data.coop
/
ansible
8
3
Fork 7
Code Issues 49 Pull Requests 7 Projects 1 Releases Wiki Activity

Compare commits

base: data.coop:main
Branches Tags
data.coop:main
data.coop:proxmox
data.coop:diun
data.coop:use_sudo
data.coop:woodpeckerci
data.coop:linting
data.coop:mailman
data.coop:listmonk
data.coop:sshd-password
..
compare: data.coop:listmonk
Branches Tags
data.coop:main
data.coop:proxmox
data.coop:diun
data.coop:use_sudo
data.coop:woodpeckerci
data.coop:linting
data.coop:mailman
data.coop:listmonk
data.coop:sshd-password

1 Commits
main ... listmonk

Author SHA1 Message Date
Víðir Valberg Guðmundsson f36b76e293 Listmonk. 2022-05-08 21:22:25 +02:00
127 changed files with 2264 additions and 2729 deletions
Show Stats Expand all files Collapse all files

111
.ansible-lint
View File

@ -1,111 +0,0 @@
---
# .ansible-lint
profile: null # min, basic, moderate,safety, shared, production
# exclude_paths included in this file are parsed relative to this file's location
# and not relative to the CWD of execution. CLI arguments passed to the --exclude
# option are parsed relative to the CWD of execution.
exclude_paths:
- .cache/ # implicit unless exclude_paths is defined in config
- .github/
- test/fixtures/formatting-before/
- test/fixtures/formatting-prettier/
# parseable: true
# quiet: true
# strict: true
# verbosity: 1
# Mock modules or roles in order to pass ansible-playbook --syntax-check
mock_modules:
- zuul_return
# note the foo.bar is invalid as being neither a module or a collection
- fake_namespace.fake_collection.fake_module
- fake_namespace.fake_collection.fake_module.fake_submodule
mock_roles:
- mocked_role
- author.role_name # old standalone galaxy role
- fake_namespace.fake_collection.fake_role # role within a collection
# Enable checking of loop variable prefixes in roles
loop_var_prefix: "{role}_"
# Enforce variable names to follow pattern below, in addition to Ansible own
# requirements, like avoiding python identifiers. To disable add `var-naming`
# to skip_list.
# var_naming_pattern: "^[a-z_][a-z0-9_]*$"
use_default_rules: true
# Load custom rules from this specific folder
# rulesdir:
# - ./rule/directory/
# Ansible-lint completely ignores rules or tags listed below
skip_list:
- skip_this_tag
# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
# You must enable opt-in rules by listing each rule 'id' below.
enable_list:
- empty-string-compare # opt-in
- no-log-password # opt-in
- no-same-owner # opt-in
# add yaml here if you want to avoid ignoring yaml checks when yamllint
# library is missing. Normally its absence just skips using that rule.
- yaml
# Report only a subset of tags and fully ignore any others
# tags:
# - jinja[spacing]
# Ansible-lint does not fail on warnings from the rules or tags listed below
warn_list:
- skip_this_tag
- experimental # experimental is included in the implicit list
# - role-name
# - yaml[document-start] # you can also use sub-rule matches
# Some rules can transform files to fix (or make it easier to fix) identified
# errors. `ansible-lint --write` will reformat YAML files and run these transforms.
# By default it will run all transforms (effectively `write_list: ["all"]`).
# You can disable running transforms by setting `write_list: ["none"]`.
# Or only enable a subset of rule transforms by listing rules/tags here.
# write_list:
# - all
# Offline mode disables installation of requirements.yml
offline: false
# Return success if number of violations compared with previous git
# commit has not increased. This feature works only in git
# repositories.
progressive: false
# Define required Ansible's variables to satisfy syntax check
extra_vars:
foo: bar
multiline_string_variable: |
line1
line2
complex_variable: ":{;\t$()"
# Uncomment to enforce action validation with tasks, usually is not
# needed as Ansible syntax check also covers it.
# skip_action_validation: false
# List of additional kind:pattern to be added at the top of the default
# match list, first match determines the file kind.
kinds:
# - playbook: "**/examples/*.{yml,yaml}"
# - galaxy: "**/folder/galaxy.yml"
# - tasks: "**/tasks/*.yml"
# - vars: "**/vars/*.yml"
# - meta: "**/meta/main.yml"
- yaml: "**/*.yaml-too"
# List of additional collections to allow in only-builtins rule.
# only_builtins_allow_collections:
# - example_ns.example_collection
# List of additions modules to allow in only-builtins rule.
# only_builtins_allow_modules:
# - example_module

4
.gitignore vendored
View File

@ -1,6 +1,4 @@
*.retry
playbook.retry
*.sw*
.vagrant/
*.log
.idea/
venv/

14
.pre-commit-config.yaml
View File

@ -1,14 +0,0 @@
repos:
#- repo: https://github.com/semaphor-dk/dansabel
# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
# hooks:
# - id: dansabel
- repo: https://github.com/ansible/ansible-lint
rev: v6.9.0
hooks:
- id: ansible-lint
files: \.(yaml|yml)$
additional_dependencies:
- ansible

12
Makefile
View File

@ -1,12 +0,0 @@
init: create_venv install_pre_commit install_ansible_galaxy_modules
create_venv:
python3 -m venv venv
venv/bin/pip install -U pip
venv/bin/pip install ansible pre-commit
install_pre_commit:
venv/bin/pre-commit install
install_ansible_galaxy_modules:
venv/bin/ansible-galaxy collection install community.general

108
README.md
View File

@ -1,108 +0,0 @@
# data.coop infrastructure
This repository contains the code used to deploy data.coop's services
and websites. We use Ansible to encode our infrastructure setup. Only
the association's administrators have access to deploy the services.
## Deploying
To deploy the services, the included `deploy.sh` script can be used. The
Ansible playbook uses two custom-made roles (in the `roles/` directory):
- `ubuntu_base` - used to configure the host itself and install the
necessary packages
- `docker` - used to deploy our services and websites with Docker
containers
The script has options to deploy only one of the roles. Select services
only can also be specified. By default, the script deploys everything.
Here is a summary of the options that can be used with the script:
```sh
# deploy everything
./deploy.sh
# deploy the ubuntu_base role only
./deploy.sh base
# deploy user setup only
./deploy.sh users
# deploy the docker role only
./deploy.sh services
# deploy SINGLE_SERVICE Docker service only
./deploy.sh services SINGLE_SERVICE
```
`SINGLE_SERVICE` should match one of the service names in the `services`
dictionary in `roles/docker/defaults/main.yml` (e.g. `gitea` or
`data_coop_website`).
## Testing
In order for us to be able to test our setup locally, we use Vagrant to
deploy the services in a virtual machine. To do this, Vagrant and
VirtualBox must both be installed on the development machine. Then, the
services can be deployed locally by using the `vagrant` command-line
tool. The working directory needs to be the root of the repository for
this to work properly.
> Note: As our secrets are contained in an Ansible Vault file, only the
> administrators have the ability to run the deployment in Vagrant.
> However, one could replace the vault file for testing purposes.
Here is a summary of the commands that are available with the `vagrant`
command-line tool:
```sh
# Create and provision the VM
vagrant up
# Re-provision the VM
vagrant provision
# SSH into the VM
vagrant ssh
# Power down the VM
vagrant halt
# Power down and delete the VM
vagrant destroy
```
The `vagrant` command-line tool does not support supplying extra
variables to Ansible on runtime, so to be able to deploy only parts of
the Ansible playbook to Vagrant, the `deploy.sh` script can be used with
the `--vagrant` flag. Here are some examples:
```sh
# deploy the ubuntu_base role only in the Vagrant VM
./deploy.sh --vagrant base
# deploy SINGLE_SERVICE Docker service only in the Vagrant VM
./deploy.sh --vagrant services SINGLE_SERVICE
```
Note that the `--vagrant` flag should be the first argument when using
the script.
## Contributing
If you want to contribute, you can fork the repository and submit a pull
request. We use a pre-commit hook for linting the YAML files before
every commit, so please use that. To initialize pre-commit, you need to
have Python and GNU make installed. Then, just run the following shell
command:
```sh
make init
```
## Nice tools
- [J2Live](https://j2live.ttl255.com/): A live Jinja2 parser, nice to
test out filters

48
Vagrantfile vendored
View File

@ -1,38 +1,24 @@
Vagrant.require_version ">= 2.0.0"
PORT = 19022
def provisioned?(vm="default", provider="virtualbox")
File.exist?(".vagrant/machines/#{vm}/#{provider}/action_provision")
end
Vagrant.require_version ">= 1.7.0"
Vagrant.configure(2) do |config|
config.vm.network :private_network, ip: "192.168.56.10"
config.vm.network :forwarded_port, guest: PORT, host: PORT
config.vm.box = "ubuntu/focal64"
config.vm.hostname = "datacoop"
config.vm.provider :virtualbox do |v|
v.cpus = 8
v.memory = 16384
end
config.vm.provision :ansible do |ansible|
ansible.compatibility_mode = "2.0"
ansible.playbook = "playbook.yml"
ansible.ask_vault_pass = true
ansible.verbose = "v"
# If the VM is already provisioned, we need to use the new port
if provisioned?
config.ssh.guest_port = PORT
ansible.extra_vars = {
ansible_port: PORT,
from_vagrant: true
config.vm.define "datacoop" do |datacoop|
datacoop.vm.box = "ubuntu/bionic64"
datacoop.vm.hostname = "datacoop"
datacoop.vm.provider "virtualbox" do |v|
v.memory = 4096
end
datacoop.vm.network "private_network", ip: "192.168.0.42"
datacoop.vm.provision "ansible" do |ansible|
ansible.verbose = "v"
ansible.compatibility_mode = "2.0"
ansible.playbook = "playbook.yml"
ansible.ask_vault_pass = true
ansible.host_vars = {
"datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"}
}
else
ansible.extra_vars = {
from_vagrant: true
ansible.groups = {
"all" => ["datacoop"]
}
end
end

7
ansible.cfg
View File

@ -1,8 +1,3 @@
[defaults]
ask_vault_pass = True
inventory = datacoop_hosts
interpreter_python = /usr/bin/python3
remote_user = root
retry_files_enabled = True
use_persistent_connections = True
forks = 10
inventory = datacoop_hosts

8
datacoop_hosts
View File

@ -1,5 +1,3 @@
[production]
hevonen.servers.data.coop ansible_port=19022
[monitoring]
uptime.data.coop
######################################
### All hosts
85.209.118.131 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3

39
deploy.sh
View File

@ -1,26 +1,6 @@
#!/bin/sh
usage () {
{
echo "Usage: $0 [--vagrant]"
echo "Usage: $0 [--vagrant] base"
echo "Usage: $0 [--vagrant] users"
echo "Usage: $0 [--vagrant] services [SERVICE]"
} >&2
}
BASE_CMD="ansible-playbook playbook.yml"
if [ "$1" = "--vagrant" ]; then
BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
VAGRANT_VAR="from_vagrant"
shift
fi
if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
echo "Installing community.general modules"
ansible-galaxy collection install community.general
fi
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
if [ -z "$1" ]; then
echo "Deploying all!"
@ -30,21 +10,10 @@ else
"services")
if [ -z "$2" ]; then
echo "Deploying all services!"
eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
$BASE_CMD --tags setup_services
else
echo "Deploying service: $2"
$BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
echo "Deploying services: $2"
$BASE_CMD --tags setup_services --extra-vars "services=$2"
fi
;;
"base")
eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;;
"users")
eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;;
*)
usage
exit 1
;;
esac
fi

