data.coop/ansible
8
3
Fork 7
Code Issues 49 Pull requests 9 Projects 1 Releases Wiki Activity

Enable Watchtower for all services #123

Merged
valberg merged 19 commits from watchtower into main 2023-01-21 17:17:56 +00:00
Conversation 16 Commits 19 Files changed 13 +629 -958
45 changed files with 629 additions and 958 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 1356aa54c8 - Show all commits

111
.ansible-lint Normal file
View file

@ -0,0 +1,111 @@
---
# .ansible-lint
profile: null # min, basic, moderate,safety, shared, production
# exclude_paths included in this file are parsed relative to this file's location
# and not relative to the CWD of execution. CLI arguments passed to the --exclude
# option are parsed relative to the CWD of execution.
exclude_paths:
- .cache/ # implicit unless exclude_paths is defined in config
- .github/
- test/fixtures/formatting-before/
- test/fixtures/formatting-prettier/
# parseable: true
# quiet: true
# strict: true
# verbosity: 1
# Mock modules or roles in order to pass ansible-playbook --syntax-check
mock_modules:
- zuul_return
# note the foo.bar is invalid as being neither a module or a collection
- fake_namespace.fake_collection.fake_module
- fake_namespace.fake_collection.fake_module.fake_submodule
mock_roles:
- mocked_role
- author.role_name # old standalone galaxy role
- fake_namespace.fake_collection.fake_role # role within a collection
# Enable checking of loop variable prefixes in roles
loop_var_prefix: "{role}_"
# Enforce variable names to follow pattern below, in addition to Ansible own
# requirements, like avoiding python identifiers. To disable add `var-naming`
# to skip_list.
# var_naming_pattern: "^[a-z_][a-z0-9_]*$"
use_default_rules: true
# Load custom rules from this specific folder
# rulesdir:
# - ./rule/directory/
# Ansible-lint completely ignores rules or tags listed below
skip_list:
- skip_this_tag
# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
# You must enable opt-in rules by listing each rule 'id' below.
enable_list:
- empty-string-compare # opt-in
- no-log-password # opt-in
- no-same-owner # opt-in
# add yaml here if you want to avoid ignoring yaml checks when yamllint
# library is missing. Normally its absence just skips using that rule.
- yaml
# Report only a subset of tags and fully ignore any others
# tags:
# - jinja[spacing]
# Ansible-lint does not fail on warnings from the rules or tags listed below
warn_list:
- skip_this_tag
- experimental # experimental is included in the implicit list
# - role-name
# - yaml[document-start] # you can also use sub-rule matches
# Some rules can transform files to fix (or make it easier to fix) identified
# errors. `ansible-lint --write` will reformat YAML files and run these transforms.
# By default it will run all transforms (effectively `write_list: ["all"]`).
# You can disable running transforms by setting `write_list: ["none"]`.
# Or only enable a subset of rule transforms by listing rules/tags here.
# write_list:
# - all
# Offline mode disables installation of requirements.yml
offline: false
# Return success if number of violations compared with previous git
# commit has not increased. This feature works only in git
# repositories.
progressive: false
# Define required Ansible's variables to satisfy syntax check
extra_vars:
foo: bar
multiline_string_variable: |
line1
line2
complex_variable: ":{;\t$()"
# Uncomment to enforce action validation with tasks, usually is not
# needed as Ansible syntax check also covers it.
# skip_action_validation: false
# List of additional kind:pattern to be added at the top of the default
# match list, first match determines the file kind.
kinds:
# - playbook: "**/examples/*.{yml,yaml}"
# - galaxy: "**/folder/galaxy.yml"
# - tasks: "**/tasks/*.yml"
# - vars: "**/vars/*.yml"
# - meta: "**/meta/main.yml"
- yaml: "**/*.yaml-too"
# List of additional collections to allow in only-builtins rule.
# only_builtins_allow_collections:
# - example_ns.example_collection
# List of additions modules to allow in only-builtins rule.
# only_builtins_allow_modules:
# - example_module

2
.gitignore vendored
View file

@ -2,3 +2,5 @@ playbook.retry
*.sw*
.vagrant/
*.log
.idea/
venv/

14
.pre-commit-config.yaml Normal file
View file

@ -0,0 +1,14 @@
repos:
#- repo: https://github.com/semaphor-dk/dansabel
# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
# hooks:
# - id: dansabel
- repo: https://github.com/ansible/ansible-lint
rev: v6.9.0
hooks:
- id: ansible-lint
files: \.(yaml|yml)$
additional_dependencies:
- ansible

12
Makefile Normal file
View file

@ -0,0 +1,12 @@
init: create_venv install_pre_commit install_ansible_galaxy_modules
create_venv:
python3 -m venv venv
venv/bin/pip install -U pip
venv/bin/pip install ansible pre-commit
install_pre_commit:
venv/bin/pre-commit install
install_ansible_galaxy_modules:
venv/bin/ansible-galaxy collection install community.general

13
deploy.sh
View file

@ -2,8 +2,13 @@
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
if [ "$1" = "--vagrant" ]; then
BASE_CMD="$BASE_CMD --inventory=vagrant_host"
shift
fi
if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
echo "Installing community modules"
echo "Installing community.general modules"
ansible-galaxy collection install community.general
fi
@ -17,12 +22,14 @@ else
echo "Deploying all services!"
$BASE_CMD --tags setup_services
else
echo "Deploying services: $2"
$BASE_CMD --tags setup_services --extra-vars "services=$2"
echo "Deploying service: $2"
$BASE_CMD --tags setup_services --extra-vars "single_service=$2"
fi
;;
"base")
$BASE_CMD --tags base_only
;;
*)
echo "Command \"$1\" not found!"
esac
fi

25
playbook.yml
View file

@ -10,31 +10,6 @@
vagrant: "{{ ansible_virtualization_role == 'guest' }}"
letsencrypt_enabled: "{{ not vagrant }}"
services:
- nginx-proxy
- postfix
- openldap
- keycloak
- restic-backup
- nextcloud
- passit
- gitea
- matrix_riot
- privatebin
- codimd
- hedgedoc
- netdata
- docker_registry
- drone
- websites
- ulovliglogning-dk
- watchtower
- mailu
- portainer
- mastodon
- rallly
- membersystem
smtp_host: "postfix"
smtp_port: "587"

