WIP.

2022-11-26 00:11:16 +01:00 · 2022-11-26 00:11:16 +01:00 · d372a6ece6
parent 773df9487c
commit d372a6ece6
24 changed files with 218 additions and 52 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -0,0 +1,111 @@
 ---
 # .ansible-lint
 profile: null # min, basic, moderate,safety, shared, production
 # exclude_paths included in this file are parsed relative to this file's location
 # and not relative to the CWD of execution. CLI arguments passed to the --exclude
 # option are parsed relative to the CWD of execution.
 exclude_paths:
  - .cache/ # implicit unless exclude_paths is defined in config
  - .github/
  - test/fixtures/formatting-before/
  - test/fixtures/formatting-prettier/
 # parseable: true
 # quiet: true
 # strict: true
 # verbosity: 1
 # Mock modules or roles in order to pass ansible-playbook --syntax-check
 mock_modules:
  - zuul_return
  # note the foo.bar is invalid as being neither a module or a collection
  - fake_namespace.fake_collection.fake_module
  - fake_namespace.fake_collection.fake_module.fake_submodule
 mock_roles:
  - mocked_role
  - author.role_name # old standalone galaxy role
  - fake_namespace.fake_collection.fake_role # role within a collection
 # Enable checking of loop variable prefixes in roles
 loop_var_prefix: "{role}_"
 # Enforce variable names to follow pattern below, in addition to Ansible own
 # requirements, like avoiding python identifiers. To disable add `var-naming`
 # to skip_list.
 # var_naming_pattern: "^[a-z_][a-z0-9_]*$"
 use_default_rules: true
 # Load custom rules from this specific folder
 # rulesdir:
 #   - ./rule/directory/
 # Ansible-lint completely ignores rules or tags listed below
 skip_list:
  - skip_this_tag
 # Ansible-lint does not automatically load rules that have the 'opt-in' tag.
 # You must enable opt-in rules by listing each rule 'id' below.
 enable_list:
  - empty-string-compare # opt-in
  - no-log-password # opt-in
  - no-same-owner # opt-in
  # add yaml here if you want to avoid ignoring yaml checks when yamllint
  # library is missing. Normally its absence just skips using that rule.
  - yaml
 # Report only a subset of tags and fully ignore any others
 # tags:
 #   - jinja[spacing]
 # Ansible-lint does not fail on warnings from the rules or tags listed below
 warn_list:
  - skip_this_tag
  - experimental # experimental is included in the implicit list
  # - role-name
  # - yaml[document-start]  # you can also use sub-rule matches
 # Some rules can transform files to fix (or make it easier to fix) identified
 # errors. `ansible-lint --write` will reformat YAML files and run these transforms.
 # By default it will run all transforms (effectively `write_list: ["all"]`).
 # You can disable running transforms by setting `write_list: ["none"]`.
 # Or only enable a subset of rule transforms by listing rules/tags here.
 # write_list:
 #   - all
 # Offline mode disables installation of requirements.yml
 offline: false
 # Return success if number of violations compared with previous git
 # commit has not increased. This feature works only in git
 # repositories.
 progressive: false
 # Define required Ansible's variables to satisfy syntax check
 extra_vars:
  foo: bar
  multiline_string_variable: |
    line1
    line2
  complex_variable: ":{;\t$()"
 # Uncomment to enforce action validation with tasks, usually is not
 # needed as Ansible syntax check also covers it.
 # skip_action_validation: false
 # List of additional kind:pattern to be added at the top of the default
 # match list, first match determines the file kind.
 kinds:
  # - playbook: "**/examples/*.{yml,yaml}"
  # - galaxy: "**/folder/galaxy.yml"
  # - tasks: "**/tasks/*.yml"
  # - vars: "**/vars/*.yml"
  # - meta: "**/meta/main.yml"
  - yaml: "**/*.yaml-too"
