Compare commits

..

250 commits

Author SHA1 Message Date
reynir fd2d2e025f Merge pull request 'Upgrade element some more' (#221) from upgrade-element into main
Reviewed-on: #221
2024-10-14 08:16:26 +00:00
Reynir Björnsson 7eb0fe0a3d Upgrade element some more
***Upgrading intensifies***
2024-10-14 10:07:32 +02:00
reynir f52f21e62b Merge pull request 'Upgrade element' (#220) from upgrade-element into main
Reviewed-on: #220
2024-10-14 08:04:42 +00:00
Reynir Björnsson ad9615f52e Upgrade element 2024-10-14 10:01:42 +02:00
Viðir Valberg Guðmundsson b96cbe4ad9 Upgrade matrix (synapse) to 1.114.0. Close #219 2024-09-13 09:58:48 +02:00
Viðir Valberg Guðmundsson eee176aec6 Update secrets. 2024-08-04 06:58:21 +02:00
Viðir Valberg Guðmundsson 5502870384 Add data.coop to postfix ALLOWED_SENDER_DOMAINS. 2024-08-03 20:39:24 +02:00
Viðir Valberg Guðmundsson 3689eb7687 Add stripe secrets. 2024-08-03 00:56:22 +02:00
valberg 717db9055c Merge pull request 'Update environment variables re: data.coop/membersystem#38' (#216) from benjaoming/ansible:membersystem-envs into main
Reviewed-on: #216
Reviewed-by: valberg <valberg@orn.li>
2024-08-02 22:53:04 +00:00
valberg 5ff603393b Update roles/docker/defaults/main.yml 2024-08-02 22:52:37 +00:00
Benjamin Bach c00ab53269
Update environment variables re: data.coop/membersystem#38 2024-08-01 13:46:21 +02:00
Viðir Valberg Guðmundsson 8ae844f2df Bump matrix synapse to v1.110.0. 2024-07-15 10:37:50 +02:00
Viðir Valberg Guðmundsson bd0dc90c44 Bump mastodon to 4.2.10. 2024-07-04 21:04:42 +02:00
Viðir Valberg Guðmundsson abca90c219 Bump forgejo to 7.0.5 2024-07-03 22:09:58 +02:00
Viðir Valberg Guðmundsson 3e24254b57 Bump element to v1.11.69. 2024-06-19 21:17:22 +02:00
Viðir Valberg Guðmundsson bd4f92fd65 Bump matrix synapse to v1.109.0. 2024-06-19 21:12:58 +02:00
Viðir Valberg Guðmundsson 1bba1d066b Add matrix notifications to diun. 2024-06-19 20:57:50 +02:00
Viðir Valberg Guðmundsson aeaa48d7ca Bump forgejo to 7.0.4 2024-06-19 20:12:48 +02:00
Víðir Valberg Guðmundsson ed237c9661 Bump mastodon to 4.2.9 2024-05-30 21:12:56 +02:00
Sam A. e633ca13b4
Add hostname to Restic container 2024-03-29 21:01:50 +01:00
Víðir Valberg Guðmundsson 92ca044d06 Adding diun (#208)
Closes #174

Reviewed-on: #208
Co-authored-by: Víðir Valberg Guðmundsson <valberg@orn.li>
Co-committed-by: Víðir Valberg Guðmundsson <valberg@orn.li>
2024-03-28 14:02:24 +00:00
Víðir Valberg Guðmundsson 41116063a2 Bump forgejo to 1.21.8. 2024-03-28 14:33:12 +01:00
valberg 1bfa6bdd1d Merge pull request 'Fix another instance of domain=>remote_domain' (#205) from fix-restic-domain into main
Reviewed-on: #205
Reviewed-by: valberg <valberg@orn.li>
2024-03-08 10:05:06 +00:00
Reynir Björnsson 9a03f71252 Fix another instance of domain=>remote_domain 2024-03-08 10:57:32 +01:00
reynir 00927a19df Merge pull request 'Rename variables to avoid name clash' (#204) from fix-restic-domain into main
Reviewed-on: #204
Reviewed-by: valberg <valberg@orn.li>
2024-03-06 12:40:47 +00:00
Reynir Björnsson a0988aa05d Rename variables to avoid name clash 2024-03-06 13:38:46 +01:00
Víðir Valberg Guðmundsson 4112bb73b6 Bump forgejo to 1.21.7. 2024-03-06 13:35:47 +01:00
Víðir Valberg Guðmundsson e30f1d57d5 Bump mastodon (deployed some time ago). 2024-03-06 13:32:50 +01:00
reynir ebf3608bdc Merge pull request 'Add uptime-kuma push url for restic' (#203) from restic-uptime-kuma into main
Reviewed-on: #203
2024-03-06 12:29:44 +00:00
Reynir Björnsson ce030b2dea Fixup yaml 2024-03-05 09:57:55 +01:00
Reynir Björnsson 4f129168c6 Add uptime-kuma push url for restic 2024-03-05 09:55:04 +01:00
Reynir Björnsson d468e49830 . 2024-03-04 14:15:52 +01:00
Reynir Björnsson ae497f0284 . 2024-03-04 13:30:58 +01:00
Reynir Björnsson ac64706fcb . 2024-03-04 12:48:51 +01:00
Reynir Björnsson 9fb16d3a69 Address comments by @samsapti
We need to use ':' instead of '=' in yaml for environment variable
bindings.
Spurious tab where it should be all spaces
Rename variable mail-from to mail_from to align with existing code style
Nit: change email addresses
2024-03-04 09:20:04 +01:00
Reynir Björnsson 6982d0feaa Restic: send an email on backup failure 2024-03-03 21:17:48 +01:00
Sam A. 1b68766cd6
Improv 2024-03-01 20:53:08 +01:00
Sam A. d90b769640 Merge pull request 'Add uptime kuma as a service we can deploy to a different host for monitoring.' (#196) from add_uptime_data_coop into main
Reviewed-on: #196
Reviewed-by: Sam A. <samsapti@noreply@git.data.coop>
2024-03-01 19:47:57 +00:00
Sam A. f792bf3dd1
Fixes and add Watchtower to Uptime Kuma instance 2024-02-29 20:45:59 +01:00
Víðir Valberg Guðmundsson 266f990d1a Pin forgejo to 1.21.6-0. 2024-02-22 20:44:55 +01:00
Víðir Valberg Guðmundsson 241d63494f Upgrade forgejo to 1.21. Closes #201. 2024-02-21 14:26:28 +01:00
Víðir Valberg Guðmundsson 4c65521447 Mastodon: Fix container name for crontab cleanup jobs 2024-02-21 13:36:31 +01:00
valberg a95c3ea17e Merge pull request 'Forgejo SMTP_ADDR was split into ditto + SMTP_PORT' (#200) from forgejo-smtp-port into main
Reviewed-on: #200
2024-02-21 11:19:01 +00:00
Reynir Björnsson 590597b137 Forgejo SMTP_ADDR was split into ditto + SMTP_PORT
And the default SMTP_PORT is 25 while we use 587 => mail notifications
broke
2024-02-21 11:23:29 +01:00
Sam A. d05a504e61
Move vars around 2024-02-18 17:27:52 +01:00
Sam A. a99b39824c
Merge branch 'main' into add_uptime_data_coop 2024-02-18 17:23:43 +01:00
Sam A. 7aae344da0
Don't specify service settings twice 2024-02-18 17:18:54 +01:00
Víðir Valberg Guðmundsson 26b98681fc Bump mastodon to 4.2.7. 2024-02-16 15:35:12 +01:00
Víðir Valberg Guðmundsson 542268ffc6 Bump mastodon to 4.2.6. 2024-02-14 20:43:05 +01:00
Víðir Valberg Guðmundsson 54a63ca069 Add uptime kuma as a service we can deploy to a different host for monitoring. 2024-02-11 14:50:21 +01:00
Sam A. 46ffcd792c
Add missing bind mount and upgrade WriteFreely, close #192 2024-02-09 22:00:02 +01:00
Víðir Valberg Guðmundsson 068d3bd444 Bump mastodon to 4.2.5. 2024-02-01 18:55:42 +01:00
Sam A. 39fffe71ae
Upgrade Nextcloud to version 28 2024-01-13 15:04:02 +01:00
Sam A. 0fdfd2e76f
Exclude Mastodon cache from backup 2024-01-10 18:03:39 +01:00
Sam A. 9164b39906
Fix Postfix DNS name not found 2023-12-12 22:00:55 +01:00
Sam A. 88c4d99fc0
Upgrade Matrix (Synapse) to v1.98.0 2023-12-12 21:30:47 +01:00
Sam A. 7ef64bd132
Upgrade Element, close #184 2023-12-12 21:16:46 +01:00
Sam A. a3b5f5520d
Correct folder name for webmail overrides 2023-12-10 22:04:09 +01:00
Sam A. dfcca8a3e9
Fix Mailu admin container DNS conflict with OpenLDAP admin 2023-12-10 22:01:04 +01:00
Sam A. f627d1cf32
Upgrade Mailu, close #167 2023-12-10 18:04:50 +01:00
Sam A. c7289b4c5a Merge pull request 'Refactor service deployment + upload Compose files to the server' (#178) from compose-files into main
Reviewed-on: #178
2023-12-09 18:38:11 +00:00
Sam A. bd074929ac
Fix stuff 2023-12-09 19:37:46 +01:00
Sam A. e426c3d6c5
Rename Write Freely compose file 2023-12-07 20:47:11 +01:00
Sam A. 3b8c526da1
Merge branch 'main' into compose-files 2023-12-07 20:39:04 +01:00
Víðir Valberg Guðmundsson 27321a16a2 Fix writefreely mariadb datadir and set user_invites to admin. 2023-12-03 23:49:06 +01:00
valberg 0166d2434d Merge pull request 'Add writefreely instance.' (#179) from writefreely into main
Reviewed-on: #179
2023-12-03 22:31:39 +00:00
Víðir Valberg Guðmundsson 6e4b3e4aa4 Add writefreely instance. 2023-12-03 23:24:33 +01:00
Víðir Valberg Guðmundsson 04d4e38751 Remove some more byro stuff. 2023-12-03 22:20:19 +01:00
Sam A. 4082c6fde3
Add from_vagrant to deploy.sh 2023-11-04 01:20:53 +01:00
Sam A. 85e1da3cbf
Last fixes + install Compose v2 plugin 2023-10-04 22:05:59 +02:00
Sam A. 15fa5d6215
No need for Python Docker bindings since we use Docker cmd 2023-10-04 22:02:11 +02:00
Sam A. 2966e6715b
Add shell to users 2023-10-04 21:44:37 +02:00
Sam A. 5ae78bcd17
Fix magic 2023-10-04 21:34:59 +02:00
Sam A. 3dc4e14c15
Bump Vagrant specs 2023-10-04 19:59:09 +02:00
Sam A. af6a130695
Fix handler and name 2023-10-04 19:58:54 +02:00
Sam A. 98fcc2d634
Include service name in task names in block.yml 2023-10-04 19:44:39 +02:00
Sam A. 3ac2d83971
Magic 2023-10-04 19:43:11 +02:00
Sam A. 3001317e20
Ansible doesn't support looping over a block 2023-10-04 19:35:52 +02:00
Sam A. 301d1b7719
Add missing volume_folder vars 2023-10-04 19:35:09 +02:00
Sam A. f8b4e49f7f
Don't base 'vagrant' on virtualization (prep for Proxmox) 2023-10-04 18:43:33 +02:00
Sam A. d0b23d4ef5
Specify cpus in Vagrantfile 2023-10-04 18:37:57 +02:00
Sam A. 6cb06d43f1
Formatting 2023-10-03 22:13:30 +02:00
Sam A. 62f548d05b
Fix task for single service 2023-10-03 22:00:51 +02:00
Sam A. f067a1b6c2
Convert websites to Compose stacks 2023-10-03 21:45:21 +02:00
Sam A. 52b1d1ccd2
Use a block to deploy all services + add pre_deploy and post_deploy 2023-10-03 21:19:51 +02:00
Sam A. f50831460c
Convert all services to Compose stacks 2023-09-30 18:46:17 +02:00
Sam A. 728455f42a
Convert Netdata to a Compose stack, close #80 2023-09-30 17:19:10 +02:00
Sam A. 85aa718480
Split Matrix and Element into their own Compose stacks 2023-09-30 16:42:16 +02:00
Sam A. a47440b6b5
Move compose files into templates and upload them to the host 2023-09-30 16:25:06 +02:00
Sam A. 3098e1e320 Merge pull request 'Move static files into files/ and Jinja2 templates into templates/' (#169) from move_stuff_around into main
Reviewed-on: #169
2023-09-29 21:09:07 +00:00
Sam A. 656fb6baab
Merge branch 'main' into move_stuff_around 2023-09-29 23:02:07 +02:00
Sam A. 28992b66af
Remove remaining Byro files 2023-09-29 22:56:48 +02:00
Sam A. 136b675ccd
Upgrade Mastodon to 4.2.0, close #176 2023-09-29 21:54:21 +02:00
Sam A. ddb9629dea
Fix spacing and indentation 2023-09-29 21:09:23 +02:00
Víðir Valberg Guðmundsson 1449185591 Remove byro. 2023-09-25 09:48:29 +02:00
Víðir Valberg Guðmundsson 191ba1e011 Bump mastodon to 4.1.9. 2023-09-25 09:48:29 +02:00
Sam A. 2629c7c2f9
Replace another deprecated option for Forgejo 2023-09-23 16:43:31 +02:00
Sam A. 927d1e31ee
Replace deprecated option for Forgejo 2023-09-23 16:38:45 +02:00
Sam A. d662ae321e
Remove CodiMD, close #122 2023-09-16 18:22:48 +02:00
Sam A. 0272b93527
Upgrade Keycloak 2023-09-16 18:01:11 +02:00
Sam A. a372c1a980
Upgrade a bunch of stuff 2023-09-16 17:41:05 +02:00
Víðir Valberg Guðmundsson c50bccfada Upgrade portainer from 2.16.2 to 2.19.0 2023-09-16 14:27:44 +02:00
Sam A. 4e6f18311d
Use subfolders for templates as well 2023-08-05 19:35:55 +02:00
Sam A. a741a0c26c
Switch to Forgejo, close #145 2023-07-26 18:06:40 +02:00
Sam A. bb145efff2
Pull images on website 2023-07-26 17:15:35 +02:00
Sam A. 2a74df91f1 MERGE IT
Reviewed-on: #172
2023-07-26 15:05:11 +00:00
Sam A. 085bb1dfe7
Avoid code duplication 2023-07-26 17:03:33 +02:00
Benjamin Bach 4d09c1ec11
Update ansible task for data.coop website with new branches and docker images 2023-07-25 22:17:35 +02:00
Sam A. f9946e72ca
Merge branch 'main' into move_stuff_around 2023-07-20 18:09:41 +02:00
Sam A. 9126fd8d61
Quote number-like version numbers 2023-07-19 19:38:31 +02:00
Sam A. fc74fa0a3b
Upgrade Gitea to 1.20, close #165 2023-07-19 19:35:28 +02:00
Sam A. 1ebaef9f59
Fix cron job... 2023-07-11 22:52:59 +02:00
Sam A. e2a6d19a32
Fix folder permissions for Mastodon 2023-07-11 22:26:08 +02:00
Sam A. ec73fb702c
Fix cron job name 2023-07-11 22:02:21 +02:00
Sam A. 7d8b96cef0
Add cron jobs to clean cached Mastodon data, close #170 2023-07-11 21:56:04 +02:00
Sam A. 9920676155
Fix sender domains for Postfix 2023-07-11 21:44:05 +02:00
Víðir Valberg Guðmundsson 8c24a02a43 Enable email in matrix. 2023-07-11 21:30:22 +02:00
Sam A. 7d13fc5302
Use service names instead of subdomains for vhost file names 2023-07-09 23:07:23 +02:00
Sam A. ef7c00b748
Fix quote 2023-07-09 20:39:07 +02:00
Sam A. 863b285b07
Move files to their correct directories (files in files, Jinja2 templates in templates) 2023-07-09 20:27:32 +02:00
Sam A. c5857d0ba8
Don't put unnecessary executables in git 2023-07-09 19:51:26 +02:00
Sam A. f5ffd21dd3
Upgrade Nextcloud to version 27, close #164 2023-07-09 19:42:33 +02:00
Sam A. de67592d6e
Upgrade Synapse to v1.87.0, close #166 2023-07-09 19:24:01 +02:00
Víðir Valberg Guðmundsson bc4868cd8e Add byro.data.coop - a possible replacement for our own membersystem. 2023-07-09 11:49:21 +02:00
Víðir Valberg Guðmundsson 1a3ba48c07 Upgrade mastodon to 4.1.4. Close #154 2023-07-09 11:31:39 +02:00
Sam A. 96f65c02da
Add cron job to prune unused Docker data (close #168) 2023-07-07 18:15:01 +02:00
Víðir Valberg Guðmundsson 604c67e28f Point mailu definition to ghcr.io to get images. 2023-07-06 22:15:08 +02:00
Víðir Valberg Guðmundsson 30b52c2747 Upgrade mastodon to 4.0.5. 2023-07-06 22:14:29 +02:00
Víðir Valberg Guðmundsson b2b949ee98 Add www.ulovlig-logning.dk as a valid address for the ulovlig logning website. 2023-04-26 14:04:08 +02:00
Sam A. d8d0d32838
Upgrade Matrix (Synapse) to v1.81.0 2023-04-16 14:26:17 +02:00
Sam A. d2681c27a0
Rename Riot to Element globally 2023-04-08 00:45:30 +02:00
Sam A. f1df97ca04
Upgrade Element 2023-04-08 00:31:38 +02:00
Sam A. 493062b00a
Upgrade Matrix (Synapse) to v1.80.0 2023-04-08 00:15:05 +02:00
Sam A. 863cd56001
Upgrade HedgeDoc and Postfix 2023-04-06 19:10:47 +02:00
Sam A. f7afe5ba00
Fix spacing 2023-03-29 18:27:24 +02:00
Sam A. f9049451e9
Raise message rate limit for Mailu 2023-03-29 18:11:10 +02:00
Sam A. b5d980510d
FIDO bug in Passit should be fixed now 2023-03-26 18:35:30 +02:00
Sam A. b042d555b6
Edit README.md to describe users option 2023-03-14 16:17:02 +01:00
Sam A. 98d57e4cfa
Add SSH key for samsapti 2023-03-14 16:14:53 +01:00
Sam A. b1f1db5b30
Simplify Docker service names for Restic
This simplifies containernames such as "restic_backup_restic-backup_1"
to "restic_backup_1".
2023-03-09 17:50:13 +01:00
Sam A. 9cc70decab
Upgrade Restic 2023-03-09 17:43:25 +01:00
Sam A. 04799e4a8f
Fix mode for Restic SSH directory 2023-03-07 21:54:02 +01:00
reynir 2ca0b8daba Merge pull request 'Fix email setup' (#160) from reynir/ansible:fix-gitea into main
Reviewed-on: #160
2023-03-07 15:03:47 +00:00
Reynir Björnsson 77e4d90589 Fix email setup
Since whenever gomail doesn't like credentials when they're not going to
be used:

