Upgrade mailman containers. Add some actual secrets. Add (probably wrong) ips to postfix mynetworks variable.

Reviewed-on: #54

group_vars/all/secrets.yml

@@ -1,54 +1,87 @@
 $ANSIBLE_VAULT;1.1;AES256
-62313439613039363637356330653731356138373839373435306535656137646266633764393537
-3737663637343865303232643632613934313137613536640a633634356338353764366365626266
-66323064346539663435646265346665616465353363623732303563303838356364643734393231
-3161633362383363390a376530393463643838303238386139313661366335386439373734333835
-63323034303732386430313265306465636630356330303431663761363461623530643933393831
-62666438316266396432353663633331343137643265333966636436373730343938623732653030
-62383536373139366239363535353463643961313839376436663830613738303262646639396131
-66656532616231636537623162373965356537336436613130366464393461343730646664356466
-38313439373332306265643039666532363863333364666233333861363832316637383432343464
-64366536613364363265333938643438313837643936323536636335613064623639393437303466
-31333539373130376230323964636335393166306662626131636462656632623635393036663437
-37333735616665383431623266393365613433323335313161316161373637616563626637333861
-37326532303638653139383639383166323361363334306361663261366661613038633464323337
-31393538653830333865373064383837626261663163623664653938303230616334363861346132
-63353036313164313265313134633861633937323335303830336232363939613635303764313063
-33666161356366636139633138653736333662303364333838663033633163613136616639376532
-31373131326264383666326566303930636166653463313630376235663638663937663765306439
-31663039323663633735326266393263633937373339383537623835306431333636316664303864
-63653564313339376135303237626366666164623738626439613562616338663539393635396437
-30333036353035613131613034666262346233336563343531633033343163326264326563643235
-62663538623532333432656435306462663362353630346133373262633630306262626362653733
-65363031346339393632396664363362346236373035376632663466343034376566666563353231
-36623538303262323265616237326630666662646634383962656533636165326665316366643231
-39303465313135616238653664366637356361393165356430636137366236643938316430613838
-65353331636564373136393930303537386335653766363632646433353962613033656434313063
-35653365366332316434373665316230646665613166656230313832356136346439326232343166
-38323934396561386138323739396166303132396234386435633965663139643234396434333163
-66346634393330306638383430616433333361623861623864356563366162313830393334616138
-32346633396662636633373637363262656165316434333139346530303562356236306637643365
-65613361373637383936633431396636356634656333343537353762383537353035616131633732
-38303736636136393039613537613831633139363338656239613261383637653332333737323034
-61303839636330396139346436336663643531613364383134613061646136646236636364636662
-33666564623731343264306638303333326463323363306439333762306434306235643530663931
-63623932373737373539393230326538643739653734306131366365303638313263316635633439
-34343231663761393266636537353330643361306139653734383466666662623931616665663239
-65633136636333316266616433396166326333303033646162656466363931313539343035623666
-63346162386533373334633261383237376330643738663761636166653033303933613630653835
-66313439663732356539363833616338356337666335316136623231383161656362653561653565
-33616437643533386263393733636666373237663132343432636664633535653535316134313266
-66363362383662313632633535613635656364323939313466303634646237653061353766373831
-62303366366564653231613863633564303637346262336535386366663034663832663762666132
-64333630666463653266333430386135386436643939393964303230366538336562333737616639
-65646566663363313430396132653832646263393739656564653138353637373362613261366230
-62616561303735316230626134353266613938326563326232623361656364623062326365343534
-62346433373965336430326632333634306463343934393830393165393933323439393534386665
-32373235353037626638343066386563663431356465353039353338643835653166333761386433
-64333338306661346436373238646134653233666565653834303935303235653661343366653563
-63356566633730303033376230356363326561663232386161333566616334623236663562613234
-63646561623565366332313837353461313566653531356662613663323065613035323731323832
-31386166623935373139356239353037633363313531396466363735613332653430396161303366
-37376238333831306231393433313734303839376132656532616461356662383430303532373937
-39303634303762373736626439323830353665343162363531376134616466303762633535343866
-3162
+62393230613162353938306335363361323162356461613234306332653236326632323038663738
+3832663036633166373961623738323162363532633638350a636565346534616431343862356534
+62306562623663623438623263636262303938303562343463333365613834623434623232303531
+6135343464616438360a383163343838323762626435346564313364376566356638623165363537
+65616337373633613530393361613561333939666131316366303761303964343762306462633038
+36303332336633653432613036346332663863376531623561343433383662623861633862363230
+65316536626365303764393839626364326539336637643631336439653761633730636562653066
+62353637633365336237663935383937633732363830623232376463326132353062336232363539
+64376632616631353138376263383162353866316366316562666538383538633038373535663033
+32663363383037666663373335306138623032343939313436656531616234303763396630663639
+66656538393538666166386635643563633465306662366436383936306233376361663331353630
+64333731396134646236653963356435656535613365353635383734346131383066356431663061
+37333533623439623164323738363035633664353831363162376331613965613635653663303339
+36623035633865633131363061346366643865636433303733613731643863333764313135616433
+30396636653734656631323562343330653839346461653037353439636135316134396533383731
+62303164366366616163656462346264383633353164333335613034363636373339613538376166
+38333238666334656632376465346538323938653661656130313232656137316463346430663134
+36636465356661666138616530326436326238383834336635663963363530316335613233396334
+36346634656331623039383266303437323239646563326161653831363833653338386533616231
+39613939393334353536613262643030323535396634363330396465303230646133356238373865
+62316630303366643965363835336563393838373933393435616532636338376265303830376162
+64653931343464656532373831666663326532373631376265636338323430396666383736636438
+37346535373761663338653035653738396430316261326333313532653638393535386139376266
+32333037303831653364336130646462616537383035633338653435633938303638633364336635
+33343963666162356534656635316261353930336431323539393066333930323236396566356330
+62333162353965616465396365616630313363636135633835353939633662363664343266373562
+36636666343765653530653435316466356139323236356638383230623730643637613633633565
+32353234656233353734653233323563313764613333653331333232653730396635633438633362
+34306337653732646236346361663937616332353765613131393339393766313131633561376430
+62386662393864303865303438616637303363646462313634383431373736643230653665636165
+39636638656534363862633134663962383138656637386462356261336465386431343036646233
+64666166346334333862653035303461626235633830623639643166373238373136343061303837
+39633133653761646231653639653262366334373963343236363233373635306638653865653730
+34616230343637616232313639333136313231393133346532353761623038656531376337333339
+63316364386162616438303263653936643135316661633266613033366232383232356331336133
+35313836363361363637383637643831313238613136396637386136633061666430313963633933
+37343663666130326139643663313534313835643162363566396430363831343965613363366161
+30353165313932623536393734306461616662663763333031623738383437643862623632656161
+31323432633962613366306435626339663638633931323161373331353635306536623836376432
+37373033306530623162316430613933366331303766386538396666346464363662646639643634
+31373064646630343035326336376464663231343239643137353731303761643037313561313039
+32613631353862376230316130333936376565373961383838383932396363396533316530383830
+37386139396637613131366161376431323565643434333531656330643331653734393038303336
+31366538663231623937653730326264633531623333363932656138396637303932333662383935
+39323437396361613038376335353732333839383965313262643165363635386231666634653665
+63333034663735623438393063333064363133396537646433383861613337313631633634343063
+34303065343965343633653331393131613334356162323466656164343730323032396134303763
+63393835646361316530643932613531326235313961663937653264656535623932303038616662
+39336136346361636132303434373461333466333833313139346531303837306238613664613731
+33363766393862663336383930326638346132326138623537656263366262353637626436313736
+32643837303761336230353037663235323265313939323436323736366565663533626365376361
+62633730373864386438653137326136373866363164616633636137356133643330623035323838
+33326137393937383833346537633361383966313230636133363663373638373864393838636161
+64386631366530653063656634336537396330633763336235393538356139323565336134326337
+61633330333164643166373064623032356135623336393262386461646535326462393638373866
+37626266393962393564306530336462323137386434626363383365366238636235356432323533
+65343262666162643932393061363531346464393363623037366639376536386234646135646330
+36623837356637353132643435633632356266323830653866393636316130306538336334376234
+36303265363037306436346666376337653837373839313732386131306535666639653733353737
+66353531623431663532623865373931656233333234356532363730643234633963653435356237
+61633134333536616235626666333738613637366264613961333663336330653132313234653132
+39383336623736333634633863356366383430306465373932366534626131343236336439343663
+38643133626566366163653164356436313661626432653435616630336563386466383939613038
+30336433663563343532663032633161363535643962646161396531646130343431663863633736
+33656437363432623135313163323064353863303164656661633161616536313165383939663935
+65393164363533663934643034316332643137643861333233303062333138633337323330323865
+63633538626537363739623132336466393835316565633936616562656466316363623432303231
+37383465393034346130616632616539653735323730633035333138373632313662373566373265
+63623761323763616634343966386233306435633965633764363133306531363739613039386231
+39376432656662653165373162623565393964396538653065343164663233313465363537663963
+35326461313761363734306664623265663335333661633732626233323332383335613437633936
+66383031363332353937303165643864666236356133643861373032613366333837356434613437
+63346637316465306330306135343338623238363139633939653730323961353630353365323938
+30373165336337303434316336363737623439306633306363383433383666653661613030393466
+35323762616664393838396365636334626130663839666438633361356164663562303930623664
+39653235646230363031613061383563663761636131623064633265363737633433623130316234
+32643836393530373535353732373730303932313131653465353432353065326566633965656531
+64323462616638646234636662346532663964366538653934646538303237366531613939666338
+64643666626338333036363234663664326439306432353833633637373439616661666434313831
+34383334386538656564653862333565623165316439666235376535396232336263663033396532
+31393866636661303934306536343065366265376131326238616338336161646139393464346534
+34643664646535316133636236356430316434613762313738623066653336616339383366653934
+32663930333366623032663838656632643532303136663664303035346237616630653262346461
+33343066346233313534323831646139636263306132666563333963633664323463333262316664
+65636635333562636333303964666164393533653033336539663162333764376362373165613734
+6366393631666464616334646262316161363136646334356133

