data.coop/ansible
8
3
Fork 7
Code Issues 49 Pull requests 7 Projects 1 Releases Wiki Activity

Compare commits

base: data.coop:main
Branches Tags
data.coop:main
data.coop:proxmox
data.coop:diun
data.coop:use_sudo
data.coop:woodpeckerci
data.coop:linting
data.coop:mailman
data.coop:listmonk
data.coop:sshd-password
..
compare: data.coop:listmonk
Branches Tags
data.coop:main
data.coop:proxmox
data.coop:diun
data.coop:use_sudo
data.coop:woodpeckerci
data.coop:linting
data.coop:mailman
data.coop:listmonk
data.coop:sshd-password

1 commit
main ... listmonk

Author SHA1 Message Date
Víðir Valberg Guðmundsson f36b76e293 Listmonk. 2022-05-08 21:22:25 +02:00
127 changed files with 2264 additions and 2744 deletions
Show stats Expand all files Collapse all files

111
.ansible-lint
View file

@ -1,111 +0,0 @@
---
# .ansible-lint
profile: null # min, basic, moderate,safety, shared, production
# exclude_paths included in this file are parsed relative to this file's location
# and not relative to the CWD of execution. CLI arguments passed to the --exclude
# option are parsed relative to the CWD of execution.
exclude_paths:
- .cache/ # implicit unless exclude_paths is defined in config
- .github/
- test/fixtures/formatting-before/
- test/fixtures/formatting-prettier/
# parseable: true
# quiet: true
# strict: true
# verbosity: 1
# Mock modules or roles in order to pass ansible-playbook --syntax-check
mock_modules:
- zuul_return
# note the foo.bar is invalid as being neither a module or a collection
- fake_namespace.fake_collection.fake_module
- fake_namespace.fake_collection.fake_module.fake_submodule
mock_roles:
- mocked_role
- author.role_name # old standalone galaxy role
- fake_namespace.fake_collection.fake_role # role within a collection
# Enable checking of loop variable prefixes in roles
loop_var_prefix: "{role}_"
# Enforce variable names to follow pattern below, in addition to Ansible own
# requirements, like avoiding python identifiers. To disable add `var-naming`
# to skip_list.
# var_naming_pattern: "^[a-z_][a-z0-9_]*$"
use_default_rules: true
# Load custom rules from this specific folder
# rulesdir:
# - ./rule/directory/
# Ansible-lint completely ignores rules or tags listed below
skip_list:
- skip_this_tag
# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
# You must enable opt-in rules by listing each rule 'id' below.
enable_list:
- empty-string-compare # opt-in
- no-log-password # opt-in
- no-same-owner # opt-in
# add yaml here if you want to avoid ignoring yaml checks when yamllint
# library is missing. Normally its absence just skips using that rule.
- yaml
# Report only a subset of tags and fully ignore any others
# tags:
# - jinja[spacing]
# Ansible-lint does not fail on warnings from the rules or tags listed below
warn_list:
- skip_this_tag
- experimental # experimental is included in the implicit list
# - role-name
# - yaml[document-start] # you can also use sub-rule matches
# Some rules can transform files to fix (or make it easier to fix) identified
# errors. `ansible-lint --write` will reformat YAML files and run these transforms.
# By default it will run all transforms (effectively `write_list: ["all"]`).
# You can disable running transforms by setting `write_list: ["none"]`.
# Or only enable a subset of rule transforms by listing rules/tags here.
# write_list:
# - all
# Offline mode disables installation of requirements.yml
offline: false
# Return success if number of violations compared with previous git
# commit has not increased. This feature works only in git
# repositories.
progressive: false
# Define required Ansible's variables to satisfy syntax check
extra_vars:
foo: bar
multiline_string_variable: |
line1
line2
complex_variable: ":{;\t$()"
# Uncomment to enforce action validation with tasks, usually is not
# needed as Ansible syntax check also covers it.
# skip_action_validation: false
# List of additional kind:pattern to be added at the top of the default
# match list, first match determines the file kind.
kinds:
# - playbook: "**/examples/*.{yml,yaml}"
# - galaxy: "**/folder/galaxy.yml"
# - tasks: "**/tasks/*.yml"
# - vars: "**/vars/*.yml"
# - meta: "**/meta/main.yml"
- yaml: "**/*.yaml-too"
# List of additional collections to allow in only-builtins rule.
# only_builtins_allow_collections:
# - example_ns.example_collection
# List of additions modules to allow in only-builtins rule.
# only_builtins_allow_modules:
# - example_module

4
.gitignore vendored
View file

@ -1,6 +1,4 @@
*.retry
playbook.retry
*.sw*
.vagrant/
*.log
.idea/
venv/

14
.pre-commit-config.yaml
View file

@ -1,14 +0,0 @@
repos:
#- repo: https://github.com/semaphor-dk/dansabel
# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
# hooks:
# - id: dansabel
- repo: https://github.com/ansible/ansible-lint
rev: v6.9.0
hooks:
- id: ansible-lint
files: \.(yaml|yml)$
additional_dependencies:
- ansible

12
Makefile
View file

@ -1,12 +0,0 @@
init: create_venv install_pre_commit install_ansible_galaxy_modules
create_venv:
python3 -m venv venv
venv/bin/pip install -U pip
venv/bin/pip install ansible pre-commit
install_pre_commit:
venv/bin/pre-commit install
install_ansible_galaxy_modules:
venv/bin/ansible-galaxy collection install community.general

108
README.md
View file

@ -1,108 +0,0 @@
# data.coop infrastructure
This repository contains the code used to deploy data.coop's services
and websites. We use Ansible to encode our infrastructure setup. Only
the association's administrators have access to deploy the services.
## Deploying
To deploy the services, the included `deploy.sh` script can be used. The
Ansible playbook uses two custom-made roles (in the `roles/` directory):
- `ubuntu_base` - used to configure the host itself and install the
necessary packages
- `docker` - used to deploy our services and websites with Docker
containers
The script has options to deploy only one of the roles. Select services
only can also be specified. By default, the script deploys everything.
Here is a summary of the options that can be used with the script:
```sh
# deploy everything
./deploy.sh
# deploy the ubuntu_base role only
./deploy.sh base
# deploy user setup only
./deploy.sh users
# deploy the docker role only
./deploy.sh services
# deploy SINGLE_SERVICE Docker service only
./deploy.sh services SINGLE_SERVICE
```
`SINGLE_SERVICE` should match one of the service names in the `services`
dictionary in `roles/docker/defaults/main.yml` (e.g. `gitea` or
`data_coop_website`).
## Testing
In order for us to be able to test our setup locally, we use Vagrant to
deploy the services in a virtual machine. To do this, Vagrant and
VirtualBox must both be installed on the development machine. Then, the
services can be deployed locally by using the `vagrant` command-line
tool. The working directory needs to be the root of the repository for
this to work properly.
> Note: As our secrets are contained in an Ansible Vault file, only the
> administrators have the ability to run the deployment in Vagrant.
> However, one could replace the vault file for testing purposes.
Here is a summary of the commands that are available with the `vagrant`
command-line tool:
```sh
# Create and provision the VM
vagrant up
# Re-provision the VM
vagrant provision
# SSH into the VM
vagrant ssh
# Power down the VM
vagrant halt
# Power down and delete the VM
vagrant destroy
```
The `vagrant` command-line tool does not support supplying extra
variables to Ansible on runtime, so to be able to deploy only parts of
the Ansible playbook to Vagrant, the `deploy.sh` script can be used with
the `--vagrant` flag. Here are some examples:
```sh
# deploy the ubuntu_base role only in the Vagrant VM
./deploy.sh --vagrant base
# deploy SINGLE_SERVICE Docker service only in the Vagrant VM
./deploy.sh --vagrant services SINGLE_SERVICE
```
Note that the `--vagrant` flag should be the first argument when using
the script.
## Contributing
If you want to contribute, you can fork the repository and submit a pull
request. We use a pre-commit hook for linting the YAML files before
every commit, so please use that. To initialize pre-commit, you need to
have Python and GNU make installed. Then, just run the following shell
command:
```sh
make init
```
## Nice tools
- [J2Live](https://j2live.ttl255.com/): A live Jinja2 parser, nice to
test out filters

48
Vagrantfile vendored
View file

@ -1,38 +1,24 @@
Vagrant.require_version ">= 2.0.0"
PORT = 19022
def provisioned?(vm="default", provider="virtualbox")
File.exist?(".vagrant/machines/#{vm}/#{provider}/action_provision")
end
Vagrant.require_version ">= 1.7.0"
Vagrant.configure(2) do |config|
config.vm.network :private_network, ip: "192.168.56.10"
config.vm.network :forwarded_port, guest: PORT, host: PORT
config.vm.box = "ubuntu/focal64"
config.vm.hostname = "datacoop"
config.vm.provider :virtualbox do |v|
v.cpus = 8
v.memory = 16384
end
config.vm.provision :ansible do |ansible|
ansible.compatibility_mode = "2.0"
ansible.playbook = "playbook.yml"
ansible.ask_vault_pass = true
ansible.verbose = "v"
# If the VM is already provisioned, we need to use the new port
if provisioned?
config.ssh.guest_port = PORT
ansible.extra_vars = {
ansible_port: PORT,
from_vagrant: true
config.vm.define "datacoop" do |datacoop|
datacoop.vm.box = "ubuntu/bionic64"
datacoop.vm.hostname = "datacoop"
datacoop.vm.provider "virtualbox" do |v|
v.memory = 4096
end
datacoop.vm.network "private_network", ip: "192.168.0.42"
datacoop.vm.provision "ansible" do |ansible|
ansible.verbose = "v"
ansible.compatibility_mode = "2.0"
ansible.playbook = "playbook.yml"
ansible.ask_vault_pass = true
ansible.host_vars = {
"datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"}
}
else
ansible.extra_vars = {
from_vagrant: true
ansible.groups = {
"all" => ["datacoop"]
}
end
end

7
ansible.cfg
View file

@ -1,8 +1,3 @@
[defaults]
ask_vault_pass = True
inventory = datacoop_hosts
interpreter_python = /usr/bin/python3
remote_user = root
retry_files_enabled = True
use_persistent_connections = True
forks = 10
inventory = datacoop_hosts

8
datacoop_hosts
View file

@ -1,5 +1,3 @@
[production]
hevonen.servers.data.coop ansible_port=19022
[monitoring]
uptime.data.coop
######################################
### All hosts
85.209.118.131 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3

39
deploy.sh
View file

@ -1,26 +1,6 @@
#!/bin/sh
usage () {
{
echo "Usage: $0 [--vagrant]"
echo "Usage: $0 [--vagrant] base"
echo "Usage: $0 [--vagrant] users"
echo "Usage: $0 [--vagrant] services [SERVICE]"
} >&2
}
BASE_CMD="ansible-playbook playbook.yml"
if [ "$1" = "--vagrant" ]; then
BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
VAGRANT_VAR="from_vagrant"
shift
fi
if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
echo "Installing community.general modules"
ansible-galaxy collection install community.general
fi
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
if [ -z "$1" ]; then
echo "Deploying all!"
@ -30,21 +10,10 @@ else
"services")
if [ -z "$2" ]; then
echo "Deploying all services!"
eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
$BASE_CMD --tags setup_services
else
echo "Deploying service: $2"
$BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
echo "Deploying services: $2"
$BASE_CMD --tags setup_services --extra-vars "services=$2"
fi
;;
"base")
eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;;
"users")
eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;;
*)
usage
exit 1
;;
esac
fi

311
group_vars/all/secrets.yml
View file

@ -1,175 +1,138 @@
$ANSIBLE_VAULT;1.1;AES256
61613366663339336437363136623339356237313933373030613438663430613938306336323139
3234343636653638653533656337313138356538376134330a636566313532303362326466663830
36376130386361306535373936353864303464663136363261356130323730663362303537666363
6437613762336531660a666232663762656162643234663839626663393330646566663933666164
35616164306433613734313132636266646266303464623034323338326534363133393365336334
61376637366435653766316562386337656266366537353863623633356439636331326436313637
61626232626664326163396437353065363735616133393730353936653734323863336263383436
31316339313333356537393266396431393330633161303634653935626562666266326265653761
64613163623137663532623565633434366238373664336330663439373033653861633161613835
31326237396631643836346339326235363663333230326438303334666236363536356237376536
61356163626231366239313065363836393332616537623237333736613161303063313437623564
37316164353436343537316433613763313064636366326130653764346463376330306430316636
32336136333738343361353536623465616339666431343265316564366431623131653435653561
62656662386333613337653831646635323566333131386363313233653861383634623666336430
35636166643063653039656131663664303363343738353662643335356134343336306263313861
35633332346366663932336236636462336662323234316261613333393031353232623435316339
62623063313536333962316463383063376430353163643362393539323830393132343063653963
33363932333532616132343531636434653834366230343238663836643939363931376262323561
64323937616661373434613764396639336366356430373966363266656239666434373635373133
65663530636363356436343765333830633061613337326361303433306231353762373331623463
39323738656335656139633034626432346265353638323539356132663036623965313033326363
34313333636333643465333563336661643536333639373639316439323036333065313662343663
37336532366630383331366338353434383135363162626335643664396262633630636163316330
64656162616236616131396665386136373534343263303933323262373537343339303639663035
37613234666439326333343136663264626465396431613437353564393162333032343538393536
31366564363663313630313033323862336635623862633733333739636461323066663037643131
64393535373364623531356665353833313139626134666230666533666166373265306531336238
63633361373162383665363332626433623861346139393632366366306137396561623437306635
64323462383562643638633437613663656463303064393564626131633161393436336631326131
64343339383030333864373564633766663238626638646438363431623963356464633330636363
36396164303631613137343966323162346135626638623737396635333661623364616335633965
62373733656233646437626236346635396466336438383466393831386539383262653633373531
36343935626338356334666363613137363935343362383265303338366266646233373963656239
65353461323432316366636531353665626534396562343836323563613231393361633162343033
63663436323532396332313735343262653738626664643931386661313136613830373637393632
64366264373838316538663865643166356630323265383139613036323539396136393934353865
32303266303131363836376664343431366633383765383966363365663761653533656265316230
33303466326665633263306562393133303438616538316362336436633963643331613631616130
31616135656231313763336336666632633563636136643062363437323937643834326235653065
63633866663766613234623863643335656333346138386463623565356437356165646538363738
38333366323165353633613365353031653164653435613136663064656330613764386361396236
32346636643462396630303530653364343338393061323336306161646163376464323230326463
35653166326461656539303863333232333166336533613339656234393337383031623065323132
35386233343739663439306134643365373232336539306634623332323939366638383062386361
38303035383462333766393335373731663638316139643231396138326634383839393663323630
38363232303564366462663462383466353664663234313165326539393632343732626166303031
66326662383338376663626166623661613561343035653336376139396633636336313539363639
36333065663737613965383739366561356130396136343337376138393831376234316464336531
35366663616665623732303430346131636437373731386333616162366261336235616134306535
31623130353335326334363334386566346433313166323332303930396465663833393130393131
35333637646335343536626432323539626238636264626563336463386363653834336262303663
34636332656139373231626661663461643336363262326437656531313333333739613363396165
36333532353061616239636235373963653532653838643161633837653733663537633138666233
36343036353866313263633733656634613963643931333838653561623739653639623935663831
35663534653830313236663539356663396165363638613333303366363565666465326339336437
33333936373566383239643663366532666235336533333962333731616366313733643963616161
31323631303566383937303338376332383537313566613761353864326532613933323337306661
61333234333238366437306237366432383066323830373236333431653063613664336433343463
37353033646538343635666564326337656264396163393561303734633739646539396138313464
38333161633938646462383834633662623332333630626531373339373439616138353235363638
39303837313534366338326133323337396339316533663334316330373562643339396665353861
30383433323339306637383731333331383436643531393233353639633238393136626264383664
34333331616330663565376330626535383765613835643964666132303838336165383565303964
38376630623733656361643663393164613766616462623034656631366433326132383033366363
37366232386135356264323936366431356262323664386661356239633836346238613162373937
61376265653865626437303765393662646234343230636538376531313833363136616265346366
34653132333239353865363638366632666133393034623130316566633532326238306532613963
63333534346635643135386139333661326532353435613461636165356339616431346166373632
62376435366238646335323239616666313838643137633632366232366363653234376134363039
33333733343937333366633434313533633463613033636432636265636261396332633162393763
63383263383966663534346330396335663836663132366439376134646138363336323233363339
62626164353832633733326236623865343130643564373830396634306266643637323133633834
66663533376264393835623632313264633464303432333365323365383533666565633831363339
34636533656466373930313461336138313439666634386434383862646563373163613565343136
32646466326461373065306637386631666633633364393630316637636364323966623766633330
34386163633865653734373538336234616161363036333236363735303765376432666632613030
38303532656263613063633865353633646566396661376535623335383931336465306666303963
64613665363662656237366334383632323862346430313030346538643939366362303734636538
63336234383863306633353061653166656231323332313931326637666665396162643930633835
64313233393433653261626364656566313836313634316631646639356438333336376166313161
35316133636635383936616666313764663936653035353333356239313030346339333065343739
66616537383736636234653165333930633239643966326266646365373330313738316131393961
35636161626532323862313261333130653739383062306164633062376566346432663839643831
37363337383761643430323661383039646164323665333765333534663635666262623266313339
64373530646537376136636239333035333461303539386666643366643936303563396132373234
33326130386435346238646430383630656261333630326330376336303638376137646361306630
64303031363435653834393035383135346239663063386239303365373663303764373631316165
62323938323834333763356239386661643136363961373766653930613134313233343166343734
31313664643639316531346333356638666135346231326561666234636539653862366630636134
37326230333237303461326466623764653163393935366361643264366531333630646261333435
33303866383332303730323736353639633533656661643361363537663436656466633664643132
35633263353862376435383031613030303434326135643431396363373933373130343766333765
33646434373961366134323534656264303562313033653930336437376630376135666339306661
65646635346535666538643734313462383631336236393963373631623530383430633438633235
66313062613136326364363434303135363739353464386263303137303534663166326463323732
65323931666331353630643062383061343836383266663035376631613636306564313133343238
38626563663834363739366236323061663165656361626366373366633932386134336665393830
32623733616566336539343039313532643131336439663736343137316264666562636562386364
66343930336531383634663339383931623537313835346566363434343231323565333036333832
30363937393831616537323832393064313330663732393061383437633437366161313131393534
65323663666161363039366663303633663739633832626132306164653266623766313031616230
32653763393636616331313932373935633039313038303762623039303032343738386134346164
64366130336233316330653261333661303839363965663232393233623837633461393239326433
30626235363666623464393935393262666633353337336331393762656333373763633866326664
33313966623438346637643239663535306166383062306332383337613864656664313932623137
30306563386561643435313030393139333063616232363433336431303330643239636663653231
32383762303539633235353464306431653539316630636630626536346235393966366639346563
37333264633832393139663561616633323361316237313863356537336364663666623333633439
33313735613163346562643539393836363566653464363534313637353030613436646432333964
36616137396439333764323634376366366438643337666266323831316139336264336363656364
63646533366562623862383336343633663963363530396532623037646331643435336161656239
36386434326261343462353863653866646265336436613438383835353637626530333932353238
66376632643863616233326235623864616330333730353533326466393434653333333433393664
62313435366537386436306166653932626436323636623430313739656239663662393931316136
38383464326537616230363734643237356333323964376430383364393632313136636333616365
33316139363238303338303165623032623265633461663466363737313362386336393939643066
34303535643261386666666138323938623438643437623933353031633662326562643836353931
61376136356231636164336263653539326134616636356338633835633563373339363964343738
39353864623662303466393132313131666366643266356133336131633862366537353235396366
66306438393963303438353035643866623265376236343636363636316135643466656639396661
38396462353538643466616166383566663431653238376162363764383030373831393336656436
64643635376334363832643063306362313238636431623962376362343365343439343937613564
65613464396433373964373730383833636661303230353238343032323834336435613731656561
66646661363736303430656363323130323130373131346435383137316636333831306164343835
39333730623564383663633664343235333365656366386465316238316535333330363839393465
66383062316366386465383164323462383934646361306136376161316265383564366361343233
30346537313236643665363866313432306233306331366630313862633966613739663964363533
37316634383034366665626130313462663964383962353933633261653066636163333836333064
64623133306432353631323931373235373934356531666663383939346132613265323635333935
64636131383265303662393133336261326265326562663837383564366433323764363430323731
33613333383030663434616665663439326162333832376333613935623139313465303933343239
37633539316133376331316538613035383139643362616363326535656635396263343732373038
64373435613266646661613961313233383063646335616537366633656165656538626631373032
36336463643262343235353533326262653964386662356137366261333566383662366433363436
61346630306233363135623437643634326365386265623436623366323739663136653034616437
38326331393764303262636438633433363332323263396265303631663737393639393361306532
39333664646638333938363130626661656137366637356263376133306363363565353262626564
66363863316166373638666465656630346533333635663432616132653365353463636638376639
63313163323266323136303730643830613239616262656363643935333566633530376566653435
36326431313034303930663534326335663964326263373936373065626634386337353964313162
30646561383839336235636632303832366266393736633136343137633331633730343962343433
63316337613239633339303366613765333634643636313966313362326262643639363161363131
37326130343166323938653265336638643538363031383938313264623539336264303136333031
30313130623634333764616439336631353863623962643935616361646434333665326230323765
37363637333165373631613561353735613135303939636466313761303764393164356662353032
30386662396533653665313337363732623361336638353536636665653437643364353335613035
31663730323065343135303839633363333337396537643135373435636434333566356438303761
31396366373935663763336661363537663636616564376434363166343964616533386339656365
36616364333164396633336366313666663265613436383364306138313335363031613163366330
65396133356262316233383665306262343133643136646432326663363531353664643961656232
66356265333135633836633164626336363363343765346261636162653438643964646239303261
38643238393830346433646338616433373364353864633435646531393562343439373334613138
66396139356164333864356466633131313433633261626630343764373334633638626431323739
36356562363532336239323063636461643864363566336232306331306138333233666534333538
37636232393333316565383263353933363166633930376465613731643630363335376639356336
36343262383535653839616234363835376265356639633138636161346262363330343936663064
39653235373931656366316335363731303038323366646564343466613836333131396231336163
64623038613536303635613963383761313035363261646165336661366238346531363365346562
62343036656430663938336365626336633535313036306231353863313563303935333838396361
37383131613834343233616163396262343561326138386236313162376262636334656565343266
32373230636135626533626433656533353432343461366231313863363034623631333330663238
31613566366361636534323662343363373836396134653439343938376131336430626563353333
62363037613730316563656234323665383464396237656332663166366634303036313236383831
39313164663136663633623336613166633965346632623364383234356630363934366632323434
31343261643731656430356634613831643666383934383164396238666162643838306166653664
62633963366465303662393930383764626462333832653136636461643130363564353566383233
36383331616265383437636430303865323435663939323833643465373836643863346235356266
39666664336263313365383034303637396164663366613263613337626465386632333163373366
62643335656230316432306235393433323933633836333833336639306636353163363663623736
34333165393165633563363762376662326632313766326166353863343937626165393136656436
39646163326262396263343030343263643033333630373233616338323939616137303630613336
36313266323263366436666230316134643161616638376431356438303932303736336432666535
30383963396664306265393031663238346538613038393564363134646237346531383962346638
6237396161373638623639343131346633316265333036323161
66363038343862326134623539343039633439643137613765356439653462333663313866383033
6330386335646539373338376462663636663434373530300a653737336230383036653735373433
31663133393236393130346165326466303762306363613565373865306132336531613064333338
3761356461343638360a396564383335323631666362656363333135373538353637383166383839
62316461616439396631653863623062333730616337663731363762363434336165616137336337
66393162336330343730396639303030343236653234663764353365623139356330303935323764
66666165393463363139653335363365343035313531306330656565643139643062343562386436
39303266656264626361366136636132326136393430623034383639313537663362396166303565
39656330653332363239386362633034616531383835313765323532313361346265653462303463
37623636663862333434663831343361386535383836316636613439616638393163663631656530
64333865626565623331653561633436643732633139316362303838633265343463366638666132
32646132373331663462373935336462663061373363623232303864376464306364313630633439
35643036323564396566613539366462366330643036633436323634653130336235333839306237
61353165663764623066633261633730373732663564323639393535336431316465376562363439
33323131623635396233323766376634663332656136653332323930303237636666383438613938
33313636623437323730396261396135366236396131313930303331303566326264616139353264
30396431613537373063313031343863333565333934653763653130336535353466393866393435
33343233386561656337363363663262663030316163316165343738643733306436333937373163
33353131626338316561303531323061383065643737366661326634306538306634626433363632
66643234363232346462333364316266633538633833653862636235393533366461343334376265
34396631313431306434323637653034626238633733316137346564336561383730613864373034
61633466653165353661393766616437313361653734613165363339366161343031363335336133
66343130383335653730353561626135636434356135333634313730353663396361663863323436
39363331393830653430623837663564333439653931633235633966343966623138316163623539
33616536626632336235363238666562366666386361643066613665356565333666383361356232
61623665386533663738303834323165633966613936393737396334373139303964323764643731
66636234356334383633616331316137343865323264653666623532353135383831306238316232
36353262373763653337333837613264633039623437333538646139326130386662386530336566
34336236656139353361643961616563353538613163333964333564306332636433633933386530
32333138656663343161633033656533633936346636653132316633653731356330353333626139
32303066306166626261363065306635373465663432373262633464656632643362663733346463
32393938346563363334343535396538663430626434363236323938653837313432623335613064
62323565303362323336663462656335643930343235353164316365333735656636616330643061
38316337393934363361616339393463646138626665616538653936616537343630306236636130
36326263343161636464376235396563376561356363393961623436356563666233386331353332
35333563316463316232653238336161316162626334623961626130323331386162356531373030
39646137363431303762323363363463333734613462663831663331633662376432386166373366
32323966633362313236643862303838663663346436323231383561386264303465313232393836
66636566376636306230653735303231346239303863373838356561393638363535363363656263
65306234386233373130356630373334313437613763663037373935383730373136323033346564
64666361346265616362623961616638613135653037623833316361333161633339303064313733
30306666343864323265656637616130653238343365376662313163346235306365313131376166
31666338396632626666323530326132386234336432373736313936653133356564616132393734
65613464663437363366396234393735383639373766623037656538336337623231323236326430
35613737386131316164326330316566356637633238643630333366653130633864356431346336
31653461633636346461626261396234376666373964393135333866363831616331653431373462
65363966333261326234323864363733316438306534336363373164656661313934623937336366
65323535346663633264363638386663383535363236333932356166393338396336366437656132
39663037353137333537333363653965643066343635353137396466333836376339666638336561
33643835646237613164373135393534376539323139323561386565326161643663346462646230
62393565333730343835353131656336343563636465633863363865653033393930333133613733
35613234323662313538623335666463653466633536356534393238343161306634383134313839
38353134336336656431373338383936633431623861383231323062393631666539343338353161
30323338313161343632376138323734363637373966356338383333656435353839633731343838
62376335323163386661623663366163623437373161396538396531643932616232633438663731
62333463373137323363323233353865313634396630613935356162303435656661626464346566
32333563636635366330643537373534383063396137393630356230643036376537373639663336
63353936396439646264313963346532613032613966333837666263383366333132306236303063
36326533353061343930333433326139383331323566313738623131356433623133303462356335
31316331656138356535643334326334346135346531383531343335303463376234666662643135
62646361356261386366656562363232313838656563663133313364616133333432373131313865
64663263663134653736626261663266333733333634653030363265326134323634353764306161
66393564326163663831353830646363343733383534323935363936336232376539373766626264
61623161343862313163383636363262393639656461643637356362613036303065333436323262
38396133346631633763383936353033323538343466383037616566313563343733386535663339
64306266643431303231653532353439386666656266656466623237363532663733643635643562
64366339376664363930343431336138353936326338303362373839373736336430646332643039
39643439376632386165323965653666353766663239623562373837363365336164633035303039
32663163326266363835633964366562386532386530363266363238333332653730326162333663
61636663363032623339373239333538356539356232613234363835636536646666313736653235
35373865633531323037346633393135396233343364383861323362396362393634373165656133
30333062383763613535323834383430363863386339323162316333663638313433386137666634
36306234393539343730343831333336323066316236376130623764393839353432383062303338
34343065616634313234663739336165656563303264666262323839363565666565663330326635
31613064636464653963333132626137366563656537643633363136373039316662366438306630
65383231663232376232633737396666363364623739303065633230633431636438613039336365
62336232623362633030613731646535386439353266393236363965303931353631336661306238
61643265333337333637393230313766626162373739326164643937363330623536663565346331
65373763643964306530323164646333383435363234383039636439366332333366343232393732
65373036636263623239373930393434363232353664323236356366366561623266353635616537
33373761663364653830333166343634356437666631663164636331643736323139303462356133
63616531636136636533633264316130353035333364623862653233333434623139343234653539
38623033313936613162646464373135323964623265343866383938646266636331303063373962
66353233646330663936316635306530653032343764633962656162366539383231346464333339
64636330363065343165333363643636613761646262316234616661636462343761323261656133
39393164383331343436373838383335333932333931323835663031313036396664623135666565
34336134386232636362313764626664663437313464663466343566313530633364333631363465
32386139303132386631333638636636616563643961386436373566363139353563323834333038
61346534636134633566313533313530333238386536633333373035306664336339303364353530
39303364613430336563633464303133306630376634623138666565613036643865383961636333
38656238623931623434663638316534633334393438666238343139646465663862386264333963
36363563396631643338383130633634653937396266653936346339613333646463383463363862
63366233653962393737393366373933303630316263383635623365313566653236376533653363
34313262373565666261343039663966633533333839306631666437376237633636383061303333
36616632623763656533613561336133656562653165346566656535656339313831633935366536
34386631663032376264663963653638663762373137323537666130623563386133393932376434
32303863346262323537626431616665623431643764363764656661313362613266383130363633
31363565393331663433633137646236343736346565396438396163626430646634643339653261
64343064376162636262356436343263623733343363373964326639313332646431343835336433
39313965613532343263663939343662363236353636383438356161373264376661386562323730
61386632636532643933386164376663663262346330303733363464316235323265333036326337
61353935333130343538613930313465333535393039333061383234646539666632626666353533
63363432323864653733376137343766383736623231616465373032323834366330326638626339
66633431306336376132393837396333336462656633653431383362653939633032383237333534
63373266393765343437306236313535316664343639313934666136313863636531613261393263
36636531373936306166636465643132323835336563336265366433656337366662366330333166
61616163656535633934613331656339323263343235636231326136396438373435323830333539
34393463666639306165363164663433663231356335653531616264626237393134383631343066
33346331373161373936333763376664393131363365343733336237366539643063653936623137
64373837636438336437316261343137666532663662303864663963383538653239313162633565
39656130313831343734653832626139303130393862306362326361323564613063333463376637
64623638616636376236323739363538663433303835383866643830393963636132366166386563
36363162363438356364326131393530366135373730396336323063636334356535663363323835
39663564313039303361666237353938636539333434326132393438633963353732623333666431
32613861346263626664623837623365386638373530386638303938656532383230633438363735
38343261663164613364376462356162646231303733376636656263623064303333373230373761
35656466613766343562326361613865313361366631613232653438656564646265316436386530
38313162666437636664336262306463333637626162666337346365363065613065653636663336
30303631623261363633323730633063343233333735326130663039393332623530363333646436
36653232613833653231366535653936613162303531333238326262383165633233633537616663
38393464343233353862353936633363616339623561396661616438326634633539333761316164
32316166623438326435613238336639313363363361383630376331333662303964666238323032
63383638316363643662623535616463356639303937376430656133333431646532336165623665
66633335623265396630643437353861366133656237336462663733643933313332613266653432
34353435313766396166626635313763666366333764383564646538393734636362346531333938
38623865396561353435616433396533656361663266656565363637383235613562656465363730
32623266353335313563306465313261333336343934333235386264373136343666363364353532
35616333373037343432363832313435623130643132633162336264393737313833656335613638
63653232623935343638346464353630393264306232633665343865373839623461343165393564
33643264326664333534316233323937336265386238373963326161323761646531636637353631
32363864333632373165633133306538633933653362313636396364633436343066626163373933
32313235306230313333303062313466333635323864396437643738346631383366383637323561
61616665303733666337316537343137393035623832383539383338623936323135333664303236
36316632313133386634383161363039383134346238613332386130613734666636323538643263
31333166666138313864636130333964336263613430316662333535333038616533373239333564
34383433383830306161666137616533626130353937396530366565373665616565313037366264
3834