235
roles/docker/defaults/main.yml
View file

@ -1,122 +1,169 @@
---
volume_root_folder: "/docker-volumes"
nginx:
volume_folder: "{{ volume_root_folder }}/nginx"
services:
ldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
### Internal services ###
postfix:
file: postfix.yml
version: "v3.5.1"
nextcloud:
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
nginx_proxy:
file: nginx_proxy.yml
version: "1.0-alpine"
volume_folder: "{{ volume_root_folder }}/nginx"
gitea:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/gitea"
nginx_acme_companion:
version: "2.2"
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
openldap:
file: openldap.yml
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
version: "1.5.0"
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
phpldapadmin:
version: "0.9.0"
riot:
domains:
- "riot.{{ base_domain }}"
- "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/riot"
netdata:
file: netdata.yml
domain: "netdata.{{ base_domain }}"
version: "v1"
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
portainer:
file: portainer.yml
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
version: "2.16.2"
codimd:
domain: "oldpad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/codimd"
keycloak:
file: keycloak.yml
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
version: "20.0"
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
restic:
file: restic_backup.yml
user: "datacoop"
domain: "restic.cannedtuna.org"
repository: "datacoop-hevonen"
version: "1.6.0"
disabled_in_vagrant: true
netdata:
domain: "netdata.{{ base_domain }}"
docker_registry:
file: docker_registry.yml
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
username: "docker"
password: "{{ docker_password }}"
version: "2"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
username: "docker"
password: "{{ docker_password }}"
### External services ###
data_coop_website:
domains:
- "{{ base_domain }}"
- "www.{{ base_domain }}"
nextcloud:
file: nextcloud.yml
domain: "cloud.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/nextcloud"
version: 25-apache
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
gitea:
file: gitea.yml
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/gitea"
version: 1.17
allowed_sender_domain: true
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
passit:
file: passit.yml
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
version: stable
allowed_sender_domain: true
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
matrix:
file: matrix_riot.yml
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
version: v1.63.1
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
riot:
domains:
- "riot.{{ base_domain }}"
- "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/riot"
version: v1.11.8
mailu:
version: 1.6
domain: "mail.{{ base_domain }}"
dns: 192.168.203.254
subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu"
privatebin:
file: privatebin.yml
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
version: 20221009
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
codimd:
domain: "oldpad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/codimd"
ttrss:
domain: rss.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/tt-rss"
hedgedoc:
file: hedgedoc.yml
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
version: 1
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
data_coop_website:
file: websites/data.coop.yml
domains:
- "{{ base_domain }}"
- "www.{{ base_domain }}"
samsapti marked this conversation as resolved Outdated
valberg commented 2023-01-21 12:12:55 +00:00
Outdated
Review
Copy link

Hvorfor ikke 1.9?

Hvorfor ikke 1.9?
samsapti commented 2023-01-21 16:31:03 +00:00
Outdated
Review
Copy link

Fordi den kører SemVer, så minor opgraderinger har ikke breaking changes.

Fordi den kører SemVer, så minor opgraderinger har ikke breaking changes.
postfix:
allowed_sender_domains:
- "services.{{ base_domain }}"
- "{{ passit.domain }}"
- "{{ gitea.domain }}"
- "{{ mastodon.domain }}"
- "{{ rallly.domain }}"
- "{{ membersystem.domain }}"
cryptohagen_website:
file: websites/cryptohagen.dk.yml
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
mastodon:
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
ulovliglogning_website:
file: websites/ulovliglogning.dk.yml
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
rallly:
domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly"
cryptoaarhus_website:
file: websites/cryptoaarhus.dk.yml
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
membersystem:
domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li"
drone:
file: drone.yml
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
version: 1
restic:
user: "datacoop"
domain: "restic.cannedtuna.org"
repository: "datacoop-hevonen"
mailu:
file: mailu.yml
version: 1.6
domain: "mail.{{ base_domain }}"
dns: 192.168.203.254
subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu"
mastodon:
file: mastodon.yml
domain: "social.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/mastodon"
version: v4.0.2
allowed_sender_domain: true
rallly:
file: rallly.yml
domain: "when.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/rallly"
version: a21f92bf74308d66cfcd545d49b81eba0211a222
allowed_sender_domain: true
membersystem:
file: membersystem.yml
domain: "member.{{ base_domain }}"
django_admins: "Vidir:valberg@orn.li"
allowed_sender_domain: true

4
roles/docker/files/configs/mastodon/env_file.j2
View file

@ -14,7 +14,7 @@
# ----------
# This identifies your server and cannot be changed safely later
# ----------
LOCAL_DOMAIN={{ mastodon.domain }}
LOCAL_DOMAIN={{ services.mastodon.domain }}
# Redis
# -----
@ -52,7 +52,7 @@ SMTP_SERVER={{ smtp_host }}
SMTP_PORT={{ smtp_port }}
SMTP_LOGIN=
SMTP_PASSWORD=
SMTP_FROM_ADDRESS=notifications@{{ mastodon.domain }}
SMTP_FROM_ADDRESS=notifications@{{ services.mastodon.domain }}
# File storage (optional)
# -----------------------

2
roles/docker/files/configs/matrix/homeserver.yaml.j2
View file

@ -44,7 +44,7 @@ pid_file: /data/homeserver.pid
# use synapse with a reverse proxy, this should be the URL to reach
# synapse via the proxy.
#
public_baseurl: "https://{{ matrix.domain }}"
public_baseurl: "https://{{ services.matrix.domain }}"
# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the

4
roles/docker/files/configs/rallly/env_file → roles/docker/files/configs/rallly/env_file.j2
View file

@ -1,7 +1,7 @@
NEXT_PUBLIC_BASE_URL="https://{{ rallly.domain }}"
NEXT_PUBLIC_BASE_URL="https://{{ services.rallly.domain }}"
DATABASE_URL="postgres://postgres:{{ postgres_passwords.rallly }}@rallly_db:5432/rallly_db"
SECRET_PASSWORD="{{ rallly_secrets.secret_password }}"
SUPPORT_EMAIL="noreply@{{ rallly.domain }}"
SUPPORT_EMAIL="noreply@{{ services.rallly.domain }}"
SMTP_HOST="{{ smtp_host }}"
SMTP_PORT="{{ smtp_port }}"
SMTP_SECURE="false"

