Add hostname to Restic container

Closes #174

Reviewed-on: #208
Co-authored-by: Víðir Valberg Guðmundsson <valberg@orn.li>
Co-committed-by: Víðir Valberg Guðmundsson <valberg@orn.li>

.gitignore

@@ -1,4 +1,4 @@
-playbook.retry
+*.retry
 *.sw*
 .vagrant/
 *.log

README.md

@@ -26,6 +26,9 @@ Here is a summary of the options that can be used with the script:
 # deploy the ubuntu_base role only
 ./deploy.sh base
 
+# deploy user setup only
+./deploy.sh users
+
 # deploy the docker role only
 ./deploy.sh services
 

Vagrantfile

@@ -13,7 +13,8 @@ Vagrant.configure(2) do |config|
   config.vm.hostname = "datacoop"
 
   config.vm.provider :virtualbox do |v|
-    v.memory = 8192
+    v.cpus = 8
+    v.memory = 16384
   end
 
   config.vm.provision :ansible do |ansible|
@@ -26,7 +27,12 @@ Vagrant.configure(2) do |config|
     if provisioned?
       config.ssh.guest_port = PORT
       ansible.extra_vars = {
-        ansible_port: PORT
+        ansible_port: PORT,
+        from_vagrant: true
+      }
+    else
+      ansible.extra_vars = {
+        from_vagrant: true
       }
     end
   end

ansible.cfg

@@ -1,3 +1,8 @@
 [defaults]
-remote_user = root
+ask_vault_pass = True
 inventory = datacoop_hosts
+interpreter_python = /usr/bin/python3
+remote_user = root
+retry_files_enabled = True
+use_persistent_connections = True
+forks = 10

datacoop_hosts

@@ -1,3 +1,5 @@
-######################################
-### All hosts
-85.209.118.131 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3
+[production]
+hevonen.servers.data.coop ansible_port=19022
+
+[monitoring]
+uptime.data.coop

deploy.sh

@@ -4,14 +4,16 @@ usage () {
     {
         echo "Usage: $0 [--vagrant]"
         echo "Usage: $0 [--vagrant] base"
+        echo "Usage: $0 [--vagrant] users"
         echo "Usage: $0 [--vagrant] services [SERVICE]"
     } >&2
 }
 
-BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
+BASE_CMD="ansible-playbook playbook.yml"
 
 if [ "$1" = "--vagrant" ]; then
     BASE_CMD="$BASE_CMD --verbose --inventory=vagrant_host"
+    VAGRANT_VAR="from_vagrant"
     shift
 fi
 
@@ -28,17 +30,17 @@ else
         "services")
             if [ -z "$2" ]; then
                 echo "Deploying all services!"
-                $BASE_CMD --tags setup_services
+                eval "$BASE_CMD --tags setup_services $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
             else
                 echo "Deploying service: $2"
-                $BASE_CMD --tags setup_services --extra-vars "single_service=$2"
+                $BASE_CMD --tags setup_services --extra-vars '{"single_service": "'"$2"'"'"$(test -z "$VAGRANT_VAR" || printf '%s' ', "'"$VAGRANT_VAR"'": true')"'}'
             fi
         ;;
         "base")
-            $BASE_CMD --tags base_only
+            eval "$BASE_CMD --tags base_only $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
         ;;
         "users")
-            $BASE_CMD --tags setup-users
+            eval "$BASE_CMD --tags setup-users $(test -z "$VAGRANT_VAR" || printf '%s' "$VAGRANT_VAR=true")"
         ;;
         *)
             usage

group_vars/all/secrets.yml

@@ -1,141 +1,170 @@
 $ANSIBLE_VAULT;1.1;AES256
-66323763353537626539666332316663373864616237386436666239366561366431396430626530
-3132383163653632383133393861373235623931636136390a353132383763626437373065663430
-64643662393961303936323265343663656431666563653633646532373563663263616634333764
-3766333631343961370a373237343531383863336632373862663435643239353934626637356365
-30666332626666333530656135343866613161643034383634373736636436636166346562666331
-30396437306263363564363862303737646232623266653032343230303965366338623238343134
-61353835663136383531663765653038323762313932313733646338623931353865363933333338
-39336434373137353738316336663038366334663231616263633565613464306439356235656630
-33396331313036623661353464626263393962306638353433343535613964353966313462613235
-36383563386461353036323164353539616135353761346361313363373266393464363864373633
-33636637366235383264353765383438646130373162323730663363303862333564383439633261
-64663961363161623037393830616466366632633661393463303732323365353665373435633537
-66356166336232366438333533616233363465623034623233363438346139656138336631366231
-33383238633532323665306338643562636135396566663537643733393931316131623262373164
-66393062376666383734393334646463616162363935343363303165393665613066306431366164
-64326564393464646664663839373563353966663063396434313362623664613834626636363233
-33343562343539663332346361316330383830623436306362373966366438653534313561366539
-34356166623562396361356161303739613230333663613232663861313331663233326633643530
-64353933626237636435303736623063373463326265633236653366303039313233623837306132
-65366235663666316631623361303634383539396661323232616338386133373330646365303238
-39306431366337333764373965623563383061323364396564366435376163663139346164323231
-63366435343761303562393933313263303265383237616261663838333430333935626563666162
-31363264356333663337313833353239316163643961393131346136633561623037636130353166
-38646239623433613031646465326431623461383036356266643534346430363033316230656662
-39643636383863336436363134633336613638356635623035313766633335323731343837393536
-31343861336237356234633366643932323366653461373636646131393935656162613238343263
-32333962333239643733333363303233633333383733336262373463623935663531313830653935
-32346334393463636465383738306163326464373961376436663264356165306463353861306361
-37356134346135633137643634656432633366643761616433393239363831323335356639343337
-37623330363333356466636637336563303465343738363638663837653534303364663935313463
-36653333376233343637346365666364393237306531626165333966393663633165356339663765
-66663361643533616539653833303562373834663932626539383363653338636362383633623534
-36653666343835663530393665383863393133353261616139616362353062623137393565323634
-35356163323432303435626336353866303836623064366464336161636162343862333761343030
-64613165646362643366373730643665303261323635313632353439353736376565333662653437
-38396438366539383765653635326265633535363738323835636563666663386435633331616239
-36313166363138653531373061633966633337643530623333646537383231336639343932653634
-32393335636534333963663035303236356436393637363030313031353832623432656233376430
-64333563333433373334643530366164353765346138303730663561356335613239333136326237
-63356566663033313363646664643639386366383765646230343632623061626334623564613338
-34313633326565353839396164663536613561643232353736303336613864313330323638356364
-30633335323438613636343964323431366364633031643235636330623935363266623939336631
-63393733396332636335366539333939383831663039313933343336663539323435373963666131
-33343638303537636134666236616566356234393031343461376439363133393834363565313065
-63333638393236663538616436386164303732383539393261633135643930643435636637373736
-64653333656235656161303166336233393864386263363330643264636263303563636463316364
-65396231393531343265663234366530396665333830343434316433303361333539303734383934
-35383936363435393231353532613534396231366630366461346235613436373537656335393966
-35666661633364326336666238346261616334303936613864633936613130333030343334396235
-30623136343934633636613062353230323961376639373033386132316132623932343432356266
-31333037656630333761633236303136633235636138653133363430613963393738383032643737
-36363037353630643137396661393736383035663963653465613437663865393565626438353264
-61646330343730656539373866363666393636373962366131306264313364366530653035373031
-61306461323038353261353430323133386135623433306564326237643334326264643932316434
-61623066323935373761616463636537666133303863333161393361626661623632656637336639
-36383538346633393265323130633037616364613934376337326566656237373363393738386366
-36386335646432646234336137623663336637323461663538316232656130633863336330383363
-34646530353539336432633165353039663338653139396365373664393030663164666432313265
-63396563306138383166396366616638373631616637633330666463343035333633346437393664
-64353736626432393632643263616139653131663264313466306664616437323739613936653839
-36653366396336376430623962373361343762363465373133663739313536323263633164373230
-35613466643839643831623138393137316661386234336131633763303731393663373364616131
-36383834633738326234663765383662383832323465383534353834633461333265656539633238
-64646665323938613735366165353361356236636163626535376131303464353365366234646438
-65316531356239663838323130393061646562653464633230353337316133333036626161336432
-66303438633139333964633766366262333235303262653733383934313638343336633566666338
-31633132653738326439326439616630323636666361646634663334366566396234633065626162
-38643565353738616232666330326365633264646637623836323761343866336635393436336331
-33663830643934633163353438343436303030343531666335326236376564333466343163643430
-35393031333834366335656431313033643936313839316431396333386135663761633562626163
-39366438393532363430326432356135356532646162306333663163613031336136353132656538
-31653762386538656663346263663531653063626463326534636337303639303561626334633935
-65666139663461343466643861393762316330316431613765653239316537616434626535396139
-35376434356533656336623839656138386565303266396532303665346264623034643664656137
-62633064356566366438626331633933373630363164373434613233386535633532653130376436
-34353336633966313365373439623633353364393838343335306665383361323766353431393662
-31356533333834383832333031386365316461376563646561646333313063393532303162393231
-61336165663938363437396564626430376362353736623232653430613464626234326234663335
-37373633306533363830353662633038306139626136663839383631623230396333313937653733
-39313163316161326263306530353465336363626530333966343934373866303664316536363466
-33343766393561643864366665353239366336323335656665303735326633323432333938323862
-66656230373937396465323731616133336533383966353564663364303538613362313139343865
-64383233613038626437613162663232373666363062373531373331343237306135333230303636
-31626537633637653961666638393330643932656234316363323339353930303738346336646266
-63346234333833376563656264383834363630613932306262376666356663613831393732636532
-64333638616364633965383034356232373065333232623961643239326565623063386339303064
-64653162663239376335383732383838386631333837323238393366363836373463656639646261
-32616238363463333339393138303333326461666663303238343839376632323539396235373766
-66356464393739616138346235643564386664393130613336343235633531646530306236616361
-61656465666566336132383035393636356134633131666438363661646364323764373961343864
-33613963343961626665353733356432346439646638643939626562326364386533366135306433
-34343961323537333233383633343635383436363232666166336131323262613135393532616161
-38633635646563646563303262383461333439653562383564303261303033376337343831343431
-35343632633138626364313433656364613439633531343136316436613231373233326362663736
-33323664306430336235666238336631303735626630336139353764643366353931306437653039
-34383433323662306164363462333934333463646136386564323764663862366235373632666662
-30386266373830636664613332353265366164353035306232353230393838303363613666396539
-66386663366439373566396334653335633662323230656132666631306432663836616462346264
-63346338666337663062626532353835316135616661323563636662333238653933613530313765
-30303864653037393131626631633338326235656632656339326463383061393635346333373730
-65386631336462363436346166366130383235396664303631383065666566343461393838633739
-63636334333462666131393430663335383466313762666134393062373238653730633864323137
-66643639383265656338323063356463626531346561336164656364633733343731373833376261
-33616663323837333266646635393564383439613630336566383336313036333933333230666230
-34646334306666626138333233343332366237646165636538326264663635373438656431636435
-35666334323035663933333764313564393536663335336561343734343662623939336531303235
-64393333313962333737616639663234393833633332643430326163323865613632663463346635
-35326632626363346536663563616334663366613734616562626165376335613165306531303932
-65623031386563326665303536646531306235613034336263393436363536303565656138303931
-30663237306161626130653663663365323030613635343563653465386561626361353532643737
-36626466626234376462373732653936326363376639613563653361366339363538383431383136
-61303134333665393039633263323238623539653233323732363163353762623730306366306134
-65663661633331393137396661313530663638383236656333393638356164643537663935343063
-34383039363832623663323661663530303534636635653631393536653837333766616161623839
-38383830326266353362613232643036393365633261333933363931313830666537363338633337
-66303166393430653263646338653539316234613432373763393664636631383737306236643431
-33396234386562346165346239343838323133653461646165643538666231323561376166393231
-39333534393961656234373235616332306639373764653164393232363535646239383432343963
-36343134363631626434323335303136346536393266363735316437333165366538373535333866
-36626537636465376533616130363564626238356162623539316133306663333763393033333663
-63383462643938373262643435623132653730346564383537633537303034326366616661393062
-31316532383035383632633535303564626238613438653265366261663033326463316366656266
-65636462323832353565383334646239393636323635623230343537646338613861633532343962
-36616432653936356266626533383433376663373838653533366631386262353337383236373166
-33373139323765326135356431613235346431623931333362663463646630336332616337333535
-34336130366564303136653933303233663538353561396430313937363536663961333431323435
-35316537393462316334366163346663623933653861376637336338383837303233623434353238
-34383866636361333061393630376431323165353036373435646566326461333737313038656135
-31623466316339353463393165626236333763396434396638646461393434353132373030613633
-32393032353730656562666431383236653461656566643332363034636134653737343537306136
-65316437376265323439326234653363353336343631363630613533303837313535306666313461
-63623339383432353739616664396666336638316131653133363066633461646336356636376534
-34663730666436613733336439653031306561616263373235346461306335616166303637343462
-38663364636536663764383164306436373563346562643038613065336366363939376136646332
-65353261346434316534313766633139623937366265316130646138656535303031626230326463
-32653530613139313534316132653531613438313339333163376665666539313661663430353336
-32663930326561646536393232393730386464643364366130356464633934316261643435303734
-39363666333362396266343331633266653539343862386535363736333363623035353866363335
-64626339313631306266373338323163393632353433643036353762396162666562653831623235
-39373332626536323866
+30613439636234396439623634656338666330643936373563656336323831353464353239353661
+6234316535383838653865643964353033623935313432630a666563316534343733363464396635
+34396664643137643136633837656432623633383361633336343562333039326538393034616637
+6634613631636433610a663835343739376534356133323163343132323233643135613333313132
+65373233666535366137343839363938303561653731633038376631386161653038613631396364
+33636131636536306134346336636332393436303063306262333430613137376438626133353963
+66396332363335333436623335613966323730616139353762656662386530356435623831656632
+30333363376132653362323339386437346134323232363336363461323332613962613131386264
+37383435653061653466613834346430656632626338316564656136666266353231363661666461
+32646461313365626232376536376463313531613861363462643062326538326234613332646430
+33383438613961623134343665383638346164653031363435656162306163653232353162343431
+38333239393332613466663231383932316330376535383466643233326134623530306361393639
+63386530643733393033646139613730313239313866343730643337393533366330373363353338
+62313739613531636166663135646262396334373538636634393534616337363337323630666261
+39643164363437653661633666376431303662396431633661663933343666613234326637636231
+38383537333532326636343366343564646630363838323162373339323365666262303836636232
+31343637616261636130656637393633383165353332346239323063646162306235313962363935
+64633639653261363563646664393630666564646165393736363562623231626634326163306630
+37613635306136643334616364303439323332666431386264623265323636623738303364396636
+37626161363466646166633434333265623236633033666562643264303662333363396631646638
+36626636363261313966393235313866353936323064343331626362306162323166323063656433
+63303762346330323031353034356162373433356436663134373930633634366330653233613139
+63363639343833616431633765613938623037323961623663336662666135313466303661316133
+39353664633036323031373862393530653433373062623233313965653735353566306538393439
+30366162663138326535346639393337393362366630343266643035353465663332333539613337
+30666666363134313239306231356663343166363137366636643931313039333732383833313036
+37393064396662623063613462336363386336393839313465323062646535373733326338353766
+31666639303836316266343764336462343765363930326338313635336633323662366238356264
+38613631313434383830333031643938393566633236383861633266326336653033663163336132
+61313132643062666434346333653234393865656463343363313636613364616361353561343739
+38313231333431303664323730626162613264343630356438336636373739653234336666646438
+37636437623336323461613063396137396533353265333034333435306666636261353933613232
+65363632383039666666323030323830333534376362326136313232393732613166303461383933
+62303166396533616538666566356238393265663163343264333664393936613066313665616137
+38613030623937633730646461666233333035323661363835313161613930336237396332623338
+30666166636662613130363430333436613532326437393730376536353963356633393736303065
+31393534646537323037316664313438643836386333613961663031383231663932633934656461
+62313163616635626131663961326438396439383432346337386261313330343330353637376330
+38346532396533326135303264613361663836646163623630323832653032396237353966663661
+36353365313962663832393333336138346335363832396535346336643565366465643565616638
+63616565356663623531323935393334326639626236353338643237343764366464666131393332
+64396665343535323339383434366133613235313866653663313639633930323864646536346232
+65316465643662376264373536393232326666663335316631376433343062646361376165363732
+66326165643163333737313139386461363431353239626236366238343035386663363435366464
+31633738336263633961306436613233303861633263343030336637373165663261316632663537
+31613636663163323365303038373134306264343831326264326261633834393366623061616262
+63393463333833393636666232626662643738653634306364326231343830633834643664353730
+37346131346263356539363630363230626364663161643064323538396131636633623866383939
+66346434323935353632633837363530663438636539616130633532346236343661633766383434
+34343339646662393030323661623665643432376365633435666333316439356631386234303062
+35346631656230346565323130333765663933373638303639363530373431343232393864656639
+33666433366131396464323137393239653531376662646235343962613639343831636261326265
+65663564613766313634653938316339306434663463623563316431633234323330623738646636
+37643535623664323433626561383462393033343232303838333930653366376536353765613036
+35663165623265616630373161336632646435613331373166303632373633313865386134636362
+61636134343839643735636461626663626237613262316564646339323933363864303935353834
+39396637646264633736366336616336643032313237653662646331383963366533373766356539
+35306165306534393463663332336430336635666135643561303935386635393838323865623162
+36323565616232353261303139623465646234313136383436376162376165303664613164356162
+33373237333666616135636231653637396330663930663962636161326664333261343737343735
+37313465396130653138613539376436373237343138636535626632326435383234326466363235
+34646663653038396630353637636166346261346233333632363361326536383634663433613564
+35633864343630333033613133626635313931333031643564396164393135346131343832363861
+61366664363838653438653137383933386233633836323332643531303936353237623734666135
+31356166613664636634336536343032646239643130346564303162356431346539646336323339
+61626236346535336638353134353838333434663838303730613363393365633739383563613434
+64336331306639323061386338656361653636353831346237373134346538623464343562393735
+39333764343139333133393233626564643266373034623764633835383561366265636632633937
+62343635343161363231653138613263313562366439316435633964396161343566316435303465
+39666236316339653839313333396264623636663561653932386638366366663933353761353162
+61343038383939396231346534336361306430373564353633653139306334623630343738636430
+66376631366662313131646130363530323232383535333163363466636262363461633232343532
+63626430336261353861633362396638643937623832386638626334663333363637393637373939
+64303039666432303535636265613564376139333331653336666563663238366639393366363334
+36303635633933333832396562373965653361303034653139643466656534326231383162336366
+31656138656539383539396462326134333331653131306537643962653762373035343235333233
+34373730623663346430303962653061623330653263393633383835663739663961326566323036
+30336365616532303362396230616531386639333636336332366335613935623836616134393033
+62653535396630383436393631396337336163323361663930323532633666663238333366383462
+36393261376262643336643761613731643032626632646332366661626331333233363436613937
+34653731666137313733653863396164323963383037353265373532303137623037343733616537
+66336433343334626536323639636139653931383466633833326234633332613431353432343561
+36626339656536383862623833633634356435393764316633353135326639623534366538313330
+62633333303266613630326330333336353264343937393864393239623664323366373565383334
+37383237376664643065383834633961366632643261343635336335353765353863323131653866
+31326531303461323736303730623638663863353939636437636231636437323730656463633733
+65383934343534383631363162363830386365313935663337366335326131393262353030663765
+30643665383332613030336439346332363135366232303166623534333637366133656437643231
+30306634636430643864363561316334383530613165326663326665613633636237353830393334
+62653333623563626131666166646335663334393662336337333836376631303631666136376332
+37316537356531346464623363653033306537636239633065646533643239653063613835363665
+30383139326465613864316533643033333430326230646334353364633138666532353736313265
+34623733613864646661353730666433613961643261346166303264386435643565373565323864
+61346465336231613865363263303034396439346163393534666439666437353266323565653032
+39386439646438313938356237643831643434666161383632316530356465616632313235643834
+33303865653836303632656663366465333331616634313863656438393838636631313364633637
+38646230643734393733663261326161376536643237626130353831363731306231313864613066
+34623239396362336639363163313161323065653461363563353631613730373830643133336464
+31336439636361363539383539323631303462633833353032373530333539336538363033383363
+32613733623839623938326165356237313165383366646233393933393965613363666532646434
+63316133613130313363303537366230646235663130313538333761633237383262316633366364
+65373664616237316534613831313966623939396331626334313430386638653461386334363939
+35333339643837666264356535643365353331393437313866643034663934336466336534343035
+61313837666662343363613962623462333935353837333336363839623466303534303837396634
+38656330666661356235626130303538666533666563323936633564383164633834353831306634
+36343836353464623962333362353133386563343831336463646635646263383832666232323736
+38613730316634373365343938623237356231643931303333366462373134383137366339613662
+62643832323734363635643634373066303366306366663036623139393761636533326130313336
+30316536396466383463393233363035393335343565323635333665346464366139626165636661
+39363066643437613537653836636363376532643038363063383234353066313737663061363334
+38306563613561663165623630366135303332636133343733343836383865613661393761333031
+62653162626461616564643138613737623632313739393962396439306133646138303936636435
+39393663653865363166316365376562353461633163353734343132343831386434653037323732
+36356162356336616330636630376438636165653439376137313934663939376639396266323962
+37383736333536653438363963316435326632393966383534326337303336386135616636363936
+35393331313938653830646332376631623763383439623633396433633739663038313264323835
+33373664313562366664363630316132643465363964383339363339656237323465626262306364
+33306133373065303135613235623262396365363634316365356364373561363762666235666430
+62336362643564313238363933623366396138646237336336623062326161326536323534326364
+39316162643966616436343737313434616230346237346237363962653033613930623462386431
+38343662356665383763633034393236613733643430313937326335356466376139653533333965
+39386138623134666132663837616637376362303561393133656139653438386363613965393661
+36343566643931393061373031343331336463643034383065383763663234373438383064303232
+64666236313935346237666466333562613935646163653331303661386138313739326538353935
+64323737323532663731353136336138633533386464616362333838396332323563353537613430
+33633631326238366166346437316638363161386562383630623466386564323266333033313461
+63666535363034613232346239636233623130393032353030363334333531646238373262323765
+61373739396162643661353031613663353531653836323730326166383463613330333966336233
+30386136346466336361303237303534373064353230653238363231633530613866663461643465
+30396266356164353063323432663561396564636231346534366661663766613634376235356637
+39313839616336666461313431326430333932623262333437386464636264373430653566386631
+64653866623662363864376663613136306165393863346533303634623936373835633864313462
+61333562646233303232623861366634383466633537383831626334356561353637663038643531
+39386635326366646134333231653737653630356135396634326537633232333166616161653136
+33393562383233656564356530386465623239386666313964343534343466616134373132636631
+39666365393063323838343963366339373434353839383039383238613133636237316365323861
+30626330643665626465666338353030653839383234393237623633646566376361646536353233
+31393235623561323765633835313139313538343761393064353632316335656231353930656437
+31313639313931636633333230653730666638373864326239333561393134356632623138366131
+65356462373336383039316131626562633330666363386631383663343838393435663538343934
+65386339626362623664393532386131303234633466363437383236616463343831353862323961
+39663835313234326137303965663963663761656531653437343234643634316565333762663139
+65393830633237623031303234636134633539316131396135616237316266333437633861303831
+62656630373763343366636635653033666630613533363365636261323661383364343161343439
+35626531346665656263643461306261376238353033343032353731373861333239333862653231
+31336562653133623163353230633331346237356534333534613161323462636639636662623435
+63633035336662376636623339326433393035646539626231363762643532323463316263393736
+62613038333733636362356636373331313661663830633433643039653233626261613739663836
+38643030313338383266323134326337323334343230623331386664333937316266623134336362
+61373037353664623863393233376264616438656332386130316361663665323135386463383763
+33303633356133353439393664363630336133306364363430393232326665393339323265383630
+31656463343064383837333630366465396633393465666235626330343937313630623039383465
+63326361663238653035613935343932623237396362643833313731323830313962616362613539
+32346165303930323739313837643933363863643937346561643930653530393636383036613235
+61376166386563643733333233343437623630323632643463353131386461663936313065313562
+31393032646262386634353436643466323731366631393136393433616332613036666163336635
+37303365633338613630656463663533653336666562653236336264303238383930383132346365
+35386662636439653930343738633265363635626132343030653462306431363234633635643537
+61666363346430653131623762666564313665653262386332396532646339383136383337353863
+38386632316632373338653535323335363265653563376330663239343861346563646366313039
+33306364623536346339393566326533633133393866303535326535306435626531346264616138
+34356231373561633337653663643566633632393330386564393966666365306565316135646163
+63366365383839343134303635376233343865663631633331333230616630366633396231333435
+30366137383238393139336433353764633038616238326136663636656132626538393565393130
+38653765326137393136386233383636383165613235373437353730306564643033306534386666
+61623538663537653166313264303533623162356134393333373732383535386261333535383039
+65613166666230336265366335323434636336663835323034373930393430363065376665666337
+35363265666130653830333536326433316639613638613730666139623137333736663535633032
+33363135376636636536623731323134343237393633333038393364376237386165

