Upgrade

This required restructuring users.yml.

ansible.cfg

@@ -1,2 +1,3 @@
 [defaults]
 remote_user = root
+inventory = datacoop_hosts

datacoop_hosts

@@ -1,3 +1,3 @@
 ######################################
 ### All hosts
-85.235.225.231 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3
+85.209.118.131 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3

deploy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-BASE_CMD="ansible-playbook playbook.yml -i datacoop_hosts --ask-vault-pass"
+BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
 
 if [ -z "$1" ]; then
     echo "Deploying all!"

group_vars/all/secrets.yml

@@ -1,73 +1,144 @@
 $ANSIBLE_VAULT;1.1;AES256
-34376131343263336262656463373830643861336631626539643663333239313831626236306530
+31306164623264616463396230366434306365373135343931323331383866613138316334316538
-3335623130653432636133356363656465346366303062370a346130326536366638633536613161
+3438343537333866353334646637633731643132323163340a613034626335613934396235666163
-62623334363537636634373231353564396362343330623562383939373538633066616565306235
+36333730376435393436323937323036366137366231626263376165306137613961383933383436
-3332323863353334640a396462313862366362366535383737376333383361303065383937396530
+3166393134323736390a383666623161316133313163383036356264353733643562663362616161
-38326331396333396263363762346331356431623532343938613834663830393337646666336435
+31393930613562613735643438303561346538386461333435393334376133376539643139376435
-66356439333434356165613030306138666163653934386233663362646534303737323030636234
+31363737343234353234356430663531643861306463663739626666373336663339613361393531
-31616132613830363136666639386462363135656432373236393034316664363637663336366435
+38663237366566663135393661386334316661303163613837313837316666343065643430363535
-64373238633064623735666335636231656231666434383066313336303137333663333031363638
+61333633616532613033383366386461386638363466323333306532363232333030616563616561
-31643733336535383338376631656439633962653262356335383638373764353530643234303935
+63346633333666373861333737383934336562613134376632303761363838346630333364643437
-62383930393634613530643739643335616164633038326638356135623561326165376530363461
+31386332353830333036326530656530653339316137396538386639396638643231396237653430
-37373032393331653261373538633065333662393366666161396638383932393331623766343035
+30303733333337663130333239643161666634613231623066323333373865303730326265646666
-30333335663039323931306162313538373334393335306132626336643363323839633761383063
+30666430656266343530326133633962613764646335313738333232313334633138366237373339
-35343632363837383132656437303138303764316439343663303964396463363638336533653930
+61396363343131376237656438343138333031306262383635306564343734663037323634616436
-39303236353766373131623363653835666439333164366563346164626464633633363163323864
+38306633316262393965336332636466643261666133373166366636306161363839616439343831
-65363961393237666433623565343832306663323862666333343665376135646132363466616364
+33646262616134626564396237663662343761326366666539626135343365396666666631376363
-62356331666432336661343762333961333634396466333465633164326239386266643230393566
+32616562336533343733613536373038643862623863616463633537303237363839613830323832
-36376461373631636630303861313538333834646461663539623738636636626537656438646431
+32323038306266363031656134376636316431663962653731613761363666313437313832363565
-38383436393238363038313563633634396335346138626666366437333433383039363332623639
+65643339626165663864383035376164323834333762656438656462386234623461663034616330
-31396165346431333838393164616339656634346561313737306562343562323030613266633263
+35373633626239393966333236613536623230326262633835383635633066393132343964633736
-61333263653938653034356631333664323630306461346532626533363665363133376232316132
+64353161323630313461323565333535613532663137376461333133633564326665356430303536
-61346431383230656134373630653264363430383561313866363235333435633966386266653964
+63636135393137346135306339373839336438333334306461366330353264613766366564613933
-33363534343634343232373036633330613038303437333033313061313932373739343663303931
+66383065343134623564333730656362336662326535643330636533666435643364353665653137
-34333833386638353436653831623835323032303134366635613735643662636336616464313330
+35346365373735663466373832343431646533663231643461343839643235396239326261303333
-36633335613630663233326166633565386238656236633261396235363165656333333235643137
+62346463646162646566623838613864303535643834383331346532343134663163653038376463
-32623461663562313533333835396233383330613661646431646365343430626662326638653330
+30626531646364363763613937386235363136326336386636333337656462303032386239613661
-38646232386263356566373561353130616539346630613363313163363262356264653233313862
+62656661313538663639393132363862316530396532383538326166626662633765353062396438
-34386331363236386534353534616531643264613764343362646366393435383332653664353363
+37396666333036343964386139313031393835336362316336626135373561396330383135333238
-62333935363132373434613038353632643336633136656266316466373734646234636638316265
+65643166656533383138353134633565396435333230306432343834643063303035363435633035
-62646261396465623561633964313065626361316630353965616233356565343834656563353830
+35636163626130363134383663653834646332666232326236633861346166333266306336353465
-38346361336237646331366632633130613330336637326163663463386233643734356165666431
+63363263376533303531343164303739663737616433346537653638663334343830323363343731
-61396263656237333138356231306437653337656133663031303031616437633564613733316264
+38373963666466323664396236326663343334313235346436363933656666613530303231653731
-63633930353033636235653961393330326635626666626235336334653762373262633739356263
+34323465636135383166333533613431333531626163366137393332643765306461333037616161
-32323532333463653937386430663437303238313130643435353739393639303033343865323736
+37383737653532626237633331306639343339356238393964353335333637353466393463366235
-35366139643166626364373663333266376133636433653261316566366630396666336637326664
+31633965303433333631313362626263633334326630653461353666356165333933363735323339
-30343039633133626435363364346666613732666335313865326234366136366130616334396338
+33333465613962363763653838306630626261613266366237663430353332626661396364396336
-61663461623432303930623261336464643830303631396430363637383838616432356634303332
+66376564616664363764623566323365313833653931343965613532306362373139323038366336
-61346536313035376139313638393737393136643366366364363862383335353533313534366534
+62653738303037656639636430383734333634666233363736303065396438306636383364383466
-61356136366465373530393835613834366665653334376539303462336138646438653039306261
+66303438313536666665633537316432313132356434353864383033343666306162626464626334
-36613736323566636634666331396463623439323063356232306631616135623231336439303739
+36363036376234663665666664316633383861313365363561383538393061353537633030353265
-65393837653837336235396532323465656463636238643038383363616633383866333633663831
+66303030306562626565626231663037323939386365393365376537633263343935363136366634
-61363634356634636265663837306232303362313564323463303363323931396438646337363161
+33613036343439386334333639363637313566623733643437363666333066393262373331666336
-61313033343532336563393632373830326631616462616263346363636566663966396330386464
+39653662303634343561616162386433653365326530386333366664353237356466333063386332
-62613039323065343838653439303333396536366537313335353834613338623961646235633764
+32623135336131663236383730636363333038356135633337646464396235373866323739326365
-30333032323333663530613736313765343364363433366436666134623663653336386632333437
+66313739376538356536396561333033623339306331656561643637316439383363346338636463
-64386639636237333138323431333234316432366236613530376234636438356531636630396431
+32666161323530643535333366313334323532666435633061333934623462666638383837333537
-63643833366136363962346632616161363565336163313764383030303337346565613939383563
+37363031303661616366616363633361323031346362393664653039323865656433633262386265
-65306137633965326534356666346238363137323233336561643333386265613863396338383134
+61383233393033623834353965663837646663633133353936373237356636303037656463323264
-35363135303232376364306234323435356330333061613663326563343533636165356537336536
+36636161326339313666373134633139326365646265643164623430636138666130663934633037
-61656131343966346365396133666662393930663237643134383963303766306534633034356335
+63653038373965316535633136663031383230393565396339316538656230646366373435363763
-37633732393266633965616330643061616664336430643630633033326335643438373737653164
+61383364343566663538323234373633393065633866613338363233373532313232356266333464
-34633737303533666335306466306330343233326531343065666138633166383664333130653864
+35646239373531373465333564343463616633346633393434363231633438386337663438396233
-37623730333532633936316461333066313065316664383934343731616430366135346138663531