4
roles/docker/files/configs/riot/config.json
View file

@ -1,7 +1,7 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://{{ matrix.domain }}"
"base_url": "https://{{ services.matrix.domain }}"
},
"m.identity_server": {
"base_url": "https://vector.im"
@ -37,7 +37,7 @@
]
},
"enable_presence_by_hs_url": {
"https://{{ matrix.domain }}": false
"https://{{ services.matrix.domain }}": false
},
"terms_and_conditions_links": [
{

511
roles/docker/files/configs/thelounge.js
View file

@ -1,511 +0,0 @@
"use strict";
module.exports = {
//
// Set the server mode.
// Public servers does not require authentication.
//
// Set to 'false' to enable users.
//
// @type boolean
// @default false
//
public: false,
//
// IP address or hostname for the web server to listen on.
// Setting this to undefined will listen on all interfaces.
//
// For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
//
// @type string
// @default undefined
//
host: undefined,
//
// Set the port to listen on.
//
// @type int
// @default 9000
//
port: 9000,
//
// Set the local IP to bind to for outgoing connections. Leave to undefined
// to let the operating system pick its preferred one.
//
// @type string
// @default undefined
//
bind: undefined,
//
// Sets whether the server is behind a reverse proxy and should honor the
// X-Forwarded-For header or not.
//
// @type boolean
// @default false
//
reverseProxy: false,
//
// Set the default theme.
// Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
//
// @type string
// @default "example"
//
theme: "example",
//
// Prefetch URLs
//
// If enabled, The Lounge will try to load thumbnails and site descriptions from
// URLs posted in channels.
//
// @type boolean
// @default false
//
prefetch: false,
//
// Store and proxy prefetched images and thumbnails.
// This improves security and privacy by not exposing client IP address,
// and always loading images from The Lounge instance and making all assets secure,
// which in result fixes mixed content warnings.
//
// If storage is enabled, The Lounge will fetch and store images and thumbnails
// in the `${THELOUNGE_HOME}/storage` folder.
//
// Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
// and the folder is cleaned up on every The Lounge restart.
//
// @type boolean
// @default false
//
prefetchStorage: false,
//
// Prefetch URLs Image Preview size limit
//
// If prefetch is enabled, The Lounge will only display content under the maximum size.
// Specified value is in kilobytes. Default value is 2048 kilobytes.
//
// @type int
// @default 2048
//
prefetchMaxImageSize: 2048,
//
// Display network
//
// If set to false network settings will not be shown in the login form.
//
// @type boolean
// @default true
//
displayNetwork: true,
//
// Lock network
//
// If set to true, users will not be able to modify host, port and tls
// settings and will be limited to the configured network.
//
// @type boolean
// @default false
//
lockNetwork: false,
//
// Hex IP
//
// If enabled, clients' username will be set to their IP encoded has hex.
// This is done to share the real user IP address with the server for host masking purposes.
//
// @type boolean
// @default false
//
useHexIp: false,
//
// WEBIRC support
//
// If enabled, The Lounge will pass the connecting user's host and IP to the
// IRC server. Note that this requires to obtain a password from the IRC network
// The Lounge will be connecting to and generally involves a lot of trust from the
// network you are connecting to.
//
// Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
// Format (function):
// {"irc.example.net": function(client, args, trusted) {
// // here, we return a webirc object fed directly to `irc-framework`
// return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
// }}
//
// @type string | function(client, args):object(webirc)
// @default null
webirc: null,
//
// Log settings
//
// Logging has to be enabled per user. If enabled, logs will be stored in
// the 'logs/<user>/<network>/' folder.
//
// @type object
// @default {}
//
logs: {
//
// Timestamp format
//
// @type string
// @default "YYYY-MM-DD HH:mm:ss"
//
format: "YYYY-MM-DD HH:mm:ss",
//
// Timezone
//
// @type string
// @default "UTC+00:00"
//
timezone: "UTC+00:00",
},
//
// Maximum number of history lines per channel
//
// Defines the maximum number of history lines that will be kept in
// memory per channel/query, in order to reduce the memory usage of
// the server. Setting this to -1 will keep unlimited amount.
//
// @type integer
// @default 10000
maxHistory: 10000,
//
// Default values for the 'Connect' form.
//
// @type object
// @default {}
//
defaults: {
//
// Name
//
// @type string
// @default "Freenode"
//
name: "Freenode",
//
// Host
//
// @type string
// @default "chat.freenode.net"
//
host: "chat.freenode.net",
//
// Port
//
// @type int
// @default 6697
//
port: 6697,
//
// Password
//
// @type string
// @default ""
//
password: "",
//
// Enable TLS/SSL
//
// @type boolean
// @default true
//
tls: true,
//
// Nick
//
// @type string
// @default "lounge-user"
//
nick: "lounge-user",
//
// Username
//
// @type string
// @default "lounge-user"
//
username: "lounge-user",
//
// Real Name
//
// @type string
// @default "The Lounge User"
//
realname: "The Lounge User",
//
// Channels
// This is a comma-separated list.
//
// @type string
// @default "#thelounge"
//
join: "#thelounge",
},
//
// Set socket.io transports
//
// @type array
// @default ["polling", "websocket"]
//
transports: ["polling", "websocket"],
//
// Run The Lounge using encrypted HTTP/2.
// This will fallback to regular HTTPS if HTTP/2 is not supported.
//
// @type object
// @default {}
//
https: {
//
// Enable HTTP/2 / HTTPS support.
//
// @type boolean
// @default false
//
enable: false,
//
// Path to the key.
//
// @type string
// @example "sslcert/key.pem"
// @default ""
//
key: "",
//
// Path to the certificate.
//
// @type string
// @example "sslcert/key-cert.pem"
// @default ""
//
certificate: "",
//
// Path to the CA bundle.
//
// @type string
// @example "sslcert/bundle.pem"
// @default ""
//
ca: "",
},
//
// Default quit and part message if none is provided.
//
// @type string
// @default "The Lounge - https://thelounge.github.io"
//
leaveMessage: "The Lounge - https://thelounge.github.io",
//
// Run The Lounge with identd support.
//
// @type object
// @default {}
//
identd: {
//
// Run the identd daemon on server start.
//
// @type boolean
// @default false
//
enable: false,
//
// Port to listen for ident requests.
//
// @type int
// @default 113
//
port: 113,
},
//
// Enable oidentd support using the specified file
//
// Example: oidentd: "~/.oidentd.conf",
//
// @type string
// @default null
//
oidentd: null,
//
// LDAP authentication settings (only available if public=false)
// @type object
// @default {}
//
// The authentication process works as follows:
//
// 1. Lounge connects to the LDAP server with its system credentials
// 2. It performs a LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. Lounge tries to connect a second time, but this time using the user's
// DN and password. Auth is validated iff this connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
// to be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
// where <username> is the user name provided in the log in request,
// <primaryKey> is provided by the config and <fitler> is a filtering complement
// also given in the config, to filter for instance only for nodes of type
// inetOrgPerson, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
// ignore searchDN options and assume that the user DN is always:
// <bindDN>,<primaryKey>=<username>
// where <username> is the user name provided in the log in request, and <bindDN>
// and <primaryKey> are provided by the config.
//
ldap: {
//
// Enable LDAP user authentication
//
// @type boolean
// @default false
//
enable: true,
//
// LDAP server URL
//
// @type string
//
url: "ldap://{{ ldap.domain }}",
//
// LDAP connection tls options (only used if scheme is ldaps://)
//
// @type object (see nodejs' tls.connect() options)
// @default {}
//
// Example:
// You can use this option in order to force the use of IPv6:
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
tlsOptions: {},
//
// LDAP base dn, alternative to searchDN
//
// @type string
//
// baseDN: "",
//
// LDAP primary key
//
// @type string
// @default "uid"
//
primaryKey: "uid",
//
// LDAP search dn settings. This defines the procedure by which the
// lounge first look for user DN before authenticating her.
// Ignored if baseDN is specified
//
// @type object
//
searchDN: {
//
// LDAP searching bind DN
// This bind DN is used to query the server for the DN of the user.
// This is supposed to be a system user that has access in read only to
// the DNs of the people that are allowed to log in.
//
// @type string
//
rootDN: "cn=admin,dc=data,dc=coop",
//
// Password of the lounge LDAP system user
//
// @type string
//
rootPassword: "{{ ldap_admin_password }}",
//
// LDAP filter
//
// @type string
// @default "uid"
//
//filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
filter: "(objectClass=inetOrgPerson)",
//
// LDAP search base (search only within this node)
//
// @type string
//
base: "{{ ldap_dn }}",
//
// LDAP search scope
//
// @type string
// @default "sub"
//
scope: "sub",
},
},
// Extra debugging
//
// @type object
// @default {}
//
debug: {
// Enables extra debugging output provided by irc-framework.
//
// @type boolean
// @default false
//
ircFramework: false,
// Enables logging raw IRC messages into each server window.
//
// @type boolean
// @default false
//
raw: false,
},
};