306
group_vars/all/secrets.yml
View File

@ -1,170 +1,138 @@
$ANSIBLE_VAULT;1.1;AES256
30613439636234396439623634656338666330643936373563656336323831353464353239353661
6234316535383838653865643964353033623935313432630a666563316534343733363464396635
34396664643137643136633837656432623633383361633336343562333039326538393034616637
6634613631636433610a663835343739376534356133323163343132323233643135613333313132
65373233666535366137343839363938303561653731633038376631386161653038613631396364
33636131636536306134346336636332393436303063306262333430613137376438626133353963
66396332363335333436623335613966323730616139353762656662386530356435623831656632
30333363376132653362323339386437346134323232363336363461323332613962613131386264
37383435653061653466613834346430656632626338316564656136666266353231363661666461
32646461313365626232376536376463313531613861363462643062326538326234613332646430
33383438613961623134343665383638346164653031363435656162306163653232353162343431
38333239393332613466663231383932316330376535383466643233326134623530306361393639
63386530643733393033646139613730313239313866343730643337393533366330373363353338
62313739613531636166663135646262396334373538636634393534616337363337323630666261
39643164363437653661633666376431303662396431633661663933343666613234326637636231
38383537333532326636343366343564646630363838323162373339323365666262303836636232
31343637616261636130656637393633383165353332346239323063646162306235313962363935
64633639653261363563646664393630666564646165393736363562623231626634326163306630
37613635306136643334616364303439323332666431386264623265323636623738303364396636
37626161363466646166633434333265623236633033666562643264303662333363396631646638
36626636363261313966393235313866353936323064343331626362306162323166323063656433
63303762346330323031353034356162373433356436663134373930633634366330653233613139
63363639343833616431633765613938623037323961623663336662666135313466303661316133
39353664633036323031373862393530653433373062623233313965653735353566306538393439
30366162663138326535346639393337393362366630343266643035353465663332333539613337
30666666363134313239306231356663343166363137366636643931313039333732383833313036
37393064396662623063613462336363386336393839313465323062646535373733326338353766
31666639303836316266343764336462343765363930326338313635336633323662366238356264
38613631313434383830333031643938393566633236383861633266326336653033663163336132
61313132643062666434346333653234393865656463343363313636613364616361353561343739
38313231333431303664323730626162613264343630356438336636373739653234336666646438
37636437623336323461613063396137396533353265333034333435306666636261353933613232
65363632383039666666323030323830333534376362326136313232393732613166303461383933
62303166396533616538666566356238393265663163343264333664393936613066313665616137
38613030623937633730646461666233333035323661363835313161613930336237396332623338
30666166636662613130363430333436613532326437393730376536353963356633393736303065
31393534646537323037316664313438643836386333613961663031383231663932633934656461
62313163616635626131663961326438396439383432346337386261313330343330353637376330
38346532396533326135303264613361663836646163623630323832653032396237353966663661
36353365313962663832393333336138346335363832396535346336643565366465643565616638
63616565356663623531323935393334326639626236353338643237343764366464666131393332
64396665343535323339383434366133613235313866653663313639633930323864646536346232
65316465643662376264373536393232326666663335316631376433343062646361376165363732
66326165643163333737313139386461363431353239626236366238343035386663363435366464
31633738336263633961306436613233303861633263343030336637373165663261316632663537
31613636663163323365303038373134306264343831326264326261633834393366623061616262
63393463333833393636666232626662643738653634306364326231343830633834643664353730
37346131346263356539363630363230626364663161643064323538396131636633623866383939
66346434323935353632633837363530663438636539616130633532346236343661633766383434
34343339646662393030323661623665643432376365633435666333316439356631386234303062
35346631656230346565323130333765663933373638303639363530373431343232393864656639
33666433366131396464323137393239653531376662646235343962613639343831636261326265
65663564613766313634653938316339306434663463623563316431633234323330623738646636
37643535623664323433626561383462393033343232303838333930653366376536353765613036
35663165623265616630373161336632646435613331373166303632373633313865386134636362
61636134343839643735636461626663626237613262316564646339323933363864303935353834
39396637646264633736366336616336643032313237653662646331383963366533373766356539
35306165306534393463663332336430336635666135643561303935386635393838323865623162
36323565616232353261303139623465646234313136383436376162376165303664613164356162
33373237333666616135636231653637396330663930663962636161326664333261343737343735
37313465396130653138613539376436373237343138636535626632326435383234326466363235
34646663653038396630353637636166346261346233333632363361326536383634663433613564
35633864343630333033613133626635313931333031643564396164393135346131343832363861
61366664363838653438653137383933386233633836323332643531303936353237623734666135
31356166613664636634336536343032646239643130346564303162356431346539646336323339
61626236346535336638353134353838333434663838303730613363393365633739383563613434
64336331306639323061386338656361653636353831346237373134346538623464343562393735
39333764343139333133393233626564643266373034623764633835383561366265636632633937
62343635343161363231653138613263313562366439316435633964396161343566316435303465
39666236316339653839313333396264623636663561653932386638366366663933353761353162
61343038383939396231346534336361306430373564353633653139306334623630343738636430
66376631366662313131646130363530323232383535333163363466636262363461633232343532
63626430336261353861633362396638643937623832386638626334663333363637393637373939
64303039666432303535636265613564376139333331653336666563663238366639393366363334
36303635633933333832396562373965653361303034653139643466656534326231383162336366
31656138656539383539396462326134333331653131306537643962653762373035343235333233
34373730623663346430303962653061623330653263393633383835663739663961326566323036
30336365616532303362396230616531386639333636336332366335613935623836616134393033
62653535396630383436393631396337336163323361663930323532633666663238333366383462
36393261376262643336643761613731643032626632646332366661626331333233363436613937
34653731666137313733653863396164323963383037353265373532303137623037343733616537
66336433343334626536323639636139653931383466633833326234633332613431353432343561
36626339656536383862623833633634356435393764316633353135326639623534366538313330
62633333303266613630326330333336353264343937393864393239623664323366373565383334
37383237376664643065383834633961366632643261343635336335353765353863323131653866
31326531303461323736303730623638663863353939636437636231636437323730656463633733
65383934343534383631363162363830386365313935663337366335326131393262353030663765
30643665383332613030336439346332363135366232303166623534333637366133656437643231
30306634636430643864363561316334383530613165326663326665613633636237353830393334
62653333623563626131666166646335663334393662336337333836376631303631666136376332
37316537356531346464623363653033306537636239633065646533643239653063613835363665
30383139326465613864316533643033333430326230646334353364633138666532353736313265
34623733613864646661353730666433613961643261346166303264386435643565373565323864
61346465336231613865363263303034396439346163393534666439666437353266323565653032
39386439646438313938356237643831643434666161383632316530356465616632313235643834
33303865653836303632656663366465333331616634313863656438393838636631313364633637
38646230643734393733663261326161376536643237626130353831363731306231313864613066
34623239396362336639363163313161323065653461363563353631613730373830643133336464
31336439636361363539383539323631303462633833353032373530333539336538363033383363
32613733623839623938326165356237313165383366646233393933393965613363666532646434
63316133613130313363303537366230646235663130313538333761633237383262316633366364
65373664616237316534613831313966623939396331626334313430386638653461386334363939
35333339643837666264356535643365353331393437313866643034663934336466336534343035
61313837666662343363613962623462333935353837333336363839623466303534303837396634
38656330666661356235626130303538666533666563323936633564383164633834353831306634
36343836353464623962333362353133386563343831336463646635646263383832666232323736
38613730316634373365343938623237356231643931303333366462373134383137366339613662
62643832323734363635643634373066303366306366663036623139393761636533326130313336
30316536396466383463393233363035393335343565323635333665346464366139626165636661
39363066643437613537653836636363376532643038363063383234353066313737663061363334
38306563613561663165623630366135303332636133343733343836383865613661393761333031
62653162626461616564643138613737623632313739393962396439306133646138303936636435
39393663653865363166316365376562353461633163353734343132343831386434653037323732
36356162356336616330636630376438636165653439376137313934663939376639396266323962
37383736333536653438363963316435326632393966383534326337303336386135616636363936
35393331313938653830646332376631623763383439623633396433633739663038313264323835
33373664313562366664363630316132643465363964383339363339656237323465626262306364
33306133373065303135613235623262396365363634316365356364373561363762666235666430
62336362643564313238363933623366396138646237336336623062326161326536323534326364
39316162643966616436343737313434616230346237346237363962653033613930623462386431
38343662356665383763633034393236613733643430313937326335356466376139653533333965
39386138623134666132663837616637376362303561393133656139653438386363613965393661
36343566643931393061373031343331336463643034383065383763663234373438383064303232
64666236313935346237666466333562613935646163653331303661386138313739326538353935
64323737323532663731353136336138633533386464616362333838396332323563353537613430
33633631326238366166346437316638363161386562383630623466386564323266333033313461
63666535363034613232346239636233623130393032353030363334333531646238373262323765
61373739396162643661353031613663353531653836323730326166383463613330333966336233
30386136346466336361303237303534373064353230653238363231633530613866663461643465
30396266356164353063323432663561396564636231346534366661663766613634376235356637
39313839616336666461313431326430333932623262333437386464636264373430653566386631
64653866623662363864376663613136306165393863346533303634623936373835633864313462
61333562646233303232623861366634383466633537383831626334356561353637663038643531
39386635326366646134333231653737653630356135396634326537633232333166616161653136
33393562383233656564356530386465623239386666313964343534343466616134373132636631
39666365393063323838343963366339373434353839383039383238613133636237316365323861
30626330643665626465666338353030653839383234393237623633646566376361646536353233
31393235623561323765633835313139313538343761393064353632316335656231353930656437
31313639313931636633333230653730666638373864326239333561393134356632623138366131
65356462373336383039316131626562633330666363386631383663343838393435663538343934
65386339626362623664393532386131303234633466363437383236616463343831353862323961
39663835313234326137303965663963663761656531653437343234643634316565333762663139
65393830633237623031303234636134633539316131396135616237316266333437633861303831
62656630373763343366636635653033666630613533363365636261323661383364343161343439
35626531346665656263643461306261376238353033343032353731373861333239333862653231
31336562653133623163353230633331346237356534333534613161323462636639636662623435
63633035336662376636623339326433393035646539626231363762643532323463316263393736
62613038333733636362356636373331313661663830633433643039653233626261613739663836
38643030313338383266323134326337323334343230623331386664333937316266623134336362
61373037353664623863393233376264616438656332386130316361663665323135386463383763
33303633356133353439393664363630336133306364363430393232326665393339323265383630
31656463343064383837333630366465396633393465666235626330343937313630623039383465
63326361663238653035613935343932623237396362643833313731323830313962616362613539
32346165303930323739313837643933363863643937346561643930653530393636383036613235
61376166386563643733333233343437623630323632643463353131386461663936313065313562
31393032646262386634353436643466323731366631393136393433616332613036666163336635
37303365633338613630656463663533653336666562653236336264303238383930383132346365
35386662636439653930343738633265363635626132343030653462306431363234633635643537
61666363346430653131623762666564313665653262386332396532646339383136383337353863
38386632316632373338653535323335363265653563376330663239343861346563646366313039
33306364623536346339393566326533633133393866303535326535306435626531346264616138
34356231373561633337653663643566633632393330386564393966666365306565316135646163
63366365383839343134303635376233343865663631633331333230616630366633396231333435
30366137383238393139336433353764633038616238326136663636656132626538393565393130
38653765326137393136386233383636383165613235373437353730306564643033306534386666
61623538663537653166313264303533623162356134393333373732383535386261333535383039
65613166666230336265366335323434636336663835323034373930393430363065376665666337
35363265666130653830333536326433316639613638613730666139623137333736663535633032
33363135376636636536623731323134343237393633333038393364376237386165
66363038343862326134623539343039633439643137613765356439653462333663313866383033
6330386335646539373338376462663636663434373530300a653737336230383036653735373433
31663133393236393130346165326466303762306363613565373865306132336531613064333338
3761356461343638360a396564383335323631666362656363333135373538353637383166383839
62316461616439396631653863623062333730616337663731363762363434336165616137336337
66393162336330343730396639303030343236653234663764353365623139356330303935323764
66666165393463363139653335363365343035313531306330656565643139643062343562386436
39303266656264626361366136636132326136393430623034383639313537663362396166303565
39656330653332363239386362633034616531383835313765323532313361346265653462303463
37623636663862333434663831343361386535383836316636613439616638393163663631656530
64333865626565623331653561633436643732633139316362303838633265343463366638666132
32646132373331663462373935336462663061373363623232303864376464306364313630633439
35643036323564396566613539366462366330643036633436323634653130336235333839306237
61353165663764623066633261633730373732663564323639393535336431316465376562363439
33323131623635396233323766376634663332656136653332323930303237636666383438613938
33313636623437323730396261396135366236396131313930303331303566326264616139353264
30396431613537373063313031343863333565333934653763653130336535353466393866393435
33343233386561656337363363663262663030316163316165343738643733306436333937373163
33353131626338316561303531323061383065643737366661326634306538306634626433363632
66643234363232346462333364316266633538633833653862636235393533366461343334376265
34396631313431306434323637653034626238633733316137346564336561383730613864373034
61633466653165353661393766616437313361653734613165363339366161343031363335336133
66343130383335653730353561626135636434356135333634313730353663396361663863323436
39363331393830653430623837663564333439653931633235633966343966623138316163623539
33616536626632336235363238666562366666386361643066613665356565333666383361356232
61623665386533663738303834323165633966613936393737396334373139303964323764643731
66636234356334383633616331316137343865323264653666623532353135383831306238316232
36353262373763653337333837613264633039623437333538646139326130386662386530336566
34336236656139353361643961616563353538613163333964333564306332636433633933386530
32333138656663343161633033656533633936346636653132316633653731356330353333626139
32303066306166626261363065306635373465663432373262633464656632643362663733346463
32393938346563363334343535396538663430626434363236323938653837313432623335613064
62323565303362323336663462656335643930343235353164316365333735656636616330643061
38316337393934363361616339393463646138626665616538653936616537343630306236636130
36326263343161636464376235396563376561356363393961623436356563666233386331353332
35333563316463316232653238336161316162626334623961626130323331386162356531373030
39646137363431303762323363363463333734613462663831663331633662376432386166373366
32323966633362313236643862303838663663346436323231383561386264303465313232393836
66636566376636306230653735303231346239303863373838356561393638363535363363656263
65306234386233373130356630373334313437613763663037373935383730373136323033346564
64666361346265616362623961616638613135653037623833316361333161633339303064313733
30306666343864323265656637616130653238343365376662313163346235306365313131376166
31666338396632626666323530326132386234336432373736313936653133356564616132393734
65613464663437363366396234393735383639373766623037656538336337623231323236326430
35613737386131316164326330316566356637633238643630333366653130633864356431346336
31653461633636346461626261396234376666373964393135333866363831616331653431373462
65363966333261326234323864363733316438306534336363373164656661313934623937336366
65323535346663633264363638386663383535363236333932356166393338396336366437656132
39663037353137333537333363653965643066343635353137396466333836376339666638336561
33643835646237613164373135393534376539323139323561386565326161643663346462646230
62393565333730343835353131656336343563636465633863363865653033393930333133613733
35613234323662313538623335666463653466633536356534393238343161306634383134313839
38353134336336656431373338383936633431623861383231323062393631666539343338353161
30323338313161343632376138323734363637373966356338383333656435353839633731343838
62376335323163386661623663366163623437373161396538396531643932616232633438663731
62333463373137323363323233353865313634396630613935356162303435656661626464346566
32333563636635366330643537373534383063396137393630356230643036376537373639663336
63353936396439646264313963346532613032613966333837666263383366333132306236303063
36326533353061343930333433326139383331323566313738623131356433623133303462356335
31316331656138356535643334326334346135346531383531343335303463376234666662643135
62646361356261386366656562363232313838656563663133313364616133333432373131313865
64663263663134653736626261663266333733333634653030363265326134323634353764306161
66393564326163663831353830646363343733383534323935363936336232376539373766626264
61623161343862313163383636363262393639656461643637356362613036303065333436323262
38396133346631633763383936353033323538343466383037616566313563343733386535663339
64306266643431303231653532353439386666656266656466623237363532663733643635643562
64366339376664363930343431336138353936326338303362373839373736336430646332643039
39643439376632386165323965653666353766663239623562373837363365336164633035303039
32663163326266363835633964366562386532386530363266363238333332653730326162333663
61636663363032623339373239333538356539356232613234363835636536646666313736653235
35373865633531323037346633393135396233343364383861323362396362393634373165656133
30333062383763613535323834383430363863386339323162316333663638313433386137666634
36306234393539343730343831333336323066316236376130623764393839353432383062303338
34343065616634313234663739336165656563303264666262323839363565666565663330326635
31613064636464653963333132626137366563656537643633363136373039316662366438306630
65383231663232376232633737396666363364623739303065633230633431636438613039336365
62336232623362633030613731646535386439353266393236363965303931353631336661306238
61643265333337333637393230313766626162373739326164643937363330623536663565346331
65373763643964306530323164646333383435363234383039636439366332333366343232393732
65373036636263623239373930393434363232353664323236356366366561623266353635616537
33373761663364653830333166343634356437666631663164636331643736323139303462356133
63616531636136636533633264316130353035333364623862653233333434623139343234653539
38623033313936613162646464373135323964623265343866383938646266636331303063373962
66353233646330663936316635306530653032343764633962656162366539383231346464333339
64636330363065343165333363643636613761646262316234616661636462343761323261656133
39393164383331343436373838383335333932333931323835663031313036396664623135666565
34336134386232636362313764626664663437313464663466343566313530633364333631363465
32386139303132386631333638636636616563643961386436373566363139353563323834333038
61346534636134633566313533313530333238386536633333373035306664336339303364353530
39303364613430336563633464303133306630376634623138666565613036643865383961636333
38656238623931623434663638316534633334393438666238343139646465663862386264333963
36363563396631643338383130633634653937396266653936346339613333646463383463363862
63366233653962393737393366373933303630316263383635623365313566653236376533653363
34313262373565666261343039663966633533333839306631666437376237633636383061303333
36616632623763656533613561336133656562653165346566656535656339313831633935366536
34386631663032376264663963653638663762373137323537666130623563386133393932376434
32303863346262323537626431616665623431643764363764656661313362613266383130363633
31363565393331663433633137646236343736346565396438396163626430646634643339653261
64343064376162636262356436343263623733343363373964326639313332646431343835336433
39313965613532343263663939343662363236353636383438356161373264376661386562323730
61386632636532643933386164376663663262346330303733363464316235323265333036326337
61353935333130343538613930313465333535393039333061383234646539666632626666353533
63363432323864653733376137343766383736623231616465373032323834366330326638626339
66633431306336376132393837396333336462656633653431383362653939633032383237333534
63373266393765343437306236313535316664343639313934666136313863636531613261393263
36636531373936306166636465643132323835336563336265366433656337366662366330333166
61616163656535633934613331656339323263343235636231326136396438373435323830333539
34393463666639306165363164663433663231356335653531616264626237393134383631343066
33346331373161373936333763376664393131363365343733336237366539643063653936623137
64373837636438336437316261343137666532663662303864663963383538653239313162633565
39656130313831343734653832626139303130393862306362326361323564613063333463376637
64623638616636376236323739363538663433303835383866643830393963636132366166386563
36363162363438356364326131393530366135373730396336323063636334356535663363323835
39663564313039303361666237353938636539333434326132393438633963353732623333666431
32613861346263626664623837623365386638373530386638303938656532383230633438363735
38343261663164613364376462356162646231303733376636656263623064303333373230373761
35656466613766343562326361613865313361366631613232653438656564646265316436386530
38313162666437636664336262306463333637626162666337346365363065613065653636663336
30303631623261363633323730633063343233333735326130663039393332623530363333646436
36653232613833653231366535653936613162303531333238326262383165633233633537616663
38393464343233353862353936633363616339623561396661616438326634633539333761316164
32316166623438326435613238336639313363363361383630376331333662303964666238323032
63383638316363643662623535616463356639303937376430656133333431646532336165623665
66633335623265396630643437353861366133656237336462663733643933313332613266653432
34353435313766396166626635313763666366333764383564646538393734636362346531333938
38623865396561353435616433396533656361663266656565363637383235613562656465363730
32623266353335313563306465313261333336343934333235386264373136343666363364353532
35616333373037343432363832313435623130643132633162336264393737313833656335613638
63653232623935343638346464353630393264306232633665343865373839623461343165393564
33643264326664333534316233323937336265386238373963326161323761646531636637353631
32363864333632373165633133306538633933653362313636396364633436343066626163373933
32313235306230313333303062313466333635323864396437643738346631383366383637323561
61616665303733666337316537343137393035623832383539383338623936323135333664303236
36316632313133386634383161363039383134346238613332386130613734666636323538643263
31333166666138313864636130333964336263613430316662333535333038616533373239333564
34383433383830306161666137616533626130353937396530366565373665616565313037366264
3834