+64323437346662616431383365636430386537316535303130633539303933303664663764333066
-33353134333934376663336366663036383630393031303731653332373335333131633136616537
+37306662393463363564373836333533616130646364396532363033626131363836353762616565
-33666266373439346633373735643339653333626237623530346436306438396332613863346264
+37623537346632633739666138616361636364643262613836646162656564373462386564333736
-30346431393735326566393633626535383538343866653262653330366330623930646631663961
+66613861646666656632396139316361343333373438366664663639336337366530366561626364
-38656138313932623131613537376139666137653063313339666333313364343738306439656264
+61646663633666393135613530373064313135613636623462616661353565653931643039626134
-32346533646465376135376531383132396337653966393133316436616563613135353863653064
+64666537303437653838613463653465643737383962643937343632356565333734373634396465
-31373466616135393036333037623164346539323463333037613030386666396363353364396439
+37383865313031636164626361346365373530626636343735636261343533636235663863346238
-39616536646638623739623834363662643566393430623632646434336162316362653434343337
+39353035326464383433633833613739616561336631663537323634623661653965326263633966
-36623334303866343533623538663531303366343136636631376334653636313264376330313836
+64353232363263323564323464353633343232643133323565653366633035646234666130613364
-66333131343062373138663330313633623166303337306466313362343034316364666666373965
+37643361373430643064386335636237333839653163623631663230613935613563353433366435
-36373933343338646333373962623034353631623535306230346663373530346438386334303536
+36303739316663363832316663666263663566373063633632303734333066613135633532346265
-62366666646263303764303330353835633163363666303133333730343263613039346162356532
+32396466626433383037346465653534643738613130616362396630373131653739373636356163
-37323133613037313430366238313261633165643563666239623730653164666264633964626461
+39333437393364363130313561303736373038343362636137333537316530363039316261313561
-31323536623335636333393338333166346336323132373466396432613133613933356232373532
+61343238623731623032346664326639353565386230333565373233333362306665663166666161
-30653564323031636231343232646165653163393663663731313033323763663965356466366562
+65323436303438663861303735643135336361336332643838393865623539633462396131366536
-33303830656238653164646161366265636566393436323135356630393033316337363361306363
+65363030376534333263323664353536316239363835343063363662613939656437343733306239
-30393766636237336466353431616130653961326431323161313234333963643032393061303265
+35663331643463336465313137306631613732623864356233303439343930646430643138643064
-33396664336535353164643462303636616265306338333634376664323837303238623638313266
+33643963643764393466393963613539363137313634333661356437383231636162396365366239
-37643861343034646532626164353238373031633861623663316638333039643036353932323962
+31313561373137626434323061343064613862376139303031623735383566343462616265313832
-39616136653639313232326362663834333363633562646563393561396464383765616230333230
+35623365343037643435343638363836373963383934653434333635346430613763613863636630
-39663939326332333362
+61313533303631333564383530653333326464626536646334323761343131373835323261316466
+64663431376632366437663430316138333238313637666634373132643430306635616331656364
+39666461663830666634363938653638663238343837336466383539656162366332626235303332
+32393738376266323330383932666564333337353866313134326634373263346233646238303639
+62393661636431343663393135656439353137396535663131323264636261393436356234393139
+36623830323435653733353066613461626338626438626533363938666139643037373264393735
+33326363303936346362646532626531343039386133643439613239636232636138636161623861
+37373030656336303430656536396332613763313338653337326334303664356136626336383065
+37326332623231353939623763616464663166336163616235663639353863386238363933616234
+30373737653661626464666233363438343566323530613866346261333262316332303437303239
+61616138303432393566356463643730323765323430303065656532353338636533326438653533
+33613332333664366333663735323332386234376137613837643434646539653964303432393864
+38333332343536313865303331623330393039383136643932373331356436373634663737626239
+34626133363236343931383665333634303763323265613931653865636439353362623264323033
+30633133643933393161306233343734646431326538663164616361626266646565663939366261
+30623932356433303765343730646166653362626463323564656163613131646466323336643938
+64613232666261396232316332386165383465356639663762373138323066643232396266323738
+61633938393131366431613966383133356334383830653264383739346333366564666135326431
+31306230333933656339626461643365316465616334336133666431616461383632383436356534
+39376430616235326337373566383463396131613537643535376230303832333565353737353130
+65383365636362393863373334336366356164346637323231643336393336613636376235333437
+62336562343132623565303130393562383736303439313235323631343539343836623337646331
+65633535373139663231633337626263363936366238633231666533646539343334313964643061
+33623739643262333232653335393561353739323433313466393432353665333339653761393635
+36383238653936383836396436383861353365373033316434353965656635666338626539643638
+36313162376666653933363036666564363563353836613637653266313936333731653563326330
+31626366386535376262626565333034396338326163376237366564336430643765613539613236
+37313036383631663363663064393365313538313663386563613864626365376330356333356562
+37386432393230353666613339343736336236653865353036356536626265636135373431383534
+63346436326131346230326564336436616430636664326231663464616334366461623733353734
+34646633653030366535373961633663353239373162303431303238366133393066663161616361
+62366262626131386163616534383064326466643437366631366464326366306666326637306263
+32663637363562336637333230346432353562323233373065303534666239656263356462393465
+36626436393232646362643731613636643436323261656566396136376538633930383566396139
+66356562613237303533353063616433346231623931656362623733356537663661616361653438
+30383937623565306635663235656239303865643933343231366463636331653337316231383763
+64643332626339386265633965396239383161366133626538346365316130323561656237353164
+33643365353435386632366231343533623964343938336431386462316638333132353231363836
+36666666643335353432353638613663613961343163653039393362396361626162633862363233
+64313865356562643765303739366338313039643738373134326634613532343832366532656136
+34656237376232646565366466336432376264303039333339393538666133313633393761353966
+32636430633137663336353839616431646232636436336661643039643566613835373030626465
+31313630346562313365376539346164313265653934383662663863376434383363323435383364
+32626632333666303232323563613663363063386238303865323935313639623839393331323562
+34666661366139633933366164663532653131666162663632396130333737313663383464316431
+30366133666437363466316536356232353832356136643036663463316338343435316535353762
+31356233633734616134373161316436353938323537663562376230376361653561316139343933
+64346336613764366334666162316533363930623735363461663965646566303530313061623662
+38643964326135363234343762626164353161323962636530656533353032333264333036396265
+39366263643535343731353065336130333430663135323665613638303863343138313033356630
+64363430663537306334636435346335653261643339636436383261346461353034633636373337
+34343534636234306662616564616134636530363362326639346138393430343562386166663539
+65656136373438623436663836646132363530316630393533356539343463616232353938663165
+30306135333130643666616161303530626436626463663931346362303530666665646131656462
+62643037373138313635643939636230663731386565333165333865383936376438323536383666
+64313335653364346664653239633164393133376138333231353032623966393437373064616462
+36336639316463623432653861666261346531623264336535616633646335663837383236343031
+36303237636234356631663538626535356536333336323964313862353432356533633161306439
+61366364643137633839313964383538343763616163346434356633386563323636353138336234
+38393438653637386364613734373837366562356266383238663764656263383737353034343232
+35386166396163323738666137616564666638616532366564366432326532623833313939646665
+64656634336635303235303465396462626565386133623866306532353730323932613361346330
+38376362656466343562636539313264643330353139336139653866383935373930636230393161
+39396662653637636637333965623763343136623632396535623131303764353539393362663165
+64326337663137326432373864643438653836303538653138643534383765653239353633393162
+35653465636437393135303238343664386633396239323437396531656332653534383834356438
+32373463653863333161326266306135356238343737623735383764313366663136363533663936
+64656561646661336261633161633532353766333230306565616638343330643033613366363566
+63396463386266346161376535363339653437306664626134303037656663356432333466393332
+66613365306536333134643763376166646561326330326335363235393437313632326162333136
+35643833376365616337376365343230343437333461356135333338363966666435323831616135
+623538643430323665623033623939656232

