112 changed files with 605 additions and 955 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,6 @@
 *.retry
 *.sw*
 .vagrant/
 *.log
 .idea/
 .vscode/
 venv/
--- a/39
+++ b/39
@ -0,0 +1,39 @@
 Vagrant.require_version ">= 2.0.0"
 PORT = 19022
 def provisioned?(vm="default", provider="virtualbox")
  File.exist?(".vagrant/machines/#{vm}/#{provider}/action_provision")
 end
 Vagrant.configure(2) do |config|
  config.vm.network :private_network, ip: "192.168.56.10"
  config.vm.network :forwarded_port, guest: PORT, host: PORT
  config.vm.box = "ubuntu/focal64"
  config.vm.hostname = "datacoop"
  config.vm.provider :virtualbox do |v|
    v.cpus = 8
    v.memory = 16384
  end
  config.vm.provision :ansible do |ansible|
    ansible.compatibility_mode = "2.0"
    ansible.playbook = "playbook.yml"
    ansible.ask_vault_pass = true
    ansible.verbose = "v"
    # If the VM is already provisioned, we need to use the new port
    if provisioned?
      config.ssh.guest_port = PORT
      ansible.extra_vars = {
        ansible_port: PORT,
        from_vagrant: true
      }
    else
      ansible.extra_vars = {
        from_vagrant: true
      }
    end
  end
 end
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,8 +1,8 @@
 [defaults]
 ask_vault_pass = True
-inventory = inventory.ini
+inventory = datacoop_hosts
 interpreter_python = /usr/bin/python3
-remote_user = ansible
+remote_user = root
 retry_files_enabled = True
 use_persistent_connections = True
 forks = 10
--- a/cloud-init/cloud.cfg
+++ b/cloud-init/cloud.cfg
@ -1,117 +0,0 @@
 # cloud-config
 # The top level settings are used as module
 # and system configuration.
 # A set of users which may be applied and/or used by various modules
 # when a 'default' entry is found it will reference the 'default_user'
 # from the distro configuration specified below
 users:
  - default
 # If this is set, 'root' will not be able to ssh in and they
 # will get a message to login instead as the default $user
 disable_root: true
 # This will cause the set+update hostname module to not operate (if true)
 preserve_hostname: false
 apt:
  # This prevents cloud-init from rewriting apt's sources.list file,
  # which has been a source of surprise.
  preserve_sources_list: true
 # If you use datasource_list array, keep array items in a single line.
 # If you use multi line array, ds-identify script won't read array items.
 # Example datasource config
 # datasource:
 #    Ec2:
 #      metadata_urls: [ 'blah.com' ]
 #      timeout: 5 # (defaults to 50 seconds)
 #      max_wait: 10 # (defaults to 120 seconds)
 # The modules that run in the 'init' stage
 cloud_init_modules:
 - migrator
 - seed_random
 - bootcmd
 - write-files
 - growpart
 - resizefs
 - disk_setup
 - mounts
 - set_hostname
 - update_hostname
 - update_etc_hosts
 - ca-certs
 - rsyslog
 - users-groups
 - ssh
 # The modules that run in the 'config' stage
 cloud_config_modules:
 - snap
 - ssh-import-id
 - keyboard
 - locale
 - set-passwords
 - grub-dpkg
 - apt-pipelining
 - apt-configure
 - ntp
 - timezone
 - disable-ec2-metadata
 - runcmd
 - byobu
 # The modules that run in the 'final' stage
 cloud_final_modules:
 - package-update-upgrade-install
 - fan
 - landscape
 - lxd
 - write-files-deferred
 - puppet
 - chef
 - mcollective
 - salt-minion
 - reset_rmc
 - refresh_rmc_and_interface
 - rightscale_userdata
 - scripts-vendor
 - scripts-per-once
 - scripts-per-boot
 - scripts-per-instance
 - scripts-user
 - ssh-authkey-fingerprints
 - keys-to-console
 - install-hotplug
 - phone-home
 - final-message
 - power-state-change
 # System and/or distro specific settings
 # (not accessible to handlers/transforms)
 system_info:
   # This will affect which distro class gets used
   distro: debian
   # Default user name + that default users groups (if added/used)
   default_user:
     name: ansible
     lock_passwd: True
     gecos: Ansible User
     groups: []
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
     shell: /bin/bash
   # Other config here will be given to the distro class and/or path classes
   paths:
      cloud_dir: /var/lib/cloud/
      templates_dir: /etc/cloud/templates/
   package_mirrors:
     - arches: [default]
       failsafe:
         primary: https://deb.debian.org/debian
         security: https://deb.debian.org/debian-security
   ssh_svcname: ssh
--- a/5
+++ b/5
@ -0,0 +1,5 @@
 [production]
 hevonen.servers.data.coop ansible_port=19022
 [monitoring]
 uptime.data.coop
--- a/deploy.sh
+++ b/deploy.sh
@ -2,15 +2,20 @@
 usage () {
    {
-        echo "Usage: $0"
+        echo "Usage: $0 [--vagrant]"
-        echo "Usage: $0 base"
+        echo "Usage: $0 [--vagrant] base"
-        echo "Usage: $0 users"
+        echo "Usage: $0 [--vagrant] users"
-        echo "Usage: $0 services [--deploy] [SERVICE]"
+        echo "Usage: $0 [--vagrant] services [SERVICE]"
    } >&2
 }
 BASE_CMD="ansible-playbook playbook.yml"
-DEPLOY="false"
+
 if [ "$1" = "--vagrant" ]; then
    BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
    VAGRANT_VAR="from_vagrant"
    shift
 fi
 if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
    echo "Installing community.general modules"
@ -23,24 +28,19 @@ if [ -z "$1" ]; then
 else
    case $1 in
        "services")
            if [ -n "$2" && "$2" = "--deploy" ]; then
                DEPLOY="true"
                shift
            fi
            if [ -z "$2" ]; then
                echo "Deploying all services!"
