diff --git a/.ansible-lint b/.ansible-lint index 03e5b4f..6aeb90d 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -42,7 +42,7 @@ use_default_rules: true # Ansible-lint completely ignores rules or tags listed below skip_list: - - skip_this_tag + - no-log-password # Ansible-lint does not automatically load rules that have the 'opt-in' tag. # You must enable opt-in rules by listing each rule 'id' below. @@ -108,4 +108,4 @@ kinds: # List of additions modules to allow in only-builtins rule. # only_builtins_allow_modules: -# - example_module \ No newline at end of file +# - example_module diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6b4fbd3..57a8a6f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,14 +1,15 @@ +--- repos: -#- repo: https://github.com/semaphor-dk/dansabel -# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8 -# hooks: -# - id: dansabel + - repo: https://github.com/lyz-code/yamlfix/ + rev: 1.1.1 + hooks: + - id: yamlfix -- repo: https://github.com/ansible/ansible-lint - rev: v6.9.0 - hooks: - - id: ansible-lint - files: \.(yaml|yml)$ - additional_dependencies: - - ansible + - repo: https://github.com/ansible/ansible-lint + rev: v6.9.0 + hooks: + - id: ansible-lint + files: \.(yaml|yml)$ + additional_dependencies: + - ansible diff --git a/Makefile b/Makefile index 4c47f67..339e356 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,7 @@ +# Makefile for initializing pre-commit hooks + +all: init + init: create_venv install_pre_commit install_ansible_galaxy_modules create_venv: @@ -9,4 +13,4 @@ install_pre_commit: venv/bin/pre-commit install install_ansible_galaxy_modules: - venv/bin/ansible-galaxy collection install community.general \ No newline at end of file + venv/bin/ansible-galaxy collection install community.general diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index b665dc0..b97d83a 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
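Review bot: Replacing `skip_this_tag` with `no-log-password` in `skip_list` turns off the one rule that would catch the password-handling tasks elsewhere in this same commit (the `docker_login` task and the `htpasswd` shell task in roles/docker/tasks/services/docker_registry.yml both pass `{{ docker_password }}` without `no_log: true`). Skipping the rule hides those findings from every future run instead of fixing them; adding `no_log: true` to the flagged tasks, or listing the rule under `warn_list` so it stays visible, is the safer change. Where a task genuinely needs its output, a per-task `# noqa: no-log-password` keeps the exception local and reviewable.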
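Review bot: Both hooks are pinned by mutable tag (`rev: 1.1.1`, `rev: v6.9.0`) while the removed dansabel entry was pinned to a full commit SHA; a tag can be moved upstream, so for a hook that rewrites every YAML file in the repository a commit SHA pin is the stronger supply-chain control. The yamlfix hook also has no `files:` filter, so it reformats group_vars and role task files alike, and this commit shows it changing scalar types (`"22:22"` becoming bare `22:22` in roles/docker/tasks/services/gitea.yml); exclude files where quoting carries meaning, or review yamlfix's quoting options before relying on it. The trailing slash in `https://github.com/lyz-code/yamlfix/` is harmless but inconsistent with the ansible-lint URL.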
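Review bot: `all`, `init` and the install targets are not declared `.PHONY`, so a file or directory named `all` or `init` in the checkout would make `make` report them up to date and silently skip the hook setup; add `.PHONY: all init create_venv install_pre_commit install_ansible_galaxy_modules` below the new header comment. The `create_venv` recipe itself is outside the hunk, so I cannot tell whether it is safe to re-run when `venv/` already exists.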
@@ -12,7 +12,8 @@ users: groups: - sudo ssh_keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH + valberg - name: reynir comment: Reynir Björnsson @@ -20,8 +21,10 @@ users: groups: - sudo ssh_keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv + - ssh-rsa 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 + reynir yubikey + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t + reynir@spurv - name: samsapti comment: Sam Al-Sapti 
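Review bot: The wrapped `ssh_keys` entries now rely on YAML plain-scalar folding to rejoin the key material and its comment (the newline before `valberg` folds to a single space, which is what an `authorized_keys` line needs), but nothing in the file makes that intent visible, and an editor who indents the continuation differently or inserts a blank line silently changes the key string; the same applies to the two following hunks (reynir and samsapti). A `>-` folded block scalar per key makes the folding explicit, or keep each key on one line and relax the line-length rule for this file. The user entries continue outside the hunk.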
@@ -29,4 +32,5 @@ users: groups: - sudo ssh_keys: - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf + samsapti diff --git a/playbook.yml b/playbook.yml index 1ce47fb..799b189 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,22 +1,25 @@ --- -- hosts: all +- name: Deploy data.coop services + hosts: all gather_facts: true become: true vars: base_domain: data.coop letsencrypt_email: admin@data.coop - ldap_dn: "dc=data,dc=coop" + ldap_dn: dc=data,dc=coop vagrant: "{{ ansible_virtualization_role == 'guest' }}" - letsencrypt_enabled: "{{ not vagrant }}" + letsencrypt_enabled: '{{ not vagrant }}' - smtp_host: "postfix" - smtp_port: "587" + smtp_host: postfix + smtp_port: '587' tasks: - - import_role: + - name: Setup host basics + ansible.builtin.import_role: name: ubuntu_base tags: - base_only - - import_role: + - name: Deploy docker containers (services) + ansible.builtin.import_role: name: docker diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 2a23950..fe906e9 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -1,169 +1,169 @@ --- -volume_root_folder: "/docker-volumes" +volume_root_folder: /docker-volumes services: - ### Internal services ### + ### Internal services ### postfix: file: postfix.yml - version: "v3.5.0" + version: v3.5.0 nginx_proxy: file: nginx_proxy.yml - version: "1.0-alpine" - volume_folder: "{{ volume_root_folder }}/nginx" + version: 1.0-alpine + volume_folder: '{{ volume_root_folder }}/nginx' nginx_acme_companion: - version: "2.2" + version: '2.2' openldap: file: openldap.yml - domain: "ldap.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/openldap" - version: "1.5.0" + domain: ldap.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/openldap' + version: 1.5.0 phpldapadmin: - version: "0.9.0" + version: 0.9.0 netdata: file: netdata.yml - domain: "netdata.{{ base_domain }}" - version: "v1" + domain: netdata.{{ base_domain }} + version: v1 portainer: file: portainer.yml - domain: "portainer.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/portainer" - version: "2.16.2" + domain: portainer.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/portainer' + version: 2.16.2 keycloak: file: keycloak.yml domain: sso.{{ base_domain }} - volume_folder: "{{ volume_root_folder }}/keycloak" - version: "20.0" + volume_folder: '{{ volume_root_folder }}/keycloak' + version: '20.0' restic: file: restic_backup.yml - user: "datacoop" - domain: "restic.cannedtuna.org" - repository: "datacoop-hevonen" - version: "1.6.0" + user: datacoop + domain: restic.cannedtuna.org + repository: datacoop-hevonen + version: 1.6.0 disabled_in_vagrant: true docker_registry: file: docker_registry.yml - domain: "docker.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/docker-registry" - username: "docker" - password: "{{ docker_password }}" - version: "2" + domain: docker.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/docker-registry' + username: docker + password: '{{ docker_password }}' + version: '2' - ### External 
services ### + ### External services ### nextcloud: file: nextcloud.yml - domain: "cloud.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/nextcloud" + domain: cloud.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/nextcloud' version: 25-apache gitea: file: gitea.yml - domain: "git.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/gitea" + domain: git.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/gitea' version: 1.17.3 allowed_sender_domain: true passit: file: passit.yml - domain: "passit.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/passit" + domain: passit.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/passit' version: stable allowed_sender_domain: true matrix: file: matrix_riot.yml - domain: "matrix.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/matrix" + domain: matrix.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/matrix' version: v1.63.1 riot: domains: - - "riot.{{ base_domain }}" - - "element.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/riot" + - riot.{{ base_domain }} + - element.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/riot' version: v1.11.8 privatebin: file: privatebin.yml - domain: "paste.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/privatebin" + domain: paste.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/privatebin' version: 20221009 codimd: - domain: "oldpad.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/codimd" + domain: oldpad.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/codimd' hedgedoc: file: hedgedoc.yml - domain: "pad.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/hedgedoc" + domain: pad.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/hedgedoc' version: 1.9.6 data_coop_website: file: websites/data.coop.yml domains: - - "{{ base_domain }}" - - "www.{{ base_domain }}" + - '{{ base_domain }}' + - www.{{ base_domain 
}} cryptohagen_website: file: websites/cryptohagen.dk.yml domains: - - "cryptohagen.dk" - - "www.cryptohagen.dk" + - cryptohagen.dk + - www.cryptohagen.dk ulovliglogning_website: file: websites/ulovliglogning.dk.yml domains: - - "ulovliglogning.dk" - - "www.ulovliglogning.dk" - - "ulovlig-logning.dk" + - ulovliglogning.dk + - www.ulovliglogning.dk + - ulovlig-logning.dk cryptoaarhus_website: file: websites/cryptoaarhus.dk.yml domains: - - "cryptoaarhus.dk" - - "www.cryptoaarhus.dk" + - cryptoaarhus.dk + - www.cryptoaarhus.dk drone: file: drone.yml - domain: "drone.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/drone" + domain: drone.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/drone' version: 1 mailu: file: mailu.yml version: 1.6 - domain: "mail.{{ base_domain }}" + domain: mail.{{ base_domain }} dns: 192.168.203.254 subnet: 192.168.203.0/24 - volume_folder: "{{ volume_root_folder }}/mailu" + volume_folder: '{{ volume_root_folder }}/mailu' mastodon: file: mastodon.yml - domain: "social.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/mastodon" + domain: social.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/mastodon' version: v4.0.2 allowed_sender_domain: true rallly: file: rallly.yml - domain: "when.{{ base_domain }}" - volume_folder: "{{ volume_root_folder }}/rallly" + domain: when.{{ base_domain }} + volume_folder: '{{ volume_root_folder }}/rallly' version: a21f92bf74308d66cfcd545d49b81eba0211a222 allowed_sender_domain: true membersystem: file: membersystem.yml - domain: "member.{{ base_domain }}" - django_admins: "Vidir:valberg@orn.li" + domain: member.{{ base_domain }} + django_admins: Vidir:valberg@orn.li allowed_sender_domain: true diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 8958588..02aa6dc 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml 
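Review bot: Image tags in this file are now a mix of quoted and bare scalars: `'20.0'`, `'2.2'` and `'2'` are quoted because yamlfix recognised them as numbers, while `1.5.0`, `2.16.2` and `v3.5.0` are bare, and the unchanged context lines `version: 1.6` (mailu) and `version: 1` (drone) are still loaded as a float and an int. Tags are strings, and a future `1.10` would load as `1.1`; quoting every `version:` value consistently removes that trap and stops the next formatter pass from deciding types. A short comment above `services:` stating that every `version:` is an image tag and must be quoted would document the convention for the yamlfix-enforced style.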
@@ -1,7 +1,6 @@ --- -- name: "restart nginx" +- name: Restart nginx community.docker.docker_container: - name: "nginx-proxy" - restart: "yes" - state: "started" - \ No newline at end of file + name: nginx-proxy + restart: 'yes' + state: started diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index a54eaa1..2579c5b 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -1,33 +1,33 @@ --- -- name: add docker gpg key - apt_key: +- name: Add docker gpg key + ansible.builtin.apt_key: keyserver: pgp.mit.edu id: 8D81803C0EBFCD88 state: present -- name: add docker apt repository - apt_repository: +- name: Add docker apt repository + ansible.builtin.apt_repository: repo: deb https://download.docker.com/linux/ubuntu bionic stable state: present - update_cache: yes + update_cache: true -- name: install docker-ce - apt: +- name: Install docker-ce + ansible.builtin.apt: name: docker-ce state: present -- name: install docker python bindings - pip: - executable: "pip3" - name: "docker-compose" +- name: Install docker python bindings + ansible.builtin.pip: + executable: pip3 + name: docker-compose state: present -- name: create folder structure for bind mounts - file: - name: "{{ volume_root_folder }}" +- name: Create folder structure for bind mounts + ansible.builtin.file: + name: '{{ volume_root_folder }}' state: directory -- name: setup services - import_tasks: services.yml +- name: Setup services + ansible.builtin.import_tasks: services.yml tags: - setup_services diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml index e183bbf..37fe862 100644 --- a/roles/docker/tasks/services.yml +++ b/roles/docker/tasks/services.yml 
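Review bot: `restart: 'yes'` is the only boolean-valued option in this commit left as a quoted string; the same pass turned `yes` into `true` everywhere else (`pull: true`, `force: true`, `update_cache: true`). `community.docker.docker_container` accepts the string, but `restart: true` matches the rest of the repository and cannot be re-typed by a later formatter run.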
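Review bot: The Docker signing key is still fetched from a public keyserver by 64-bit key id (`keyserver: pgp.mit.edu`, `id: 8D81803C0EBFCD88`); key ids are not collision-resistant and keyserver lookups are unauthenticated, so the trust behind every later `apt` install rests on whatever key the server returns. Docker publishes the key at `https://download.docker.com/linux/ubuntu/gpg`; fetching it with the module's `url:` option and checking the full fingerprint (or, since the underlying `apt-key` tool is deprecated, placing it under `/etc/apt/keyrings` and using `signed-by` in the repo line) pins it properly. The `pip` task installs `docker-compose` unpinned and the repo line hard-codes `bionic` rather than using `ansible_distribution_release`; both deserve a comment if intentional.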
@@ -1,18 +1,17 @@ --- - name: setup external services network - docker_network: + community.docker.docker_network: name: external_services - name: setup services - include_tasks: "services/{{ item.value.file }}" - loop: "{{ services | dict2items }}" - when: single_service is not defined and - item.value.file is defined and - item.value.disabled_in_vagrant is not defined + include_tasks: services/{{ docker_service.value.file }} + loop: '{{ services | dict2items }}' + loop_control: + loop_var: docker_service + when: single_service is not defined and docker_service.value.file is defined and + docker_service.value.disabled_in_vagrant is not defined - name: setup single service - include_tasks: "services/{{ services[single_service].file }}" - when: single_service is defined and - single_service in services and - services[single_service].file is defined and - services[single_service].disabled_in_vagrant is not defined + include_tasks: services/{{ services[single_service].file }} + when: single_service is defined and single_service in services and services[single_service].file + is defined and services[single_service].disabled_in_vagrant is not defined diff --git a/roles/docker/tasks/services/codimd.yml b/roles/docker/tasks/services/codimd.yml index 1e0e950..805b862 100644 --- a/roles/docker/tasks/services/codimd.yml +++ b/roles/docker/tasks/services/codimd.yml @@ -1,22 +1,22 @@ --- - name: codimd network - docker_network: + community.docker.docker_network: name: codimd - name: create codimd volume folders - file: - name: "{{ codimd.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ codimd.volume_folder }}/{{ volume }}' state: directory loop: - - "db" - - "codimd/uploads" + - db + - codimd/uploads loop_control: loop_var: volume - name: codimd database container - docker_container: + community.docker.docker_container: name: codimd_db image: postgres:10 state: started 
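Review bot: The `disabled_in_vagrant` check in both `when:` clauses skips a service wherever the key is defined, independent of the `vagrant` variable set in playbook.yml, so `restic` (the only service with `disabled_in_vagrant: true` in the role defaults) is never deployed on the real host either; if the intent is what the key name says, the condition should read `not (vagrant and docker_service.value.disabled_in_vagrant | default(false))`, with the same change in the single-service task. The `loop_var: docker_service` rename is a good change, because included task files that run a `loop` of their own no longer clobber `item`. The wrapped `when:` values are valid plain multi-line scalars, but a `>-` block would make the folding explicit.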
@@ -24,13 +24,13 @@ networks: - name: codimd volumes: - - "{{ codimd.volume_folder }}/db:/var/lib/postgresql/data" + - '{{ codimd.volume_folder }}/db:/var/lib/postgresql/data' env: - POSTGRES_USER: "codimd" - POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}" + POSTGRES_USER: codimd + POSTGRES_PASSWORD: '{{ postgres_passwords.codimd }}' - name: codimd app container - docker_container: + community.docker.docker_container: name: codimd_app image: hackmdio/hackmd:1.3.0 restart_policy: unless-stopped @@ -39,19 +39,19 @@ - name: ldap - name: external_services volumes: - - "{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads" + - '{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads' env: - CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd" - CMD_ALLOW_EMAIL_REGISTER: "False" - CMD_IMAGE_UPLOAD_TYPE: "filesystem" - CMD_EMAIL: "False" - CMD_LDAP_URL: "ldap://openldap" - CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop" - CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}" - CMD_LDAP_SEARCHBASE: "dc=data,dc=coop" - CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))" - CMD_USECDN: "false" - VIRTUAL_HOST: "{{ codimd.domain }}" - LETSENCRYPT_HOST: "{{ codimd.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + CMD_DB_URL: postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd + CMD_ALLOW_EMAIL_REGISTER: 'False' + CMD_IMAGE_UPLOAD_TYPE: filesystem + CMD_EMAIL: 'False' + CMD_LDAP_URL: ldap://openldap + CMD_LDAP_BINDDN: cn=admin,dc=data,dc=coop + CMD_LDAP_BINDCREDENTIALS: '{{ ldap_admin_password }}' + CMD_LDAP_SEARCHBASE: dc=data,dc=coop + CMD_LDAP_SEARCHFILTER: (&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson)) + CMD_USECDN: 'false' + VIRTUAL_HOST: '{{ codimd.domain }}' + LETSENCRYPT_HOST: '{{ codimd.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' 
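Review bot: The app container binds to LDAP as the directory administrator (`CMD_LDAP_BINDDN: cn=admin,dc=data,dc=coop` with `ldap_admin_password`) although CodiMD only needs to search and then bind as the user; a dedicated read-only bind account would limit what a compromised pad container can do to the directory. Both container tasks also place secrets in `env:` (`postgres_passwords.codimd`, `ldap_admin_password`, and the password embedded in `CMD_DB_URL`) without `no_log: true`, which is exactly what the `no-log-password` rule skipped in .ansible-lint would have flagged. The base DN is hard-coded twice here while playbook.yml already defines `ldap_dn`; `cn=admin,{{ ldap_dn }}` and `{{ ldap_dn }}` keep them in sync.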
diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 660e684..cd3c8c3 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml 
@@ -1,35 +1,37 @@ --- - name: copy docker registry nginx configuration - copy: - src: "files/configs/docker_registry/nginx.conf" - dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}" - mode: "0644" + ansible.builtin.copy: + src: files/configs/docker_registry/nginx.conf + dest: /docker-volumes/nginx/vhost/{{ services.docker_registry.domain }} + mode: '0644' - name: docker registry container - docker_container: + community.docker.docker_container: name: registry image: registry:{{ services.docker_registry.version }} restart_policy: always volumes: - - "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry" - - "{{ services.docker_registry.volume_folder }}/auth:/auth" + - '{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry' + - '{{ services.docker_registry.volume_folder }}/auth:/auth' networks: - name: external_services env: - VIRTUAL_HOST: "{{ services.docker_registry.domain }}" - LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - REGISTRY_AUTH: "htpasswd" - REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd" - REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry" + VIRTUAL_HOST: '{{ services.docker_registry.domain }}' + LETSENCRYPT_HOST: '{{ services.docker_registry.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' + REGISTRY_AUTH: htpasswd + REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd + REGISTRY_AUTH_HTPASSWD_REALM: data.coop docker registry - name: generate htpasswd file - shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd" + shell: docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > services.docker_registry.volume_folder + }}/auth/htpasswd args: - creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd" + creates: '{{ services.docker_registry.volume_folder }}/auth/htpasswd' - name: log in to registry docker_login: - registry: 
"{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}" - username: "docker" - password: "{{ docker_password }}" + registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain\ + \ }}" + username: docker + password: '{{ docker_password }}' diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index 874ce03..1080dea 100644 --- a/roles/docker/tasks/services/drone.yml +++ b/roles/docker/tasks/services/drone.yml 
@@ -1,51 +1,51 @@ --- - name: set up drone with docker runner - docker_compose: + community.docker.docker_compose: project_name: drone - pull: yes + pull: true definition: - version: "3.6" + version: '3.6' services: drone: - container_name: "drone" + container_name: drone image: drone/drone:1 restart: unless-stopped networks: - external_services - drone volumes: - - "{{ services.drone.volume_folder }}:/data" - - "/var/run/docker.sock:/var/run/docker.sock" + - '{{ services.drone.volume_folder }}:/data' + - /var/run/docker.sock:/var/run/docker.sock environment: - DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}" - DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}" - DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}" - DRONE_GIT_ALWAYS_AUTH: "true" - DRONE_SERVER_HOST: "{{ services.drone.domain }}" - DRONE_SERVER_PROTO: "https" - DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" - PLUGIN_CUSTOM_DNS: "91.239.100.100" - VIRTUAL_HOST: "{{ services.drone.domain }}" - LETSENCRYPT_HOST: "{{ services.drone.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + DRONE_GITEA_SERVER: https://{{ services.gitea.domain }} + DRONE_GITEA_CLIENT_ID: '{{ drone_secrets.oauth_client_id }}' + DRONE_GITEA_CLIENT_SECRET: '{{ drone_secrets.oauth_client_secret }}' + DRONE_GIT_ALWAYS_AUTH: 'true' + DRONE_SERVER_HOST: '{{ services.drone.domain }}' + DRONE_SERVER_PROTO: https + DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}' + PLUGIN_CUSTOM_DNS: 91.239.100.100 + VIRTUAL_HOST: '{{ services.drone.domain }}' + LETSENCRYPT_HOST: '{{ services.drone.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' drone-runner-docker: - container_name: "drone-runner-docker" - image: "drone/drone-runner-docker:{{ services.drone.version }}" + container_name: drone-runner-docker + image: drone/drone-runner-docker:{{ services.drone.version }} restart: unless-stopped networks: - drone volumes: - - "/var/run/docker.sock:/var/run/docker.sock" + - 
/var/run/docker.sock:/var/run/docker.sock environment: - DRONE_RPC_HOST: "{{ services.drone.domain }}" - DRONE_RPC_PROTO: "https" - DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}" + DRONE_RPC_HOST: '{{ services.drone.domain }}' + DRONE_RPC_PROTO: https + DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}' DRONE_RUNNER_CAPACITY: 2 - DRONE_RUNNER_NAME: "data.coop_drone_runner" + DRONE_RUNNER_NAME: data.coop_drone_runner networks: drone: external_services: external: - name: external_services \ No newline at end of file + name: external_services diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml index 514cc9e..8404c0e 100644 --- a/roles/docker/tasks/services/gitea.yml +++ b/roles/docker/tasks/services/gitea.yml @@ -1,11 +1,11 @@ --- - name: gitea network - docker_network: + community.docker.docker_network: name: gitea # old DNS: 138.68.71.153 - name: gitea container - docker_container: + community.docker.docker_container: name: gitea image: gitea/gitea:{{ services.gitea.version }} restart_policy: unless-stopped 
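Review bot: The `drone` server service mounts `/var/run/docker.sock` although, with a separate `drone-runner-docker` service, only the runner needs to start build containers; a writable docker socket is root-equivalent on the host, so dropping that volume from the server is a meaningful least-privilege gain if nothing else in the server configuration depends on it (nothing visible here does). The runner's socket mount is inherent to the docker runner, but a one-line comment above it saying so would keep it from being copied or removed casually. The task passes `drone_secrets.*` through `environment:` without `no_log: true`, so a failed `docker_compose` run prints them.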
@@ -14,25 +14,25 @@ - name: postfix - name: external_services volumes: - - "{{ services.gitea.volume_folder }}:/data" + - '{{ services.gitea.volume_folder }}:/data' published_ports: - - "22:22" + - 22:22 env: - VIRTUAL_HOST: "{{ services.gitea.domain }}" - VIRTUAL_PORT: "3000" - LETSENCRYPT_HOST: "{{ services.gitea.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - # Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization - # https://docs.gitea.io/en-us/config-cheat-sheet/#security-security - GITEA__mailer__ENABLED: "true" - GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}" - GITEA__mailer__MAILER_TYPE: "smtp" - GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}" - GITEA__mailer__USER: "noop" - GITEA__mailer__PASSWD: "noop" - GITEA__security__LOGIN_REMEMBER_DAYS: "60" - GITEA__security__PASSWORD_COMPLEXITY: "off" - GITEA__security__MIN_PASSWORD_LENGTH: "8" - GITEA__security__PASSWORD_CHECK_PWN: "true" - GITEA__service__ENABLE_NOTIFY_MAIL: "true" - GITEA__service__REGISTER_EMAIL_CONFIRM: "true" + VIRTUAL_HOST: '{{ services.gitea.domain }}' + VIRTUAL_PORT: '3000' + LETSENCRYPT_HOST: '{{ services.gitea.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' +# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization +# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security + GITEA__mailer__ENABLED: 'true' + GITEA__mailer__FROM: noreply@{{ services.gitea.domain }} + GITEA__mailer__MAILER_TYPE: smtp + GITEA__mailer__HOST: '{{ smtp_host }}:{{ smtp_port }}' + GITEA__mailer__USER: noop + GITEA__mailer__PASSWD: noop + GITEA__security__LOGIN_REMEMBER_DAYS: '60' + GITEA__security__PASSWORD_COMPLEXITY: 'off' + GITEA__security__MIN_PASSWORD_LENGTH: '8' + GITEA__security__PASSWORD_CHECK_PWN: 'true' + GITEA__service__ENABLE_NOTIFY_MAIL: 'true' + GITEA__service__REGISTER_EMAIL_CONFIRM: 'true' 
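Review bot: `- 22:22` under `published_ports` is no longer quoted, and PyYAML (which Ansible uses, with YAML 1.1 rules) reads `22:22` as the sexagesimal integer 1342, so the container's SSH port is no longer published the way the removed `"22:22"` line was; keep the quotes (`- '22:22'`). The same regression hits the `front` service in roles/docker/tasks/services/mailu.yml, where `993:993` and `25:25` become 59673 and 1525 while `587:587` and `465:465` happen to stay strings because 587 is not a valid minute value, so the mail ports would be partly broken. The two `# Gitea customization` comment lines were also dedented to column 0 inside the `env:` mapping; that parses, but they should sit at the indentation of the keys they describe.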
diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index 7508535..7cefb53 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml 
@@ -1,66 +1,65 @@ --- - name: create hedgedoc volume folders - file: - name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.hedgedoc.volume_folder }}/{{ volume }}' state: directory loop: - - "db" - - "hedgedoc/uploads" + - db + - hedgedoc/uploads loop_control: loop_var: volume - name: copy sso public certificate - copy: - src: "files/sso/sso.data.coop.pem" - dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem" - mode: "0644" + ansible.builtin.copy: + src: files/sso/sso.data.coop.pem + dest: '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem' + mode: '0644' - name: setup hedgedoc - docker_compose: - project_name: "hedgedoc" - pull: "yes" + community.docker.docker_compose: + project_name: hedgedoc + pull: true definition: services: database: - image: "postgres:10-alpine" + image: postgres:10-alpine environment: - POSTGRES_USER: "codimd" - POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}" - POSTGRES_DB: "codimd" - restart: "unless-stopped" + POSTGRES_USER: codimd + POSTGRES_PASSWORD: '{{ postgres_passwords.hedgedoc }}' + POSTGRES_DB: codimd + restart: unless-stopped networks: - - "hedgedoc" + - hedgedoc volumes: - - "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" - + - '{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data' app: image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }} environment: - CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" - CMD_DOMAIN: "{{ services.hedgedoc.domain }}" - CMD_ALLOW_EMAIL_REGISTER: "False" - CMD_IMAGE_UPLOAD_TYPE: "filesystem" - CMD_EMAIL: "False" - CMD_SAML_IDPCERT: "/sso.data.coop.pem" - CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml" - CMD_SAML_ISSUER: "hedgedoc" - CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" - CMD_USECDN: "false" - CMD_PROTOCOL_USESSL: "true" - VIRTUAL_HOST: "{{ 
services.hedgedoc.domain }}" - LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd + CMD_DOMAIN: '{{ services.hedgedoc.domain }}' + CMD_ALLOW_EMAIL_REGISTER: 'False' + CMD_IMAGE_UPLOAD_TYPE: filesystem + CMD_EMAIL: 'False' + CMD_SAML_IDPCERT: /sso.data.coop.pem + CMD_SAML_IDPSSOURL: https://sso.data.coop/auth/realms/datacoop/protocol/saml + CMD_SAML_ISSUER: hedgedoc + CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + CMD_USECDN: 'false' + CMD_PROTOCOL_USESSL: 'true' + VIRTUAL_HOST: '{{ services.hedgedoc.domain }}' + LETSENCRYPT_HOST: '{{ services.hedgedoc.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' volumes: - - "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads" - - "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem" - restart: "unless-stopped" - networks: - - "hedgedoc" - - "external_services" + - '{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads' + - '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem' + restart: unless-stopped + networks: + - hedgedoc + - external_services depends_on: - database - networks: + networks: hedgedoc: external_services: external: true diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 3f2da44..2840506 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml 
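Review bot: The final `networks:` line changed only in indentation (the removed and added lines carry the same text), and in this collapsed diff I cannot see whether it now sits at the `definition:` level beside `services:`; if it ended up nested differently the compose definition would lose its `hedgedoc` and `external_services` network declarations, so please check the rendered file. `CMD_SAML_IDPSSOURL` and the certificate file name hard-code `sso.data.coop` while the same host is already `services.keycloak.domain` in the role defaults; `https://{{ services.keycloak.domain }}/auth/realms/datacoop/protocol/saml` keeps them aligned. The `docker_compose` task passes `postgres_passwords.hedgedoc` (also embedded in `CMD_DB_URL`) with no `no_log: true`.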
@@ -1,36 +1,40 @@ +--- - name: setup keycloak containers for sso.data.coop - docker_compose: - project_name: "keycloak" - pull: "yes" + community.docker.docker_compose: + project_name: keycloak + pull: true definition: - version: "3.6" + version: '3.6' services: postgres: - image: "postgres:10" - restart: "unless-stopped" + image: postgres:10 + restart: unless-stopped networks: - - "keycloak" + - keycloak volumes: - - "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data" + - '{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data' environment: - POSTGRES_USER: "keycloak" - POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}" - POSTGRES_DB: "keycloak" + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: '{{ postgres_passwords.keycloak }}' + POSTGRES_DB: keycloak app: - image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}" - restart: "unless-stopped" + image: quay.io/keycloak/keycloak:{{ services.keycloak.version }} + restart: unless-stopped networks: - - "keycloak" - - "postfix" - - "external_services" - command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth" + - keycloak + - postfix + - external_services + command: start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak + --db-username=keycloak --db-password={{ postgres_passwords.keycloak + }} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080 + --http-relative-path=/auth environment: - VIRTUAL_HOST: "{{ services.keycloak.domain }}" - VIRTUAL_PORT: "8080" - LETSENCRYPT_HOST: "{{ services.keycloak.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + VIRTUAL_HOST: '{{ services.keycloak.domain }}' + VIRTUAL_PORT: '8080' + LETSENCRYPT_HOST: '{{ services.keycloak.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' networks: keycloak: 
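Review bot: The Postgres password is passed on the Keycloak process command line (`--db-password={{ postgres_passwords.keycloak }}` in `command:`), where it is readable via `ps` inside the container and `docker inspect` on the host, and Ansible prints it on failure because the task has no `no_log: true`. Keycloak reads the same settings from `KC_DB_URL`, `KC_DB_USERNAME` and `KC_DB_PASSWORD`, so moving them into `environment:` keeps the secret out of argv (it stays visible to `docker inspect`, so `no_log: true` is needed either way). The wrapped `command:` is a plain multi-line scalar that folds correctly, but a `>-` block would make it obvious that `keycloak` and `}}` rejoin with a single space.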
diff --git a/roles/docker/tasks/services/mailu.yml b/roles/docker/tasks/services/mailu.yml index c1119c7..279d6a0 100644 --- a/roles/docker/tasks/services/mailu.yml +++ b/roles/docker/tasks/services/mailu.yml @@ -1,8 +1,8 @@ --- - name: create mailu volume folders - file: - name: "{{ services.mailu.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.mailu.volume_folder }}/{{ volume }}' state: directory loop: - redis @@ -18,30 +18,32 @@ loop_var: volume - name: upload mailu.env file - template: + ansible.builtin.template: src: mailu.env.j2 - dest: "{{ services.mailu.volume_folder}}/mailu.env" + dest: '{{ services.mailu.volume_folder}}/mailu.env' - name: hard link to Let's Encrypt TLS certificate - file: - src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem" - dest: "{{ services.mailu.volume_folder }}/certs/cert.pem" + ansible.builtin.file: + src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain + }}/fullchain.pem' + dest: '{{ services.mailu.volume_folder }}/certs/cert.pem' state: hard - force: yes + force: true when: letsencrypt_enabled - name: hard link to Let's Encrypt TLS key - file: - src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem" - dest: "{{ services.mailu.volume_folder }}/certs/key.pem" + ansible.builtin.file: + src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain + }}/key.pem' + dest: '{{ services.mailu.volume_folder }}/certs/key.pem' state: hard - force: yes + force: true when: letsencrypt_enabled - name: run mail server containers - docker_compose: + community.docker.docker_compose: project_name: mail_server - pull: yes + pull: true definition: version: '3.6' services: 
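Review bot: The `upload mailu.env file` task renders a file that, judging by its use as `env_file:` for every mail container below, carries the mail server's credentials, yet it sets no `mode:`, so it is created with umask-derived permissions; add `mode: '0600'` (and `owner`/`group` matching what the containers expect, if known) to the `ansible.builtin.template` task. The two hard-link tasks' `src:` values were wrapped mid-expression (`services.mailu.domain` + newline + `}}`), which single-quoted folding rejoins with a space, so they still template, but keeping each `{{ … }}` on one line is easier to read and audit. The template itself is outside this diff, so its contents are inferred from how it is consumed.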
@@ -49,15 +51,15 @@ image: redis:alpine restart: always volumes: - - "{{ services.mailu.volume_folder }}/redis:/data" + - '{{ services.mailu.volume_folder }}/redis:/data' database: image: mailu/postgresql:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' volumes: - - "{{ services.mailu.volume_folder }}/data/psql_db:/data" - - "{{ services.mailu.volume_folder }}/data/psql_backup:/backup" + - '{{ services.mailu.volume_folder }}/data/psql_db:/data' + - '{{ services.mailu.volume_folder }}/data/psql_backup:/backup' networks: - default - external_services @@ -65,21 +67,21 @@ front: image: mailu/nginx:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' environment: - VIRTUAL_HOST: "{{ services.mailu.domain }}" - LETSENCRYPT_HOST: "{{ services.mailu.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + VIRTUAL_HOST: '{{ services.mailu.domain }}' + LETSENCRYPT_HOST: '{{ services.mailu.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' volumes: - - "{{ services.mailu.volume_folder }}/certs:/certs" - - "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides" + - '{{ services.mailu.volume_folder }}/certs:/certs' + - '{{ services.mailu.volume_folder }}/overrides/nginx:/overrides' expose: - - "80" + - '80' ports: - - "993:993" - - "25:25" - - "587:587" - - "465:465" + - 993:993 + - 25:25 + - 587:587 + - 465:465 networks: - default - external_services 
@@ -87,68 +89,68 @@ resolver: image: mailu/unbound:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' networks: default: - ipv4_address: "{{ services.mailu.dns }}" + ipv4_address: '{{ services.mailu.dns }}' admin: image: mailu/admin:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' volumes: - - "{{ services.mailu.volume_folder }}/data:/data" - - "{{ services.mailu.volume_folder }}/dkim:/dkim" + - '{{ services.mailu.volume_folder }}/data:/data' + - '{{ services.mailu.volume_folder }}/dkim:/dkim' depends_on: - redis imap: image: mailu/dovecot:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' volumes: - - "{{ services.mailu.volume_folder }}/mail:/mail" - - "{{ services.mailu.volume_folder }}/overrides:/overrides" + - '{{ services.mailu.volume_folder }}/mail:/mail' + - '{{ services.mailu.volume_folder }}/overrides:/overrides' depends_on: - front smtp: image: mailu/postfix:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' volumes: - - "{{ services.mailu.volume_folder }}/overrides:/overrides" + - '{{ services.mailu.volume_folder }}/overrides:/overrides' depends_on: - front - resolver dns: - - "{{ services.mailu.dns }}" + - '{{ services.mailu.dns }}' antispam: image: mailu/rspamd:{{ services.mailu.version }} restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' volumes: - - "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd" - - "{{ services.mailu.volume_folder }}/dkim:/dkim" - - "{{ services.mailu.volume_folder 
}}/overrides/rspamd:/etc/rspamd/override.d" + - '{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd' + - '{{ services.mailu.volume_folder }}/dkim:/dkim' + - '{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d' depends_on: - front - resolver dns: - - "{{ services.mailu.dns }}" + - '{{ services.mailu.dns }}' webmail: image: mailu/rainloop:1.6 restart: always - env_file: "{{ services.mailu.volume_folder}}/mailu.env" + env_file: '{{ services.mailu.volume_folder}}/mailu.env' volumes: - - "{{ services.mailu.volume_folder }}/webmail:/data" + - '{{ services.mailu.volume_folder }}/webmail:/data' depends_on: - front - resolver dns: - - "{{ services.mailu.dns }}" + - '{{ services.mailu.dns }}' networks: default: @@ -156,7 +158,7 @@ ipam: driver: default config: - - subnet: "{{ services.mailu.subnet }}" + - subnet: '{{ services.mailu.subnet }}' external_services: external: name: external_services diff --git a/roles/docker/tasks/services/mastodon.yml b/roles/docker/tasks/services/mastodon.yml index baeea09..bc5b9c1 100644 --- a/roles/docker/tasks/services/mastodon.yml +++ b/roles/docker/tasks/services/mastodon.yml 
@@ -1,30 +1,32 @@ +--- - name: create mastodon volume folders - file: - name: "{{ services.mastodon.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.mastodon.volume_folder }}/{{ volume }}' state: directory - owner: "991" - group: "991" + owner: '991' + group: '991' loop: - - "postgres_data" - - "redis_data" - - "mastodon_data" + - postgres_data + - redis_data + - mastodon_data loop_control: loop_var: volume - name: Copy mastodon environment file - template: + ansible.builtin.template: src: files/configs/mastodon/env_file.j2 - dest: "{{ services.mastodon.volume_folder }}/env_file" + dest: '{{ services.mastodon.volume_folder }}/env_file' - name: upload vhost config for root domain - template: + ansible.builtin.template: src: files/configs/mastodon/vhost-mastodon - dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}" + dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain + }}' - name: set up mastodon - docker_compose: + community.docker.docker_compose: project_name: mastodon - pull: yes + pull: true definition: version: '3' services: @@ -35,11 +37,11 @@ networks: - internal_network healthcheck: - test: ['CMD', 'pg_isready', '-U', 'postgres'] + test: [CMD, pg_isready, -U, postgres] volumes: - - "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data" + - '{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data' environment: - - 'POSTGRES_HOST_AUTH_METHOD=trust' + - POSTGRES_HOST_AUTH_METHOD=trust redis: restart: always 
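Review bot: `POSTGRES_HOST_AUTH_METHOD=trust` on the mastodon `db` service means any container that can reach it on `internal_network` — here `web`, `streaming` and `sidekiq`, which also sit on `external_services` — gets a passwordless superuser session, so network isolation is the only control protecting the database. The other stacks in this commit (matrix, nextcloud, passit, rallly) set `POSTGRES_PASSWORD` from `postgres_passwords`; doing the same here, e.g. `- POSTGRES_PASSWORD={{ postgres_passwords.mastodon }}` (a constructed key following that pattern, to be added to the vars) with the matching `DB_PASS` in the env_file template, restores a credential check at the database. The `db` service header is above this hunk.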
@@ -47,58 +49,59 @@ networks: - internal_network healthcheck: - test: ['CMD', 'redis-cli', 'ping'] + test: [CMD, redis-cli, ping] volumes: - - "{{ services.mastodon.volume_folder }}/redis_data:/data" + - '{{ services.mastodon.volume_folder }}/redis_data:/data' web: - image: "tootsuite/mastodon:{{ services.mastodon.version }}" + image: tootsuite/mastodon:{{ services.mastodon.version }} restart: always - env_file: "{{ services.mastodon.volume_folder }}/env_file" - command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" + env_file: '{{ services.mastodon.volume_folder }}/env_file' + command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails + s -p 3000" networks: - external_services - internal_network healthcheck: - # prettier-ignore - test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1'] + test: | + [CMD-SHELL, wget -q --spider --proxy=off localhost:3000/health || exit 1] depends_on: - db - redis volumes: - - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" + - '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system' environment: - VIRTUAL_HOST: "{{ services.mastodon.domain }}" - VIRTUAL_PORT: "3000" - VIRTUAL_PATH: "/" - LETSENCRYPT_HOST: "{{ services.mastodon.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + VIRTUAL_HOST: '{{ services.mastodon.domain }}' + VIRTUAL_PORT: '3000' + VIRTUAL_PATH: / + LETSENCRYPT_HOST: '{{ services.mastodon.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' streaming: - image: "tootsuite/mastodon:{{ services.mastodon.version }}" + image: tootsuite/mastodon:{{ services.mastodon.version }} restart: always - env_file: "{{ services.mastodon.volume_folder }}/env_file" + env_file: '{{ services.mastodon.volume_folder }}/env_file' command: node ./streaming networks: - external_services - internal_network healthcheck: - # prettier-ignore - test: ['CMD-SHELL', 'wget -q --spider --proxy=off 
localhost:4000/api/v1/streaming/health || exit 1'] + test: | + [CMD-SHELL, wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1] ports: - - '127.0.0.1:4000:4000' + - 127.0.0.1:4000:4000 depends_on: - db - redis environment: - VIRTUAL_HOST: "{{ services.mastodon.domain }}" - VIRTUAL_PORT: "4000" - VIRTUAL_PATH: "/api/v1/streaming" + VIRTUAL_HOST: '{{ services.mastodon.domain }}' + VIRTUAL_PORT: '4000' + VIRTUAL_PATH: /api/v1/streaming sidekiq: - image: "tootsuite/mastodon:{{ services.mastodon.version }}" + image: tootsuite/mastodon:{{ services.mastodon.version }} restart: always - env_file: "{{ services.mastodon.volume_folder }}/env_file" + env_file: '{{ services.mastodon.volume_folder }}/env_file' command: bundle exec sidekiq -c 32 environment: DB_POOL: 32 @@ -110,9 +113,9 @@ - external_services - internal_network volumes: - - "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system" + - '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system' healthcheck: - test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"] + test: [CMD-SHELL, "ps aux | grep '[s]idekiq 6' || false"] networks: external_services: @@ -120,4 +123,4 @@ postfix: external: true internal_network: - internal: true \ No newline at end of file + internal: true diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index 666c544..296418b 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml 
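Review bot: The `web` and `streaming` healthchecks changed type: `test: |` followed by `[CMD-SHELL, wget ... || exit 1]` is now a literal block string, not a list, and compose treats a string `test` as a shell command, so the container would run `[ CMD-SHELL, wget ...` through `sh -c` and the check can never pass, leaving both services permanently unhealthy. The formatter appears to have converted the over-long flow sequences (whose `# prettier-ignore` guards were dropped) into block scalars; writing them as block sequences keeps them lists and short enough to survive re-formatting: `test:` / `  - CMD-SHELL` / `  - wget -q --spider --proxy=off localhost:3000/health || exit 1`, and likewise with `localhost:4000/api/v1/streaming/health` for `streaming`. The `sidekiq` healthcheck in @@ -110,9 kept its flow-sequence form and is unaffected.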
@@ -1,73 +1,76 @@ --- - name: create matrix volume folders - file: - name: "{{ services.matrix.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.matrix.volume_folder }}/{{ volume }}' state: directory - owner: "991" - group: "991" + owner: '991' + group: '991' loop: - - "data" - - "data/uploads" - - "data/media" + - data + - data/uploads + - data/media loop_control: loop_var: volume - name: create matrix DB folder - file: - name: "{{ services.matrix.volume_folder }}/db" - state: "directory" + ansible.builtin.file: + name: '{{ services.matrix.volume_folder }}/db' + state: directory - name: create riot volume folders - file: - name: "{{ services.riot.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.riot.volume_folder }}/{{ volume }}' state: directory loop: - - "data" + - data loop_control: loop_var: volume - name: upload riot config.json - template: + ansible.builtin.template: src: files/configs/riot/config.json - dest: "{{ services.riot.volume_folder }}/data/config.json" + dest: '{{ services.riot.volume_folder }}/data/config.json' - name: upload riot.im.conf - template: + ansible.builtin.template: src: files/configs/riot/riot.im.conf - dest: "{{ services.riot.volume_folder }}/data/riot.im.conf" + dest: '{{ services.riot.volume_folder }}/data/riot.im.conf' - name: upload vhost config for root domain - template: + ansible.builtin.template: src: files/configs/matrix/vhost-root - dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}" + dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}' - name: upload vhost config for matrix domain - template: + ansible.builtin.template: src: files/configs/matrix/vhost-matrix - dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}" + dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain + }}' - name: upload vhost config for riot domain - template: + ansible.builtin.template: src: 
files/configs/matrix/vhost-riot - dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}" - loop: "{{ services.riot.domains }}" + dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ domain }}' + loop: '{{ services.riot.domains }}' + loop_control: + loop_var: domain - name: upload homeserver.yaml - template: - src: "files/configs/matrix/homeserver.yaml.j2" - dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml" + ansible.builtin.template: + src: files/configs/matrix/homeserver.yaml.j2 + dest: '{{ services.matrix.volume_folder }}/data/homeserver.yaml' - name: upload matrix logging config - template: - src: "files/configs/matrix/matrix.data.coop.log.config" - dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config" + ansible.builtin.template: + src: files/configs/matrix/matrix.data.coop.log.config + dest: '{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config' - name: set up matrix and riot - docker_compose: + community.docker.docker_compose: project_name: matrix - pull: yes + pull: true definition: - version: "3.6" + version: '3.6' services: matrix_db: container_name: matrix_db @@ -76,10 +79,10 @@ networks: - matrix volumes: - - "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data" + - '{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data' environment: - POSTGRES_USER: "synapse" - POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}" + POSTGRES_USER: synapse + POSTGRES_PASSWORD: '{{ postgres_passwords.matrix }}' matrix_app: container_name: matrix 
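Review bot: `POSTGRES_PASSWORD: '{{ postgres_passwords.matrix }}'` is rendered into the `community.docker.docker_compose` arguments and the task (its header is in the preceding hunk) sets no `no_log: true`, so the password is printed with the module invocation at `-vvv` and in any task result shipped to a callback. Add `no_log: true` to the task; the same applies to the compose/container tasks carrying secrets in nextcloud (@@ -1,75, where `redis-server --requirepass {{ nextcloud_secrets.redis_password }}` additionally exposes the password in the container's process list and `docker inspect` output), membersystem (@@ -19,32), passit (@@ -1,42), rallly (@@ -1,58) and openldap (@@ -1,62). `no_log` also suppresses failure details, so expect terser errors from those tasks once it is set.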
@@ -89,15 +92,15 @@ - matrix - external_services volumes: - - "{{ services.matrix.volume_folder }}/data:/data" + - '{{ services.matrix.volume_folder }}/data:/data' environment: - SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" - SYNAPSE_CACHE_FACTOR: "2" - SYNAPSE_LOG_LEVEL: "INFO" - VIRTUAL_HOST: "{{ services.matrix.domain }}" - VIRTUAL_PORT: "8008" - LETSENCRYPT_HOST: "{{ services.matrix.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + SYNAPSE_CONFIG_PATH: /data/homeserver.yaml + SYNAPSE_CACHE_FACTOR: '2' + SYNAPSE_LOG_LEVEL: INFO + VIRTUAL_HOST: '{{ services.matrix.domain }}' + VIRTUAL_PORT: '8008' + LETSENCRYPT_HOST: '{{ services.matrix.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' riot: container_name: riot_app @@ -109,16 +112,16 @@ expose: - 8080 volumes: - - "{{ services.riot.volume_folder }}/data:/data" + - '{{ services.riot.volume_folder }}/data:/data' environment: VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}" - VIRTUAL_PORT: "8080" + VIRTUAL_PORT: '8080' LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' networks: external_services: external: name: external_services matrix: - name: "matrix" + name: matrix diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index ca63851..351780d 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -1,11 +1,11 @@ --- - name: run membersystem containers - docker_compose: - project_name: "member.data.coop" - pull: yes + community.docker.docker_compose: + project_name: member.data.coop + pull: true definition: - version: "3" + version: '3' services: backend: image: docker.data.coop/membersystem:latest 
@@ -19,32 +19,33 @@ - external_services - postfix environment: - SECRET_KEY: "{{ membersystem_secrets.secret_key }}" - DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres + SECRET_KEY: '{{ membersystem_secrets.secret_key }}' + DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem + }}@postgres:5432/postgres POSTGRES_HOST: postgres POSTGRES_PORT: 5432 - EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend" - EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" - VIRTUAL_HOST: "{{ services.membersystem.domain }}" - VIRTUAL_PORT: "8000" - LETSENCRYPT_HOST: "{{ services.membersystem.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - ALLOWED_HOSTS: "{{ services.membersystem.domain }}" - CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}" - DJANGO_ADMINS: "{{ services.membersystem.django_admins }}" - DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}" + EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend + EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }} + VIRTUAL_HOST: '{{ services.membersystem.domain }}' + VIRTUAL_PORT: '8000' + LETSENCRYPT_HOST: '{{ services.membersystem.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' + ALLOWED_HOSTS: '{{ services.membersystem.domain }}' + CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }} + DJANGO_ADMINS: '{{ services.membersystem.django_admins }}' + DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }} labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' postgres: image: postgres:13-alpine restart: always volumes: - - "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data" + - '{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data' networks: - membersystem environment: - POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}" + POSTGRES_PASSWORD: '{{ postgres_passwords.membersystem }}' 
networks: membersystem: diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index e1a7bbe..9956ba0 100644 --- a/roles/docker/tasks/services/netdata.yml +++ b/roles/docker/tasks/services/netdata.yml @@ -1,11 +1,11 @@ --- - name: setup netdata docker container for system monitoring - docker_container: + community.docker.docker_container: name: netdata image: netdata/netdata:{{ services.netdata.version }} restart_policy: unless-stopped - hostname: "hevonen.servers.{{ base_domain }}" + hostname: hevonen.servers.{{ base_domain }} capabilities: - SYS_PTRACE security_opts: @@ -17,11 +17,9 @@ networks: - name: external_services env: - VIRTUAL_HOST : "{{ services.netdata.domain }}" - LETSENCRYPT_HOST: "{{ services.netdata.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - PGID: "999" + VIRTUAL_HOST: '{{ services.netdata.domain }}' + LETSENCRYPT_HOST: '{{ services.netdata.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' + PGID: '999' labels: - com.centurylinklabs.watchtower.enable: "true" - - + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml index d36f8de..2acbeac 100644 --- a/roles/docker/tasks/services/nextcloud.yml +++ b/roles/docker/tasks/services/nextcloud.yml 
@@ -1,75 +1,76 @@ --- - name: upload vhost config for cloud.data.coop - template: + ansible.builtin.template: src: files/configs/nextcloud/vhost - dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}" - notify: "restart nginx" + dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain + }}' + notify: restart nginx - name: setup nextcloud containers - docker_compose: - project_name: "nextcloud" - pull: "yes" + community.docker.docker_compose: + project_name: nextcloud + pull: true definition: services: postgres: - image: "postgres:10" - restart: "unless-stopped" + image: postgres:10 + restart: unless-stopped networks: - - "nextcloud" + - nextcloud volumes: - - "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data" - environment: - POSTGRES_DB: "nextcloud" - POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}" - POSTGRES_USER: "nextcloud" + - '{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data' + environment: + POSTGRES_DB: nextcloud + POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}' + POSTGRES_USER: nextcloud redis: - image: "redis:7-alpine" - restart: "unless-stopped" - command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}" + image: redis:7-alpine + restart: unless-stopped + command: redis-server --requirepass {{ nextcloud_secrets.redis_password + }} tmpfs: - /var/lib/redis networks: - - "nextcloud" + - nextcloud cron: - image: "nextcloud:{{ services.nextcloud.version }}" - restart: "unless-stopped" - entrypoint: "/cron.sh" + image: nextcloud:{{ services.nextcloud.version }} + restart: unless-stopped + entrypoint: /cron.sh networks: - - "nextcloud" + - nextcloud volumes: - - "{{ services.nextcloud.volume_folder }}/app:/var/www/html" + - '{{ services.nextcloud.volume_folder }}/app:/var/www/html' depends_on: - - "postgres" - - "redis" - + - postgres + - redis app: - image: "nextcloud:{{ services.nextcloud.version }}" - restart: 
"unless-stopped" + image: nextcloud:{{ services.nextcloud.version }} + restart: unless-stopped networks: - - "nextcloud" - - "postfix" - - "external_services" + - nextcloud + - postfix + - external_services volumes: - - "{{ services.nextcloud.volume_folder }}/app:/var/www/html" + - '{{ services.nextcloud.volume_folder }}/app:/var/www/html' environment: - VIRTUAL_HOST: "{{ services.nextcloud.domain }}" - LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - POSTGRES_HOST: "postgres" - POSTGRES_DB: "nextcloud" - POSTGRES_USER: "nextcloud" - POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}" - REDIS_HOST: "redis" - REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}" + VIRTUAL_HOST: '{{ services.nextcloud.domain }}' + LETSENCRYPT_HOST: '{{ services.nextcloud.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' + POSTGRES_HOST: postgres + POSTGRES_DB: nextcloud + POSTGRES_USER: nextcloud + POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}' + REDIS_HOST: redis + REDIS_HOST_PASSWORD: '{{ nextcloud_secrets.redis_password }}' depends_on: - - "postgres" - - "redis" + - postgres + - redis networks: - nextcloud: - postfix: - external: true - external_services: - external: true + nextcloud: + postfix: + external: true + external_services: + external: true diff --git a/roles/docker/tasks/services/nginx_proxy.yml b/roles/docker/tasks/services/nginx_proxy.yml index 8081ab6..5b1794a 100644 --- a/roles/docker/tasks/services/nginx_proxy.yml +++ b/roles/docker/tasks/services/nginx_proxy.yml @@ -1,8 +1,8 @@ --- - name: create nginx-proxy volume folders - file: - name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.nginx_proxy.volume_folder }}/{{ volume }}' state: directory loop: - conf 
@@ -14,35 +14,34 @@ loop_var: volume - name: nginx proxy container - docker_container: + community.docker.docker_container: name: nginx-proxy image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }} restart_policy: always networks: - name: external_services published_ports: - - "80:80" - - "443:443" + - 80:80 + - 443:443 volumes: - - "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d" - - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" - - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" - - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam" - - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro" + - '{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d' + - '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d' + - '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html' + - '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam' + - '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro' - /var/run/docker.sock:/tmp/docker.sock:ro - name: nginx letsencrypt container - docker_container: + community.docker.docker_container: name: nginx-proxy-le image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }} restart_policy: always volumes: - - "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d" - - "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html" - - "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro" - - "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs" + - '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d' + - '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html' + - '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro' + - '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs' - /var/run/docker.sock:/var/run/docker.sock:ro env: NGINX_PROXY_CONTAINER: 
nginx-proxy when: letsencrypt_enabled - diff --git a/roles/docker/tasks/services/openldap.yml b/roles/docker/tasks/services/openldap.yml index a768235..136e6c8 100644 --- a/roles/docker/tasks/services/openldap.yml +++ b/roles/docker/tasks/services/openldap.yml 
@@ -1,62 +1,62 @@ --- - name: create ldap volume folders - file: - name: "{{ services.openldap.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.openldap.volume_folder }}/{{ volume }}' state: directory loop: - - "var/lib/ldap" - - "etc/slapd" - - "certs" + - var/lib/ldap + - etc/slapd + - certs loop_control: loop_var: volume - name: Create a network for ldap - docker_network: + community.docker.docker_network: name: ldap - name: openLDAP container - docker_container: + community.docker.docker_container: name: openldap image: osixia/openldap:{{ services.openldap.version }} tty: true interactive: true restart_policy: unless-stopped volumes: - - "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap" - - "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d" - - "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/" + - '{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap' + - '{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d' + - '{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/' published_ports: - - "389:389" - - "636:636" - hostname: "{{ services.openldap.domain }}" - domainname: "{{ services.openldap.domain }}" # important: same as hostname + - 389:389 + - 636:636 + hostname: '{{ services.openldap.domain }}' + domainname: '{{ services.openldap.domain }}' # important: same as hostname networks: - name: ldap env: - LDAP_LOG_LEVEL: "256" - LDAP_ORGANISATION: "{{ base_domain }}" - LDAP_DOMAIN: "{{ base_domain }}" - LDAP_BASE_DN: "" - LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}" - LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}" - LDAP_READONLY_USER: "false" - LDAP_RFC2307BIS_SCHEMA: "false" - LDAP_BACKEND: "mdb" - LDAP_TLS: "true" - LDAP_TLS_CRT_FILENAME: "ldap.crt" - LDAP_TLS_KEY_FILENAME: "ldap.key" - LDAP_TLS_CA_CRT_FILENAME: "ca.crt" - LDAP_TLS_ENFORCE: "false" - LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0" - 
LDAP_TLS_PROTOCOL_MIN: "3.1" - LDAP_TLS_VERIFY_CLIENT: "demand" - LDAP_REPLICATION: "false" - KEEP_EXISTING_CONFIG: "false" - LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" - LDAP_SSL_HELPER_PREFIX: "ldap" + LDAP_LOG_LEVEL: '256' + LDAP_ORGANISATION: '{{ base_domain }}' + LDAP_DOMAIN: '{{ base_domain }}' + LDAP_BASE_DN: '' + LDAP_ADMIN_PASSWORD: '{{ ldap_admin_password }}' + LDAP_CONFIG_PASSWORD: '{{ ldap_config_password }}' + LDAP_READONLY_USER: 'false' + LDAP_RFC2307BIS_SCHEMA: 'false' + LDAP_BACKEND: mdb + LDAP_TLS: 'true' + LDAP_TLS_CRT_FILENAME: ldap.crt + LDAP_TLS_KEY_FILENAME: ldap.key + LDAP_TLS_CA_CRT_FILENAME: ca.crt + LDAP_TLS_ENFORCE: 'false' + LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0 + LDAP_TLS_PROTOCOL_MIN: '3.1' + LDAP_TLS_VERIFY_CLIENT: demand + LDAP_REPLICATION: 'false' + KEEP_EXISTING_CONFIG: 'false' + LDAP_REMOVE_CONFIG_AFTER_SETUP: 'true' + LDAP_SSL_HELPER_PREFIX: ldap - name: phpLDAPadmin container - docker_container: + community.docker.docker_container: name: phpldapadmin image: osixia/phpldapadmin:{{ services.phpldapadmin.version }} restart_policy: unless-stopped @@ -64,10 +64,10 @@ - name: external_services - name: ldap env: - PHPLDAPADMIN_LDAP_HOSTS: "openldap" - PHPLDAPADMIN_HTTPS: "false" - PHPLDAPADMIN_TRUST_PROXY_SSL: "true" + PHPLDAPADMIN_LDAP_HOSTS: openldap + PHPLDAPADMIN_HTTPS: 'false' + PHPLDAPADMIN_TRUST_PROXY_SSL: 'true' - VIRTUAL_HOST: "{{ services.openldap.domain }}" - LETSENCRYPT_HOST: "{{ services.openldap.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + VIRTUAL_HOST: '{{ services.openldap.domain }}' + LETSENCRYPT_HOST: '{{ services.openldap.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 300c099..bc5cfe9 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml 
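Review bot: `published_ports` maps 389 and 636 on every host interface while `LDAP_TLS_ENFORCE: 'false'` keeps unencrypted binds allowed, so the admin and config credentials set just below can traverse the network in clear to anything that reaches port 389; the only in-tree consumer visible here, phpldapadmin, talks to `openldap` over the `ldap` docker network and does not need the host mapping. Unless external clients require plaintext LDAP, drop `- 389:389` or bind it to loopback, `- 127.0.0.1:389:389`, and consider `LDAP_TLS_ENFORCE: 'true'` once clients are confirmed to use StartTLS. Quoting the remaining mapping, `- '636:636'`, also guards against the YAML 1.1 sexagesimal reading that bites values like `25:25` elsewhere in this commit.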
@@ -1,42 +1,42 @@ --- - name: setup passit containers - docker_compose: - project_name: "passit" - pull: "yes" + community.docker.docker_compose: + project_name: passit + pull: true definition: - version: "3.6" + version: '3.6' services: passit_db: - image: "postgres:10" - restart: "always" + image: postgres:10 + restart: always networks: - - "passit" + - passit volumes: - - "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data" + - '{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data' environment: - POSTGRES_USER: "passit" - POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" + POSTGRES_USER: passit + POSTGRES_PASSWORD: '{{ postgres_passwords.passit }}' passit_app: - image: "passit/passit:{{ services.passit.version }}" - command: "bin/start.sh" - restart: "always" + image: passit/passit:{{ services.passit.version }} + command: bin/start.sh + restart: always networks: - - "passit" - - "postfix" - - "external_services" + - passit + - postfix + - external_services environment: - DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit" - SECRET_KEY: "{{ passit_secret_key }}" + DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit + SECRET_KEY: '{{ passit_secret_key }}' IS_DEBUG: 'False' - EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}" - DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}" - EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}" - FIDO_SERVER_ID: "{{ services.passit.domain }}" - VIRTUAL_HOST: "{{ services.passit.domain }}" - LETSENCRYPT_HOST: "{{ services.passit.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }} + DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }} + EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }} + FIDO_SERVER_ID: '{{ services.passit.domain }}' + VIRTUAL_HOST: '{{ services.passit.domain }}' + LETSENCRYPT_HOST: '{{ services.passit.domain 
}}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' networks: passit: diff --git a/roles/docker/tasks/services/portainer.yml b/roles/docker/tasks/services/portainer.yml index 005da7f..b226d6f 100644 --- a/roles/docker/tasks/services/portainer.yml +++ b/roles/docker/tasks/services/portainer.yml @@ -1,12 +1,12 @@ --- - name: create portainer volume folder - file: - name: "{{ services.portainer.volume_folder }}" + ansible.builtin.file: + name: '{{ services.portainer.volume_folder }}' state: directory - name: run portainer - docker_container: + community.docker.docker_container: name: portainer image: portainer/portainer-ee:{{ services.portainer.version }} restart_policy: always @@ -14,9 +14,9 @@ - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - - "{{ services.portainer.volume_folder }}:/data" + - '{{ services.portainer.volume_folder }}:/data' env: - VIRTUAL_HOST: "{{ services.portainer.domain }}" - VIRTUAL_PORT: "9000" - LETSENCRYPT_HOST: "{{ services.portainer.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + VIRTUAL_HOST: '{{ services.portainer.domain }}' + VIRTUAL_PORT: '9000' + LETSENCRYPT_HOST: '{{ services.portainer.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml index c565686..fbd69b9 100644 --- a/roles/docker/tasks/services/postfix.yml +++ b/roles/docker/tasks/services/postfix.yml 
@@ -1,20 +1,21 @@ --- - name: setup network for postfix - docker_network: + community.docker.docker_network: name: postfix ipam_config: - - subnet: '172.16.0.0/16' + - subnet: 172.16.0.0/16 gateway: 172.16.0.1 - name: setup postfix docker container for outgoing mail - docker_container: + community.docker.docker_container: name: postfix image: boky/postfix:{{ services.postfix.version }} restart_policy: always networks: - name: postfix env: - # Get all services which have allowed_sender_domain defined - ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}" - HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as +# Get all services which have allowed_sender_domain defined + ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain',\ + \ 'defined') | map(attribute='value.domain') | list | join(' ') }}" + HOSTNAME: smtp.data.coop # the name the smtp server will identify itself as diff --git a/roles/docker/tasks/services/privatebin.yml b/roles/docker/tasks/services/privatebin.yml index bede175..5048dd7 100644 --- a/roles/docker/tasks/services/privatebin.yml +++ b/roles/docker/tasks/services/privatebin.yml @@ -1,8 +1,8 @@ --- - name: create privatebin volume folders - file: - name: "{{ services.privatebin.volume_folder }}/{{ volume }}" + ansible.builtin.file: + name: '{{ services.privatebin.volume_folder }}/{{ volume }}' state: directory loop: - cfg 
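Review bot: The `# Get all services which have allowed_sender_domain defined` comment was moved to column 0 inside the `env:` mapping, so it no longer visually belongs to the `ALLOWED_SENDER_DOMAINS` line it explains, and the filter expression was wrapped with `\` continuations and an escaped space inside the double quotes, which reads poorly and is easy to break on the next edit. Re-indent the comment to the key's level and, if the formatter insists on wrapping, use a folded scalar: `ALLOWED_SENDER_DOMAINS: >-` with the Jinja expression on the indented lines below (folding joins them with single spaces, which Jinja accepts). The trailing comment on `HOSTNAME: smtp.data.coop` is fine as is.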
@@ -11,21 +11,21 @@ loop_var: volume - name: upload privatebin config - template: + ansible.builtin.template: src: files/configs/privatebin-conf.php - dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php" + dest: '{{ services.privatebin.volume_folder }}/cfg/conf.php' - name: privatebin app container - docker_container: + community.docker.docker_container: name: privatebin image: jgeusebroek/privatebin:{{ services.privatebin.version }} restart_policy: unless-stopped volumes: - - "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg" - - "{{ services.privatebin.volume_folder }}/data:/privatebin/data" + - '{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg' + - '{{ services.privatebin.volume_folder }}/data:/privatebin/data' networks: - name: external_services env: - VIRTUAL_HOST: "{{ services.privatebin.domain }}" - LETSENCRYPT_HOST: "{{ services.privatebin.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + VIRTUAL_HOST: '{{ services.privatebin.domain }}' + LETSENCRYPT_HOST: '{{ services.privatebin.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index b5e9d2f..f7334d7 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml 
@@ -1,58 +1,59 @@ +--- - name: Create rallly volume folders - file: - name: "{{ services.rallly.volume_folder }}/postgres" + ansible.builtin.file: + name: '{{ services.rallly.volume_folder }}/postgres' state: directory - name: Copy Rallly environment file - template: + ansible.builtin.template: src: files/configs/rallly/env_file.j2 - dest: "{{ services.rallly.volume_folder }}/env_file" + dest: '{{ services.rallly.volume_folder }}/env_file' - name: Set up Rallly - docker_compose: - project_name: "rallly" - pull: "yes" + community.docker.docker_compose: + project_name: rallly + pull: true definition: - version: "3.8" + version: '3.8' services: rallly_db: - image: "postgres:14-alpine" - restart: "always" - shm_size: "256mb" + image: postgres:14-alpine + restart: always + shm_size: 256mb networks: rallly_internal: volumes: - - "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data" + - '{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data' environment: - POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}" - POSTGRES_DB: "rallly_db" + POSTGRES_PASSWORD: '{{ postgres_passwords.rallly }}' + POSTGRES_DB: rallly_db healthcheck: - test: ["CMD-SHELL", "pg_isready -U postgres"] + test: [CMD-SHELL, pg_isready -U postgres] interval: 5s timeout: 5s retries: 5 labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' rallly: - image: "lukevella/rallly:{{ services.rallly.version }}" - restart: "always" + image: lukevella/rallly:{{ services.rallly.version }} + restart: always networks: rallly_internal: external_services: postfix: depends_on: rallly_db: - condition: "service_healthy" + condition: service_healthy env_file: - - "{{ services.rallly.volume_folder }}/env_file" + - '{{ services.rallly.volume_folder }}/env_file' environment: - VIRTUAL_HOST: "{{ services.rallly.domain }}" - VIRTUAL_PORT: "3000" - LETSENCRYPT_HOST: "{{ services.rallly.domain }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + 
VIRTUAL_HOST: '{{ services.rallly.domain }}' + VIRTUAL_PORT: '3000' + LETSENCRYPT_HOST: '{{ services.rallly.domain }}' + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' networks: rallly_internal: diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml index 9dddb49..854e453 100644 --- a/roles/docker/tasks/services/restic_backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -1,6 +1,6 @@ --- - name: Setup restic backup - docker_compose: + community.docker.docker_compose: project_name: restic_backup pull: true definition: @@ -10,11 +10,12 @@ image: mazzolino/restic:{{ services.restic.version }} restart: always environment: - RUN_ON_STARTUP: "true" - BACKUP_CRON: "0 30 3 * * *" - RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" - RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" - RESTIC_BACKUP_SOURCES: "/mnt/volumes" + RUN_ON_STARTUP: 'true' + BACKUP_CRON: 0 30 3 * * * + RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password + }}@{{ services.restic.domain }}/{{ services.restic.repository }} + RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}' + RESTIC_BACKUP_SOURCES: /mnt/volumes RESTIC_BACKUP_ARGS: >- --tag datacoop-volumes --exclude='*.tmp' 
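Review bot: `POSTGRES_PASSWORD: '{{ postgres_passwords.rallly }}'` is rendered into the `definition` argument of the `Set up Rallly` task, and a secret passed as a module argument is echoed in verbose output and kept in the task result unless the task carries `no_log: true`; add that to the task. The `Copy Rallly environment file` template writes `env_file` with no `mode:` either, so it gets the remote umask; if `env_file.j2` holds the application secrets an env file usually does, set `mode: '0600'` (plus an `owner:` the container runtime can read) on that task.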
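Review bot: `RESTIC_REPOSITORY` embeds `restic_secrets.user_password` in the URL and `RESTIC_PASSWORD` sits beside it, both as plain module arguments, so the `Setup restic backup` task prints them in verbose runs and stores them in its result unless it has `no_log: true`; the URL-embedded credential is also readable by anyone with access to the Docker socket via `docker inspect`. The formatter additionally wrapped the `RESTIC_REPOSITORY` plain scalar in the middle of a Jinja expression (`...user_password` / `}}@...`); the fold becomes a single space so it still renders, but a `RESTIC_REPOSITORY: >-` block scalar says the same thing without relying on that. `BACKUP_CRON: 0 30 3 * * *` is now an unquoted scalar that only happens to parse as a string; quote it as `BACKUP_CRON: '0 30 3 * * *'`.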
@@ -29,10 +30,11 @@ - /docker-volumes:/mnt/volumes:ro restic-prune: - image: "mazzolino/restic:{{ services.restic.version }}" + image: mazzolino/restic:{{ services.restic.version }} environment: - RUN_ON_STARTUP: "true" - PRUNE_CRON: "0 0 4 * * *" - RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" - RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" + RUN_ON_STARTUP: 'true' + PRUNE_CRON: 0 0 4 * * * + RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password + }}@{{ services.restic.domain }}/{{ services.restic.repository }} + RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}' TZ: Europe/copenhagen diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 87d3f4d..8a43b0f 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -1,6 +1,6 @@ --- - name: watchtower container - docker_container: + community.docker.docker_container: name: watchtower image: containrrr/watchtower:1.4.0 restart_policy: unless-stopped @@ -8,7 +8,7 @@ - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - - "{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json" + - '{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json' env: - WATCHTOWER_LABEL_ENABLE: "true" - WATCHTOWER_POLL_INTERVAL: "60" \ No newline at end of file + WATCHTOWER_LABEL_ENABLE: 'true' + WATCHTOWER_POLL_INTERVAL: '60' diff --git a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml index 260af82..29331dd 100644 --- a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml +++ b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml 
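Review bot: `TZ: Europe/copenhagen` on the last context line of `restic-prune` is not a valid zoneinfo name — the database entry is `Europe/Copenhagen`, and on a case-sensitive filesystem an unresolvable `TZ` typically makes the process fall back to UTC, so `PRUNE_CRON: 0 0 4 * * *` would fire at 04:00 UTC rather than the local time the comment-free value suggests. Change it to `TZ: Europe/Copenhagen` and quote the cron expression, `PRUNE_CRON: '0 0 4 * * *'`, for the same reason as in the backup service. The remarks about the split `RESTIC_REPOSITORY` scalar and `no_log: true` apply to this service as well.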
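Review bot: The `watchtower` container mounts `/var/run/docker.sock` and, with `WATCHTOWER_LABEL_ENABLE: 'true'`, replaces every labelled container as soon as a new image appears, so whoever controls the registries those images come from — or the credentials in the `config.json` mounted on the next line — gets root-equivalent code execution on this host, and every service tagged `watchtower.enable` inherits that trust. At minimum the updater itself should not be movable by a tag push: pin the image in the hunk above by digest, `image: containrrr/watchtower:1.4.0@sha256:<digest>`, and document in a comment above `volumes:` that the socket mount is the privilege boundary for the whole host.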
@@ -1,23 +1,24 @@ --- - name: setup 2022.slides.data.coop website using unipi - docker_container: + community.docker.docker_container: name: 2022.slides.data.coop_website image: docker.data.coop/unipi:latest restart_policy: unless-stopped - purge_networks: yes + purge_networks: true networks: - name: external_services env: - VIRTUAL_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}" - LETSENCRYPT_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - # Temporarily hosting on github - command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022" + VIRTUAL_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',') + }} + LETSENCRYPT_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',') + }} + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' +# Temporarily hosting on github + command: --remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022 capabilities: - NET_ADMIN devices: - - "/dev/net/tun" + - /dev/net/tun labels: - com.centurylinklabs.watchtower.enable: "true" - + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml index 28d6997..0bd2d11 100644 --- a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml +++ b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml 
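Review bot: `command: --remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022` pins a branch, not a commit, so anyone who can push to that branch of a third-party GitHub repository controls what this container serves under the site's domains; the line is untouched by the commit but is still the code under review. If the tool accepts a commit in the fragment, pin `#<full sha>` and bump it deliberately; if not, a comment saying why that branch is trusted would at least make the decision visible. The formatter also moved `# Temporarily hosting on github` to column 0 inside the `env:` mapping, away from the `command:` it annotates, and `NET_ADMIN` plus `/dev/net/tun` are considerable privilege for a static site — a one-line comment stating what unipi needs them for belongs next to `capabilities:`.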
@@ -1,15 +1,15 @@ --- - name: setup cryptoaarhus.dk website docker container - docker_container: + community.docker.docker_container: name: cryptoaarhus_website restart_policy: unless-stopped image: docker.data.coop/cryptoaarhus-website networks: - name: external_services env: - VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}" + VIRTUAL_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/docker/tasks/services/websites/cryptohagen.dk.yml b/roles/docker/tasks/services/websites/cryptohagen.dk.yml index dcca218..541aaa1 100644 --- a/roles/docker/tasks/services/websites/cryptohagen.dk.yml +++ b/roles/docker/tasks/services/websites/cryptohagen.dk.yml @@ -1,15 +1,15 @@ --- - name: setup cryptohagen.dk website docker container - docker_container: + community.docker.docker_container: name: cryptohagen_website restart_policy: unless-stopped image: docker.data.coop/cryptohagen-website networks: - name: external_services env: - VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}" + VIRTUAL_HOST: "{{ services.cryptohagen_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/docker/tasks/services/websites/data.coop.yml b/roles/docker/tasks/services/websites/data.coop.yml index 2492757..757157a 100644 --- a/roles/docker/tasks/services/websites/data.coop.yml +++ b/roles/docker/tasks/services/websites/data.coop.yml 
@@ -1,15 +1,15 @@ --- - name: setup data.coop website docker container - docker_container: + community.docker.docker_container: name: data.coop_website image: docker.data.coop/data-coop-website restart_policy: unless-stopped networks: - name: external_services env: - VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}" + VIRTUAL_HOST: "{{ services.data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/docker/tasks/services/websites/new-new.data.coop.yml b/roles/docker/tasks/services/websites/new-new.data.coop.yml index 05ff1f3..8dc690e 100644 --- a/roles/docker/tasks/services/websites/new-new.data.coop.yml +++ b/roles/docker/tasks/services/websites/new-new.data.coop.yml 
@@ -1,21 +1,23 @@ +--- - name: setup new-new data.coop website using unipi - docker_container: + community.docker.docker_container: name: new-new.data.coop_website image: docker.data.coop/unipi:latest restart_policy: unless-stopped - purge_networks: yes + purge_networks: true networks: - name: external_services env: - VIRTUAL_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}" - LETSENCRYPT_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - # The ssh-key is for read-only only - command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI" + VIRTUAL_HOST: new-new.{{ services.data_coop_website.domains | join(',') }} + LETSENCRYPT_HOST: new-new.{{ services.data_coop_website.domains | join(',') + }} + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' +# The ssh-key is for read-only only + command: --remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= + --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI capabilities: - NET_ADMIN devices: - - "/dev/net/tun" + - /dev/net/tun labels: - com.centurylinklabs.watchtower.enable: "true" - + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/docker/tasks/services/websites/new.data.coop.yml b/roles/docker/tasks/services/websites/new.data.coop.yml index f70596a..a9b42d2 100644 --- a/roles/docker/tasks/services/websites/new.data.coop.yml +++ b/roles/docker/tasks/services/websites/new.data.coop.yml 
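Review bot: `--ssh-key ed25519:Ag9Rek…JbU=` on the `command:` line is 44 base64 characters, i.e. 32 bytes, the size of a raw ed25519 private seed as much as of a public key, and the `# The ssh-key is for read-only only` comment defending it reads as if this were the deploy key itself; if it is the private half, it is a credential committed in plaintext and belongs in a vaulted variable (`--ssh-key {{ unipi_deploy_key }}`) with the repo-side key rotated, read-only or not. The `--ssh-authenticator SHA256:…` host-key pin is the right idea and should stay. Separately, the formatter split `command:` into a two-line plain scalar; the fold becomes one space so the argument list survives, but `command: >-` would make that intent explicit, and the comment was dedented to column 0 away from the line it explains.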
@@ -1,15 +1,15 @@ --- - name: setup new data.coop website using hugo - docker_container: + community.docker.docker_container: name: new.data.coop_website image: docker.data.coop/data-coop-website:hugo restart_policy: unless-stopped networks: - name: external_services env: - VIRTUAL_HOST : "new.{{ services.data_coop_website.domains|join(',') }}" - LETSENCRYPT_HOST: "new.{{ services.data_coop_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + VIRTUAL_HOST: new.{{ services.data_coop_website.domains|join(',') }} + LETSENCRYPT_HOST: new.{{ services.data_coop_website.domains|join(',') }} + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/docker/tasks/services/websites/ulovliglogning.dk.yml b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml index 7abec88..25dd2ad 100644 --- a/roles/docker/tasks/services/websites/ulovliglogning.dk.yml +++ b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml @@ -1,5 +1,6 @@ +--- - name: setup ulovliglogning.dk website docker container - docker_container: + community.docker.docker_container: name: ulovliglogning_website restart_policy: unless-stopped image: ulovliglogning/ulovliglogning.dk:latest @@ -8,6 +9,6 @@ env: VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}" - LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" + LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}' labels: - com.centurylinklabs.watchtower.enable: "true" + com.centurylinklabs.watchtower.enable: 'true' diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml index 63e452c..17dacb6 100644 --- a/roles/ubuntu_base/tasks/base.yml +++ b/roles/ubuntu_base/tasks/base.yml 
@@ -1,7 +1,7 @@ --- - name: Install necessary packages via apt - apt: - name: "{{ packages }}" + ansible.builtin.apt: + name: '{{ packages }}' vars: packages: - aptitude @@ -11,13 +11,13 @@ - mosh - name: Install Dell OpenManage - apt: + ansible.builtin.apt: name: srvadmin-all when: not vagrant - name: Install necessary packages via pip - pip: - name: "{{ packages }}" + ansible.builtin.pip: + name: '{{ packages }}' vars: packages: - docker diff --git a/roles/ubuntu_base/tasks/dell-apt-repo.yml b/roles/ubuntu_base/tasks/dell-apt-repo.yml index b7d9d48..a5f3943 100644 --- a/roles/ubuntu_base/tasks/dell-apt-repo.yml +++ b/roles/ubuntu_base/tasks/dell-apt-repo.yml @@ -1,18 +1,19 @@ --- - name: Import dell apt signing key - apt_key: - id: "1285491434D8786F" - keyserver: "keyserver.ubuntu.com" + ansible.builtin.apt_key: + id: 1285491434D8786F + keyserver: keyserver.ubuntu.com - name: Configure dell apt repo - apt_repository: - repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main" + ansible.builtin.apt_repository: + repo: deb https://linux.dell.com/repo/community/openmanage/10101/focal focal + main state: present - name: Restrict dell apt repo" - copy: - dest: "/etc/apt/preferences.d/dell" - content: | + ansible.builtin.copy: + dest: /etc/apt/preferences.d/dell + content: |- Explanation: Deny all packages from this repo that exist elsewhere Package: * Pin: origin "linux.dell.com" diff --git a/roles/ubuntu_base/tasks/firewall.yml b/roles/ubuntu_base/tasks/firewall.yml index 17860a8..2713e94 100644 --- a/roles/ubuntu_base/tasks/firewall.yml +++ b/roles/ubuntu_base/tasks/firewall.yml 
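Review bot: `ansible.builtin.apt_key` with `id: 1285491434D8786F` fetches from `keyserver.ubuntu.com` by a 16-hex-digit long key ID, which does not uniquely identify a key; use the full 40-hex-digit fingerprint in `id:` so a substituted key is rejected, and note that a key added this way is trusted for every repository, not only Dell's — the `Pin: origin "linux.dell.com"` preference below only decides which package versions win, not who may sign them. The durable form is to fetch the armored key to `/etc/apt/keyrings/dell.asc` with `ansible.builtin.get_url` (checksum pinned) and reference it as `[signed-by=/etc/apt/keyrings/dell.asc]` in the `repo:` string. That `repo:` value was also wrapped into a two-line plain scalar (`…focal` / `main`), which folds back correctly but is easy to misread — keep it on one line — and the stray `"` in `- name: Restrict dell apt repo"` should go.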
@@ -1,22 +1,24 @@ --- - name: Setup firewall with UFW - community.general.ufw: + community.general.ufw: state: enabled policy: deny - name: Allow necessary ports community.general.ufw: rule: allow - port: "{{ item.port }}" + port: '{{ item.port }}' proto: "{{ item.proto | default('tcp') }}" loop: - - port: 22 # Gitea SSH - - port: 80 # HTTP - - port: 443 # HTTPS - - port: 389 # OpenLDAP - - port: 636 # OpenLDAP - - port: 25 # Email - - port: 465 # Email - - port: 587 # Email - - port: 993 # Email - - port: 19022 # SSH + - port: 22 # Gitea SSH + - port: 80 # HTTP + - port: 443 # HTTPS + - port: 389 # OpenLDAP + - port: 636 # OpenLDAP + - port: 25 # Email + - port: 465 # Email + - port: 587 # Email + - port: 993 # Email + - port: 19022 # SSH + loop_control: + loop_var: ubuntu_base_port diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml index a34d5b0..056a0e5 100644 --- a/roles/ubuntu_base/tasks/main.yml +++ b/roles/ubuntu_base/tasks/main.yml @@ -1,19 +1,25 @@ --- -- import_tasks: ssh-port.yml +- name: Set SSH port + ansible.builtin.import_tasks: ssh-port.yml tags: [change-ssh-port] -- import_tasks: dell-apt-repo.yml +- name: Set up Dell apt repo + ansible.builtin.import_tasks: dell-apt-repo.yml tags: [setup-dell-apt-repo] when: not vagrant -- import_tasks: upgrade.yml +- name: Make sure system is up to date + ansible.builtin.import_tasks: upgrade.yml tags: [do-full-system-upgrade] -- import_tasks: base.yml +- name: Install base packages + ansible.builtin.import_tasks: base.yml tags: [install-base-packages] -- import_tasks: users.yml +- name: Setup users + ansible.builtin.import_tasks: users.yml tags: [setup-users] -- import_tasks: firewall.yml +- name: Setup firewall + ansible.builtin.import_tasks: firewall.yml tags: [setup-firewall] diff --git a/roles/ubuntu_base/tasks/ssh-port.yml b/roles/ubuntu_base/tasks/ssh-port.yml index 1935168..0ec8bbc 100644 --- a/roles/ubuntu_base/tasks/ssh-port.yml +++ b/roles/ubuntu_base/tasks/ssh-port.yml 
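Review bot: The task body still reads `item.port` and `item.proto` while the new `loop_control: loop_var: ubuntu_base_port` renames the loop variable, so `item` is undefined and the `Allow necessary ports` task fails on its first iteration. Rename the references to match: `port: '{{ ubuntu_base_port.port }}'` and `proto: "{{ ubuntu_base_port.proto | default('tcp') }}"`. Because the preceding task has already applied `state: enabled` with `policy: deny`, that failure leaves the host refusing new inbound connections, including SSH on `19022`, until someone fixes it from an existing session or the console; applying the allow rules first and enabling the firewall last would make a failed run recoverable.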
@@ -1,20 +1,18 @@ --- - name: Change SSH port on host - lineinfile: - dest: "/etc/ssh/sshd_config" - regexp: "^#?Port " - line: "Port 19022" + ansible.builtin.lineinfile: + dest: /etc/ssh/sshd_config + regexp: '^#?Port ' + line: Port 19022 register: ssh_changed - name: Restart sshd - service: + ansible.builtin.service: name: sshd state: restarted - when: ssh_changed is defined and - ssh_changed.changed + when: ssh_changed is defined and ssh_changed.changed - name: Change Ansible port to 19022 - set_fact: + ansible.builtin.set_fact: ansible_port: 19022 - when: ssh_changed is defined and - ssh_changed.changed + when: ssh_changed is defined and ssh_changed.changed diff --git a/roles/ubuntu_base/tasks/upgrade.yml b/roles/ubuntu_base/tasks/upgrade.yml index c4cd33b..e71403b 100644 --- a/roles/ubuntu_base/tasks/upgrade.yml +++ b/roles/ubuntu_base/tasks/upgrade.yml @@ -1,5 +1,5 @@ --- -- name: update and upgrade system via apt - apt: - update_cache: yes +- name: Update and upgrade system via apt + ansible.builtin.apt: + update_cache: true upgrade: full diff --git a/roles/ubuntu_base/tasks/users.yml b/roles/ubuntu_base/tasks/users.yml index deea339..49a20a5 100644 --- a/roles/ubuntu_base/tasks/users.yml +++ b/roles/ubuntu_base/tasks/users.yml 
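Review bot: `ansible.builtin.lineinfile` rewrites `/etc/ssh/sshd_config` and the following task restarts `sshd` on any change, with nothing checking that the resulting file still parses; a typo in `line:` or a `Port` that conflicts with an included drop-in would take down the only management path. Add `validate: /usr/sbin/sshd -t -f %s` to the lineinfile task so the restart never runs against a broken config. The literal `19022` also appears here twice and again in `firewall.yml`; a single role variable such as `ubuntu_base_ssh_port` would keep the three from drifting apart.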
@@ -1,22 +1,27 @@ --- -- name: "Add users" +- name: Add users user: - name: "{{ item.name }}" - comment: "{{ item.comment }}" - password: "{{ item.password }}" - groups: "{{ item.groups }}" - update_password: "always" - loop: "{{ users | default([]) }}" + name: '{{ ubuntu_base_user.name }}' + comment: '{{ ubuntu_base_user.comment }}' + password: '{{ ubuntu_base_user.password }}' + groups: '{{ ubuntu_base_user.groups }}' + update_password: always + loop: '{{ users | default([]) }}' + loop_control: + loop_var: ubuntu_base_user -- name: "Add ssh authorized_keys" +- name: Add ssh authorized_keys ansible.posix.authorized_key: - user: "{{ item.name }}" - key: "{{ item.ssh_keys | join('\n') }}" + user: '{{ ubuntu_base_user.name }}' + key: "{{ ubuntu_base_user.ssh_keys | join('\n') }}" exclusive: true - loop: "{{ users | default([]) }}" + loop: '{{ users | default([]) }}' + loop_control: + loop_var: ubuntu_base_user -- name: "Add ssh authorized_keys to root user" +- name: Add ssh authorized_keys to root user ansible.posix.authorized_key: - user: "root" - key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}" + user: root + key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n\ + ') }}" exclusive: true
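Review bot: The `Add users` task passes `password: '{{ ubuntu_base_user.password }}'` as a module argument with no `no_log: true`, so the hash — or the password itself, if the inventory value is not already hashed — is printed in verbose output and stored in the task result; this is what ansible-lint's `no-log-password` rule reports, so add `no_log: true` to the task. The module is also still the short name `user:` while every other task in the commit moved to an FQCN — make it `ansible.builtin.user:`. In the root task the `join('\n\` / `') }}` wrap inside a double-quoted scalar is legal (the trailing `\` escapes the line break) but nearly unreadable; a `key: >-` block scalar or the expression on one line is safer against the next formatter pass.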