 # List of additional collections to allow in only-builtins rule.
 # only_builtins_allow_collections:
 #   - example_ns.example_collection
 # List of additions modules to allow in only-builtins rule.
 # only_builtins_allow_modules:
 #   - example_module
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,5 @@ playbook.retry
 *.sw*
 .vagrant/
 *.log
 .idea/
 venv/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,14 @@
 repos:
 #- repo: https://github.com/semaphor-dk/dansabel
 #  rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
 #  hooks:
 #  - id: dansabel
 - repo: https://github.com/ansible/ansible-lint
  rev: v6.9.0
  hooks:
  - id: ansible-lint
    files: \.(yaml|yml)$
    additional_dependencies:
      - ansible
--- a/12
+++ b/12
@ -0,0 +1,12 @@
 init: create_venv install_pre_commit install_ansible_galaxy_modules
 create_venv:
 	python3 -m venv venv
 	venv/bin/pip install -U pip
 	venv/bin/pip install ansible pre-commit
 install_pre_commit:
 	venv/bin/pre-commit install
 install_ansible_galaxy_modules:
 	venv/bin/ansible-galaxy collection install community.general
--- a/deploy.sh
+++ b/deploy.sh
@ -18,7 +18,7 @@ else
                $BASE_CMD --tags setup_services
            else
                echo "Deploying services: $2"
-                $BASE_CMD --tags setup_services --extra-vars "services=$2"
+                $BASE_CMD --tags setup_services --extra-vars "enabled_services=$2"
            fi
 	    ;;
        "base")
--- a/playbook.yml
+++ b/playbook.yml
@ -13,6 +13,31 @@
    smtp_host: "postfix"
    smtp_port: "587"
    enabled_services:
      - nginx_proxy
      - postfix
      - openldap
      - keycloak
      - restic_backup
      - nextcloud
      - passit
      - gitea
      - matrix_riot
      - privatebin
      - codimd
      - hedgedoc
      - netdata
      - docker_registry
      - drone
      - websites
      - ulovliglogning-dk
      - watchtower
      - mailu
      - portainer
      - mastodon
      - rallly
      - membersystem
  tasks:
    - import_role:
        name: ubuntu_base
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -4,6 +4,9 @@ volume_root_folder: "/docker-volumes"
 services:
  ### Internal services ###
  postfix:
    file: postfix.yml
    version: "v3.5.0"
  nginx_proxy:
    file: nginx_proxy.yml
@ -39,16 +42,13 @@ services:
    volume_folder: "{{ volume_root_folder }}/keycloak"
    version: "20.0"
  postfix:
    file: postfix.yml
    version: "v3.5.0"
  restic:
    file: restic_backup.yml
    user: "datacoop"
    domain: "restic.cannedtuna.org"
    repository: "datacoop-hevonen"
    version: "1.6.0"
    disabled_in_vagrant: true
  docker_registry:
    file: docker_registry.yml
@ -71,12 +71,14 @@ services:
    domain: "git.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/gitea"
    version: 1.17.3
    allowed_sender_domain: true
  passit:
    file: passit.yml
    domain: "passit.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/passit"
    version: stable
    allowed_sender_domain: true
  matrix:
    file: matrix_riot.yml
@ -105,7 +107,7 @@ services:
    file: hedgedoc.yml
    domain: "pad.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/hedgedoc"
-    version: 1.9.0
+    version: 1.9.6
  data_coop_website:
    file: websites/data.coop.yml
@ -151,14 +153,17 @@ services:
    domain: "social.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/mastodon"
    version: v4.0.2
    allowed_sender_domain: true
  rallly:
    file: rallly.yml
    domain: "when.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/rallly"
    version: a21f92bf74308d66cfcd545d49b81eba0211a222
    allowed_sender_domain: true
  membersystem:
    file: membersystem.yml
    domain: "member.{{ base_domain }}"
    django_admins: "Vidir:valberg@orn.li"
    allowed_sender_domain: true
--- a/roles/docker/files/configs/mastodon/env_file.j2
+++ b/roles/docker/files/configs/mastodon/env_file.j2
@ -14,7 +14,7 @@
 # ----------
 # This identifies your server and cannot be changed safely later
 # ----------
-LOCAL_DOMAIN={{ mastodon.domain }}
+LOCAL_DOMAIN={{ services.mastodon.domain }}
 # Redis
 # -----
@ -52,7 +52,7 @@ SMTP_SERVER={{ smtp_host }}
 SMTP_PORT={{ smtp_port }}
 SMTP_LOGIN=
 SMTP_PASSWORD=
-SMTP_FROM_ADDRESS=notifications@{{ mastodon.domain }}
+SMTP_FROM_ADDRESS=notifications@{{ services.mastodon.domain }}
 # File storage (optional)
 # -----------------------
--- a/roles/docker/files/configs/matrix/homeserver.yaml.j2
+++ b/roles/docker/files/configs/matrix/homeserver.yaml.j2
@ -44,7 +44,7 @@ pid_file: /data/homeserver.pid
 # use synapse with a reverse proxy, this should be the URL to reach
 # synapse via the proxy.
 #
-public_baseurl: "https://{{ matrix.domain }}"
+public_baseurl: "https://{{ services.matrix.domain }}"
 # Set the soft limit on the number of file descriptors synapse can use
 # Zero is used to indicate synapse should set the soft limit to the
--- a/roles/docker/files/configs/rallly/env_file
+++ b/roles/docker/files/configs/rallly/env_file
@ -1,7 +1,7 @@
-NEXT_PUBLIC_BASE_URL="https://{{ rallly.domain }}"
+NEXT_PUBLIC_BASE_URL="https://{{ services.rallly.domain }}"
 DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@rallly_db:5432/rallly_db"
 SECRET_PASSWORD="{{ rallly_secrets.secret_password }}"
-SUPPORT_EMAIL="noreply@{{ rallly.domain }}"
+SUPPORT_EMAIL="noreply@{{ services.rallly.domain }}"
 SMTP_HOST="{{ smtp_host }}"
 SMTP_PORT="{{ smtp_port }}"
 SMTP_SECURE="false"
--- a/roles/docker/files/configs/riot/config.json
+++ b/roles/docker/files/configs/riot/config.json
@ -1,7 +1,7 @@
 {
    "default_server_config": {
        "m.homeserver": {
-           "base_url": "https://{{ matrix.domain }}"
+           "base_url": "https://{{ services.matrix.domain }}"
        },
        "m.identity_server": {
           "base_url": "https://vector.im"
@ -37,7 +37,7 @@
        ]
    },
    "enable_presence_by_hs_url": {
-        "https://{{ matrix.domain }}": false
+        "https://{{ services.matrix.domain }}": false
    },
    "terms_and_conditions_links": [
        {
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@ -3,7 +3,12 @@
  docker_network:
    name: external_services
 #- name: setup services
 #  include_tasks: "services/{{ item.value.file }}"
 #  loop: "{{ services | dict2items }}"
 #  when: item.key in enabled_services and item.value.file is defined and item.value.disabled_in_vagrant is not defined
 - name: setup services
-  include_tasks: "services/{{ item.value.file }}"
+  include_tasks: "services/{{ services[item].file }}"
-  loop: "{{ services | dict2items }}"
+  loop: "{{ enabled_services }}"
-  when: item.value.file is defined
+  when: item in services and services[item].file is defined and services[item].disabled_in_vagrant is not defined
--- a/roles/docker/tasks/services/docker_registry.yml
+++ b/roles/docker/tasks/services/docker_registry.yml
@ -30,7 +30,6 @@
 - name: log in to registry
  docker_login:
-    registry: "{{ services.docker_registry.domain }}"
+    registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain  }}"
    username: "docker"
    password: "{{ docker_password }}"
    config_path: "{{ services.docker_registry.volume_folder }}/auth/config.json"
--- a/roles/docker/tasks/services/membersystem.yml
+++ b/roles/docker/tasks/services/membersystem.yml
@ -25,14 +25,14 @@
            POSTGRES_PORT: 5432
            EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
            EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
-            VIRTUAL_HOST: "{{ membersystem.domain }}"
+            VIRTUAL_HOST: "{{ services.membersystem.domain }}"
            VIRTUAL_PORT: "8000"
-            LETSENCRYPT_HOST: "{{ membersystem.domain }}"
+            LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-            ALLOWED_HOSTS: "{{ membersystem.domain }}"
+            ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
-            CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}"
+            CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
-            DJANGO_ADMINS: "{{ membersystem.django_admins }}"
+            DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
-            DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}"
+            DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