group_vars/all/secrets.yml.contents

@@ -0,0 +1,37 @@
+# These are the variables contained in secrets.yml
+# Secrets are usually 32 characters or more, matching [a-Z0-9]
+
+postgres_passwords:
+  fider: xxx
+  nextcloud: xxx
+  passit: xxx
+  gitea: xxx
+  matrix: xxx
+  codimd: xxx
+  mailu: xxx
+  ttrss: xxx
+
+fider_jwt_secret: xxx
+
+ldap_admin_password: xxx
+ldap_config_password: xxx
+
+passit_secret_key: xxx
+
+docker_password: xxx
+
+mailu_secret_key: xxx
+
+drone_secrets:
+  oauth_client_id: xxx
+  oauth_client_secret: xxx
+  rpc_shared_secret: xxx
+
+restic_secrets:
+  user_secret: xxx
+  encryption_secret: xxx
+
+mailman_secrets:
+  postgres_password: xxx
+  hyperkitty_api_key: xxx
+  django_secret_key: xxx

playbook.yml

@@ -23,9 +23,11 @@
       - docker_registry
       - drone
       - websites
+      - ulovliglogning-dk
       - ouroboros
       - mailu
       - portainer
+#      - tt-rss
 
     smtp_host: "postfix"
     smtp_port: "587"

roles/docker/defaults/main.yml

@@ -19,6 +19,7 @@ gitea:
 
 passit:
   domain: "passit.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/passit"
 
 fider:
   domain: "feedback.{{ base_domain }}"
@@ -28,7 +29,9 @@ matrix:
   volume_folder: "{{ volume_root_folder }}/matrix"
 
 riot:
-  domain: "riot.{{ base_domain }}"
+  domains: 
+  - "riot.{{ base_domain }}"
+  - "element.{{ base_domain }}"
   volume_folder: "{{ volume_root_folder }}/riot"
 
 privatebin:
@@ -49,10 +52,25 @@ docker_registry:
   password: "{{ docker_password }}"
 
 data_coop_website:
-  domain: "{{ base_domain }}"
+  domains: 
+  - "{{ base_domain }}"
+  - "www.{{ base_domain }}"
 
 cryptohagen_website:
-  domain: "cryptohagen.dk"
+  domains: 
+  - "cryptohagen.dk"
+  - "www.cryptohagen.dk"
+
+ulovliglogning_website:
+  domains: 
+  - "ulovliglogning.dk"
+  - "www.ulovliglogning.dk"
+  - "ulovlig-logning.dk"
+
+cryptoaarhus_website:
+  domains: 
+  - "cryptoaarhus.dk"
+  - "www.cryptoaarhus.dk"
 
 drone:
   domain: "drone.{{ base_domain }}"
@@ -69,3 +87,6 @@ portainer:
   domain: "portainer.{{ base_domain }}"
   volume_folder: "{{ volume_root_folder }}/portainer"
 