    Failed to send a testing email to 'reynir@reynir.dk': gomail: could not send email 1: SMTP server does not support AUTH, but credentials provided
2023-03-07 15:40:58 +01:00
Sam A. 9a255c692c
Merge pull request 'ansible.cfg use persistent connections' (#159) from reynir/ansible:persistent-connections into main
Reviewed-on: #159
2023-03-07 14:39:03 +01:00
Reynir Björnsson 3bddaaa22c ansible.cfg use persistent connections
This makes ansible try to use one ssh connection for everything. This
greatly reduces the number of TCP connections and authentication
attempts.
2023-03-07 13:14:47 +01:00
Sam A. 5cae83c557 Merge pull request 'Remove Pinafore' (#148) from removal/pinafore into main
Reviewed-on: #148
2023-03-07 11:16:32 +00:00
Sam A. e9410c4f8f
Use domain name instead of IP in inventory file 2023-03-06 22:27:53 +01:00
Reynir Björnsson ef5ef78ccb Merge remote-tracking branch 'data.coop/vhs.data.coop' 2023-03-06 20:43:12 +01:00
Sam A. 9d4c7be801
Add known_hosts to Restic's SSH folder 2023-03-06 13:38:52 +01:00
Reynir Björnsson 32f25aeb8f Add vhs.data.coop website 2023-03-06 11:50:59 +01:00
Sam A. 2d11a664b4
Fix Vagrant logic 2023-03-05 23:10:53 +01:00
Sam A. 9a4912f9b5 User Fedder's TrueNAS for Restic backups (#153)
Thanks Fedder!

Co-authored-by: Sam Al-Sapti <sam@sapti.me>
Reviewed-on: #153
2023-03-05 22:01:53 +00:00
Sam A. 2d85dec774 Merge pull request 'Add fedi.dk website' (#155) from reynir/ansible:add-fedi.dk-website into main
Reviewed-on: #155
2023-02-20 18:22:07 +00:00
Reynir Björnsson 82aa6f67aa Add fedi.dk website 2023-02-18 21:09:49 +01:00
Sam A. 31b2bcd35e
Rallly follows SemVer, so pinning to major version 2023-02-11 21:08:16 +01:00
Sam A. b7307c3e8e
Upgrade Rallly, it uses version numbers now 2023-02-11 20:34:07 +01:00
Sam A. b3c2f36a9d
Upgrade Watchtower 2023-02-11 20:31:16 +01:00
Sam A. be450fc8b8
Merge branch 'main' into removal/pinafore 2023-01-22 19:28:08 +01:00
Sam A. 593dddd00e
Upgrade Passit database and temporarily pin Passit due to WebAuthn bug 2023-01-22 02:00:53 +01:00
Sam A. 16aec98808
HedgeDoc image version :1 doesn't exist, but Alpine doesn't have vulnerabilities 2023-01-21 21:49:27 +01:00
Sam A. a5d59b9336
Fix variable 2023-01-21 21:37:37 +01:00
Sam A. 388e0526ca
Set RUN_ON_STARTUP=false for Restic 2023-01-21 21:33:39 +01:00
valberg b445d7db17 Merge pull request 'Enable Watchtower for all services' (#123) from watchtower into main
Reviewed-on: #123
2023-01-21 17:17:55 +00:00
Sam A. 7ca168ae03
Merge branch 'main' into watchtower 2023-01-21 17:33:45 +01:00
Sam A. 209ccf9916 Merge pull request 'Collect even more version numbers in docker/defaults/main.yml' (#143) from unify_more_configurations into main
Reviewed-on: #143
2023-01-21 16:30:07 +00:00
Sam A. f81fab3d11
Quote numbers 2023-01-14 17:31:08 +01:00
Sam A. 9733794292
Revert "Make quotations consistent"
This reverts commit 231af48a40.
2023-01-14 17:24:53 +01:00
Sam A. 2f1c1887ba
Revert "Make quotations consistent"
This reverts commit a10b07fa2c.
2023-01-14 17:21:34 +01:00
Sam A. 34f95f31e4
Remove Pinafore 2023-01-14 17:14:31 +01:00
Sam A. a246dbf497
Merge branch 'main' into unify_more_configurations 2023-01-07 18:21:25 +01:00
Sam A. 58f3df7ed0
Merge branch 'main' into watchtower 2023-01-06 14:53:59 +01:00
Sam A. 1bbf1edf57
Upgrade Rallly 2023-01-06 14:49:23 +01:00
Sam A. 035c683f67 Merge pull request 'Bump matrix client_max_body_size to 1GB' (#140) from matrix-client-max-body-size into main
Reviewed-on: #140
2023-01-06 13:22:58 +00:00
Sam A. 99e2d04829
Set up DKIM for Postfix 2023-01-05 17:02:44 +01:00
Víðir Valberg Guðmundsson 5b2f460cad Bump gitea til 1.18.0. 2023-01-02 22:19:39 +01:00
Sam A. 5bcba6fa59 QoL changes for *Vim users (#144)
Co-authored-by: Sam Al-Sapti <sam@sapti.me>
Reviewed-on: #144
2022-12-29 21:13:31 +00:00
Sam A. f02440048c
Add a way to only deploy users 2022-12-29 17:55:59 +01:00
Sam A. b6f30af8ba
Edit SSH key for samsapti 2022-12-29 17:52:12 +01:00
Víðir Valberg Guðmundsson a7776ab30a Add a new ssh key for valberg. 2022-12-28 20:58:59 +01:00
Sam A. a10b07fa2c
Make quotations consistent 2022-12-28 16:46:52 +01:00
Sam A. 231af48a40
Make quotations consistent 2022-12-28 16:23:23 +01:00
Sam A. d6ce46e2f2
Collect even more version numbers in docker/defaults/main.yml 2022-12-28 16:19:07 +01:00
Sam A. ad9a42f223
Add Nextcloud to allowed sender domains 2022-12-27 21:50:12 +01:00
Sam A. 44eb59fb86
Merge branch 'main' into watchtower 2022-12-27 19:48:32 +01:00
Sam A. 2485c25dc1
Add mailqueue directory to Mailu 2022-12-27 18:32:27 +01:00
Sam A. 35d0844bd7
Upgrade Mailu to 1.9 2022-12-27 18:20:30 +01:00
Sam A. a3d5c70c06
Upgrade Gitea to 1.7.4 2022-12-26 18:19:34 +01:00
Sam A. 7d889b4f02
Upgrade Postfix to v3.5.1 and use Alpine-based image
Alpine is already the default, but it's better to explicitly specify it.
2022-12-26 17:52:09 +01:00
Sam A. 9c559e3322
Revert task name 2022-12-22 19:13:29 +01:00
Sam A. a1ac25b56d
Don't install python bindings for docker-compose twice 2022-12-22 18:25:03 +01:00
Sam A. f1737bb9c8
Allow sso.data.coop to send emails 2022-12-20 22:46:40 +01:00
Reynir Björnsson 7851fe3522 Bump max upload size 2022-12-17 21:43:18 +01:00
Reynir Björnsson 3fb8ecb72f Bump matrix client_max_body_size to 1GB 2022-12-17 21:27:01 +01:00
Sam A. 8fc0a97d23
Remove new-new.data.coop from Ansible 2022-12-14 18:46:03 +01:00
Sam A. 64ec448fc0
Remove new-new.data.coop container 2022-12-14 18:43:49 +01:00
Sam A. b1c9113cb7
Fix git URL 2022-12-13 16:32:33 +01:00
Sam A. 76df6320a4
Upgrade Pinafore to v2.5.0 2022-12-13 16:30:43 +01:00
reynir 99f9615ef2 Use http git.data.coop endpoints for websites (#139)
Gitea is notoriously strict with its http smart git implementation. This required a few fixes in upstream ocaml-git. They are now released, and we don't have to use github or ssh-keys.

Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
Reviewed-on: #139
Co-authored-by: reynir <data.coop@reynir.dk>
Co-committed-by: reynir <data.coop@reynir.dk>
2022-12-13 15:24:32 +00:00
Sam A. 3b8c475bb1
Fix vhost-www 2022-12-07 22:04:31 +01:00
Sam A. 019b646caa
Rename 2022_slides_website due to error 2022-12-07 21:57:36 +01:00
Sam A. cf756ee881
Fix file source 2022-12-07 21:51:51 +01:00
Sam A. 000216d74d
Add vhost config for www.data.coop and move vhost-root copying task to data.coop.yml 2022-12-07 21:49:36 +01:00
Sam A. cd03e98f10
Add missing services to defaults/main.yml 2022-12-07 21:37:54 +01:00
Sam A. cff82acd9f
Don't set base_domain in Vagrantfile
It's already set in playbook.yml according to the vagrant variable.
2022-12-06 19:41:07 +01:00
Sam A. bbd6b6f8da
Upgrade Rallly 2022-12-06 18:18:41 +01:00
Sam A. 2c9c501562
Remove label from Pinafore 2022-12-06 18:06:31 +01:00
Sam A. 0dcc0a6d75
Merge branch 'main' into watchtower 2022-12-06 18:05:15 +01:00
reynir 51c8acc119 Add pinafore (#135)
I don't find any official docker images, so I set up a fork of the repo and build it with drone:

https://git.data.coop/data.coop/pinafore

Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
Reviewed-on: #135
Co-authored-by: reynir <data.coop@reynir.dk>
Co-committed-by: reynir <data.coop@reynir.dk>
2022-12-05 15:37:18 +00:00
Víðir Valberg Guðmundsson 73bf2d41ba Restart all mastodon containers instead of recreating them. 2022-12-04 22:55:00 +01:00
Sam A. c4f3911400 Always recreate Mastodon containers (#134)
Fixes #133.

Co-authored-by: Sam Al-Sapti <sam@sapti.me>
Reviewed-on: #134
Co-authored-by: Sam A. <samsapti@noreply@git.data.coop>
Co-committed-by: Sam A. <samsapti@noreply@git.data.coop>
2022-12-04 21:45:32 +00:00
Víðir Valberg Guðmundsson 759ea93dd3 Mastodon: Split sidekiq queues into different containers. Tune postgresql. Set threads and concurrency on web and streaming. 2022-12-02 23:35:36 +01:00
benjaoming 97e5f264f9 Merge pull request 'Add README.md' (#127) from readme into main
Reviewed-on: #127
2022-11-29 13:58:39 +00:00
Sam A. 6cd0eadade
Apply valberg's suggestions 2022-11-28 19:31:31 +01:00
Sam A. 09215e117a
Add 'Contributing' section 2022-11-28 19:24:49 +01:00
Sam A. 789caed704
Change wording 2022-11-28 18:56:09 +01:00
Sam A. 6a29cdc84d
Apply benjaoming's suggestions 2022-11-28 18:20:12 +01:00
reynir bd9c134e07 deploy.sh: print usage message (#130)
Co-authored-by: reynir <data.coop@reynir.dk>
Co-committed-by: reynir <data.coop@reynir.dk>
2022-11-28 14:27:49 +00:00
Sam A. 3f036ac0ea
Revert "Update README.md"
This reverts commit bef767ebd8.
2022-11-27 21:00:47 +01:00
Sam A. bef767ebd8
Update README.md 2022-11-27 17:35:40 +01:00
Sam A. 3b7732031c
Merge branch 'main' into readme 2022-11-27 17:33:37 +01:00
Sam A. 93b1ed60ae
Update README.md 2022-11-27 17:20:40 +01:00
Sam A. 59dae865c5
Add missing file to codimd 2022-11-27 16:34:20 +01:00
reynir e45eb02208 Don't hardcode domains (#129)
Co-authored-by: Reynir Björnsson <reynir@reynir.dk>
Reviewed-on: #129
Co-authored-by: reynir <data.coop@reynir.dk>
Co-committed-by: reynir <data.coop@reynir.dk>
2022-11-27 14:01:55 +00:00
Sam A. a1e8203d55
Don't hardcode domains 2022-11-26 23:15:09 +01:00
Sam A. ab1f170790
Opt out of Mailu statistics, and don't hardcode domains 2022-11-26 23:01:12 +01:00
Sam A. c8d603b6aa
Add J2Live to README.md 2022-11-26 22:50:32 +01:00
Sam A. f3fd5c7c74
Shorten Jinja2 filter in postfix.yml 2022-11-26 22:48:15 +01:00
Sam A. e983499f9b
Use value_name='service' in setup services task 2022-11-26 22:13:51 +01:00
Sam A. 7c7379c42c
Update README.md 2022-11-26 20:28:19 +01:00
Sam A. a89140ef51
Quality of Life lvl 100 2022-11-26 20:13:31 +01:00
Sam A. bb920407f3
Add depends_on conditions to Mastodon 2022-11-26 17:18:31 +01:00
Sam A. 1356aa54c8
Merge branch 'main' into watchtower 2022-11-26 16:49:53 +01:00
Sam A. 7962a75481
Remove thelounge.js 2022-11-26 16:38:32 +01:00
Sam A. 4611d890f7
Update README.md 2022-11-26 16:32:06 +01:00
Sam A. 5945d6847f
Merge branch 'main' into readme 2022-11-26 16:22:32 +01:00
Sam A. 62d5a3ccca
Add README.md 2022-11-25 23:36:47 +01:00
Sam A. 44b5f91eef
Merge branch 'main' into watchtower 2022-11-25 22:12:47 +01:00
Sam A. 74dfcfb5e8
Keycloak: avoid very long lines :( 2022-11-23 21:09:05 +01:00
Sam A. 221ddd987f
Upgrade Postfix to 3.5.1 and use Alpine-based image 2022-11-23 21:05:01 +01:00
Sam A. 687bff35e9
Pin netdata to v1 2022-11-23 21:00:48 +01:00
Sam A. 9261cb1952
Pin Keycoak to 20.0 (minor version) 2022-11-23 20:34:43 +01:00
Sam A. 1f61909605
Pin HedgeDoc to major version 1
From https://docs.hedgedoc.org/setup/getting-started/#upgrading-hedgedoc

> HedgeDoc follows [Semantic Versioning](https://semver.org/).
> This means that minor and patch releases should not introduce
> user-facing backwards-incompatible changes.
2022-11-23 20:16:36 +01:00
Sam A. d9de1efc9a
Pin Gitea to 1.17 instead of 1.17.3
Gitea's "minor" version change seems to be the one that occasionally
introduces breaking changes, so let's not update that automatically.
Only keep the patch-releases automatically updated.
2022-11-23 20:02:30 +01:00
Sam A. 2fa5bf4982
Merge branch 'main' into watchtower 2022-11-23 19:51:58 +01:00
Sam A. c9ab9f0c66
Watchtower doesn't need external_services network 2022-11-19 18:20:10 +01:00
Sam A. e5dcfea003
Pin Watchtower version 2022-11-19 18:19:43 +01:00
Sam A. 27b918b46b
Remove labels 2022-11-18 21:07:12 +01:00
Sam A. 5d26e1cdea
Fix mount point for Watchtower
The auth file created by the registry login task doesn't need to be
stored in a non-default path.
2022-11-18 20:58:22 +01:00
Sam A. a4a06d8a58
Upgrade Watchtower and disable filter by enable label 2022-11-18 18:59:00 +01:00
129 changed files with 2487 additions and 2341 deletions

View file

@ -42,7 +42,7 @@ use_default_rules: true
# Ansible-lint completely ignores rules or tags listed below # Ansible-lint completely ignores rules or tags listed below
skip_list: skip_list:
- no-log-password - skip_this_tag
# Ansible-lint does not automatically load rules that have the 'opt-in' tag. # Ansible-lint does not automatically load rules that have the 'opt-in' tag.
# You must enable opt-in rules by listing each rule 'id' below. # You must enable opt-in rules by listing each rule 'id' below.