group_vars/all/secrets.yml.contents

@@ -10,6 +10,8 @@ postgres_passwords:
   codimd: xxx
   mailu: xxx
   ttrss: xxx
+  keycloak: xxx
+  mastodon: xxx
 
 fider_jwt_secret: xxx
 
@@ -30,3 +32,23 @@ drone_secrets:
 restic_secrets:
   user_secret: xxx
   encryption_secret: xxx
+
+matrix_secrets:
+  registration_shared_secret: xxx
+  macaroon_secret_key: xxx
+  form_secret: xxx
+
+keycloak_secrets:
+  admin_user: xxx    //used for setting up the initial admin user on first run
+  admin_password: xxx
+
+mastodon_secrets:
+  secret_key_base: xxx
+  otp_secret: xxx
+  vapid_private_key: xxx
+  vapid_public_key: xxx
+
+mailman_secrets:
+  postgres_password: xxx
+  hyperkitty_api_key: xxx
+  django_secret_key: xxx

group_vars/all/vars.yml

@@ -1,24 +1,28 @@
 ---
 users:
-  graffen:
+  - name: graffen
     comment: Jesper Hess Nielsen
-    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbxFVukt5TIzoB0HX2q8b8lHJmXD1juzsWOu5XkexVDlCsvupa1cZ/OVkrIEAbDKk6RmJQj0TJ2O5+v9hbf0TDi0Pi+V8ADZIgO+OW5a4EeXsU72a4CN0nEocQhUPfQuC4IU+F7icoG2/I9jXg7U6p1LhBr8vlC3cNHnrH3yqrakrUR51/iRVIwo4FKvQg7jutaKTyOjlYa1uTdaczvAzNHWEdytCQgFnkzpR9fHvzkA79qHUD9n32rIpJicRJsHY3NnyDGfBcDv+4sLq15sM9jN83duGnSuMMtZgfSriwMUd/UwVReU2ZKxjMLe3WHB7+ZE/p39OJk/gjVfWJVh/za1/teTAwaLLmxh/HFt+AVYWkCj22fUxscl0dh2zy6Ki1Ua3ApChn6v6Gvng6khobFlxawSJZ49+0KoAl1qqFMR1o9EGWvqgDPuITAqJFN+ik0jxcxfmKrG3mbOYM1ikhJd0ER8wbS8e6NowHUBV7PUyDqxP5VM2gum58IYrDqaP2RYYi9vWWnXJJA8J1t+Wp3bF7fdktyVgkd7HQk02uVkxdMQQ802GCrQQuvJhWTCzrgkgrjPY8p0KcbCNt6jYQOUKV0T2vp6PbTJ5XWKb5u7gVXW1xiP9dYzgAr0DroiTK4xIuF80mv1Rfst0ceHAIQVcQ3GcGbh000QUYzbHT2Q== openpgp:0x265EE03C (Graffen)
     password: $6$6bgPWZ76LvB$DZ3ipFsFtL2b1nSC0AQ63k8ibJidyIE9iIsWWzY0fux0ynz9L/o7b2sR2XYSaDuG.jewFV36IGStTF3NCZRC30
     groups:
       - sudo
+    keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbxFVukt5TIzoB0HX2q8b8lHJmXD1juzsWOu5XkexVDlCsvupa1cZ/OVkrIEAbDKk6RmJQj0TJ2O5+v9hbf0TDi0Pi+V8ADZIgO+OW5a4EeXsU72a4CN0nEocQhUPfQuC4IU+F7icoG2/I9jXg7U6p1LhBr8vlC3cNHnrH3yqrakrUR51/iRVIwo4FKvQg7jutaKTyOjlYa1uTdaczvAzNHWEdytCQgFnkzpR9fHvzkA79qHUD9n32rIpJicRJsHY3NnyDGfBcDv+4sLq15sM9jN83duGnSuMMtZgfSriwMUd/UwVReU2ZKxjMLe3WHB7+ZE/p39OJk/gjVfWJVh/za1/teTAwaLLmxh/HFt+AVYWkCj22fUxscl0dh2zy6Ki1Ua3ApChn6v6Gvng6khobFlxawSJZ49+0KoAl1qqFMR1o9EGWvqgDPuITAqJFN+ik0jxcxfmKrG3mbOYM1ikhJd0ER8wbS8e6NowHUBV7PUyDqxP5VM2gum58IYrDqaP2RYYi9vWWnXJJA8J1t+Wp3bF7fdktyVgkd7HQk02uVkxdMQQ802GCrQQuvJhWTCzrgkgrjPY8p0KcbCNt6jYQOUKV0T2vp6PbTJ5XWKb5u7gVXW1xiP9dYzgAr0DroiTK4xIuF80mv1Rfst0ceHAIQVcQ3GcGbh000QUYzbHT2Q== openpgp:0x265EE03C (Graffen)
 