28
group_vars/all/secrets.yml.contents
View File

@ -1,17 +1,20 @@
# These are the variables contained in secrets.yml
# Secrets are usually 32 characters or more, matching [a-Z0-9]
---
postgres_passwords:
fider: xxx
nextcloud: xxx
passit: xxx
gitea: xxx
matrix: xxx
codimd: xxx
mailu: xxx
ttrss: xxx
keycloak: xxx
hedgedoc: xxx
mastodon: xxx
rallly: xxx
membersystem: xxx
listmonk: xxx
fider_jwt_secret: xxx
ldap_admin_password: xxx
ldap_config_password: xxx
@ -22,18 +25,14 @@ docker_password: xxx
mailu_secret_key: xxx
nextcloud_secrets:
redis_password: xxx
drone_secrets:
oauth_client_id: xxx
oauth_client_secret: xxx
rpc_shared_secret: xxx
restic_secrets:
repository_password: xxx
ssh_privkey: xxx
uptime_kuma_url: xxx
user_secret: xxx
encryption_secret: xxx
matrix_secrets:
registration_shared_secret: xxx
@ -41,7 +40,7 @@ matrix_secrets:
form_secret: xxx
keycloak_secrets:
admin_user: xxx # used for setting up the initial admin user on first run
admin_user: xxx //used for setting up the initial admin user on first run
admin_password: xxx
mastodon_secrets:
@ -50,8 +49,5 @@ mastodon_secrets:
vapid_private_key: xxx
vapid_public_key: xxx
rallly_secrets:
secret_password: xxx
membersystem_secrets:
secret_key: xxx
listmonk_secrets:
admin_password: xxx

23
group_vars/all/vars.yml
View File

@ -1,35 +1,28 @@
# vim: ft=yaml.ansible
---
users:
- name: graffen
comment: Jesper Hess Nielsen
password: '!'
groups: []
ssh_keys: []
password: $6$6bgPWZ76LvB$DZ3ipFsFtL2b1nSC0AQ63k8ibJidyIE9iIsWWzY0fux0ynz9L/o7b2sR2XYSaDuG.jewFV36IGStTF3NCZRC30
groups:
- sudo
keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbxFVukt5TIzoB0HX2q8b8lHJmXD1juzsWOu5XkexVDlCsvupa1cZ/OVkrIEAbDKk6RmJQj0TJ2O5+v9hbf0TDi0Pi+V8ADZIgO+OW5a4EeXsU72a4CN0nEocQhUPfQuC4IU+F7icoG2/I9jXg7U6p1LhBr8vlC3cNHnrH3yqrakrUR51/iRVIwo4FKvQg7jutaKTyOjlYa1uTdaczvAzNHWEdytCQgFnkzpR9fHvzkA79qHUD9n32rIpJicRJsHY3NnyDGfBcDv+4sLq15sM9jN83duGnSuMMtZgfSriwMUd/UwVReU2ZKxjMLe3WHB7+ZE/p39OJk/gjVfWJVh/za1/teTAwaLLmxh/HFt+AVYWkCj22fUxscl0dh2zy6Ki1Ua3ApChn6v6Gvng6khobFlxawSJZ49+0KoAl1qqFMR1o9EGWvqgDPuITAqJFN+ik0jxcxfmKrG3mbOYM1ikhJd0ER8wbS8e6NowHUBV7PUyDqxP5VM2gum58IYrDqaP2RYYi9vWWnXJJA8J1t+Wp3bF7fdktyVgkd7HQk02uVkxdMQQ802GCrQQuvJhWTCzrgkgrjPY8p0KcbCNt6jYQOUKV0T2vp6PbTJ5XWKb5u7gVXW1xiP9dYzgAr0DroiTK4xIuF80mv1Rfst0ceHAIQVcQ3GcGbh000QUYzbHT2Q== openpgp:0x265EE03C (Graffen)
- name: valberg
comment: Vidir Valberg Gudmundsson
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
groups:
- sudo
ssh_keys:
keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
- name: reynir
comment: Reynir Björnsson
password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
groups:
- sudo
ssh_keys:
keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv
- name: samsapti
comment: Sam Al-Sapti
password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
groups:
- sudo
ssh_keys:
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
volume_root_folder: "/docker-volumes"

39
playbook.yml
View File

@ -1,27 +1,40 @@
# vim: ft=yaml.ansible
---
- hosts: production
gather_facts: true
- hosts: all
gather_facts: False
become: true
vars:
base_domain: data.coop
letsencrypt_email: bestyrelsen@data.coop
ldap_dn: "dc=data,dc=coop"
vagrant: "{{ from_vagrant is defined and from_vagrant }}"
letsencrypt_enabled: "{{ not vagrant }}"
base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
letsencrypt_email: "admin@{{ base_domain }}"
services:
- nginx-proxy
- openldap
- thelounge
- nextcloud
- fider
- passit
- gitea
- postfix
- matrix_riot
- privatebin
- codimd
- netdata
- docker_registry
- drone
- websites
- ulovliglogning-dk
- ouroboros
- mailu
- portainer
- listmonk
# - tt-rss
smtp_host: "postfix"
smtp_port: "587"
services_exclude:
- uptime_kuma
tasks:
- import_role:
name: ubuntu_base
tags:
- base_only
- import_role:
name: docker