14
roles/docker/tasks/services.yml
View file

@ -4,5 +4,15 @@
name: external_services
- name: setup services
include_tasks: "services/{{ item }}.yml"
with_items: "{{ services }}"
include_tasks: "services/{{ item.value.file }}"
loop: "{{ services | dict2items }}"
when: single_service is not defined and
item.value.file is defined and
item.value.disabled_in_vagrant is not defined
- name: setup single service
include_tasks: "services/{{ services[single_service].file }}"
when: single_service is defined and
single_service in services and
services[single_service].file is defined and
services[single_service].disabled_in_vagrant is not defined

18
roles/docker/tasks/services/docker_registry.yml
View file

@ -2,34 +2,34 @@
- name: copy docker registry nginx configuration
copy:
src: "files/configs/docker_registry/nginx.conf"
dest: "/docker-volumes/nginx/vhost/{{ docker_registry.domain }}"
dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}"
mode: "0644"
- name: docker registry container
docker_container:
name: registry
image: registry:2
image: registry:{{ services.docker_registry.version }}
restart_policy: always
volumes:
- "{{ docker_registry.volume_folder }}/registry:/var/lib/registry"
- "{{ docker_registry.volume_folder }}/auth:/auth"
- "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry"
- "{{ services.docker_registry.volume_folder }}/auth:/auth"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ docker_registry.domain }}"
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
- name: generate htpasswd file
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ docker_registry.volume_folder }}/auth/htpasswd"
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd"
args:
creates: "{{ docker_registry.volume_folder }}/auth/htpasswd"
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to registry
docker_login:
registry: "docker.data.coop"
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
username: "docker"
password: "{{ docker_password }}"

14
roles/docker/tasks/services/drone.yml
View file

@ -14,31 +14,31 @@
- external_services
- drone
volumes:
- "{{ drone.volume_folder }}:/data"
- "{{ services.drone.volume_folder }}:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: "https://{{ gitea.domain }}"
DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}"
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: "true"
DRONE_SERVER_HOST: "{{ drone.domain }}"
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
DRONE_SERVER_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
PLUGIN_CUSTOM_DNS: "91.239.100.100"
VIRTUAL_HOST: "{{ drone.domain }}"
LETSENCRYPT_HOST: "{{ drone.domain }}"
VIRTUAL_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
drone-runner-docker:
container_name: "drone-runner-docker"
image: "drone/drone-runner-docker:1"
image: "drone/drone-runner-docker:{{ services.drone.version }}"
restart: unless-stopped
networks:
- drone
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ drone.domain }}"
DRONE_RPC_HOST: "{{ services.drone.domain }}"
DRONE_RPC_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2

10
roles/docker/tasks/services/gitea.yml
View file

@ -7,25 +7,25 @@
- name: gitea container
docker_container:
name: gitea
image: gitea/gitea:1.17
image: gitea/gitea:{{ services.gitea.version }}
restart_policy: unless-stopped
networks:
- name: gitea
- name: postfix
- name: external_services
volumes:
- "{{ gitea.volume_folder }}:/data"
- "{{ services.gitea.volume_folder }}:/data"
published_ports:
- "22:22"
env:
VIRTUAL_HOST: "{{ gitea.domain }}"
VIRTUAL_HOST: "{{ services.gitea.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ gitea.domain }}"
LETSENCRYPT_HOST: "{{ services.gitea.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
GITEA__mailer__ENABLED: "true"
GITEA__mailer__FROM: "noreply@{{ gitea.domain }}"
GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}"
GITEA__mailer__MAILER_TYPE: "smtp"
GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
GITEA__mailer__USER: "noop"