+ttrss:
+  domain: rss.{{ base_domain }}
+  volume_folder: "{{ volume_root_folder }}/tt-rss"

roles/docker/files/configs/matrix/homeserver.yaml

@@ -54,6 +54,10 @@ soft_file_limit: 0
 # Set to false to disable presence tracking on this homeserver.
 use_presence: true
 
+# If set to 'false', forbids any other homeserver to fetch the server's public
+# rooms directory via federation.
+allow_public_rooms_over_federation: true
+
 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
 #gc_thresholds: [700, 10, 10]
@@ -411,7 +415,7 @@ uploads_path: "/data/uploads"
 
 # The largest allowed upload size in bytes
 #
-max_upload_size: "10M"
+max_upload_size: "50M"
 
 # Maximum number of pixels that will be thumbnailed
 #
@@ -881,7 +885,7 @@ password_config:
 
 # Whether to allow non server admins to create groups on this server
 #
-enable_group_creation: false
+enable_group_creation: true
 
 # If enabled, non server admins can only create groups with local parts
 # starting with this prefix

roles/docker/files/configs/matrix/vhost-matrix

@@ -1 +1,2 @@
-listen 8008;
+listen 8008;
+client_max_body_size 50M; # default is 1M

roles/docker/files/configs/matrix/vhost-riot

@@ -0,0 +1 @@
+client_max_body_size 50M; # default is 1M

roles/docker/files/configs/riot/config.json

@@ -1,7 +1,7 @@
 {
     "default_hs_url": "https://{{ matrix.domain }}",
     "default_is_url": "https://vector.im",
-    "brand": "riot.data.coop",
+    "brand": "element.data.coop",
     "integrations_ui_url": "https://scalar.vector.im/",
     "integrations_rest_url": "https://scalar.vector.im/api",
     "integrations_widgets_urls": [

roles/docker/tasks/services.yml

@@ -3,14 +3,6 @@
   docker_network:
     name: external_services
 
-- name: setup network for postfix
-  docker_network:
-    name: postfix
-    ipam_options:
-      subnet: '172.16.0.0/16'
-      gateway: 172.16.0.1
-
-
 - name: setup services
   include_tasks: "services/{{ item }}.yml"
   with_items: "{{ services }}"

roles/docker/tasks/services/drone.yml

@@ -1,21 +1,51 @@
 ---
-- name: Drone container
-  docker_container:
-    name: drone
-    image: drone/drone:latest
-    restart_policy: unless-stopped
-    networks:
-      - name: external_services
-    volumes:
-      - "{{ drone.volume_folder }}:/data"
-      - "/var/run/docker.sock:/var/run/docker.sock"
-    env:
-      DRONE_GITEA_SERVER: "https://{{ gitea.domain }}"
-      DRONE_GITEA_ALWAYS_AUTH: "False"
-      DRONE_RUNNER_CAPACITY: "2"
-      DRONE_SERVER_HOST: "{{ drone.domain }}"
-      DRONE_SERVER_PROTO: "https"
-      PLUGIN_CUSTOM_DNS: "91.239.100.100"
-      VIRTUAL_HOST: "{{ drone.domain }}"
-      LETSENCRYPT_HOST: "{{ drone.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+- name: set up drone with docker runner
+  docker_compose:
+    project_name: drone
+    pull: yes
+    definition:
+      version: "3.6"
+      services:
+        drone:
+          container_name: "drone"
+          image: drone/drone:1
+          restart: unless-stopped
+          networks:
+            - external_services
+            - drone
+          volumes:
+            - "{{ drone.volume_folder }}:/data"
+            - "/var/run/docker.sock:/var/run/docker.sock"
+          environment:
+            DRONE_GITEA_SERVER: "https://{{ gitea.domain }}"
+            DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
+            DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
+            DRONE_GIT_ALWAYS_AUTH: "true"
+            DRONE_SERVER_HOST: "{{ drone.domain }}"
+            DRONE_SERVER_PROTO: "https"
+            DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+            PLUGIN_CUSTOM_DNS: "91.239.100.100"
+            VIRTUAL_HOST: "{{ drone.domain }}"
+            LETSENCRYPT_HOST: "{{ drone.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+        drone-runner-docker:
+          container_name: "drone-runner-docker"
+          image: "drone/drone-runner-docker:1"
+          restart: unless-stopped
+          networks:
+            - drone
+          volumes:
+            - "/var/run/docker.sock:/var/run/docker.sock"
+          environment:
+            DRONE_RPC_HOST: "{{ drone.domain }}"
+            DRONE_RPC_PROTO: "https"
+            DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+            DRONE_RUNNER_CAPACITY: 2
+            DRONE_RUNNER_NAME: "data.coop_drone_runner"
+
+      networks:
+        drone:
+        external_services:
+          external:
+            name: external_services