290
roles/docker/defaults/main.yml
View File

@ -1,227 +1,117 @@
# vim: ft=yaml.ansible
---
volume_root_folder: "/docker-volumes"
volume_website_folder: "{{ volume_root_folder }}/websites"
services:
### Internal services ###
postfix:
domain: "smtp.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/postfix"
pre_deploy_tasks: true
version: "v3.6.1-alpine"
nginx:
volume_folder: "{{ volume_root_folder }}/nginx"
nginx_proxy:
volume_folder: "{{ volume_root_folder }}/nginx"
pre_deploy_tasks: true
version: "1.3-alpine"
acme_companion_version: "2.2"
ldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
openldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
pre_deploy_tasks: true
version: "1.5.0"
phpldapadmin_version: "0.9.0"
thelounge:
domain: "irc.{{ base_domain }}"
netdata:
domain: "netdata.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/netdata"
version: "v1"
nextcloud:
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
version: "2.19.0"
gitea:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/gitea"
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
version: "22.0"
postgres_version: "10"
allowed_sender_domain: true
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
restic:
volume_folder: "{{ volume_root_folder }}/restic"
pre_deploy_tasks: true
remote_user: dc-user
remote_domain: rynkeby.skovgaard.tel
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
repository: restic
version: "1.7.0"
disabled_in_vagrant: true
# mail dance
domain: "noreply.{{ base_domain }}"
allowed_sender_domain: true
mail_from: "backup@noreply.{{ base_domain }}"
fider:
domain: "feedback.{{ base_domain }}"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
pre_deploy_tasks: true
post_deploy_tasks: true
username: "docker"
password: "{{ docker_password }}"
version: "2"
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
### External services ###
nextcloud:
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
pre_deploy_tasks: true
version: 28-apache
postgres_version: "10"
redis_version: 7-alpine
allowed_sender_domain: true
riot:
domains:
- "riot.{{ base_domain }}"
- "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/riot"
forgejo:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/forgejo"
version: "1.21.8-0"
allowed_sender_domain: true
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
version: stable
postgres_version: 15-alpine
allowed_sender_domain: true
codimd:
domain: "oldpad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/codimd"
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
pre_deploy_tasks: true
version: v1.98.0
postgres_version: 15-alpine
allowed_sender_domain: true
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
element:
domain: "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/element"
pre_deploy_tasks: true
version: v1.11.51
netdata:
domain: "netdata.{{ base_domain }}"
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
pre_deploy_tasks: true
version: "20221009"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
username: "docker"
password: "{{ docker_password }}"
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
pre_deploy_tasks: true
version: 1.9.9-alpine
postgres_version: 10-alpine
data_coop_website:
domains:
- "{{ base_domain }}"
- "www.{{ base_domain }}"
data_coop_website:
domain: "{{ base_domain }}"
www_domain: "www.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/datacoop"
pre_deploy_tasks: true
version: stable
staging_domain: "staging.{{ base_domain }}"
staging_version: staging
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
slides_2022_website:
domain: "2022.slides.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/slides-2022"
version: latest
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
fedi_dk_website:
domain: fedi.dk
volume_folder: "{{ volume_website_folder }}/fedidk"
version: latest
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
vhs_website:
domain: vhs.data.coop
volume_folder: "{{ volume_website_folder }}/vhs"
version: latest
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
volume_folder: "{{ volume_website_folder }}/cryptohagen"
mailu:
version: 1.6
domain: "mail.{{ base_domain }}"
dns: 192.168.203.254
subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu"
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
- "www.ulovlig-logning.dk"
volume_folder: "{{ volume_website_folder }}/ulovliglogning"
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
ttrss:
domain: rss.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/tt-rss"
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
version: "1"
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
mailu:
domain: "mail.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mailu"
pre_deploy_tasks: true
dns: 192.168.203.254
subnet: 192.168.203.0/24
version: "2.0"
postgres_version: 14-alpine
redis_version: alpine
postfix:
allowed_sender_domains:
- "services.{{ base_domain }}"
- "{{ passit.domain }}"
- "{{ fider.domain }}"
- "{{ gitea.domain }}"
- "{{ mastodon.domain }}"
mastodon:
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
pre_deploy_tasks: true
post_deploy_tasks: true
version: v4.2.9
postgres_version: 14-alpine
redis_version: 6-alpine
allowed_sender_domain: true
mastodon:
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
rallly:
domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly"
pre_deploy_tasks: true
version: "2"
postgres_version: 14-alpine
allowed_sender_domain: true
membersystem:
domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li"
volume_folder: "{{ volume_root_folder }}/membersystem"
version: latest
postgres_version: 13-alpine
allowed_sender_domain: true
writefreely:
domain: "write.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/writefreely"
pre_deploy_tasks: true
version: v0.15.0
mariadb_version: "11.2"
allowed_sender_domain: true
watchtower:
volume_folder: "{{ volume_root_folder }}/watchtower"
version: "1.5.3"
diun:
version: "4.27"
volume_folder: "{{ volume_root_folder }}/diun"
### Uptime monitoring ###
uptime_kuma:
domain: "uptime.{{ base_domain }}"
status_domain: "status.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/uptime_kuma"
pre_deploy_tasks: true
version: "latest"
services_exclude: []
services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"
listmonk:
domain: "listmonk.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/listmonk"

0
roles/docker/files/vhost/docker_registry → roles/docker/files/configs/docker_registry/nginx.conf
View File

25
roles/docker/files/configs/listmonk/config.toml.j2 Normal file
View File

@ -0,0 +1,25 @@
[app]
# Interface and port where the app will run its webserver. The default value
# of localhost will only listen to connections from the current machine. To
# listen on all interfaces use '0.0.0.0'. To listen on the default web address
# port, use port 80 (this will require running with elevated permissions).
address = "0.0.0.0:9000"
# BasicAuth authentication for the admin dashboard. This will eventually
# be replaced with a better multi-user, role-based authentication system.
# IMPORTANT: Leave both values empty to disable authentication on admin
# only where an external authentication is already setup.
admin_username = "listmonk"
admin_password = "{{ listmonk_secrets.admin_password }}"
# Database.
[db]
host = "db"
port = 5432
user = "postgres"
password = "{{ postgres_passwords.listmonk }}"
database = "postgres"
ssl_mode = "disable"
max_open = 25
max_idle = 25
max_lifetime = "300s"

4
roles/docker/templates/mastodon/env.j2 → roles/docker/files/configs/mastodon/env_file.j2
View File

@ -14,7 +14,7 @@
# ----------
# This identifies your server and cannot be changed safely later
# ----------
LOCAL_DOMAIN={{ services.mastodon.domain }}
LOCAL_DOMAIN={{ mastodon.domain }}
# Redis
# -----
@ -52,7 +52,7 @@ SMTP_SERVER={{ smtp_host }}
SMTP_PORT={{ smtp_port }}
SMTP_LOGIN=
SMTP_PASSWORD=
SMTP_FROM_ADDRESS=notifications@{{ services.mastodon.domain }}
SMTP_FROM_ADDRESS=notifications@{{ mastodon.domain }}
# File storage (optional)
# -----------------------

0
roles/docker/files/vhost/mastodon → roles/docker/files/configs/mastodon/vhost-mastodon
View File

39
roles/docker/templates/matrix/homeserver.yaml.j2 → roles/docker/files/configs/matrix/homeserver.yaml.j2
View File

@ -44,7 +44,7 @@ pid_file: /data/homeserver.pid
# use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy.
#
public_baseurl: "https://{{ services.matrix.domain }}"
public_baseurl: "https://{{ matrix.domain }}"
# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
@ -339,11 +339,10 @@ database:
user: "synapse"
password: "{{ postgres_passwords.matrix }}"
database: "synapse"
host: "postgres"
host: "matrix_db"
port: "5432"
cp_min: 5
cp_max: 10
allow_unsafe_locale: true
# Number of events to cache in memory.
event_cache_size: "10K"
@ -416,7 +415,7 @@ uploads_path: "/data/uploads"
# The largest allowed upload size in bytes
#
max_upload_size: "512M"
max_upload_size: "50M"
# Maximum number of pixels that will be thumbnailed
#
@ -676,8 +675,15 @@ report_stats: false
## API Configuration ##
room_prejoin_state:
disable_default_event_types: false
# A list of event types that will be included in the room_invite_state
#
room_invite_state_types:
- "m.room.join_rules"
- "m.room.canonical_alias"
- "m.room.avatar"
- "m.room.encryption"
- "m.room.name"
# A list of application service config file to use
#
@ -820,10 +826,23 @@ password_config:
# If your SMTP server requires authentication, the optional smtp_user &
# smtp_pass variables should be used
#
email:
smtp_host: "{{ smtp_host }}"
smtp_port: {{ smtp_port }}
notif_from: "{{ services.matrix.domain }} <no-reply@{{ services.matrix.domain }}>"
#email:
# enable_notifs: false
# smtp_host: "localhost"
# smtp_port: 25
# smtp_user: "exampleusername"
# smtp_pass: "examplepassword"
# require_transport_security: False
# notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
# app_name: Matrix
# # if template_dir is unset, uses the example templates that are part of
# # the Synapse distribution.
# #template_dir: res/templates
# notif_template_html: notif_mail.html
# notif_template_text: notif_mail.txt
# notif_for_new_users: True
# riot_base_url: "http://localhost/riot"
#password_providers:
# - module: "ldap_auth_provider.LdapAuthProvider"

0
roles/docker/files/matrix/log.config → roles/docker/files/configs/matrix/matrix.data.coop.log.config
View File

2
roles/docker/files/configs/matrix/vhost-matrix Normal file
View File

@ -0,0 +1,2 @@
listen 8008;
client_max_body_size 50M; # default is 1M

1
roles/docker/files/configs/matrix/vhost-riot Normal file
View File

@ -0,0 +1 @@
client_max_body_size 50M; # default is 1M

0
roles/docker/files/vhost/base_domain → roles/docker/files/configs/matrix/vhost-root
View File

0
roles/docker/files/privatebin/conf.php → roles/docker/files/configs/privatebin-conf.php
View File

12
roles/docker/templates/element/config.json.j2 → roles/docker/files/configs/riot/config.json
View File

@ -1,12 +1,6 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://{{ services.matrix.domain }}"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"default_hs_url": "https://{{ matrix.domain }}",
"default_is_url": "https://vector.im",
"brand": "element.data.coop",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
@ -37,7 +31,7 @@
]
},
"enable_presence_by_hs_url": {
"https://{{ services.matrix.domain }}": false
"https://{{ matrix.domain }}": false
},
"terms_and_conditions_links": [
{

0
roles/docker/files/element/riot.im.conf → roles/docker/files/configs/riot/riot.im.conf
View File

511
roles/docker/files/configs/thelounge.js Normal file
View File

@ -0,0 +1,511 @@
"use strict";
module.exports = {
//
// Set the server mode.
// Public servers does not require authentication.
//
// Set to 'false' to enable users.
//
// @type boolean
// @default false
//
public: false,
//
// IP address or hostname for the web server to listen on.
// Setting this to undefined will listen on all interfaces.
//
// For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
//
// @type string
// @default undefined
//
host: undefined,
//
// Set the port to listen on.
//
// @type int
// @default 9000
//
port: 9000,
//
// Set the local IP to bind to for outgoing connections. Leave to undefined
// to let the operating system pick its preferred one.
//
// @type string
// @default undefined
//
bind: undefined,
//
// Sets whether the server is behind a reverse proxy and should honor the
// X-Forwarded-For header or not.
//
// @type boolean
// @default false
//
reverseProxy: false,
//
// Set the default theme.
// Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
//
// @type string
// @default "example"
//
theme: "example",
//
// Prefetch URLs
//
// If enabled, The Lounge will try to load thumbnails and site descriptions from
// URLs posted in channels.
//
// @type boolean
// @default false
//
prefetch: false,
//
// Store and proxy prefetched images and thumbnails.
// This improves security and privacy by not exposing client IP address,
// and always loading images from The Lounge instance and making all assets secure,
// which in result fixes mixed content warnings.
//
// If storage is enabled, The Lounge will fetch and store images and thumbnails
// in the `${THELOUNGE_HOME}/storage` folder.
//
// Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
// and the folder is cleaned up on every The Lounge restart.
//
// @type boolean
// @default false
//
prefetchStorage: false,
//
// Prefetch URLs Image Preview size limit
//
// If prefetch is enabled, The Lounge will only display content under the maximum size.
// Specified value is in kilobytes. Default value is 2048 kilobytes.
//
// @type int
// @default 2048
//
prefetchMaxImageSize: 2048,
//
// Display network
//
// If set to false network settings will not be shown in the login form.
//
// @type boolean
// @default true
//
displayNetwork: true,
//
// Lock network
//
// If set to true, users will not be able to modify host, port and tls
// settings and will be limited to the configured network.
//
// @type boolean
// @default false
//
lockNetwork: false,
//
// Hex IP
//
// If enabled, clients' username will be set to their IP encoded has hex.
// This is done to share the real user IP address with the server for host masking purposes.
//
// @type boolean
// @default false
//
useHexIp: false,
//
// WEBIRC support
//
// If enabled, The Lounge will pass the connecting user's host and IP to the
// IRC server. Note that this requires to obtain a password from the IRC network
// The Lounge will be connecting to and generally involves a lot of trust from the
// network you are connecting to.
//
// Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
// Format (function):
// {"irc.example.net": function(client, args, trusted) {
// // here, we return a webirc object fed directly to `irc-framework`
// return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
// }}
//
// @type string | function(client, args):object(webirc)
// @default null
webirc: null,
//
// Log settings
//
// Logging has to be enabled per user. If enabled, logs will be stored in
// the 'logs/<user>/<network>/' folder.
//
// @type object
// @default {}
//
logs: {
//
// Timestamp format
//
// @type string
// @default "YYYY-MM-DD HH:mm:ss"
//
format: "YYYY-MM-DD HH:mm:ss",
//
// Timezone
//
// @type string
// @default "UTC+00:00"
//
timezone: "UTC+00:00",
},
//
// Maximum number of history lines per channel
//
// Defines the maximum number of history lines that will be kept in
// memory per channel/query, in order to reduce the memory usage of
// the server. Setting this to -1 will keep unlimited amount.
//
// @type integer
// @default 10000
maxHistory: 10000,
//
// Default values for the 'Connect' form.
//
// @type object
// @default {}
//
defaults: {
//
// Name
//
// @type string
// @default "Freenode"
//
name: "Freenode",
//
// Host
//
// @type string
// @default "chat.freenode.net"
//
host: "chat.freenode.net",
//
// Port
//
// @type int
// @default 6697
//
port: 6697,
//
// Password
//
// @type string
// @default ""
//
password: "",
//
// Enable TLS/SSL
//
// @type boolean
// @default true
//
tls: true,
//
// Nick
//
// @type string
// @default "lounge-user"
//
nick: "lounge-user",
//
// Username
//
// @type string
// @default "lounge-user"
//
username: "lounge-user",
//
// Real Name
//
// @type string
// @default "The Lounge User"
//
realname: "The Lounge User",
//
// Channels
// This is a comma-separated list.
//
// @type string
// @default "#thelounge"
//
join: "#thelounge",
},
//
// Set socket.io transports
//
// @type array
// @default ["polling", "websocket"]
//
transports: ["polling", "websocket"],
//
// Run The Lounge using encrypted HTTP/2.
// This will fallback to regular HTTPS if HTTP/2 is not supported.
//
// @type object
// @default {}
//
https: {
//
// Enable HTTP/2 / HTTPS support.
//
// @type boolean
// @default false
//
enable: false,
//
// Path to the key.
//
// @type string
// @example "sslcert/key.pem"
// @default ""
//
key: "",
//
// Path to the certificate.
//
// @type string
// @example "sslcert/key-cert.pem"
// @default ""
//
certificate: "",
//
// Path to the CA bundle.
//
// @type string
// @example "sslcert/bundle.pem"
// @default ""
//
ca: "",
},
//
// Default quit and part message if none is provided.
//
// @type string
// @default "The Lounge - https://thelounge.github.io"
//
leaveMessage: "The Lounge - https://thelounge.github.io",
//
// Run The Lounge with identd support.
//
// @type object
// @default {}
//
identd: {
//
// Run the identd daemon on server start.
//
// @type boolean
// @default false
//
enable: false,
//
// Port to listen for ident requests.
//
// @type int
// @default 113
//
port: 113,
},
//
// Enable oidentd support using the specified file
//
// Example: oidentd: "~/.oidentd.conf",
//
// @type string
// @default null
//
oidentd: null,
//
// LDAP authentication settings (only available if public=false)
// @type object
// @default {}
//
// The authentication process works as follows:
//
// 1. Lounge connects to the LDAP server with its system credentials
// 2. It performs a LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. Lounge tries to connect a second time, but this time using the user's
// DN and password. Auth is validated iff this connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
// to be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
// where <username> is the user name provided in the log in request,
// <primaryKey> is provided by the config and <fitler> is a filtering complement
// also given in the config, to filter for instance only for nodes of type
// inetOrgPerson, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
// ignore searchDN options and assume that the user DN is always:
// <bindDN>,<primaryKey>=<username>
// where <username> is the user name provided in the log in request, and <bindDN>
// and <primaryKey> are provided by the config.
//
ldap: {
//
// Enable LDAP user authentication
//
// @type boolean
// @default false
//
enable: true,
//
// LDAP server URL
//
// @type string
//
url: "ldap://{{ ldap.domain }}",
//
// LDAP connection tls options (only used if scheme is ldaps://)
//
// @type object (see nodejs' tls.connect() options)
// @default {}
//
// Example:
// You can use this option in order to force the use of IPv6:
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
tlsOptions: {},
//
// LDAP base dn, alternative to searchDN
//
// @type string
//
// baseDN: "",
//
// LDAP primary key
//
// @type string
// @default "uid"
//
primaryKey: "uid",
//
// LDAP search dn settings. This defines the procedure by which the
// lounge first look for user DN before authenticating her.
// Ignored if baseDN is specified
//
// @type object
//
searchDN: {
//
// LDAP searching bind DN
// This bind DN is used to query the server for the DN of the user.
// This is supposed to be a system user that has access in read only to
// the DNs of the people that are allowed to log in.
//
// @type string
//
rootDN: "cn=admin,dc=data,dc=coop",
//
// Password of the lounge LDAP system user
//
// @type string
//
rootPassword: "{{ ldap_admin_password }}",
//
// LDAP filter
//
// @type string
// @default "uid"
//
//filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
filter: "(objectClass=inetOrgPerson)",
//
// LDAP search base (search only within this node)
//
// @type string
//
base: "{{ ldap_dn }}",
//
// LDAP search scope
//
// @type string
// @default "sub"
//
scope: "sub",
},
},
// Extra debugging
//
// @type object
// @default {}
//
debug: {
// Enables extra debugging output provided by irc-framework.
//
// @type boolean
// @default false
//
ircFramework: false,
// Enables logging raw IRC messages into each server window.
//
// @type boolean
// @default false
//
raw: false,
},
};