18
roles/docker/tasks/services/hedgedoc.yml
View file

@ -1,7 +1,7 @@
---
- name: create hedgedoc volume folders
file:
name: "{{ hedgedoc.volume_folder }}/{{ volume }}"
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
@ -12,7 +12,7 @@
- name: copy sso public certificate
copy:
src: "files/sso/sso.data.coop.pem"
dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem"
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"
- name: setup hedgedoc
@ -31,13 +31,13 @@
networks:
- "hedgedoc"
volumes:
- "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
- "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
app:
image: quay.io/hedgedoc/hedgedoc:1
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
environment:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
CMD_DOMAIN: "{{ hedgedoc.domain }}"
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
@ -47,12 +47,12 @@
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CMD_USECDN: "false"
CMD_PROTOCOL_USESSL: "true"
VIRTUAL_HOST: "{{ hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ hedgedoc.domain }}"
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
- "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
- "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
- "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
restart: "unless-stopped"
networks:
- "hedgedoc"

8
roles/docker/tasks/services/keycloak.yml
View file

@ -12,14 +12,14 @@
networks:
- "keycloak"
volumes:
- "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data"
- "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "keycloak"
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: "keycloak"
app:
image: "quay.io/keycloak/keycloak:20.0"
image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}"
restart: "unless-stopped"
networks:
- "keycloak"
@ -36,9 +36,9 @@
- "--https-port=8080"
- "--http-relative-path=/auth"
environment:
VIRTUAL_HOST: "{{ keycloak.domain }}"
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ keycloak.domain }}"
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:

84
roles/docker/tasks/services/mailu.yml
View file

@ -2,7 +2,7 @@
- name: create mailu volume folders
file:
name: "{{ mailu.volume_folder }}/{{ volume }}"
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
@ -20,20 +20,20 @@
- name: upload mailu.env file
template:
src: mailu.env.j2
dest: "{{ mailu.volume_folder}}/mailu.env"
dest: "{{ services.mailu.volume_folder}}/mailu.env"
- name: hard link to Let's Encrypt TLS certificate
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem"
dest: "{{ mailu.volume_folder }}/certs/cert.pem"
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
state: hard
force: yes
when: letsencrypt_enabled
- name: hard link to Let's Encrypt TLS key
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem"
dest: "{{ mailu.volume_folder }}/certs/key.pem"
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
state: hard
force: yes
when: letsencrypt_enabled
@ -49,30 +49,30 @@
image: redis:alpine
restart: always
volumes:
- "{{ mailu.volume_folder }}/redis:/data"
- "{{ services.mailu.volume_folder }}/redis:/data"
database:
image: mailu/postgresql:{{ mailu.version }}
image: mailu/postgresql:{{ services.mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data/psql_db:/data"
- "{{ mailu.volume_folder }}/data/psql_backup:/backup"
- "{{ services.mailu.volume_folder }}/data/psql_db:/data"
- "{{ services.mailu.volume_folder }}/data/psql_backup:/backup"
networks:
- default
- external_services
front:
image: mailu/nginx:{{ mailu.version }}
image: mailu/nginx:{{ services.mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
environment:
VIRTUAL_HOST: "{{ mailu.domain }}"
LETSENCRYPT_HOST: "{{ mailu.domain }}"
VIRTUAL_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ mailu.volume_folder }}/certs:/certs"
- "{{ mailu.volume_folder }}/overrides/nginx:/overrides"
- "{{ services.mailu.volume_folder }}/certs:/certs"
- "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides"
expose:
- "80"
ports:
@ -85,70 +85,70 @@
- external_services
resolver:
image: mailu/unbound:{{ mailu.version }}
image: mailu/unbound:{{ services.mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
networks:
default:
ipv4_address: "{{ mailu.dns }}"
ipv4_address: "{{ services.mailu.dns }}"
admin:
image: mailu/admin:{{ mailu.version }}
image: mailu/admin:{{ services.mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data:/data"
- "{{ mailu.volume_folder }}/dkim:/dkim"
- "{{ services.mailu.volume_folder }}/data:/data"
- "{{ services.mailu.volume_folder }}/dkim:/dkim"
depends_on:
- redis
imap:
image: mailu/dovecot:{{ mailu.version }}
image: mailu/dovecot:{{ services.mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/mail:/mail"
- "{{ mailu.volume_folder }}/overrides:/overrides"
- "{{ services.mailu.volume_folder }}/mail:/mail"
- "{{ services.mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
smtp:
image: mailu/postfix:{{ mailu.version }}
image: mailu/postfix:{{ services.mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/overrides:/overrides"
- "{{ services.mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
- "{{ services.mailu.dns }}"
antispam:
image: mailu/rspamd:{{ mailu.version }}
image: mailu/rspamd:{{ services.mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/filter:/var/lib/rspamd"
- "{{ mailu.volume_folder }}/dkim:/dkim"
- "{{ mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
- "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd"
- "{{ services.mailu.volume_folder }}/dkim:/dkim"
- "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
- "{{ services.mailu.dns }}"
webmail:
image: mailu/rainloop:1.6
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/webmail:/data"
- "{{ services.mailu.volume_folder }}/webmail:/data"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
- "{{ services.mailu.dns }}"
networks:
default:
@ -156,7 +156,7 @@
ipam:
driver: default
config:
- subnet: "{{ mailu.subnet }}"
- subnet: "{{ services.mailu.subnet }}"
external_services:
external:
name: external_services

