Compare commits

...

141 commits

Author SHA1 Message Date
reynir fd2d2e025f Merge pull request 'Upgrade element some more' (#221) from upgrade-element into main
Reviewed-on: #221
2024-10-14 08:16:26 +00:00
Reynir Björnsson 7eb0fe0a3d Upgrade element some more
***Upgrading intensifies***
2024-10-14 10:07:32 +02:00
reynir f52f21e62b Merge pull request 'Upgrade element' (#220) from upgrade-element into main
Reviewed-on: #220
2024-10-14 08:04:42 +00:00
Reynir Björnsson ad9615f52e Upgrade element 2024-10-14 10:01:42 +02:00
Viðir Valberg Guðmundsson b96cbe4ad9 Upgrade matrix (synapse) to 1.114.0. Close #219 2024-09-13 09:58:48 +02:00
Viðir Valberg Guðmundsson eee176aec6 Update secrets. 2024-08-04 06:58:21 +02:00
Viðir Valberg Guðmundsson 5502870384 Add data.coop to postfix ALLOWED_SENDER_DOMAINS. 2024-08-03 20:39:24 +02:00
Viðir Valberg Guðmundsson 3689eb7687 Add stripe secrets. 2024-08-03 00:56:22 +02:00
valberg 717db9055c Merge pull request 'Update environment variables re: data.coop/membersystem#38' (#216) from benjaoming/ansible:membersystem-envs into main
Reviewed-on: #216
Reviewed-by: valberg <valberg@orn.li>
2024-08-02 22:53:04 +00:00
valberg 5ff603393b Update roles/docker/defaults/main.yml 2024-08-02 22:52:37 +00:00
Benjamin Bach c00ab53269
Update environment variables re: data.coop/membersystem#38 2024-08-01 13:46:21 +02:00
Viðir Valberg Guðmundsson 8ae844f2df Bump matrix synapse to v1.110.0. 2024-07-15 10:37:50 +02:00
Viðir Valberg Guðmundsson bd0dc90c44 Bump mastodon to 4.2.10. 2024-07-04 21:04:42 +02:00
Viðir Valberg Guðmundsson abca90c219 Bump forgejo to 7.0.5 2024-07-03 22:09:58 +02:00
Viðir Valberg Guðmundsson 3e24254b57 Bump element to v1.11.69. 2024-06-19 21:17:22 +02:00
Viðir Valberg Guðmundsson bd4f92fd65 Bump matrix synapse to v1.109.0. 2024-06-19 21:12:58 +02:00
Viðir Valberg Guðmundsson 1bba1d066b Add matrix notifications to diun. 2024-06-19 20:57:50 +02:00
Viðir Valberg Guðmundsson aeaa48d7ca Bump forgejo to 7.0.4 2024-06-19 20:12:48 +02:00
Víðir Valberg Guðmundsson ed237c9661 Bump mastodon to 4.2.9 2024-05-30 21:12:56 +02:00
Sam A. e633ca13b4
Add hostname to Restic container 2024-03-29 21:01:50 +01:00
Víðir Valberg Guðmundsson 92ca044d06 Adding diun (#208)
Closes #174

Reviewed-on: #208
Co-authored-by: Víðir Valberg Guðmundsson <valberg@orn.li>
Co-committed-by: Víðir Valberg Guðmundsson <valberg@orn.li>
2024-03-28 14:02:24 +00:00
Víðir Valberg Guðmundsson 41116063a2 Bump forgejo to 1.21.8. 2024-03-28 14:33:12 +01:00
valberg 1bfa6bdd1d Merge pull request 'Fix another instance of domain=>remote_domain' (#205) from fix-restic-domain into main
Reviewed-on: #205
Reviewed-by: valberg <valberg@orn.li>
2024-03-08 10:05:06 +00:00
Reynir Björnsson 9a03f71252 Fix another instance of domain=>remote_domain 2024-03-08 10:57:32 +01:00
reynir 00927a19df Merge pull request 'Rename variables to avoid name clash' (#204) from fix-restic-domain into main
Reviewed-on: #204
Reviewed-by: valberg <valberg@orn.li>
2024-03-06 12:40:47 +00:00
Reynir Björnsson a0988aa05d Rename variables to avoid name clash 2024-03-06 13:38:46 +01:00
Víðir Valberg Guðmundsson 4112bb73b6 Bump forgejo to 1.21.7. 2024-03-06 13:35:47 +01:00
Víðir Valberg Guðmundsson e30f1d57d5 Bump mastodon (deployed some time ago). 2024-03-06 13:32:50 +01:00
reynir ebf3608bdc Merge pull request 'Add uptime-kuma push url for restic' (#203) from restic-uptime-kuma into main
Reviewed-on: #203
2024-03-06 12:29:44 +00:00
Reynir Björnsson ce030b2dea Fixup yaml 2024-03-05 09:57:55 +01:00
Reynir Björnsson 4f129168c6 Add uptime-kuma push url for restic 2024-03-05 09:55:04 +01:00
Reynir Björnsson d468e49830 . 2024-03-04 14:15:52 +01:00
Reynir Björnsson ae497f0284 . 2024-03-04 13:30:58 +01:00
Reynir Björnsson ac64706fcb . 2024-03-04 12:48:51 +01:00
Reynir Björnsson 9fb16d3a69 Address comments by @samsapti
We need to use ':' instead of '=' in yaml for environment variable
bindings.
Spurious tab where it should be all spaces
Rename variable mail-from to mail_from to align with existing code style
Nit: change email addresses
2024-03-04 09:20:04 +01:00
Reynir Björnsson 6982d0feaa Restic: send an email on backup failure 2024-03-03 21:17:48 +01:00
Sam A. 1b68766cd6
Improv 2024-03-01 20:53:08 +01:00
Sam A. d90b769640 Merge pull request 'Add uptime kuma as a service we can deploy to a different host for monitoring.' (#196) from add_uptime_data_coop into main
Reviewed-on: #196
Reviewed-by: Sam A. <samsapti@noreply@git.data.coop>
2024-03-01 19:47:57 +00:00
Sam A. f792bf3dd1
Fixes and add Watchtower to Uptime Kuma instance 2024-02-29 20:45:59 +01:00
Víðir Valberg Guðmundsson 266f990d1a Pin forgejo to 1.21.6-0. 2024-02-22 20:44:55 +01:00
Víðir Valberg Guðmundsson 241d63494f Upgrade forgejo to 1.21. Closes #201. 2024-02-21 14:26:28 +01:00
Víðir Valberg Guðmundsson 4c65521447 Mastodon: Fix container name for crontab cleanup jobs 2024-02-21 13:36:31 +01:00
valberg a95c3ea17e Merge pull request 'Forgejo SMTP_ADDR was split into ditto + SMTP_PORT' (#200) from forgejo-smtp-port into main
Reviewed-on: #200
2024-02-21 11:19:01 +00:00
Reynir Björnsson 590597b137 Forgejo SMTP_ADDR was split into ditto + SMTP_PORT
And the default SMTP_PORT is 25 while we use 587 => mail notifications
broke
2024-02-21 11:23:29 +01:00
Sam A. d05a504e61
Move vars around 2024-02-18 17:27:52 +01:00
Sam A. a99b39824c
Merge branch 'main' into add_uptime_data_coop 2024-02-18 17:23:43 +01:00
Sam A. 7aae344da0
Don't specify service settings twice 2024-02-18 17:18:54 +01:00
Víðir Valberg Guðmundsson 26b98681fc Bump mastodon to 4.2.7. 2024-02-16 15:35:12 +01:00
Víðir Valberg Guðmundsson 542268ffc6 Bump mastodon to 4.2.6. 2024-02-14 20:43:05 +01:00
Víðir Valberg Guðmundsson 54a63ca069 Add uptime kuma as a service we can deploy to a different host for monitoring. 2024-02-11 14:50:21 +01:00
Sam A. 46ffcd792c
Add missing bind mount and upgrade WriteFreely, close #192 2024-02-09 22:00:02 +01:00
Víðir Valberg Guðmundsson 068d3bd444 Bump mastodon to 4.2.5. 2024-02-01 18:55:42 +01:00
Sam A. 39fffe71ae
Upgrade Nextcloud to version 28 2024-01-13 15:04:02 +01:00
Sam A. 0fdfd2e76f
Exclude Mastodon cache from backup 2024-01-10 18:03:39 +01:00
Sam A. 9164b39906
Fix Postfix DNS name not found 2023-12-12 22:00:55 +01:00
Sam A. 88c4d99fc0
Upgrade Matrix (Synapse) to v1.98.0 2023-12-12 21:30:47 +01:00
Sam A. 7ef64bd132
Upgrade Element, close #184 2023-12-12 21:16:46 +01:00
Sam A. a3b5f5520d
Correct folder name for webmail overrides 2023-12-10 22:04:09 +01:00
Sam A. dfcca8a3e9
Fix Mailu admin container DNS conflict with OpenLDAP admin 2023-12-10 22:01:04 +01:00
Sam A. f627d1cf32
Upgrade Mailu, close #167 2023-12-10 18:04:50 +01:00
Sam A. c7289b4c5a Merge pull request 'Refactor service deployment + upload Compose files to the server' (#178) from compose-files into main
Reviewed-on: #178
2023-12-09 18:38:11 +00:00
Sam A. bd074929ac
Fix stuff 2023-12-09 19:37:46 +01:00
Sam A. e426c3d6c5
Rename Write Freely compose file 2023-12-07 20:47:11 +01:00
Sam A. 3b8c526da1
Merge branch 'main' into compose-files 2023-12-07 20:39:04 +01:00
Víðir Valberg Guðmundsson 27321a16a2 Fix writefreely mariadb datadir and set user_invites to admin. 2023-12-03 23:49:06 +01:00
valberg 0166d2434d Merge pull request 'Add writefreely instance.' (#179) from writefreely into main
Reviewed-on: #179
2023-12-03 22:31:39 +00:00
Víðir Valberg Guðmundsson 6e4b3e4aa4 Add writefreely instance. 2023-12-03 23:24:33 +01:00
Víðir Valberg Guðmundsson 04d4e38751 Remove some more byro stuff. 2023-12-03 22:20:19 +01:00
Sam A. 4082c6fde3
Add from_vagrant to deploy.sh 2023-11-04 01:20:53 +01:00
Sam A. 85e1da3cbf
Last fixes + install Compose v2 plugin 2023-10-04 22:05:59 +02:00
Sam A. 15fa5d6215
No need for Python Docker bindings since we use Docker cmd 2023-10-04 22:02:11 +02:00
Sam A. 2966e6715b
Add shell to users 2023-10-04 21:44:37 +02:00
Sam A. 5ae78bcd17
Fix magic 2023-10-04 21:34:59 +02:00
Sam A. 3dc4e14c15
Bump Vagrant specs 2023-10-04 19:59:09 +02:00
Sam A. af6a130695
Fix handler and name 2023-10-04 19:58:54 +02:00
Sam A. 98fcc2d634
Include service name in task names in block.yml 2023-10-04 19:44:39 +02:00
Sam A. 3ac2d83971
Magic 2023-10-04 19:43:11 +02:00
Sam A. 3001317e20
Ansible doesn't support looping over a block 2023-10-04 19:35:52 +02:00
Sam A. 301d1b7719
Add missing volume_folder vars 2023-10-04 19:35:09 +02:00
Sam A. f8b4e49f7f
Don't base 'vagrant' on virtualization (prep for Proxmox) 2023-10-04 18:43:33 +02:00
Sam A. d0b23d4ef5
Specify cpus in Vagrantfile 2023-10-04 18:37:57 +02:00
Sam A. 6cb06d43f1
Formatting 2023-10-03 22:13:30 +02:00
Sam A. 62f548d05b
Fix task for single service 2023-10-03 22:00:51 +02:00
Sam A. f067a1b6c2
Convert websites to Compose stacks 2023-10-03 21:45:21 +02:00
Sam A. 52b1d1ccd2
Use a block to deploy all services + add pre_deploy and post_deploy 2023-10-03 21:19:51 +02:00
Sam A. f50831460c
Convert all services to Compose stacks 2023-09-30 18:46:17 +02:00
Sam A. 728455f42a
Convert Netdata to a Compose stack, close #80 2023-09-30 17:19:10 +02:00
Sam A. 85aa718480
Split Matrix and Element into their own Compose stacks 2023-09-30 16:42:16 +02:00
Sam A. a47440b6b5
Move compose files into templates and upload them to the host 2023-09-30 16:25:06 +02:00
Sam A. 3098e1e320 Merge pull request 'Move static files into files/ and Jinja2 templates into templates/' (#169) from move_stuff_around into main
Reviewed-on: #169
2023-09-29 21:09:07 +00:00
Sam A. 656fb6baab
Merge branch 'main' into move_stuff_around 2023-09-29 23:02:07 +02:00
Sam A. 28992b66af
Remove remaining Byro files 2023-09-29 22:56:48 +02:00
Sam A. 136b675ccd
Upgrade Mastodon to 4.2.0, close #176 2023-09-29 21:54:21 +02:00
Sam A. ddb9629dea
Fix spacing and indentation 2023-09-29 21:09:23 +02:00
Víðir Valberg Guðmundsson 1449185591 Remove byro. 2023-09-25 09:48:29 +02:00
Víðir Valberg Guðmundsson 191ba1e011 Bump mastodon to 4.1.9. 2023-09-25 09:48:29 +02:00
Sam A. 2629c7c2f9
Replace another deprecated option for Forgejo 2023-09-23 16:43:31 +02:00
Sam A. 927d1e31ee
Replace deprecated option for Forgejo 2023-09-23 16:38:45 +02:00
Sam A. d662ae321e
Remove CodiMD, close #122 2023-09-16 18:22:48 +02:00
Sam A. 0272b93527
Upgrade Keycloak 2023-09-16 18:01:11 +02:00
Sam A. a372c1a980
Upgrade a bunch of stuff 2023-09-16 17:41:05 +02:00
Víðir Valberg Guðmundsson c50bccfada Upgrade portainer from 2.16.2 to 2.19.0 2023-09-16 14:27:44 +02:00
Sam A. 4e6f18311d
Use subfolders for templates as well 2023-08-05 19:35:55 +02:00
Sam A. a741a0c26c
Switch to Forgejo, close #145 2023-07-26 18:06:40 +02:00
Sam A. bb145efff2
Pull images on website 2023-07-26 17:15:35 +02:00
Sam A. 2a74df91f1 MERGE IT
Reviewed-on: #172
2023-07-26 15:05:11 +00:00
Sam A. 085bb1dfe7
Avoid code duplication 2023-07-26 17:03:33 +02:00
Benjamin Bach 4d09c1ec11
Update ansible task for data.coop website with new branches and docker images 2023-07-25 22:17:35 +02:00
Sam A. f9946e72ca
Merge branch 'main' into move_stuff_around 2023-07-20 18:09:41 +02:00
Sam A. 9126fd8d61
Quote number-like version numbers 2023-07-19 19:38:31 +02:00
Sam A. fc74fa0a3b
Upgrade Gitea to 1.20, close #165 2023-07-19 19:35:28 +02:00
Sam A. 1ebaef9f59
Fix cron job... 2023-07-11 22:52:59 +02:00
Sam A. e2a6d19a32
Fix folder permissions for Mastodon 2023-07-11 22:26:08 +02:00
Sam A. ec73fb702c
Fix cron job name 2023-07-11 22:02:21 +02:00
Sam A. 7d8b96cef0
Add cron jobs to clean cached Mastodon data, close #170 2023-07-11 21:56:04 +02:00
Sam A. 9920676155
Fix sender domains for Postfix 2023-07-11 21:44:05 +02:00
Víðir Valberg Guðmundsson 8c24a02a43 Enable email in matrix. 2023-07-11 21:30:22 +02:00
Sam A. 7d13fc5302
Use service names instead of subdomains for vhost file names 2023-07-09 23:07:23 +02:00
Sam A. ef7c00b748
Fix quote 2023-07-09 20:39:07 +02:00
Sam A. 863b285b07
Move files to their correct directories (files in files, Jinja2 templates in templates) 2023-07-09 20:27:32 +02:00
Sam A. c5857d0ba8
Don't put unnecessary executables in git 2023-07-09 19:51:26 +02:00
Sam A. f5ffd21dd3
Upgrade Nextcloud to version 27, close #164 2023-07-09 19:42:33 +02:00
Sam A. de67592d6e
Upgrade Synapse to v1.87.0, close #166 2023-07-09 19:24:01 +02:00
Víðir Valberg Guðmundsson bc4868cd8e Add byro.data.coop - a possible replacement for our own membersystem. 2023-07-09 11:49:21 +02:00
Víðir Valberg Guðmundsson 1a3ba48c07 Upgrade mastodon to 4.1.4. Close #154 2023-07-09 11:31:39 +02:00
Sam A. 96f65c02da
Add cron job to prune unused Docker data (close #168) 2023-07-07 18:15:01 +02:00
Víðir Valberg Guðmundsson 604c67e28f Point mailu definition to ghcr.io to get images. 2023-07-06 22:15:08 +02:00
Víðir Valberg Guðmundsson 30b52c2747 Upgrade mastodon to 4.0.5. 2023-07-06 22:14:29 +02:00
Víðir Valberg Guðmundsson b2b949ee98 Add www.ulovlig-logning.dk as a valid address for the ulovlig logning website. 2023-04-26 14:04:08 +02:00
Sam A. d8d0d32838
Upgrade Matrix (Synapse) to v1.81.0 2023-04-16 14:26:17 +02:00
Sam A. d2681c27a0
Rename Riot to Element globally 2023-04-08 00:45:30 +02:00
Sam A. f1df97ca04
Upgrade Element 2023-04-08 00:31:38 +02:00
Sam A. 493062b00a
Upgrade Matrix (Synapse) to v1.80.0 2023-04-08 00:15:05 +02:00
Sam A. 863cd56001
Upgrade HedgeDoc and Postfix 2023-04-06 19:10:47 +02:00
Sam A. f7afe5ba00
Fix spacing 2023-03-29 18:27:24 +02:00
Sam A. f9049451e9
Raise message rate limit for Mailu 2023-03-29 18:11:10 +02:00
Sam A. b5d980510d
FIDO bug in Passit should be fixed now 2023-03-26 18:35:30 +02:00
Sam A. b042d555b6
Edit README.md to describe users option 2023-03-14 16:17:02 +01:00
Sam A. 98d57e4cfa
Add SSH key for samsapti 2023-03-14 16:14:53 +01:00
Sam A. b1f1db5b30
Simplify Docker service names for Restic
This simplifies container names such as "restic_backup_restic-backup_1"
to "restic_backup_1".
2023-03-09 17:50:13 +01:00
Sam A. 9cc70decab
Upgrade Restic 2023-03-09 17:43:25 +01:00
119 changed files with 2118 additions and 1802 deletions

.gitignore (vendored, 2 changed lines)

@ -1,4 +1,4 @@
playbook.retry *.retry
*.sw* *.sw*
.vagrant/ .vagrant/
*.log *.log
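Review bot: widening `playbook.retry` to `*.retry` matches the new `retry_files_enabled = True` in ansible.cfg, which writes a `<playbook>.retry` file next to whichever playbook fails; keeping those out of the repository is right, since they list the hosts that failed on the last run.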


@ -26,6 +26,9 @@ Here is a summary of the options that can be used with the script:
# deploy the ubuntu_base role only # deploy the ubuntu_base role only
./deploy.sh base ./deploy.sh base
# deploy user setup only
./deploy.sh users
# deploy the docker role only # deploy the docker role only
./deploy.sh services ./deploy.sh services
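Review bot: the new `# deploy user setup only` comment reads differently from its neighbours (`# deploy the ubuntu_base role only`, `# deploy the docker role only`); phrase it the same way, and consider stating which tag each subcommand runs, since none of the three examples says so.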

Vagrantfile (vendored, 10 changed lines)

@ -13,7 +13,8 @@ Vagrant.configure(2) do |config|
config.vm.hostname = "datacoop" config.vm.hostname = "datacoop"
config.vm.provider :virtualbox do |v| config.vm.provider :virtualbox do |v|
v.memory = 8192 v.cpus = 8
v.memory = 16384
end end
config.vm.provision :ansible do |ansible| config.vm.provision :ansible do |ansible|
@ -26,7 +27,12 @@ Vagrant.configure(2) do |config|
if provisioned? if provisioned?
config.ssh.guest_port = PORT config.ssh.guest_port = PORT
ansible.extra_vars = { ansible.extra_vars = {
ansible_port: PORT ansible_port: PORT,
from_vagrant: true
}
else
ansible.extra_vars = {
from_vagrant: true
} }
end end
end end
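Review bot: `from_vagrant: true` is duplicated in both branches of `if provisioned?`; set the hash once and add `ansible_port` conditionally, for example `ansible.extra_vars = { from_vagrant: true }` followed by `ansible.extra_vars[:ansible_port] = PORT if provisioned?`, so a future extra var cannot be added to one branch and forgotten in the other.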


@ -1,4 +1,8 @@
[defaults] [defaults]
remote_user = root ask_vault_pass = True
inventory = datacoop_hosts inventory = datacoop_hosts
interpreter_python = /usr/bin/python3
remote_user = root
retry_files_enabled = True
use_persistent_connections = True use_persistent_connections = True
forks = 10
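Review bot: `forks = 10` is dropped without replacement, which silently reverts to Ansible's default of 5 parallel forks; if that is intended it belongs in the commit message, otherwise keep the line. `ask_vault_pass = True` pairs with removing `--ask-vault-pass` from `BASE_CMD` in deploy.sh, which is fine, but note it now also applies to any ad-hoc `ansible` run against this inventory. `interpreter_python = /usr/bin/python3` makes the per-host `ansible_python_interpreter=/usr/bin/python3` in the inventory redundant.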


@ -1,3 +1,5 @@
###################################### [production]
### All hosts hevonen.servers.data.coop ansible_port=19022
hevonen.servers.data.coop ansible_port=19022 ansible_python_interpreter=/usr/bin/python3
[monitoring]
uptime.data.coop
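Review bot: `uptime.data.coop` in `[monitoring]` gets no `ansible_port`, so it will be contacted on port 22 while `[production]` uses 19022; if the monitoring host is meant to use the same non-default SSH port, set it here or in group_vars. With `interpreter_python = /usr/bin/python3` now in ansible.cfg, the `ansible_python_interpreter=/usr/bin/python3` host var on `hevonen` can go.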


@ -4,14 +4,16 @@ usage () {
{ {
echo "Usage: $0 [--vagrant]" echo "Usage: $0 [--vagrant]"
echo "Usage: $0 [--vagrant] base" echo "Usage: $0 [--vagrant] base"
echo "Usage: $0 [--vagrant] users"
echo "Usage: $0 [--vagrant] services [SERVICE]" echo "Usage: $0 [--vagrant] services [SERVICE]"
} >&2 } >&2
} }
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass" BASE_CMD="ansible-playbook playbook.yml"
if [ "$1" = "--vagrant" ]; then if [ "$1" = "--vagrant" ]; then
BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host" BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
VAGRANT_VAR="from_vagrant"
shift shift
fi fi
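Review bot: `VAGRANT_VAR` is only assigned inside the `--vagrant` branch, so the later `test -z "$VAGRANT_VAR"` checks depend on the variable being unset when the flag is absent; initialise it to an empty string before the `if` so the script behaves the same under `set -u` or when a `VAGRANT_VAR` is inherited from the environment. Dropping `--ask-vault-pass` from `BASE_CMD` relies on `ask_vault_pass = True` in ansible.cfg, so the two changes must ship together.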
@ -28,17 +30,17 @@ else
"services") "services")
if [ -z "$2" ]; then if [ -z "$2" ]; then
echo "Deploying all services!" echo "Deploying all services!"
$BASE_CMD --tags setup_services eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
else else
echo "Deploying service: $2" echo "Deploying service: $2"
$BASE_CMD --tags setup_services --extra-vars "single_service=$2" $BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
fi fi
;; ;;
"base") "base")
$BASE_CMD --tags base_only eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;; ;;
"users") "users")
$BASE_CMD --tags setup-users eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
;; ;;
*) *)
usage usage
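Review bot: in the all-services, `base` and `users` branches the vagrant flag is appended as a bare `from_vagrant=true` argument with no `--extra-vars` in front of it (compare the single-service branch, which does pass `--extra-vars`), so `ansible-playbook` will treat it as a second playbook path and the `--vagrant` form of these subcommands will fail. The `eval` is also unnecessary and makes quoting fragile; `$BASE_CMD --tags base_only ${VAGRANT_VAR:+--extra-vars "$VAGRANT_VAR=true"}` expands to nothing when the variable is empty and to the two arguments otherwise, with no `eval` or `printf`. In the single-service branch `$2` is spliced into a JSON literal without escaping, so a service name containing a double quote breaks the document; keeping `--extra-vars "single_service=$2"` as before and adding a separate `--extra-vars "$VAGRANT_VAR=true"` avoids that. Finally the tag names mix styles: `setup-users` next to `setup_services` and `base_only`.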


@ -1,161 +1,185 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
37353561343430646361353937613236656232626565346437373236636636376334393262613666 66663233313832326136366163623337373835663961313938636134613933663534333730333761
65356634613165613831376366323732336434303864643435353835376533356539643030613464 39313334346364623431646439386162633961316161393636656139303966626265623035366335
62386635646633633462303163306632323238633938363638363431356637306430313061333632 66666634363036326631376562623039303961663136366461313637343932303338356334383139
63393333336361336161313064376466636135313061363238623965613338343738343030616436 38383133306436303261643535353532383538613764616233363864656665633264623236623537
35633334656362646137313366353564383337346263636164323461613761316464396538363463 31353335343064626465626130356433366531306338623830623139316462316662633665663164
30363461666362653938393637623531636136613538663437306463316562616133633237303035 38363363656237326239633930623862663230623464663031363463356133626166353433633535
32626161393332313331623363653730313763643335393436393265643834303330303836666661 63343231326438383535356235343530393361636465363933356164323565326566303034383466
32623633626563643661353936636335386465373038323466653562333332393433663034643164 63323136643835623563393666333030656534333565316466333266663365346561363937336665
32646234386438313138356530353536656532323730626164636332663663383337633137326461 32323637366138303233373565333932626435306130633064656336623764366130323534333039
64303939323336326630326561623031393634363965636265333033663732643265363638356536 64613934383530343036343334396439373066326264353638353462613266663935343436353130
32323434633262366361306334623835316237353964316438333161366431386633616431343236 38616238313133363732343634663962666435656330396536643836326636373032623734353832
33643436306362363362386631346237393235323366633033323532346366333437303336626139 32313064663164626534336363376131656438623035646263666336633862613833323565656437
33323637663838316635386536306261313135316231643031636536303237353261313638656137 63616463613732663966643039653761633231616462363761336231313335363165646134356137
31636231313763613465663038623462613466383965386665373133343466386563646131643035 38633963393264653139356333626534303936326563326433363164623131393562393533383564
32353430336536653834646638623963306338366663353265623437336433393865336663623637 62646532643366376333373364646139363635323034613262386265383066303365323134633836
62353330646464663532356336393366356137373064383261336632626361653435356361336133 66666536653264393138326436393037373537393561613864343730366135353166633765323938
31383838623637643334373537613763393564373730313465616433316339646163323765346138 38306562326238613331343337306239376165636562666433356266313030613136656162646166
32643837643331363234323661616234383863316262666532376236346362323731303634313765 36303966373931363463383631386136313262633136383637626562353336306465613435336434
36643364346561393834316262663932313034633261343663613965356663633466346461666136 32303136393638396233393232386534643733626539653961366637316135373439386432643264
32376137323066303339316163633732366439333135306564626231366562313662363966633465 63663837306461376461306664366538396436386234366638626263303735323661393839343938
32366135313830663331323132346536363063326338653730396662636532393233626566636565 36393264306132313130326435636266643363616438613538303530306434636331333033323138
39303337346261303738393163366361663565373661663438643934353633643836616430623036 39656337666635363263316363363133616538356336646337373762613666323663656665383733
31333234383964343337383631306537353232656664363665616665393365326135646139646431 31623433396466383939306666373562303330373731323864363266323261383736353465633662
61643663313466636263353933386339613932323565323866376664356332643430373566653666 38356130353233663161623139653465646238363630643239386634623262303836333232303239
65646437343234306333306535633835633130353732376333393234303331313662323332356632 61313930346263643565333534373430653430363965373037646639633638333861346262373433
39303963383061336239616439366165326537336631353330353664386435383763623431313235 65346133636162396332373130356238346438626330373163326632323137333862373436363133
35373330353339363461353138623733316436303137313564333865313032633033393133343265 37373663396461613062616664336662373432383863333536366465313838333835653966353661
31353866306538303630363136373832383339376231303363396338306534333639366663626466 38343336316136316532613661306336636131653236663336396638316136626434303533323365
65383833616163633763636561643135316166373730663236303034643864663632656636623430 38356534353530633766646466663266613735396333386263356662613939373030396436363530
66303466623635353239303163363630303166393335646331653033316338386138326634666537 38333939623534356266323237623835373038663534616532326665346631616665616665666663
32303433306562353838346530326362383935643339383634333263623664386265636235393533 33633266333630646563363637666562336339393138326435373836336566346661646464613730
30323139653236393330373465663463353230356463623434636161666262343437656164623961 39616438373062656130393134353535313232376266386262623862383162366662626231373338
32386535346639663138656534313863373830343464353438316337613562623833333236633135 37373561376435323361316337636239366263656336303636346436373363663164343333656538
31396266353564346464353135636131666664666637616562366165396433363061353132393330 32633835353436623565393538643563646630366633343632633532396433616139303766666435
36363165346363633665353262323964363931343133336435636433363138623666633962323536 30373235373262633134383033363137316366316563613662313437663832356165353661666533
30316334393736383235616465663536373938623732353934336662393437623337386263336365 63343138393230333335323938666566623365623762643563633036613339636537366264333138
37373035373234396130663634666264326433653164303331313965363831393033643737386435 62656265363261663233396266616466333332633266326661373736353135383563313666633765
30653935623166363435623932666637643264343764396334613331303437663333346636633539 37316430633763326438326263643766396137363333353035623036346662303834376463613162
33333331663163373435373437333661633033313566306165623362653764623361383264373331 30363938396638336565303535663831326135393061383634646430343931373135636638333866
36396462386231313834316635643136306435346666666235376636303662616366643832346339 64623032366163386530313563656266376334343835366665633362643339643534643738373839
64393336323663303237613839303739333438653032396432626130323363383961313533326638 34323134636330383963353439376436323530373066623435376230306435333832633964653639
65303837303762313239633238323665363634373161666461363665663437643032326330623730 39373235353262383864303430336635393435656430646233613461306135643230666437393361
32613431653634646437333637393864383030623932346262313563646266373731323163386338 36616134356461616534646535396338656138616636396538373031626136323264323936366633
39383731376135383431653763643931373438386133633837636231653530623566323832663265 61373631306538363437323934316434663735323533656364393135613761326337303833383934
34313065656264633635393633353632333138366436366234386262633030613739656130653062 37383162356162373737336666663430343334356532333335363463623238643662333232333336
36366633376163613735633938316230363031306634326531633938613465323533383730613761 31376639386632626161303232653363626637376630333733343035323539623463626132373763
64356530393761326266646165326131633864653565616464363162353635646434643934656631 36613535623064636163643236383336653934663739326264653362333237303237393335613339
38333835653861653634633361396561663864363331613966653663373838646262633732626366 30323030353632613434393636336562363064306332663931393061393964393661363163326632
64366434346166383339323830383537653365666536376635643031363636333830396537363561 37353434656464333532343263363961613866643338396335656131373134333665353437613837
66343966663062623064356237363933313165656631386461306563343762643237373437613839 37336533366635616138366566666635366634613633616533373966336637303334613731316436
62633034616366366565316264356665343764663162323264393665313261323032303164613230 66376565643033383162373166373665633362313164643530356561383630343531346436343663
66316137636363356337663462346637346435306337323164393166626339343337376661313738 62313836323530623535356532303362333436643434663131653539646331346535666133336162
33393761636239666230306633346462396561353333643262393561356439616338646466383537 37653036376165333364373661386262633030363165353638386139646266623365306338383963
65383037663364623361346161373264396364346537663034643930316135623030353865316630 36373732356364333166386566653835663466346630356438323866636564663966363832613862
38356537633761383238 64623831646261333064663939613763323466336431343861386537633337396637383330333633
32636436343564633365616331626465613163333465373961656631373736373430396633393733
64386534353131666438346362376462636331353761636535663234613731356130666534323735
35636162323234386435646132396366326165663234653637363139303162613832346333383665
64323737306634613530633636643761346461326130663234373363326230616331336430353261
38346630356136333966656562343730356234643537323635653532396337373331363537393662
33373862336232623563636436643239623837623862386638353361383830303365333362353665
33666236363035616363326462376337363736333234613133383636396464306236386238333863
39316237326638663535646361393939393938656335653262633063326132663331343235626364
35366532333161343562383763653130306235633934393066356239653565633962343235643036
62333363323065663137393736383964613061393131376637363031393335306534626230383139
35333437613963386664646336383637323534366635336264333039643861396561373461636439
30323831333335393365383834386138626664653531333830363862363330346466646432656663
62383534343131636331353763356166386339303564353035383466353636636335653333383431
30616133383565623430326534396432376331636161393930366263366539343332666631616530
36383937313164663631626163646339623365653937616634656235303039636439646335616561
31623135366136333766663833333932383032343438376336366533636466353666633437353338
33386166386231353430646665323164363961666538343537313734343465366333383763666666
33326363656134613031393033646435333937353865316161626137633939333934316536643830
37386364356233353964326661386564656132643937366665353139653533336331323138356633
35656562663961343238386132636331636439383236383761306337626262303764656431303964
62646133323361643162313231376633663231313833633964613862353265336538633261643834
62353230316334363363343133626530643832356631353937353334613538616366396438383338
39336366623332363966383535373365666263383231356532346533386262643465306430336462
64623764333861663031
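Review bot: the vault payload is re-encrypted ciphertext, so nothing in this hunk can be reviewed for content and the commit message should say which keys were added, removed or rotated. From the example secrets file further down, the visible additions are `uptime_kuma_url`, `stripe_api_key`, `stripe_endpoint_secret` and `diun.matrix_password`, and the only removal is `codimd`; if the vault change is wider than that (a rotation of existing values, for instance), state it in the message so the ciphertext diff has a readable record.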

View file

@ -6,7 +6,6 @@ postgres_passwords:
passit: xxx passit: xxx
gitea: xxx gitea: xxx
matrix: xxx matrix: xxx
codimd: xxx
mailu: xxx mailu: xxx
keycloak: xxx keycloak: xxx
hedgedoc: xxx hedgedoc: xxx
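Review bot: removing `codimd` from `postgres_passwords` only drops the example key; nothing in this change retires the matching database role or its password. Remove the vault entry and the PostgreSQL role for the decommissioned service as well, otherwise a credential for a service that no longer runs stays valid.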
@ -34,6 +33,7 @@ drone_secrets:
restic_secrets: restic_secrets:
repository_password: xxx repository_password: xxx
ssh_privkey: xxx ssh_privkey: xxx
uptime_kuma_url: xxx
matrix_secrets: matrix_secrets:
registration_shared_secret: xxx registration_shared_secret: xxx
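Review bot: `uptime_kuma_url` is inserted between `ssh_privkey` and `matrix_secrets`, so as rendered it is a child of `restic_secrets`; confirm the consumer reads `restic_secrets.uptime_kuma_url` (a push-monitor URL for the backup job would make sense there) and add a comment explaining why a URL lives in the vault, namely that an Uptime Kuma push URL embeds the monitor's token. If it is meant to be top-level, give it a block of its own like the other entries.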
@ -55,3 +55,8 @@ rallly_secrets:
membersystem_secrets: membersystem_secrets:
secret_key: xxx secret_key: xxx
stripe_api_key: xxx
stripe_endpoint_secret: xxx
diun:
matrix_password: xxx
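Review bot: naming is inconsistent in the last hunk: every other block in this file is suffixed `_secrets` (`restic_secrets`, `matrix_secrets`, `membersystem_secrets`) while the new block is plain `diun:`, the same name as the `diun:` service entry in roles/docker/defaults/main.yml that holds the non-secret settings (`matrix_user`, `matrix_room`). Rename it to `diun_secrets` so a reader can tell the vaulted dict from the service dict at a glance.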

View file

@ -31,4 +31,5 @@ users:
groups: groups:
- sudo - sudo
ssh_keys: ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
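Review bot: the existing `ssh-ed25519 …C7FeRf` key is kept (now annotated `cardno:14 336 332`) and a `sk-ssh-ed25519@openssh.com` FIDO key is added, so the account now accepts two keys. If the security key is meant to replace the smartcard-held key, remove the old one in the same change; if both are intended, say so in the commit message so the next person does not delete the wrong one.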

View file

@ -1,12 +1,12 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
--- ---
- hosts: all - hosts: production
gather_facts: true gather_facts: true
become: true become: true
vars: vars:
ldap_dn: "dc=data,dc=coop" ldap_dn: "dc=data,dc=coop"
vagrant: "{{ ansible_virtualization_role == 'guest' }}" vagrant: "{{ from_vagrant is defined and from_vagrant }}"
letsencrypt_enabled: "{{ not vagrant }}" letsencrypt_enabled: "{{ not vagrant }}"
base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}" base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
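Review bot: the Vagrant check now depends on an extra variable: `vagrant: "{{ from_vagrant is defined and from_vagrant }}"` replaces the fact-based `ansible_virtualization_role == 'guest'` test, so a run against a Vagrant box without `-e from_vagrant=true` evaluates `vagrant` to false, which in turn yields `letsencrypt_enabled: true` and `base_domain: data.coop` on a development VM. Document the required extra var (or set it in the Vagrant inventory group) so that mistake cannot happen silently; together with `hosts: all` becoming `hosts: production`, the inventory is now the only thing keeping dev and prod apart.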
@ -15,6 +15,9 @@
smtp_host: "postfix" smtp_host: "postfix"
smtp_port: "587" smtp_port: "587"
services_exclude:
- uptime_kuma
tasks: tasks:
- import_role: - import_role:
name: ubuntu_base name: ubuntu_base
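Review bot: `services_exclude: [uptime_kuma]` at play level shadows the role default `services_exclude: []` and feeds `services_include`, so uptime_kuma is defined in the role defaults but never deployed by this playbook. A one-line comment stating where the uptime monitor actually runs (it has to sit off-host to observe this host's outages) would make the exclusion self-explanatory.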

View file

@ -1,90 +1,86 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
--- ---
volume_root_folder: "/docker-volumes" volume_root_folder: "/docker-volumes"
volume_website_folder: "{{ volume_root_folder }}/websites"
services: services:
### Internal services ### ### Internal services ###
postfix: postfix:
file: postfix.yml
domain: "smtp.{{ base_domain }}" domain: "smtp.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/postfix" volume_folder: "{{ volume_root_folder }}/postfix"
version: "v3.5.1-alpine" pre_deploy_tasks: true
version: "v3.6.1-alpine"
nginx_proxy: nginx_proxy:
file: nginx_proxy.yml
version: "1.0-alpine"
volume_folder: "{{ volume_root_folder }}/nginx" volume_folder: "{{ volume_root_folder }}/nginx"
pre_deploy_tasks: true
nginx_acme_companion: version: "1.3-alpine"
version: "2.2" acme_companion_version: "2.2"
openldap: openldap:
file: openldap.yml
domain: "ldap.{{ base_domain }}" domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap" volume_folder: "{{ volume_root_folder }}/openldap"
pre_deploy_tasks: true
version: "1.5.0" version: "1.5.0"
phpldapadmin_version: "0.9.0"
phpldapadmin:
version: "0.9.0"
netdata: netdata:
file: netdata.yml
domain: "netdata.{{ base_domain }}" domain: "netdata.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/netdata"
version: "v1" version: "v1"
portainer: portainer:
file: portainer.yml
domain: "portainer.{{ base_domain }}" domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer" volume_folder: "{{ volume_root_folder }}/portainer"
version: "2.16.2" version: "2.19.0"
keycloak: keycloak:
file: keycloak.yml
domain: sso.{{ base_domain }} domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak" volume_folder: "{{ volume_root_folder }}/keycloak"
version: "20.0" version: "22.0"
postgres_version: "10" postgres_version: "10"
allowed_sender_domain: true allowed_sender_domain: true
restic: restic:
file: restic_backup.yml
user: dc-user
domain: rynkeby.skovgaard.tel
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
volume_folder: "{{ volume_root_folder }}/restic" volume_folder: "{{ volume_root_folder }}/restic"
pre_deploy_tasks: true
remote_user: dc-user
remote_domain: rynkeby.skovgaard.tel
host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
repository: restic repository: restic
version: "1.6.0" version: "1.7.0"
disabled_in_vagrant: true disabled_in_vagrant: true
# mail dance
domain: "noreply.{{ base_domain }}"
allowed_sender_domain: true
mail_from: "backup@noreply.{{ base_domain }}"
docker_registry: docker_registry:
file: docker_registry.yml
domain: "docker.{{ base_domain }}" domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry" volume_folder: "{{ volume_root_folder }}/docker-registry"
pre_deploy_tasks: true
post_deploy_tasks: true
username: "docker" username: "docker"
password: "{{ docker_password }}" password: "{{ docker_password }}"
version: "2" version: "2"
### External services ### ### External services ###
nextcloud: nextcloud:
file: nextcloud.yml
domain: "cloud.{{ base_domain }}" domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud" volume_folder: "{{ volume_root_folder }}/nextcloud"
version: 25-apache pre_deploy_tasks: true
version: 28-apache
postgres_version: "10" postgres_version: "10"
redis_version: 7-alpine redis_version: 7-alpine
allowed_sender_domain: true allowed_sender_domain: true
gitea: forgejo:
file: gitea.yml
domain: "git.{{ base_domain }}" domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/gitea" volume_folder: "{{ volume_root_folder }}/forgejo"
version: 1.18 version: "7.0.5"
allowed_sender_domain: true allowed_sender_domain: true
passit: passit:
file: passit.yml
domain: "passit.{{ base_domain }}" domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit" volume_folder: "{{ volume_root_folder }}/passit"
version: stable version: stable
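Review bot: `nextcloud.version` jumps from `25-apache` to `28-apache`. Nextcloud refuses to upgrade across more than one major version at a time, so an existing instance on 25 will not start on the 28 image until its data has been stepped through 26 and 27; either note in the commit message that this was done out of band or add the intermediate steps. The `keycloak` bump from `20.0` to `22.0` deserves the same note against its release migration guide.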
@ -92,122 +88,142 @@ services:
allowed_sender_domain: true allowed_sender_domain: true
matrix: matrix:
file: matrix_riot.yml
domain: "matrix.{{ base_domain }}" domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix" volume_folder: "{{ volume_root_folder }}/matrix"
version: v1.63.1 pre_deploy_tasks: true
postgres_version: "10" version: v1.114.0
postgres_version: 15-alpine
allowed_sender_domain: true allowed_sender_domain: true
riot: element:
domains: domain: "element.{{ base_domain }}"
- "riot.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/element"
- "element.{{ base_domain }}" pre_deploy_tasks: true
volume_folder: "{{ volume_root_folder }}/riot" version: v1.11.80
version: v1.11.8
privatebin: privatebin:
file: privatebin.yml
domain: "paste.{{ base_domain }}" domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin" volume_folder: "{{ volume_root_folder }}/privatebin"
version: 20221009 pre_deploy_tasks: true
version: "20221009"
codimd:
file: codimd.yml
domain: "oldpad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/codimd"
hedgedoc: hedgedoc:
file: hedgedoc.yml
domain: "pad.{{ base_domain }}" domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc" volume_folder: "{{ volume_root_folder }}/hedgedoc"
version: 1.9.6-alpine pre_deploy_tasks: true
version: 1.9.9-alpine
postgres_version: 10-alpine postgres_version: 10-alpine
data_coop_website: data_coop_website:
file: websites/data.coop.yml domain: "{{ base_domain }}"
domains: www_domain: "www.{{ base_domain }}"
- "{{ base_domain }}" volume_folder: "{{ volume_website_folder }}/datacoop"
- "www.{{ base_domain }}" pre_deploy_tasks: true
version: stable
new_data_coop_website: staging_domain: "staging.{{ base_domain }}"
file: websites/new.data.coop.yml staging_version: staging
domain: "new.{{ base_domain }}"
version: hugo
slides_2022_website: slides_2022_website:
file: websites/2022.slides.data.coop.yml
domain: "2022.slides.{{ base_domain }}" domain: "2022.slides.{{ base_domain }}"
volume_folder: "{{ volume_website_folder }}/slides-2022"
version: latest version: latest
fedi_dk_website: fedi_dk_website:
file: websites/fedi.dk.yaml
domain: fedi.dk domain: fedi.dk
volume_folder: "{{ volume_website_folder }}/fedidk"
version: latest version: latest
vhs_website: vhs_website:
file: websites/vhs.data.coop.yaml
domain: vhs.data.coop domain: vhs.data.coop
volume_folder: "{{ volume_website_folder }}/vhs"
version: latest version: latest
cryptohagen_website: cryptohagen_website:
file: websites/cryptohagen.dk.yml
domains: domains:
- "cryptohagen.dk" - "cryptohagen.dk"
- "www.cryptohagen.dk" - "www.cryptohagen.dk"
volume_folder: "{{ volume_website_folder }}/cryptohagen"
ulovliglogning_website: ulovliglogning_website:
file: websites/ulovliglogning.dk.yml
domains: domains:
- "ulovliglogning.dk" - "ulovliglogning.dk"
- "www.ulovliglogning.dk" - "www.ulovliglogning.dk"
- "ulovlig-logning.dk" - "ulovlig-logning.dk"
- "www.ulovlig-logning.dk"
volume_folder: "{{ volume_website_folder }}/ulovliglogning"
cryptoaarhus_website: cryptoaarhus_website:
file: websites/cryptoaarhus.dk.yml
domains: domains:
- "cryptoaarhus.dk" - "cryptoaarhus.dk"
- "www.cryptoaarhus.dk" - "www.cryptoaarhus.dk"
volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
drone: drone:
file: drone.yml
domain: "drone.{{ base_domain }}" domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone" volume_folder: "{{ volume_root_folder }}/drone"
version: 1 version: "1"
mailu: mailu:
file: mailu.yml
version: 1.9
domain: "mail.{{ base_domain }}" domain: "mail.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mailu"
pre_deploy_tasks: true
dns: 192.168.203.254 dns: 192.168.203.254
subnet: 192.168.203.0/24 subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu" version: "2.0"
postgres_version: 14-alpine
redis_version: alpine
mastodon: mastodon:
file: mastodon.yml
domain: "social.{{ base_domain }}" domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon" volume_folder: "{{ volume_root_folder }}/mastodon"
version: v4.0.2 pre_deploy_tasks: true
post_deploy_tasks: true
version: v4.2.10
postgres_version: 14-alpine postgres_version: 14-alpine
redis_version: 6-alpine redis_version: 6-alpine
allowed_sender_domain: true allowed_sender_domain: true
rallly: rallly:
file: rallly.yml
domain: "when.{{ base_domain }}" domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly" volume_folder: "{{ volume_root_folder }}/rallly"
pre_deploy_tasks: true
version: "2" version: "2"
postgres_version: 14-alpine postgres_version: 14-alpine
allowed_sender_domain: true allowed_sender_domain: true
membersystem: membersystem:
file: membersystem.yml
domain: "member.{{ base_domain }}" domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li" django_admins: "Vidir:valberg@orn.li,Balder:benjaoming@data.coop"
volume_folder: "{{ volume_root_folder }}/membersystem"
version: latest version: latest
postgres_version: 13-alpine postgres_version: 13-alpine
allowed_sender_domain: true allowed_sender_domain: true
writefreely:
domain: "write.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/writefreely"
pre_deploy_tasks: true
version: v0.15.0
mariadb_version: "11.2"
allowed_sender_domain: true
watchtower: watchtower:
file: watchtower.yml volume_folder: "{{ volume_root_folder }}/watchtower"
version: amd64-1.5.3 version: "1.5.3"
diun:
version: "4.28"
volume_folder: "{{ volume_root_folder }}/diun"
matrix_user: "@diun:data.coop"
matrix_room: "#datacoop-services-update:data.coop"
### Uptime monitoring ###
uptime_kuma:
domain: "uptime.{{ base_domain }}"
status_domain: "status.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/uptime_kuma"
pre_deploy_tasks: true
version: "latest"
services_exclude: []
services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"
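Review bot: `matrix.postgres_version` changes from `"10"` to `15-alpine`, a major-version bump of the database image; a PostgreSQL 10 data directory cannot be opened by a 15 server, and the matrix pre_deploy tasks in this change only create folders, so `docker compose up` will either fail or start on an empty database unless a dump/restore or `pg_upgrade` was done out of band. Record that in the commit message. Separately, the new `uptime_kuma: version: "latest"` joins the pre-existing `latest` website tags, and since deploy_service.yml pulls with `--pull always`, every deploy picks up whatever those tags point at; pin them where reproducibility matters.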

View file

@ -0,0 +1,4 @@
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
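Review bot: `proxy_set_header Connection "upgrade";` is unconditional, so every proxied request, not only WebSocket handshakes, is sent upstream with `Connection: upgrade`. The usual nginx pattern is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` and `proxy_set_header Connection $connection_upgrade;`, so plain HTTP requests keep a normal connection header; if this is an nginx-proxy vhost snippet, the generated config already provides `$proxy_connection` for exactly that purpose. A header comment naming the service this snippet serves would also help, since the diff view does not show the path.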

View file

@ -1,8 +1,6 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
--- ---
- name: "restart nginx" - name: restart nginx
community.docker.docker_container: command: docker compose restart proxy
name: "nginx-proxy" args:
restart: "yes" chdir: "{{ services.nginx_proxy.volume_folder }}"
state: "started"
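Review bot: `docker compose restart proxy` only restarts the running container; it does not recreate it, so a changed compose file or a newly pulled proxy image is not applied by this handler. That is fine if the handler exists solely to make nginx re-read vhost snippets, in which case a comment saying so would stop someone relying on it after an upgrade. Note also that `command:` tasks are skipped in `--check` runs, whereas the previous `community.docker.docker_container` handler reported its change there.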

View file

@ -0,0 +1,26 @@
# vim: ft=yaml.ansible
---
- name: Create volume folder for service {{ service.name }}
file:
name: "{{ service.vars.volume_folder }}"
state: directory
- name: Upload Compose file for service {{ service.name }}
template:
src: compose-files/{{ service.name }}.yml.j2
dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
owner: root
mode: u=rw,go=
- name: Run pre-deployment tasks for service {{ service.name }}
include_tasks: pre_deploy/{{ service.name }}.yml
when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
- name: Deploy Compose stack for service {{ service.name }}
command: docker compose up -d --remove-orphans --pull always
args:
chdir: "{{ service.vars.volume_folder }}"
- name: Run post-deployment tasks for service {{ service.name }}
include_tasks: post_deploy/{{ service.name }}.yml
when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks
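Review bot: `docker compose up -d --remove-orphans --pull always` re-pulls on every deploy, which is what makes the `latest` tags in defaults/main.yml non-reproducible: two runs of the playbook with no repository change can deploy different images. Either pin those tags or drop `--pull always` and let version bumps drive pulls. Writing the compose file with `owner: root` and `mode: u=rw,go=` is right, since it carries interpolated values such as `docker_password`. Minor: `service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks` reads more simply as `service.vars.pre_deploy_tasks | default(false)`, and the same for the post-deploy condition.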

View file

@ -1,38 +1,44 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
--- ---
- name: add docker gpg key - name: Add Docker PGP key
apt_key: apt_key:
keyserver: pgp.mit.edu keyserver: pgp.mit.edu
id: 8D81803C0EBFCD88 id: 8D81803C0EBFCD88
state: present state: present
- name: add docker apt repository - name: Add Docker apt repository
apt_repository: apt_repository:
repo: deb https://download.docker.com/linux/ubuntu bionic stable repo: deb https://download.docker.com/linux/ubuntu bionic stable
state: present state: present
update_cache: yes update_cache: yes
- name: install docker-ce - name: Install Docker
apt: apt:
name: docker-ce name: "{{ pkgs }}"
state: present
- name: install docker python bindings
pip:
executable: pip3
name: "{{ packages }}"
state: present state: present
vars: vars:
packages: pkgs:
- docker - docker-ce
- docker-compose - docker-compose-plugin
- name: create folder structure for bind mounts - name: Configure cron job to prune unused Docker data weekly
cron:
name: Prune unused Docker data
cron_file: ansible_docker_prune
job: 'docker system prune -fa && docker volume prune -fa'
special_time: weekly
user: root
state: present
- name: Create folder structure for bind mounts
file: file:
name: "{{ volume_root_folder }}" name: "{{ item }}"
state: directory state: directory
loop:
- "{{ volume_root_folder }}"
- "{{ volume_website_folder }}"
- name: setup services - name: Set up services
import_tasks: services.yml import_tasks: services.yml
tags: tags:
- setup_services - setup_services
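Review bot: the weekly prune job `docker system prune -fa && docker volume prune -fa` is destructive: `docker volume prune -a` removes every volume not attached to a container, named ones included, so any service that happens to be stopped when the job runs loses its volumes, and `system prune -a` discards every unused image, so rolling back a bad upgrade means re-pulling. If the intent is only to reclaim dangling layers, drop the `-a` flags. Separately, `apt_key` with a keyserver lookup and the hard-coded `bionic` suite are showing their age: `apt-key` is deprecated on current Ubuntu, and `{{ ansible_distribution_release }}` would track the host's actual release.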

View file

@ -0,0 +1,13 @@
# vim: ft=yaml.ansible
---
- name: Generate htpasswd file
shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
args:
chdir: "{{ services.docker_registry.volume_folder }}"
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to registry
docker_login:
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
username: docker
password: "{{ docker_password }}"
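Review bot: the htpasswd task puts `{{ docker_password }}` on the command line, so it is visible in the process list inside the registry container and in Ansible's task output and logs unless `no_log: true` is set; the `docker_login` task has the same logging exposure and additionally leaves the credential in root's `~/.docker/config.json` on the host. Add `no_log: true` to both, and prefer feeding the password on stdin (`htpasswd -Bin docker`) over `-b`. Also, because of `creates:`, a rotated `docker_password` is never written to an existing htpasswd file; rotation requires removing the file first, which should be documented.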

View file

@ -0,0 +1,19 @@
# vim: ft=yaml.ansible
---
- name: Configure cron job to remove old Mastodon media daily
cron:
name: Clean Mastodon media data older than a week
cron_file: ansible_mastodon_clean_media
job: docker exec mastodon-web-1 tootctl media remove --days 7
special_time: daily
user: root
state: present
- name: Configure cron job to remove old Mastodon preview cards daily
cron:
name: Clean Mastodon preview card data older than two weeks
cron_file: ansible_mastodon_clean_preview_cards
job: docker exec mastodon-web-1 tootctl preview_cards remove --days 14
special_time: daily
user: root
state: present
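Review bot: both jobs hard-code the container name `mastodon-web-1`, which is Compose's generated `<project>-<service>-<index>` name; a different project name or a scaled `web` service breaks the cron silently, and cron has nowhere to report it. Running through Compose from the project directory (`cd {{ services.mastodon.volume_folder }} && docker compose exec -T web tootctl …`) removes the dependency on the generated name.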

View file

@ -0,0 +1,11 @@
# vim: ft=yaml.ansible
---
- name: Upload vhost config for root domain
copy:
src: vhost/base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
- name: Upload vhost config for WWW domain
copy:
src: vhost/www.base_domain
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"
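Review bot: both vhost uploads lack `notify: "restart nginx"`, so an edited snippet does not take effect until the proxy is restarted for some other reason; the nextcloud pre_deploy further down is the only vhost upload in this change that notifies the handler. Add the notify here (and to the other vhost uploads) or document that the operator restarts the proxy by hand.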

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.docker_registry.volume_folder }}/{{ volume }}"
state: directory
loop:
- auth
- registry
loop_control:
loop_var: volume
- name: Copy docker registry vhost configuration
copy:
src: vhost/docker_registry
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
mode: "0644"
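Review bot: the `file` task here uses `path:` while the element, hedgedoc, mailu, mastodon and matrix pre_deploy files use `name:` (an alias); pick one for readability. The explicit `mode: "0644"` on the vhost snippet is appropriate, as it contains nothing secret, but it is the only vhost upload that states a mode; either state it everywhere or rely on defaults everywhere.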

View file

@ -0,0 +1,21 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.element.volume_folder }}/data"
state: directory
- name: Upload config.json
template:
src: element/config.json.j2
dest: "{{ services.element.volume_folder }}/data/config.json"
- name: Upload riot.im.conf
copy:
src: element/riot.im.conf
dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
- name: Upload vhost config for Element domain
copy:
src: vhost/element
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.element.domain }}"

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- db
- hedgedoc/uploads
loop_control:
loop_var: volume
- name: Copy SSO certificate
copy:
src: sso/sso.data.coop.pem
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"
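Review bot: `src: sso/sso.data.coop.pem` and the destination filename bake in the production SSO hostname, while everything else derives hostnames from `base_domain` (`datacoop.devel` under Vagrant). If, as the 0644 mode suggests, this is the public certificate, that is harmless for secrecy but means a Vagrant deployment trusts the production Keycloak signer rather than its own; derive the name from `base_domain` or comment that SSO is production-only in dev.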

View file

@ -0,0 +1,45 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- data
- dkim
- mail
- mailqueue
- filter
- postgres
- webmail
- overrides
- overrides/nginx
- overrides/dovecot
- overrides/postfix
- overrides/rspamd
- overrides/snappymail
loop_control:
loop_var: volume
- name: Upload mailu.env file
template:
src: mailu/env.j2
dest: "{{ services.mailu.volume_folder }}/mailu.env"
- name: Hard link to Let's Encrypt TLS certificate
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
state: hard
force: true
when: letsencrypt_enabled
- name: Hard link to Let's Encrypt TLS key
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
state: hard
force: true
when: letsencrypt_enabled
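Review bot: `mailu.env` is rendered with no `owner`/`mode`, so it lands with the default umask (typically world-readable) even though a Mailu env file holds `SECRET_KEY` and database credentials; the compose file in deploy_service.yml gets `mode: u=rw,go=` and this template deserves the same. Second, the certificate and key are hard-linked (`state: hard`, `force: true`) into the Mailu certs folder: a hard link tracks the inode, not the path, so if the acme companion ever replaces `fullchain.pem`/`key.pem` with new files on renewal instead of rewriting them in place, Mailu keeps serving the old, eventually expired, certificate. Verify that renewals write in place, or copy from a renewal hook instead.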

View file

@ -0,0 +1,45 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for Mastodon data
file:
name: "{{ services.mastodon.volume_folder }}/mastodon_data"
state: directory
owner: "991"
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for PostgreSQL data
file:
name: "{{ services.mastodon.volume_folder }}/postgres_data"
state: directory
owner: "70"
mode: u=rwx,go=
- name: Create subfolder for PostgreSQL config
file:
name: "{{ services.mastodon.volume_folder }}/postgres_config"
state: directory
owner: root
mode: u=rwx,g=rx,o=rx
- name: Create subfolder for Redis data
file:
name: "{{ services.mastodon.volume_folder }}/redis_data"
state: directory
owner: "999"
group: "1000"
mode: u=rwx,g=rx,o=rx
- name: Upload mastodon.env file
template:
src: mastodon/env.j2
dest: "{{ services.mastodon.volume_folder }}/mastodon.env"
- name: Upload vhost config for Mastodon domain
copy:
src: vhost/mastodon
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
- name: Upload PostgreSQL config
copy:
src: mastodon/postgresql.conf
dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"
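Review bot: in 'Create subfolder for Redis data', group: "999"/"1000" with mode g=rx gives whichever host account has gid 1000 (usually the first regular user) read access to the Redis dump, while every other data folder here uses the container's own ids; this looks copied from a different host. Use group "999" or mode u=rwx,go= as the PostgreSQL data folder does. Also 'Upload mastodon.env file' sets no mode or owner; the env file holds the Rails secrets and database credentials, so mode: "0600" with owner "991" would match the rest of the file.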

View file

@ -0,0 +1,34 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- data
- data/uploads
- data/media
loop_control:
loop_var: volume
- name: Create Matrix DB subfolder
file:
name: "{{ services.matrix.volume_folder }}/db"
state: directory
- name: Upload vhost config for Matrix domain
copy:
src: vhost/matrix
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
- name: Upload homeserver.yaml
template:
src: matrix/homeserver.yaml.j2
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
- name: Upload Matrix logging config
copy:
src: matrix/log.config
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
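Review bot: 'Upload homeserver.yaml' writes the Synapse config with the default owner and mode while the data directories around it are chowned to 991:991; homeserver.yaml holds the database password and the registration and macaroon secrets, so set owner/group "991" and mode "0600" there (and on the log config for consistency). The same applies to 'Create Matrix DB subfolder', which gets no owner or mode even though the mastodon tasks in this same change lock their postgres_data down with owner "70" and mode u=rwx,go=.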

View file

@ -0,0 +1,17 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
path: "{{ services.nextcloud.volume_folder }}/{{ volume }}"
state: directory
loop:
- app
- postgres
loop_control:
loop_var: volume
- name: Upload vhost config for Nextcloud domain
copy:
src: vhost/nextcloud
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
notify: "restart nginx"
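Review bot: this is the only vhost upload in the change that carries notify: "restart nginx"; the element, mastodon, matrix and uptime_kuma vhost uploads don't, so edits to those files are not applied until nginx-proxy reloads for some other reason. Either add the notify to all of them or drop it here for consistency. Minor: file: here uses path: while every other new task file uses name:; both work (name is an alias) but pick one.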

View file

@ -0,0 +1,14 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
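Review bot: the certs subfolder created in 'Create subfolders' is where the acme companion keeps each domain's key.pem (the mailu tasks hard-link from it), yet it is created with the umask default rather than an explicit mode. Give it mode u=rwx,go= the way the mastodon tasks do for postgres_data; containers that mount it as root are unaffected.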

View file

@ -0,0 +1,12 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- var/lib/ldap
- etc/slapd
- certs
loop_control:
loop_var: volume
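Review bot: 'Create subfolders' creates etc/slapd, but the openldap container removed further down in this change mounted "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"; unless the new container definition was changed to match, slapd's config is written to a directory this task never creates and etc/slapd stays empty. Check the mount in the new location and align the two names.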

View file

@ -0,0 +1,13 @@
# vim: ft=yaml.ansible
---
- name: Set up network for Postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: Create subfolder
file:
name: "{{ services.postfix.volume_folder }}/dkim"
state: directory
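Review bot: 'Set up network for Postfix' hard-codes subnet '172.16.0.0/16' and gateway 172.16.0.1; a whole /16 for a single-service network is far more than needed, and a fixed range can collide with other Docker networks or host routes. The removed mailu tasks take their range from services.mailu.subnet, so a services.postfix.subnet variable (with a /24) would be consistent with that.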

View file

@ -0,0 +1,16 @@
# vim: ft=yaml.ansible
---
- name: Create subfolders
file:
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: Upload PrivateBin config
copy:
src: privatebin/conf.php
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"

View file

@ -0,0 +1,11 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder
file:
name: "{{ services.rallly.volume_folder }}/postgres"
state: directory
- name: Copy rallly.env file
template:
src: rallly/env.j2
dest: "{{ services.rallly.volume_folder }}/rallly.env"
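Review bot: 'Copy rallly.env file' uses template:, not copy:, so rename it 'Upload rallly.env file' like the mailu and mastodon tasks; and like those, add mode: "0600", since the rendered env file carries the service's secrets and is otherwise written with the umask default.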

View file

@ -0,0 +1,72 @@
# vim: ft=yaml.ansible
---
- name: Create SSH directory
file:
path: "{{ services.restic.volume_folder }}/ssh"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload private SSH key
copy:
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
owner: root
group: root
mode: '0600'
content: "{{ restic_secrets.ssh_privkey }}"
- name: Derive public SSH key
shell: >-
ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
> {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
args:
creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
- name: Set file permissions on public SSH key
file:
path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
owner: root
group: root
mode: '0644'
state: touch
- name: Upload SSH config
template:
src: restic/ssh.config.j2
dest: "{{ services.restic.volume_folder }}/ssh/config"
owner: root
group: root
mode: '0600'
- name: Upload SSH known_hosts file
template:
src: restic/ssh.known_hosts.j2
dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
owner: root
group: root
mode: '0600'
- name: Create scripts directory
file:
path: "{{ services.restic.volume_folder }}/scripts"
owner: root
group: root
mode: '0755'
state: directory
- name: Upload failure.sh script
template:
src: restic/failure.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/failure.sh"
owner: root
group: root
mode: '0755'
- name: Upload success.sh script
template:
src: restic/success.sh.j2
dest: "{{ services.restic.volume_folder }}/scripts/success.sh"
owner: root
group: root
mode: '0755'
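Review bot: 'Derive public SSH key' uses creates:, so once id_ed25519.pub exists it is never regenerated; if restic_secrets.ssh_privkey is rotated, the .pub silently stays for the old key. Register the result of 'Upload private SSH key' and run the derivation when it reports changed (or drop creates: and add changed_when: false, since ssh-keygen -y only reads the key). Two smaller points: 'Set file permissions on public SSH key' uses state: touch, which bumps the mtime and reports changed on every run, whereas state: file would only fix ownership and mode; and 'Upload private SSH key' writes a private key via content: without no_log: true, so a run with --diff or -v prints the key in the output.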

View file

@ -0,0 +1,9 @@
- name: Upload vhost config for uptime domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.domain }}_location"
- name: Upload vhost config for status domain
copy:
src: vhost/uptime_kuma
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.status_domain }}_location"
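Review bot: this file lacks the # vim: ft=yaml.ansible modeline and the --- document start that every other task file in the change has; add both for consistency. The two tasks uploading the same vhost/uptime_kuma file to two _location files is fine, but like the other vhost uploads they carry no notify, so a changed location snippet is not applied until the proxy reloads.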

View file

@ -0,0 +1,20 @@
# vim: ft=yaml.ansible
---
- name: Create subfolder for MariaDB data
file:
name: "{{ services.writefreely.volume_folder }}/db"
owner: "999"
group: "999"
state: directory
- name: Create subfolder for encryption keys
file:
name: "{{ services.writefreely.volume_folder }}/keys"
owner: "2"
group: "2"
state: directory
- name: Upload config.ini
template:
src: "writefreely/config.ini.j2"
dest: "{{ services.writefreely.volume_folder }}/config.ini"
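Review bot: 'Create subfolder for encryption keys' sets owner and group "2" but no mode, so the keys directory is created with the umask default (typically world-readable); give it mode u=rwx,go= as the mastodon postgres folder gets. Likewise 'Upload config.ini' sets no owner or mode although config.ini is where WriteFreely reads its database credentials; owner "2" and mode "0600" would match the keys directory.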

View file

@ -1,21 +1,28 @@
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
--- ---
- name: setup external services network - name: Set up external services network
docker_network: docker_network:
name: external_services name: external_services
- name: setup services - name: Deploy all services
include_tasks: "services/{{ item.service.file }}" include_tasks:
loop: "{{ services | dict2items(value_name='service') }}" file: block.yml
vars:
service:
name: "{{ item }}"
vars: "{{ services[item] }}"
loop: "{{ services_include }}"
when: single_service is not defined and when: single_service is not defined and
item.service.file is defined and (item.vars.disabled_in_vagrant is not defined or
(item.service.disabled_in_vagrant is not defined or not (item.vars.disabled_in_vagrant and vagrant))
not (item.service.disabled_in_vagrant and vagrant))
- name: setup single service - name: Deploy single service
include_tasks: "services/{{ services[single_service].file }}" include_tasks:
when: single_service is defined and file: block.yml
single_service in services and vars:
services[single_service].file is defined and service:
name: "{{ single_service }}"
vars: "{{ services[single_service] }}"
when: single_service is defined and single_service in services and
(services[single_service].disabled_in_vagrant is not defined or (services[single_service].disabled_in_vagrant is not defined or
not (services[single_service].disabled_in_vagrant and vagrant)) not (services[single_service].disabled_in_vagrant and vagrant))
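Review bot: the loop variable in 'Deploy all services' is used inconsistently. loop: "{{ services_include }}" with name: "{{ item }}" and vars: "{{ services[item] }}" treats each item as a service name string, but the when: clause tests item.vars.disabled_in_vagrant; on a string item that attribute is never defined, so the "is not defined" branch is always true and services marked disabled_in_vagrant are deployed under Vagrant anyway. Use services[item].disabled_in_vagrant in the condition, matching how 'Deploy single service' tests services[single_service].disabled_in_vagrant.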

View file

@ -1,55 +0,0 @@
# vim: ft=yaml.ansible
---
- name: codimd network
docker_network:
name: codimd
- name: create codimd volume folders
file:
name: "{{ services.codimd.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "codimd/uploads"
loop_control:
loop_var: volume
- name: codimd database container
docker_container:
name: codimd_db
image: postgres:10
state: started
restart_policy: unless-stopped
networks:
- name: codimd
volumes:
- "{{ services.codimd.volume_folder }}/db:/var/lib/postgresql/data"
env:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}"
- name: codimd app container
docker_container:
name: codimd_app
image: hackmdio/hackmd:1.3.0
restart_policy: unless-stopped
networks:
- name: codimd
- name: ldap
- name: external_services
volumes:
- "{{ services.codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads"
env:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_LDAP_URL: "ldap://openldap"
CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop"
CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}"
CMD_LDAP_SEARCHBASE: "dc=data,dc=coop"
CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"
CMD_USECDN: "false"
VIRTUAL_HOST: "{{ services.codimd.domain }}"
LETSENCRYPT_HOST: "{{ services.codimd.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
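Review bot: deleting this file removes the play but not what it created: on already-provisioned hosts the codimd_db and codimd_app containers, the codimd network and the postgres:10 data under services.codimd.volume_folder stay in place. Unless hedgedoc takes them over in place, add a one-off cleanup (docker_container and docker_network with state: absent) or record the manual step in the commit message.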

View file

@ -1,36 +0,0 @@
# vim: ft=yaml.ansible
---
- name: copy docker registry nginx configuration
copy:
src: "files/configs/docker_registry/nginx.conf"
dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}"
mode: "0644"
- name: docker registry container
docker_container:
name: registry
image: registry:{{ services.docker_registry.version }}
restart_policy: always
volumes:
- "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry"
- "{{ services.docker_registry.volume_folder }}/auth:/auth"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
- name: generate htpasswd file
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd"
args:
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to registry
docker_login:
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
username: "docker"
password: "{{ docker_password }}"
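Review bot: this file held the docker_login step for docker.data.coop, and the (also removed) membersystem tasks pull docker.data.coop/membersystem; if both moved into per-service folders, make sure the registry login is still included before anything that pulls from the registry, otherwise those pulls fail on a fresh host. Also, the removed 'generate htpasswd file' task put {{ docker_password }} on a docker exec command line; if it is re-added elsewhere, feed the password on stdin (htpasswd -i) so it does not show up in process listings and shell history.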

View file

@ -1,52 +0,0 @@
# vim: ft=yaml.ansible
---
- name: set up drone with docker runner
docker_compose:
project_name: drone
pull: yes
definition:
version: "3.6"
services:
drone:
container_name: "drone"
image: "drone/drone:{{ services.drone.version }}"
restart: unless-stopped
networks:
- external_services
- drone
volumes:
- "{{ services.drone.volume_folder }}:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}"
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: "true"
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
DRONE_SERVER_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
PLUGIN_CUSTOM_DNS: "91.239.100.100"
VIRTUAL_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
drone-runner-docker:
container_name: "drone-runner-docker"
image: "drone/drone-runner-docker:{{ services.drone.version }}"
restart: unless-stopped
networks:
- drone
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ services.drone.domain }}"
DRONE_RPC_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "data.coop_drone_runner"
networks:
drone:
external_services:
external:
name: external_services

View file

@ -1,37 +0,0 @@
# vim: ft=yaml.ansible
---
- name: gitea network
docker_network:
name: gitea
# old DNS: 138.68.71.153
- name: gitea container
docker_container:
name: gitea
image: gitea/gitea:{{ services.gitea.version }}
restart_policy: unless-stopped
networks:
- name: gitea
- name: postfix
- name: external_services
volumes:
- "{{ services.gitea.volume_folder }}:/data"
published_ports:
- "22:22"
env:
VIRTUAL_HOST: "{{ services.gitea.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ services.gitea.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
GITEA__mailer__ENABLED: "true"
GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}"
GITEA__mailer__MAILER_TYPE: "smtp"
GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
GITEA__security__LOGIN_REMEMBER_DAYS: "60"
GITEA__security__PASSWORD_COMPLEXITY: "off"
GITEA__security__MIN_PASSWORD_LENGTH: "8"
GITEA__security__PASSWORD_CHECK_PWN: "true"
GITEA__service__ENABLE_NOTIFY_MAIL: "true"
GITEA__service__REGISTER_EMAIL_CONFIRM: "true"

View file

@ -1,67 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create hedgedoc volume folders
file:
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "hedgedoc/uploads"
loop_control:
loop_var: volume
- name: copy sso public certificate
copy:
src: "files/sso/sso.data.coop.pem"
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"
- name: setup hedgedoc
docker_compose:
project_name: "hedgedoc"
pull: "yes"
definition:
services:
database:
image: "postgres:{{ services.hedgedoc.postgres_version }}"
environment:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: "codimd"
restart: "unless-stopped"
networks:
- "hedgedoc"
volumes:
- "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
app:
image: "quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}"
environment:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_SAML_IDPCERT: "/sso.data.coop.pem"
CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
CMD_SAML_ISSUER: "hedgedoc"
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CMD_USECDN: "false"
CMD_PROTOCOL_USESSL: "true"
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
- "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
restart: "unless-stopped"
networks:
- "hedgedoc"
- "external_services"
depends_on:
- database
networks:
hedgedoc:
external_services:
external: true

View file

@ -1,50 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup keycloak containers for sso.data.coop
docker_compose:
project_name: "keycloak"
pull: "yes"
definition:
version: "3.6"
services:
postgres:
image: "postgres:{{ services.keycloak.postgres_version }}"
restart: "unless-stopped"
networks:
- "keycloak"
volumes:
- "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "keycloak"
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: "keycloak"
app:
image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}"
restart: "unless-stopped"
networks:
- "keycloak"
- "postfix"
- "external_services"
command:
- "start"
- "--db=postgres"
- "--db-url=jdbc:postgresql://postgres:5432/keycloak"
- "--db-username=keycloak"
- "--db-password={{ postgres_passwords.keycloak }}"
- "--hostname={{ services.keycloak.domain }}"
- "--proxy=edge"
- "--https-port=8080"
- "--http-relative-path=/auth"
environment:
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
keycloak:
postfix:
external: true
external_services:
external: true

View file

@ -1,181 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create mailu volume folders
file:
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- data
- dkim
- mail
- mailqueue
- filter
- postgres
- webmail
- overrides
- overrides/nginx
- overrides/dovecot
- overrides/postfix
- overrides/rspamd
- overrides/rainloop
loop_control:
loop_var: volume
- name: upload mailu.env file
template:
src: mailu.env.j2
dest: "{{ services.mailu.volume_folder}}/mailu.env"
- name: hard link to Let's Encrypt TLS certificate
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
state: hard
force: yes
when: letsencrypt_enabled
- name: hard link to Let's Encrypt TLS key
file:
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
state: hard
force: yes
when: letsencrypt_enabled
- name: run mail server containers
docker_compose:
project_name: mail_server
pull: yes
definition:
version: '3.6'
services:
postgres:
image: postgres:14-alpine
restart: always
environment:
POSTGRES_DB: mailu
POSTGRES_USER: mailu
POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
volumes:
- "{{ services.mailu.volume_folder }}/postgres:/var/lib/postgresql/data"
dns:
- "{{ services.mailu.dns }}"
redis:
image: redis:alpine
restart: always
volumes:
- "{{ services.mailu.volume_folder }}/redis:/data"
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
front:
image: mailu/nginx:{{ services.mailu.version }}
restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
environment:
VIRTUAL_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ services.mailu.volume_folder }}/certs:/certs"
- "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides:ro"
expose:
- "80"
ports:
- "993:993"
- "25:25"
- "587:587"
- "465:465"
networks:
- default
- external_services
resolver:
image: mailu/unbound:{{ services.mailu.version }}
restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
networks:
default:
ipv4_address: "{{ services.mailu.dns }}"
admin:
image: mailu/admin:{{ services.mailu.version }}
restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ services.mailu.volume_folder }}/data:/data"
- "{{ services.mailu.volume_folder }}/dkim:/dkim"
depends_on:
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
imap:
image: mailu/dovecot:{{ services.mailu.version }}
restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ services.mailu.volume_folder }}/mail:/mail"
- "{{ services.mailu.volume_folder }}/overrides/dovecot:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
smtp:
image: mailu/postfix:{{ services.mailu.version }}
restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ services.mailu.volume_folder }}/mailqueue:/queue"
- "{{ services.mailu.volume_folder }}/overrides/postfix:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
antispam:
image: mailu/rspamd:{{ services.mailu.version }}
hostname: antispam
restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd"
- "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
webmail:
image: mailu/rainloop:{{ services.mailu.version }}
restart: always
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ services.mailu.volume_folder }}/webmail:/data"
- "{{ services.mailu.volume_folder }}/overrides/rainloop:/overrides:ro"
depends_on:
- imap
- resolver
dns:
- "{{ services.mailu.dns }}"
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ services.mailu.subnet }}"
external_services:
external:
name: external_services

View file

@ -1,189 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create mastodon volume folders
file:
name: "{{ services.mastodon.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- "postgres_data"
- "postgres_config"
- "redis_data"
- "mastodon_data"
loop_control:
loop_var: volume
- name: Copy mastodon environment file
template:
src: files/configs/mastodon/env_file.j2
dest: "{{ services.mastodon.volume_folder }}/env_file"
- name: Upload vhost config for root domain
template:
src: files/configs/mastodon/vhost-mastodon
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
- name: Copy PostgreSQL config
copy:
src: files/configs/mastodon/postgresql.conf
dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"
- name: Set up Mastodon
docker_compose:
project_name: mastodon
pull: true
restarted: true
definition:
x-sidekiq: &sidekiq
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always
env_file: "{{ services.mastodon.volume_folder }}/env_file"
depends_on:
db:
condition: "service_healthy"
redis:
condition: "service_healthy"
networks:
- postfix
- external_services
- internal_network
volumes:
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
version: '3'
services:
db:
restart: always
image: "postgres:{{ services.mastodon.postgres_version }}"
shm_size: 256mb
networks:
- internal_network
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
volumes:
- "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
- "{{ services.mastodon.volume_folder }}/postgres_config:/config:ro"
command: postgres -c config_file=/config/postgresql.conf
environment:
- 'POSTGRES_HOST_AUTH_METHOD=trust'
redis:
restart: always
image: "redis:{{ services.mastodon.redis_version }}"
networks:
- internal_network
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
volumes:
- "{{ services.mastodon.volume_folder }}/redis_data:/data"
web:
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always
env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- external_services
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
depends_on:
db:
condition: "service_healthy"
redis:
condition: "service_healthy"
volumes:
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
environment:
MAX_THREADS: 10
WEB_CONCURRENCY: 3
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "3000"
VIRTUAL_PATH: "/"
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
streaming:
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always
env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: node ./streaming
networks:
- external_services
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
ports:
- '127.0.0.1:4000:4000'
depends_on:
db:
condition: "service_healthy"
redis:
condition: "service_healthy"
environment:
DB_POOL: 15
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "4000"
VIRTUAL_PATH: "/api/v1/streaming"
# sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-push-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q push -q pull
environment:
DB_POOL: 25
# sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-pull-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q pull -q push
environment:
DB_POOL: 25
# sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-pull-default-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q pull -q default -q push
environment:
DB_POOL: 25
# sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-push-default-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q push -q default -q pull
environment:
DB_POOL: 25
# sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-scheduler:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q scheduler
environment:
DB_POOL: 5
# sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-mailers:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q mailers
environment:
DB_POOL: 5
# sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
sidekiq-push-ingress:
<<: *sidekiq
command: bundle exec sidekiq -c 10 -q push -q ingress
environment:
DB_POOL: 10
networks:
external_services:
external: true
postfix:
external: true
internal_network:
internal: true
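Review bot: the env file moves from {{ services.mastodon.volume_folder }}/env_file here to mastodon.env in the new mastodon tasks, but nothing removes the old env_file, so an already-provisioned host keeps a second copy of the Mastodon secrets on disk with whatever mode it was originally written with; add a file: state: absent for the old path. Also the vhost upload switches from template: (vhost-mastodon) here to copy: (vhost/mastodon) in the new tasks, so confirm the file no longer contains Jinja expressions, or it will be shipped unrendered.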

View file

@ -1,120 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create matrix volume folders
file:
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- "data"
- "data/uploads"
- "data/media"
loop_control:
loop_var: volume
- name: create matrix DB folder
file:
name: "{{ services.matrix.volume_folder }}/db"
state: "directory"
- name: create riot volume folders
file:
name: "{{ services.riot.volume_folder }}/{{ volume }}"
state: directory
loop:
- "data"
loop_control:
loop_var: volume
- name: upload riot config.json
template:
src: files/configs/riot/config.json
dest: "{{ services.riot.volume_folder }}/data/config.json"
- name: upload riot.im.conf
template:
src: files/configs/riot/riot.im.conf
dest: "{{ services.riot.volume_folder }}/data/riot.im.conf"
- name: upload vhost config for matrix domain
template:
src: files/configs/matrix/vhost-matrix
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
- name: upload vhost config for riot domain
template:
src: files/configs/matrix/vhost-riot
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}"
loop: "{{ services.riot.domains }}"
- name: upload homeserver.yaml
template:
src: "files/configs/matrix/homeserver.yaml.j2"
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
- name: upload matrix logging config
template:
src: "files/configs/matrix/matrix.data.coop.log.config"
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
- name: set up matrix and riot
docker_compose:
project_name: matrix
pull: yes
definition:
version: "3.6"
services:
matrix_db:
container_name: matrix_db
image: "postgres:{{ services.matrix.postgres_version }}"
restart: unless-stopped
networks:
- matrix
volumes:
- "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "synapse"
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
matrix_app:
container_name: matrix
image: "matrixdotorg/synapse:{{ services.matrix.version }}"
restart: unless-stopped
networks:
- matrix
- external_services
volumes:
- "{{ services.matrix.volume_folder }}/data:/data"
environment:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: "INFO"
VIRTUAL_HOST: "{{ services.matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
riot:
container_name: riot_app
image: "avhost/docker-matrix-riot:{{ services.riot.version }}"
restart: unless-stopped
networks:
- matrix
- external_services
expose:
- 8080
volumes:
- "{{ services.riot.volume_folder }}/data:/data"
environment:
VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external:
name: external_services
matrix:
name: "matrix"
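Review bot: the riot tasks and container go away here without a counterpart in the new matrix tasks (element has its own file), but nothing removes what they left behind: the riot_app container, the vhost files written for each of services.riot.domains into the proxy's vhost directory, and services.riot.volume_folder. Add cleanup or note the manual step. Also the vhost and matrix.data.coop.log.config uploads switched from template: here to copy: in the new tasks; confirm neither file contains Jinja expressions, or they will be shipped unrendered.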

View file

@ -1,52 +0,0 @@
# vim: ft=yaml.ansible
---
- name: run membersystem containers
docker_compose:
project_name: "member.data.coop"
pull: yes
definition:
version: "3"
services:
backend:
image: "docker.data.coop/membersystem:{{ services.membersystem.version }}"
restart: always
user: $UID:$GID
tty: true
depends_on:
- postgres
networks:
- membersystem
- external_services
- postfix
environment:
SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
POSTGRES_HOST: postgres
POSTGRES_PORT: 5432
EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
VIRTUAL_PORT: "8000"
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
postgres:
image: "postgres:{{ services.membersystem.postgres_version }}"
restart: always
volumes:
- "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data"
networks:
- membersystem
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
networks:
membersystem:
external_services:
external: true
postfix:
external: true

View file

@ -1,23 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup netdata docker container for system monitoring
docker_container:
name: netdata
image: netdata/netdata:{{ services.netdata.version }}
restart_policy: unless-stopped
hostname: "hevonen.servers.{{ base_domain }}"
capabilities:
- SYS_PTRACE
security_opts:
- apparmor:unconfined
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.netdata.domain }}"
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"

View file

@ -1,76 +0,0 @@
# vim: ft=yaml.ansible
---
- name: upload vhost config for cloud.data.coop
template:
src: files/configs/nextcloud/vhost
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
notify: "restart nginx"
- name: setup nextcloud containers
docker_compose:
project_name: "nextcloud"
pull: "yes"
definition:
services:
postgres:
image: "postgres:{{ services.nextcloud.postgres_version }}"
restart: "unless-stopped"
networks:
- "nextcloud"
volumes:
- "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: "nextcloud"
redis:
image: "redis:{{ services.nextcloud.redis_version }}"
restart: "unless-stopped"
command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}"
tmpfs:
- /var/lib/redis
networks:
- "nextcloud"
cron:
image: "nextcloud:{{ services.nextcloud.version }}"
restart: "unless-stopped"
entrypoint: "/cron.sh"
networks:
- "nextcloud"
volumes:
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
depends_on:
- "postgres"
- "redis"
app:
image: "nextcloud:{{ services.nextcloud.version }}"
restart: "unless-stopped"
networks:
- "nextcloud"
- "postfix"
- "external_services"
volumes:
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: "postgres"
POSTGRES_DB: "nextcloud"
POSTGRES_USER: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
REDIS_HOST: "redis"
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
depends_on:
- "postgres"
- "redis"
networks:
nextcloud:
postfix:
external: true
external_services:
external: true

View file

@ -1,48 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create nginx-proxy volume folders
file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
restart_policy: always
volumes:
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy
when: letsencrypt_enabled

@ -1,74 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create ldap volume folders
file:
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- "var/lib/ldap"
- "etc/slapd"
- "certs"
loop_control:
loop_var: volume
- name: Create a network for ldap
docker_network:
name: ldap
- name: openLDAP container
docker_container:
name: openldap
image: osixia/openldap:{{ services.openldap.version }}
tty: true
interactive: true
restart_policy: unless-stopped
volumes:
- "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
- "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
- "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
published_ports:
- "389:389"
- "636:636"
hostname: "{{ services.openldap.domain }}"
domainname: "{{ services.openldap.domain }}" # important: same as hostname
networks:
- name: ldap
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: "false"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap.crt"
LDAP_TLS_KEY_FILENAME: "ldap.key"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: "demand"
LDAP_REPLICATION: "false"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
- name: phpLDAPadmin container
docker_container:
name: phpldapadmin
image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
restart_policy: unless-stopped
networks:
- name: external_services
- name: ldap
env:
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
VIRTUAL_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,53 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create directory for Passit data
file:
name: "{{ services.passit.volume_folder }}/data"
owner: '70'
group: root
state: directory
- name: setup passit containers
docker_compose:
project_name: "passit"
pull: "yes"
definition:
version: "3.6"
services:
passit_db:
image: "postgres:{{ services.passit.postgres_version }}"
restart: "always"
networks:
- "passit"
volumes:
- "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "passit"
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
passit_app:
image: "passit/passit@sha256:c4b96bc67222936f58f344d5dd1020227ad8e11ad5f82ed3cbf0bcfa8fe9b2e7" #:{{ services.passit.version }}"
command: "bin/start.sh"
restart: "always"
networks:
- "passit"
- "postfix"
- "external_services"
environment:
DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: 'False'
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}"
EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}"
FIDO_SERVER_ID: "{{ services.passit.domain }}"
VIRTUAL_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
passit:
postfix:
external: true
external_services:
external: true

@ -1,22 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create portainer volume folder
file:
name: "{{ services.portainer.volume_folder }}"
state: directory
- name: run portainer
docker_container:
name: portainer
image: portainer/portainer-ee:{{ services.portainer.version }}
restart_policy: always
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- "{{ services.portainer.volume_folder }}:/data"
env:
VIRTUAL_HOST: "{{ services.portainer.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,28 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Set up network for postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: Create volume folders for Postfix
file:
name: "{{ services.postfix.volume_folder }}/dkim"
state: directory
- name: Set up Postfix Docker container for outgoing mail from services
docker_container:
name: postfix
image: boky/postfix:{{ services.postfix.version }}
restart_policy: always
networks:
- name: postfix
volumes:
- "{{ services.postfix.volume_folder }}/dkim:/etc/opendkim/keys"
env:
# Get all services which have allowed_sender_domain defined
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as
DKIM_AUTOGENERATE: "true"

@ -1,31 +0,0 @@
# vim: ft=yaml.ansible
---
- name: create privatebin volume folders
file:
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: upload privatebin config
template:
src: files/configs/privatebin-conf.php
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
- name: privatebin app container
docker_container:
name: privatebin
image: jgeusebroek/privatebin:{{ services.privatebin.version }}
restart_policy: unless-stopped
volumes:
- "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg"
- "{{ services.privatebin.volume_folder }}/data:/privatebin/data"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,61 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create rallly volume folders
file:
name: "{{ services.rallly.volume_folder }}/postgres"
state: directory
- name: Copy Rallly environment file
template:
src: files/configs/rallly/env_file.j2
dest: "{{ services.rallly.volume_folder }}/env_file"
- name: Set up Rallly
docker_compose:
project_name: "rallly"
pull: "yes"
definition:
version: "3.8"
services:
rallly_db:
image: "postgres:{{ services.rallly.postgres_version }}"
restart: "always"
shm_size: "256mb"
networks:
rallly_internal:
volumes:
- "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data"
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
POSTGRES_DB: "rallly_db"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 5s
timeout: 5s
retries: 5
rallly:
image: "lukevella/rallly:{{ services.rallly.version }}"
restart: "always"
networks:
rallly_internal:
external_services:
postfix:
depends_on:
rallly_db:
condition: "service_healthy"
env_file:
- "{{ services.rallly.volume_folder }}/env_file"
environment:
VIRTUAL_HOST: "{{ services.rallly.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
rallly_internal:
internal: true
external_services:
external: true
postfix:
external: true

@ -1,89 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Create SSH directory
file:
path: "{{ services.restic.volume_folder }}/ssh"
owner: root
group: root
mode: '0755'
state: directory
- name: Copy private SSH key
copy:
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
owner: root
group: root
mode: '0600'
content: "{{ restic_secrets.ssh_privkey }}"
- name: Derive public SSH key
shell: >-
ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
> {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
args:
creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
- name: Set file permissions on public SSH key
file:
path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
owner: root
group: root
mode: '0644'
state: touch
- name: Create SSH config
template:
src: restic.ssh.config.j2
dest: "{{ services.restic.volume_folder }}/ssh/config"
owner: root
group: root
mode: '0600'
- name: Create SSH known_hosts file
template:
src: restic.ssh.known_hosts.j2
dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
owner: root
group: root
mode: '0600'
- name: Setup restic backup
docker_compose:
project_name: restic_backup
pull: true
definition:
version: '3.6'
services:
restic-backup:
image: mazzolino/restic:{{ services.restic.version }}
restart: always
environment:
RUN_ON_STARTUP: "false"
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes
--exclude '*.tmp'
--verbose
RESTIC_FORGET_ARGS: >-
--keep-last 10
--keep-daily 7
--keep-weekly 5
--keep-monthly 12
TZ: Europe/Copenhagen
volumes:
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
- /docker-volumes:/mnt/volumes:ro
restic-prune:
image: "mazzolino/restic:{{ services.restic.version }}"
environment:
RUN_ON_STARTUP: "false"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
TZ: Europe/copenhagen
volumes:
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
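Review bot: this hunk removes the scheduled restic backup and prune jobs (`BACKUP_CRON`, `PRUNE_CRON`) together with the SSH key material they need, and nothing else in this view re-creates them; confirm that a compose replacement for the backup of `/docker-volumes` exists elsewhere in the change before merging, otherwise the host is left without backups. If the job is being rewritten, carry over the fix for `TZ: Europe/copenhagen` (lower-case c) in the prune service: that is not a valid zone name, so that cron schedule has been running on UTC rather than local time.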

@ -1,19 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup 2022.slides.data.coop website using unipi
docker_container:
name: 2022.slides.data.coop_website
image: docker.data.coop/unipi:{{ services.slides_2022_website.version }}
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.slides_2022_website.domain }}"
LETSENCRYPT_HOST: "{{ services.slides_2022_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
command: "--remote=https://git.data.coop/data.coop/slides.git#slides2022"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,23 +0,0 @@
# vim: ft=yaml.ansible
---
- name: Upload vhost config for root domain
copy:
src: files/configs/matrix/vhost-root
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}"
- name: Upload vhost config for WWW domain
copy:
src: files/configs/vhost-www
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/www.{{ base_domain }}"
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:{{ services.new_data_coop_website.version }}
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.new_data_coop_website.domain }}"
LETSENCRYPT_HOST: "{{ services.new_data_coop_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,13 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup ulovliglogning.dk website docker container
docker_container:
name: ulovliglogning_website
restart_policy: unless-stopped
image: ulovliglogning/ulovliglogning.dk:latest
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

@ -1,19 +0,0 @@
# vim: ft=yaml.ansible
---
- name: setup vhs.data.coop website with unipi
docker_container:
name: vhs.data.coop_website
image: docker.data.coop/unipi:{{ services.vhs_website.version }}
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ services.vhs_website.domain }}"
LETSENCRYPT_HOST: "{{ services.vhs_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
command: "--remote=https://git.data.coop/vhs.data.coop/website.git#main"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"

@ -0,0 +1,17 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptoaarhus-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
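Review bot: `image: docker.data.coop/cryptoaarhus-website` at the top of this hunk carries no tag, so every `pull` resolves to whatever `latest` is in the registry at that moment; the other new compose files pin `{{ services.<name>.version }}`, and this one should too so that a deploy is reproducible and a stray push to the registry cannot silently change what is served. Minor: `VIRTUAL_HOST :` (space before the colon) parses as the intended key but differs from the other keys in the block; drop the space.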

@ -0,0 +1,17 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/cryptohagen-website
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
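Review bot: `image: docker.data.coop/cryptohagen-website` is untagged, so the deployed version depends on what `latest` points at when the pull happens; pin it with a version variable like the other services in this change. Same stray space in `VIRTUAL_HOST :` as in the sibling website files.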

@ -0,0 +1,27 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
prod-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
staging-web:
image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

@ -0,0 +1,26 @@
# vim: ft=yaml.ansible
---
version: "3.5"
services:
diun:
image: "ghcr.io/crazy-max/diun:{{ services.diun.version }}"
command: serve
volumes:
- "./data:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- "TZ=Europe/Paris"
- "DIUN_WATCH_WORKERS=20"
- "DIUN_WATCH_SCHEDULE=0 */6 * * *"
- "DIUN_WATCH_JITTER=30s"
- "DIUN_PROVIDERS_DOCKER=true"
- "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
- "DIUN_NOTIF_MATRIX_HOMESERVERURL=https://{{ services.matrix.domain }}"
- "DIUN_NOTIF_MATRIX_USER={{ services.diun.matrix_user }}"
- "DIUN_NOTIF_MATRIX_ROOMID={{ services.diun.matrix_room }}"
- "DIUN_NOTIF_MATRIX_PASSWORD={{ diun_secrets.matrix_password }}"
- "DIUN_NOTIF_MATRIX_MSGTYPE=text"
labels:
- "diun.enable=true"
restart: always
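Review bot: three points in this hunk. The modeline `# vim: ft=yaml.ansible` and the `---` document marker say Ansible, but this is a compose file like the others in the change (`ft=yaml.docker-compose`), and the `---` is unnecessary. `- "/var/run/docker.sock:/var/run/docker.sock"` mounts the Docker socket read-write although diun only lists containers and images; mount it `:ro` (the netdata file in this same change does so for its socket proxy). `TZ=Europe/Paris` looks copied from the upstream example; the restic job uses `Europe/Copenhagen`, and `DIUN_WATCH_SCHEDULE` is interpreted in whatever zone `TZ` names.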

@ -0,0 +1,23 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: registry:{{ services.docker_registry.version }}
restart: always
networks:
- external_services
volumes:
- "./registry:/var/lib/registry"
- "./auth:/auth"
environment:
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
networks:
external_services:
external: true
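Review bot: `- "./auth:/auth"` can be mounted `:ro`; the registry only reads the htpasswd file. Note for whoever provisions `./auth/htpasswd`: the registry's htpasswd backend accepts bcrypt entries only (`htpasswd -B`), so an MD5 or SHA entry produced by a default `htpasswd` call will simply fail to authenticate.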

@ -0,0 +1,40 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: drone/drone:{{ services.drone.version }}
restart: unless-stopped
networks:
- default
- external_services
volumes:
- ".:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: https://{{ services.forgejo.domain }}
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: true
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
DRONE_SERVER_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
VIRTUAL_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
runner:
image: drone/drone-runner-docker:{{ services.drone.version }}
restart: unless-stopped
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ services.drone.domain }}"
DRONE_RPC_PROTO: https
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: data.coop_drone_runner
networks:
external_services:
external: true
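Review bot: `app` mounts `- "/var/run/docker.sock:/var/run/docker.sock"` but the Drone server never talks to Docker; only `runner` needs the socket, and a read-write socket on the internet-facing server is root-equivalent host access if the server is compromised, so drop it from `app`. `drone/drone-runner-docker:{{ services.drone.version }}` reuses the server's version variable although server and runner are versioned independently, so one of the two images is pinned to a tag that may not exist; give the runner its own variable. `DRONE_GIT_ALWAYS_AUTH: true` is an unquoted YAML boolean; quote it as `"true"` like the other string values (docker-compose v1 rejects non-string environment values, v2 coerces them).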

@ -0,0 +1,22 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: avhost/docker-matrix-element:{{ services.element.version }}
restart: unless-stopped
networks:
- external_services
expose:
- "8080"
volumes:
- "./data:/data"
environment:
VIRTUAL_HOST: "{{ services.element.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.element.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true

@ -1,19 +1,22 @@
# vim: ft=yaml.ansible # vim: ft=yaml.docker-compose
--- version: "3.8"
- name: setup fedi.dk website with unipi
docker_container: services:
name: fedi.dk_website web:
image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }} image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
restart_policy: unless-stopped restart: unless-stopped
purge_networks: yes
networks: networks:
- name: external_services - external_services
env: environment:
VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}" VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}" LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
command: "--remote=https://git.data.coop/fedi.dk/website.git#main" command: --remote=https://git.data.coop/fedi.dk/website.git#main
capabilities: cap_add:
- NET_ADMIN - NET_ADMIN
devices: devices:
- "/dev/net/tun" - "/dev/net/tun"
networks:
external_services:
external: true
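Review bot: the conversion keeps `NET_ADMIN` and `/dev/net/tun`, which the unipi unikernel needs for its tap interface, and drops `purge_networks: yes`; that is fine because the compose service lists only `external_services` under `networks:`, so the container no longer joins a default bridge on top of it, which is what `purge_networks` was ensuring. Worth a comment in the file so the capability and device grant are not removed as "unused" later.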

@ -0,0 +1,38 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
restart: unless-stopped
networks:
- external_services
- postfix
volumes:
- ".:/data"
ports:
- "22:22"
environment:
VIRTUAL_HOST: "{{ services.forgejo.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
FORGEJO__mailer__ENABLED: true
FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }}
FORGEJO__mailer__PROTOCOL: smtp
FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}"
FORGEJO__mailer__SMTP_PORT: "{{ smtp_port }}"
FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
FORGEJO__security__PASSWORD_COMPLEXITY: off
FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
FORGEJO__security__PASSWORD_CHECK_PWN: true
FORGEJO__service__ENABLE_NOTIFY_MAIL: true
FORGEJO__service__REGISTER_EMAIL_CONFIRM: true
networks:
external_services:
external: true
postfix:
external: true
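Review bot: `FORGEJO__security__PASSWORD_COMPLEXITY: off` is read by the YAML parser as the boolean false, not the string `off`, so Forgejo receives `false`, which is not a recognised character class; with no recognised class Forgejo falls back to requiring every class, the opposite of what this line intends. Quote it: `FORGEJO__security__PASSWORD_COMPLEXITY: "off"`, and quote the `true` values (`mailer__ENABLED`, `PASSWORD_CHECK_PWN`, `ENABLE_NOTIFY_MAIL`, `REGISTER_EMAIL_CONFIRM`) for the same reason. `ports: - "22:22"` binds Forgejo's SSH on every host interface on port 22, which collides with the host's own sshd unless that has been moved; bind another port or confirm the host config. `PASSWORD_CHECK_PWN: true` needs outbound HTTPS from the container to the Have I Been Pwned API, and `LOGIN_REMEMBER_DAYS: "60"` keeps remember-me sessions valid for two months; both are deliberate choices worth a comment. The two comment links point at the Gitea docs; Forgejo has its own.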

@ -0,0 +1,44 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.hedgedoc.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: codimd
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: codimd
app:
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
volumes:
- "./hedgedoc/uploads:/hedgedoc/public/uploads"
- "./sso.data.coop.pem:/sso.data.coop.pem"
restart: unless-stopped
networks:
- default
- external_services
environment:
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@db:5432/codimd
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: False
CMD_IMAGE_UPLOAD_TYPE: filesystem
CMD_EMAIL: False
CMD_SAML_IDPCERT: /sso.data.coop.pem
CMD_SAML_IDPSSOURL: https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml
CMD_SAML_ISSUER: hedgedoc
CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
CMD_USECDN: false
CMD_PROTOCOL_USESSL: true
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
depends_on:
- db
networks:
external_services:
external: true
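Review bot: `CMD_ALLOW_EMAIL_REGISTER: False`, `CMD_EMAIL: False`, `CMD_USECDN: false` and `CMD_PROTOCOL_USESSL: true` are unquoted booleans; quote them so every compose version passes them as strings. `app` has `depends_on: - db` with no healthcheck on `db`, so on a cold start HedgeDoc can attempt `CMD_DB_URL` before Postgres accepts connections; add a `pg_isready` healthcheck as the rallly and mastodon files do and use `condition: service_healthy`. `- "./sso.data.coop.pem:/sso.data.coop.pem"` is the SAML IdP certificate and can be mounted `:ro`. The database password appears both in `POSTGRES_PASSWORD` and inside `CMD_DB_URL`, so a rotation has to touch both lines.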

@ -0,0 +1,42 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.keycloak.postgres_version }}
restart: unless-stopped
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: keycloak
app:
image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
command:
- "start"
- "--db=postgres"
- "--db-url=jdbc:postgresql://db:5432/keycloak"
- "--db-username=keycloak"
- "--db-password={{ postgres_passwords.keycloak }}"
- "--hostname={{ services.keycloak.domain }}"
- "--proxy=edge"
- "--https-port=8080"
- "--http-relative-path=/auth"
environment:
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true
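Review bot: `- "--db-password={{ postgres_passwords.keycloak }}"` puts the database password in the container's argv, where any host user can read it from `ps` and where it also shows up in `docker inspect` and compose logs; pass it as `KC_DB_PASSWORD` under `environment` instead (still visible to docker-group users via inspect, but not in the process table). `--https-port=8080` looks like a slip for `--http-port=8080`: with `--proxy=edge` and no certificate Keycloak serves plain HTTP, 8080 is already the HTTP default, and setting the HTTPS port to the same number is at best a no-op. Depending on the pinned `services.keycloak.version`, recent Keycloak releases deprecate `--proxy` in favour of `--proxy-headers` plus `--http-enabled`, so check the startup log for a deprecation warning.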

@ -0,0 +1,146 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.mailu.postgres_version }}
restart: unless-stopped
environment:
POSTGRES_DB: mailu
POSTGRES_USER: mailu
POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
volumes:
- "./postgres:/var/lib/postgresql/data"
dns:
- "{{ services.mailu.dns }}"
redis:
image: redis:{{ services.mailu.redis_version }}
restart: unless-stopped
volumes:
- "./redis:/data"
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
front:
image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
environment:
VIRTUAL_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "./certs:/certs"
- "./overrides/nginx:/overrides:ro"
expose:
- "80"
ports:
- "25:25"
- "465:465"
- "587:587"
- "110:110"
- "995:995"
- "143:143"
- "993:993"
networks:
- default
- webmail
- external_services
depends_on:
- resolver
dns:
- "{{ services.mailu.dns }}"
resolver:
image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
networks:
default:
ipv4_address: "{{ services.mailu.dns }}"
admin:
image: ghcr.io/mailu/admin:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./data:/data"
- "./dkim:/dkim"
networks:
default:
aliases:
- admin.mailu
depends_on:
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
imap:
image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mail:/mail"
- "./overrides/dovecot:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
smtp:
image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./mailqueue:/queue"
- "./overrides/postfix:/overrides:ro"
depends_on:
- front
- resolver
dns:
- "{{ services.mailu.dns }}"
antispam:
image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
hostname: antispam
restart: unless-stopped
env_file: mailu.env
volumes:
- "./filter:/var/lib/rspamd"
- "./overrides/rspamd:/overrides:ro"
depends_on:
- front
- redis
- resolver
dns:
- "{{ services.mailu.dns }}"
webmail:
image: ghcr.io/mailu/webmail:{{ services.mailu.version }}
restart: unless-stopped
env_file: mailu.env
volumes:
- "./webmail:/data"
- "./overrides/snappymail:/overrides:ro"
networks:
- webmail
depends_on:
- front
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ services.mailu.subnet }}"
webmail:
driver: bridge
external_services:
external: true
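Review bot: `front` publishes 25/465/587/110/995/143/993 on all host interfaces and terminates TLS for those itself from `- "./certs:/certs"`, independently of the nginx-proxy/acme-companion certificate used for the web UI via `VIRTUAL_HOST`; the hunk needs a documented path for getting a renewed certificate into `./certs`, otherwise IMAP/SMTP TLS expires while HTTPS keeps working. `postgres` sets `dns:` to the resolver but, unlike `redis`, has no `depends_on: - resolver`; harmless but inconsistent. The `webmail` network is used only by `front` and `webmail` and could be `internal: true`.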

@ -0,0 +1,146 @@
# vim: ft=yaml.docker-compose
x-sidekiq: &sidekiq
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
networks:
- default
- postfix
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
version: "3.8"
services:
db:
restart: always
image: postgres:{{ services.mastodon.postgres_version }}
shm_size: 256mb
volumes:
- "./postgres_data:/var/lib/postgresql/data"
- "./postgres_config:/config:ro"
command: postgres -c config_file=/config/postgresql.conf
environment:
POSTGRES_HOST_AUTH_METHOD: trust
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
redis:
restart: always
image: redis:{{ services.mastodon.redis_version }}
volumes:
- "./redis_data:/data"
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
web:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- default
- external_services
volumes:
- "./mastodon_data:/mastodon/public/system"
environment:
MAX_THREADS: 10
WEB_CONCURRENCY: 3
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "3000"
VIRTUAL_PATH: /
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
streaming:
image: tootsuite/mastodon:{{ services.mastodon.version }}
restart: always
env_file: mastodon.env
command: node ./streaming
networks:
- default
- external_services
ports:
- "127.0.0.1:4000:4000"
environment:
DB_POOL: 15
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "4000"
VIRTUAL_PATH: "/api/v1/streaming"
healthcheck:
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
depends_on:
db:
condition: service_healthy
redis:
condition: service_healthy
# sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-push-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q push -q pull
environment:
DB_POOL: 25
# sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-default-pull-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q default -q pull -q push
environment:
DB_POOL: 25
# sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
sidekiq-pull-default-push:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q pull -q default -q push
environment:
DB_POOL: 25
# sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
sidekiq-push-default-pull:
<<: *sidekiq
command: bundle exec sidekiq -c 25 -q push -q default -q pull
environment:
DB_POOL: 25
# sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-scheduler:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q scheduler
environment:
DB_POOL: 5
# sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
sidekiq-push-mailers:
<<: *sidekiq
command: bundle exec sidekiq -c 5 -q push -q mailers
environment:
DB_POOL: 5
# sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
sidekiq-push-ingress:
<<: *sidekiq
command: bundle exec sidekiq -c 10 -q push -q ingress
environment:
DB_POOL: 10
networks:
external_services:
external: true
postfix:
external: true
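Review bot: `POSTGRES_HOST_AUTH_METHOD: trust` on `db` disables password authentication entirely. `db` declares no `networks:`, so it sits on the project's `default` network together with `web`, `streaming` and every sidekiq worker, all of which are also attached to `external_services` (and the workers to `postfix`); a compromise of any of those containers, or any other container later joined to that network, gets superuser access to the Mastodon database. Set `POSTGRES_PASSWORD` here and the matching `DB_PASS` in `mastodon.env`. Separately, the sidekiq healthcheck `ps aux | grep '[s]idekiq\ 6'` is pinned to the Sidekiq 6 major, so the first Mastodon release that bumps Sidekiq will report every worker unhealthy without anything actually being wrong.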

@ -0,0 +1,36 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.matrix.postgres_version }}
restart: unless-stopped
volumes:
- "./db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: synapse
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
synapse:
image: ghcr.io/element-hq/synapse:{{ services.matrix.version }}
restart: unless-stopped
networks:
- default
- external_services
- postfix
volumes:
- "./data:/data"
environment:
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: INFO
VIRTUAL_HOST: "{{ services.matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
postfix:
external: true
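Review bot: `postgres` has no `POSTGRES_INITDB_ARGS`, so a fresh cluster under `./db` is created with the image's default UTF-8 locale; Synapse requires `LC_COLLATE` and `LC_CTYPE` to be `C` and refuses to set up a new database (and refuses to start on an existing one unless `allow_unsafe_locale` is set) otherwise. Add `POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"`; it only affects a new data directory, an existing `./db` keeps whatever it was created with. `POSTGRES_DB` is also unset, so the database is named after the user (`synapse`); make sure `homeserver.yaml` points at that name.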

@ -0,0 +1,46 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: docker.data.coop/membersystem:{{ services.membersystem.version }}
restart: always
user: "$UID:$GID"
tty: true
networks:
- default
- external_services
- postfix
environment:
SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
POSTGRES_HOST: postgres
POSTGRES_PORT: 5432
EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
VIRTUAL_PORT: "8000"
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
STRIPE_API_KEY: "{{ membersystem_secrets.stripe_api_key }}"
STRIPE_ENDPOINT_SECRET: "{{ membersystem_secrets.stripe_endpoint_secret }}"
depends_on:
- postgres
postgres:
image: postgres:{{ services.membersystem.postgres_version }}
restart: always
volumes:
- "./postgres/data:/var/lib/postgresql/data"
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
networks:
external_services:
external: true
postfix:
external: true
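Review bot: `user: "$UID:$GID"` is substituted by compose from the environment of the process that runs it, not inside the container. Bash sets `UID` but does not export it, and `GID` is not a standard variable at all, so from Ansible, cron or a non-bash shell both expand to empty and the service gets `user: ":"`, which compose rejects; pin the ids explicitly (a services variable, or an `.env` file next to the compose file). Separately, `DATABASE_URL` connects as the `postgres` superuser to the default `postgres` database; a dedicated role with its own database limits what a compromised app container can do. The Stripe keys and `SECRET_KEY` live in `environment` and are therefore visible in `docker inspect`; acceptable here, but they should not appear in compose logs or be echoed by Ansible.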

@ -0,0 +1,36 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: netdata/netdata:{{ services.netdata.version }}
restart: unless-stopped
hostname: hevonen.servers.{{ base_domain }}
volumes:
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/etc/os-release:/host/etc/os-release:ro"
networks:
- default
- external_services
environment:
VIRTUAL_HOST : "{{ services.netdata.domain }}"
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
DOCKER_HOST: "socket_proxy:2375"
cap_add:
- SYS_PTRACE
security_opt:
- apparmor:unconfined
socket-proxy:
image: tecnativa/docker-socket-proxy:latest
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
environment:
CONTAINERS: 1
networks:
external_services:
external: true
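Review bot: `DOCKER_HOST: "socket_proxy:2375"` names a host that does not exist; the service is declared as `socket-proxy` (hyphen), and Compose registers the service name as the DNS entry, so netdata will fail to reach the proxy. The `socket-proxy` service also uses the unpinned `tecnativa/docker-socket-proxy:latest` and has no `restart:` policy, unlike every other service in this set; since that proxy is the only thing standing between netdata and the Docker socket, pin its version like the others (`{{ services.netdata.... }}`) and give it `restart: unless-stopped`.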


@ -0,0 +1,59 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
postgres:
image: postgres:{{ services.nextcloud.postgres_version }}
restart: unless-stopped
volumes:
- "./postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: nextcloud
redis:
image: redis:{{ services.nextcloud.redis_version }}
restart: unless-stopped
command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}
tmpfs:
- /var/lib/redis
cron:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
entrypoint: /cron.sh
volumes:
- "./app:/var/www/html"
depends_on:
- postgres
- redis
app:
image: nextcloud:{{ services.nextcloud.version }}
restart: unless-stopped
networks:
- default
- postfix
- external_services
volumes:
- "./app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: postgres
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
REDIS_HOST: redis
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
depends_on:
- postgres
- redis
networks:
postfix:
external: true
external_services:
external: true
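Review bot: `command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}` places the Redis password in the container's argv, where it is readable via `docker inspect` and in the host process list by anyone who can see that container's processes; a mounted `redis.conf` with `requirepass` set, or a file-based secret, avoids that exposure. Also, `cron` has no `networks:` entry, so it sits only on the default network while `app` is also on `postfix`; any mail that Nextcloud's background jobs send (notification and activity digests) will not be able to reach the SMTP host.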


@ -0,0 +1,38 @@
version: "3.8"
services:
proxy:
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart: always
networks:
- external_services
ports:
- "80:80"
- "443:443"
volumes:
- "./conf:/etc/nginx/conf.d"
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam"
- "./certs:/etc/nginx/certs:ro"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
labels:
- com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
{% if letsencrypt_enabled %}
acme:
image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }}
restart: always
volumes:
- "./vhost:/etc/nginx/vhost.d"
- "./html:/usr/share/nginx/html"
- "./dhparam:/etc/nginx/dhparam:ro"
- "./certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
depends_on:
- proxy
{% endif %}
networks:
external_services:
external: true
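Review bot: the `:ro` on `/var/run/docker.sock:/tmp/docker.sock:ro` only makes the filesystem node read-only; the Docker API reached through that socket is still fully usable, so both `proxy` and `acme` are effectively root-equivalent on the host if either container is compromised. If the goal is to limit that blast radius, front the socket with a filtering proxy (as the netdata stack in this diff already does with `docker-socket-proxy`) and point the two containers at it instead of the raw socket.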


@ -0,0 +1,58 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: osixia/openldap:{{ services.openldap.version }}
restart: unless-stopped
tty: true
stdin_open: true
volumes:
- "./var/lib/ldap:/var/lib/ldap"
- "./etc/slapd.d:/etc/ldap/slapd.d"
- "./certs:/container/service/slapd/assets/certs/"
ports:
- "389:389"
- "636:636"
hostname: "{{ services.openldap.domain }}"
domainname: "{{ services.openldap.domain }}" # important: same as hostname
environment:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: false
LDAP_RFC2307BIS_SCHEMA: false
LDAP_BACKEND: mdb
LDAP_TLS: true
LDAP_TLS_CRT_FILENAME: ldap.crt
LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt
LDAP_TLS_ENFORCE: false
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: demand
LDAP_REPLICATION: false
KEEP_EXISTING_CONFIG: false
LDAP_REMOVE_CONFIG_AFTER_SETUP: true
LDAP_SSL_HELPER_PREFIX: ldap
admin:
image: osixia/phpldapadmin:{{ services.openldap.phpldapadmin_version }}
restart: unless-stopped
networks:
- default
- external_services
environment:
PHPLDAPADMIN_LDAP_HOSTS: app
PHPLDAPADMIN_HTTPS: false
PHPLDAPADMIN_TRUST_PROXY_SSL: true
VIRTUAL_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
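Review bot: `LDAP_TLS_ENFORCE: false` while `ports:` publishes `389:389` on all host interfaces means plaintext simple binds (including the admin password) are accepted from wherever the host is reachable; either set `LDAP_TLS_ENFORCE: true`, bind 389 to the internal interface only (`"127.0.0.1:389:389"`), or publish 636 alone. `LDAP_TLS_PROTOCOL_MIN: "3.1"` is TLS 1.0 in the `olcTLSProtocolMin` numbering; `"3.3"` (TLS 1.2) is the sensible floor, which matches the `SECURE256` cipher suite already chosen.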


@ -0,0 +1,38 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.passit.postgres_version }}
restart: always
volumes:
- "./data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: passit
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
app:
image: passit/passit:{{ services.passit.version }}
command: bin/start.sh
restart: always
networks:
- default
- postfix
- external_services
environment:
DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@db:5432/passit
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: "False"
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
FIDO_SERVER_ID: "{{ services.passit.domain }}"
VIRTUAL_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
postfix:
external: true
external_services:
external: true


@ -0,0 +1,21 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: portainer/portainer-ee:{{ services.portainer.version }}
restart: always
networks:
- external_services
volumes:
- ".:/data"
- "/var/run/docker.sock:/var/run/docker.sock:rw"
environment:
VIRTUAL_HOST: "{{ services.portainer.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
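Review bot: this container gets the Docker socket read-write (`/var/run/docker.sock:/var/run/docker.sock:rw`) and is published on the internet through `VIRTUAL_HOST`, so Portainer's own login is the only barrier between the public web and root on the host. Consider restricting access at the nginx-proxy layer (an `allow`/`deny` vhost snippet in `./vhost` for `{{ services.portainer.domain }}`) or reaching it over a VPN only, and note that `portainer-ee` requires a license to start.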


@ -0,0 +1,22 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: boky/postfix:{{ services.postfix.version }}
restart: always
networks:
postfix:
aliases:
- postfix
volumes:
- "./dkim:/etc/opendkim/keys"
environment:
# Get all services which have allowed_sender_domain defined
ALLOWED_SENDER_DOMAINS: "data.coop {{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as
DKIM_AUTOGENERATE: true
networks:
postfix:
external: true


@ -0,0 +1,20 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
app:
image: jgeusebroek/privatebin:{{ services.privatebin.version }}
restart: unless-stopped
volumes:
- "./cfg:/privatebin/cfg"
- "./data:/privatebin/data"
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true


@ -0,0 +1,41 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
db:
image: postgres:{{ services.rallly.postgres_version }}
restart: always
shm_size: 256mb
volumes:
- "./postgres:/var/lib/postgresql/data"
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
POSTGRES_DB: rallly_db
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 5s
timeout: 5s
retries: 5
app:
image: lukevella/rallly:{{ services.rallly.version }}
restart: always
networks:
- default
- external_services
- postfix
env_file: rallly.env
environment:
VIRTUAL_HOST: "{{ services.rallly.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
depends_on:
db:
condition: service_healthy
networks:
external_services:
external: true
postfix:
external: true


@ -0,0 +1,50 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
backup:
image: mazzolino/restic:{{ services.restic.version }}
restart: always
hostname: {{ inventory_hostname_short }}
domainname: {{ inventory_hostname }}
environment:
RUN_ON_STARTUP: false
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: sftp:{{ services.restic.remote_user }}@{{ services.restic.remote_domain }}:{{ services.restic.repository }}
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
RESTIC_BACKUP_SOURCES: /mnt/volumes
RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes
--exclude '*.tmp'
--exclude '/mnt/volumes/mastodon/mastodon_data/cache/'
--exclude '/mnt/volumes/restic/'
--verbose
RESTIC_FORGET_ARGS: >-
--keep-last 10
--keep-daily 7
--keep-weekly 5
--keep-monthly 12
TZ: Europe/Copenhagen
POST_COMMANDS_FAILURE: /run/libexec/failure.sh
POST_COMMANDS_SUCCESS: /run/libexec/success.sh
volumes:
- "./ssh:/run/secrets/.ssh:ro"
- "./scripts:/run/libexec:ro"
- "/docker-volumes:/mnt/volumes:ro"
networks:
- postfix
prune:
image: mazzolino/restic:{{ services.restic.version }}
environment:
RUN_ON_STARTUP: false
PRUNE_CRON: "0 30 4 * * *"
RESTIC_REPOSITORY: sftp:{{ services.restic.remote_user }}@{{ services.restic.remote_domain }}:{{ services.restic.repository }}
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
TZ: Europe/copenhagen
volumes:
- "./ssh:/run/secrets/.ssh:ro"
networks:
postfix:
external: true
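Review bot: `TZ: Europe/copenhagen` in the `prune` service does not match `TZ: Europe/Copenhagen` in `backup`; tzdata zone names are case-sensitive, so the prune container will not find the zone and `PRUNE_CRON` will fire in UTC rather than at 04:30 local time. The `prune` service is also missing the `restart: always` that `backup` has, so after a host reboot the forget/prune job silently stops running and the repository grows unbounded.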


@ -0,0 +1,22 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: docker.data.coop/unipi:{{ services.slides_2022_website.version }}
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.slides_2022_website.domain }}"
LETSENCRYPT_HOST: "{{ services.slides_2022_website.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
command: --remote=https://git.data.coop/data.coop/slides.git#slides2022
cap_add:
- NET_ADMIN
devices:
- "/dev/net/tun"
networks:
external_services:
external: true
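Review bot: `cap_add: NET_ADMIN` plus the `/dev/net/tun` device is an unusual grant for a container whose only configured job is serving a site pulled from `--remote=https://git.data.coop/data.coop/slides.git#slides2022`; neither is needed for an HTTPS git fetch or for serving static files. If the image genuinely needs a tunnel, a comment stating why would help the next reviewer; otherwise drop both lines so the container keeps the default capability set.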


@ -0,0 +1,17 @@
# vim: ft=yaml.docker-compose
version: "3.8"
services:
web:
image: ulovliglogning/ulovliglogning.dk:latest
restart: unless-stopped
networks:
- external_services
environment:
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains | join(',') }}"
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains | join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
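Review bot: `image: ulovliglogning/ulovliglogning.dk:latest` is the only web service here without a pinned version; every other stack takes its tag from `services.<name>.version`. A floating `latest` makes deployments non-reproducible and means a pushed image is picked up on the next pull without review, so add a `version` key for `ulovliglogning_website` and reference it the same way.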


@ -0,0 +1,21 @@
# vim: ft=yaml.docker-compose
version: '3.3'
services:
uptime-kuma:
image: "louislam/uptime-kuma:{{ services.uptime_kuma.version }}"
restart: always
container_name: uptime-kuma
networks:
- external_services
volumes:
- "./uptime-kuma-data:/app/data"
environment:
VIRTUAL_HOST: "{{ services.uptime_kuma.domain }},{{ services.uptime_kuma.status_domain }}"
LETSENCRYPT_HOST: "{{ services.uptime_kuma.domain }},{{ services.uptime_kuma.status_domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external: true
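Review bot: `version: '3.3'` differs from the `"3.8"` used by every other compose file in this diff, and it lacks the `# vim: ft=yaml.docker-compose` modeline the others carry; aligning both keeps the templates uniform and avoids surprises if a newer-schema key (for example `depends_on` with `condition`, as used in the rallly stack) is later copied into this file.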

Some files were not shown because too many files have changed in this diff.