31
group_vars/all/secrets.yml.contents
View file

@ -1,17 +1,20 @@
# These are the variables contained in secrets.yml
# Secrets are usually 32 characters or more, matching [a-Z0-9]
---
postgres_passwords:
fider: xxx
nextcloud: xxx
passit: xxx
gitea: xxx
matrix: xxx
codimd: xxx
mailu: xxx
ttrss: xxx
keycloak: xxx
hedgedoc: xxx
mastodon: xxx
rallly: xxx
membersystem: xxx
listmonk: xxx
fider_jwt_secret: xxx
ldap_admin_password: xxx
ldap_config_password: xxx
@ -22,18 +25,14 @@ docker_password: xxx
mailu_secret_key: xxx
nextcloud_secrets:
redis_password: xxx
drone_secrets:
oauth_client_id: xxx
oauth_client_secret: xxx
rpc_shared_secret: xxx
restic_secrets:
repository_password: xxx
ssh_privkey: xxx
uptime_kuma_url: xxx
user_secret: xxx
encryption_secret: xxx
matrix_secrets:
registration_shared_secret: xxx
@ -41,7 +40,7 @@ matrix_secrets:
form_secret: xxx
keycloak_secrets:
admin_user: xxx # used for setting up the initial admin user on first run
admin_user: xxx //used for setting up the initial admin user on first run
admin_password: xxx
mastodon_secrets:
@ -50,11 +49,5 @@ mastodon_secrets:
vapid_private_key: xxx
vapid_public_key: xxx
rallly_secrets:
secret_password: xxx
membersystem_secrets:
secret_key: xxx
diun:
matrix_password: xxx
listmonk_secrets:
admin_password: xxx

23
group_vars/all/vars.yml
View file

@ -1,35 +1,28 @@
# vim: ft=yaml.ansible
---
users:
- name: graffen
comment: Jesper Hess Nielsen
password: '!'
groups: []
ssh_keys: []
password: $6$6bgPWZ76LvB$DZ3ipFsFtL2b1nSC0AQ63k8ibJidyIE9iIsWWzY0fux0ynz9L/o7b2sR2XYSaDuG.jewFV36IGStTF3NCZRC30
groups:
- sudo
keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbxFVukt5TIzoB0HX2q8b8lHJmXD1juzsWOu5XkexVDlCsvupa1cZ/OVkrIEAbDKk6RmJQj0TJ2O5+v9hbf0TDi0Pi+V8ADZIgO+OW5a4EeXsU72a4CN0nEocQhUPfQuC4IU+F7icoG2/I9jXg7U6p1LhBr8vlC3cNHnrH3yqrakrUR51/iRVIwo4FKvQg7jutaKTyOjlYa1uTdaczvAzNHWEdytCQgFnkzpR9fHvzkA79qHUD9n32rIpJicRJsHY3NnyDGfBcDv+4sLq15sM9jN83duGnSuMMtZgfSriwMUd/UwVReU2ZKxjMLe3WHB7+ZE/p39OJk/gjVfWJVh/za1/teTAwaLLmxh/HFt+AVYWkCj22fUxscl0dh2zy6Ki1Ua3ApChn6v6Gvng6khobFlxawSJZ49+0KoAl1qqFMR1o9EGWvqgDPuITAqJFN+ik0jxcxfmKrG3mbOYM1ikhJd0ER8wbS8e6NowHUBV7PUyDqxP5VM2gum58IYrDqaP2RYYi9vWWnXJJA8J1t+Wp3bF7fdktyVgkd7HQk02uVkxdMQQ802GCrQQuvJhWTCzrgkgrjPY8p0KcbCNt6jYQOUKV0T2vp6PbTJ5XWKb5u7gVXW1xiP9dYzgAr0DroiTK4xIuF80mv1Rfst0ceHAIQVcQ3GcGbh000QUYzbHT2Q== openpgp:0x265EE03C (Graffen)
- name: valberg
comment: Vidir Valberg Gudmundsson
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
groups:
- sudo
ssh_keys:
keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
- name: reynir
comment: Reynir Björnsson
password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
groups:
- sudo
ssh_keys:
keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv
- name: samsapti
comment: Sam Al-Sapti
password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
groups:
- sudo
ssh_keys:
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
volume_root_folder: "/docker-volumes"

39
playbook.yml
View file

@ -1,27 +1,40 @@
# vim: ft=yaml.ansible
---
- hosts: production
gather_facts: true
- hosts: all
gather_facts: False
become: true
vars:
base_domain: data.coop
letsencrypt_email: bestyrelsen@data.coop
ldap_dn: "dc=data,dc=coop"
vagrant: "{{ from_vagrant is defined and from_vagrant }}"
letsencrypt_enabled: "{{ not vagrant }}"
base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
letsencrypt_email: "admin@{{ base_domain }}"
services:
- nginx-proxy
- openldap
- thelounge
- nextcloud
- fider
- passit
- gitea
- postfix
- matrix_riot
- privatebin
- codimd
- netdata
- docker_registry
- drone
- websites
- ulovliglogning-dk
- ouroboros
- mailu
- portainer
- listmonk
# - tt-rss
smtp_host: "postfix"
smtp_port: "587"
services_exclude:
- uptime_kuma
tasks:
- import_role:
name: ubuntu_base
tags:
- base_only
- import_role:
name: docker