-  valberg:
+  - name: valberg
     comment: Vidir Valberg Gudmundsson
-    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
     password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
     groups:
       - sudo
+    keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
 
-  reynir:
+  - name: reynir
     comment: Reynir Björnsson
-    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
     password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
     groups:
       - sudo
+    keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv
 
 volume_root_folder: "/docker-volumes"

roles/docker/defaults/main.yml

@@ -12,6 +12,7 @@ thelounge:
 
 nextcloud:
   domain: "cloud.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/nextcloud"
 
 gitea:
   domain: "git.{{ base_domain }}"
@@ -39,9 +40,13 @@ privatebin:
   volume_folder: "{{ volume_root_folder }}/privatebin"
 
 codimd:
-  domain: "pad.{{ base_domain }}"
+  domain: "oldpad.{{ base_domain }}"
   volume_folder: "{{ volume_root_folder }}/codimd"
 
+hedgedoc:
+  domain: "pad.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/hedgedoc"
+
 netdata:
   domain: "netdata.{{ base_domain }}"
 
@@ -76,13 +81,22 @@ drone:
   domain: "drone.{{ base_domain }}"
   volume_folder: "{{ volume_root_folder }}/drone"
 
+mail_subnet_base: "192.168.203"
+
 mailu:
   version: 1.6
   domain: "mail.{{ base_domain }}"
-  dns: 192.168.203.254
+  dns: "{{ mail_subnet_base }}.254"
-  subnet: 192.168.203.0/24
+  subnet: "{{ mail_subnet_base }}.0/24"
   volume_folder: "{{ volume_root_folder }}/mailu"
 
+mailman:
+  domain: "lists.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/mailman"
+  core_ip: "{{ mail_subnet_base }}.12"
+  web_ip: "{{ mail_subnet_base }}.13"
+  database_ip: "{{ mail_subnet_base }}.14"
+
 portainer:
   domain: "portainer.{{ base_domain }}"
   volume_folder: "{{ volume_root_folder }}/portainer"
@@ -90,3 +104,19 @@ portainer:
 ttrss:
   domain: rss.{{ base_domain }}
   volume_folder: "{{ volume_root_folder }}/tt-rss"
+
+keycloak:
+  domain: sso.{{ base_domain }}
+  volume_folder: "{{ volume_root_folder }}/keycloak"
+
+postfix:
+  allowed_sender_domains:
+  - "services.{{ base_domain }}"
+  - "{{ passit.domain }}"
+  - "{{ fider.domain }}"
+  - "{{ gitea.domain }}"
+  - "{{ mastodon.domain }}"
+
+mastodon:
+  domain: "social.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/mastodon"

roles/docker/files/configs/mastodon/env_file.j2

@@ -0,0 +1,59 @@
+# This is a sample configuration file. You can generate your configuration
+# with the `rake mastodon:setup` interactive setup wizard, but to customize
+# your setup even further, you'll need to edit it manually. This sample does
+# not demonstrate all available configuration options. Please look at
+# https://docs.joinmastodon.org/admin/config/ for the full documentation.
+
+# Note that this file accepts slightly different syntax depending on whether
+# you are using `docker-compose` or not. In particular, if you use
+# `docker-compose`, the value of each declared variable will be taken verbatim,
+# including surrounding quotes.
+# See: https://github.com/mastodon/mastodon/issues/16895
+
+# Federation
+# ----------
+# This identifies your server and cannot be changed safely later
+# ----------
+LOCAL_DOMAIN={{ mastodon.domain }}
+
+# Redis
+# -----
+REDIS_HOST=redis
+REDIS_PORT=6379
+
+# PostgreSQL
+# ----------
+DB_HOST=db
+DB_USER=postgres
+DB_NAME=mastodon
+DB_PASS={{ postgres_passwords.mastodon }}
+DB_PORT=5432
+
+# ------------------------
+ES_ENABLED=false
+
+# Secrets
+# -------
+# Make sure to use `rake secret` to generate secrets
+# -------
+SECRET_KEY_BASE={{ mastodon_secrets.secret_key_base }}
+OTP_SECRET={{ mastodon_secrets.otp_secret }}
+
+# Web Push
+# --------
+# Generate with `rake mastodon:webpush:generate_vapid_key`
+# --------
+VAPID_PRIVATE_KEY={{ mastodon_secrets.vapid_private_key }}
+VAPID_PUBLIC_KEY={{ mastodon_secrets.vapid_public_key }}
+
+# Sending mail
+# ------------
+SMTP_SERVER={{ smtp_host }}
+SMTP_PORT={{ smtp_port }}
+SMTP_LOGIN=
+SMTP_PASSWORD=
+SMTP_FROM_ADDRESS=notifications@{{ mastodon.domain }}
+
+# File storage (optional)
+# -----------------------
+S3_ENABLED=false

roles/docker/files/configs/mastodon/vhost-mastodon

@@ -0,0 +1,2 @@
+listen 3000;
+client_max_body_size 50M; # default is 1M

roles/docker/files/configs/matrix/homeserver.yaml.j2

@@ -577,7 +577,7 @@ turn_allow_guests: True
 ## Registration ##
 
 # Enable registration for new users.
-enable_registration: True
+enable_registration: False
 
 # The user must provide all of the below types of 3PID when registering.
 #
@@ -604,7 +604,7 @@ enable_registration: True
 # If set, allows registration by anyone who also has the shared
 # secret, even if registration is otherwise disabled.
 #
-registration_shared_secret: "jnJ5gfTj_qi#H0:vnPZx7OH*Qz.9u4cxpq.wHcHEAfuhcMgpxG"
+registration_shared_secret: "{{ matrix_secrets.registration_shared_secret }}"
 
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@@ -699,7 +699,7 @@ track_appservice_user_ips: False
 # the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
-macaroon_secret_key: "PLawJ8o.Q_.pR3Rr.vJO3=F&eAe=b~g6hVOKbrRrSl#w5Eqr8X"
+macaroon_secret_key: "{{ matrix_secrets.macaroon_secret_key }}"
 