group_vars/all/secrets.yml.contents

@@ -1,14 +1,14 @@
 # These are the variables contained in secrets.yml
 # Secrets are usually 32 characters or more, matching [a-Z0-9]
-
+---
 postgres_passwords:
   nextcloud: xxx
   passit: xxx
   gitea: xxx
   matrix: xxx
-  codimd: xxx
   mailu: xxx
   keycloak: xxx
+  hedgedoc: xxx
   mastodon: xxx
   rallly: xxx
   membersystem: xxx
@@ -31,8 +31,9 @@ drone_secrets:
   rpc_shared_secret: xxx
 
 restic_secrets:
-  user_secret: xxx
-  encryption_secret: xxx
+  repository_password: xxx
+  ssh_privkey: xxx
+  uptime_kuma_url: xxx
 
 matrix_secrets:
   registration_shared_secret: xxx

group_vars/all/vars.yml

@@ -31,4 +31,5 @@ users:
     groups:
       - sudo
     ssh_keys:
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf
+      - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
+      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332

playbook.yml

@@ -1,12 +1,12 @@
 # vim: ft=yaml.ansible
 ---
-- hosts: all
+- hosts: production
   gather_facts: true
   become: true
   vars:
     ldap_dn: "dc=data,dc=coop"
 
-    vagrant: "{{ ansible_virtualization_role == 'guest' }}"
+    vagrant: "{{ from_vagrant is defined and from_vagrant }}"
     letsencrypt_enabled: "{{ not vagrant }}"
 
     base_domain: "{{ 'datacoop.devel' if vagrant else 'data.coop' }}"
@@ -15,6 +15,9 @@
     smtp_host: "postfix"
     smtp_port: "587"
 
+    services_exclude:
+      - uptime_kuma
+
   tasks:
     - import_role:
         name: ubuntu_base

roles/docker/defaults/main.yml

@@ -1,206 +1,227 @@
 # vim: ft=yaml.ansible
 ---
 volume_root_folder: "/docker-volumes"
+volume_website_folder: "{{ volume_root_folder }}/websites"
 
 services:
-
   ### Internal services ###
   postfix:
-    file: postfix.yml
     domain: "smtp.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/postfix"
-    version: "v3.5.1-alpine"
+    pre_deploy_tasks: true
+    version: "v3.6.1-alpine"
 
   nginx_proxy:
-    file: nginx_proxy.yml
-    version: "1.0-alpine"
     volume_folder: "{{ volume_root_folder }}/nginx"
-
-  nginx_acme_companion:
-    version: "2.2"
+    pre_deploy_tasks: true
+    version: "1.3-alpine"
+    acme_companion_version: "2.2"
 
   openldap:
-    file: openldap.yml
     domain: "ldap.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/openldap"
+    pre_deploy_tasks: true
     version: "1.5.0"
-
-  phpldapadmin:
-    version: "0.9.0"
+    phpldapadmin_version: "0.9.0"
 
   netdata:
-    file: netdata.yml
     domain: "netdata.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/netdata"
     version: "v1"
 
   portainer:
-    file: portainer.yml
     domain: "portainer.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/portainer"
-    version: "2.16.2"
+    version: "2.19.0"
 
   keycloak:
-    file: keycloak.yml
     domain: sso.{{ base_domain }}
     volume_folder: "{{ volume_root_folder }}/keycloak"
-    version: "20.0"
+    version: "22.0"
     postgres_version: "10"
     allowed_sender_domain: true
 
   restic:
-    file: restic_backup.yml
-    user: "datacoop"
-    domain: "restic.cannedtuna.org"
-    repository: "datacoop-hevonen"
-    version: "1.6.0"
+    volume_folder: "{{ volume_root_folder }}/restic"
+    pre_deploy_tasks: true
+    remote_user: dc-user
+    remote_domain: rynkeby.skovgaard.tel
+    host_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLGol2G+a87ssy0nu/STKBZSiGyhZhZKx/ujfe9IeFo
+    repository: restic
+    version: "1.7.0"
     disabled_in_vagrant: true
+    # mail dance
+    domain: "noreply.{{ base_domain }}"
+    allowed_sender_domain: true
+    mail_from: "backup@noreply.{{ base_domain }}"
 
   docker_registry:
-    file: docker_registry.yml
     domain: "docker.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/docker-registry"
+    pre_deploy_tasks: true
+    post_deploy_tasks: true
     username: "docker"
     password: "{{ docker_password }}"
     version: "2"
 