          labels:
            com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/nextcloud.yml
+++ b/roles/docker/tasks/services/nextcloud.yml
@ -39,7 +39,7 @@
          networks:
            - "nextcloud"
          volumes:
-            - "{{ nextcloud.volume_folder }}/app:/var/www/html"
+            - "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
          depends_on:
            - "postgres"
            - "redis"
@ -54,8 +54,8 @@
          volumes:
            - "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
          environment:
-            VIRTUAL_HOST: "{{ nextcloud.domain }}"
+            VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
-            LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
+            LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
            POSTGRES_HOST: "postgres"
            POSTGRES_DB: "nextcloud"
--- a/roles/docker/tasks/services/postfix.yml
+++ b/roles/docker/tasks/services/postfix.yml
@ -15,13 +15,6 @@
    networks:
      - name: postfix
    env:
-      ALLOWED_SENDER_DOMAINS: "{{ allowed_sender_domains|join(' ') }}"
+      # Get all services which have allowed_sender_domain defined
      ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}"
      HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as
  vars:
    allowed_sender_domains:
      - "services.{{ base_domain }}"
      - "{{ services.passit.domain }}"
      - "{{ services.gitea.domain }}"
      - "{{ services.mastodon.domain }}"
      - "{{ services.rallly.domain }}"
      - "{{ services.membersystem.domain }}"
--- a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml
+++ b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml
@ -9,8 +9,8 @@
    networks:
      - name: external_services
    env:
-      VIRTUAL_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}"
+      VIRTUAL_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    # Temporarily hosting on github
    command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022"
--- a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml
+++ b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml
@ -8,8 +8,8 @@
    networks:
      - name: external_services
    env:
-      VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
+      VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/cryptohagen.dk.yml
+++ b/roles/docker/tasks/services/websites/cryptohagen.dk.yml
@ -8,8 +8,8 @@
    networks:
      - name: external_services
    env:
-      VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
+      VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/data.coop.yml
+++ b/roles/docker/tasks/services/websites/data.coop.yml
@ -8,8 +8,8 @@
    networks:
      - name: external_services
    env:
-      VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
+      VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/new-new.data.coop.yml
+++ b/roles/docker/tasks/services/websites/new-new.data.coop.yml
@ -7,8 +7,8 @@
    networks:
      - name: external_services
    env:
-      VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
+      VIRTUAL_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    # The ssh-key is for read-only only
    command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
--- a/roles/docker/tasks/services/websites/new.data.coop.yml
+++ b/roles/docker/tasks/services/websites/new.data.coop.yml
@ -8,8 +8,8 @@
    networks:
      - name: external_services
    env:
-      VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
+      VIRTUAL_HOST : "new.{{ services.data_coop_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "new.{{ services.data_coop_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
+++ b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
@ -6,8 +6,8 @@
    networks:
      - name: external_services
    env:
-      VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+      VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/ubuntu_base/tasks/users.yml
+++ b/roles/ubuntu_base/tasks/users.yml
@ -9,14 +9,14 @@
  loop: "{{ users | default([]) }}"
 - name: "Add ssh authorized_keys"
-  authorized_key:
+  ansible.posix.authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.ssh_keys | join('\n') }}"
    exclusive: true
  loop: "{{ users | default([]) }}"
 - name: "Add ssh authorized_keys to root user"
-  authorized_key:
+  ansible.posix.authorized_key:
    user: "root"
    key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"
    exclusive: true