20
roles/docker/files/mastodon/postgresql.conf
View File

@ -1,20 +0,0 @@
# DB Version: 14
# OS Type: linux
# DB Type: oltp
# Total Memory (RAM): 16 GB
# Connections num: 300
# Data Storage: hdd
listen_addresses = '*'
max_connections = 300
shared_buffers = 4GB
effective_cache_size = 12GB
maintenance_work_mem = 1GB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 4
effective_io_concurrency = 2
work_mem = 6990kB
min_wal_size = 2GB
max_wal_size = 8GB

1
roles/docker/files/vhost/element
View File

@ -1 +0,0 @@
client_max_body_size 1G; # default is 1M

2
roles/docker/files/vhost/matrix
View File

@ -1,2 +0,0 @@
listen 8008;
client_max_body_size 1G; # default is 1M

1
roles/docker/files/vhost/nextcloud
View File

@ -1 +0,0 @@
client_max_body_size 1G; # default is 1M

4
roles/docker/files/vhost/uptime_kuma
View File

@ -1,4 +0,0 @@
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;

2
roles/docker/files/vhost/www.base_domain
View File

@ -1,2 +0,0 @@
server_name www.data.coop;
return 301 $scheme://data.coop$request_uri;

6
roles/docker/handlers/main.yml
View File

@ -1,6 +0,0 @@
# vim: ft=yaml.ansible
---
- name: restart nginx
command: docker compose restart proxy
args:
chdir: "{{ services.nginx_proxy.volume_folder }}"

26
roles/docker/tasks/block.yml
View File

@ -1,26 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create volume folder for service {{ service.name }}
file:
name: "{{ service.vars.volume_folder }}"
state: directory
- name: Upload Compose file for service {{ service.name }}
template:
src: compose-files/{{ service.name }}.yml.j2
dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
owner: root
mode: u=rw,go=
- name: Run pre-deployment tasks for service {{ service.name }}
include_tasks: pre_deploy/{{ service.name }}.yml
when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
- name: Deploy Compose stack for service {{ service.name }}
command: docker compose up -d --remove-orphans --pull always
args:
chdir: "{{ service.vars.volume_folder }}"
- name: Run post-deployment tasks for service {{ service.name }}
include_tasks: post_deploy/{{ service.name }}.yml
when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks

37
roles/docker/tasks/main.yml
View File

@ -1,44 +1,33 @@
# vim: ft=yaml.ansible
---
- name: Add Docker PGP key
- name: add docker gpg key
apt_key:
keyserver: pgp.mit.edu
id: 8D81803C0EBFCD88
state: present
- name: Add Docker apt repository
- name: add docker apt repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu bionic stable
state: present
update_cache: yes
- name: Install Docker
- name: install docker-ce
apt:
name: "{{ pkgs }}"
state: present
vars:
pkgs:
- docker-ce
- docker-compose-plugin
- name: Configure cron job to prune unused Docker data weekly
cron:
name: Prune unused Docker data
cron_file: ansible_docker_prune
job: 'docker system prune -fa && docker volume prune -fa'
special_time: weekly
user: root
name: docker-ce
state: present
- name: Create folder structure for bind mounts
- name: install docker python bindings
pip:
executable: "pip3"
name: "docker-compose"
state: present
- name: create folder structure for bind mounts
file:
name: "{{ item }}"
name: "{{ volume_root_folder }}"
state: directory
loop:
- "{{ volume_root_folder }}"
- "{{ volume_website_folder }}"
- name: Set up services
- name: setup services
import_tasks: services.yml
tags:
- setup_services

13
roles/docker/tasks/post_deploy/docker_registry.yml
View File

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Generate htpasswd file
shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
args:
chdir: "{{ services.docker_registry.volume_folder }}"
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to registry
docker_login:
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
username: docker
password: "{{ docker_password }}"

19
roles/docker/tasks/post_deploy/mastodon.yml
View File

@ -1,19 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Configure cron job to remove old Mastodon media daily
cron:
name: Clean Mastodon media data older than a week
cron_file: ansible_mastodon_clean_media
job: docker exec mastodon-web-1 tootctl media remove --days 7
special_time: daily
user: root
state: present
- name: Configure cron job to remove old Mastodon preview cards daily
cron:
name: Clean Mastodon preview card data older than two weeks
cron_file: ansible_mastodon_clean_preview_cards
job: docker exec mastodon-web-1 tootctl preview_cards remove --days 14
special_time: daily
user: root
state: present

11
roles/docker/tasks/pre_deploy/data_coop_website.yml
View File

@ -1,11 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Upload vhost config for root domain
copy:
src: vhost/base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
- name: Upload vhost config for WWW domain
copy:
src: vhost/www.base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"

17
roles/docker/tasks/pre_deploy/docker_registry.yml
View File

@ -1,17 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.docker_registry.volume_folder }}/{{ volume }}"
state: directory
loop:
- auth
- registry
loop_control:
loop_var: volume
- name: Copy docker registry vhost configuration
copy:
src: vhost/docker_registry
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
mode: "0644"

21
roles/docker/tasks/pre_deploy/element.yml
View File

@ -1,21 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.element.volume_folder }}/data"
state: directory
- name: Upload config.json
template:
src: element/config.json.j2
dest: "{{ services.element.volume_folder }}/data/config.json"
- name: Upload riot.im.conf
copy:
src: element/riot.im.conf
dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
- name: Upload vhost config for Element domain
copy:
src: vhost/element
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.element.domain }}"

17
roles/docker/tasks/pre_deploy/hedgedoc.yml
View File

@ -1,17 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- db
- hedgedoc/uploads
loop_control:
loop_var: volume
- name: Copy SSO certificate
copy:
src: sso/sso.data.coop.pem
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"

45
roles/docker/tasks/pre_deploy/mailu.yml
View File

@ -1,45 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- data
- dkim
- mail
- mailqueue
- filter
- postgres
- webmail
- overrides
- overrides/nginx
- overrides/dovecot
- overrides/postfix
- overrides/rspamd
- overrides/snappymail
loop_control:
loop_var: volume
- name: Upload mailu.env file
template:
src: mailu/env.j2
dest: "{{ services.mailu.volume_folder }}/mailu.env"
- name: Hard link to Let's Encrypt TLS certificate
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
state: hard
force: true
when: letsencrypt_enabled
- name: Hard link to Let's Encrypt TLS key
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
state: hard
force: true
when: letsencrypt_enabled

45
roles/docker/tasks/pre_deploy/mastodon.yml
View File

@ -1,45 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for Mastodon data
file:
name: "{{ services.mastodon.volume_folder }}/mastodon_data"
state: directory
owner: "991"
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for PostgreSQL data
file:
name: "{{ services.mastodon.volume_folder }}/postgres_data"
state: directory
owner: "70"
mode: u=rwx,go=
- name: Create subfolder for PostgreSQL config
file:
name: "{{ services.mastodon.volume_folder }}/postgres_config"
state: directory
owner: root
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for Redis data
file:
name: "{{ services.mastodon.volume_folder }}/redis_data"
state: directory
owner: "999"
group: "1000"
mode: u=rwx,g=rx,o=rx
- name: Upload mastodon.env file
template:
src: mastodon/env.j2
dest: "{{ services.mastodon.volume_folder }}/mastodon.env"
- name: Upload vhost config for Mastodon domain
copy:
src: vhost/mastodon
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
- name: Upload PostgreSQL config
copy:
src: mastodon/postgresql.conf
dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"

34
roles/docker/tasks/pre_deploy/matrix.yml
View File

@ -1,34 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- data
- data/uploads
- data/media
loop_control:
loop_var: volume
- name: Create Matrix DB subfolder
file:
name: "{{ services.matrix.volume_folder }}/db"
state: directory
- name: Upload vhost config for Matrix domain
copy:
src: vhost/matrix
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
- name: Upload homeserver.yaml
template:
src: matrix/homeserver.yaml.j2
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
- name: Upload Matrix logging config
copy:
src: matrix/log.config
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"

17
roles/docker/tasks/pre_deploy/nextcloud.yml
View File

@ -1,17 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.nextcloud.volume_folder }}/{{ volume }}"
state: directory
loop:
- app
- postgres
loop_control:
loop_var: volume
- name: Upload vhost config for Nextcloud domain
copy:
src: vhost/nextcloud
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
notify: "restart nginx"

14
roles/docker/tasks/pre_deploy/nginx_proxy.yml
View File

@ -1,14 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume

12
roles/docker/tasks/pre_deploy/openldap.yml
View File

@ -1,12 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- var/lib/ldap
- etc/slapd
- certs
loop_control:
loop_var: volume

13
roles/docker/tasks/pre_deploy/postfix.yml
View File

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Set up network for Postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: Create subfolder
file:
name: "{{ services.postfix.volume_folder }}/dkim"
state: directory

16
roles/docker/tasks/pre_deploy/privatebin.yml
View File

@ -1,16 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: Upload PrivateBin config
copy:
src: privatebin/conf.php
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"

11
roles/docker/tasks/pre_deploy/rallly.yml
View File

@ -1,11 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.rallly.volume_folder }}/postgres"
state: directory
- name: Copy rallly.env file
template:
src: rallly/env.j2
dest: "{{ services.rallly.volume_folder }}/rallly.env"