roles/docker/tasks/services/gitea.yml

@@ -1,9 +1,13 @@
 ---
+- name: gitea network
+  docker_network:
+    name: gitea
+
 # old DNS: 138.68.71.153
 - name: gitea container
   docker_container:
     name: gitea
-    image: gitea/gitea:latest
+    image: gitea/gitea:1.12.3
     restart_policy: unless-stopped
     networks:
       - name: gitea

roles/docker/tasks/services/mailman.yml

@@ -1,68 +1,72 @@
 ---
 
 - name: run mailman server containers
-  docker_service:
+  docker_compose:
+    project_name: "mailman"
     definition:
       version: '2'
 
       services:
-        mailman-core:
-          image: maxking/mailman-core:0.2
-          container_name: mailman-core
-          hostname: mailman-core
-          volumes:
-            - /opt/mailman/core:/opt/mailman/
-          stop_grace_period: 30s
-          links:
-            - database:database
-          depends_on:
-            - database
-          environment:
-            - DATABASE_URL=postgres://mailman:mailmanpass@database/mailmandb
-            - DATABASE_TYPE=postgres
-            - DATABASE_CLASS=mailman.database.postgresql.PostgreSQLDatabase
-            - HYPERKITTY_API_KEY={{ hyperkitty_api_key }}
-          networks:
-            mailman:
-              ipv4_address: 172.19.199.2
-
         mailman-web:
-          image: maxking/mailman-web:0.2
-          container_name: mailman-web
-          hostname: mailman-web
+          image: maxking/mailman-web:0.3.5
           depends_on:
             - database
           links:
-            - mailman-core:mailman-core
             - database:database
           volumes:
             - /opt/mailman/web:/opt/mailman-web-data
           environment:
-            - DATABASE_TYPE=postgres
-            - DATABASE_URL=postgres://mailman:{{ postgresql}}@database/mailmandb
-            - HYPERKITTY_API_KEY={{ hyperkitty_api_key }}
+            DATABASE_TYPE: "postgres"
+            DATABASE_URL: "postgres://mailman:{{ mailman_secrets.postgres_password }}@database/mailmandb"
+            HYPERKITTY_API_KEY: "{{ mailman_secrets.hyperkitty_api_key }}"
+            SERVE_FROM_DOMAIN: "lists.data.coop"
+            MAILMAN_ADMIN_USER: "valberg"
+            MAILMAN_ADMIN_EMAIL: "valberg@orn.li"
+            SECRET_KEY: "{{ mailman_secrets.django_secret_key }}"
+            VIRTUAL_HOST: "lists.data.coop"
+            VIRTUAL_PORT: 8000
+            LETSENCRYPT_HOST: "lists.data.coop"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
           networks:
-            mailman:
-              ipv4_address: 172.19.199.3
+            - "mailman"
+            - "postfix"
+            - "external_services"
+
+        mailman-core:
+          image: maxking/mailman-core:0.3
+          volumes:
+            - /opt/mailman/core:/opt/mailman/
+          stop_grace_period: 30s
+          links:
+            - mailman-web:mailmain-web
+            - database:database
+          depends_on:
+            - database
+          environment:
+            DATABASE_URL: "postgres://mailman:{{ mailman_secrets.postgres_password }}@database/mailmandb"
+            DATABASE_TYPE: "postgres"
+            DATABASE_CLASS: "mailman.database.postgresql.PostgreSQLDatabase"
+            HYPERKITTY_API_KEY: "{{ mailman_secrets.hyperkitty_api_key }}"
+          networks:
+            - "mailman"
+            - "postfix"
+            - "external_services"
 