   ### External services ###
-
   nextcloud:
-    file: nextcloud.yml
     domain: "cloud.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/nextcloud"
-    version: 25-apache
+    pre_deploy_tasks: true
+    version: 28-apache
     postgres_version: "10"
     redis_version: 7-alpine
     allowed_sender_domain: true
 
-  gitea:
-    file: gitea.yml
+  forgejo:
     domain: "git.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/gitea"
-    version: 1.18
+    volume_folder: "{{ volume_root_folder }}/forgejo"
+    version: "1.21.8-0"
     allowed_sender_domain: true
 
   passit:
-    file: passit.yml
     domain: "passit.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/passit"
     version: stable
-    postgres_version: "10"
+    postgres_version: 15-alpine
     allowed_sender_domain: true
 
   matrix:
-    file: matrix_riot.yml
     domain: "matrix.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/matrix"
-    version: v1.63.1
-    postgres_version: "10"
+    pre_deploy_tasks: true
+    version: v1.98.0
+    postgres_version: 15-alpine
     allowed_sender_domain: true
 
-  riot:
-    domains:
-      - "riot.{{ base_domain }}"
-      - "element.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/riot"
-    version: v1.11.8
+  element:
+    domain: "element.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/element"
+    pre_deploy_tasks: true
+    version: v1.11.51
 
   privatebin:
-    file: privatebin.yml
     domain: "paste.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/privatebin"
-    version: 20221009
-
-  codimd:
-    file: codimd.yml
-    domain: "oldpad.{{ base_domain }}"
-    volume_folder: "{{ volume_root_folder }}/codimd"
+    pre_deploy_tasks: true
+    version: "20221009"
 
   hedgedoc:
-    file: hedgedoc.yml
     domain: "pad.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/hedgedoc"
-    version: 1.9.6-alpine
+    pre_deploy_tasks: true
+    version: 1.9.9-alpine
     postgres_version: 10-alpine
 
   data_coop_website:
-    file: websites/data.coop.yml
-    domains:
-      - "{{ base_domain }}"
-      - "www.{{ base_domain }}"
-
-  new_data_coop_website:
-    file: websites/new.data.coop.yml
-    domain: "new.{{ base_domain }}"
-    version: hugo
+    domain: "{{ base_domain }}"
+    www_domain: "www.{{ base_domain }}"
+    volume_folder: "{{ volume_website_folder }}/datacoop"
+    pre_deploy_tasks: true
+    version: stable
+    staging_domain: "staging.{{ base_domain }}"
+    staging_version: staging
 
   slides_2022_website:
-    file: websites/2022.slides.data.coop.yml
     domain: "2022.slides.{{ base_domain }}"
+    volume_folder: "{{ volume_website_folder }}/slides-2022"
+    version: latest
+
+  fedi_dk_website:
+    domain: fedi.dk
+    volume_folder: "{{ volume_website_folder }}/fedidk"
+    version: latest
+
+  vhs_website:
+    domain: vhs.data.coop
+    volume_folder: "{{ volume_website_folder }}/vhs"
     version: latest
 
   cryptohagen_website:
-    file: websites/cryptohagen.dk.yml
     domains:
       - "cryptohagen.dk"
       - "www.cryptohagen.dk"
+    volume_folder: "{{ volume_website_folder }}/cryptohagen"
 
   ulovliglogning_website:
-    file: websites/ulovliglogning.dk.yml
     domains:
       - "ulovliglogning.dk"
       - "www.ulovliglogning.dk"
       - "ulovlig-logning.dk"
+      - "www.ulovlig-logning.dk"
+    volume_folder: "{{ volume_website_folder }}/ulovliglogning"
 
   cryptoaarhus_website:
-    file: websites/cryptoaarhus.dk.yml
     domains:
       - "cryptoaarhus.dk"
       - "www.cryptoaarhus.dk"
+    volume_folder: "{{ volume_website_folder }}/cryptoaarhus"
 
   drone:
-    file: drone.yml
     domain: "drone.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/drone"
-    version: 1
+    version: "1"
 
   mailu:
-    file: mailu.yml
-    version: 1.9
     domain: "mail.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/mailu"
+    pre_deploy_tasks: true
     dns: 192.168.203.254
     subnet: 192.168.203.0/24
-    volume_folder: "{{ volume_root_folder }}/mailu"
+    version: "2.0"
+    postgres_version: 14-alpine
+    redis_version: alpine
 
   mastodon:
-    file: mastodon.yml
     domain: "social.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/mastodon"
-    version: v4.0.2
+    pre_deploy_tasks: true
+    post_deploy_tasks: true
+    version: v4.2.8
     postgres_version: 14-alpine
     redis_version: 6-alpine
     allowed_sender_domain: true
 
   rallly:
-    file: rallly.yml
     domain: "when.{{ base_domain }}"
     volume_folder: "{{ volume_root_folder }}/rallly"
-    version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114
+    pre_deploy_tasks: true
+    version: "2"
     postgres_version: 14-alpine
     allowed_sender_domain: true
 
-  pinafore:
-    file: pinafore.yml
-    domain: "pinafore.{{ base_domain }}"
-    version: v2.5.0
-
   membersystem:
-    file: membersystem.yml
     domain: "member.{{ base_domain }}"
     django_admins: "Vidir:valberg@orn.li"
+    volume_folder: "{{ volume_root_folder }}/membersystem"
     version: latest
     postgres_version: 13-alpine
     allowed_sender_domain: true
 
+  writefreely:
+    domain: "write.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/writefreely"
+    pre_deploy_tasks: true
+    version: v0.15.0
+    mariadb_version: "11.2"
+    allowed_sender_domain: true
+
   watchtower:
-    file: watchtower.yml
-    version: amd64-1.5.1
+    volume_folder: "{{ volume_root_folder }}/watchtower"
+    version: "1.5.3"
+
+  diun:
+    version: "4.27"
+    volume_folder: "{{ volume_root_folder }}/diun"
+
+  ### Uptime monitoring ###
+  uptime_kuma:
+    domain: "uptime.{{ base_domain }}"
+    status_domain: "status.{{ base_domain }}"
+    volume_folder: "{{ volume_root_folder }}/uptime_kuma"
+    pre_deploy_tasks: true
+    version: "latest"
+
+services_exclude: []
+services_include: "{{ services | dict2items | map(attribute='key') | list | difference(services_exclude) }}"

roles/docker/files/vhost/uptime_kuma

@@ -0,0 +1,4 @@
+proxy_set_header   Upgrade $http_upgrade;
+proxy_set_header   Connection "upgrade";
+proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header   Host $host;

roles/docker/handlers/main.yml

@@ -1,8 +1,6 @@
 # vim: ft=yaml.ansible
 ---
-- name: "restart nginx"
-  community.docker.docker_container:
-    name: "nginx-proxy"
-    restart: "yes"
-    state: "started"
-  
+- name: restart nginx
+  command: docker compose restart proxy
+  args:
+    chdir: "{{ services.nginx_proxy.volume_folder }}"

roles/docker/tasks/block.yml

@@ -0,0 +1,26 @@
+# vim: ft=yaml.ansible
+---
+- name: Create volume folder for service {{ service.name }}
+  file:
+    name: "{{ service.vars.volume_folder }}"
+    state: directory
+
+- name: Upload Compose file for service {{ service.name }}
+  template:
+    src: compose-files/{{ service.name }}.yml.j2
+    dest: "{{ service.vars.volume_folder }}/docker-compose.yml"
+    owner: root
+    mode: u=rw,go=
+
+- name: Run pre-deployment tasks for service {{ service.name }}
+  include_tasks: pre_deploy/{{ service.name }}.yml
+  when: service.vars.pre_deploy_tasks is defined and service.vars.pre_deploy_tasks
+
+- name: Deploy Compose stack for service {{ service.name }}
+  command: docker compose up -d --remove-orphans --pull always
+  args:
+    chdir: "{{ service.vars.volume_folder }}"
+
+- name: Run post-deployment tasks for service {{ service.name }}
+  include_tasks: post_deploy/{{ service.name }}.yml
+  when: service.vars.post_deploy_tasks is defined and service.vars.post_deploy_tasks

roles/docker/tasks/main.yml

@@ -1,38 +1,44 @@
 # vim: ft=yaml.ansible
 ---
-- name: add docker gpg key
+- name: Add Docker PGP key
   apt_key:
     keyserver: pgp.mit.edu
     id: 8D81803C0EBFCD88
     state: present
 
-- name: add docker apt repository
+- name: Add Docker apt repository
   apt_repository:
     repo: deb https://download.docker.com/linux/ubuntu bionic stable
     state: present
     update_cache: yes
 
-- name: install docker-ce
+- name: Install Docker
   apt:
-    name: docker-ce
-    state: present
-
-- name: install docker python bindings
-  pip:
-    executable: pip3
-    name: "{{ packages }}"
+    name: "{{ pkgs }}"
     state: present
   vars:
-    packages:
-      - docker
-      - docker-compose
+    pkgs:
+      - docker-ce
+      - docker-compose-plugin
 
-- name: create folder structure for bind mounts
+- name: Configure cron job to prune unused Docker data weekly
+  cron:
+    name: Prune unused Docker data
+    cron_file: ansible_docker_prune
+    job: 'docker system prune -fa && docker volume prune -fa'
+    special_time: weekly
+    user: root
+    state: present
+
+- name: Create folder structure for bind mounts
   file:
-    name: "{{ volume_root_folder }}"
+    name: "{{ item }}"
     state: directory
+  loop:
+    - "{{ volume_root_folder }}"
+    - "{{ volume_website_folder }}"
 
-- name: setup services
+- name: Set up services
   import_tasks: services.yml
   tags:
     - setup_services

roles/docker/tasks/post_deploy/docker_registry.yml

@@ -0,0 +1,13 @@
+# vim: ft=yaml.ansible
+---
+- name: Generate htpasswd file
+  shell: docker compose exec registry htpasswd -Bbn docker {{ docker_password }} > auth/htpasswd
+  args:
+    chdir: "{{ services.docker_registry.volume_folder }}"
+    creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
+
+- name: log in to registry
+  docker_login:
+    registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
+    username: docker
+    password: "{{ docker_password }}"

roles/docker/tasks/post_deploy/mastodon.yml

@@ -0,0 +1,19 @@
+# vim: ft=yaml.ansible
+---
+- name: Configure cron job to remove old Mastodon media daily
+  cron:
+    name: Clean Mastodon media data older than a week
+    cron_file: ansible_mastodon_clean_media
+    job: docker exec mastodon-web-1 tootctl media remove --days 7
+    special_time: daily
+    user: root
+    state: present
+
+- name: Configure cron job to remove old Mastodon preview cards daily
+  cron:
+    name: Clean Mastodon preview card data older than two weeks
+    cron_file: ansible_mastodon_clean_preview_cards
+    job: docker exec mastodon-web-1 tootctl preview_cards remove --days 14
+    special_time: daily
+    user: root
+    state: present

roles/docker/tasks/pre_deploy/data_coop_website.yml

@@ -0,0 +1,11 @@
+# vim: ft=yaml.ansible
+---
+- name: Upload vhost config for root domain
+  copy:
+    src: vhost/base_domain
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.domain }}"
+
+- name: Upload vhost config for WWW domain
+  copy:
+    src: vhost/www.base_domain
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.data_coop_website.www_domain }}"

roles/docker/tasks/pre_deploy/docker_registry.yml

@@ -0,0 +1,17 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    path: "{{ services.docker_registry.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - auth
+    - registry
+  loop_control:
+    loop_var: volume
+
+- name: Copy docker registry vhost configuration
+  copy:
+    src: vhost/docker_registry
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.docker_registry.domain }}"
+    mode: "0644"

roles/docker/tasks/pre_deploy/element.yml

@@ -0,0 +1,21 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolder
+  file:
+    name: "{{ services.element.volume_folder }}/data"
+    state: directory
+
+- name: Upload config.json
+  template:
+    src: element/config.json.j2
+    dest: "{{ services.element.volume_folder }}/data/config.json"
+
+- name: Upload riot.im.conf
+  copy:
+    src: element/riot.im.conf
+    dest: "{{ services.element.volume_folder }}/data/riot.im.conf"
+
+- name: Upload vhost config for Element domain
+  copy:
+    src: vhost/element
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.element.domain }}"

roles/docker/tasks/pre_deploy/hedgedoc.yml

@@ -0,0 +1,17 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - db
+    - hedgedoc/uploads
+  loop_control:
+    loop_var: volume
+
+- name: Copy SSO certificate
+  copy:
+    src: sso/sso.data.coop.pem
+    dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
+    mode: "0644"

roles/docker/tasks/pre_deploy/mailu.yml

@@ -0,0 +1,45 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    name: "{{ services.mailu.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - redis
+    - certs
+    - data
+    - dkim
+    - mail
+    - mailqueue
+    - filter
+    - postgres
+    - webmail
+    - overrides
+    - overrides/nginx
+    - overrides/dovecot
+    - overrides/postfix
+    - overrides/rspamd
+    - overrides/snappymail
+  loop_control:
+    loop_var: volume
+
+- name: Upload mailu.env file
+  template:
+    src: mailu/env.j2
+    dest: "{{ services.mailu.volume_folder }}/mailu.env"
+
+- name: Hard link to Let's Encrypt TLS certificate
+  file:
+    src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
+    dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
+    state: hard
+    force: true
+  when: letsencrypt_enabled
+
+- name: Hard link to Let's Encrypt TLS key
+  file:
+    src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
+    dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
+    state: hard
+    force: true
+  when: letsencrypt_enabled

roles/docker/tasks/pre_deploy/mastodon.yml

@@ -0,0 +1,45 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolder for Mastodon data
+  file:
+    name: "{{ services.mastodon.volume_folder }}/mastodon_data"
+    state: directory
+    owner: "991"
+    mode: u=rwx,g=rx,o=rx
+
+- name: Create subfolder for PostgreSQL data
+  file:
+    name: "{{ services.mastodon.volume_folder }}/postgres_data"
+    state: directory
+    owner: "70"
+    mode: u=rwx,go=
+
+- name: Create subfolder for PostgreSQL config
+  file:
+    name: "{{ services.mastodon.volume_folder }}/postgres_config"
+    state: directory
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+
+- name: Create subfolder for Redis data
+  file:
+    name: "{{ services.mastodon.volume_folder }}/redis_data"
+    state: directory
+    owner: "999"
+    group: "1000"
+    mode: u=rwx,g=rx,o=rx
+
+- name: Upload mastodon.env file
+  template:
+    src: mastodon/env.j2
+    dest: "{{ services.mastodon.volume_folder }}/mastodon.env"
+
+- name: Upload vhost config for Mastodon domain
+  copy:
+    src: vhost/mastodon
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
+
+- name: Upload PostgreSQL config
+  copy:
+    src: mastodon/postgresql.conf
+    dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"