72
roles/docker/tasks/pre_deploy/restic.yml
View File

@ -1,72 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create SSH directory
file:
path: "{{ services.restic.volume_folder }}/ssh"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload private SSH key
copy:
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
owner: root
group: root
mode: '0600'
content: "{{ restic_secrets.ssh_privkey }}"
- name: Derive public SSH key
shell: >-
ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
> {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
args:
creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
- name: Set file permissions on public SSH key
file:
path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
owner: root
group: root
mode: '0644'
state: touch
- name: Upload SSH config
template:
src: restic/ssh.config.j2
dest: "{{ services.restic.volume_folder }}/ssh/config"
owner: root
group: root
mode: '0600'
- name: Upload SSH known_hosts file
template:
src: restic/ssh.known_hosts.j2
dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
owner: root
group: root
mode: '0600'
- name: Create scripts directory
file:
path: "{{ services.restic.volume_folder }}/scripts"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload failure.sh script
template:
src: restic/failure.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/failure.sh"
owner: root
group: root
mode: '0755'
- name: Upload success.sh script
template:
src: restic/success.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/success.sh"
owner: root
group: root
mode: '0755'

9
roles/docker/tasks/pre_deploy/uptime_kuma.yml
View File

@ -1,9 +0,0 @@
- name: Upload vhost config for uptime domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.domain }}_location"
- name: Upload vhost config for status domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.status_domain }}_location"

20
roles/docker/tasks/pre_deploy/writefreely.yml
View File

@ -1,20 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for MariaDB data
file:
name: "{{ services.writefreely.volume_folder }}/db"
owner: "999"
group: "999"
state: directory
- name: Create subfolder for encryption keys
file:
name: "{{ services.writefreely.volume_folder }}/keys"
owner: "2"
group: "2"
state: directory
- name: Upload config.ini
template:
src: "writefreely/config.ini.j2"
dest: "{{ services.writefreely.volume_folder }}/config.ini"

28
roles/docker/tasks/services.yml
View File

@ -1,28 +1,8 @@
# vim: ft=yaml.ansible
---
- name: Set up external services network
- name: setup external services network
docker_network:
name: external_services
- name: Deploy all services
include_tasks:
file: block.yml
vars:
service:
name: "{{ item }}"
vars: "{{ services[item] }}"
loop: "{{ services_include }}"
when: single_service is not defined and
(item.vars.disabled_in_vagrant is not defined or
not (item.vars.disabled_in_vagrant and vagrant))
- name: Deploy single service
include_tasks:
file: block.yml
vars:
service:
name: "{{ single_service }}"
vars: "{{ services[single_service] }}"
when: single_service is defined and single_service in services and
(services[single_service].disabled_in_vagrant is not defined or
not (services[single_service].disabled_in_vagrant and vagrant))
- name: setup services
include_tasks: "services/{{ item }}.yml"
with_items: "{{ services }}"

57
roles/docker/tasks/services/codimd.yml Normal file
View File

@ -0,0 +1,57 @@
---
- name: codimd network
docker_network:
name: codimd
- name: create codimd volume folders
file:
name: "{{ codimd.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "codimd/uploads"
loop_control:
loop_var: volume
- name: codimd database container
docker_container:
name: codimd_db
image: postgres:10
state: started
restart_policy: unless-stopped
networks:
- name: codimd
volumes:
- "{{ codimd.volume_folder }}/db:/var/lib/postgresql/data"
env:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}"
- name: codimd app container
docker_container:
name: codimd_app
image: hackmdio/hackmd:1.3.0
restart_policy: unless-stopped
networks:
- name: codimd
- name: ldap
- name: external_services
volumes:
- "{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads"
env:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_LDAP_URL: "ldap://openldap"
CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop"
CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}"
CMD_LDAP_SEARCHBASE: "dc=data,dc=coop"
CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"
CMD_USECDN: "false"
VIRTUAL_HOST: "{{ codimd.domain }}"
LETSENCRYPT_HOST: "{{ codimd.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

35
roles/docker/tasks/services/docker_registry.yml Normal file
View File

@ -0,0 +1,35 @@
---
- name: copy docker registry nginx configuration
copy:
src: "files/configs/docker_registry/nginx.conf"
dest: "/docker-volumes/nginx/vhost/{{ docker_registry.domain }}"
mode: "0644"
- name: docker registry container
docker_container:
name: registry
image: registry:2
restart_policy: always
volumes:
- "{{ docker_registry.volume_folder }}/registry:/var/lib/registry"
- "{{ docker_registry.volume_folder }}/auth:/auth"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
- name: generate htpasswd file
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ docker_registry.volume_folder }}/auth/htpasswd"
args:
creates: "{{ docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to local registry
docker_login:
registry: "{{ docker_registry.domain }}"
username: "docker"
password: "{{ docker_password }}"

51
roles/docker/tasks/services/drone.yml Normal file
View File

@ -0,0 +1,51 @@
---
- name: set up drone with docker runner
docker_compose:
project_name: drone
pull: yes
definition:
version: "3.6"
services:
drone:
container_name: "drone"
image: drone/drone:1
restart: unless-stopped
networks:
- external_services
- drone
volumes:
- "{{ drone.volume_folder }}:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: "https://{{ gitea.domain }}"
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: "true"
DRONE_SERVER_HOST: "{{ drone.domain }}"
DRONE_SERVER_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
PLUGIN_CUSTOM_DNS: "91.239.100.100"
VIRTUAL_HOST: "{{ drone.domain }}"
LETSENCRYPT_HOST: "{{ drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
drone-runner-docker:
container_name: "drone-runner-docker"
image: "drone/drone-runner-docker:1"
restart: unless-stopped
networks:
- drone
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ drone.domain }}"
DRONE_RPC_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "data.coop_drone_runner"
networks:
drone:
external_services:
external:
name: external_services

47
roles/docker/tasks/services/fider.yml Normal file
View File

@ -0,0 +1,47 @@
---
- name: fider network
docker_network:
name: fider
- name: fider database volume
docker_volume:
name: fider_db
- name: fider database container
docker_container:
name: fider_db
image: postgres:10
state: started
restart_policy: always
networks:
- name: fider
volumes:
- fider_db:/var/lib/postgresql/data
env:
POSTGRES_USER: "fider"
POSTGRES_PASSWORD: "{{ postgres_passwords.fider }}"
- name: fider app container
docker_container:
name: fider
image: getfider/fider:stable
restart_policy: always
networks:
- name: fider
- name: external_services
- name: postfix
env:
GO_ENV: "production"
DATABASE_URL: "postgres://fider:{{ postgres_passwords.fider }}@fider_db:5432/fider?sslmode=disable"
JWT_SECRET: "{{ fider_jwt_secret }}"
EMAIL_NOREPLY: noreply@{{ fider.domain }}
EMAIL_SMTP_HOST: "{{ smtp_host }}"
EMAIL_SMTP_PORT: "{{ smtp_port }}"
EMAIL_SMTP_USERNAME: "noop"
EMAIL_SMTP_PASSWORD: "noop"
VIRTUAL_HOST: "{{ fider.domain }}"
LETSENCRYPT_HOST: "{{ fider.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email}}"

37
roles/docker/tasks/services/gitea.yml Normal file
View File

@ -0,0 +1,37 @@
---
- name: gitea network
docker_network:
name: gitea
# old DNS: 138.68.71.153
- name: gitea container
docker_container:
name: gitea
image: gitea/gitea:1.15.7
restart_policy: unless-stopped
networks:
- name: gitea
- name: postfix
- name: external_services
volumes:
- "{{ gitea.volume_folder }}:/data"
published_ports:
- "22:22"
env:
VIRTUAL_HOST: "{{ gitea.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ gitea.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
GITEA__mailer__ENABLED: "true"
GITEA__mailer__FROM: "noreply@{{ gitea.domain }}"
GITEA__mailer__MAILER_TYPE: "smtp"
GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
GITEA__mailer__USER: "noop"
GITEA__mailer__PASSWD: "noop"
GITEA__security__LOGIN_REMEMBER_DAYS: "60"
GITEA__security__PASSWORD_COMPLEXITY: "off"
GITEA__security__MIN_PASSWORD_LENGTH: "8"
GITEA__security__PASSWORD_CHECK_PWN: "true"
GITEA__service__ENABLE_NOTIFY_MAIL: "true"

66
roles/docker/tasks/services/hedgedoc.yml Normal file
View File

@ -0,0 +1,66 @@
---
- name: create hedgedoc volume folders
file:
name: "{{ hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "hedgedoc/uploads"
loop_control:
loop_var: volume
- name: copy sso public certificate
copy:
src: "files/sso/sso.data.coop.pem"
dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"
- name: setup hedgedoc
docker_compose:
project_name: "hedgedoc"
pull: "yes"
definition:
services:
database:
image: "postgres:10-alpine"
environment:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: "codimd"
restart: "unless-stopped"
networks:
- "hedgedoc"
volumes:
- "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
app:
image: quay.io/hedgedoc/hedgedoc:1.9.0
environment:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
CMD_DOMAIN: "{{ hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_SAML_IDPCERT: "/sso.data.coop.pem"
CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
CMD_SAML_ISSUER: "hedgedoc"
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CMD_USECDN: "false"
CMD_PROTOCOL_USESSL: "true"
VIRTUAL_HOST: "{{ hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
- "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
restart: "unless-stopped"
networks:
- "hedgedoc"
- "external_services"
depends_on:
- database
networks:
hedgedoc:
external_services:
external: true

45
roles/docker/tasks/services/keycloak.yml Normal file
View File

@ -0,0 +1,45 @@
- name: setup keycloak containers for sso.data.coop
docker_compose:
project_name: "keycloak"
pull: "yes"
definition:
version: "3.6"
services:
postgres:
image: "postgres:10"
restart: "unless-stopped"
networks:
- "keycloak"
volumes:
- "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "keycloak"
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: "keycloak"
app:
image: "quay.io/keycloak/keycloak:15.0.2"
restart: "unless-stopped"
networks:
- "keycloak"
- "postfix"
- "external_services"
environment:
VIRTUAL_HOST: "{{ keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
DB_USER: "keycloak"
DB_PASSWORD: "{{ postgres_passwords.keycloak }}"
DB_ADDR: "keycloak_postgres_1"
#KEYCLOAK_USER: "{{ keycloak_secrets.admin_user }}" # Only used for the first run of the application to set up the admin user
#KEYCLOAK_PASSWORD: "{{ keycloak_secrets.admin_password }}"
PROXY_ADDRESS_FORWARDING: "true"
networks:
keycloak:
postfix:
external: true
external_services:
external: true

62
roles/docker/tasks/services/listmonk.yml Normal file
View File

@ -0,0 +1,62 @@
- name: create listmonk volume folders
file:
name: "{{ listmonk.volume_folder }}/{{ volume }}"
state: directory
loop:
- "postgres_data"
loop_control:
loop_var: volume
- name: Copy listmonk config file
template:
src: files/configs/listmonk/config.toml.j2
dest: "{{ listmonk.volume_folder }}/config.toml"
- name: set up listmonk
docker_compose:
project_name: listmonk
pull: yes
definition:
version: "3.7"
services:
db:
image: postgres:13
networks:
- listmonk
environment:
- "POSTGRES_PASSWORD={{ postgres_passwords.listmonk }}"
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -U listmonk"]
interval: 10s
timeout: 5s
retries: 6
volumes:
- "{{ listmonk.volume_folder }}/postgres_data:/var/lib/postgresql/data"
app:
restart: unless-stopped
image: listmonk/listmonk:v2.1.0
ports:
- "9000:9000"
networks:
- listmonk
- external_services
depends_on:
- db
volumes:
- "{{ listmonk.volume_folder }}/config.toml:/listmonk/config.toml"
environment:
TZ: Europe/Copenhagen
VIRTUAL_HOST: "{{ listmonk.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ listmonk.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
# postfix:
# external: true
listmonk:
internal: true

161
roles/docker/tasks/services/mailu.yml Normal file
View File

@ -0,0 +1,161 @@
---
- name: create mailu volume folders
file:
name: "{{ mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- overrides
- data
- dkim
- mail
- filter
- dav
- webmail
loop_control:
loop_var: volume
- name: upload mailu.env file
template:
src: mailu.env.j2
dest: "{{ mailu.volume_folder}}/mailu.env"
- name: hard link to Let's Encrypt TLS certificate
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem"
dest: "{{ mailu.volume_folder }}/certs/cert.pem"
state: hard
force: yes
- name: hard link to Let's Encrypt TLS key
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem"
dest: "{{ mailu.volume_folder }}/certs/key.pem"
state: hard
force: yes
- name: run mail server containers
docker_compose:
project_name: mail_server
pull: yes
definition:
version: '3.6'
services:
redis:
image: redis:alpine
restart: always
volumes:
- "{{ mailu.volume_folder }}/redis:/data"
database:
image: mailu/postgresql:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data/psql_db:/data"
- "{{ mailu.volume_folder }}/data/psql_backup:/backup"
networks:
- default
- external_services
front:
image: mailu/nginx:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
environment:
VIRTUAL_HOST: "{{ mailu.domain }}"
LETSENCRYPT_HOST: "{{ mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ mailu.volume_folder }}/certs:/certs"
- "{{ mailu.volume_folder }}/overrides/nginx:/overrides"
expose:
- "80"
ports:
- "993:993"
- "25:25"
- "587:587"
- "465:465"
networks:
- default
- external_services
resolver:
image: mailu/unbound:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
networks:
default:
ipv4_address: "{{ mailu.dns }}"
admin:
image: mailu/admin:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data:/data"
- "{{ mailu.volume_folder }}/dkim:/dkim"
depends_on:
- redis
imap:
image: mailu/dovecot:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/mail:/mail"
- "{{ mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
smtp:
image: mailu/postfix:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
antispam:
image: mailu/rspamd:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/filter:/var/lib/rspamd"
- "{{ mailu.volume_folder }}/dkim:/dkim"
- "{{ mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
webmail:
image: mailu/rainloop:1.6
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/webmail:/data"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ mailu.subnet }}"
external_services:
external:
name: external_services