292
roles/docker/defaults/main.yml
View file

@ -1,229 +1,117 @@
# vim: ft=yaml.ansible
---
volume_root_folder: "/docker-volumes"
volume_website_folder: "{{ volume_root_folder }}/websites"
services:
### Internal services ###
postfix:
domain: "smtp.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/postfix"
pre_deploy_tasks: true
version: "v3.6.1-alpine"
nginx:
volume_folder: "{{ volume_root_folder }}/nginx"
nginx_proxy:
volume_folder: "{{ volume_root_folder }}/nginx"
pre_deploy_tasks: true
version: "1.3-alpine"
acme_companion_version: "2.2"
ldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
openldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
pre_deploy_tasks: true
version: "1.5.0"
phpldapadmin_version: "0.9.0"
thelounge:
domain: "irc.{{ base_domain }}"
netdata:
domain: "netdata.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/netdata"
version: "v1"
nextcloud:
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
version: "2.19.0"
gitea:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/gitea"
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
version: "22.0"
postgres_version: "10"
allowed_sender_domain: true
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
restic:
volume_folder: "{{ volume_root_folder }}/restic"
pre_deploy_tasks: true
remote_user: dc-user
remote_domain: rynkeby.skovgaard.tel
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
repository: restic
version: "1.7.0"
disabled_in_vagrant: true
# mail dance
domain: "noreply.{{ base_domain }}"
allowed_sender_domain: true
mail_from: "backup@noreply.{{ base_domain }}"
fider:
domain: "feedback.{{ base_domain }}"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
pre_deploy_tasks: true
post_deploy_tasks: true
username: "docker"
password: "{{ docker_password }}"
version: "2"
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
### External services ###
nextcloud:
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
pre_deploy_tasks: true
version: 28-apache
postgres_version: "10"
redis_version: 7-alpine
allowed_sender_domain: true
riot:
domains:
- "riot.{{ base_domain }}"
- "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/riot"
forgejo:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/forgejo"
version: "7.0.4"
allowed_sender_domain: true
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
version: stable
postgres_version: 15-alpine
allowed_sender_domain: true
codimd:
domain: "oldpad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/codimd"
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
pre_deploy_tasks: true
version: v1.109.0
postgres_version: 15-alpine
allowed_sender_domain: true
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
element:
domain: "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/element"
pre_deploy_tasks: true
version: v1.11.69
netdata:
domain: "netdata.{{ base_domain }}"
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
pre_deploy_tasks: true
version: "20221009"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
username: "docker"
password: "{{ docker_password }}"
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
pre_deploy_tasks: true
version: 1.9.9-alpine
postgres_version: 10-alpine
data_coop_website:
domains:
- "{{ base_domain }}"
- "www.{{ base_domain }}"
data_coop_website:
domain: "{{ base_domain }}"
www_domain: "www.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/datacoop"
pre_deploy_tasks: true
version: stable
staging_domain: "staging.{{ base_domain }}"
staging_version: staging
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
slides_2022_website:
domain: "2022.slides.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/slides-2022"
version: latest
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
fedi_dk_website:
domain: fedi.dk
volume_folder: "{{ volume_website_folder }}/fedidk"
version: latest
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
vhs_website:
domain: vhs.data.coop
volume_folder: "{{ volume_website_folder }}/vhs"
version: latest
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
volume_folder: "{{ volume_website_folder }}/cryptohagen"
mailu:
version: 1.6
domain: "mail.{{ base_domain }}"
dns: 192.168.203.254
subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu"
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
- "www.ulovlig-logning.dk"
volume_folder: "{{ volume_website_folder }}/ulovliglogning"
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
ttrss:
domain: rss.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/tt-rss"
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
version: "1"
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
mailu:
domain: "mail.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mailu"
pre_deploy_tasks: true
dns: 192.168.203.254
subnet: 192.168.203.0/24
version: "2.0"
postgres_version: 14-alpine
redis_version: alpine
postfix:
allowed_sender_domains:
- "services.{{ base_domain }}"
- "{{ passit.domain }}"
- "{{ fider.domain }}"
- "{{ gitea.domain }}"
- "{{ mastodon.domain }}"
mastodon:
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
pre_deploy_tasks: true
post_deploy_tasks: true
version: v4.2.9
postgres_version: 14-alpine
redis_version: 6-alpine
allowed_sender_domain: true
mastodon:
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
rallly:
domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly"
pre_deploy_tasks: true
version: "2"
postgres_version: 14-alpine
allowed_sender_domain: true
membersystem:
domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li"
volume_folder: "{{ volume_root_folder }}/membersystem"
version: latest
postgres_version: 13-alpine
allowed_sender_domain: true
writefreely:
domain: "write.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/writefreely"
pre_deploy_tasks: true
version: v0.15.0
mariadb_version: "11.2"
allowed_sender_domain: true
watchtower:
volume_folder: "{{ volume_root_folder }}/watchtower"
version: "1.5.3"
diun:
version: "4.28"
volume_folder: "{{ volume_root_folder }}/diun"
matrix_user: "@diun:data.coop"
matrix_room: "#datacoop-services-update:data.coop"
### Uptime monitoring ###
uptime_kuma:
domain: "uptime.{{ base_domain }}"
status_domain: "status.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/uptime_kuma"
pre_deploy_tasks: true
version: "latest"
services_exclude: []
services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"
listmonk:
domain: "listmonk.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/listmonk"

0
roles/docker/files/vhost/docker_registry → roles/docker/files/configs/docker_registry/nginx.conf
View file

25
roles/docker/files/configs/listmonk/config.toml.j2 Normal file
View file

@ -0,0 +1,25 @@
[app]
# Interface and port where the app will run its webserver. The default value
# of localhost will only listen to connections from the current machine. To
# listen on all interfaces use '0.0.0.0'. To listen on the default web address
# port, use port 80 (this will require running with elevated permissions).
address = "0.0.0.0:9000"
# BasicAuth authentication for the admin dashboard. This will eventually
# be replaced with a better multi-user, role-based authentication system.
# IMPORTANT: Leave both values empty to disable authentication on admin
# only where an external authentication is already setup.
admin_username = "listmonk"
admin_password = "{{ listmonk_secrets.admin_password }}"
# Database.
[db]
host = "db"
port = 5432
user = "postgres"
password = "{{ postgres_passwords.listmonk }}"
database = "postgres"
ssl_mode = "disable"
max_open = 25
max_idle = 25
max_lifetime = "300s"

4
roles/docker/templates/mastodon/env.j2 → roles/docker/files/configs/mastodon/env_file.j2
View file

@ -14,7 +14,7 @@
# ----------
# This identifies your server and cannot be changed safely later
# ----------
LOCAL_DOMAIN={{ services.mastodon.domain }}
LOCAL_DOMAIN={{ mastodon.domain }}
# Redis
# -----
@ -52,7 +52,7 @@ SMTP_SERVER={{ smtp_host }}
SMTP_PORT={{ smtp_port }}
SMTP_LOGIN=
SMTP_PASSWORD=
SMTP_FROM_ADDRESS=notifications@{{ services.mastodon.domain }}
SMTP_FROM_ADDRESS=notifications@{{ mastodon.domain }}
# File storage (optional)
# -----------------------

0
roles/docker/files/vhost/mastodon → roles/docker/files/configs/mastodon/vhost-mastodon
View file

39
roles/docker/templates/matrix/homeserver.yaml.j2 → roles/docker/files/configs/matrix/homeserver.yaml.j2
View file

@ -44,7 +44,7 @@ pid_file: /data/homeserver.pid
# use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy.
#
public_baseurl: "https://{{ services.matrix.domain }}"
public_baseurl: "https://{{ matrix.domain }}"
# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
@ -339,11 +339,10 @@ database:
user: "synapse"
password: "{{ postgres_passwords.matrix }}"
database: "synapse"
host: "postgres"
host: "matrix_db"
port: "5432"
cp_min: 5
cp_max: 10
allow_unsafe_locale: true
# Number of events to cache in memory.
event_cache_size: "10K"
@ -416,7 +415,7 @@ uploads_path: "/data/uploads"
# The largest allowed upload size in bytes
#
max_upload_size: "512M"
max_upload_size: "50M"
# Maximum number of pixels that will be thumbnailed
#
@ -676,8 +675,15 @@ report_stats: false
## API Configuration ##
room_prejoin_state:
disable_default_event_types: false
# A list of event types that will be included in the room_invite_state
#
room_invite_state_types:
- "m.room.join_rules"
- "m.room.canonical_alias"
- "m.room.avatar"
- "m.room.encryption"
- "m.room.name"
# A list of application service config file to use
#
@ -820,10 +826,23 @@ password_config:
# If your SMTP server requires authentication, the optional smtp_user &
# smtp_pass variables should be used
#
email:
smtp_host: "{{ smtp_host }}"
smtp_port: {{ smtp_port }}
notif_from: "{{ services.matrix.domain }} <no-reply@{{ services.matrix.domain }}>"
#email:
# enable_notifs: false
# smtp_host: "localhost"
# smtp_port: 25
# smtp_user: "exampleusername"
# smtp_pass: "examplepassword"
# require_transport_security: False
# notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
# app_name: Matrix
# # if template_dir is unset, uses the example templates that are part of
# # the Synapse distribution.
# #template_dir: res/templates
# notif_template_html: notif_mail.html
# notif_template_text: notif_mail.txt
# notif_for_new_users: True
# riot_base_url: "http://localhost/riot"
#password_providers:
# - module: "ldap_auth_provider.LdapAuthProvider"

0
roles/docker/files/matrix/log.config → roles/docker/files/configs/matrix/matrix.data.coop.log.config
View file

2
roles/docker/files/configs/matrix/vhost-matrix Normal file
View file

@ -0,0 +1,2 @@
listen 8008;
client_max_body_size 50M; # default is 1M

1
roles/docker/files/configs/matrix/vhost-riot Normal file
View file

@ -0,0 +1 @@
client_max_body_size 50M; # default is 1M

0
roles/docker/files/vhost/base_domain → roles/docker/files/configs/matrix/vhost-root
View file

0
roles/docker/files/privatebin/conf.php → roles/docker/files/configs/privatebin-conf.php
View file

12
roles/docker/templates/element/config.json.j2 → roles/docker/files/configs/riot/config.json
View file

@ -1,12 +1,6 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://{{ services.matrix.domain }}"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"default_hs_url": "https://{{ matrix.domain }}",
"default_is_url": "https://vector.im",
"brand": "element.data.coop",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
@ -37,7 +31,7 @@
]
},
"enable_presence_by_hs_url": {
"https://{{ services.matrix.domain }}": false
"https://{{ matrix.domain }}": false
},
"terms_and_conditions_links": [
{

0
roles/docker/files/element/riot.im.conf → roles/docker/files/configs/riot/riot.im.conf
View file

511
roles/docker/files/configs/thelounge.js Normal file
View file

@ -0,0 +1,511 @@
"use strict";
module.exports = {
//
// Set the server mode.
// Public servers does not require authentication.
//
// Set to 'false' to enable users.
//
// @type boolean
// @default false
//
public: false,
//
// IP address or hostname for the web server to listen on.
// Setting this to undefined will listen on all interfaces.
//
// For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
//
// @type string
// @default undefined
//
host: undefined,
//
// Set the port to listen on.
//
// @type int
// @default 9000
//
port: 9000,
//
// Set the local IP to bind to for outgoing connections. Leave to undefined
// to let the operating system pick its preferred one.
//
// @type string
// @default undefined
//
bind: undefined,
//
// Sets whether the server is behind a reverse proxy and should honor the
// X-Forwarded-For header or not.
//
// @type boolean
// @default false
//
reverseProxy: false,
//
// Set the default theme.
// Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
//
// @type string
// @default "example"
//
theme: "example",
//
// Prefetch URLs
//
// If enabled, The Lounge will try to load thumbnails and site descriptions from
// URLs posted in channels.
//
// @type boolean
// @default false
//
prefetch: false,
//
// Store and proxy prefetched images and thumbnails.
// This improves security and privacy by not exposing client IP address,
// and always loading images from The Lounge instance and making all assets secure,
// which in result fixes mixed content warnings.
//
// If storage is enabled, The Lounge will fetch and store images and thumbnails
// in the `${THELOUNGE_HOME}/storage` folder.
//
// Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
// and the folder is cleaned up on every The Lounge restart.
//
// @type boolean
// @default false
//
prefetchStorage: false,
//
// Prefetch URLs Image Preview size limit
//
// If prefetch is enabled, The Lounge will only display content under the maximum size.
// Specified value is in kilobytes. Default value is 2048 kilobytes.
//
// @type int
// @default 2048
//
prefetchMaxImageSize: 2048,
//
// Display network
//
// If set to false network settings will not be shown in the login form.
//
// @type boolean
// @default true
//
displayNetwork: true,
//
// Lock network
//
// If set to true, users will not be able to modify host, port and tls
// settings and will be limited to the configured network.
//
// @type boolean
// @default false
//
lockNetwork: false,
//
// Hex IP
//
// If enabled, clients' username will be set to their IP encoded has hex.
// This is done to share the real user IP address with the server for host masking purposes.
//
// @type boolean
// @default false
//
useHexIp: false,
//
// WEBIRC support
//
// If enabled, The Lounge will pass the connecting user's host and IP to the
// IRC server. Note that this requires to obtain a password from the IRC network
// The Lounge will be connecting to and generally involves a lot of trust from the
// network you are connecting to.
//
// Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
// Format (function):
// {"irc.example.net": function(client, args, trusted) {
// // here, we return a webirc object fed directly to `irc-framework`
// return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
// }}
//
// @type string | function(client, args):object(webirc)
// @default null
webirc: null,
//
// Log settings
//
// Logging has to be enabled per user. If enabled, logs will be stored in
// the 'logs/<user>/<network>/' folder.
//
// @type object
// @default {}
//
logs: {
//
// Timestamp format
//
// @type string
// @default "YYYY-MM-DD HH:mm:ss"
//
format: "YYYY-MM-DD HH:mm:ss",
//
// Timezone
//
// @type string
// @default "UTC+00:00"
//
timezone: "UTC+00:00",
},
//
// Maximum number of history lines per channel
//
// Defines the maximum number of history lines that will be kept in
// memory per channel/query, in order to reduce the memory usage of
// the server. Setting this to -1 will keep unlimited amount.
//
// @type integer
// @default 10000
maxHistory: 10000,
//
// Default values for the 'Connect' form.
//
// @type object
// @default {}
//
defaults: {
//
// Name
//
// @type string
// @default "Freenode"
//
name: "Freenode",
//
// Host
//
// @type string
// @default "chat.freenode.net"
//
host: "chat.freenode.net",
//
// Port
//
// @type int
// @default 6697
//
port: 6697,
//
// Password
//
// @type string
// @default ""
//
password: "",
//
// Enable TLS/SSL
//
// @type boolean
// @default true
//
tls: true,
//
// Nick
//
// @type string
// @default "lounge-user"
//
nick: "lounge-user",
//
// Username
//
// @type string
// @default "lounge-user"
//
username: "lounge-user",
//
// Real Name
//
// @type string
// @default "The Lounge User"
//
realname: "The Lounge User",
//
// Channels
// This is a comma-separated list.
//
// @type string
// @default "#thelounge"
//
join: "#thelounge",
},
//
// Set socket.io transports
//
// @type array
// @default ["polling", "websocket"]
//
transports: ["polling", "websocket"],
//
// Run The Lounge using encrypted HTTP/2.
// This will fallback to regular HTTPS if HTTP/2 is not supported.
//
// @type object
// @default {}
//
https: {
//
// Enable HTTP/2 / HTTPS support.
//
// @type boolean
// @default false
//
enable: false,
//
// Path to the key.
//
// @type string
// @example "sslcert/key.pem"
// @default ""
//
key: "",
//
// Path to the certificate.
//
// @type string
// @example "sslcert/key-cert.pem"
// @default ""
//
certificate: "",
//
// Path to the CA bundle.
//
// @type string
// @example "sslcert/bundle.pem"
// @default ""
//
ca: "",
},
//
// Default quit and part message if none is provided.
//
// @type string
// @default "The Lounge - https://thelounge.github.io"
//
leaveMessage: "The Lounge - https://thelounge.github.io",
//
// Run The Lounge with identd support.
//
// @type object
// @default {}
//
identd: {
//
// Run the identd daemon on server start.
//
// @type boolean
// @default false
//
enable: false,
//
// Port to listen for ident requests.
//
// @type int
// @default 113
//
port: 113,
},
//
// Enable oidentd support using the specified file
//
// Example: oidentd: "~/.oidentd.conf",
//
// @type string
// @default null
//
oidentd: null,
//
// LDAP authentication settings (only available if public=false)
// @type object
// @default {}
//
// The authentication process works as follows:
//
// 1. Lounge connects to the LDAP server with its system credentials
// 2. It performs a LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. Lounge tries to connect a second time, but this time using the user's
// DN and password. Auth is validated iff this connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
// to be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
// where <username> is the user name provided in the log in request,
// <primaryKey> is provided by the config and <fitler> is a filtering complement
// also given in the config, to filter for instance only for nodes of type
// inetOrgPerson, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
// ignore searchDN options and assume that the user DN is always:
// <bindDN>,<primaryKey>=<username>
// where <username> is the user name provided in the log in request, and <bindDN>
// and <primaryKey> are provided by the config.
//
ldap: {
//
// Enable LDAP user authentication
//
// @type boolean
// @default false
//
enable: true,
//
// LDAP server URL
//
// @type string
//
url: "ldap://{{ ldap.domain }}",
//
// LDAP connection tls options (only used if scheme is ldaps://)
//
// @type object (see nodejs' tls.connect() options)
// @default {}
//
// Example:
// You can use this option in order to force the use of IPv6:
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
tlsOptions: {},
//
// LDAP base dn, alternative to searchDN
//
// @type string
//
// baseDN: "",
//
// LDAP primary key
//
// @type string
// @default "uid"
//
primaryKey: "uid",
//
// LDAP search dn settings. This defines the procedure by which the
// lounge first look for user DN before authenticating her.
// Ignored if baseDN is specified
//
// @type object
//
searchDN: {
//
// LDAP searching bind DN
// This bind DN is used to query the server for the DN of the user.
// This is supposed to be a system user that has access in read only to
// the DNs of the people that are allowed to log in.
//
// @type string
//
rootDN: "cn=admin,dc=data,dc=coop",
//
// Password of the lounge LDAP system user
//
// @type string
//
rootPassword: "{{ ldap_admin_password }}",
//
// LDAP filter
//
// @type string
// @default "uid"
//
//filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
filter: "(objectClass=inetOrgPerson)",
//
// LDAP search base (search only within this node)
//
// @type string
//
base: "{{ ldap_dn }}",
//
// LDAP search scope
//
// @type string
// @default "sub"
//
scope: "sub",
},
},
// Extra debugging
//
// @type object
// @default {}
//
debug: {
// Enables extra debugging output provided by irc-framework.
//
// @type boolean
// @default false
//
ircFramework: false,
// Enables logging raw IRC messages into each server window.
//
// @type boolean
// @default false
//
raw: false,
},
};