roles/docker/tasks/pre_deploy/matrix.yml

@@ -0,0 +1,34 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    name: "{{ services.matrix.volume_folder }}/{{ volume }}"
+    state: directory
+    owner: "991"
+    group: "991"
+  loop:
+    - data
+    - data/uploads
+    - data/media
+  loop_control:
+    loop_var: volume
+
+- name: Create Matrix DB subfolder
+  file:
+    name: "{{ services.matrix.volume_folder }}/db"
+    state: directory
+
+- name: Upload vhost config for Matrix domain
+  copy:
+    src: vhost/matrix
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
+
+- name: Upload homeserver.yaml
+  template:
+    src: matrix/homeserver.yaml.j2
+    dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
+
+- name: Upload Matrix logging config
+  copy:
+    src: matrix/log.config
+    dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"

roles/docker/tasks/pre_deploy/nextcloud.yml

@@ -0,0 +1,17 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    path: "{{ services.nextcloud.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - app
+    - postgres
+  loop_control:
+    loop_var: volume
+
+- name: Upload vhost config for Nextcloud domain
+  copy:
+    src: vhost/nextcloud
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
+  notify: "restart nginx"

roles/docker/tasks/pre_deploy/nginx_proxy.yml

@@ -0,0 +1,14 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - conf
+    - vhost
+    - html
+    - dhparam
+    - certs
+  loop_control:
+    loop_var: volume

roles/docker/tasks/pre_deploy/openldap.yml

@@ -0,0 +1,12 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    name: "{{ services.openldap.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - var/lib/ldap
+    - etc/slapd
+    - certs
+  loop_control:
+    loop_var: volume

roles/docker/tasks/pre_deploy/postfix.yml

@@ -0,0 +1,13 @@
+# vim: ft=yaml.ansible
+---
+- name: Set up network for Postfix
+  docker_network:
+    name: postfix
+    ipam_config:
+      - subnet: '172.16.0.0/16'
+        gateway: 172.16.0.1
+
+- name: Create subfolder
+  file:
+    name: "{{ services.postfix.volume_folder }}/dkim"
+    state: directory

roles/docker/tasks/pre_deploy/privatebin.yml

@@ -0,0 +1,16 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolders
+  file:
+    name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - cfg
+    - data
+  loop_control:
+    loop_var: volume
+
+- name: Upload PrivateBin config
+  copy:
+    src: privatebin/conf.php
+    dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"

roles/docker/tasks/pre_deploy/rallly.yml

@@ -0,0 +1,11 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolder
+  file:
+    name: "{{ services.rallly.volume_folder }}/postgres"
+    state: directory
+
+- name: Copy rallly.env file
+  template:
+    src: rallly/env.j2
+    dest: "{{ services.rallly.volume_folder }}/rallly.env"

roles/docker/tasks/pre_deploy/restic.yml

@@ -0,0 +1,72 @@
+# vim: ft=yaml.ansible
+---
+- name: Create SSH directory
+  file:
+    path: "{{ services.restic.volume_folder }}/ssh"
+    owner: root
+    group: root
+    mode: '0755'
+    state: directory
+
+- name: Upload private SSH key
+  copy:
+    dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
+    owner: root
+    group: root
+    mode: '0600'
+    content: "{{ restic_secrets.ssh_privkey }}"
+
+- name: Derive public SSH key
+  shell: >-
+    ssh-keygen -f {{ services.restic.volume_folder }}/ssh/id_ed25519 -y
+      > {{ services.restic.volume_folder }}/ssh/id_ed25519.pub
+  args:
+    creates: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
+
+- name: Set file permissions on public SSH key
+  file:
+    path: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
+    owner: root
+    group: root
+    mode: '0644'
+    state: touch
+
+- name: Upload SSH config
+  template:
+    src: restic/ssh.config.j2
+    dest: "{{ services.restic.volume_folder }}/ssh/config"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Upload SSH known_hosts file
+  template:
+    src: restic/ssh.known_hosts.j2
+    dest: "{{ services.restic.volume_folder }}/ssh/known_hosts"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Create scripts directory
+  file:
+    path: "{{ services.restic.volume_folder }}/scripts"
+    owner: root
+    group: root
+    mode: '0755'
+    state: directory
+
+- name: Upload failure.sh script
+  template:
+    src: restic/failure.sh.j2
+    dest: "{{ services.restic.volume_folder }}/scripts/failure.sh"
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Upload success.sh script
+  template:
+    src: restic/success.sh.j2
+    dest: "{{ services.restic.volume_folder }}/scripts/success.sh"
+    owner: root
+    group: root
+    mode: '0755'

roles/docker/tasks/pre_deploy/uptime_kuma.yml

@@ -0,0 +1,9 @@
+- name: Upload vhost config for uptime domain
+  copy:
+    src: vhost/uptime_kuma
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.domain }}_location"
+
+- name: Upload vhost config for status domain
+  copy:
+    src: vhost/uptime_kuma
+    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.uptime_kuma.status_domain }}_location"

roles/docker/tasks/pre_deploy/writefreely.yml

@@ -0,0 +1,20 @@
+# vim: ft=yaml.ansible
+---
+- name: Create subfolder for MariaDB data
+  file:
+    name: "{{ services.writefreely.volume_folder }}/db"
+    owner: "999"
+    group: "999"
+    state: directory
+
+- name: Create subfolder for encryption keys
+  file:
+    name: "{{ services.writefreely.volume_folder }}/keys"
+    owner: "2"
+    group: "2"
+    state: directory
+
+- name: Upload config.ini
+  template:
+    src: "writefreely/config.ini.j2"
+    dest: "{{ services.writefreely.volume_folder }}/config.ini"

roles/docker/tasks/services.yml

@@ -1,19 +1,28 @@
 # vim: ft=yaml.ansible
 ---
-- name: setup external services network
+- name: Set up external services network
   docker_network:
     name: external_services
 
-- name: setup services
-  include_tasks: "services/{{ item.service.file }}"
-  loop: "{{ services | dict2items(value_name='service') }}"
+- name: Deploy all services
+  include_tasks:
+    file: block.yml
+  vars:
+    service:
+      name: "{{ item }}"
+      vars: "{{ services[item] }}"
+  loop: "{{ services_include }}"
   when: single_service is not defined and
-        item.service.file is defined and
-        item.service.disabled_in_vagrant is not defined
+        (item.vars.disabled_in_vagrant is not defined or
+        not (item.vars.disabled_in_vagrant and vagrant))
 
-- name: setup single service
-  include_tasks: "services/{{ services[single_service].file }}"
-  when: single_service is defined and
-        single_service in services and
-        services[single_service].file is defined and
-        services[single_service].disabled_in_vagrant is not defined
+- name: Deploy single service
+  include_tasks:
+    file: block.yml
+  vars:
+    service:
+      name: "{{ single_service }}"
+      vars: "{{ services[single_service] }}"
+  when: single_service is defined and single_service in services and
+        (services[single_service].disabled_in_vagrant is not defined or
+        not (services[single_service].disabled_in_vagrant and vagrant))

roles/docker/tasks/services/codimd.yml

@@ -1,55 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: codimd network
-  docker_network:
-    name: codimd
-
-- name: create codimd volume folders
-  file:
-    name: "{{ services.codimd.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - "db"
-    - "codimd/uploads"
-  loop_control:
-    loop_var: volume
-
-- name: codimd database container
-  docker_container:
-    name: codimd_db
-    image: postgres:10
-    state: started
-    restart_policy: unless-stopped
-    networks:
-      - name: codimd
-    volumes:
-      - "{{ services.codimd.volume_folder }}/db:/var/lib/postgresql/data"
-    env:
-      POSTGRES_USER: "codimd"
-      POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}"
-
-- name: codimd app container
-  docker_container:
-    name: codimd_app
-    image: hackmdio/hackmd:1.3.0
-    restart_policy: unless-stopped
-    networks:
-      - name: codimd
-      - name: ldap
-      - name: external_services
-    volumes:
-      - "{{ services.codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads"
-    env:
-      CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd"
-      CMD_ALLOW_EMAIL_REGISTER: "False"
-      CMD_IMAGE_UPLOAD_TYPE: "filesystem"
-      CMD_EMAIL: "False"
-      CMD_LDAP_URL: "ldap://openldap"
-      CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop"
-      CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}"
-      CMD_LDAP_SEARCHBASE: "dc=data,dc=coop"
-      CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"
-      CMD_USECDN: "false"
-      VIRTUAL_HOST: "{{ services.codimd.domain }}"
-      LETSENCRYPT_HOST: "{{ services.codimd.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/docker_registry.yml

@@ -1,36 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: copy docker registry nginx configuration
-  copy:
-    src: "files/configs/docker_registry/nginx.conf"
-    dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}"
-    mode: "0644"
-
-- name: docker registry container
-  docker_container:
-    name: registry
-    image: registry:{{ services.docker_registry.version }}
-    restart_policy: always
-    volumes:
-      - "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry"
-      - "{{ services.docker_registry.volume_folder }}/auth:/auth"
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
-      LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      REGISTRY_AUTH: "htpasswd"
-      REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
-      REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
-
-- name: generate htpasswd file
-  shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd"
-  args:
-    creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
-
-- name: log in to registry
-  docker_login:
-    registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain  }}"
-    username: "docker"
-    password: "{{ docker_password }}"

roles/docker/tasks/services/drone.yml

@@ -1,52 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: set up drone with docker runner
-  docker_compose:
-    project_name: drone
-    pull: yes
-    definition:
-      version: "3.6"
-      services:
-        drone:
-          container_name: "drone"
-          image: "drone/drone:{{ services.drone.version }}"
-          restart: unless-stopped
-          networks:
-            - external_services
-            - drone
-          volumes:
-            - "{{ services.drone.volume_folder }}:/data"
-            - "/var/run/docker.sock:/var/run/docker.sock"
-          environment:
-            DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}"
-            DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
-            DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
-            DRONE_GIT_ALWAYS_AUTH: "true"
-            DRONE_SERVER_HOST: "{{ services.drone.domain }}"
-            DRONE_SERVER_PROTO: "https"
-            DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
-            PLUGIN_CUSTOM_DNS: "91.239.100.100"
-            VIRTUAL_HOST: "{{ services.drone.domain }}"
-            LETSENCRYPT_HOST: "{{ services.drone.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-        drone-runner-docker:
-          container_name: "drone-runner-docker"
-          image: "drone/drone-runner-docker:{{ services.drone.version }}"
-          restart: unless-stopped
-          networks:
-            - drone
-          volumes:
-            - "/var/run/docker.sock:/var/run/docker.sock"
-          environment:
-            DRONE_RPC_HOST: "{{ services.drone.domain }}"
-            DRONE_RPC_PROTO: "https"
-            DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
-            DRONE_RUNNER_CAPACITY: 2
-            DRONE_RUNNER_NAME: "data.coop_drone_runner"
-
-      networks:
-        drone:
-        external_services:
-          external:
-            name: external_services

roles/docker/tasks/services/gitea.yml

@@ -1,39 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: gitea network
-  docker_network:
-    name: gitea
-
-# old DNS: 138.68.71.153
-- name: gitea container
-  docker_container:
-    name: gitea
-    image: gitea/gitea:{{ services.gitea.version }}
-    restart_policy: unless-stopped
-    networks:
-      - name: gitea
-      - name: postfix
-      - name: external_services
-    volumes:
-      - "{{ services.gitea.volume_folder }}:/data"
-    published_ports:
-      - "22:22"
-    env:
-      VIRTUAL_HOST: "{{ services.gitea.domain }}"
-      VIRTUAL_PORT: "3000"
-      LETSENCRYPT_HOST: "{{ services.gitea.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      # Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
-      # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
-      GITEA__mailer__ENABLED: "true"
-      GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}"
-      GITEA__mailer__MAILER_TYPE: "smtp"
-      GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
-      GITEA__mailer__USER: "noop"
-      GITEA__mailer__PASSWD: "noop"
-      GITEA__security__LOGIN_REMEMBER_DAYS: "60"
-      GITEA__security__PASSWORD_COMPLEXITY: "off"
-      GITEA__security__MIN_PASSWORD_LENGTH: "8"
-      GITEA__security__PASSWORD_CHECK_PWN: "true"
-      GITEA__service__ENABLE_NOTIFY_MAIL: "true"
-      GITEA__service__REGISTER_EMAIL_CONFIRM: "true"

roles/docker/tasks/services/hedgedoc.yml

@@ -1,67 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create hedgedoc volume folders
-  file:
-    name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - "db"
-    - "hedgedoc/uploads"
-  loop_control:
-    loop_var: volume
-
-- name: copy sso public certificate
-  copy:
-    src: "files/sso/sso.data.coop.pem"
-    dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
-    mode: "0644"
-
-- name: setup hedgedoc
-  docker_compose:
-    project_name: "hedgedoc"
-    pull: "yes"
-    definition:
-      services:
-        database:
-          image: "postgres:{{ services.hedgedoc.postgres_version }}"
-          environment:
-            POSTGRES_USER: "codimd"
-            POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
-            POSTGRES_DB: "codimd"
-          restart: "unless-stopped"
-          networks:
-            - "hedgedoc"
-          volumes:
-            - "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
-        
-        app:
-          image: "quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}"
-          environment:
-            CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
-            CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
-            CMD_ALLOW_EMAIL_REGISTER: "False"
-            CMD_IMAGE_UPLOAD_TYPE: "filesystem"
-            CMD_EMAIL: "False"
-            CMD_SAML_IDPCERT: "/sso.data.coop.pem"
-            CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
-            CMD_SAML_ISSUER: "hedgedoc"
-            CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
-            CMD_USECDN: "false"
-            CMD_PROTOCOL_USESSL: "true"
-            VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
-            LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-          volumes:
-            - "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
-            - "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
-          restart: "unless-stopped"
-          networks: 
-            - "hedgedoc"
-            - "external_services"
-          depends_on:
-            - database
-
-      networks: 
-        hedgedoc:
-        external_services:
-          external: true