         database:
           environment:
             POSTGRES_DB: mailmandb
             POSTGRES_USER: mailman
-            POSTGRES_PASSWORD: mailmanpass
+            POSTGRES_PASSWORD: "{{ mailman_secrets.postgres_password }}"
           restart: always
-          image: postgres:9.6-alpine
+          image: postgres:13
           volumes:
             - /opt/mailman/database:/var/lib/postgresql/data
           networks:
-            mailman:
-              ipv4_address: 172.19.199.4
+            - "mailman"
 
       networks:
-         mailman:
-           driver: bridge
-           ipam:
-             driver: default
-             config:
-             -
-      subnet: 172.19.199.0/24
+        mailman:
+        postfix:
+          external: true
+        external_services:
+          external: true

roles/docker/tasks/services/mailu.yml

@@ -38,7 +38,7 @@
     force: yes
 
 - name: run mail server containers
-  docker_service:
+  docker_compose:
     project_name: mail_server
     pull: yes
     definition:
@@ -78,6 +78,7 @@
             - "993:993"
             - "25:25"
             - "587:587"
+            - "465:465"
           networks:
             - default
             - external_services

roles/docker/tasks/services/matrix_riot.yml

@@ -46,6 +46,11 @@
     src: files/configs/matrix/vhost-matrix
     dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}"
 
+- name: upload vhost config for riot domain
+  template:
+    src: files/configs/matrix/vhost-riot
+    dest: "{{ nginx.volume_folder }}/vhost/{{ riot.domains[0] }}"
+
 - name: upload homeserver.yaml
   template:
     src: "files/configs/matrix/homeserver.yaml"
@@ -57,7 +62,7 @@
     dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config"
 
 - name: set up matrix and riot
-  docker_service:
+  docker_compose:
     project_name: matrix
     pull: yes
     definition:
@@ -77,17 +82,18 @@
 
         matrix_app:
           container_name: matrix
-          image: matrixdotorg/synapse:v0.99.2
+          image: matrixdotorg/synapse:v1.18.0
           restart: unless-stopped
           networks:
             - matrix
-            - external_services 
+            - external_services
           ports:
             - 8008
-          volumes: 
+          volumes:
             - "{{ matrix.volume_folder }}/data:/data"
           environment:
             SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
+            SYNAPSE_CACHE_FACTOR: "2"
             SYNAPSE_LOG_LEVEL: "INFO"
             VIRTUAL_HOST: "{{ matrix.domain }}"
             VIRTUAL_PORT: "8008"
@@ -96,7 +102,7 @@
 
         riot:
           container_name: riot_app
-          image: avhost/docker-matrix-riot:v1.0.3
+          image: avhost/docker-matrix-riot:v1.7.3
           restart: unless-stopped
           networks:
             - matrix
@@ -104,14 +110,14 @@
           ports:
             - 8080
           volumes:
-            - "{{ riot.volume_folder }}/data:/data"  
+            - "{{ riot.volume_folder }}/data:/data"
           environment:
-            VIRTUAL_HOST: "{{ riot.domain }}"
+            VIRTUAL_HOST: "{{ riot.domains|join(',') }}"
             VIRTUAL_PORT: "8080"
-            LETSENCRYPT_HOST: "{{ riot.domain }}"
+            LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}"
             LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
 
-      networks:     
+      networks:
         external_services:
           external:
             name: external_services

roles/docker/tasks/services/netdata.yml

@@ -21,5 +21,7 @@
       LETSENCRYPT_HOST: "{{ netdata.domain }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
       PGID: "999"
+    labels:
+      com.ouroboros.enable: "true"
 