36
roles/docker/tasks/services/mastodon.yml
View file

@ -1,6 +1,6 @@
- name: create mastodon volume folders
file:
name: "{{ mastodon.volume_folder }}/{{ volume }}"
name: "{{ services.mastodon.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
@ -14,12 +14,12 @@
- name: Copy mastodon environment file
template:
src: files/configs/mastodon/env_file.j2
dest: "{{ mastodon.volume_folder }}/env_file"
dest: "{{ services.mastodon.volume_folder }}/env_file"
- name: upload vhost config for root domain
template:
src: files/configs/mastodon/vhost-mastodon
dest: "{{ nginx.volume_folder }}/vhost/{{ mastodon.domain }}"
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
- name: set up mastodon
docker_compose:
@ -37,7 +37,7 @@
healthcheck:
test: ['CMD', 'pg_isready', '-U', 'postgres']
volumes:
- "{{ mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
- "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
environment:
- 'POSTGRES_HOST_AUTH_METHOD=trust'
@ -49,12 +49,12 @@
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
volumes:
- "{{ mastodon.volume_folder }}/redis_data:/data"
- "{{ services.mastodon.volume_folder }}/redis_data:/data"
web:
image: "tootsuite/mastodon:{{ mastodon_version }}"
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks:
- external_services
@ -66,18 +66,18 @@
- db
- redis
volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
environment:
VIRTUAL_HOST: "{{ mastodon.domain }}"
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "3000"
VIRTUAL_PATH: "/"
LETSENCRYPT_HOST: "{{ mastodon.domain }}"
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
streaming:
image: "tootsuite/mastodon:{{ mastodon_version }}"
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: node ./streaming
networks:
- external_services
@ -91,14 +91,14 @@
- db
- redis
environment:
VIRTUAL_HOST: "{{ mastodon.domain }}"
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
VIRTUAL_PORT: "4000"
VIRTUAL_PATH: "/api/v1/streaming"
sidekiq:
image: "tootsuite/mastodon:{{ mastodon_version }}"
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
restart: always
env_file: "{{ mastodon.volume_folder }}/env_file"
env_file: "{{ services.mastodon.volume_folder }}/env_file"
command: bundle exec sidekiq -c 32
environment:
DB_POOL: 32
@ -110,7 +110,7 @@
- external_services
- internal_network
volumes:
- "{{ mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
@ -120,6 +120,4 @@
postfix:
external: true
internal_network:
internal: true
vars:
mastodon_version: "v4.0.2"
internal: true

40
roles/docker/tasks/services/matrix_riot.yml
View file

@ -1,7 +1,7 @@
---
- name: create matrix volume folders
file:
name: "{{ matrix.volume_folder }}/{{ volume }}"
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
@ -14,12 +14,12 @@
- name: create matrix DB folder
file:
name: "{{ matrix.volume_folder }}/db"
name: "{{ services.matrix.volume_folder }}/db"
state: "directory"
- name: create riot volume folders
file:
name: "{{ riot.volume_folder }}/{{ volume }}"
name: "{{ services.riot.volume_folder }}/{{ volume }}"
state: directory
loop:
- "data"
@ -29,38 +29,38 @@
- name: upload riot config.json
template:
src: files/configs/riot/config.json
dest: "{{ riot.volume_folder }}/data/config.json"
dest: "{{ services.riot.volume_folder }}/data/config.json"
- name: upload riot.im.conf
template:
src: files/configs/riot/riot.im.conf
dest: "{{ riot.volume_folder }}/data/riot.im.conf"
dest: "{{ services.riot.volume_folder }}/data/riot.im.conf"
- name: upload vhost config for root domain
template:
src: files/configs/matrix/vhost-root
dest: "{{ nginx.volume_folder }}/vhost/{{ base_domain }}"
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}"
- name: upload vhost config for matrix domain
template:
src: files/configs/matrix/vhost-matrix
dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}"
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
- name: upload vhost config for riot domain
template:
src: files/configs/matrix/vhost-riot
dest: "{{ nginx.volume_folder }}/vhost/{{ item }}"
loop: "{{ riot.domains }}"
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}"
loop: "{{ services.riot.domains }}"
- name: upload homeserver.yaml
template:
src: "files/configs/matrix/homeserver.yaml.j2"
dest: "{{ matrix.volume_folder }}/data/homeserver.yaml"
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
- name: upload matrix logging config
template:
src: "files/configs/matrix/matrix.data.coop.log.config"
dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config"
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
- name: set up matrix and riot
docker_compose:
@ -76,32 +76,32 @@
networks:
- matrix
volumes:
- "{{ matrix.volume_folder }}/db:/var/lib/postgresql/data"
- "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "synapse"
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
matrix_app:
container_name: matrix
image: matrixdotorg/synapse:v1.63.1
image: matrixdotorg/synapse:{{ services.matrix.version }}
restart: unless-stopped
networks:
- matrix
- external_services
volumes:
- "{{ matrix.volume_folder }}/data:/data"
- "{{ services.matrix.volume_folder }}/data:/data"
environment:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: "INFO"
VIRTUAL_HOST: "{{ matrix.domain }}"
VIRTUAL_HOST: "{{ services.matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ matrix.domain }}"
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
riot:
container_name: riot_app
image: avhost/docker-matrix-riot:v1.11.8
image: avhost/docker-matrix-riot:{{ services.riot.version }}
restart: unless-stopped
networks:
- matrix
@ -109,11 +109,11 @@
expose:
- 8080
volumes:
- "{{ riot.volume_folder }}/data:/data"
- "{{ services.riot.volume_folder }}/data:/data"
environment:
VIRTUAL_HOST: "{{ riot.domains|join(',') }}"
VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:

12
roles/docker/tasks/services/membersystem.yml
View file

@ -25,14 +25,14 @@
POSTGRES_PORT: 5432
EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
VIRTUAL_HOST: "{{ membersystem.domain }}"
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
VIRTUAL_PORT: "8000"
LETSENCRYPT_HOST: "{{ membersystem.domain }}"
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
ALLOWED_HOSTS: "{{ membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}"
DJANGO_ADMINS: "{{ membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}"
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
postgres:
samsapti marked this conversation as resolved Outdated
valberg commented 2023-01-21 12:12:44 +00:00
Outdated
Review
Copy link

Den her skal blive - deploy af membersystem afhænger af watchtower :)

Den her skal blive - deploy af membersystem afhænger af watchtower :)
image: postgres:13-alpine

6
roles/docker/tasks/services/netdata.yml
View file

@ -2,7 +2,7 @@
- name: setup netdata docker container for system monitoring
docker_container:
name: netdata
image: netdata/netdata:v1
image: netdata/netdata:{{ services.netdata.version }}
restart_policy: unless-stopped
hostname: "hevonen.servers.{{ base_domain }}"
capabilities:
@ -16,7 +16,7 @@
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ netdata.domain }}"
LETSENCRYPT_HOST: "{{ netdata.domain }}"
VIRTUAL_HOST : "{{ services.netdata.domain }}"
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"