roles/docker/tasks/services/keycloak.yml

@@ -1,50 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup keycloak containers for sso.data.coop
-  docker_compose:
-    project_name: "keycloak"
-    pull: "yes"
-    definition:
-      version: "3.6"
-      services:
-        postgres:
-          image: "postgres:{{ services.keycloak.postgres_version }}"
-          restart: "unless-stopped"
-          networks:
-            - "keycloak"
-          volumes:
-            - "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data"
-          environment:
-            POSTGRES_USER: "keycloak"
-            POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
-            POSTGRES_DB: "keycloak"
-
-        app:
-          image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}"
-          restart: "unless-stopped"
-          networks:
-            - "keycloak"
-            - "postfix"
-            - "external_services"
-          command:
-            - "start"
-            - "--db=postgres"
-            - "--db-url=jdbc:postgresql://postgres:5432/keycloak"
-            - "--db-username=keycloak"
-            - "--db-password={{ postgres_passwords.keycloak }}"
-            - "--hostname={{ services.keycloak.domain }}"
-            - "--proxy=edge"
-            - "--https-port=8080"
-            - "--http-relative-path=/auth"
-          environment:
-            VIRTUAL_HOST: "{{ services.keycloak.domain }}"
-            VIRTUAL_PORT: "8080"
-            LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-      networks:
-        keycloak:
-        postfix:
-          external: true
-        external_services:
-          external: true

roles/docker/tasks/services/mailu.yml

@@ -1,181 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create mailu volume folders
-  file:
-    name: "{{ services.mailu.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - redis
-    - certs
-    - data
-    - dkim
-    - mail
-    - mailqueue
-    - filter
-    - postgres
-    - webmail
-    - overrides
-    - overrides/nginx
-    - overrides/dovecot
-    - overrides/postfix
-    - overrides/rspamd
-    - overrides/rainloop
-  loop_control:
-    loop_var: volume
-
-- name: upload mailu.env file
-  template:
-    src: mailu.env.j2
-    dest: "{{ services.mailu.volume_folder}}/mailu.env"
-
-- name: hard link to Let's Encrypt TLS certificate
-  file:
-    src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
-    dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
-    state: hard
-    force: yes
-  when: letsencrypt_enabled
-
-- name: hard link to Let's Encrypt TLS key
-  file:
-    src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
-    dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
-    state: hard
-    force: yes
-  when: letsencrypt_enabled
-
-- name: run mail server containers
-  docker_compose:
-    project_name: mail_server
-    pull: yes
-    definition:
-      version: '3.6'
-      services:
-        postgres:
-          image: postgres:14-alpine
-          restart: always
-          environment:
-            POSTGRES_DB: mailu
-            POSTGRES_USER: mailu
-            POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
-          volumes:
-            - "{{ services.mailu.volume_folder }}/postgres:/var/lib/postgresql/data"
-          dns:
-            - "{{ services.mailu.dns }}"
-
-        redis:
-          image: redis:alpine
-          restart: always
-          volumes:
-            - "{{ services.mailu.volume_folder }}/redis:/data"
-          depends_on:
-            - resolver
-          dns:
-            - "{{ services.mailu.dns }}"
-
-        front:
-          image: mailu/nginx:{{ services.mailu.version }}
-          restart: always
-          env_file: "{{ services.mailu.volume_folder}}/mailu.env"
-          environment:
-            VIRTUAL_HOST: "{{ services.mailu.domain }}"
-            LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-          volumes:
-            - "{{ services.mailu.volume_folder }}/certs:/certs"
-            - "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides:ro"
-          expose:
-            - "80"
-          ports:
-            - "993:993"
-            - "25:25"
-            - "587:587"
-            - "465:465"
-          networks:
-            - default
-            - external_services
-
-        resolver:
-          image: mailu/unbound:{{ services.mailu.version }}
-          restart: always
-          env_file: "{{ services.mailu.volume_folder}}/mailu.env"
-          networks:
-            default:
-              ipv4_address: "{{ services.mailu.dns }}"
-
-        admin:
-          image: mailu/admin:{{ services.mailu.version }}
-          restart: always
-          env_file: "{{ services.mailu.volume_folder}}/mailu.env"
-          volumes:
-            - "{{ services.mailu.volume_folder }}/data:/data"
-            - "{{ services.mailu.volume_folder }}/dkim:/dkim"
-          depends_on:
-            - redis
-            - resolver
-          dns:
-            - "{{ services.mailu.dns }}"
-
-        imap:
-          image: mailu/dovecot:{{ services.mailu.version }}
-          restart: always
-          env_file: "{{ services.mailu.volume_folder}}/mailu.env"
-          volumes:
-            - "{{ services.mailu.volume_folder }}/mail:/mail"
-            - "{{ services.mailu.volume_folder }}/overrides/dovecot:/overrides:ro"
-          depends_on:
-            - front
-            - resolver
-          dns:
-            - "{{ services.mailu.dns }}"
-
-        smtp:
-          image: mailu/postfix:{{ services.mailu.version }}
-          restart: always
-          env_file: "{{ services.mailu.volume_folder}}/mailu.env"
-          volumes:
-            - "{{ services.mailu.volume_folder }}/mailqueue:/queue"
-            - "{{ services.mailu.volume_folder }}/overrides/postfix:/overrides:ro"
-          depends_on:
-            - front
-            - resolver
-          dns:
-            - "{{ services.mailu.dns }}"
-
-        antispam:
-          image: mailu/rspamd:{{ services.mailu.version }}
-          hostname: antispam
-          restart: always
-          env_file: "{{ services.mailu.volume_folder}}/mailu.env"
-          volumes:
-            - "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd"
-            - "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d:ro"
-          depends_on:
-            - front
-            - resolver
-          dns:
-            - "{{ services.mailu.dns }}"
-
-        webmail:
-          image: mailu/rainloop:{{ services.mailu.version }}
-          restart: always
-          env_file: "{{ services.mailu.volume_folder}}/mailu.env"
-          volumes:
-            - "{{ services.mailu.volume_folder }}/webmail:/data"
-            - "{{ services.mailu.volume_folder }}/overrides/rainloop:/overrides:ro"
-          depends_on:
-            - imap
-            - resolver
-          dns:
-            - "{{ services.mailu.dns }}"
-
-      networks:
-        default:
-          driver: bridge
-          ipam:
-            driver: default
-            config:
-              - subnet: "{{ services.mailu.subnet }}"
-        external_services:
-          external:
-            name: external_services

roles/docker/tasks/services/mastodon.yml

@@ -1,189 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create mastodon volume folders
-  file:
-    name: "{{ services.mastodon.volume_folder }}/{{ volume }}"
-    state: directory
-    owner: "991"
-    group: "991"
-  loop:
-    - "postgres_data"
-    - "postgres_config"
-    - "redis_data"
-    - "mastodon_data"
-  loop_control:
-    loop_var: volume
-
-- name: Copy mastodon environment file
-  template:
-    src: files/configs/mastodon/env_file.j2
-    dest: "{{ services.mastodon.volume_folder }}/env_file"
-
-- name: Upload vhost config for root domain
-  template:
-    src: files/configs/mastodon/vhost-mastodon
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
-
-- name: Copy PostgreSQL config
-  copy:
-    src: files/configs/mastodon/postgresql.conf
-    dest: "{{ services.mastodon.volume_folder }}/postgres_config/postgresql.conf"
-
-- name: Set up Mastodon
-  docker_compose:
-    project_name: mastodon
-    pull: true
-    restarted: true
-    definition:
-      x-sidekiq: &sidekiq
-        image: "tootsuite/mastodon:{{ services.mastodon.version }}"
-        restart: always
-        env_file: "{{ services.mastodon.volume_folder }}/env_file"
-        depends_on:
-          db:
-            condition: "service_healthy"
-          redis:
-            condition: "service_healthy"
-        networks:
-          - postfix
-          - external_services
-          - internal_network
-        volumes:
-          - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
-        healthcheck:
-          test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
-
-      version: '3'
-      services:
-        db:
-          restart: always
-          image: "postgres:{{ services.mastodon.postgres_version }}"
-          shm_size: 256mb
-          networks:
-            - internal_network
-          healthcheck:
-            test: ['CMD', 'pg_isready', '-U', 'postgres']
-          volumes:
-            - "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
-            - "{{ services.mastodon.volume_folder }}/postgres_config:/config:ro"
-          command: postgres -c config_file=/config/postgresql.conf
-          environment:
-            - 'POSTGRES_HOST_AUTH_METHOD=trust'
-
-        redis:
-          restart: always
-          image: "redis:{{ services.mastodon.redis_version }}"
-          networks:
-            - internal_network
-          healthcheck:
-            test: ['CMD', 'redis-cli', 'ping']
-          volumes:
-            - "{{ services.mastodon.volume_folder }}/redis_data:/data"
-
-        web:
-          image: "tootsuite/mastodon:{{ services.mastodon.version }}"
-          restart: always
-          env_file: "{{ services.mastodon.volume_folder }}/env_file"
-          command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
-          networks:
-            - external_services
-            - internal_network
-          healthcheck:
-            # prettier-ignore
-            test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
-          depends_on:
-            db:
-              condition: "service_healthy"
-            redis:
-              condition: "service_healthy"
-          volumes:
-            - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
-          environment:
-            MAX_THREADS: 10
-            WEB_CONCURRENCY: 3
-            VIRTUAL_HOST: "{{ services.mastodon.domain }}"
-            VIRTUAL_PORT: "3000"
-            VIRTUAL_PATH: "/"
-            LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-        streaming:
-          image: "tootsuite/mastodon:{{ services.mastodon.version }}"
-          restart: always
-          env_file: "{{ services.mastodon.volume_folder }}/env_file"
-          command: node ./streaming
-          networks:
-            - external_services
-            - internal_network
-          healthcheck:
-            # prettier-ignore
-            test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
-          ports:
-            - '127.0.0.1:4000:4000'
-          depends_on:
-            db:
-              condition: "service_healthy"
-            redis:
-              condition: "service_healthy"
-          environment:
-            DB_POOL: 15
-            VIRTUAL_HOST: "{{ services.mastodon.domain }}"
-            VIRTUAL_PORT: "4000"
-            VIRTUAL_PATH: "/api/v1/streaming"
-
-        # sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
-        sidekiq-default-push-pull:
-          <<: *sidekiq
-          command: bundle exec sidekiq -c 25 -q default -q push -q pull
-          environment:
-            DB_POOL: 25
-
-        # sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
-        sidekiq-default-pull-push:
-          <<: *sidekiq
-          command: bundle exec sidekiq -c 25 -q default -q pull -q push
-          environment:
-            DB_POOL: 25
-
-        # sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
-        sidekiq-pull-default-push:
-          <<: *sidekiq
-          command: bundle exec sidekiq -c 25 -q pull -q default -q push
-          environment:
-            DB_POOL: 25
-
-        # sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
-        sidekiq-push-default-pull:
-          <<: *sidekiq
-          command: bundle exec sidekiq -c 25 -q push -q default -q pull
-          environment:
-            DB_POOL: 25
-
-        # sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
-        sidekiq-push-scheduler:
-          <<: *sidekiq
-          command: bundle exec sidekiq -c 5 -q push -q scheduler
-          environment:
-            DB_POOL: 5
-
-        # sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
-        sidekiq-push-mailers:
-          <<: *sidekiq
-          command: bundle exec sidekiq -c 5 -q push -q mailers
-          environment:
-            DB_POOL: 5
-
-        # sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
-        sidekiq-push-ingress:
-          <<: *sidekiq
-          command: bundle exec sidekiq -c 10 -q push -q ingress
-          environment:
-            DB_POOL: 10
-
-      networks:
-        external_services:
-          external: true
-        postfix:
-          external: true
-        internal_network:
-          internal: true

roles/docker/tasks/services/matrix_riot.yml

@@ -1,120 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create matrix volume folders
-  file:
-    name: "{{ services.matrix.volume_folder }}/{{ volume }}"
-    state: directory
-    owner: "991"
-    group: "991"
-  loop:
-    - "data"
-    - "data/uploads"
-    - "data/media"
-  loop_control:
-    loop_var: volume
-
-- name: create matrix DB folder
-  file:
-    name: "{{ services.matrix.volume_folder }}/db"
-    state: "directory"
-
-- name: create riot volume folders
-  file:
-    name: "{{ services.riot.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - "data"
-  loop_control:
-    loop_var: volume
-
-- name: upload riot config.json
-  template:
-    src: files/configs/riot/config.json
-    dest: "{{ services.riot.volume_folder }}/data/config.json"
-
-- name: upload riot.im.conf
-  template:
-    src: files/configs/riot/riot.im.conf
-    dest: "{{ services.riot.volume_folder }}/data/riot.im.conf"
-
-- name: upload vhost config for matrix domain
-  template:
-    src: files/configs/matrix/vhost-matrix
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
-
-- name: upload vhost config for riot domain
-  template:
-    src: files/configs/matrix/vhost-riot
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}"
-  loop: "{{ services.riot.domains }}"
-
-- name: upload homeserver.yaml
-  template:
-    src: "files/configs/matrix/homeserver.yaml.j2"
-    dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
-
-- name: upload matrix logging config
-  template:
-    src: "files/configs/matrix/matrix.data.coop.log.config"
-    dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
-
-- name: set up matrix and riot
-  docker_compose:
-    project_name: matrix
-    pull: yes
-    definition:
-      version: "3.6"
-      services:
-        matrix_db:
-          container_name: matrix_db
-          image: "postgres:{{ services.matrix.postgres_version }}"
-          restart: unless-stopped
-          networks:
-            - matrix
-          volumes:
-            - "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data"
-          environment:
-            POSTGRES_USER: "synapse"
-            POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
-
-        matrix_app:
-          container_name: matrix
-          image: "matrixdotorg/synapse:{{ services.matrix.version }}"
-          restart: unless-stopped
-          networks:
-            - matrix
-            - external_services
-          volumes:
-            - "{{ services.matrix.volume_folder }}/data:/data"
-          environment:
-            SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
-            SYNAPSE_CACHE_FACTOR: "2"
-            SYNAPSE_LOG_LEVEL: "INFO"
-            VIRTUAL_HOST: "{{ services.matrix.domain }}"
-            VIRTUAL_PORT: "8008"
-            LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-        riot:
-          container_name: riot_app
-          image: "avhost/docker-matrix-riot:{{ services.riot.version }}"
-          restart: unless-stopped
-          networks:
-            - matrix
-            - external_services
-          expose:
-            - 8080
-          volumes:
-            - "{{ services.riot.volume_folder }}/data:/data"
-          environment:
-            VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
-            VIRTUAL_PORT: "8080"
-            LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-      networks:
-        external_services:
-          external:
-            name: external_services
-        matrix:
-          name: "matrix"