 

roles/docker/tasks/services/ouroboros.yml

@@ -14,5 +14,5 @@
       LABELS_ONLY: "true"
       CLEANUP: "true"
       LATEST: "true"
-      CRON: "*/1 * * * *"
+      CRON: "*/10 * * * *"
       

roles/docker/tasks/services/passit.yml

@@ -1,45 +1,47 @@
 ---
 
-- name: passit network
-  docker_network:
-    name: passit
+- name: setup passit containers
+  docker_compose:
+    project_name: "passit"
+    pull: "yes"
+    definition:
+      version: "3.6"
+      services:
 
-- name: passit database volume
-  docker_volume:
-    name: passit_db
+        passit_db:
+          image: "postgres:10"
+          restart: "always"
+          networks:
+            - "passit"
+          volumes:
+            - "{{ passit.volume_folder }}/data:/var/lib/postgresql/data"
+          environment:
+            POSTGRES_USER: "passit"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
 
-- name: passit database container
-  docker_container:
-    name: passit_db
-    image: postgres:10
-    state: started
-    restart_policy: always
-    networks:
-      - name: passit
-    volumes:
-      - passit_db:/var/lib/postgresql/data
-    env:
-      POSTGRES_USER: passit
-      POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
+        passit_app:
+          image: "passit/passit:stable"
+          command: "bin/start.sh"
+          restart: "always"
+          networks:
+            - "passit"
+            - "postfix"
+            - "external_services"
+          environment:
+            DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
+            SECRET_KEY: "{{ passit_secret_key }}"
+            IS_DEBUG: 'False'
+            EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
+            DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
+            EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
 
-- name: passit app container
-  docker_container:
-    name: passit
-    image: passit/passit:stable
-    command: bin/start.sh
-    restart_policy: always
-    networks:
-      - name: passit
-      - name: postfix
-      - name: external_services
-    env:
-      DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
-      SECRET_KEY: "{{ passit_secret_key }}"
-      IS_DEBUG: 'False'
-      EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
-      DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
-      EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
+            VIRTUAL_HOST: "{{ passit.domain }}"
+            LETSENCRYPT_HOST: "{{ passit.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
 
-      VIRTUAL_HOST: "{{ passit.domain }}"
-      LETSENCRYPT_HOST: "{{ passit.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      networks:
+        passit:
+        postfix:
+          external: true
+        external_services:
+          external: true

roles/docker/tasks/services/portainer.yml

@@ -8,7 +8,7 @@
 - name: run portainer
   docker_container:
     name: portainer
-    image: portainer/portainer
+    image: portainer/portainer-ce:2.0.1
     restart_policy: always
     networks:
       - name: external_services
@@ -19,5 +19,6 @@
       - 9001:9000
     env:
       VIRTUAL_HOST: "{{ portainer.domain }}"
+      VIRTUAL_PORT: "9000"
       LETSENCRYPT_HOST: "{{ portainer.domain }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/postfix.yml

@@ -1,6 +1,21 @@
 ---
 
+- name: setup network for postfix
+  docker_network:
+    name: postfix
+    ipam_config:
+      - subnet: '172.16.0.0/16'
+        gateway: 172.16.0.1
+
 - name: setup postfix docker container for outgoing mail
+  vars:
+    mynetworks:
+      - 127.0.0.0/8
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      - 172.19.199.2
+      - 172.19.199.3
   docker_container:
     name: postfix
     image: boky/postfix
@@ -9,4 +24,4 @@
       - name: postfix
     env:
       ALLOWED_SENDER_DOMAINS: "{{ base_domain }}"
-
+      MYNETWORKS: "{{ mynetworks|join(',') }}"

roles/docker/tasks/services/restic-backup.yml

@@ -0,0 +1,38 @@
+---
+- name: setup restic backup
+  docker_compose:
+    project_name: restic_backup
+    pull: yes
+    definition:
+      version: '3.6'
+      services:
+        restic-backup:
+          image: mazzolino/restic
+          restart: always
+          environment:
+            RUN_ON_STARTUP: "true"
+            BACKUP_CRON: "0 30 3 * * *"
+            RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen" 
+            RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
+            RESTIC_BACKUP_SOURCES: "/mnt/volumes"
+            RESTIC_BACKUP_ARGS: >-
+              --tag datacoop-volumes
+              --exclude='*.tmp'
+              --verbose
+            RESTIC_FORGET_ARGS: >-
+              --keep-last 10
+              --keep-daily 7
+              --keep-weekly 5
+              --keep-monthly 12
+            TZ: Europe/Copenhagen
+          volumes:
+            - /docker-volumes:/mnt/volumes:ro
+        
+        restic-prune:
+          image: "mazzolino/restic"
+          environment:
+            RUN_ON_STARTUP: "true"
+            PRUNE_CRON: "0 0 4 * * *"
+            RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
+            RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
+            TZ: Europe/copenhagen