20
roles/docker/files/mastodon/postgresql.conf
View file

@ -1,20 +0,0 @@
# DB Version: 14
# OS Type: linux
# DB Type: oltp
# Total Memory (RAM): 16 GB
# Connections num: 300
# Data Storage: hdd
listen_addresses = '*'
max_connections = 300
shared_buffers = 4GB
effective_cache_size = 12GB
maintenance_work_mem = 1GB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 4
effective_io_concurrency = 2
work_mem = 6990kB
min_wal_size = 2GB
max_wal_size = 8GB

1
roles/docker/files/vhost/element
View file

@ -1 +0,0 @@
client_max_body_size 1G; # default is 1M

2
roles/docker/files/vhost/matrix
View file

@ -1,2 +0,0 @@
listen 8008;
client_max_body_size 1G; # default is 1M

1
roles/docker/files/vhost/nextcloud
View file

@ -1 +0,0 @@
client_max_body_size 1G; # default is 1M

4
roles/docker/files/vhost/uptime_kuma
View file

@ -1,4 +0,0 @@
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;

2
roles/docker/files/vhost/www.base_domain
View file

@ -1,2 +0,0 @@
server_name www.data.coop;
return 301 $scheme://data.coop$request_uri;

6
roles/docker/handlers/main.yml
View file

@ -1,6 +0,0 @@
# vim: ft=yaml.ansible
---
- name: restart nginx
command: docker compose restart proxy
args:
chdir: "{{ services.nginx_proxy.volume_folder }}"

26
roles/docker/tasks/block.yml
View file

@ -1,26 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create volume folder for service {{ service.name }}
file:
name: "{{ service.vars.volume_folder }}"
state: directory
- name: Upload Compose file for service {{ service.name }}
template:
src: compose-files/{{ service.name }}.yml.j2
dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
owner: root
mode: u=rw,go=
- name: Run pre-deployment tasks for service {{ service.name }}
include_tasks: pre_deploy/{{ service.name }}.yml
when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
- name: Deploy Compose stack for service {{ service.name }}
command: docker compose up -d --remove-orphans --pull always
args:
chdir: "{{ service.vars.volume_folder }}"
- name: Run post-deployment tasks for service {{ service.name }}
include_tasks: post_deploy/{{ service.name }}.yml
when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks

37
roles/docker/tasks/main.yml
View file

@ -1,44 +1,33 @@
# vim: ft=yaml.ansible
---
- name: Add Docker PGP key
- name: add docker gpg key
apt_key:
keyserver: pgp.mit.edu
id: 8D81803C0EBFCD88
state: present
- name: Add Docker apt repository
- name: add docker apt repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu bionic stable
state: present
update_cache: yes
- name: Install Docker
- name: install docker-ce
apt:
name: "{{ pkgs }}"
state: present
vars:
pkgs:
- docker-ce
- docker-compose-plugin
- name: Configure cron job to prune unused Docker data weekly
cron:
name: Prune unused Docker data
cron_file: ansible_docker_prune
job: 'docker system prune -fa && docker volume prune -fa'
special_time: weekly
user: root
name: docker-ce
state: present
- name: Create folder structure for bind mounts
- name: install docker python bindings
pip:
executable: "pip3"
name: "docker-compose"
state: present
- name: create folder structure for bind mounts
file:
name: "{{ item }}"
name: "{{ volume_root_folder }}"
state: directory
loop:
- "{{ volume_root_folder }}"
- "{{ volume_website_folder }}"
- name: Set up services
- name: setup services
import_tasks: services.yml
tags:
- setup_services

13
roles/docker/tasks/post_deploy/docker_registry.yml
View file

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Generate htpasswd file
shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
args:
chdir: "{{ services.docker_registry.volume_folder }}"
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to registry
docker_login:
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
username: docker
password: "{{ docker_password }}"

19
roles/docker/tasks/post_deploy/mastodon.yml
View file

@ -1,19 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Configure cron job to remove old Mastodon media daily
cron:
name: Clean Mastodon media data older than a week
cron_file: ansible_mastodon_clean_media
job: docker exec mastodon-web-1 tootctl media remove --days 7
special_time: daily
user: root
state: present
- name: Configure cron job to remove old Mastodon preview cards daily
cron:
name: Clean Mastodon preview card data older than two weeks
cron_file: ansible_mastodon_clean_preview_cards
job: docker exec mastodon-web-1 tootctl preview_cards remove --days 14
special_time: daily
user: root
state: present

11
roles/docker/tasks/pre_deploy/data_coop_website.yml
View file

@ -1,11 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Upload vhost config for root domain
copy:
src: vhost/base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
- name: Upload vhost config for WWW domain
copy:
src: vhost/www.base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"

17
roles/docker/tasks/pre_deploy/docker_registry.yml
View file

@ -1,17 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.docker_registry.volume_folder }}/{{ volume }}"
state: directory
loop:
- auth
- registry
loop_control:
loop_var: volume
- name: Copy docker registry vhost configuration
copy:
src: vhost/docker_registry
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
mode: "0644"

21
roles/docker/tasks/pre_deploy/element.yml
View file

@ -1,21 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.element.volume_folder }}/data"
state: directory
- name: Upload config.json
template:
src: element/config.json.j2
dest: "{{ services.element.volume_folder }}/data/config.json"
- name: Upload riot.im.conf
copy:
src: element/riot.im.conf
dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
- name: Upload vhost config for Element domain
copy:
src: vhost/element
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.element.domain }}"

17
roles/docker/tasks/pre_deploy/hedgedoc.yml
View file

@ -1,17 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- db
- hedgedoc/uploads
loop_control:
loop_var: volume
- name: Copy SSO certificate
copy:
src: sso/sso.data.coop.pem
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"

45
roles/docker/tasks/pre_deploy/mailu.yml
View file

@ -1,45 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- data
- dkim
- mail
- mailqueue
- filter
- postgres
- webmail
- overrides
- overrides/nginx
- overrides/dovecot
- overrides/postfix
- overrides/rspamd
- overrides/snappymail
loop_control:
loop_var: volume
- name: Upload mailu.env file
template:
src: mailu/env.j2
dest: "{{ services.mailu.volume_folder }}/mailu.env"
- name: Hard link to Let's Encrypt TLS certificate
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
state: hard
force: true
when: letsencrypt_enabled
- name: Hard link to Let's Encrypt TLS key
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
state: hard
force: true
when: letsencrypt_enabled

45
roles/docker/tasks/pre_deploy/mastodon.yml
View file

@ -1,45 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for Mastodon data
file:
name: "{{ services.mastodon.volume_folder }}/mastodon_data"
state: directory
owner: "991"
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for PostgreSQL data
file:
name: "{{ services.mastodon.volume_folder }}/postgres_data"
state: directory
owner: "70"
mode: u=rwx,go=
- name: Create subfolder for PostgreSQL config
file:
name: "{{ services.mastodon.volume_folder }}/postgres_config"
state: directory
owner: root
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for Redis data
file:
name: "{{ services.mastodon.volume_folder }}/redis_data"
state: directory
owner: "999"
group: "1000"
mode: u=rwx,g=rx,o=rx
- name: Upload mastodon.env file
template:
src: mastodon/env.j2
dest: "{{ services.mastodon.volume_folder }}/mastodon.env"
- name: Upload vhost config for Mastodon domain
copy:
src: vhost/mastodon
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
- name: Upload PostgreSQL config
copy:
src: mastodon/postgresql.conf
dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"

34
roles/docker/tasks/pre_deploy/matrix.yml
View file

@ -1,34 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- data
- data/uploads
- data/media
loop_control:
loop_var: volume
- name: Create Matrix DB subfolder
file:
name: "{{ services.matrix.volume_folder }}/db"
state: directory
- name: Upload vhost config for Matrix domain
copy:
src: vhost/matrix
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
- name: Upload homeserver.yaml
template:
src: matrix/homeserver.yaml.j2
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
- name: Upload Matrix logging config
copy:
src: matrix/log.config
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"

17
roles/docker/tasks/pre_deploy/nextcloud.yml
View file

@ -1,17 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.nextcloud.volume_folder }}/{{ volume }}"
state: directory
loop:
- app
- postgres
loop_control:
loop_var: volume
- name: Upload vhost config for Nextcloud domain
copy:
src: vhost/nextcloud
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
notify: "restart nginx"

14
roles/docker/tasks/pre_deploy/nginx_proxy.yml
View file

@ -1,14 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume

12
roles/docker/tasks/pre_deploy/openldap.yml
View file

@ -1,12 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- var/lib/ldap
- etc/slapd
- certs
loop_control:
loop_var: volume

13
roles/docker/tasks/pre_deploy/postfix.yml
View file

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Set up network for Postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: Create subfolder
file:
name: "{{ services.postfix.volume_folder }}/dkim"
state: directory

16
roles/docker/tasks/pre_deploy/privatebin.yml
View file

@ -1,16 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: Upload PrivateBin config
copy:
src: privatebin/conf.php
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"

11
roles/docker/tasks/pre_deploy/rallly.yml
View file

@ -1,11 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.rallly.volume_folder }}/postgres"
state: directory
- name: Copy rallly.env file
template:
src: rallly/env.j2
dest: "{{ services.rallly.volume_folder }}/rallly.env"