roles/docker/tasks/services/membersystem.yml

@@ -1,52 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: run membersystem containers
-  docker_compose:
-    project_name: "member.data.coop"
-    pull: yes
-    definition:
-      version: "3"
-      services:
-        backend:
-          image: "docker.data.coop/membersystem:{{ services.membersystem.version }}"
-          restart: always
-          user: $UID:$GID
-          tty: true
-          depends_on:
-            - postgres
-          networks:
-            - membersystem
-            - external_services
-            - postfix
-          environment:
-            SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
-            DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
-            POSTGRES_HOST: postgres
-            POSTGRES_PORT: 5432
-            EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
-            EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
-            VIRTUAL_HOST: "{{ services.membersystem.domain }}"
-            VIRTUAL_PORT: "8000"
-            LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-            ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
-            CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
-            DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
-            DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
-
-        postgres:
-          image: "postgres:{{ services.membersystem.postgres_version }}"
-          restart: always
-          volumes:
-            - "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data"
-          networks:
-            - membersystem
-          environment:
-            POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
-
-      networks:
-        membersystem:
-        external_services:
-          external: true
-        postfix:
-          external: true

roles/docker/tasks/services/netdata.yml

@@ -1,23 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup netdata docker container for system monitoring
-  docker_container:
-    name: netdata
-    image: netdata/netdata:{{ services.netdata.version }}
-    restart_policy: unless-stopped
-    hostname: "hevonen.servers.{{ base_domain }}"
-    capabilities:
-      - SYS_PTRACE
-    security_opts:
-      - apparmor:unconfined
-    volumes:
-      - /proc:/host/proc:ro
-      - /sys:/host/sys:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST : "{{ services.netdata.domain }}"
-      LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-      PGID: "999"

roles/docker/tasks/services/nextcloud.yml

@@ -1,76 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: upload vhost config for cloud.data.coop
-  template:
-    src: files/configs/nextcloud/vhost
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
-  notify: "restart nginx"
-
-- name: setup nextcloud containers
-  docker_compose:
-    project_name: "nextcloud"
-    pull: "yes"
-    definition:
-      services:
-        postgres:
-          image: "postgres:{{ services.nextcloud.postgres_version }}"
-          restart: "unless-stopped"
-          networks:
-            - "nextcloud"
-          volumes:
-            - "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
-          environment: 
-            POSTGRES_DB: "nextcloud"
-            POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
-            POSTGRES_USER: "nextcloud"
-
-        redis:
-          image: "redis:{{ services.nextcloud.redis_version }}"
-          restart: "unless-stopped"
-          command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}"
-          tmpfs:
-            - /var/lib/redis
-          networks:
-            - "nextcloud"
-
-        cron:
-          image: "nextcloud:{{ services.nextcloud.version }}"
-          restart: "unless-stopped"
-          entrypoint: "/cron.sh"
-          networks:
-            - "nextcloud"
-          volumes:
-            - "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
-          depends_on:
-            - "postgres"
-            - "redis"
-        
-        app:
-          image: "nextcloud:{{ services.nextcloud.version }}"
-          restart: "unless-stopped"
-          networks:
-            - "nextcloud"
-            - "postfix"
-            - "external_services"
-          volumes:
-            - "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
-          environment:
-            VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
-            LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-            POSTGRES_HOST: "postgres"
-            POSTGRES_DB: "nextcloud"
-            POSTGRES_USER: "nextcloud"
-            POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
-            REDIS_HOST: "redis"
-            REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
-          depends_on:
-            - "postgres"
-            - "redis"
-
-      networks:
-          nextcloud:
-          postfix:
-            external: true
-          external_services:
-            external: true

roles/docker/tasks/services/nginx_proxy.yml

@@ -1,48 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create nginx-proxy volume folders
-  file:
-    name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - conf
-    - vhost
-    - html
-    - dhparam
-    - certs
-  loop_control:
-    loop_var: volume
-
-- name: nginx proxy container
-  docker_container:
-    name: nginx-proxy
-    image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
-    restart_policy: always
-    networks:
-      - name: external_services
-    published_ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d"
-      - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
-      - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
-      - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam"
-      - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro"
-      - /var/run/docker.sock:/tmp/docker.sock:ro
-
-- name: nginx letsencrypt container
-  docker_container:
-    name: nginx-proxy-le
-    image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
-    restart_policy: always
-    volumes:
-      - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
-      - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
-      - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
-      - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs"
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    env:
-      NGINX_PROXY_CONTAINER: nginx-proxy
-  when: letsencrypt_enabled
-

roles/docker/tasks/services/openldap.yml

@@ -1,74 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create ldap volume folders
-  file:
-    name: "{{ services.openldap.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - "var/lib/ldap"
-    - "etc/slapd"
-    - "certs"
-  loop_control:
-    loop_var: volume
-
-- name: Create a network for ldap
-  docker_network:
-    name: ldap
-
-- name: openLDAP container
-  docker_container:
-    name: openldap
-    image: osixia/openldap:{{ services.openldap.version }}
-    tty: true
-    interactive: true
-    restart_policy: unless-stopped
-    volumes:
-      - "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
-      - "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
-      - "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
-    published_ports:
-      - "389:389"
-      - "636:636"
-    hostname: "{{ services.openldap.domain }}"
-    domainname: "{{ services.openldap.domain }}" # important: same as hostname
-    networks:
-      - name: ldap
-    env:
-      LDAP_LOG_LEVEL: "256"
-      LDAP_ORGANISATION: "{{ base_domain }}"
-      LDAP_DOMAIN: "{{ base_domain }}"
-      LDAP_BASE_DN: ""
-      LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
-      LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
-      LDAP_READONLY_USER: "false"
-      LDAP_RFC2307BIS_SCHEMA: "false"
-      LDAP_BACKEND: "mdb"
-      LDAP_TLS: "true"
-      LDAP_TLS_CRT_FILENAME: "ldap.crt"
-      LDAP_TLS_KEY_FILENAME: "ldap.key"
-      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
-      LDAP_TLS_ENFORCE: "false"
-      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
-      LDAP_TLS_PROTOCOL_MIN: "3.1"
-      LDAP_TLS_VERIFY_CLIENT: "demand"
-      LDAP_REPLICATION: "false"
-      KEEP_EXISTING_CONFIG: "false"
-      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
-      LDAP_SSL_HELPER_PREFIX: "ldap"
-
-- name: phpLDAPadmin container
-  docker_container:
-    name: phpldapadmin
-    image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
-    restart_policy: unless-stopped
-    networks:
-      - name: external_services
-      - name: ldap
-    env:
-      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
-      PHPLDAPADMIN_HTTPS: "false"
-      PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
-
-      VIRTUAL_HOST: "{{ services.openldap.domain }}"
-      LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/passit.yml

@@ -1,46 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup passit containers
-  docker_compose:
-    project_name: "passit"
-    pull: "yes"
-    definition:
-      version: "3.6"
-      services:
-        passit_db:
-          image: "postgres:{{ services.passit.postgres_version }}"
-          restart: "always"
-          networks:
-            - "passit"
-          volumes:
-            - "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data"
-          environment:
-            POSTGRES_USER: "passit"
-            POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
-
-        passit_app:
-          image: "passit/passit:{{ services.passit.version }}"
-          command: "bin/start.sh"
-          restart: "always"
-          networks:
-            - "passit"
-            - "postfix"
-            - "external_services"
-          environment:
-            DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
-            SECRET_KEY: "{{ passit_secret_key }}"
-            IS_DEBUG: 'False'
-            EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
-            DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}"
-            EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}"
-            FIDO_SERVER_ID: "{{ services.passit.domain }}"
-            VIRTUAL_HOST: "{{ services.passit.domain }}"
-            LETSENCRYPT_HOST: "{{ services.passit.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-      networks:
-        passit:
-        postfix:
-          external: true
-        external_services:
-          external: true

roles/docker/tasks/services/pinafore.yml

@@ -1,14 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: Set up Pinafore
-  docker_container:
-    name: pinafore
-    image: "docker.data.coop/pinafore:{{ services.pinafore.version }}"
-    restart_policy: unless-stopped
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST: "{{ services.pinafore.domain }}"
-      VIRTUAL_PORT: "4002"
-      LETSENCRYPT_HOST: "{{ services.pinafore.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/portainer.yml

@@ -1,22 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create portainer volume folder
-  file:
-    name: "{{ services.portainer.volume_folder }}"
-    state: directory
-
-- name: run portainer
-  docker_container:
-    name: portainer
-    image: portainer/portainer-ee:{{ services.portainer.version }}
-    restart_policy: always
-    networks:
-      - name: external_services
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - "{{ services.portainer.volume_folder }}:/data"
-    env:
-      VIRTUAL_HOST: "{{ services.portainer.domain }}"
-      VIRTUAL_PORT: "9000"
-      LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/postfix.yml

@@ -1,28 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: Set up network for postfix
-  docker_network:
-    name: postfix
-    ipam_config:
-      - subnet: '172.16.0.0/16'
-        gateway: 172.16.0.1
-
-- name: Create volume folders for Postfix
-  file:
-    name: "{{ services.postfix.volume_folder }}/dkim"
-    state: directory
-
-- name: Set up Postfix Docker container for outgoing mail from services
-  docker_container:
-    name: postfix
-    image: boky/postfix:{{ services.postfix.version }}
-    restart_policy: always
-    networks:
-      - name: postfix
-    volumes:
-      - "{{ services.postfix.volume_folder }}/dkim:/etc/opendkim/keys"
-    env:
-      # Get all services which have allowed_sender_domain defined
-      ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
-      HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as
-      DKIM_AUTOGENERATE: "true"

roles/docker/tasks/services/privatebin.yml

@@ -1,31 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: create privatebin volume folders
-  file:
-    name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
-    state: directory
-  loop:
-    - cfg
-    - data
-  loop_control:
-    loop_var: volume
-
-- name: upload privatebin config
-  template:
-    src: files/configs/privatebin-conf.php
-    dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
-
-- name: privatebin app container
-  docker_container:
-    name: privatebin
-    image: jgeusebroek/privatebin:{{ services.privatebin.version }}
-    restart_policy: unless-stopped
-    volumes:
-      - "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg"
-      - "{{ services.privatebin.volume_folder }}/data:/privatebin/data"
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST: "{{ services.privatebin.domain }}"
-      LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/rallly.yml

@@ -1,61 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: Create rallly volume folders
-  file:
-    name: "{{ services.rallly.volume_folder }}/postgres"
-    state: directory
-
-- name: Copy Rallly environment file
-  template:
-    src: files/configs/rallly/env_file.j2
-    dest: "{{ services.rallly.volume_folder }}/env_file"
-
-- name: Set up Rallly
-  docker_compose:
-    project_name: "rallly"
-    pull: "yes"
-    definition:
-      version: "3.8"
-      services:
-        rallly_db:
-          image: "postgres:{{ services.rallly.postgres_version }}"
-          restart: "always"
-          shm_size: "256mb"
-          networks:
-            rallly_internal:
-          volumes:
-            - "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data"
-          environment:
-            POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
-            POSTGRES_DB: "rallly_db"
-          healthcheck:
-            test: ["CMD-SHELL", "pg_isready -U postgres"]
-            interval: 5s
-            timeout: 5s
-            retries: 5
-
-        rallly:
-          image: "lukevella/rallly:{{ services.rallly.version }}"
-          restart: "always"
-          networks:
-            rallly_internal:
-            external_services:
-            postfix:
-          depends_on:
-            rallly_db:
-              condition: "service_healthy"
-          env_file:
-            - "{{ services.rallly.volume_folder }}/env_file"
-          environment:
-            VIRTUAL_HOST: "{{ services.rallly.domain }}"
-            VIRTUAL_PORT: "3000"
-            LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
-            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-
-      networks:
-        rallly_internal:
-          internal: true
-        external_services:
-          external: true
-        postfix:
-          external: true

roles/docker/tasks/services/restic_backup.yml

@@ -1,39 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: Setup restic backup
-  docker_compose:
-    project_name: restic_backup
-    pull: true
-    definition:
-      version: '3.6'
-      services:
-        restic-backup:
-          image: mazzolino/restic:{{ services.restic.version }}
-          restart: always
-          environment:
-            RUN_ON_STARTUP: "false"
-            BACKUP_CRON: "0 30 3 * * *"
-            RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
-            RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
-            RESTIC_BACKUP_SOURCES: "/mnt/volumes"
-            RESTIC_BACKUP_ARGS: >-
-              --tag datacoop-volumes
-              --exclude='*.tmp'
-              --verbose
-            RESTIC_FORGET_ARGS: >-
-              --keep-last 10
-              --keep-daily 7
-              --keep-weekly 5
-              --keep-monthly 12
-            TZ: Europe/Copenhagen
-          volumes:
-            - /docker-volumes:/mnt/volumes:ro
-
-        restic-prune:
-          image: "mazzolino/restic:{{ services.restic.version }}"
-          environment:
-            RUN_ON_STARTUP: "false"
-            PRUNE_CRON: "0 0 4 * * *"
-            RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
-            RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
-            TZ: Europe/copenhagen

roles/docker/tasks/services/websites/2022.slides.data.coop.yml

@@ -1,19 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup 2022.slides.data.coop website using unipi
-  docker_container:
-    name: 2022.slides.data.coop_website
-    image: docker.data.coop/unipi:{{ services.slides_2022_website.version }}
-    restart_policy: unless-stopped
-    purge_networks: yes
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST: "{{ services.slides_2022_website.domain }}"
-      LETSENCRYPT_HOST: "{{ services.slides_2022_website.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-    command: "--remote=https://git.data.coop/data.coop/slides.git#slides2022"
-    capabilities:
-      - NET_ADMIN
-    devices:
-      - "/dev/net/tun"

roles/docker/tasks/services/websites/cryptoaarhus.dk.yml

@@ -1,13 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup cryptoaarhus.dk website docker container
-  docker_container:
-    name: cryptoaarhus_website
-    restart_policy: unless-stopped
-    image: docker.data.coop/cryptoaarhus-website
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/websites/cryptohagen.dk.yml

@@ -1,13 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup cryptohagen.dk website docker container
-  docker_container:
-    name: cryptohagen_website
-    restart_policy: unless-stopped
-    image: docker.data.coop/cryptohagen-website
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/websites/data.coop.yml

@@ -1,23 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: Upload vhost config for root domain
-  copy:
-    src: files/configs/matrix/vhost-root
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}"
-
-- name: Upload vhost config for WWW domain
-  copy:
-    src: files/configs/vhost-www
-    dest: "{{ services.nginx_proxy.volume_folder }}/vhost/www.{{ base_domain }}"
-
-- name: setup data.coop website docker container
-  docker_container:
-    name: data.coop_website
-    image: docker.data.coop/data-coop-website
-    restart_policy: unless-stopped
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/websites/new.data.coop.yml

@@ -1,13 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup new data.coop website using hugo
-  docker_container:
-    name: new.data.coop_website
-    image: docker.data.coop/data-coop-website:{{ services.new_data_coop_website.version }}
-    restart_policy: unless-stopped
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST : "{{ services.new_data_coop_website.domain }}"
-      LETSENCRYPT_HOST: "{{ services.new_data_coop_website.domain }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/websites/ulovliglogning.dk.yml

