WIP: Linting #128
|
@ -42,7 +42,7 @@ use_default_rules: true
|
||||||
|
|
||||||
# Ansible-lint completely ignores rules or tags listed below
|
# Ansible-lint completely ignores rules or tags listed below
|
||||||
skip_list:
|
skip_list:
|
||||||
- skip_this_tag
|
- no-log-password
|
||||||
|
|
||||||
# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
|
# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
|
||||||
# You must enable opt-in rules by listing each rule 'id' below.
|
# You must enable opt-in rules by listing each rule 'id' below.
|
||||||
|
@ -108,4 +108,4 @@ kinds:
|
||||||
|
|
||||||
# List of additions modules to allow in only-builtins rule.
|
# List of additions modules to allow in only-builtins rule.
|
||||||
# only_builtins_allow_modules:
|
# only_builtins_allow_modules:
|
||||||
# - example_module
|
# - example_module
|
||||||
|
|
|
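Review bot: `skip_list: - no-log-password` disables the one rule that would flag the tasks elsewhere in this PR that hand `docker_password`, `ldap_admin_password` and `postgres_passwords.*` to modules or a shell command without `no_log: true`, so those values end up in the Ansible log whenever the task changes or runs with `-v`. Rather than skipping the rule repo-wide, keep it enabled and add `no_log: true` to the affected tasks (the docker registry htpasswd and login tasks, and the codimd, hedgedoc and drone container definitions); if a skip is still wanted, put a comment above the entry naming the task it covers so the exemption does not outlive it. The second hunk (`@ -108,4`) touches only commented-out text and needs nothing.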
@ -1,14 +1,15 @@
|
||||||
|
---
|
||||||
repos:
|
repos:
|
||||||
|
|
||||||
#- repo: https://github.com/semaphor-dk/dansabel
|
- repo: https://github.com/lyz-code/yamlfix/
|
||||||
# rev: b72c70351d1a9e32a75db505fcb3aa414f3282f8
|
rev: 1.1.1
|
||||||
# hooks:
|
hooks:
|
||||||
# - id: dansabel
|
- id: yamlfix
|
||||||
|
|
||||||
- repo: https://github.com/ansible/ansible-lint
|
- repo: https://github.com/ansible/ansible-lint
|
||||||
rev: v6.9.0
|
rev: v6.9.0
|
||||||
hooks:
|
hooks:
|
||||||
- id: ansible-lint
|
- id: ansible-lint
|
||||||
files: \.(yaml|yml)$
|
files: \.(yaml|yml)$
|
||||||
additional_dependencies:
|
additional_dependencies:
|
||||||
- ansible
|
- ansible
|
||||||
|
|
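Review bot: The new yamlfix hook is pinned to a tag, `rev: 1.1.1`, whereas the dansabel entry it replaces was pinned to a full commit SHA; a tag can be moved upstream, so each contributor's pre-commit run could silently execute different formatter code. Pin to the commit the tag resolves to and keep the tag as a comment, e.g. `rev: <commit-sha-of-1.1.1>  # 1.1.1`, and consider the same for `rev: v6.9.0` on ansible-lint. Since yamlfix is what rewrote the quoting in the other files of this PR, its output on `22:22` in gitea.yml and on the long `shell:` line in docker_registry.yml should be checked before the hook is enabled for everyone.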
6
Makefile
6
Makefile
|
@ -1,3 +1,7 @@
|
||||||
|
# Makefile for initializing pre-commit hooks
|
||||||
|
|
||||||
|
all: init
|
||||||
|
|
||||||
init: create_venv install_pre_commit install_ansible_galaxy_modules
|
init: create_venv install_pre_commit install_ansible_galaxy_modules
|
||||||
|
|
||||||
create_venv:
|
create_venv:
|
||||||
|
@ -9,4 +13,4 @@ install_pre_commit:
|
||||||
venv/bin/pre-commit install
|
venv/bin/pre-commit install
|
||||||
|
|
||||||
install_ansible_galaxy_modules:
|
install_ansible_galaxy_modules:
|
||||||
venv/bin/ansible-galaxy collection install community.general
|
venv/bin/ansible-galaxy collection install community.general
|
||||||
|
|
|
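Review bot: The new `all: init` target, like the existing `init`, `create_venv`, `install_pre_commit` and `install_ansible_galaxy_modules`, is not declared phony, so a file or directory named `all` or `init` in the repository root would make `make` report it as up to date and skip the setup entirely. Add `.PHONY: all init create_venv install_pre_commit install_ansible_galaxy_modules` beneath the new header comment. The `create_venv` recipe starts inside the first hunk but its body lies outside it.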
@ -12,7 +12,8 @@ users:
|
||||||
groups:
|
groups:
|
||||||
- sudo
|
- sudo
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH valberg
|
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUmGeHc6QXDcJHkmVxbTUv04Q3vs20avquoGr6eOkkvYbcgjuFnBOOtvs2Nul1odcvvnHa1nN7DfL8XJamiwsB1B/xe2seaNS1axgwk9XowlVN9pgga8gsC+4gZWBtSObG2GR8n4NtPENzPmW5deNn8dRpTvULPMxZ0VRE9yNQOx8v8w85yYh+vxbbkWGVDYJU23yuJI50U9y6bXxNHinsACDFBeR/giXDlw29TaOaSxz0R6zrRPBoX+V68RyWwBL+KWQKtX2ULtJI40S98Ohd6p41bIxYHCBS/zroqNne8PjYOLcHHsjHUGfTvhcS5a3zdz/iHsvsaOOjFjsydAXH
|
||||||
|
valberg
|
||||||
|
|
||||||
- name: reynir
|
- name: reynir
|
||||||
comment: Reynir Björnsson
|
comment: Reynir Björnsson
|
||||||
|
@ -20,8 +21,10 @@ users:
|
||||||
groups:
|
groups:
|
||||||
- sudo
|
- sudo
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
|
- ssh-rsa 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
|
||||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t reynir@spurv
|
reynir yubikey
|
||||||
|
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR8t/wNRp7Dt3wr9uZKVTofTDVYrcoQNru5ETxL+37t
|
||||||
|
reynir@spurv
|
||||||
|
|
||||||
- name: samsapti
|
- name: samsapti
|
||||||
comment: Sam Al-Sapti
|
comment: Sam Al-Sapti
|
||||||
|
@ -29,4 +32,5 @@ users:
|
||||||
groups:
|
groups:
|
||||||
- sudo
|
- sudo
|
||||||
ssh_keys:
|
ssh_keys:
|
||||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti
|
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf
|
||||||
|
samsapti
|
||||||
|
|
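Review bot: The formatter has moved each key's trailing comment (`valberg`, `reynir yubikey`, `reynir@spurv`, `samsapti`) onto a continuation line, turning every `ssh-rsa`/`ssh-ed25519` entry into a multi-line plain scalar; that folds back to the original one-line value only if the continuation is indented deeper than the `- ` indicator, which the rendered view does not show, and it makes the keys harder to audit and grep against a host's live `authorized_keys`. Either exempt this file from the line-length rule so each key stays on one line, or make the folding explicit with `- >-` followed by the key and its comment on indented lines. The user entry whose `groups:` opens the `@ -12,7` hunk starts before the hunk.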
17
playbook.yml
17
playbook.yml
|
@ -1,22 +1,25 @@
|
||||||
---
|
---
|
||||||
- hosts: all
|
- name: Deploy data.coop services
|
||||||
|
hosts: all
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
become: true
|
become: true
|
||||||
vars:
|
vars:
|
||||||
base_domain: data.coop
|
base_domain: data.coop
|
||||||
letsencrypt_email: admin@data.coop
|
letsencrypt_email: admin@data.coop
|
||||||
ldap_dn: "dc=data,dc=coop"
|
ldap_dn: dc=data,dc=coop
|
||||||
|
|
||||||
vagrant: "{{ ansible_virtualization_role == 'guest' }}"
|
vagrant: "{{ ansible_virtualization_role == 'guest' }}"
|
||||||
letsencrypt_enabled: "{{ not vagrant }}"
|
letsencrypt_enabled: '{{ not vagrant }}'
|
||||||
|
|
||||||
smtp_host: "postfix"
|
smtp_host: postfix
|
||||||
smtp_port: "587"
|
smtp_port: '587'
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- import_role:
|
- name: Setup host basics
|
||||||
|
ansible.builtin.import_role:
|
||||||
name: ubuntu_base
|
name: ubuntu_base
|
||||||
tags:
|
tags:
|
||||||
- base_only
|
- base_only
|
||||||
- import_role:
|
- name: Deploy docker containers (services)
|
||||||
|
ansible.builtin.import_role:
|
||||||
name: docker
|
name: docker
|
||||||
|
|
|
@ -1,169 +1,169 @@
|
||||||
---
|
---
|
||||||
volume_root_folder: "/docker-volumes"
|
volume_root_folder: /docker-volumes
|
||||||
|
|
||||||
services:
|
services:
|
||||||
|
|
||||||
### Internal services ###
|
### Internal services ###
|
||||||
postfix:
|
postfix:
|
||||||
file: postfix.yml
|
file: postfix.yml
|
||||||
version: "v3.5.0"
|
version: v3.5.0
|
||||||
|
|
||||||
nginx_proxy:
|
nginx_proxy:
|
||||||
file: nginx_proxy.yml
|
file: nginx_proxy.yml
|
||||||
version: "1.0-alpine"
|
version: 1.0-alpine
|
||||||
volume_folder: "{{ volume_root_folder }}/nginx"
|
volume_folder: '{{ volume_root_folder }}/nginx'
|
||||||
|
|
||||||
nginx_acme_companion:
|
nginx_acme_companion:
|
||||||
version: "2.2"
|
version: '2.2'
|
||||||
|
|
||||||
openldap:
|
openldap:
|
||||||
file: openldap.yml
|
file: openldap.yml
|
||||||
domain: "ldap.{{ base_domain }}"
|
domain: ldap.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/openldap"
|
volume_folder: '{{ volume_root_folder }}/openldap'
|
||||||
version: "1.5.0"
|
version: 1.5.0
|
||||||
|
|
||||||
phpldapadmin:
|
phpldapadmin:
|
||||||
version: "0.9.0"
|
version: 0.9.0
|
||||||
|
|
||||||
netdata:
|
netdata:
|
||||||
file: netdata.yml
|
file: netdata.yml
|
||||||
domain: "netdata.{{ base_domain }}"
|
domain: netdata.{{ base_domain }}
|
||||||
version: "v1"
|
version: v1
|
||||||
|
|
||||||
portainer:
|
portainer:
|
||||||
file: portainer.yml
|
file: portainer.yml
|
||||||
domain: "portainer.{{ base_domain }}"
|
domain: portainer.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/portainer"
|
volume_folder: '{{ volume_root_folder }}/portainer'
|
||||||
version: "2.16.2"
|
version: 2.16.2
|
||||||
|
|
||||||
keycloak:
|
keycloak:
|
||||||
file: keycloak.yml
|
file: keycloak.yml
|
||||||
domain: sso.{{ base_domain }}
|
domain: sso.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/keycloak"
|
volume_folder: '{{ volume_root_folder }}/keycloak'
|
||||||
version: "20.0"
|
version: '20.0'
|
||||||
|
|
||||||
restic:
|
restic:
|
||||||
file: restic_backup.yml
|
file: restic_backup.yml
|
||||||
user: "datacoop"
|
user: datacoop
|
||||||
domain: "restic.cannedtuna.org"
|
domain: restic.cannedtuna.org
|
||||||
repository: "datacoop-hevonen"
|
repository: datacoop-hevonen
|
||||||
version: "1.6.0"
|
version: 1.6.0
|
||||||
disabled_in_vagrant: true
|
disabled_in_vagrant: true
|
||||||
|
|
||||||
docker_registry:
|
docker_registry:
|
||||||
file: docker_registry.yml
|
file: docker_registry.yml
|
||||||
domain: "docker.{{ base_domain }}"
|
domain: docker.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/docker-registry"
|
volume_folder: '{{ volume_root_folder }}/docker-registry'
|
||||||
username: "docker"
|
username: docker
|
||||||
password: "{{ docker_password }}"
|
password: '{{ docker_password }}'
|
||||||
version: "2"
|
version: '2'
|
||||||
|
|
||||||
### External services ###
|
### External services ###
|
||||||
|
|
||||||
nextcloud:
|
nextcloud:
|
||||||
file: nextcloud.yml
|
file: nextcloud.yml
|
||||||
domain: "cloud.{{ base_domain }}"
|
domain: cloud.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/nextcloud"
|
volume_folder: '{{ volume_root_folder }}/nextcloud'
|
||||||
version: 25-apache
|
version: 25-apache
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
file: gitea.yml
|
file: gitea.yml
|
||||||
domain: "git.{{ base_domain }}"
|
domain: git.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/gitea"
|
volume_folder: '{{ volume_root_folder }}/gitea'
|
||||||
version: 1.17.3
|
version: 1.17.3
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
passit:
|
passit:
|
||||||
file: passit.yml
|
file: passit.yml
|
||||||
domain: "passit.{{ base_domain }}"
|
domain: passit.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/passit"
|
volume_folder: '{{ volume_root_folder }}/passit'
|
||||||
version: stable
|
version: stable
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
matrix:
|
matrix:
|
||||||
file: matrix_riot.yml
|
file: matrix_riot.yml
|
||||||
domain: "matrix.{{ base_domain }}"
|
domain: matrix.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/matrix"
|
volume_folder: '{{ volume_root_folder }}/matrix'
|
||||||
version: v1.63.1
|
version: v1.63.1
|
||||||
|
|
||||||
riot:
|
riot:
|
||||||
domains:
|
domains:
|
||||||
- "riot.{{ base_domain }}"
|
- riot.{{ base_domain }}
|
||||||
- "element.{{ base_domain }}"
|
- element.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/riot"
|
volume_folder: '{{ volume_root_folder }}/riot'
|
||||||
version: v1.11.8
|
version: v1.11.8
|
||||||
|
|
||||||
privatebin:
|
privatebin:
|
||||||
file: privatebin.yml
|
file: privatebin.yml
|
||||||
domain: "paste.{{ base_domain }}"
|
domain: paste.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/privatebin"
|
volume_folder: '{{ volume_root_folder }}/privatebin'
|
||||||
version: 20221009
|
version: 20221009
|
||||||
|
|
||||||
codimd:
|
codimd:
|
||||||
domain: "oldpad.{{ base_domain }}"
|
domain: oldpad.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/codimd"
|
volume_folder: '{{ volume_root_folder }}/codimd'
|
||||||
|
|
||||||
hedgedoc:
|
hedgedoc:
|
||||||
file: hedgedoc.yml
|
file: hedgedoc.yml
|
||||||
domain: "pad.{{ base_domain }}"
|
domain: pad.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/hedgedoc"
|
volume_folder: '{{ volume_root_folder }}/hedgedoc'
|
||||||
version: 1.9.6
|
version: 1.9.6
|
||||||
|
|
||||||
data_coop_website:
|
data_coop_website:
|
||||||
file: websites/data.coop.yml
|
file: websites/data.coop.yml
|
||||||
domains:
|
domains:
|
||||||
- "{{ base_domain }}"
|
- '{{ base_domain }}'
|
||||||
- "www.{{ base_domain }}"
|
- www.{{ base_domain }}
|
||||||
|
|
||||||
cryptohagen_website:
|
cryptohagen_website:
|
||||||
file: websites/cryptohagen.dk.yml
|
file: websites/cryptohagen.dk.yml
|
||||||
domains:
|
domains:
|
||||||
- "cryptohagen.dk"
|
- cryptohagen.dk
|
||||||
- "www.cryptohagen.dk"
|
- www.cryptohagen.dk
|
||||||
|
|
||||||
ulovliglogning_website:
|
ulovliglogning_website:
|
||||||
file: websites/ulovliglogning.dk.yml
|
file: websites/ulovliglogning.dk.yml
|
||||||
domains:
|
domains:
|
||||||
- "ulovliglogning.dk"
|
- ulovliglogning.dk
|
||||||
- "www.ulovliglogning.dk"
|
- www.ulovliglogning.dk
|
||||||
- "ulovlig-logning.dk"
|
- ulovlig-logning.dk
|
||||||
|
|
||||||
cryptoaarhus_website:
|
cryptoaarhus_website:
|
||||||
file: websites/cryptoaarhus.dk.yml
|
file: websites/cryptoaarhus.dk.yml
|
||||||
domains:
|
domains:
|
||||||
- "cryptoaarhus.dk"
|
- cryptoaarhus.dk
|
||||||
- "www.cryptoaarhus.dk"
|
- www.cryptoaarhus.dk
|
||||||
|
|
||||||
drone:
|
drone:
|
||||||
file: drone.yml
|
file: drone.yml
|
||||||
domain: "drone.{{ base_domain }}"
|
domain: drone.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/drone"
|
volume_folder: '{{ volume_root_folder }}/drone'
|
||||||
version: 1
|
version: 1
|
||||||
|
|
||||||
mailu:
|
mailu:
|
||||||
file: mailu.yml
|
file: mailu.yml
|
||||||
version: 1.6
|
version: 1.6
|
||||||
domain: "mail.{{ base_domain }}"
|
domain: mail.{{ base_domain }}
|
||||||
dns: 192.168.203.254
|
dns: 192.168.203.254
|
||||||
subnet: 192.168.203.0/24
|
subnet: 192.168.203.0/24
|
||||||
volume_folder: "{{ volume_root_folder }}/mailu"
|
volume_folder: '{{ volume_root_folder }}/mailu'
|
||||||
|
|
||||||
mastodon:
|
mastodon:
|
||||||
file: mastodon.yml
|
file: mastodon.yml
|
||||||
domain: "social.{{ base_domain }}"
|
domain: social.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/mastodon"
|
volume_folder: '{{ volume_root_folder }}/mastodon'
|
||||||
version: v4.0.2
|
version: v4.0.2
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
rallly:
|
rallly:
|
||||||
file: rallly.yml
|
file: rallly.yml
|
||||||
domain: "when.{{ base_domain }}"
|
domain: when.{{ base_domain }}
|
||||||
volume_folder: "{{ volume_root_folder }}/rallly"
|
volume_folder: '{{ volume_root_folder }}/rallly'
|
||||||
version: a21f92bf74308d66cfcd545d49b81eba0211a222
|
version: a21f92bf74308d66cfcd545d49b81eba0211a222
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
||||||
membersystem:
|
membersystem:
|
||||||
file: membersystem.yml
|
file: membersystem.yml
|
||||||
domain: "member.{{ base_domain }}"
|
domain: member.{{ base_domain }}
|
||||||
django_admins: "Vidir:valberg@orn.li"
|
django_admins: Vidir:valberg@orn.li
|
||||||
allowed_sender_domain: true
|
allowed_sender_domain: true
|
||||||
|
|
|
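Review bot: After the quote stripping the `version:` values are typed inconsistently: `'2.2'`, `'20.0'` and `'2'` stay strings, but `version: 20221009` (privatebin), `version: 1` (drone) and `version: 1.6` (mailu) are loaded as numbers and only render correctly as image tags because those particular tags survive the round trip; a tag such as `1.60` or `010` would be silently altered before it reaches `image:`. Quote every `version:` in this file as a string (`version: '1.6'`, `version: '20221009'`, `version: '1'`) so yamlfix leaves them alone and the type no longer depends on the tag's shape. The other plain values such as `domain: ldap.{{ base_domain }}` are safe because the Jinja expression does not start the scalar, and `'{{ base_domain }}'` correctly keeps its quotes.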
@ -1,7 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: "restart nginx"
|
- name: Restart nginx
|
||||||
community.docker.docker_container:
|
community.docker.docker_container:
|
||||||
name: "nginx-proxy"
|
name: nginx-proxy
|
||||||
restart: "yes"
|
restart: 'yes'
|
||||||
state: "started"
|
state: started
|
||||||
|
|
||||||
|
|
|
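Review bot: `restart: 'yes'` was kept as a string while this same PR normalises `update_cache: yes` to `true` in the docker role; `community.docker.docker_container` takes `restart` as a boolean, so the handler works only through Ansible's string-to-bool coercion and hides that a boolean is meant. Change it to `restart: true` for consistency with the rest of the tree.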
@ -1,33 +1,33 @@
|
||||||
---
|
---
|
||||||
- name: add docker gpg key
|
- name: Add docker gpg key
|
||||||
apt_key:
|
ansible.builtin.apt_key:
|
||||||
keyserver: pgp.mit.edu
|
keyserver: pgp.mit.edu
|
||||||
id: 8D81803C0EBFCD88
|
id: 8D81803C0EBFCD88
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: add docker apt repository
|
- name: Add docker apt repository
|
||||||
apt_repository:
|
ansible.builtin.apt_repository:
|
||||||
repo: deb https://download.docker.com/linux/ubuntu bionic stable
|
repo: deb https://download.docker.com/linux/ubuntu bionic stable
|
||||||
state: present
|
state: present
|
||||||
update_cache: yes
|
update_cache: true
|
||||||
|
|
||||||
- name: install docker-ce
|
- name: Install docker-ce
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: docker-ce
|
name: docker-ce
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: install docker python bindings
|
- name: Install docker python bindings
|
||||||
pip:
|
ansible.builtin.pip:
|
||||||
executable: "pip3"
|
executable: pip3
|
||||||
name: "docker-compose"
|
name: docker-compose
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: create folder structure for bind mounts
|
- name: Create folder structure for bind mounts
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ volume_root_folder }}"
|
name: '{{ volume_root_folder }}'
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: setup services
|
- name: Setup services
|
||||||
import_tasks: services.yml
|
ansible.builtin.import_tasks: services.yml
|
||||||
tags:
|
tags:
|
||||||
- setup_services
|
- setup_services
|
||||||
|
|
|
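Review bot: The `Add docker gpg key` task still fetches the key by its 16-hex-digit long id from `keyserver: pgp.mit.edu`; a long key id is not a fingerprint, a keyserver lookup is not authenticated, and the `apt-key` mechanism that `apt_key` wraps is deprecated on current Ubuntu releases. Prefer downloading Docker's key over HTTPS from the vendor with `ansible.builtin.get_url` into `/etc/apt/keyrings/` with `checksum:` set to its published digest and referencing it via `signed-by=` in the `repo:` line; if the keyserver must stay, match the full fingerprint with `id: <FULL_FINGERPRINT>` instead of the short id. The hard-coded `bionic` in `repo:` should come from `{{ ansible_distribution_release }}` so the role does not install bionic packages on newer hosts, and `ansible.builtin.pip: name: docker-compose` installs an unpinned package from PyPI with no version constraint.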
@ -1,18 +1,17 @@
|
||||||
---
|
---
|
||||||
- name: setup external services network
|
- name: setup external services network
|
||||||
docker_network:
|
community.docker.docker_network:
|
||||||
name: external_services
|
name: external_services
|
||||||
|
|
||||||
- name: setup services
|
- name: setup services
|
||||||
include_tasks: "services/{{ item.value.file }}"
|
include_tasks: services/{{ docker_service.value.file }}
|
||||||
loop: "{{ services | dict2items }}"
|
loop: '{{ services | dict2items }}'
|
||||||
when: single_service is not defined and
|
loop_control:
|
||||||
item.value.file is defined and
|
loop_var: docker_service
|
||||||
item.value.disabled_in_vagrant is not defined
|
when: single_service is not defined and docker_service.value.file is defined and
|
||||||
|
docker_service.value.disabled_in_vagrant is not defined
|
||||||
|
|
||||||
- name: setup single service
|
- name: setup single service
|
||||||
include_tasks: "services/{{ services[single_service].file }}"
|
include_tasks: services/{{ services[single_service].file }}
|
||||||
when: single_service is defined and
|
when: single_service is defined and single_service in services and services[single_service].file
|
||||||
single_service in services and
|
is defined and services[single_service].disabled_in_vagrant is not defined
|
||||||
services[single_service].file is defined and
|
|
||||||
services[single_service].disabled_in_vagrant is not defined
|
|
||||||
|
|
|
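Review bot: Both `when:` conditions keep `disabled_in_vagrant is not defined` as an unconditional test, so a service that sets `disabled_in_vagrant: true` (restic in the vars file) is skipped on every host, not only under Vagrant; if the name reflects the intent, the test should be `not (vagrant and docker_service.value.disabled_in_vagrant | default(false))`, and likewise `services[single_service]` in the single-service task. The reformatted condition is now a multi-line plain scalar whose second line must stay indented to remain part of the value, which is fragile; `when:` accepts a list whose entries are ANDed, so one term per line reads better and cannot be re-wrapped. In the single-service task the split lands between `services[single_service].file` and `is defined`, which is exactly where a future reflow is likely to break the expression.

```yaml
- name: setup services
  # … unchanged: include_tasks, loop, loop_control …
  when:
    - single_service is not defined
    - docker_service.value.file is defined
    - not (vagrant and docker_service.value.disabled_in_vagrant | default(false))
```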
@ -1,22 +1,22 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: codimd network
|
- name: codimd network
|
||||||
docker_network:
|
community.docker.docker_network:
|
||||||
name: codimd
|
name: codimd
|
||||||
|
|
||||||
- name: create codimd volume folders
|
- name: create codimd volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ codimd.volume_folder }}/{{ volume }}"
|
name: '{{ codimd.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
loop:
|
loop:
|
||||||
- "db"
|
- db
|
||||||
- "codimd/uploads"
|
- codimd/uploads
|
||||||
|
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: codimd database container
|
- name: codimd database container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: codimd_db
|
name: codimd_db
|
||||||
image: postgres:10
|
image: postgres:10
|
||||||
state: started
|
state: started
|
||||||
|
@ -24,13 +24,13 @@
|
||||||
networks:
|
networks:
|
||||||
- name: codimd
|
- name: codimd
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ codimd.volume_folder }}/db:/var/lib/postgresql/data"
|
- '{{ codimd.volume_folder }}/db:/var/lib/postgresql/data'
|
||||||
env:
|
env:
|
||||||
POSTGRES_USER: "codimd"
|
POSTGRES_USER: codimd
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.codimd }}'
|
||||||
|
|
||||||
- name: codimd app container
|
- name: codimd app container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: codimd_app
|
name: codimd_app
|
||||||
image: hackmdio/hackmd:1.3.0
|
image: hackmdio/hackmd:1.3.0
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
|
@ -39,19 +39,19 @@
|
||||||
- name: ldap
|
- name: ldap
|
||||||
- name: external_services
|
- name: external_services
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads"
|
- '{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd"
|
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd
|
||||||
CMD_ALLOW_EMAIL_REGISTER: "False"
|
CMD_ALLOW_EMAIL_REGISTER: 'False'
|
||||||
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
|
CMD_IMAGE_UPLOAD_TYPE: filesystem
|
||||||
CMD_EMAIL: "False"
|
CMD_EMAIL: 'False'
|
||||||
CMD_LDAP_URL: "ldap://openldap"
|
CMD_LDAP_URL: ldap://openldap
|
||||||
CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop"
|
CMD_LDAP_BINDDN: cn=admin,dc=data,dc=coop
|
||||||
CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}"
|
CMD_LDAP_BINDCREDENTIALS: '{{ ldap_admin_password }}'
|
||||||
CMD_LDAP_SEARCHBASE: "dc=data,dc=coop"
|
CMD_LDAP_SEARCHBASE: dc=data,dc=coop
|
||||||
CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"
|
CMD_LDAP_SEARCHFILTER: (&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))
|
||||||
CMD_USECDN: "false"
|
CMD_USECDN: 'false'
|
||||||
VIRTUAL_HOST: "{{ codimd.domain }}"
|
VIRTUAL_HOST: '{{ codimd.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ codimd.domain }}"
|
LETSENCRYPT_HOST: '{{ codimd.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
|
|
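Review bot: Both `community.docker.docker_container` tasks pass secrets through `env` — `POSTGRES_PASSWORD`, `CMD_DB_URL` (which embeds `postgres_passwords.codimd`) and `CMD_LDAP_BINDCREDENTIALS` — without `no_log: true`, so the rendered module arguments including the passwords are logged whenever the task changes or runs with `-v`; this is what the `no-log-password` rule skipped in `.ansible-lint` would have caught. Add `no_log: true` to the database and app container tasks (the same applies to the hedgedoc, drone and docker registry tasks in this PR). `CMD_LDAP_BINDDN: cn=admin,dc=data,dc=coop` and `CMD_LDAP_SEARCHBASE: dc=data,dc=coop` hard-code what playbook.yml defines as `ldap_dn`; `'cn=admin,{{ ldap_dn }}'` and `'{{ ldap_dn }}'` keep the two in step. The app container task begins in the `@ -24,13` hunk and its `networks:` list continues into the `@ -39,19` hunk.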
@ -1,35 +1,37 @@
|
||||||
---
|
---
|
||||||
- name: copy docker registry nginx configuration
|
- name: copy docker registry nginx configuration
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "files/configs/docker_registry/nginx.conf"
|
src: files/configs/docker_registry/nginx.conf
|
||||||
dest: "/docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}"
|
dest: /docker-volumes/nginx/vhost/{{ services.docker_registry.domain }}
|
||||||
mode: "0644"
|
mode: '0644'
|
||||||
|
|
||||||
- name: docker registry container
|
- name: docker registry container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: registry
|
name: registry
|
||||||
image: registry:{{ services.docker_registry.version }}
|
image: registry:{{ services.docker_registry.version }}
|
||||||
restart_policy: always
|
restart_policy: always
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry"
|
- '{{ services.docker_registry.volume_folder }}/registry:/var/lib/registry'
|
||||||
- "{{ services.docker_registry.volume_folder }}/auth:/auth"
|
- '{{ services.docker_registry.volume_folder }}/auth:/auth'
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST: "{{ services.docker_registry.domain }}"
|
VIRTUAL_HOST: '{{ services.docker_registry.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.docker_registry.domain }}"
|
LETSENCRYPT_HOST: '{{ services.docker_registry.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
REGISTRY_AUTH: "htpasswd"
|
REGISTRY_AUTH: htpasswd
|
||||||
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
|
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
|
||||||
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
|
REGISTRY_AUTH_HTPASSWD_REALM: data.coop docker registry
|
||||||
|
|
||||||
- name: generate htpasswd file
|
- name: generate htpasswd file
|
||||||
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ services.docker_registry.volume_folder }}/auth/htpasswd"
|
shell: docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > services.docker_registry.volume_folder
|
||||||
|
}}/auth/htpasswd
|
||||||
args:
|
args:
|
||||||
creates: "{{ services.docker_registry.volume_folder }}/auth/htpasswd"
|
creates: '{{ services.docker_registry.volume_folder }}/auth/htpasswd'
|
||||||
|
|
||||||
- name: log in to registry
|
- name: log in to registry
|
||||||
docker_login:
|
docker_login:
|
||||||
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain }}"
|
registry: "{{ 'docker.data.coop' if vagrant else services.docker_registry.domain\
|
||||||
username: "docker"
|
\ }}"
|
||||||
password: "{{ docker_password }}"
|
username: docker
|
||||||
|
password: '{{ docker_password }}'
|
||||||
|
|
|
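Review bot: The reformatted `shell:` line in `generate htpasswd file` is now a two-line plain scalar, and as rendered here the opening `{{` before `services.docker_registry.volume_folder` is not visible while the closing `}}` starts the second line; if the braces really are gone the redirect targets a literal file named `services.docker_registry.volume_folder`, so re-check the committed text and write the command as a `>-` block so a formatter cannot wrap it mid-expression. The command also places `{{ docker_password }}` on a `docker exec` command line, the task has no `no_log: true`, and `-it` asks for a TTY that a non-interactive Ansible run does not provide, which makes `docker exec` fail. `docker_login:` was left unqualified while every other module in this file gained its FQCN, so it should become `community.docker.docker_login:`, and its `registry:` value is now a backslash-continued double-quoted string that a `>-` block would express more readably.

```yaml
- name: generate htpasswd file
  ansible.builtin.shell: >-
    docker exec registry htpasswd -Bbn docker {{ docker_password }}
    > {{ services.docker_registry.volume_folder }}/auth/htpasswd
  args:
    creates: '{{ services.docker_registry.volume_folder }}/auth/htpasswd'
  no_log: true
# … unchanged: log in to registry task …
```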
@ -1,51 +1,51 @@
|
||||||
---
|
---
|
||||||
- name: set up drone with docker runner
|
- name: set up drone with docker runner
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: drone
|
project_name: drone
|
||||||
pull: yes
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: "3.6"
|
version: '3.6'
|
||||||
services:
|
services:
|
||||||
drone:
|
drone:
|
||||||
container_name: "drone"
|
container_name: drone
|
||||||
image: drone/drone:1
|
image: drone/drone:1
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- external_services
|
- external_services
|
||||||
- drone
|
- drone
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.drone.volume_folder }}:/data"
|
- '{{ services.drone.volume_folder }}:/data'
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
environment:
|
environment:
|
||||||
DRONE_GITEA_SERVER: "https://{{ services.gitea.domain }}"
|
DRONE_GITEA_SERVER: https://{{ services.gitea.domain }}
|
||||||
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
|
DRONE_GITEA_CLIENT_ID: '{{ drone_secrets.oauth_client_id }}'
|
||||||
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
|
DRONE_GITEA_CLIENT_SECRET: '{{ drone_secrets.oauth_client_secret }}'
|
||||||
DRONE_GIT_ALWAYS_AUTH: "true"
|
DRONE_GIT_ALWAYS_AUTH: 'true'
|
||||||
DRONE_SERVER_HOST: "{{ services.drone.domain }}"
|
DRONE_SERVER_HOST: '{{ services.drone.domain }}'
|
||||||
DRONE_SERVER_PROTO: "https"
|
DRONE_SERVER_PROTO: https
|
||||||
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
|
DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
|
||||||
PLUGIN_CUSTOM_DNS: "91.239.100.100"
|
PLUGIN_CUSTOM_DNS: 91.239.100.100
|
||||||
VIRTUAL_HOST: "{{ services.drone.domain }}"
|
VIRTUAL_HOST: '{{ services.drone.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.drone.domain }}"
|
LETSENCRYPT_HOST: '{{ services.drone.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
|
||||||
drone-runner-docker:
|
drone-runner-docker:
|
||||||
container_name: "drone-runner-docker"
|
container_name: drone-runner-docker
|
||||||
image: "drone/drone-runner-docker:{{ services.drone.version }}"
|
image: drone/drone-runner-docker:{{ services.drone.version }}
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- drone
|
- drone
|
||||||
volumes:
|
volumes:
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
environment:
|
environment:
|
||||||
DRONE_RPC_HOST: "{{ services.drone.domain }}"
|
DRONE_RPC_HOST: '{{ services.drone.domain }}'
|
||||||
DRONE_RPC_PROTO: "https"
|
DRONE_RPC_PROTO: https
|
||||||
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
|
DRONE_RPC_SECRET: '{{ drone_secrets.rpc_shared_secret }}'
|
||||||
DRONE_RUNNER_CAPACITY: 2
|
DRONE_RUNNER_CAPACITY: 2
|
||||||
DRONE_RUNNER_NAME: "data.coop_drone_runner"
|
DRONE_RUNNER_NAME: data.coop_drone_runner
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
drone:
|
drone:
|
||||||
external_services:
|
external_services:
|
||||||
external:
|
external:
|
||||||
name: external_services
|
name: external_services
|
||||||
|
|
|
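Review bot: The server image is hard-coded as `image: drone/drone:1` while the runner further down uses `drone/drone-runner-docker:{{ services.drone.version }}`; make it `image: drone/drone:{{ services.drone.version }}` so both move together when the vars file changes. The task passes `drone_secrets.oauth_client_secret` and `drone_secrets.rpc_shared_secret` through `environment:` without `no_log: true`, so the whole compose definition including those values is logged on change or with `-v`; add `no_log: true` to the `set up drone with docker runner` task. `DRONE_RUNNER_CAPACITY: 2` is an integer where every other environment value is a string, so `'2'` keeps the environment map uniformly typed.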
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
- name: gitea network
|
- name: gitea network
|
||||||
docker_network:
|
community.docker.docker_network:
|
||||||
name: gitea
|
name: gitea
|
||||||
|
|
||||||
# old DNS: 138.68.71.153
|
# old DNS: 138.68.71.153
|
||||||
- name: gitea container
|
- name: gitea container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: gitea
|
name: gitea
|
||||||
image: gitea/gitea:{{ services.gitea.version }}
|
image: gitea/gitea:{{ services.gitea.version }}
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
|
@ -14,25 +14,25 @@
|
||||||
- name: postfix
|
- name: postfix
|
||||||
- name: external_services
|
- name: external_services
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.gitea.volume_folder }}:/data"
|
- '{{ services.gitea.volume_folder }}:/data'
|
||||||
published_ports:
|
published_ports:
|
||||||
- "22:22"
|
- 22:22
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST: "{{ services.gitea.domain }}"
|
VIRTUAL_HOST: '{{ services.gitea.domain }}'
|
||||||
VIRTUAL_PORT: "3000"
|
VIRTUAL_PORT: '3000'
|
||||||
LETSENCRYPT_HOST: "{{ services.gitea.domain }}"
|
LETSENCRYPT_HOST: '{{ services.gitea.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
|
# Gitea customization, see: https://docs.gitea.io/en-us/install-with-docker/#customization
|
||||||
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
|
# https://docs.gitea.io/en-us/config-cheat-sheet/#security-security
|
||||||
GITEA__mailer__ENABLED: "true"
|
GITEA__mailer__ENABLED: 'true'
|
||||||
GITEA__mailer__FROM: "noreply@{{ services.gitea.domain }}"
|
GITEA__mailer__FROM: noreply@{{ services.gitea.domain }}
|
||||||
GITEA__mailer__MAILER_TYPE: "smtp"
|
GITEA__mailer__MAILER_TYPE: smtp
|
||||||
GITEA__mailer__HOST: "{{ smtp_host }}:{{ smtp_port }}"
|
GITEA__mailer__HOST: '{{ smtp_host }}:{{ smtp_port }}'
|
||||||
GITEA__mailer__USER: "noop"
|
GITEA__mailer__USER: noop
|
||||||
GITEA__mailer__PASSWD: "noop"
|
GITEA__mailer__PASSWD: noop
|
||||||
GITEA__security__LOGIN_REMEMBER_DAYS: "60"
|
GITEA__security__LOGIN_REMEMBER_DAYS: '60'
|
||||||
GITEA__security__PASSWORD_COMPLEXITY: "off"
|
GITEA__security__PASSWORD_COMPLEXITY: 'off'
|
||||||
GITEA__security__MIN_PASSWORD_LENGTH: "8"
|
GITEA__security__MIN_PASSWORD_LENGTH: '8'
|
||||||
GITEA__security__PASSWORD_CHECK_PWN: "true"
|
GITEA__security__PASSWORD_CHECK_PWN: 'true'
|
||||||
GITEA__service__ENABLE_NOTIFY_MAIL: "true"
|
GITEA__service__ENABLE_NOTIFY_MAIL: 'true'
|
||||||
GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
|
GITEA__service__REGISTER_EMAIL_CONFIRM: 'true'
|
||||||
|
|
|
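Review bot: Removing the quotes from `published_ports: - 22:22` changes the value's type: Ansible's YAML loader follows YAML 1.1 resolution, under which a plain `22:22` is the sexagesimal integer 1342, so the container most likely no longer publishes port 22 and the task may fail outright. Restore `- '22:22'` and, since this PR enables yamlfix, add this file to that hook's `exclude:` pattern in `.pre-commit-config.yaml` so the formatter does not strip the quotes again. The quoted boolean-looking values `'true'` and `'off'` and the numeric strings `'3000'`, `'60'` and `'8'` are correctly left as strings, since Gitea reads them from the environment as text.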
@ -1,66 +1,65 @@
|
||||||
---
|
---
|
||||||
- name: create hedgedoc volume folders
|
- name: create hedgedoc volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.hedgedoc.volume_folder }}/{{ volume }}"
|
name: '{{ services.hedgedoc.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
loop:
|
loop:
|
||||||
- "db"
|
- db
|
||||||
- "hedgedoc/uploads"
|
- hedgedoc/uploads
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: copy sso public certificate
|
- name: copy sso public certificate
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: "files/sso/sso.data.coop.pem"
|
src: files/sso/sso.data.coop.pem
|
||||||
dest: "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem"
|
dest: '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem'
|
||||||
mode: "0644"
|
mode: '0644'
|
||||||
|
|
||||||
- name: setup hedgedoc
|
- name: setup hedgedoc
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: "hedgedoc"
|
project_name: hedgedoc
|
||||||
pull: "yes"
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
services:
|
services:
|
||||||
database:
|
database:
|
||||||
image: "postgres:10-alpine"
|
image: postgres:10-alpine
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_USER: "codimd"
|
POSTGRES_USER: codimd
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.hedgedoc }}'
|
||||||
POSTGRES_DB: "codimd"
|
POSTGRES_DB: codimd
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- "hedgedoc"
|
- hedgedoc
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
|
- '{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data'
|
||||||
|
|
||||||
app:
|
app:
|
||||||
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
|
image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}
|
||||||
environment:
|
environment:
|
||||||
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
|
CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd
|
||||||
CMD_DOMAIN: "{{ services.hedgedoc.domain }}"
|
CMD_DOMAIN: '{{ services.hedgedoc.domain }}'
|
||||||
CMD_ALLOW_EMAIL_REGISTER: "False"
|
CMD_ALLOW_EMAIL_REGISTER: 'False'
|
||||||
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
|
CMD_IMAGE_UPLOAD_TYPE: filesystem
|
||||||
CMD_EMAIL: "False"
|
CMD_EMAIL: 'False'
|
||||||
CMD_SAML_IDPCERT: "/sso.data.coop.pem"
|
CMD_SAML_IDPCERT: /sso.data.coop.pem
|
||||||
CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
|
CMD_SAML_IDPSSOURL: https://sso.data.coop/auth/realms/datacoop/protocol/saml
|
||||||
CMD_SAML_ISSUER: "hedgedoc"
|
CMD_SAML_ISSUER: hedgedoc
|
||||||
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
|
CMD_SAML_IDENTIFIERFORMAT: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
|
||||||
CMD_USECDN: "false"
|
CMD_USECDN: 'false'
|
||||||
CMD_PROTOCOL_USESSL: "true"
|
CMD_PROTOCOL_USESSL: 'true'
|
||||||
VIRTUAL_HOST: "{{ services.hedgedoc.domain }}"
|
VIRTUAL_HOST: '{{ services.hedgedoc.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.hedgedoc.domain }}"
|
LETSENCRYPT_HOST: '{{ services.hedgedoc.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
|
- '{{ services.hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads'
|
||||||
- "{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
|
- '{{ services.hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem'
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- "hedgedoc"
|
- hedgedoc
|
||||||
- "external_services"
|
- external_services
|
||||||
depends_on:
|
depends_on:
|
||||||
- database
|
- database
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
hedgedoc:
|
hedgedoc:
|
||||||
external_services:
|
external_services:
|
||||||
external: true
|
external: true
|
||||||
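Review bot: `CMD_DB_URL` on the new side embeds `{{ postgres_passwords.hedgedoc }}` verbatim inside a URL while the same value is handed raw to `POSTGRES_PASSWORD` on the `database` service, so a generated password containing `@`, `/`, `:` or `%` parses as host or path and the app cannot connect even though the database accepted the password. Running it through Jinja's `urlencode` filter keeps the two in step: `CMD_DB_URL: postgres://codimd:{{ postgres_passwords.hedgedoc | urlencode }}@hedgedoc_database_1:5432/codimd`. Separately and pre-existing, `postgres:10-alpine` is a floating tag of a PostgreSQL major that reached upstream end-of-life in November 2022 and no longer receives security fixes; that belongs in a tracked upgrade rather than this linting PR. The `community.docker.docker_compose` definition is complete within this hunk.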
@ -1,36 +1,40 @@
|
||||||
|
---
|
||||||
- name: setup keycloak containers for sso.data.coop
|
- name: setup keycloak containers for sso.data.coop
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: "keycloak"
|
project_name: keycloak
|
||||||
pull: "yes"
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: "3.6"
|
version: '3.6'
|
||||||
services:
|
services:
|
||||||
|
|
||||||
postgres:
|
postgres:
|
||||||
image: "postgres:10"
|
image: postgres:10
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- "keycloak"
|
- keycloak
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data"
|
- '{{ services.keycloak.volume_folder }}/data:/var/lib/postgresql/data'
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_USER: "keycloak"
|
POSTGRES_USER: keycloak
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.keycloak }}'
|
||||||
POSTGRES_DB: "keycloak"
|
POSTGRES_DB: keycloak
|
||||||
|
|
||||||
app:
|
app:
|
||||||
image: "quay.io/keycloak/keycloak:{{ services.keycloak.version }}"
|
image: quay.io/keycloak/keycloak:{{ services.keycloak.version }}
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- "keycloak"
|
- keycloak
|
||||||
- "postfix"
|
- postfix
|
||||||
- "external_services"
|
- external_services
|
||||||
command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth"
|
command: start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak
|
||||||
|
--db-username=keycloak --db-password={{ postgres_passwords.keycloak
|
||||||
|
}} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080
|
||||||
|
--http-relative-path=/auth
|
||||||
environment:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.keycloak.domain }}"
|
VIRTUAL_HOST: '{{ services.keycloak.domain }}'
|
||||||
VIRTUAL_PORT: "8080"
|
VIRTUAL_PORT: '8080'
|
||||||
LETSENCRYPT_HOST: "{{ services.keycloak.domain }}"
|
LETSENCRYPT_HOST: '{{ services.keycloak.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
keycloak:
|
keycloak:
|
||||||
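Review bot: The reflowed `command:` still passes `--db-password={{ postgres_passwords.keycloak }}` on the container command line, which is world-readable on the host through `ps` and `/proc/<pid>/cmdline` and is echoed by `docker inspect`, so any local account can read the Keycloak database password; an environment variable is only readable by the process owner and root. The Quarkus `start` invocation used here accepts the same option as `KC_DB_PASSWORD`, so the argument can simply move into `environment:`. The reflow itself is also fragile: `{{ postgres_passwords.keycloak` and `}}` now sit on different lines of a plain scalar and only work because YAML folds the break into a space inside the braces; a folded block scalar `>-` says that intent explicitly and survives the next formatter run. The surrounding `environment:` entries for nginx-proxy are unchanged.
```yaml
command: >-
  start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak
  --db-username=keycloak --hostname={{ services.keycloak.domain }}
  --proxy=edge --https-port=8080 --http-relative-path=/auth
environment:
  KC_DB_PASSWORD: '{{ postgres_passwords.keycloak }}'
  # … unchanged: VIRTUAL_HOST, VIRTUAL_PORT, LETSENCRYPT_HOST, LETSENCRYPT_EMAIL …
```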
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: create mailu volume folders
|
- name: create mailu volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.mailu.volume_folder }}/{{ volume }}"
|
name: '{{ services.mailu.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
loop:
|
loop:
|
||||||
- redis
|
- redis
|
||||||
|
@ -18,30 +18,32 @@
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: upload mailu.env file
|
- name: upload mailu.env file
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: mailu.env.j2
|
src: mailu.env.j2
|
||||||
dest: "{{ services.mailu.volume_folder}}/mailu.env"
|
dest: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
|
|
||||||
- name: hard link to Let's Encrypt TLS certificate
|
- name: hard link to Let's Encrypt TLS certificate
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/fullchain.pem"
|
src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
|
||||||
dest: "{{ services.mailu.volume_folder }}/certs/cert.pem"
|
}}/fullchain.pem'
|
||||||
|
dest: '{{ services.mailu.volume_folder }}/certs/cert.pem'
|
||||||
state: hard
|
state: hard
|
||||||
force: yes
|
force: true
|
||||||
when: letsencrypt_enabled
|
when: letsencrypt_enabled
|
||||||
|
|
||||||
- name: hard link to Let's Encrypt TLS key
|
- name: hard link to Let's Encrypt TLS key
|
||||||
file:
|
ansible.builtin.file:
|
||||||
src: "{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain }}/key.pem"
|
src: '{{ services.nginx_proxy.volume_folder }}/certs/{{ services.mailu.domain
|
||||||
dest: "{{ services.mailu.volume_folder }}/certs/key.pem"
|
}}/key.pem'
|
||||||
|
dest: '{{ services.mailu.volume_folder }}/certs/key.pem'
|
||||||
state: hard
|
state: hard
|
||||||
force: yes
|
force: true
|
||||||
when: letsencrypt_enabled
|
when: letsencrypt_enabled
|
||||||
|
|
||||||
- name: run mail server containers
|
- name: run mail server containers
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: mail_server
|
project_name: mail_server
|
||||||
pull: yes
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: '3.6'
|
version: '3.6'
|
||||||
services:
|
services:
|
||||||
|
@ -49,15 +51,15 @@
|
||||||
image: redis:alpine
|
image: redis:alpine
|
||||||
restart: always
|
restart: always
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/redis:/data"
|
- '{{ services.mailu.volume_folder }}/redis:/data'
|
||||||
|
|
||||||
database:
|
database:
|
||||||
image: mailu/postgresql:{{ services.mailu.version }}
|
image: mailu/postgresql:{{ services.mailu.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/data/psql_db:/data"
|
- '{{ services.mailu.volume_folder }}/data/psql_db:/data'
|
||||||
- "{{ services.mailu.volume_folder }}/data/psql_backup:/backup"
|
- '{{ services.mailu.volume_folder }}/data/psql_backup:/backup'
|
||||||
networks:
|
networks:
|
||||||
- default
|
- default
|
||||||
- external_services
|
- external_services
|
||||||
|
@ -65,21 +67,21 @@
|
||||||
front:
|
front:
|
||||||
image: mailu/nginx:{{ services.mailu.version }}
|
image: mailu/nginx:{{ services.mailu.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
environment:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.mailu.domain }}"
|
VIRTUAL_HOST: '{{ services.mailu.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.mailu.domain }}"
|
LETSENCRYPT_HOST: '{{ services.mailu.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/certs:/certs"
|
- '{{ services.mailu.volume_folder }}/certs:/certs'
|
||||||
- "{{ services.mailu.volume_folder }}/overrides/nginx:/overrides"
|
- '{{ services.mailu.volume_folder }}/overrides/nginx:/overrides'
|
||||||
expose:
|
expose:
|
||||||
- "80"
|
- '80'
|
||||||
ports:
|
ports:
|
||||||
- "993:993"
|
- 993:993
|
||||||
- "25:25"
|
- 25:25
|
||||||
- "587:587"
|
- 587:587
|
||||||
- "465:465"
|
- 465:465
|
||||||
networks:
|
networks:
|
||||||
- default
|
- default
|
||||||
- external_services
|
- external_services
|
||||||
|
@ -87,68 +89,68 @@
|
||||||
resolver:
|
resolver:
|
||||||
image: mailu/unbound:{{ services.mailu.version }}
|
image: mailu/unbound:{{ services.mailu.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
networks:
|
networks:
|
||||||
default:
|
default:
|
||||||
ipv4_address: "{{ services.mailu.dns }}"
|
ipv4_address: '{{ services.mailu.dns }}'
|
||||||
|
|
||||||
admin:
|
admin:
|
||||||
image: mailu/admin:{{ services.mailu.version }}
|
image: mailu/admin:{{ services.mailu.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/data:/data"
|
- '{{ services.mailu.volume_folder }}/data:/data'
|
||||||
- "{{ services.mailu.volume_folder }}/dkim:/dkim"
|
- '{{ services.mailu.volume_folder }}/dkim:/dkim'
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis
|
- redis
|
||||||
|
|
||||||
imap:
|
imap:
|
||||||
image: mailu/dovecot:{{ services.mailu.version }}
|
image: mailu/dovecot:{{ services.mailu.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/mail:/mail"
|
- '{{ services.mailu.volume_folder }}/mail:/mail'
|
||||||
- "{{ services.mailu.volume_folder }}/overrides:/overrides"
|
- '{{ services.mailu.volume_folder }}/overrides:/overrides'
|
||||||
depends_on:
|
depends_on:
|
||||||
- front
|
- front
|
||||||
|
|
||||||
smtp:
|
smtp:
|
||||||
image: mailu/postfix:{{ services.mailu.version }}
|
image: mailu/postfix:{{ services.mailu.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/overrides:/overrides"
|
- '{{ services.mailu.volume_folder }}/overrides:/overrides'
|
||||||
depends_on:
|
depends_on:
|
||||||
- front
|
- front
|
||||||
- resolver
|
- resolver
|
||||||
dns:
|
dns:
|
||||||
- "{{ services.mailu.dns }}"
|
- '{{ services.mailu.dns }}'
|
||||||
|
|
||||||
antispam:
|
antispam:
|
||||||
image: mailu/rspamd:{{ services.mailu.version }}
|
image: mailu/rspamd:{{ services.mailu.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd"
|
- '{{ services.mailu.volume_folder }}/filter:/var/lib/rspamd'
|
||||||
- "{{ services.mailu.volume_folder }}/dkim:/dkim"
|
- '{{ services.mailu.volume_folder }}/dkim:/dkim'
|
||||||
- "{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
|
- '{{ services.mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d'
|
||||||
depends_on:
|
depends_on:
|
||||||
- front
|
- front
|
||||||
- resolver
|
- resolver
|
||||||
dns:
|
dns:
|
||||||
- "{{ services.mailu.dns }}"
|
- '{{ services.mailu.dns }}'
|
||||||
|
|
||||||
webmail:
|
webmail:
|
||||||
image: mailu/rainloop:1.6
|
image: mailu/rainloop:1.6
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mailu.volume_folder}}/mailu.env"
|
env_file: '{{ services.mailu.volume_folder}}/mailu.env'
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mailu.volume_folder }}/webmail:/data"
|
- '{{ services.mailu.volume_folder }}/webmail:/data'
|
||||||
depends_on:
|
depends_on:
|
||||||
- front
|
- front
|
||||||
- resolver
|
- resolver
|
||||||
dns:
|
dns:
|
||||||
- "{{ services.mailu.dns }}"
|
- '{{ services.mailu.dns }}'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
default:
|
default:
|
||||||
|
@ -156,7 +158,7 @@
|
||||||
ipam:
|
ipam:
|
||||||
driver: default
|
driver: default
|
||||||
config:
|
config:
|
||||||
- subnet: "{{ services.mailu.subnet }}"
|
- subnet: '{{ services.mailu.subnet }}'
|
||||||
external_services:
|
external_services:
|
||||||
external:
|
external:
|
||||||
name: external_services
|
name: external_services
|
||||||
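Review bot: Unquoting the port mappings on the `front` service breaks SMTP: under the YAML 1.1 rules PyYAML applies (and Ansible's loader inherits), a plain `25:25` matches the sexagesimal integer form and loads as `1525`, so compose publishes host port 1525 instead of 25 and inbound mail silently stops. Only mappings whose part after the colon is 00–59 are affected, which is why `993:993`, `587:587` and `465:465` still load as strings and the regression is easy to miss in a review of the rendered diff. Restore the quotes the old side had, `- "25:25"`, and quote the other three for consistency; if yamlfix cannot be told to preserve quotes on these lines, exclude this file from that hook, otherwise the next run reintroduces the bug. The `ports:` list is complete within this hunk.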
@ -1,30 +1,32 @@
|
||||||
|
---
|
||||||
- name: create mastodon volume folders
|
- name: create mastodon volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.mastodon.volume_folder }}/{{ volume }}"
|
name: '{{ services.mastodon.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
owner: "991"
|
owner: '991'
|
||||||
group: "991"
|
group: '991'
|
||||||
loop:
|
loop:
|
||||||
- "postgres_data"
|
- postgres_data
|
||||||
- "redis_data"
|
- redis_data
|
||||||
- "mastodon_data"
|
- mastodon_data
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: Copy mastodon environment file
|
- name: Copy mastodon environment file
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/mastodon/env_file.j2
|
src: files/configs/mastodon/env_file.j2
|
||||||
dest: "{{ services.mastodon.volume_folder }}/env_file"
|
dest: '{{ services.mastodon.volume_folder }}/env_file'
|
||||||
|
|
||||||
- name: upload vhost config for root domain
|
- name: upload vhost config for root domain
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/mastodon/vhost-mastodon
|
src: files/configs/mastodon/vhost-mastodon
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain }}"
|
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.mastodon.domain
|
||||||
|
}}'
|
||||||
|
|
||||||
- name: set up mastodon
|
- name: set up mastodon
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: mastodon
|
project_name: mastodon
|
||||||
pull: yes
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
|
@ -35,11 +37,11 @@
|
||||||
networks:
|
networks:
|
||||||
- internal_network
|
- internal_network
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ['CMD', 'pg_isready', '-U', 'postgres']
|
test: [CMD, pg_isready, -U, postgres]
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data"
|
- '{{ services.mastodon.volume_folder }}/postgres_data:/var/lib/postgresql/data'
|
||||||
environment:
|
environment:
|
||||||
- 'POSTGRES_HOST_AUTH_METHOD=trust'
|
- POSTGRES_HOST_AUTH_METHOD=trust
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
restart: always
|
restart: always
|
||||||
|
@ -47,58 +49,59 @@
|
||||||
networks:
|
networks:
|
||||||
- internal_network
|
- internal_network
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ['CMD', 'redis-cli', 'ping']
|
test: [CMD, redis-cli, ping]
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mastodon.volume_folder }}/redis_data:/data"
|
- '{{ services.mastodon.volume_folder }}/redis_data:/data'
|
||||||
|
|
||||||
web:
|
web:
|
||||||
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
|
image: tootsuite/mastodon:{{ services.mastodon.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mastodon.volume_folder }}/env_file"
|
env_file: '{{ services.mastodon.volume_folder }}/env_file'
|
||||||
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
|
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails
|
||||||
|
s -p 3000"
|
||||||
networks:
|
networks:
|
||||||
- external_services
|
- external_services
|
||||||
- internal_network
|
- internal_network
|
||||||
healthcheck:
|
healthcheck:
|
||||||
# prettier-ignore
|
test: |
|
||||||
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']
|
[CMD-SHELL, wget -q --spider --proxy=off localhost:3000/health || exit 1]
|
||||||
depends_on:
|
depends_on:
|
||||||
- db
|
- db
|
||||||
- redis
|
- redis
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
|
- '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
|
||||||
environment:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
|
VIRTUAL_HOST: '{{ services.mastodon.domain }}'
|
||||||
VIRTUAL_PORT: "3000"
|
VIRTUAL_PORT: '3000'
|
||||||
VIRTUAL_PATH: "/"
|
VIRTUAL_PATH: /
|
||||||
LETSENCRYPT_HOST: "{{ services.mastodon.domain }}"
|
LETSENCRYPT_HOST: '{{ services.mastodon.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
|
||||||
streaming:
|
streaming:
|
||||||
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
|
image: tootsuite/mastodon:{{ services.mastodon.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mastodon.volume_folder }}/env_file"
|
env_file: '{{ services.mastodon.volume_folder }}/env_file'
|
||||||
command: node ./streaming
|
command: node ./streaming
|
||||||
networks:
|
networks:
|
||||||
- external_services
|
- external_services
|
||||||
- internal_network
|
- internal_network
|
||||||
healthcheck:
|
healthcheck:
|
||||||
# prettier-ignore
|
test: |
|
||||||
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
|
[CMD-SHELL, wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1]
|
||||||
ports:
|
ports:
|
||||||
- '127.0.0.1:4000:4000'
|
- 127.0.0.1:4000:4000
|
||||||
depends_on:
|
depends_on:
|
||||||
- db
|
- db
|
||||||
- redis
|
- redis
|
||||||
environment:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.mastodon.domain }}"
|
VIRTUAL_HOST: '{{ services.mastodon.domain }}'
|
||||||
VIRTUAL_PORT: "4000"
|
VIRTUAL_PORT: '4000'
|
||||||
VIRTUAL_PATH: "/api/v1/streaming"
|
VIRTUAL_PATH: /api/v1/streaming
|
||||||
|
|
||||||
sidekiq:
|
sidekiq:
|
||||||
image: "tootsuite/mastodon:{{ services.mastodon.version }}"
|
image: tootsuite/mastodon:{{ services.mastodon.version }}
|
||||||
restart: always
|
restart: always
|
||||||
env_file: "{{ services.mastodon.volume_folder }}/env_file"
|
env_file: '{{ services.mastodon.volume_folder }}/env_file'
|
||||||
command: bundle exec sidekiq -c 32
|
command: bundle exec sidekiq -c 32
|
||||||
environment:
|
environment:
|
||||||
DB_POOL: 32
|
DB_POOL: 32
|
||||||
|
@ -110,9 +113,9 @@
|
||||||
- external_services
|
- external_services
|
||||||
- internal_network
|
- internal_network
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system"
|
- '{{ services.mastodon.volume_folder }}/mastodon_data:/mastodon/public/system'
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
|
test: [CMD-SHELL, "ps aux | grep '[s]idekiq 6' || false"]
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
external_services:
|
external_services:
|
||||||
|
@ -120,4 +123,4 @@
|
||||||
postfix:
|
postfix:
|
||||||
external: true
|
external: true
|
||||||
internal_network:
|
internal_network:
|
||||||
internal: true
|
internal: true
|
||||||
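Review bot: As rendered, the `web` and `streaming` healthchecks are no longer command arrays: `test: |` opens a literal block scalar, so compose receives the single string `[CMD-SHELL, wget -q --spider --proxy=off localhost:3000/health || exit 1]` and runs it via `/bin/sh -c`, where the leading `[` is the test builtin, finds no closing `]` and fails, so both containers report unhealthy on every probe. The old flow-sequence form was correct; put it back on one line, `test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:3000/health || exit 1']` (and likewise for `localhost:4000/api/v1/streaming/health`), and raise the formatter's line-length limit or exclude these lines rather than let it reflow them into a block scalar; the `sidekiq` check further down kept its flow style and is fine. Pre-existing but visible here, `POSTGRES_HOST_AUTH_METHOD=trust` on `db` lets every container on `internal_network` log in as the postgres superuser without a password, which is tolerable only while that network stays `internal: true` and carries nothing but these services.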
@ -1,73 +1,76 @@
|
||||||
---
|
---
|
||||||
- name: create matrix volume folders
|
- name: create matrix volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.matrix.volume_folder }}/{{ volume }}"
|
name: '{{ services.matrix.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
owner: "991"
|
owner: '991'
|
||||||
group: "991"
|
group: '991'
|
||||||
loop:
|
loop:
|
||||||
- "data"
|
- data
|
||||||
- "data/uploads"
|
- data/uploads
|
||||||
- "data/media"
|
- data/media
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: create matrix DB folder
|
- name: create matrix DB folder
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.matrix.volume_folder }}/db"
|
name: '{{ services.matrix.volume_folder }}/db'
|
||||||
state: "directory"
|
state: directory
|
||||||
|
|
||||||
- name: create riot volume folders
|
- name: create riot volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.riot.volume_folder }}/{{ volume }}"
|
name: '{{ services.riot.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
loop:
|
loop:
|
||||||
- "data"
|
- data
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: upload riot config.json
|
- name: upload riot config.json
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/riot/config.json
|
src: files/configs/riot/config.json
|
||||||
dest: "{{ services.riot.volume_folder }}/data/config.json"
|
dest: '{{ services.riot.volume_folder }}/data/config.json'
|
||||||
|
|
||||||
- name: upload riot.im.conf
|
- name: upload riot.im.conf
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/riot/riot.im.conf
|
src: files/configs/riot/riot.im.conf
|
||||||
dest: "{{ services.riot.volume_folder }}/data/riot.im.conf"
|
dest: '{{ services.riot.volume_folder }}/data/riot.im.conf'
|
||||||
|
|
||||||
- name: upload vhost config for root domain
|
- name: upload vhost config for root domain
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/matrix/vhost-root
|
src: files/configs/matrix/vhost-root
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}"
|
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ base_domain }}'
|
||||||
|
|
||||||
- name: upload vhost config for matrix domain
|
- name: upload vhost config for matrix domain
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/matrix/vhost-matrix
|
src: files/configs/matrix/vhost-matrix
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain }}"
|
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.matrix.domain
|
||||||
|
}}'
|
||||||
|
|
||||||
- name: upload vhost config for riot domain
|
- name: upload vhost config for riot domain
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/matrix/vhost-riot
|
src: files/configs/matrix/vhost-riot
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ item }}"
|
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ domain }}'
|
||||||
loop: "{{ services.riot.domains }}"
|
loop: '{{ services.riot.domains }}'
|
||||||
|
loop_control:
|
||||||
|
loop_var: domain
|
||||||
|
|
||||||
- name: upload homeserver.yaml
|
- name: upload homeserver.yaml
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "files/configs/matrix/homeserver.yaml.j2"
|
src: files/configs/matrix/homeserver.yaml.j2
|
||||||
dest: "{{ services.matrix.volume_folder }}/data/homeserver.yaml"
|
dest: '{{ services.matrix.volume_folder }}/data/homeserver.yaml'
|
||||||
|
|
||||||
- name: upload matrix logging config
|
- name: upload matrix logging config
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "files/configs/matrix/matrix.data.coop.log.config"
|
src: files/configs/matrix/matrix.data.coop.log.config
|
||||||
dest: "{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config"
|
dest: '{{ services.matrix.volume_folder }}/data/matrix.data.coop.log.config'
|
||||||
|
|
||||||
- name: set up matrix and riot
|
- name: set up matrix and riot
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: matrix
|
project_name: matrix
|
||||||
pull: yes
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: "3.6"
|
version: '3.6'
|
||||||
services:
|
services:
|
||||||
matrix_db:
|
matrix_db:
|
||||||
container_name: matrix_db
|
container_name: matrix_db
|
||||||
|
@ -76,10 +79,10 @@
|
||||||
networks:
|
networks:
|
||||||
- matrix
|
- matrix
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data"
|
- '{{ services.matrix.volume_folder }}/db:/var/lib/postgresql/data'
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_USER: "synapse"
|
POSTGRES_USER: synapse
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.matrix }}'
|
||||||
|
|
||||||
matrix_app:
|
matrix_app:
|
||||||
container_name: matrix
|
container_name: matrix
|
||||||
|
@ -89,15 +92,15 @@
|
||||||
- matrix
|
- matrix
|
||||||
- external_services
|
- external_services
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.matrix.volume_folder }}/data:/data"
|
- '{{ services.matrix.volume_folder }}/data:/data'
|
||||||
environment:
|
environment:
|
||||||
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
|
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
|
||||||
SYNAPSE_CACHE_FACTOR: "2"
|
SYNAPSE_CACHE_FACTOR: '2'
|
||||||
SYNAPSE_LOG_LEVEL: "INFO"
|
SYNAPSE_LOG_LEVEL: INFO
|
||||||
VIRTUAL_HOST: "{{ services.matrix.domain }}"
|
VIRTUAL_HOST: '{{ services.matrix.domain }}'
|
||||||
VIRTUAL_PORT: "8008"
|
VIRTUAL_PORT: '8008'
|
||||||
LETSENCRYPT_HOST: "{{ services.matrix.domain }}"
|
LETSENCRYPT_HOST: '{{ services.matrix.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
|
||||||
riot:
|
riot:
|
||||||
container_name: riot_app
|
container_name: riot_app
|
||||||
|
@ -109,16 +112,16 @@
|
||||||
expose:
|
expose:
|
||||||
- 8080
|
- 8080
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.riot.volume_folder }}/data:/data"
|
- '{{ services.riot.volume_folder }}/data:/data'
|
||||||
environment:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
|
VIRTUAL_HOST: "{{ services.riot.domains|join(',') }}"
|
||||||
VIRTUAL_PORT: "8080"
|
VIRTUAL_PORT: '8080'
|
||||||
LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
|
LETSENCRYPT_HOST: "{{ services.riot.domains|join(',') }}"
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
external_services:
|
external_services:
|
||||||
external:
|
external:
|
||||||
name: external_services
|
name: external_services
|
||||||
matrix:
|
matrix:
|
||||||
name: "matrix"
|
name: matrix
|
||||||
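Review bot: The `upload homeserver.yaml` task (and the logging-config and riot `config.json` tasks beside it) renders with `ansible.builtin.template` but sets no `owner`, `group` or `mode`, so the file takes the host umask default, typically world-readable 0644, and is owned by the Ansible user rather than the uid 991 the data directories above are chowned to. A Synapse `homeserver.yaml` normally carries `registration_shared_secret` and `macaroon_secret_key` — confirm against the template, which is not in this diff — so it deserves what the `copy sso public certificate` task already does for its file, but tighter: `owner: '991'`, `group: '991'`, `mode: '0600'`. The same gap applies to the templated mastodon `env_file` and `mailu.env`, which are consumed as `env_file` by database containers and so presumably carry credentials.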
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: run membersystem containers
|
- name: run membersystem containers
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: "member.data.coop"
|
project_name: member.data.coop
|
||||||
pull: yes
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: "3"
|
version: '3'
|
||||||
services:
|
services:
|
||||||
backend:
|
backend:
|
||||||
image: docker.data.coop/membersystem:latest
|
image: docker.data.coop/membersystem:latest
|
||||||
|
@ -19,32 +19,33 @@
|
||||||
- external_services
|
- external_services
|
||||||
- postfix
|
- postfix
|
||||||
environment:
|
environment:
|
||||||
SECRET_KEY: "{{ membersystem_secrets.secret_key }}"
|
SECRET_KEY: '{{ membersystem_secrets.secret_key }}'
|
||||||
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem }}@postgres:5432/postgres
|
DATABASE_URL: postgres://postgres:{{ postgres_passwords.membersystem
|
||||||
|
}}@postgres:5432/postgres
|
||||||
POSTGRES_HOST: postgres
|
POSTGRES_HOST: postgres
|
||||||
POSTGRES_PORT: 5432
|
POSTGRES_PORT: 5432
|
||||||
EMAIL_BACKEND: "django.core.mail.backends.smtp.EmailBackend"
|
EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
|
||||||
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
|
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
|
||||||
VIRTUAL_HOST: "{{ services.membersystem.domain }}"
|
VIRTUAL_HOST: '{{ services.membersystem.domain }}'
|
||||||
VIRTUAL_PORT: "8000"
|
VIRTUAL_PORT: '8000'
|
||||||
LETSENCRYPT_HOST: "{{ services.membersystem.domain }}"
|
LETSENCRYPT_HOST: '{{ services.membersystem.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
ALLOWED_HOSTS: "{{ services.membersystem.domain }}"
|
ALLOWED_HOSTS: '{{ services.membersystem.domain }}'
|
||||||
CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
|
CSRF_TRUSTED_ORIGINS: https://{{ services.membersystem.domain }}
|
||||||
DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
|
DJANGO_ADMINS: '{{ services.membersystem.django_admins }}'
|
||||||
DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
|
DEFAULT_FROM_EMAIL: noreply@{{ services.membersystem.domain }}
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
|
||||||
|
|
||||||
postgres:
|
postgres:
|
||||||
image: postgres:13-alpine
|
image: postgres:13-alpine
|
||||||
restart: always
|
restart: always
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data"
|
- '{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data'
|
||||||
networks:
|
networks:
|
||||||
- membersystem
|
- membersystem
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.membersystem }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.membersystem }}'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
membersystem:
|
membersystem:
|
||||||
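Review bot: `DATABASE_URL` is now a plain scalar broken across two lines with the Jinja expression split between them (`{{ postgres_passwords.membersystem` / `}}@postgres:5432/postgres`); YAML folds the line break into a single space inside the braces, so it still renders, but only because Jinja tolerates whitespace there, and the split hides the credential from a grep for the variable name. Quote it on one line and let the formatter's line-length setting accommodate it: `DATABASE_URL: "postgres://postgres:{{ postgres_passwords.membersystem | urlencode }}@postgres:5432/postgres"` — `urlencode` also stops a generated password containing `@`, `/` or `%` from being parsed as host or path, which the raw `POSTGRES_PASSWORD` on the `postgres` service below does not need. Minor: `POSTGRES_PORT: 5432` is the only non-string value in this `environment:` block; `'5432'` keeps it uniform with `VIRTUAL_PORT: '8000'` next to it.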
@ -1,11 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup netdata docker container for system monitoring
|
- name: setup netdata docker container for system monitoring
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: netdata
|
name: netdata
|
||||||
image: netdata/netdata:{{ services.netdata.version }}
|
image: netdata/netdata:{{ services.netdata.version }}
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
hostname: "hevonen.servers.{{ base_domain }}"
|
hostname: hevonen.servers.{{ base_domain }}
|
||||||
capabilities:
|
capabilities:
|
||||||
- SYS_PTRACE
|
- SYS_PTRACE
|
||||||
security_opts:
|
security_opts:
|
||||||
|
@ -17,11 +17,9 @@
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST : "{{ services.netdata.domain }}"
|
VIRTUAL_HOST: '{{ services.netdata.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
|
LETSENCRYPT_HOST: '{{ services.netdata.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
PGID: "999"
|
PGID: '999'
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
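Review bot: The task keeps `capabilities:` / `- SYS_PTRACE` and a `security_opts:` entry whose value falls between the two hunks, with no comment saying why a monitoring agent needs them; SYS_PTRACE lets the process read other processes' memory in whatever PID namespace it shares, so it deserves a why-comment rather than being carried forward silently by a lint-only change. Suggested line above `- SYS_PTRACE`: `# SYS_PTRACE: needed by netdata's apps.plugin for per-process metrics; drop if that plugin is disabled`. `PGID: '999'` is presumably the host's docker group so netdata can reach the Docker socket; if a socket mount exists in the part of the task outside these hunks, it should carry a note that group read access to the socket is full Docker API access, not read-only monitoring.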
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,75 +1,76 @@
|
||||||
---
|
---
|
||||||
- name: upload vhost config for cloud.data.coop
|
- name: upload vhost config for cloud.data.coop
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/nextcloud/vhost
|
src: files/configs/nextcloud/vhost
|
||||||
dest: "{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain }}"
|
dest: '{{ services.nginx_proxy.volume_folder }}/vhost/{{ services.nextcloud.domain
|
||||||
notify: "restart nginx"
|
}}'
|
||||||
|
notify: restart nginx
|
||||||
|
|
||||||
- name: setup nextcloud containers
|
- name: setup nextcloud containers
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: "nextcloud"
|
project_name: nextcloud
|
||||||
pull: "yes"
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
services:
|
services:
|
||||||
postgres:
|
postgres:
|
||||||
image: "postgres:10"
|
image: postgres:10
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- "nextcloud"
|
- nextcloud
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
|
- '{{ services.nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data'
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_DB: "nextcloud"
|
POSTGRES_DB: nextcloud
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
|
||||||
POSTGRES_USER: "nextcloud"
|
POSTGRES_USER: nextcloud
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
image: "redis:7-alpine"
|
image: redis:7-alpine
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}"
|
command: redis-server --requirepass {{ nextcloud_secrets.redis_password
|
||||||
|
}}
|
||||||
tmpfs:
|
tmpfs:
|
||||||
- /var/lib/redis
|
- /var/lib/redis
|
||||||
networks:
|
networks:
|
||||||
- "nextcloud"
|
- nextcloud
|
||||||
|
|
||||||
cron:
|
cron:
|
||||||
image: "nextcloud:{{ services.nextcloud.version }}"
|
image: nextcloud:{{ services.nextcloud.version }}
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
entrypoint: "/cron.sh"
|
entrypoint: /cron.sh
|
||||||
networks:
|
networks:
|
||||||
- "nextcloud"
|
- nextcloud
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
|
- '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
|
||||||
depends_on:
|
depends_on:
|
||||||
- "postgres"
|
- postgres
|
||||||
- "redis"
|
- redis
|
||||||
|
|
||||||
app:
|
app:
|
||||||
image: "nextcloud:{{ services.nextcloud.version }}"
|
image: nextcloud:{{ services.nextcloud.version }}
|
||||||
restart: "unless-stopped"
|
restart: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- "nextcloud"
|
- nextcloud
|
||||||
- "postfix"
|
- postfix
|
||||||
- "external_services"
|
- external_services
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.nextcloud.volume_folder }}/app:/var/www/html"
|
- '{{ services.nextcloud.volume_folder }}/app:/var/www/html'
|
||||||
environment:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.nextcloud.domain }}"
|
VIRTUAL_HOST: '{{ services.nextcloud.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.nextcloud.domain }}"
|
LETSENCRYPT_HOST: '{{ services.nextcloud.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
POSTGRES_HOST: "postgres"
|
POSTGRES_HOST: postgres
|
||||||
POSTGRES_DB: "nextcloud"
|
POSTGRES_DB: nextcloud
|
||||||
POSTGRES_USER: "nextcloud"
|
POSTGRES_USER: nextcloud
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.nextcloud }}'
|
||||||
REDIS_HOST: "redis"
|
REDIS_HOST: redis
|
||||||
REDIS_HOST_PASSWORD: "{{ nextcloud_secrets.redis_password }}"
|
REDIS_HOST_PASSWORD: '{{ nextcloud_secrets.redis_password }}'
|
||||||
depends_on:
|
depends_on:
|
||||||
- "postgres"
|
- postgres
|
||||||
- "redis"
|
- redis
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
nextcloud:
|
nextcloud:
|
||||||
postfix:
|
postfix:
|
||||||
external: true
|
external: true
|
||||||
external_services:
|
external_services:
|
||||||
external: true
|
external: true
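Review bot: The Redis password is passed on the process command line at `command: redis-server --requirepass {{ nextcloud_secrets.redis_password }}`, where it is visible via `docker inspect`, `/proc/<pid>/cmdline` inside the container and any verbose or failed Ansible output; yamlfix has additionally wrapped that Jinja expression over two lines, which only loads correctly because plain-scalar folding turns the break into a space. The task itself has no `no_log: true`, so a failed run prints the whole definition including `POSTGRES_PASSWORD` and `REDIS_HOST_PASSWORD`. Add `no_log: true` next to `pull: true`, move the password into a mounted config (`command: redis-server /usr/local/etc/redis/redis.conf` with `requirepass` inside the file) so it leaves the command line, and keep the expression on one line (raise yamlfix's `line_length` for this repo rather than letting it split templates). `image: postgres:10` also reached upstream end of life in November 2022 and no longer receives security fixes, so the pin should move to a supported major with a planned dump/restore, since the data directory format differs.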
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: create nginx-proxy volume folders
|
- name: create nginx-proxy volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.nginx_proxy.volume_folder }}/{{ volume }}"
|
name: '{{ services.nginx_proxy.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
loop:
|
loop:
|
||||||
- conf
|
- conf
|
||||||
|
@ -14,35 +14,34 @@
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: nginx proxy container
|
- name: nginx proxy container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: nginx-proxy
|
name: nginx-proxy
|
||||||
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
|
image: nginxproxy/nginx-proxy:{{ services.nginx_proxy.version }}
|
||||||
restart_policy: always
|
restart_policy: always
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
published_ports:
|
published_ports:
|
||||||
- "80:80"
|
- 80:80
|
||||||
- "443:443"
|
- 443:443
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d"
|
- '{{ services.nginx_proxy.volume_folder }}/conf:/etc/nginx/conf.d'
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
|
- '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
|
- '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam"
|
- '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam'
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro"
|
- '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs:ro'
|
||||||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||||
|
|
||||||
- name: nginx letsencrypt container
|
- name: nginx letsencrypt container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: nginx-proxy-le
|
name: nginx-proxy-le
|
||||||
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
|
image: nginxproxy/acme-companion:{{ services.nginx_acme_companion.version }}
|
||||||
restart_policy: always
|
restart_policy: always
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d"
|
- '{{ services.nginx_proxy.volume_folder }}/vhost:/etc/nginx/vhost.d'
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html"
|
- '{{ services.nginx_proxy.volume_folder }}/html:/usr/share/nginx/html'
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
|
- '{{ services.nginx_proxy.volume_folder }}/dhparam:/etc/nginx/dhparam:ro'
|
||||||
- "{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs"
|
- '{{ services.nginx_proxy.volume_folder }}/certs:/etc/nginx/certs'
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
env:
|
env:
|
||||||
NGINX_PROXY_CONTAINER: nginx-proxy
|
NGINX_PROXY_CONTAINER: nginx-proxy
|
||||||
when: letsencrypt_enabled
|
when: letsencrypt_enabled
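Review bot: Both containers bind-mount the Docker socket (`/var/run/docker.sock:/tmp/docker.sock:ro` and `/var/run/docker.sock:/var/run/docker.sock:ro`) and the `:ro` suffix gives a false sense of safety: it only makes the socket node read-only on the mount, while any process that can connect to it can issue every Docker API call, including starting privileged containers, so a compromise of the internet-facing proxy on `80:80`/`443:443` is a host-root compromise. The commit does not change this, but the lines deserve a comment so the next reader does not read `:ro` as a restriction, e.g. `# NOTE: :ro does not limit the Docker API; this container has full control of the daemon`, and ideally a socket proxy that exposes only the events/containers endpoints nginx-proxy needs. Also, yamlfix stripped the quotes from `published_ports` (`80:80`, `443:443`); these survive PyYAML's YAML 1.1 sexagesimal resolver only because the right-hand field is not a value 0–59, whereas a future `22:22` would load as the integer 1342, so port mappings should stay quoted (`- "80:80"`) even if the formatter disagrees.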
|
||||||
|
|
||||||
|
|
|
@ -1,62 +1,62 @@
|
||||||
---
|
---
|
||||||
- name: create ldap volume folders
|
- name: create ldap volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.openldap.volume_folder }}/{{ volume }}"
|
name: '{{ services.openldap.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
loop:
|
loop:
|
||||||
- "var/lib/ldap"
|
- var/lib/ldap
|
||||||
- "etc/slapd"
|
- etc/slapd
|
||||||
- "certs"
|
- certs
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: Create a network for ldap
|
- name: Create a network for ldap
|
||||||
docker_network:
|
community.docker.docker_network:
|
||||||
name: ldap
|
name: ldap
|
||||||
|
|
||||||
- name: openLDAP container
|
- name: openLDAP container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: openldap
|
name: openldap
|
||||||
image: osixia/openldap:{{ services.openldap.version }}
|
image: osixia/openldap:{{ services.openldap.version }}
|
||||||
tty: true
|
tty: true
|
||||||
interactive: true
|
interactive: true
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
|
- '{{ services.openldap.volume_folder }}/var/lib/ldap:/var/lib/ldap'
|
||||||
- "{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
|
- '{{ services.openldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d'
|
||||||
- "{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
|
- '{{ services.openldap.volume_folder }}/certs:/container/service/slapd/assets/certs/'
|
||||||
published_ports:
|
published_ports:
|
||||||
- "389:389"
|
- 389:389
|
||||||
- "636:636"
|
- 636:636
|
||||||
hostname: "{{ services.openldap.domain }}"
|
hostname: '{{ services.openldap.domain }}'
|
||||||
domainname: "{{ services.openldap.domain }}" # important: same as hostname
|
domainname: '{{ services.openldap.domain }}' # important: same as hostname
|
||||||
networks:
|
networks:
|
||||||
- name: ldap
|
- name: ldap
|
||||||
env:
|
env:
|
||||||
LDAP_LOG_LEVEL: "256"
|
LDAP_LOG_LEVEL: '256'
|
||||||
LDAP_ORGANISATION: "{{ base_domain }}"
|
LDAP_ORGANISATION: '{{ base_domain }}'
|
||||||
LDAP_DOMAIN: "{{ base_domain }}"
|
LDAP_DOMAIN: '{{ base_domain }}'
|
||||||
LDAP_BASE_DN: ""
|
LDAP_BASE_DN: ''
|
||||||
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
|
LDAP_ADMIN_PASSWORD: '{{ ldap_admin_password }}'
|
||||||
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
|
LDAP_CONFIG_PASSWORD: '{{ ldap_config_password }}'
|
||||||
LDAP_READONLY_USER: "false"
|
LDAP_READONLY_USER: 'false'
|
||||||
LDAP_RFC2307BIS_SCHEMA: "false"
|
LDAP_RFC2307BIS_SCHEMA: 'false'
|
||||||
LDAP_BACKEND: "mdb"
|
LDAP_BACKEND: mdb
|
||||||
LDAP_TLS: "true"
|
LDAP_TLS: 'true'
|
||||||
LDAP_TLS_CRT_FILENAME: "ldap.crt"
|
LDAP_TLS_CRT_FILENAME: ldap.crt
|
||||||
LDAP_TLS_KEY_FILENAME: "ldap.key"
|
LDAP_TLS_KEY_FILENAME: ldap.key
|
||||||
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
|
LDAP_TLS_CA_CRT_FILENAME: ca.crt
|
||||||
LDAP_TLS_ENFORCE: "false"
|
LDAP_TLS_ENFORCE: 'false'
|
||||||
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
|
LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
|
||||||
LDAP_TLS_PROTOCOL_MIN: "3.1"
|
LDAP_TLS_PROTOCOL_MIN: '3.1'
|
||||||
LDAP_TLS_VERIFY_CLIENT: "demand"
|
LDAP_TLS_VERIFY_CLIENT: demand
|
||||||
LDAP_REPLICATION: "false"
|
LDAP_REPLICATION: 'false'
|
||||||
KEEP_EXISTING_CONFIG: "false"
|
KEEP_EXISTING_CONFIG: 'false'
|
||||||
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
|
LDAP_REMOVE_CONFIG_AFTER_SETUP: 'true'
|
||||||
LDAP_SSL_HELPER_PREFIX: "ldap"
|
LDAP_SSL_HELPER_PREFIX: ldap
|
||||||
|
|
||||||
- name: phpLDAPadmin container
|
- name: phpLDAPadmin container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: phpldapadmin
|
name: phpldapadmin
|
||||||
image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
|
image: osixia/phpldapadmin:{{ services.phpldapadmin.version }}
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
|
@ -64,10 +64,10 @@
|
||||||
- name: external_services
|
- name: external_services
|
||||||
- name: ldap
|
- name: ldap
|
||||||
env:
|
env:
|
||||||
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
|
PHPLDAPADMIN_LDAP_HOSTS: openldap
|
||||||
PHPLDAPADMIN_HTTPS: "false"
|
PHPLDAPADMIN_HTTPS: 'false'
|
||||||
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
|
PHPLDAPADMIN_TRUST_PROXY_SSL: 'true'
|
||||||
|
|
||||||
VIRTUAL_HOST: "{{ services.openldap.domain }}"
|
VIRTUAL_HOST: '{{ services.openldap.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.openldap.domain }}"
|
LETSENCRYPT_HOST: '{{ services.openldap.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
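Review bot: `LDAP_TLS_ENFORCE: 'false'` together with `published_ports:` / `- 389:389` leaves plaintext LDAP reachable on the host's port 389, so simple binds — including ones using `LDAP_ADMIN_PASSWORD` — can cross the network unencrypted, and `LDAP_TLS_PROTOCOL_MIN: '3.1'` still admits TLS 1.0 (in the GnuTLS numbering the osixia image uses, `'3.3'` is TLS 1.2). Consider `LDAP_TLS_ENFORCE: 'true'` and `LDAP_TLS_PROTOCOL_MIN: '3.3'`, or at least stop publishing 389, but verify first that phpLDAPadmin, which reaches `openldap` over the internal `ldap` network, is set up for STARTTLS/ldaps, and note that `LDAP_TLS_VERIFY_CLIENT: demand` would then require every client to present a certificate signed by `ca.crt`. Separately, the volume task creates `etc/slapd` while the container mounts `{{ services.openldap.volume_folder }}/etc/slapd.d`, so the directory Ansible creates is unused and the one actually bound is auto-created by Docker as root; one of the two names is a typo.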
|
||||||
|
|
|
@ -1,42 +1,42 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup passit containers
|
- name: setup passit containers
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: "passit"
|
project_name: passit
|
||||||
pull: "yes"
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: "3.6"
|
version: '3.6'
|
||||||
services:
|
services:
|
||||||
passit_db:
|
passit_db:
|
||||||
image: "postgres:10"
|
image: postgres:10
|
||||||
restart: "always"
|
restart: always
|
||||||
networks:
|
networks:
|
||||||
- "passit"
|
- passit
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data"
|
- '{{ services.passit.volume_folder }}/data:/var/lib/postgresql/data'
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_USER: "passit"
|
POSTGRES_USER: passit
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.passit }}'
|
||||||
|
|
||||||
passit_app:
|
passit_app:
|
||||||
image: "passit/passit:{{ services.passit.version }}"
|
image: passit/passit:{{ services.passit.version }}
|
||||||
command: "bin/start.sh"
|
command: bin/start.sh
|
||||||
restart: "always"
|
restart: always
|
||||||
networks:
|
networks:
|
||||||
- "passit"
|
- passit
|
||||||
- "postfix"
|
- postfix
|
||||||
- "external_services"
|
- external_services
|
||||||
environment:
|
environment:
|
||||||
DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
|
DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit
|
||||||
SECRET_KEY: "{{ passit_secret_key }}"
|
SECRET_KEY: '{{ passit_secret_key }}'
|
||||||
IS_DEBUG: 'False'
|
IS_DEBUG: 'False'
|
||||||
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
|
EMAIL_URL: smtp://noop@{{ smtp_host }}:{{ smtp_port }}
|
||||||
DEFAULT_FROM_EMAIL: "noreply@{{ services.passit.domain }}"
|
DEFAULT_FROM_EMAIL: noreply@{{ services.passit.domain }}
|
||||||
EMAIL_CONFIRMATION_HOST: "https://{{ services.passit.domain }}"
|
EMAIL_CONFIRMATION_HOST: https://{{ services.passit.domain }}
|
||||||
FIDO_SERVER_ID: "{{ services.passit.domain }}"
|
FIDO_SERVER_ID: '{{ services.passit.domain }}'
|
||||||
VIRTUAL_HOST: "{{ services.passit.domain }}"
|
VIRTUAL_HOST: '{{ services.passit.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.passit.domain }}"
|
LETSENCRYPT_HOST: '{{ services.passit.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
passit:
|
passit:
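Review bot: `DATABASE_URL: postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit` embeds the database password in a URL that ends up in the container environment, `docker inspect` and any verbose or failed Ansible output, and the task has no `no_log: true`; add `no_log: true` next to `pull: true` so the rendered definition, which also carries `SECRET_KEY`, is not echoed. `image: postgres:10` reached upstream end of life in November 2022 and receives no further security fixes, so this pin should move to a supported major with a planned dump/restore or `pg_upgrade`, since the on-disk format under `{{ services.passit.volume_folder }}/data` is not forward compatible.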
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: create portainer volume folder
|
- name: create portainer volume folder
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.portainer.volume_folder }}"
|
name: '{{ services.portainer.volume_folder }}'
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: run portainer
|
- name: run portainer
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: portainer
|
name: portainer
|
||||||
image: portainer/portainer-ee:{{ services.portainer.version }}
|
image: portainer/portainer-ee:{{ services.portainer.version }}
|
||||||
restart_policy: always
|
restart_policy: always
|
||||||
|
@ -14,9 +14,9 @@
|
||||||
- name: external_services
|
- name: external_services
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
- "{{ services.portainer.volume_folder }}:/data"
|
- '{{ services.portainer.volume_folder }}:/data'
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST: "{{ services.portainer.domain }}"
|
VIRTUAL_HOST: '{{ services.portainer.domain }}'
|
||||||
VIRTUAL_PORT: "9000"
|
VIRTUAL_PORT: '9000'
|
||||||
LETSENCRYPT_HOST: "{{ services.portainer.domain }}"
|
LETSENCRYPT_HOST: '{{ services.portainer.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
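Review bot: Portainer gets the Docker socket read-write (`/var/run/docker.sock:/var/run/docker.sock`) and is published to the internet through `VIRTUAL_HOST: '{{ services.portainer.domain }}'`, so its login page is the only thing between the network and root on the host, and nothing in this hunk restricts who can reach it. Since Portainer cannot work without the socket, reduce exposure at the proxy instead — an allow-list in the nginx-proxy vhost file for this domain, or VPN-only reachability — and add a comment above the socket line stating plainly that this container is host-root equivalent, e.g. `# full Docker API access: anyone who can log in to Portainer controls the host`.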
|
||||||
|
|
|
@ -1,20 +1,21 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup network for postfix
|
- name: setup network for postfix
|
||||||
docker_network:
|
community.docker.docker_network:
|
||||||
name: postfix
|
name: postfix
|
||||||
ipam_config:
|
ipam_config:
|
||||||
- subnet: '172.16.0.0/16'
|
- subnet: 172.16.0.0/16
|
||||||
gateway: 172.16.0.1
|
gateway: 172.16.0.1
|
||||||
|
|
||||||
- name: setup postfix docker container for outgoing mail
|
- name: setup postfix docker container for outgoing mail
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: postfix
|
name: postfix
|
||||||
image: boky/postfix:{{ services.postfix.version }}
|
image: boky/postfix:{{ services.postfix.version }}
|
||||||
restart_policy: always
|
restart_policy: always
|
||||||
networks:
|
networks:
|
||||||
- name: postfix
|
- name: postfix
|
||||||
env:
|
env:
|
||||||
# Get all services which have allowed_sender_domain defined
|
# Get all services which have allowed_sender_domain defined
|
||||||
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain', 'defined') | map(attribute='value.domain') | list | join(' ') }}"
|
ALLOWED_SENDER_DOMAINS: "{{ services | dict2items | selectattr('value.allowed_sender_domain',\
|
||||||
HOSTNAME: "smtp.data.coop" # the name the smtp server will identify itself as
|
\ 'defined') | map(attribute='value.domain') | list | join(' ') }}"
|
||||||
|
HOSTNAME: smtp.data.coop # the name the smtp server will identify itself as
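Review bot: The reformatted `ALLOWED_SENDER_DOMAINS` value now relies on a backslash-escaped line break inside a double-quoted scalar (`'value.allowed_sender_domain',\` continued by `\ 'defined')`), which is valid YAML but brittle: a trailing space after the `\`, or an edit that drops the leading `\ `, silently changes the string or makes the file unparseable, and this string is what postfix uses to decide which sender domains it relays for. A folded block scalar expresses the same Jinja pipeline readably, keeps the `# Get all services which have allowed_sender_domain defined` comment meaningful, and is less likely to be re-wrapped by the formatter:

```yaml
      # Get all services which have allowed_sender_domain defined
      ALLOWED_SENDER_DOMAINS: >-
        {{ services | dict2items
        | selectattr('value.allowed_sender_domain', 'defined')
        | map(attribute='value.domain') | list | join(' ') }}
```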
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: create privatebin volume folders
|
- name: create privatebin volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.privatebin.volume_folder }}/{{ volume }}"
|
name: '{{ services.privatebin.volume_folder }}/{{ volume }}'
|
||||||
state: directory
|
state: directory
|
||||||
loop:
|
loop:
|
||||||
- cfg
|
- cfg
|
||||||
|
@ -11,21 +11,21 @@
|
||||||
loop_var: volume
|
loop_var: volume
|
||||||
|
|
||||||
- name: upload privatebin config
|
- name: upload privatebin config
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/privatebin-conf.php
|
src: files/configs/privatebin-conf.php
|
||||||
dest: "{{ services.privatebin.volume_folder }}/cfg/conf.php"
|
dest: '{{ services.privatebin.volume_folder }}/cfg/conf.php'
|
||||||
|
|
||||||
- name: privatebin app container
|
- name: privatebin app container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: privatebin
|
name: privatebin
|
||||||
image: jgeusebroek/privatebin:{{ services.privatebin.version }}
|
image: jgeusebroek/privatebin:{{ services.privatebin.version }}
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg"
|
- '{{ services.privatebin.volume_folder }}/cfg:/privatebin/cfg'
|
||||||
- "{{ services.privatebin.volume_folder }}/data:/privatebin/data"
|
- '{{ services.privatebin.volume_folder }}/data:/privatebin/data'
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST: "{{ services.privatebin.domain }}"
|
VIRTUAL_HOST: '{{ services.privatebin.domain }}'
|
||||||
LETSENCRYPT_HOST: "{{ services.privatebin.domain }}"
|
LETSENCRYPT_HOST: '{{ services.privatebin.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
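Review bot: Neither the `ansible.builtin.file` task that creates the `cfg` directory (the rest of the loop is outside the first hunk) nor the `ansible.builtin.template` task that writes `conf.php` sets `mode`, so the resulting permissions depend on the target host's umask and can differ between runs; ansible-lint's `risky-file-permissions` rule exists for exactly this but appears to be opt-in in 6.x, so this lint pass will not catch it. Add `mode: '0755'` to the directory task and `mode: '0644'` to the template task — the PHP process inside the container must be able to read the file and its uid is not visible here, so confirm before tightening to `'0640'` with a matching `group`.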
|
||||||
|
|
|
@ -1,58 +1,59 @@
|
||||||
|
---
|
||||||
- name: Create rallly volume folders
|
- name: Create rallly volume folders
|
||||||
file:
|
ansible.builtin.file:
|
||||||
name: "{{ services.rallly.volume_folder }}/postgres"
|
name: '{{ services.rallly.volume_folder }}/postgres'
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: Copy Rallly environment file
|
- name: Copy Rallly environment file
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: files/configs/rallly/env_file.j2
|
src: files/configs/rallly/env_file.j2
|
||||||
dest: "{{ services.rallly.volume_folder }}/env_file"
|
dest: '{{ services.rallly.volume_folder }}/env_file'
|
||||||
|
|
||||||
- name: Set up Rallly
|
- name: Set up Rallly
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: "rallly"
|
project_name: rallly
|
||||||
pull: "yes"
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
version: "3.8"
|
version: '3.8'
|
||||||
services:
|
services:
|
||||||
rallly_db:
|
rallly_db:
|
||||||
image: "postgres:14-alpine"
|
image: postgres:14-alpine
|
||||||
restart: "always"
|
restart: always
|
||||||
shm_size: "256mb"
|
shm_size: 256mb
|
||||||
networks:
|
networks:
|
||||||
rallly_internal:
|
rallly_internal:
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data"
|
- '{{ services.rallly.volume_folder }}/postgres:/var/lib/postgresql/data'
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_PASSWORD: "{{ postgres_passwords.rallly }}"
|
POSTGRES_PASSWORD: '{{ postgres_passwords.rallly }}'
|
||||||
POSTGRES_DB: "rallly_db"
|
POSTGRES_DB: rallly_db
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD-SHELL", "pg_isready -U postgres"]
|
test: [CMD-SHELL, pg_isready -U postgres]
|
||||||
interval: 5s
|
interval: 5s
|
||||||
timeout: 5s
|
timeout: 5s
|
||||||
retries: 5
|
retries: 5
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
|
||||||
|
|
||||||
rallly:
|
rallly:
|
||||||
image: "lukevella/rallly:{{ services.rallly.version }}"
|
image: lukevella/rallly:{{ services.rallly.version }}
|
||||||
restart: "always"
|
restart: always
|
||||||
networks:
|
networks:
|
||||||
rallly_internal:
|
rallly_internal:
|
||||||
external_services:
|
external_services:
|
||||||
postfix:
|
postfix:
|
||||||
depends_on:
|
depends_on:
|
||||||
rallly_db:
|
rallly_db:
|
||||||
condition: "service_healthy"
|
condition: service_healthy
|
||||||
env_file:
|
env_file:
|
||||||
- "{{ services.rallly.volume_folder }}/env_file"
|
- '{{ services.rallly.volume_folder }}/env_file'
|
||||||
environment:
|
environment:
|
||||||
VIRTUAL_HOST: "{{ services.rallly.domain }}"
|
VIRTUAL_HOST: '{{ services.rallly.domain }}'
|
||||||
VIRTUAL_PORT: "3000"
|
VIRTUAL_PORT: '3000'
|
||||||
LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
|
LETSENCRYPT_HOST: '{{ services.rallly.domain }}'
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
rallly_internal:
|
rallly_internal:
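Review bot: The `Copy Rallly environment file` task renders `files/configs/rallly/env_file.j2` to `{{ services.rallly.volume_folder }}/env_file` with no `mode` or `owner`, and that file is consumed via `env_file:`, so it presumably holds the application's secrets; with a default umask it is likely readable by every local account on the host. Set `mode: '0600'` on the template task (the file is read by the compose client on the host, not inside the container, so only the account Ansible runs as needs access) and add `no_log: true` so the rendered content is not printed in `--diff` or `-vvv` output. The `rallly_db` service sets `POSTGRES_PASSWORD` but no `POSTGRES_USER`, so the application connects as the `postgres` superuser — tolerable for a single-tenant database, but worth a one-line comment so it is not mistaken for an oversight.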
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: Setup restic backup
|
- name: Setup restic backup
|
||||||
docker_compose:
|
community.docker.docker_compose:
|
||||||
project_name: restic_backup
|
project_name: restic_backup
|
||||||
pull: true
|
pull: true
|
||||||
definition:
|
definition:
|
||||||
|
@ -10,11 +10,12 @@
|
||||||
image: mazzolino/restic:{{ services.restic.version }}
|
image: mazzolino/restic:{{ services.restic.version }}
|
||||||
restart: always
|
restart: always
|
||||||
environment:
|
environment:
|
||||||
RUN_ON_STARTUP: "true"
|
RUN_ON_STARTUP: 'true'
|
||||||
BACKUP_CRON: "0 30 3 * * *"
|
BACKUP_CRON: 0 30 3 * * *
|
||||||
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
|
RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
|
||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
}}@{{ services.restic.domain }}/{{ services.restic.repository }}
|
||||||
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
|
RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
|
||||||
|
RESTIC_BACKUP_SOURCES: /mnt/volumes
|
||||||
RESTIC_BACKUP_ARGS: >-
|
RESTIC_BACKUP_ARGS: >-
|
||||||
--tag datacoop-volumes
|
--tag datacoop-volumes
|
||||||
--exclude='*.tmp'
|
--exclude='*.tmp'
|
||||||
|
@ -29,10 +30,11 @@
|
||||||
- /docker-volumes:/mnt/volumes:ro
|
- /docker-volumes:/mnt/volumes:ro
|
||||||
|
|
||||||
restic-prune:
|
restic-prune:
|
||||||
image: "mazzolino/restic:{{ services.restic.version }}"
|
image: mazzolino/restic:{{ services.restic.version }}
|
||||||
environment:
|
environment:
|
||||||
RUN_ON_STARTUP: "true"
|
RUN_ON_STARTUP: 'true'
|
||||||
PRUNE_CRON: "0 0 4 * * *"
|
PRUNE_CRON: 0 0 4 * * *
|
||||||
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
|
RESTIC_REPOSITORY: rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password
|
||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
}}@{{ services.restic.domain }}/{{ services.restic.repository }}
|
||||||
|
RESTIC_PASSWORD: '{{ restic_secrets.repository_password }}'
|
||||||
TZ: Europe/copenhagen
|
TZ: Europe/copenhagen
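Review bot: `TZ: Europe/copenhagen` is not a valid tz database name (the zone is `Europe/Copenhagen`, and zoneinfo lookups are case-sensitive on Linux), so the C library silently falls back to UTC and `PRUNE_CRON: 0 0 4 * * *` fires at 04:00 UTC rather than local time; fix the case, and note that the backup service (its name is above the second hunk) sets no `TZ` at all, so once prune is corrected the two schedules would be in different zones — pick one for both. Separately, `RESTIC_REPOSITORY` carries the REST-server password inside the URL in both services, duplicated and now wrapped over two lines by yamlfix; recent restic releases read `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD` from the environment, which keeps the credential out of the URL and lets the repository line stay short (check `services.restic.version` supports it). The task also has no `no_log: true`, so a failure prints both the REST password and `RESTIC_PASSWORD`.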
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: watchtower container
|
- name: watchtower container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: watchtower
|
name: watchtower
|
||||||
image: containrrr/watchtower:1.4.0
|
image: containrrr/watchtower:1.4.0
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
|
@ -8,7 +8,7 @@
|
||||||
- name: external_services
|
- name: external_services
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
- "{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json"
|
- '{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json'
|
||||||
env:
|
env:
|
||||||
WATCHTOWER_LABEL_ENABLE: "true"
|
WATCHTOWER_LABEL_ENABLE: 'true'
|
||||||
WATCHTOWER_POLL_INTERVAL: "60"
|
WATCHTOWER_POLL_INTERVAL: '60'
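Review bot: The credential file is mounted read-write at `{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json`, but watchtower only needs to read it (presumably the client login for `docker.data.coop`), so add `:ro` — `- '{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json:ro'` — to keep a compromised watchtower from rewriting a credential used elsewhere. The socket line above cannot be made safer here because watchtower must create and remove containers, which is also why `WATCHTOWER_POLL_INTERVAL: '60'` with `WATCHTOWER_LABEL_ENABLE: 'true'` amounts to unattended auto-deploy of whatever is pushed to the registry; a comment at `WATCHTOWER_LABEL_ENABLE` stating that a push to the registry is a production deploy would make that trade-off explicit.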
|
||||||
|
|
|
@ -1,23 +1,24 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup 2022.slides.data.coop website using unipi
|
- name: setup 2022.slides.data.coop website using unipi
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: 2022.slides.data.coop_website
|
name: 2022.slides.data.coop_website
|
||||||
image: docker.data.coop/unipi:latest
|
image: docker.data.coop/unipi:latest
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
purge_networks: yes
|
purge_networks: true
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
|
VIRTUAL_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
|
||||||
LETSENCRYPT_HOST: "2022.slides.{{ services.data_coop_website.domains|join(',') }}"
|
}}
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_HOST: 2022.slides.{{ services.data_coop_website.domains|join(',')
|
||||||
# Temporarily hosting on github
|
}}
|
||||||
command: "--remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
|
# Temporarily hosting on github
|
||||||
|
command: --remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022
|
||||||
capabilities:
|
capabilities:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
devices:
|
devices:
|
||||||
- "/dev/net/tun"
|
- /dev/net/tun
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
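Review bot: A static-site container (`image: docker.data.coop/unipi:latest`) is granted `capabilities:` / `- NET_ADMIN` and `devices:` / `- /dev/net/tun`, which let it reconfigure its network namespace and create tunnel interfaces; nothing in the task explains why a slide deck needs that, so either remove the two stanzas if they are leftover from another unipi deployment or add a why-comment above `capabilities:`. The content source `command: --remote=https://github.com/sorbusursina/datacoop-slides.git#slides2022` tracks a branch in a personal GitHub account, so whoever can push to that branch controls what the site serves; pin the fragment to a commit (`...git#<sha>`) or move the repository under the organisation before the "Temporarily hosting on github" comment is dropped. yamlfix has also split the `VIRTUAL_HOST` and `LETSENCRYPT_HOST` Jinja expressions across two lines; plain-scalar folding makes them load correctly, but they are easy to misread and should be kept on one line.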
|
||||||
|
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup cryptoaarhus.dk website docker container
|
- name: setup cryptoaarhus.dk website docker container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: cryptoaarhus_website
|
name: cryptoaarhus_website
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
image: docker.data.coop/cryptoaarhus-website
|
image: docker.data.coop/cryptoaarhus-website
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
|
VIRTUAL_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
|
LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
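Review bot: `image: docker.data.coop/cryptoaarhus-website` carries no tag, so it resolves to `:latest`, and with `com.centurylinklabs.watchtower.enable: 'true'` every push of that tag to the registry is deployed automatically with no way to roll back by tag or to tell from this repo which build is running. Pin a version tag that is bumped through this repository, or at least add a comment above `image:` stating that untagged image plus watchtower is the deliberate continuous-deploy path for this site. The same applies to the cryptohagen and data.coop website tasks below, which use the identical untagged-image pattern.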
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup cryptohagen.dk website docker container
|
- name: setup cryptohagen.dk website docker container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: cryptohagen_website
|
name: cryptohagen_website
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
image: docker.data.coop/cryptohagen-website
|
image: docker.data.coop/cryptohagen-website
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
|
VIRTUAL_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
|
LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup data.coop website docker container
|
- name: setup data.coop website docker container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: data.coop_website
|
name: data.coop_website
|
||||||
image: docker.data.coop/data-coop-website
|
image: docker.data.coop/data-coop-website
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}"
|
VIRTUAL_HOST: "{{ services.data_coop_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
|
LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
@ -1,21 +1,23 @@
|
||||||
|
---
|
||||||
- name: setup new-new data.coop website using unipi
|
- name: setup new-new data.coop website using unipi
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: new-new.data.coop_website
|
name: new-new.data.coop_website
|
||||||
image: docker.data.coop/unipi:latest
|
image: docker.data.coop/unipi:latest
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
purge_networks: yes
|
purge_networks: true
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
|
VIRTUAL_HOST: new-new.{{ services.data_coop_website.domains | join(',') }}
|
||||||
LETSENCRYPT_HOST: "new-new.{{ services.data_coop_website.domains|join(',') }}"
|
LETSENCRYPT_HOST: new-new.{{ services.data_coop_website.domains | join(',')
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
}}
|
||||||
# The ssh-key is for read-only only
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
|
# The ssh-key is for read-only only
|
||||||
|
command: --remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU=
|
||||||
|
--ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI
|
||||||
capabilities:
|
capabilities:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
devices:
|
devices:
|
||||||
- "/dev/net/tun"
|
- /dev/net/tun
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
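Review bot: The rewrap turned `LETSENCRYPT_HOST` and `command` into multi-line plain scalars (`… join(',')` continued by a lone `}}`, and `… e5crVvSTQ7dTK46WkG0wqEPVJbU=` continued by `--ssh-authenticator …`); YAML folds the break to a single space so the rendered values are unchanged, but an unquoted Jinja expression with `}}` on its own line is easy to break on the next edit, so keep these as one quoted line or use `>-` with the continuation indented beneath it. The same unquoted `new.{{ … }}` style appears in the hugo website hunk further down, while the cryptohagen and data.coop hunks keep their quotes; pick one convention. The `--ssh-key ed25519:…=` argument is a 44-character base64 value, the length of an ed25519 seed; if it is the private deploy key rather than a public fingerprint, it belongs in ansible-vault or a lookup rather than the committed playbook, even with read-only repository access.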
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: setup new data.coop website using hugo
|
- name: setup new data.coop website using hugo
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: new.data.coop_website
|
name: new.data.coop_website
|
||||||
image: docker.data.coop/data-coop-website:hugo
|
image: docker.data.coop/data-coop-website:hugo
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
networks:
|
networks:
|
||||||
- name: external_services
|
- name: external_services
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST : "new.{{ services.data_coop_website.domains|join(',') }}"
|
VIRTUAL_HOST: new.{{ services.data_coop_website.domains|join(',') }}
|
||||||
LETSENCRYPT_HOST: "new.{{ services.data_coop_website.domains|join(',') }}"
|
LETSENCRYPT_HOST: new.{{ services.data_coop_website.domains|join(',') }}
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
@ -1,5 +1,6 @@
|
||||||
|
---
|
||||||
- name: setup ulovliglogning.dk website docker container
|
- name: setup ulovliglogning.dk website docker container
|
||||||
docker_container:
|
community.docker.docker_container:
|
||||||
name: ulovliglogning_website
|
name: ulovliglogning_website
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
image: ulovliglogning/ulovliglogning.dk:latest
|
image: ulovliglogning/ulovliglogning.dk:latest
|
||||||
|
@ -8,6 +9,6 @@
|
||||||
env:
|
env:
|
||||||
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
|
VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
|
LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
|
||||||
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
|
LETSENCRYPT_EMAIL: '{{ letsencrypt_email }}'
|
||||||
labels:
|
labels:
|
||||||
com.centurylinklabs.watchtower.enable: "true"
|
com.centurylinklabs.watchtower.enable: 'true'
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Install necessary packages via apt
|
- name: Install necessary packages via apt
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: "{{ packages }}"
|
name: '{{ packages }}'
|
||||||
vars:
|
vars:
|
||||||
packages:
|
packages:
|
||||||
- aptitude
|
- aptitude
|
||||||
|
@ -11,13 +11,13 @@
|
||||||
- mosh
|
- mosh
|
||||||
|
|
||||||
- name: Install Dell OpenManage
|
- name: Install Dell OpenManage
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: srvadmin-all
|
name: srvadmin-all
|
||||||
when: not vagrant
|
when: not vagrant
|
||||||
|
|
||||||
- name: Install necessary packages via pip
|
- name: Install necessary packages via pip
|
||||||
pip:
|
ansible.builtin.pip:
|
||||||
name: "{{ packages }}"
|
name: '{{ packages }}'
|
||||||
vars:
|
vars:
|
||||||
packages:
|
packages:
|
||||||
- docker
|
- docker
@ -1,18 +1,19 @@
|
||||||
---
|
---
|
||||||
- name: Import dell apt signing key
|
- name: Import dell apt signing key
|
||||||
apt_key:
|
ansible.builtin.apt_key:
|
||||||
id: "1285491434D8786F"
|
id: 1285491434D8786F
|
||||||
keyserver: "keyserver.ubuntu.com"
|
keyserver: keyserver.ubuntu.com
|
||||||
|
|
||||||
- name: Configure dell apt repo
|
- name: Configure dell apt repo
|
||||||
apt_repository:
|
ansible.builtin.apt_repository:
|
||||||
repo: "deb https://linux.dell.com/repo/community/openmanage/10101/focal focal main"
|
repo: deb https://linux.dell.com/repo/community/openmanage/10101/focal focal
|
||||||
|
main
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Restrict dell apt repo"
|
- name: Restrict dell apt repo"
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: "/etc/apt/preferences.d/dell"
|
dest: /etc/apt/preferences.d/dell
|
||||||
content: |
|
content: |-
|
||||||
Explanation: Deny all packages from this repo that exist elsewhere
|
Explanation: Deny all packages from this repo that exist elsewhere
|
||||||
Package: *
|
Package: *
|
||||||
Pin: origin "linux.dell.com"
|
Pin: origin "linux.dell.com"
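Review bot: The task name `Restrict dell apt repo"` keeps a stray trailing quote that the relint left in place; it should read `- name: Restrict dell apt repo`. The `repo:` value was wrapped into a plain scalar whose continuation is the bare word `main` on its own line; YAML folds it to the intended `deb … focal main`, but a lone `main` is easy to misread or mis-indent, so prefer `repo: >-` with the two parts indented beneath it, or keep the single line. Switching `content: |` to `content: |-` drops the trailing newline of the written preferences file; this is presumably harmless for apt, but it is a content change rather than a formatting one and worth confirming.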
@ -1,22 +1,24 @@
|
||||||
---
|
---
|
||||||
- name: Setup firewall with UFW
|
- name: Setup firewall with UFW
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
state: enabled
|
state: enabled
|
||||||
policy: deny
|
policy: deny
|
||||||
|
|
||||||
- name: Allow necessary ports
|
- name: Allow necessary ports
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
rule: allow
|
rule: allow
|
||||||
port: "{{ item.port }}"
|
port: '{{ item.port }}'
|
||||||
proto: "{{ item.proto | default('tcp') }}"
|
proto: "{{ item.proto | default('tcp') }}"
|
||||||
loop:
|
loop:
|
||||||
- port: 22 # Gitea SSH
|
- port: 22 # Gitea SSH
|
||||||
- port: 80 # HTTP
|
- port: 80 # HTTP
|
||||||
- port: 443 # HTTPS
|
- port: 443 # HTTPS
|
||||||
- port: 389 # OpenLDAP
|
- port: 389 # OpenLDAP
|
||||||
- port: 636 # OpenLDAP
|
- port: 636 # OpenLDAP
|
||||||
- port: 25 # Email
|
- port: 25 # Email
|
||||||
- port: 465 # Email
|
- port: 465 # Email
|
||||||
- port: 587 # Email
|
- port: 587 # Email
|
||||||
- port: 993 # Email
|
- port: 993 # Email
|
||||||
- port: 19022 # SSH
|
- port: 19022 # SSH
|
||||||
|
loop_control:
|
||||||
|
loop_var: ubuntu_base_port
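Review bot: With `loop_control: loop_var: ubuntu_base_port` added, the task body still reads `item.port` and `item.proto`; once a custom loop_var is set, `item` is no longer defined for the loop, so this task fails on the first iteration and the firewall is left with `policy: deny` and no allow rules. Change the two lines to `port: '{{ ubuntu_base_port.port }}'` and `proto: "{{ ubuntu_base_port.proto | default('tcp') }}"`. Since `Setup firewall with UFW` enables the deny policy before this task runs, a failure here is what would lock out the SSH port on a fresh host.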
@ -1,19 +1,25 @@
|
||||||
---
|
---
|
||||||
- import_tasks: ssh-port.yml
|
- name: Set SSH port
|
||||||
|
ansible.builtin.import_tasks: ssh-port.yml
|
||||||
tags: [change-ssh-port]
|
tags: [change-ssh-port]
|
||||||
|
|
||||||
- import_tasks: dell-apt-repo.yml
|
- name: Set up Dell apt repo
|
||||||
|
ansible.builtin.import_tasks: dell-apt-repo.yml
|
||||||
tags: [setup-dell-apt-repo]
|
tags: [setup-dell-apt-repo]
|
||||||
when: not vagrant
|
when: not vagrant
|
||||||
|
|
||||||
- import_tasks: upgrade.yml
|
- name: Make sure system is up to date
|
||||||
|
ansible.builtin.import_tasks: upgrade.yml
|
||||||
tags: [do-full-system-upgrade]
|
tags: [do-full-system-upgrade]
|
||||||
|
|
||||||
- import_tasks: base.yml
|
- name: Install base packages
|
||||||
|
ansible.builtin.import_tasks: base.yml
|
||||||
tags: [install-base-packages]
|
tags: [install-base-packages]
|
||||||
|
|
||||||
- import_tasks: users.yml
|
- name: Setup users
|
||||||
|
ansible.builtin.import_tasks: users.yml
|
||||||
tags: [setup-users]
|
tags: [setup-users]
|
||||||
|
|
||||||
- import_tasks: firewall.yml
|
- name: Setup firewall
|
||||||
|
ansible.builtin.import_tasks: firewall.yml
|
||||||
tags: [setup-firewall]
|
tags: [setup-firewall]
@ -1,20 +1,18 @@
|
||||||
---
|
---
|
||||||
- name: Change SSH port on host
|
- name: Change SSH port on host
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "/etc/ssh/sshd_config"
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: "^#?Port "
|
regexp: '^#?Port '
|
||||||
line: "Port 19022"
|
line: Port 19022
|
||||||
register: ssh_changed
|
register: ssh_changed
|
||||||
|
|
||||||
- name: Restart sshd
|
- name: Restart sshd
|
||||||
service:
|
ansible.builtin.service:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: restarted
|
state: restarted
|
||||||
when: ssh_changed is defined and
|
when: ssh_changed is defined and ssh_changed.changed
|
||||||
ssh_changed.changed
|
|
||||||
|
|
||||||
- name: Change Ansible port to 19022
|
- name: Change Ansible port to 19022
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_port: 19022
|
ansible_port: 19022
|
||||||
when: ssh_changed is defined and
|
when: ssh_changed is defined and ssh_changed.changed
|
||||||
ssh_changed.changed
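Review bot: Both `when:` conditions were joined onto one line but keep the redundant `ssh_changed is defined and` guard; `register: ssh_changed` in the first task always defines it, so the idiomatic form is `when: ssh_changed is changed` on both the restart and the set_fact task. The `Restart sshd` task runs before `ansible_port` is switched to 19022; that ordering is pre-existing, but a comment such as `# restart first, then move the connection port — the current session survives the restart` would make the dependency explicit for the next reader.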
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: update and upgrade system via apt
|
- name: Update and upgrade system via apt
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
update_cache: yes
|
update_cache: true
|
||||||
upgrade: full
|
upgrade: full
@ -1,22 +1,27 @@
|
||||||
---
|
---
|
||||||
- name: "Add users"
|
- name: Add users
|
||||||
user:
|
user:
|
||||||
name: "{{ item.name }}"
|
name: '{{ ubuntu_base_user.name }}'
|
||||||
comment: "{{ item.comment }}"
|
comment: '{{ ubuntu_base_user.comment }}'
|
||||||
password: "{{ item.password }}"
|
password: '{{ ubuntu_base_user.password }}'
|
||||||
groups: "{{ item.groups }}"
|
groups: '{{ ubuntu_base_user.groups }}'
|
||||||
update_password: "always"
|
update_password: always
|
||||||
loop: "{{ users | default([]) }}"
|
loop: '{{ users | default([]) }}'
|
||||||
|
loop_control:
|
||||||
|
loop_var: ubuntu_base_user
|
||||||
|
|
||||||
- name: "Add ssh authorized_keys"
|
- name: Add ssh authorized_keys
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "{{ item.name }}"
|
user: '{{ ubuntu_base_user.name }}'
|
||||||
key: "{{ item.ssh_keys | join('\n') }}"
|
key: "{{ ubuntu_base_user.ssh_keys | join('\n') }}"
|
||||||
exclusive: true
|
exclusive: true
|
||||||
loop: "{{ users | default([]) }}"
|
loop: '{{ users | default([]) }}'
|
||||||
|
loop_control:
|
||||||
|
loop_var: ubuntu_base_user
|
||||||
|
|
||||||
- name: "Add ssh authorized_keys to root user"
|
- name: Add ssh authorized_keys to root user
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "root"
|
user: root
|
||||||
key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n') }}"
|
key: "{{ users | default([]) | map(attribute='ssh_keys') | flatten | join('\n\
|
||||||
|
') }}"
|
||||||
exclusive: true
|
exclusive: true
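Review bot: The `Add users` task still uses the bare `user:` module while every other task in this change was moved to its FQCN; it should be `ansible.builtin.user:`. That task also passes `password: '{{ ubuntu_base_user.password }}'` inside a loop without `no_log: true`, so each loop item, hash included, is echoed into the run log on change or failure; adding `no_log: true` to the task is the fix rather than skipping the lint rule. The `key:` value in the root task was wrapped with a double-quoted escaped line break (`join('\n\` continued by `') }}"`), which YAML reassembles correctly but reads as a broken escape; keep it on one line or use `>-`.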