-                $BASE_CMD --tags setup_services --extra-vars "deploy_services=$DEPLOY"
+                eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
            else
                echo "Deploying service: $2"
-                $BASE_CMD --tags setup_services --extra-vars "deploy_services=$DEPLOY" --extra-vars "single_service=$2"
+                $BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
            fi
        ;;
        "base")
-            $BASE_CMD --tags base_only
+            eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
        ;;
        "users")
-            $BASE_CMD --tags setup-users
+            eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
        ;;
        *)
            usage
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -1,17 +1,24 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 users:
-  - name: ansible
+  - name: graffen
-    comment: Ansible User
+    comment: Jesper Hess Nielsen
-    password_lock: true
+    password: '!'
    groups: []
    ssh_keys: []
  - name: valberg
    comment: Vidir Valberg Gudmundsson
    password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
    groups:
      - sudo
    ssh_keys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
  - name: reynir
    comment: Reynir Björnsson
    password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
    password_lock: false
    groups:
      - sudo
    ssh_keys:
@ -21,19 +28,8 @@ users:
  - name: samsapti
    comment: Sam Al-Sapti
    password: $6$18dN367fG162hQ9A$Aqkf3O24Ve1btzh1PPOPg3uyydv/AQYUxethcoB4klotebJq3/XsydYT7XBuarxfDccVwyPTMlsP3U8VfQpG60
    password_lock: false
    groups:
      - sudo
    ssh_keys:
      - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
  - name: valberg
    comment: Vidir Valberg Gudmundsson
    password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
    password_lock: false
    groups:
      - sudo
    ssh_keys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4FRrbTpxwGdlF6RVi/thJaMlaEE0Z9YCQA4Y+KnHbBoVWMjzgbIkSWw3MM+E/iiVnix8SFh4tjDSdFjb8lCvHt/PqhMFhZJ02vhVgSwyU+Ji5ur23i202LB9ua54NLN4kNG8K47U0tKi2/EV6LWl2QdRviAcOUctz6u9XDkkMLUgPEYH384XSTRRj4GJ8+0LRzB2rXqetH3gBe9v1vlv0ETYWvzTnpfZUxcrrqEGtXV9Wa0BZoWLos2oKOsYVjNdLZMoFpmyBxPnqzAi1hr7beblFZKqBkvD7XA9RnERbZn1nxkWufVahppPjKQ+se3esWJCp6ri/vNP4WNKY3hiIoekBLbpvGcP1Te7cAIQXiZOilN92NKKYrzN2gAtsxgqGZw7lI1PE71luGdPir2Evl6hPj6/nnNdEHZWgcmBSPy17uCpVvZYBcDDzj8L3hbkLVQ3kcLZTz6I8BXvuGqoeLvRQpBtn5EaLpCCOmXuKqm+dzHzsOIwh+SA5NA8M3P0=
--- a/group_vars/monitoring/vars.yml
+++ b/group_vars/monitoring/vars.yml
@ -1,10 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 base_domain: data.coop
 letsencrypt_email: admin@data.coop
 services_include:
  - nginx_proxy
  - uptime_kuma
  - watchtower
--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@ -1,13 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 base_domain: data.coop
 letsencrypt_email: admin@data.coop
 services_exclude:
  - uptime_kuma
 smtp_host: "postfix"
 smtp_port: "587"
 ldap_dn: "dc=data,dc=coop"
--- a/group_vars/staging/vars.yml
+++ b/group_vars/staging/vars.yml
@ -1,13 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 base_domain: staging.data.coop
 letsencrypt_email: admin@data.coop
 services_exclude:
  - uptime_kuma
 smtp_host: "postfix"
 smtp_port: "587"
 ldap_dn: "dc=staging,dc=data,dc=coop"
--- a/host_vars/cavall.yml
+++ b/host_vars/cavall.yml
@ -1,8 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.servers.data.coop"
 ansible_host: "{{ fqdn }}"
 ansible_port: 22
--- a/host_vars/folald.yml
+++ b/host_vars/folald.yml
@ -1,12 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 vm_host: cavall
 vm_type: control
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"
 ansible_host: "{{ fqdn }}"
 ansible_port: 19022
 internal_ipv4: 10.2.1.5
--- a/host_vars/hestur.yml
+++ b/host_vars/hestur.yml
@ -1,11 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 vm_host: cloud
 vm_type: uptime
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"
 ansible_host: "{{ fqdn }}"
 ansible_port: 22
--- a/host_vars/poltre.yml
+++ b/host_vars/poltre.yml
@ -1,12 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 vm_host: cavall
 vm_type: app
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"
 ansible_host: "{{ fqdn }}"
 ansible_port: 19022
 internal_ipv4: 10.2.1.2
--- a/host_vars/varsa.yml
+++ b/host_vars/varsa.yml
@ -1,12 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 vm_host: cavall
 vm_type: app
 hostname: "{{ inventory_hostname }}"
 fqdn: "{{ hostname }}.vm.{{ vm_host }}.servers.data.coop"
 ansible_host: "{{ fqdn }}"
 ansible_port: 19022
 internal_ipv4: 10.2.1.3
--- a/inventory.ini
+++ b/inventory.ini
@ -1,23 +0,0 @@
 [proxmox]
 cavall
 [monitoring]
 hestur
 [production]
 poltre
 [staging]
 varsa
 [control]
 folald
 [virtual:children]
 monitoring
 production
 staging
 control
 [physical:children]
 proxmox
--- a/playbook.yml
+++ b/playbook.yml
@ -0,0 +1,27 @@
 # vim: ft=yaml.ansible
 ---
 - hosts: production
  gather_facts: true
  become: true
  vars:
    ldap_dn: "dc=data,dc=coop"
    vagrant: "{{ from_vagrant is defined and from_vagrant }}"
    letsencrypt_enabled: "{{ not vagrant }}"
    base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
    letsencrypt_email: "admin@{{ base_domain }}"
    smtp_host: "postfix"
    smtp_port: "587"
    services_exclude:
      - uptime_kuma
  tasks:
    - import_role:
        name: ubuntu_base
      tags:
        - base_only
    - import_role:
        name: docker
--- a/proxmox/etc/network/interfaces
+++ b/proxmox/etc/network/interfaces
@ -1,67 +0,0 @@
 # network interface settings; autogenerated
 # Please do NOT modify this file directly, unless you know what
 # you're doing.
 #
 # If you want to manage parts of the network configuration manually,
 # please utilize the 'source' or 'source-directory' directives to do
 # so.
 # PVE will preserve these directives, but will NOT read its network
 # configuration from sourced files, so do not attempt to move any of
 # the PVE managed interfaces into external files!
 auto lo
 iface lo inet loopback
 auto eno1
 iface eno1 inet manual
 auto eno2
 iface eno2 inet manual
 iface eno3 inet manual
 iface eno4 inet manual
 auto bond0
 iface bond0 inet manual
 	bond-slaves eno1 eno2
 	bond-miimon 100
 	bond-mode 802.3ad
 	bond-xmit-hash-policy layer2+3
 auto vmbr0
 iface vmbr0 inet static
 	address 85.209.118.134/28
 	gateway 85.209.118.129
 	bridge-ports bond0
 	bridge-stp off
 	bridge-fd 0
 #Main bridge for public VMs
 iface vmbr0 inet6 static
 	address 2a09:94c4:55d1:7680::86/64
 	gateway 2a09:94c4:55d1:7680::1
 auto vmbr1
 iface vmbr1 inet manual
 	address 10.2.1.1/24
 	bridge-ports none
 	bridge-stp off
 	bridge-fd 0
 #Internal bridge for VMs
 auto vmbr2
 iface vmbr2 inet static
 	address 192.168.1.1/24
 	bridge-ports none
 	bridge-stp off
 	bridge-fd 0
 #NAT bridge for VMs that need masquerading
 	post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
 	post-up   iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
 	post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 19022 -j DNAT --to 192.168.1.144:19022
 	post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
 	post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 19022 -j DNAT --to 192.168.1.144:19022
 source /etc/network/interfaces.d/*
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -1,6 +1,229 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-docker_rootless: false
+volume_root_folder: "/docker-volumes"
-docker_rootless_user: rootlessdocker
+volume_website_folder: "{{ volume_root_folder }}/websites"
-docker_rootless_user_uid: 1102
+
 services:
  ### Internal services ###
  postfix:
    domain: "smtp.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/postfix"
    pre_deploy_tasks: true
    version: "v3.6.1-alpine"
  nginx_proxy:
    volume_folder: "{{ volume_root_folder }}/nginx"
    pre_deploy_tasks: true
    version: "1.3-alpine"
    acme_companion_version: "2.2"
  openldap:
    domain: "ldap.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/openldap"
    pre_deploy_tasks: true
    version: "1.5.0"
    phpldapadmin_version: "0.9.0"
  netdata:
    domain: "netdata.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/netdata"
    version: "v1"
  portainer:
    domain: "portainer.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/portainer"
    version: "2.19.0"
  keycloak:
    domain: sso.{{ base_domain }}
    volume_folder: "{{ volume_root_folder }}/keycloak"
    version: "22.0"
    postgres_version: "10"
    allowed_sender_domain: true
  restic:
    volume_folder: "{{ volume_root_folder }}/restic"
    pre_deploy_tasks: true
    remote_user: dc-user
    remote_domain: rynkeby.skovgaard.tel
    host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
    repository: restic
    version: "1.7.0"
    disabled_in_vagrant: true
    # mail dance
    domain: "noreply.{{ base_domain }}"
    allowed_sender_domain: true
    mail_from: "backup@noreply.{{ base_domain }}"
  docker_registry:
    domain: "docker.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/docker-registry"
    pre_deploy_tasks: true
    post_deploy_tasks: true
    username: "docker"
    password: "{{ docker_password }}"
    version: "2"
  ### External services ###
  nextcloud:
    domain: "cloud.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/nextcloud"
    pre_deploy_tasks: true
    version: 28-apache
    postgres_version: "10"
    redis_version: 7-alpine
    allowed_sender_domain: true
  forgejo:
    domain: "git.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/forgejo"
    version: "7.0.5"
    allowed_sender_domain: true
  passit:
    domain: "passit.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/passit"
    version: stable
    postgres_version: 15-alpine
    allowed_sender_domain: true
  matrix:
    domain: "matrix.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/matrix"
    pre_deploy_tasks: true
    version: v1.114.0
    postgres_version: 15-alpine
    allowed_sender_domain: true
  element:
    domain: "element.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/element"
    pre_deploy_tasks: true
    version: v1.11.80
  privatebin:
    domain: "paste.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/privatebin"
    pre_deploy_tasks: true
    version: "20221009"
  hedgedoc:
    domain: "pad.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/hedgedoc"
    pre_deploy_tasks: true
    version: 1.9.9-alpine
    postgres_version: 10-alpine
  data_coop_website:
    domain: "{{ base_domain }}"
    www_domain: "www.{{ base_domain }}"
    volume_folder: "{{ volume_website_folder }}/datacoop"
    pre_deploy_tasks: true
    version: stable
    staging_domain: "staging.{{ base_domain }}"
    staging_version: staging
  slides_2022_website:
    domain: "2022.slides.{{ base_domain }}"
    volume_folder: "{{ volume_website_folder }}/slides-2022"
    version: latest
  fedi_dk_website:
    domain: fedi.dk
    volume_folder: "{{ volume_website_folder }}/fedidk"
    version: latest
  vhs_website:
    domain: vhs.data.coop
    volume_folder: "{{ volume_website_folder }}/vhs"
    version: latest
  cryptohagen_website:
    domains:
      - "cryptohagen.dk"
      - "www.cryptohagen.dk"
    volume_folder: "{{ volume_website_folder }}/cryptohagen"
  ulovliglogning_website:
    domains:
      - "ulovliglogning.dk"
      - "www.ulovliglogning.dk"
      - "ulovlig-logning.dk"
      - "www.ulovlig-logning.dk"