 # Used to enable access token expiration.
 #
@@ -709,7 +709,7 @@ expire_access_token: False
 # falsification of values. Must be specified for the User Consent
 # forms to work.
 #
-form_secret: "ssHGS0,URi,oQ8~Upfi53meultXQ-Vo-r5XgKjP.u42qL;WGc-"
+form_secret: "{{ matrix_secrets.form_secret }}"
 
 ## Signing Keys ##
 

roles/docker/files/mailman/mailman-extra.cfg

@@ -0,0 +1,10 @@
+[mta]
+incoming: mailman.mta.postfix.LMTP
+outgoing: mailman.mta.deliver.deliver
+# mailman-core hostname or IP from the Postfix server
+lmtp_host: localhost
+lmtp_port: 8024
+# Postfix server's hostname or IP from mailman-core
+smtp_host: smtp
+smtp_port: 25
+configuration: /etc/postfix-mailman.cfg

roles/docker/files/mailman/postfix.cf

@@ -0,0 +1,11 @@
+append_at_myorigin=no
+append_dot_mydomain=no
+recipient_delimiter = +
+unknown_local_recipient_reject_code = 550
+owner_request_special = no
+virtual_mailbox_maps = regexp:/opt/mailman-core-data/postfix_lmtp \$virtual_alias_maps
+transport_maps = regexp:/opt/mailman-core-data/postfix_lmtp
+local_recipient_maps = regexp:/opt/mailman-core-data/postfix_lmtp
+relay_domains = regexp:/opt/mailman-core-data/postfix_domains
+always_add_missing_headers = yes
+local_header_rewrite_clients = permit_sasl_authenticated

roles/docker/files/sso/sso.data.coop.pem

@@ -0,0 +1 @@
+MIICszCCAZsCBgF8WpKKwTANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJkYXRhLmNvb3Agc2VydmljZXMwHhcNMjExMDA3MTE0MzQ1WhcNMzExMDA3MTE0NTI1WjAdMRswGQYDVQQDDBJkYXRhLmNvb3Agc2VydmljZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdV0stfU8aA1bi+GYd/a5DOyoox01BgzWwBFqVjlo80frsOsH8g814eDuMuff/UJy+2YxaozYQGxP+DcOVXi+0Fts9zjRj6wa6HCQqiR/SNUa69fGHcyAo2Tr0faxOyf3QMBqIngTRZB99quNMuAM96RCg25LtDaaWjNVxdHlj78+kU1bQXExp0ZfELlKGtllWP07cyz4nGfZmuK1AiWSsRbDIbyK5dvzw/pMS1kexh6ylnQu1iLqD3vYZBUDX9lPNkavTYZNCEL4ElUvR81S0ko2zkYAUiuVTtTUKucc98dTRhkuV4YCiiW6UQGY/jzmXYBfpzAY3n5eH5iUu/tRXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFQc8ytexKiXOIGrSYYtFaF/lxv8AwMgsndv8YxJ+x/cUwN9tdmA8IAZDIS13qBrCOdZE4pJ/09VkYdErcpbtV7PWC3LDv/c2qakyiBUYZj4WgJio+oD0GCqXsby3aqJeVt9cJr4gSsXxn1c+7GV7p/gc/2FFmlWcqMN/2F7LvFvObu55QlppWZrn8kreaUQmRuTTIviFQRmvrmwKyK52LEcK7qoh/v1aHyYDl91gu3nLMEluz6hy3UEPYgpdH1t2C7K0Kjri25pJNGCFrpKjWWveteKazUeDd4adHMiw2MVfeEyTCXEFoaxQS9QmbmhSMRhiHjbdffL7xi//aSh1bo=

roles/docker/tasks/services/gitea.yml

@@ -7,10 +7,11 @@
 - name: gitea container
   docker_container:
     name: gitea
-    image: gitea/gitea:1.12.3
+    image: gitea/gitea:1.15.7
     restart_policy: unless-stopped
     networks:
       - name: gitea
+      - name: postfix
       - name: external_services
     volumes:
       - "{{ gitea.volume_folder }}:/data"
@@ -21,3 +22,16 @@
       VIRTUAL_PORT: "3000"
       LETSENCRYPT_HOST: "{{ gitea.domain }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      # Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
+      # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
+      GITEA__mailer__ENABLED: "true"
+      GITEA__mailer__FROM: "noreply@{{ gitea.domain }}"
+      GITEA__mailer__MAILER_TYPE: "smtp"
+      GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
+      GITEA__mailer__USER: "noop"
+      GITEA__mailer__PASSWD: "noop"
+      GITEA__security__LOGIN_REMEMBER_DAYS: "60"
+      GITEA__security__PASSWORD_COMPLEXITY: "off"
+      GITEA__security__MIN_PASSWORD_LENGTH: "8"
+      GITEA__security__PASSWORD_CHECK_PWN: "true"
+      GITEA__service__ENABLE_NOTIFY_MAIL: "true"

roles/docker/tasks/services/hedgedoc.yml

@@ -0,0 +1,66 @@
+---
+- name: create hedgedoc volume folders
+  file:
+    name: "{{ hedgedoc.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "db"
+    - "hedgedoc/uploads"
+  loop_control:
+    loop_var: volume
+
+- name: copy sso public certificate
+  copy:
+    src: "files/sso/sso.data.coop.pem"
+    dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem"
+    mode: "0644"
+
+- name: setup hedgedoc
+  docker_compose:
+    project_name: "hedgedoc"
+    pull: "yes"
+    definition:
+      services:
+        database:
+          image: "postgres:10-alpine"
+          environment:
+            POSTGRES_USER: "codimd"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
+            POSTGRES_DB: "codimd"
+          restart: "unless-stopped"
+          networks:
+            - "hedgedoc"
+          volumes:
+            - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
+        
+        app:
+          image: quay.io/hedgedoc/hedgedoc:1.9.0
+          environment:
+            CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
+            CMD_DOMAIN: "{{ hedgedoc.domain }}"
+            CMD_ALLOW_EMAIL_REGISTER: "False"
+            CMD_IMAGE_UPLOAD_TYPE: "filesystem"
+            CMD_EMAIL: "False"
+            CMD_SAML_IDPCERT: "/sso.data.coop.pem"
+            CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
+            CMD_SAML_ISSUER: "hedgedoc"
+            CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+            CMD_USECDN: "false"
+            CMD_PROTOCOL_USESSL: "true"
+            VIRTUAL_HOST: "{{ hedgedoc.domain }}"
+            LETSENCRYPT_HOST: "{{ hedgedoc.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+          volumes:
+            - "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
+            - "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
+          restart: "unless-stopped"
+          networks: 
+            - "hedgedoc"
+            - "external_services"
+          depends_on:
+            - database
+
+      networks: 
+        hedgedoc:
+        external_services:
+          external: true