2
.gitignore vendored
View file

@ -1,4 +1,4 @@
playbook.retry *.retry
*.sw* *.sw*
.vagrant/ .vagrant/
*.log *.log

View file

@ -1,12 +1,11 @@
---
repos: repos:
- repo: https://github.com/lyz-code/yamlfix/ #- repo: https://github.com/semaphor-dk/dansabel
rev: 1.1.1 # rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
hooks: # hooks:
- id: yamlfix # - id: dansabel
- repo: https://github.com/ansible/ansible-lint - repo: https://github.com/ansible/ansible-lint
rev: v6.9.0 rev: v6.9.0
hooks: hooks:
- id: ansible-lint - id: ansible-lint

View file

@ -1,7 +1,3 @@
# Makefile for initializing pre-commit hooks
all: init
init: create_venv install_pre_commit install_ansible_galaxy_modules init: create_venv install_pre_commit install_ansible_galaxy_modules
create_venv: create_venv:

108
README.md Normal file
View file

@ -0,0 +1,108 @@
# data.coop infrastructure
This repository contains the code used to deploy data.coop's services
and websites. We use Ansible to encode our infrastructure setup. Only
the association's administrators have access to deploy the services.
## Deploying
To deploy the services, the included `deploy.sh` script can be used. The
Ansible playbook uses two custom-made roles (in the `roles/` directory):
- `ubuntu_base` - used to configure the host itself and install the
necessary packages
- `docker` - used to deploy our services and websites with Docker
containers
The script has options to deploy only one of the roles. Select services
only can also be specified. By default, the script deploys everything.
Here is a summary of the options that can be used with the script:
```sh
# deploy everything
./deploy.sh
# deploy the ubuntu_base role only
./deploy.sh base
# deploy user setup only
./deploy.sh users
# deploy the docker role only
./deploy.sh services
# deploy SINGLE_SERVICE Docker service only
./deploy.sh services SINGLE_SERVICE
```
`SINGLE_SERVICE` should match one of the service names in the `services`
dictionary in `roles/docker/defaults/main.yml` (e.g. `gitea` or
`data_coop_website`).
## Testing
In order for us to be able to test our setup locally, we use Vagrant to
deploy the services in a virtual machine. To do this, Vagrant and
VirtualBox must both be installed on the development machine. Then, the
services can be deployed locally by using the `vagrant` command-line
tool. The working directory needs to be the root of the repository for
this to work properly.
> Note: As our secrets are contained in an Ansible Vault file, only the
> administrators have the ability to run the deployment in Vagrant.
> However, one could replace the vault file for testing purposes.
Here is a summary of the commands that are available with the `vagrant`
command-line tool:
```sh
# Create and provision the VM
vagrant up
# Re-provision the VM
vagrant provision
# SSH into the VM
vagrant ssh
# Power down the VM
vagrant halt
# Power down and delete the VM
vagrant destroy
```
The `vagrant` command-line tool does not support supplying extra
variables to Ansible on runtime, so to be able to deploy only parts of
the Ansible playbook to Vagrant, the `deploy.sh` script can be used with
the `--vagrant` flag. Here are some examples:
```sh
# deploy the ubuntu_base role only in the Vagrant VM
./deploy.sh --vagrant base
# deploy SINGLE_SERVICE Docker service only in the Vagrant VM
./deploy.sh --vagrant services SINGLE_SERVICE
```
Note that the `--vagrant` flag should be the first argument when using
the script.
## Contributing
If you want to contribute, you can fork the repository and submit a pull
request. We use a pre-commit hook for linting the YAML files before
every commit, so please use that. To initialize pre-commit, you need to
have Python and GNU make installed. Then, just run the following shell
command:
```sh
make init
```
## Nice tools
- [J2Live](https://j2live.ttl255.com/): A live Jinja2 parser, nice to
test out filters

13
Vagrantfile vendored
View file

@ -13,7 +13,8 @@ Vagrant.configure(2) do |config|
config.vm.hostname = "datacoop" config.vm.hostname = "datacoop"
config.vm.provider :virtualbox do |v| config.vm.provider :virtualbox do |v|
v.memory = 4096 v.cpus = 8
v.memory = 16384
end end
config.vm.provision :ansible do |ansible| config.vm.provision :ansible do |ansible|
@ -21,15 +22,17 @@ Vagrant.configure(2) do |config|
ansible.playbook = "playbook.yml" ansible.playbook = "playbook.yml"
ansible.ask_vault_pass = true ansible.ask_vault_pass = true
ansible.verbose = "v" ansible.verbose = "v"
ansible.extra_vars = {
base_domain: "datacoop.devel"
}
# If the VM is already provisioned, we need to use the new port # If the VM is already provisioned, we need to use the new port
if provisioned? if provisioned?
config.ssh.guest_port = PORT config.ssh.guest_port = PORT
ansible.extra_vars = { ansible.extra_vars = {
ansible_port: PORT ansible_port: PORT,
from_vagrant: true
}
else
ansible.extra_vars = {
from_vagrant: true
} }
end end
end end

View file

@ -1,3 +1,8 @@
[defaults] [defaults]
remote_user = root ask_vault_pass = True
inventory = datacoop_hosts inventory = datacoop_hosts
interpreter_python = /usr/bin/python3
remote_user = root
retry_files_enabled = True
use_persistent_connections = True
forks = 10

View file

@ -1,3 +1,5 @@
###################################### [production]
### All hosts hevonen.servers.data.coop ansible_port=19022
85.209.118.131 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3
[monitoring]
uptime.data.coop

View file

@ -1,9 +1,19 @@
#!/bin/sh #!/bin/sh
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass" usage () {
{
echo "Usage: $0 [--vagrant]"
echo "Usage: $0 [--vagrant] base"
echo "Usage: $0 [--vagrant] users"
echo "Usage: $0 [--vagrant] services [SERVICE]"
} >&2
}
BASE_CMD="ansible-playbook playbook.yml"
if [ "$1" = "--vagrant" ]; then if [ "$1" = "--vagrant" ]; then
BASE_CMD="$BASE_CMD --inventory=vagrant_host" BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
VAGRANT_VAR="from_vagrant"
shift shift
fi fi
@ -20,16 +30,21 @@ else
"services") "services")
if [ -z "$2" ]; then if [ -z "$2" ]; then
echo "Deploying all services!" echo "Deploying all services!"
$BASE_CMD --tags setup_services eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
else else
echo "Deploying service: $2" echo "Deploying service: $2"
$BASE_CMD --tags setup_services --extra-vars "single_service=$2" $BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
fi fi
;; ;;
"base") "base")
$BASE_CMD --tags base_only eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;;
"users")
eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;; ;;
*) *)
echo "Command \"$1\" not found!" usage
exit 1
;;
esac esac
fi fi