    volume_folder: "{{ volume_website_folder }}/ulovliglogning"
  cryptoaarhus_website:
    domains:
      - "cryptoaarhus.dk"
      - "www.cryptoaarhus.dk"
    volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
  drone:
    domain: "drone.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/drone"
    version: "1"
  mailu:
    domain: "mail.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/mailu"
    pre_deploy_tasks: true
    dns: 192.168.203.254
    subnet: 192.168.203.0/24
    version: "2.0"
    postgres_version: 14-alpine
    redis_version: alpine
  mastodon:
    domain: "social.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/mastodon"
    pre_deploy_tasks: true
    post_deploy_tasks: true
    version: v4.2.10
    postgres_version: 14-alpine
    redis_version: 6-alpine
    allowed_sender_domain: true
  rallly:
    domain: "when.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/rallly"
    pre_deploy_tasks: true
    version: "2"
    postgres_version: 14-alpine
    allowed_sender_domain: true
  membersystem:
    domain: "member.{{ base_domain }}"
    django_admins: "Vidir:valberg@orn.li,Balder:benjaoming@data.coop"
    volume_folder: "{{ volume_root_folder }}/membersystem"
    version: latest
    postgres_version: 13-alpine
    allowed_sender_domain: true
  writefreely:
    domain: "write.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/writefreely"
    pre_deploy_tasks: true
    version: v0.15.0
    mariadb_version: "11.2"
    allowed_sender_domain: true
  watchtower:
    volume_folder: "{{ volume_root_folder }}/watchtower"
    version: "1.5.3"
  diun:
    version: "4.28"
    volume_folder: "{{ volume_root_folder }}/diun"
    matrix_user: "@diun:data.coop"
    matrix_room: "#datacoop-services-update:data.coop"
  ### Uptime monitoring ###
  uptime_kuma:
    domain: "uptime.{{ base_domain }}"
    status_domain: "status.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/uptime_kuma"
    pre_deploy_tasks: true
    version: "latest"
 services_exclude: []
 services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"
--- a/roles/services/files/element/riot.im.conf
+++ b/roles/services/files/element/riot.im.conf
--- a/roles/services/files/mastodon/postgresql.conf
+++ b/roles/services/files/mastodon/postgresql.conf
--- a/roles/services/files/matrix/log.config
+++ b/roles/services/files/matrix/log.config
--- a/roles/services/files/privatebin/conf.php
+++ b/roles/services/files/privatebin/conf.php
--- a/roles/services/files/sso/sso.data.coop.pem
+++ b/roles/services/files/sso/sso.data.coop.pem
--- a/roles/services/files/vhost/base_domain
+++ b/roles/services/files/vhost/base_domain
--- a/roles/services/files/vhost/docker_registry
+++ b/roles/services/files/vhost/docker_registry
--- a/roles/services/files/vhost/element
+++ b/roles/services/files/vhost/element
--- a/roles/services/files/vhost/mastodon
+++ b/roles/services/files/vhost/mastodon
--- a/roles/services/files/vhost/matrix
+++ b/roles/services/files/vhost/matrix
--- a/roles/services/files/vhost/nextcloud
+++ b/roles/services/files/vhost/nextcloud
--- a/roles/services/files/vhost/uptime_kuma
+++ b/roles/services/files/vhost/uptime_kuma
--- a/roles/services/files/vhost/www.base_domain
+++ b/roles/services/files/vhost/www.base_domain
--- a/roles/services/handlers/main.yml
+++ b/roles/services/handlers/main.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: restart nginx
  command: docker compose restart proxy
--- a/roles/docker/tasks/block.yml
+++ b/roles/docker/tasks/block.yml
@ -0,0 +1,26 @@
 # vim: ft=yaml.ansible
 ---
 - name: Create volume folder for service {{ service.name }}
  file:
    name: "{{ service.vars.volume_folder }}"
    state: directory
 - name: Upload Compose file for service {{ service.name }}
  template:
    src: compose-files/{{ service.name }}.yml.j2
    dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
    owner: root
    mode: u=rw,go=
 - name: Run pre-deployment tasks for service {{ service.name }}
  include_tasks: pre_deploy/{{ service.name }}.yml
  when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
 - name: Deploy Compose stack for service {{ service.name }}
  command: docker compose up -d --remove-orphans --pull always
  args:
    chdir: "{{ service.vars.volume_folder }}"
 - name: Run post-deployment tasks for service {{ service.name }}
  include_tasks: post_deploy/{{ service.name }}.yml
  when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -1,114 +1,44 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
- name: Add Docker apt PGP key
+- name: Add Docker PGP key
-  ansible.builtin.apt_key:
+  apt_key:
-    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+    keyserver: pgp.mit.edu
-    url: https://download.docker.com/linux/debian/gpg
+    id: 8D81803C0EBFCD88
    state: present
 - name: Add Docker apt repository
-  ansible.builtin.apt_repository:
+  apt_repository:
-    filename: docker
+    repo: deb https://download.docker.com/linux/ubuntu bionic stable
    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present
-    update_cache: true
+    update_cache: yes
 - name: Install Docker
-  ansible.builtin.apt:
+  apt:
-    name:
+    name: "{{ pkgs }}"
-      - containerd.io
+    state: present
  vars:
    pkgs:
      - docker-ce
      - docker-ce-cli
      - docker-buildx-plugin
      - docker-compose-plugin
    state: present
 - name: Create group for Docker socket
  ansible.builtin.group:
    name: docker
    state: present
 - name: Configure rootful Docker
  when: not docker_rootless
  block:
    - name: Make sure Docker is running
      ansible.builtin.service:
        name: docker
        enabled: true
        state: started
 - name: Configure cron job to prune unused Docker data weekly
-      ansible.builtin.cron:
+  cron:
    name: Prune unused Docker data
    cron_file: ansible_docker_prune
-        job: docker system prune -fa --volumes --filter "until=6h"
+    job: 'docker system prune -fa && docker volume prune -fa'
