Merge pull request 'Refactor service deployment + upload Compose files to the server' (#178) from compose-files into main
Reviewed-on: #178
This commit is contained in:
commit
c7289b4c5a
10
Vagrantfile
vendored
10
Vagrantfile
vendored
|
@ -13,7 +13,8 @@ Vagrant.configure(2) do |config|
|
||||||
config.vm.hostname = "datacoop"
|
config.vm.hostname = "datacoop"
|
||||||
|
|
||||||
config.vm.provider :virtualbox do |v|
|
config.vm.provider :virtualbox do |v|
|
||||||
v.memory = 8192
|
v.cpus = 8
|
||||||
|
v.memory = 16384
|
||||||
end
|
end
|
||||||
|
|
||||||
config.vm.provision :ansible do |ansible|
|
config.vm.provision :ansible do |ansible|
|
||||||
|
@ -26,7 +27,12 @@ Vagrant.configure(2) do |config|
|
||||||
if provisioned?
|
if provisioned?
|
||||||
config.ssh.guest_port = PORT
|
config.ssh.guest_port = PORT
|
||||||
ansible.extra_vars = {
|
ansible.extra_vars = {
|
||||||
ansible_port: PORT
|
ansible_port: PORT,
|
||||||
|
from_vagrant: true
|
||||||
|
}
|
||||||
|
else
|
||||||
|
ansible.extra_vars = {
|
||||||
|
from_vagrant: true
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
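Review bot: `from_vagrant: true` is repeated in both branches of the `if provisioned?` block even though only `ansible_port` depends on the branch, so the two hashes will drift the next time a flag is added. Building the hash once keeps the intent visible, e.g. `ansible.extra_vars = { from_vagrant: true }.merge(provisioned? ? { ansible_port: PORT } : {})`, with `config.ssh.guest_port = PORT` staying inside the conditional. This is a style point only; the values passed to Ansible are unchanged. The enclosing `Vagrant.configure(2) do |config|` block starts before the hunk.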
@ -13,6 +13,7 @@ BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
|
||||||
|
|
||||||
if [ "$1" = "--vagrant" ]; then
|
if [ "$1" = "--vagrant" ]; then
|
||||||
BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
|
BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
|
||||||
|
VAGRANT_VAR="from_vagrant"
|
||||||
shift
|
shift
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -29,17 +30,17 @@ else
|
||||||
"services")
|
"services")
|
||||||
if [ -z "$2" ]; then
|
if [ -z "$2" ]; then
|
||||||
echo "Deploying all services!"
|
echo "Deploying all services!"
|
||||||
$BASE_CMD --tags setup_services
|
eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
|
||||||
else
|
else
|
||||||
echo "Deploying service: $2"
|
echo "Deploying service: $2"
|
||||||
$BASE_CMD --tags setup_services --extra-vars "single_service=$2"
|
$BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
"base")
|
"base")
|
||||||
$BASE_CMD --tags base_only
|
eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
|
||||||
;;
|
;;
|
||||||
"users")
|
"users")
|
||||||
$BASE_CMD --tags setup-users
|
eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
usage
|
usage
|
||||||
|
|
|
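Review bot: The three `eval` lines (the "all services", "base" and "users" branches) append `from_vagrant=true` as a bare positional argument with no `--extra-vars` in front of it, and ansible-playbook treats positional arguments as playbook paths, so as far as I can see every `--vagrant` run of these branches will fail with a "playbook could not be found" error instead of setting the variable. The `eval` is also unnecessary: the conditional argument can be expressed without re-parsing the command line, e.g. `$BASE_CMD --tags base_only ${VAGRANT_VAR:+--extra-vars "$VAGRANT_VAR=true"}`, with the same change for the other two branches. In the single-service branch `$2` is spliced into the JSON document without escaping, so a name containing a double quote or backslash yields invalid JSON; since the value selects a key in `services`, validating it against `[A-Za-z0-9_]+` before use would close that gap. The `case` statement enclosing these lines starts before the hunk.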
@ -6,7 +6,7 @@
|
||||||
vars:
|
vars:
|
||||||
ldap_dn: "dc=data,dc=coop"
|
ldap_dn: "dc=data,dc=coop"
|
||||||
|
|
||||||
vagrant: "{{ ansible_virtualization_role == 'guest' }}"
|
vagrant: "{{ from_vagrant is defined and from_vagrant }}"
|
||||||
letsencrypt_enabled: "{{ not vagrant }}"
|
letsencrypt_enabled: "{{ not vagrant }}"
|
||||||
|
|
||||||
base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
|
base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
|
||||||
|
|
|
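Review bot: `from_vagrant is defined and from_vagrant` relies on Jinja truthiness, and when the flag arrives from the command line in `key=value` form it is the string `"true"`; any non-empty string, including `"false"`, is truthy, so the flag cannot be switched off once the variable is present. Because `letsencrypt_enabled` and `base_domain` are both derived from `vagrant`, a wrong value here points a Vagrant box at `data.coop` and enables Let's Encrypt. `vagrant: "{{ from_vagrant | default(false) | bool }}"` handles both the missing and the string-valued case. Note that the previous `ansible_virtualization_role` test was automatic whereas the new flag must be supplied by every caller; the Vagrantfile and the `--vagrant` deploy path in this commit do so, but any other invocation is now treated as production.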
@ -1,46 +1,41 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
---
|
---
|
||||||
volume_root_folder: "/docker-volumes"
|
volume_root_folder: "/docker-volumes"
|
||||||
|
volume_website_folder: "{{ volume_root_folder }}/websites"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
|
|
||||||
### Internal services ###
|
### Internal services ###
|
||||||
postfix:
|
postfix:
|
||||||
file: postfix.yml
|
|
||||||
domain: "smtp.{{ base_domain }}"
|
domain: "smtp.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/postfix"
|
volume_folder: "{{ volume_root_folder }}/postfix"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: "v3.6.1-alpine"
|
version: "v3.6.1-alpine"
|
||||||
|
|
||||||
nginx_proxy:
|
nginx_proxy:
|
||||||
file: nginx_proxy.yml
|
|
||||||
version: "1.3-alpine"
|
|
||||||
volume_folder: "{{ volume_root_folder }}/nginx"
|
volume_folder: "{{ volume_root_folder }}/nginx"
|
||||||
|
pre_deploy_tasks: true
|
||||||
nginx_acme_companion:
|
version: "1.3-alpine"
|
||||||
version: "2.2"
|
acme_companion_version: "2.2"
|
||||||
|
|
||||||
openldap:
|
openldap:
|
||||||
file: openldap.yml
|
|
||||||
domain: "ldap.{{ base_domain }}"
|
domain: "ldap.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/openldap"
|
volume_folder: "{{ volume_root_folder }}/openldap"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: "1.5.0"
|
version: "1.5.0"
|
||||||
|
phpldapadmin_version: "0.9.0"
|
||||||
phpldapadmin:
|
|
||||||
version: "0.9.0"
|
|
||||||
|
|
||||||
netdata:
|
netdata:
|
||||||
file: netdata.yml
|
|
||||||
domain: "netdata.{{ base_domain }}"
|
domain: "netdata.{{ base_domain }}"
|
||||||
|
volume_folder: "{{ volume_root_folder }}/netdata"
|
||||||
version: "v1"
|
version: "v1"
|
||||||
|
|
||||||
portainer:
|
portainer:
|
||||||
file: portainer.yml
|
|
||||||
domain: "portainer.{{ base_domain }}"
|
domain: "portainer.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/portainer"
|
volume_folder: "{{ volume_root_folder }}/portainer"
|
||||||
version: "2.19.0"
|
version: "2.19.0"
|
||||||
|
|
||||||
keycloak:
|
keycloak:
|
||||||
file: keycloak.yml
|
|
||||||
domain: sso.{{ base_domain }}
|
domain: sso.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/keycloak"
|
volume_folder: "{{ volume_root_folder }}/keycloak"
|
||||||
version: "22.0"
|
version: "22.0"
|
||||||
|
@ -48,19 +43,20 @@ services:
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
restic:
|
restic:
|
||||||
file: restic_backup.yml
|
volume_folder: "{{ volume_root_folder }}/restic"
|
||||||
|
pre_deploy_tasks: true
|
||||||
user: dc-user
|
user: dc-user
|
||||||
domain: rynkeby.skovgaard.tel
|
domain: rynkeby.skovgaard.tel
|
||||||
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
|
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
|
||||||
volume_folder: "{{ volume_root_folder }}/restic"
|
|
||||||
repository: restic
|
repository: restic
|
||||||
version: "1.7.0"
|
version: "1.7.0"
|
||||||
disabled_in_vagrant: true
|
disabled_in_vagrant: true
|
||||||
|
|
||||||
docker_registry:
|
docker_registry:
|
||||||
file: docker_registry.yml
|
|
||||||
domain: "docker.{{ base_domain }}"
|
domain: "docker.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/docker-registry"
|
volume_folder: "{{ volume_root_folder }}/docker-registry"
|
||||||
|
pre_deploy_tasks: true
|
||||||
|
post_deploy_tasks: true
|
||||||
username: "docker"
|
username: "docker"
|
||||||
password: "{{ docker_password }}"
|
password: "{{ docker_password }}"
|
||||||
version: "2"
|
version: "2"
|
||||||
|
@ -68,23 +64,21 @@ services:
|
||||||
### External services ###
|
### External services ###
|
||||||
|
|
||||||
nextcloud:
|
nextcloud:
|
||||||
file: nextcloud.yml
|
|
||||||
domain: "cloud.{{ base_domain }}"
|
domain: "cloud.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/nextcloud"
|
volume_folder: "{{ volume_root_folder }}/nextcloud"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: 27-apache
|
version: 27-apache
|
||||||
postgres_version: "10"
|
postgres_version: "10"
|
||||||
redis_version: 7-alpine
|
redis_version: 7-alpine
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
forgejo:
|
forgejo:
|
||||||
file: forgejo.yml
|
|
||||||
domain: "git.{{ base_domain }}"
|
domain: "git.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/forgejo"
|
volume_folder: "{{ volume_root_folder }}/forgejo"
|
||||||
version: "1.20"
|
version: "1.20"
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
passit:
|
passit:
|
||||||
file: passit.yml
|
|
||||||
domain: "passit.{{ base_domain }}"
|
domain: "passit.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/passit"
|
volume_folder: "{{ volume_root_folder }}/passit"
|
||||||
version: stable
|
version: stable
|
||||||
|
@ -92,123 +86,123 @@ services:
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
matrix:
|
matrix:
|
||||||
file: matrix_element.yml
|
|
||||||
domain: "matrix.{{ base_domain }}"
|
domain: "matrix.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/matrix"
|
volume_folder: "{{ volume_root_folder }}/matrix"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: v1.90.0
|
version: v1.90.0
|
||||||
postgres_version: 15-alpine
|
postgres_version: 15-alpine
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
element:
|
element:
|
||||||
domains:
|
domain: "element.{{ base_domain }}"
|
||||||
- "riot.{{ base_domain }}"
|
|
||||||
- "element.{{ base_domain }}"
|
|
||||||
volume_folder: "{{ volume_root_folder }}/element"
|
volume_folder: "{{ volume_root_folder }}/element"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: v1.11.43
|
version: v1.11.43
|
||||||
|
|
||||||
privatebin:
|
privatebin:
|
||||||
file: privatebin.yml
|
|
||||||
domain: "paste.{{ base_domain }}"
|
domain: "paste.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/privatebin"
|
volume_folder: "{{ volume_root_folder }}/privatebin"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: "20221009"
|
version: "20221009"
|
||||||
|
|
||||||
hedgedoc:
|
hedgedoc:
|
||||||
file: hedgedoc.yml
|
|
||||||
domain: "pad.{{ base_domain }}"
|
domain: "pad.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/hedgedoc"
|
volume_folder: "{{ volume_root_folder }}/hedgedoc"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: 1.9.9-alpine
|
version: 1.9.9-alpine
|
||||||
postgres_version: 10-alpine
|
postgres_version: 10-alpine
|
||||||
|
|
||||||
data_coop_website:
|
data_coop_website:
|
||||||
file: websites/data.coop.yml
|
|
||||||
domain: "{{ base_domain }}"
|
domain: "{{ base_domain }}"
|
||||||
www_domain: "www.{{ base_domain }}"
|
www_domain: "www.{{ base_domain }}"
|
||||||
|
volume_folder: "{{ volume_website_folder }}/datacoop"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: stable
|
version: stable
|
||||||
staging_domain: "staging.{{ base_domain }}"
|
staging_domain: "staging.{{ base_domain }}"
|
||||||
staging_version: staging
|
staging_version: staging
|
||||||
|
|
||||||
slides_2022_website:
|
slides_2022_website:
|
||||||
file: websites/2022.slides.data.coop.yml
|
|
||||||
domain: "2022.slides.{{ base_domain }}"
|
domain: "2022.slides.{{ base_domain }}"
|
||||||
|
volume_folder: "{{ volume_website_folder }}/slides-2022"
|
||||||
version: latest
|
version: latest
|
||||||
|
|
||||||
fedi_dk_website:
|
fedi_dk_website:
|
||||||
file: websites/fedi.dk.yaml
|
|
||||||
domain: fedi.dk
|
domain: fedi.dk
|
||||||
|
volume_folder: "{{ volume_website_folder }}/fedidk"
|
||||||
version: latest
|
version: latest
|
||||||
|
|
||||||
vhs_website:
|
vhs_website:
|
||||||
file: websites/vhs.data.coop.yaml
|
|
||||||
domain: vhs.data.coop
|
domain: vhs.data.coop
|
||||||
|
volume_folder: "{{ volume_website_folder }}/vhs"
|
||||||
version: latest
|
version: latest
|
||||||
|
|
||||||
cryptohagen_website:
|
cryptohagen_website:
|
||||||
file: websites/cryptohagen.dk.yml
|
|
||||||
domains:
|
domains:
|
||||||
- "cryptohagen.dk"
|
- "cryptohagen.dk"
|
||||||
- "www.cryptohagen.dk"
|
- "www.cryptohagen.dk"
|
||||||
|
volume_folder: "{{ volume_website_folder }}/cryptohagen"
|
||||||
|
|
||||||
ulovliglogning_website:
|
ulovliglogning_website:
|
||||||
file: websites/ulovliglogning.dk.yml
|
|
||||||
domains:
|
domains:
|
||||||
- "ulovliglogning.dk"
|
- "ulovliglogning.dk"
|
||||||
- "www.ulovliglogning.dk"
|
- "www.ulovliglogning.dk"
|
||||||
- "ulovlig-logning.dk"
|
- "ulovlig-logning.dk"
|
||||||
- "www.ulovlig-logning.dk"
|
- "www.ulovlig-logning.dk"
|
||||||
|
volume_folder: "{{ volume_website_folder }}/ulovliglogning"
|
||||||
|
|
||||||
cryptoaarhus_website:
|
cryptoaarhus_website:
|
||||||
file: websites/cryptoaarhus.dk.yml
|
|
||||||
domains:
|
domains:
|
||||||
- "cryptoaarhus.dk"
|
- "cryptoaarhus.dk"
|
||||||
- "www.cryptoaarhus.dk"
|
- "www.cryptoaarhus.dk"
|
||||||
|
volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
|
||||||
|
|
||||||
drone:
|
drone:
|
||||||
file: drone.yml
|
|
||||||
domain: "drone.{{ base_domain }}"
|
domain: "drone.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/drone"
|
volume_folder: "{{ volume_root_folder }}/drone"
|
||||||
version: "1"
|
version: "1"
|
||||||
|
|
||||||
mailu:
|
mailu:
|
||||||
file: mailu.yml
|
|
||||||
version: "1.9"
|
|
||||||
domain: "mail.{{ base_domain }}"
|
domain: "mail.{{ base_domain }}"
|
||||||
|
volume_folder: "{{ volume_root_folder }}/mailu"
|
||||||
|
pre_deploy_tasks: true
|
||||||
dns: 192.168.203.254
|
dns: 192.168.203.254
|
||||||
subnet: 192.168.203.0/24
|
subnet: 192.168.203.0/24
|
||||||
volume_folder: "{{ volume_root_folder }}/mailu"
|
version: "1.9"
|
||||||
|
|
||||||
mastodon:
|
mastodon:
|
||||||
file: mastodon.yml
|
|
||||||
domain: "social.{{ base_domain }}"
|
domain: "social.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/mastodon"
|
volume_folder: "{{ volume_root_folder }}/mastodon"
|
||||||
|
pre_deploy_tasks: true
|
||||||
|
post_deploy_tasks: true
|
||||||
version: v4.2.0
|
version: v4.2.0
|
||||||
postgres_version: 14-alpine
|
postgres_version: 14-alpine
|
||||||
redis_version: 6-alpine
|
redis_version: 6-alpine
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
rallly:
|
rallly:
|
||||||
file: rallly.yml
|
|
||||||
domain: "when.{{ base_domain }}"
|
domain: "when.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/rallly"
|
volume_folder: "{{ volume_root_folder }}/rallly"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: "2"
|
version: "2"
|
||||||
postgres_version: 14-alpine
|
postgres_version: 14-alpine
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
membersystem:
|
membersystem:
|
||||||
file: membersystem.yml
|
|
||||||
domain: "member.{{ base_domain }}"
|
domain: "member.{{ base_domain }}"
|
||||||
django_admins: "Vidir:valberg@orn.li"
|
django_admins: "Vidir:valberg@orn.li"
|
||||||
|
volume_folder: "{{ volume_root_folder }}/membersystem"
|
||||||
version: latest
|
version: latest
|
||||||
postgres_version: 13-alpine
|
postgres_version: 13-alpine
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
watchtower:
|
|
||||||
file: watchtower.yml
|
|
||||||
version: "1.5.3"
|
|
||||||
|
|
||||||
writefreely:
|
writefreely:
|
||||||
file: writefreely.yml
|
|
||||||
domain: "write.{{ base_domain }}"
|
domain: "write.{{ base_domain }}"
|
||||||
volume_folder: "{{ volume_root_folder }}/writefreely"
|
volume_folder: "{{ volume_root_folder }}/writefreely"
|
||||||
|
pre_deploy_tasks: true
|
||||||
version: latest
|
version: latest
|
||||||
mariadb_version: 11.2
|
mariadb_version: "11.2"
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
|
watchtower:
|
||||||
|
volume_folder: "{{ volume_root_folder }}/watchtower"
|
||||||
|
version: "1.5.3"
|
||||||
|
|
|
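Review bot: The `element` entry loses its `riot.{{ base_domain }}` alias: the two-item `domains:` list is replaced by a single `domain:` for `element.{{ base_domain }}`, so the proxy will stop answering for the riot hostname once the Compose file is rendered from this variable (hedged: the generated template is not in this diff). If the alias is meant to be retired, a one-line comment on the entry or a redirect vhost would make that explicit; if not, the second name needs to survive the refactor. Every service now carries `volume_folder`, which `block.yml` in this commit requires unconditionally, so that part is consistent.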
@ -1,7 +1,6 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
---
|
---
|
||||||
- name: "restart nginx"
|
- name: restart nginx
|
||||||
community.docker.docker_container:
|
command: docker compose restart proxy
|
||||||
name: "nginx-proxy"
|
args:
|
||||||
restart: "yes"
|
chdir: "{{ services.nginx_proxy.volume_folder }}"
|
||||||
state: "started"
|
|
||||||
|
|
26
roles/docker/tasks/block.yml
Normal file
26
roles/docker/tasks/block.yml
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create volume folder for service {{ service.name }}
|
||||||
|
file:
|
||||||
|
name: "{{ service.vars.volume_folder }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Upload Compose file for service {{ service.name }}
|
||||||
|
template:
|
||||||
|
src: compose-files/{{ service.name }}.yml.j2
|
||||||
|
dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
|
||||||
|
owner: root
|
||||||
|
mode: u=rw,go=
|
||||||
|
|
||||||
|
- name: Run pre-deployment tasks for service {{ service.name }}
|
||||||
|
include_tasks: pre_deploy/{{ service.name }}.yml
|
||||||
|
when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
|
||||||
|
|
||||||
|
- name: Deploy Compose stack for service {{ service.name }}
|
||||||
|
command: docker compose up -d --remove-orphans --pull always
|
||||||
|
args:
|
||||||
|
chdir: "{{ service.vars.volume_folder }}"
|
||||||
|
|
||||||
|
- name: Run post-deployment tasks for service {{ service.name }}
|
||||||
|
include_tasks: post_deploy/{{ service.name }}.yml
|
||||||
|
when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks
|
|
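Review bot: `command: docker compose up -d --remove-orphans --pull always` has no `changed_when`, so every run of the services tag reports every service as changed, which hides real changes in the play recap and makes `--check` runs uninformative. Register the result and derive the status from compose's output, e.g. `register: compose_up` and `changed_when: "'Started' in compose_up.stderr or 'Created' in compose_up.stderr or 'Recreated' in compose_up.stderr"` (hedged: the exact wording of compose's stderr varies by version), or at least add a comment stating that the task is intentionally always-changed. `--pull always` also contacts the registry for every service on every run even when only a Compose file changed; if that is intended a comment would help. The `owner: root` / `mode: u=rw,go=` on the uploaded Compose file is the right default for files that may carry credentials.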
@ -1,31 +1,25 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
---
|
---
|
||||||
- name: add docker gpg key
|
- name: Add Docker PGP key
|
||||||
apt_key:
|
apt_key:
|
||||||
keyserver: pgp.mit.edu
|
keyserver: pgp.mit.edu
|
||||||
id: 8D81803C0EBFCD88
|
id: 8D81803C0EBFCD88
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: add docker apt repository
|
- name: Add Docker apt repository
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: deb https://download.docker.com/linux/ubuntu bionic stable
|
repo: deb https://download.docker.com/linux/ubuntu bionic stable
|
||||||
state: present
|
state: present
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: install docker-ce
|
- name: Install Docker
|
||||||
apt:
|
apt:
|
||||||
name: docker-ce
|
name: "{{ pkgs }}"
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: install docker python bindings
|
|
||||||
pip:
|
|
||||||
executable: pip3
|
|
||||||
name: "{{ packages }}"
|
|
||||||
state: present
|
state: present
|
||||||
vars:
|
vars:
|
||||||
packages:
|
pkgs:
|
||||||
- docker
|
- docker-ce
|
||||||
- docker-compose
|
- docker-compose-plugin
|
||||||
|
|
||||||
- name: Configure cron job to prune unused Docker data weekly
|
- name: Configure cron job to prune unused Docker data weekly
|
||||||
cron:
|
cron:
|
||||||
|
@ -36,12 +30,15 @@
|
||||||
user: root
|
user: root
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: create folder structure for bind mounts
|
- name: Create folder structure for bind mounts
|
||||||
file:
|
file:
|
||||||
name: "{{ volume_root_folder }}"
|
name: "{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
loop:
|
||||||
|
- "{{ volume_root_folder }}"
|
||||||
|
- "{{ volume_website_folder }}"
|
||||||
|
|
||||||
- name: setup services
|
- name: Set up services
|
||||||
import_tasks: services.yml
|
import_tasks: services.yml
|
||||||
tags:
|
tags:
|
||||||
- setup_services
|
- setup_services
|
||||||
|
|
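Review bot: Dropping the `install docker python bindings` task removes the `docker` pip package, yet the `docker_login` task in `post_deploy/docker_registry.yml` and the `docker_network` task in `pre_deploy/postfix.yml` added by this same commit still depend on the Docker SDK for Python, unless it is installed some other way not visible here. Either keep a pip task for `docker` (dropping only `docker-compose`), or replace those two tasks with `docker login` / `docker network create` commands guarded by `creates` or `changed_when`. The rename from `packages` to `pkgs` is fine but a one-line comment above `pkgs:` saying that Compose is now the v2 plugin (`docker compose`, not `docker-compose`) would save the next reader a lookup.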
13
roles/docker/tasks/post_deploy/docker_registry.yml
Normal file
13
roles/docker/tasks/post_deploy/docker_registry.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Generate htpasswd file
|
||||||
|
shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
|
||||||
|
args:
|
||||||
|
chdir: "{{ services.docker_registry.volume_folder }}"
|
||||||
|
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
|
||||||
|
|
||||||
|
- name: log in to registry
|
||||||
|
docker_login:
|
||||||
|
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
|
||||||
|
username: docker
|
||||||
|
password: "{{ docker_password }}"
|
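Review bot: The `Generate htpasswd file` task places `{{ docker_password }}` unquoted on a shell command line, so it is visible in `ps` output on the host and inside the container while htpasswd runs, is echoed into the Ansible output with `--verbose` (which the `--vagrant` deploy path enables), and any shell metacharacter in the password breaks or alters the command. Use `{{ docker_password | quote }}` and add `no_log: true` to this task and to the `log in to registry` task below it. In Vagrant mode the login target is the production hostname `docker.data.coop`, so a dev box authenticates to the production registry with whatever `docker_password` its inventory provides; if that is intentional a comment should say so.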
19
roles/docker/tasks/post_deploy/mastodon.yml
Normal file
19
roles/docker/tasks/post_deploy/mastodon.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Configure cron job to remove old Mastodon media daily
|
||||||
|
cron:
|
||||||
|
name: Clean Mastodon media data older than a week
|
||||||
|
cron_file: ansible_mastodon_clean_media
|
||||||
|
job: docker exec mastodon_web_1 tootctl media remove --days 7
|
||||||
|
special_time: daily
|
||||||
|
user: root
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Configure cron job to remove old Mastodon preview cards daily
|
||||||
|
cron:
|
||||||
|
name: Clean Mastodon preview card data older than two weeks
|
||||||
|
cron_file: ansible_mastodon_clean_preview_cards
|
||||||
|
job: docker exec mastodon_web_1 tootctl preview_cards remove --days 14
|
||||||
|
special_time: daily
|
||||||
|
user: root
|
||||||
|
state: present
|
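Review bot: Both cron jobs hard-code the container name `mastodon_web_1`, which is the docker-compose v1 naming scheme; this commit installs `docker-compose-plugin` and deploys with `docker compose`, whose default names use hyphens (`mastodon-web-1`), so these jobs will most likely fail every night unless the Compose file pins `container_name` (not visible in this diff). Going through compose avoids depending on the generated name, e.g. `job: cd {{ services.mastodon.volume_folder }} && docker compose exec -T web tootctl media remove --days 7` and the same for the preview-cards job, assuming the service is named `web`. Cron failures are silent unless mail is configured, so a wrong name here would go unnoticed while media accumulates.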
11
roles/docker/tasks/pre_deploy/data_coop_website.yml
Normal file
11
roles/docker/tasks/pre_deploy/data_coop_website.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Upload vhost config for root domain
|
||||||
|
copy:
|
||||||
|
src: vhost/base_domain
|
||||||
|
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
|
||||||
|
|
||||||
|
- name: Upload vhost config for WWW domain
|
||||||
|
copy:
|
||||||
|
src: vhost/www.base_domain
|
||||||
|
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"
|
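Review bot: Neither vhost `copy` task notifies the `restart nginx` handler, whereas the equivalent task in `pre_deploy/nextcloud.yml` does; the vhost uploads in `pre_deploy/docker_registry.yml`, `pre_deploy/element.yml`, `pre_deploy/matrix.yml` and `pre_deploy/mastodon.yml` have the same gap. Unless the proxy re-reads `vhost/` on its own (hedged), a changed vhost file does not take effect until something else restarts it. Add `notify: "restart nginx"` to each of these copy tasks. Neither task here sets `mode`, so the files land with the default umask; `mode: "0644"` as in `pre_deploy/docker_registry.yml` would make that explicit.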
17
roles/docker/tasks/pre_deploy/docker_registry.yml
Normal file
17
roles/docker/tasks/pre_deploy/docker_registry.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
path: "{{ services.docker_registry.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- auth
|
||||||
|
- registry
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
||||||
|
|
||||||
|
- name: Copy docker registry vhost configuration
|
||||||
|
copy:
|
||||||
|
src: vhost/docker_registry
|
||||||
|
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
|
||||||
|
mode: "0644"
|
21
roles/docker/tasks/pre_deploy/element.yml
Normal file
21
roles/docker/tasks/pre_deploy/element.yml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolder
|
||||||
|
file:
|
||||||
|
name: "{{ services.element.volume_folder }}/data"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Upload config.json
|
||||||
|
template:
|
||||||
|
src: element/config.json.j2
|
||||||
|
dest: "{{ services.element.volume_folder }}/data/config.json"
|
||||||
|
|
||||||
|
- name: Upload riot.im.conf
|
||||||
|
copy:
|
||||||
|
src: element/riot.im.conf
|
||||||
|
dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
|
||||||
|
|
||||||
|
- name: Upload vhost config for Element domain
|
||||||
|
copy:
|
||||||
|
src: vhost/element
|
||||||
|
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.element.domain }}"
|
17
roles/docker/tasks/pre_deploy/hedgedoc.yml
Normal file
17
roles/docker/tasks/pre_deploy/hedgedoc.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- db
|
||||||
|
- hedgedoc/uploads
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
||||||
|
|
||||||
|
- name: Copy SSO certificate
|
||||||
|
copy:
|
||||||
|
src: sso/sso.data.coop.pem
|
||||||
|
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
|
||||||
|
mode: "0644"
|
45
roles/docker/tasks/pre_deploy/mailu.yml
Normal file
45
roles/docker/tasks/pre_deploy/mailu.yml
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- redis
|
||||||
|
- certs
|
||||||
|
- data
|
||||||
|
- dkim
|
||||||
|
- mail
|
||||||
|
- mailqueue
|
||||||
|
- filter
|
||||||
|
- postgres
|
||||||
|
- webmail
|
||||||
|
- overrides
|
||||||
|
- overrides/nginx
|
||||||
|
- overrides/dovecot
|
||||||
|
- overrides/postfix
|
||||||
|
- overrides/rspamd
|
||||||
|
- overrides/rainloop
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
||||||
|
|
||||||
|
- name: Upload mailu.env file
|
||||||
|
template:
|
||||||
|
src: mailu/env.j2
|
||||||
|
dest: "{{ services.mailu.volume_folder }}/mailu.env"
|
||||||
|
|
||||||
|
- name: Hard link to Let's Encrypt TLS certificate
|
||||||
|
file:
|
||||||
|
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
|
||||||
|
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
|
||||||
|
state: hard
|
||||||
|
force: true
|
||||||
|
when: letsencrypt_enabled
|
||||||
|
|
||||||
|
- name: Hard link to Let's Encrypt TLS key
|
||||||
|
file:
|
||||||
|
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
|
||||||
|
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
|
||||||
|
state: hard
|
||||||
|
force: true
|
||||||
|
when: letsencrypt_enabled
|
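Review bot: The `Upload mailu.env file` template task sets no `owner` or `mode`, so the rendered env file gets default umask permissions (typically world-readable), while `block.yml` in this same commit deliberately uploads the Compose file with `mode: u=rw,go=`. Env files are where secrets usually end up (hedged: the template is not in this diff), so apply the same `owner: root` / `mode: u=rw,go=` here and to the `mastodon.env` and `rallly.env` template tasks in `pre_deploy/mastodon.yml` and `pre_deploy/rallly.yml`. The two hard-link tasks also pin the current inode of `fullchain.pem` and `key.pem`; if the ACME companion renews by writing a new file rather than in place (hedged), the links go stale until the next playbook run, which deserves a comment either way.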
45
roles/docker/tasks/pre_deploy/mastodon.yml
Normal file
45
roles/docker/tasks/pre_deploy/mastodon.yml
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolder for Mastodon data
|
||||||
|
file:
|
||||||
|
name: "{{ services.mastodon.volume_folder }}/mastodon_data"
|
||||||
|
state: directory
|
||||||
|
owner: "991"
|
||||||
|
mode: u=rwx,g=rx,o=rx
|
||||||
|
|
||||||
|
- name: Create subfolder for PostgreSQL data
|
||||||
|
file:
|
||||||
|
name: "{{ services.mastodon.volume_folder }}/postgres_data"
|
||||||
|
state: directory
|
||||||
|
owner: "70"
|
||||||
|
mode: u=rwx,go=
|
||||||
|
|
||||||
|
- name: Create subfolder for PostgreSQL config
|
||||||
|
file:
|
||||||
|
name: "{{ services.mastodon.volume_folder }}/postgres_config"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
mode: u=rwx,g=rx,o=rx
|
||||||
|
|
||||||
|
- name: Create subfolder for Redis data
|
||||||
|
file:
|
||||||
|
name: "{{ services.mastodon.volume_folder }}/redis_data"
|
||||||
|
state: directory
|
||||||
|
owner: "999"
|
||||||
|
group: "1000"
|
||||||
|
mode: u=rwx,g=rx,o=rx
|
||||||
|
|
||||||
|
- name: Upload mastodon.env file
|
||||||
|
template:
|
||||||
|
src: mastodon/env.j2
|
||||||
|
dest: "{{ services.mastodon.volume_folder }}/mastodon.env"
|
||||||
|
|
||||||
|
- name: Upload vhost config for Mastodon domain
|
||||||
|
copy:
|
||||||
|
src: vhost/mastodon
|
||||||
|
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
|
||||||
|
|
||||||
|
- name: Upload PostgreSQL config
|
||||||
|
copy:
|
||||||
|
src: mastodon/postgresql.conf
|
||||||
|
dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"
|
34
roles/docker/tasks/pre_deploy/matrix.yml
Normal file
34
roles/docker/tasks/pre_deploy/matrix.yml
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
owner: "991"
|
||||||
|
group: "991"
|
||||||
|
loop:
|
||||||
|
- data
|
||||||
|
- data/uploads
|
||||||
|
- data/media
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
||||||
|
|
||||||
|
- name: Create Matrix DB subfolder
|
||||||
|
file:
|
||||||
|
name: "{{ services.matrix.volume_folder }}/db"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Upload vhost config for Matrix domain
|
||||||
|
copy:
|
||||||
|
src: vhost/matrix
|
||||||
|
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
|
||||||
|
|
||||||
|
- name: Upload homeserver.yaml
|
||||||
|
template:
|
||||||
|
src: matrix/homeserver.yaml.j2
|
||||||
|
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
|
||||||
|
|
||||||
|
- name: Upload Matrix logging config
|
||||||
|
copy:
|
||||||
|
src: matrix/log.config
|
||||||
|
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
|
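Review bot: The logging config is uploaded under the fixed name `matrix.data.coop.log.config` even though the service domain is `matrix.{{ base_domain }}`, which resolves to `matrix.datacoop.devel` on the Vagrant box; if `homeserver.yaml.j2` derives its `log_config` path from the domain (not visible here), the dev deployment will not find the file. `dest: "{{ services.matrix.volume_folder }}/data/{{ services.matrix.domain }}.log.config"` or a domain-independent name used in both places removes the mismatch. The `db` subfolder is created without `owner`/`group` while the Synapse folders get `991`; a comment noting that the database container runs as a different user would make that asymmetry look deliberate.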
17
roles/docker/tasks/pre_deploy/nextcloud.yml
Normal file
17
roles/docker/tasks/pre_deploy/nextcloud.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
path: "{{ services.nextcloud.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- app
|
||||||
|
- postgres
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
||||||
|
|
||||||
|
- name: Upload vhost config for Nextcloud domain
|
||||||
|
copy:
|
||||||
|
src: vhost/nextcloud
|
||||||
|
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
|
||||||
|
notify: "restart nginx"
|
14
roles/docker/tasks/pre_deploy/nginx_proxy.yml
Normal file
14
roles/docker/tasks/pre_deploy/nginx_proxy.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- conf
|
||||||
|
- vhost
|
||||||
|
- html
|
||||||
|
- dhparam
|
||||||
|
- certs
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
12
roles/docker/tasks/pre_deploy/openldap.yml
Normal file
12
roles/docker/tasks/pre_deploy/openldap.yml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- var/lib/ldap
|
||||||
|
- etc/slapd
|
||||||
|
- certs
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
13
roles/docker/tasks/pre_deploy/postfix.yml
Normal file
13
roles/docker/tasks/pre_deploy/postfix.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Set up network for Postfix
|
||||||
|
docker_network:
|
||||||
|
name: postfix
|
||||||
|
ipam_config:
|
||||||
|
- subnet: '172.16.0.0/16'
|
||||||
|
gateway: 172.16.0.1
|
||||||
|
|
||||||
|
- name: Create subfolder
|
||||||
|
file:
|
||||||
|
name: "{{ services.postfix.volume_folder }}/dkim"
|
||||||
|
state: directory
|
16
roles/docker/tasks/pre_deploy/privatebin.yml
Normal file
16
roles/docker/tasks/pre_deploy/privatebin.yml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolders
|
||||||
|
file:
|
||||||
|
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
|
||||||
|
state: directory
|
||||||
|
loop:
|
||||||
|
- cfg
|
||||||
|
- data
|
||||||
|
loop_control:
|
||||||
|
loop_var: volume
|
||||||
|
|
||||||
|
- name: Upload PrivateBin config
|
||||||
|
copy:
|
||||||
|
src: privatebin/conf.php
|
||||||
|
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
|
11
roles/docker/tasks/pre_deploy/rallly.yml
Normal file
11
roles/docker/tasks/pre_deploy/rallly.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# vim: ft=yaml.ansible
|
||||||
|
---
|
||||||
|
- name: Create subfolder
|
||||||
|
file:
|
||||||
|
name: "{{ services.rallly.volume_folder }}/postgres"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Copy rallly.env file
|
||||||
|
template:
|
||||||
|
src: rallly/env.j2
|
||||||
|
dest: "{{ services.rallly.volume_folder }}/rallly.env"
|
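--- a/roles/docker/tasks/pre_deploy/restic.yml
+++ b/roles/docker/tasks/pre_deploy/restic.yml
@@ -0,0 +1,48 @@
+# vim: ft=yaml.ansible
+---
+- name: Create SSH directory
+  file:
+    path: "{{ services.restic.volume_folder }}/ssh"
+    owner: root
+    group: root
+    mode: '0755'
+    state: directory
+
+- name: Upload private SSH key
+  copy:
+    dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
+    owner: root
+    group: root
+    mode: '0600'
+    content: "{{ restic_secrets.ssh_privkey }}"
+
+- name: Derive public SSH key
+  shell: >-
+    ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
+    > {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
+  args:
+    creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
+
+- name: Set file permissions on public SSH key
+  file:
+    path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
+    owner: root
+    group: root
+    mode: '0644'
+    state: touch
+
+- name: Upload SSH config
+  template:
+    src: restic/ssh.config.j2
+    dest: "{{ services.restic.volume_folder }}/ssh/config"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Upload SSH known_hosts file
+  template:
+    src: restic/ssh.known_hosts.j2
+    dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
+    owner: root
+    group: root
+    mode: '0600'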
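Review bot: The `creates:` guard on the "Derive public SSH key" task means a rotated `restic_secrets.ssh_privkey` is uploaded but id_ed25519.pub is never regenerated, so a stale public key stays next to the new private key; register the upload task (`register: restic_privkey`) and run ssh-keygen with `when: restic_privkey is changed` instead of `creates:`. The private-key upload task should also carry `no_log: true`, since the key is passed as `content:` and would otherwise be printed by `--diff` or verbose runs. Finally, `state: touch` on the public-key permissions task re-stamps the file on every run and always reports changed; `state: file` applies owner, group and mode without that side effect.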
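--- a/roles/docker/tasks/pre_deploy/writefreely.yml
+++ b/roles/docker/tasks/pre_deploy/writefreely.yml
@@ -0,0 +1,11 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolder for MariaDB data
+  file:
+    name: "{{ services.writefreely.volume_folder }}/db"
+    state: directory
+
+- name: Upload config.ini
+  template:
+    src: "writefreely/config.ini.j2"
+    dest: "{{ services.writefreely.volume_folder }}/config.ini"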
|
@ -1,21 +1,24 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
---
|
---
|
||||||
- name: setup external services network
|
- name: Set up external services network
|
||||||
docker_network:
|
docker_network:
|
||||||
name: external_services
|
name: external_services
|
||||||
|
|
||||||
- name: setup services
|
- name: Deploy all services
|
||||||
include_tasks: "services/{{ item.service.file }}"
|
include_tasks:
|
||||||
loop: "{{ services | dict2items(value_name='service') }}"
|
file: block.yml
|
||||||
|
vars:
|
||||||
|
service: "{{ item }}"
|
||||||
|
loop: "{{ services | dict2items(key_name='name', value_name='vars') }}"
|
||||||
when: single_service is not defined and
|
when: single_service is not defined and
|
||||||
item.service.file is defined and
|
(item.vars.disabled_in_vagrant is not defined or
|
||||||
(item.service.disabled_in_vagrant is not defined or
|
not (item.vars.disabled_in_vagrant and vagrant))
|
||||||
not (item.service.disabled_in_vagrant and vagrant))
|
|
||||||
|
|
||||||
- name: setup single service
|
- name: Deploy single service
|
||||||
include_tasks: "services/{{ services[single_service].file }}"
|
include_tasks:
|
||||||
when: single_service is defined and
|
file: block.yml
|
||||||
single_service in services and
|
vars:
|
||||||
services[single_service].file is defined and
|
service: "{{ {single_service: services[single_service]} | dict2items(key_name='name', value_name='vars') | join }}"
|
||||||
|
when: single_service is defined and single_service in services and
|
||||||
(services[single_service].disabled_in_vagrant is not defined or
|
(services[single_service].disabled_in_vagrant is not defined or
|
||||||
not (services[single_service].disabled_in_vagrant and vagrant))
|
not (services[single_service].disabled_in_vagrant and vagrant))
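Review bot: In the "Deploy single service" task, `| join` turns the one-element dict2items list into a string rather than a mapping, so `service` is only a dict if Ansible's templating converts the dict-looking string back — an implementation detail the play should not depend on. `| first` selects the single element as a real mapping: `service: "{{ {single_service: services[single_service]} | dict2items(key_name='name', value_name='vars') | first }}"`. The included block.yml and this task file's header are outside the hunk, so I cannot confirm what shape `service` is consumed in there.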
|
||||||
|
|
|
@ -1,36 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: copy docker registry vhost configuration
|
|
||||||
copy:
|
|
||||||
src: vhost/docker_registry
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
|
|
||||||
mode: "0644"
|
|
||||||
|
|
||||||
- name: docker registry container
|
|
||||||
docker_container:
|
|
||||||
name: registry
|
|
||||||
image: registry:{{ services.docker_registry.version }}
|
|
||||||
restart_policy: always
|
|
||||||
volumes:
|
|
||||||
- "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry"
|
|
||||||
- "{{ services.docker_registry.volume_folder }}/auth:/auth"
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
REGISTRY_AUTH: "htpasswd"
|
|
||||||
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
|
|
||||||
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
|
|
||||||
|
|
||||||
- name: generate htpasswd file
|
|
||||||
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd"
|
|
||||||
args:
|
|
||||||
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
|
|
||||||
|
|
||||||
- name: log in to registry
|
|
||||||
docker_login:
|
|
||||||
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
|
|
||||||
username: "docker"
|
|
||||||
password: "{{ docker_password }}"
|
|
|
@ -1,52 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: set up drone with docker runner
|
|
||||||
docker_compose:
|
|
||||||
project_name: drone
|
|
||||||
pull: yes
|
|
||||||
definition:
|
|
||||||
version: "3.6"
|
|
||||||
services:
|
|
||||||
drone:
|
|
||||||
container_name: "drone"
|
|
||||||
image: "drone/drone:{{ services.drone.version }}"
|
|
||||||
restart: unless-stopped
|
|
||||||
networks:
|
|
||||||
- external_services
|
|
||||||
- drone
|
|
||||||
volumes:
|
|
||||||
- "{{ services.drone.volume_folder }}:/data"
|
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
|
||||||
environment:
|
|
||||||
DRONE_GITEA_SERVER: "https://{{ services.forgejo.domain }}"
|
|
||||||
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
|
|
||||||
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
|
|
||||||
DRONE_GIT_ALWAYS_AUTH: "true"
|
|
||||||
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
|
|
||||||
DRONE_SERVER_PROTO: "https"
|
|
||||||
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
|
|
||||||
PLUGIN_CUSTOM_DNS: "91.239.100.100"
|
|
||||||
VIRTUAL_HOST: "{{ services.drone.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
drone-runner-docker:
|
|
||||||
container_name: "drone-runner-docker"
|
|
||||||
image: "drone/drone-runner-docker:{{ services.drone.version }}"
|
|
||||||
restart: unless-stopped
|
|
||||||
networks:
|
|
||||||
- drone
|
|
||||||
volumes:
|
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
|
||||||
environment:
|
|
||||||
DRONE_RPC_HOST: "{{ services.drone.domain }}"
|
|
||||||
DRONE_RPC_PROTO: "https"
|
|
||||||
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
|
|
||||||
DRONE_RUNNER_CAPACITY: 2
|
|
||||||
DRONE_RUNNER_NAME: "data.coop_drone_runner"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
drone:
|
|
||||||
external_services:
|
|
||||||
external:
|
|
||||||
name: external_services
|
|
|
@ -1,37 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Create Docker network for Forgejo
|
|
||||||
docker_network:
|
|
||||||
name: forgejo
|
|
||||||
|
|
||||||
# old DNS: 138.68.71.153
|
|
||||||
- name: Set up Forgejo container
|
|
||||||
docker_container:
|
|
||||||
name: forgejo
|
|
||||||
image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
networks:
|
|
||||||
- name: forgejo
|
|
||||||
- name: postfix
|
|
||||||
- name: external_services
|
|
||||||
volumes:
|
|
||||||
- "{{ services.forgejo.volume_folder }}:/data"
|
|
||||||
published_ports:
|
|
||||||
- "22:22"
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.forgejo.domain }}"
|
|
||||||
VIRTUAL_PORT: "3000"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
# Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
|
|
||||||
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
|
|
||||||
FORGEJO__mailer__ENABLED: "true"
|
|
||||||
FORGEJO__mailer__FROM: "noreply@{{ services.forgejo.domain }}"
|
|
||||||
FORGEJO__mailer__PROTOCOL: "smtp"
|
|
||||||
FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}:{{ smtp_port }}"
|
|
||||||
FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
|
|
||||||
FORGEJO__security__PASSWORD_COMPLEXITY: "off"
|
|
||||||
FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
|
|
||||||
FORGEJO__security__PASSWORD_CHECK_PWN: "true"
|
|
||||||
FORGEJO__service__ENABLE_NOTIFY_MAIL: "true"
|
|
||||||
FORGEJO__service__REGISTER_EMAIL_CONFIRM: "true"
|
|
|
@ -1,67 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: create hedgedoc volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
|
|
||||||
state: directory
|
|
||||||
loop:
|
|
||||||
- "db"
|
|
||||||
- "hedgedoc/uploads"
|
|
||||||
loop_control:
|
|
||||||
loop_var: volume
|
|
||||||
|
|
||||||
- name: copy sso public certificate
|
|
||||||
copy:
|
|
||||||
src: sso/sso.data.coop.pem
|
|
||||||
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
|
|
||||||
mode: "0644"
|
|
||||||
|
|
||||||
- name: setup hedgedoc
|
|
||||||
docker_compose:
|
|
||||||
project_name: "hedgedoc"
|
|
||||||
pull: "yes"
|
|
||||||
definition:
|
|
||||||
services:
|
|
||||||
database:
|
|
||||||
image: "postgres:{{ services.hedgedoc.postgres_version }}"
|
|
||||||
environment:
|
|
||||||
POSTGRES_USER: "codimd"
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
|
|
||||||
POSTGRES_DB: "codimd"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
networks:
|
|
||||||
- "hedgedoc"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
|
|
||||||
|
|
||||||
app:
|
|
||||||
image: "quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}"
|
|
||||||
environment:
|
|
||||||
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
|
|
||||||
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
|
|
||||||
CMD_ALLOW_EMAIL_REGISTER: "False"
|
|
||||||
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
|
|
||||||
CMD_EMAIL: "False"
|
|
||||||
CMD_SAML_IDPCERT: "/sso.data.coop.pem"
|
|
||||||
CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
|
|
||||||
CMD_SAML_ISSUER: "hedgedoc"
|
|
||||||
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
|
|
||||||
CMD_USECDN: "false"
|
|
||||||
CMD_PROTOCOL_USESSL: "true"
|
|
||||||
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
|
|
||||||
- "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
networks:
|
|
||||||
- "hedgedoc"
|
|
||||||
- "external_services"
|
|
||||||
depends_on:
|
|
||||||
- database
|
|
||||||
|
|
||||||
networks:
|
|
||||||
hedgedoc:
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
|
@ -1,50 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: setup keycloak containers for sso.data.coop
|
|
||||||
docker_compose:
|
|
||||||
project_name: "keycloak"
|
|
||||||
pull: "yes"
|
|
||||||
definition:
|
|
||||||
version: "3.6"
|
|
||||||
services:
|
|
||||||
postgres:
|
|
||||||
image: "postgres:{{ services.keycloak.postgres_version }}"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
networks:
|
|
||||||
- "keycloak"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data"
|
|
||||||
environment:
|
|
||||||
POSTGRES_USER: "keycloak"
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
|
|
||||||
POSTGRES_DB: "keycloak"
|
|
||||||
|
|
||||||
app:
|
|
||||||
image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
networks:
|
|
||||||
- "keycloak"
|
|
||||||
- "postfix"
|
|
||||||
- "external_services"
|
|
||||||
command:
|
|
||||||
- "start"
|
|
||||||
- "--db=postgres"
|
|
||||||
- "--db-url=jdbc:postgresql://postgres:5432/keycloak"
|
|
||||||
- "--db-username=keycloak"
|
|
||||||
- "--db-password={{ postgres_passwords.keycloak }}"
|
|
||||||
- "--hostname={{ services.keycloak.domain }}"
|
|
||||||
- "--proxy=edge"
|
|
||||||
- "--https-port=8080"
|
|
||||||
- "--http-relative-path=/auth"
|
|
||||||
environment:
|
|
||||||
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
|
|
||||||
VIRTUAL_PORT: "8080"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
keycloak:
|
|
||||||
postfix:
|
|
||||||
external: true
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
|
@ -1,181 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: create mailu volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
|
|
||||||
state: directory
|
|
||||||
loop:
|
|
||||||
- redis
|
|
||||||
- certs
|
|
||||||
- data
|
|
||||||
- dkim
|
|
||||||
- mail
|
|
||||||
- mailqueue
|
|
||||||
- filter
|
|
||||||
- postgres
|
|
||||||
- webmail
|
|
||||||
- overrides
|
|
||||||
- overrides/nginx
|
|
||||||
- overrides/dovecot
|
|
||||||
- overrides/postfix
|
|
||||||
- overrides/rspamd
|
|
||||||
- overrides/rainloop
|
|
||||||
loop_control:
|
|
||||||
loop_var: volume
|
|
||||||
|
|
||||||
- name: upload mailu.env file
|
|
||||||
template:
|
|
||||||
src: mailu/env.j2
|
|
||||||
dest: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
|
|
||||||
- name: hard link to Let's Encrypt TLS certificate
|
|
||||||
file:
|
|
||||||
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
|
|
||||||
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
|
|
||||||
state: hard
|
|
||||||
force: yes
|
|
||||||
when: letsencrypt_enabled
|
|
||||||
|
|
||||||
- name: hard link to Let's Encrypt TLS key
|
|
||||||
file:
|
|
||||||
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
|
|
||||||
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
|
|
||||||
state: hard
|
|
||||||
force: yes
|
|
||||||
when: letsencrypt_enabled
|
|
||||||
|
|
||||||
- name: run mail server containers
|
|
||||||
docker_compose:
|
|
||||||
project_name: mail_server
|
|
||||||
pull: yes
|
|
||||||
definition:
|
|
||||||
version: '3.6'
|
|
||||||
services:
|
|
||||||
postgres:
|
|
||||||
image: postgres:14-alpine
|
|
||||||
restart: always
|
|
||||||
environment:
|
|
||||||
POSTGRES_DB: mailu
|
|
||||||
POSTGRES_USER: mailu
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/postgres:/var/lib/postgresql/data"
|
|
||||||
dns:
|
|
||||||
- "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
redis:
|
|
||||||
image: redis:alpine
|
|
||||||
restart: always
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/redis:/data"
|
|
||||||
depends_on:
|
|
||||||
- resolver
|
|
||||||
dns:
|
|
||||||
- "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
front:
|
|
||||||
image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
environment:
|
|
||||||
VIRTUAL_HOST: "{{ services.mailu.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/certs:/certs"
|
|
||||||
- "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides:ro"
|
|
||||||
expose:
|
|
||||||
- "80"
|
|
||||||
ports:
|
|
||||||
- "993:993"
|
|
||||||
- "25:25"
|
|
||||||
- "587:587"
|
|
||||||
- "465:465"
|
|
||||||
networks:
|
|
||||||
- default
|
|
||||||
- external_services
|
|
||||||
|
|
||||||
resolver:
|
|
||||||
image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
networks:
|
|
||||||
default:
|
|
||||||
ipv4_address: "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
admin:
|
|
||||||
image: ghcr.io/mailu/admin:{{ services.mailu.version }}
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/data:/data"
|
|
||||||
- "{{ services.mailu.volume_folder }}/dkim:/dkim"
|
|
||||||
depends_on:
|
|
||||||
- redis
|
|
||||||
- resolver
|
|
||||||
dns:
|
|
||||||
- "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
imap:
|
|
||||||
image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/mail:/mail"
|
|
||||||
- "{{ services.mailu.volume_folder }}/overrides/dovecot:/overrides:ro"
|
|
||||||
depends_on:
|
|
||||||
- front
|
|
||||||
- resolver
|
|
||||||
dns:
|
|
||||||
- "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
smtp:
|
|
||||||
image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/mailqueue:/queue"
|
|
||||||
- "{{ services.mailu.volume_folder }}/overrides/postfix:/overrides:ro"
|
|
||||||
depends_on:
|
|
||||||
- front
|
|
||||||
- resolver
|
|
||||||
dns:
|
|
||||||
- "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
antispam:
|
|
||||||
image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
|
|
||||||
hostname: antispam
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd"
|
|
||||||
- "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d:ro"
|
|
||||||
depends_on:
|
|
||||||
- front
|
|
||||||
- resolver
|
|
||||||
dns:
|
|
||||||
- "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
webmail:
|
|
||||||
image: ghcr.io/mailu/rainloop:{{ services.mailu.version }}
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mailu.volume_folder }}/mailu.env"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mailu.volume_folder }}/webmail:/data"
|
|
||||||
- "{{ services.mailu.volume_folder }}/overrides/rainloop:/overrides:ro"
|
|
||||||
depends_on:
|
|
||||||
- imap
|
|
||||||
- resolver
|
|
||||||
dns:
|
|
||||||
- "{{ services.mailu.dns }}"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
default:
|
|
||||||
driver: bridge
|
|
||||||
ipam:
|
|
||||||
driver: default
|
|
||||||
config:
|
|
||||||
- subnet: "{{ services.mailu.subnet }}"
|
|
||||||
external_services:
|
|
||||||
external:
|
|
||||||
name: external_services
|
|
|
@ -1,222 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Create volume folder for Mastodon data
|
|
||||||
file:
|
|
||||||
name: "{{ services.mastodon.volume_folder }}/mastodon_data"
|
|
||||||
state: directory
|
|
||||||
owner: "991"
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
- name: Create volume folder for PostgreSQL data
|
|
||||||
file:
|
|
||||||
name: "{{ services.mastodon.volume_folder }}/postgres_data"
|
|
||||||
state: directory
|
|
||||||
owner: "70"
|
|
||||||
mode: u=rwx,go=
|
|
||||||
|
|
||||||
- name: Create volume folder for PostgreSQL config
|
|
||||||
file:
|
|
||||||
name: "{{ services.mastodon.volume_folder }}/postgres_config"
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
- name: Create volume folder for Redis data
|
|
||||||
file:
|
|
||||||
name: "{{ services.mastodon.volume_folder }}/redis_data"
|
|
||||||
state: directory
|
|
||||||
owner: "999"
|
|
||||||
group: "1000"
|
|
||||||
mode: u=rwx,g=rx,o=rx
|
|
||||||
|
|
||||||
- name: Copy mastodon environment file
|
|
||||||
template:
|
|
||||||
src: mastodon/env.j2
|
|
||||||
dest: "{{ services.mastodon.volume_folder }}/env_file"
|
|
||||||
|
|
||||||
- name: Upload vhost config for root domain
|
|
||||||
copy:
|
|
||||||
src: vhost/mastodon
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
|
|
||||||
|
|
||||||
- name: Copy PostgreSQL config
|
|
||||||
copy:
|
|
||||||
src: mastodon/postgresql.conf
|
|
||||||
dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"
|
|
||||||
|
|
||||||
- name: Set up Mastodon
|
|
||||||
docker_compose:
|
|
||||||
project_name: mastodon
|
|
||||||
pull: true
|
|
||||||
restarted: true
|
|
||||||
definition:
|
|
||||||
x-sidekiq: &sidekiq
|
|
||||||
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mastodon.volume_folder }}/env_file"
|
|
||||||
depends_on:
|
|
||||||
db:
|
|
||||||
condition: "service_healthy"
|
|
||||||
redis:
|
|
||||||
condition: "service_healthy"
|
|
||||||
networks:
|
|
||||||
- postfix
|
|
||||||
- external_services
|
|
||||||
- internal_network
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
|
|
||||||
healthcheck:
|
|
||||||
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
|
|
||||||
|
|
||||||
version: '3'
|
|
||||||
services:
|
|
||||||
db:
|
|
||||||
restart: always
|
|
||||||
image: "postgres:{{ services.mastodon.postgres_version }}"
|
|
||||||
shm_size: 256mb
|
|
||||||
networks:
|
|
||||||
- internal_network
|
|
||||||
healthcheck:
|
|
||||||
test: ['CMD', 'pg_isready', '-U', 'postgres']
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
|
|
||||||
- "{{ services.mastodon.volume_folder }}/postgres_config:/config:ro"
|
|
||||||
command: postgres -c config_file=/config/postgresql.conf
|
|
||||||
environment:
|
|
||||||
- 'POSTGRES_HOST_AUTH_METHOD=trust'
|
|
||||||
|
|
||||||
redis:
|
|
||||||
restart: always
|
|
||||||
image: "redis:{{ services.mastodon.redis_version }}"
|
|
||||||
networks:
|
|
||||||
- internal_network
|
|
||||||
healthcheck:
|
|
||||||
test: ['CMD', 'redis-cli', 'ping']
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mastodon.volume_folder }}/redis_data:/data"
|
|
||||||
|
|
||||||
web:
|
|
||||||
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mastodon.volume_folder }}/env_file"
|
|
||||||
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
|
|
||||||
networks:
|
|
||||||
- external_services
|
|
||||||
- internal_network
|
|
||||||
healthcheck:
|
|
||||||
# prettier-ignore
|
|
||||||
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
|
|
||||||
depends_on:
|
|
||||||
db:
|
|
||||||
condition: "service_healthy"
|
|
||||||
redis:
|
|
||||||
condition: "service_healthy"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
|
|
||||||
environment:
|
|
||||||
MAX_THREADS: 10
|
|
||||||
WEB_CONCURRENCY: 3
|
|
||||||
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
|
|
||||||
VIRTUAL_PORT: "3000"
|
|
||||||
VIRTUAL_PATH: "/"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
streaming:
|
|
||||||
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
|
|
||||||
restart: always
|
|
||||||
env_file: "{{ services.mastodon.volume_folder }}/env_file"
|
|
||||||
command: node ./streaming
|
|
||||||
networks:
|
|
||||||
- external_services
|
|
||||||
- internal_network
|
|
||||||
healthcheck:
|
|
||||||
# prettier-ignore
|
|
||||||
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
|
|
||||||
ports:
|
|
||||||
- '127.0.0.1:4000:4000'
|
|
||||||
depends_on:
|
|
||||||
db:
|
|
||||||
condition: "service_healthy"
|
|
||||||
redis:
|
|
||||||
condition: "service_healthy"
|
|
||||||
environment:
|
|
||||||
DB_POOL: 15
|
|
||||||
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
|
|
||||||
VIRTUAL_PORT: "4000"
|
|
||||||
VIRTUAL_PATH: "/api/v1/streaming"
|
|
||||||
|
|
||||||
# sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
|
|
||||||
sidekiq-default-push-pull:
|
|
||||||
<<: *sidekiq
|
|
||||||
command: bundle exec sidekiq -c 25 -q default -q push -q pull
|
|
||||||
environment:
|
|
||||||
DB_POOL: 25
|
|
||||||
|
|
||||||
# sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
|
|
||||||
sidekiq-default-pull-push:
|
|
||||||
<<: *sidekiq
|
|
||||||
command: bundle exec sidekiq -c 25 -q default -q pull -q push
|
|
||||||
environment:
|
|
||||||
DB_POOL: 25
|
|
||||||
|
|
||||||
# sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
|
|
||||||
sidekiq-pull-default-push:
|
|
||||||
<<: *sidekiq
|
|
||||||
command: bundle exec sidekiq -c 25 -q pull -q default -q push
|
|
||||||
environment:
|
|
||||||
DB_POOL: 25
|
|
||||||
|
|
||||||
# sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
|
|
||||||
sidekiq-push-default-pull:
|
|
||||||
<<: *sidekiq
|
|
||||||
command: bundle exec sidekiq -c 25 -q push -q default -q pull
|
|
||||||
environment:
|
|
||||||
DB_POOL: 25
|
|
||||||
|
|
||||||
# sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
|
|
||||||
sidekiq-push-scheduler:
|
|
||||||
<<: *sidekiq
|
|
||||||
command: bundle exec sidekiq -c 5 -q push -q scheduler
|
|
||||||
environment:
|
|
||||||
DB_POOL: 5
|
|
||||||
|
|
||||||
# sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
|
|
||||||
sidekiq-push-mailers:
|
|
||||||
<<: *sidekiq
|
|
||||||
command: bundle exec sidekiq -c 5 -q push -q mailers
|
|
||||||
environment:
|
|
||||||
DB_POOL: 5
|
|
||||||
|
|
||||||
# sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
|
|
||||||
sidekiq-push-ingress:
|
|
||||||
<<: *sidekiq
|
|
||||||
command: bundle exec sidekiq -c 10 -q push -q ingress
|
|
||||||
environment:
|
|
||||||
DB_POOL: 10
|
|
||||||
|
|
||||||
networks:
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
||||||
postfix:
|
|
||||||
external: true
|
|
||||||
internal_network:
|
|
||||||
internal: true
|
|
||||||
|
|
||||||
- name: Configure cron job to remove old Mastodon media daily
|
|
||||||
cron:
|
|
||||||
name: Clean Mastodon media data older than a week
|
|
||||||
cron_file: ansible_mastodon_clean_media
|
|
||||||
job: docker exec mastodon_web_1 tootctl media remove --days 7
|
|
||||||
special_time: daily
|
|
||||||
user: root
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Configure cron job to remove old Mastodon preview cards daily
|
|
||||||
cron:
|
|
||||||
name: Clean Mastodon preview card data older than two weeks
|
|
||||||
cron_file: ansible_mastodon_clean_preview_cards
|
|
||||||
job: docker exec mastodon_web_1 tootctl preview_cards remove --days 14
|
|
||||||
special_time: daily
|
|
||||||
user: root
|
|
||||||
state: present
|
|
|
@ -1,120 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Create Matrix volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
|
|
||||||
state: directory
|
|
||||||
owner: "991"
|
|
||||||
group: "991"
|
|
||||||
loop:
|
|
||||||
- "data"
|
|
||||||
- "data/uploads"
|
|
||||||
- "data/media"
|
|
||||||
loop_control:
|
|
||||||
loop_var: volume
|
|
||||||
|
|
||||||
- name: Create Matrix DB folder
|
|
||||||
file:
|
|
||||||
name: "{{ services.matrix.volume_folder }}/db"
|
|
||||||
state: "directory"
|
|
||||||
|
|
||||||
- name: Create Element volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.element.volume_folder }}/{{ volume }}"
|
|
||||||
state: directory
|
|
||||||
loop:
|
|
||||||
- "data"
|
|
||||||
loop_control:
|
|
||||||
loop_var: volume
|
|
||||||
|
|
||||||
- name: Upload Element config.json
|
|
||||||
template:
|
|
||||||
src: element/config.json.j2
|
|
||||||
dest: "{{ services.element.volume_folder }}/data/config.json"
|
|
||||||
|
|
||||||
- name: Upload Element riot.im.conf
|
|
||||||
copy:
|
|
||||||
src: element/riot.im.conf
|
|
||||||
dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
|
|
||||||
|
|
||||||
- name: upload vhost config for matrix domain
|
|
||||||
copy:
|
|
||||||
src: vhost/matrix
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
|
|
||||||
|
|
||||||
- name: Upload vhost config for Element domain
|
|
||||||
copy:
|
|
||||||
src: vhost/element
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}"
|
|
||||||
loop: "{{ services.element.domains }}"
|
|
||||||
|
|
||||||
- name: Upload homeserver.yaml
|
|
||||||
template:
|
|
||||||
src: matrix/homeserver.yaml.j2
|
|
||||||
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
|
|
||||||
|
|
||||||
- name: upload matrix logging config
|
|
||||||
copy:
|
|
||||||
src: matrix/log.config
|
|
||||||
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
|
|
||||||
|
|
||||||
- name: Set up Matrix and Element
|
|
||||||
docker_compose:
|
|
||||||
project_name: matrix
|
|
||||||
pull: true
|
|
||||||
definition:
|
|
||||||
version: "3.6"
|
|
||||||
services:
|
|
||||||
postgres:
|
|
||||||
image: "postgres:{{ services.matrix.postgres_version }}"
|
|
||||||
restart: unless-stopped
|
|
||||||
networks:
|
|
||||||
- matrix
|
|
||||||
volumes:
|
|
||||||
- "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data"
|
|
||||||
environment:
|
|
||||||
POSTGRES_USER: "synapse"
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
|
|
||||||
|
|
||||||
synapse:
|
|
||||||
image: "matrixdotorg/synapse:{{ services.matrix.version }}"
|
|
||||||
restart: unless-stopped
|
|
||||||
networks:
|
|
||||||
- matrix
|
|
||||||
- external_services
|
|
||||||
- postfix
|
|
||||||
volumes:
|
|
||||||
- "{{ services.matrix.volume_folder }}/data:/data"
|
|
||||||
environment:
|
|
||||||
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
|
|
||||||
SYNAPSE_CACHE_FACTOR: "2"
|
|
||||||
SYNAPSE_LOG_LEVEL: "INFO"
|
|
||||||
VIRTUAL_HOST: "{{ services.matrix.domain }}"
|
|
||||||
VIRTUAL_PORT: "8008"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
element:
|
|
||||||
image: "avhost/docker-matrix-element:{{ services.element.version }}"
|
|
||||||
restart: unless-stopped
|
|
||||||
networks:
|
|
||||||
- matrix
|
|
||||||
- external_services
|
|
||||||
expose:
|
|
||||||
- 8080
|
|
||||||
volumes:
|
|
||||||
- "{{ services.element.volume_folder }}/data:/data"
|
|
||||||
environment:
|
|
||||||
VIRTUAL_HOST: "{{ services.element.domains | join(',') }}"
|
|
||||||
VIRTUAL_PORT: "8080"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.element.domains | join(',') }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
external_services:
|
|
||||||
external:
|
|
||||||
name: external_services
|
|
||||||
postfix:
|
|
||||||
external: true
|
|
||||||
matrix:
|
|
||||||
name: "matrix"
|
|
|
@ -1,52 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: run membersystem containers
|
|
||||||
docker_compose:
|
|
||||||
project_name: "member.data.coop"
|
|
||||||
pull: yes
|
|
||||||
definition:
|
|
||||||
version: "3"
|
|
||||||
services:
|
|
||||||
backend:
|
|
||||||
image: "docker.data.coop/membersystem:{{ services.membersystem.version }}"
|
|
||||||
restart: always
|
|
||||||
user: $UID:$GID
|
|
||||||
tty: true
|
|
||||||
depends_on:
|
|
||||||
- postgres
|
|
||||||
networks:
|
|
||||||
- membersystem
|
|
||||||
- external_services
|
|
||||||
- postfix
|
|
||||||
environment:
|
|
||||||
SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
|
|
||||||
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
|
|
||||||
POSTGRES_HOST: postgres
|
|
||||||
POSTGRES_PORT: 5432
|
|
||||||
EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
|
|
||||||
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
|
|
||||||
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
|
|
||||||
VIRTUAL_PORT: "8000"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
|
|
||||||
CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
|
|
||||||
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
|
|
||||||
DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
|
|
||||||
|
|
||||||
postgres:
|
|
||||||
image: "postgres:{{ services.membersystem.postgres_version }}"
|
|
||||||
restart: always
|
|
||||||
volumes:
|
|
||||||
- "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data"
|
|
||||||
networks:
|
|
||||||
- membersystem
|
|
||||||
environment:
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
membersystem:
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
||||||
postfix:
|
|
||||||
external: true
|
|
|
@ -1,23 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: setup netdata docker container for system monitoring
|
|
||||||
docker_container:
|
|
||||||
name: netdata
|
|
||||||
image: netdata/netdata:{{ services.netdata.version }}
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
hostname: "hevonen.servers.{{ base_domain }}"
|
|
||||||
capabilities:
|
|
||||||
- SYS_PTRACE
|
|
||||||
security_opts:
|
|
||||||
- apparmor:unconfined
|
|
||||||
volumes:
|
|
||||||
- /proc:/host/proc:ro
|
|
||||||
- /sys:/host/sys:ro
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST : "{{ services.netdata.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
PGID: "999"
|
|
|
@ -1,76 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: upload vhost config for cloud.data.coop
|
|
||||||
copy:
|
|
||||||
src: vhost/nextcloud
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
|
|
||||||
notify: "restart nginx"
|
|
||||||
|
|
||||||
- name: setup nextcloud containers
|
|
||||||
docker_compose:
|
|
||||||
project_name: "nextcloud"
|
|
||||||
pull: "yes"
|
|
||||||
definition:
|
|
||||||
services:
|
|
||||||
postgres:
|
|
||||||
image: "postgres:{{ services.nextcloud.postgres_version }}"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
networks:
|
|
||||||
- "nextcloud"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
|
|
||||||
environment:
|
|
||||||
POSTGRES_DB: "nextcloud"
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
|
|
||||||
POSTGRES_USER: "nextcloud"
|
|
||||||
|
|
||||||
redis:
|
|
||||||
image: "redis:{{ services.nextcloud.redis_version }}"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}"
|
|
||||||
tmpfs:
|
|
||||||
- /var/lib/redis
|
|
||||||
networks:
|
|
||||||
- "nextcloud"
|
|
||||||
|
|
||||||
cron:
|
|
||||||
image: "nextcloud:{{ services.nextcloud.version }}"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
entrypoint: "/cron.sh"
|
|
||||||
networks:
|
|
||||||
- "nextcloud"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
|
|
||||||
depends_on:
|
|
||||||
- "postgres"
|
|
||||||
- "redis"
|
|
||||||
|
|
||||||
app:
|
|
||||||
image: "nextcloud:{{ services.nextcloud.version }}"
|
|
||||||
restart: "unless-stopped"
|
|
||||||
networks:
|
|
||||||
- "nextcloud"
|
|
||||||
- "postfix"
|
|
||||||
- "external_services"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
|
|
||||||
environment:
|
|
||||||
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
POSTGRES_HOST: "postgres"
|
|
||||||
POSTGRES_DB: "nextcloud"
|
|
||||||
POSTGRES_USER: "nextcloud"
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
|
|
||||||
REDIS_HOST: "redis"
|
|
||||||
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
|
|
||||||
depends_on:
|
|
||||||
- "postgres"
|
|
||||||
- "redis"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
nextcloud:
|
|
||||||
postfix:
|
|
||||||
external: true
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
|
@ -1,48 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: create nginx-proxy volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
|
|
||||||
state: directory
|
|
||||||
loop:
|
|
||||||
- conf
|
|
||||||
- vhost
|
|
||||||
- html
|
|
||||||
- dhparam
|
|
||||||
- certs
|
|
||||||
loop_control:
|
|
||||||
loop_var: volume
|
|
||||||
|
|
||||||
- name: nginx proxy container
|
|
||||||
docker_container:
|
|
||||||
name: nginx-proxy
|
|
||||||
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
|
|
||||||
restart_policy: always
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
published_ports:
|
|
||||||
- "80:80"
|
|
||||||
- "443:443"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d"
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam"
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro"
|
|
||||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
|
||||||
|
|
||||||
- name: nginx letsencrypt container
|
|
||||||
docker_container:
|
|
||||||
name: nginx-proxy-le
|
|
||||||
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
|
|
||||||
restart_policy: always
|
|
||||||
volumes:
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
|
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs"
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
||||||
env:
|
|
||||||
NGINX_PROXY_CONTAINER: nginx-proxy
|
|
||||||
when: letsencrypt_enabled
|
|
||||||
|
|
|
@ -1,74 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: create ldap volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
|
|
||||||
state: directory
|
|
||||||
loop:
|
|
||||||
- "var/lib/ldap"
|
|
||||||
- "etc/slapd"
|
|
||||||
- "certs"
|
|
||||||
loop_control:
|
|
||||||
loop_var: volume
|
|
||||||
|
|
||||||
- name: Create a network for ldap
|
|
||||||
docker_network:
|
|
||||||
name: ldap
|
|
||||||
|
|
||||||
- name: openLDAP container
|
|
||||||
docker_container:
|
|
||||||
name: openldap
|
|
||||||
image: osixia/openldap:{{ services.openldap.version }}
|
|
||||||
tty: true
|
|
||||||
interactive: true
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
volumes:
|
|
||||||
- "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
|
|
||||||
- "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
|
|
||||||
- "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
|
|
||||||
published_ports:
|
|
||||||
- "389:389"
|
|
||||||
- "636:636"
|
|
||||||
hostname: "{{ services.openldap.domain }}"
|
|
||||||
domainname: "{{ services.openldap.domain }}" # important: same as hostname
|
|
||||||
networks:
|
|
||||||
- name: ldap
|
|
||||||
env:
|
|
||||||
LDAP_LOG_LEVEL: "256"
|
|
||||||
LDAP_ORGANISATION: "{{ base_domain }}"
|
|
||||||
LDAP_DOMAIN: "{{ base_domain }}"
|
|
||||||
LDAP_BASE_DN: ""
|
|
||||||
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
|
|
||||||
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
|
|
||||||
LDAP_READONLY_USER: "false"
|
|
||||||
LDAP_RFC2307BIS_SCHEMA: "false"
|
|
||||||
LDAP_BACKEND: "mdb"
|
|
||||||
LDAP_TLS: "true"
|
|
||||||
LDAP_TLS_CRT_FILENAME: "ldap.crt"
|
|
||||||
LDAP_TLS_KEY_FILENAME: "ldap.key"
|
|
||||||
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
|
|
||||||
LDAP_TLS_ENFORCE: "false"
|
|
||||||
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
|
|
||||||
LDAP_TLS_PROTOCOL_MIN: "3.1"
|
|
||||||
LDAP_TLS_VERIFY_CLIENT: "demand"
|
|
||||||
LDAP_REPLICATION: "false"
|
|
||||||
KEEP_EXISTING_CONFIG: "false"
|
|
||||||
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
|
|
||||||
LDAP_SSL_HELPER_PREFIX: "ldap"
|
|
||||||
|
|
||||||
- name: phpLDAPadmin container
|
|
||||||
docker_container:
|
|
||||||
name: phpldapadmin
|
|
||||||
image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
- name: ldap
|
|
||||||
env:
|
|
||||||
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
|
|
||||||
PHPLDAPADMIN_HTTPS: "false"
|
|
||||||
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
|
|
||||||
|
|
||||||
VIRTUAL_HOST: "{{ services.openldap.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
|
@ -1,53 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Create directory for Passit data
|
|
||||||
file:
|
|
||||||
name: "{{ services.passit.volume_folder }}/data"
|
|
||||||
owner: '70'
|
|
||||||
group: root
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: setup passit containers
|
|
||||||
docker_compose:
|
|
||||||
project_name: "passit"
|
|
||||||
pull: "yes"
|
|
||||||
definition:
|
|
||||||
version: "3.6"
|
|
||||||
services:
|
|
||||||
passit_db:
|
|
||||||
image: "postgres:{{ services.passit.postgres_version }}"
|
|
||||||
restart: "always"
|
|
||||||
networks:
|
|
||||||
- "passit"
|
|
||||||
volumes:
|
|
||||||
- "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data"
|
|
||||||
environment:
|
|
||||||
POSTGRES_USER: "passit"
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
|
|
||||||
|
|
||||||
passit_app:
|
|
||||||
image: "passit/passit:{{ services.passit.version }}"
|
|
||||||
command: "bin/start.sh"
|
|
||||||
restart: "always"
|
|
||||||
networks:
|
|
||||||
- "passit"
|
|
||||||
- "postfix"
|
|
||||||
- "external_services"
|
|
||||||
environment:
|
|
||||||
DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
|
|
||||||
SECRET_KEY: "{{ passit_secret_key }}"
|
|
||||||
IS_DEBUG: 'False'
|
|
||||||
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
|
|
||||||
DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}"
|
|
||||||
EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}"
|
|
||||||
FIDO_SERVER_ID: "{{ services.passit.domain }}"
|
|
||||||
VIRTUAL_HOST: "{{ services.passit.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
passit:
|
|
||||||
postfix:
|
|
||||||
external: true
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
|
@ -1,22 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: create portainer volume folder
|
|
||||||
file:
|
|
||||||
name: "{{ services.portainer.volume_folder }}"
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: run portainer
|
|
||||||
docker_container:
|
|
||||||
name: portainer
|
|
||||||
image: portainer/portainer-ee:{{ services.portainer.version }}
|
|
||||||
restart_policy: always
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
volumes:
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
|
||||||
- "{{ services.portainer.volume_folder }}:/data"
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.portainer.domain }}"
|
|
||||||
VIRTUAL_PORT: "9000"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
|
@ -1,28 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Set up network for postfix
|
|
||||||
docker_network:
|
|
||||||
name: postfix
|
|
||||||
ipam_config:
|
|
||||||
- subnet: '172.16.0.0/16'
|
|
||||||
gateway: 172.16.0.1
|
|
||||||
|
|
||||||
- name: Create volume folders for Postfix
|
|
||||||
file:
|
|
||||||
name: "{{ services.postfix.volume_folder }}/dkim"
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Set up Postfix Docker container for outgoing mail from services
|
|
||||||
docker_container:
|
|
||||||
name: postfix
|
|
||||||
image: boky/postfix:{{ services.postfix.version }}
|
|
||||||
restart_policy: always
|
|
||||||
networks:
|
|
||||||
- name: postfix
|
|
||||||
volumes:
|
|
||||||
- "{{ services.postfix.volume_folder }}/dkim:/etc/opendkim/keys"
|
|
||||||
env:
|
|
||||||
# Get all services which have allowed_sender_domain defined
|
|
||||||
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
|
|
||||||
HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as
|
|
||||||
DKIM_AUTOGENERATE: "true"
|
|
|
@ -1,31 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: create privatebin volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
|
|
||||||
state: directory
|
|
||||||
loop:
|
|
||||||
- cfg
|
|
||||||
- data
|
|
||||||
loop_control:
|
|
||||||
loop_var: volume
|
|
||||||
|
|
||||||
- name: upload privatebin config
|
|
||||||
copy:
|
|
||||||
src: privatebin/conf.php
|
|
||||||
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
|
|
||||||
|
|
||||||
- name: privatebin app container
|
|
||||||
docker_container:
|
|
||||||
name: privatebin
|
|
||||||
image: jgeusebroek/privatebin:{{ services.privatebin.version }}
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
volumes:
|
|
||||||
- "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg"
|
|
||||||
- "{{ services.privatebin.volume_folder }}/data:/privatebin/data"
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.privatebin.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
|
@ -1,61 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Create Rallly volume folders
|
|
||||||
file:
|
|
||||||
name: "{{ services.rallly.volume_folder }}/postgres"
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Copy Rallly environment file
|
|
||||||
template:
|
|
||||||
src: rallly/env.j2
|
|
||||||
dest: "{{ services.rallly.volume_folder }}/env_file"
|
|
||||||
|
|
||||||
- name: Set up Rallly
|
|
||||||
docker_compose:
|
|
||||||
project_name: "rallly"
|
|
||||||
pull: "yes"
|
|
||||||
definition:
|
|
||||||
version: "3.8"
|
|
||||||
services:
|
|
||||||
rallly_db:
|
|
||||||
image: "postgres:{{ services.rallly.postgres_version }}"
|
|
||||||
restart: "always"
|
|
||||||
shm_size: "256mb"
|
|
||||||
networks:
|
|
||||||
rallly_internal:
|
|
||||||
volumes:
|
|
||||||
- "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data"
|
|
||||||
environment:
|
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
|
|
||||||
POSTGRES_DB: "rallly_db"
|
|
||||||
healthcheck:
|
|
||||||
test: ["CMD-SHELL", "pg_isready -U postgres"]
|
|
||||||
interval: 5s
|
|
||||||
timeout: 5s
|
|
||||||
retries: 5
|
|
||||||
|
|
||||||
rallly:
|
|
||||||
image: "lukevella/rallly:{{ services.rallly.version }}"
|
|
||||||
restart: "always"
|
|
||||||
networks:
|
|
||||||
rallly_internal:
|
|
||||||
external_services:
|
|
||||||
postfix:
|
|
||||||
depends_on:
|
|
||||||
rallly_db:
|
|
||||||
condition: "service_healthy"
|
|
||||||
env_file:
|
|
||||||
- "{{ services.rallly.volume_folder }}/env_file"
|
|
||||||
environment:
|
|
||||||
VIRTUAL_HOST: "{{ services.rallly.domain }}"
|
|
||||||
VIRTUAL_PORT: "3000"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
rallly_internal:
|
|
||||||
internal: true
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
||||||
postfix:
|
|
||||||
external: true
|
|
|
@ -1,89 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Create SSH directory
|
|
||||||
file:
|
|
||||||
path: "{{ services.restic.volume_folder }}/ssh"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0755'
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Copy private SSH key
|
|
||||||
copy:
|
|
||||||
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0600'
|
|
||||||
content: "{{ restic_secrets.ssh_privkey }}"
|
|
||||||
|
|
||||||
- name: Derive public SSH key
|
|
||||||
shell: >-
|
|
||||||
ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
|
|
||||||
> {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
|
|
||||||
args:
|
|
||||||
creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
|
|
||||||
|
|
||||||
- name: Set file permissions on public SSH key
|
|
||||||
file:
|
|
||||||
path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0644'
|
|
||||||
state: touch
|
|
||||||
|
|
||||||
- name: Create SSH config
|
|
||||||
template:
|
|
||||||
src: restic/ssh.config.j2
|
|
||||||
dest: "{{ services.restic.volume_folder }}/ssh/config"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0600'
|
|
||||||
|
|
||||||
- name: Create SSH known_hosts file
|
|
||||||
template:
|
|
||||||
src: restic/ssh.known_hosts.j2
|
|
||||||
dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: '0600'
|
|
||||||
|
|
||||||
- name: Setup restic backup
|
|
||||||
docker_compose:
|
|
||||||
project_name: restic
|
|
||||||
pull: true
|
|
||||||
definition:
|
|
||||||
version: '3.6'
|
|
||||||
services:
|
|
||||||
backup:
|
|
||||||
image: mazzolino/restic:{{ services.restic.version }}
|
|
||||||
restart: always
|
|
||||||
environment:
|
|
||||||
RUN_ON_STARTUP: "false"
|
|
||||||
BACKUP_CRON: "0 30 3 * * *"
|
|
||||||
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
|
|
||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
|
||||||
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
|
|
||||||
RESTIC_BACKUP_ARGS: >-
|
|
||||||
--tag datacoop-volumes
|
|
||||||
--exclude '*.tmp'
|
|
||||||
--verbose
|
|
||||||
RESTIC_FORGET_ARGS: >-
|
|
||||||
--keep-last 10
|
|
||||||
--keep-daily 7
|
|
||||||
--keep-weekly 5
|
|
||||||
--keep-monthly 12
|
|
||||||
TZ: Europe/Copenhagen
|
|
||||||
volumes:
|
|
||||||
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
|
|
||||||
- /docker-volumes:/mnt/volumes:ro
|
|
||||||
|
|
||||||
prune:
|
|
||||||
image: "mazzolino/restic:{{ services.restic.version }}"
|
|
||||||
environment:
|
|
||||||
RUN_ON_STARTUP: "false"
|
|
||||||
PRUNE_CRON: "0 0 4 * * *"
|
|
||||||
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
|
|
||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
|
||||||
TZ: Europe/copenhagen
|
|
||||||
volumes:
|
|
||||||
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
|
|
|
@ -1,19 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: setup 2022.slides.data.coop website using unipi
|
|
||||||
docker_container:
|
|
||||||
name: 2022.slides.data.coop_website
|
|
||||||
image: docker.data.coop/unipi:{{ services.slides_2022_website.version }}
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
purge_networks: yes
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.slides_2022_website.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.slides_2022_website.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
command: "--remote=https://git.data.coop/data.coop/slides.git#slides2022"
|
|
||||||
capabilities:
|
|
||||||
- NET_ADMIN
|
|
||||||
devices:
|
|
||||||
- "/dev/net/tun"
|
|
|
@ -1,13 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: setup cryptoaarhus.dk website docker container
|
|
||||||
docker_container:
|
|
||||||
name: cryptoaarhus_website
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
image: docker.data.coop/cryptoaarhus-website
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
|
@ -1,13 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: setup cryptohagen.dk website docker container
|
|
||||||
docker_container:
|
|
||||||
name: cryptohagen_website
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
image: docker.data.coop/cryptohagen-website
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
|
@ -1,47 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Upload vhost config for root domain
|
|
||||||
copy:
|
|
||||||
<<<<<<< HEAD
|
|
||||||
src: vhost/base_domain
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}"
|
|
||||||
|
|
||||||
- name: Upload vhost config for WWW domain
|
|
||||||
copy:
|
|
||||||
src: vhost/www.base_domain
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/www.{{ base_domain }}"
|
|
||||||
=======
|
|
||||||
src: files/configs/matrix/vhost-root
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
|
|
||||||
|
|
||||||
- name: Upload vhost config for WWW domain
|
|
||||||
copy:
|
|
||||||
src: files/configs/vhost-www
|
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"
|
|
||||||
>>>>>>> main
|
|
||||||
|
|
||||||
- name: setup data.coop website docker container
|
|
||||||
docker_container:
|
|
||||||
name: "{{ services.data_coop_website.domain }}_website"
|
|
||||||
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
|
|
||||||
pull: true
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
- name: setup staging data.coop website using hugo
|
|
||||||
docker_container:
|
|
||||||
name: "{{ services.data_coop_website.staging_domain }}_website"
|
|
||||||
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
|
|
||||||
pull: true
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
|
@ -1,13 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: setup ulovliglogning.dk website docker container
|
|
||||||
docker_container:
|
|
||||||
name: ulovliglogning_website
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
image: ulovliglogning/ulovliglogning.dk:latest
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
|
@ -1,19 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: setup vhs.data.coop website with unipi
|
|
||||||
docker_container:
|
|
||||||
name: vhs.data.coop_website
|
|
||||||
image: docker.data.coop/unipi:{{ services.vhs_website.version }}
|
|
||||||
restart_policy: unless-stopped
|
|
||||||
purge_networks: yes
|
|
||||||
networks:
|
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
VIRTUAL_HOST: "{{ services.vhs_website.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.vhs_website.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
command: "--remote=https://git.data.coop/vhs.data.coop/website.git#main"
|
|
||||||
capabilities:
|
|
||||||
- NET_ADMIN
|
|
||||||
devices:
|
|
||||||
- "/dev/net/tun"
|
|
|
@ -1,65 +0,0 @@
|
||||||
# vim: ft=yaml.ansible
|
|
||||||
---
|
|
||||||
- name: Create volume folder for MariaDB data
|
|
||||||
file:
|
|
||||||
name: "{{ services.writefreely.volume_folder }}/mariadb_data"
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Upload config.ini
|
|
||||||
template:
|
|
||||||
src: "writefreely/config.ini.j2"
|
|
||||||
dest: "{{ services.writefreely.volume_folder }}/config.ini"
|
|
||||||
|
|
||||||
- name: setup writefreely containers
|
|
||||||
docker_compose:
|
|
||||||
project_name: "writefreely"
|
|
||||||
pull: "yes"
|
|
||||||
definition:
|
|
||||||
version: "3.6"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
external_services:
|
|
||||||
external: true
|
|
||||||
internal_writefreely:
|
|
||||||
internal: true
|
|
||||||
|
|
||||||
services:
|
|
||||||
writefreely-web:
|
|
||||||
container_name: "writefreely-web"
|
|
||||||
image: "writeas/writefreely:{{ services.writefreely.version }}"
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
- "{{ services.writefreely.volume_folder }}/config.ini:/go/config.ini"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
- "internal_writefreely"
|
|
||||||
- "external_services"
|
|
||||||
|
|
||||||
ports:
|
|
||||||
- "8080:8080"
|
|
||||||
|
|
||||||
depends_on:
|
|
||||||
- "writefreely-db"
|
|
||||||
|
|
||||||
environment:
|
|
||||||
VIRTUAL_HOST: "{{ services.writefreely.domain }}"
|
|
||||||
LETSENCRYPT_HOST: "{{ services.writefreely.domain }}"
|
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
|
||||||
|
|
||||||
restart: unless-stopped
|
|
||||||
|
|
||||||
writefreely-db:
|
|
||||||
container_name: "writefreely-db"
|
|
||||||
image: "mariadb:{{ services.writefreely.mariadb_version }}"
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
- "{{ services.writefreely.volume_folder }}/mariadb_data:/var/lib/mysql"
|
|
||||||
|
|
||||||
networks:
|
|
||||||
- "internal_writefreely"
|
|
||||||
|
|
||||||
environment:
|
|
||||||
- MYSQL_DATABASE=writefreely
|
|
||||||
- MYSQL_ROOT_PASSWORD={{ writefreely_secrets.db_password }}
|
|
||||||
|
|
||||||
restart: unless-stopped
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
# vim: ft=yaml.docker-compose
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
web:
|
||||||
|
image: docker.data.coop/cryptoaarhus-website
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
- external_services
|
||||||
|
environment:
|
||||||
|
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains | join(',') }}"
|
||||||
|
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains | join(',') }}"
|
||||||
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
external_services:
|
||||||
|
external: true
|
|
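Review bot: `image: docker.data.coop/cryptoaarhus-website` carries no tag, so each deploy resolves whatever the private registry currently labels `latest`, while the other compose files in this change pin `{{ services.<name>.version }}`; if the `cryptoaarhus_website` entry in `services` has (or can be given) a version key, pin it the same way: `image: docker.data.coop/cryptoaarhus-website:{{ services.cryptoaarhus_website.version }}`. This was already the case in the task file being removed, so it is carried over rather than introduced here. Separately, `VIRTUAL_HOST :` with a space before the colon still parses as the key `VIRTUAL_HOST`, but it reads like a typo next to `LETSENCRYPT_HOST:`; dropping the space keeps the three keys uniform.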
@ -0,0 +1,17 @@
|
||||||
|
# vim: ft=yaml.docker-compose
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
web:
|
||||||
|
image: docker.data.coop/cryptohagen-website
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
- external_services
|
||||||
|
environment:
|
||||||
|
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains | join(',') }}"
|
||||||
|
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"
|
||||||
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
external_services:
|
||||||
|
external: true
|
|
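Review bot: `VIRTUAL_HOST :` (space before the colon) in the `environment` map is inconsistent with `LETSENCRYPT_HOST:` two lines below and with every other compose file in this change; YAML strips the trailing space from the plain scalar, so it works, but `VIRTUAL_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"` is what a reader expects. The larger point is the untagged `image: docker.data.coop/cryptohagen-website`, which floats on `latest` from the private registry while the neighbouring files pin a `services.<name>.version`; if such a key exists for cryptohagen_website, `image: docker.data.coop/cryptohagen-website:{{ services.cryptohagen_website.version }}` makes deploys reproducible. Both points predate this change (the removed task had the same lines) but the move to a compose file is a natural moment to fix them.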
@ -0,0 +1,27 @@
|
||||||
|
# vim: ft=yaml.docker-compose
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
prod-web:
|
||||||
|
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
- external_services
|
||||||
|
environment:
|
||||||
|
VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
|
||||||
|
LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
|
||||||
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
|
|
||||||
|
staging-web:
|
||||||
|
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
- external_services
|
||||||
|
environment:
|
||||||
|
VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
|
||||||
|
LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
|
||||||
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
external_services:
|
||||||
|
external: true
|
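Review bot: The task file this compose file replaces also copied nginx vhost snippets for the root and www domains into `{{ services.nginx_proxy.volume_folder }}/vhost/...` (the removed version even carried unresolved `<<<<<<< HEAD` / `>>>>>>> main` markers around that copy), and this compose file has no counterpart for them; the task that will render and deploy it is outside this view. If nothing else in the change re-creates those snippets, nginx-proxy will serve `{{ services.data_coop_website.domain }}` and the www domain without their per-vhost config after the next run. Either way, a one-line comment near the top of this file stating where the vhost snippets are now managed would save the next reader the search, e.g. `# nginx vhost snippets for the root/www domains are managed by the role's task file, not by this compose file` (adjust to wherever they actually live).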
23
roles/docker/templates/compose-files/docker_registry.yml.j2
Normal file
23
roles/docker/templates/compose-files/docker_registry.yml.j2
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
# vim: ft=yaml.docker-compose
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
image: registry:{{ services.docker_registry.version }}
|
||||||
|
restart: always
|
||||||
|
networks:
|
||||||
|
- external_services
|
||||||
|
volumes:
|
||||||
|
- "./registry:/var/lib/registry"
|
||||||
|
- "./auth:/auth"
|
||||||
|
environment:
|
||||||
|
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
|
||||||
|
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
|
||||||
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
|
REGISTRY_AUTH: "htpasswd"
|
||||||
|
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
|
||||||
|
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
external_services:
|
||||||
|
external: true
|
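Review bot: `REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"` depends on a file under the relative `./auth` mount that nothing in this compose file creates, and the Distribution registry accepts only bcrypt entries in that file, so an htpasswd generated with Apache's default scheme yields a registry where every login fails with no hint why. A comment on the mount would spare the next operator that debugging session: `# htpasswd must contain bcrypt hashes (htpasswd -B); the registry rejects other formats`. Because `./registry` and `./auth` are resolved against the directory the compose file is uploaded to, a note on that expected location (the upload task is outside this view) belongs next to it. With no `REGISTRY_HTTP_SECRET` set the registry generates a random one at each start, which is fine for a single instance behind nginx-proxy but must be pinned to a shared value if this service is ever scaled to more than one replica.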
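--- /dev/null
+++ b/roles/docker/templates/compose-files/drone.yml.j2
@@ -0,0 +1,40 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: drone/drone:{{ services.drone.version }}
+restart: unless-stopped
+networks:
+- default
+- external_services
+volumes:
+- ".:/data"
+- "/var/run/docker.sock:/var/run/docker.sock"
+environment:
+DRONE_GITEA_SERVER: https://{{ services.forgejo.domain }}
+DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
+DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
+DRONE_GIT_ALWAYS_AUTH: true
+DRONE_SERVER_HOST: "{{ services.drone.domain }}"
+DRONE_SERVER_PROTO: https
+DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+VIRTUAL_HOST: "{{ services.drone.domain }}"
+LETSENCRYPT_HOST: "{{ services.drone.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+runner:
+image: drone/drone-runner-docker:{{ services.drone.version }}
+restart: unless-stopped
+volumes:
+- "/var/run/docker.sock:/var/run/docker.sock"
+environment:
+DRONE_RPC_HOST: "{{ services.drone.domain }}"
+DRONE_RPC_PROTO: https
+DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+DRONE_RUNNER_CAPACITY: 2
+DRONE_RUNNER_NAME: data.coop_drone_runner
+
+networks:
+external_services:
+external: true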
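Review bot: The `app` (Drone server) service mounts `- "/var/run/docker.sock:/var/run/docker.sock"`, which hands the server container root-equivalent control of the host; only `runner` needs the socket to launch pipeline containers, so remove that volume line from `app`. The rendered file also carries `DRONE_GITEA_CLIENT_SECRET` and `DRONE_RPC_SECRET` in plain text, so the task that uploads it (outside this section) should write it with owner-only permissions. Both images are tagged with the same `services.drone.version`, but drone/drone and drone/drone-runner-docker are released on separate version lines, so this likely needs a second variable — confirm against the published tags.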
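--- /dev/null
+++ b/roles/docker/templates/compose-files/element.yml.j2
@@ -0,0 +1,22 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: avhost/docker-matrix-element:{{ services.element.version }}
+restart: unless-stopped
+networks:
+- external_services
+expose:
+- "8080"
+volumes:
+- "./data:/data"
+environment:
+VIRTUAL_HOST: "{{ services.element.domain }}"
+VIRTUAL_PORT: "8080"
+LETSENCRYPT_HOST: "{{ services.element.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+external_services:
+external: true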
|
@ -1,19 +1,22 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.docker-compose
|
||||||
---
|
version: "3.8"
|
||||||
- name: setup fedi.dk website with unipi
|
|
||||||
docker_container:
|
services:
|
||||||
name: fedi.dk_website
|
web:
|
||||||
image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
|
image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
|
||||||
restart_policy: unless-stopped
|
restart: unless-stopped
|
||||||
purge_networks: yes
|
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- external_services
|
||||||
env:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
|
VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
|
||||||
LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
|
LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
command: "--remote=https://git.data.coop/fedi.dk/website.git#main"
|
command: --remote=https://git.data.coop/fedi.dk/website.git#main
|
||||||
capabilities:
|
cap_add:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
devices:
|
devices:
|
||||||
- "/dev/net/tun"
|
- "/dev/net/tun"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
external_services:
|
||||||
|
external: true
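Review bot: `cap_add: - NET_ADMIN` together with `devices: - "/dev/net/tun"` lets this container create tunnels and alter its own network stack, and nothing in the file says why a site builder that only pulls `--remote=https://git.data.coop/fedi.dk/website.git#main` needs that; add a comment above `cap_add:` such as `# NET_ADMIN + /dev/net/tun: needed by unipi for <reason> — drop both if no longer required` once the reason is confirmed. If no current reason exists, removing both entries is the smaller and safer change.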
|
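--- /dev/null
+++ b/roles/docker/templates/compose-files/forgejo.yml.j2
@@ -0,0 +1,37 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
+restart: unless-stopped
+networks:
+- external_services
+- postfix
+volumes:
+- ".:/data"
+ports:
+- "22:22"
+environment:
+VIRTUAL_HOST: "{{ services.forgejo.domain }}"
+VIRTUAL_PORT: "3000"
+LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+# Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
+# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
+FORGEJO__mailer__ENABLED: true
+FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }}
+FORGEJO__mailer__PROTOCOL: smtp
+FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}:{{ smtp_port }}"
+FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
+FORGEJO__security__PASSWORD_COMPLEXITY: off
+FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
+FORGEJO__security__PASSWORD_CHECK_PWN: true
+FORGEJO__service__ENABLE_NOTIFY_MAIL: true
+FORGEJO__service__REGISTER_EMAIL_CONFIRM: true
+
+networks:
+external_services:
+external: true
+postfix:
+external: true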
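Review bot: `FORGEJO__security__PASSWORD_COMPLEXITY: off` is an unquoted YAML 1.1 boolean, so depending on the Compose implementation it may reach Forgejo as `false` rather than the literal `off` the setting expects; quote it as `FORGEJO__security__PASSWORD_COMPLEXITY: "off"`, and the bare `true` values in this block deserve the same treatment. With complexity off and `MIN_PASSWORD_LENGTH: "8"`, the only remaining password control is `PASSWORD_CHECK_PWN`, which is worth saying in a comment so it is not removed casually. `ports: - "22:22"` publishes Forgejo's SSH on port 22 of every host interface, which only works if the host sshd has been moved elsewhere (the Vagrantfile's `PORT` suggests it has) — confirm, and consider binding to the public address explicitly.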
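--- /dev/null
+++ b/roles/docker/templates/compose-files/hedgedoc.yml.j2
@@ -0,0 +1,44 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+db:
+image: postgres:{{ services.hedgedoc.postgres_version }}
+restart: unless-stopped
+volumes:
+- "./db:/var/lib/postgresql/data"
+environment:
+POSTGRES_USER: codimd
+POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
+POSTGRES_DB: codimd
+
+app:
+image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
+volumes:
+- "./hedgedoc/uploads:/hedgedoc/public/uploads"
+- "./sso.data.coop.pem:/sso.data.coop.pem"
+restart: unless-stopped
+networks:
+- default
+- external_services
+environment:
+CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@db:5432/codimd
+CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
+CMD_ALLOW_EMAIL_REGISTER: False
+CMD_IMAGE_UPLOAD_TYPE: filesystem
+CMD_EMAIL: False
+CMD_SAML_IDPCERT: /sso.data.coop.pem
+CMD_SAML_IDPSSOURL: https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml
+CMD_SAML_ISSUER: hedgedoc
+CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+CMD_USECDN: false
+CMD_PROTOCOL_USESSL: true
+VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
+LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+depends_on:
+- db
+
+networks:
+external_services:
+external: true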
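Review bot: No `CMD_SESSION_SECRET` is set in the `app` environment; HedgeDoc's documentation states that a random one is generated on each start when it is absent, which logs every user out on every restart or redeploy — add `CMD_SESSION_SECRET: "{{ hedgedoc_secrets.session_secret }}"` (or whatever vault variable the role provides) next to `CMD_DB_URL`. The IdP certificate bind `- "./sso.data.coop.pem:/sso.data.coop.pem"` hardcodes a domain that the rest of the file derives from `services.keycloak.domain`; a templated filename keeps the two in step. `CMD_ALLOW_EMAIL_REGISTER: False` and `CMD_EMAIL: False` are bare YAML booleans and should be quoted like the string values around them.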
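--- /dev/null
+++ b/roles/docker/templates/compose-files/keycloak.yml.j2
@@ -0,0 +1,42 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+db:
+image: postgres:{{ services.keycloak.postgres_version }}
+restart: unless-stopped
+volumes:
+- "./data:/var/lib/postgresql/data"
+environment:
+POSTGRES_USER: keycloak
+POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
+POSTGRES_DB: keycloak
+
+app:
+image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
+restart: unless-stopped
+networks:
+- default
+- postfix
+- external_services
+command:
+- "start"
+- "--db=postgres"
+- "--db-url=jdbc:postgresql://db:5432/keycloak"
+- "--db-username=keycloak"
+- "--db-password={{ postgres_passwords.keycloak }}"
+- "--hostname={{ services.keycloak.domain }}"
+- "--proxy=edge"
+- "--https-port=8080"
+- "--http-relative-path=/auth"
+environment:
+VIRTUAL_HOST: "{{ services.keycloak.domain }}"
+VIRTUAL_PORT: "8080"
+LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+postfix:
+external: true
+external_services:
+external: true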
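Review bot: `- "--db-password={{ postgres_passwords.keycloak }}"` places the database password in the container's argv, where any local user can read it with `ps` and anyone with `docker inspect` sees it; Keycloak reads the same setting from the environment, so replace that line with `KC_DB_PASSWORD: "{{ postgres_passwords.keycloak }}"` under `environment:` (the `--db-url`/`--db-username` flags can move to `KC_DB_URL`/`KC_DB_USERNAME` the same way). `--https-port=8080` next to `--proxy=edge` and `VIRTUAL_PORT: "8080"` looks like a mix-up: with `proxy=edge` Keycloak serves plain HTTP on 8080 and the HTTPS listener stays off unless a certificate is configured, so the flag is probably a no-op — confirm and drop it.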
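--- /dev/null
+++ b/roles/docker/templates/compose-files/mailu.yml.j2
@@ -0,0 +1,131 @@
+# vim: ft=yaml.docker-compose
+version: '3.6'
+
+services:
+postgres:
+image: postgres:14-alpine
+restart: always
+environment:
+POSTGRES_DB: mailu
+POSTGRES_USER: mailu
+POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
+volumes:
+- "./postgres:/var/lib/postgresql/data"
+dns:
+- "{{ services.mailu.dns }}"
+
+redis:
+image: redis:alpine
+restart: always
+volumes:
+- "./redis:/data"
+depends_on:
+- resolver
+dns:
+- "{{ services.mailu.dns }}"
+
+front:
+image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
+restart: always
+env_file: mailu.env
+environment:
+VIRTUAL_HOST: "{{ services.mailu.domain }}"
+LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+volumes:
+- "./certs:/certs"
+- "./overrides/nginx:/overrides:ro"
+expose:
+- "80"
+ports:
+- "993:993"
+- "25:25"
+- "587:587"
+- "465:465"
+networks:
+- default
+- external_services
+
+resolver:
+image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
+restart: always
+env_file: mailu.env
+networks:
+default:
+ipv4_address: "{{ services.mailu.dns }}"
+
+admin:
+image: ghcr.io/mailu/admin:{{ services.mailu.version }}
+restart: always
+env_file: "{{ services.mailu.volume_folder }}/mailu.env"
+volumes:
+- "./data:/data"
+- "./dkim:/dkim"
+depends_on:
+- redis
+- resolver
+dns:
+- "{{ services.mailu.dns }}"
+
+imap:
+image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
+restart: always
+env_file: mailu.env
+volumes:
+- "./mail:/mail"
+- "./overrides/dovecot:/overrides:ro"
+depends_on:
+- front
+- resolver
+dns:
+- "{{ services.mailu.dns }}"
+
+smtp:
+image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
+restart: always
+env_file: mailu.env
+volumes:
+- "./mailqueue:/queue"
+- "./overrides/postfix:/overrides:ro"
+depends_on:
+- front
+- resolver
+dns:
+- "{{ services.mailu.dns }}"
+
+antispam:
+image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
+hostname: antispam
+restart: always
+env_file: mailu.env
+volumes:
+- "./filter:/var/lib/rspamd"
+- "./overrides/rspamd:/etc/rspamd/override.d:ro"
+depends_on:
+- front
+- resolver
+dns:
+- "{{ services.mailu.dns }}"
+
+webmail:
+image: ghcr.io/mailu/rainloop:{{ services.mailu.version }}
+restart: always
+env_file: mailu.env
+volumes:
+- "./webmail:/data"
+- "./overrides/rainloop:/overrides:ro"
+depends_on:
+- imap
+- resolver
+dns:
+- "{{ services.mailu.dns }}"
+
+networks:
+default:
+driver: bridge
+ipam:
+driver: default
+config:
+- subnet: "{{ services.mailu.subnet }}"
+external_services:
+external: true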
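Review bot: `image: postgres:14-alpine` and `image: redis:alpine` are the only images in this set not pinned through a `services.*` version variable, and `redis:alpine` is a floating tag that changes underneath the deployment; pin both (e.g. `postgres:{{ services.mailu.postgres_version }}`, `redis:{{ services.mailu.redis_version }}`) once those variables exist. The `admin` service uses `env_file: "{{ services.mailu.volume_folder }}/mailu.env"` while every other service uses the relative `mailu.env`; if the compose file is uploaded into `volume_folder` these resolve to the same file, and the relative form should be used throughout. `postgres` is the one service that sets `dns:` without `depends_on: - resolver`, so it can come up before the resolver it is pointed at.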
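--- /dev/null
+++ b/roles/docker/templates/compose-files/mastodon.yml.j2
@@ -0,0 +1,146 @@
+# vim: ft=yaml.docker-compose
+x-sidekiq: &sidekiq
+image: tootsuite/mastodon:{{ services.mastodon.version }}
+restart: always
+env_file: mastodon.env
+networks:
+- default
+- postfix
+- external_services
+volumes:
+- "./mastodon_data:/mastodon/public/system"
+healthcheck:
+test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
+depends_on:
+db:
+condition: service_healthy
+redis:
+condition: service_healthy
+
+version: "3.8"
+
+services:
+db:
+restart: always
+image: postgres:{{ services.mastodon.postgres_version }}
+shm_size: 256mb
+volumes:
+- "./postgres_data:/var/lib/postgresql/data"
+- "./postgres_config:/config:ro"
+command: postgres -c config_file=/config/postgresql.conf
+environment:
+POSTGRES_HOST_AUTH_METHOD: trust
+healthcheck:
+test: ['CMD', 'pg_isready', '-U', 'postgres']
+
+redis:
+restart: always
+image: redis:{{ services.mastodon.redis_version }}
+volumes:
+- "./redis_data:/data"
+healthcheck:
+test: ['CMD', 'redis-cli', 'ping']
+
+web:
+image: tootsuite/mastodon:{{ services.mastodon.version }}
+restart: always
+env_file: mastodon.env
+command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
+networks:
+- default
+- external_services
+volumes:
+- "./mastodon_data:/mastodon/public/system"
+environment:
+MAX_THREADS: 10
+WEB_CONCURRENCY: 3
+VIRTUAL_HOST: "{{ services.mastodon.domain }}"
+VIRTUAL_PORT: "3000"
+VIRTUAL_PATH: /
+LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+healthcheck:
+test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
+depends_on:
+db:
+condition: service_healthy
+redis:
+condition: service_healthy
+
+streaming:
+image: tootsuite/mastodon:{{ services.mastodon.version }}
+restart: always
+env_file: mastodon.env
+command: node ./streaming
+networks:
+- default
+- external_services
+ports:
+- "127.0.0.1:4000:4000"
+environment:
+DB_POOL: 15
+VIRTUAL_HOST: "{{ services.mastodon.domain }}"
+VIRTUAL_PORT: "4000"
+VIRTUAL_PATH: "/api/v1/streaming"
+healthcheck:
+test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
+depends_on:
+db:
+condition: service_healthy
+redis:
+condition: service_healthy
+
+# sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
+sidekiq-default-push-pull:
+<<: *sidekiq
+command: bundle exec sidekiq -c 25 -q default -q push -q pull
+environment:
+DB_POOL: 25
+
+# sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
+sidekiq-default-pull-push:
+<<: *sidekiq
+command: bundle exec sidekiq -c 25 -q default -q pull -q push
+environment:
+DB_POOL: 25
+
+# sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
+sidekiq-pull-default-push:
+<<: *sidekiq
+command: bundle exec sidekiq -c 25 -q pull -q default -q push
+environment:
+DB_POOL: 25
+
+# sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
+sidekiq-push-default-pull:
+<<: *sidekiq
+command: bundle exec sidekiq -c 25 -q push -q default -q pull
+environment:
+DB_POOL: 25
+
+# sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
+sidekiq-push-scheduler:
+<<: *sidekiq
+command: bundle exec sidekiq -c 5 -q push -q scheduler
+environment:
+DB_POOL: 5
+
+# sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
+sidekiq-push-mailers:
+<<: *sidekiq
+command: bundle exec sidekiq -c 5 -q push -q mailers
+environment:
+DB_POOL: 5
+
+# sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
+sidekiq-push-ingress:
+<<: *sidekiq
+command: bundle exec sidekiq -c 10 -q push -q ingress
+environment:
+DB_POOL: 10
+
+networks:
+external_services:
+external: true
+postfix:
+external: true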
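Review bot: `POSTGRES_HOST_AUTH_METHOD: trust` makes `db` accept any connection as any role, including the `postgres` superuser, with no password, and `db` is reachable from every container on this project's default network. Replace it with `POSTGRES_PASSWORD: "{{ postgres_passwords.mastodon }}"` (or whatever vault variable exists for it) and add the matching `DB_PASS` to `mastodon.env`; note that the auth method is written into `pg_hba.conf` at initdb time, so an existing data directory also needs that file updated and a password set on the role. `ports: - "127.0.0.1:4000:4000"` on `streaming` publishes a host port that nginx-proxy already reaches over `external_services`; if nothing on the host consumes it, drop the mapping.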
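--- /dev/null
+++ b/roles/docker/templates/compose-files/matrix.yml.j2
@@ -0,0 +1,36 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+postgres:
+image: postgres:{{ services.matrix.postgres_version }}
+restart: unless-stopped
+volumes:
+- "./db:/var/lib/postgresql/data"
+environment:
+POSTGRES_USER: synapse
+POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
+
+synapse:
+image: matrixdotorg/synapse:{{ services.matrix.version }}
+restart: unless-stopped
+networks:
+- default
+- external_services
+- postfix
+volumes:
+- "./data:/data"
+environment:
+SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+SYNAPSE_CACHE_FACTOR: "2"
+SYNAPSE_LOG_LEVEL: INFO
+VIRTUAL_HOST: "{{ services.matrix.domain }}"
+VIRTUAL_PORT: "8008"
+LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+external_services:
+external: true
+postfix:
+external: true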
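Review bot: The `postgres` service sets only `POSTGRES_USER`/`POSTGRES_PASSWORD`, so a fresh database is initialised with the image's default locale; Synapse documents that it requires a database created with `C` collation and ctype and refuses to start otherwise, so for new deployments add `POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"` to that `environment:` block (this only affects a newly created data directory, so the existing install is unaffected — confirm against the running instance). `synapse` also lacks `depends_on: - postgres`, unlike the other database-backed files in this set.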
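--- /dev/null
+++ b/roles/docker/templates/compose-files/membersystem.yml.j2
@@ -0,0 +1,44 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: docker.data.coop/membersystem:{{ services.membersystem.version }}
+restart: always
+user: "$UID:$GID"
+tty: true
+networks:
+- default
+- external_services
+- postfix
+environment:
+SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
+DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
+POSTGRES_HOST: postgres
+POSTGRES_PORT: 5432
+EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
+EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
+VIRTUAL_HOST: "{{ services.membersystem.domain }}"
+VIRTUAL_PORT: "8000"
+LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
+CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
+DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
+DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
+depends_on:
+- postgres
+
+postgres:
+image: postgres:{{ services.membersystem.postgres_version }}
+restart: always
+volumes:
+- "./postgres/data:/var/lib/postgresql/data"
+environment:
+POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
+
+networks:
+external_services:
+external: true
+postfix:
+external: true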
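Review bot: `user: "$UID:$GID"` relies on Compose interpolating `UID` and `GID` from the environment of whoever runs `docker compose up`; `UID` is a shell variable that is normally not exported and `GID` usually does not exist at all, so under the Ansible-driven deployment this most likely renders as an empty or partial user spec and the container either fails to start or runs as root. Set the uid/gid explicitly from role variables (e.g. `user: "{{ services.membersystem.uid }}:{{ services.membersystem.gid }}"`) or drop the line if the image already drops privileges. `DATABASE_URL` also connects as the `postgres` superuser to the `postgres` database; a dedicated role via `POSTGRES_USER`/`POSTGRES_DB` on the `postgres` service would follow least privilege.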
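--- /dev/null
+++ b/roles/docker/templates/compose-files/netdata.yml.j2
@@ -0,0 +1,36 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: netdata/netdata:{{ services.netdata.version }}
+restart: unless-stopped
+hostname: hevonen.servers.{{ base_domain }}
+volumes:
+- "/proc:/host/proc:ro"
+- "/sys:/host/sys:ro"
+- "/etc/os-release:/host/etc/os-release:ro"
+networks:
+- default
+- external_services
+environment:
+VIRTUAL_HOST : "{{ services.netdata.domain }}"
+LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+PGID: "999"
+DOCKER_HOST: "socket_proxy:2375"
+cap_add:
+- SYS_PTRACE
+security_opt:
+- apparmor:unconfined
+
+socket-proxy:
+image: tecnativa/docker-socket-proxy:latest
+volumes:
+- "/var/run/docker.sock:/var/run/docker.sock:ro"
+environment:
+CONTAINERS: 1
+
+networks:
+external_services:
+external: true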
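Review bot: `DOCKER_HOST: "socket_proxy:2375"` names a host that does not exist in this file — the proxy service is declared as `socket-proxy` (hyphen), so Compose's DNS entry is `socket-proxy` and netdata's container metrics cannot connect; change it to `DOCKER_HOST: "socket-proxy:2375"` (or rename the service). `image: tecnativa/docker-socket-proxy:latest` is a floating tag on the one container that holds the Docker socket, so pin it through a `services.netdata.*` version variable like the other images. `VIRTUAL_HOST : "..."` has a stray space before the colon; it parses, but tidy it to `VIRTUAL_HOST:`.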
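--- /dev/null
+++ b/roles/docker/templates/compose-files/nextcloud.yml.j2
@@ -0,0 +1,59 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+postgres:
+image: postgres:{{ services.nextcloud.postgres_version }}
+restart: unless-stopped
+volumes:
+- "./postgres:/var/lib/postgresql/data"
+environment:
+POSTGRES_DB: nextcloud
+POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+POSTGRES_USER: nextcloud
+
+redis:
+image: redis:{{ services.nextcloud.redis_version }}
+restart: unless-stopped
+command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}
+tmpfs:
+- /var/lib/redis
+
+cron:
+image: nextcloud:{{ services.nextcloud.version }}
+restart: unless-stopped
+entrypoint: /cron.sh
+volumes:
+- "./app:/var/www/html"
+depends_on:
+- postgres
+- redis
+
+app:
+image: nextcloud:{{ services.nextcloud.version }}
+restart: unless-stopped
+networks:
+- default
+- postfix
+- external_services
+volumes:
+- "./app:/var/www/html"
+environment:
+VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
+LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+POSTGRES_HOST: postgres
+POSTGRES_DB: nextcloud
+POSTGRES_USER: nextcloud
+POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+REDIS_HOST: redis
+REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
+depends_on:
+- postgres
+- redis
+
+networks:
+postfix:
+external: true
+external_services:
+external: true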
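Review bot: `command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}` exposes the Redis password in the container's argv (`docker inspect`, and `ps` for any local user on the host). The official image has no environment variable for it, so the usual alternative is a small config file bind-mounted read-only with `requirepass` set and `command: redis-server /usr/local/etc/redis/redis.conf`; while there, note that `tmpfs: - /var/lib/redis` does nothing for this image, which keeps its data under `/data`, so either point the tmpfs at `/data` or drop it — confirm against the image's documentation.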
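--- /dev/null
+++ b/roles/docker/templates/compose-files/nginx_proxy.yml.j2
@@ -0,0 +1,38 @@
+version: "3.8"
+
+services:
+proxy:
+image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
+restart: always
+networks:
+- external_services
+ports:
+- "80:80"
+- "443:443"
+volumes:
+- "./conf:/etc/nginx/conf.d"
+- "./vhost:/etc/nginx/vhost.d"
+- "./html:/usr/share/nginx/html"
+- "./dhparam:/etc/nginx/dhparam"
+- "./certs:/etc/nginx/certs:ro"
+- "/var/run/docker.sock:/tmp/docker.sock:ro"
+labels:
+- com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
+
+{% if letsencrypt_enabled %}
+acme:
+image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }}
+restart: always
+volumes:
+- "./vhost:/etc/nginx/vhost.d"
+- "./html:/usr/share/nginx/html"
+- "./dhparam:/etc/nginx/dhparam:ro"
+- "./certs:/etc/nginx/certs"
+- /var/run/docker.sock:/var/run/docker.sock:ro
+depends_on:
+- proxy
+{% endif %}
+
+networks:
+external_services:
+external: true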
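--- /dev/null
+++ b/roles/docker/templates/compose-files/openldap.yml.j2
@@ -0,0 +1,58 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: osixia/openldap:{{ services.openldap.version }}
+restart: unless-stopped
+tty: true
+stdin_open: true
+volumes:
+- "./var/lib/ldap:/var/lib/ldap"
+- "./etc/slapd.d:/etc/ldap/slapd.d"
+- "./certs:/container/service/slapd/assets/certs/"
+ports:
+- "389:389"
+- "636:636"
+hostname: "{{ services.openldap.domain }}"
+domainname: "{{ services.openldap.domain }}" # important: same as hostname
+environment:
+LDAP_LOG_LEVEL: "256"
+LDAP_ORGANISATION: "{{ base_domain }}"
+LDAP_DOMAIN: "{{ base_domain }}"
+LDAP_BASE_DN: ""
+LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
+LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
+LDAP_READONLY_USER: false
+LDAP_RFC2307BIS_SCHEMA: false
+LDAP_BACKEND: mdb
+LDAP_TLS: true
+LDAP_TLS_CRT_FILENAME: ldap.crt
+LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_CA_CRT_FILENAME: ca.crt
+LDAP_TLS_ENFORCE: false
+LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+LDAP_TLS_PROTOCOL_MIN: "3.1"
+LDAP_TLS_VERIFY_CLIENT: demand
+LDAP_REPLICATION: false
+KEEP_EXISTING_CONFIG: false
+LDAP_REMOVE_CONFIG_AFTER_SETUP: true
+LDAP_SSL_HELPER_PREFIX: ldap
+
+admin:
+image: osixia/phpldapadmin:{{ services.openldap.phpldapadmin_version }}
+restart: unless-stopped
+networks:
+- default
+- external_services
+environment:
+PHPLDAPADMIN_LDAP_HOSTS: app
+PHPLDAPADMIN_HTTPS: false
+PHPLDAPADMIN_TRUST_PROXY_SSL: true
+VIRTUAL_HOST: "{{ services.openldap.domain }}"
+LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+external_services:
+external: true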
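Review bot: `ports: - "389:389"` and `- "636:636"` publish the directory on every host interface, and with `LDAP_TLS_ENFORCE: false` the 389 listener accepts unencrypted binds — including the admin bind — from anywhere the host is reachable, unless a host firewall outside this file blocks it. `app` is not on `external_services`, so the published ports are presumably how other compose projects reach it; a shared internal network (as `postfix` is used elsewhere in this set) or a loopback-only binding (`- "127.0.0.1:389:389"`) would keep that working without exposing the listener, and `LDAP_TLS_ENFORCE: true` would stop plaintext binds on 389. `LDAP_TLS_VERIFY_CLIENT: demand` requires every TLS client to present a certificate, so confirm the consumers have one before enabling enforcement.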
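--- /dev/null
+++ b/roles/docker/templates/compose-files/passit.yml.j2
@@ -0,0 +1,38 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+db:
+image: postgres:{{ services.passit.postgres_version }}
+restart: always
+volumes:
+- "./data:/var/lib/postgresql/data"
+environment:
+POSTGRES_USER: passit
+POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
+
+app:
+image: passit/passit:{{ services.passit.version }}
+command: bin/start.sh
+restart: always
+networks:
+- default
+- postfix
+- external_services
+environment:
+DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@db:5432/passit
+SECRET_KEY: "{{ passit_secret_key }}"
+IS_DEBUG: "False"
+EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
+DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
+EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
+FIDO_SERVER_ID: "{{ services.passit.domain }}"
+VIRTUAL_HOST: "{{ services.passit.domain }}"
+LETSENCRYPT_HOST: "{{ services.passit.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+postfix:
+external: true
+external_services:
+external: true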
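--- /dev/null
+++ b/roles/docker/templates/compose-files/portainer.yml.j2
@@ -0,0 +1,21 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: portainer/portainer-ee:{{ services.portainer.version }}
+restart: always
+networks:
+- external_services
+volumes:
+- ".:/data"
+- "/var/run/docker.sock:/var/run/docker.sock:rw"
+environment:
+VIRTUAL_HOST: "{{ services.portainer.domain }}"
+VIRTUAL_PORT: "9000"
+LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+external_services:
+external: true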
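Review bot: `- "/var/run/docker.sock:/var/run/docker.sock:rw"` gives this container full control of the Docker daemon, i.e. root on the host, and the UI is published through nginx-proxy to the internet with only Portainer's own login in front; add a comment above `volumes:` such as `# Portainer drives the Docker daemon through this socket: a compromise of this UI is a root compromise of the host` so the blast radius is explicit to the next maintainer. Whether the public `external_services` exposure is needed at all, or whether an IP allowlist in the proxy's `vhost.d` for this domain is feasible, is worth deciding here rather than later.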
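--- /dev/null
+++ b/roles/docker/templates/compose-files/postfix.yml.j2
@@ -0,0 +1,20 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: boky/postfix:{{ services.postfix.version }}
+restart: always
+networks:
+- postfix
+volumes:
+- "./dkim:/etc/opendkim/keys"
+environment:
+# Get all services which have allowed_sender_domain defined
+ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
+HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as
+DKIM_AUTOGENERATE: true
+
+networks:
+postfix:
+external: true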
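Review bot: `selectattr('value.allowed_sender_domain', 'true')` uses Jinja's `true` test, which I believe only exists from Jinja 2.11 onward, so an older control node renders an error from this line; either document the minimum Jinja version in the role or use the older form `selectattr('value.allowed_sender_domain', 'defined') | selectattr('value.allowed_sender_domain', 'equalto', true)`. `DKIM_AUTOGENERATE: true` is a bare YAML boolean; quote it to match the other environment values.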
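--- /dev/null
+++ b/roles/docker/templates/compose-files/privatebin.yml.j2
@@ -0,0 +1,20 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+app:
+image: jgeusebroek/privatebin:{{ services.privatebin.version }}
+restart: unless-stopped
+volumes:
+- "./cfg:/privatebin/cfg"
+- "./data:/privatebin/data"
+networks:
+- external_services
+environment:
+VIRTUAL_HOST: "{{ services.privatebin.domain }}"
+LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
+LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+external_services:
+external: true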
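--- a/roles/docker/templates/compose-files/rallly.yml.j2
+++ b/roles/docker/templates/compose-files/rallly.yml.j2
@@ -0,0 +1,41 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  db:
+    image: postgres:{{ services.rallly.postgres_version }}
+    restart: always
+    shm_size: 256mb
+    volumes:
+      - "./postgres:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
+      POSTGRES_DB: rallly_db
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  app:
+    image: lukevella/rallly:{{ services.rallly.version }}
+    restart: always
+    networks:
+      - default
+      - external_services
+      - postfix
+    env_file: rallly.env
+    environment:
+      VIRTUAL_HOST: "{{ services.rallly.domain }}"
+      VIRTUAL_PORT: "3000"
+      LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    depends_on:
+      db:
+        condition: service_healthy
+
+networks:
+  external_services:
+    external: true
+  postfix:
+    external: true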
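Review bot: `depends_on` with `condition: service_healthy` is not part of the version-3 file format this template declares with `version: "3.8"`; the legacy docker-compose 1.x validator rejects it, while Compose V2 ignores the `version` key and accepts it. Which implementation the role invokes is not visible on this page, so either drop the misleading `version` line or add `# depends_on.condition needs Compose V2 (the version key is ignored there)` above `depends_on`. The Postgres password is also supplied twice, as `POSTGRES_PASSWORD` here and inside `DATABASE_URL` in `rallly.env`; both render from `postgres_passwords.rallly`, which is good, but a comment noting the coupling would stop a future edit from changing only one of them.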
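--- a/roles/docker/templates/compose-files/restic.yml.j2
+++ b/roles/docker/templates/compose-files/restic.yml.j2
@@ -0,0 +1,37 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  backup:
+    image: mazzolino/restic:{{ services.restic.version }}
+    restart: always
+    environment:
+      RUN_ON_STARTUP: false
+      BACKUP_CRON: "0 30 3 * * *"
+      RESTIC_REPOSITORY: sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}
+      RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
+      RESTIC_BACKUP_SOURCES: /mnt/volumes
+      RESTIC_BACKUP_ARGS: >-
+        --tag datacoop-volumes
+        --exclude '*.tmp'
+        --verbose
+      RESTIC_FORGET_ARGS: >-
+        --keep-last 10
+        --keep-daily 7
+        --keep-weekly 5
+        --keep-monthly 12
+      TZ: Europe/Copenhagen
+    volumes:
+      - "./ssh:/run/secrets/.ssh:ro"
+      - "/docker-volumes:/mnt/volumes:ro"
+
+  prune:
+    image: mazzolino/restic:{{ services.restic.version }}
+    environment:
+      RUN_ON_STARTUP: false
+      PRUNE_CRON: "0 30 4 * * *"
+      RESTIC_REPOSITORY: sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}
+      RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
+      TZ: Europe/copenhagen
+    volumes:
+      - "./ssh:/run/secrets/.ssh:ro"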
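Review bot: `TZ: Europe/copenhagen` on the `prune` service is not a valid zoneinfo name — the database is case-sensitive and the `backup` service spells it `Europe/Copenhagen` — and an unknown `TZ` typically falls back to UTC, so `PRUNE_CRON` would fire at 04:30 UTC instead of local time and drift against the backup schedule by an hour or two depending on DST. Fix: `TZ: Europe/Copenhagen`. `prune` also lacks the `restart: always` that `backup` has, so after a host reboot retention silently stops being enforced and the repository grows until someone notices; add `restart: always` under `prune:`.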
@ -0,0 +1,22 @@
|
||||||
|
# vim: ft=yaml.docker-compose
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
web:
|
||||||
|
image: docker.data.coop/unipi:{{ services.slides_2022_website.version }}
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
- external_services
|
||||||
|
environment:
|
||||||
|
VIRTUAL_HOST: "{{ services.slides_2022_website.domain }}"
|
||||||
|
LETSENCRYPT_HOST: "{{ services.slides_2022_website.domain }}"
|
||||||
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
|
command: --remote=https://git.data.coop/data.coop/slides.git#slides2022
|
||||||
|
cap_add:
|
||||||
|
- NET_ADMIN
|
||||||
|
devices:
|
||||||
|
- "/dev/net/tun"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
external_services:
|
||||||
|
external: true
|
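Review bot: The `web` service is granted `cap_add: NET_ADMIN` plus the `/dev/net/tun` device, which lets a process in this internet-facing container reconfigure the container's network stack and create tunnel interfaces; nothing in the template says why a site served from a git remote needs that, and the identical grant appears in `vhs_website.yml.j2`. If the `unipi` image sets up a tunnel to reach the git remote, record it so the capability is neither removed nor kept blindly: `# NET_ADMIN + /dev/net/tun: needed by unipi for <reason — TODO confirm>`; if it does not, drop both keys. The file header for this section is missing from the page, so the file name is only inferred from the `services.slides_2022_website` variables.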
|
@ -0,0 +1,17 @@
|
||||||
|
# vim: ft=yaml.docker-compose
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
services:
|
||||||
|
web:
|
||||||
|
image: ulovliglogning/ulovliglogning.dk:latest
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
- external_services
|
||||||
|
environment:
|
||||||
|
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains | join(',') }}"
|
||||||
|
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains | join(',') }}"
|
||||||
|
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
external_services:
|
||||||
|
external: true
|
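--- a/roles/docker/templates/compose-files/vhs_website.yml.j2
+++ b/roles/docker/templates/compose-files/vhs_website.yml.j2
@@ -0,0 +1,22 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  web:
+    image: docker.data.coop/unipi:{{ services.vhs_website.version }}
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST: "{{ services.vhs_website.domain }}"
+      LETSENCRYPT_HOST: "{{ services.vhs_website.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    command: --remote=https://git.data.coop/vhs.data.coop/website.git#main
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - "/dev/net/tun"
+
+networks:
+  external_services:
+    external: true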
@ -1,14 +1,12 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.docker-compose
|
||||||
---
|
version: "3.8"
|
||||||
- name: watchtower container
|
|
||||||
docker_container:
|
services:
|
||||||
name: watchtower
|
app:
|
||||||
image: containrrr/watchtower:{{ services.watchtower.version }}
|
image: containrrr/watchtower:{{ services.watchtower.version }}
|
||||||
restart_policy: unless-stopped
|
restart: unless-stopped
|
||||||
networks:
|
environment:
|
||||||
- name: external_services
|
|
||||||
env:
|
|
||||||
WATCHTOWER_POLL_INTERVAL: "60"
|
WATCHTOWER_POLL_INTERVAL: "60"
|
||||||
volumes:
|
volumes:
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
|
||||||
- "/root/.docker/config.json:/config.json:ro"
|
- "/root/.docker/config.json:/config.json:ro"
|
||||||
|
- "/var/run/docker.sock:/var/run/docker.sock"
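Review bot: The rewritten service keeps `WATCHTOWER_POLL_INTERVAL: "60"` and the host Docker socket, so watchtower re-checks every container's image tag once a minute and replaces the running container whenever that tag has been re-pushed upstream — with mutable tags that is an unattended supply-chain path into every service on the host. Consider opting services in explicitly instead of updating everything by default (`WATCHTOWER_LABEL_ENABLE: "true"` and the corresponding watchtower label only on services that should auto-update), and note in a comment that `/config.json` carries the registry credentials and must stay `:ro`. The old task attached the container to `external_services` while the new service has no `networks:` key; that looks intentional since watchtower needs no inbound traffic, but a one-line comment would make it so. The file header for this section is missing from the page.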
|
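--- a/roles/docker/templates/compose-files/writefreely.yml.j2
+++ b/roles/docker/templates/compose-files/writefreely.yml.j2
@@ -0,0 +1,31 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  db:
+    image: "mariadb:{{ services.writefreely.mariadb_version }}"
+    restart: unless-stopped
+    volumes:
+      - "./db:/var/lib/mysql"
+    environment:
+      - MYSQL_DATABASE=writefreely
+      - MYSQL_ROOT_PASSWORD={{ writefreely_secrets.db_password }}
+
+  app:
+    image: "writeas/writefreely:{{ services.writefreely.version }}"
+    restart: unless-stopped
+    networks:
+      - default
+      - external_services
+    volumes:
+      - "./config.ini:/go/config.ini"
+    environment:
+      VIRTUAL_HOST: "{{ services.writefreely.domain }}"
+      LETSENCRYPT_HOST: "{{ services.writefreely.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    depends_on:
+      - db
+
+networks:
+  external_services:
+    external: true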
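Review bot: The application authenticates to MariaDB as `root` — `MYSQL_ROOT_PASSWORD` is the only credential created here and the `config.ini` hunk further down sets `username = root` — so an injection or leaked config in writefreely yields control of the whole database server rather than just the `writefreely` schema. The mariadb image can create a scoped account alongside the database from `MYSQL_USER`/`MYSQL_PASSWORD`; use that and point `config.ini` at it. The list-form items are also unquoted, so a secret containing YAML-significant characters (a ` #` sequence, for instance) would be mis-parsed; quote them, `- "MYSQL_ROOT_PASSWORD={{ writefreely_secrets.db_password }}"`.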
@ -127,7 +127,7 @@ WEBSITE=https://{{ services.mailu.domain }}
|
||||||
# LOG_DRIVER=json-file
|
# LOG_DRIVER=json-file
|
||||||
|
|
||||||
# Docker-compose project name, this will prepended to containers names.
|
# Docker-compose project name, this will prepended to containers names.
|
||||||
COMPOSE_PROJECT_NAME=mail_server
|
COMPOSE_PROJECT_NAME=mailu
|
||||||
|
|
||||||
# Number of rounds used by the password hashing scheme
|
# Number of rounds used by the password hashing scheme
|
||||||
CREDENTIAL_ROUNDS=12
|
CREDENTIAL_ROUNDS=12
|
||||||
|
|
|
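Review bot: Changing `COMPOSE_PROJECT_NAME` from `mail_server` to `mailu` renames every container, default network and named volume Compose derives from the project name, so on an already-deployed host the old `mail_server_*` resources are left behind rather than migrated and the new stack starts from empty state. If mailu's data lives only in bind mounts this is harmless; if any of it is in named volumes (not visible on this page), the deploy needs a one-off rename or copy step before the switch. Either way the PR description should say what happens to existing mail data; the rest of `mailu.env` is outside this hunk.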
@ -1,5 +1,5 @@
|
||||||
NEXT_PUBLIC_BASE_URL="https://{{ services.rallly.domain }}"
|
NEXT_PUBLIC_BASE_URL="https://{{ services.rallly.domain }}"
|
||||||
DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@rallly_db:5432/rallly_db"
|
DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@db:5432/rallly_db"
|
||||||
SECRET_PASSWORD="{{ rallly_secrets.secret_password }}"
|
SECRET_PASSWORD="{{ rallly_secrets.secret_password }}"
|
||||||
SUPPORT_EMAIL="noreply@{{ services.rallly.domain }}"
|
SUPPORT_EMAIL="noreply@{{ services.rallly.domain }}"
|
||||||
SMTP_HOST="{{ smtp_host }}"
|
SMTP_HOST="{{ smtp_host }}"
|
||||||
|
|
|
@ -9,14 +9,14 @@ type = mysql
|
||||||
username = root
|
username = root
|
||||||
password = {{ writefreely_secrets.db_password }}
|
password = {{ writefreely_secrets.db_password }}
|
||||||
database = writefreely
|
database = writefreely
|
||||||
host = writefreely-db
|
host = db
|
||||||
port = 3306
|
port = 3306
|
||||||
tls = false
|
tls = false
|
||||||
|
|
||||||
[app]
|
[app]
|
||||||
site_name = data.coop
|
site_name = data.coop
|
||||||
site_description =
|
site_description =
|
||||||
host = https://write.data.coop
|
host = https://{{ services.writefreely.domain }}
|
||||||
theme = write
|
theme = write
|
||||||
editor =
|
editor =
|
||||||
disable_js = false
|
disable_js = false
|
||||||
|
|
|
@ -6,7 +6,8 @@
|
||||||
comment: "{{ item.comment }}"
|
comment: "{{ item.comment }}"
|
||||||
password: "{{ item.password }}"
|
password: "{{ item.password }}"
|
||||||
groups: "{{ item.groups }}"
|
groups: "{{ item.groups }}"
|
||||||
update_password: "always"
|
update_password: always
|
||||||
|
shell: /bin/bash
|
||||||
loop: "{{ users | default([]) }}"
|
loop: "{{ users | default([]) }}"
|
||||||
|
|
||||||
- name: "Add ssh authorized_keys"
|
- name: "Add ssh authorized_keys"
|
||||||
|
|
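Review bot: The task this hunk adds `shell: /bin/bash` to passes `password: "{{ item.password }}"` with `update_password: always` but carries no `no_log: true`, so each user's password value is echoed into the task result on every run, and with verbose output it lands in the console and any log shipped from it. Add `no_log: true` next to `update_password: always` (the task header starts outside this hunk). Keep in mind the `user` module expects an already-hashed value in `password`, so `users` entries must hold hashes rather than plaintext; `update_password: always` then just re-applies the same hash on each run, which is fine but worth a comment.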