diff --git a/ansible.cfg b/ansible.cfg
index aca582b7..0c5eed0d 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,2 +1,2 @@
 [defaults]
-remote_user = root
\ No newline at end of file
+remote_user = root
diff --git a/group_vars/all/secrets.yml b/group_vars/all/secrets.yml
new file mode 100644
index 00000000..6c36fb6d
--- /dev/null
+++ b/group_vars/all/secrets.yml
@@ -0,0 +1,38 @@
+$ANSIBLE_VAULT;1.1;AES256
+63323530623531666436636366633932313030663465316462623730383562623961373734303630 3961356564343865353430353539626531396462376164360a383662633337353765356364366464 38363066303165666562393735663435393130396463333131396232386236363566653737323937 3562643633636633310a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
diff --git a/group_vars/all.yml b/group_vars/all/vars.yml
similarity index 100%
rename from group_vars/all.yml
rename to group_vars/all/vars.yml
diff --git a/playbook.yml b/playbook.yml
index 3d1ff8b1..fd6d5271 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -3,12 +3,18 @@
 gather_facts: False
 become: true
 vars:
- # Services are the names of the compose files in docker/files/composefiles
+ base_domain: data.coop
+ letsencrypt_email: bestyrelsen@data.coop
+ ldap_dn: "dc=data,dc=coop"
+
 services:
 - nginx-proxy
+ - openldap
 - thelounge
- - gitea
 - nextcloud
+ - fider
+ - passit
+ - gitea
 tasks:
 - import_role:
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
new file mode 100644
index 00000000..109fb63d
--- /dev/null
+++ b/roles/docker/defaults/main.yml
@@ -0,0 +1,14 @@
+ldap:
+ domain: "ldap.{{ base_domain }}"
+
+thelounge:
+ domain: "irc.{{ base_domain }}"
+
+nextcloud:
+ domain: "cloud.{{ base_domain }}"
+
+passit:
+ domain: "passit.{{ base_domain }}"
+
+fider:
+ domain: "feedback.{{ base_domain }}"
diff --git a/roles/docker/files/composefiles/fider.yml b/roles/docker/files/composefiles/fider.yml
deleted file mode 100644
index 66737128..00000000
--- a/roles/docker/files/composefiles/fider.yml
+++ /dev/null
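Review bot: The comment above `services:` explaining what the entries are was removed and not replaced, and the list is now order-sensitive: `thelounge` joins the `ldap` docker network that the `openldap` task creates, so moving `thelounge` above `openldap` (or dropping openldap) breaks the include. Restore a comment such as `# Each entry is a task file roles/docker/tasks/services/<name>.yml, included in this order; openldap must come before thelounge because it creates the ldap network.` so the next editor does not reorder the list casually.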
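Review bot: `gitea` is enabled in the playbook's `services` list and `roles/docker/tasks/services/gitea.yml` reads `{{ gitea.domain }}`, but this defaults file declares no `gitea:` mapping, so the run fails on an undefined variable unless `gitea.domain` is defined in `group_vars/all/vars.yml` (not visible here). Add it next to the other services: `gitea:` / `  domain: "git.{{ base_domain }}"`, keeping the quoted Jinja style the file already uses.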
@@ -1,43 +0,0 @@
-version: '3'
-services:
- db:
- restart: always
- image: postgres
- networks:
- - fider
- volumes:
- - /var/fider/pg_data:/var/lib/postgresql/data
- environment:
- POSTGRES_USER: fider
- POSTGRES_PASSWORD: "SOMESTRONGPASSWORD"
-
- app:
- restart: always
- image: getfider/fider:stable
- ports:
- - "9999:3000"
- networks:
- - fider
- - external_services
- environment:
- GO_ENV: production
- DATABASE_URL: postgres://fider:SOMESTRONGPASSWORD@db:5432/fider?sslmode=disable
- JWT_SECRET: LONGRANDOMSTRING
-
- EMAIL_NOREPLY: noreply@data.coop
- EMAIL_SMTP_HOST: smtp.fastmail.com
- EMAIL_SMTP_PORT: 587
- EMAIL_SMTP_USERNAME: a_smtp_user
- EMAIL_SMTP_PASSWORD: password_for_smtp_user
-
- VIRTUAL_HOST: feedback.data.coop
- LETSENCRYPT_HOST: feedback.data.coop
- LETSENCRYPT_EMAIL: valberg@orn.li
-
- depends_on:
- - db
-
-networks:
- fider:
- external_services:
- external: true
diff --git a/roles/docker/files/composefiles/gitea.yml b/roles/docker/files/composefiles/gitea.yml
deleted file mode 100644
index 1cec5dd0..00000000
--- a/roles/docker/files/composefiles/gitea.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-version: "2.3"
-
-networks:
- gitea:
- external_services:
- external: true
-
-services:
- server:
- image: gitea/gitea:latest
- environment:
- - USER_UID=1000
- - USER_GID=1000
- - VIRTUAL_HOST=gitea.local
- - VIRTUAL_PORT=3000
- restart: always
- networks:
- - gitea
- - external_services
- volumes:
- - gitea:/data
- ports:
- - "3000:3000"
- - "222:22"
- depends_on:
- - db
-
- db:
- image: postgres:9.6
- restart: always
- environment:
- - POSTGRES_USER=gitea
- - POSTGRES_PASSWORD=gitea
- - POSTGRES_DB=gitea
- networks:
- - gitea
- volumes:
- - postgres:/var/lib/postgresql/data
-
-volumes:
- gitea:
- postgres:
diff --git a/roles/docker/files/composefiles/nextcloud.yml b/roles/docker/files/composefiles/nextcloud.yml
deleted file mode 100644
index 2a094d5e..00000000
--- a/roles/docker/files/composefiles/nextcloud.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-version: '3'
-services:
- db:
- image: postgres
- restart: always
- volumes:
- - db:/var/lib/postgresql/data
- environment:
- - POSTGRES_DB=nextcloud
- - POSTGRES_USER=nextcloud
- networks:
- - nextcloud
- app:
- image: nextcloud
- volumes:
- - nextcloud:/var/www/html
- restart: always
- environment:
- - POSTGRES_HOST=db
- - POSTGRES_PASSWORD=hest
- - POSTGRES_DB=nextcloud
- - POSTGRES_USER=nextcloud
- - VIRTUAL_HOST=nextcloud.local
- depends_on:
- - db
- ports:
- - "80"
- networks:
- - nextcloud
- - external_services
-volumes:
- nextcloud:
- db:
-
-networks:
- external_services:
- external: true
- nextcloud:
diff --git a/roles/docker/files/composefiles/thelounge.yml b/roles/docker/files/composefiles/thelounge.yml
deleted file mode 100644
index 639fa04b..00000000
--- a/roles/docker/files/composefiles/thelounge.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-version: '3'
-services:
- thelounge:
- image: thelounge/lounge:latest
- container_name: thelounge
- restart: always
- ports:
- - "9000:9000"
- volumes:
- - thelounge:/home/lounge/data # bind lounge config from the host's file system
- networks:
- - external_services
- environment:
- VIRTUAL_HOST: irc.data.coop
- LETSENCRYPT_HOST: irc.data.coop
- LETSENCRYPT_EMAIL: valberg@orn.li
-
-volumes:
- thelounge:
-
-networks:
- external_services:
- external: true
diff --git a/roles/docker/files/configs/thelounge.js b/roles/docker/files/configs/thelounge.js
new file mode 100644
index 00000000..f3195999
--- /dev/null
+++ b/roles/docker/files/configs/thelounge.js
@@ -0,0 +1,510 @@
+"use strict";
+
+module.exports = {
+ //
+ // Set the server mode.
+ // Public servers does not require authentication.
+ //
+ // Set to 'false' to enable users.
+ //
+ // @type boolean
+ // @default false
+ //
+ public: false,
+
+ //
+ // IP address or hostname for the web server to listen on.
+ // Setting this to undefined will listen on all interfaces.
+ //
+ // For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
+ //
+ // @type string
+ // @default undefined
+ //
+ host: undefined,
+
+ //
+ // Set the port to listen on.
+ //
+ // @type int
+ // @default 9000
+ //
+ port: 9000,
+
+ //
+ // Set the local IP to bind to for outgoing connections. Leave to undefined
+ // to let the operating system pick its preferred one.
+ //
+ // @type string
+ // @default undefined
+ //
+ bind: undefined,
+
+ //
+ // Sets whether the server is behind a reverse proxy and should honor the
+ // X-Forwarded-For header or not.
+ //
+ // @type boolean
+ // @default false
+ //
+ reverseProxy: false,
+
+ //
+ // Set the default theme.
+ // Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
+ //
+ // @type string
+ // @default "example"
+ //
+ theme: "example",
+
+ //
+ // Prefetch URLs
+ //
+ // If enabled, The Lounge will try to load thumbnails and site descriptions from
+ // URLs posted in channels.
+ //
+ // @type boolean
+ // @default false
+ //
+ prefetch: false,
+
+ //
+ // Store and proxy prefetched images and thumbnails.
+ // This improves security and privacy by not exposing client IP address,
+ // and always loading images from The Lounge instance and making all assets secure,
+ // which in result fixes mixed content warnings.
+ //
+ // If storage is enabled, The Lounge will fetch and store images and thumbnails
+ // in the `${THELOUNGE_HOME}/storage` folder.
+ //
+ // Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
+ // and the folder is cleaned up on every The Lounge restart.
+ //
+ // @type boolean
+ // @default false
+ //
+ prefetchStorage: false,
+
+ //
+ // Prefetch URLs Image Preview size limit
+ //
+ // If prefetch is enabled, The Lounge will only display content under the maximum size.
+ // Specified value is in kilobytes. Default value is 2048 kilobytes.
+ //
+ // @type int
+ // @default 2048
+ //
+ prefetchMaxImageSize: 2048,
+
+ //
+ // Display network
+ //
+ // If set to false network settings will not be shown in the login form.
+ //
+ // @type boolean
+ // @default true
+ //
+ displayNetwork: true,
+
+ //
+ // Lock network
+ //
+ // If set to true, users will not be able to modify host, port and tls
+ // settings and will be limited to the configured network.
+ //
+ // @type boolean
+ // @default false
+ //
+ lockNetwork: false,
+
+ //
+ // Hex IP
+ //
+ // If enabled, clients' username will be set to their IP encoded has hex.
+ // This is done to share the real user IP address with the server for host masking purposes.
+ //
+ // @type boolean
+ // @default false
+ //
+ useHexIp: false,
+
+ //
+ // WEBIRC support
+ //
+ // If enabled, The Lounge will pass the connecting user's host and IP to the
+ // IRC server. Note that this requires to obtain a password from the IRC network
+ // The Lounge will be connecting to and generally involves a lot of trust from the
+ // network you are connecting to.
+ //
+ // Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
+ // Format (function):
+ // {"irc.example.net": function(client, args, trusted) {
+ // // here, we return a webirc object fed directly to `irc-framework`
+ // return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
+ // }}
+ //
+ // @type string | function(client, args):object(webirc)
+ // @default null
+ webirc: null,
+
+ //
+ // Log settings
+ //
+ // Logging has to be enabled per user. If enabled, logs will be stored in
+ // the 'logs///' folder.
+ //
+ // @type object
+ // @default {}
+ //
+ logs: {
+ //
+ // Timestamp format
+ //
+ // @type string
+ // @default "YYYY-MM-DD HH:mm:ss"
+ //
+ format: "YYYY-MM-DD HH:mm:ss",
+
+ //
+ // Timezone
+ //
+ // @type string
+ // @default "UTC+00:00"
+ //
+ timezone: "UTC+00:00",
+ },
+
+ //
+ // Maximum number of history lines per channel
+ //
+ // Defines the maximum number of history lines that will be kept in
+ // memory per channel/query, in order to reduce the memory usage of
+ // the server. Setting this to -1 will keep unlimited amount.
+ //
+ // @type integer
+ // @default 10000
+ maxHistory: 10000,
+
+ //
+ // Default values for the 'Connect' form.
+ //
+ // @type object
+ // @default {}
+ //
+ defaults: {
+ //
+ // Name
+ //
+ // @type string
+ // @default "Freenode"
+ //
+ name: "Freenode",
+
+ //
+ // Host
+ //
+ // @type string
+ // @default "chat.freenode.net"
+ //
+ host: "chat.freenode.net",
+
+ //
+ // Port
+ //
+ // @type int
+ // @default 6697
+ //
+ port: 6697,
+
+ //
+ // Password
+ //
+ // @type string
+ // @default ""
+ //
+ password: "",
+
+ //
+ // Enable TLS/SSL
+ //
+ // @type boolean
+ // @default true
+ //
+ tls: true,
+
+ //
+ // Nick
+ //
+ // @type string
+ // @default "lounge-user"
+ //
+ nick: "lounge-user",
+
+ //
+ // Username
+ //
+ // @type string
+ // @default "lounge-user"
+ //
+ username: "lounge-user",
+
+ //
+ // Real Name
+ //
+ // @type string
+ // @default "The Lounge User"
+ //
+ realname: "The Lounge User",
+
+ //
+ // Channels
+ // This is a comma-separated list.
+ //
+ // @type string
+ // @default "#thelounge"
+ //
+ join: "#thelounge",
+ },
+
+ //
+ // Set socket.io transports
+ //
+ // @type array
+ // @default ["polling", "websocket"]
+ //
+ transports: ["polling", "websocket"],
+
+ //
+ // Run The Lounge using encrypted HTTP/2.
+ // This will fallback to regular HTTPS if HTTP/2 is not supported.
+ //
+ // @type object
+ // @default {}
+ //
+ https: {
+ //
+ // Enable HTTP/2 / HTTPS support.
+ //
+ // @type boolean
+ // @default false
+ //
+ enable: false,
+
+ //
+ // Path to the key.
+ //
+ // @type string
+ // @example "sslcert/key.pem"
+ // @default ""
+ //
+ key: "",
+
+ //
+ // Path to the certificate.
+ //
+ // @type string
+ // @example "sslcert/key-cert.pem"
+ // @default ""
+ //
+ certificate: "",
+
+ //
+ // Path to the CA bundle.
+ //
+ // @type string
+ // @example "sslcert/bundle.pem"
+ // @default ""
+ //
+ ca: "",
+ },
+
+ //
+ // Default quit and part message if none is provided.
+ //
+ // @type string
+ // @default "The Lounge - https://thelounge.github.io"
+ //
+ leaveMessage: "The Lounge - https://thelounge.github.io",
+
+ //
+ // Run The Lounge with identd support.
+ //
+ // @type object
+ // @default {}
+ //
+ identd: {
+ //
+ // Run the identd daemon on server start.
+ //
+ // @type boolean
+ // @default false
+ //
+ enable: false,
+
+ //
+ // Port to listen for ident requests.
+ //
+ // @type int
+ // @default 113
+ //
+ port: 113,
+ },
+
+ //
+ // Enable oidentd support using the specified file
+ //
+ // Example: oidentd: "~/.oidentd.conf",
+ //
+ // @type string
+ // @default null
+ //
+ oidentd: null,
+
+ //
+ // LDAP authentication settings (only available if public=false)
+ // @type object
+ // @default {}
+ //
+ // The authentication process works as follows:
+ //
+ // 1. Lounge connects to the LDAP server with its system credentials
+ // 2. It performs a LDAP search query to find the full DN associated to the
+ // user requesting to log in.
+ // 3. Lounge tries to connect a second time, but this time using the user's
+ // DN and password. Auth is validated iff this connection is successful.
+ //
+ // The search query takes a couple of parameters in `searchDN`:
+ // - a base DN `searchDN/base`. Only children nodes of this DN will be likely
+ // to be returned;
+ // - a search scope `searchDN/scope` (see LDAP documentation);
+ // - the query itself, build as (&(=) )
+ // where is the user name provided in the log in request,
+ // is provided by the config and is a filtering complement
+ // also given in the config, to filter for instance only for nodes of type
+ // inetOrgPerson, or whatever LDAP search allows.
+ //
+ // Alternatively, you can specify the `bindDN` parameter. This will make the lounge
+ // ignore searchDN options and assume that the user DN is always:
+ // ,=
+ // where is the user name provided in the log in request, and
+ // and are provided by the config.
+ //
+ ldap: {
+ //
+ // Enable LDAP user authentication
+ //
+ // @type boolean
+ // @default false
+ //
+ enable: true,
+
+ //
+ // LDAP server URL
+ //
+ // @type string
+ //
+ url: "ldap://{{ ldap.domain }}",
+
+ //
+ // LDAP connection tls options (only used if scheme is ldaps://)
+ //
+ // @type object (see nodejs' tls.connect() options)
+ // @default {}
+ //
+ // Example:
+ // You can use this option in order to force the use of IPv6:
+ // {
+ // host: 'my::ip::v6',
+ // servername: 'example.com'
+ // }
+ tlsOptions: {},
+
+ //
+ // LDAP base dn, alternative to searchDN
+ //
+ // @type string
+ //
+ baseDN: "{{ ldap_dn }}",
+
+ //
+ // LDAP primary key
+ //
+ // @type string
+ // @default "uid"
+ //
+ primaryKey: "uid",
+
+ //
+ // LDAP search dn settings. This defines the procedure by which the
+ // lounge first look for user DN before authenticating her.
+ // Ignored if baseDN is specified
+ //
+ // @type object
+ //
+ searchDN: {
+
+ //
+ // LDAP searching bind DN
+ // This bind DN is used to query the server for the DN of the user.
+ // This is supposed to be a system user that has access in read only to
+ // the DNs of the people that are allowed to log in.
+ //
+ // @type string
+ //
+ rootDN: "",
+
+ //
+ // Password of the lounge LDAP system user
+ //
+ // @type string
+ //
+ rootPassword: "",
+
+ //
+ // LDAP filter
+ //
+ // @type string
+ // @default "uid"
+ //
+ filter: "uid",
+
+ //
+ // LDAP search base (search only within this node)
+ //
+ // @type string
+ //
+ base: "",
+
+ //
+ // LDAP search scope
+ //
+ // @type string
+ // @default "sub"
+ //
+ scope: "sub",
+
+ },
+ },
+
+ // Extra debugging
+ //
+ // @type object
+ // @default {}
+ //
+ debug: {
+ // Enables extra debugging output provided by irc-framework.
+ //
+ // @type boolean
+ // @default false
+ //
+ ircFramework: false,
+
+ // Enables logging raw IRC messages into each server window.
+ //
+ // @type boolean
+ // @default false
+ //
+ raw: false,
+ },
+};
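Review bot: `url: "ldap://{{ ldap.domain }}"` makes The Lounge do a plaintext LDAP simple bind with each user's password at login, even though the openldap task in this same commit sets `LDAP_TLS: "true"` and publishes port 636; change it to `url: "ldaps://{{ ldap.domain }}"` and, if the directory's certificate is self-signed, point `tlsOptions` at that CA rather than disabling verification. As far as I can tell `ldap.domain` also resolves through public DNS to the host's published 389/636 instead of across the shared `ldap` docker network, where the container is reachable by its container name `openldap` — worth confirming which path is intended. Separately, `reverseProxy: false` while the service sits behind nginx-proxy means every client is seen as the proxy's address; set `reverseProxy: true` so X-Forwarded-For is honoured. Note this file is rendered with Ansible's `template` module, so the `{{ }}` placeholders are Jinja and the file is not valid JavaScript until rendered — a header comment saying so would help.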
diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml
index 642fc085..45c9233e 100644
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@@ -4,8 +4,5 @@
 name: external_services
 - name: setup services
- docker_service:
- project_name: "{{ item }}"
- definition:
- "{{ lookup('file', 'composefiles/{{ item }}.yml') | from_yaml }}"
+ include_tasks: "services/{{ item }}.yml"
 with_items: "{{ services }}"
diff --git a/roles/docker/tasks/services/fider.yml b/roles/docker/tasks/services/fider.yml
new file mode 100644
index 00000000..6fee7ec2
--- /dev/null
+++ b/roles/docker/tasks/services/fider.yml
@@ -0,0 +1,48 @@
+---
+
+- name: fider network
+ docker_network:
+ name: fider
+
+- name: fider database volume
+ docker_volume:
+ name: fider_db
+
+- name: fider database container
+ docker_container:
+ name: fider_db
+ image: postgres:10
+ state: started
+ restart_policy: always
+ networks:
+ - name: fider
+ volumes:
+ - fider_db:/var/lib/postgresql/data
+ env:
+ POSTGRES_DB: somethingelse
+ POSTGRES_USER: fider
+ POSTGRES_PASSWORD: "{{ postgres_passwords.fider }}"
+
+- name: fider app container
+ docker_container:
+ image: getfider/fider:stable
+ restart_policy: always
+ published_ports:
+ - "9999:3000"
+ networks:
+ - name: fider
+ - name: external_services
+ env:
+ GO_ENV: production
+ DATABASE_URL: postgres://fider:{{ postgres_passwords.fider }}@fider_db:5432/fider?sslmode=disable
+ JWT_SECRET: "{{ fider_jwt_secret }}"
+
+ EMAIL_NOREPLY: noreply@{{ fider.domain }}
+ EMAIL_SMTP_HOST: "{{ smtp_host }}"
+ EMAIL_SMTP_PORT: "{{ smtp_port }}"
+ EMAIL_SMTP_USERNAME: "{{ smtp_username }}"
+ EMAIL_SMTP_PASSWORD: "{{ smtp_password }}"
+
+ VIRTUAL_HOST: "{{ fider.domain }}"
+ LETSENCRYPT_HOST: "{{ fider.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email}}"
diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml
new file mode 100644
index 00000000..4d08c26d
--- /dev/null
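Review bot: The "fider app container" task has no `name:`, which `docker_container` requires, so the play stops before the app is created; add `name: fider` under `docker_container:`. The database is created as `POSTGRES_DB: somethingelse` while `DATABASE_URL` connects to `.../fider_db:5432/fider`, a database that will never exist — set `POSTGRES_DB: fider` (the same placeholder is repeated in the other postgres tasks). `published_ports: - "9999:3000"` also exposes the app over plain HTTP on every host interface next to the TLS vhost; nginx-proxy reaches the container over `external_services`, so drop the publish or bind it to `"127.0.0.1:9999:3000"`.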
+++ b/roles/docker/tasks/services/gitea.yml
@@ -0,0 +1,50 @@
+---
+
+- name: gitea network
+ docker_network:
+ name: gitea
+
+- name: gitea app volume
+ docker_volume:
+ name: gitea
+
+- name: gitea database volume
+ docker_volume:
+ name: gitea_db
+
+- name: gitea database container
+ docker_container:
+ name: gitea_db
+ image: postgres:10
+ state: started
+ restart_policy: always
+ networks:
+ - name: gitea
+ volumes:
+ - gitea_db:/var/lib/postgresql/data
+ env:
+ POSTGRES_DB: somethingelse
+ POSTGRES_USER: gitea
+ POSTGRES_PASSWORD: "{{ postgres_passwords.gitea }}"
+
+- name: gitea container
+ docker_container:
+ name: gitea
+ image: gitea/gitea:latest
+ restart_policy: always
+ networks:
+ - name: gitea
+ - name: external_services
+ volumes:
+ - gitea:/data
+ published_ports:
+ - "3000:3000"
+ - "222:22"
+ env:
+ VIRTUAL_HOST: "{{ gitea.domain }}"
+ LETSENCRYPT_HOST: "{{ gitea.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ POSTGRES_HOST: gitea_db
+ POSTGRES_DB: gitea
+ POSTGRES_USER: gitea
+ POSTGRES_PASSWORD: "{{ postgres_passwords.gitea }}"
diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml
new file mode 100644
index 00000000..396ec65a
--- /dev/null
+++ b/roles/docker/tasks/services/nextcloud.yml
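Review bot: The gitea container is handed `POSTGRES_HOST`/`POSTGRES_DB`/`POSTGRES_USER`/`POSTGRES_PASSWORD`, but as far as I know the `gitea/gitea` image reads `DB_TYPE`, `DB_HOST`, `DB_NAME`, `DB_USER` and `DB_PASSWD` (with `DB_HOST: gitea_db:5432`), so these values are ignored and the first visitor to the install page chooses the database settings — verify against the image documentation. The database container also creates `POSTGRES_DB: somethingelse` while the app expects a database called `gitea`; use `POSTGRES_DB: gitea`. `published_ports: - "3000:3000"` exposes plain-HTTP Gitea on the host alongside the TLS vhost; only `"222:22"` needs publishing since nginx-proxy reaches the container over `external_services`. `image: gitea/gitea:latest` should be pinned to a release tag so a rerun of the play cannot silently upgrade the instance.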
@@ -0,0 +1,50 @@
+---
+
+- name: nextcloud network
+ docker_network:
+ name: nextcloud
+
+- name: nextcloud database volume
+ docker_volume:
+ name: nextcloud_db
+
+- name: nextcloud database container
+ docker_container:
+ name: nextcloud_db
+ image: postgres:10
+ state: started
+ restart_policy: always
+ networks:
+ - name: nextcloud
+ volumes:
+ - nextcloud_db:/var/lib/postgresql/data
+ env:
+ POSTGRES_DB: somethingelse
+ POSTGRES_USER: nextcloud
+ POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+
+- name: nextcloud app volume
+ docker_volume:
+ name: nextcloud_app
+
+- name: nextcloud app container
+ docker_container:
+ name: nextcloud_app
+ image: nextcloud:apache
+ state: started
+ restart_policy: always
+ networks:
+ - name: nextcloud
+ - name: external_services
+ volumes:
+ - nextcloud_app:/var/www/html
+ published_ports:
+ - "80"
+ env:
+ VIRTUAL_HOST: "{{ nextcloud.domain }}"
+ LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+ POSTGRES_HOST: nextcloud_db
+ POSTGRES_DB: nextcloud
+ POSTGRES_USER: nextcloud
+ POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
diff --git a/roles/docker/files/composefiles/nginx-proxy.yml b/roles/docker/tasks/services/nginx-proxy.yml
similarity index 55%
rename from roles/docker/files/composefiles/nginx-proxy.yml
rename to roles/docker/tasks/services/nginx-proxy.yml
index 32b9db27..a97edd28 100644
--- a/roles/docker/files/composefiles/nginx-proxy.yml
+++ b/roles/docker/tasks/services/nginx-proxy.yml
@@ -1,14 +1,24 @@
 ---
-version: '3'
-services:
+- docker_volume:
+ name: "{{ volume }}"
+ with_items:
+ - conf
+ - vhost
+ - html
+ - dhparam
+ - certs
+ loop_control:
+ loop_var: volume
- nginx-proxy:
+- name: nginx proxy container
+ docker_container:
+ name: nginx-proxy
 image: jwilder/nginx-proxy
- container_name: nginx-proxy
+ restart_policy: always
 networks:
- - external_services
- ports:
+ - name: external_services
+ published_ports:
 - "80:80"
 - "443:443"
 volumes:
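Review bot: `POSTGRES_DB: somethingelse` on the database container does not match the `POSTGRES_DB: nextcloud` the app container is told to use, so the Nextcloud installer will fail to connect; set both to `nextcloud`. `published_ports: - "80"` maps the container's port 80 to a random host port, exposing the app over plain HTTP outside the TLS vhost for no benefit — nginx-proxy reaches it over `external_services`, so remove the publish. Because the vhost is only known to the proxy, also consider `NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud.domain }}"` in `env` if the pinned image version supports it, so the proxied hostname is accepted without a manual config edit.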
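Review bot: The five volumes are now created with bare global names (`conf`, `vhost`, `html`, `dhparam`, `certs`) instead of the `nginx-proxy_`-prefixed names compose gave them, and `certs` holds the TLS private keys; a collision with another task that names a volume `certs` would silently share that data. Prefix them, e.g. `name: "nginx-proxy_{{ volume }}"`, and reference the same names in the container's `volumes:` list. The first task also lacks a `name:` for the play output; `- name: nginx proxy volumes` keeps it consistent with the other tasks. `image: jwilder/nginx-proxy` is untagged and this container gets the Docker socket, so pin a tag or digest.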
@@ -18,32 +28,17 @@ services:
 - dhparam:/etc/nginx/dhparam
 - certs:/etc/nginx/certs:ro
 - /var/run/docker.sock:/tmp/docker.sock:ro
- restart: always
-
- letsencrypt:
+- name: nginx letsencrypt container
+ docker_container:
+ name: nginx-proxy-le
 image: jrcs/letsencrypt-nginx-proxy-companion
- container_name: nginx-proxy-le
- depends_on:
- - nginx-proxy
+ restart_policy: always
 volumes:
 - vhost:/etc/nginx/vhost.d
 - html:/usr/share/nginx/html
 - dhparam:/etc/nginx/dhparam:ro
 - certs:/etc/nginx/certs
 - /var/run/docker.sock:/var/run/docker.sock:ro
- environment:
- - NGINX_PROXY_CONTAINER=nginx-proxy
- restart: always
-
-volumes:
- conf:
- vhost:
- html:
- dhparam:
- certs:
-
-networks:
- external_services:
- external: true
-
+ env:
+ NGINX_PROXY_CONTAINER: nginx-proxy
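Review bot: `image: jrcs/letsencrypt-nginx-proxy-companion` carries no tag, yet this container mounts `/var/run/docker.sock` and writes the `certs` volume that holds the private keys; the `:ro` on the bind mount only protects the socket file, not the Docker API behind it, so whatever `latest` resolves to at play time is effectively root on the host. Pin it, e.g. `image: jrcs/letsencrypt-nginx-proxy-companion:<release>`, and do the same for `jwilder/nginx-proxy` in the previous hunk. Also note that the ordering guarantee `depends_on` gave (proxy before companion) is now implicit in task order; a comment above `- name: nginx letsencrypt container` saying it must run after the proxy task would preserve that intent.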
@@ -1,18 +1,34 @@
-version: '3'
-services:
- openldap:
+---
+
+- name: Create a network for ldap
+ docker_network:
+ name: ldap
+
+- name: openLDAP container
+ docker_container:
+ name: openldap
 image: osixia/openldap:1.2.2
- container_name: openldap
- environment:
+ tty: true
+ interactive: true
+ volumes:
+ - /var/lib/ldap
+ - /etc/ldap/slapd.d
+ - /container/service/slapd/assets/certs/
+ published_ports:
+ - "389:389"
+ - "636:636"
+ hostname: "{{ ldap.domain }}"
+ domainname: "{{ ldap.domain }}" # important: same as hostname
+ networks:
+ - name: ldap
+ env:
 LDAP_LOG_LEVEL: "256"
- LDAP_ORGANISATION: "data.coop"
- LDAP_DOMAIN: "data.coop"
+ LDAP_ORGANISATION: "{{ base_domain }}"
+ LDAP_DOMAIN: "{{ base_domain }}"
 LDAP_BASE_DN: ""
- LDAP_ADMIN_PASSWORD: "admin"
- LDAP_CONFIG_PASSWORD: "config"
- LDAP_READONLY_USER: "true"
- LDAP_READONLY_USER_USERNAME: "readonly"
- LDAP_READONLY_USER_PASSWORD: "readonly"
+ LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
+ LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
+ LDAP_READONLY_USER: "false"
 LDAP_RFC2307BIS_SCHEMA: "false"
 LDAP_BACKEND: "mdb"
 LDAP_TLS: "true"
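Review bot: The three `volumes:` entries are anonymous volumes, and `docker_container` recreates the container whenever its definition changes (image, env, ports, hostname), which detaches them and bootstraps an empty directory from the `LDAP_*` variables — every user account would be lost on the next config tweak. Create named volumes with `docker_volume` as the other tasks do and mount them explicitly, e.g. `- ldap_data:/var/lib/ldap`, `- ldap_config:/etc/ldap/slapd.d`, `- ldap_certs:/container/service/slapd/assets/certs`. `published_ports: "389:389"`/`"636:636"` binds plaintext and TLS LDAP on every host interface although both consumers (`thelounge`, `phpldapadmin`) sit on the `ldap` network; drop the publish, or bind to `"127.0.0.1:636:636"` if an admin tool on the host needs it. Moving the admin and config passwords out of the compose file is the right direction, but they are still passed as container `env`, readable by anything that can `docker inspect` — including the two proxy containers holding the Docker socket.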
@@ -27,35 +43,19 @@ services:
 KEEP_EXISTING_CONFIG: "false"
 LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
 LDAP_SSL_HELPER_PREFIX: "ldap"
- tty: true
- stdin_open: true
- volumes:
- - /var/lib/ldap
- - /etc/ldap/slapd.d
- - /container/service/slapd/assets/certs/
- ports:
- - "389:389"
- - "636:636"
- domainname: "ldap.data.coop" # important: same as hostname
- hostname: "ldap.data.coop"
- networks:
- - external_services
- phpldapadmin:
+- name: phpLDAPadmin container
+ docker_container:
+ name: phpldapadmin
 image: osixia/phpldapadmin:latest
- container_name: phpldapadmin
- environment:
+ networks:
+ - name: external_services
+ - name: ldap
+ env:
 PHPLDAPADMIN_LDAP_HOSTS: "openldap"
 PHPLDAPADMIN_HTTPS: "false"
 PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
- VIRTUAL_HOST: ldap.data.coop
- LETSENCRYPT_HOST: ldap.data.coop
- LETSENCRYPT_EMAIL: valberg@orn.li
- depends_on:
- - openldap
- networks:
- - external_services
-networks:
- external_services:
- external: true
+ VIRTUAL_HOST: "{{ ldap.domain }}"
+ LETSENCRYPT_HOST: "{{ ldap.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml
new file mode 100644
index 00000000..9ea5df64
--- /dev/null
+++ b/roles/docker/tasks/services/passit.yml
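Review bot: phpLDAPadmin is given a public vhost (`VIRTUAL_HOST: "{{ ldap.domain }}"`) with no access restriction, so the directory's admin login — accepting the `LDAP_ADMIN_PASSWORD` configured in the previous hunk — is reachable by anyone on the internet and becomes an online password-guessing target. nginx-proxy can gate a vhost with an `htpasswd/<vhost>` file or a `vhost.d/<vhost>` snippet with an `allow`/`deny` list, so add one of those, or take the container off `external_services` and reach it over an SSH port-forward instead. `image: osixia/phpldapadmin:latest` should be pinned the way `osixia/openldap:1.2.2` is. `PHPLDAPADMIN_HTTPS: "false"` together with `PHPLDAPADMIN_TRUST_PROXY_SSL: "true"` is the right combination behind the TLS-terminating proxy.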
@@ -0,0 +1,46 @@
+---
+
+- name: passit network
+ docker_network:
+ name: passit
+
+- name: passit database volume
+ docker_volume:
+ name: passit_db
+
+- name: passit database container
+ docker_container:
+ name: passit_db
+ image: postgres:10
+ state: started
+ restart_policy: always
+ networks:
+ - name: passit
+ volumes:
+ - passit_db:/var/lib/postgresql/data
+ env:
+ POSTGRES_DB: somethingelse
+ POSTGRES_USER: passit
+ POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
+
+- name: passit app container
+ docker_container:
+ image: passit/passit:stable
+ command: bin/start.sh
+ restart_policy: always
+ published_ports:
+ - "8000:8080"
+ networks:
+ - name: passit
+ - name: external_services
+ env:
+ DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@db:5432/passit"
+ SECRET_KEY: "{{ passit_secret_key }}"
+ IS_DEBUG: 'False'
+ EMAIL_URL: smtp://{{ smtp_user }}:{{ smtp_password }}@{{ smtp_host }}:{{ smtp_port}}
+ DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
+ EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
+
+ VIRTUAL_HOST: "{{ passit.domain }}"
+ LETSENCRYPT_HOST: "{{ passit.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
diff --git a/roles/docker/tasks/services/thelounge.yml b/roles/docker/tasks/services/thelounge.yml
new file mode 100644
index 00000000..8b0de528
--- /dev/null
+++ b/roles/docker/tasks/services/thelounge.yml
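Review bot: `DATABASE_URL` points at host `db`, but the database container created above is named `passit_db` and nothing on the `passit` network answers to `db`, so the app cannot connect; use `@passit_db:5432/passit` and set `POSTGRES_DB: passit` on the database container, since `somethingelse` means the `passit` database is never created. The app task also has no `name:`, which `docker_container` requires, so add `name: passit`. `EMAIL_URL` reads `smtp_user` whereas fider.yml reads `smtp_username` — one of the two is undefined — and a password containing URL-reserved characters breaks the unescaped URL, so build it as `smtp://{{ smtp_username | urlencode }}:{{ smtp_password | urlencode }}@{{ smtp_host }}:{{ smtp_port }}`. `published_ports: - "8000:8080"` exposes a password manager over plain HTTP on every host interface; remove it and let nginx-proxy reach the container over `external_services`.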
@@ -0,0 +1,27 @@
+---
+
+- name: thelounge volume
+ docker_volume:
+ name: thelounge
+
+- name: upload thelounge config
+ template:
+ src: files/configs/thelounge.js
+ dest: /var/lib/docker/volumes/thelounge/_data/config.js
+
+- name: thelounge container
+ docker_container:
+ name: thelounge
+ image: thelounge/lounge:latest
+ restart_policy: always
+ published_ports:
+ - "9000:9000"
+ volumes:
+ - thelounge:/home/lounge/data
+ networks:
+ - name: external_services
+ - name: ldap
+ env:
+ VIRTUAL_HOST: "{{ thelounge.domain }}"
+ LETSENCRYPT_HOST: "{{ thelounge.domain }}"
+ LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
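Review bot: `published_ports: - "9000:9000"` exposes The Lounge's login form over plain HTTP on every host interface, and with LDAP authentication enabled in the templated config those are users' directory passwords travelling in the clear to anyone who connects to port 9000 instead of the TLS vhost; remove the publish, since nginx-proxy reaches the container over `external_services`. Writing the config with `template` to `/var/lib/docker/volumes/thelounge/_data/config.js` reaches into Docker's private storage path and only works with the local volume driver on this host; a bind mount such as `- /srv/thelounge:/home/lounge/data` with the template written to `/srv/thelounge/config.js` makes the path explicit, and the template task should set `mode: "0640"`. `image: thelounge/lounge:latest` is untagged and, as far as I know, the superseded image name — pin a release. The `ldap` network joined here is created by the openldap task, so this include depends on the playbook listing `openldap` before `thelounge`; a comment on the `- name: ldap` line would record that.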