    special_time: weekly
    user: root
    state: present
- name: Configure rootless Docker
+- name: Create folder structure for bind mounts
-  when: docker_rootless
+  file:
-  block:
+    name: "{{ item }}"
-    - name: Make sure rootful Docker is stopped and disabled
+    state: directory
-      ansible.builtin.systemd_service:
+  loop:
-        name: docker
+    - "{{ volume_root_folder }}"
-        enabled: false
+    - "{{ volume_website_folder }}"
        scope: system
        state: stopped
-    - name: Install packages needed by rootless Docker
+- name: Set up services
-      ansible.builtin.apt:
+  import_tasks: services.yml
-        name:
+  tags:
-          - docker-ce-rootless-extras
+    - setup_services
          - uidmap
          - dbus-user-session
          - fuse-overlayfs
          - slirp4netns
        state: present
    - name: Create user for rootless Docker
      ansible.builtin.user:
        name: "{{ docker_rootless_user }}"
        uid: "{{ docker_rootless_user_uid }}"
        comment: Rootless Docker User
        groups:
          - docker
        state: present
    - name: Enable lingering for Docker user
      ansible.builtin.command:
        cmd: loginctl enable-linger {{ docker_rootless_user }}
        creates: /var/lib/systemd/linger/{{ docker_rootless_user }}
    - name: Set DOCKER_HOST environment variable globally
      ansible.builtin.lineinfile:
        path: /etc/profile
        regexp: '^export DOCKER_HOST='
        line: export DOCKER_HOST=unix:///run/user/{{ docker_rootless_user_uid }}/docker.sock
        state: present
    - name: Run rootless Docker setup script
      ansible.builtin.command:
        cmd: dockerd-rootless-setuptool.sh install
        creates: /home/{{ docker_rootless_user }}/.config/systemd/user/docker.service
      become: true
      become_user: "{{ docker_rootless_user }}"
    - name: Make sure rootless Docker is running
      ansible.builtin.systemd_service:
        name: docker.service
        enabled: true
        scope: user
        state: started
      become: true
      become_user: "{{ docker_rootless_user }}"
    - name: Configure cron job to prune unused Docker data weekly
      ansible.builtin.cron:
        name: Prune unused Docker data
        cron_file: ansible_docker_rootless_prune
        job: docker --host unix:///run/user/{{ docker_rootless_user_uid }}/docker.sock system prune -fa --volumes --filter "until=6h"
        special_time: weekly
        user: "{{ docker_rootless_user }}"
        state: present
--- a/roles/services/tasks/post_deploy/docker_registry.yml
+++ b/roles/services/tasks/post_deploy/docker_registry.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Generate htpasswd file
  shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
@ -9,6 +8,6 @@
 - name: log in to registry
  docker_login:
-    registry: docker.data.coop
+    registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
    username: docker
    password: "{{ docker_password }}"
--- a/roles/docker/tasks/post_deploy/mastodon.yml
+++ b/roles/docker/tasks/post_deploy/mastodon.yml
@ -0,0 +1,19 @@
 # vim: ft=yaml.ansible
 ---
 - name: Configure cron job to remove old Mastodon media daily
  cron:
    name: Clean Mastodon media data older than a week
    cron_file: ansible_mastodon_clean_media
    job: docker exec mastodon-web-1 tootctl media remove --days 7
    special_time: daily
    user: root
    state: present
 - name: Configure cron job to remove old Mastodon preview cards daily
  cron:
    name: Clean Mastodon preview card data older than two weeks
    cron_file: ansible_mastodon_clean_preview_cards
    job: docker exec mastodon-web-1 tootctl preview_cards remove --days 14
    special_time: daily
    user: root
    state: present
--- a/roles/services/tasks/pre_deploy/data_coop_website.yml
+++ b/roles/services/tasks/pre_deploy/data_coop_website.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Upload vhost config for root domain
  copy:
--- a/roles/services/tasks/pre_deploy/docker_registry.yml
+++ b/roles/services/tasks/pre_deploy/docker_registry.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
--- a/roles/services/tasks/pre_deploy/element.yml
+++ b/roles/services/tasks/pre_deploy/element.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolder
  file:
--- a/roles/services/tasks/pre_deploy/hedgedoc.yml
+++ b/roles/services/tasks/pre_deploy/hedgedoc.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
--- a/roles/services/tasks/pre_deploy/mailu.yml
+++ b/roles/services/tasks/pre_deploy/mailu.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
@ -35,7 +34,7 @@
    dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
    state: hard
    force: true
-  ignore_errors: true
+  when: letsencrypt_enabled
 - name: Hard link to Let's Encrypt TLS key
  file:
@ -43,4 +42,4 @@
    dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
    state: hard
    force: true
-  ignore_errors: true
+  when: letsencrypt_enabled
--- a/roles/services/tasks/pre_deploy/mastodon.yml
+++ b/roles/services/tasks/pre_deploy/mastodon.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolder for Mastodon data
  file:
@ -44,21 +43,3 @@
  copy:
    src: mastodon/postgresql.conf
    dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"
 - name: Configure cron job to remove old Mastodon media daily
  ansible.builtin.cron:
    name: Clean Mastodon media data older than a week
    cron_file: ansible_mastodon_clean_media
    job: docker compose -f {{ services.mastodon.volume_folder }}/docker-compose.yml exec web tootctl media remove --days 7
    special_time: daily
    user: root
    state: present
 - name: Configure cron job to remove old Mastodon preview cards daily
  ansible.builtin.cron:
    name: Clean Mastodon preview card data older than two weeks
    cron_file: ansible_mastodon_clean_preview_cards
    job: docker compose -f {{ services.mastodon.volume_folder }}/docker-compose.yml exec web tootctl preview_cards remove --days 14