View file

@ -1,141 +1,185 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35343731613336373363633564396639393230633664336338396164303238316564326663643638 31303330643235313132323363306532616164646565636532646131386663633330333335353938
3365306264343434623836656435653436396636353866620a646336316338373866313362363664 6632373337386339323566373163306435663562303663320a666438653936356335653534353464
65363931633031613362383337643038636435303739376131643564633831316435653937353061 37373932623562326430396132316138373930383365313433646536343839636637386232306235
6330306330383865640a643937326634393437313864326361373634373930623464613363663831 6566393031643037340a643463373163663062643932353931646366306566346230336362623561
37373230366262323261316134326333663262643764623639306239623066613335616531613662 30323138333636343165666239393138653462396538386139376432346335373066363366613535
32343331313266363630343465376332303862353834653262306536623538383662366562616635 38623130333434386266393363306139333666393537663161626666323262646364636136393736
34636561663366323434356337376261373039353931636139656437346165656663653233333266 37656438373365353335633237326635636263653534353961396562646535303764613564306133
62353961626665636463396566626330383836383030363032303563633466326339626263306165 39373362343133643536383937386633373437333763636331663761646432663636373738373332
31313266636330653933363630396166333339376564333133623237373962386164616332616438 36383638363539663034303536636264336230636630636331336438333338356431666332313931
39623132663766633331306636613532333739613938333435393633386166333335393565633963 66653738656263613739333835366139633335643661373135396333346361343032303832353562
30363165643038623962353762323338306466353031383531623066363632363033383639393537 61376531343861656532626630623330336362373666343863373738306430616530373565663438
31333037626638353830653538373634666432346166373661313531656466383263323262373565 37373131646233656533633466356162326162616433613964616530393734336438326133373763
38383766343030643939633830343332666165643661363631633963393632666632643361656139 65663266313939363361396231663564663664393363373061646436653535663338336138373961
35346131363539613137396465306663363836666662303932646262383231363634373231373333 66303662323930376564313562376661336162316430316439313565633935323835386561356333
34366636346530383736393532646563643139343764333661663033316432386632393139326439 61393330333965633764633364366336646166353031613438373234333436326330336537643464
39303661333732376433663539383662363232313135663838616231343863326631353434326337 32383732336166303535393837353061353333386363356162323966336138363864663464356430
36313335393262663932666365336334396131393362636637653630653965643662626434323736 62396530393234666339346537616637323334383365663732663365653636383036616263303362
65663966306661646131643962336366643235353863646136613463323337663865323262613461 38623063623035616336346562396263336236376435386264336632336165336463613932383465
33363636386665646538333334373564396333316665343566653662666331666236303438343962 37323634633831363938616137373335653130303465383939303332333131363866303863383965
63396164316561363132306237336365313835346663616339666538643033356637633432383331 62333866333830666361613637333230363566333035366664353034303766633264643365343566
64363964356264643038396139383838616131383466666565383131663331336530663832306635 30326530383562633764643630363963646337363865343431353530353036616434363062313132
30643630623861633939646665326262393635626265323261653339646263386334353064393534 37393661326139613732636236633239653837333063646566653861643635363537386137393434
63303464623433333863386136626566336135346561343964323436643739343037383839373332 64616437363666653664303132666630376665646666323733376164653636623465623964336638
34656439333538653461663764323265303064643165663263316164396633623232626535353863 33623838616330353265333733343261356462613665653530333431343732646136346164626534
64643766623032653838306134376131623564363735386531383732346438343932353966333062 34343463646262623464613832393963633366353835393531653634623234393230343430666161
30613166623138333865343735663530346635383162616635326330636161303863626539663166 62306164616636616461306464333536333265313765326665626331363463363038393935653334
31336333643765303635643862666234643538313033663563663034343632653466626661343639 64646132393835656366643239303063333233303331373961346631633034343136623663666462
33656436393738326135363166623633366331633065373633313864353333316131346664353532 64306262636636346131333662626639323865343435373037306130366566343230656338626537
66646239373166376361326664646263616263323632636235353864656438383038663662376164 62336234373136326330306633306637326239356439326339373839383130623836383338373561
37336431306166366561623836373938366336623866653730353861333431383832313039313739 32646163616336623838373436303464643937333164643639623631393764623064626235303733
61616435666236373463616162653732373766336365313930383665363661356565613461373165 61633063303962343931333437313031653435636432393531393130336234613462343838366363
66636537333333633832366234633066366537646138346233313233376135666666336264316435 35383134303137633833363233376365666538333535306434373139333633386630636161636261
64613030323430343764336465353334633836653133343532386435636136336638313162626462 63373339386364326231366634303962636437353336346461336661396566623034306132326332
33363830396462616662313030316166646531643238363130613036666631643737306138326234 33633434326365353438313362616664393264633937393762336264633061313134656536363062
65323763636363393031616633633338653531633639356238316236303264303034623632626261 37303861663732336238386331363164363436363966393534613332393230666266616364303661
36626639633234396230356236643766306232646230623665633866643434313334303265323465 31323633656332643839616434313066643833616639353562386432663538366563633766393639
66386461323563343236633864396562306165616338306334353563656461346464353930646161 33636534363263633261323533666366366665323437346431653464646233303636366231626535
36653064613736346237363362663835656365616334363238376566316137303737316630316363 33373134333163373633313739626636303830383232616663636639646564643436313331643334
65393139313832353461313634393931633761666531316333373762373265613464303365326338 37663132343030666566333431633136653064626466626362373864613334663737326233313138
66393165366334636431353836336535636233336332336664613263613465393235363235623037 38336261663765633331393766333965613364306136333362626466623235303033396362346365
61313037633761366661303663636364346131326334393765646262393863363062333739376466 36633963333561366265633633303262393832336364333365313336383066363065316133303634
65653434336532323365376233646365323537313131306661306363313864326361646432326632 65363037646566323831363365653937623966323735353439353339616439306534663831653663
64383533313833333466313231353863656634623135386631363864363834633035636632366164 34623537666435313661326631326235313130363938643635666531636165306539663630366265
66356539353264633461396132336435353234333132376130616335613136356364643165346537 65323234613133663337363466336663633464316361656564326136633064373365373239363662
62366630363439336432353066323238363233613032343635663731613134393639656535333736 37323834633163653938633435323763333539396532393664653162643832646535353262336631
32623733333866393565366661643030376137646437616336386530363230376637316436313763 61386237663136336338663165613238663035386361643135333361383666643432396363363132
36323532643763363864336634623132343530333531363231383130333064653233363339646136 66323832643339346534373066326333396232386166383161383764633338373533623236346366
35343165623864646530633731373539356665316164653365303965663862313462313362643637 33373138303864323532363761313762376439343130316432613933353033363536336337363566
34633163363833626635613634633938656334366366316266636532613065333436663633656530 31396133663330323665313033656436396238623630633465313734343063633537323939356337
65623561326565643739303931323539643337373736646663363362646139323333346237353731 62306364633765323834333836316161366531643763333434383062363032653164353037336562
32643739626561396664646537376139326339626235336464343964613761396430343461346639 61653332333062643362386665633665306662356532653031383365356632643861363038383137
33326631373030653637393865333837386432333634653066353366613334396639626631653737 36326666356231396433363538666131353839353366323934343532306532633866623733663138
34353831386366636663323761656431663965303561636236366538393261653333396537326461 33376665333430653533383439373463323661666165333636353434643739386363356536333837
31323332613737646364616565393534306131323234633933636638333637623661343334383561 39313365643039386638623731386635363632376139666638643734303035386564376136656537
30323464373365626662323062363135333932666163323235633131303566323964343734383238 39356162346164313839373931653139386464653232633339616166306235323232336139306538
32376435363737373336363363613738366337626162333236643738373266633933363162303833 32623135666535633462613430646637313030343933653461333230656564396663653364633238
37366631343933313934313463363834643835333766663361303335313539363839663231333963 30336161323431323337636135323539663466323637313366376535666132663662356239366339
66326261323631386532346637376132646263303466383330373833633034373933616538306330 66373830336132336439653637366664656230323834623039306337636433663931373138616466
33386334306330346161633131386130636634643531633233376337343637363235356135383366 30616437376435643535303237313831383534656634353265386565376564623431616263643334
31366463323831636438646262613239663830333531386330326131643032653033336339643561 65613633656533646138663138393831623330363635313662653264646636396461326664633362
64636439323065343564306163303134623439343963383136633864623633363364646535666565 38633765316333373363616563346230393866363365623862333162306263613938373663633963
31393564316234343066303664396534386537303364343234303832346331326430386432636332 31363639613238316334333437326631353830383734393765303037346436343036386437653637
38316565346433663639646330393339303530623636386332633666656363376239383535386134 32636139313464383264376663393730363038343831336565663565383135653139663765303239
35376135306461333237383562356162326338363435643133653838343535326535326337376130 31653036623138316566666461313665663462383662343461353332366634666437363263373864
37306462633835666132653466373163613566633863343363653539343239316233616661633532 30323564343934386666666338373238383333303939626237363131346261386562663566323365
64386538363163653963363331623531313237636431343934643136656536323734636261656333 37316563653231346336343166646661393431363739346237303161363838613237666533353034
39636132613431653562393238346565323330656539666230643566633663316239353436383566 64623435376462613961326333393930346663353737386130346461616638363639386364313266
64303535353031636662643062326565313837393932346431326137316337376361363338383533 34353465326632356233343633636331343638333937303562356133363432323939633865316630
34613632323230393233666437346466626232363636636636393836333832633335393734343565 33353539653162333734653338363764313439376439656435313932626431313930346662633838
33333461343530333135663436343333623966363230666330323562363136383166666665333861 39636463393861396531633833343264393339323133316566356562613932663131633631303065
65366436643363383331353361656434336631396437616562303861666263353533313738326138 31323937663764613563333736313733326639643961653161303237353165343939666461396263
33653735333230636437643038633763343063336262386663313237653661346262653834616665 34323136356632336138643162326163653331616561626263616132393734396237666434326264
37343834323937623761386639653736313232323166373561643235336261306430393533376139 65653837383063306436643466383964386661643336343230393436326139313963633036613065
31653132613331626435623333343862393038643364616236626466333338646639663930663436 31393930386463626131653565393932386462313236623531616235393064656237663837346539
66636462646130653537343739646437363130313766636438663130616665333232396331303531 34333730666337353537613564363531363831323035353532363366363731306335316138366361
30373762343531383239653132633363386239643666316166363931326563343633653433383538 37353438326130366439303136356636653030666464366436366566626464626262663838393462
36333733626363626464636435626131653439313862666230393334353938356436376664323961 34626662396239636536666433636436316535363539636261343131313430613765353836643133
62326566646463396536633265333461306430616437646630363239653333643732366430373133 38653839336663353663313535633231363765636633666363386561303039313438353838643561
32323636636161623932376235383430366661636439643565366532376239613366303039376434 32643131623162386661653464623461623434313733643564343435386636326531633136306139
39646437363636633265313838616463383231643030643732306364333161656236303131333533 38613937336132653238616561356338303264393962306431356463613764613364363738323366
62343539613264383830306639303164643233653032616566646163656564356262323065303134 31326562613764386533353135643737323161616363656362326262653765353764626166363338
61613563646538316232353833636536633435336663326262663062663030326234316131353835 34646231633764383962326135323164326565343034656430326531653231666633666465336231
34363564306335356633343438396434363261646665653665633235303932383266393630623238 62366635356566613766643832386234383766363236306638623133643036643662396430623330
31323037336566633035366464386232616561383566343061343031623630383238643433376231 31396239366338656565346563313430353463366465373534636536393131303166333263613663
64633634616133386138326138393138353937363332646637663363363064393065336438303932 36393864663636333666396566303638646166346665303765343531313661376632623137613131
38393139306330396338646233366235316435313838633563353838303832616630633731323535 32653031343861363831646635356232353836363536613834343663326261623262336336393838
31393039306630613734343433633662343831313336616561656136323039333235383733363364 35623638636538626566353864343362633264366435383633333562366365326432663839613934
66383836363239376539316362646232356636336665316664653565653439353932663433346438 34323466396565303963333531346362363338623537343439666265353332303230356533323834
65306365623334656133636332393265643163313939363537323738646664326364343064396337 61333838356665653138346337336532333931616432353936306261356537663036643064333964
37383637383064643763363135386434316664306231376462653066653063313962316231386162 39643065303032393932323136363264316264386131353035383933386535303632613033633363
63343533386262616631333233316330666263656532306466623733343764646361666165393863 66346437333465653633626235336336353738343036326265376162383163326530373032663335
62326435346532623635343535353263626566313061643563613937346562643962386565396439 66643663666166366165396137383133396635336237343161303666393437303538316661336335
62616661626464613366656462353932323732313062363566316562396134346433376237326664 32396434323532303238303538303864393031303832346161303535386461666161316565646539
39333238346464393930653435363336333365323537356531313830626437303736333635356534 37303261336435323139663962316562346265343064346562393633616666653066623466316634
62653766323065373662366162333363343466373135623262663436626438306337333365633633 61346263366161366232386138666131323162333031623533303739646336623864613333323662
37333931623434666564366430666462343162303030643733623637656337393763393437656335 35363539646433323430313839633363393936356438313037613434663161653964366635363464
36393162363765383464316562306532336265373130623566646134666337333133363863373964 62643539393631386531313966643339383865623065393936666235653035376139656663616336
33666437323733396139653436323262383336306561643738366463646461646462333338623662 65663136326466616161376232316463643834356531336362336163343637326238663836363734
30656135343934633335376634326533313663653761656235626165313834356464636535326439 30363032653962306530633562636161396634363131633065326433363136316666633738343966
32343834316433393236353739646663393930663635646366623835633363653662626535366361 66303939383232373738373965393934653439396666623039353933633935393731653839623737
64626561613064646431306634393330333265366530353063653132353735663564326563323961 35376338363338306332353539313664303962353064306434323530623161323064633766643035
39663535346539326165313263383933653633306330303930376336316632636537363437663063 38363234343036616335393461643964386664616134313831663565633366616633626266393937
64376465663634363838623230386139636231353665616165323065633661343339373432373732 31623435646138646131356164313936656639393532343630663933613066333432666132363338
63356130653535303934396335306566646538383938636331333362353534366632663930393732 30356136303763376465396637613565386661333265633636643435313035313064383936306437
37353365343532646137343631383833616430326631323564666361323934383839303130636333 39626265643862313435343465643063656266373035356538393262363561356433323134333537
38653139303663356337376261616463303665623431613963643137356439326162386337326161 66663233313832326136366163623337373835663961313938636134613933663534333730333761
61383434383534353732343733326139313462396432366336653139363466653336626338366365 39313334346364623431646439386162633961316161393636656139303966626265623035366335
31386438333438633465666337393732343533373363646234383265323132303433316135396232 66666634363036326631376562623039303961663136366461313637343932303338356334383139
39373764333863626634343636306533393361643135323531383963366137626464353064613065 38383133306436303261643535353532383538613764616233363864656665633264623236623537
61623063303865646161363432643765323361363364383635646538636232353337636235613861 31353335343064626465626130356433366531306338623830623139316462316662633665663164
36396631383639633263303131383537326464313433663032346230386432633864613335616533 38363363656237326239633930623862663230623464663031363463356133626166353433633535
61373238363930653866643933623561613363333139373135633332643563613838346434623033 63343231326438383535356235343530393361636465363933356164323565326566303034383466
34353161396433663632656633356536323662386332626566393636323463363334613234376137 63323136643835623563393666333030656534333565316466333266663365346561363937336665
38643465656262656236666332383361616164366230323936346565303961333761613136353435 32323637366138303233373565333932626435306130633064656336623764366130323534333039
63643839636464323362396235333738626132393030393737373438393032323931643936306239 64613934383530343036343334396439373066326264353638353462613266663935343436353130
31643537353462626238306563316132663139393635356631373839653462613238323831303537 38616238313133363732343634663962666435656330396536643836326636373032623734353832
33626362636362383530386333343266383061646436353635396230396231343364323631343037 32313064663164626534336363376131656438623035646263666336633862613833323565656437
65663363656463393234313465386233663635626333346132353539366464653532333830326661 63616463613732663966643039653761633231616462363761336231313335363165646134356137
64343136323366346239373737666435366363663237663039636631656266333562376532396661 38633963393264653139356333626534303936326563326433363164623131393562393533383564
35666430626233333166356139613233306536303365313262363366316135326662636166393031 62646532643366376333373364646139363635323034613262386265383066303365323134633836
38356661396232366236303732326666353864353735336161326663623030343766633266623236 66666536653264393138326436393037373537393561613864343730366135353166633765323938
65626237636133626335656663323533386236353164303230313237643130386133613466613933 38306562326238613331343337306239376165636562666433356266313030613136656162646166
31343261356632643265623866373965326561363538326336656561373631373938343334653662 36303966373931363463383631386136313262633136383637626562353336306465613435336434
32616366373839373737393262633064666437303538386363616431386138346439353534623631 32303136393638396233393232386534643733626539653961366637316135373439386432643264
63323063346564646462313034623630396462623565646430363338393239343761396235303863 63663837306461376461306664366538396436386234366638626263303735323661393839343938
31636531323732303230626437363764306631366363643766633734353336373564393731366238 36393264306132313130326435636266643363616438613538303530306434636331333033323138
32623563633661646465396136396462663363376333613434666632383637616133626132616362 39656337666635363263316363363133616538356336646337373762613666323663656665383733
61343032643966323539353033643136616463353563666462313731386261633333623832643439 31623433396466383939306666373562303330373731323864363266323261383736353465633662
38323666666330356538313730306334336433613364313065313761636261363433356438323136 38356130353233663161623139653465646238363630643239386634623262303836333232303239
61343233643138646263626333306265366239613266646663323733636162323332643531643331 61313930346263643565333534373430653430363965373037646639633638333861346262373433
39396433636233366365336166356661623132656261656666386361326164643634366436303737 65346133636162396332373130356238346438626330373163326632323137333862373436363133
61653832373162356634313163363233323964303738366266376665346365396635343332396166 37373663396461613062616664336662373432383863333536366465313838333835653966353661
35393263373732313734353332663238326563366534623131386233633365303664616562386231 38343336316136316532613661306336636131653236663336396638316136626434303533323365
36326138356230663731306339666138343161386331313137313861633039303930623663646333 38356534353530633766646466663266613735396333386263356662613939373030396436363530
65336461653033333332323162363539663366653762303266656366386665396463626265303264 38333939623534356266323237623835373038663534616532326665346631616665616665666663
35666437663966663130633663643861326563336466633133646562383230363332646639616436 33633266333630646563363637666562336339393138326435373836336566346661646464613730
36656137653061303262633736653433343838323666646261386266353735326564386465646334 39616438373062656130393134353535313232376266386262623862383162366662626231373338
34633339336336613531666132633832363838343333353862333136616532613462343364616539 37373561376435323361316337636239366263656336303636346436373363663164343333656538
37363437613236323235383936613763383966366265303731303034373430333936366339323437 32633835353436623565393538643563646630366633343632633532396433616139303766666435
32303537653062663233 30373235373262633134383033363137316366316563613662313437663832356165353661666533
63343138393230333335323938666566623365623762643563633036613339636537366264333138
62656265363261663233396266616466333332633266326661373736353135383563313666633765
37316430633763326438326263643766396137363333353035623036346662303834376463613162
30363938396638336565303535663831326135393061383634646430343931373135636638333866
64623032366163386530313563656266376334343835366665633362643339643534643738373839
34323134636330383963353439376436323530373066623435376230306435333832633964653639
39373235353262383864303430336635393435656430646233613461306135643230666437393361
36616134356461616534646535396338656138616636396538373031626136323264323936366633
61373631306538363437323934316434663735323533656364393135613761326337303833383934
37383162356162373737336666663430343334356532333335363463623238643662333232333336
31376639386632626161303232653363626637376630333733343035323539623463626132373763
36613535623064636163643236383336653934663739326264653362333237303237393335613339
30323030353632613434393636336562363064306332663931393061393964393661363163326632
37353434656464333532343263363961613866643338396335656131373134333665353437613837
37336533366635616138366566666635366634613633616533373966336637303334613731316436
66376565643033383162373166373665633362313164643530356561383630343531346436343663
62313836323530623535356532303362333436643434663131653539646331346535666133336162
37653036376165333364373661386262633030363165353638386139646266623365306338383963
36373732356364333166386566653835663466346630356438323866636564663966363832613862
64623831646261333064663939613763323466336431343861386537633337396637383330333633
32636436343564633365616331626465613163333465373961656631373736373430396633393733
64386534353131666438346362376462636331353761636535663234613731356130666534323735
35636162323234386435646132396366326165663234653637363139303162613832346333383665
64323737306634613530633636643761346461326130663234373363326230616331336430353261
38346630356136333966656562343730356234643537323635653532396337373331363537393662
33373862336232623563636436643239623837623862386638353361383830303365333362353665
33666236363035616363326462376337363736333234613133383636396464306236386238333863
39316237326638663535646361393939393938656335653262633063326132663331343235626364
35366532333161343562383763653130306235633934393066356239653565633962343235643036
62333363323065663137393736383964613061393131376637363031393335306534626230383139
35333437613963386664646336383637323534366635336264333039643861396561373461636439
30323831333335393365383834386138626664653531333830363862363330346466646432656663
62383534343131636331353763356166386339303564353035383466353636636335653333383431
30616133383565623430326534396432376331636161393930366263366539343332666631616530
36383937313164663631626163646339623365653937616634656235303039636439646335616561
31623135366136333766663833333932383032343438376336366533636466353666633437353338
33386166386231353430646665323164363961666538343537313734343465366333383763666666
33326363656134613031393033646435333937353865316161626137633939333934316536643830
37386364356233353964326661386564656132643937366665353139653533336331323138356633
35656562663961343238386132636331636439383236383761306337626262303764656431303964
62646133323361643162313231376633663231313833633964613862353265336538633261643834
62353230316334363363343133626530643832356631353937353334613538616366396438383338
39336366623332363966383535373365666263383231356532346533386262643465306430336462
64623764333861663031

View file

@ -1,14 +1,14 @@
# These are the variables contained in secrets.yml # These are the variables contained in secrets.yml
# Secrets are usually 32 characters or more, matching [a-Z0-9] # Secrets are usually 32 characters or more, matching [a-Z0-9]
---
postgres_passwords: postgres_passwords:
nextcloud: xxx nextcloud: xxx
passit: xxx passit: xxx
gitea: xxx gitea: xxx
matrix: xxx matrix: xxx
codimd: xxx
mailu: xxx mailu: xxx
keycloak: xxx keycloak: xxx
hedgedoc: xxx
mastodon: xxx mastodon: xxx
rallly: xxx rallly: xxx
membersystem: xxx membersystem: xxx
@ -31,8 +31,9 @@ drone_secrets:
rpc_shared_secret: xxx rpc_shared_secret: xxx
restic_secrets: restic_secrets:
user_secret: xxx repository_password: xxx
encryption_secret: xxx ssh_privkey: xxx
uptime_kuma_url: xxx
matrix_secrets: matrix_secrets:
registration_shared_secret: xxx registration_shared_secret: xxx
@ -54,3 +55,8 @@ rallly_secrets:
membersystem_secrets: membersystem_secrets:
secret_key: xxx secret_key: xxx
stripe_api_key: xxx
stripe_endpoint_secret: xxx
diun:
matrix_password: xxx

View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
users: users:
- name: graffen - name: graffen
@ -12,8 +13,8 @@ users:
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
valberg - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
- name: reynir - name: reynir
comment: Reynir Björnsson comment: Reynir Björnsson
@ -21,10 +22,8 @@ users:
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
reynir yubikey - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t
reynir@spurv
- name: samsapti - name: samsapti
comment: Sam Al-Sapti comment: Sam Al-Sapti
@ -32,5 +31,5 @@ users:
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
samsapti - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332

View file

@ -1,25 +1,27 @@
# vim: ft=yaml.ansible
--- ---
- name: Deploy data.coop services - hosts: production
hosts: all
gather_facts: true gather_facts: true
become: true become: true
vars: vars:
base_domain: data.coop ldap_dn: "dc=data,dc=coop"
letsencrypt_email: admin@data.coop
ldap_dn: dc=data,dc=coop
vagrant: "{{ ansible_virtualization_role == 'guest' }}" vagrant: "{{ from_vagrant is defined and from_vagrant }}"
letsencrypt_enabled: '{{ not vagrant }}' letsencrypt_enabled: "{{ not vagrant }}"
smtp_host: postfix base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
smtp_port: '587' letsencrypt_email: "admin@{{ base_domain }}"
smtp_host: "postfix"
smtp_port: "587"
services_exclude:
- uptime_kuma
tasks: tasks:
- name: Setup host basics - import_role:
ansible.builtin.import_role:
name: ubuntu_base name: ubuntu_base
tags: tags:
- base_only - base_only
- name: Deploy docker containers (services) - import_role:
ansible.builtin.import_role:
name: docker name: docker