roles/docker/tasks/services/keycloak.yml

@@ -0,0 +1,45 @@
+- name: setup keycloak containers for sso.data.coop
+  docker_compose:
+    project_name: "keycloak"
+    pull: "yes"
+    definition:
+      version: "3.6"
+      services:
+
+        postgres:
+          image: "postgres:10"
+          restart: "unless-stopped"
+          networks:
+            - "keycloak"
+          volumes:
+            - "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data"
+          environment:
+            POSTGRES_USER: "keycloak"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
+            POSTGRES_DB: "keycloak"
+
+        app:
+          image: "quay.io/keycloak/keycloak:15.0.2"
+          restart: "unless-stopped"
+          networks:
+            - "keycloak"
+            - "postfix"
+            - "external_services"
+          environment:
+            VIRTUAL_HOST: "{{ keycloak.domain }}"
+            VIRTUAL_PORT: "8080"
+            LETSENCRYPT_HOST: "{{ keycloak.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+            DB_USER: "keycloak"
+            DB_PASSWORD: "{{ postgres_passwords.keycloak }}"
+            DB_ADDR: "keycloak_postgres_1"
+            #KEYCLOAK_USER: "{{ keycloak_secrets.admin_user }}" # Only used for the first run of the application to set up the admin user
+            #KEYCLOAK_PASSWORD: "{{ keycloak_secrets.admin_password }}"
+            PROXY_ADDRESS_FORWARDING: "true"
+             
+      networks:
+        keycloak:
+        postfix:
+          external: true
+        external_services:
+          external: true

roles/docker/tasks/services/mailman.yml

@@ -0,0 +1,97 @@
+---
+
+- name: copy nginx configuration to link static files
+  template:
+    src: "templates/mailman/nginx_vhost"
+    dest: "{{ nginx.volume_folder }}/vhost/lists.data.coop"
+    mode: "0644"
+
+- name: run mailman server containers
+  docker_compose:
+    project_name: "mailman"
+    definition:
+      version: '3'
+
+      services:
+
+        mailman-core:
+          image: maxking/mailman-core:0.3.11
+          volumes:
+            - "{{ volume_root_folder }}/mailman/core:/opt/mailman"
+          stop_grace_period: 30s
+          links:
+            - mailman-web:mailmain-web
+            - database:database
+          depends_on:
+            - database
+          environment:
+            DATABASE_URL: "postgres://mailman:{{ mailman_secrets.postgres_password }}@172.19.199.4/mailmandb"
+            DATABASE_TYPE: "postgres"
+            DATABASE_CLASS: "mailman.database.postgresql.PostgreSQLDatabase"
+            HYPERKITTY_API_KEY: "{{ mailman_secrets.hyperkitty_api_key }}"
+            HYPERKITTY_URL: http://172.19.199.3:8000/hyperkitty
+            MTA: "postfix"
+            SMTP_HOST: "{{ smtp_host }}"
+            SMTP_PORT: "{{ smtp_port }}"
+            SMTP_HOST_USER: "noop"
+            MM_HOSTNAME: "172.19.199.2"
+          networks:
+            mailman:
+              ipv4_address: 172.19.199.2
+            postfix:
+            external_services:
+
+        mailman-web:
+          image: maxking/mailman-web:0.3.11
+          depends_on:
+            - database
+          links:
+            - database:database
+          volumes:
+            - "{{ volume_root_folder }}/mailman/web:/opt/mailman-web-data"
+          environment:
+            DATABASE_TYPE: "postgres"
+            DATABASE_URL: "postgres://mailman:{{ mailman_secrets.postgres_password }}@172.19.199.4/mailmandb"
+            HYPERKITTY_API_KEY: "{{ mailman_secrets.hyperkitty_api_key }}"
+            DJANGO_ALLOWED_HOSTS: "lists.data.coop"
+            SERVE_FROM_DOMAIN: "lists.data.coop"
+            MAILMAN_ADMIN_USER: "valberg"
+            MAILMAN_ADMIN_EMAIL: "valberg@orn.li"
+            MAILMAN_REST_URL: "http://172.19.199.2:8001"
+            SECRET_KEY: "{{ mailman_secrets.django_secret_key }}"
+            SMTP_HOST: "{{ smtp_host }}"
+            SMTP_PORT: "{{ smtp_port }}"
+            VIRTUAL_HOST: "lists.data.coop"
+            VIRTUAL_PORT: 8000
+            LETSENCRYPT_HOST: "lists.data.coop"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+          networks:
+            mailman:
+              ipv4_address: 172.19.199.3
+            postfix:
+            external_services:
+
+        database:
+          image: postgres:13
+          restart: always
+          environment:
+            POSTGRES_DB: mailmandb
+            POSTGRES_USER: mailman
+            POSTGRES_PASSWORD: "{{ mailman_secrets.postgres_password }}"
+          volumes:
+            - "{{ volume_root_folder }}/mailman/database:/var/lib/postgresql/data"
+          networks:
+            mailman:
+              ipv4_address: 172.19.199.4
+
+      networks:
+        mailman:
+          driver: bridge
+          ipam:
+            driver: default
+            config:
+              - subnet: 172.19.199.0/24
+        postfix:
+          external: true
+        external_services:
+          external: true

roles/docker/tasks/services/mailu.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: create mailu volume folders
+- name: "[Mailu] create mailu volume folders"
   file:
     name: "{{ mailu.volume_folder }}/{{ volume }}"
     state: directory
@@ -17,12 +17,12 @@
   loop_control:
     loop_var: volume
 
-- name: upload mailu.env file
+- name: "[Mailu] upload mailu.env file"
   template:
     src: mailu.env.j2
     dest: "{{ mailu.volume_folder}}/mailu.env"
 
-- name: hard link to Let's Encrypt TLS certificate
+- name: "[Mailu] hard link to Let's Encrypt TLS certificate"
   file:
     src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem"
     dest: "{{ mailu.volume_folder }}/certs/cert.pem"
@@ -30,20 +30,40 @@
     force: yes
 
 
-- name: hard link to Let's Encrypt TLS key
+- name: "[Mailu] hard link to Let's Encrypt TLS key"
   file:
     src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem"
     dest: "{{ mailu.volume_folder }}/certs/key.pem"
     state: hard
     force: yes
 