    special_time: daily
    user: root
    state: present
--- a/roles/services/tasks/pre_deploy/matrix.yml
+++ b/roles/services/tasks/pre_deploy/matrix.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
--- a/roles/services/tasks/pre_deploy/nextcloud.yml
+++ b/roles/services/tasks/pre_deploy/nextcloud.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
--- a/roles/services/tasks/pre_deploy/nginx_proxy.yml
+++ b/roles/services/tasks/pre_deploy/nginx_proxy.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
--- a/roles/services/tasks/pre_deploy/openldap.yml
+++ b/roles/services/tasks/pre_deploy/openldap.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
--- a/roles/services/tasks/pre_deploy/postfix.yml
+++ b/roles/services/tasks/pre_deploy/postfix.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Set up network for Postfix
  docker_network:
--- a/roles/services/tasks/pre_deploy/privatebin.yml
+++ b/roles/services/tasks/pre_deploy/privatebin.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolders
  file:
--- a/roles/services/tasks/pre_deploy/rallly.yml
+++ b/roles/services/tasks/pre_deploy/rallly.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolder
  file:
--- a/roles/services/tasks/pre_deploy/restic.yml
+++ b/roles/services/tasks/pre_deploy/restic.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create SSH directory
  file:
--- a/roles/services/tasks/pre_deploy/uptime_kuma.yml
+++ b/roles/services/tasks/pre_deploy/uptime_kuma.yml
--- a/roles/services/tasks/pre_deploy/writefreely.yml
+++ b/roles/services/tasks/pre_deploy/writefreely.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create subfolder for MariaDB data
  file:
--- a/roles/services/tasks/services.yml
+++ b/roles/services/tasks/services.yml
@ -1,5 +1,4 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Set up external services network
  docker_network:
@ -13,7 +12,9 @@
      name: "{{ item }}"
      vars: "{{ services[item] }}"
  loop: "{{ services_include }}"
-  when: single_service is not defined
+  when: single_service is not defined and
        (item.vars.disabled_in_vagrant is not defined or
        not (item.vars.disabled_in_vagrant and vagrant))
 - name: Deploy single service
  include_tasks:
@ -22,4 +23,6 @@
    service:
      name: "{{ single_service }}"
      vars: "{{ services[single_service] }}"
-  when: single_service is defined and single_service in services
+  when: single_service is defined and single_service in services and
        (services[single_service].disabled_in_vagrant is not defined or
        not (services[single_service].disabled_in_vagrant and vagrant))
--- a/roles/services/templates/compose-files/cryptoaarhus_website.yml.j2
+++ b/roles/services/templates/compose-files/cryptoaarhus_website.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/cryptohagen_website.yml.j2
+++ b/roles/services/templates/compose-files/cryptohagen_website.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/data_coop_website.yml.j2
+++ b/roles/services/templates/compose-files/data_coop_website.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/diun.yml.j2
+++ b/roles/services/templates/compose-files/diun.yml.j2
@ -1,6 +1,5 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.ansible
-# THIS FILE IS MANAGED BY ANSIBLE
+---
 version: "3.5"
 services:
--- a/roles/services/templates/compose-files/docker_registry.yml.j2
+++ b/roles/services/templates/compose-files/docker_registry.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/drone.yml.j2
+++ b/roles/services/templates/compose-files/drone.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/element.yml.j2
+++ b/roles/services/templates/compose-files/element.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/fedi_dk_website.yml.j2
+++ b/roles/services/templates/compose-files/fedi_dk_website.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/forgejo.yml.j2
+++ b/roles/services/templates/compose-files/forgejo.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/hedgedoc.yml.j2
+++ b/roles/services/templates/compose-files/hedgedoc.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/keycloak.yml.j2
+++ b/roles/services/templates/compose-files/keycloak.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/mailu.yml.j2
+++ b/roles/services/templates/compose-files/mailu.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/mastodon.yml.j2
+++ b/roles/services/templates/compose-files/mastodon.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 x-sidekiq: &sidekiq
  image: tootsuite/mastodon:{{ services.mastodon.version }}
  restart: always
--- a/roles/services/templates/compose-files/matrix.yml.j2
+++ b/roles/services/templates/compose-files/matrix.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/membersystem.yml.j2
+++ b/roles/services/templates/compose-files/membersystem.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/netdata.yml.j2
+++ b/roles/services/templates/compose-files/netdata.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services: 
--- a/roles/services/templates/compose-files/nextcloud.yml.j2
+++ b/roles/services/templates/compose-files/nextcloud.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/nginx_proxy.yml.j2
+++ b/roles/services/templates/compose-files/nginx_proxy.yml.j2
@ -1,6 +1,3 @@
 {# code: language=ansible-jinja #}
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
@ -22,6 +19,7 @@ services:
    labels:
      - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
 {% if letsencrypt_enabled %}
  acme:
    image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }}
    restart: always
@ -33,6 +31,7 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - proxy
 {% endif %}
 networks:
  external_services:
--- a/roles/services/templates/compose-files/openldap.yml.j2
+++ b/roles/services/templates/compose-files/openldap.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/passit.yml.j2
+++ b/roles/services/templates/compose-files/passit.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/portainer.yml.j2