View file

@ -1,169 +1,229 @@
# vim: ft=yaml.ansible
--- ---
volume_root_folder: /docker-volumes volume_root_folder: "/docker-volumes"
volume_website_folder: "{{ volume_root_folder }}/websites"
services: services:
### Internal services ### ### Internal services ###
postfix: postfix:
file: postfix.yml domain: "smtp.{{ base_domain }}"
version: v3.5.0 volume_folder: "{{ volume_root_folder }}/postfix"
pre_deploy_tasks: true
version: "v3.6.1-alpine"
nginx_proxy: nginx_proxy:
file: nginx_proxy.yml volume_folder: "{{ volume_root_folder }}/nginx"
version: 1.0-alpine pre_deploy_tasks: true
volume_folder: '{{ volume_root_folder }}/nginx' version: "1.3-alpine"
acme_companion_version: "2.2"
nginx_acme_companion:
version: '2.2'
openldap: openldap:
file: openldap.yml domain: "ldap.{{ base_domain }}"
domain: ldap.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/openldap"
volume_folder: '{{ volume_root_folder }}/openldap' pre_deploy_tasks: true
version: 1.5.0 version: "1.5.0"
phpldapadmin_version: "0.9.0"
phpldapadmin:
version: 0.9.0
netdata: netdata:
file: netdata.yml domain: "netdata.{{ base_domain }}"
domain: netdata.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/netdata"
version: v1 version: "v1"
portainer: portainer:
file: portainer.yml domain: "portainer.{{ base_domain }}"
domain: portainer.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/portainer"
volume_folder: '{{ volume_root_folder }}/portainer' version: "2.19.0"
version: 2.16.2
keycloak: keycloak:
file: keycloak.yml
domain: sso.{{ base_domain }} domain: sso.{{ base_domain }}
volume_folder: '{{ volume_root_folder }}/keycloak' volume_folder: "{{ volume_root_folder }}/keycloak"
version: '20.0' version: "22.0"
postgres_version: "10"
allowed_sender_domain: true
restic: restic:
file: restic_backup.yml volume_folder: "{{ volume_root_folder }}/restic"
user: datacoop pre_deploy_tasks: true
domain: restic.cannedtuna.org remote_user: dc-user
repository: datacoop-hevonen remote_domain: rynkeby.skovgaard.tel
version: 1.6.0 host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
repository: restic
version: "1.7.0"
disabled_in_vagrant: true disabled_in_vagrant: true
# mail dance
domain: "noreply.{{ base_domain }}"
allowed_sender_domain: true
mail_from: "backup@noreply.{{ base_domain }}"
docker_registry: docker_registry:
file: docker_registry.yml domain: "docker.{{ base_domain }}"
domain: docker.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/docker-registry"
volume_folder: '{{ volume_root_folder }}/docker-registry' pre_deploy_tasks: true
username: docker post_deploy_tasks: true
password: '{{ docker_password }}' username: "docker"
version: '2' password: "{{ docker_password }}"
version: "2"
### External services ### ### External services ###
nextcloud: nextcloud:
file: nextcloud.yml domain: "cloud.{{ base_domain }}"
domain: cloud.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/nextcloud"
volume_folder: '{{ volume_root_folder }}/nextcloud' pre_deploy_tasks: true
version: 25-apache version: 28-apache
postgres_version: "10"
redis_version: 7-alpine
allowed_sender_domain: true
gitea: forgejo:
file: gitea.yml domain: "git.{{ base_domain }}"
domain: git.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/forgejo"
volume_folder: '{{ volume_root_folder }}/gitea' version: "7.0.5"
version: 1.17.3
allowed_sender_domain: true allowed_sender_domain: true
passit: passit:
file: passit.yml domain: "passit.{{ base_domain }}"
domain: passit.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/passit"
volume_folder: '{{ volume_root_folder }}/passit'
version: stable version: stable
postgres_version: 15-alpine
allowed_sender_domain: true allowed_sender_domain: true
matrix: matrix:
file: matrix_riot.yml domain: "matrix.{{ base_domain }}"
domain: matrix.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/matrix"
volume_folder: '{{ volume_root_folder }}/matrix' pre_deploy_tasks: true
version: v1.63.1 version: v1.114.0
postgres_version: 15-alpine
allowed_sender_domain: true
riot: element:
domains: domain: "element.{{ base_domain }}"
- riot.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/element"
- element.{{ base_domain }} pre_deploy_tasks: true
volume_folder: '{{ volume_root_folder }}/riot' version: v1.11.80
version: v1.11.8
privatebin: privatebin:
file: privatebin.yml domain: "paste.{{ base_domain }}"
domain: paste.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/privatebin"
volume_folder: '{{ volume_root_folder }}/privatebin' pre_deploy_tasks: true
version: 20221009 version: "20221009"
codimd:
domain: oldpad.{{ base_domain }}
volume_folder: '{{ volume_root_folder }}/codimd'
hedgedoc: hedgedoc:
file: hedgedoc.yml domain: "pad.{{ base_domain }}"
domain: pad.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/hedgedoc"
volume_folder: '{{ volume_root_folder }}/hedgedoc' pre_deploy_tasks: true
version: 1.9.6 version: 1.9.9-alpine
postgres_version: 10-alpine
data_coop_website: data_coop_website:
file: websites/data.coop.yml domain: "{{ base_domain }}"
domains: www_domain: "www.{{ base_domain }}"
- '{{ base_domain }}' volume_folder: "{{ volume_website_folder }}/datacoop"
- www.{{ base_domain }} pre_deploy_tasks: true
version: stable
staging_domain: "staging.{{ base_domain }}"
staging_version: staging
slides_2022_website:
domain: "2022.slides.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/slides-2022"
version: latest
fedi_dk_website:
domain: fedi.dk
volume_folder: "{{ volume_website_folder }}/fedidk"
version: latest
vhs_website:
domain: vhs.data.coop
volume_folder: "{{ volume_website_folder }}/vhs"
version: latest
cryptohagen_website: cryptohagen_website:
file: websites/cryptohagen.dk.yml
domains: domains:
- cryptohagen.dk - "cryptohagen.dk"
- www.cryptohagen.dk - "www.cryptohagen.dk"
volume_folder: "{{ volume_website_folder }}/cryptohagen"
ulovliglogning_website: ulovliglogning_website:
file: websites/ulovliglogning.dk.yml
domains: domains:
- ulovliglogning.dk - "ulovliglogning.dk"
- www.ulovliglogning.dk - "www.ulovliglogning.dk"
- ulovlig-logning.dk - "ulovlig-logning.dk"
- "www.ulovlig-logning.dk"
volume_folder: "{{ volume_website_folder }}/ulovliglogning"
cryptoaarhus_website: cryptoaarhus_website:
file: websites/cryptoaarhus.dk.yml
domains: domains:
- cryptoaarhus.dk - "cryptoaarhus.dk"
- www.cryptoaarhus.dk - "www.cryptoaarhus.dk"
volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
drone: drone:
file: drone.yml domain: "drone.{{ base_domain }}"
domain: drone.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/drone"
volume_folder: '{{ volume_root_folder }}/drone' version: "1"
version: 1
mailu: mailu:
file: mailu.yml domain: "mail.{{ base_domain }}"
version: 1.6 volume_folder: "{{ volume_root_folder }}/mailu"
domain: mail.{{ base_domain }} pre_deploy_tasks: true
dns: 192.168.203.254 dns: 192.168.203.254
subnet: 192.168.203.0/24 subnet: 192.168.203.0/24
volume_folder: '{{ volume_root_folder }}/mailu' version: "2.0"
postgres_version: 14-alpine
redis_version: alpine
mastodon: mastodon:
file: mastodon.yml domain: "social.{{ base_domain }}"
domain: social.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/mastodon"
volume_folder: '{{ volume_root_folder }}/mastodon' pre_deploy_tasks: true
version: v4.0.2 post_deploy_tasks: true
version: v4.2.10
postgres_version: 14-alpine
redis_version: 6-alpine
allowed_sender_domain: true allowed_sender_domain: true
rallly: rallly:
file: rallly.yml domain: "when.{{ base_domain }}"
domain: when.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/rallly"
volume_folder: '{{ volume_root_folder }}/rallly' pre_deploy_tasks: true
version: a21f92bf74308d66cfcd545d49b81eba0211a222 version: "2"
postgres_version: 14-alpine
allowed_sender_domain: true allowed_sender_domain: true
membersystem: membersystem:
file: membersystem.yml domain: "member.{{ base_domain }}"
domain: member.{{ base_domain }} django_admins: "Vidir:valberg@orn.li,Balder:benjaoming@data.coop"
django_admins: Vidir:valberg@orn.li volume_folder: "{{ volume_root_folder }}/membersystem"
version: latest
postgres_version: 13-alpine
allowed_sender_domain: true allowed_sender_domain: true
writefreely:
domain: "write.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/writefreely"
pre_deploy_tasks: true
version: v0.15.0
mariadb_version: "11.2"
allowed_sender_domain: true
watchtower:
volume_folder: "{{ volume_root_folder }}/watchtower"
version: "1.5.3"
diun:
version: "4.28"
volume_folder: "{{ volume_root_folder }}/diun"
matrix_user: "@diun:data.coop"
matrix_room: "#datacoop-services-update:data.coop"
### Uptime monitoring ###
uptime_kuma:
domain: "uptime.{{ base_domain }}"
status_domain: "status.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/uptime_kuma"
pre_deploy_tasks: true
version: "latest"
services_exclude: []
services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"

View file

@ -1,2 +0,0 @@
listen 8008;
client_max_body_size 50M; # default is 1M

View file

@ -1 +0,0 @@
client_max_body_size 50M; # default is 1M

View file

@ -1,511 +0,0 @@
"use strict";
module.exports = {
//
// Set the server mode.
// Public servers does not require authentication.
//
// Set to 'false' to enable users.
//
// @type boolean
// @default false
//
public: false,
//
// IP address or hostname for the web server to listen on.
// Setting this to undefined will listen on all interfaces.
//
// For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
//
// @type string
// @default undefined
//
host: undefined,
//
// Set the port to listen on.
//
// @type int
// @default 9000
//
port: 9000,
//
// Set the local IP to bind to for outgoing connections. Leave to undefined
// to let the operating system pick its preferred one.
//
// @type string
// @default undefined
//
bind: undefined,
//
// Sets whether the server is behind a reverse proxy and should honor the
// X-Forwarded-For header or not.
//
// @type boolean
// @default false
//
reverseProxy: false,
//
// Set the default theme.
// Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
//
// @type string
// @default "example"
//
theme: "example",
//
// Prefetch URLs
//
// If enabled, The Lounge will try to load thumbnails and site descriptions from
// URLs posted in channels.
//
// @type boolean
// @default false
//
prefetch: false,
//
// Store and proxy prefetched images and thumbnails.
// This improves security and privacy by not exposing client IP address,
// and always loading images from The Lounge instance and making all assets secure,
// which in result fixes mixed content warnings.
//
// If storage is enabled, The Lounge will fetch and store images and thumbnails
// in the `${THELOUNGE_HOME}/storage` folder.
//
// Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
// and the folder is cleaned up on every The Lounge restart.
//
// @type boolean
// @default false
//
prefetchStorage: false,
//
// Prefetch URLs Image Preview size limit
//
// If prefetch is enabled, The Lounge will only display content under the maximum size.
// Specified value is in kilobytes. Default value is 2048 kilobytes.
//
// @type int
// @default 2048
//
prefetchMaxImageSize: 2048,
//
// Display network
//
// If set to false network settings will not be shown in the login form.
//
// @type boolean
// @default true
//
displayNetwork: true,
//
// Lock network
//
// If set to true, users will not be able to modify host, port and tls
// settings and will be limited to the configured network.
//
// @type boolean
// @default false
//
lockNetwork: false,
//
// Hex IP
//
// If enabled, clients' username will be set to their IP encoded has hex.
// This is done to share the real user IP address with the server for host masking purposes.
//
// @type boolean
// @default false
//
useHexIp: false,
//
// WEBIRC support
//
// If enabled, The Lounge will pass the connecting user's host and IP to the
// IRC server. Note that this requires to obtain a password from the IRC network
// The Lounge will be connecting to and generally involves a lot of trust from the
// network you are connecting to.
//
// Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
// Format (function):
// {"irc.example.net": function(client, args, trusted) {
// // here, we return a webirc object fed directly to `irc-framework`
// return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
// }}
//
// @type string | function(client, args):object(webirc)
// @default null
webirc: null,
//
// Log settings
//
// Logging has to be enabled per user. If enabled, logs will be stored in
// the 'logs/<user>/<network>/' folder.
//
// @type object
// @default {}
//
logs: {
//
// Timestamp format
//
// @type string
// @default "YYYY-MM-DD HH:mm:ss"
//
format: "YYYY-MM-DD HH:mm:ss",
//
// Timezone
//
// @type string
// @default "UTC+00:00"
//
timezone: "UTC+00:00",
},
//
// Maximum number of history lines per channel
//
// Defines the maximum number of history lines that will be kept in
// memory per channel/query, in order to reduce the memory usage of
// the server. Setting this to -1 will keep unlimited amount.
//
// @type integer
// @default 10000
maxHistory: 10000,
//
// Default values for the 'Connect' form.
//
// @type object
// @default {}
//
defaults: {
//
// Name
//
// @type string
// @default "Freenode"
//
name: "Freenode",
//
// Host
//
// @type string
// @default "chat.freenode.net"
//
host: "chat.freenode.net",
//
// Port
//
// @type int
// @default 6697
//
port: 6697,
//
// Password
//
// @type string
// @default ""
//
password: "",
//
// Enable TLS/SSL
//
// @type boolean
// @default true
//
tls: true,
//
// Nick
//
// @type string
// @default "lounge-user"
//
nick: "lounge-user",
//
// Username
//
// @type string
// @default "lounge-user"
//
username: "lounge-user",
//
// Real Name
//
// @type string
// @default "The Lounge User"
//
realname: "The Lounge User",
//
// Channels
// This is a comma-separated list.
//
// @type string
// @default "#thelounge"
//
join: "#thelounge",
},
//
// Set socket.io transports
//
// @type array
// @default ["polling", "websocket"]
//
transports: ["polling", "websocket"],
//
// Run The Lounge using encrypted HTTP/2.
// This will fallback to regular HTTPS if HTTP/2 is not supported.
//
// @type object
// @default {}
//
https: {
//
// Enable HTTP/2 / HTTPS support.
//
// @type boolean
// @default false
//
enable: false,
//
// Path to the key.
//
// @type string
// @example "sslcert/key.pem"
// @default ""
//
key: "",
//
// Path to the certificate.
//
// @type string
// @example "sslcert/key-cert.pem"
// @default ""
//
certificate: "",
//
// Path to the CA bundle.
//
// @type string
// @example "sslcert/bundle.pem"
// @default ""
//
ca: "",
},
//
// Default quit and part message if none is provided.
//
// @type string
// @default "The Lounge - https://thelounge.github.io"
//
leaveMessage: "The Lounge - https://thelounge.github.io",
//
// Run The Lounge with identd support.
//
// @type object
// @default {}
//
identd: {
//
// Run the identd daemon on server start.
//
// @type boolean
// @default false
//
enable: false,
//
// Port to listen for ident requests.
//
// @type int
// @default 113
//
port: 113,
},
//
// Enable oidentd support using the specified file
//
// Example: oidentd: "~/.oidentd.conf",
//
// @type string
// @default null
//
oidentd: null,
//
// LDAP authentication settings (only available if public=false)
// @type object
// @default {}
//
// The authentication process works as follows:
//
// 1. Lounge connects to the LDAP server with its system credentials
// 2. It performs a LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. Lounge tries to connect a second time, but this time using the user's
// DN and password. Auth is validated iff this connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
// to be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
// where <username> is the user name provided in the log in request,
// <primaryKey> is provided by the config and <fitler> is a filtering complement
// also given in the config, to filter for instance only for nodes of type
// inetOrgPerson, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
// ignore searchDN options and assume that the user DN is always:
// <bindDN>,<primaryKey>=<username>
// where <username> is the user name provided in the log in request, and <bindDN>
// and <primaryKey> are provided by the config.
//
ldap: {
//
// Enable LDAP user authentication
//
// @type boolean
// @default false
//
enable: true,
//
// LDAP server URL
//
// @type string
//
url: "ldap://{{ services.openldap.domain }}",
//
// LDAP connection tls options (only used if scheme is ldaps://)
//
// @type object (see nodejs' tls.connect() options)
// @default {}
//
// Example:
// You can use this option in order to force the use of IPv6:
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
tlsOptions: {},
//
// LDAP base dn, alternative to searchDN
//
// @type string
//
// baseDN: "",
//
// LDAP primary key
//
// @type string
// @default "uid"
//
primaryKey: "uid",
//
// LDAP search dn settings. This defines the procedure by which the
// lounge first look for user DN before authenticating her.
// Ignored if baseDN is specified
//
// @type object
//
searchDN: {
//
// LDAP searching bind DN
// This bind DN is used to query the server for the DN of the user.
// This is supposed to be a system user that has access in read only to
// the DNs of the people that are allowed to log in.
//
// @type string
//
rootDN: "cn=admin,dc=data,dc=coop",
//
// Password of the lounge LDAP system user
//
// @type string
//
rootPassword: "{{ ldap_admin_password }}",
//
// LDAP filter
//
// @type string
// @default "uid"
//
//filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
filter: "(objectClass=inetOrgPerson)",
//
// LDAP search base (search only within this node)
//
// @type string
//
base: "{{ ldap_dn }}",
//
// LDAP search scope
//
// @type string
// @default "sub"
//
scope: "sub",
},
},
// Extra debugging
//
// @type object
// @default {}
//
debug: {
// Enables extra debugging output provided by irc-framework.
//
// @type boolean
// @default false
//
ircFramework: false,
// Enables logging raw IRC messages into each server window.
//
// @type boolean
// @default false
//
raw: false,
},
};

View file

@ -0,0 +1,20 @@
# DB Version: 14
# OS Type: linux
# DB Type: oltp
# Total Memory (RAM): 16 GB
# Connections num: 300
# Data Storage: hdd
listen_addresses = '*'
max_connections = 300
shared_buffers = 4GB
effective_cache_size = 12GB
maintenance_work_mem = 1GB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 4
effective_io_concurrency = 2
work_mem = 6990kB
min_wal_size = 2GB
max_wal_size = 8GB

View file

@ -0,0 +1,2 @@
listen 8008;
client_max_body_size 1G; # default is 1M

View file

@ -0,0 +1 @@
client_max_body_size 1G; # default is 1M

View file

@ -0,0 +1,4 @@
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;

View file

@ -0,0 +1,2 @@
server_name www.data.coop;
return 301 $scheme://data.coop$request_uri;

View file

@ -1,6 +1,6 @@
# vim: ft=yaml.ansible
--- ---
- name: Restart nginx - name: restart nginx
community.docker.docker_container: command: docker compose restart proxy
name: nginx-proxy args:
restart: 'yes' chdir: "{{ services.nginx_proxy.volume_folder }}"
state: started

View file

@ -0,0 +1,26 @@
# vim: ft=yaml.ansible
---
- name: Create volume folder for service {{ service.name }}
file:
name: "{{ service.vars.volume_folder }}"
state: directory
- name: Upload Compose file for service {{ service.name }}
template:
src: compose-files/{{ service.name }}.yml.j2
dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
owner: root
mode: u=rw,go=
- name: Run pre-deployment tasks for service {{ service.name }}
include_tasks: pre_deploy/{{ service.name }}.yml
when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
- name: Deploy Compose stack for service {{ service.name }}
command: docker compose up -d --remove-orphans --pull always
args:
chdir: "{{ service.vars.volume_folder }}"
- name: Run post-deployment tasks for service {{ service.name }}
include_tasks: post_deploy/{{ service.name }}.yml
when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks

View file

@ -1,33 +1,44 @@
# vim: ft=yaml.ansible
--- ---
- name: Add docker gpg key - name: Add Docker PGP key
ansible.builtin.apt_key: apt_key:
keyserver: pgp.mit.edu keyserver: pgp.mit.edu
id: 8D81803C0EBFCD88 id: 8D81803C0EBFCD88
state: present state: present
- name: Add docker apt repository - name: Add Docker apt repository
ansible.builtin.apt_repository: apt_repository:
repo: deb https://download.docker.com/linux/ubuntu bionic stable repo: deb https://download.docker.com/linux/ubuntu bionic stable
state: present state: present
update_cache: true update_cache: yes
- name: Install docker-ce - name: Install Docker
ansible.builtin.apt: apt:
name: docker-ce name: "{{ pkgs }}"
state: present state: present
vars:
pkgs:
- docker-ce
- docker-compose-plugin
- name: Install docker python bindings - name: Configure cron job to prune unused Docker data weekly
ansible.builtin.pip: cron:
executable: pip3 name: Prune unused Docker data
name: docker-compose cron_file: ansible_docker_prune
job: 'docker system prune -fa && docker volume prune -fa'
special_time: weekly
user: root
state: present state: present
- name: Create folder structure for bind mounts - name: Create folder structure for bind mounts
ansible.builtin.file: file:
name: '{{ volume_root_folder }}' name: "{{ item }}"
state: directory state: directory
loop:
- "{{ volume_root_folder }}"
- "{{ volume_website_folder }}"
- name: Setup services - name: Set up services
ansible.builtin.import_tasks: services.yml import_tasks: services.yml
tags: tags:
- setup_services - setup_services

View file

@ -0,0 +1,13 @@
# vim: ft=yaml.ansible
---
- name: Generate htpasswd file
shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
args:
chdir: "{{ services.docker_registry.volume_folder }}"
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to registry
docker_login:
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
username: docker
password: "{{ docker_password }}"

View file

@ -0,0 +1,19 @@
# vim: ft=yaml.ansible
---
- name: Configure cron job to remove old Mastodon media daily
cron:
name: Clean Mastodon media data older than a week
cron_file: ansible_mastodon_clean_media
job: docker exec mastodon-web-1 tootctl media remove --days 7
special_time: daily
user: root
state: present
- name: Configure cron job to remove old Mastodon preview cards daily
cron:
name: Clean Mastodon preview card data older than two weeks
cron_file: ansible_mastodon_clean_preview_cards
job: docker exec mastodon-web-1 tootctl preview_cards remove --days 14
special_time: daily
user: root
state: present

View file

@ -0,0 +1,11 @@
# vim: ft=yaml.ansible
---
- name: Upload vhost config for root domain
copy:
src: vhost/base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
- name: Upload vhost config for WWW domain
copy:
src: vhost/www.base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.docker_registry.volume_folder }}/{{ volume }}"
state: directory
loop:
- auth
- registry
loop_control:
loop_var: volume
- name: Copy docker registry vhost configuration
copy:
src: vhost/docker_registry
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
mode: "0644"

View file

@ -0,0 +1,21 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.element.volume_folder }}/data"
state: directory
- name: Upload config.json
template:
src: element/config.json.j2
dest: "{{ services.element.volume_folder }}/data/config.json"
- name: Upload riot.im.conf
copy:
src: element/riot.im.conf
dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
- name: Upload vhost config for Element domain
copy:
src: vhost/element
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.element.domain }}"

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- db
- hedgedoc/uploads
loop_control:
loop_var: volume
- name: Copy SSO certificate
copy:
src: sso/sso.data.coop.pem
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"

View file

@ -0,0 +1,45 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- data
- dkim
- mail
- mailqueue
- filter
- postgres
- webmail
- overrides
- overrides/nginx
- overrides/dovecot
- overrides/postfix
- overrides/rspamd
- overrides/snappymail
loop_control:
loop_var: volume
- name: Upload mailu.env file
template:
src: mailu/env.j2
dest: "{{ services.mailu.volume_folder }}/mailu.env"
- name: Hard link to Let's Encrypt TLS certificate
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
state: hard
force: true
when: letsencrypt_enabled
- name: Hard link to Let's Encrypt TLS key
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
state: hard
force: true
when: letsencrypt_enabled

View file

@ -0,0 +1,45 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for Mastodon data
file:
name: "{{ services.mastodon.volume_folder }}/mastodon_data"
state: directory
owner: "991"
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for PostgreSQL data
file:
name: "{{ services.mastodon.volume_folder }}/postgres_data"
state: directory
owner: "70"
mode: u=rwx,go=
- name: Create subfolder for PostgreSQL config
file:
name: "{{ services.mastodon.volume_folder }}/postgres_config"
state: directory
owner: root
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for Redis data
file:
name: "{{ services.mastodon.volume_folder }}/redis_data"
state: directory
owner: "999"
group: "1000"
mode: u=rwx,g=rx,o=rx
- name: Upload mastodon.env file
template:
src: mastodon/env.j2
dest: "{{ services.mastodon.volume_folder }}/mastodon.env"
- name: Upload vhost config for Mastodon domain
copy:
src: vhost/mastodon
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
- name: Upload PostgreSQL config
copy:
src: mastodon/postgresql.conf
dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"

View file

@ -0,0 +1,34 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- data
- data/uploads
- data/media
loop_control:
loop_var: volume
- name: Create Matrix DB subfolder
file:
name: "{{ services.matrix.volume_folder }}/db"
state: directory
- name: Upload vhost config for Matrix domain
copy:
src: vhost/matrix
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
- name: Upload homeserver.yaml
template:
src: matrix/homeserver.yaml.j2
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
- name: Upload Matrix logging config
copy:
src: matrix/log.config
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.nextcloud.volume_folder }}/{{ volume }}"
state: directory
loop:
- app
- postgres
loop_control:
loop_var: volume
- name: Upload vhost config for Nextcloud domain
copy:
src: vhost/nextcloud
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
notify: "restart nginx"

View file

@ -0,0 +1,14 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume

View file

@ -0,0 +1,12 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- var/lib/ldap
- etc/slapd
- certs
loop_control:
loop_var: volume

View file

@ -0,0 +1,13 @@
# vim: ft=yaml.ansible
---
- name: Set up network for Postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: Create subfolder
file:
name: "{{ services.postfix.volume_folder }}/dkim"
state: directory

View file

@ -0,0 +1,16 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: Upload PrivateBin config
copy:
src: privatebin/conf.php
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"

View file

@ -0,0 +1,11 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.rallly.volume_folder }}/postgres"
state: directory
- name: Copy rallly.env file
template:
src: rallly/env.j2
dest: "{{ services.rallly.volume_folder }}/rallly.env"

View file

@ -0,0 +1,72 @@
# vim: ft=yaml.ansible
---
- name: Create SSH directory
file:
path: "{{ services.restic.volume_folder }}/ssh"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload private SSH key
copy:
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
owner: root
group: root
mode: '0600'
content: "{{ restic_secrets.ssh_privkey }}"
- name: Derive public SSH key
shell: >-
ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
> {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
args:
creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
- name: Set file permissions on public SSH key
file:
path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
owner: root
group: root
mode: '0644'
state: touch
- name: Upload SSH config
template:
src: restic/ssh.config.j2
dest: "{{ services.restic.volume_folder }}/ssh/config"
owner: root
group: root
mode: '0600'
- name: Upload SSH known_hosts file
template:
src: restic/ssh.known_hosts.j2
dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
owner: root
group: root
mode: '0600'
- name: Create scripts directory
file:
path: "{{ services.restic.volume_folder }}/scripts"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload failure.sh script
template:
src: restic/failure.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/failure.sh"
owner: root
group: root
mode: '0755'
- name: Upload success.sh script
template:
src: restic/success.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/success.sh"
owner: root
group: root
mode: '0755'

View file

@ -0,0 +1,9 @@
- name: Upload vhost config for uptime domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.domain }}_location"
- name: Upload vhost config for status domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.status_domain }}_location"

View file

@ -0,0 +1,20 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for MariaDB data
file:
name: "{{ services.writefreely.volume_folder }}/db"
owner: "999"
group: "999"
state: directory
- name: Create subfolder for encryption keys
file:
name: "{{ services.writefreely.volume_folder }}/keys"
owner: "2"
group: "2"
state: directory
- name: Upload config.ini
template:
src: "writefreely/config.ini.j2"
dest: "{{ services.writefreely.volume_folder }}/config.ini"

View file

@ -1,17 +1,28 @@
# vim: ft=yaml.ansible
--- ---
- name: setup external services network - name: Set up external services network
community.docker.docker_network: docker_network:
name: external_services name: external_services
- name: setup services - name: Deploy all services
include_tasks: services/{{ docker_service.value.file }} include_tasks:
loop: '{{ services | dict2items }}' file: block.yml
loop_control: vars:
loop_var: docker_service service:
when: single_service is not defined and docker_service.value.file is defined and name: "{{ item }}"
docker_service.value.disabled_in_vagrant is not defined vars: "{{ services[item] }}"
loop: "{{ services_include }}"
when: single_service is not defined and
(item.vars.disabled_in_vagrant is not defined or
not (item.vars.disabled_in_vagrant and vagrant))
- name: setup single service - name: Deploy single service
include_tasks: services/{{ services[single_service].file }} include_tasks:
when: single_service is defined and single_service in services and services[single_service].file file: block.yml
is defined and services[single_service].disabled_in_vagrant is not defined vars:
service:
name: "{{ single_service }}"
vars: "{{ services[single_service] }}"
when: single_service is defined and single_service in services and
(services[single_service].disabled_in_vagrant is not defined or
not (services[single_service].disabled_in_vagrant and vagrant))

View file

@ -1,57 +0,0 @@
---
- name: codimd network
community.docker.docker_network:
name: codimd
- name: create codimd volume folders
ansible.builtin.file:
name: '{{ codimd.volume_folder }}/{{ volume }}'
state: directory
loop:
- db
- codimd/uploads
loop_control:
loop_var: volume
- name: codimd database container
community.docker.docker_container:
name: codimd_db
image: postgres:10
state: started
restart_policy: unless-stopped
networks:
- name: codimd
volumes:
- '{{ codimd.volume_folder }}/db:/var/lib/postgresql/data'
env:
POSTGRES_USER: codimd
POSTGRES_PASSWORD: '{{ postgres_passwords.codimd }}'
- name: codimd app container
community.docker.docker_container:
name: codimd_app
image: hackmdio/hackmd:1.3.0
restart_policy: unless-stopped
networks:
- name: codimd
- name: ldap
- name: external_services
volumes:
- '{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads'
env:
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd
CMD_ALLOW_EMAIL_REGISTER: 'False'
CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: 'False'
CMD_LDAP_URL: ldap://openldap
CMD_LDAP_BINDDN: cn=admin,dc=data,dc=coop
CMD_LDAP_BINDCREDENTIALS: '{{ ldap_admin_password }}'
CMD_LDAP_SEARCHBASE: dc=data,dc=coop
CMD_LDAP_SEARCHFILTER: (&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))
CMD_USECDN: 'false'
VIRTUAL_HOST: '{{ codimd.domain }}'
LETSENCRYPT_HOST: '{{ codimd.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'

View file

@ -1,37 +0,0 @@
---
- name: copy docker registry nginx configuration
ansible.builtin.copy:
src: files/configs/docker_registry/nginx.conf
dest: /docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}
mode: '0644'
- name: docker registry container
community.docker.docker_container:
name: registry
image: registry:{{ services.docker_registry.version }}
restart_policy: always
volumes:
- '{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry'
- '{{ services.docker_registry.volume_folder }}/auth:/auth'
networks:
- name: external_services
env:
VIRTUAL_HOST: '{{ services.docker_registry.domain }}'
LETSENCRYPT_HOST: '{{ services.docker_registry.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: data.coop docker registry
- name: generate htpasswd file
shell: docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > services.docker_registry.volume_folder
}}/auth/htpasswd
args:
creates: '{{ services.docker_registry.volume_folder }}/auth/htpasswd'
- name: log in to registry
docker_login:
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain\
\ }}"
username: docker
password: '{{ docker_password }}'

View file

@ -1,51 +0,0 @@
---
- name: set up drone with docker runner
community.docker.docker_compose:
project_name: drone
pull: true
definition:
version: '3.6'
services:
drone:
container_name: drone
image: drone/drone:1
restart: unless-stopped
networks:
- external_services
- drone
volumes:
- '{{ services.drone.volume_folder }}:/data'
- /var/run/docker.sock:/var/run/docker.sock
environment:
DRONE_GITEA_SERVER: https://{{ services.gitea.domain }}
DRONE_GITEA_CLIENT_ID: '{{ drone_secrets.oauth_client_id }}'
DRONE_GITEA_CLIENT_SECRET: '{{ drone_secrets.oauth_client_secret }}'
DRONE_GIT_ALWAYS_AUTH: 'true'
DRONE_SERVER_HOST: '{{ services.drone.domain }}'
DRONE_SERVER_PROTO: https
DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
PLUGIN_CUSTOM_DNS: 91.239.100.100
VIRTUAL_HOST: '{{ services.drone.domain }}'
LETSENCRYPT_HOST: '{{ services.drone.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
drone-runner-docker:
container_name: drone-runner-docker
image: drone/drone-runner-docker:{{ services.drone.version }}
restart: unless-stopped
networks:
- drone
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
DRONE_RPC_HOST: '{{ services.drone.domain }}'
DRONE_RPC_PROTO: https
DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: data.coop_drone_runner
networks:
drone:
external_services:
external:
name: external_services

View file

@ -1,38 +0,0 @@
---
- name: gitea network
community.docker.docker_network:
name: gitea
# old DNS: 138.68.71.153
- name: gitea container
community.docker.docker_container:
name: gitea
image: gitea/gitea:{{ services.gitea.version }}
restart_policy: unless-stopped
networks:
- name: gitea
- name: postfix
- name: external_services
volumes:
- '{{ services.gitea.volume_folder }}:/data'
published_ports:
- 22:22
env:
VIRTUAL_HOST: '{{ services.gitea.domain }}'
VIRTUAL_PORT: '3000'
LETSENCRYPT_HOST: '{{ services.gitea.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
GITEA__mailer__ENABLED: 'true'
GITEA__mailer__FROM: noreply@{{ services.gitea.domain }}
GITEA__mailer__MAILER_TYPE: smtp
GITEA__mailer__HOST: '{{ smtp_host }}:{{ smtp_port }}'
GITEA__mailer__USER: noop
GITEA__mailer__PASSWD: noop
GITEA__security__LOGIN_REMEMBER_DAYS: '60'
GITEA__security__PASSWORD_COMPLEXITY: 'off'
GITEA__security__MIN_PASSWORD_LENGTH: '8'
GITEA__security__PASSWORD_CHECK_PWN: 'true'
GITEA__service__ENABLE_NOTIFY_MAIL: 'true'
GITEA__service__REGISTER_EMAIL_CONFIRM: 'true'

View file

@ -1,65 +0,0 @@
---
- name: create hedgedoc volume folders
ansible.builtin.file:
name: '{{ services.hedgedoc.volume_folder }}/{{ volume }}'
state: directory
loop:
- db
- hedgedoc/uploads
loop_control:
loop_var: volume
- name: copy sso public certificate
ansible.builtin.copy:
src: files/sso/sso.data.coop.pem
dest: '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem'
mode: '0644'
- name: setup hedgedoc
community.docker.docker_compose:
project_name: hedgedoc
pull: true
definition:
services:
database:
image: postgres:10-alpine
environment:
POSTGRES_USER: codimd
POSTGRES_PASSWORD: '{{ postgres_passwords.hedgedoc }}'
POSTGRES_DB: codimd
restart: unless-stopped
networks:
- hedgedoc
volumes:
- '{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data'
app:
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
environment:
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd
CMD_DOMAIN: '{{ services.hedgedoc.domain }}'
CMD_ALLOW_EMAIL_REGISTER: 'False'
CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: 'False'
CMD_SAML_IDPCERT: /sso.data.coop.pem
CMD_SAML_IDPSSOURL: https://sso.data.coop/auth/realms/datacoop/protocol/saml
CMD_SAML_ISSUER: hedgedoc
CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
CMD_USECDN: 'false'
CMD_PROTOCOL_USESSL: 'true'
VIRTUAL_HOST: '{{ services.hedgedoc.domain }}'
LETSENCRYPT_HOST: '{{ services.hedgedoc.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
volumes:
- '{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads'
- '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem'
restart: unless-stopped
networks:
- hedgedoc
- external_services
depends_on:
- database
networks:
hedgedoc:
external_services:
external: true

View file

@ -1,44 +0,0 @@
---
- name: setup keycloak containers for sso.data.coop
community.docker.docker_compose:
project_name: keycloak
pull: true
definition:
version: '3.6'
services:
postgres:
image: postgres:10
restart: unless-stopped
networks:
- keycloak
volumes:
- '{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data'
environment:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: '{{ postgres_passwords.keycloak }}'
POSTGRES_DB: keycloak
app:
image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
restart: unless-stopped
networks:
- keycloak
- postfix
- external_services
command: start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak
--db-username=keycloak --db-password={{ postgres_passwords.keycloak
}} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080
--http-relative-path=/auth
environment:
VIRTUAL_HOST: '{{ services.keycloak.domain }}'
VIRTUAL_PORT: '8080'
LETSENCRYPT_HOST: '{{ services.keycloak.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
networks:
keycloak:
postfix:
external: true
external_services:
external: true