72
roles/docker/tasks/pre_deploy/restic.yml
View file

@ -1,72 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create SSH directory
file:
path: "{{ services.restic.volume_folder }}/ssh"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload private SSH key
copy:
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
owner: root
group: root
mode: '0600'
content: "{{ restic_secrets.ssh_privkey }}"
- name: Derive public SSH key
shell: >-
ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
> {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
args:
creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
- name: Set file permissions on public SSH key
file:
path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
owner: root
group: root
mode: '0644'
state: touch
- name: Upload SSH config
template:
src: restic/ssh.config.j2
dest: "{{ services.restic.volume_folder }}/ssh/config"
owner: root
group: root
mode: '0600'
- name: Upload SSH known_hosts file
template:
src: restic/ssh.known_hosts.j2
dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
owner: root
group: root
mode: '0600'
- name: Create scripts directory
file:
path: "{{ services.restic.volume_folder }}/scripts"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload failure.sh script
template:
src: restic/failure.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/failure.sh"
owner: root
group: root
mode: '0755'
- name: Upload success.sh script
template:
src: restic/success.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/success.sh"
owner: root
group: root
mode: '0755'

9
roles/docker/tasks/pre_deploy/uptime_kuma.yml
View file

@ -1,9 +0,0 @@
- name: Upload vhost config for uptime domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.domain }}_location"
- name: Upload vhost config for status domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.status_domain }}_location"

20
roles/docker/tasks/pre_deploy/writefreely.yml
View file

@ -1,20 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for MariaDB data
file:
name: "{{ services.writefreely.volume_folder }}/db"
owner: "999"
group: "999"
state: directory
- name: Create subfolder for encryption keys
file:
name: "{{ services.writefreely.volume_folder }}/keys"
owner: "2"
group: "2"
state: directory
- name: Upload config.ini
template:
src: "writefreely/config.ini.j2"
dest: "{{ services.writefreely.volume_folder }}/config.ini"

28
roles/docker/tasks/services.yml
View file

@ -1,28 +1,8 @@
# vim: ft=yaml.ansible
---
- name: Set up external services network
- name: setup external services network
docker_network:
name: external_services
- name: Deploy all services
include_tasks:
file: block.yml
vars:
service:
name: "{{ item }}"
vars: "{{ services[item] }}"
loop: "{{ services_include }}"
when: single_service is not defined and
(item.vars.disabled_in_vagrant is not defined or
not (item.vars.disabled_in_vagrant and vagrant))
- name: Deploy single service
include_tasks:
file: block.yml
vars:
service:
name: "{{ single_service }}"
vars: "{{ services[single_service] }}"
when: single_service is defined and single_service in services and
(services[single_service].disabled_in_vagrant is not defined or
not (services[single_service].disabled_in_vagrant and vagrant))
- name: setup services
include_tasks: "services/{{ item }}.yml"
with_items: "{{ services }}"

57
roles/docker/tasks/services/codimd.yml Normal file
View file

@ -0,0 +1,57 @@
---
- name: codimd network
docker_network:
name: codimd
- name: create codimd volume folders
file:
name: "{{ codimd.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "codimd/uploads"
loop_control:
loop_var: volume
- name: codimd database container
docker_container:
name: codimd_db
image: postgres:10
state: started
restart_policy: unless-stopped
networks:
- name: codimd
volumes:
- "{{ codimd.volume_folder }}/db:/var/lib/postgresql/data"
env:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}"
- name: codimd app container
docker_container:
name: codimd_app
image: hackmdio/hackmd:1.3.0
restart_policy: unless-stopped
networks:
- name: codimd
- name: ldap
- name: external_services
volumes:
- "{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads"
env:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_LDAP_URL: "ldap://openldap"
CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop"
CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}"
CMD_LDAP_SEARCHBASE: "dc=data,dc=coop"
CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"
CMD_USECDN: "false"
VIRTUAL_HOST: "{{ codimd.domain }}"
LETSENCRYPT_HOST: "{{ codimd.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

35
roles/docker/tasks/services/docker_registry.yml Normal file
View file

@ -0,0 +1,35 @@
---
- name: copy docker registry nginx configuration
copy:
src: "files/configs/docker_registry/nginx.conf"
dest: "/docker-volumes/nginx/vhost/{{ docker_registry.domain }}"
mode: "0644"
- name: docker registry container
docker_container:
name: registry
image: registry:2
restart_policy: always
volumes:
- "{{ docker_registry.volume_folder }}/registry:/var/lib/registry"
- "{{ docker_registry.volume_folder }}/auth:/auth"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
- name: generate htpasswd file
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ docker_registry.volume_folder }}/auth/htpasswd"
args:
creates: "{{ docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to local registry
docker_login:
registry: "{{ docker_registry.domain }}"
username: "docker"
password: "{{ docker_password }}"

51
roles/docker/tasks/services/drone.yml Normal file
View file

@ -0,0 +1,51 @@
---
- name: set up drone with docker runner
docker_compose:
project_name: drone
pull: yes
definition:
version: "3.6"
services:
drone:
container_name: "drone"
image: drone/drone:1
restart: unless-stopped
networks:
- external_services
- drone
volumes:
- "{{ drone.volume_folder }}:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: "https://{{ gitea.domain }}"
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: "true"
DRONE_SERVER_HOST: "{{ drone.domain }}"
DRONE_SERVER_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
PLUGIN_CUSTOM_DNS: "91.239.100.100"
VIRTUAL_HOST: "{{ drone.domain }}"
LETSENCRYPT_HOST: "{{ drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
drone-runner-docker:
container_name: "drone-runner-docker"
image: "drone/drone-runner-docker:1"
restart: unless-stopped
networks:
- drone
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ drone.domain }}"
DRONE_RPC_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "data.coop_drone_runner"
networks:
drone:
external_services:
external:
name: external_services

47
roles/docker/tasks/services/fider.yml Normal file
View file

@ -0,0 +1,47 @@
---
- name: fider network
docker_network:
name: fider
- name: fider database volume
docker_volume:
name: fider_db
- name: fider database container
docker_container:
name: fider_db
image: postgres:10
state: started
restart_policy: always
networks:
- name: fider
volumes:
- fider_db:/var/lib/postgresql/data
env:
POSTGRES_USER: "fider"
POSTGRES_PASSWORD: "{{ postgres_passwords.fider }}"
- name: fider app container
docker_container:
name: fider
image: getfider/fider:stable
restart_policy: always
networks:
- name: fider
- name: external_services
- name: postfix
env:
GO_ENV: "production"
DATABASE_URL: "postgres://fider:{{ postgres_passwords.fider }}@fider_db:5432/fider?sslmode=disable"
JWT_SECRET: "{{ fider_jwt_secret }}"
EMAIL_NOREPLY: noreply@{{ fider.domain }}
EMAIL_SMTP_HOST: "{{ smtp_host }}"
EMAIL_SMTP_PORT: "{{ smtp_port }}"
EMAIL_SMTP_USERNAME: "noop"
EMAIL_SMTP_PASSWORD: "noop"
VIRTUAL_HOST: "{{ fider.domain }}"
LETSENCRYPT_HOST: "{{ fider.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email}}"

37
roles/docker/tasks/services/gitea.yml Normal file
View file

@ -0,0 +1,37 @@
---
- name: gitea network
docker_network:
name: gitea
# old DNS: 138.68.71.153
- name: gitea container
docker_container:
name: gitea
image: gitea/gitea:1.15.7
restart_policy: unless-stopped
networks:
- name: gitea
- name: postfix
- name: external_services
volumes:
- "{{ gitea.volume_folder }}:/data"
published_ports:
- "22:22"
env:
VIRTUAL_HOST: "{{ gitea.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ gitea.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
GITEA__mailer__ENABLED: "true"
GITEA__mailer__FROM: "noreply@{{ gitea.domain }}"
GITEA__mailer__MAILER_TYPE: "smtp"
GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
GITEA__mailer__USER: "noop"
GITEA__mailer__PASSWD: "noop"
GITEA__security__LOGIN_REMEMBER_DAYS: "60"
GITEA__security__PASSWORD_COMPLEXITY: "off"
GITEA__security__MIN_PASSWORD_LENGTH: "8"
GITEA__security__PASSWORD_CHECK_PWN: "true"
GITEA__service__ENABLE_NOTIFY_MAIL: "true"

66
roles/docker/tasks/services/hedgedoc.yml Normal file
View file

@ -0,0 +1,66 @@
---
- name: create hedgedoc volume folders
file:
name: "{{ hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "hedgedoc/uploads"
loop_control:
loop_var: volume
- name: copy sso public certificate
copy:
src: "files/sso/sso.data.coop.pem"
dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"
- name: setup hedgedoc
docker_compose:
project_name: "hedgedoc"
pull: "yes"
definition:
services:
database:
image: "postgres:10-alpine"
environment:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: "codimd"
restart: "unless-stopped"
networks:
- "hedgedoc"
volumes:
- "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
app:
image: quay.io/hedgedoc/hedgedoc:1.9.0
environment:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
CMD_DOMAIN: "{{ hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_SAML_IDPCERT: "/sso.data.coop.pem"
CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
CMD_SAML_ISSUER: "hedgedoc"
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CMD_USECDN: "false"
CMD_PROTOCOL_USESSL: "true"
VIRTUAL_HOST: "{{ hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
- "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
restart: "unless-stopped"
networks:
- "hedgedoc"
- "external_services"
depends_on:
- database
networks:
hedgedoc:
external_services:
external: true

45
roles/docker/tasks/services/keycloak.yml Normal file
View file

@ -0,0 +1,45 @@
- name: setup keycloak containers for sso.data.coop
docker_compose:
project_name: "keycloak"
pull: "yes"
definition:
version: "3.6"
services:
postgres:
image: "postgres:10"
restart: "unless-stopped"
networks:
- "keycloak"
volumes:
- "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "keycloak"
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: "keycloak"
app:
image: "quay.io/keycloak/keycloak:15.0.2"
restart: "unless-stopped"
networks:
- "keycloak"
- "postfix"
- "external_services"
environment:
VIRTUAL_HOST: "{{ keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
DB_USER: "keycloak"
DB_PASSWORD: "{{ postgres_passwords.keycloak }}"
DB_ADDR: "keycloak_postgres_1"
#KEYCLOAK_USER: "{{ keycloak_secrets.admin_user }}" # Only used for the first run of the application to set up the admin user
#KEYCLOAK_PASSWORD: "{{ keycloak_secrets.admin_password }}"
PROXY_ADDRESS_FORWARDING: "true"
networks:
keycloak:
postfix:
external: true
external_services:
external: true

62
roles/docker/tasks/services/listmonk.yml Normal file
View file

@ -0,0 +1,62 @@
- name: create listmonk volume folders
file:
name: "{{ listmonk.volume_folder }}/{{ volume }}"
state: directory
loop:
- "postgres_data"
loop_control:
loop_var: volume
- name: Copy listmonk config file
template:
src: files/configs/listmonk/config.toml.j2
dest: "{{ listmonk.volume_folder }}/config.toml"
- name: set up listmonk
docker_compose:
project_name: listmonk
pull: yes
definition:
version: "3.7"
services:
db:
image: postgres:13
networks:
- listmonk
environment:
- "POSTGRES_PASSWORD={{ postgres_passwords.listmonk }}"
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -U listmonk"]
interval: 10s
timeout: 5s
retries: 6
volumes:
- "{{ listmonk.volume_folder }}/postgres_data:/var/lib/postgresql/data"
app:
restart: unless-stopped
image: listmonk/listmonk:v2.1.0
ports:
- "9000:9000"
networks:
- listmonk
- external_services
depends_on:
- db
volumes:
- "{{ listmonk.volume_folder }}/config.toml:/listmonk/config.toml"
environment:
TZ: Europe/Copenhagen
VIRTUAL_HOST: "{{ listmonk.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ listmonk.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
# postfix:
# external: true
listmonk:
internal: true

161
roles/docker/tasks/services/mailu.yml Normal file
View file

@ -0,0 +1,161 @@
---
- name: create mailu volume folders
file:
name: "{{ mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- overrides
- data
- dkim
- mail
- filter
- dav
- webmail
loop_control:
loop_var: volume
- name: upload mailu.env file
template:
src: mailu.env.j2
dest: "{{ mailu.volume_folder}}/mailu.env"
- name: hard link to Let's Encrypt TLS certificate
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem"
dest: "{{ mailu.volume_folder }}/certs/cert.pem"
state: hard
force: yes
- name: hard link to Let's Encrypt TLS key
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem"
dest: "{{ mailu.volume_folder }}/certs/key.pem"
state: hard
force: yes
- name: run mail server containers
docker_compose:
project_name: mail_server
pull: yes
definition:
version: '3.6'
services:
redis:
image: redis:alpine
restart: always
volumes:
- "{{ mailu.volume_folder }}/redis:/data"
database:
image: mailu/postgresql:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data/psql_db:/data"
- "{{ mailu.volume_folder }}/data/psql_backup:/backup"
networks:
- default
- external_services
front:
image: mailu/nginx:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
environment:
VIRTUAL_HOST: "{{ mailu.domain }}"
LETSENCRYPT_HOST: "{{ mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ mailu.volume_folder }}/certs:/certs"
- "{{ mailu.volume_folder }}/overrides/nginx:/overrides"
expose:
- "80"
ports:
- "993:993"
- "25:25"
- "587:587"
- "465:465"
networks:
- default
- external_services
resolver:
image: mailu/unbound:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
networks:
default:
ipv4_address: "{{ mailu.dns }}"
admin:
image: mailu/admin:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data:/data"
- "{{ mailu.volume_folder }}/dkim:/dkim"
depends_on:
- redis
imap:
image: mailu/dovecot:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/mail:/mail"
- "{{ mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
smtp:
image: mailu/postfix:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
antispam:
image: mailu/rspamd:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/filter:/var/lib/rspamd"
- "{{ mailu.volume_folder }}/dkim:/dkim"
- "{{ mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
webmail:
image: mailu/rainloop:1.6
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/webmail:/data"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ mailu.subnet }}"
external_services:
external:
name: external_services

