


@ -1,5 +1,6 @@
---
- name: setup ulovliglogning.dk website docker container - name: setup ulovliglogning.dk website docker container
docker_container: community.docker.docker_container:
name: ulovliglogning_website name: ulovliglogning_website
restart_policy: unless-stopped restart_policy: unless-stopped
image: ulovliglogning/ulovliglogning.dk:latest image: ulovliglogning/ulovliglogning.dk:latest
@ -8,6 +9,6 @@
env: env:
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}" VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels: labels:
com.centurylinklabs.watchtower.enable: "true" com.centurylinklabs.watchtower.enable: 'true'


@ -1,7 +1,7 @@
--- ---
- name: Install necessary packages via apt - name: Install necessary packages via apt
apt: ansible.builtin.apt:
name: "{{ packages }}" name: '{{ packages }}'
vars: vars:
packages: packages:
- aptitude - aptitude
@ -11,13 +11,13 @@
- mosh - mosh
- name: Install Dell OpenManage - name: Install Dell OpenManage
apt: ansible.builtin.apt:
name: srvadmin-all name: srvadmin-all
when: not vagrant when: not vagrant
- name: Install necessary packages via pip - name: Install necessary packages via pip
pip: pip:
name: "{{ packages }}" name: '{{ packages }}'
vars: vars:
packages: packages:
- docker - docker
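Review bot: `pip:` in the "Install necessary packages via pip" task is left as the short module name while the neighbouring `apt` tasks were converted to `ansible.builtin.apt`; for consistency (and the ansible-lint fqcn rule this commit seems to be addressing) change it to `ansible.builtin.pip:`. The `apt_key:` task in dell-apt-repo.yml has the same omission. The hunk ends inside the `packages` list, so the rest of that task is outside the diff.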


@ -1,18 +1,19 @@
--- ---
- name: Import dell apt signing key - name: Import dell apt signing key
apt_key: apt_key:
id: "1285491434D8786F" id: 1285491434D8786F
keyserver: "keyserver.ubuntu.com" keyserver: keyserver.ubuntu.com
- name: Configure dell apt repo - name: Configure dell apt repo
apt_repository: ansible.builtin.apt_repository:
repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main" repo: deb https://linux.dell.com/repo/community/openmanage/10101/focal focal
main
state: present state: present
- name: Restrict dell apt repo" - name: Restrict dell apt repo"
copy: ansible.builtin.copy:
dest: "/etc/apt/preferences.d/dell" dest: /etc/apt/preferences.d/dell
content: | content: |-
Explanation: Deny all packages from this repo that exist elsewhere Explanation: Deny all packages from this repo that exist elsewhere
Package: * Package: *
Pin: origin "linux.dell.com" Pin: origin "linux.dell.com"
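Review bot: The task name `Restrict dell apt repo"` still carries a stray trailing double quote that survived the reformat; it should read `- name: Restrict dell apt repo`. `apt_key:` was not converted to `ansible.builtin.apt_key:` like the other modules in this commit. Changing `content: |` to `content: |-` also changes what is written to `/etc/apt/preferences.d/dell` (the trailing newline is dropped); apt will probably still parse it, but it is a content change to a managed file, not just formatting, and the pin block continues past the end of the hunk.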


@ -1,22 +1,22 @@
--- ---
- name: Setup firewall with UFW - name: Setup firewall with UFW
community.general.ufw: community.general.ufw:
state: enabled state: enabled
policy: deny policy: deny
- name: Allow necessary ports - name: Allow necessary ports
community.general.ufw: community.general.ufw:
rule: allow rule: allow
port: "{{ item.port }}" port: '{{ item.port }}'
proto: "{{ item.proto | default('tcp') }}" proto: "{{ item.proto | default('tcp') }}"
loop: loop:
- port: 22 # Gitea SSH - port: 22 # Gitea SSH
- port: 80 # HTTP - port: 80 # HTTP
- port: 443 # HTTPS - port: 443 # HTTPS
- port: 389 # OpenLDAP - port: 389 # OpenLDAP
- port: 636 # OpenLDAP - port: 636 # OpenLDAP
- port: 25 # Email - port: 25 # Email
- port: 465 # Email - port: 465 # Email
- port: 587 # Email - port: 587 # Email
- port: 993 # Email - port: 993 # Email
- port: 19022 # SSH - port: 19022 # SSH


@ -1,19 +1,25 @@
--- ---
- import_tasks: ssh-port.yml - name: Set SSH port
ansible.builtin.import_tasks: ssh-port.yml
tags: [change-ssh-port] tags: [change-ssh-port]
- import_tasks: dell-apt-repo.yml - name: Set up Dell apt repo
ansible.builtin.import_tasks: dell-apt-repo.yml
tags: [setup-dell-apt-repo] tags: [setup-dell-apt-repo]
when: not vagrant when: not vagrant
- import_tasks: upgrade.yml - name: Make sure system is up to date
ansible.builtin.import_tasks: upgrade.yml
tags: [do-full-system-upgrade] tags: [do-full-system-upgrade]
- import_tasks: base.yml - name: Install base packages
ansible.builtin.import_tasks: base.yml
tags: [install-base-packages] tags: [install-base-packages]
- import_tasks: users.yml - name: Setup users
ansible.builtin.import_tasks: users.yml
tags: [setup-users] tags: [setup-users]
- import_tasks: firewall.yml - name: Setup firewall
ansible.builtin.import_tasks: firewall.yml
tags: [setup-firewall] tags: [setup-firewall]


@ -1,20 +1,18 @@
--- ---
- name: Change SSH port on host - name: Change SSH port on host
lineinfile: ansible.builtin.lineinfile:
dest: "/etc/ssh/sshd_config" dest: /etc/ssh/sshd_config
regexp: "^#?Port " regexp: '^#?Port '
line: "Port 19022" line: Port 19022
register: ssh_changed register: ssh_changed
- name: Restart sshd - name: Restart sshd
service: ansible.builtin.service:
name: sshd name: sshd
state: restarted state: restarted
when: ssh_changed is defined and when: ssh_changed is defined and ssh_changed.changed
ssh_changed.changed
- name: Change Ansible port to 19022 - name: Change Ansible port to 19022
set_fact: ansible.builtin.set_fact:
ansible_port: 19022 ansible_port: 19022
when: ssh_changed is defined and when: ssh_changed is defined and ssh_changed.changed
ssh_changed.changed
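Review bot: The `lineinfile` edit of `/etc/ssh/sshd_config` is followed directly by a restart of sshd, so a malformed result would leave the host unreachable; add `validate: /usr/sbin/sshd -t -f %s` to the `ansible.builtin.lineinfile` task so the restart only runs on a config sshd accepts. Port 19022 is hard-coded here, in the `set_fact`, and in the firewall rule list; a single `ssh_port` variable would keep them from drifting. `when: ssh_changed is defined and ssh_changed.changed` can be the idiomatic `when: ssh_changed is changed`, since `register` always defines the variable.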


@ -1,5 +1,5 @@
--- ---
- name: update and upgrade system via apt - name: Update and upgrade system via apt
apt: ansible.builtin.apt:
update_cache: yes update_cache: true
upgrade: full upgrade: full


@ -1,22 +1,23 @@
--- ---
- name: "Add users" - name: Add users
user: user:
name: "{{ item.name }}" name: '{{ item.name }}'
comment: "{{ item.comment }}" comment: '{{ item.comment }}'
password: "{{ item.password }}" password: '{{ item.password }}'
groups: "{{ item.groups }}" groups: '{{ item.groups }}'
update_password: "always" update_password: always
loop: "{{ users | default([]) }}" loop: '{{ users | default([]) }}'
- name: "Add ssh authorized_keys" - name: Add ssh authorized_keys
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "{{ item.name }}" user: '{{ item.name }}'
key: "{{ item.ssh_keys | join('\n') }}" key: "{{ item.ssh_keys | join('\n') }}"
exclusive: true exclusive: true
loop: "{{ users | default([]) }}" loop: '{{ users | default([]) }}'
- name: "Add ssh authorized_keys to root user" - name: Add ssh authorized_keys to root user
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "root" user: root
key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}" key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n\
') }}"
exclusive: true exclusive: true