View file

@ -1,164 +0,0 @@
---
- name: create mailu volume folders
ansible.builtin.file:
name: '{{ services.mailu.volume_folder }}/{{ volume }}'
state: directory
loop:
- redis
- certs
- overrides
- data
- dkim
- mail
- filter
- dav
- webmail
loop_control:
loop_var: volume
- name: upload mailu.env file
ansible.builtin.template:
src: mailu.env.j2
dest: '{{ services.mailu.volume_folder}}/mailu.env'
- name: hard link to Let's Encrypt TLS certificate
ansible.builtin.file:
src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
}}/fullchain.pem'
dest: '{{ services.mailu.volume_folder }}/certs/cert.pem'
state: hard
force: true
when: letsencrypt_enabled
- name: hard link to Let's Encrypt TLS key
ansible.builtin.file:
src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
}}/key.pem'
dest: '{{ services.mailu.volume_folder }}/certs/key.pem'
state: hard
force: true
when: letsencrypt_enabled
- name: run mail server containers
community.docker.docker_compose:
project_name: mail_server
pull: true
definition:
version: '3.6'
services:
redis:
image: redis:alpine
restart: always
volumes:
- '{{ services.mailu.volume_folder }}/redis:/data'
database:
image: mailu/postgresql:{{ services.mailu.version }}
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes:
- '{{ services.mailu.volume_folder }}/data/psql_db:/data'
- '{{ services.mailu.volume_folder }}/data/psql_backup:/backup'
networks:
- default
- external_services
front:
image: mailu/nginx:{{ services.mailu.version }}
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
environment:
VIRTUAL_HOST: '{{ services.mailu.domain }}'
LETSENCRYPT_HOST: '{{ services.mailu.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
volumes:
- '{{ services.mailu.volume_folder }}/certs:/certs'
- '{{ services.mailu.volume_folder }}/overrides/nginx:/overrides'
expose:
- '80'
ports:
- 993:993
- 25:25
- 587:587
- 465:465
networks:
- default
- external_services
resolver:
image: mailu/unbound:{{ services.mailu.version }}
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
networks:
default:
ipv4_address: '{{ services.mailu.dns }}'
admin:
image: mailu/admin:{{ services.mailu.version }}
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes:
- '{{ services.mailu.volume_folder }}/data:/data'
- '{{ services.mailu.volume_folder }}/dkim:/dkim'
depends_on:
- redis
imap:
image: mailu/dovecot:{{ services.mailu.version }}
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes:
- '{{ services.mailu.volume_folder }}/mail:/mail'
- '{{ services.mailu.volume_folder }}/overrides:/overrides'
depends_on:
- front
smtp:
image: mailu/postfix:{{ services.mailu.version }}
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes:
- '{{ services.mailu.volume_folder }}/overrides:/overrides'
depends_on:
- front
- resolver
dns:
- '{{ services.mailu.dns }}'
antispam:
image: mailu/rspamd:{{ services.mailu.version }}
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes:
- '{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd'
- '{{ services.mailu.volume_folder }}/dkim:/dkim'
- '{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d'
depends_on:
- front
- resolver
dns:
- '{{ services.mailu.dns }}'
webmail:
image: mailu/rainloop:1.6
restart: always
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
volumes:
- '{{ services.mailu.volume_folder }}/webmail:/data'
depends_on:
- front
- resolver
dns:
- '{{ services.mailu.dns }}'
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: '{{ services.mailu.subnet }}'
external_services:
external:
name: external_services

View file

@ -1,126 +0,0 @@
---
- name: create mastodon volume folders
ansible.builtin.file:
name: '{{ services.mastodon.volume_folder }}/{{ volume }}'
state: directory
owner: '991'
group: '991'
loop:
- postgres_data
- redis_data
- mastodon_data
loop_control:
loop_var: volume
- name: Copy mastodon environment file
ansible.builtin.template:
src: files/configs/mastodon/env_file.j2
dest: '{{ services.mastodon.volume_folder }}/env_file'
- name: upload vhost config for root domain
ansible.builtin.template:
src: files/configs/mastodon/vhost-mastodon
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain
}}'
- name: set up mastodon
community.docker.docker_compose:
project_name: mastodon
pull: true
definition:
version: '3'
services:
db:
restart: always
image: postgres:14-alpine
shm_size: 256mb
networks:
- internal_network
healthcheck:
test: [CMD, pg_isready, -U, postgres]
volumes:
- '{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data'
environment:
- POSTGRES_HOST_AUTH_METHOD=trust
redis:
restart: always
image: redis:6-alpine
networks:
- internal_network
healthcheck:
test: [CMD, redis-cli, ping]
volumes:
- '{{ services.mastodon.volume_folder }}/redis_data:/data'
web:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: '{{ services.mastodon.volume_folder }}/env_file'
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails
s -p 3000"
networks:
- external_services
- internal_network
healthcheck:
test: |
[CMD-SHELL, wget -q --spider --proxy=off localhost:3000/health || exit 1]
depends_on:
- db
- redis
volumes:
- '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
environment:
VIRTUAL_HOST: '{{ services.mastodon.domain }}'
VIRTUAL_PORT: '3000'
VIRTUAL_PATH: /
LETSENCRYPT_HOST: '{{ services.mastodon.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
streaming:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: '{{ services.mastodon.volume_folder }}/env_file'
command: node ./streaming
networks:
- external_services
- internal_network
healthcheck:
test: |
[CMD-SHELL, wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1]
ports:
- 127.0.0.1:4000:4000
depends_on:
- db
- redis
environment:
VIRTUAL_HOST: '{{ services.mastodon.domain }}'
VIRTUAL_PORT: '4000'
VIRTUAL_PATH: /api/v1/streaming
sidekiq:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: '{{ services.mastodon.volume_folder }}/env_file'
command: bundle exec sidekiq -c 32
environment:
DB_POOL: 32
depends_on:
- db
- redis
networks:
- postfix
- external_services
- internal_network
volumes:
- '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
healthcheck:
test: [CMD-SHELL, "ps aux | grep '[s]idekiq 6' || false"]
networks:
external_services:
external: true
postfix:
external: true
internal_network:
internal: true

View file

@ -1,127 +0,0 @@
---
- name: create matrix volume folders
ansible.builtin.file:
name: '{{ services.matrix.volume_folder }}/{{ volume }}'
state: directory
owner: '991'
group: '991'
loop:
- data
- data/uploads
- data/media
loop_control:
loop_var: volume
- name: create matrix DB folder
ansible.builtin.file:
name: '{{ services.matrix.volume_folder }}/db'
state: directory
- name: create riot volume folders
ansible.builtin.file:
name: '{{ services.riot.volume_folder }}/{{ volume }}'
state: directory
loop:
- data
loop_control:
loop_var: volume
- name: upload riot config.json
ansible.builtin.template:
src: files/configs/riot/config.json
dest: '{{ services.riot.volume_folder }}/data/config.json'
- name: upload riot.im.conf
ansible.builtin.template:
src: files/configs/riot/riot.im.conf
dest: '{{ services.riot.volume_folder }}/data/riot.im.conf'
- name: upload vhost config for root domain
ansible.builtin.template:
src: files/configs/matrix/vhost-root
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}'
- name: upload vhost config for matrix domain
ansible.builtin.template:
src: files/configs/matrix/vhost-matrix
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain
}}'
- name: upload vhost config for riot domain
ansible.builtin.template:
src: files/configs/matrix/vhost-riot
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ domain }}'
loop: '{{ services.riot.domains }}'
loop_control:
loop_var: domain
- name: upload homeserver.yaml
ansible.builtin.template:
src: files/configs/matrix/homeserver.yaml.j2
dest: '{{ services.matrix.volume_folder }}/data/homeserver.yaml'
- name: upload matrix logging config
ansible.builtin.template:
src: files/configs/matrix/matrix.data.coop.log.config
dest: '{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config'
- name: set up matrix and riot
community.docker.docker_compose:
project_name: matrix
pull: true
definition:
version: '3.6'
services:
matrix_db:
container_name: matrix_db
image: postgres:10
restart: unless-stopped
networks:
- matrix
volumes:
- '{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data'
environment:
POSTGRES_USER: synapse
POSTGRES_PASSWORD: '{{ postgres_passwords.matrix }}'
matrix_app:
container_name: matrix
image: matrixdotorg/synapse:{{ services.matrix.version }}
restart: unless-stopped
networks:
- matrix
- external_services
volumes:
- '{{ services.matrix.volume_folder }}/data:/data'
environment:
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
SYNAPSE_CACHE_FACTOR: '2'
SYNAPSE_LOG_LEVEL: INFO
VIRTUAL_HOST: '{{ services.matrix.domain }}'
VIRTUAL_PORT: '8008'
LETSENCRYPT_HOST: '{{ services.matrix.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
riot:
container_name: riot_app
image: avhost/docker-matrix-riot:{{ services.riot.version }}
restart: unless-stopped
networks:
- matrix
- external_services
expose:
- 8080
volumes:
- '{{ services.riot.volume_folder }}/data:/data'
environment:
VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
VIRTUAL_PORT: '8080'
LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
networks:
external_services:
external:
name: external_services
matrix:
name: matrix

View file

@ -1,55 +0,0 @@
---
- name: run membersystem containers
community.docker.docker_compose:
project_name: member.data.coop
pull: true
definition:
version: '3'
services:
backend:
image: docker.data.coop/membersystem:latest
restart: always
user: $UID:$GID
tty: true
depends_on:
- postgres
networks:
- membersystem
- external_services
- postfix
environment:
SECRET_KEY: '{{ membersystem_secrets.secret_key }}'
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem
}}@postgres:5432/postgres
POSTGRES_HOST: postgres
POSTGRES_PORT: 5432
EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
VIRTUAL_HOST: '{{ services.membersystem.domain }}'
VIRTUAL_PORT: '8000'
LETSENCRYPT_HOST: '{{ services.membersystem.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
ALLOWED_HOSTS: '{{ services.membersystem.domain }}'
CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
DJANGO_ADMINS: '{{ services.membersystem.django_admins }}'
DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
labels:
com.centurylinklabs.watchtower.enable: 'true'
postgres:
image: postgres:13-alpine
restart: always
volumes:
- '{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data'
networks:
- membersystem
environment:
POSTGRES_PASSWORD: '{{ postgres_passwords.membersystem }}'
networks:
membersystem:
external_services:
external: true
postfix:
external: true

View file

@ -1,25 +0,0 @@
---
- name: setup netdata docker container for system monitoring
community.docker.docker_container:
name: netdata
image: netdata/netdata:{{ services.netdata.version }}
restart_policy: unless-stopped
hostname: hevonen.servers.{{ base_domain }}
capabilities:
- SYS_PTRACE
security_opts:
- apparmor:unconfined
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- name: external_services
env:
VIRTUAL_HOST: '{{ services.netdata.domain }}'
LETSENCRYPT_HOST: '{{ services.netdata.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
PGID: '999'
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -1,76 +0,0 @@
---
- name: upload vhost config for cloud.data.coop
ansible.builtin.template:
src: files/configs/nextcloud/vhost
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain
}}'
notify: restart nginx
- name: setup nextcloud containers
community.docker.docker_compose:
project_name: nextcloud
pull: true
definition:
services:
postgres:
image: postgres:10
restart: unless-stopped
networks:
- nextcloud
volumes:
- '{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data'
environment:
POSTGRES_DB: nextcloud
POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
POSTGRES_USER: nextcloud
redis:
image: redis:7-alpine
restart: unless-stopped
command: redis-server --requirepass {{ nextcloud_secrets.redis_password
}}
tmpfs:
- /var/lib/redis
networks:
- nextcloud
cron:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
entrypoint: /cron.sh
networks:
- nextcloud
volumes:
- '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
depends_on:
- postgres
- redis
app:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
networks:
- nextcloud
- postfix
- external_services
volumes:
- '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
environment:
VIRTUAL_HOST: '{{ services.nextcloud.domain }}'
LETSENCRYPT_HOST: '{{ services.nextcloud.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
POSTGRES_HOST: postgres
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
REDIS_HOST: redis
REDIS_HOST_PASSWORD: '{{ nextcloud_secrets.redis_password }}'
depends_on:
- postgres
- redis
networks:
nextcloud:
postfix:
external: true
external_services:
external: true

View file

@ -1,47 +0,0 @@
---
- name: create nginx-proxy volume folders
ansible.builtin.file:
name: '{{ services.nginx_proxy.volume_folder }}/{{ volume }}'
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
community.docker.docker_container:
name: nginx-proxy
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart_policy: always
networks:
- name: external_services
published_ports:
- 80:80
- 443:443
volumes:
- '{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d'
- '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
- '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
- '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam'
- '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro'
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
community.docker.docker_container:
name: nginx-proxy-le
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
restart_policy: always
volumes:
- '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
- '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
- '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro'
- '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs'
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy
when: letsencrypt_enabled

View file

@ -1,73 +0,0 @@
---
- name: create ldap volume folders
ansible.builtin.file:
name: '{{ services.openldap.volume_folder }}/{{ volume }}'
state: directory
loop:
- var/lib/ldap
- etc/slapd
- certs
loop_control:
loop_var: volume
- name: Create a network for ldap
community.docker.docker_network:
name: ldap
- name: openLDAP container
community.docker.docker_container:
name: openldap
image: osixia/openldap:{{ services.openldap.version }}
tty: true
interactive: true
restart_policy: unless-stopped
volumes:
- '{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap'
- '{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d'
- '{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/'
published_ports:
- 389:389
- 636:636
hostname: '{{ services.openldap.domain }}'
domainname: '{{ services.openldap.domain }}' # important: same as hostname
networks:
- name: ldap
env:
LDAP_LOG_LEVEL: '256'
LDAP_ORGANISATION: '{{ base_domain }}'
LDAP_DOMAIN: '{{ base_domain }}'
LDAP_BASE_DN: ''
LDAP_ADMIN_PASSWORD: '{{ ldap_admin_password }}'
LDAP_CONFIG_PASSWORD: '{{ ldap_config_password }}'
LDAP_READONLY_USER: 'false'
LDAP_RFC2307BIS_SCHEMA: 'false'
LDAP_BACKEND: mdb
LDAP_TLS: 'true'
LDAP_TLS_CRT_FILENAME: ldap.crt
LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt
LDAP_TLS_ENFORCE: 'false'
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_PROTOCOL_MIN: '3.1'
LDAP_TLS_VERIFY_CLIENT: demand
LDAP_REPLICATION: 'false'
KEEP_EXISTING_CONFIG: 'false'
LDAP_REMOVE_CONFIG_AFTER_SETUP: 'true'
LDAP_SSL_HELPER_PREFIX: ldap
- name: phpLDAPadmin container
community.docker.docker_container:
name: phpldapadmin
image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
restart_policy: unless-stopped
networks:
- name: external_services
- name: ldap
env:
PHPLDAPADMIN_LDAP_HOSTS: openldap
PHPLDAPADMIN_HTTPS: 'false'
PHPLDAPADMIN_TRUST_PROXY_SSL: 'true'
VIRTUAL_HOST: '{{ services.openldap.domain }}'
LETSENCRYPT_HOST: '{{ services.openldap.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'

View file

@ -1,46 +0,0 @@
---
- name: setup passit containers
community.docker.docker_compose:
project_name: passit
pull: true
definition:
version: '3.6'
services:
passit_db:
image: postgres:10
restart: always
networks:
- passit
volumes:
- '{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data'
environment:
POSTGRES_USER: passit
POSTGRES_PASSWORD: '{{ postgres_passwords.passit }}'
passit_app:
image: passit/passit:{{ services.passit.version }}
command: bin/start.sh
restart: always
networks:
- passit
- postfix
- external_services
environment:
DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit
SECRET_KEY: '{{ passit_secret_key }}'
IS_DEBUG: 'False'
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
FIDO_SERVER_ID: '{{ services.passit.domain }}'
VIRTUAL_HOST: '{{ services.passit.domain }}'
LETSENCRYPT_HOST: '{{ services.passit.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
networks:
passit:
postfix:
external: true
external_services:
external: true

View file

@ -1,22 +0,0 @@
---
- name: create portainer volume folder
ansible.builtin.file:
name: '{{ services.portainer.volume_folder }}'
state: directory
- name: run portainer
community.docker.docker_container:
name: portainer
image: portainer/portainer-ee:{{ services.portainer.version }}
restart_policy: always
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- '{{ services.portainer.volume_folder }}:/data'
env:
VIRTUAL_HOST: '{{ services.portainer.domain }}'
VIRTUAL_PORT: '9000'
LETSENCRYPT_HOST: '{{ services.portainer.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'

View file

@ -1,21 +0,0 @@
---
- name: setup network for postfix
community.docker.docker_network:
name: postfix
ipam_config:
- subnet: 172.16.0.0/16
gateway: 172.16.0.1
- name: setup postfix docker container for outgoing mail
community.docker.docker_container:
name: postfix
image: boky/postfix:{{ services.postfix.version }}
restart_policy: always
networks:
- name: postfix
env:
# Get all services which have allowed_sender_domain defined
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain',\
\ 'defined') | map(attribute='value.domain') | list | join(' ') }}"
HOSTNAME: smtp.data.coop # the name the smtp server will identify itself as

View file

@ -1,31 +0,0 @@
---
- name: create privatebin volume folders
ansible.builtin.file:
name: '{{ services.privatebin.volume_folder }}/{{ volume }}'
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: upload privatebin config
ansible.builtin.template:
src: files/configs/privatebin-conf.php
dest: '{{ services.privatebin.volume_folder }}/cfg/conf.php'
- name: privatebin app container
community.docker.docker_container:
name: privatebin
image: jgeusebroek/privatebin:{{ services.privatebin.version }}
restart_policy: unless-stopped
volumes:
- '{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg'
- '{{ services.privatebin.volume_folder }}/data:/privatebin/data'
networks:
- name: external_services
env:
VIRTUAL_HOST: '{{ services.privatebin.domain }}'
LETSENCRYPT_HOST: '{{ services.privatebin.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'