16
roles/docker/tasks/services/nextcloud.yml
View file

@ -2,7 +2,7 @@
- name: upload vhost config for cloud.data.coop
template:
src: files/configs/nextcloud/vhost
dest: "{{ nginx.volume_folder }}/vhost/{{ nextcloud.domain }}"
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
notify: "restart nginx"
- name: setup nextcloud containers
@ -17,7 +17,7 @@
networks:
- "nextcloud"
volumes:
- "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
- "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
@ -33,29 +33,29 @@
- "nextcloud"
cron:
image: "nextcloud:25-apache"
image: "nextcloud:{{ services.nextcloud.version }}"
restart: "unless-stopped"
entrypoint: "/cron.sh"
networks:
- "nextcloud"
volumes:
- "{{ nextcloud.volume_folder }}/app:/var/www/html"
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
depends_on:
- "postgres"
- "redis"
app:
image: "nextcloud:25-apache"
image: "nextcloud:{{ services.nextcloud.version }}"
restart: "unless-stopped"
networks:
- "nextcloud"
- "postfix"
- "external_services"
volumes:
- "{{ nextcloud.volume_folder }}/app:/var/www/html"
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: "postgres"
POSTGRES_DB: "nextcloud"

48
roles/docker/tasks/services/nginx-proxy.yml
View file

@ -1,48 +0,0 @@
---
- name: create nginx-proxy volume folders
file:
name: "{{ nginx.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: nginxproxy/nginx-proxy:1.0-alpine
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ nginx.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: nginxproxy/acme-companion:2.2
restart_policy: always
volumes:
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy
when: letsencrypt_enabled

48
roles/docker/tasks/services/nginx_proxy.yml Normal file
View file

@ -0,0 +1,48 @@
---
- name: create nginx-proxy volume folders
file:
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
restart_policy: always
volumes:
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy
when: letsencrypt_enabled

20
roles/docker/tasks/services/openldap.yml
View file

@ -1,7 +1,7 @@
---
- name: create ldap volume folders
file:
name: "{{ ldap.volume_folder }}/{{ volume }}"
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- "var/lib/ldap"
@ -17,19 +17,19 @@
- name: openLDAP container
docker_container:
name: openldap
image: osixia/openldap:1.5.0
image: osixia/openldap:{{ services.openldap.version }}
tty: true
interactive: true
restart_policy: unless-stopped
volumes:
- "{{ ldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
- "{{ ldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
- "{{ ldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
- "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
- "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
- "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
published_ports:
- "389:389"
- "636:636"
hostname: "{{ ldap.domain }}"
domainname: "{{ ldap.domain }}" # important: same as hostname
hostname: "{{ services.openldap.domain }}"
domainname: "{{ services.openldap.domain }}" # important: same as hostname
networks:
- name: ldap
env:
@ -58,7 +58,7 @@
- name: phpLDAPadmin container
docker_container:
name: phpldapadmin
image: osixia/phpldapadmin:0.9.0
image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
restart_policy: unless-stopped
networks:
- name: external_services
@ -68,6 +68,6 @@
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
VIRTUAL_HOST: "{{ ldap.domain }}"
LETSENCRYPT_HOST: "{{ ldap.domain }}"
VIRTUAL_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

14
roles/docker/tasks/services/passit.yml
View file

@ -13,13 +13,13 @@
networks:
- "passit"
volumes:
- "{{ passit.volume_folder }}/data:/var/lib/postgresql/data"
- "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "passit"
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
passit_app:
image: "passit/passit:stable"
image: "passit/passit:{{ services.passit.version }}"
command: "bin/start.sh"
restart: "always"
networks:
@ -31,11 +31,11 @@
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: 'False'
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
FIDO_SERVER_ID: "{{ passit.domain }}"
VIRTUAL_HOST: "{{ passit.domain }}"
LETSENCRYPT_HOST: "{{ passit.domain }}"
DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}"
EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}"
FIDO_SERVER_ID: "{{ services.passit.domain }}"
VIRTUAL_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:

10
roles/docker/tasks/services/portainer.yml
View file

@ -2,21 +2,21 @@
- name: create portainer volume folder
file:
name: "{{ portainer.volume_folder }}"
name: "{{ services.portainer.volume_folder }}"
state: directory
- name: run portainer
docker_container:
name: portainer
image: portainer/portainer-ee:2.16.2
image: portainer/portainer-ee:{{ services.portainer.version }}
restart_policy: always
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- "{{ portainer.volume_folder }}:/data"
- "{{ services.portainer.volume_folder }}:/data"
env:
VIRTUAL_HOST: "{{ portainer.domain }}"
VIRTUAL_HOST: "{{ services.portainer.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ portainer.domain }}"
LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

5
roles/docker/tasks/services/postfix.yml
View file

@ -10,10 +10,11 @@
- name: setup postfix docker container for outgoing mail
docker_container:
name: postfix
image: boky/postfix:v3.5.1-alpine
image: boky/postfix:{{ services.postfix.version }}
restart_policy: always
networks:
- name: postfix
env:
ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}"
# Get all services which have allowed_sender_domain defined
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}"
HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as

14
roles/docker/tasks/services/privatebin.yml
View file

@ -2,7 +2,7 @@
- name: create privatebin volume folders
file:
name: "{{ privatebin.volume_folder }}/{{ volume }}"
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
@ -13,19 +13,19 @@
- name: upload privatebin config
template:
src: files/configs/privatebin-conf.php
dest: "{{ privatebin.volume_folder }}/cfg/conf.php"
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
- name: privatebin app container
docker_container:
name: privatebin
image: jgeusebroek/privatebin:latest
image: jgeusebroek/privatebin:{{ services.privatebin.version }}
restart_policy: unless-stopped
volumes:
- "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg"
- "{{ privatebin.volume_folder }}/data:/privatebin/data"
- "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg"
- "{{ services.privatebin.volume_folder }}/data:/privatebin/data"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ privatebin.domain }}"
LETSENCRYPT_HOST: "{{ privatebin.domain }}"
VIRTUAL_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

16
roles/docker/tasks/services/rallly.yml
View file

@ -1,12 +1,12 @@
- name: Create rallly volume folders
file:
name: "{{ rallly.volume_folder }}/postgres"
name: "{{ services.rallly.volume_folder }}/postgres"
state: directory
- name: Copy Rallly environment file
template:
src: files/configs/rallly/env_file
dest: "{{ rallly.volume_folder }}/env_file"
src: files/configs/rallly/env_file.j2
dest: "{{ services.rallly.volume_folder }}/env_file"
- name: Set up Rallly
docker_compose:
@ -22,7 +22,7 @@
networks:
rallly_internal:
volumes:
- "{{ rallly.volume_folder }}/postgres:/var/lib/postgresql/data"
- "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data"
environment:
POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
POSTGRES_DB: "rallly_db"
@ -33,7 +33,7 @@
retries: 5
rallly:
image: "lukevella/rallly:a21f92bf74308d66cfcd545d49b81eba0211a222"
image: "lukevella/rallly:{{ services.rallly.version }}"
restart: "always"
networks:
rallly_internal:
@ -43,11 +43,11 @@
rallly_db:
condition: "service_healthy"
env_file:
- "{{ rallly.volume_folder }}/env_file"
- "{{ services.rallly.volume_folder }}/env_file"
environment:
VIRTUAL_HOST: "{{ rallly.domain }}"
VIRTUAL_HOST: "{{ services.rallly.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ rallly.domain }}"
LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:

9
roles/docker/tasks/services/restic-backup.yml → roles/docker/tasks/services/restic_backup.yml
View file

@ -1,6 +1,5 @@
---
- name: Setup restic backup
when: not vagrant
docker_compose:
project_name: restic_backup
pull: true
@ -8,12 +7,12 @@
version: '3.6'
services:
restic-backup:
image: mazzolino/restic:1.6.0
image: mazzolino/restic:{{ services.restic.version }}
restart: always
environment:
RUN_ON_STARTUP: "true"
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}"
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
RESTIC_BACKUP_ARGS: >-
@ -30,10 +29,10 @@
- /docker-volumes:/mnt/volumes:ro
restic-prune:
image: "mazzolino/restic:1.6.0"
image: "mazzolino/restic:{{ services.restic.version }}"
environment:
RUN_ON_STARTUP: "true"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "rest:https://{{ restic.user }}:{{ restic_secrets.user_password }}@{{ restic.domain }}/{{ restic.repository }}"
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
TZ: Europe/copenhagen

2
roles/docker/tasks/services/watchtower.yml
View file

@ -4,6 +4,8 @@
name: watchtower
image: containrrr/watchtower:amd64-1.5.1
samsapti marked this conversation as resolved Outdated
valberg commented 2022-11-19 16:15:53 +00:00
Outdated
Review
Copy link

Let's pin this to a version instead of latest.

Let's pin this to a version instead of latest.
samsapti commented 2022-11-19 16:48:18 +00:00
Outdated
Review
Copy link

Why not latest?

Why not latest?
valberg commented 2022-11-19 17:00:02 +00:00
Outdated
Review
Copy link

Because I want to avoid confusion due to an unintended upgrade.

Because I want to avoid confusion due to an unintended upgrade.
samsapti commented 2022-11-19 17:05:18 +00:00
Outdated
Review
Copy link

I don't fully agree. I think it's better to always use the latest version security-wise, especially when it has access to the Docker socket.

I don't fully agree. I think it's better to always use the latest version security-wise, especially when it has access to the Docker socket.
valberg commented 2022-11-19 17:14:10 +00:00
Outdated
Review
Copy link

I agree, and we should strive to upgrade whenever a new version is available. But I don't want stuff to suddenly break behaviour without us knowing why.

I agree, and we should strive to upgrade whenever a new version is available. But I don't want stuff to suddenly break behaviour without us knowing why.
samsapti commented 2022-11-19 17:17:43 +00:00
Outdated
Review
Copy link

I'll pin it then. GitHub supports RSS feeds for releases, maybe we could use that to be notified about new releases? We could set up notifications in our Matrix channel somehow.

https://github.com/containrrr/watchtower/releases.atom

I'll pin it then. GitHub supports RSS feeds for releases, maybe we could use that to be notified about new releases? We could set up notifications in our Matrix channel somehow. https://github.com/containrrr/watchtower/releases.atom
👍 1
valberg commented 2022-11-19 17:19:28 +00:00
Outdated
Review
Copy link

Sounds like a great idea!

Sounds like a great idea!
👍 1
restart_policy: unless-stopped
networks:
- name: external_services
env:
WATCHTOWER_POLL_INTERVAL: 60
volumes:

87
roles/docker/tasks/services/websites.yml
View file

@ -1,87 +0,0 @@
---
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- name: setup new-new data.coop website using unipi
docker_container:
name: new-new.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# The ssh-key is for read-only only
command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"
- name: setup 2022.slides.data.coop website using unipi
docker_container:
name: 2022.slides.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "2022.slides.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Temporarily hosting on github
command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

20
roles/docker/tasks/services/websites/2022.slides.data.coop.yml Normal file
View file

@ -0,0 +1,20 @@
---
- name: setup 2022.slides.data.coop website using unipi
docker_container:
name: 2022.slides.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# Temporarily hosting on github
command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"

13
roles/docker/tasks/services/websites/cryptoaarhus.dk.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

13
roles/docker/tasks/services/websites/cryptohagen.dk.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

13
roles/docker/tasks/services/websites/data.coop.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

18
roles/docker/tasks/services/websites/new-new.data.coop.yml Normal file
View file

@ -0,0 +1,18 @@
- name: setup new-new data.coop website using unipi
docker_container:
name: new-new.data.coop_website
image: docker.data.coop/unipi:latest
restart_policy: unless-stopped
purge_networks: yes
networks:
- name: external_services
env:
VIRTUAL_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
# The ssh-key is for read-only only
command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
capabilities:
- NET_ADMIN
devices:
- "/dev/net/tun"

13
roles/docker/tasks/services/websites/new.data.coop.yml Normal file
View file

@ -0,0 +1,13 @@
---
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new.{{ services.data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

4
roles/docker/tasks/services/ulovliglogning-dk.yml → roles/docker/tasks/services/websites/ulovliglogning.dk.yml
View file

@ -6,6 +6,6 @@
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

2
roles/docker/templates/mailu.env.j2
View file

@ -26,7 +26,7 @@ SECRET_KEY={{ mailu_secret_key }}
# PUBLIC_IPV6= ::1 (default: ::1)
# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET={{ mailu.subnet }}
SUBNET={{ services.mailu.subnet }}
# Main mail domain
DOMAIN=data.coop

4
roles/ubuntu_base/tasks/users.yml
View file

@ -9,14 +9,14 @@
loop: "{{ users | default([]) }}"
- name: "Add ssh authorized_keys"
authorized_key:
ansible.posix.authorized_key:
user: "{{ item.name }}"
key: "{{ item.ssh_keys | join('\n') }}"
exclusive: true
loop: "{{ users | default([]) }}"
- name: "Add ssh authorized_keys to root user"
authorized_key:
ansible.posix.authorized_key:
user: "root"
key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"
exclusive: true

1
vagrant_host Normal file
View file

@ -0,0 +1 @@
localhost ansible_port=19022