118
roles/docker/tasks/services/mastodon.yml Normal file
View file

@ -0,0 +1,118 @@
- name: create mastodon volume folders
file:
name: "{{ mastodon.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- "postgres_data"
- "redis_data"
- "mastodon_data"
loop_control:
loop_var: volume
- name: Copy mastodon environment file
template:
src: files/configs/mastodon/env_file.j2
dest: "{{ mastodon.volume_folder }}/env_file"
- name: upload vhost config for root domain
template:
src: files/configs/mastodon/vhost-mastodon
dest: "{{ nginx.volume_folder }}/vhost/{{ mastodon.domain }}"
- name: set up mastodon
docker_compose:
project_name: mastodon
pull: yes
definition:
version: '3'
services:
db:
restart: always
image: postgres:14-alpine
shm_size: 256mb
networks:
- internal_network
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
volumes:
- "{{ mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
environment:
- 'POSTGRES_HOST_AUTH_METHOD=trust'
redis:
restart: always
image: redis:6-alpine
networks:
- internal_network
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
volumes:
- "{{ mastodon.volume_folder }}/redis_data:/data"
web:
image: tootsuite/mastodon
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- external_services
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
ports:
- '127.0.0.1:3000:3000'
depends_on:
- db
- redis
volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
environment:
VIRTUAL_HOST: "{{ mastodon.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
streaming:
image: tootsuite/mastodon
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
command: node ./streaming
networks:
- external_services
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
ports:
- '127.0.0.1:4000:4000'
depends_on:
- db
- redis
sidekiq:
image: tootsuite/mastodon
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
command: bundle exec sidekiq
depends_on:
- db
- redis
networks:
- postfix
- external_services
- internal_network
volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
networks:
external_services:
external: true
postfix:
external: true
internal_network:
internal: true

125
roles/docker/tasks/services/matrix_riot.yml Normal file
View file

@ -0,0 +1,125 @@
---
- name: create matrix volume folders
file:
name: "{{ matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- "data"
- "data/uploads"
- "data/media"
loop_control:
loop_var: volume
- name: create matrix DB folder
file:
name: "{{ matrix.volume_folder }}/db"
state: "directory"
- name: create riot volume folders
file:
name: "{{ riot.volume_folder }}/{{ volume }}"
state: directory
loop:
- "data"
loop_control:
loop_var: volume
- name: upload riot config.json
template:
src: files/configs/riot/config.json
dest: "{{ riot.volume_folder }}/data/config.json"
- name: upload riot.im.conf
template:
src: files/configs/riot/riot.im.conf
dest: "{{ riot.volume_folder }}/data/riot.im.conf"
- name: upload vhost config for root domain
template:
src: files/configs/matrix/vhost-root
dest: "{{ nginx.volume_folder }}/vhost/{{ base_domain }}"
- name: upload vhost config for matrix domain
template:
src: files/configs/matrix/vhost-matrix
dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}"
- name: upload vhost config for riot domain
template:
src: files/configs/matrix/vhost-riot
dest: "{{ nginx.volume_folder }}/vhost/{{ riot.domains[0] }}"
- name: upload homeserver.yaml
template:
src: "files/configs/matrix/homeserver.yaml.j2"
dest: "{{ matrix.volume_folder }}/data/homeserver.yaml"
- name: upload matrix logging config
template:
src: "files/configs/matrix/matrix.data.coop.log.config"
dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config"
- name: set up matrix and riot
docker_compose:
project_name: matrix
pull: yes
definition:
version: "3.6"
services:
matrix_db:
container_name: matrix_db
image: postgres:10
restart: unless-stopped
networks:
- matrix
volumes:
- "{{ matrix.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "synapse"
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
matrix_app:
container_name: matrix
image: matrixdotorg/synapse:v1.47.1
restart: unless-stopped
networks:
- matrix
- external_services
ports:
- 8008
volumes:
- "{{ matrix.volume_folder }}/data:/data"
environment:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: "INFO"
VIRTUAL_HOST: "{{ matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
riot:
container_name: riot_app
image: avhost/docker-matrix-riot:v1.9.0
restart: unless-stopped
networks:
- matrix
- external_services
ports:
- 8080
volumes:
- "{{ riot.volume_folder }}/data:/data"
environment:
VIRTUAL_HOST: "{{ riot.domains|join(',') }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external:
name: external_services
matrix:
name: "matrix"

27
roles/docker/tasks/services/netdata.yml Normal file
View file

@ -0,0 +1,27 @@
---
- name: setup netdata docker container for system monitoring
docker_container:
name: netdata
image: netdata/netdata
restart_policy: unless-stopped
hostname: "hevonen.servers.{{ base_domain }}"
capabilities:
- SYS_PTRACE
security_opts:
- apparmor:unconfined
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ netdata.domain }}"
LETSENCRYPT_HOST: "{{ netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
labels:
com.ouroboros.enable: "true"

42
roles/docker/tasks/services/nextcloud.yml Normal file
View file

@ -0,0 +1,42 @@
---
- name: setup nextcloud containers
docker_compose:
project_name: "nextcloud"
pull: "yes"
definition:
services:
postgres:
image: "postgres:10"
restart: "unless-stopped"
networks:
- "nextcloud"
volumes:
- "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: "nextcloud"
app:
image: "nextcloud:22-apache"
restart: "unless-stopped"
networks:
- "nextcloud"
- "external_services"
volumes:
- "{{ nextcloud.volume_folder }}/app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: "nextcloud_postgres_1"
POSTGRES_DB: "nextcloud"
POSTGRES_USER: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
networks:
nextcloud:
postfix:
external: true
external_services:
external: true

47
roles/docker/tasks/services/nginx-proxy.yml Normal file
View file

@ -0,0 +1,47 @@
---
- name: create nginx-proxy volume folders
file:
name: "{{ nginx.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: jwilder/nginx-proxy
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ nginx.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: jrcs/letsencrypt-nginx-proxy-companion
restart_policy: always
volumes:
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy

71
roles/docker/tasks/services/openldap.yml Normal file
View file

@ -0,0 +1,71 @@
---
- name: create ldap volume folders
file:
name: "{{ ldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- "var/lib/ldap"
- "etc/slapd"
- "certs"
loop_control:
loop_var: volume
- name: Create a network for ldap
docker_network:
name: ldap
- name: openLDAP container
docker_container:
name: openldap
image: osixia/openldap:1.5.0
tty: true
interactive: true
volumes:
- "{{ ldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
- "{{ ldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
- "{{ ldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
published_ports:
- "389:389"
- "636:636"
hostname: "{{ ldap.domain }}"
domainname: "{{ ldap.domain }}" # important: same as hostname
networks:
- name: ldap
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: "false"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap.crt"
LDAP_TLS_KEY_FILENAME: "ldap.key"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: "demand"
LDAP_REPLICATION: "false"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
- name: phpLDAPadmin container
docker_container:
name: phpldapadmin
image: osixia/phpldapadmin:0.9.0
networks:
- name: external_services
- name: ldap
env:
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
VIRTUAL_HOST: "{{ ldap.domain }}"
LETSENCRYPT_HOST: "{{ ldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

18
roles/docker/tasks/services/ouroboros.yml Normal file
View file

@ -0,0 +1,18 @@
---
- name: ouroboros container
docker_container:
name: ouroboros
image: pyouroboros/ouroboros
restart_policy: unless-stopped
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /root/.docker/config.json:/root/.docker/config.json
env:
LABEL_ENABLE: "true"
LABELS_ONLY: "true"
CLEANUP: "true"
LATEST: "true"
CRON: "*/10 * * * *"

47
roles/docker/tasks/services/passit.yml Normal file
View file

@ -0,0 +1,47 @@
---
- name: setup passit containers
docker_compose:
project_name: "passit"
pull: "yes"
definition:
version: "3.6"
services:
passit_db:
image: "postgres:10"
restart: "always"
networks:
- "passit"
volumes:
- "{{ passit.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "passit"
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
passit_app:
image: "passit/passit:stable"
command: "bin/start.sh"
restart: "always"
networks:
- "passit"
- "postfix"
- "external_services"
environment:
DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: 'False'
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
VIRTUAL_HOST: "{{ passit.domain }}"
LETSENCRYPT_HOST: "{{ passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
passit:
postfix:
external: true
external_services:
external: true

24
roles/docker/tasks/services/portainer.yml Normal file
View file

@ -0,0 +1,24 @@
---
- name: create portainer volume folder
file:
name: "{{ portainer.volume_folder }}"
state: directory
- name: run portainer
docker_container:
name: portainer
image: portainer/portainer-ce:2.9.1
restart_policy: always
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- "{{ portainer.volume_folder }}:/data"
published_ports:
- 9001:9000
env:
VIRTUAL_HOST: "{{ portainer.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

19
roles/docker/tasks/services/postfix.yml Normal file
View file

@ -0,0 +1,19 @@
---
- name: setup network for postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: setup postfix docker container for outgoing mail
docker_container:
name: postfix
image: boky/postfix:v3.5.0
restart_policy: always
networks:
- name: postfix
env:
ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}"
HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as

31
roles/docker/tasks/services/privatebin.yml Normal file
View file

@ -0,0 +1,31 @@
---
- name: create privatebin volume folders
file:
name: "{{ privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: upload privatebin config
template:
src: files/configs/privatebin-conf.php
dest: "{{ privatebin.volume_folder }}/cfg/conf.php"
- name: privatebin app container
docker_container:
name: privatebin
image: jgeusebroek/privatebin:latest
restart_policy: unless-stopped
volumes:
- "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg"
- "{{ privatebin.volume_folder }}/data:/privatebin/data"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ privatebin.domain }}"
LETSENCRYPT_HOST: "{{ privatebin.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

38
roles/docker/tasks/services/restic-backup.yml Normal file
View file

@ -0,0 +1,38 @@
---
- name: setup restic backup
docker_compose:
project_name: restic_backup
pull: yes
definition:
version: '3.6'
services:
restic-backup:
image: mazzolino/restic
restart: always
environment:
RUN_ON_STARTUP: "true"
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes
--exclude='*.tmp'
--verbose
RESTIC_FORGET_ARGS: >-
--keep-last 10
--keep-daily 7
--keep-weekly 5
--keep-monthly 12
TZ: Europe/Copenhagen
volumes:
- /docker-volumes:/mnt/volumes:ro
restic-prune:
image: "mazzolino/restic"
environment:
RUN_ON_STARTUP: "true"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
TZ: Europe/copenhagen

25
roles/docker/tasks/services/thelounge.yml Normal file
View file

@ -0,0 +1,25 @@
---
- name: thelounge volume
docker_volume:
name: thelounge
- name: upload thelounge config
template:
src: files/configs/thelounge.js
dest: /var/lib/docker/volumes/thelounge/_data/config.js
- name: thelounge container
docker_container:
name: thelounge
image: thelounge/lounge:latest
restart_policy: always
volumes:
- thelounge:/home/lounge/data
networks:
- name: external_services
- name: ldap
env:
VIRTUAL_HOST: "{{ thelounge.domain }}"
LETSENCRYPT_HOST: "{{ thelounge.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

53
roles/docker/tasks/services/tt-rss.yml Normal file
View file

@ -0,0 +1,53 @@
---
- name: create tt-rss folders
file:
name: "{{ ttrss.volume_folder }}/{{ volume }}"
state: directory
loop:
- "config"
- "db"
loop_control:
loop_var: volume
- name: "set up tt-rss"
docker_compose:
project_name: "tt-rss"
pull: yes
definition:
version: "3.6"
services:
ttrss_db:
container_name: "ttrss_db"
image: "postgres:11"
restart: "unless-stopped"
networks:
- "ttrss"
volumes:
- "{{ ttrss.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "ttrss"
POSTGRES_PASSWORD: "{{ postgres_passwords.ttrss }}"
ttrss_app:
container_name: ttrss_app
image: "linuxserver/tt-rss"
restart: unless-stopped
networks:
- ttrss
- external_services
volumes:
- "{{ ttrss.volume_folder }}/config:/config"
environment:
VIRTUAL_HOST: "{{ ttrss.domain }}"
LETSENCRYPT_HOST: "{{ ttrss.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
TZ: "Europe/Copenhagen"
labels:
com.ouroboros.enable: "true"
networks:
external_services:
external:
name: external_services
ttrss:
name: "ttrss"

13
roles/docker/tasks/services/ulovliglogning-dk.yml Normal file
View file

@ -0,0 +1,13 @@
- name: setup ulovliglogning.dk website docker container
docker_container:
name: ulovliglogning_website
restart_policy: unless-stopped
image: ulovliglogning/ulovliglogning.dk:latest
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"

57
roles/docker/tasks/services/websites.yml Normal file
View file

@ -0,0 +1,57 @@
---
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"