118
roles/docker/tasks/services/mastodon.yml Normal file
View File

@ -0,0 +1,118 @@
- name: create mastodon volume folders
file:
name: "{{ mastodon.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- "postgres_data"
- "redis_data"
- "mastodon_data"
loop_control:
loop_var: volume
- name: Copy mastodon environment file
template:
src: files/configs/mastodon/env_file.j2
dest: "{{ mastodon.volume_folder }}/env_file"
- name: upload vhost config for root domain
template:
src: files/configs/mastodon/vhost-mastodon
dest: "{{ nginx.volume_folder }}/vhost/{{ mastodon.domain }}"
- name: set up mastodon
docker_compose:
project_name: mastodon
pull: yes
definition:
version: '3'
services:
db:
restart: always
image: postgres:14-alpine
shm_size: 256mb
networks:
- internal_network
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
volumes:
- "{{ mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
environment:
- 'POSTGRES_HOST_AUTH_METHOD=trust'
redis:
restart: always
image: redis:6-alpine
networks:
- internal_network
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
volumes:
- "{{ mastodon.volume_folder }}/redis_data:/data"
web:
image: tootsuite/mastodon
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- external_services
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
ports:
- '127.0.0.1:3000:3000'
depends_on:
- db
- redis
volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
environment:
VIRTUAL_HOST: "{{ mastodon.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
streaming:
image: tootsuite/mastodon
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
command: node ./streaming
networks:
- external_services
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
ports:
- '127.0.0.1:4000:4000'
depends_on:
- db
- redis
sidekiq:
image: tootsuite/mastodon
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
command: bundle exec sidekiq
depends_on:
- db
- redis
networks:
- postfix
- external_services
- internal_network
volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
networks:
external_services:
external: true
postfix:
external: true
internal_network:
internal: true

125
roles/docker/tasks/services/matrix_riot.yml Normal file
View File

@ -0,0 +1,125 @@
---
- name: create matrix volume folders
file:
name: "{{ matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- "data"
- "data/uploads"
- "data/media"
loop_control:
loop_var: volume
- name: create matrix DB folder
file:
name: "{{ matrix.volume_folder }}/db"
state: "directory"
- name: create riot volume folders
file:
name: "{{ riot.volume_folder }}/{{ volume }}"
state: directory
loop:
- "data"
loop_control:
loop_var: volume
- name: upload riot config.json
template:
src: files/configs/riot/config.json
dest: "{{ riot.volume_folder }}/data/config.json"
- name: upload riot.im.conf
template:
src: files/configs/riot/riot.im.conf
dest: "{{ riot.volume_folder }}/data/riot.im.conf"
- name: upload vhost config for root domain
template:
src: files/configs/matrix/vhost-root
dest: "{{ nginx.volume_folder }}/vhost/{{ base_domain }}"
- name: upload vhost config for matrix domain
template:
src: files/configs/matrix/vhost-matrix
dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}"
- name: upload vhost config for riot domain
template:
src: files/configs/matrix/vhost-riot
dest: "{{ nginx.volume_folder }}/vhost/{{ riot.domains[0] }}"
- name: upload homeserver.yaml
template:
src: "files/configs/matrix/homeserver.yaml.j2"
dest: "{{ matrix.volume_folder }}/data/homeserver.yaml"
- name: upload matrix logging config
template:
src: "files/configs/matrix/matrix.data.coop.log.config"
dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config"
- name: set up matrix and riot
docker_compose:
project_name: matrix
pull: yes
definition:
version: "3.6"
services:
matrix_db:
container_name: matrix_db
image: postgres:10
restart: unless-stopped
networks:
- matrix
volumes:
- "{{ matrix.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "synapse"
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
matrix_app:
container_name: matrix
image: matrixdotorg/synapse:v1.47.1
restart: unless-stopped
networks:
- matrix
- external_services
ports:
- 8008
volumes:
- "{{ matrix.volume_folder }}/data:/data"
environment:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: "INFO"
VIRTUAL_HOST: "{{ matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
riot:
container_name: riot_app
image: avhost/docker-matrix-riot:v1.9.0
restart: unless-stopped
networks:
- matrix
- external_services
ports:
- 8080
volumes:
- "{{ riot.volume_folder }}/data:/data"
environment:
VIRTUAL_HOST: "{{ riot.domains|join(',') }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external:
name: external_services
matrix:
name: "matrix"

27
roles/docker/tasks/services/netdata.yml Normal file
View File

@ -0,0 +1,27 @@
---
- name: setup netdata docker container for system monitoring
docker_container:
name: netdata
image: netdata/netdata
restart_policy: unless-stopped
hostname: "hevonen.servers.{{ base_domain }}"
capabilities:
- SYS_PTRACE
security_opts:
- apparmor:unconfined
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ netdata.domain }}"
LETSENCRYPT_HOST: "{{ netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
labels:
com.ouroboros.enable: "true"

42
roles/docker/tasks/services/nextcloud.yml Normal file
View File

@ -0,0 +1,42 @@
---
- name: setup nextcloud containers
docker_compose:
project_name: "nextcloud"
pull: "yes"
definition:
services:
postgres:
image: "postgres:10"
restart: "unless-stopped"
networks:
- "nextcloud"
volumes:
- "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: "nextcloud"
app:
image: "nextcloud:22-apache"
restart: "unless-stopped"
networks:
- "nextcloud"
- "external_services"
volumes:
- "{{ nextcloud.volume_folder }}/app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: "nextcloud_postgres_1"
POSTGRES_DB: "nextcloud"
POSTGRES_USER: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
networks:
nextcloud:
postfix:
external: true
external_services:
external: true

47
roles/docker/tasks/services/nginx-proxy.yml Normal file
View File

@ -0,0 +1,47 @@
---
- name: create nginx-proxy volume folders
file:
name: "{{ nginx.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: jwilder/nginx-proxy
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ nginx.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: jrcs/letsencrypt-nginx-proxy-companion
restart_policy: always
volumes:
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy

71
roles/docker/tasks/services/openldap.yml Normal file
View File

@ -0,0 +1,71 @@
---
- name: create ldap volume folders
file:
name: "{{ ldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- "var/lib/ldap"
- "etc/slapd"
- "certs"
loop_control:
loop_var: volume
- name: Create a network for ldap
docker_network:
name: ldap
- name: openLDAP container
docker_container:
name: openldap
image: osixia/openldap:1.5.0
tty: true
interactive: true
volumes:
- "{{ ldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
- "{{ ldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
- "{{ ldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
published_ports:
- "389:389"
- "636:636"
hostname: "{{ ldap.domain }}"
domainname: "{{ ldap.domain }}" # important: same as hostname
networks:
- name: ldap
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: "false"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap.crt"
LDAP_TLS_KEY_FILENAME: "ldap.key"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: "demand"
LDAP_REPLICATION: "false"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
- name: phpLDAPadmin container
docker_container:
name: phpldapadmin
image: osixia/phpldapadmin:0.9.0
networks:
- name: external_services
- name: ldap
env:
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
VIRTUAL_HOST: "{{ ldap.domain }}"
LETSENCRYPT_HOST: "{{ ldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

18
roles/docker/tasks/services/ouroboros.yml Normal file
View File

@ -0,0 +1,18 @@
---
- name: ouroboros container
docker_container:
name: ouroboros
image: pyouroboros/ouroboros
restart_policy: unless-stopped
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /root/.docker/config.json:/root/.docker/config.json
env:
LABEL_ENABLE: "true"
LABELS_ONLY: "true"
CLEANUP: "true"
LATEST: "true"
CRON: "*/10 * * * *"

47
roles/docker/tasks/services/passit.yml Normal file
View File

@ -0,0 +1,47 @@
---
- name: setup passit containers
docker_compose:
project_name: "passit"
pull: "yes"
definition:
version: "3.6"
services:
passit_db:
image: "postgres:10"
restart: "always"
networks:
- "passit"
volumes:
- "{{ passit.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "passit"
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
passit_app:
image: "passit/passit:stable"
command: "bin/start.sh"
restart: "always"
networks:
- "passit"
- "postfix"
- "external_services"
environment:
DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: 'False'
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
VIRTUAL_HOST: "{{ passit.domain }}"
LETSENCRYPT_HOST: "{{ passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
passit:
postfix:
external: true
external_services:
external: true

24
roles/docker/tasks/services/portainer.yml Normal file
View File

@ -0,0 +1,24 @@
---
- name: create portainer volume folder
file:
name: "{{ portainer.volume_folder }}"
state: directory
- name: run portainer
docker_container:
name: portainer
image: portainer/portainer-ce:2.9.1
restart_policy: always
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- "{{ portainer.volume_folder }}:/data"
published_ports:
- 9001:9000
env:
VIRTUAL_HOST: "{{ portainer.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

19
roles/docker/tasks/services/postfix.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: setup network for postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: setup postfix docker container for outgoing mail
docker_container:
name: postfix
image: boky/postfix:v3.5.0
restart_policy: always
networks:
- name: postfix
env:
ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}"
HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as

31
roles/docker/tasks/services/privatebin.yml Normal file
View File

@ -0,0 +1,31 @@
---
- name: create privatebin volume folders
file:
name: "{{ privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: upload privatebin config
template:
src: files/configs/privatebin-conf.php
dest: "{{ privatebin.volume_folder }}/cfg/conf.php"
- name: privatebin app container
docker_container:
name: privatebin
image: jgeusebroek/privatebin:latest
restart_policy: unless-stopped
volumes:
- "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg"
- "{{ privatebin.volume_folder }}/data:/privatebin/data"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ privatebin.domain }}"
LETSENCRYPT_HOST: "{{ privatebin.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

38
roles/docker/tasks/services/restic-backup.yml Normal file
View File

@ -0,0 +1,38 @@
---
- name: setup restic backup
docker_compose:
project_name: restic_backup
pull: yes
definition:
version: '3.6'
services:
restic-backup:
image: mazzolino/restic
restart: always
environment:
RUN_ON_STARTUP: "true"
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes
--exclude='*.tmp'
--verbose
RESTIC_FORGET_ARGS: >-
--keep-last 10
--keep-daily 7
--keep-weekly 5
--keep-monthly 12
TZ: Europe/Copenhagen
volumes:
- /docker-volumes:/mnt/volumes:ro
restic-prune:
image: "mazzolino/restic"
environment:
RUN_ON_STARTUP: "true"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
TZ: Europe/copenhagen

25
roles/docker/tasks/services/thelounge.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: thelounge volume
docker_volume:
name: thelounge
- name: upload thelounge config
template:
src: files/configs/thelounge.js
dest: /var/lib/docker/volumes/thelounge/_data/config.js
- name: thelounge container
docker_container:
name: thelounge
image: thelounge/lounge:latest
restart_policy: always
volumes:
- thelounge:/home/lounge/data
networks:
- name: external_services
- name: ldap
env:
VIRTUAL_HOST: "{{ thelounge.domain }}"
LETSENCRYPT_HOST: "{{ thelounge.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

53
roles/docker/tasks/services/tt-rss.yml Normal file
View File

@ -0,0 +1,53 @@
---
- name: create tt-rss folders
file:
name: "{{ ttrss.volume_folder }}/{{ volume }}"
state: directory
loop:
- "config"
- "db"
loop_control:
loop_var: volume
- name: "set up tt-rss"
docker_compose:
project_name: "tt-rss"
pull: yes
definition:
version: "3.6"
services:
ttrss_db:
container_name: "ttrss_db"
image: "postgres:11"
restart: "unless-stopped"
networks:
- "ttrss"
volumes:
- "{{ ttrss.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "ttrss"
POSTGRES_PASSWORD: "{{ postgres_passwords.ttrss }}"
ttrss_app:
container_name: ttrss_app
image: "linuxserver/tt-rss"
restart: unless-stopped
networks:
- ttrss
- external_services
volumes:
- "{{ ttrss.volume_folder }}/config:/config"
environment:
VIRTUAL_HOST: "{{ ttrss.domain }}"
LETSENCRYPT_HOST: "{{ ttrss.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
TZ: "Europe/Copenhagen"
labels:
com.ouroboros.enable: "true"
networks:
external_services:
external:
name: external_services
ttrss:
name: "ttrss"

