diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..03e5b4f
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,111 @@ +--- +# .ansible-lint + +profile: null # min, basic, moderate,safety, shared, production + +# exclude_paths included in this file are parsed relative to this file's location +# and not relative to the CWD of execution. CLI arguments passed to the --exclude +# option are parsed relative to the CWD of execution. +exclude_paths: + - .cache/ # implicit unless exclude_paths is defined in config + - .github/ + - test/fixtures/formatting-before/ + - test/fixtures/formatting-prettier/ +# parseable: true +# quiet: true +# strict: true +# verbosity: 1 + +# Mock modules or roles in order to pass ansible-playbook --syntax-check +mock_modules: + - zuul_return + # note the foo.bar is invalid as being neither a module or a collection + - fake_namespace.fake_collection.fake_module + - fake_namespace.fake_collection.fake_module.fake_submodule +mock_roles: + - mocked_role + - author.role_name # old standalone galaxy role + - fake_namespace.fake_collection.fake_role # role within a collection + +# Enable checking of loop variable prefixes in roles +loop_var_prefix: "{role}_" + +# Enforce variable names to follow pattern below, in addition to Ansible own +# requirements, like avoiding python identifiers. To disable add `var-naming` +# to skip_list. +# var_naming_pattern: "^[a-z_][a-z0-9_]*$" + +use_default_rules: true +# Load custom rules from this specific folder +# rulesdir: +# - ./rule/directory/ + +# Ansible-lint completely ignores rules or tags listed below +skip_list: + - skip_this_tag + +# Ansible-lint does not automatically load rules that have the 'opt-in' tag. +# You must enable opt-in rules by listing each rule 'id' below. +enable_list: + - empty-string-compare # opt-in + - no-log-password # opt-in + - no-same-owner # opt-in + # add yaml here if you want to avoid ignoring yaml checks when yamllint + # library is missing. Normally its absence just skips using that rule. 
+ - yaml +# Report only a subset of tags and fully ignore any others +# tags: +# - jinja[spacing] + +# Ansible-lint does not fail on warnings from the rules or tags listed below +warn_list: + - skip_this_tag + - experimental # experimental is included in the implicit list + # - role-name + # - yaml[document-start] # you can also use sub-rule matches + +# Some rules can transform files to fix (or make it easier to fix) identified +# errors. `ansible-lint --write` will reformat YAML files and run these transforms. +# By default it will run all transforms (effectively `write_list: ["all"]`). +# You can disable running transforms by setting `write_list: ["none"]`. +# Or only enable a subset of rule transforms by listing rules/tags here. +# write_list: +# - all + +# Offline mode disables installation of requirements.yml +offline: false + +# Return success if number of violations compared with previous git +# commit has not increased. This feature works only in git +# repositories. +progressive: false + +# Define required Ansible's variables to satisfy syntax check +extra_vars: + foo: bar + multiline_string_variable: | + line1 + line2 + complex_variable: ":{;\t$()" + +# Uncomment to enforce action validation with tasks, usually is not +# needed as Ansible syntax check also covers it. +# skip_action_validation: false + +# List of additional kind:pattern to be added at the top of the default +# match list, first match determines the file kind. +kinds: + # - playbook: "**/examples/*.{yml,yaml}" + # - galaxy: "**/folder/galaxy.yml" + # - tasks: "**/tasks/*.yml" + # - vars: "**/vars/*.yml" + # - meta: "**/meta/main.yml" + - yaml: "**/*.yaml-too" + +# List of additional collections to allow in only-builtins rule. +# only_builtins_allow_collections: +# - example_ns.example_collection + +# List of additions modules to allow in only-builtins rule. +# only_builtins_allow_modules: +# - example_module \ No newline at end of file 
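Review bot: Most of this file is the upstream example configuration pasted verbatim rather than settings for this repository: `exclude_paths` lists `test/fixtures/formatting-before/` and `test/fixtures/formatting-prettier/`, `mock_modules`/`mock_roles` name `fake_namespace.fake_collection.*`, `skip_list` and `warn_list` carry `skip_this_tag`, `extra_vars` defines `foo: bar`, and `kinds` matches `"**/*.yaml-too"`. None of these correspond to anything in the diff, and the `skip_list`/`warn_list` entries silence whatever they later collide with; trim to `profile`, the `.cache/`/`.github/` excludes and the `enable_list` entries you actually want. `loop_var_prefix: "{role}_"` will presumably flag the `volume` loop variable used by the hedgedoc, mailu and mastodon tasks elsewhere in this diff, so either rename those `loop_var`s or drop the setting. `profile: null` also enforces no profile at all; `basic` or `moderate` is a reasonable floor for a deployment repository.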
diff --git a/.gitignore b/.gitignore index 9e0226e..6a544c3 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ playbook.retry *.sw* .vagrant/ *.log +.idea/ +venv/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..6b4fbd3 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,14 @@ +repos: + +#- repo: https://github.com/semaphor-dk/dansabel +# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8 +# hooks: +# - id: dansabel + +- repo: https://github.com/ansible/ansible-lint + rev: v6.9.0 + hooks: + - id: ansible-lint + files: \.(yaml|yml)$ + additional_dependencies: + - ansible diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..4c47f67 --- /dev/null +++ b/Makefile @@ -0,0 +1,12 @@ +init: create_venv install_pre_commit install_ansible_galaxy_modules + +create_venv: + python3 -m venv venv + venv/bin/pip install -U pip + venv/bin/pip install ansible pre-commit + +install_pre_commit: + venv/bin/pre-commit install + +install_ansible_galaxy_modules: + venv/bin/ansible-galaxy collection install community.general \ No newline at end of file diff --git a/deploy.sh b/deploy.sh index 70095a1..83da6e8 100755 --- a/deploy.sh +++ b/deploy.sh @@ -2,8 +2,13 @@ BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass" +if [ "$1" = "--vagrant" ]; then + BASE_CMD="$BASE_CMD --inventory=vagrant_host" + shift +fi + if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then - echo "Installing community modules" + echo "Installing community.general modules" ansible-galaxy collection install community.general fi @@ -17,8 +22,8 @@ else echo "Deploying all services!" $BASE_CMD --tags setup_services else - echo "Deploying services: $2" - $BASE_CMD --tags setup_services --extra-vars "services=$2" + echo "Deploying service: $2" + $BASE_CMD --tags setup_services --extra-vars "single_service=$2" fi ;; "base") diff --git a/playbook.yml b/playbook.yml index 66068c2..1ce47fb 100644 --- a/playbook.yml 
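Review bot: `additional_dependencies: - ansible` in .pre-commit-config.yaml installs whatever ansible release PyPI serves on the day the hook environment is built, so two contributors can lint against different ansible versions and the hook is not reproducible; pin it (`- ansible==<version you test against>`). The same applies to the Makefile's `venv/bin/pip install ansible pre-commit` and `venv/bin/ansible-galaxy collection install community.general`, and to deploy.sh's `ansible-galaxy collection install community.general`, which are likewise unpinned. The hook itself is pinned by tag (`rev: v6.9.0`); the commented-out dansabel entry shows the commit-SHA form, which is the stronger pin if supply-chain drift matters here.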
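Review bot: `$BASE_CMD` is accumulated as a string and executed unquoted (`$BASE_CMD --tags setup_services …`), so the new `--inventory=vagrant_host` fragment only works because no argument contains whitespace; a bash array keeps that explicit: `BASE_CMD=(ansible-playbook playbook.yml --ask-vault-pass)`, `BASE_CMD+=(--inventory=vagrant_host)` and `"${BASE_CMD[@]}" --tags setup_services …`. The `--vagrant` test also only fires when it is the first argument, which is worth documenting next to the check. In the second hunk `single_service=$2` is passed straight through, and because services.yml guards on `single_service in services`, a misspelled name deploys nothing without any error. The enclosing `case` block is outside the hunk.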
+++ b/playbook.yml @@ -10,31 +10,6 @@ vagrant: "{{ ansible_virtualization_role == 'guest' }}" letsencrypt_enabled: "{{ not vagrant }}" - services: - - nginx-proxy - - postfix - - openldap - - keycloak - - restic-backup - - nextcloud - - passit - - gitea - - matrix_riot - - privatebin - - codimd - - hedgedoc - - netdata - - docker_registry - - drone - - websites - - ulovliglogning-dk - - watchtower - - mailu - - portainer - - mastodon - - rallly - - membersystem - smtp_host: "postfix" smtp_port: "587" diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index e890544..2a23950 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -1,122 +1,169 @@ --- volume_root_folder: "/docker-volumes" -nginx: - volume_folder: "{{ volume_root_folder }}/nginx" +services: -ldap: - domain: "ldap.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/openldap" + ### Internal services ### + postfix: + file: postfix.yml + version: "v3.5.0" -nextcloud: - domain: "cloud.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/nextcloud" + nginx_proxy: + file: nginx_proxy.yml + version: "1.0-alpine" + volume_folder: "{{ volume_root_folder }}/nginx" -gitea: - domain: "git.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/gitea" + nginx_acme_companion: + version: "2.2" -passit: - domain: "passit.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/passit" + openldap: + file: openldap.yml + domain: "ldap.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/openldap" + version: "1.5.0" -matrix: - domain: "matrix.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/matrix" + phpldapadmin: + version: "0.9.0" -riot: - domains: - - "riot.{{ base_domain }}" - - "element.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/riot" + netdata: + file: netdata.yml + domain: "netdata.{{ base_domain }}" + version: "v1" -privatebin: - domain: "paste.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/privatebin" + portainer: + file: portainer.yml + domain: "portainer.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/portainer" + version: "2.16.2" -codimd: - domain: "oldpad.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/codimd" + keycloak: + file: keycloak.yml + domain: sso.{{ base_domain }} + volume_folder: "{{ volume_root_folder }}/keycloak" + version: "20.0" -hedgedoc: - domain: "pad.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/hedgedoc" + restic: + file: restic_backup.yml + user: "datacoop" + domain: "restic.cannedtuna.org" + repository: "datacoop-hevonen" + version: "1.6.0" + disabled_in_vagrant: true -netdata: - 
domain: "netdata.{{ base_domain }}" + docker_registry: + file: docker_registry.yml + domain: "docker.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/docker-registry" + username: "docker" + password: "{{ docker_password }}" + version: "2" -docker_registry: - domain: "docker.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/docker-registry" - username: "docker" - password: "{{ docker_password }}" + ### External services ### -data_coop_website: - domains: - - "{{ base_domain }}" - - "www.{{ base_domain }}" + nextcloud: + file: nextcloud.yml + domain: "cloud.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/nextcloud" + version: 25-apache -cryptohagen_website: - domains: - - "cryptohagen.dk" - - "www.cryptohagen.dk" + gitea: + file: gitea.yml + domain: "git.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/gitea" + version: 1.17.3 + allowed_sender_domain: true -ulovliglogning_website: - domains: - - "ulovliglogning.dk" - - "www.ulovliglogning.dk" - - "ulovlig-logning.dk" + passit: + file: passit.yml + domain: "passit.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/passit" + version: stable + allowed_sender_domain: true -cryptoaarhus_website: - domains: - - "cryptoaarhus.dk" - - "www.cryptoaarhus.dk" + matrix: + file: matrix_riot.yml + domain: "matrix.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/matrix" + version: v1.63.1 -drone: - domain: "drone.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/drone" + riot: + domains: + - "riot.{{ base_domain }}" + - "element.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/riot" + version: v1.11.8 -mailu: - version: 1.6 - domain: "mail.{{ base_domain }}" - dns: 192.168.203.254 - subnet: 192.168.203.0/24 - volume_folder: "{{ volume_root_folder }}/mailu" + privatebin: + file: privatebin.yml + domain: "paste.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/privatebin" + version: 20221009 -portainer: - domain: 
"portainer.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/portainer" + codimd: + domain: "oldpad.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/codimd" -ttrss: - domain: rss.{{ base_domain }} - volume_folder: "{{ volume_root_folder }}/tt-rss" + hedgedoc: + file: hedgedoc.yml + domain: "pad.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/hedgedoc" + version: 1.9.6 -keycloak: - domain: sso.{{ base_domain }} - volume_folder: "{{ volume_root_folder }}/keycloak" + data_coop_website: + file: websites/data.coop.yml + domains: + - "{{ base_domain }}" + - "www.{{ base_domain }}" -postfix: - allowed_sender_domains: - - "services.{{ base_domain }}" - - "{{ passit.domain }}" - - "{{ gitea.domain }}" - - "{{ mastodon.domain }}" - - "{{ rallly.domain }}" - - "{{ membersystem.domain }}" + cryptohagen_website: + file: websites/cryptohagen.dk.yml + domains: + - "cryptohagen.dk" + - "www.cryptohagen.dk" -mastodon: - domain: "social.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/mastodon" + ulovliglogning_website: + file: websites/ulovliglogning.dk.yml + domains: + - "ulovliglogning.dk" + - "www.ulovliglogning.dk" + - "ulovlig-logning.dk" -rallly: - domain: "when.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/rallly" + cryptoaarhus_website: + file: websites/cryptoaarhus.dk.yml + domains: + - "cryptoaarhus.dk" + - "www.cryptoaarhus.dk" -membersystem: - domain: "member.{{ base_domain }}" - django_admins: "Vidir:valberg@orn.li" + drone: + file: drone.yml + domain: "drone.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/drone" + version: 1 -restic: - user: "datacoop" - domain: "restic.cannedtuna.org" - repository: "datacoop-hevonen" + mailu: + file: mailu.yml + version: 1.6 + domain: "mail.{{ base_domain }}" + dns: 192.168.203.254 + subnet: 192.168.203.0/24 + volume_folder: "{{ volume_root_folder }}/mailu" + + mastodon: + file: mastodon.yml + domain: "social.{{ base_domain }}" + volume_folder: "{{ 
volume_root_folder }}/mastodon" + version: v4.0.2 + allowed_sender_domain: true + + rallly: + file: rallly.yml + domain: "when.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/rallly" + version: a21f92bf74308d66cfcd545d49b81eba0211a222 + allowed_sender_domain: true + + membersystem: + file: membersystem.yml + domain: "member.{{ base_domain }}" + django_admins: "Vidir:valberg@orn.li" + allowed_sender_domain: true diff --git a/roles/docker/files/configs/mastodon/env_file.j2 b/roles/docker/files/configs/mastodon/env_file.j2 index e894d0d..58436c4 100644 --- a/roles/docker/files/configs/mastodon/env_file.j2 +++ b/roles/docker/files/configs/mastodon/env_file.j2 @@ -14,7 +14,7 @@ # ---------- # This identifies your server and cannot be changed safely later # ---------- -LOCAL_DOMAIN={{ mastodon.domain }} +LOCAL_DOMAIN={{ services.mastodon.domain }} # Redis # ----- @@ -52,7 +52,7 @@ SMTP_SERVER={{ smtp_host }} SMTP_PORT={{ smtp_port }} SMTP_LOGIN= SMTP_PASSWORD= -SMTP_FROM_ADDRESS=notifications@{{ mastodon.domain }} +SMTP_FROM_ADDRESS=notifications@{{ services.mastodon.domain }} # File storage (optional) # ----------------------- diff --git a/roles/docker/files/configs/matrix/homeserver.yaml.j2 b/roles/docker/files/configs/matrix/homeserver.yaml.j2 index 44c22c2..4b8c3aa 100644 --- a/roles/docker/files/configs/matrix/homeserver.yaml.j2 +++ b/roles/docker/files/configs/matrix/homeserver.yaml.j2 @@ -44,7 +44,7 @@ pid_file: /data/homeserver.pid # use synapse with a reverse proxy, this should be the URL to reach # synapse via the proxy. # -public_baseurl: "https://{{ matrix.domain }}" +public_baseurl: "https://{{ services.matrix.domain }}" # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the diff --git a/roles/docker/files/configs/rallly/env_file.j2 b/roles/docker/files/configs/rallly/env_file.j2 index e0cced2..6403696 100644 --- a/roles/docker/files/configs/rallly/env_file.j2 
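Review bot: The `version:` scalars in the new "External services" section are inconsistently typed: `mailu: version: 1.6` loads as a float and `privatebin: version: 20221009` and `drone: version: 1` as integers, while every "Internal services" entry quotes its version (`"v3.5.0"`, `"2.16.2"`). They render correctly today, but a bump to something like `1.10` would silently become the image tag `1.1`; quote them all (`version: "1.6"`, `version: "20221009"`, `version: "1"`) and quote `keycloak: domain: sso.{{ base_domain }}` like its neighbours. The removed `postfix.allowed_sender_domains` list also carried `services.{{ base_domain }}`, which no `services.*` entry with `allowed_sender_domain: true` now provides; presumably postfix.yml rebuilds the list from that flag (it is not in this diff), so check that entry is not lost.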
+++ b/roles/docker/files/configs/rallly/env_file.j2 @@ -1,7 +1,7 @@ -NEXT_PUBLIC_BASE_URL="https://{{ rallly.domain }}" +NEXT_PUBLIC_BASE_URL="https://{{ services.rallly.domain }}" DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@rallly_db:5432/rallly_db" SECRET_PASSWORD="{{ rallly_secrets.secret_password }}" -SUPPORT_EMAIL="noreply@{{ rallly.domain }}" +SUPPORT_EMAIL="noreply@{{ services.rallly.domain }}" SMTP_HOST="{{ smtp_host }}" SMTP_PORT="{{ smtp_port }}" SMTP_SECURE="false" diff --git a/roles/docker/files/configs/riot/config.json b/roles/docker/files/configs/riot/config.json index 0ea4d1a..f88e420 100644 --- a/roles/docker/files/configs/riot/config.json +++ b/roles/docker/files/configs/riot/config.json @@ -1,7 +1,7 @@ { "default_server_config": { "m.homeserver": { - "base_url": "https://{{ matrix.domain }}" + "base_url": "https://{{ services.matrix.domain }}" }, "m.identity_server": { "base_url": "https://vector.im" @@ -37,7 +37,7 @@ ] }, "enable_presence_by_hs_url": { - "https://{{ matrix.domain }}": false + "https://{{ services.matrix.domain }}": false }, "terms_and_conditions_links": [ { diff --git a/roles/docker/files/configs/thelounge.js b/roles/docker/files/configs/thelounge.js index b181e4c..7dcdb25 100644 --- a/roles/docker/files/configs/thelounge.js +++ b/roles/docker/files/configs/thelounge.js @@ -404,7 +404,7 @@ module.exports = { // // @type string // - url: "ldap://{{ ldap.domain }}", + url: "ldap://{{ services.openldap.domain }}", // // LDAP connection tls options (only used if scheme is ldaps://) diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml index 45c9233..e183bbf 100644 --- a/roles/docker/tasks/services.yml +++ b/roles/docker/tasks/services.yml 
@@ -4,5 +4,15 @@ name: external_services - name: setup services - include_tasks: "services/{{ item }}.yml" - with_items: "{{ services }}" + include_tasks: "services/{{ item.value.file }}" + loop: "{{ services | dict2items }}" + when: single_service is not defined and + item.value.file is defined and + item.value.disabled_in_vagrant is not defined + +- name: setup single service + include_tasks: "services/{{ services[single_service].file }}" + when: single_service is defined and + single_service in services and + services[single_service].file is defined and + services[single_service].disabled_in_vagrant is not defined diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 3e53802..660e684 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml 
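Review bot: Both new `when:` conditions test `disabled_in_vagrant is not defined` without consulting the `vagrant` fact from playbook.yml, so the one service that sets it (restic in defaults/main.yml) is skipped on the production host as well as under Vagrant; the test should be `not (vagrant | bool and item.value.disabled_in_vagrant | default(false))`. The single-service task also turns an unknown or file-less `single_service` into a silent no-op because its `when:` swallows both cases; an `assert` before it gives the operator an error instead. Rewritten tasks below; the `external_services` network task above them is unchanged.

```yaml
- name: check requested service exists
  ansible.builtin.assert:
    that: single_service in services and services[single_service].file is defined
    fail_msg: "unknown service '{{ single_service }}'"
  when: single_service is defined

- name: setup services
  include_tasks: "services/{{ item.value.file }}"
  loop: "{{ services | dict2items }}"
  when: single_service is not defined and
        item.value.file is defined and
        not (vagrant | bool and item.value.disabled_in_vagrant | default(false))

- name: setup single service
  include_tasks: "services/{{ services[single_service].file }}"
  when: single_service is defined and
        not (vagrant | bool and services[single_service].disabled_in_vagrant | default(false))
```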
@@ -2,34 +2,34 @@ - name: copy docker registry nginx configuration copy: src: "files/configs/docker_registry/nginx.conf" - dest: "/docker-volumes/nginx/vhost/{{ docker_registry.domain }}" + dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}" mode: "0644" - name: docker registry container docker_container: name: registry - image: registry:2 + image: registry:{{ services.docker_registry.version }} restart_policy: always volumes: - - "{{ docker_registry.volume_folder }}/registry:/var/lib/registry" - - "{{ docker_registry.volume_folder }}/auth:/auth" + - "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry" + - "{{ services.docker_registry.volume_folder }}/auth:/auth" networks: - name: external_services env: - VIRTUAL_HOST: "{{ docker_registry.domain }}" - LETSENCRYPT_HOST: "{{ docker_registry.domain }}" + VIRTUAL_HOST: "{{ services.docker_registry.domain }}" + LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" REGISTRY_AUTH: "htpasswd" REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd" REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry" - name: generate htpasswd file - shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ docker_registry.volume_folder }}/auth/htpasswd" + shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd" args: - creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" + creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd" - name: log in to registry docker_login: - registry: "docker.data.coop" + registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}" username: "docker" password: "{{ docker_password }}" diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index 62bdbaa..874ce03 100644 --- a/roles/docker/tasks/services/drone.yml 
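Review bot: The `generate htpasswd file` shell task still interpolates `{{ docker_password }}` into the command line, so the secret appears in the task's logged `cmd`, in the host's process list while `docker exec` runs, and in any verbose run output; add `no_log: true` to that task (and `-t` requests a TTY the shell module does not provide, so `-i` alone is the safer flag). The `docker_login` line now picks `docker.data.coop` under Vagrant and the templated domain otherwise; presumably a Vagrant box is meant to pull from the real registry, but a one-line comment saying so would save the next reader the inversion double-take. Style: `image: registry:{{ services.docker_registry.version }}` is left unquoted here and in gitea.yml, hedgedoc.yml and mailu.yml, while keycloak.yml, drone.yml and mastodon.yml quote their templated `image:` values; pick one form.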
+++ b/roles/docker/tasks/services/drone.yml @@ -14,31 +14,31 @@ - external_services - drone volumes: - - "{{ drone.volume_folder }}:/data" + - "{{ services.drone.volume_folder }}:/data" - "/var/run/docker.sock:/var/run/docker.sock" environment: - DRONE_GITEA_SERVER: "https://{{ gitea.domain }}" + DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}" DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}" DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}" DRONE_GIT_ALWAYS_AUTH: "true" - DRONE_SERVER_HOST: "{{ drone.domain }}" + DRONE_SERVER_HOST: "{{ services.drone.domain }}" DRONE_SERVER_PROTO: "https" DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" PLUGIN_CUSTOM_DNS: "91.239.100.100" - VIRTUAL_HOST: "{{ drone.domain }}" - LETSENCRYPT_HOST: "{{ drone.domain }}" + VIRTUAL_HOST: "{{ services.drone.domain }}" + LETSENCRYPT_HOST: "{{ services.drone.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" drone-runner-docker: container_name: "drone-runner-docker" - image: "drone/drone-runner-docker:1" + image: "drone/drone-runner-docker:{{ services.drone.version }}" restart: unless-stopped networks: - drone volumes: - "/var/run/docker.sock:/var/run/docker.sock" environment: - DRONE_RPC_HOST: "{{ drone.domain }}" + DRONE_RPC_HOST: "{{ services.drone.domain }}" DRONE_RPC_PROTO: "https" DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" DRONE_RUNNER_CAPACITY: 2 diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index aeffae1..514cc9e 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml 
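Review bot: Only the runner's image tag is now templated from `services.drone.version`; the server container that presumably sits above this hunk is outside the diff, so if it still hard-codes its tag the two images will drift apart the first time the default changes. `services.drone.version` is also the bare integer `1` in defaults/main.yml, a major-only floating tag for whatever uses it; pin a full release if reproducible deploys matter. The compose `definition:` this belongs to starts outside the hunk.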
@@ -7,25 +7,25 @@ - name: gitea container docker_container: name: gitea - image: gitea/gitea:1.17.3 + image: gitea/gitea:{{ services.gitea.version }} restart_policy: unless-stopped networks: - name: gitea - name: postfix - name: external_services volumes: - - "{{ gitea.volume_folder }}:/data" + - "{{ services.gitea.volume_folder }}:/data" published_ports: - "22:22" env: - VIRTUAL_HOST: "{{ gitea.domain }}" + VIRTUAL_HOST: "{{ services.gitea.domain }}" VIRTUAL_PORT: "3000" - LETSENCRYPT_HOST: "{{ gitea.domain }}" + LETSENCRYPT_HOST: "{{ services.gitea.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" # Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security GITEA__mailer__ENABLED: "true" - GITEA__mailer__FROM: "noreply@{{ gitea.domain }}" + GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}" GITEA__mailer__MAILER_TYPE: "smtp" GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}" GITEA__mailer__USER: "noop" diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index 7a68f37..7508535 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -1,7 +1,7 @@ --- - name: create hedgedoc volume folders file: - name: "{{ hedgedoc.volume_folder }}/{{ volume }}" + name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}" state: directory loop: - "db" @@ -12,7 +12,7 @@ - name: copy sso public certificate copy: src: "files/sso/sso.data.coop.pem" - dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem" + dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem" mode: "0644" - name: setup hedgedoc 
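Review bot: In hedgedoc.yml the `copy sso public certificate` task still hard-codes `files/sso/sso.data.coop.pem` and the `sso.data.coop.pem` destination, while `services.keycloak.domain` is now `sso.{{ base_domain }}`; on a Vagrant host with a different `base_domain` HedgeDoc would be given a signing certificate for a Keycloak it is not talking to and SAML login would fail. If that is intended, add a comment that SAML only works against production; otherwise derive the filename from the domain, e.g. `dest: "{{ services.hedgedoc.volume_folder }}/{{ services.keycloak.domain }}.pem"`, and adjust the `volumes:` mount in the later hunk to match.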
@@ -31,13 +31,13 @@ networks: - "hedgedoc" volumes: - - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" + - "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:1.9.6 + image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }} environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" - CMD_DOMAIN: "{{ hedgedoc.domain }}" + CMD_DOMAIN: "{{ services.hedgedoc.domain }}" CMD_ALLOW_EMAIL_REGISTER: "False" CMD_IMAGE_UPLOAD_TYPE: "filesystem" CMD_EMAIL: "False" @@ -47,12 +47,12 @@ CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" CMD_USECDN: "false" CMD_PROTOCOL_USESSL: "true" - VIRTUAL_HOST: "{{ hedgedoc.domain }}" - LETSENCRYPT_HOST: "{{ hedgedoc.domain }}" + VIRTUAL_HOST: "{{ services.hedgedoc.domain }}" + LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" volumes: - - "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads" - - "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem" + - "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads" + - "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem" restart: "unless-stopped" networks: - "hedgedoc" diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 26a5661..3f2da44 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml 
@@ -12,24 +12,24 @@ networks: - "keycloak" volumes: - - "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data" + - "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data" environment: POSTGRES_USER: "keycloak" POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}" POSTGRES_DB: "keycloak" app: - image: "quay.io/keycloak/keycloak:20.0.1" + image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}" restart: "unless-stopped" networks: - "keycloak" - "postfix" - "external_services" - command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth" + command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth" environment: - VIRTUAL_HOST: "{{ keycloak.domain }}" + VIRTUAL_HOST: "{{ services.keycloak.domain }}" VIRTUAL_PORT: "8080" - LETSENCRYPT_HOST: "{{ keycloak.domain }}" + LETSENCRYPT_HOST: "{{ services.keycloak.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" networks: diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index 3c28dee..c1119c7 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml @@ -2,7 +2,7 @@ - name: create mailu volume folders file: - name: "{{ mailu.volume_folder }}/{{ volume }}" + name: "{{ services.mailu.volume_folder }}/{{ volume }}" state: directory loop: - redis 
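Review bot: `--db-password={{ postgres_passwords.keycloak }}` stays on the Keycloak container's command line, where it shows up in the host's process list and in any logged or diffed compose output; Keycloak reads the same value from the `KC_DB_PASSWORD` environment variable, so move it next to the other `environment:` entries and drop the flag (it remains visible to anyone who can `docker inspect`, but no longer to `ps`). The version pin is also loosened by this change: the removed line pinned `quay.io/keycloak/keycloak:20.0.1`, while `services.keycloak.version` in defaults/main.yml is `"20.0"`, a floating minor tag. Adding `no_log: true` to the `docker_compose` task would additionally keep the rendered command out of Ansible's output while the flag is still there.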
@@ -20,20 +20,20 @@ - name: upload mailu.env file template: src: mailu.env.j2 - dest: "{{ mailu.volume_folder}}/mailu.env" + dest: "{{ services.mailu.volume_folder}}/mailu.env" - name: hard link to Let's Encrypt TLS certificate file: - src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem" - dest: "{{ mailu.volume_folder }}/certs/cert.pem" + src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem" + dest: "{{ services.mailu.volume_folder }}/certs/cert.pem" state: hard force: yes when: letsencrypt_enabled - name: hard link to Let's Encrypt TLS key file: - src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem" - dest: "{{ mailu.volume_folder }}/certs/key.pem" + src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem" + dest: "{{ services.mailu.volume_folder }}/certs/key.pem" state: hard force: yes when: letsencrypt_enabled 
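Review bot: The `upload mailu.env file` template task sets no `mode:`, so the rendered file takes the remote user's umask default, typically `0644`; mailu.env normally carries the admin secret key and database credentials (the template itself is outside this diff), so add `mode: "0600"` under the `dest:` line. `{{ services.mailu.volume_folder}}` is also missing the space before `}}` that every other expression in the file has, here and in the later mailu hunks; the `jinja[spacing]` rule in the newly added ansible-lint config will presumably flag it.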
@@ -49,30 +49,30 @@ image: redis:alpine restart: always volumes: - - "{{ mailu.volume_folder }}/redis:/data" + - "{{ services.mailu.volume_folder }}/redis:/data" database: - image: mailu/postgresql:{{ mailu.version }} + image: mailu/postgresql:{{ services.mailu.version }} restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" volumes: - - "{{ mailu.volume_folder }}/data/psql_db:/data" - - "{{ mailu.volume_folder }}/data/psql_backup:/backup" + - "{{ services.mailu.volume_folder }}/data/psql_db:/data" + - "{{ services.mailu.volume_folder }}/data/psql_backup:/backup" networks: - default - external_services front: - image: mailu/nginx:{{ mailu.version }} + image: mailu/nginx:{{ services.mailu.version }} restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" environment: - VIRTUAL_HOST: "{{ mailu.domain }}" - LETSENCRYPT_HOST: "{{ mailu.domain }}" + VIRTUAL_HOST: "{{ services.mailu.domain }}" + LETSENCRYPT_HOST: "{{ services.mailu.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" volumes: - - "{{ mailu.volume_folder }}/certs:/certs" - - "{{ mailu.volume_folder }}/overrides/nginx:/overrides" + - "{{ services.mailu.volume_folder }}/certs:/certs" + - "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides" expose: - "80" ports: 
@@ -85,70 +85,70 @@ - external_services resolver: - image: mailu/unbound:{{ mailu.version }} + image: mailu/unbound:{{ services.mailu.version }} restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" networks: default: - ipv4_address: "{{ mailu.dns }}" + ipv4_address: "{{ services.mailu.dns }}" admin: - image: mailu/admin:{{ mailu.version }} + image: mailu/admin:{{ services.mailu.version }} restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" volumes: - - "{{ mailu.volume_folder }}/data:/data" - - "{{ mailu.volume_folder }}/dkim:/dkim" + - "{{ services.mailu.volume_folder }}/data:/data" + - "{{ services.mailu.volume_folder }}/dkim:/dkim" depends_on: - redis imap: - image: mailu/dovecot:{{ mailu.version }} + image: mailu/dovecot:{{ services.mailu.version }} restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" volumes: - - "{{ mailu.volume_folder }}/mail:/mail" - - "{{ mailu.volume_folder }}/overrides:/overrides" + - "{{ services.mailu.volume_folder }}/mail:/mail" + - "{{ services.mailu.volume_folder }}/overrides:/overrides" depends_on: - front smtp: - image: mailu/postfix:{{ mailu.version }} + image: mailu/postfix:{{ services.mailu.version }} restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" volumes: - - "{{ mailu.volume_folder }}/overrides:/overrides" + - "{{ services.mailu.volume_folder }}/overrides:/overrides" depends_on: - front - resolver dns: - - "{{ mailu.dns }}" + - "{{ services.mailu.dns }}" antispam: - image: mailu/rspamd:{{ mailu.version }} + image: mailu/rspamd:{{ services.mailu.version }} restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" volumes: - - "{{ mailu.volume_folder }}/filter:/var/lib/rspamd" - - 
"{{ mailu.volume_folder }}/dkim:/dkim" - - "{{ mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d" + - "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd" + - "{{ services.mailu.volume_folder }}/dkim:/dkim" + - "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d" depends_on: - front - resolver dns: - - "{{ mailu.dns }}" + - "{{ services.mailu.dns }}" webmail: image: mailu/rainloop:1.6 restart: always - env_file: "{{ mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder}}/mailu.env" volumes: - - "{{ mailu.volume_folder }}/webmail:/data" + - "{{ services.mailu.volume_folder }}/webmail:/data" depends_on: - front - resolver dns: - - "{{ mailu.dns }}" + - "{{ services.mailu.dns }}" networks: default: @@ -156,7 +156,7 @@ ipam: driver: default config: - - subnet: "{{ mailu.subnet }}" + - subnet: "{{ services.mailu.subnet }}" external_services: external: name: external_services diff --git a/roles/docker/tasks/services/mastodon.yml b/roles/docker/tasks/services/mastodon.yml index 7da21df..baeea09 100644 --- a/roles/docker/tasks/services/mastodon.yml +++ b/roles/docker/tasks/services/mastodon.yml @@ -1,6 +1,6 @@ - name: create mastodon volume folders file: - name: "{{ mastodon.volume_folder }}/{{ volume }}" + name: "{{ services.mastodon.volume_folder }}/{{ volume }}" state: directory owner: "991" group: "991" @@ -14,12 +14,12 @@ - name: Copy mastodon environment file template: src: files/configs/mastodon/env_file.j2 - dest: "{{ mastodon.volume_folder }}/env_file" + dest: "{{ services.mastodon.volume_folder }}/env_file" - name: upload vhost config for root domain template: src: files/configs/mastodon/vhost-mastodon - dest: "{{ nginx.volume_folder }}/vhost/{{ mastodon.domain }}" + dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}" - name: set up mastodon docker_compose: 
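Review bot: Every other mailu image in this compose definition is now templated from `services.mailu.version`, but `webmail: image: mailu/rainloop:1.6` (a context line in the same hunk) is still hard-coded, so bumping the default will upgrade every component except webmail; change it to `image: mailu/rainloop:{{ services.mailu.version }}` if the rainloop image follows the same release train, or add a comment explaining why it is pinned separately.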
@@ -37,7 +37,7 @@ healthcheck: test: ['CMD', 'pg_isready', '-U', 'postgres'] volumes: - - "{{ mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data" + - "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data" environment: - 'POSTGRES_HOST_AUTH_METHOD=trust' @@ -49,12 +49,12 @@ healthcheck: test: ['CMD', 'redis-cli', 'ping'] volumes: - - "{{ mastodon.volume_folder }}/redis_data:/data" + - "{{ services.mastodon.volume_folder }}/redis_data:/data" web: - image: "tootsuite/mastodon:{{ mastodon_version }}" + image: "tootsuite/mastodon:{{ services.mastodon.version }}" restart: always - env_file: "{{ mastodon.volume_folder }}/env_file" + env_file: "{{ services.mastodon.volume_folder }}/env_file" command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" networks: - external_services @@ -66,18 +66,18 @@ - db - redis volumes: - - "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" + - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" environment: - VIRTUAL_HOST: "{{ mastodon.domain }}" + VIRTUAL_HOST: "{{ services.mastodon.domain }}" VIRTUAL_PORT: "3000" VIRTUAL_PATH: "/" - LETSENCRYPT_HOST: "{{ mastodon.domain }}" + LETSENCRYPT_HOST: "{{ services.mastodon.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" streaming: - image: "tootsuite/mastodon:{{ mastodon_version }}" + image: "tootsuite/mastodon:{{ services.mastodon.version }}" restart: always - env_file: "{{ mastodon.volume_folder }}/env_file" + env_file: "{{ services.mastodon.volume_folder }}/env_file" command: node ./streaming networks: - external_services 
@@ -91,14 +91,14 @@ - db - redis environment: - VIRTUAL_HOST: "{{ mastodon.domain }}" + VIRTUAL_HOST: "{{ services.mastodon.domain }}" VIRTUAL_PORT: "4000" VIRTUAL_PATH: "/api/v1/streaming" sidekiq: - image: "tootsuite/mastodon:{{ mastodon_version }}" + image: "tootsuite/mastodon:{{ services.mastodon.version }}" restart: always - env_file: "{{ mastodon.volume_folder }}/env_file" + env_file: "{{ services.mastodon.volume_folder }}/env_file" command: bundle exec sidekiq -c 32 environment: DB_POOL: 32 @@ -110,7 +110,7 @@ - external_services - internal_network volumes: - - "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" + - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" healthcheck: test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"] @@ -120,6 +120,4 @@ postfix: external: true internal_network: - internal: true - vars: - mastodon_version: "v4.0.2" \ No newline at end of file + internal: true \ No newline at end of file diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index 362b851..666c544 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml @@ -1,7 +1,7 @@ --- - name: create matrix volume folders file: - name: "{{ matrix.volume_folder }}/{{ volume }}" + name: "{{ services.matrix.volume_folder }}/{{ volume }}" state: directory owner: "991" group: "991" @@ -14,12 +14,12 @@ - name: create matrix DB folder file: - name: "{{ matrix.volume_folder }}/db" + name: "{{ services.matrix.volume_folder }}/db" state: "directory" - name: create riot volume folders file: - name: "{{ riot.volume_folder }}/{{ volume }}" + name: "{{ services.riot.volume_folder }}/{{ volume }}" state: directory loop: - "data" 
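Review bot: The `@@ -120` hunk drops the file-local `vars: mastodon_version: "v4.0.2"`, and the `image:` lines changed in the `@@ -49`, `@@ -66` and `@@ -91` hunks now read `services.mastodon.version`, but nothing in this diff defines that key; confirm it exists in group/host vars and that the value is quoted (`version: "v4.0.2"`) so the YAML loader keeps it a string. Both sides of the hunk also end with `\ No newline at end of file`; terminating the file with a newline removes the marker and satisfies yamllint's `new-line-at-end-of-file` rule.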
@@ -29,38 +29,38 @@ - name: upload riot config.json template: src: files/configs/riot/config.json - dest: "{{ riot.volume_folder }}/data/config.json" + dest: "{{ services.riot.volume_folder }}/data/config.json" - name: upload riot.im.conf template: src: files/configs/riot/riot.im.conf - dest: "{{ riot.volume_folder }}/data/riot.im.conf" + dest: "{{ services.riot.volume_folder }}/data/riot.im.conf" - name: upload vhost config for root domain template: src: files/configs/matrix/vhost-root - dest: "{{ nginx.volume_folder }}/vhost/{{ base_domain }}" + dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}" - name: upload vhost config for matrix domain template: src: files/configs/matrix/vhost-matrix - dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}" + dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}" - name: upload vhost config for riot domain template: src: files/configs/matrix/vhost-riot - dest: "{{ nginx.volume_folder }}/vhost/{{ item }}" - loop: "{{ riot.domains }}" + dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}" + loop: "{{ services.riot.domains }}" - name: upload homeserver.yaml template: src: "files/configs/matrix/homeserver.yaml.j2" - dest: "{{ matrix.volume_folder }}/data/homeserver.yaml" + dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml" - name: upload matrix logging config template: src: "files/configs/matrix/matrix.data.coop.log.config" - dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config" + dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config" - name: set up matrix and riot docker_compose: 
@@ -76,32 +76,32 @@ networks: - matrix volumes: - - "{{ matrix.volume_folder }}/db:/var/lib/postgresql/data" + - "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data" environment: POSTGRES_USER: "synapse" POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}" matrix_app: container_name: matrix - image: matrixdotorg/synapse:v1.63.1 + image: matrixdotorg/synapse:{{ services.matrix.version }} restart: unless-stopped networks: - matrix - external_services volumes: - - "{{ matrix.volume_folder }}/data:/data" + - "{{ services.matrix.volume_folder }}/data:/data" environment: SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" SYNAPSE_CACHE_FACTOR: "2" SYNAPSE_LOG_LEVEL: "INFO" - VIRTUAL_HOST: "{{ matrix.domain }}" + VIRTUAL_HOST: "{{ services.matrix.domain }}" VIRTUAL_PORT: "8008" - LETSENCRYPT_HOST: "{{ matrix.domain }}" + LETSENCRYPT_HOST: "{{ services.matrix.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" riot: container_name: riot_app - image: avhost/docker-matrix-riot:v1.11.8 + image: avhost/docker-matrix-riot:{{ services.riot.version }} restart: unless-stopped networks: - matrix @@ -109,11 +109,11 @@ expose: - 8080 volumes: - - "{{ riot.volume_folder }}/data:/data" + - "{{ services.riot.volume_folder }}/data:/data" environment: - VIRTUAL_HOST: "{{ riot.domains|join(',') }}" + VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}" VIRTUAL_PORT: "8080" - LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" networks: diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index 671b026..ca63851 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml 
@@ -25,14 +25,14 @@ POSTGRES_PORT: 5432 EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend" EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" - VIRTUAL_HOST: "{{ membersystem.domain }}" + VIRTUAL_HOST: "{{ services.membersystem.domain }}" VIRTUAL_PORT: "8000" - LETSENCRYPT_HOST: "{{ membersystem.domain }}" + LETSENCRYPT_HOST: "{{ services.membersystem.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - ALLOWED_HOSTS: "{{ membersystem.domain }}" - CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}" - DJANGO_ADMINS: "{{ membersystem.django_admins }}" - DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}" + ALLOWED_HOSTS: "{{ services.membersystem.domain }}" + CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}" + DJANGO_ADMINS: "{{ services.membersystem.django_admins }}" + DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}" labels: com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index c1eb396..e1a7bbe 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -3,7 +3,7 @@ - name: setup netdata docker container for system monitoring docker_container: name: netdata - image: netdata/netdata + image: netdata/netdata:{{ services.netdata.version }} restart_policy: unless-stopped hostname: "hevonen.servers.{{ base_domain }}" capabilities: @@ -17,8 +17,8 @@ networks: - name: external_services env: - VIRTUAL_HOST : "{{ netdata.domain }}" - LETSENCRYPT_HOST: "{{ netdata.domain }}" + VIRTUAL_HOST : "{{ services.netdata.domain }}" + LETSENCRYPT_HOST: "{{ services.netdata.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" PGID: "999" labels: diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml index 05ae410..d36f8de 100644 --- a/roles/docker/tasks/services/nextcloud.yml +++ b/roles/docker/tasks/services/nextcloud.yml 
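Review bot: The rewritten `VIRTUAL_HOST : "{{ services.netdata.domain }}"` keeps a space before the colon; YAML still yields the key `VIRTUAL_HOST`, but yamllint's `colons` rule flags it and it reads as a different key than `LETSENCRYPT_HOST:` on the next line — `VIRTUAL_HOST: "{{ services.netdata.domain }}"`. The same spacing is carried into the new website task files (cryptoaarhus.dk.yml, cryptohagen.dk.yml, data.coop.yml and new.data.coop.yml). The `@@ -3` hunk above is a welcome change: `netdata/netdata` was previously pulled without a tag, i.e. a floating image, and is now pinned through `services.netdata.version`.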
@@ -2,7 +2,7 @@ - name: upload vhost config for cloud.data.coop template: src: files/configs/nextcloud/vhost - dest: "{{ nginx.volume_folder }}/vhost/{{ nextcloud.domain }}" + dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}" notify: "restart nginx" - name: setup nextcloud containers @@ -17,7 +17,7 @@ networks: - "nextcloud" volumes: - - "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data" + - "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data" environment: POSTGRES_DB: "nextcloud" POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}" @@ -33,29 +33,29 @@ - "nextcloud" cron: - image: "nextcloud:25-apache" + image: "nextcloud:{{ services.nextcloud.version }}" restart: "unless-stopped" entrypoint: "/cron.sh" networks: - "nextcloud" volumes: - - "{{ nextcloud.volume_folder }}/app:/var/www/html" + - "{{ services.nextcloud.volume_folder }}/app:/var/www/html" depends_on: - "postgres" - "redis" app: - image: "nextcloud:25-apache" + image: "nextcloud:{{ services.nextcloud.version }}" restart: "unless-stopped" networks: - "nextcloud" - "postfix" - "external_services" volumes: - - "{{ nextcloud.volume_folder }}/app:/var/www/html" + - "{{ services.nextcloud.volume_folder }}/app:/var/www/html" environment: - VIRTUAL_HOST: "{{ nextcloud.domain }}" - LETSENCRYPT_HOST: "{{ nextcloud.domain }}" + VIRTUAL_HOST: "{{ services.nextcloud.domain }}" + LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" POSTGRES_HOST: "postgres" POSTGRES_DB: "nextcloud" diff --git a/roles/docker/tasks/services/nginx-proxy.yml b/roles/docker/tasks/services/nginx-proxy.yml deleted file mode 100644 index 6dfbf75..0000000 --- a/roles/docker/tasks/services/nginx-proxy.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- - -- name: create nginx-proxy volume folders - file: - name: "{{ nginx.volume_folder }}/{{ volume }}" - state: directory - loop: - - conf - - vhost - - html - - dhparam - - certs - loop_control: - loop_var: volume - -- name: nginx proxy container - docker_container: - name: nginx-proxy - image: nginxproxy/nginx-proxy:1.0-alpine - restart_policy: always - networks: - - name: external_services - published_ports: - - "80:80" - - "443:443" - volumes: - - "{{ nginx.volume_folder }}/conf:/etc/nginx/conf.d" - - "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d" - - "{{ nginx.volume_folder }}/html:/usr/share/nginx/html" - - "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam" - - "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro" - - /var/run/docker.sock:/tmp/docker.sock:ro - -- name: nginx letsencrypt container - docker_container: - name: nginx-proxy-le - image: nginxproxy/acme-companion:2.2 - restart_policy: always - volumes: - - "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d" - - "{{ nginx.volume_folder }}/html:/usr/share/nginx/html" - - "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam:ro" - - "{{ nginx.volume_folder }}/certs:/etc/nginx/certs" - - /var/run/docker.sock:/var/run/docker.sock:ro - env: - NGINX_PROXY_CONTAINER: nginx-proxy - when: letsencrypt_enabled - diff --git a/roles/docker/tasks/services/nginx_proxy.yml b/roles/docker/tasks/services/nginx_proxy.yml new file mode 100644 index 0000000..8081ab6 --- /dev/null +++ b/roles/docker/tasks/services/nginx_proxy.yml 
@@ -0,0 +1,48 @@ +--- + +- name: create nginx-proxy volume folders + file: + name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}" + state: directory + loop: + - conf + - vhost + - html + - dhparam + - certs + loop_control: + loop_var: volume + +- name: nginx proxy container + docker_container: + name: nginx-proxy + image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }} + restart_policy: always + networks: + - name: external_services + published_ports: + - "80:80" + - "443:443" + volumes: + - "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d" + - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" + - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" + - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam" + - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro" + - /var/run/docker.sock:/tmp/docker.sock:ro + +- name: nginx letsencrypt container + docker_container: + name: nginx-proxy-le + image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }} + restart_policy: always + volumes: + - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" + - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" + - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro" + - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs" + - /var/run/docker.sock:/var/run/docker.sock:ro + env: + NGINX_PROXY_CONTAINER: nginx-proxy + when: letsencrypt_enabled + diff --git a/roles/docker/tasks/services/openldap.yml b/roles/docker/tasks/services/openldap.yml index b08fade..a768235 100644 --- a/roles/docker/tasks/services/openldap.yml +++ b/roles/docker/tasks/services/openldap.yml @@ -1,7 +1,7 @@ --- - name: create ldap volume folders file: - name: "{{ ldap.volume_folder }}/{{ volume }}" + name: "{{ services.openldap.volume_folder }}/{{ volume }}" state: directory loop: - "var/lib/ldap" 
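Review bot: The new file mounts the Docker socket into both containers (`/var/run/docker.sock:/tmp/docker.sock:ro` and `/var/run/docker.sock:/var/run/docker.sock:ro`) without a comment saying why, and a reader should not have to know that nginx-proxy and acme-companion discover backends by watching the Docker API, nor that `:ro` only restricts the mount of the socket file and still allows full API calls through it. Suggested comment above the first mount: `# nginx-proxy/acme-companion discover backends via the Docker API; :ro limits the mount, not the API reachable through the socket`. Because git shows this as delete-plus-add rather than a rename, whatever includes `nginx-proxy.yml` by name (not visible in this diff) has to be updated to `nginx_proxy.yml`.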
@@ -17,19 +17,19 @@ - name: openLDAP container docker_container: name: openldap - image: osixia/openldap:1.5.0 + image: osixia/openldap:{{ services.openldap.version }} tty: true interactive: true restart_policy: unless-stopped volumes: - - "{{ ldap.volume_folder }}/var/lib/ldap:/var/lib/ldap" - - "{{ ldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d" - - "{{ ldap.volume_folder }}/certs:/container/service/slapd/assets/certs/" + - "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap" + - "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d" + - "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/" published_ports: - "389:389" - "636:636" - hostname: "{{ ldap.domain }}" - domainname: "{{ ldap.domain }}" # important: same as hostname + hostname: "{{ services.openldap.domain }}" + domainname: "{{ services.openldap.domain }}" # important: same as hostname networks: - name: ldap env: @@ -58,7 +58,7 @@ - name: phpLDAPadmin container docker_container: name: phpldapadmin - image: osixia/phpldapadmin:0.9.0 + image: osixia/phpldapadmin:{{ services.phpldapadmin.version }} restart_policy: unless-stopped networks: - name: external_services @@ -68,6 +68,6 @@ PHPLDAPADMIN_HTTPS: "false" PHPLDAPADMIN_TRUST_PROXY_SSL: "true" - VIRTUAL_HOST: "{{ ldap.domain }}" - LETSENCRYPT_HOST: "{{ ldap.domain }}" + VIRTUAL_HOST: "{{ services.openldap.domain }}" + LETSENCRYPT_HOST: "{{ services.openldap.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 3214ae2..300c099 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml 
@@ -13,13 +13,13 @@ networks: - "passit" volumes: - - "{{ passit.volume_folder }}/data:/var/lib/postgresql/data" + - "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data" environment: POSTGRES_USER: "passit" POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" passit_app: - image: "passit/passit:stable" + image: "passit/passit:{{ services.passit.version }}" command: "bin/start.sh" restart: "always" networks: @@ -31,11 +31,11 @@ SECRET_KEY: "{{ passit_secret_key }}" IS_DEBUG: 'False' EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" - DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}" - EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}" - FIDO_SERVER_ID: "{{ passit.domain }}" - VIRTUAL_HOST: "{{ passit.domain }}" - LETSENCRYPT_HOST: "{{ passit.domain }}" + DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}" + EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}" + FIDO_SERVER_ID: "{{ services.passit.domain }}" + VIRTUAL_HOST: "{{ services.passit.domain }}" + LETSENCRYPT_HOST: "{{ services.passit.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" networks: diff --git a/roles/docker/tasks/services/portainer.yml b/roles/docker/tasks/services/portainer.yml index acadd75..005da7f 100644 --- a/roles/docker/tasks/services/portainer.yml +++ b/roles/docker/tasks/services/portainer.yml 
@@ -2,21 +2,21 @@ - name: create portainer volume folder file: - name: "{{ portainer.volume_folder }}" + name: "{{ services.portainer.volume_folder }}" state: directory - name: run portainer docker_container: name: portainer - image: portainer/portainer-ee:2.16.2 + image: portainer/portainer-ee:{{ services.portainer.version }} restart_policy: always networks: - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - - "{{ portainer.volume_folder }}:/data" + - "{{ services.portainer.volume_folder }}:/data" env: - VIRTUAL_HOST: "{{ portainer.domain }}" + VIRTUAL_HOST: "{{ services.portainer.domain }}" VIRTUAL_PORT: "9000" - LETSENCRYPT_HOST: "{{ portainer.domain }}" + LETSENCRYPT_HOST: "{{ services.portainer.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index 9fb9ce8..c565686 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml @@ -10,10 +10,11 @@ - name: setup postfix docker container for outgoing mail docker_container: name: postfix - image: boky/postfix:v3.5.0 + image: boky/postfix:{{ services.postfix.version }} restart_policy: always networks: - name: postfix env: - ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}" + # Get all services which have allowed_sender_domain defined + ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}" HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as diff --git a/roles/docker/tasks/services/privatebin.yml b/roles/docker/tasks/services/privatebin.yml index 3d0f7ad..bede175 100644 --- a/roles/docker/tasks/services/privatebin.yml +++ b/roles/docker/tasks/services/privatebin.yml 
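Review bot: The new `ALLOWED_SENDER_DOMAINS` expression selects every service where `allowed_sender_domain` is *defined*, so a service that sets `allowed_sender_domain: false` is still added to the list of domains postfix relays for; since this value is what keeps the relay closed, the test should also be on truthiness. It also maps to `value.domain`, while the website services in this diff expose `domains` (a list), so if one of those ever sets `allowed_sender_domain` the template fails with an undefined attribute (hedged: the vars files are outside this diff). The one-line filter chain is long enough that a folded scalar reads better; suggested rewrite:
```yaml
    env:
      # Relay only for services that explicitly opt in (allowed_sender_domain: true),
      # not for every service that merely defines the key.
      ALLOWED_SENDER_DOMAINS: >-
        {{ services
           | dict2items
           | selectattr('value.allowed_sender_domain', 'defined')
           | selectattr('value.allowed_sender_domain')
           | map(attribute='value.domain')
           | list
           | join(' ') }}
      # … unchanged: HOSTNAME …
```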
@@ -2,7 +2,7 @@ - name: create privatebin volume folders file: - name: "{{ privatebin.volume_folder }}/{{ volume }}" + name: "{{ services.privatebin.volume_folder }}/{{ volume }}" state: directory loop: - cfg @@ -13,19 +13,19 @@ - name: upload privatebin config template: src: files/configs/privatebin-conf.php - dest: "{{ privatebin.volume_folder }}/cfg/conf.php" + dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php" - name: privatebin app container docker_container: name: privatebin - image: jgeusebroek/privatebin:latest + image: jgeusebroek/privatebin:{{ services.privatebin.version }} restart_policy: unless-stopped volumes: - - "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg" - - "{{ privatebin.volume_folder }}/data:/privatebin/data" + - "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg" + - "{{ services.privatebin.volume_folder }}/data:/privatebin/data" networks: - name: external_services env: - VIRTUAL_HOST: "{{ privatebin.domain }}" - LETSENCRYPT_HOST: "{{ privatebin.domain }}" + VIRTUAL_HOST: "{{ services.privatebin.domain }}" + LETSENCRYPT_HOST: "{{ services.privatebin.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index 915e70f..b5e9d2f 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -1,12 +1,12 @@ - name: Create rallly volume folders file: - name: "{{ rallly.volume_folder }}/postgres" + name: "{{ services.rallly.volume_folder }}/postgres" state: directory - name: Copy Rallly environment file template: src: files/configs/rallly/env_file.j2 - dest: "{{ rallly.volume_folder }}/env_file" + dest: "{{ services.rallly.volume_folder }}/env_file" - name: Set up Rallly docker_compose: 
@@ -22,7 +22,7 @@ networks: rallly_internal: volumes: - - "{{ rallly.volume_folder }}/postgres:/var/lib/postgresql/data" + - "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data" environment: POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}" POSTGRES_DB: "rallly_db" @@ -35,7 +35,7 @@ com.centurylinklabs.watchtower.enable: "true" rallly: - image: "lukevella/rallly:a21f92bf74308d66cfcd545d49b81eba0211a222" + image: "lukevella/rallly:{{ services.rallly.version }}" restart: "always" networks: rallly_internal: @@ -45,11 +45,11 @@ rallly_db: condition: "service_healthy" env_file: - - "{{ rallly.volume_folder }}/env_file" + - "{{ services.rallly.volume_folder }}/env_file" environment: - VIRTUAL_HOST: "{{ rallly.domain }}" + VIRTUAL_HOST: "{{ services.rallly.domain }}" VIRTUAL_PORT: "3000" - LETSENCRYPT_HOST: "{{ rallly.domain }}" + LETSENCRYPT_HOST: "{{ services.rallly.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" labels: com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/restic-backup.yml b/roles/docker/tasks/services/restic_backup.yml similarity index 68% rename from roles/docker/tasks/services/restic-backup.yml rename to roles/docker/tasks/services/restic_backup.yml index c745292..9dddb49 100644 --- a/roles/docker/tasks/services/restic-backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -1,6 +1,5 @@ --- - name: Setup restic backup - when: not vagrant docker_compose: project_name: restic_backup pull: true 
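Review bot: `lukevella/rallly:{{ services.rallly.version }}` replaces an immutable commit-sha tag, but the service keeps `com.centurylinklabs.watchtower.enable: "true"`; Watchtower only re-pulls the same tag, so if `services.rallly.version` stays a sha tag the label is a no-op, and if it becomes a floating tag the pin no longer pins anything. Decide which behaviour is wanted and either drop the label or record the choice with a comment such as `# version is a floating tag; Watchtower redeploys when it moves`. membersystem carries the same label (its `image:` line is outside this diff), so the same question applies there. The enclosing `docker_compose` definition starts before this hunk.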
@@ -8,12 +7,12 @@ version: '3.6' services: restic-backup: - image: mazzolino/restic:1.6.0 + image: mazzolino/restic:{{ services.restic.version }} restart: always environment: RUN_ON_STARTUP: "true" BACKUP_CRON: "0 30 3 * * *" - RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}" + RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" RESTIC_BACKUP_SOURCES: "/mnt/volumes" RESTIC_BACKUP_ARGS: >- @@ -30,10 +29,10 @@ - /docker-volumes:/mnt/volumes:ro restic-prune: - image: "mazzolino/restic:1.6.0" + image: "mazzolino/restic:{{ services.restic.version }}" environment: RUN_ON_STARTUP: "true" PRUNE_CRON: "0 0 4 * * *" - RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}" + RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" TZ: Europe/copenhagen diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 586ce24..87d3f4d 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -8,7 +8,7 @@ - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" + - "{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json" env: WATCHTOWER_LABEL_ENABLE: "true" WATCHTOWER_POLL_INTERVAL: "60" \ No newline at end of file diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml deleted file mode 100644 index 8c1b793..0000000 
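Review bot: Dropping `when: not vagrant` means the restic-backup and restic-prune containers now also start inside the Vagrant box, where `RESTIC_REPOSITORY` (changed in the next hunk) still points at `https://{{ services.restic.domain }}/...` with `restic_secrets.user_password`; unless the Vagrant vars supply a throw-away repository and credentials, a dev box will push snapshots of its `/docker-volumes` into, and prune, the real repository. If the goal is to exercise the job locally, keep a guard on a dedicated variable (constructed example: `when: restic_backup_enabled | default(true)`) and point the Vagrant vars at a scratch repository. The task continues past the end of this hunk.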
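Review bot: The rewritten `RESTIC_REPOSITORY` still embeds `restic_secrets.user_password` in the URL, and the identical expression is repeated for `restic-prune` in the `@@ -30` hunk; a single variable (constructed example: `restic_repository_url`) or a YAML anchor on the first `environment:` mapping would keep the two in sync. A URL-embedded password is also visible in `docker inspect` and compose logs, whereas restic's `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD` variables keep it out of the URL (verify the pinned `services.restic.version` supports them). The context line `TZ: Europe/copenhagen` predates this change but is not a valid zone name on case-sensitive tzdata and may silently fall back to UTC, shifting `BACKUP_CRON`/`PRUNE_CRON`; `TZ: Europe/Copenhagen` is the canonical spelling.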
--- a/roles/docker/tasks/services/websites.yml
+++ /dev/null
@@ -1,100 +0,0 @@ ---- - -- name: setup data.coop website docker container - docker_container: - name: data.coop_website - image: docker.data.coop/data-coop-website - restart_policy: unless-stopped - networks: - - name: external_services - env: - VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - - -- name: setup new data.coop website using hugo - docker_container: - name: new.data.coop_website - image: docker.data.coop/data-coop-website:hugo - restart_policy: unless-stopped - networks: - - name: external_services - env: - VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - -- name: setup new-new data.coop website using unipi - docker_container: - name: new-new.data.coop_website - image: docker.data.coop/unipi:latest - restart_policy: unless-stopped - purge_networks: yes - networks: - - name: external_services - env: - VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - # The ssh-key is for read-only only - command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI" - capabilities: - - NET_ADMIN - devices: - - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - -- name: setup 2022.slides.data.coop website using unipi - docker_container: - name: 2022.slides.data.coop_website - image: docker.data.coop/unipi:latest - restart_policy: unless-stopped - purge_networks: yes - networks: - - name: external_services - env: - 
VIRTUAL_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - # Temporarily hosting on github - command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022" - capabilities: - - NET_ADMIN - devices: - - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - -- name: setup cryptohagen.dk website docker container - docker_container: - name: cryptohagen_website - restart_policy: unless-stopped - image: docker.data.coop/cryptohagen-website - networks: - - name: external_services - env: - VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}" - LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - -- name: setup cryptoaarhus.dk website docker container - docker_container: - name: cryptoaarhus_website - restart_policy: unless-stopped - image: docker.data.coop/cryptoaarhus-website - networks: - - name: external_services - env: - VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}" - LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml new file mode 100644 index 0000000..260af82 --- /dev/null +++ b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml 
@@ -0,0 +1,23 @@ +--- + +- name: setup 2022.slides.data.coop website using unipi + docker_container: + name: 2022.slides.data.coop_website + image: docker.data.coop/unipi:latest + restart_policy: unless-stopped + purge_networks: yes + networks: + - name: external_services + env: + VIRTUAL_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}" + LETSENCRYPT_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + # Temporarily hosting on github + command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022" + capabilities: + - NET_ADMIN + devices: + - "/dev/net/tun" + labels: + com.centurylinklabs.watchtower.enable: "true" + diff --git a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml new file mode 100644 index 0000000..28d6997 --- /dev/null +++ b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml @@ -0,0 +1,15 @@ +--- + +- name: setup cryptoaarhus.dk website docker container + docker_container: + name: cryptoaarhus_website + restart_policy: unless-stopped + image: docker.data.coop/cryptoaarhus-website + networks: + - name: external_services + env: + VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + labels: + com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites/cryptohagen.dk.yml b/roles/docker/tasks/services/websites/cryptohagen.dk.yml new file mode 100644 index 0000000..dcca218 --- /dev/null +++ b/roles/docker/tasks/services/websites/cryptohagen.dk.yml 
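Review bot: `image: docker.data.coop/unipi:latest` here (and in new-new.data.coop.yml) plus the untagged `docker.data.coop/data-coop-website`, `cryptoaarhus-website` and `cryptohagen-website` images in the sibling new files are the only services this commit leaves on floating tags while everything else moves to `services.<name>.version`; combined with `com.centurylinklabs.watchtower.enable: "true"`, whatever is pushed to the registry under that tag is deployed automatically. If that is intended for these sites, say so with a comment such as `# intentionally floating: Watchtower redeploys on every push to this tag`; otherwise add matching `version` keys. `purge_networks: yes` (here and in new-new.data.coop.yml) should be `purge_networks: true` to match the boolean style used elsewhere, and a one-line comment on why unipi needs `NET_ADMIN` and `/dev/net/tun` would let a reader judge that privilege without reading the image's docs.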
@@ -0,0 +1,15 @@ +--- + +- name: setup cryptohagen.dk website docker container + docker_container: + name: cryptohagen_website + restart_policy: unless-stopped + image: docker.data.coop/cryptohagen-website + networks: + - name: external_services + env: + VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + labels: + com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites/data.coop.yml b/roles/docker/tasks/services/websites/data.coop.yml new file mode 100644 index 0000000..2492757 --- /dev/null +++ b/roles/docker/tasks/services/websites/data.coop.yml @@ -0,0 +1,15 @@ +--- + +- name: setup data.coop website docker container + docker_container: + name: data.coop_website + image: docker.data.coop/data-coop-website + restart_policy: unless-stopped + networks: + - name: external_services + env: + VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}" + LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + labels: + com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites/new-new.data.coop.yml b/roles/docker/tasks/services/websites/new-new.data.coop.yml new file mode 100644 index 0000000..05ff1f3 --- /dev/null +++ b/roles/docker/tasks/services/websites/new-new.data.coop.yml 
@@ -0,0 +1,21 @@
+- name: setup new-new data.coop website using unipi
+ docker_container:
+ name: new-new.data.coop_website
+ image: docker.data.coop/unipi:latest
+ restart_policy: unless-stopped
+ purge_networks: yes
+ networks:
+ - name: external_services
+ env:
+ VIRTUAL_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
+ LETSENCRYPT_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ # The ssh-key is for read-only only
+ command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
+ capabilities:
+ - NET_ADMIN
+ devices:
+ - "/dev/net/tun"
+ labels:
+ com.centurylinklabs.watchtower.enable: "true"
+
diff --git a/roles/docker/tasks/services/websites/new.data.coop.yml b/roles/docker/tasks/services/websites/new.data.coop.yml
new file mode 100644
index 0000000..f70596a
--- /dev/null
+++ b/roles/docker/tasks/services/websites/new.data.coop.yml
@@ -0,0 +1,15 @@
+---
+
+- name: setup new data.coop website using hugo
+ docker_container:
+ name: new.data.coop_website
+ image: docker.data.coop/data-coop-website:hugo
+ restart_policy: unless-stopped
+ networks:
+ - name: external_services
+ env:
+ VIRTUAL_HOST : "new.{{ services.data_coop_website.domains|join(',') }}"
+ LETSENCRYPT_HOST: "new.{{ services.data_coop_website.domains|join(',') }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ labels:
+ com.centurylinklabs.watchtower.enable: "true"
diff --git a/roles/docker/tasks/services/ulovliglogning-dk.yml b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
similarity index 69%
rename from roles/docker/tasks/services/ulovliglogning-dk.yml
rename to roles/docker/tasks/services/websites/ulovliglogning.dk.yml
index 0258df6..7abec88 100644
--- a/roles/docker/tasks/services/ulovliglogning-dk.yml
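Review bot: `command:` embeds ed25519 key material as a literal in the playbook; if `--ssh-key` takes the private half of the deploy key (the `# The ssh-key is for read-only only` comment reads that way), it is a plaintext credential committed to version control that belongs in an Ansible Vault variable, e.g. `--ssh-key {{ new_website_deploy_key }}` with a constructed variable name, and the key should be rotated now that it has been in the repository. The `--ssh-authenticator SHA256:…` host-key pin is the right counterpart and should stay. This is also the only new task file without a leading `---` document marker, and `purge_networks: yes` should be `purge_networks: true` to satisfy the `truthy` rule.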
+++ b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
@@ -6,8 +6,8 @@
 networks:
 - name: external_services
 env:
- VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
- LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+ VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
+ LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
 LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
 labels:
 com.centurylinklabs.watchtower.enable: "true"
diff --git a/roles/docker/templates/mailu.env.j2 b/roles/docker/templates/mailu.env.j2
index c04392c..68c63fb 100644
--- a/roles/docker/templates/mailu.env.j2
+++ b/roles/docker/templates/mailu.env.j2
@@ -26,7 +26,7 @@ SECRET_KEY={{ mailu_secret_key }}
 # PUBLIC_IPV6= ::1 (default: ::1)
 # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
-SUBNET={{ mailu.subnet }}
+SUBNET={{ services.mailu.subnet }}
 # Main mail domain
 DOMAIN=data.coop
diff --git a/roles/ubuntu_base/tasks/users.yml b/roles/ubuntu_base/tasks/users.yml
index 010666e..deea339 100644
--- a/roles/ubuntu_base/tasks/users.yml
+++ b/roles/ubuntu_base/tasks/users.yml
@@ -9,14 +9,14 @@
 loop: "{{ users | default([]) }}"
 - name: "Add ssh authorized_keys"
- authorized_key:
+ ansible.posix.authorized_key:
 user: "{{ item.name }}"
 key: "{{ item.ssh_keys | join('\n') }}"
 exclusive: true
 loop: "{{ users | default([]) }}"
 - name: "Add ssh authorized_keys to root user"
- authorized_key:
+ ansible.posix.authorized_key:
 user: "root"
 key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"
 exclusive: true
diff --git a/vagrant_host b/vagrant_host
new file mode 100644
index 0000000..e247254
--- /dev/null
+++ b/vagrant_host
@@ -0,0 +1 @@
+localhost ansible_port=19022
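Review bot: Both tasks in the users.yml hunk now call `ansible.posix.authorized_key`, which makes the role depend on the `ansible.posix` collection rather than a module shipped with ansible-core; unless a `requirements.yml` (not visible in this diff) already lists it, a fresh controller fails when the play loads. Declaring it there (`- name: ansible.posix` under `collections:`) and noting the `ansible-galaxy collection install` step in the README closes that gap. The task bodies, including `exclusive: true` against `users | default([])`, are otherwise unchanged, and the enclosing task list starts outside the hunk.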