View file

@ -1,64 +0,0 @@
---
- name: Create rallly volume folders
ansible.builtin.file:
name: '{{ services.rallly.volume_folder }}/postgres'
state: directory
- name: Copy Rallly environment file
ansible.builtin.template:
src: files/configs/rallly/env_file.j2
dest: '{{ services.rallly.volume_folder }}/env_file'
- name: Set up Rallly
community.docker.docker_compose:
project_name: rallly
pull: true
definition:
version: '3.8'
services:
rallly_db:
image: postgres:14-alpine
restart: always
shm_size: 256mb
networks:
rallly_internal:
volumes:
- '{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data'
environment:
POSTGRES_PASSWORD: '{{ postgres_passwords.rallly }}'
POSTGRES_DB: rallly_db
healthcheck:
test: [CMD-SHELL, pg_isready -U postgres]
interval: 5s
timeout: 5s
retries: 5
labels:
com.centurylinklabs.watchtower.enable: 'true'
rallly:
image: lukevella/rallly:{{ services.rallly.version }}
restart: always
networks:
rallly_internal:
external_services:
postfix:
depends_on:
rallly_db:
condition: service_healthy
env_file:
- '{{ services.rallly.volume_folder }}/env_file'
environment:
VIRTUAL_HOST: '{{ services.rallly.domain }}'
VIRTUAL_PORT: '3000'
LETSENCRYPT_HOST: '{{ services.rallly.domain }}'
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels:
com.centurylinklabs.watchtower.enable: 'true'
networks:
rallly_internal:
internal: true
external_services:
external: true
postfix:
external: true

View file

@ -1,40 +0,0 @@
---
- name: Setup restic backup
community.docker.docker_compose:
project_name: restic_backup
pull: true
definition:
version: '3.6'
services:
restic-backup:
image: mazzolino/restic:{{ services.restic.version }}
restart: always
environment:
RUN_ON_STARTUP: 'true'
BACKUP_CRON: 0 30 3 * * *
RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
}}@{{ services.restic.domain }}/{{ services.restic.repository }}
RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
RESTIC_BACKUP_SOURCES: /mnt/volumes
RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes
--exclude='*.tmp'
--verbose
RESTIC_FORGET_ARGS: >-
--keep-last 10
--keep-daily 7
--keep-weekly 5
--keep-monthly 12
TZ: Europe/Copenhagen
volumes:
- /docker-volumes:/mnt/volumes:ro
restic-prune:
image: mazzolino/restic:{{ services.restic.version }}
environment:
RUN_ON_STARTUP: 'true'
PRUNE_CRON: 0 0 4 * * *
RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
}}@{{ services.restic.domain }}/{{ services.restic.repository }}
RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
TZ: Europe/copenhagen

View file

@ -1,14 +0,0 @@
---
- name: watchtower container
community.docker.docker_container:
name: watchtower
image: containrrr/watchtower:1.4.0
restart_policy: unless-stopped
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- '{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json'
env:
WATCHTOWER_LABEL_ENABLE: 'true'
WATCHTOWER_POLL_INTERVAL: '60'

View file

@ -1,24 +0,0 @@
---
- name: setup 2022.slides.data.coop website using unipi
community.docker.docker_container:
name: 2022.slides.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: true
networks:
- name: external_services
env:
VIRTUAL_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
}}
LETSENCRYPT_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
}}
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
# Temporarily hosting on github
command: --remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022
capabilities:
- NET_ADMIN
devices:
- /dev/net/tun
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -1,15 +0,0 @@
---
- name: setup cryptoaarhus.dk website docker container
community.docker.docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -1,15 +0,0 @@
---
- name: setup cryptohagen.dk website docker container
community.docker.docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -1,15 +0,0 @@
---
- name: setup data.coop website docker container
community.docker.docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -1,23 +0,0 @@
---
- name: setup new-new data.coop website using unipi
community.docker.docker_container:
name: new-new.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: true
networks:
- name: external_services
env:
VIRTUAL_HOST: new-new.{{ services.data_coop_website.domains | join(',') }}
LETSENCRYPT_HOST: new-new.{{ services.data_coop_website.domains | join(',')
}}
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
# The ssh-key is for read-only only
command: --remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU=
--ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI
capabilities:
- NET_ADMIN
devices:
- /dev/net/tun
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -1,15 +0,0 @@
---
- name: setup new data.coop website using hugo
community.docker.docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST: new.{{ services.data_coop_website.domains|join(',') }}
LETSENCRYPT_HOST: new.{{ services.data_coop_website.domains|join(',') }}
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -1,14 +0,0 @@
---
- name: setup ulovliglogning.dk website docker container
community.docker.docker_container:
name: ulovliglogning_website
restart_policy: unless-stopped
image: ulovliglogning/ulovliglogning.dk:latest
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
labels:
com.centurylinklabs.watchtower.enable: 'true'

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptoaarhus-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptohagen-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

View file

@ -0,0 +1,27 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
prod-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
staging-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

View file

@ -0,0 +1,26 @@
# vim: ft=yaml.ansible
---
version: "3.5"
services:
diun:
image: "ghcr.io/crazy-max/diun:{{ services.diun.version }}"
command: serve
volumes:
- "./data:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- "TZ=Europe/Paris"
- "DIUN_WATCH_WORKERS=20"
- "DIUN_WATCH_SCHEDULE=0 */6 * * *"
- "DIUN_WATCH_JITTER=30s"
- "DIUN_PROVIDERS_DOCKER=true"
- "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
- "DIUN_NOTIF_MATRIX_HOMESERVERURL=https://{{ services.matrix.domain }}"
- "DIUN_NOTIF_MATRIX_USER={{ services.diun.matrix_user }}"
- "DIUN_NOTIF_MATRIX_ROOMID={{ services.diun.matrix_room }}"
- "DIUN_NOTIF_MATRIX_PASSWORD={{ diun_secrets.matrix_password }}"
- "DIUN_NOTIF_MATRIX_MSGTYPE=text"
labels:
- "diun.enable=true"
restart: always

View file

@ -0,0 +1,23 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: registry:{{ services.docker_registry.version }}
restart: always
networks:
- external_services
volumes:
- "./registry:/var/lib/registry"
- "./auth:/auth"
environment:
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
networks:
external_services:
external: true

View file

@ -0,0 +1,40 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: drone/drone:{{ services.drone.version }}
restart: unless-stopped
networks:
- default
- external_services
volumes:
- ".:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: https://{{ services.forgejo.domain }}
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: true
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
DRONE_SERVER_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
VIRTUAL_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
runner:
image: drone/drone-runner-docker:{{ services.drone.version }}
restart: unless-stopped
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ services.drone.domain }}"
DRONE_RPC_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: data.coop_drone_runner
networks:
external_services:
external: true

View file

@ -0,0 +1,22 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: avhost/docker-matrix-element:{{ services.element.version }}
restart: unless-stopped
networks:
- external_services
expose:
- "8080"
volumes:
- "./data:/data"
environment:
VIRTUAL_HOST: "{{ services.element.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.element.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

View file

@ -0,0 +1,22 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
command: --remote=https://git.data.coop/fedi.dk/website.git#main
cap_add:
- NET_ADMIN
devices:
- "/dev/net/tun"
networks:
external_services:
external: true

View file

@ -0,0 +1,38 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
restart: unless-stopped
networks:
- external_services
- postfix
volumes:
- ".:/data"
ports:
- "22:22"
environment:
VIRTUAL_HOST: "{{ services.forgejo.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
FORGEJO__mailer__ENABLED: true
FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }}
FORGEJO__mailer__PROTOCOL: smtp
FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}"
FORGEJO__mailer__SMTP_PORT: "{{ smtp_port }}"
FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
FORGEJO__security__PASSWORD_COMPLEXITY: off
FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
FORGEJO__security__PASSWORD_CHECK_PWN: true
FORGEJO__service__ENABLE_NOTIFY_MAIL: true
FORGEJO__service__REGISTER_EMAIL_CONFIRM: true
networks:
external_services:
external: true
postfix:
external: true

View file

@ -0,0 +1,44 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.hedgedoc.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: codimd
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: codimd
app:
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
volumes:
- "./hedgedoc/uploads:/hedgedoc/public/uploads"
- "./sso.data.coop.pem:/sso.data.coop.pem"
restart: unless-stopped
networks:
- default
- external_services
environment:
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@db:5432/codimd
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: False
CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: False
CMD_SAML_IDPCERT: /sso.data.coop.pem
CMD_SAML_IDPSSOURL: https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml
CMD_SAML_ISSUER: hedgedoc
CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
CMD_USECDN: false
CMD_PROTOCOL_USESSL: true
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
depends_on:
- db
networks:
external_services:
external: true

View file

@ -0,0 +1,42 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.keycloak.postgres_version }}
restart: unless-stopped
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: keycloak
app:
image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
command:
- "start"
- "--db=postgres"
- "--db-url=jdbc:postgresql://db:5432/keycloak"
- "--db-username=keycloak"
- "--db-password={{ postgres_passwords.keycloak }}"
- "--hostname={{ services.keycloak.domain }}"
- "--proxy=edge"
- "--https-port=8080"
- "--http-relative-path=/auth"
environment:
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true

View file

@ -0,0 +1,146 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.mailu.postgres_version }}
restart: unless-stopped
environment:
POSTGRES_DB: mailu
POSTGRES_USER: mailu
POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
volumes:
- "./postgres:/var/lib/postgresql/data"
dns:
- "{{ services.mailu.dns }}"
redis:
image: redis:{{ services.mailu.redis_version }}
restart: unless-stopped
volumes:
- "./redis:/data"
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
front:
image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
environment:
VIRTUAL_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "./certs:/certs"
- "./overrides/nginx:/overrides:ro"
expose:
- "80"
ports:
- "25:25"
- "465:465"
- "587:587"
- "110:110"
- "995:995"
- "143:143"
- "993:993"
networks:
- default
- webmail
- external_services
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
resolver:
image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
networks:
default:
ipv4_address: "{{ services.mailu.dns }}"
admin:
image: ghcr.io/mailu/admin:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./data:/data"
- "./dkim:/dkim"
networks:
default:
aliases:
- admin.mailu
depends_on:
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
imap:
image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mail:/mail"
- "./overrides/dovecot:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
smtp:
image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mailqueue:/queue"
- "./overrides/postfix:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
antispam:
image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
hostname: antispam
restart: unless-stopped
env_file: mailu.env
volumes:
- "./filter:/var/lib/rspamd"
- "./overrides/rspamd:/overrides:ro"
depends_on:
- front
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
webmail:
image: ghcr.io/mailu/webmail:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./webmail:/data"
- "./overrides/snappymail:/overrides:ro"
networks:
- webmail
depends_on:
- front
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ services.mailu.subnet }}"
webmail:
driver: bridge
external_services:
external: true

View file

@ -0,0 +1,146 @@
# vim: ft=yaml.docker-compose
x-sidekiq: &sidekiq
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
networks:
- default
- postfix
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
version: "3.8"
services:
db:
restart: always
image: postgres:{{ services.mastodon.postgres_version }}
shm_size: 256mb
volumes:
- "./postgres_data:/var/lib/postgresql/data"
- "./postgres_config:/config:ro"
command: postgres -c config_file=/config/postgresql.conf
environment:
POSTGRES_HOST_AUTH_METHOD: trust
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
redis:
restart: always
image: redis:{{ services.mastodon.redis_version }}
volumes:
- "./redis_data:/data"
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
web:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- default
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
environment:
MAX_THREADS: 10
WEB_CONCURRENCY: 3
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "3000"
VIRTUAL_PATH: /
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
streaming:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: node ./streaming
networks:
- default
- external_services
ports:
- "127.0.0.1:4000:4000"
environment:
DB_POOL: 15
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "4000"
VIRTUAL_PATH: "/api/v1/streaming"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
# sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-push-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q push -q pull
environment:
DB_POOL: 25
# sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-pull-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q pull -q push
environment:
DB_POOL: 25
# sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-pull-default-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q pull -q default -q push
environment:
DB_POOL: 25
# sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-push-default-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q push -q default -q pull
environment:
DB_POOL: 25
# sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-scheduler:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q scheduler
environment:
DB_POOL: 5
# sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-mailers:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q mailers
environment:
DB_POOL: 5
# sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
sidekiq-push-ingress:
<<: *sidekiq
command: bundle exec sidekiq -c 10 -q push -q ingress
environment:
DB_POOL: 10
networks:
external_services:
external: true
postfix:
external: true

View file

@ -0,0 +1,36 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.matrix.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: synapse
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
synapse:
image: ghcr.io/element-hq/synapse:{{ services.matrix.version }}
restart: unless-stopped
networks:
- default
- external_services
- postfix
volumes:
- "./data:/data"
environment:
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: INFO
VIRTUAL_HOST: "{{ services.matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
postfix:
external: true

View file

@ -0,0 +1,46 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: docker.data.coop/membersystem:{{ services.membersystem.version }}
restart: always
user: "$UID:$GID"
tty: true
networks:
- default
- external_services
- postfix
environment:
SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
POSTGRES_HOST: postgres
POSTGRES_PORT: 5432
EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
VIRTUAL_PORT: "8000"
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
STRIPE_API_KEY: "{{ membersystem_secrets.stripe_api_key }}"
STRIPE_ENDPOINT_SECRET: "{{ membersystem_secrets.stripe_endpoint_secret }}"
depends_on:
- postgres
postgres:
image: postgres:{{ services.membersystem.postgres_version }}
restart: always
volumes:
- "./postgres/data:/var/lib/postgresql/data"
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
networks:
external_services:
external: true
postfix:
external: true

View file

@ -0,0 +1,36 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: netdata/netdata:{{ services.netdata.version }}
restart: unless-stopped
hostname: hevonen.servers.{{ base_domain }}
volumes:
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/etc/os-release:/host/etc/os-release:ro"
networks:
- default
- external_services
environment:
VIRTUAL_HOST : "{{ services.netdata.domain }}"
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
DOCKER_HOST: "socket_proxy:2375"
cap_add:
- SYS_PTRACE
security_opt:
- apparmor:unconfined
socket-proxy:
image: tecnativa/docker-socket-proxy:latest
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
CONTAINERS: 1
networks:
external_services:
external: true

View file

@ -0,0 +1,59 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.nextcloud.postgres_version }}
restart: unless-stopped
volumes:
- "./postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: nextcloud
redis:
image: redis:{{ services.nextcloud.redis_version }}
restart: unless-stopped
command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}
tmpfs:
- /var/lib/redis
cron:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
entrypoint: /cron.sh
volumes:
- "./app:/var/www/html"
depends_on:
- postgres
- redis
app:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
volumes:
- "./app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: postgres
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
REDIS_HOST: redis
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
depends_on:
- postgres
- redis
networks:
postfix:
external: true
external_services:
external: true

View file

@ -0,0 +1,38 @@
version: "3.8"
services:
proxy:
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart: always
networks:
- external_services
ports:
- "80:80"
- "443:443"
volumes:
- "./conf:/etc/nginx/conf.d"
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam"
- "./certs:/etc/nginx/certs:ro"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
labels:
- com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
{% if letsencrypt_enabled %}
acme:
image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }}
restart: always
volumes:
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam:ro"
- "./certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
depends_on:
- proxy
{% endif %}
networks:
external_services:
external: true

View file

@ -0,0 +1,58 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: osixia/openldap:{{ services.openldap.version }}
restart: unless-stopped
tty: true
stdin_open: true
volumes:
- "./var/lib/ldap:/var/lib/ldap"
- "./etc/slapd.d:/etc/ldap/slapd.d"
- "./certs:/container/service/slapd/assets/certs/"
ports:
- "389:389"
- "636:636"
hostname: "{{ services.openldap.domain }}"
domainname: "{{ services.openldap.domain }}" # important: same as hostname
environment:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: false
LDAP_RFC2307BIS_SCHEMA: false
LDAP_BACKEND: mdb
LDAP_TLS: true
LDAP_TLS_CRT_FILENAME: ldap.crt
LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt
LDAP_TLS_ENFORCE: false
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: demand
LDAP_REPLICATION: false
KEEP_EXISTING_CONFIG: false
LDAP_REMOVE_CONFIG_AFTER_SETUP: true
LDAP_SSL_HELPER_PREFIX: ldap
admin:
image: osixia/phpldapadmin:{{ services.openldap.phpldapadmin_version }}
restart: unless-stopped
networks:
- default
- external_services
environment:
PHPLDAPADMIN_LDAP_HOSTS: app
PHPLDAPADMIN_HTTPS: false
PHPLDAPADMIN_TRUST_PROXY_SSL: true
VIRTUAL_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

View file

@ -0,0 +1,38 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.passit.postgres_version }}
restart: always
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: passit
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
app:
image: passit/passit:{{ services.passit.version }}
command: bin/start.sh
restart: always
networks:
- default
- postfix
- external_services
environment:
DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@db:5432/passit
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: "False"
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
FIDO_SERVER_ID: "{{ services.passit.domain }}"
VIRTUAL_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true

View file

@ -0,0 +1,21 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: portainer/portainer-ee:{{ services.portainer.version }}
restart: always
networks:
- external_services
volumes:
- ".:/data"
- "/var/run/docker.sock:/var/run/docker.sock:rw"
environment:
VIRTUAL_HOST: "{{ services.portainer.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

Some files were not shown because too many files have changed in this diff Show more