13
roles/docker/tasks/services/ulovliglogning-dk.yml Normal file
View File

@ -0,0 +1,13 @@
- name: setup ulovliglogning.dk website docker container
docker_container:
name: ulovliglogning_website
restart_policy: unless-stopped
image: ulovliglogning/ulovliglogning.dk:latest
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"

57
roles/docker/tasks/services/websites.yml Normal file
View File

@ -0,0 +1,57 @@
---
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"

17
roles/docker/templates/compose-files/cryptoaarhus_website.yml.j2
View File

@ -1,17 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptoaarhus-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

17
roles/docker/templates/compose-files/cryptohagen_website.yml.j2
View File

@ -1,17 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptohagen-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

27
roles/docker/templates/compose-files/data_coop_website.yml.j2
View File

@ -1,27 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
prod-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
staging-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

21
roles/docker/templates/compose-files/diun.yml.j2
View File

@ -1,21 +0,0 @@
# vim: ft=yaml.ansible
---
version: "3.5"
services:
diun:
image: "ghcr.io/crazy-max/diun:{{ services.diun.version }}"
command: serve
volumes:
- "./data:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- "TZ=Europe/Paris"
- "DIUN_WATCH_WORKERS=20"
- "DIUN_WATCH_SCHEDULE=0 */6 * * *"
- "DIUN_WATCH_JITTER=30s"
- "DIUN_PROVIDERS_DOCKER=true"
- "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
labels:
- "diun.enable=true"
restart: always

23
roles/docker/templates/compose-files/docker_registry.yml.j2
View File

@ -1,23 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: registry:{{ services.docker_registry.version }}
restart: always
networks:
- external_services
volumes:
- "./registry:/var/lib/registry"
- "./auth:/auth"
environment:
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
networks:
external_services:
external: true

40
roles/docker/templates/compose-files/drone.yml.j2
View File

@ -1,40 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: drone/drone:{{ services.drone.version }}
restart: unless-stopped
networks:
- default
- external_services
volumes:
- ".:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: https://{{ services.forgejo.domain }}
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: true
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
DRONE_SERVER_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
VIRTUAL_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
runner:
image: drone/drone-runner-docker:{{ services.drone.version }}
restart: unless-stopped
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ services.drone.domain }}"
DRONE_RPC_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: data.coop_drone_runner
networks:
external_services:
external: true

22
roles/docker/templates/compose-files/element.yml.j2
View File

@ -1,22 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: avhost/docker-matrix-element:{{ services.element.version }}
restart: unless-stopped
networks:
- external_services
expose:
- "8080"
volumes:
- "./data:/data"
environment:
VIRTUAL_HOST: "{{ services.element.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.element.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

22
roles/docker/templates/compose-files/fedi_dk_website.yml.j2
View File

@ -1,22 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
command: --remote=https://git.data.coop/fedi.dk/website.git#main
cap_add:
- NET_ADMIN
devices:
- "/dev/net/tun"
networks:
external_services:
external: true

38
roles/docker/templates/compose-files/forgejo.yml.j2
View File

@ -1,38 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
restart: unless-stopped
networks:
- external_services
- postfix
volumes:
- ".:/data"
ports:
- "22:22"
environment:
VIRTUAL_HOST: "{{ services.forgejo.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
FORGEJO__mailer__ENABLED: true
FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }}
FORGEJO__mailer__PROTOCOL: smtp
FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}"
FORGEJO__mailer__SMTP_PORT: "{{ smtp_port }}"
FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
FORGEJO__security__PASSWORD_COMPLEXITY: off
FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
FORGEJO__security__PASSWORD_CHECK_PWN: true
FORGEJO__service__ENABLE_NOTIFY_MAIL: true
FORGEJO__service__REGISTER_EMAIL_CONFIRM: true
networks:
external_services:
external: true
postfix:
external: true

44
roles/docker/templates/compose-files/hedgedoc.yml.j2
View File

@ -1,44 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.hedgedoc.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: codimd
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: codimd
app:
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
volumes:
- "./hedgedoc/uploads:/hedgedoc/public/uploads"
- "./sso.data.coop.pem:/sso.data.coop.pem"
restart: unless-stopped
networks:
- default
- external_services
environment:
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@db:5432/codimd
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: False
CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: False
CMD_SAML_IDPCERT: /sso.data.coop.pem
CMD_SAML_IDPSSOURL: https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml
CMD_SAML_ISSUER: hedgedoc
CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
CMD_USECDN: false
CMD_PROTOCOL_USESSL: true
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
depends_on:
- db
networks:
external_services:
external: true

42
roles/docker/templates/compose-files/keycloak.yml.j2
View File

@ -1,42 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.keycloak.postgres_version }}
restart: unless-stopped
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: keycloak
app:
image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
command:
- "start"
- "--db=postgres"
- "--db-url=jdbc:postgresql://db:5432/keycloak"
- "--db-username=keycloak"
- "--db-password={{ postgres_passwords.keycloak }}"
- "--hostname={{ services.keycloak.domain }}"
- "--proxy=edge"
- "--https-port=8080"
- "--http-relative-path=/auth"
environment:
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true

146
roles/docker/templates/compose-files/mailu.yml.j2
View File

@ -1,146 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.mailu.postgres_version }}
restart: unless-stopped
environment:
POSTGRES_DB: mailu
POSTGRES_USER: mailu
POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
volumes:
- "./postgres:/var/lib/postgresql/data"
dns:
- "{{ services.mailu.dns }}"
redis:
image: redis:{{ services.mailu.redis_version }}
restart: unless-stopped
volumes:
- "./redis:/data"
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
front:
image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
environment:
VIRTUAL_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "./certs:/certs"
- "./overrides/nginx:/overrides:ro"
expose:
- "80"
ports:
- "25:25"
- "465:465"
- "587:587"
- "110:110"
- "995:995"
- "143:143"
- "993:993"
networks:
- default
- webmail
- external_services
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
resolver:
image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
networks:
default:
ipv4_address: "{{ services.mailu.dns }}"
admin:
image: ghcr.io/mailu/admin:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./data:/data"
- "./dkim:/dkim"
networks:
default:
aliases:
- admin.mailu
depends_on:
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
imap:
image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mail:/mail"
- "./overrides/dovecot:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
smtp:
image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mailqueue:/queue"
- "./overrides/postfix:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
antispam:
image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
hostname: antispam
restart: unless-stopped
env_file: mailu.env
volumes:
- "./filter:/var/lib/rspamd"
- "./overrides/rspamd:/overrides:ro"
depends_on:
- front
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
webmail:
image: ghcr.io/mailu/webmail:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./webmail:/data"
- "./overrides/snappymail:/overrides:ro"
networks:
- webmail
depends_on:
- front
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ services.mailu.subnet }}"
webmail:
driver: bridge
external_services:
external: true

146
roles/docker/templates/compose-files/mastodon.yml.j2
View File

@ -1,146 +0,0 @@
# vim: ft=yaml.docker-compose
x-sidekiq: &sidekiq
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
networks:
- default
- postfix
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
version: "3.8"
services:
db:
restart: always
image: postgres:{{ services.mastodon.postgres_version }}
shm_size: 256mb
volumes:
- "./postgres_data:/var/lib/postgresql/data"
- "./postgres_config:/config:ro"
command: postgres -c config_file=/config/postgresql.conf
environment:
POSTGRES_HOST_AUTH_METHOD: trust
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
redis:
restart: always
image: redis:{{ services.mastodon.redis_version }}
volumes:
- "./redis_data:/data"
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
web:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- default
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
environment:
MAX_THREADS: 10
WEB_CONCURRENCY: 3
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "3000"
VIRTUAL_PATH: /
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
streaming:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: node ./streaming
networks:
- default
- external_services
ports:
- "127.0.0.1:4000:4000"
environment:
DB_POOL: 15
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "4000"
VIRTUAL_PATH: "/api/v1/streaming"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
# sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-push-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q push -q pull
environment:
DB_POOL: 25
# sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-pull-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q pull -q push
environment:
DB_POOL: 25
# sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-pull-default-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q pull -q default -q push
environment:
DB_POOL: 25
# sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-push-default-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q push -q default -q pull
environment:
DB_POOL: 25
# sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-scheduler:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q scheduler
environment:
DB_POOL: 5
# sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-mailers:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q mailers
environment:
DB_POOL: 5
# sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
sidekiq-push-ingress:
<<: *sidekiq
command: bundle exec sidekiq -c 10 -q push -q ingress
environment:
DB_POOL: 10
networks:
external_services:
external: true
postfix:
external: true

36
roles/docker/templates/compose-files/matrix.yml.j2
View File

@ -1,36 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.matrix.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: synapse
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
synapse:
image: matrixdotorg/synapse:{{ services.matrix.version }}
restart: unless-stopped
networks:
- default
- external_services
- postfix
volumes:
- "./data:/data"
environment:
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: INFO
VIRTUAL_HOST: "{{ services.matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
postfix:
external: true

44
roles/docker/templates/compose-files/membersystem.yml.j2
View File

@ -1,44 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: docker.data.coop/membersystem:{{ services.membersystem.version }}
restart: always
user: "$UID:$GID"
tty: true
networks:
- default
- external_services
- postfix
environment:
SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
POSTGRES_HOST: postgres
POSTGRES_PORT: 5432
EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
VIRTUAL_PORT: "8000"
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
depends_on:
- postgres
postgres:
image: postgres:{{ services.membersystem.postgres_version }}
restart: always
volumes:
- "./postgres/data:/var/lib/postgresql/data"
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
networks:
external_services:
external: true
postfix:
external: true

36
roles/docker/templates/compose-files/netdata.yml.j2
View File

@ -1,36 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: netdata/netdata:{{ services.netdata.version }}
restart: unless-stopped
hostname: hevonen.servers.{{ base_domain }}
volumes:
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/etc/os-release:/host/etc/os-release:ro"
networks:
- default
- external_services
environment:
VIRTUAL_HOST : "{{ services.netdata.domain }}"
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
DOCKER_HOST: "socket_proxy:2375"
cap_add:
- SYS_PTRACE
security_opt:
- apparmor:unconfined
socket-proxy:
image: tecnativa/docker-socket-proxy:latest
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
CONTAINERS: 1
networks:
external_services:
external: true

59
roles/docker/templates/compose-files/nextcloud.yml.j2
View File

@ -1,59 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.nextcloud.postgres_version }}
restart: unless-stopped
volumes:
- "./postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: nextcloud
redis:
image: redis:{{ services.nextcloud.redis_version }}
restart: unless-stopped
command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}
tmpfs:
- /var/lib/redis
cron:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
entrypoint: /cron.sh
volumes:
- "./app:/var/www/html"
depends_on:
- postgres
- redis
app:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
volumes:
- "./app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: postgres
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
REDIS_HOST: redis
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
depends_on:
- postgres
- redis
networks:
postfix:
external: true
external_services:
external: true

38
roles/docker/templates/compose-files/nginx_proxy.yml.j2
View File

@ -1,38 +0,0 @@
version: "3.8"
services:
proxy:
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart: always
networks:
- external_services
ports:
- "80:80"
- "443:443"
volumes:
- "./conf:/etc/nginx/conf.d"
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam"
- "./certs:/etc/nginx/certs:ro"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
labels:
- com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
{% if letsencrypt_enabled %}
acme:
image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }}
restart: always
volumes:
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam:ro"
- "./certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
depends_on:
- proxy
{% endif %}
networks:
external_services:
external: true

58
roles/docker/templates/compose-files/openldap.yml.j2
View File

@ -1,58 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: osixia/openldap:{{ services.openldap.version }}
restart: unless-stopped
tty: true
stdin_open: true
volumes:
- "./var/lib/ldap:/var/lib/ldap"
- "./etc/slapd.d:/etc/ldap/slapd.d"
- "./certs:/container/service/slapd/assets/certs/"
ports:
- "389:389"
- "636:636"
hostname: "{{ services.openldap.domain }}"
domainname: "{{ services.openldap.domain }}" # important: same as hostname
environment:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: false
LDAP_RFC2307BIS_SCHEMA: false
LDAP_BACKEND: mdb
LDAP_TLS: true
LDAP_TLS_CRT_FILENAME: ldap.crt
LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt
LDAP_TLS_ENFORCE: false
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: demand
LDAP_REPLICATION: false
KEEP_EXISTING_CONFIG: false
LDAP_REMOVE_CONFIG_AFTER_SETUP: true
LDAP_SSL_HELPER_PREFIX: ldap
admin:
image: osixia/phpldapadmin:{{ services.openldap.phpldapadmin_version }}
restart: unless-stopped
networks:
- default
- external_services
environment:
PHPLDAPADMIN_LDAP_HOSTS: app
PHPLDAPADMIN_HTTPS: false
PHPLDAPADMIN_TRUST_PROXY_SSL: true
VIRTUAL_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

38
roles/docker/templates/compose-files/passit.yml.j2
View File

@ -1,38 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.passit.postgres_version }}
restart: always
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: passit
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
app:
image: passit/passit:{{ services.passit.version }}
command: bin/start.sh
restart: always
networks:
- default
- postfix
- external_services
environment:
DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@db:5432/passit
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: "False"
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
FIDO_SERVER_ID: "{{ services.passit.domain }}"
VIRTUAL_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true

Some files were not shown because too many files have changed in this diff Show More