roles/docker/tasks/services/tt-rss.yml

@@ -0,0 +1,53 @@
+---
+- name: create tt-rss folders
+  file:
+    name: "{{ ttrss.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "config"
+    - "db"
+  loop_control:
+    loop_var: volume
+
+- name: "set up tt-rss"
+  docker_compose:
+    project_name: "tt-rss"
+    pull: yes
+    definition:
+      version: "3.6"
+      services:
+        ttrss_db:
+          container_name: "ttrss_db"
+          image: "postgres:11"
+          restart: "unless-stopped"
+          networks:
+            - "ttrss"
+          volumes:
+            - "{{ ttrss.volume_folder }}/db:/var/lib/postgresql/data"
+          environment:
+            POSTGRES_USER: "ttrss"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.ttrss }}"
+
+        ttrss_app:
+          container_name: ttrss_app
+          image: "linuxserver/tt-rss"
+          restart: unless-stopped
+          networks:
+            - ttrss
+            - external_services 
+          volumes: 
+            - "{{ ttrss.volume_folder }}/config:/config"
+          environment:
+            VIRTUAL_HOST: "{{ ttrss.domain }}"
+            LETSENCRYPT_HOST: "{{ ttrss.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+            TZ: "Europe/Copenhagen"
+          labels:
+            com.ouroboros.enable: "true"   
+
+      networks:     
+        external_services:
+          external:
+            name: external_services
+        ttrss:
+          name: "ttrss"

roles/docker/tasks/services/ulovliglogning-dk.yml

@@ -0,0 +1,13 @@
+- name: setup ulovliglogning.dk website docker container
+  docker_container:
+    name: ulovliglogning_website
+    restart_policy: unless-stopped
+    image: ulovliglogning/ulovliglogning.dk:latest
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"

roles/docker/tasks/services/websites.yml

@@ -8,11 +8,25 @@
     networks:
       - name: external_services
     env:
-      VIRTUAL_HOST : "{{ data_coop_website.domain }}"
-      LETSENCRYPT_HOST: "{{ data_coop_website.domain }}"
+      VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
     labels:
-      com.ouroboros.enable: "true"    
+      com.ouroboros.enable: "true"
+
+- name: setup new data.coop website using hugo
+  docker_container:
+    name: new.data.coop_website
+    image: docker.data.coop/data-coop-website:hugo
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"
 
 - name: setup cryptohagen.dk website docker container
   docker_container:
@@ -22,8 +36,22 @@
     networks:
       - name: external_services
     env:
-      VIRTUAL_HOST : "{{ cryptohagen_website.domain }}"
-      LETSENCRYPT_HOST: "{{ cryptohagen_website.domain }}"
+      VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
     labels:
       com.ouroboros.enable: "true"  
+
+- name: setup cryptoaarhus.dk website docker container
+  docker_container:
+    name: cryptoaarhus_website
+    restart_policy: unless-stopped
+    image: docker.data.coop/cryptoaarhus-website
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"

roles/docker/templates/mailu.env.j2

@@ -41,7 +41,7 @@ POSTMASTER=admin
 TLS_FLAVOR=mail
 
 # Authentication rate limit (per source IP address)
-AUTH_RATELIMIT=10/minute;1000/hour
+AUTH_RATELIMIT=120/minute;1200/hour
 
 # Opt-out of statistics, replace with "True" to opt out
 DISABLE_STATISTICS=False

roles/ubuntu_base/tasks/base.yml

@@ -1,5 +1,5 @@
 ---
-- name: Install necessary packages
+- name: Install necessary packages via apt
   apt:
     name: "{{ packages }}"
   vars:
@@ -8,4 +8,11 @@
     - python3-pip
     - apparmor
     - haveged
-    
+
+- name: Install necessary packages via pip
+  pip:
+    name: "{{ packages }}"
+  vars:
+    packages:
+      - docker
+      - docker-compose