-- name: run mail server containers
+- name: "[Mailman] copy nginx configuration to link static files"
+  template:
+    src: mailman/nginx_vhost.j2
+    dest: "{{ nginx.volume_folder }}/vhost/{{ mailman.domain }}"
+    mode: "0644"
+
+- name: "[Mailman] copy postfix override"
+  copy:
+    src: mailman/postfix.cf
+    dest: "{{ mailu.volume_folder }}/overrides/postfix.cf"
+    mode: "0644"
+
+- name: "[Mailman] copy mailman config"
+  copy:
+    src: mailman/mailman-extra.cfg
+    dest: "{{ mailman.volume_folder }}/core/mailman-extra.cfg"
+    mode: "0644"
+
+- name: Start containers
   docker_compose:
     project_name: mail_server
     pull: yes
     definition:
       version: '3.6'
       services:
+
+        ### Mailu containers ###
         redis:
           image: redis:alpine
           restart: always
@@ -117,6 +137,7 @@
           env_file: "{{ mailu.volume_folder}}/mailu.env"
           volumes:
             - "{{ mailu.volume_folder }}/overrides:/overrides"
+            - "{{ mailman.volume_folder }}/core/var/data:/opt/mailman-core-data/"
           depends_on:
             - front
             - resolver
@@ -149,6 +170,73 @@
           dns:
             - "{{ mailu.dns }}"
 
+        ### Mailman containers ###
+        mailman-core:
+          image: maxking/mailman-core:0.4
+          volumes:
+            - "{{ mailman.volume_folder }}/core:/opt/mailman"
+          stop_grace_period: 30s
+          links:
+            - mailman-web:mailmain-web
+            - database:database
+          depends_on:
+            - database
+          environment:
+            DATABASE_URL: "postgres://mailman:{{ mailman_secrets.postgres_password }}@{{ mailman.database_ip }}/mailmandb"
+            DATABASE_TYPE: "postgres"
+            DATABASE_CLASS: "mailman.database.postgresql.PostgreSQLDatabase"
+            HYPERKITTY_API_KEY: "{{ mailman_secrets.hyperkitty_api_key }}"
+            HYPERKITTY_URL: "http://{{ mailman.web_ip }}:8000/hyperkitty"
+            MTA: "postfix"
+            SMTP_HOST: smtp
+            MM_HOSTNAME: "{{ mailman.core_ip }}"
+          networks:
+            default:
+              ipv4_address: "{{ mailman.core_ip }}"
+            external_services:
+
+        mailman-web:
+          image: maxking/mailman-web:0.4
+          depends_on:
+            - database
+          links:
+            - database:database
+          volumes:
+            - "{{ mailman.volume_folder }}/web:/opt/mailman-web-data"
+          environment:
+            DATABASE_TYPE: "postgres"
+            DATABASE_URL: "postgres://mailman:{{ mailman_secrets.postgres_password }}@{{ mailman.database_ip }}/mailmandb"
+            HYPERKITTY_API_KEY: "{{ mailman_secrets.hyperkitty_api_key }}"
+            DJANGO_ALLOWED_HOSTS: "{{ mailman.domain }}"
+            SERVE_FROM_DOMAIN: "{{ mailman.domain }}"
+            MAILMAN_ADMIN_USER: "valberg"
+            MAILMAN_ADMIN_EMAIL: "valberg@orn.li"
+            MAILMAN_REST_URL: "http://{{ mailman.core_ip }}:8001"
+            MAILMAN_HOST_IP: "{{ mailman.core_ip }}"
+            SECRET_KEY: "{{ mailman_secrets.django_secret_key }}"
+            SMTP_HOST: smtp
+            VIRTUAL_HOST: "{{ mailman.domain }}"
+            VIRTUAL_PORT: 8000
+            LETSENCRYPT_HOST: "{{ mailman.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+          networks:
+            default:
+              ipv4_address: "{{ mailman.web_ip }}"
+            external_services:
+
+        mailman-database:
+          image: postgres:13
+          restart: always
+          environment:
+            POSTGRES_DB: mailmandb
+            POSTGRES_USER: mailman
+            POSTGRES_PASSWORD: "{{ mailman_secrets.postgres_password }}"
+          volumes:
+            - "{{ mailman.volume_folder }}/database:/var/lib/postgresql/data"
+          networks:
+            default:
+              ipv4_address: "{{ mailman.database_ip }}"
+
       networks:
         default:
           driver: bridge

roles/docker/tasks/services/mastodon.yml

@@ -0,0 +1,118 @@
+- name: create mastodon volume folders
+  file:
+    name: "{{ mastodon.volume_folder }}/{{ volume }}"
+    state: directory
+    owner: "991"
+    group: "991"
+  loop:
+    - "postgres_data"
+    - "redis_data"
+    - "mastodon_data"
+  loop_control:
+    loop_var: volume
+
+- name: Copy mastodon environment file
+  template:
+    src: files/configs/mastodon/env_file.j2
+    dest: "{{ mastodon.volume_folder }}/env_file"
+
+- name: upload vhost config for root domain
+  template:
+    src: files/configs/mastodon/vhost-mastodon
+    dest: "{{ nginx.volume_folder }}/vhost/{{ mastodon.domain }}"
+
+- name: set up mastodon
+  docker_compose:
+    project_name: mastodon
+    pull: yes
+    definition:
+      version: '3'
+      services:
+        db:
+          restart: always
+          image: postgres:14-alpine
+          shm_size: 256mb
+          networks:
+            - internal_network
+          healthcheck:
+            test: ['CMD', 'pg_isready', '-U', 'postgres']
+          volumes:
+            - "{{ mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
+          environment:
+            - 'POSTGRES_HOST_AUTH_METHOD=trust'
+
+        redis:
+          restart: always
+          image: redis:6-alpine
+          networks:
+            - internal_network
+          healthcheck:
+            test: ['CMD', 'redis-cli', 'ping']
+          volumes:
+            - "{{ mastodon.volume_folder }}/redis_data:/data"
+
+        web:
+          image: tootsuite/mastodon
+          restart: always
+          env_file: "{{ mastodon.volume_folder }}/env_file"
+          command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
+          networks:
+            - external_services
+            - internal_network
+          healthcheck:
+            # prettier-ignore
+            test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
+          ports:
+            - '127.0.0.1:3000:3000'
+          depends_on:
+            - db
+            - redis
+          volumes:
+            - "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
+          environment:
+            VIRTUAL_HOST: "{{ mastodon.domain }}"
+            VIRTUAL_PORT: "3000"
+            LETSENCRYPT_HOST: "{{ mastodon.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+        streaming:
+          image: tootsuite/mastodon
+          restart: always
+          env_file: "{{ mastodon.volume_folder }}/env_file"
+          command: node ./streaming
+          networks:
+            - external_services
+            - internal_network
+          healthcheck:
+            # prettier-ignore
+            test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
+          ports:
+            - '127.0.0.1:4000:4000'
+          depends_on:
+            - db
+            - redis
+
+        sidekiq:
+          image: tootsuite/mastodon
+          restart: always
+          env_file: "{{ mastodon.volume_folder }}/env_file"
+          command: bundle exec sidekiq
+          depends_on:
+            - db
+            - redis
+          networks:
+            - postfix
+            - external_services
+            - internal_network
+          volumes:
+            - "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
+          healthcheck:
+            test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
+
+      networks:
+        external_services:
+          external: true
+        postfix:
+          external: true
+        internal_network:
+          internal: true

roles/docker/tasks/services/matrix_riot.yml

@@ -53,7 +53,7 @@
 
 - name: upload homeserver.yaml
   template:
-    src: "files/configs/matrix/homeserver.yaml"
+    src: "files/configs/matrix/homeserver.yaml.j2"
     dest: "{{ matrix.volume_folder }}/data/homeserver.yaml"
 
