From a4a06d8a58bc63d635351875ebd7609178a44a4d Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 18:59:00 +0100 Subject: [PATCH 01/56] Upgrade Watchtower and disable filter by enable label --- roles/docker/tasks/services/watchtower.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 586ce24..c5c63eb 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,13 +2,12 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:1.4.0 + image: containrrr/watchtower:latest restart_policy: unless-stopped + env: + WATCHTOWER_POLL_INTERVAL: 60 networks: - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" - env: - WATCHTOWER_LABEL_ENABLE: "true" - WATCHTOWER_POLL_INTERVAL: "60" \ No newline at end of file From 5d26e1cdea7f9a24edcda4d1aaf1fd3f34626eab Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 20:57:15 +0100 Subject: [PATCH 02/56] Fix mount point for Watchtower The auth file created by the registry login task doesn't need to be stored in a non-default path. --- roles/docker/tasks/services/docker_registry.yml | 3 +-- roles/docker/tasks/services/watchtower.yml | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 975db50..a88a707 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml 
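Review bot: `WATCHTOWER_POLL_INTERVAL: 60` drops the quotes the removed line had, and the `env` option of `docker_container` expects string values — community.docker rejects a non-string entry with "Non-string value found for env option" instead of coercing it, so this task will fail as written; keep it as `WATCHTOWER_POLL_INTERVAL: "60"` (the unquoted form is carried forward unchanged in patches 04 and 05). Removing `WATCHTOWER_LABEL_ENABLE` also flips the model from opt-in to every container on the host being pulled and restarted whenever its tag moves, which combined with the `docker.sock` bind mount gives this one container a very wide blast radius; a comment at the `env:` key, `# no label filter: every container on this host is auto-updated`, would record that decision for the next reader. `containrrr/watchtower:latest` is itself a floating tag for the updater (re-pinned in patch 04).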
@@ -28,9 +28,8 @@ args: creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" -- name: log in to local registry +- name: log in to registry docker_login: registry: "{{ docker_registry.domain }}" username: "docker" password: "{{ docker_password }}" - config_path: "{{ docker_registry.volume_folder }}/auth/config.json" diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index c5c63eb..e6afd3d 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -9,5 +9,5 @@ networks: - name: external_services volumes: - - /var/run/docker.sock:/var/run/docker.sock - - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" + - "/var/run/docker.sock:/var/run/docker.sock" + - "/root/.docker/config.json:/config.json:ro" From 27b918b46b010d4eb6aee151695fc8b540a0c2b4 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 21:07:12 +0100 Subject: [PATCH 03/56] Remove labels --- roles/docker/tasks/services/membersystem.yml | 2 -- roles/docker/tasks/services/netdata.yml | 5 ----- roles/docker/tasks/services/rallly.yml | 4 ---- roles/docker/tasks/services/ulovliglogning-dk.yml | 2 -- roles/docker/tasks/services/websites.yml | 13 ------------- 5 files changed, 26 deletions(-) diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index b214abb..66a26b0 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -33,8 +33,6 @@ CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}" DJANGO_ADMINS: "{{ membersystem.django_admins }}" DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}" - labels: - com.centurylinklabs.watchtower.enable: "true" postgres: image: postgres:13-alpine diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index c1eb396..5edcb6c 100644 --- a/roles/docker/tasks/services/netdata.yml 
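Review bot: With `config_path` removed, `docker_login` writes the registry credential to the default config of whichever user the task runs as, while the Watchtower mount on the new side hard-codes `/root/.docker/config.json`; the two only line up if the play runs as root with no `DOCKER_CONFIG` override, which is not visible here. If that file is absent when the container is created, Docker creates an empty directory at the host path instead of failing, so Watchtower would get no credentials and a later root `docker login` would fail on the directory. A comment on the mount line, `# must match the default config path written by the registry login task`, ties the two files together; the `:ro` flag is the right call.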
+++ b/roles/docker/tasks/services/netdata.yml @@ -1,5 +1,4 @@ --- - - name: setup netdata docker container for system monitoring docker_container: name: netdata @@ -21,7 +20,3 @@ LETSENCRYPT_HOST: "{{ netdata.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" PGID: "999" - labels: - com.centurylinklabs.watchtower.enable: "true" - - diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index c5576f5..c083251 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -31,8 +31,6 @@ interval: 5s timeout: 5s retries: 5 - labels: - com.centurylinklabs.watchtower.enable: "true" rallly: image: "lukevella/rallly:latest" @@ -51,8 +49,6 @@ VIRTUAL_PORT: "3000" LETSENCRYPT_HOST: "{{ rallly.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" networks: rallly_internal: diff --git a/roles/docker/tasks/services/ulovliglogning-dk.yml b/roles/docker/tasks/services/ulovliglogning-dk.yml index 0258df6..9b57bbb 100644 --- a/roles/docker/tasks/services/ulovliglogning-dk.yml +++ b/roles/docker/tasks/services/ulovliglogning-dk.yml @@ -9,5 +9,3 @@ VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml index 8c1b793..8938e2d 100644 --- a/roles/docker/tasks/services/websites.yml +++ b/roles/docker/tasks/services/websites.yml @@ -11,9 +11,6 @@ VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - - name: setup new data.coop website using hugo docker_container: 
@@ -26,8 +23,6 @@ VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup new-new data.coop website using unipi docker_container: @@ -47,8 +42,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup 2022.slides.data.coop website using unipi docker_container: @@ -68,8 +61,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptohagen.dk website docker container docker_container: @@ -82,8 +73,6 @@ VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptoaarhus.dk website docker container docker_container: @@ -96,5 +85,3 @@ VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" From e5dcfea003226494b402bb6fc434f73c98858498 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 19 Nov 2022 18:19:43 +0100 Subject: [PATCH 04/56] Pin Watchtower version --- roles/docker/tasks/services/watchtower.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index e6afd3d..370219a 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,7 +2,7 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:latest + image: containrrr/watchtower:amd64-1.5.1 restart_policy: unless-stopped env: WATCHTOWER_POLL_INTERVAL: 60 
From c9ab9f0c66ec3c78a6b6865d565a3cb5bc6551c3 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 19 Nov 2022 18:20:10 +0100 Subject: [PATCH 05/56] Watchtower doesn't need external_services network --- roles/docker/tasks/services/watchtower.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 370219a..6a03679 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -6,8 +6,6 @@ restart_policy: unless-stopped env: WATCHTOWER_POLL_INTERVAL: 60 - networks: - - name: external_services volumes: - "/var/run/docker.sock:/var/run/docker.sock" - "/root/.docker/config.json:/config.json:ro" From d9de1efc9af680491cb66963c3294a1d611e54d2 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:02:30 +0100 Subject: [PATCH 06/56] Pin Gitea to 1.17 instead of 1.17.3 Gitea's "minor" version change seems to be the one that occasionally introduces breaking changes, so let's not update that automatically. Only keep the patch-releases automatically updated. --- roles/docker/tasks/services/gitea.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index aeffae1..1b1efdc 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml @@ -7,7 +7,7 @@ - name: gitea container docker_container: name: gitea - image: gitea/gitea:1.17.3 + image: gitea/gitea:1.17 restart_policy: unless-stopped networks: - name: gitea From 1f619096054d4be4001f3f4181acce83792225f1 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:16:36 +0100 Subject: [PATCH 07/56] Pin HedgeDoc to major version 1 From https://docs.hedgedoc.org/setup/getting-started/#upgrading-hedgedoc > HedgeDoc follows [Semantic Versioning](https://semver.org/). > This means that minor and patch releases should not introduce > user-facing backwards-incompatible changes. --- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index ea7b38d..96e82dc 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -34,7 +34,7 @@ - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:1.9.0 + image: quay.io/hedgedoc/hedgedoc:1 environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ hedgedoc.domain }}" @@ -63,4 +63,4 @@ networks: hedgedoc: external_services: - external: true \ No newline at end of file + external: true From 9261cb1952846052934e5c7daa4ddd8e3d5c9c31 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:34:43 +0100 Subject: [PATCH 08/56] Pin Keycoak to 20.0 (minor version) --- roles/docker/tasks/services/keycloak.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 26a5661..b1169ae 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -19,7 +19,7 @@ POSTGRES_DB: "keycloak" app: - image: "quay.io/keycloak/keycloak:20.0.1" + image: "quay.io/keycloak/keycloak:20.0" restart: "unless-stopped" networks: - "keycloak" From 687bff35e9c90eebb4dfff496d280dd514235ea4 Mon Sep 17 00:00:00 2001 
From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:00:48 +0100 Subject: [PATCH 09/56] Pin netdata to v1 --- roles/docker/tasks/services/netdata.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index 5edcb6c..3b2a466 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -2,7 +2,7 @@ - name: setup netdata docker container for system monitoring docker_container: name: netdata - image: netdata/netdata + image: netdata/netdata:v1 restart_policy: unless-stopped hostname: "hevonen.servers.{{ base_domain }}" capabilities: From 221ddd987fa68b065d6d7250bd2a1ded03da9580 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:05:01 +0100 Subject: [PATCH 10/56] Upgrade Postfix to 3.5.1 and use Alpine-based image --- roles/docker/tasks/services/postfix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index 9fb9ce8..8b7e77e 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml @@ -10,7 +10,7 @@ - name: setup postfix docker container for outgoing mail docker_container: name: postfix - image: boky/postfix:v3.5.0 + image: boky/postfix:v3.5.1-alpine restart_policy: always networks: - name: postfix From 74dfcfb5e8043344f80d8c10a5b04df47766a1fc Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 21:09:05 +0100 Subject: [PATCH 11/56] Keycloak: avoid very long lines :( --- roles/docker/tasks/services/keycloak.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index b1169ae..ac1f673 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml 
@@ -25,7 +25,16 @@ - "keycloak" - "postfix" - "external_services" - command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth" + command: + - "start" + - "--db=postgres" + - "--db-url=jdbc:postgresql://postgres:5432/keycloak" + - "--db-username=keycloak" + - "--db-password={{ postgres_passwords.keycloak }}" + - "--hostname={{ keycloak.domain }}" + - "--proxy=edge" + - "--https-port=8080" + - "--http-relative-path=/auth" environment: VIRTUAL_HOST: "{{ keycloak.domain }}" VIRTUAL_PORT: "8080" From 2c9c501562e954f0e033857f5cda7e73be29e9f0 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Tue, 6 Dec 2022 18:06:31 +0100 Subject: [PATCH 12/56] Remove label from Pinafore --- roles/docker/tasks/services/pinafore.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/docker/tasks/services/pinafore.yml b/roles/docker/tasks/services/pinafore.yml index a275f3a..eadb99b 100644 --- a/roles/docker/tasks/services/pinafore.yml +++ b/roles/docker/tasks/services/pinafore.yml @@ -10,5 +10,3 @@ VIRTUAL_PORT: "4002" LETSENCRYPT_HOST: "{{ services.pinafore.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" From 3fb8ecb72ffdb43377e67c6f95adf0f151e3dfb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= Date: Sat, 17 Dec 2022 21:27:01 +0100 Subject: [PATCH 13/56] Bump matrix client_max_body_size to 1GB --- roles/docker/files/configs/matrix/vhost-matrix | 2 +- roles/docker/files/configs/matrix/vhost-riot | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/files/configs/matrix/vhost-matrix b/roles/docker/files/configs/matrix/vhost-matrix index a597770..b65c59c 100644 --- a/roles/docker/files/configs/matrix/vhost-matrix +++ b/roles/docker/files/configs/matrix/vhost-matrix 
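Review bot: `--db-password={{ postgres_passwords.keycloak }}` is still passed as a command-line argument, so the database password is visible in `docker inspect`, `docker ps --no-trunc` and the process list inside the container; splitting the command into a list makes this easier to read but does not change it. Keycloak reads the same setting from the environment, so the item can be dropped and `KC_DB_PASSWORD: "{{ postgres_passwords.keycloak }}"` added under the `environment:` mapping that follows in this hunk — environment is still visible to `docker inspect`, but not to process listings. The enclosing `docker_compose` task starts outside the hunk; if it is not already `no_log: true`, the inline `definition` with the password will also appear in verbose Ansible output.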
@@ -1,2 +1,2 @@ listen 8008; -client_max_body_size 50M; # default is 1M +client_max_body_size 1G; # default is 1M diff --git a/roles/docker/files/configs/matrix/vhost-riot b/roles/docker/files/configs/matrix/vhost-riot index 66b77ed..dec55e8 100644 --- a/roles/docker/files/configs/matrix/vhost-riot +++ b/roles/docker/files/configs/matrix/vhost-riot @@ -1 +1 @@ -client_max_body_size 50M; # default is 1M +client_max_body_size 1G; # default is 1M From 7851fe3522cbb250a9e76dd9212046b4d1c0ec7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= Date: Sat, 17 Dec 2022 21:43:18 +0100 Subject: [PATCH 14/56] Bump max upload size --- roles/docker/files/configs/matrix/homeserver.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/files/configs/matrix/homeserver.yaml.j2 b/roles/docker/files/configs/matrix/homeserver.yaml.j2 index 4b8c3aa..73ba3f3 100644 --- a/roles/docker/files/configs/matrix/homeserver.yaml.j2 +++ b/roles/docker/files/configs/matrix/homeserver.yaml.j2 @@ -416,7 +416,7 @@ uploads_path: "/data/uploads" # The largest allowed upload size in bytes # -max_upload_size: "50M" +max_upload_size: "512M" # Maximum number of pixels that will be thumbnailed # From ad9a42f223e34818dd03b95b26bfbd67e97ab762 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Tue, 27 Dec 2022 21:50:12 +0100 Subject: [PATCH 15/56] Add Nextcloud to allowed sender domains --- roles/docker/defaults/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 4266323..9779f1e 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -67,6 +67,7 @@ services: domain: "cloud.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud" version: 25-apache + allowed_sender_domain: true gitea: file: gitea.yml 
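Review bot: `client_max_body_size 1G;` in vhost-matrix is now larger than Synapse's own limit, which the following commit sets to `max_upload_size: "512M"` in homeserver.yaml.j2; nginx buffers the request body to disk before proxying by default, so a client can push up to 1G per request through the proxy only to have Synapse reject it, spending disk and bandwidth for nothing. Aligning the two, `client_max_body_size 512M;`, keeps the proxy as the first limit and makes the effective maximum readable from one place. The same 1G value goes into vhost-riot in the next hunk; if that vhost only serves the web client and does not proxy `/_matrix` uploads (not visible here), it does not need a raised limit at all.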
@@ -87,11 +88,12 @@ services: domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.63.1 + allowed_sender_domain: true riot: domains: - - "riot.{{ base_domain }}" - - "element.{{ base_domain }}" + - "riot.{{ base_domain }}" + - "element.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/riot" version: v1.11.8 From d6ce46e2f2383dec13bd9bdee4a8f0cb153df72e Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:19:07 +0100 Subject: [PATCH 16/56] Collect even more version numbers in docker/defaults/main.yml --- roles/docker/defaults/main.yml | 11 +++++++++++ roles/docker/tasks/services/drone.yml | 4 ++-- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- roles/docker/tasks/services/keycloak.yml | 3 +-- roles/docker/tasks/services/mastodon.yml | 4 ++-- roles/docker/tasks/services/matrix_riot.yml | 6 +++--- roles/docker/tasks/services/membersystem.yml | 4 ++-- roles/docker/tasks/services/nextcloud.yml | 4 ++-- roles/docker/tasks/services/passit.yml | 2 +- roles/docker/tasks/services/rallly.yml | 2 +- 10 files changed, 27 insertions(+), 17 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 9779f1e..a7bc1d3 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -42,6 +42,7 @@ services: domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" version: "20.0" + postgres_version: 10 allowed_sender_domain: true restic: @@ -67,6 +68,8 @@ services: domain: "cloud.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud" version: 25-apache + postgres_version: 10 + redis_version: 7-alpine allowed_sender_domain: true gitea: @@ -81,6 +84,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable + postgres_version: 10 allowed_sender_domain: true matrix: 
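Review bot: `postgres_version: 10` is recorded for keycloak, nextcloud and passit in these hunks (and for matrix in the one that follows), which is useful, but PostgreSQL 10 reached end of life in November 2022, before this commit's date, so the pin now documents a major that no longer receives security fixes. A marker next to each such value, `postgres_version: 10  # EOL 2022-11: needs a major upgrade, not a tag bump`, keeps that visible where the versions are collected. In the same file, `version: latest` for membersystem (hunk @@ -186) is the one remaining floating tag, which Watchtower will follow without review now that label filtering is off. Quoting version values that could be read as numbers (`"10"`) would also avoid a future `10.5`-style pin being parsed as a float.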
@@ -88,6 +92,7 @@ services: domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.63.1 + postgres_version: 10 allowed_sender_domain: true riot: @@ -113,6 +118,7 @@ services: domain: "pad.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/hedgedoc" version: 1.9.6 + postgres_version: 10-alpine data_coop_website: file: websites/data.coop.yml @@ -168,6 +174,8 @@ services: domain: "social.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/mastodon" version: v4.0.2 + postgres_version: 14-alpine + redis_version: 6-alpine allowed_sender_domain: true rallly: @@ -175,6 +183,7 @@ services: domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" version: ac55701890cd866ee946deb25e2b2839fb14900e + postgres_version: 14-alpine allowed_sender_domain: true pinafore: @@ -186,6 +195,8 @@ services: file: membersystem.yml domain: "member.{{ base_domain }}" django_admins: "Vidir:valberg@orn.li" + version: latest + postgres_version: 13-alpine allowed_sender_domain: true watchtower: diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index 874ce03..5d83007 100644 --- a/roles/docker/tasks/services/drone.yml +++ b/roles/docker/tasks/services/drone.yml @@ -8,7 +8,7 @@ services: drone: container_name: "drone" - image: drone/drone:1 + image: "drone/drone:{{ services.drone.version }}" restart: unless-stopped networks: - external_services @@ -48,4 +48,4 @@ drone: external_services: external: - name: external_services \ No newline at end of file + name: external_services diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index 7508535..3b907a1 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml 
@@ -22,7 +22,7 @@ definition: services: database: - image: "postgres:10-alpine" + image: "postgres:{{ services.hedgedoc.postgres_version }}" environment: POSTGRES_USER: "codimd" POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}" @@ -34,7 +34,7 @@ - "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }} + image: "quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}" environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ services.hedgedoc.domain }}" diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 3f2da44..2603351 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -5,9 +5,8 @@ definition: version: "3.6" services: - postgres: - image: "postgres:10" + image: "postgres:{{ services.keycloak.postgres_version }}" restart: "unless-stopped" networks: - "keycloak" diff --git a/roles/docker/tasks/services/mastodon.yml b/roles/docker/tasks/services/mastodon.yml index eae1546..656f909 100644 --- a/roles/docker/tasks/services/mastodon.yml +++ b/roles/docker/tasks/services/mastodon.yml @@ -55,7 +55,7 @@ services: db: restart: always - image: postgres:14-alpine + image: "postgres:{{ services.mastodon.postgres_version }}" shm_size: 256mb networks: - internal_network @@ -70,7 +70,7 @@ redis: restart: always - image: redis:6-alpine + image: "redis:{{ services.mastodon.redis_version }}" networks: - internal_network healthcheck: diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index 34f302d..6b5e950 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml 
@@ -66,7 +66,7 @@ services: matrix_db: container_name: matrix_db - image: postgres:10 + image: "postgres:{{ services.matrix.postgres_version }}" restart: unless-stopped networks: - matrix @@ -78,7 +78,7 @@ matrix_app: container_name: matrix - image: matrixdotorg/synapse:{{ services.matrix.version }} + image: "matrixdotorg/synapse:{{ services.matrix.version }}" restart: unless-stopped networks: - matrix @@ -96,7 +96,7 @@ riot: container_name: riot_app - image: avhost/docker-matrix-riot:{{ services.riot.version }} + image: "avhost/docker-matrix-riot:{{ services.riot.version }}" restart: unless-stopped networks: - matrix diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index ca63851..a56bf59 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -8,7 +8,7 @@ version: "3" services: backend: - image: docker.data.coop/membersystem:latest + image: "docker.data.coop/membersystem:{{ services.membersystem.version }}" restart: always user: $UID:$GID tty: true @@ -37,7 +37,7 @@ com.centurylinklabs.watchtower.enable: "true" postgres: - image: postgres:13-alpine + image: "postgres:{{ services.membersystem.postgres_version }}" restart: always volumes: - "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data" diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml index d36f8de..1c938b9 100644 --- a/roles/docker/tasks/services/nextcloud.yml +++ b/roles/docker/tasks/services/nextcloud.yml @@ -12,7 +12,7 @@ definition: services: postgres: - image: "postgres:10" + image: "postgres:{{ services.nextcloud.postgres_version }}" restart: "unless-stopped" networks: - "nextcloud" 
@@ -24,7 +24,7 @@ POSTGRES_USER: "nextcloud" redis: - image: "redis:7-alpine" + image: "redis:{{ services.nextcloud.redis_version }}" restart: "unless-stopped" command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}" tmpfs: diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 300c099..e76b6ca 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml @@ -8,7 +8,7 @@ version: "3.6" services: passit_db: - image: "postgres:10" + image: "postgres:{{ services.passit.postgres_version }}" restart: "always" networks: - "passit" diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index b5e9d2f..22b1127 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -16,7 +16,7 @@ version: "3.8" services: rallly_db: - image: "postgres:14-alpine" + image: "postgres:{{ services.rallly.postgres_version }}" restart: "always" shm_size: "256mb" networks: From 231af48a40f46001ea7a1d63c83c5a99765cd9fb Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:23:23 +0100 Subject: [PATCH 17/56] Make quotations consistent --- roles/docker/defaults/main.yml | 48 +++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index a7bc1d3..e26c2aa 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -7,59 +7,59 @@ services: postfix: file: postfix.yml domain: "smtp.{{ base_domain }}" - version: "v3.5.1-alpine" + version: v3.5.1-alpine nginx_proxy: file: nginx_proxy.yml - version: "1.0-alpine" + version: 1.0-alpine volume_folder: "{{ volume_root_folder }}/nginx" nginx_acme_companion: - version: "2.2" + version: 2.2 openldap: file: openldap.yml domain: "ldap.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/openldap" - version: "1.5.0" + version: 1.5.0 phpldapadmin: - version: "0.9.0" + version: 0.9.0 netdata: file: netdata.yml domain: "netdata.{{ base_domain }}" - version: "v1" + version: v1 portainer: file: portainer.yml domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" - version: "2.16.2" + version: 2.16.2 keycloak: file: keycloak.yml domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" - version: "20.0" + version: 20.0 postgres_version: 10 allowed_sender_domain: true restic: file: restic_backup.yml - user: "datacoop" - domain: "restic.cannedtuna.org" - repository: "datacoop-hevonen" - version: "1.6.0" + user: datacoop + domain: restic.cannedtuna.org + repository: datacoop-hevonen + version: 1.6.0 disabled_in_vagrant: true docker_registry: file: docker_registry.yml domain: "docker.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/docker-registry" - username: "docker" + username: docker password: "{{ docker_password }}" - version: "2" + version: 2 ### External services ### @@ -123,8 +123,8 @@ services: data_coop_website: file: websites/data.coop.yml domains: - - "{{ base_domain }}" - - "www.{{ base_domain }}" + - "{{ base_domain }}" + - "www.{{ base_domain }}" new_data_coop_website: file: websites/new.data.coop.yml 
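Review bot: Unquoting `version: 20.0` and `version: 2.2` changes their YAML type from string to float; Jinja happens to render these particular values back unchanged, so the image tags still resolve, but a future `20.10` or `1.10` would silently become `20.1` or `1.1` in the tag. Version numbers, digit-only strings and anything with a leading zero are safer quoted, which is what the removed lines did; `version: "20.0"` and `version: "2.2"` is the form to keep, even as a consistency exception. `version: 2` for docker_registry becomes an int and renders as `2`, harmless but the same class of change; the plain hostnames and usernames in the rest of the hunk are fine unquoted.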
@@ -139,21 +139,21 @@ services: cryptohagen_website: file: websites/cryptohagen.dk.yml domains: - - "cryptohagen.dk" - - "www.cryptohagen.dk" + - cryptohagen.dk + - www.cryptohagen.dk ulovliglogning_website: file: websites/ulovliglogning.dk.yml domains: - - "ulovliglogning.dk" - - "www.ulovliglogning.dk" - - "ulovlig-logning.dk" + - ulovliglogning.dk + - www.ulovliglogning.dk + - ulovlig-logning.dk cryptoaarhus_website: file: websites/cryptoaarhus.dk.yml domains: - - "cryptoaarhus.dk" - - "www.cryptoaarhus.dk" + - cryptoaarhus.dk + - www.cryptoaarhus.dk drone: file: drone.yml @@ -194,7 +194,7 @@ services: membersystem: file: membersystem.yml domain: "member.{{ base_domain }}" - django_admins: "Vidir:valberg@orn.li" + django_admins: Vidir:valberg@orn.li version: latest postgres_version: 13-alpine allowed_sender_domain: true From a10b07fa2c33752db08f8ba84d8e99e3ed24904b Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:46:52 +0100 Subject: [PATCH 18/56] Make quotations consistent --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index e26c2aa..ba5f2fe 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -1,5 +1,5 @@ --- -volume_root_folder: "/docker-volumes" +volume_root_folder: /docker-volumes services: From a7776ab30afa3e6eebf0480092e8bf64495c0859 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?= Date: Wed, 28 Dec 2022 20:58:59 +0100 Subject: [PATCH 19/56] Add a new ssh key for valberg. --- group_vars/all/vars.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index b665dc0..8ba8341 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
@@ -13,6 +13,7 @@ users: - sudo ssh_keys: - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg + - ssh-rsa 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 - name: reynir comment: Reynir Björnsson From b6f30af8ba162029e9bc50b48e9e2899970616ba Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 29 Dec 2022 17:52:12 +0100 Subject: [PATCH 20/56] Edit SSH key for samsapti --- group_vars/all/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 8ba8341..f69bc09 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -30,4 +30,4 @@ users: groups: - sudo ssh_keys: - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf From f02440048cd1542c1a050a2f5d15c222e1540990 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 29 Dec 2022 17:55:59 +0100 Subject: [PATCH 21/56] Add a way to only deploy users --- deploy.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deploy.sh b/deploy.sh index d66caa2..5777829 100755 --- a/deploy.sh +++ b/deploy.sh @@ -37,6 +37,9 @@ else "base") $BASE_CMD --tags base_only ;; + "users") + $BASE_CMD --tags setup-users + ;; *) usage exit 1 From 5bcba6fa59eb7f08e3124d014d7bd49bc70f4160 Mon Sep 17 00:00:00 2001 
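Review bot: The only change in this hunk is the removal of the trailing `samsapti` comment from the ed25519 key — the public key string is identical on both sides — and that comment is the one human-readable owner marker that ends up in the target's `authorized_keys` (assuming the users role passes the key through unchanged). Without it, auditing which key belongs to whom on the host means comparing fingerprints against this file; if the edit was intentional, keeping a comment such as `samsapti@<device-placeholder>` costs nothing. The commit title suggests a key change, so it would help to say in the message that only the comment was dropped.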
From: Sam A Date: Thu, 29 Dec 2022 21:13:31 +0000 Subject: [PATCH 22/56] QoL changes for *Vim users (#144) Co-authored-by: Sam Al-Sapti Reviewed-on: https://git.data.coop/data.coop/ansible/pulls/144 --- group_vars/all/vars.yml | 1 + playbook.yml | 1 + roles/docker/defaults/main.yml | 1 + roles/docker/handlers/main.yml | 3 ++- roles/docker/tasks/main.yml | 1 + roles/docker/tasks/services.yml | 1 + roles/docker/tasks/services/codimd.yml | 1 + roles/docker/tasks/services/docker_registry.yml | 1 + roles/docker/tasks/services/drone.yml | 1 + roles/docker/tasks/services/gitea.yml | 1 + roles/docker/tasks/services/hedgedoc.yml | 1 + roles/docker/tasks/services/keycloak.yml | 2 ++ roles/docker/tasks/services/mailu.yml | 1 + roles/docker/tasks/services/mastodon.yml | 2 ++ roles/docker/tasks/services/matrix_riot.yml | 1 + roles/docker/tasks/services/membersystem.yml | 2 +- roles/docker/tasks/services/netdata.yml | 2 +- roles/docker/tasks/services/nextcloud.yml | 1 + roles/docker/tasks/services/nginx_proxy.yml | 2 +- roles/docker/tasks/services/openldap.yml | 1 + roles/docker/tasks/services/passit.yml | 2 +- roles/docker/tasks/services/pinafore.yml | 2 ++ roles/docker/tasks/services/portainer.yml | 2 +- roles/docker/tasks/services/postfix.yml | 2 +- roles/docker/tasks/services/privatebin.yml | 2 +- roles/docker/tasks/services/rallly.yml | 2 ++ roles/docker/tasks/services/restic_backup.yml | 1 + roles/docker/tasks/services/watchtower.yml | 1 + roles/docker/tasks/services/websites/2022.slides.data.coop.yml | 1 + roles/docker/tasks/services/websites/cryptoaarhus.dk.yml | 2 +- roles/docker/tasks/services/websites/cryptohagen.dk.yml | 2 +- roles/docker/tasks/services/websites/data.coop.yml | 1 + roles/docker/tasks/services/websites/new.data.coop.yml | 1 + roles/docker/tasks/services/websites/ulovliglogning.dk.yml | 2 ++ roles/ubuntu_base/tasks/base.yml | 1 + roles/ubuntu_base/tasks/dell-apt-repo.yml | 1 + roles/ubuntu_base/tasks/firewall.yml | 1 + roles/ubuntu_base/tasks/main.yml 
| 1 + roles/ubuntu_base/tasks/ssh-port.yml | 1 + roles/ubuntu_base/tasks/upgrade.yml | 1 + roles/ubuntu_base/tasks/users.yml | 1 + 41 files changed, 47 insertions(+), 10 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index f69bc09..b811cfb 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- users: - name: graffen diff --git a/playbook.yml b/playbook.yml index f2c5a1d..d2ce5af 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - hosts: all gather_facts: true diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 9779f1e..8fe76a2 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- volume_root_folder: "/docker-volumes" diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 8958588..e37a19f 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -1,7 +1,8 @@ +# vim: ft=yaml.ansible --- - name: "restart nginx" community.docker.docker_container: name: "nginx-proxy" restart: "yes" state: "started" - \ No newline at end of file + diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 148ff67..6b1b29b 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: add docker gpg key apt_key: diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml index c41f5e4..c05c6b6 100644 --- a/roles/docker/tasks/services.yml +++ b/roles/docker/tasks/services.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: setup external services network docker_network: diff --git a/roles/docker/tasks/services/codimd.yml b/roles/docker/tasks/services/codimd.yml index 6e13c21..55fb18a 100644 --- a/roles/docker/tasks/services/codimd.yml +++ b/roles/docker/tasks/services/codimd.yml 
@@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: codimd network docker_network: diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 660e684..79c03b7 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: copy docker registry nginx configuration copy: diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index 874ce03..157b2a0 100644 --- a/roles/docker/tasks/services/drone.yml +++ b/roles/docker/tasks/services/drone.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: set up drone with docker runner docker_compose: diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index 514cc9e..e0234b8 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: gitea network docker_network: diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index 7508535..7e0826c 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: create hedgedoc volume folders file: diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 3f2da44..2cb4784 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -1,3 +1,5 @@ +# vim: ft=yaml.ansible +--- - name: setup keycloak containers for sso.data.coop docker_compose: project_name: "keycloak" diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index 745f040..9cc449a 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: create mailu volume folders file: 
diff --git a/roles/docker/tasks/services/mastodon.yml b/roles/docker/tasks/services/mastodon.yml index eae1546..18d8133 100644 --- a/roles/docker/tasks/services/mastodon.yml +++ b/roles/docker/tasks/services/mastodon.yml @@ -1,3 +1,5 @@ +# vim: ft=yaml.ansible +--- - name: create mastodon volume folders file: name: "{{ services.mastodon.volume_folder }}/{{ volume }}" diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index 34f302d..7571adc 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: create matrix volume folders file: diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index ca63851..bf084fe 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: run membersystem containers docker_compose: project_name: "member.data.coop" diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index e1a7bbe..3b45b65 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: setup netdata docker container for system monitoring docker_container: name: netdata diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml index d36f8de..1e06a26 100644 --- a/roles/docker/tasks/services/nextcloud.yml +++ b/roles/docker/tasks/services/nextcloud.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: upload vhost config for cloud.data.coop template: diff --git a/roles/docker/tasks/services/nginx_proxy.yml b/roles/docker/tasks/services/nginx_proxy.yml index 8081ab6..2f92611 100644 --- a/roles/docker/tasks/services/nginx_proxy.yml +++ b/roles/docker/tasks/services/nginx_proxy.yml 
@@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: create nginx-proxy volume folders file: name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}" diff --git a/roles/docker/tasks/services/openldap.yml b/roles/docker/tasks/services/openldap.yml index a768235..4aace81 100644 --- a/roles/docker/tasks/services/openldap.yml +++ b/roles/docker/tasks/services/openldap.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: create ldap volume folders file: diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 300c099..c04f266 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml @@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: setup passit containers docker_compose: project_name: "passit" diff --git a/roles/docker/tasks/services/pinafore.yml b/roles/docker/tasks/services/pinafore.yml index a275f3a..1234329 100644 --- a/roles/docker/tasks/services/pinafore.yml +++ b/roles/docker/tasks/services/pinafore.yml @@ -1,3 +1,5 @@ +# vim: ft=yaml.ansible +--- - name: Set up Pinafore docker_container: name: pinafore diff --git a/roles/docker/tasks/services/portainer.yml b/roles/docker/tasks/services/portainer.yml index 005da7f..dae0e87 100644 --- a/roles/docker/tasks/services/portainer.yml +++ b/roles/docker/tasks/services/portainer.yml @@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: create portainer volume folder file: name: "{{ services.portainer.volume_folder }}" diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index 1fb67df..f44da25 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml @@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: setup network for postfix docker_network: name: postfix diff --git a/roles/docker/tasks/services/privatebin.yml b/roles/docker/tasks/services/privatebin.yml index bede175..fbbad29 100644 --- a/roles/docker/tasks/services/privatebin.yml 
+++ b/roles/docker/tasks/services/privatebin.yml @@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: create privatebin volume folders file: name: "{{ services.privatebin.volume_folder }}/{{ volume }}" diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index b5e9d2f..13ce7b9 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -1,3 +1,5 @@ +# vim: ft=yaml.ansible +--- - name: Create rallly volume folders file: name: "{{ services.rallly.volume_folder }}/postgres" diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml index 9dddb49..655ddb6 100644 --- a/roles/docker/tasks/services/restic_backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: Setup restic backup docker_compose: diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 7641b0b..1a65656 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: watchtower container docker_container: diff --git a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml index 36cf17d..09e0690 100644 --- a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml +++ b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: setup 2022.slides.data.coop website using unipi docker_container: diff --git a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml index 28d6997..d059c3c 100644 --- a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml +++ b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml 
@@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: setup cryptoaarhus.dk website docker container docker_container: name: cryptoaarhus_website diff --git a/roles/docker/tasks/services/websites/cryptohagen.dk.yml b/roles/docker/tasks/services/websites/cryptohagen.dk.yml index dcca218..b65794f 100644 --- a/roles/docker/tasks/services/websites/cryptohagen.dk.yml +++ b/roles/docker/tasks/services/websites/cryptohagen.dk.yml @@ -1,5 +1,5 @@ +# vim: ft=yaml.ansible --- - - name: setup cryptohagen.dk website docker container docker_container: name: cryptohagen_website diff --git a/roles/docker/tasks/services/websites/data.coop.yml b/roles/docker/tasks/services/websites/data.coop.yml index 58d8af0..475240f 100644 --- a/roles/docker/tasks/services/websites/data.coop.yml +++ b/roles/docker/tasks/services/websites/data.coop.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: Upload vhost config for root domain copy: diff --git a/roles/docker/tasks/services/websites/new.data.coop.yml b/roles/docker/tasks/services/websites/new.data.coop.yml index 90ba65c..aa89969 100644 --- a/roles/docker/tasks/services/websites/new.data.coop.yml +++ b/roles/docker/tasks/services/websites/new.data.coop.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: setup new data.coop website using hugo docker_container: diff --git a/roles/docker/tasks/services/websites/ulovliglogning.dk.yml b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml index 7abec88..4f4c8ca 100644 --- a/roles/docker/tasks/services/websites/ulovliglogning.dk.yml +++ b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml @@ -1,3 +1,5 @@ +# vim: ft=yaml.ansible +--- - name: setup ulovliglogning.dk website docker container docker_container: name: ulovliglogning_website diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index 3289b2c..f53f924 100644 --- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml 
@@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: Install necessary packages via apt apt: diff --git a/roles/ubuntu_base/tasks/dell-apt-repo.yml b/roles/ubuntu_base/tasks/dell-apt-repo.yml index b7d9d48..2472e91 100644 --- a/roles/ubuntu_base/tasks/dell-apt-repo.yml +++ b/roles/ubuntu_base/tasks/dell-apt-repo.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: Import dell apt signing key apt_key: diff --git a/roles/ubuntu_base/tasks/firewall.yml b/roles/ubuntu_base/tasks/firewall.yml index 17860a8..85c359a 100644 --- a/roles/ubuntu_base/tasks/firewall.yml +++ b/roles/ubuntu_base/tasks/firewall.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: Setup firewall with UFW community.general.ufw: diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index a34d5b0..e6a1f15 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - import_tasks: ssh-port.yml tags: [change-ssh-port] diff --git a/roles/ubuntu_base/tasks/ssh-port.yml b/roles/ubuntu_base/tasks/ssh-port.yml index 1935168..e02302b 100644 --- a/roles/ubuntu_base/tasks/ssh-port.yml +++ b/roles/ubuntu_base/tasks/ssh-port.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: Change SSH port on host lineinfile: diff --git a/roles/ubuntu_base/tasks/upgrade.yml b/roles/ubuntu_base/tasks/upgrade.yml index c4cd33b..0ccc7d6 100644 --- a/roles/ubuntu_base/tasks/upgrade.yml +++ b/roles/ubuntu_base/tasks/upgrade.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: update and upgrade system via apt apt: diff --git a/roles/ubuntu_base/tasks/users.yml b/roles/ubuntu_base/tasks/users.yml index deea339..8ef07b6 100644 --- a/roles/ubuntu_base/tasks/users.yml +++ b/roles/ubuntu_base/tasks/users.yml @@ -1,3 +1,4 @@ +# vim: ft=yaml.ansible --- - name: "Add users" user: From 5b2f460cad1d075851058f91b3b9685712f5c1aa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?= Date: Mon, 2 Jan 2023 22:19:39 +0100 Subject: [PATCH 23/56] Bump gitea til 1.18.0. --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 8fe76a2..bc88a26 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -74,7 +74,7 @@ services: file: gitea.yml domain: "git.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/gitea" - version: 1.17.4 + version: 1.18.0 allowed_sender_domain: true passit: From 99e2d0482931e497fe6720869027a09b400972ed Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 5 Jan 2023 16:10:44 +0100 Subject: [PATCH 24/56] Set up DKIM for Postfix --- roles/docker/defaults/main.yml | 1 + roles/docker/tasks/services/postfix.yml | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index bc88a26..f43f9a3 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -8,6 +8,7 @@ services: postfix: file: postfix.yml domain: "smtp.{{ base_domain }}" + volume_folder: "{{ volume_root_folder }}/postfix" version: "v3.5.1-alpine" nginx_proxy: diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index f44da25..ece525e 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml 
@@ -1,20 +1,28 @@ # vim: ft=yaml.ansible --- -- name: setup network for postfix +- name: Set up network for postfix docker_network: name: postfix ipam_config: - subnet: '172.16.0.0/16' gateway: 172.16.0.1 -- name: setup postfix docker container for outgoing mail +- name: Create volume folders for Postfix + file: + name: "{{ services.postfix.volume_folder }}/dkim" + state: directory + +- name: Set up Postfix Docker container for outgoing mail from services docker_container: name: postfix image: boky/postfix:{{ services.postfix.version }} restart_policy: always networks: - name: postfix + volumes: + - "{{ services.postfix.volume_folder }}/dkim:/etc/opendkim/keys" env: # Get all services which have allowed_sender_domain defined ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}" HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as + DKIM_AUTOGENERATE: "true" From 1bbf1edf571a430e2e524519b66650874843074f Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 6 Jan 2023 14:49:23 +0100 Subject: [PATCH 25/56] Upgrade Rallly --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index f43f9a3..99b57d3 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -176,7 +176,7 @@ services: file: rallly.yml domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" - version: ac55701890cd866ee946deb25e2b2839fb14900e + version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114 allowed_sender_domain: true pinafore: From 34f95f31e4227abda9026f100ffa35a53f2d8679 Mon Sep 17 00:00:00 2001 
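Review bot: The new `Create volume folders for Postfix` task creates `{{ services.postfix.volume_folder }}/dkim` with no `owner` or `mode`, yet that directory is bind-mounted at `/etc/opendkim/keys` and, with `DKIM_AUTOGENERATE: "true"`, presumably receives the generated private signing keys, so its permissions fall to the host umask and the keys may end up readable by every local user. Add `mode: "0700"` under `state: directory` (and an `owner` matching the UID OpenDKIM runs as in the image — confirm against boky/postfix) so the key material is at least as restricted as the vaulted secrets elsewhere in this repo. Signing only has effect once the selector's public key is published in DNS, which nothing in this role does; a comment on the `DKIM_AUTOGENERATE` line, e.g. `# keys are generated on first start into the dkim volume; the selector record must be published in DNS by hand`, would make that manual step visible.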
From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:14:31 +0100 Subject: [PATCH 26/56] Remove Pinafore --- roles/docker/defaults/main.yml | 5 ----- roles/docker/tasks/services/pinafore.yml | 16 ---------------- 2 files changed, 21 deletions(-) delete mode 100644 roles/docker/tasks/services/pinafore.yml diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 99b57d3..aabe07a 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -179,11 +179,6 @@ services: version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114 allowed_sender_domain: true - pinafore: - file: pinafore.yml - domain: "pinafore.{{ base_domain }}" - version: v2.5.0 - membersystem: file: membersystem.yml domain: "member.{{ base_domain }}" diff --git a/roles/docker/tasks/services/pinafore.yml b/roles/docker/tasks/services/pinafore.yml deleted file mode 100644 index 1234329..0000000 --- a/roles/docker/tasks/services/pinafore.yml +++ /dev/null @@ -1,16 +0,0 @@ -# vim: ft=yaml.ansible ---- -- name: Set up Pinafore - docker_container: - name: pinafore - image: "docker.data.coop/pinafore:{{ services.pinafore.version }}" - restart_policy: unless-stopped - networks: - - name: external_services - env: - VIRTUAL_HOST: "{{ services.pinafore.domain }}" - VIRTUAL_PORT: "4002" - LETSENCRYPT_HOST: "{{ services.pinafore.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" From 2f1c1887baf80b1f9dc7bfb23bb11b067318af10 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:21:34 +0100 Subject: [PATCH 27/56] Revert "Make quotations consistent" This reverts commit a10b07fa2c33752db08f8ba84d8e99e3ed24904b. --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 46edde4..ead56da 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -1,6 +1,6 @@ # vim: ft=yaml.ansible --- -volume_root_folder: /docker-volumes +volume_root_folder: "/docker-volumes" services: From 9733794292b0da58732648b237dd13c77591dad1 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:22:47 +0100 Subject: [PATCH 28/56] Revert "Make quotations consistent" This reverts commit 231af48a40f46001ea7a1d63c83c5a99765cd9fb. --- roles/docker/defaults/main.yml | 50 ++++++++++++++++------------------ 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index ead56da..ee348a0 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -9,59 +9,59 @@ services: file: postfix.yml domain: "smtp.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/postfix" - version: v3.5.1-alpine + version: "v3.5.1-alpine" nginx_proxy: file: nginx_proxy.yml - version: 1.0-alpine + version: "1.0-alpine" volume_folder: "{{ volume_root_folder }}/nginx" nginx_acme_companion: - version: 2.2 + version: "2.2" openldap: file: openldap.yml domain: "ldap.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/openldap" - version: 1.5.0 + version: "1.5.0" phpldapadmin: - version: 0.9.0 + version: "0.9.0" netdata: file: netdata.yml domain: "netdata.{{ base_domain }}" - version: v1 + version: "v1" portainer: file: portainer.yml domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" - version: 2.16.2 + version: "2.16.2" keycloak: file: keycloak.yml domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" - version: 20.0 + version: "20.0" postgres_version: 10 allowed_sender_domain: true restic: file: restic_backup.yml - user: datacoop - domain: restic.cannedtuna.org - repository: datacoop-hevonen - version: 1.6.0 + user: "datacoop" + domain: "restic.cannedtuna.org" + repository: "datacoop-hevonen" + version: "1.6.0" disabled_in_vagrant: true docker_registry: file: docker_registry.yml domain: "docker.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/docker-registry" - username: docker + username: "docker" password: "{{ docker_password }}" - version: 2 + version: "2" ### External services ### 
@@ -141,21 +141,21 @@ services: cryptohagen_website: file: websites/cryptohagen.dk.yml domains: - - cryptohagen.dk - - www.cryptohagen.dk + - "cryptohagen.dk" + - "www.cryptohagen.dk" ulovliglogning_website: file: websites/ulovliglogning.dk.yml domains: - - ulovliglogning.dk - - www.ulovliglogning.dk - - ulovlig-logning.dk + - "ulovliglogning.dk" + - "www.ulovliglogning.dk" + - "ulovlig-logning.dk" cryptoaarhus_website: file: websites/cryptoaarhus.dk.yml domains: - - cryptoaarhus.dk - - www.cryptoaarhus.dk + - "cryptoaarhus.dk" + - "www.cryptoaarhus.dk" drone: file: drone.yml @@ -184,12 +184,8 @@ services: file: rallly.yml domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" -<<<<<<< HEAD - version: ac55701890cd866ee946deb25e2b2839fb14900e - postgres_version: 14-alpine -======= version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114 ->>>>>>> main + postgres_version: 14-alpine allowed_sender_domain: true pinafore: @@ -200,7 +196,7 @@ services: membersystem: file: membersystem.yml domain: "member.{{ base_domain }}" - django_admins: Vidir:valberg@orn.li + django_admins: "Vidir:valberg@orn.li" version: latest postgres_version: 13-alpine allowed_sender_domain: true From f81fab3d117554d57d2220bba0fe0c91d2a58861 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:31:08 +0100 Subject: [PATCH 29/56] Quote numbers --- roles/docker/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index ee348a0..75e15e4 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -44,7 +44,7 @@ services: domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" version: "20.0" - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true restic: 
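Review bot: The `@@ -184,12 +184,8 @@` hunk is not a pure revert: it also removes leftover merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> main`) around the rallly `version` and re-adds `postgres_version: 14-alpine` from the HEAD side, none of which the message "Revert 'Make quotations consistent'" mentions. Markers like these in `roles/docker/defaults/main.yml` would most likely have stopped the role from loading at all, so the cleanup is needed, but it belongs in the commit message or in its own commit so that a later `git revert` of this change does not reintroduce them. The re-added `postgres_version: 14-alpine` is also left unquoted while this same commit restores quotes on every other `version:` value; `postgres_version: "14-alpine"` would match.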
@@ -70,7 +70,7 @@ services: domain: "cloud.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud" version: 25-apache - postgres_version: 10 + postgres_version: "10" redis_version: 7-alpine allowed_sender_domain: true @@ -86,7 +86,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true matrix: @@ -94,7 +94,7 @@ services: domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.63.1 - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true riot: From 388e0526ca80cb66386601e0d55e6c64529d13f2 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 21 Jan 2023 21:33:39 +0100 Subject: [PATCH 30/56] Set RUN_ON_STARTUP=false for Restic --- roles/docker/tasks/services/restic_backup.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml index 655ddb6..20ed075 100644 --- a/roles/docker/tasks/services/restic_backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -11,7 +11,7 @@ image: mazzolino/restic:{{ services.restic.version }} restart: always environment: - RUN_ON_STARTUP: "true" + RUN_ON_STARTUP: "false" BACKUP_CRON: "0 30 3 * * *" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" @@ -32,7 +32,7 @@ restic-prune: image: "mazzolino/restic:{{ services.restic.version }}" environment: - RUN_ON_STARTUP: "true" + RUN_ON_STARTUP: "false" PRUNE_CRON: "0 0 4 * * *" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" 
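Review bot: Flipping `RUN_ON_STARTUP` to `"false"` on both the `restic` and `restic-prune` services means a redeploy or container restart no longer triggers a catch-up run; the only trigger left is `BACKUP_CRON` / `PRUNE_CRON`, so a host that is down across that slot simply skips it. That may well be intended (avoiding a full backup on every `docker compose up`), but neither hunk nor the commit message records the reason, so a one-line comment above each env block — `# Runs are driven by the cron schedule only; restarts must not start extra backups` — would keep the next reader from flipping it back. The enclosing docker_compose definition starts outside both hunks.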
From a5d59b93361029c4f959275c3499eff702d58891 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 21 Jan 2023 21:37:37 +0100 Subject: [PATCH 31/56] Fix variable --- roles/docker/tasks/services/keycloak.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 880a0cd..7c23cfd 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -32,7 +32,7 @@ - "--db-url=jdbc:postgresql://postgres:5432/keycloak" - "--db-username=keycloak" - "--db-password={{ postgres_passwords.keycloak }}" - - "--hostname={{ keycloak.domain }}" + - "--hostname={{ services.keycloak.domain }}" - "--proxy=edge" - "--https-port=8080" - "--http-relative-path=/auth" From 16aec98808b45be04c2ede44bb2dcf3c7fbea227 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 21 Jan 2023 21:49:27 +0100 Subject: [PATCH 32/56] HedgeDoc image version :1 doesn't exist, but Alpine doesn't have vulnerabilities --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 555a080..626e9b3 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -119,7 +119,7 @@ services: file: hedgedoc.yml domain: "pad.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/hedgedoc" - version: 1 + version: 1.9.6-alpine postgres_version: 10-alpine data_coop_website: From 593dddd00ec6e43ef7f8af5e9c10ecfd33e253e4 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 22 Jan 2023 02:00:53 +0100 Subject: [PATCH 33/56] Upgrade Passit database and temporarily pin Passit due to WebAuthn bug --- roles/docker/defaults/main.yml | 2 +- roles/docker/tasks/services/passit.yml | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 626e9b3..79bf170 100644 
--- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -86,7 +86,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable - postgres_version: "10" + postgres_version: 15-alpine allowed_sender_domain: true matrix: diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 60cb7bf..375808f 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml @@ -1,5 +1,12 @@ # vim: ft=yaml.ansible --- +- name: Create directory for Passit data + file: + name: "{{ services.passit.volume_folder }}/data" + owner: '70' + group: root + state: directory + - name: setup passit containers docker_compose: project_name: "passit" @@ -19,7 +26,7 @@ POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" passit_app: - image: "passit/passit:{{ services.passit.version }}" + image: "passit/passit@sha256:c4b96bc67222936f58f344d5dd1020227ad8e11ad5f82ed3cbf0bcfa8fe9b2e7" #:{{ services.passit.version }}" command: "bin/start.sh" restart: "always" networks: From b3c2f36a9dc469480ef180d292e3de0841854acb Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 11 Feb 2023 20:31:16 +0100 Subject: [PATCH 34/56] Upgrade Watchtower --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 79bf170..31675e4 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -203,4 +203,4 @@ services: watchtower: file: watchtower.yml - version: amd64-1.5.1 + version: amd64-1.5.3 From b7307c3e8e281edc0f6c1e3eb49cc598e4042606 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 11 Feb 2023 20:34:07 +0100 Subject: [PATCH 35/56] Upgrade Rallly, it uses version numbers now --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
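Review bot: `owner: '70'` in the new `Create directory for Passit data` task is an unexplained numeric UID and the directory gets no `mode`; add a comment naming the user it stands for (presumably the postgres user inside the `postgres:15-alpine` image — confirm against the image) and an explicit `mode` so the database directory is not left to the host umask. In the `passit_app` hunk the digest pin replaces `services.passit.version` with a hard-coded `sha256`, which leaves that variable in `defaults/main.yml` dead and records the reason only in the commit title; keep it beside the pin as `# TODO: pinned by digest because of a WebAuthn bug; return to passit/passit:{{ services.passit.version }} once fixed` instead of the dangling `#:{{ services.passit.version }}"` fragment. The `postgres_version` change from `"10"` to `15-alpine` in the defaults hunk is a major-version jump that the postgres image does not perform in place on an existing data directory, so if the data was migrated out of band a note in the task saying so would help the next upgrade. The `passit_app` service's docker_compose definition starts and ends outside the hunk.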
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 31675e4..6bd20ac 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -184,7 +184,7 @@ services: file: rallly.yml domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" - version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114 + version: "2.1" postgres_version: 14-alpine allowed_sender_domain: true From 31b2bcd35e1f4b506fd2127da5a65acb24952fbc Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 11 Feb 2023 21:08:16 +0100 Subject: [PATCH 36/56] Rallly follows SemVer, so pinning to major version --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 6bd20ac..7c10e88 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -184,7 +184,7 @@ services: file: rallly.yml domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" - version: "2.1" + version: "2" postgres_version: 14-alpine allowed_sender_domain: true From 82aa6f67aa16b67e4080a5905bb6da1889b6145b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= Date: Sat, 18 Feb 2023 21:09:49 +0100 Subject: [PATCH 37/56] Add fedi.dk website --- roles/docker/defaults/main.yml | 5 +++++ .../tasks/services/websites/fedi.dk.yaml | 19 +++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 roles/docker/tasks/services/websites/fedi.dk.yaml diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 79bf170..e5a15f3 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -138,6 +138,11 @@ services: domain: "2022.slides.{{ base_domain }}" version: latest + fedi_dk_website: + file: websites/fedi.dk.yaml + domain: fedi.dk + version: latest + cryptohagen_website: file: websites/cryptohagen.dk.yml domains: 
diff --git a/roles/docker/tasks/services/websites/fedi.dk.yaml b/roles/docker/tasks/services/websites/fedi.dk.yaml
new file mode 100644
index 0000000..f4b97b2
--- /dev/null
+++ b/roles/docker/tasks/services/websites/fedi.dk.yaml
@@ -0,0 +1,19 @@
+# vim: ft=yaml.ansible
+---
+- name: setup fedi.dk website with unipi
+ docker_container:
+ name: fedi.dk_website
+ image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
+ restart_policy: unless-stopped
+ purge_networks: yes
+ networks:
+ - name: external_services
+ env:
+ VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
+ LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ command: "--remote=https://git.data.coop/fedi.dk/website.git#main"
+ capabilities:
+ - NET_ADMIN
+ devices:
+ - "/dev/net/tun"
From 9a4912f9b5f774bbd0c1c1e58f4bb9336e97e882 Mon Sep 17 00:00:00 2001
From: Sam A
Date: Sun, 5 Mar 2023 22:01:53 +0000
Subject: [PATCH 38/56] User Fedder's TrueNAS for Restic backups (#153)
Thanks Fedder!
Co-authored-by: Sam Al-Sapti
Reviewed-on: https://git.data.coop/data.coop/ansible/pulls/153
---
group_vars/all/secrets.yml | 300 ++++++++++--------
group_vars/all/secrets.yml.contents | 7 +-
roles/docker/defaults/main.yml | 7 +-
roles/docker/tasks/services/restic_backup.yml | 48 ++-
roles/docker/templates/restic.ssh.config.j2 | 3 +
5 files changed, 216 insertions(+), 149 deletions(-)
create mode 100644 roles/docker/templates/restic.ssh.config.j2
diff --git a/group_vars/all/secrets.yml b/group_vars/all/secrets.yml
index cbe0bab..67f4422 100644
--- a/group_vars/all/secrets.yml
+++ b/group_vars/all/secrets.yml
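Review bot: The new `fedi.dk_website` container is granted `capabilities: - NET_ADMIN` and the `/dev/net/tun` device, which is unusual for a web-site container and which nothing in the hunk justifies; either drop both or add a comment above `capabilities:` naming the feature of the unipi image that needs them, since `NET_ADMIN` lets the container reconfigure its own network stack while attached to the shared `external_services` network. `purge_networks: yes` uses a YAML 1.1 truthy where the rest of the repo writes `true`/`false`; prefer `purge_networks: true`. The file is also named `fedi.dk.yaml` while every other task file referenced in this series uses `.yml`, which may trip any include or glob that assumes the shorter extension.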
@@ -1,141 +1,161 @@ $ANSIBLE_VAULT;1.1;AES256 -66323763353537626539666332316663373864616237386436666239366561366431396430626530 -3132383163653632383133393861373235623931636136390a353132383763626437373065663430 -64643662393961303936323265343663656431666563653633646532373563663263616634333764 -3766333631343961370a373237343531383863336632373862663435643239353934626637356365 -30666332626666333530656135343866613161643034383634373736636436636166346562666331 -30396437306263363564363862303737646232623266653032343230303965366338623238343134 -61353835663136383531663765653038323762313932313733646338623931353865363933333338 -39336434373137353738316336663038366334663231616263633565613464306439356235656630 -33396331313036623661353464626263393962306638353433343535613964353966313462613235 -36383563386461353036323164353539616135353761346361313363373266393464363864373633 -33636637366235383264353765383438646130373162323730663363303862333564383439633261 -64663961363161623037393830616466366632633661393463303732323365353665373435633537 -66356166336232366438333533616233363465623034623233363438346139656138336631366231 -33383238633532323665306338643562636135396566663537643733393931316131623262373164 -66393062376666383734393334646463616162363935343363303165393665613066306431366164 -64326564393464646664663839373563353966663063396434313362623664613834626636363233 -33343562343539663332346361316330383830623436306362373966366438653534313561366539 -34356166623562396361356161303739613230333663613232663861313331663233326633643530 -64353933626237636435303736623063373463326265633236653366303039313233623837306132 -65366235663666316631623361303634383539396661323232616338386133373330646365303238 -39306431366337333764373965623563383061323364396564366435376163663139346164323231 -63366435343761303562393933313263303265383237616261663838333430333935626563666162 -31363264356333663337313833353239316163643961393131346136633561623037636130353166 
-38646239623433613031646465326431623461383036356266643534346430363033316230656662 -39643636383863336436363134633336613638356635623035313766633335323731343837393536 -31343861336237356234633366643932323366653461373636646131393935656162613238343263 -32333962333239643733333363303233633333383733336262373463623935663531313830653935 -32346334393463636465383738306163326464373961376436663264356165306463353861306361 -37356134346135633137643634656432633366643761616433393239363831323335356639343337 -37623330363333356466636637336563303465343738363638663837653534303364663935313463 -36653333376233343637346365666364393237306531626165333966393663633165356339663765 -66663361643533616539653833303562373834663932626539383363653338636362383633623534 -36653666343835663530393665383863393133353261616139616362353062623137393565323634 -35356163323432303435626336353866303836623064366464336161636162343862333761343030 -64613165646362643366373730643665303261323635313632353439353736376565333662653437 -38396438366539383765653635326265633535363738323835636563666663386435633331616239 -36313166363138653531373061633966633337643530623333646537383231336639343932653634 -32393335636534333963663035303236356436393637363030313031353832623432656233376430 -64333563333433373334643530366164353765346138303730663561356335613239333136326237 -63356566663033313363646664643639386366383765646230343632623061626334623564613338 -34313633326565353839396164663536613561643232353736303336613864313330323638356364 -30633335323438613636343964323431366364633031643235636330623935363266623939336631 -63393733396332636335366539333939383831663039313933343336663539323435373963666131 -33343638303537636134666236616566356234393031343461376439363133393834363565313065 -63333638393236663538616436386164303732383539393261633135643930643435636637373736 -64653333656235656161303166336233393864386263363330643264636263303563636463316364 -65396231393531343265663234366530396665333830343434316433303361333539303734383934 
-35383936363435393231353532613534396231366630366461346235613436373537656335393966 -35666661633364326336666238346261616334303936613864633936613130333030343334396235 -30623136343934633636613062353230323961376639373033386132316132623932343432356266 -31333037656630333761633236303136633235636138653133363430613963393738383032643737 -36363037353630643137396661393736383035663963653465613437663865393565626438353264 -61646330343730656539373866363666393636373962366131306264313364366530653035373031 -61306461323038353261353430323133386135623433306564326237643334326264643932316434 -61623066323935373761616463636537666133303863333161393361626661623632656637336639 -36383538346633393265323130633037616364613934376337326566656237373363393738386366 -36386335646432646234336137623663336637323461663538316232656130633863336330383363 -34646530353539336432633165353039663338653139396365373664393030663164666432313265 -63396563306138383166396366616638373631616637633330666463343035333633346437393664 -64353736626432393632643263616139653131663264313466306664616437323739613936653839 -36653366396336376430623962373361343762363465373133663739313536323263633164373230 -35613466643839643831623138393137316661386234336131633763303731393663373364616131 -36383834633738326234663765383662383832323465383534353834633461333265656539633238 -64646665323938613735366165353361356236636163626535376131303464353365366234646438 -65316531356239663838323130393061646562653464633230353337316133333036626161336432 -66303438633139333964633766366262333235303262653733383934313638343336633566666338 -31633132653738326439326439616630323636666361646634663334366566396234633065626162 -38643565353738616232666330326365633264646637623836323761343866336635393436336331 -33663830643934633163353438343436303030343531666335326236376564333466343163643430 -35393031333834366335656431313033643936313839316431396333386135663761633562626163 -39366438393532363430326432356135356532646162306333663163613031336136353132656538 
-31653762386538656663346263663531653063626463326534636337303639303561626334633935 -65666139663461343466643861393762316330316431613765653239316537616434626535396139 -35376434356533656336623839656138386565303266396532303665346264623034643664656137 -62633064356566366438626331633933373630363164373434613233386535633532653130376436 -34353336633966313365373439623633353364393838343335306665383361323766353431393662 -31356533333834383832333031386365316461376563646561646333313063393532303162393231 -61336165663938363437396564626430376362353736623232653430613464626234326234663335 -37373633306533363830353662633038306139626136663839383631623230396333313937653733 -39313163316161326263306530353465336363626530333966343934373866303664316536363466 -33343766393561643864366665353239366336323335656665303735326633323432333938323862 -66656230373937396465323731616133336533383966353564663364303538613362313139343865 -64383233613038626437613162663232373666363062373531373331343237306135333230303636 -31626537633637653961666638393330643932656234316363323339353930303738346336646266 -63346234333833376563656264383834363630613932306262376666356663613831393732636532 -64333638616364633965383034356232373065333232623961643239326565623063386339303064 -64653162663239376335383732383838386631333837323238393366363836373463656639646261 -32616238363463333339393138303333326461666663303238343839376632323539396235373766 -66356464393739616138346235643564386664393130613336343235633531646530306236616361 -61656465666566336132383035393636356134633131666438363661646364323764373961343864 -33613963343961626665353733356432346439646638643939626562326364386533366135306433 -34343961323537333233383633343635383436363232666166336131323262613135393532616161 -38633635646563646563303262383461333439653562383564303261303033376337343831343431 -35343632633138626364313433656364613439633531343136316436613231373233326362663736 -33323664306430336235666238336631303735626630336139353764643366353931306437653039 
-34383433323662306164363462333934333463646136386564323764663862366235373632666662 -30386266373830636664613332353265366164353035306232353230393838303363613666396539 -66386663366439373566396334653335633662323230656132666631306432663836616462346264 -63346338666337663062626532353835316135616661323563636662333238653933613530313765 -30303864653037393131626631633338326235656632656339326463383061393635346333373730 -65386631336462363436346166366130383235396664303631383065666566343461393838633739 -63636334333462666131393430663335383466313762666134393062373238653730633864323137 -66643639383265656338323063356463626531346561336164656364633733343731373833376261 -33616663323837333266646635393564383439613630336566383336313036333933333230666230 -34646334306666626138333233343332366237646165636538326264663635373438656431636435 -35666334323035663933333764313564393536663335336561343734343662623939336531303235 -64393333313962333737616639663234393833633332643430326163323865613632663463346635 -35326632626363346536663563616334663366613734616562626165376335613165306531303932 -65623031386563326665303536646531306235613034336263393436363536303565656138303931 -30663237306161626130653663663365323030613635343563653465386561626361353532643737 -36626466626234376462373732653936326363376639613563653361366339363538383431383136 -61303134333665393039633263323238623539653233323732363163353762623730306366306134 -65663661633331393137396661313530663638383236656333393638356164643537663935343063 -34383039363832623663323661663530303534636635653631393536653837333766616161623839 -38383830326266353362613232643036393365633261333933363931313830666537363338633337 -66303166393430653263646338653539316234613432373763393664636631383737306236643431 -33396234386562346165346239343838323133653461646165643538666231323561376166393231 -39333534393961656234373235616332306639373764653164393232363535646239383432343963 -36343134363631626434323335303136346536393266363735316437333165366538373535333866 
-36626537636465376533616130363564626238356162623539316133306663333763393033333663 -63383462643938373262643435623132653730346564383537633537303034326366616661393062 -31316532383035383632633535303564626238613438653265366261663033326463316366656266 -65636462323832353565383334646239393636323635623230343537646338613861633532343962 -36616432653936356266626533383433376663373838653533366631386262353337383236373166 -33373139323765326135356431613235346431623931333362663463646630336332616337333535 -34336130366564303136653933303233663538353561396430313937363536663961333431323435 -35316537393462316334366163346663623933653861376637336338383837303233623434353238 -34383866636361333061393630376431323165353036373435646566326461333737313038656135 -31623466316339353463393165626236333763396434396638646461393434353132373030613633 -32393032353730656562666431383236653461656566643332363034636134653737343537306136 -65316437376265323439326234653363353336343631363630613533303837313535306666313461 -63623339383432353739616664396666336638316131653133363066633461646336356636376534 -34663730666436613733336439653031306561616263373235346461306335616166303637343462 -38663364636536663764383164306436373563346562643038613065336366363939376136646332 -65353261346434316534313766633139623937366265316130646138656535303031626230326463 -32653530613139313534316132653531613438313339333163376665666539313661663430353336 -32663930326561646536393232393730386464643364366130356464633934316261643435303734 -39363666333362396266343331633266653539343862386535363736333363623035353866363335 -64626339313631306266373338323163393632353433643036353762396162666562653831623235 -39373332626536323866 +66636338343431616564613639346264306161343566303835363432623939376366353962656631 +3530626163323838363236356534353065346535333666320a353662643837623033353237313234 +33653766303862653535343935306261353131623834343230386437356666643839643334623063 +6131626436313434310a623730633262636162623232323632366564613037313232626364633936 
+37346365366537663763623535633234316538643766386566396636653634363432383932333135 +65396435363665613562663861373237343633616637386234303831653130353332623731643737 +38613238386164393762646631383333363035643338626364386161306162383933623433616564 +61383966636438653434356466323835313562313633346663643639643632343131353761656233 +39336262333036306230383038373031633036313564343135353264383963656366353665386139 +30626636336336363634316632356434353436613236626264323531326533656637366436656265 +37613230303530303836616533393035343064663139376261363837626637646365353364373165 +35326462393961313234643866336638393364613863653565616438656565353061633564393134 +66643735303631373665613866643230353462623936656561643961613765323039613531656336 +34643432323131626536623065616137333365623666383438653936396131386566356265313033 +65613765353732666232656433353035363030623461353134393463663362646464616632633931 +35373632623432303930633566626333343465346563643435656537623336373235323637386166 +37356535386564363131643162383835633331363961313636343262333863613765306130353266 +39313566653735646438663739386433313735383730366530336533346465643166323765393334 +34653436653133393665303265373535353430366464653030386234386332343230646263393766 +38363532303761636666346436313539363935626635356166653739643139386138616230313663 +66636634663936616537386332346437363163636465653365643263666164633530623532303331 +31373661303737626632663339306430633037306161313166323430373266643833306365386234 +37663937356333626335653737303634396137303738396533633537653461393630613739363762 +30323739633265303634626237643066626631393639353039306438353830313634333866656461 +62396637656635623466626665353064646233636366313239626438343333353139316432373162 +33373831613937323738383332346364623863613861616538626639633039306232363063653439 +63383132323534633966333730363730653132336261666363323433303339633636336261393863 +61386637656232656161306264313230353161613936313632613066613930376339623530386438 
+63306335363031323532303937636432663165366137663339333635653166306538313433306664 +30353536353163393139643032393363623930323834623139316532303363316239303531623165 +34326263643935396239366133353565303039393333303736346434376237313533623034626238 +63356538373238396162323263313262326234653230373866653335396530646439626437393438 +37616565333632343766623065646139653261336438346330383539313235626166313863303530 +62353138333866666331663861346632343232376234633965323138343763626434383163633263 +30313634653535396632393932636236626361623530363563373266353534363431313436663034 +37633763656133666637326138386364336365363735326161393562373364633637636633666539 +61353135613465653031343035303334303532306533383936626565366434343464623766353661 +39623231343033313662643837633735313666313038316162643232366566626333636231613838 +36646630653265633631326535653463613232336265393061313732303833376637363362333134 +62356531373363656335356365373462383263386364353539383938323763323437313530666137 +34353962613930626663343064383235393333343061363039663535653564613331323662313035 +37623466333863613737393738316663303238303164653265366433303864353466313866663762 +37623863633163643139393934333764643261333835663639653664613166336635653236353065 +39363063313264616332386562626130323664643839316334313461643162323130366432343663 +32663637373061383636366663326163656637663366326436396639373332393330393030396262 +62323162646236343764333466343466326530653136653937663866613131663136323133386461 +62336665316232666630623235666566313561333563383133613539303032363736613831353562 +30636433323631386363623062666530623364643437383764613532646331343237646638643665 +66343334643061363764656532623836646231396664616332326436333831663636333763653634 +34646637613961333063363635376137343533336263656661643234626563343035343131643863 +61653031396361623436343336383730373563363666633266626131316538386335623532646533 +31623837383336333263643834613936373835336163616530636661623161346463343565336533 
+39653039376437313037393435393634336666383634313534636632656533643433633966366530 +36613139323831383331633232636130333836313831343336376466663532336263363634323837 +38306635613861316234343232303161373531356339613661666434626335313231383439656361 +31353730343965323934666466626439386536323434333266643161613230336133383531643734 +65326133373134306439626138316361313865646663333936383731333336333437376661356639 +39303462653464646231303965313437353161333931306335363864623165366565306331366563 +39383031353866646336363836643735666264636562643838626230393339653362303861333431 +64653930353964653339396562653033373463303431303362313861663064333763306638643839 +66333461316230353433616361313961353637323062623431306635376435346238303962353638 +66356662386631616230336337336366336335613935313535393030373761343465316539303436 +33366136636261336537333964623033383733656666366233363361616365613531383866306538 +37353866396535653166303133333736616537333565613062336330303636376361633537663962 +36613532346330346161303461616365386133303362303739636563633362393837653733323333 +31363264353762316564313362663563653862626164306533636335623631303139343161643863 +34613462313732303830313738323563353338303164306137306535363531353534653061326361 +36653837613264383537643634356537353737373166356366363664333361643038303965313633 +36323839343634383762373636383732643936616661333133353036396464616635626663643230 +35333239323034326435643335393239326230303833363338353865396366313736303836663762 +36353536633630323734356239656339623432366463653365643163393030613466303066613435 +64333934633136313361656435636531646264643138376532353239643537313765636237383332 +33323363353630383431656437353435396638353438343162356538356636353364333839316633 +63623433346437663932663437333338366161346238343166306635653833666564323834623662 +64643633616330626234396564356433383535363733353135393230366630343665633736373031 +63306563623464366230326166373462366361333563636431353736376632323835393363383037 
+32656632336335346131613537343665393461323834346564653263613031386366616432353131 +65386461313235663263353561383163366130356631336438333837303234373362343430396462 +64383733616166653465646333633666633138613038373561356634653330626236306631393166 +37636333393762326336643339326232653964646161656161643134386264333764316336643636 +62323032633462633339346665633461303362333232643837653834646463653733663831323233 +35306261323332356531393466383932353239613639383938323731336564336133316237656237 +35613932386132306630626631393434363231356531313338633632633966623965643764376239 +32623033336161323164343364346465376166653432356166343537373630653230646566306463 +35353066653337363136313937336436623266353234666361616265666161383265323936613265 +30303962646436303130373666383062363261326363373761616261613366346438386138653832 +62313065633664306564316638383565363134326662306434363262613435666138623639366533 +62323762636363653161366238343862326364633130313037643838383538323134633031323732 +61326537383730343463363266636332623936343465383466653765333666393133623062383563 +32336138316466383930373966623364353531663533326335626334323530393635656530623865 +37313437333235346438663532316336346261333331363635666166366330636234353966316132 +32613932366561643864376138323233303333633935666561383130363939393063303663393566 +61376331353962363962653738666237646136626163343961343931613861393730373530616461 +62353032656636636237633935343334326637313931313232353632666236326264346330656139 +35376366323732343161303464356231623431616630666131313831636236356532383733313338 +65346664626563633639633266653636323532333338353261396538306364616164356337636534 +62386165373263353935663037656464393235393732376362653136373730316138383630323434 +32333864663861623033343665656633363639326364616466616137313264646236366435323337 +31356266633737666235333761376432333138393931326136633338333836353163383539313335 +36646466333566626336336663356530313936653239383265326538373136636162323132326539 
+65373939646663333962366263376631653661633164663766316463303163386236666366303439 +37636432663661613064616137333665633161393733383132316138623062646136623630613535 +31393439343930356437656539653535613264336333346132396463633734333164363065363232 +38623438346632306161646633383534653534353164616532633934363036373338633234373934 +64623933303336346663616166366262383033393633373963356565316461346564623832356639 +37353561343430646361353937613236656232626565346437373236636636376334393262613666 +65356634613165613831376366323732336434303864643435353835376533356539643030613464 +62386635646633633462303163306632323238633938363638363431356637306430313061333632 +63393333336361336161313064376466636135313061363238623965613338343738343030616436 +35633334656362646137313366353564383337346263636164323461613761316464396538363463 +30363461666362653938393637623531636136613538663437306463316562616133633237303035 +32626161393332313331623363653730313763643335393436393265643834303330303836666661 +32623633626563643661353936636335386465373038323466653562333332393433663034643164 +32646234386438313138356530353536656532323730626164636332663663383337633137326461 +64303939323336326630326561623031393634363965636265333033663732643265363638356536 +32323434633262366361306334623835316237353964316438333161366431386633616431343236 +33643436306362363362386631346237393235323366633033323532346366333437303336626139 +33323637663838316635386536306261313135316231643031636536303237353261313638656137 +31636231313763613465663038623462613466383965386665373133343466386563646131643035 +32353430336536653834646638623963306338366663353265623437336433393865336663623637 +62353330646464663532356336393366356137373064383261336632626361653435356361336133 +31383838623637643334373537613763393564373730313465616433316339646163323765346138 +32643837643331363234323661616234383863316262666532376236346362323731303634313765 +36643364346561393834316262663932313034633261343663613965356663633466346461666136 
+32376137323066303339316163633732366439333135306564626231366562313662363966633465 +32366135313830663331323132346536363063326338653730396662636532393233626566636565 +39303337346261303738393163366361663565373661663438643934353633643836616430623036 +31333234383964343337383631306537353232656664363665616665393365326135646139646431 +61643663313466636263353933386339613932323565323866376664356332643430373566653666 +65646437343234306333306535633835633130353732376333393234303331313662323332356632 +39303963383061336239616439366165326537336631353330353664386435383763623431313235 +35373330353339363461353138623733316436303137313564333865313032633033393133343265 +31353866306538303630363136373832383339376231303363396338306534333639366663626466 +65383833616163633763636561643135316166373730663236303034643864663632656636623430 +66303466623635353239303163363630303166393335646331653033316338386138326634666537 +32303433306562353838346530326362383935643339383634333263623664386265636235393533 +30323139653236393330373465663463353230356463623434636161666262343437656164623961 +32386535346639663138656534313863373830343464353438316337613562623833333236633135 +31396266353564346464353135636131666664666637616562366165396433363061353132393330 +36363165346363633665353262323964363931343133336435636433363138623666633962323536 +30316334393736383235616465663536373938623732353934336662393437623337386263336365 +37373035373234396130663634666264326433653164303331313965363831393033643737386435 +30653935623166363435623932666637643264343764396334613331303437663333346636633539 +33333331663163373435373437333661633033313566306165623362653764623361383264373331 +36396462386231313834316635643136306435346666666235376636303662616366643832346339 +64393336323663303237613839303739333438653032396432626130323363383961313533326638 +65303837303762313239633238323665363634373161666461363665663437643032326330623730 +32613431653634646437333637393864383030623932346262313563646266373731323163386338 
+39383731376135383431653763643931373438386133633837636231653530623566323832663265 +34313065656264633635393633353632333138366436366234386262633030613739656130653062 +36366633376163613735633938316230363031306634326531633938613465323533383730613761 +64356530393761326266646165326131633864653565616464363162353635646434643934656631 +38333835653861653634633361396561663864363331613966653663373838646262633732626366 +64366434346166383339323830383537653365666536376635643031363636333830396537363561 +66343966663062623064356237363933313165656631386461306563343762643237373437613839 +62633034616366366565316264356665343764663162323264393665313261323032303164613230 +66316137636363356337663462346637346435306337323164393166626339343337376661313738 +33393761636239666230306633346462396561353333643262393561356439616338646466383537 +65383037663364623361346161373264396364346537663034643930316135623030353865316630 +38356537633761383238 diff --git a/group_vars/all/secrets.yml.contents b/group_vars/all/secrets.yml.contents index e56296d..5bd4105 100644 --- a/group_vars/all/secrets.yml.contents +++ b/group_vars/all/secrets.yml.contents @@ -1,6 +1,6 @@ # These are the variables contained in secrets.yml # Secrets are usually 32 characters or more, matching [a-Z0-9] - +--- postgres_passwords: nextcloud: xxx passit: xxx @@ -9,6 +9,7 @@ postgres_passwords: codimd: xxx mailu: xxx keycloak: xxx + hedgedoc: xxx mastodon: xxx rallly: xxx membersystem: xxx @@ -31,8 +32,8 @@ drone_secrets: rpc_shared_secret: xxx restic_secrets: - user_secret: xxx - encryption_secret: xxx + repository_password: xxx + ssh_privkey: xxx matrix_secrets: registration_shared_secret: xxx diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index f6d83ee..bb055cb 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -49,9 +49,10 @@ services:
 restic:
 file: restic_backup.yml
- user: "datacoop"
- domain: "restic.cannedtuna.org"
- repository: "datacoop-hevonen"
+ user: "dc-user"
+ domain: "rynkeby.skovgaard.tel"
+ volume_folder: "{{ volume_root_folder }}/restic"
+ repository: "restic"
 version: "1.6.0"
 disabled_in_vagrant: true
diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml
index 20ed075..3ce61f6 100644
--- a/roles/docker/tasks/services/restic_backup.yml
+++ b/roles/docker/tasks/services/restic_backup.yml
@@ -1,5 +1,44 @@
 # vim: ft=yaml.ansible
 ---
+- name: Create SSH directory
+ file:
+ path: "{{ services.restic.volume_folder }}/ssh"
+ owner: root
+ group: root
+ mode: '0700'
+ state: directory
+
+- name: Copy private SSH key
+ copy:
+ dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
+ owner: root
+ group: root
+ mode: '0600'
+ content: "{{ restic_secrets.ssh_privkey }}"
+
+- name: Derive public SSH key
+ shell: >-
+ ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
+ > {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
+ args:
+ creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
+
+- name: Set file permissions on public SSH key
+ file:
+ path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
+ owner: root
+ group: root
+ mode: '0644'
+ state: touch
+
+- name: Create SSH config
+ template:
+ src: restic.ssh.config.j2
+ dest: "{{ services.restic.volume_folder }}/ssh/config"
+ owner: root
+ group: root
+ mode: '0600'
+
 - name: Setup restic backup
 docker_compose:
 project_name: restic_backup
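Review bot: The `>` redirect in the Derive public SSH key task creates id_ed25519.pub before ssh-keygen runs, so a failed derivation (for instance a malformed `restic_secrets.ssh_privkey`) leaves an empty .pub that the `creates:` guard then treats as done on every later run; the following Set file permissions task with `state: touch` also reports changed on every run. Running ssh-keygen through `command` with `argv`, registering its output and writing it with `copy` avoids both problems, as sketched below. Separately, the Copy private SSH key task renders `restic_secrets.ssh_privkey` through `content:` without `no_log: true`, so the key material can appear in verbose or `--diff` output; add `no_log: true` to that task.
```yaml
# … unchanged: Create SSH directory, Copy private SSH key …
- name: Derive public SSH key
  command:
    argv:
      - ssh-keygen
      - -y
      - -f
      - "{{ services.restic.volume_folder }}/ssh/id_ed25519"
  register: restic_pubkey
  changed_when: false

- name: Write public SSH key
  copy:
    dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
    owner: root
    group: root
    mode: '0644'
    content: "{{ restic_pubkey.stdout }}\n"
# … unchanged: Create SSH config …
```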
@@ -13,12 +52,12 @@
 environment:
 RUN_ON_STARTUP: "false"
 BACKUP_CRON: "0 30 3 * * *"
- RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
+ RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
 RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
 RESTIC_BACKUP_SOURCES: "/mnt/volumes"
 RESTIC_BACKUP_ARGS: >-
 --tag datacoop-volumes
- --exclude='*.tmp'
+ --exclude '*.tmp'
 --verbose
 RESTIC_FORGET_ARGS: >-
 --keep-last 10
@@ -27,6 +66,7 @@
 --keep-monthly 12
 TZ: Europe/Copenhagen
 volumes:
+ - "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
 - /docker-volumes:/mnt/volumes:ro
 restic-prune:
@@ -34,6 +74,8 @@
 environment:
 RUN_ON_STARTUP: "false"
 PRUNE_CRON: "0 0 4 * * *"
- RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
+ RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
 RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
 TZ: Europe/copenhagen
+ volumes:
+ - "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
diff --git a/roles/docker/templates/restic.ssh.config.j2 b/roles/docker/templates/restic.ssh.config.j2
new file mode 100644
index 0000000..1b6b024
--- /dev/null
+++ b/roles/docker/templates/restic.ssh.config.j2
@@ -0,0 +1,3 @@
+Host {{ services.restic.domain }}
+ ServerAliveInterval 60
+ ServerAliveCountMax 240
From 2d11a664b4300edc95ca18c246cef373c86ca4c8 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sun, 5 Mar 2023 23:10:53 +0100
Subject: [PATCH 39/56] Fix Vagrant logic
---
 roles/docker/tasks/services.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml
index c05c6b6..3b441e9 100644
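Review bot: `TZ: Europe/copenhagen` on the restic-prune service (a context line in the third hunk, so not introduced here) does not match `TZ: Europe/Copenhagen` on the restic-backup service; zoneinfo lookups are case-sensitive on a case-sensitive filesystem, so the prune container's `PRUNE_CRON: "0 0 4 * * *"` presumably fires in UTC rather than local time. Change it to `TZ: Europe/Copenhagen`. The new `sftp:` repository also relies on the ssh client inside the image reading its key, config and (later) known_hosts from `/run/secrets/.ssh`, which nothing visible here confirms; a comment on the new `volumes:` entry naming that expectation would help the next person debugging a failed backup.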
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@@ -9,11 +9,13 @@
 loop: "{{ services | dict2items(value_name='service') }}"
 when: single_service is not defined and
 item.service.file is defined and
- item.service.disabled_in_vagrant is not defined
+ (item.service.disabled_in_vagrant is not defined or
+ not (item.service.disabled_in_vagrant and vagrant))
 - name: setup single service
 include_tasks: "services/{{ services[single_service].file }}"
 when: single_service is defined and
 single_service in services and
 services[single_service].file is defined and
- services[single_service].disabled_in_vagrant is not defined
+ (services[single_service].disabled_in_vagrant is not defined or
+ not (services[single_service].disabled_in_vagrant and vagrant))
From 32f25aeb8ff3c4758e5e7cd356a02fc30cd054e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Mon, 6 Mar 2023 11:50:59 +0100
Subject: [PATCH 40/56] Add vhs.data.coop website
---
 roles/docker/defaults/main.yml | 5 +++++
 .../services/websites/vhs.data.coop.yaml | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 roles/docker/tasks/services/websites/vhs.data.coop.yaml
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index bb055cb..2dce397 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -144,6 +144,11 @@ services:
 domain: fedi.dk
 version: latest
+ vhs_website: file: websites/vhs.data.coop.yaml domain: vhs.data.coop version: latest + cryptohagen_website: file: websites/cryptohagen.dk.yml domains:
diff --git a/roles/docker/tasks/services/websites/vhs.data.coop.yaml b/roles/docker/tasks/services/websites/vhs.data.coop.yaml
new file mode 100644
index 0000000..f3b951a
--- /dev/null
+++ b/roles/docker/tasks/services/websites/vhs.data.coop.yaml
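Review bot: `not (item.service.disabled_in_vagrant and vagrant)` raises an undefined-variable error whenever `vagrant` is not set, which the old condition never did; unless `vagrant` is guaranteed in every inventory, write `not (item.service.disabled_in_vagrant and (vagrant | default(false)))` here and the matching form in the single-service task below it. The same expression is now duplicated in both `when:` blocks, so a `set_fact` computed once, or a short comment on the first task pointing at the second, would keep them from drifting apart.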
@@ -0,0 +1,19 @@
+# vim: ft=yaml.ansible
+---
+- name: setup vhs.data.coop website with unipi
+ docker_container:
+ name: vhs.data.coop_website
+ image: docker.data.coop/unipi:{{ services.vhs_website.version }}
+ restart_policy: unless-stopped
+ purge_networks: yes
+ networks:
+ - name: external_services
+ env:
+ VIRTUAL_HOST: "{{ services.vhs_website.domain }}"
+ LETSENCRYPT_HOST: "{{ services.vhs_website.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ command: "--remote=https://git.data.coop/vhs.data.coop/website.git#main"
+ capabilities:
+ - NET_ADMIN
+ devices:
+ - "/dev/net/tun"
From 9d4c7be8019ef4ea122884cff96801fb69f1d942 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Mon, 6 Mar 2023 13:33:18 +0100
Subject: [PATCH 41/56] Add known_hosts to Restic's SSH folder
---
 roles/docker/defaults/main.yml | 7 ++++---
 roles/docker/tasks/services/restic_backup.yml | 8 ++++++++
 roles/docker/templates/restic.ssh.known_hosts.j2 | 1 +
 3 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 roles/docker/templates/restic.ssh.known_hosts.j2
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index bb055cb..ac062cb 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -49,10 +49,11 @@ services:
 restic:
 file: restic_backup.yml
- user: "dc-user"
- domain: "rynkeby.skovgaard.tel"
+ user: dc-user
+ domain: rynkeby.skovgaard.tel
+ host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
 volume_folder: "{{ volume_root_folder }}/restic"
- repository: "restic"
+ repository: restic
 version: "1.6.0"
 disabled_in_vagrant: true
diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml
index 3ce61f6..b193a2f 100644
--- a/roles/docker/tasks/services/restic_backup.yml
+++ b/roles/docker/tasks/services/restic_backup.yml
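Review bot: Pinning `host_key` for the sftp backend is the right call, but the hunk records nothing about how the key was verified, so a future edit to this line cannot be told apart from a typo fix. Add a comment above it such as `# ed25519 host key of the backup target, verified out-of-band with its operator; any change here is a trust decision` so the provenance travels with the value.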
@@ -39,6 +39,14 @@ group: root mode: '0600' +- name: Create SSH known_hosts file + template: + src: restic.ssh.known_hosts.j2 + dest: "{{ services.restic.volume_folder }}/ssh/known_hosts" + owner: root + group: root + mode: '0600' + - name: Setup restic backup docker_compose: project_name: restic_backup diff --git a/roles/docker/templates/restic.ssh.known_hosts.j2 b/roles/docker/templates/restic.ssh.known_hosts.j2 new file mode 100644 index 0000000..19ac263 --- /dev/null +++ b/roles/docker/templates/restic.ssh.known_hosts.j2 @@ -0,0 +1 @@ +{{ services.restic.domain }} {{ services.restic.host_key }} From e9410c4f8fe1610bc003fb8a0fcf58f4296b8d64 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Mon, 6 Mar 2023 22:27:53 +0100 Subject: [PATCH 42/56] Use domain name instead of IP in inventory file --- datacoop_hosts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datacoop_hosts b/datacoop_hosts index d7d1e3e..4fe371b 100644 --- a/datacoop_hosts +++ b/datacoop_hosts @@ -1,3 +1,3 @@ ###################################### ### All hosts -85.209.118.131 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3 +hevonen.servers.data.coop ansible_port=19022 ansible_python_interpreter=/usr/bin/python3 From 3bddaaa22c7b10a940aa8e9d9d062a0488b9aa67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= Date: Tue, 7 Mar 2023 13:14:47 +0100 Subject: [PATCH 43/56] ansible.cfg use persistent connections This makes ansible try to use one ssh connection for everything. This greatly reduces the number of TCP connections and authentication attempts. --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index d69e51f..42063be 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,4 @@ [defaults] remote_user = root inventory = datacoop_hosts +use_persistent_connections = True From 77e4d90589b2410b134e98b362db68624c0fb8aa Mon Sep 17 00:00:00 2001 
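Review bot: The known_hosts file is written root-owned `0600`, matching the private key in the task above, yet nothing here shows which user the restic container runs as or that its SSH client is pointed at `/run/secrets/.ssh/known_hosts` with strict checking; if it is not, the pinned key is never consulted and the first connection silently falls back to trust-on-first-use. A comment above the task recording the dependency would help, e.g. `# Only effective if the container's ssh uses this file as UserKnownHostsFile with StrictHostKeyChecking=yes`. The template's `{{ services.restic.domain }} {{ services.restic.host_key }}` line is the right format for the default port; since the port is not visible, note that a non-default one needs the `[host]:port` form.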
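Review bot: Switching the inventory from `85.209.118.131` to `hevonen.servers.data.coop` changes what OpenSSH looks up in the operators' `known_hosts`: an entry recorded under the IP does not satisfy a lookup by name, so the next run prompts to accept the key under the new name, and DNS is now in the path to the host. Add the host key under the new name before the first run (`ssh-keyscan` verified out of band, or `HashKnownHosts`-aware editing), and keep the default `host_key_checking` in `ansible.cfg` as the shown file does, so that prompt is not skipped.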
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= Date: Tue, 7 Mar 2023 15:40:58 +0100 Subject: [PATCH 44/56] Fix email setup Since whenever gomail doesn't like credentials when they're not going to be used: Failed to send a testing email to 'reynir@reynir.dk': gomail: could not send email 1: SMTP server does not support AUTH, but credentials provided --- roles/docker/tasks/services/gitea.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index e0234b8..95f65e2 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml @@ -29,8 +29,6 @@ GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}" GITEA__mailer__MAILER_TYPE: "smtp" GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}" - GITEA__mailer__USER: "noop" - GITEA__mailer__PASSWD: "noop" GITEA__security__LOGIN_REMEMBER_DAYS: "60" GITEA__security__PASSWORD_COMPLEXITY: "off" GITEA__security__MIN_PASSWORD_LENGTH: "8" From 04799e4a8f194a67c260f0901b34eb48ad5786ab Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Tue, 7 Mar 2023 21:54:02 +0100 Subject: [PATCH 45/56] Fix mode for Restic SSH directory --- roles/docker/tasks/services/restic_backup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml index b193a2f..e32a228 100644 --- a/roles/docker/tasks/services/restic_backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -5,7 +5,7 @@ path: "{{ services.restic.volume_folder }}/ssh" owner: root group: root - mode: '0700' + mode: '0755' state: directory - name: Copy private SSH key From 9cc70decab216d8864099ec12642aaab6feb441b Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 9 Mar 2023 17:43:25 +0100 Subject: [PATCH 46/56] Upgrade Restic --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
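Review bot: With `USER`/`PASSWD` removed, the mailer now submits to `{{ smtp_host }}:{{ smtp_port }}` without authentication, so delivery depends entirely on the relay authorising this container by source network — acceptable, but invisible in this file. A comment on the `HOST` line records the assumption: `# Unauthenticated submission: the relay trusts this container by network, not by credentials`. Whether the hop is TLS-protected is also not visible; if the relay is reached over a Docker network the plain-text segment stays internal, otherwise the mailer's protocol/TLS setting for this Gitea version should be set explicitly.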
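Review bot: Widening the `ssh` directory from `0700` to `0755` makes it traversable by every user on the host, and the commit message does not say which reader needed that; the private key and known_hosts inside are still written `0600` root-owned in the same file, so if the container runs unprivileged this change alone would not make the key readable, which suggests the actual requirement is worth spelling out. Document it above `mode:`, e.g. `# 0755: the restic container must traverse this directory; the files inside stay 0600 root-owned`, and confirm the file modes are not relaxed elsewhere to match.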
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index af940df..a21f5c0 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -54,7 +54,7 @@ services: host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo volume_folder: "{{ volume_root_folder }}/restic" repository: restic - version: "1.6.0" + version: "1.7.0" disabled_in_vagrant: true docker_registry: From b1f1db5b30ce93fcc40cc7dae32570fe6e02fca6 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 9 Mar 2023 17:50:13 +0100 Subject: [PATCH 47/56] Simplify Docker service names for Restic This simplifies containernames such as "restic_backup_restic-backup_1" to "restic_backup_1". --- roles/docker/tasks/services/restic_backup.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml index e32a228..8fce1b5 100644 --- a/roles/docker/tasks/services/restic_backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -49,12 +49,12 @@ - name: Setup restic backup docker_compose: - project_name: restic_backup + project_name: restic pull: true definition: version: '3.6' services: - restic-backup: + backup: image: mazzolino/restic:{{ services.restic.version }} restart: always environment: @@ -77,7 +77,7 @@ - "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro" - /docker-volumes:/mnt/volumes:ro - restic-prune: + prune: image: "mazzolino/restic:{{ services.restic.version }}" environment: RUN_ON_STARTUP: "false" From 98d57e4cfafaa2304f7a7d0cb00bc2ff20e7557d Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Tue, 14 Mar 2023 16:14:53 +0100 Subject: [PATCH 48/56] Add SSH key for samsapti --- group_vars/all/vars.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index b811cfb..cbcbb96 100644 --- a/group_vars/all/vars.yml 
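Review bot: Changing `project_name` from `restic_backup` to `restic` creates a new Compose project, and the `docker_compose` module does not remove containers belonging to a different project, so the existing `restic_backup_restic-backup_1` (with `restart: always`) keeps its schedule and two backup jobs plus two prune jobs would run against the same repository until the old project is taken down. Either keep the project name and rename only the services, or add a task that brings the old project down before this one; at minimum a comment above `project_name`, e.g. `# Renamed from restic_backup: remove the old project's containers by hand after deploying`, flags the manual step.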
+++ b/group_vars/all/vars.yml @@ -31,4 +31,5 @@ users: groups: - sudo ssh_keys: - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf + - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332 From b042d555b61596fd95f13c2b7dd18b29d57535ba Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Tue, 14 Mar 2023 16:17:02 +0100 Subject: [PATCH 49/56] Edit README.md to describe users option --- README.md | 3 +++ deploy.sh | 1 + 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 97e3b76..b165120 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,9 @@ Here is a summary of the options that can be used with the script: # deploy the ubuntu_base role only ./deploy.sh base +# deploy user setup only +./deploy.sh users + # deploy the docker role only ./deploy.sh services diff --git a/deploy.sh b/deploy.sh index 5777829..ee10734 100755 --- a/deploy.sh +++ b/deploy.sh @@ -4,6 +4,7 @@ usage () { { echo "Usage: $0 [--vagrant]" echo "Usage: $0 [--vagrant] base" + echo "Usage: $0 [--vagrant] users" echo "Usage: $0 [--vagrant] services [SERVICE]" } >&2 } From b5d980510dda3187ea49fb7905faac7d247d6252 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sun, 26 Mar 2023 18:35:30 +0200 Subject: [PATCH 50/56] FIDO bug in Passit should be fixed now --- roles/docker/tasks/services/passit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 375808f..58e87a6 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml 
@@ -26,7 +26,7 @@ POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" passit_app: - image: "passit/passit@sha256:c4b96bc67222936f58f344d5dd1020227ad8e11ad5f82ed3cbf0bcfa8fe9b2e7" #:{{ services.passit.version }}" + image: "passit/passit:{{ services.passit.version }}" command: "bin/start.sh" restart: "always" networks: From f9049451e9d4c1a552b734b2a9ed2ae0fa38c4cf Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 29 Mar 2023 18:11:10 +0200 Subject: [PATCH 51/56] Raise message rate limit for Mailu --- roles/docker/templates/mailu.env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/templates/mailu.env.j2 b/roles/docker/templates/mailu.env.j2 index aee7777..9b7f782 100644 --- a/roles/docker/templates/mailu.env.j2 +++ b/roles/docker/templates/mailu.env.j2 @@ -61,7 +61,7 @@ ANTIVIRUS=none MESSAGE_SIZE_LIMIT=50000000 # Message rate limit (per user) -MESSAGE_RATELIMIT=200/day +MESSAGE_RATELIMIT=1000/day # Networks granted relay permissions # Use this with care, all hosts in this networks will be able to send mail without authentication! From f7afe5ba0057e22460f206c2f15c2b4ca618912e Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 29 Mar 2023 18:27:24 +0200 Subject: [PATCH 52/56] Fix spacing --- roles/docker/tasks/services/mailu.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index 9cc449a..4fd86f2 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml @@ -26,7 +26,7 @@ - name: upload mailu.env file template: src: mailu.env.j2 - dest: "{{ services.mailu.volume_folder}}/mailu.env" + dest: "{{ services.mailu.volume_folder }}/mailu.env" - name: hard link to Let's Encrypt TLS certificate file: 
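Review bot: Replacing the `@sha256:…` digest with `{{ services.passit.version }}` removes the only content pin this container had; a tag can be re-pushed upstream, and the value of `services.passit.version` is not visible here, so if it resolves to a floating tag the app image will silently follow upstream pushes. Keep the digest next to the tag once the fixed release is identified, `image: "passit/passit:{{ services.passit.version }}@sha256:<digest>"`, or at least make sure the variable names a specific release and say so in a comment on the line.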
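Review bot: Raising `MESSAGE_RATELIMIT` from `200/day` to `1000/day` raises by the same factor how much a single compromised or abused account can send before the limit bites, and the commit gives no reason for the new value. A comment above the line recording the motivation (which sender hit 200 and why) would let a later reviewer judge whether to lower it again; if only specific accounts need the headroom, a per-user exception — should this Mailu version support one — would be narrower than a global change.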
@@ -76,7 +76,7 @@ front: image: mailu/nginx:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder }}/mailu.env" environment: VIRTUAL_HOST: "{{ services.mailu.domain }}" LETSENCRYPT_HOST: "{{ services.mailu.domain }}" @@ -98,7 +98,7 @@ resolver: image: mailu/unbound:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder }}/mailu.env" networks: default: ipv4_address: "{{ services.mailu.dns }}" @@ -119,7 +119,7 @@ imap: image: mailu/dovecot:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder }}/mailu.env" volumes: - "{{ services.mailu.volume_folder }}/mail:/mail" - "{{ services.mailu.volume_folder }}/overrides/dovecot:/overrides:ro" @@ -132,7 +132,7 @@ smtp: image: mailu/postfix:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder }}/mailu.env" volumes: - "{{ services.mailu.volume_folder }}/mailqueue:/queue" - "{{ services.mailu.volume_folder }}/overrides/postfix:/overrides:ro" @@ -146,7 +146,7 @@ image: mailu/rspamd:{{ services.mailu.version }} hostname: antispam restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder }}/mailu.env" volumes: - "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd" - "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d:ro" @@ -159,7 +159,7 @@ webmail: image: mailu/rainloop:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: "{{ services.mailu.volume_folder }}/mailu.env" volumes: - "{{ services.mailu.volume_folder }}/webmail:/data" - "{{ services.mailu.volume_folder }}/overrides/rainloop:/overrides:ro" 
From 863cd56001a00983a2c344719a25e37789fd2cbc Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Thu, 6 Apr 2023 19:10:47 +0200 Subject: [PATCH 53/56] Upgrade HedgeDoc and Postfix --- roles/docker/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index a21f5c0..2152b60 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -9,7 +9,7 @@ services: file: postfix.yml domain: "smtp.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/postfix" - version: "v3.5.1-alpine" + version: "v3.6.1-alpine" nginx_proxy: file: nginx_proxy.yml @@ -121,7 +121,7 @@ services: file: hedgedoc.yml domain: "pad.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/hedgedoc" - version: 1.9.6-alpine + version: 1.9.7-alpine postgres_version: 10-alpine data_coop_website: From 493062b00a721d100953cf97655ae5575ebc6132 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 8 Apr 2023 00:15:05 +0200 Subject: [PATCH 54/56] Upgrade Matrix (Synapse) to v1.80.0 --- roles/docker/defaults/main.yml | 4 ++-- .../files/configs/matrix/homeserver.yaml.j2 | 13 +++---------- roles/docker/tasks/services/matrix_riot.yml | 15 ++++++--------- 3 files changed, 11 insertions(+), 21 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 2152b60..848f005 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -95,8 +95,8 @@ services: file: matrix_riot.yml domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" - version: v1.63.1 - postgres_version: "10" + version: v1.80.0 + postgres_version: 15-alpine allowed_sender_domain: true riot: diff --git a/roles/docker/files/configs/matrix/homeserver.yaml.j2 b/roles/docker/files/configs/matrix/homeserver.yaml.j2 index 73ba3f3..b474901 100644 --- a/roles/docker/files/configs/matrix/homeserver.yaml.j2 
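Review bot: Moving `postgres_version` from `10` to `15-alpine` is a major-version jump, and a PostgreSQL 15 server will not open a data directory written by PostgreSQL 10; if the `db` folder created by the Matrix tasks is the bind-mounted data directory (presumably — the mount is not visible here), the new container refuses to start, or initialises an empty database if the directory is empty and Synapse comes up with no history. A dump from the old container restored into the new one, or `pg_upgrade`, has to happen before this is applied, and switching to the musl-based `alpine` image can change text collation, which is a reason to `REINDEX` afterwards. A comment on the line, e.g. `# 10 -> 15: requires dump/restore or pg_upgrade before deploying`, keeps an unattended redeploy from tripping over it; `v1.63.1` to `v1.80.0` also skips many Synapse releases, so the upgrade notes in between deserve a check.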
+++ b/roles/docker/files/configs/matrix/homeserver.yaml.j2 @@ -339,7 +339,7 @@ database: user: "synapse" password: "{{ postgres_passwords.matrix }}" database: "synapse" - host: "matrix_db" + host: "postgres" port: "5432" cp_min: 5 cp_max: 10 @@ -676,15 +676,8 @@ report_stats: false ## API Configuration ## -# A list of event types that will be included in the room_invite_state -# -room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.encryption" - - "m.room.name" - +room_prejoin_state: + disable_default_event_types: false # A list of application service config file to use # diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index 600d81c..d24c4d8 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml @@ -61,12 +61,11 @@ - name: set up matrix and riot docker_compose: project_name: matrix - pull: yes + pull: true definition: version: "3.6" services: - matrix_db: - container_name: matrix_db + postgres: image: "postgres:{{ services.matrix.postgres_version }}" restart: unless-stopped networks: @@ -77,8 +76,7 @@ POSTGRES_USER: "synapse" POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}" - matrix_app: - container_name: matrix + synapse: image: "matrixdotorg/synapse:{{ services.matrix.version }}" restart: unless-stopped networks: @@ -95,8 +93,7 @@ LETSENCRYPT_HOST: "{{ services.matrix.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - riot: - container_name: riot_app + element: image: "avhost/docker-matrix-riot:{{ services.riot.version }}" restart: unless-stopped networks: 
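Review bot: `room_prejoin_state: disable_default_event_types: false` is the default value, so the new stanza changes nothing by itself, while the removed `room_invite_state_types` list had made the events exposed before join explicit; whether all five removed types are within the default set cannot be verified from this file. A comment above the key stating that the defaults are intentionally relied on, and naming the Synapse version whose defaults were checked, would make the decision reviewable, e.g. `# Rely on the default pre-join state set (checked against v1.80.0); the former explicit list is believed to be a subset of it`.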
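Review bot: Renaming the services (`matrix_db` to `postgres`, `matrix_app` to `synapse`, `riot` to `element`) and dropping their fixed `container_name`s means the next run creates new containers, but the `docker_compose` module leaves orphaned services of the same project in place unless told otherwise, so the old `matrix_db`, `matrix` and `riot_app` containers (all `restart: unless-stopped`) would keep running beside the new ones, with two Synapse instances on the same data volume. Add `remove_orphans: true` next to `pull: true`, or stop the old containers by hand before deploying, and mention it in the commit message. The `host: "postgres"` change in homeserver.yaml.j2 correctly follows the new service name.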
@@ -107,9 +104,9 @@ volumes: - "{{ services.riot.volume_folder }}/data:/data" environment: - VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}" + VIRTUAL_HOST: "{{ services.riot.domains | join(',') }}" VIRTUAL_PORT: "8080" - LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}" + LETSENCRYPT_HOST: "{{ services.riot.domains | join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" networks: From f1df97ca0445d43bfc6c8b43789b4274ec82f80e Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 8 Apr 2023 00:31:38 +0200 Subject: [PATCH 55/56] Upgrade Element --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 848f005..c0a185a 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -104,7 +104,7 @@ services: - "riot.{{ base_domain }}" - "element.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/riot" - version: v1.11.8 + version: v1.11.28 privatebin: file: privatebin.yml From d2681c27a0bfd5e885f4dec483f446d3cee376fd Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 8 Apr 2023 00:35:49 +0200 Subject: [PATCH 56/56] Rename Riot to Element globally --- roles/docker/defaults/main.yml | 6 +-- .../configs/{riot => element}/config.json | 0 .../configs/{riot => element}/riot.im.conf | 0 .../matrix/{vhost-riot => vhost-element} | 0 .../{matrix_riot.yml => matrix_element.yml} | 38 +++++++++---------- 5 files changed, 22 insertions(+), 22 deletions(-) rename roles/docker/files/configs/{riot => element}/config.json (100%) rename roles/docker/files/configs/{riot => element}/riot.im.conf (100%) rename roles/docker/files/configs/matrix/{vhost-riot => vhost-element} (100%) rename roles/docker/tasks/services/{matrix_riot.yml => matrix_element.yml} (73%) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index c0a185a..ac2c9b4 100644 --- a/roles/docker/defaults/main.yml 
+++ b/roles/docker/defaults/main.yml @@ -92,18 +92,18 @@ services: allowed_sender_domain: true matrix: - file: matrix_riot.yml + file: matrix_element.yml domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.80.0 postgres_version: 15-alpine allowed_sender_domain: true - riot: + element: domains: - "riot.{{ base_domain }}" - "element.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/riot" + volume_folder: "{{ volume_root_folder }}/element" version: v1.11.28 privatebin: diff --git a/roles/docker/files/configs/riot/config.json b/roles/docker/files/configs/element/config.json similarity index 100% rename from roles/docker/files/configs/riot/config.json rename to roles/docker/files/configs/element/config.json diff --git a/roles/docker/files/configs/riot/riot.im.conf b/roles/docker/files/configs/element/riot.im.conf similarity index 100% rename from roles/docker/files/configs/riot/riot.im.conf rename to roles/docker/files/configs/element/riot.im.conf diff --git a/roles/docker/files/configs/matrix/vhost-riot b/roles/docker/files/configs/matrix/vhost-element similarity index 100% rename from roles/docker/files/configs/matrix/vhost-riot rename to roles/docker/files/configs/matrix/vhost-element diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_element.yml similarity index 73% rename from roles/docker/tasks/services/matrix_riot.yml rename to roles/docker/tasks/services/matrix_element.yml index d24c4d8..62df3f3 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_element.yml @@ -1,6 +1,6 @@ # vim: ft=yaml.ansible --- -- name: create matrix volume folders +- name: Create Matrix volume folders file: name: "{{ services.matrix.volume_folder }}/{{ volume }}" state: directory 
@@ -13,42 +13,42 @@ loop_control: loop_var: volume -- name: create matrix DB folder +- name: Create Matrix DB folder file: name: "{{ services.matrix.volume_folder }}/db" state: "directory" -- name: create riot volume folders +- name: Create Element volume folders file: - name: "{{ services.riot.volume_folder }}/{{ volume }}" + name: "{{ services.element.volume_folder }}/{{ volume }}" state: directory loop: - "data" loop_control: loop_var: volume -- name: upload riot config.json +- name: Upload Element config.json template: - src: files/configs/riot/config.json - dest: "{{ services.riot.volume_folder }}/data/config.json" + src: files/configs/element/config.json + dest: "{{ services.element.volume_folder }}/data/config.json" -- name: upload riot.im.conf +- name: Upload Element riot.im.conf template: - src: files/configs/riot/riot.im.conf - dest: "{{ services.riot.volume_folder }}/data/riot.im.conf" + src: files/configs/element/riot.im.conf + dest: "{{ services.element.volume_folder }}/data/riot.im.conf" - name: upload vhost config for matrix domain template: src: files/configs/matrix/vhost-matrix dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}" -- name: upload vhost config for riot domain +- name: Upload vhost config for Element domain template: - src: files/configs/matrix/vhost-riot + src: files/configs/matrix/vhost-element dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}" - loop: "{{ services.riot.domains }}" + loop: "{{ services.element.domains }}" -- name: upload homeserver.yaml +- name: Upload homeserver.yaml template: src: "files/configs/matrix/homeserver.yaml.j2" dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml" @@ -58,7 +58,7 @@ src: "files/configs/matrix/matrix.data.coop.log.config" dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config" -- name: set up matrix and riot +- name: Set up Matrix and Element docker_compose: project_name: matrix pull: true 
@@ -94,7 +94,7 @@ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" element: - image: "avhost/docker-matrix-riot:{{ services.riot.version }}" + image: "avhost/docker-matrix-element:{{ services.element.version }}" restart: unless-stopped networks: - matrix @@ -102,11 +102,11 @@ expose: - 8080 volumes: - - "{{ services.riot.volume_folder }}/data:/data" + - "{{ services.element.volume_folder }}/data:/data" environment: - VIRTUAL_HOST: "{{ services.riot.domains | join(',') }}" + VIRTUAL_HOST: "{{ services.element.domains | join(',') }}" VIRTUAL_PORT: "8080" - LETSENCRYPT_HOST: "{{ services.riot.domains | join(',') }}" + LETSENCRYPT_HOST: "{{ services.element.domains | join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" networks: