From a4a06d8a58bc63d635351875ebd7609178a44a4d Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 18:59:00 +0100 Subject: [PATCH 01/22] Upgrade Watchtower and disable filter by enable label --- roles/docker/tasks/services/watchtower.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index 586ce24..c5c63eb 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,13 +2,12 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:1.4.0 + image: containrrr/watchtower:latest restart_policy: unless-stopped + env: + WATCHTOWER_POLL_INTERVAL: 60 networks: - name: external_services volumes: - /var/run/docker.sock:/var/run/docker.sock - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" - env: - WATCHTOWER_LABEL_ENABLE: "true" - WATCHTOWER_POLL_INTERVAL: "60" \ No newline at end of file From 5d26e1cdea7f9a24edcda4d1aaf1fd3f34626eab Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 20:57:15 +0100 Subject: [PATCH 02/22] Fix mount point for Watchtower The auth file created by the registry login task doesn't need to be stored in a non-default path. --- roles/docker/tasks/services/docker_registry.yml | 3 +-- roles/docker/tasks/services/watchtower.yml | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/docker/tasks/services/docker_registry.yml b/roles/docker/tasks/services/docker_registry.yml index 975db50..a88a707 100644 --- a/roles/docker/tasks/services/docker_registry.yml +++ b/roles/docker/tasks/services/docker_registry.yml 
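Review bot: `WATCHTOWER_POLL_INTERVAL: 60` in the new `env:` block drops the quotes the removed line had, so YAML hands `docker_container` an integer, and the module rejects non-string `env` values — keep it as `WATCHTOWER_POLL_INTERVAL: "60"`. Removing `WATCHTOWER_LABEL_ENABLE` also widens Watchtower from opted-in containers to every container reachable through the mounted Docker socket, so any mutable tag on the host is now redeployed on the next poll without a human step; that is the stated intent, but it makes pinning every other image a precondition rather than a nicety. The updater itself is `containrrr/watchtower:latest` here, so it too can change under the same rule.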
@@ -28,9 +28,8 @@ args: creates: "{{ docker_registry.volume_folder }}/auth/htpasswd" -- name: log in to local registry +- name: log in to registry docker_login: registry: "{{ docker_registry.domain }}" username: "docker" password: "{{ docker_password }}" - config_path: "{{ docker_registry.volume_folder }}/auth/config.json" diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index c5c63eb..e6afd3d 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -9,5 +9,5 @@ networks: - name: external_services volumes: - - /var/run/docker.sock:/var/run/docker.sock - - "{{ docker_registry.volume_folder }}/auth/config.json:/config.json" + - "/var/run/docker.sock:/var/run/docker.sock" + - "/root/.docker/config.json:/config.json:ro" From 27b918b46b010d4eb6aee151695fc8b540a0c2b4 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Fri, 18 Nov 2022 21:07:12 +0100 Subject: [PATCH 03/22] Remove labels --- roles/docker/tasks/services/membersystem.yml | 2 -- roles/docker/tasks/services/netdata.yml | 5 ----- roles/docker/tasks/services/rallly.yml | 4 ---- roles/docker/tasks/services/ulovliglogning-dk.yml | 2 -- roles/docker/tasks/services/websites.yml | 13 ------------- 5 files changed, 26 deletions(-) diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index b214abb..66a26b0 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -33,8 +33,6 @@ CSRF_TRUSTED_ORIGINS: "https://{{ membersystem.domain }}" DJANGO_ADMINS: "{{ membersystem.django_admins }}" DEFAULT_FROM_EMAIL: "noreply@{{ membersystem.domain }}" - labels: - com.centurylinklabs.watchtower.enable: "true" postgres: image: postgres:13-alpine diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml index c1eb396..5edcb6c 100644 --- a/roles/docker/tasks/services/netdata.yml 
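Review bot: Dropping `config_path` makes `docker_login` write to the default `~/.docker/config.json` of whichever user the task runs as, while the watchtower.yml hunk in this same commit hard-codes `/root/.docker/config.json` on the host side; the two only line up when the play runs as root, and if that file does not exist Docker's bind-mount handling typically creates an empty directory at the path rather than failing, so Watchtower would silently lose registry auth. Deriving both locations from one variable (or keeping an explicit `config_path`) removes the coupling. Note also that the mounted file carries credentials for every registry the host is logged in to, not only the local one, so keeping that file's scope minimal matters more now that Watchtower updates all containers; the `:ro` flag is the right call.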
+++ b/roles/docker/tasks/services/netdata.yml @@ -1,5 +1,4 @@ --- - - name: setup netdata docker container for system monitoring docker_container: name: netdata @@ -21,7 +20,3 @@ LETSENCRYPT_HOST: "{{ netdata.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" PGID: "999" - labels: - com.centurylinklabs.watchtower.enable: "true" - - diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index c5576f5..c083251 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -31,8 +31,6 @@ interval: 5s timeout: 5s retries: 5 - labels: - com.centurylinklabs.watchtower.enable: "true" rallly: image: "lukevella/rallly:latest" @@ -51,8 +49,6 @@ VIRTUAL_PORT: "3000" LETSENCRYPT_HOST: "{{ rallly.domain }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" networks: rallly_internal: diff --git a/roles/docker/tasks/services/ulovliglogning-dk.yml b/roles/docker/tasks/services/ulovliglogning-dk.yml index 0258df6..9b57bbb 100644 --- a/roles/docker/tasks/services/ulovliglogning-dk.yml +++ b/roles/docker/tasks/services/ulovliglogning-dk.yml @@ -9,5 +9,3 @@ VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml index 8c1b793..8938e2d 100644 --- a/roles/docker/tasks/services/websites.yml +++ b/roles/docker/tasks/services/websites.yml @@ -11,9 +11,6 @@ VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - - name: setup new data.coop website using hugo docker_container: 
@@ -26,8 +23,6 @@ VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup new-new data.coop website using unipi docker_container: @@ -47,8 +42,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup 2022.slides.data.coop website using unipi docker_container: @@ -68,8 +61,6 @@ - NET_ADMIN devices: - "/dev/net/tun" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptohagen.dk website docker container docker_container: @@ -82,8 +73,6 @@ VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" - name: setup cryptoaarhus.dk website docker container docker_container: @@ -96,5 +85,3 @@ VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}" LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}" - labels: - com.centurylinklabs.watchtower.enable: "true" From e5dcfea003226494b402bb6fc434f73c98858498 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 19 Nov 2022 18:19:43 +0100 Subject: [PATCH 04/22] Pin Watchtower version --- roles/docker/tasks/services/watchtower.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml index e6afd3d..370219a 100644 --- a/roles/docker/tasks/services/watchtower.yml +++ b/roles/docker/tasks/services/watchtower.yml @@ -2,7 +2,7 @@ - name: watchtower container docker_container: name: watchtower - image: containrrr/watchtower:latest + image: containrrr/watchtower:amd64-1.5.1 restart_policy: unless-stopped env: WATCHTOWER_POLL_INTERVAL: 60 
From c9ab9f0c66ec3c78a6b6865d565a3cb5bc6551c3 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 19 Nov 2022 18:20:10 +0100
Subject: [PATCH 05/22] Watchtower doesn't need external_services network
---
roles/docker/tasks/services/watchtower.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/roles/docker/tasks/services/watchtower.yml b/roles/docker/tasks/services/watchtower.yml
index 370219a..6a03679 100644
--- a/roles/docker/tasks/services/watchtower.yml
+++ b/roles/docker/tasks/services/watchtower.yml
@@ -6,8 +6,6 @@
 restart_policy: unless-stopped
 env:
 WATCHTOWER_POLL_INTERVAL: 60
- networks:
- - name: external_services
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock"
 - "/root/.docker/config.json:/config.json:ro"
From d9de1efc9af680491cb66963c3294a1d611e54d2 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Wed, 23 Nov 2022 20:02:30 +0100
Subject: [PATCH 06/22] Pin Gitea to 1.17 instead of 1.17.3
Gitea's "minor" version change seems to be the one that occasionally introduces breaking changes, so let's not update that automatically. Only keep the patch-releases automatically updated.
---
roles/docker/tasks/services/gitea.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/docker/tasks/services/gitea.yml b/roles/docker/tasks/services/gitea.yml
index aeffae1..1b1efdc 100644
--- a/roles/docker/tasks/services/gitea.yml
+++ b/roles/docker/tasks/services/gitea.yml
@@ -7,7 +7,7 @@
 - name: gitea container
 docker_container:
 name: gitea
- image: gitea/gitea:1.17.3
+ image: gitea/gitea:1.17
 restart_policy: unless-stopped
 networks:
 - name: gitea
From 1f619096054d4be4001f3f4181acce83792225f1 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:16:36 +0100 Subject: [PATCH 07/22] Pin HedgeDoc to major version 1 From https://docs.hedgedoc.org/setup/getting-started/#upgrading-hedgedoc > HedgeDoc follows [Semantic Versioning](https://semver.org/). > This means that minor and patch releases should not introduce > user-facing backwards-incompatible changes. --- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index ea7b38d..96e82dc 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -34,7 +34,7 @@ - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:1.9.0 + image: quay.io/hedgedoc/hedgedoc:1 environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ hedgedoc.domain }}" @@ -63,4 +63,4 @@ networks: hedgedoc: external_services: - external: true \ No newline at end of file + external: true From 9261cb1952846052934e5c7daa4ddd8e3d5c9c31 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 23 Nov 2022 20:34:43 +0100 Subject: [PATCH 08/22] Pin Keycoak to 20.0 (minor version) --- roles/docker/tasks/services/keycloak.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 26a5661..b1169ae 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -19,7 +19,7 @@ POSTGRES_DB: "keycloak" app: - image: "quay.io/keycloak/keycloak:20.0.1" + image: "quay.io/keycloak/keycloak:20.0" restart: "unless-stopped" networks: - "keycloak" From 687bff35e9c90eebb4dfff496d280dd514235ea4 Mon Sep 17 00:00:00 2001 
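Review bot: The `quay.io/hedgedoc/hedgedoc:1` tag should be verified against the registry before this lands; patch 21 of this series records that the `:1` tag does not exist, so as written the compose stack cannot pull and the service stays on whatever image is already cached, with no error surfacing until someone looks. A major-only tag also allows minor upgrades through Watchtower, which is a wider window than the per-minor pins chosen for Gitea and Keycloak elsewhere in the series; if the registry publishes a minor-version tag, that would match the convention.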
From: Sam Al-Sapti
Date: Wed, 23 Nov 2022 21:00:48 +0100
Subject: [PATCH 09/22] Pin netdata to v1
---
roles/docker/tasks/services/netdata.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/docker/tasks/services/netdata.yml b/roles/docker/tasks/services/netdata.yml
index 5edcb6c..3b2a466 100644
--- a/roles/docker/tasks/services/netdata.yml
+++ b/roles/docker/tasks/services/netdata.yml
@@ -2,7 +2,7 @@
 - name: setup netdata docker container for system monitoring
 docker_container:
 name: netdata
- image: netdata/netdata
+ image: netdata/netdata:v1
 restart_policy: unless-stopped
 hostname: "hevonen.servers.{{ base_domain }}"
 capabilities:
From 221ddd987fa68b065d6d7250bd2a1ded03da9580 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Wed, 23 Nov 2022 21:05:01 +0100
Subject: [PATCH 10/22] Upgrade Postfix to 3.5.1 and use Alpine-based image
---
roles/docker/tasks/services/postfix.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/docker/tasks/services/postfix.yml b/roles/docker/tasks/services/postfix.yml
index 9fb9ce8..8b7e77e 100644
--- a/roles/docker/tasks/services/postfix.yml
+++ b/roles/docker/tasks/services/postfix.yml
@@ -10,7 +10,7 @@
 - name: setup postfix docker container for outgoing mail
 docker_container:
 name: postfix
- image: boky/postfix:v3.5.0
+ image: boky/postfix:v3.5.1-alpine
 restart_policy: always
 networks:
 - name: postfix
From 74dfcfb5e8043344f80d8c10a5b04df47766a1fc Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Wed, 23 Nov 2022 21:09:05 +0100
Subject: [PATCH 11/22] Keycloak: avoid very long lines :(
---
roles/docker/tasks/services/keycloak.yml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml
index b1169ae..ac1f673 100644
--- a/roles/docker/tasks/services/keycloak.yml
+++ b/roles/docker/tasks/services/keycloak.yml
@@ -25,7 +25,16 @@
 - "keycloak"
 - "postfix"
 - "external_services"
- command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth"
+ command:
+ - "start"
+ - "--db=postgres"
+ - "--db-url=jdbc:postgresql://postgres:5432/keycloak"
+ - "--db-username=keycloak"
+ - "--db-password={{ postgres_passwords.keycloak }}"
+ - "--hostname={{ keycloak.domain }}"
+ - "--proxy=edge"
+ - "--https-port=8080"
+ - "--http-relative-path=/auth"
 environment:
 VIRTUAL_HOST: "{{ keycloak.domain }}"
 VIRTUAL_PORT: "8080"
From 2c9c501562e954f0e033857f5cda7e73be29e9f0 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Tue, 6 Dec 2022 18:06:31 +0100
Subject: [PATCH 12/22] Remove label from Pinafore
---
roles/docker/tasks/services/pinafore.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/roles/docker/tasks/services/pinafore.yml b/roles/docker/tasks/services/pinafore.yml
index a275f3a..eadb99b 100644
--- a/roles/docker/tasks/services/pinafore.yml
+++ b/roles/docker/tasks/services/pinafore.yml
@@ -10,5 +10,3 @@
 VIRTUAL_PORT: "4002"
 LETSENCRYPT_HOST: "{{ services.pinafore.domain }}"
 LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
- labels:
- com.centurylinklabs.watchtower.enable: "true"
From d6ce46e2f2383dec13bd9bdee4a8f0cb153df72e Mon Sep 17 00:00:00 2001
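Review bot: The reformatted `command:` list still carries `--db-password={{ postgres_passwords.keycloak }}` as a process argument, so the database secret is readable from `docker inspect`, from the container's process list, and from any compose output Ansible logs on failure. Keycloak reads the same settings from the environment (`KC_DB_PASSWORD`, and likewise `KC_DB_URL`, `KC_DB_USERNAME`, `KC_HOSTNAME`), so the password can move into the `environment:` block that follows in the hunk and the argument be dropped. This was not introduced by the commit, but a rewrite of the command line is the natural moment to fix it.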
From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:19:07 +0100 Subject: [PATCH 13/22] Collect even more version numbers in docker/defaults/main.yml --- roles/docker/defaults/main.yml | 11 +++++++++++ roles/docker/tasks/services/drone.yml | 4 ++-- roles/docker/tasks/services/hedgedoc.yml | 4 ++-- roles/docker/tasks/services/keycloak.yml | 3 +-- roles/docker/tasks/services/mastodon.yml | 4 ++-- roles/docker/tasks/services/matrix_riot.yml | 6 +++--- roles/docker/tasks/services/membersystem.yml | 4 ++-- roles/docker/tasks/services/nextcloud.yml | 4 ++-- roles/docker/tasks/services/passit.yml | 2 +- roles/docker/tasks/services/rallly.yml | 2 +- 10 files changed, 27 insertions(+), 17 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 9779f1e..a7bc1d3 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -42,6 +42,7 @@ services: domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" version: "20.0" + postgres_version: 10 allowed_sender_domain: true restic: @@ -67,6 +68,8 @@ services: domain: "cloud.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud" version: 25-apache + postgres_version: 10 + redis_version: 7-alpine allowed_sender_domain: true gitea: @@ -81,6 +84,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable + postgres_version: 10 allowed_sender_domain: true matrix: @@ -88,6 +92,7 @@ services: domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.63.1 + postgres_version: 10 allowed_sender_domain: true riot: @@ -113,6 +118,7 @@ services: domain: "pad.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/hedgedoc" version: 1.9.6 + postgres_version: 10-alpine data_coop_website: file: websites/data.coop.yml 
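Review bot: The new `postgres_version: 10` values in the keycloak hunk and in the nextcloud, passit and matrix hunks that follow are bare YAML integers; they happen to render as `10`, but the pattern breaks as soon as a tag such as `14.10` or `1.10` is written (loaded as a float and rendered as `14.1`/`1.1`), and the file already mixes forms — `version: "20.0"` sits two lines above. Quote every image-tag value, e.g. `postgres_version: "10"`, so the type never depends on the tag's spelling; patch 18 later does exactly this for these four keys.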
@@ -168,6 +174,8 @@ services: domain: "social.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/mastodon" version: v4.0.2 + postgres_version: 14-alpine + redis_version: 6-alpine allowed_sender_domain: true rallly: @@ -175,6 +183,7 @@ services: domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" version: ac55701890cd866ee946deb25e2b2839fb14900e + postgres_version: 14-alpine allowed_sender_domain: true pinafore: @@ -186,6 +195,8 @@ services: file: membersystem.yml domain: "member.{{ base_domain }}" django_admins: "Vidir:valberg@orn.li" + version: latest + postgres_version: 13-alpine allowed_sender_domain: true watchtower: diff --git a/roles/docker/tasks/services/drone.yml b/roles/docker/tasks/services/drone.yml index 874ce03..5d83007 100644 --- a/roles/docker/tasks/services/drone.yml +++ b/roles/docker/tasks/services/drone.yml @@ -8,7 +8,7 @@ services: drone: container_name: "drone" - image: drone/drone:1 + image: "drone/drone:{{ services.drone.version }}" restart: unless-stopped networks: - external_services @@ -48,4 +48,4 @@ drone: external_services: external: - name: external_services \ No newline at end of file + name: external_services diff --git a/roles/docker/tasks/services/hedgedoc.yml b/roles/docker/tasks/services/hedgedoc.yml index 7508535..3b907a1 100644 --- a/roles/docker/tasks/services/hedgedoc.yml +++ b/roles/docker/tasks/services/hedgedoc.yml @@ -22,7 +22,7 @@ definition: services: database: - image: "postgres:10-alpine" + image: "postgres:{{ services.hedgedoc.postgres_version }}" environment: POSTGRES_USER: "codimd" POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}" 
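Review bot: `version: latest` added for membersystem is a mutable tag, and with Watchtower polling every container every 60 s since patch 01, any push to `docker.data.coop/membersystem:latest` goes live on the next poll with no review step; the mastodon and rallly entries in the neighbouring hunks are pinned, so this one stands out. Pin to a build tag or digest, or add a comment next to the line stating that this service intentionally tracks `latest`. The drone hunk below starts rendering `services.drone.version`, which this commit does not add to defaults/main.yml; presumably it already exists there, but it is worth confirming since an undefined variable aborts the play at template time.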
@@ -34,7 +34,7 @@ - "{{ services.hedgedoc.volume_folder }}/db:/var/lib/postgresql/data" app: - image: quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }} + image: "quay.io/hedgedoc/hedgedoc:{{ services.hedgedoc.version }}" environment: CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd" CMD_DOMAIN: "{{ services.hedgedoc.domain }}" diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml index 3f2da44..2603351 100644 --- a/roles/docker/tasks/services/keycloak.yml +++ b/roles/docker/tasks/services/keycloak.yml @@ -5,9 +5,8 @@ definition: version: "3.6" services: - postgres: - image: "postgres:10" + image: "postgres:{{ services.keycloak.postgres_version }}" restart: "unless-stopped" networks: - "keycloak" diff --git a/roles/docker/tasks/services/mastodon.yml b/roles/docker/tasks/services/mastodon.yml index eae1546..656f909 100644 --- a/roles/docker/tasks/services/mastodon.yml +++ b/roles/docker/tasks/services/mastodon.yml @@ -55,7 +55,7 @@ services: db: restart: always - image: postgres:14-alpine + image: "postgres:{{ services.mastodon.postgres_version }}" shm_size: 256mb networks: - internal_network @@ -70,7 +70,7 @@ redis: restart: always - image: redis:6-alpine + image: "redis:{{ services.mastodon.redis_version }}" networks: - internal_network healthcheck: diff --git a/roles/docker/tasks/services/matrix_riot.yml b/roles/docker/tasks/services/matrix_riot.yml index 34f302d..6b5e950 100644 --- a/roles/docker/tasks/services/matrix_riot.yml +++ b/roles/docker/tasks/services/matrix_riot.yml @@ -66,7 +66,7 @@ services: matrix_db: container_name: matrix_db - image: postgres:10 + image: "postgres:{{ services.matrix.postgres_version }}" restart: unless-stopped networks: - matrix 
@@ -78,7 +78,7 @@ matrix_app: container_name: matrix - image: matrixdotorg/synapse:{{ services.matrix.version }} + image: "matrixdotorg/synapse:{{ services.matrix.version }}" restart: unless-stopped networks: - matrix @@ -96,7 +96,7 @@ riot: container_name: riot_app - image: avhost/docker-matrix-riot:{{ services.riot.version }} + image: "avhost/docker-matrix-riot:{{ services.riot.version }}" restart: unless-stopped networks: - matrix diff --git a/roles/docker/tasks/services/membersystem.yml b/roles/docker/tasks/services/membersystem.yml index ca63851..a56bf59 100644 --- a/roles/docker/tasks/services/membersystem.yml +++ b/roles/docker/tasks/services/membersystem.yml @@ -8,7 +8,7 @@ version: "3" services: backend: - image: docker.data.coop/membersystem:latest + image: "docker.data.coop/membersystem:{{ services.membersystem.version }}" restart: always user: $UID:$GID tty: true @@ -37,7 +37,7 @@ com.centurylinklabs.watchtower.enable: "true" postgres: - image: postgres:13-alpine + image: "postgres:{{ services.membersystem.postgres_version }}" restart: always volumes: - "{{ volume_root_folder }}/membersystem/postgres/data:/var/lib/postgresql/data" diff --git a/roles/docker/tasks/services/nextcloud.yml b/roles/docker/tasks/services/nextcloud.yml index d36f8de..1c938b9 100644 --- a/roles/docker/tasks/services/nextcloud.yml +++ b/roles/docker/tasks/services/nextcloud.yml @@ -12,7 +12,7 @@ definition: services: postgres: - image: "postgres:10" + image: "postgres:{{ services.nextcloud.postgres_version }}" restart: "unless-stopped" networks: - "nextcloud" @@ -24,7 +24,7 @@ POSTGRES_USER: "nextcloud" redis: - image: "redis:7-alpine" + image: "redis:{{ services.nextcloud.redis_version }}" restart: "unless-stopped" command: "redis-server --requirepass {{ nextcloud_secrets.redis_password }}" tmpfs: diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 300c099..e76b6ca 100644 --- a/roles/docker/tasks/services/passit.yml 
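Review bot: The context of the second membersystem hunk (`@@ -37,7 +37,7 @@`) still shows `com.centurylinklabs.watchtower.enable: "true"` under `labels:`, which patch 03 of this series removed from this same file; the blob ids differ (`b214abb..66a26b0` there, `ca63851..a56bf59` here), so either the label was re-added on the base branch or the earlier removal was lost in a rebase. Worth reconciling so the series ends in one consistent state: with `WATCHTOWER_LABEL_ENABLE` gone the label is inert, but a stray copy invites a reader to assume opt-in filtering is still in force.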
+++ b/roles/docker/tasks/services/passit.yml @@ -8,7 +8,7 @@ version: "3.6" services: passit_db: - image: "postgres:10" + image: "postgres:{{ services.passit.postgres_version }}" restart: "always" networks: - "passit" diff --git a/roles/docker/tasks/services/rallly.yml b/roles/docker/tasks/services/rallly.yml index b5e9d2f..22b1127 100644 --- a/roles/docker/tasks/services/rallly.yml +++ b/roles/docker/tasks/services/rallly.yml @@ -16,7 +16,7 @@ version: "3.8" services: rallly_db: - image: "postgres:14-alpine" + image: "postgres:{{ services.rallly.postgres_version }}" restart: "always" shm_size: "256mb" networks: From 231af48a40f46001ea7a1d63c83c5a99765cd9fb Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:23:23 +0100 Subject: [PATCH 14/22] Make quotations consistent --- roles/docker/defaults/main.yml | 48 +++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index a7bc1d3..e26c2aa 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -7,59 +7,59 @@ services: postfix: file: postfix.yml domain: "smtp.{{ base_domain }}" - version: "v3.5.1-alpine" + version: v3.5.1-alpine nginx_proxy: file: nginx_proxy.yml - version: "1.0-alpine" + version: 1.0-alpine volume_folder: "{{ volume_root_folder }}/nginx" nginx_acme_companion: - version: "2.2" + version: 2.2 openldap: file: openldap.yml domain: "ldap.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/openldap" - version: "1.5.0" + version: 1.5.0 phpldapadmin: - version: "0.9.0" + version: 0.9.0 netdata: file: netdata.yml domain: "netdata.{{ base_domain }}" - version: "v1" + version: v1 portainer: file: portainer.yml domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" - version: "2.16.2" + version: 2.16.2 keycloak: file: keycloak.yml domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" - version: "20.0" + version: 20.0 postgres_version: 10 allowed_sender_domain: true restic: file: restic_backup.yml - user: "datacoop" - domain: "restic.cannedtuna.org" - repository: "datacoop-hevonen" - version: "1.6.0" + user: datacoop + domain: restic.cannedtuna.org + repository: datacoop-hevonen + version: 1.6.0 disabled_in_vagrant: true docker_registry: file: docker_registry.yml domain: "docker.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/docker-registry" - username: "docker" + username: docker password: "{{ docker_password }}" - version: "2" + version: 2 ### External services ### @@ -123,8 +123,8 @@ services: data_coop_website: file: websites/data.coop.yml domains: - - "{{ base_domain }}" - - "www.{{ base_domain }}" + - "{{ base_domain }}" + - "www.{{ base_domain }}" new_data_coop_website: file: websites/new.data.coop.yml 
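Review bot: Unquoting `version: 2.2`, `version: 20.0` and `version: 2` changes their YAML type from string to float/int; these particular values survive Jinja rendering, but a future `2.20` or `20.10` would be loaded as `2.2`/`20.1` and silently pull a different image, and the same hazard applies to the `postgres_version` integers left unquoted nearby. Consistency is safer in the other direction — quote every image tag rather than unquoting them — which is where the series ends up via the revert in patch 17 and the quoting in patch 18. The domain-list hunks in this and the next line are whitespace-only and fine.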
@@ -139,21 +139,21 @@ services: cryptohagen_website: file: websites/cryptohagen.dk.yml domains: - - "cryptohagen.dk" - - "www.cryptohagen.dk" + - cryptohagen.dk + - www.cryptohagen.dk ulovliglogning_website: file: websites/ulovliglogning.dk.yml domains: - - "ulovliglogning.dk" - - "www.ulovliglogning.dk" - - "ulovlig-logning.dk" + - ulovliglogning.dk + - www.ulovliglogning.dk + - ulovlig-logning.dk cryptoaarhus_website: file: websites/cryptoaarhus.dk.yml domains: - - "cryptoaarhus.dk" - - "www.cryptoaarhus.dk" + - cryptoaarhus.dk + - www.cryptoaarhus.dk drone: file: drone.yml @@ -194,7 +194,7 @@ services: membersystem: file: membersystem.yml domain: "member.{{ base_domain }}" - django_admins: "Vidir:valberg@orn.li" + django_admins: Vidir:valberg@orn.li version: latest postgres_version: 13-alpine allowed_sender_domain: true From a10b07fa2c33752db08f8ba84d8e99e3ed24904b Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Wed, 28 Dec 2022 16:46:52 +0100 Subject: [PATCH 15/22] Make quotations consistent --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index e26c2aa..ba5f2fe 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -1,5 +1,5 @@ --- -volume_root_folder: "/docker-volumes" +volume_root_folder: /docker-volumes services: From 2f1c1887baf80b1f9dc7bfb23bb11b067318af10 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:21:34 +0100 Subject: [PATCH 16/22] Revert "Make quotations consistent" This reverts commit a10b07fa2c33752db08f8ba84d8e99e3ed24904b. --- roles/docker/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 46edde4..ead56da 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml 
@@ -1,6 +1,6 @@
 # vim: ft=yaml.ansible
 ---
-volume_root_folder: /docker-volumes
+volume_root_folder: "/docker-volumes"
 services:
From 9733794292b0da58732648b237dd13c77591dad1 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 14 Jan 2023 17:22:47 +0100
Subject: [PATCH 17/22] Revert "Make quotations consistent"
This reverts commit 231af48a40f46001ea7a1d63c83c5a99765cd9fb.
---
roles/docker/defaults/main.yml | 50 ++++++++++++++++------------------
1 file changed, 23 insertions(+), 27 deletions(-)
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index ead56da..ee348a0 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -9,59 +9,59 @@ services: file: postfix.yml domain: "smtp.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/postfix" - version: v3.5.1-alpine + version: "v3.5.1-alpine" nginx_proxy: file: nginx_proxy.yml - version: 1.0-alpine + version: "1.0-alpine" volume_folder: "{{ volume_root_folder }}/nginx" nginx_acme_companion: - version: 2.2 + version: "2.2" openldap: file: openldap.yml domain: "ldap.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/openldap" - version: 1.5.0 + version: "1.5.0" phpldapadmin: - version: 0.9.0 + version: "0.9.0" netdata: file: netdata.yml domain: "netdata.{{ base_domain }}" - version: v1 + version: "v1" portainer: file: portainer.yml domain: "portainer.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/portainer" - version: 2.16.2 + version: "2.16.2" keycloak: file: keycloak.yml domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" - version: 20.0 + version: "20.0" postgres_version: 10 allowed_sender_domain: true restic: file: restic_backup.yml - user: datacoop - domain: restic.cannedtuna.org - repository: datacoop-hevonen - version: 1.6.0 + user: "datacoop" + domain: "restic.cannedtuna.org" + repository: "datacoop-hevonen" + version: "1.6.0" disabled_in_vagrant: true docker_registry: file: docker_registry.yml domain: "docker.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/docker-registry" - username: docker + username: "docker" password: "{{ docker_password }}" - version: 2 + version: "2" ### External services ### 
@@ -141,21 +141,21 @@ services: cryptohagen_website: file: websites/cryptohagen.dk.yml domains: - - cryptohagen.dk - - www.cryptohagen.dk + - "cryptohagen.dk" + - "www.cryptohagen.dk" ulovliglogning_website: file: websites/ulovliglogning.dk.yml domains: - - ulovliglogning.dk - - www.ulovliglogning.dk - - ulovlig-logning.dk + - "ulovliglogning.dk" + - "www.ulovliglogning.dk" + - "ulovlig-logning.dk" cryptoaarhus_website: file: websites/cryptoaarhus.dk.yml domains: - - cryptoaarhus.dk - - www.cryptoaarhus.dk + - "cryptoaarhus.dk" + - "www.cryptoaarhus.dk" drone: file: drone.yml @@ -184,12 +184,8 @@ services: file: rallly.yml domain: "when.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/rallly" -<<<<<<< HEAD - version: ac55701890cd866ee946deb25e2b2839fb14900e - postgres_version: 14-alpine -======= version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114 ->>>>>>> main + postgres_version: 14-alpine allowed_sender_domain: true pinafore: @@ -200,7 +196,7 @@ services: membersystem: file: membersystem.yml domain: "member.{{ base_domain }}" - django_admins: Vidir:valberg@orn.li + django_admins: "Vidir:valberg@orn.li" version: latest postgres_version: 13-alpine allowed_sender_domain: true From f81fab3d117554d57d2220bba0fe0c91d2a58861 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 14 Jan 2023 17:31:08 +0100 Subject: [PATCH 18/22] Quote numbers --- roles/docker/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index ee348a0..75e15e4 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -44,7 +44,7 @@ services: domain: sso.{{ base_domain }} volume_folder: "{{ volume_root_folder }}/keycloak" version: "20.0" - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true restic: 
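Review bot: The removed side of the `@@ -184,12 +184,8 @@` hunk contains `<<<<<<< HEAD`, `=======` and `>>>>>>> main` markers, meaning the parent commit had unresolved conflict markers committed into roles/docker/defaults/main.yml — a file that would not parse and would break every play loading the role's defaults. This revert resolves the conflict on the side (keeping main's rallly `version: e4482a1edb…` and re-adding `postgres_version: 14-alpine`), which hides a second, substantive change inside a commit labelled as a revert; resolving it in its own commit or fixing up the offending commit in the series keeps the history honest. A `yamllint` or `ansible-lint` step in CI would have caught the markers before they were pushed.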
@@ -70,7 +70,7 @@ services: domain: "cloud.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/nextcloud" version: 25-apache - postgres_version: 10 + postgres_version: "10" redis_version: 7-alpine allowed_sender_domain: true @@ -86,7 +86,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true matrix: @@ -94,7 +94,7 @@ services: domain: "matrix.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/matrix" version: v1.63.1 - postgres_version: 10 + postgres_version: "10" allowed_sender_domain: true riot: From 388e0526ca80cb66386601e0d55e6c64529d13f2 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 21 Jan 2023 21:33:39 +0100 Subject: [PATCH 19/22] Set RUN_ON_STARTUP=false for Restic --- roles/docker/tasks/services/restic_backup.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml index 655ddb6..20ed075 100644 --- a/roles/docker/tasks/services/restic_backup.yml +++ b/roles/docker/tasks/services/restic_backup.yml @@ -11,7 +11,7 @@ image: mazzolino/restic:{{ services.restic.version }} restart: always environment: - RUN_ON_STARTUP: "true" + RUN_ON_STARTUP: "false" BACKUP_CRON: "0 30 3 * * *" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" @@ -32,7 +32,7 @@ restic-prune: image: "mazzolino/restic:{{ services.restic.version }}" environment: - RUN_ON_STARTUP: "true" + RUN_ON_STARTUP: "false" PRUNE_CRON: "0 0 4 * * *" RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}" RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}" 
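Review bot: With `RUN_ON_STARTUP: "false"` on both the backup and prune containers, a fresh deployment produces no snapshot until `BACKUP_CRON` fires at 03:30, and a broken repository URL or password is no longer surfaced at container start; whatever monitoring exists on backup success should be checked to cover that first scheduled run rather than the container coming up. The `RESTIC_REPOSITORY` context lines embed `restic_secrets.user_password` in the URL, where it is visible via `docker inspect` and in any error output that echoes the repository; recent restic versions read `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD` from the environment, which keeps the credential out of the URL string. The `restic-prune` service starts outside this hunk.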
From a5d59b93361029c4f959275c3499eff702d58891 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 21 Jan 2023 21:37:37 +0100
Subject: [PATCH 20/22] Fix variable
---
roles/docker/tasks/services/keycloak.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/docker/tasks/services/keycloak.yml b/roles/docker/tasks/services/keycloak.yml
index 880a0cd..7c23cfd 100644
--- a/roles/docker/tasks/services/keycloak.yml
+++ b/roles/docker/tasks/services/keycloak.yml
@@ -32,7 +32,7 @@
 - "--db-url=jdbc:postgresql://postgres:5432/keycloak"
 - "--db-username=keycloak"
 - "--db-password={{ postgres_passwords.keycloak }}"
- - "--hostname={{ keycloak.domain }}"
+ - "--hostname={{ services.keycloak.domain }}"
 - "--proxy=edge"
 - "--https-port=8080"
 - "--http-relative-path=/auth"
From 16aec98808b45be04c2ede44bb2dcf3c7fbea227 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 21 Jan 2023 21:49:27 +0100
Subject: [PATCH 21/22] HedgeDoc image version :1 doesn't exist, but Alpine doesn't have vulnerabilities
---
roles/docker/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 555a080..626e9b3 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -119,7 +119,7 @@ services:
 file: hedgedoc.yml
 domain: "pad.{{ base_domain }}"
 volume_folder: "{{ volume_root_folder }}/hedgedoc"
- version: 1
+ version: 1.9.6-alpine
 postgres_version: 10-alpine
 data_coop_website:
From 593dddd00ec6e43ef7f8af5e9c10ecfd33e253e4 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sun, 22 Jan 2023 02:00:53 +0100
Subject: [PATCH 22/22] Upgrade Passit database and temporarily pin Passit due to WebAuthn bug
---
roles/docker/defaults/main.yml | 2 +-
roles/docker/tasks/services/passit.yml | 9 ++++++++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 626e9b3..79bf170 100644
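Review bot: This hunk fixes only the `--hostname` argument, yet patch 11's context showed `VIRTUAL_HOST: "{{ keycloak.domain }}"` in the `environment:` block of the same file and the diffstat here is a single line; either that reference was migrated to `services.keycloak.domain` in a commit outside this series or it is still undefined, which is worth confirming since an undefined variable aborts the play at template time. The corrected line also remains a Jinja-templated CLI argument next to the `--db-password` one; `KC_HOSTNAME` in `environment:` would match the environment-based configuration Keycloak supports and keep the command list free of templated values.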
--- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -86,7 +86,7 @@ services: domain: "passit.{{ base_domain }}" volume_folder: "{{ volume_root_folder }}/passit" version: stable - postgres_version: "10" + postgres_version: 15-alpine allowed_sender_domain: true matrix: diff --git a/roles/docker/tasks/services/passit.yml b/roles/docker/tasks/services/passit.yml index 60cb7bf..375808f 100644 --- a/roles/docker/tasks/services/passit.yml +++ b/roles/docker/tasks/services/passit.yml @@ -1,5 +1,12 @@ # vim: ft=yaml.ansible --- +- name: Create directory for Passit data + file: + name: "{{ services.passit.volume_folder }}/data" + owner: '70' + group: root + state: directory + - name: setup passit containers docker_compose: project_name: "passit" @@ -19,7 +26,7 @@ POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}" passit_app: - image: "passit/passit:{{ services.passit.version }}" + image: "passit/passit@sha256:c4b96bc67222936f58f344d5dd1020227ad8e11ad5f82ed3cbf0bcfa8fe9b2e7" #:{{ services.passit.version }}" command: "bin/start.sh" restart: "always" networks:
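Review bot: Changing `postgres_version` from `"10"` to `15-alpine` is a five-major-version jump for a cluster whose data lives under `services.passit.volume_folder`; the official image refuses to start on a data directory initialised by an older major (its `PG_VERSION` check reports incompatible database files), so unless the cluster was dumped and restored or `pg_upgrade`d out of band, `passit_db` will crash-loop after this is applied. The commit title suggests the upgrade was done manually, so make that explicit on the line, e.g. `postgres_version: 15-alpine  # data dir migrated from PG 10 by dump/restore on <DATE>`, or add a pre-task that asserts the existing `PG_VERSION` before pulling the new image. The value also drops the quoting patch 18 introduced for this key, although `15-alpine` is a safe plain scalar.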
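Review bot: The new `Create directory for Passit data` task sets `owner: '70'` and `group: root` but no `mode`, so the directory's permissions fall out of the remote umask; uid 70 is the `postgres` user in the alpine image selected in the same commit, so this presumably holds database files, which should not be readable by other users on the host. Set the mode explicitly, `mode: "0700"` (quoted so YAML does not read it as an octal integer). `name:` is a valid alias of the `file` module's `path:` but is rarely used for it; `path:` reads more clearly.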
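Review bot: Pinning `passit/passit@sha256:…` with the trailing `#:{{ services.passit.version }}"` is valid YAML (the quoted scalar ends before `#`), but the comment reads like a leftover and leaves `version: stable` in defaults/main.yml as dead configuration that a reader would expect to take effect. A digest pin also cannot be moved by Watchtower, so the "temporary" pin needs a marker to be found again: replace the comment with something like `# TODO: digest-pinned because of a WebAuthn bug in newer builds; restore "passit/passit:{{ services.passit.version }}" once fixed`, and add the matching note beside `version: stable` in defaults. The enclosing `passit_app` service continues outside the hunk.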