 - name: upload matrix logging config
@@ -82,7 +82,7 @@
 
         matrix_app:
           container_name: matrix
-          image: matrixdotorg/synapse:v1.18.0
+          image: matrixdotorg/synapse:v1.47.1
           restart: unless-stopped
           networks:
             - matrix
@@ -102,7 +102,7 @@
 
         riot:
           container_name: riot_app
-          image: avhost/docker-matrix-riot:v1.7.3
+          image: avhost/docker-matrix-riot:v1.9.0
           restart: unless-stopped
           networks:
             - matrix

roles/docker/tasks/services/nextcloud.yml

@@ -1,48 +1,42 @@
 ---
-
+- name: setup nextcloud containers
-- name: nextcloud network
+  docker_compose:
-  docker_network:
+    project_name: "nextcloud"
-    name: nextcloud
+    pull: "yes"
-
+    definition:
-- name: nextcloud database volume
+      services:
-  docker_volume:
+        postgres:
-    name: nextcloud_db
+          image: "postgres:10"
-
+          restart: "unless-stopped"
-- name: nextcloud database container
-  docker_container:
-    name: nextcloud_db
-    image: postgres:10
-    state: started
-    restart_policy: always
           networks:
-      - name: nextcloud
+            - "nextcloud"
           volumes:
-      - nextcloud_db:/var/lib/postgresql/data
+            - "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
-    env:
+          environment: 
-      POSTGRES_DB: somethingelse
+            POSTGRES_DB: "nextcloud"
-      POSTGRES_USER: nextcloud
             POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+            POSTGRES_USER: "nextcloud"
         
-- name: nextcloud app volume
+        app:
-  docker_volume:
+          image: "nextcloud:22-apache"
-    name: nextcloud_app
+          restart: "unless-stopped"
-
-- name: nextcloud app container
-  docker_container:
-    name: nextcloud_app
-    image: nextcloud:apache
-    state: started
-    restart_policy: always
           networks:
-      - name: nextcloud
+            - "nextcloud"
-      - name: external_services
+            - "external_services"
           volumes:
-      - nextcloud_app:/var/www/html
+          - "{{ nextcloud.volume_folder }}/app:/var/www/html"
-    env:
+          environment:
             VIRTUAL_HOST: "{{ nextcloud.domain }}"
             LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
             LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      POSTGRES_HOST: nextcloud_db
+            POSTGRES_HOST: "nextcloud_postgres_1"
-      POSTGRES_DB: nextcloud
+            POSTGRES_DB: "nextcloud"
-      POSTGRES_USER: nextcloud
+            POSTGRES_USER: "nextcloud"
             POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+
+      networks:
+          nextcloud:
+          postfix:
+            external: true
+          external_services:
+            external: true

roles/docker/tasks/services/nginx-proxy.yml

@@ -29,6 +29,7 @@
       - "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
       - "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam"
       - "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro"
+      - "{{ volume_root_folder }}:/docker-volumes/:ro"
       - /var/run/docker.sock:/tmp/docker.sock:ro
 
 - name: nginx letsencrypt container

roles/docker/tasks/services/openldap.yml

@@ -17,7 +17,7 @@
 - name: openLDAP container
   docker_container:
     name: openldap
-    image: osixia/openldap:1.2.2
+    image: osixia/openldap:1.5.0
     tty: true
     interactive: true
     volumes:
@@ -57,7 +57,7 @@
 - name: phpLDAPadmin container
   docker_container:
     name: phpldapadmin
-    image: osixia/phpldapadmin:latest
+    image: osixia/phpldapadmin:0.9.0
     networks:
       - name: external_services
       - name: ldap

roles/docker/tasks/services/portainer.yml

@@ -8,7 +8,7 @@
 - name: run portainer
   docker_container:
     name: portainer
-    image: portainer/portainer-ce:2.0.1
+    image: portainer/portainer-ce:2.9.1
     restart_policy: always
     networks:
       - name: external_services

roles/docker/tasks/services/postfix.yml

@@ -8,12 +8,23 @@
         gateway: 172.16.0.1
 
 - name: setup postfix docker container for outgoing mail
+  vars:
+    mynetworks:
+      - 127.0.0.0/8
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      - 172.19.199.2
+      - 172.19.199.3
+    allowed_sender_domains:
+      - "{{ base_domain }}"
+      - "lists.data.coop"
   docker_container:
     name: postfix
-    image: boky/postfix
+    image: boky/postfix:v3.5.0
-    restart_policy: unless-stopped
+    restart_policy: always
     networks:
       - name: postfix
     env:
-      ALLOWED_SENDER_DOMAINS: "{{ base_domain }}"
+      ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}"
-
+      HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as

roles/docker/templates/mailman/nginx_vhost.j2

@@ -0,0 +1,3 @@
+location /static/ {
+    alias {{ volume_root_folder }}/mailman/web/static/;
+}

roles/ubuntu_base/tasks/base.yml

@@ -8,6 +8,7 @@
     - python3-pip
     - apparmor
     - haveged
+    - mosh
 
 - name: Install necessary packages via pip
   pip:

roles/ubuntu_base/tasks/users.yml

@@ -1,21 +1,25 @@
 ---
 - name: "Add users"
   user:
-    name: "{{ item.key }}"
+    name: "{{ item.name }}"
-    comment: "{{ item.value.comment }}"
+    comment: "{{ item.comment }}"
-    password: "{{ item.value.password }}"
+    password: "{{ item.password }}"
     update_password: "on_create"
-    groups:  "{{ item.value.groups }}"
+    groups:  "{{ item.groups }}"
-  with_dict: "{{ users | default({}) }}"
+  loop: "{{ users | default([]) }}"
 
 - name: "Add ssh authorized_keys"
   authorized_key:
-    user: "{{ item.key }}"
+    user: "{{ item.0.name }}"
-    key: "{{ item.value.key }}"
+    key: "{{ item.1 }}"
-  with_dict: "{{ users | default({}) }}"
+  with_subelements:
+  - "{{ users | default([]) }}"
+  - keys
 
 - name: "Add ssh authorized_keys to root user"
   authorized_key:
     user: "root"
-    key: "{{ item.value.key }}"
+    key: "{{ item.1 }}"
-  with_dict: "{{ users | default({}) }}"
+  with_subelements:
+  - "{{ users | default([]) }}"
+  - keys