17
roles/docker/templates/compose-files/cryptoaarhus_website.yml.j2
View file

@ -1,17 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptoaarhus-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

17
roles/docker/templates/compose-files/cryptohagen_website.yml.j2
View file

@ -1,17 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptohagen-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

27
roles/docker/templates/compose-files/data_coop_website.yml.j2
View file

@ -1,27 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
prod-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
staging-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

26
roles/docker/templates/compose-files/diun.yml.j2
View file

@ -1,26 +0,0 @@
# vim: ft=yaml.ansible
---
version: "3.5"
services:
diun:
image: "ghcr.io/crazy-max/diun:{{ services.diun.version }}"
command: serve
volumes:
- "./data:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- "TZ=Europe/Paris"
- "DIUN_WATCH_WORKERS=20"
- "DIUN_WATCH_SCHEDULE=0 */6 * * *"
- "DIUN_WATCH_JITTER=30s"
- "DIUN_PROVIDERS_DOCKER=true"
- "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
- "DIUN_NOTIF_MATRIX_HOMESERVERURL=https://{{ services.matrix.domain }}"
- "DIUN_NOTIF_MATRIX_USER={{ services.diun.matrix_user }}"
- "DIUN_NOTIF_MATRIX_ROOMID={{ services.diun.matrix_room }}"
- "DIUN_NOTIF_MATRIX_PASSWORD={{ diun_secrets.matrix_password }}"
- "DIUN_NOTIF_MATRIX_MSGTYPE=text"
labels:
- "diun.enable=true"
restart: always

23
roles/docker/templates/compose-files/docker_registry.yml.j2
View file

@ -1,23 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: registry:{{ services.docker_registry.version }}
restart: always
networks:
- external_services
volumes:
- "./registry:/var/lib/registry"
- "./auth:/auth"
environment:
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
networks:
external_services:
external: true

40
roles/docker/templates/compose-files/drone.yml.j2
View file

@ -1,40 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: drone/drone:{{ services.drone.version }}
restart: unless-stopped
networks:
- default
- external_services
volumes:
- ".:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: https://{{ services.forgejo.domain }}
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: true
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
DRONE_SERVER_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
VIRTUAL_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
runner:
image: drone/drone-runner-docker:{{ services.drone.version }}
restart: unless-stopped
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ services.drone.domain }}"
DRONE_RPC_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: data.coop_drone_runner
networks:
external_services:
external: true

22
roles/docker/templates/compose-files/element.yml.j2
View file

@ -1,22 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: avhost/docker-matrix-element:{{ services.element.version }}
restart: unless-stopped
networks:
- external_services
expose:
- "8080"
volumes:
- "./data:/data"
environment:
VIRTUAL_HOST: "{{ services.element.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.element.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

22
roles/docker/templates/compose-files/fedi_dk_website.yml.j2
View file

@ -1,22 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
command: --remote=https://git.data.coop/fedi.dk/website.git#main
cap_add:
- NET_ADMIN
devices:
- "/dev/net/tun"
networks:
external_services:
external: true

38
roles/docker/templates/compose-files/forgejo.yml.j2
View file

@ -1,38 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
restart: unless-stopped
networks:
- external_services
- postfix
volumes:
- ".:/data"
ports:
- "22:22"
environment:
VIRTUAL_HOST: "{{ services.forgejo.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
FORGEJO__mailer__ENABLED: true
FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }}
FORGEJO__mailer__PROTOCOL: smtp
FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}"
FORGEJO__mailer__SMTP_PORT: "{{ smtp_port }}"
FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
FORGEJO__security__PASSWORD_COMPLEXITY: off
FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
FORGEJO__security__PASSWORD_CHECK_PWN: true
FORGEJO__service__ENABLE_NOTIFY_MAIL: true
FORGEJO__service__REGISTER_EMAIL_CONFIRM: true
networks:
external_services:
external: true
postfix:
external: true

44
roles/docker/templates/compose-files/hedgedoc.yml.j2
View file

@ -1,44 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.hedgedoc.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: codimd
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: codimd
app:
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
volumes:
- "./hedgedoc/uploads:/hedgedoc/public/uploads"
- "./sso.data.coop.pem:/sso.data.coop.pem"
restart: unless-stopped
networks:
- default
- external_services
environment:
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@db:5432/codimd
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: False
CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: False
CMD_SAML_IDPCERT: /sso.data.coop.pem
CMD_SAML_IDPSSOURL: https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml
CMD_SAML_ISSUER: hedgedoc
CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
CMD_USECDN: false
CMD_PROTOCOL_USESSL: true
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
depends_on:
- db
networks:
external_services:
external: true

42
roles/docker/templates/compose-files/keycloak.yml.j2
View file

@ -1,42 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.keycloak.postgres_version }}
restart: unless-stopped
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: keycloak
app:
image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
command:
- "start"
- "--db=postgres"
- "--db-url=jdbc:postgresql://db:5432/keycloak"
- "--db-username=keycloak"
- "--db-password={{ postgres_passwords.keycloak }}"
- "--hostname={{ services.keycloak.domain }}"
- "--proxy=edge"
- "--https-port=8080"
- "--http-relative-path=/auth"
environment:
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true

146
roles/docker/templates/compose-files/mailu.yml.j2
View file

@ -1,146 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.mailu.postgres_version }}
restart: unless-stopped
environment:
POSTGRES_DB: mailu
POSTGRES_USER: mailu
POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
volumes:
- "./postgres:/var/lib/postgresql/data"
dns:
- "{{ services.mailu.dns }}"
redis:
image: redis:{{ services.mailu.redis_version }}
restart: unless-stopped
volumes:
- "./redis:/data"
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
front:
image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
environment:
VIRTUAL_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "./certs:/certs"
- "./overrides/nginx:/overrides:ro"
expose:
- "80"
ports:
- "25:25"
- "465:465"
- "587:587"
- "110:110"
- "995:995"
- "143:143"
- "993:993"
networks:
- default
- webmail
- external_services
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
resolver:
image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
networks:
default:
ipv4_address: "{{ services.mailu.dns }}"
admin:
image: ghcr.io/mailu/admin:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./data:/data"
- "./dkim:/dkim"
networks:
default:
aliases:
- admin.mailu
depends_on:
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
imap:
image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mail:/mail"
- "./overrides/dovecot:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
smtp:
image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mailqueue:/queue"
- "./overrides/postfix:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
antispam:
image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
hostname: antispam
restart: unless-stopped
env_file: mailu.env
volumes:
- "./filter:/var/lib/rspamd"
- "./overrides/rspamd:/overrides:ro"
depends_on:
- front
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
webmail:
image: ghcr.io/mailu/webmail:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./webmail:/data"
- "./overrides/snappymail:/overrides:ro"
networks:
- webmail
depends_on:
- front
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ services.mailu.subnet }}"
webmail:
driver: bridge
external_services:
external: true

146
roles/docker/templates/compose-files/mastodon.yml.j2
View file

@ -1,146 +0,0 @@
# vim: ft=yaml.docker-compose
x-sidekiq: &sidekiq
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
networks:
- default
- postfix
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
version: "3.8"
services:
db:
restart: always
image: postgres:{{ services.mastodon.postgres_version }}
shm_size: 256mb
volumes:
- "./postgres_data:/var/lib/postgresql/data"
- "./postgres_config:/config:ro"
command: postgres -c config_file=/config/postgresql.conf
environment:
POSTGRES_HOST_AUTH_METHOD: trust
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
redis:
restart: always
image: redis:{{ services.mastodon.redis_version }}
volumes:
- "./redis_data:/data"
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
web:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- default
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
environment:
MAX_THREADS: 10
WEB_CONCURRENCY: 3
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "3000"
VIRTUAL_PATH: /
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
streaming:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: node ./streaming
networks:
- default
- external_services
ports:
- "127.0.0.1:4000:4000"
environment:
DB_POOL: 15
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "4000"
VIRTUAL_PATH: "/api/v1/streaming"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
# sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-push-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q push -q pull
environment:
DB_POOL: 25
# sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-pull-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q pull -q push
environment:
DB_POOL: 25
# sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-pull-default-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q pull -q default -q push
environment:
DB_POOL: 25
# sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-push-default-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q push -q default -q pull
environment:
DB_POOL: 25
# sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-scheduler:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q scheduler
environment:
DB_POOL: 5
# sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-mailers:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q mailers
environment:
DB_POOL: 5
# sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
sidekiq-push-ingress:
<<: *sidekiq
command: bundle exec sidekiq -c 10 -q push -q ingress
environment:
DB_POOL: 10
networks:
external_services:
external: true
postfix:
external: true

36
roles/docker/templates/compose-files/matrix.yml.j2
View file

@ -1,36 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.matrix.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: synapse
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
synapse:
image: ghcr.io/element-hq/synapse:{{ services.matrix.version }}
restart: unless-stopped
networks:
- default
- external_services
- postfix
volumes:
- "./data:/data"
environment:
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: INFO
VIRTUAL_HOST: "{{ services.matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
postfix:
external: true

44
roles/docker/templates/compose-files/membersystem.yml.j2
View file

@ -1,44 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: docker.data.coop/membersystem:{{ services.membersystem.version }}
restart: always
user: "$UID:$GID"
tty: true
networks:
- default
- external_services
- postfix
environment:
SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
POSTGRES_HOST: postgres
POSTGRES_PORT: 5432
EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
VIRTUAL_PORT: "8000"
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
depends_on:
- postgres
postgres:
image: postgres:{{ services.membersystem.postgres_version }}
restart: always
volumes:
- "./postgres/data:/var/lib/postgresql/data"
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
networks:
external_services:
external: true
postfix:
external: true

36
roles/docker/templates/compose-files/netdata.yml.j2
View file

@ -1,36 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: netdata/netdata:{{ services.netdata.version }}
restart: unless-stopped
hostname: hevonen.servers.{{ base_domain }}
volumes:
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/etc/os-release:/host/etc/os-release:ro"
networks:
- default
- external_services
environment:
VIRTUAL_HOST : "{{ services.netdata.domain }}"
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
DOCKER_HOST: "socket_proxy:2375"
cap_add:
- SYS_PTRACE
security_opt:
- apparmor:unconfined
socket-proxy:
image: tecnativa/docker-socket-proxy:latest
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
CONTAINERS: 1
networks:
external_services:
external: true

59
roles/docker/templates/compose-files/nextcloud.yml.j2
View file

@ -1,59 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.nextcloud.postgres_version }}
restart: unless-stopped
volumes:
- "./postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: nextcloud
redis:
image: redis:{{ services.nextcloud.redis_version }}
restart: unless-stopped
command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}
tmpfs:
- /var/lib/redis
cron:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
entrypoint: /cron.sh
volumes:
- "./app:/var/www/html"
depends_on:
- postgres
- redis
app:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
volumes:
- "./app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: postgres
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
REDIS_HOST: redis
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
depends_on:
- postgres
- redis
networks:
postfix:
external: true
external_services:
external: true

38
roles/docker/templates/compose-files/nginx_proxy.yml.j2
View file

@ -1,38 +0,0 @@
version: "3.8"
services:
proxy:
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart: always
networks:
- external_services
ports:
- "80:80"
- "443:443"
volumes:
- "./conf:/etc/nginx/conf.d"
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam"
- "./certs:/etc/nginx/certs:ro"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
labels:
- com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
{% if letsencrypt_enabled %}
acme:
image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }}
restart: always
volumes:
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam:ro"
- "./certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
depends_on:
- proxy
{% endif %}
networks:
external_services:
external: true

58
roles/docker/templates/compose-files/openldap.yml.j2
View file

@ -1,58 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: osixia/openldap:{{ services.openldap.version }}
restart: unless-stopped
tty: true
stdin_open: true
volumes:
- "./var/lib/ldap:/var/lib/ldap"
- "./etc/slapd.d:/etc/ldap/slapd.d"
- "./certs:/container/service/slapd/assets/certs/"
ports:
- "389:389"
- "636:636"
hostname: "{{ services.openldap.domain }}"
domainname: "{{ services.openldap.domain }}" # important: same as hostname
environment:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: false
LDAP_RFC2307BIS_SCHEMA: false
LDAP_BACKEND: mdb
LDAP_TLS: true
LDAP_TLS_CRT_FILENAME: ldap.crt
LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt
LDAP_TLS_ENFORCE: false
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: demand
LDAP_REPLICATION: false
KEEP_EXISTING_CONFIG: false
LDAP_REMOVE_CONFIG_AFTER_SETUP: true
LDAP_SSL_HELPER_PREFIX: ldap
admin:
image: osixia/phpldapadmin:{{ services.openldap.phpldapadmin_version }}
restart: unless-stopped
networks:
- default
- external_services
environment:
PHPLDAPADMIN_LDAP_HOSTS: app
PHPLDAPADMIN_HTTPS: false
PHPLDAPADMIN_TRUST_PROXY_SSL: true
VIRTUAL_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

38
roles/docker/templates/compose-files/passit.yml.j2
View file

@ -1,38 +0,0 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.passit.postgres_version }}
restart: always
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: passit
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
app:
image: passit/passit:{{ services.passit.version }}
command: bin/start.sh
restart: always
networks:
- default
- postfix
- external_services
environment:
DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@db:5432/passit
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: "False"
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
FIDO_SERVER_ID: "{{ services.passit.domain }}"
VIRTUAL_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true

Some files were not shown because too many files have changed in this diff Show more