@@ -1,13 +0,0 @@
-# vim: ft=yaml.ansible
----
-- name: setup ulovliglogning.dk website docker container
-  docker_container:
-    name: ulovliglogning_website
-    restart_policy: unless-stopped
-    image: ulovliglogning/ulovliglogning.dk:latest
-    networks:
-      - name: external_services
-    env:
-      VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
-      LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
-      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/templates/compose-files/cryptoaarhus_website.yml.j2

@@ -0,0 +1,17 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  web:
+    image: docker.data.coop/cryptoaarhus-website
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains | join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains | join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/cryptohagen_website.yml.j2

@@ -0,0 +1,17 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  web:
+    image: docker.data.coop/cryptohagen-website
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST : "{{ services.cryptohagen_website.domains | join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains | join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/data_coop_website.yml.j2

@@ -0,0 +1,27 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  prod-web:
+    image: docker.data.coop/data-coop-website:{{ services.data_coop_website.version }}
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
+      LETSENCRYPT_HOST: "{{ services.data_coop_website.domain }},{{ services.data_coop_website.www_domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+  staging-web:
+    image: docker.data.coop/data-coop-website:{{ services.data_coop_website.staging_version }}
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST: "{{ services.data_coop_website.staging_domain }}"
+      LETSENCRYPT_HOST: "{{ services.data_coop_website.staging_domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/diun.yml.j2

@@ -0,0 +1,21 @@
+# vim: ft=yaml.ansible
+---
+version: "3.5"
+
+services:
+  diun:
+    image: "ghcr.io/crazy-max/diun:{{ services.diun.version }}"
+    command: serve
+    volumes:
+      - "./data:/data"
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    environment:
+      - "TZ=Europe/Paris"
+      - "DIUN_WATCH_WORKERS=20"
+      - "DIUN_WATCH_SCHEDULE=0 */6 * * *"
+      - "DIUN_WATCH_JITTER=30s"
+      - "DIUN_PROVIDERS_DOCKER=true"
+      - "DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true"
+    labels:
+      - "diun.enable=true"
+    restart: always

roles/docker/templates/compose-files/docker_registry.yml.j2

@@ -0,0 +1,23 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: registry:{{ services.docker_registry.version }}
+    restart: always
+    networks:
+      - external_services
+    volumes:
+      - "./registry:/var/lib/registry"
+      - "./auth:/auth"
+    environment:
+      VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
+      LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      REGISTRY_AUTH: "htpasswd"
+      REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
+      REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/drone.yml.j2

@@ -0,0 +1,40 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: drone/drone:{{ services.drone.version }}
+    restart: unless-stopped
+    networks:
+      - default
+      - external_services
+    volumes:
+      - ".:/data"
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    environment:
+      DRONE_GITEA_SERVER: https://{{ services.forgejo.domain }}
+      DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
+      DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
+      DRONE_GIT_ALWAYS_AUTH: true
+      DRONE_SERVER_HOST: "{{ services.drone.domain }}"
+      DRONE_SERVER_PROTO: https
+      DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+      VIRTUAL_HOST: "{{ services.drone.domain }}"
+      LETSENCRYPT_HOST: "{{ services.drone.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+  runner:
+    image: drone/drone-runner-docker:{{ services.drone.version }}
+    restart: unless-stopped
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    environment:
+      DRONE_RPC_HOST: "{{ services.drone.domain }}"
+      DRONE_RPC_PROTO: https
+      DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+      DRONE_RUNNER_CAPACITY: 2
+      DRONE_RUNNER_NAME: data.coop_drone_runner
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/element.yml.j2

@@ -0,0 +1,22 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: avhost/docker-matrix-element:{{ services.element.version }}
+    restart: unless-stopped
+    networks:
+      - external_services
+    expose:
+      - "8080"
+    volumes:
+      - "./data:/data"
+    environment:
+      VIRTUAL_HOST: "{{ services.element.domain }}"
+      VIRTUAL_PORT: "8080"
+      LETSENCRYPT_HOST: "{{ services.element.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/fedi_dk_website.yml.j2

@@ -0,0 +1,22 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  web:
+    image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
+      LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    command: --remote=https://git.data.coop/fedi.dk/website.git#main
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - "/dev/net/tun"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/forgejo.yml.j2

@@ -0,0 +1,38 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: codeberg.org/forgejo/forgejo:{{ services.forgejo.version }}
+    restart: unless-stopped
+    networks:
+      - external_services
+      - postfix
+    volumes:
+      - ".:/data"
+    ports:
+      - "22:22"
+    environment:
+      VIRTUAL_HOST: "{{ services.forgejo.domain }}"
+      VIRTUAL_PORT: "3000"
+      LETSENCRYPT_HOST: "{{ services.forgejo.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      # Forgejo customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
+      # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
+      FORGEJO__mailer__ENABLED: true
+      FORGEJO__mailer__FROM: noreply@{{ services.forgejo.domain }}
+      FORGEJO__mailer__PROTOCOL: smtp
+      FORGEJO__mailer__SMTP_ADDR: "{{ smtp_host }}"
+      FORGEJO__mailer__SMTP_PORT: "{{ smtp_port }}"
+      FORGEJO__security__LOGIN_REMEMBER_DAYS: "60"
+      FORGEJO__security__PASSWORD_COMPLEXITY: off
+      FORGEJO__security__MIN_PASSWORD_LENGTH: "8"
+      FORGEJO__security__PASSWORD_CHECK_PWN: true
+      FORGEJO__service__ENABLE_NOTIFY_MAIL: true
+      FORGEJO__service__REGISTER_EMAIL_CONFIRM: true
+
+networks:
+  external_services:
+    external: true
+  postfix:
+    external: true

roles/docker/templates/compose-files/hedgedoc.yml.j2

@@ -0,0 +1,44 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  db:
+    image: postgres:{{ services.hedgedoc.postgres_version }}
+    restart: unless-stopped
+    volumes:
+      - "./db:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: codimd
+      POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
+      POSTGRES_DB: codimd
+
+  app:
+    image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
+    volumes:
+      - "./hedgedoc/uploads:/hedgedoc/public/uploads"
+      - "./sso.data.coop.pem:/sso.data.coop.pem"
+    restart: unless-stopped
+    networks:
+      - default
+      - external_services
+    environment:
+      CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@db:5432/codimd
+      CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
+      CMD_ALLOW_EMAIL_REGISTER: False
+      CMD_IMAGE_UPLOAD_TYPE: filesystem
+      CMD_EMAIL: False
+      CMD_SAML_IDPCERT: /sso.data.coop.pem
+      CMD_SAML_IDPSSOURL: https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml
+      CMD_SAML_ISSUER: hedgedoc
+      CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+      CMD_USECDN: false
+      CMD_PROTOCOL_USESSL: true
+      VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
+      LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    depends_on:
+      - db
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/keycloak.yml.j2

@@ -0,0 +1,42 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  db:
+    image: postgres:{{ services.keycloak.postgres_version }}
+    restart: unless-stopped
+    volumes:
+      - "./data:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
+      POSTGRES_DB: keycloak
+
+  app:
+    image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
+    restart: unless-stopped
+    networks:
+      - default
+      - postfix
+      - external_services
+    command:
+      - "start"
+      - "--db=postgres"
+      - "--db-url=jdbc:postgresql://db:5432/keycloak"
+      - "--db-username=keycloak"
+      - "--db-password={{ postgres_passwords.keycloak }}"
+      - "--hostname={{ services.keycloak.domain }}"
+      - "--proxy=edge"
+      - "--https-port=8080"
+      - "--http-relative-path=/auth"
+    environment:
+      VIRTUAL_HOST: "{{ services.keycloak.domain }}"
+      VIRTUAL_PORT: "8080"
+      LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  postfix:
+    external: true
+  external_services:
+    external: true

roles/docker/templates/compose-files/mailu.yml.j2

@@ -0,0 +1,146 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  postgres:
+    image: postgres:{{ services.mailu.postgres_version }}
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: mailu
+      POSTGRES_USER: mailu
+      POSTGRES_PASSWORD: "{{ postgres_passwords.mailu }}"
+    volumes:
+      - "./postgres:/var/lib/postgresql/data"
+    dns:
+      - "{{ services.mailu.dns }}"
+
+  redis:
+    image: redis:{{ services.mailu.redis_version }}
+    restart: unless-stopped
+    volumes:
+      - "./redis:/data"
+    depends_on:
+      - resolver
+    dns:
+      - "{{ services.mailu.dns }}"
+
+  front:
+    image: ghcr.io/mailu/nginx:{{ services.mailu.version }}
+    restart: unless-stopped
+    env_file: mailu.env
+    environment:
+      VIRTUAL_HOST: "{{ services.mailu.domain }}"
+      LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    volumes:
+      - "./certs:/certs"
+      - "./overrides/nginx:/overrides:ro"
+    expose:
+      - "80"
+    ports:
+      - "25:25"
+      - "465:465"
+      - "587:587"
+      - "110:110"
+      - "995:995"
+      - "143:143"
+      - "993:993"
+    networks:
+      - default
+      - webmail
+      - external_services
+    depends_on:
+      - resolver
+    dns:
+      - "{{ services.mailu.dns }}"
+
+  resolver:
+    image: ghcr.io/mailu/unbound:{{ services.mailu.version }}
+    restart: unless-stopped
+    env_file: mailu.env
+    networks:
+      default:
+        ipv4_address: "{{ services.mailu.dns }}"
+
+  admin:
+    image: ghcr.io/mailu/admin:{{ services.mailu.version }}
+    restart: unless-stopped
+    env_file: mailu.env
+    volumes:
+      - "./data:/data"
+      - "./dkim:/dkim"
+    networks:
+      default:
+        aliases:
+          - admin.mailu
+    depends_on:
+      - redis
+      - resolver
+    dns:
+      - "{{ services.mailu.dns }}"
+
+  imap:
+    image: ghcr.io/mailu/dovecot:{{ services.mailu.version }}
+    restart: unless-stopped
+    env_file: mailu.env
+    volumes:
+      - "./mail:/mail"
+      - "./overrides/dovecot:/overrides:ro"
+    depends_on:
+      - front
+      - resolver
+    dns:
+      - "{{ services.mailu.dns }}"
+
+  smtp:
+    image: ghcr.io/mailu/postfix:{{ services.mailu.version }}
+    restart: unless-stopped
+    env_file: mailu.env
+    volumes:
+      - "./mailqueue:/queue"
+      - "./overrides/postfix:/overrides:ro"
+    depends_on:
+      - front
+      - resolver
+    dns:
+      - "{{ services.mailu.dns }}"
+
+
+  antispam:
+    image: ghcr.io/mailu/rspamd:{{ services.mailu.version }}
+    hostname: antispam
+    restart: unless-stopped
+    env_file: mailu.env
+    volumes:
+      - "./filter:/var/lib/rspamd"
+      - "./overrides/rspamd:/overrides:ro"
+    depends_on:
+      - front
+      - redis
+      - resolver
+    dns:
+      - "{{ services.mailu.dns }}"
+
+  webmail:
+    image: ghcr.io/mailu/webmail:{{ services.mailu.version }}
+    restart: unless-stopped
+    env_file: mailu.env
+    volumes:
+      - "./webmail:/data"
+      - "./overrides/snappymail:/overrides:ro"
+    networks:
+      - webmail
+    depends_on:
+      - front
+
+networks:
+  default:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: "{{ services.mailu.subnet }}"
+  webmail:
+    driver: bridge
+  external_services:
+    external: true

roles/docker/templates/compose-files/mastodon.yml.j2

@@ -0,0 +1,146 @@
+# vim: ft=yaml.docker-compose
+x-sidekiq: &sidekiq
+  image: tootsuite/mastodon:{{ services.mastodon.version }}
+  restart: always
+  env_file: mastodon.env
+  networks:
+    - default
+    - postfix
+    - external_services
+  volumes:
+    - "./mastodon_data:/mastodon/public/system"
+  healthcheck:
+    test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
+  depends_on:
+    db:
+      condition: service_healthy
+    redis:
+      condition: service_healthy
+
+version: "3.8"
+
+services:
+  db:
+    restart: always
+    image: postgres:{{ services.mastodon.postgres_version }}
+    shm_size: 256mb
+    volumes:
+      - "./postgres_data:/var/lib/postgresql/data"
+      - "./postgres_config:/config:ro"
+    command: postgres -c config_file=/config/postgresql.conf
+    environment:
+      POSTGRES_HOST_AUTH_METHOD: trust
+    healthcheck:
+      test: ['CMD', 'pg_isready', '-U', 'postgres']
+
+  redis:
+    restart: always
+    image: redis:{{ services.mastodon.redis_version }}
+    volumes:
+      - "./redis_data:/data"
+    healthcheck:
+      test: ['CMD', 'redis-cli', 'ping']
+
+  web:
+    image: tootsuite/mastodon:{{ services.mastodon.version }}
+    restart: always
+    env_file: mastodon.env
+    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
+    networks:
+      - default
+      - external_services
+    volumes:
+      - "./mastodon_data:/mastodon/public/system"
+    environment:
+      MAX_THREADS: 10
+      WEB_CONCURRENCY: 3
+      VIRTUAL_HOST: "{{ services.mastodon.domain }}"
+      VIRTUAL_PORT: "3000"
+      VIRTUAL_PATH: /
+      LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    healthcheck:
+      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+
+  streaming:
+    image: tootsuite/mastodon:{{ services.mastodon.version }}
+    restart: always
+    env_file: mastodon.env
+    command: node ./streaming
+    networks:
+      - default
+      - external_services
+    ports:
+      - "127.0.0.1:4000:4000"
+    environment:
+      DB_POOL: 15
+      VIRTUAL_HOST: "{{ services.mastodon.domain }}"
+      VIRTUAL_PORT: "4000"
+      VIRTUAL_PATH: "/api/v1/streaming"
+    healthcheck:
+      test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+
+  # sidekiq-default-push-pull: DB_POOL = 25, -c 25 for 25 connections
+  sidekiq-default-push-pull:
+    <<: *sidekiq
+    command: bundle exec sidekiq -c 25 -q default -q push -q pull
+    environment:
+      DB_POOL: 25
+
+  # sidekiq-default-pull-push: DB_POOL = 25, -c 25 for 25 connections
+  sidekiq-default-pull-push:
+    <<: *sidekiq
+    command: bundle exec sidekiq -c 25 -q default -q pull -q push
+    environment:
+      DB_POOL: 25
+
+  # sidekiq-pull-default-push: DB_POOL = 25, -c 25 for 25 connections
+  sidekiq-pull-default-push:
+    <<: *sidekiq
+    command: bundle exec sidekiq -c 25 -q pull -q default -q push
+    environment:
+      DB_POOL: 25
+
+  # sidekiq-push-default-pull: DB_POOL = 25, -c 25 for 25 connections
+  sidekiq-push-default-pull:
+    <<: *sidekiq
+    command: bundle exec sidekiq -c 25 -q push -q default -q pull
+    environment:
+      DB_POOL: 25
+
+  # sidekiq-push-scheduler: DB_POOL = 5, -c 5 for 5 connections
+  sidekiq-push-scheduler:
+    <<: *sidekiq
+    command: bundle exec sidekiq -c 5 -q push -q scheduler
+    environment:
+      DB_POOL: 5
+
+  # sidekiq-push-mailers: DB_POOL = 5, -c 5 for 5 connections
+  sidekiq-push-mailers:
+    <<: *sidekiq
+    command: bundle exec sidekiq -c 5 -q push -q mailers
+    environment:
+      DB_POOL: 5
+
+  # sidekiq-push-ingress: DB_POOL = 10, -c 10 for 10 connections
+  sidekiq-push-ingress:
+    <<: *sidekiq
+    command: bundle exec sidekiq -c 10 -q push -q ingress
+    environment:
+      DB_POOL: 10
+
+networks:
+  external_services:
+    external: true
+  postfix:
+    external: true