+++ b/roles/services/templates/compose-files/portainer.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/postfix.yml.j2
+++ b/roles/services/templates/compose-files/postfix.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/privatebin.yml.j2
+++ b/roles/services/templates/compose-files/privatebin.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/rallly.yml.j2
+++ b/roles/services/templates/compose-files/rallly.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/restic.yml.j2
+++ b/roles/services/templates/compose-files/restic.yml.j2
@ -1,14 +1,12 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
  backup:
    image: mazzolino/restic:{{ services.restic.version }}
    restart: always
-    hostname: {{ hostname }}
+    hostname: {{ inventory_hostname_short }}
-    domainname: {{ fqdn }}
+    domainname: {{ inventory_hostname }}
    environment:
      RUN_ON_STARTUP: false
      BACKUP_CRON: "0 30 3 * * *"
--- a/roles/services/templates/compose-files/slides_2022_website.yml.j2
+++ b/roles/services/templates/compose-files/slides_2022_website.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/ulovliglogning_website.yml.j2
+++ b/roles/services/templates/compose-files/ulovliglogning_website.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/uptime_kuma.yml.j2
+++ b/roles/services/templates/compose-files/uptime_kuma.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: '3.3'
 services:
--- a/roles/services/templates/compose-files/vhs_website.yml.j2
+++ b/roles/services/templates/compose-files/vhs_website.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/watchtower.yml.j2
+++ b/roles/services/templates/compose-files/watchtower.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/compose-files/writefreely.yml.j2
+++ b/roles/services/templates/compose-files/writefreely.yml.j2
@ -1,6 +1,4 @@
-{# code: language=ansible-jinja #}
+# vim: ft=yaml.docker-compose
 # THIS FILE IS MANAGED BY ANSIBLE
 version: "3.8"
 services:
--- a/roles/services/templates/element/config.json.j2
+++ b/roles/services/templates/element/config.json.j2
--- a/roles/services/templates/mailu/env.j2
+++ b/roles/services/templates/mailu/env.j2
--- a/roles/services/templates/mastodon/env.j2
+++ b/roles/services/templates/mastodon/env.j2
--- a/roles/services/templates/matrix/homeserver.yaml.j2
+++ b/roles/services/templates/matrix/homeserver.yaml.j2
--- a/roles/services/templates/rallly/env.j2
+++ b/roles/services/templates/rallly/env.j2
--- a/roles/services/templates/restic/failure.sh.j2
+++ b/roles/services/templates/restic/failure.sh.j2
--- a/roles/services/templates/restic/ssh.config.j2
+++ b/roles/services/templates/restic/ssh.config.j2
--- a/roles/services/templates/restic/ssh.known_hosts.j2
+++ b/roles/services/templates/restic/ssh.known_hosts.j2
--- a/roles/services/templates/restic/success.sh.j2
+++ b/roles/services/templates/restic/success.sh.j2
--- a/roles/services/templates/writefreely/config.ini.j2
+++ b/roles/services/templates/writefreely/config.ini.j2
--- a/roles/services/defaults/main.yml
+++ b/roles/services/defaults/main.yml
@ -1,232 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 volume_root_folder: "/docker-volumes"
 volume_website_folder: "{{ volume_root_folder }}/websites"
 services:
  ### Internal services ###
  postfix:
    domain: "smtp.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/postfix"
    pre_deploy_tasks: true
    version: "v3.6.1-alpine"
  nginx_proxy:
    volume_folder: "{{ volume_root_folder }}/nginx"
    pre_deploy_tasks: true
    version: "1.3-alpine"
    acme_companion_version: "2.2"
  openldap:
    domain: "ldap.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/openldap"
    pre_deploy_tasks: true
    version: "1.5.0"
    phpldapadmin_version: "0.9.0"
  netdata:
    domain: "netdata.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/netdata"
    version: "v1"
  portainer:
    domain: "portainer.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/portainer"
    version: "2.19.0"
  keycloak:
    domain: sso.{{ base_domain }}
    volume_folder: "{{ volume_root_folder }}/keycloak"
    version: "22.0"
    postgres_version: "10"
    allowed_sender_domain: true
  restic:
    volume_folder: "{{ volume_root_folder }}/restic"
    pre_deploy_tasks: true
    remote_user: dc-user
    remote_domain: rynkeby.skovgaard.tel
    host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
    repository: restic
    version: "1.7.0"
    disabled_in_vagrant: true
    # mail dance
    domain: "noreply.{{ base_domain }}"
    allowed_sender_domain: true
    mail_from: "backup@noreply.{{ base_domain }}"
  docker_registry:
    domain: "docker.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/docker-registry"
    pre_deploy_tasks: true
    post_deploy_tasks: true
    username: "docker"
    password: "{{ docker_password }}"
    version: "2"
  ### External services ###
  nextcloud:
    domain: "cloud.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/nextcloud"
    pre_deploy_tasks: true
    version: 28-apache
    postgres_version: "10"
    redis_version: 7-alpine
    allowed_sender_domain: true
  forgejo:
    domain: "git.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/forgejo"
    version: "7.0.5"
    allowed_sender_domain: true
  passit:
    domain: "passit.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/passit"
    version: stable
    postgres_version: 15-alpine
    allowed_sender_domain: true
  matrix:
    domain: "matrix.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/matrix"
    pre_deploy_tasks: true
    version: v1.114.0
    postgres_version: 15-alpine
    allowed_sender_domain: true
  element:
    domain: "element.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/element"
    pre_deploy_tasks: true
    version: v1.11.80
  privatebin:
    domain: "paste.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/privatebin"
    pre_deploy_tasks: true
    version: "20221009"