roles/docker/templates/compose-files/matrix.yml.j2

@@ -0,0 +1,36 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  postgres:
+    image: postgres:{{ services.matrix.postgres_version }}
+    restart: unless-stopped
+    volumes:
+      - "./db:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: synapse
+      POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
+
+  synapse:
+    image: matrixdotorg/synapse:{{ services.matrix.version }}
+    restart: unless-stopped
+    networks:
+      - default
+      - external_services
+      - postfix
+    volumes:
+      - "./data:/data"
+    environment:
+      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+      SYNAPSE_CACHE_FACTOR: "2"
+      SYNAPSE_LOG_LEVEL: INFO
+      VIRTUAL_HOST: "{{ services.matrix.domain }}"
+      VIRTUAL_PORT: "8008"
+      LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true
+  postfix:
+    external: true

roles/docker/templates/compose-files/membersystem.yml.j2

@@ -0,0 +1,44 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: docker.data.coop/membersystem:{{ services.membersystem.version }}
+    restart: always
+    user: "$UID:$GID"
+    tty: true
+    networks:
+      - default
+      - external_services
+      - postfix
+    environment:
+      SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
+      DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
+      POSTGRES_HOST: postgres
+      POSTGRES_PORT: 5432
+      EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
+      EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
+      VIRTUAL_HOST: "{{ services.membersystem.domain }}"
+      VIRTUAL_PORT: "8000"
+      LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
+      CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
+      DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
+      DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
+    depends_on:
+      - postgres
+
+  postgres:
+    image: postgres:{{ services.membersystem.postgres_version }}
+    restart: always
+    volumes:
+      - "./postgres/data:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
+
+networks:
+  external_services:
+    external: true
+  postfix:
+    external: true

roles/docker/templates/compose-files/netdata.yml.j2

@@ -0,0 +1,36 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services: 
+  app:
+    image: netdata/netdata:{{ services.netdata.version }}
+    restart: unless-stopped
+    hostname: hevonen.servers.{{ base_domain }}
+    volumes: 
+      - "/proc:/host/proc:ro"
+      - "/sys:/host/sys:ro"
+      - "/etc/os-release:/host/etc/os-release:ro"
+    networks:
+      - default
+      - external_services
+    environment:
+      VIRTUAL_HOST : "{{ services.netdata.domain }}"
+      LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      PGID: "999"
+      DOCKER_HOST: "socket_proxy:2375"
+    cap_add:
+      - SYS_PTRACE
+    security_opt:
+      - apparmor:unconfined
+
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy:latest
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+    environment:
+      CONTAINERS: 1
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/nextcloud.yml.j2

@@ -0,0 +1,59 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  postgres:
+    image: postgres:{{ services.nextcloud.postgres_version }}
+    restart: unless-stopped
+    volumes:
+      - "./postgres:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_DB: nextcloud
+      POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+      POSTGRES_USER: nextcloud
+
+  redis:
+    image: redis:{{ services.nextcloud.redis_version }}
+    restart: unless-stopped
+    command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}
+    tmpfs:
+      - /var/lib/redis
+
+  cron:
+    image: nextcloud:{{ services.nextcloud.version }}
+    restart: unless-stopped
+    entrypoint: /cron.sh
+    volumes:
+      - "./app:/var/www/html"
+    depends_on:
+      - postgres
+      - redis
+
+  app:
+    image: nextcloud:{{ services.nextcloud.version }}
+    restart: unless-stopped
+    networks:
+      - default
+      - postfix
+      - external_services
+    volumes:
+      - "./app:/var/www/html"
+    environment:
+      VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
+      LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      POSTGRES_HOST: postgres
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+      REDIS_HOST: redis
+      REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
+    depends_on:
+      - postgres
+      - redis
+
+networks:
+  postfix:
+    external: true
+  external_services:
+    external: true

roles/docker/templates/compose-files/nginx_proxy.yml.j2

@@ -0,0 +1,38 @@
+version: "3.8"
+
+services:
+  proxy:
+    image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
+    restart: always
+    networks:
+      - external_services
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "./conf:/etc/nginx/conf.d"
+      - "./vhost:/etc/nginx/vhost.d"
+      - "./html:/usr/share/nginx/html"
+      - "./dhparam:/etc/nginx/dhparam"
+      - "./certs:/etc/nginx/certs:ro"
+      - "/var/run/docker.sock:/tmp/docker.sock:ro"
+    labels:
+      - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy
+
+{% if letsencrypt_enabled %}
+  acme:
+    image: nginxproxy/acme-companion:{{ services.nginx_proxy.acme_companion_version }}
+    restart: always
+    volumes:
+      - "./vhost:/etc/nginx/vhost.d"
+      - "./html:/usr/share/nginx/html"
+      - "./dhparam:/etc/nginx/dhparam:ro"
+      - "./certs:/etc/nginx/certs"
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    depends_on:
+      - proxy
+{% endif %}
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/openldap.yml.j2

@@ -0,0 +1,58 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: osixia/openldap:{{ services.openldap.version }}
+    restart: unless-stopped
+    tty: true
+    stdin_open: true
+    volumes:
+      - "./var/lib/ldap:/var/lib/ldap"
+      - "./etc/slapd.d:/etc/ldap/slapd.d"
+      - "./certs:/container/service/slapd/assets/certs/"
+    ports:
+      - "389:389"
+      - "636:636"
+    hostname: "{{ services.openldap.domain }}"
+    domainname: "{{ services.openldap.domain }}" # important: same as hostname
+    environment:
+      LDAP_LOG_LEVEL: "256"
+      LDAP_ORGANISATION: "{{ base_domain }}"
+      LDAP_DOMAIN: "{{ base_domain }}"
+      LDAP_BASE_DN: ""
+      LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
+      LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
+      LDAP_READONLY_USER: false
+      LDAP_RFC2307BIS_SCHEMA: false
+      LDAP_BACKEND: mdb
+      LDAP_TLS: true
+      LDAP_TLS_CRT_FILENAME: ldap.crt
+      LDAP_TLS_KEY_FILENAME: ldap.key
+      LDAP_TLS_CA_CRT_FILENAME: ca.crt
+      LDAP_TLS_ENFORCE: false
+      LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+      LDAP_TLS_PROTOCOL_MIN: "3.1"
+      LDAP_TLS_VERIFY_CLIENT: demand
+      LDAP_REPLICATION: false
+      KEEP_EXISTING_CONFIG: false
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: true
+      LDAP_SSL_HELPER_PREFIX: ldap
+
+  admin:
+    image: osixia/phpldapadmin:{{ services.openldap.phpldapadmin_version }}
+    restart: unless-stopped
+    networks:
+      - default
+      - external_services
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: app
+      PHPLDAPADMIN_HTTPS: false
+      PHPLDAPADMIN_TRUST_PROXY_SSL: true
+      VIRTUAL_HOST: "{{ services.openldap.domain }}"
+      LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/passit.yml.j2

@@ -0,0 +1,38 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  db:
+    image: postgres:{{ services.passit.postgres_version }}
+    restart: always
+    volumes:
+      - "./data:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: passit
+      POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
+
+  app:
+    image: passit/passit:{{ services.passit.version }}
+    command: bin/start.sh
+    restart: always
+    networks:
+      - default
+      - postfix
+      - external_services
+    environment:
+      DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@db:5432/passit
+      SECRET_KEY: "{{ passit_secret_key }}"
+      IS_DEBUG: "False"
+      EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
+      DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
+      EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
+      FIDO_SERVER_ID: "{{ services.passit.domain }}"
+      VIRTUAL_HOST: "{{ services.passit.domain }}"
+      LETSENCRYPT_HOST: "{{ services.passit.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  postfix:
+    external: true
+  external_services:
+    external: true

roles/docker/templates/compose-files/portainer.yml.j2

@@ -0,0 +1,21 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: portainer/portainer-ee:{{ services.portainer.version }}
+    restart: always
+    networks:
+      - external_services
+    volumes:
+      - ".:/data"
+      - "/var/run/docker.sock:/var/run/docker.sock:rw"
+    environment:
+      VIRTUAL_HOST: "{{ services.portainer.domain }}"
+      VIRTUAL_PORT: "9000"
+      LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/postfix.yml.j2

@@ -0,0 +1,22 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: boky/postfix:{{ services.postfix.version }}
+    restart: always
+    networks:
+      postfix:
+        aliases:
+          - postfix
+    volumes:
+      - "./dkim:/etc/opendkim/keys"
+    environment:
+      # Get all services which have allowed_sender_domain defined
+      ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'true') | map(attribute='value.domain') | join(' ') }}"
+      HOSTNAME: "{{ services.postfix.domain }}" # the name the smtp server will identify itself as
+      DKIM_AUTOGENERATE: true
+
+networks:
+  postfix:
+    external: true

roles/docker/templates/compose-files/privatebin.yml.j2

@@ -0,0 +1,20 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  app:
+    image: jgeusebroek/privatebin:{{ services.privatebin.version }}
+    restart: unless-stopped
+    volumes:
+      - "./cfg:/privatebin/cfg"
+      - "./data:/privatebin/data"
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST: "{{ services.privatebin.domain }}"
+      LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/rallly.yml.j2

@@ -0,0 +1,41 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  db:
+    image: postgres:{{ services.rallly.postgres_version }}
+    restart: always
+    shm_size: 256mb
+    volumes:
+      - "./postgres:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
+      POSTGRES_DB: rallly_db
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  app:
+    image: lukevella/rallly:{{ services.rallly.version }}
+    restart: always
+    networks:
+      - default
+      - external_services
+      - postfix
+    env_file: rallly.env
+    environment:
+      VIRTUAL_HOST: "{{ services.rallly.domain }}"
+      VIRTUAL_PORT: "3000"
+      LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    depends_on:
+      db:
+        condition: service_healthy
+
+networks:
+  external_services:
+    external: true
+  postfix:
+    external: true

roles/docker/templates/compose-files/restic.yml.j2

@@ -0,0 +1,50 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  backup:
+    image: mazzolino/restic:{{ services.restic.version }}
+    restart: always
+    hostname: {{ inventory_hostname_short }}
+    domainname: {{ inventory_hostname }}
+    environment:
+      RUN_ON_STARTUP: false
+      BACKUP_CRON: "0 30 3 * * *"
+      RESTIC_REPOSITORY: sftp:{{ services.restic.remote_user }}@{{ services.restic.remote_domain }}:{{ services.restic.repository }}
+      RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
+      RESTIC_BACKUP_SOURCES: /mnt/volumes
+      RESTIC_BACKUP_ARGS: >-
+        --tag datacoop-volumes
+        --exclude '*.tmp'
+        --exclude '/mnt/volumes/mastodon/mastodon_data/cache/'
+        --exclude '/mnt/volumes/restic/'
+        --verbose
+      RESTIC_FORGET_ARGS: >-
+        --keep-last 10
+        --keep-daily 7
+        --keep-weekly 5
+        --keep-monthly 12
+      TZ: Europe/Copenhagen
+      POST_COMMANDS_FAILURE: /run/libexec/failure.sh
+      POST_COMMANDS_SUCCESS: /run/libexec/success.sh
+    volumes:
+      - "./ssh:/run/secrets/.ssh:ro"
+      - "./scripts:/run/libexec:ro"
+      - "/docker-volumes:/mnt/volumes:ro"
+    networks:
+      - postfix
+
+  prune:
+    image: mazzolino/restic:{{ services.restic.version }}
+    environment:
+      RUN_ON_STARTUP: false
+      PRUNE_CRON: "0 30 4 * * *"
+      RESTIC_REPOSITORY: sftp:{{ services.restic.remote_user }}@{{ services.restic.remote_domain }}:{{ services.restic.repository }}
+      RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
+      TZ: Europe/copenhagen
+    volumes:
+      - "./ssh:/run/secrets/.ssh:ro"
+
+networks:
+  postfix:
+    external: true

roles/docker/templates/compose-files/slides_2022_website.yml.j2

@@ -0,0 +1,22 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  web:
+    image: docker.data.coop/unipi:{{ services.slides_2022_website.version }}
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST: "{{ services.slides_2022_website.domain }}"
+      LETSENCRYPT_HOST: "{{ services.slides_2022_website.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    command: --remote=https://git.data.coop/data.coop/slides.git#slides2022
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - "/dev/net/tun"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/ulovliglogning_website.yml.j2

@@ -0,0 +1,17 @@
+# vim: ft=yaml.docker-compose
+version: "3.8"
+
+services:
+  web:
+    image: ulovliglogning/ulovliglogning.dk:latest
+    restart: unless-stopped
+    networks:
+      - external_services
+    environment:
+      VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains | join(',') }}"
+      LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains | join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+networks:
+  external_services:
+    external: true

roles/docker/templates/compose-files/uptime_kuma.yml.j2

@@ -0,0 +1,21 @@
+# vim: ft=yaml.docker-compose
+version: '3.3'
+
+services:
+  uptime-kuma:
+    image: "louislam/uptime-kuma:{{ services.uptime_kuma.version }}"
+    restart: always
+    container_name: uptime-kuma
+    networks:
+        - external_services
+    volumes:
+      - "./uptime-kuma-data:/app/data"
+    environment:
+      VIRTUAL_HOST: "{{ services.uptime_kuma.domain }},{{ services.uptime_kuma.status_domain }}"
+      LETSENCRYPT_HOST: "{{ services.uptime_kuma.domain }},{{ services.uptime_kuma.status_domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+
+networks:
+  external_services:
+    external: true