  hedgedoc:
    domain: "pad.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/hedgedoc"
    pre_deploy_tasks: true
    version: 1.9.9-alpine
    postgres_version: 10-alpine
  data_coop_website:
    domain: "{{ base_domain }}"
    www_domain: "www.{{ base_domain }}"
    volume_folder: "{{ volume_website_folder }}/datacoop"
    pre_deploy_tasks: true
    version: stable
    staging_domain: "staging.{{ base_domain }}"
    staging_version: staging
  slides_2022_website:
    domain: "2022.slides.{{ base_domain }}"
    volume_folder: "{{ volume_website_folder }}/slides-2022"
    version: latest
  fedi_dk_website:
    domain: fedi.dk
    volume_folder: "{{ volume_website_folder }}/fedidk"
    version: latest
  vhs_website:
    domain: vhs.data.coop
    volume_folder: "{{ volume_website_folder }}/vhs"
    version: latest
  cryptohagen_website:
    domains:
      - "cryptohagen.dk"
      - "www.cryptohagen.dk"
    volume_folder: "{{ volume_website_folder }}/cryptohagen"
  ulovliglogning_website:
    domains:
      - "ulovliglogning.dk"
      - "www.ulovliglogning.dk"
      - "ulovlig-logning.dk"
      - "www.ulovlig-logning.dk"
    volume_folder: "{{ volume_website_folder }}/ulovliglogning"
  cryptoaarhus_website:
    domains:
      - "cryptoaarhus.dk"
      - "www.cryptoaarhus.dk"
    volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
  drone:
    domain: "drone.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/drone"
    version: "1"
  mailu:
    domain: "mail.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/mailu"
    pre_deploy_tasks: true
    dns: 192.168.203.254
    subnet: 192.168.203.0/24
    version: "2.0"
    postgres_version: 14-alpine
    redis_version: alpine
  mastodon:
    domain: "social.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/mastodon"
    pre_deploy_tasks: true
    post_deploy_tasks: true
    version: v4.2.10
    postgres_version: 14-alpine
    redis_version: 6-alpine
    allowed_sender_domain: true
  rallly:
    domain: "when.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/rallly"
    pre_deploy_tasks: true
    version: "2"
    postgres_version: 14-alpine
    allowed_sender_domain: true
  membersystem:
    domain: "member.{{ base_domain }}"
    django_admins: "Vidir:valberg@orn.li,Balder:benjaoming@data.coop"
    volume_folder: "{{ volume_root_folder }}/membersystem"
    version: latest
    postgres_version: 13-alpine
    allowed_sender_domain: true
  writefreely:
    domain: "write.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/writefreely"
    pre_deploy_tasks: true
    version: v0.15.0
    mariadb_version: "11.2"
    allowed_sender_domain: true
  watchtower:
    volume_folder: "{{ volume_root_folder }}/watchtower"
    version: "1.5.3"
  diun:
    version: "4.28"
    volume_folder: "{{ volume_root_folder }}/diun"
    matrix_user: "@diun:data.coop"
    matrix_room: "#datacoop-services-update:data.coop"
  ### Uptime monitoring ###
  uptime_kuma:
    domain: "uptime.{{ base_domain }}"
    status_domain: "status.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/uptime_kuma"
    pre_deploy_tasks: true
    version: "latest"
 services_exclude:
  - uptime_kuma
 services_include: "{{ services | dict2items | map(attribute='key') | community.general.lists_difference(services_exclude) }}"
--- a/roles/services/tasks/block.yml
+++ b/roles/services/tasks/block.yml
@ -1,30 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create volume folder for service '{{ service.name }}'
  file:
    name: "{{ service.vars.volume_folder }}"
    state: directory
 - name: Upload Compose file for service '{{ service.name }}'
  template:
    src: compose-files/{{ service.name }}.yml.j2
    dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
    owner: root
    mode: u=rw,go=
 - name: Run pre-deployment tasks for service '{{ service.name }}'
  ansible.builtin.include_tasks: pre_deploy/{{ service.name }}.yml
  when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
 - name: Deploy service '{{ service.name }}'
  when: deploy_services is defined and deploy_services
  block:
    - name: Deploy Compose stack for service '{{ service.name }}'
      ansible.builtin.command:
        cmd: docker compose up -d --remove-orphans
        chdir: "{{ service.vars.volume_folder }}"
    - name: Run post-deployment tasks for service '{{ service.name }}'
      ansible.builtin.include_tasks: post_deploy/{{ service.name }}.yml
      when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks
--- a/roles/services/tasks/main.yml
+++ b/roles/services/tasks/main.yml
@ -1,15 +0,0 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
 - name: Create folder structure for bind mounts
  file:
    name: "{{ item }}"
    state: directory
  loop:
    - "{{ volume_root_folder }}"
    - "{{ volume_website_folder }}"
 - name: Set up services
  import_tasks: services.yml
  tags:
    - setup_services
--- a/roles/ubuntu_base/tasks/base.yml
+++ b/roles/ubuntu_base/tasks/base.yml
@ -0,0 +1,17 @@
 # vim: ft=yaml.ansible
 ---
 - name: Install necessary packages via apt
  apt:
    name: "{{ packages }}"
  vars:
    packages:
      - aptitude
      - python3-pip
      - apparmor
      - haveged
      - mosh
 - name: Install Dell OpenManage
  apt:
    name: srvadmin-all
  when: not vagrant and not skip_dell_apt_repo
--- a/roles/ubuntu_base/tasks/dell-apt-repo.yml
+++ b/roles/ubuntu_base/tasks/dell-apt-repo.yml
@ -0,0 +1,20 @@
 # vim: ft=yaml.ansible
 ---
 - name: Import dell apt signing key
  apt_key:
    id: "1285491434D8786F"
    keyserver: "keyserver.ubuntu.com"
 - name: Configure dell apt repo
  apt_repository:
    repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main"
    state: present
 - name: Restrict dell apt repo"
  copy:
    dest: "/etc/apt/preferences.d/dell"
    content: |
      Explanation: Deny all packages from this repo that exist elsewhere
      Package: *
      Pin: origin "linux.dell.com"
      Pin-Priority: 400
--- a/Show more
+++ b/Show more