Refactor allowed_sender_domains and allow more

A new object 'postfix' is created with a list of allowed_sender_domains.
Any services that expect to send mail this way should add its sender
domain to that list.

Vagrantfile

@@ -13,6 +13,7 @@ Vagrant.configure(2) do |config|
       ansible.verbose = "v"
       ansible.compatibility_mode = "2.0"
       ansible.playbook = "playbook.yml"
+      ansible.ask_vault_pass = true
       ansible.host_vars = {
         "datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"}
       }

ansible.cfg

@@ -1,2 +1,3 @@
 [defaults]
-remote_user = root
+remote_user = root
+inventory = datacoop_hosts

datacoop_hosts

@@ -1,16 +1,3 @@
 ######################################
 ### All hosts
-10.1.1.198 ansible_python_interpreter=/usr/bin/python3
-10.1.1.199 ansible_python_interpreter=/usr/bin/python3
-
-######################################
-### Application servers
-[servers]
-10.1.1.198
-10.1.1.199
-
-[datacoop1]
-10.1.1.198
-
-[datacoop2]
-10.1.1.199
+85.235.225.231 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3

deploy.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
+
+if [ -z "$1" ]; then
+    echo "Deploying all!"
+    $BASE_CMD
+else
+    case $1 in
+        "services")
+            if [ -z "$2" ]; then
+                echo "Deploying all services!"
+                $BASE_CMD --tags setup_services
+            else
+                echo "Deploying services: $2"
+                $BASE_CMD --tags setup_services --extra-vars "services=$2"
+            fi
+    esac
+fi

group_vars/all/secrets.yml

@@ -0,0 +1,102 @@
+$ANSIBLE_VAULT;1.1;AES256
+32336562633266653862666430393834306131343538636136643866306639313132383063393335
+3437383263343337323637616330383761346661383065390a396466663135313433643830316439
+65626336303339653730643435353366633839366165393463663031333030356464373338353765
+3662646137623936650a633038376161633737376432306466663938333838333339626235663362
+34303237306533343435346361346461613339323931666461313261623936653936656439663139
+39666639616234653565303235313866636463656237363861636366666433393631366364623534
+39313638363231646539383133383938353439356335313263656362376538623531636166383233
+32653461653965303835613833383736396563306436623762613138343665343461623964666464
+31363836343534616235323238663262343963376133636337333937353732623938616434333666
+37386231356633653034656130383463643065373935633334653766396539326262646465376338
+31346134356162613266393132313839363166623562316230313338373062393535363236363133
+62653261663865323933323061353864643435323538633733363030356636653162616237323839
+33636235396166326336303133613431326231356434383431623366386437303162396234626563
+66333232343234613661363339653234343333323965353537353337303964653066356664303265
+62333237343334333836623566643633656134353034623630323361376562353464636538623664
+65313435316533633834303734636233333164616230393664646261663133323536356338323430
+38623734366530313461653062376136336634386132333138666439326636373536636134333432
+61396432353962366333373961323263633036656362653330393236333737306664633335313438
+34383335313933613930376436323236343539363035323461333366646462623961633933313432
+38656530653336306130313932393162626437383736393162656364333162623831356163303365
+66343433316131313332346537343863343966323765373035306661366633336261306661363966
+39326131336561633463613731396663336639613634636631373435623263353961323539623162
+30383831393164373632336265373662663936336131306563323833643236616338653835633832
+33383530623733386564373935663437613366633536386131363465363466306632373535646661
+62616531363737336536616132343034663038623665666636613232663666303164663661366232
+33626536336435323031663662383836326331633262386634393333373630343431333461393234
+33656664666466623262353533363833616663303637393164633633336438393131366261326230
+63623266353432613832633163663363663964303461386366373236386131376336623138366134
+33626234383661646637323062363265623630663061353630313466626632623062386638643433
+36333262666562396433393866393362303134616664616531386637336233306334383434616238
+62353237396432353335316631336265326135616430383735353638346339623539393064373365
+66336463653139323962333065666363363733376161613434363830663161303735306264396339
+35643535326130313033636135656634303731323030623131613866653932346665343365343537
+30393534346438343833336262646161643665613639373835336438663664643763323735646566
+30303339386131353863643463383333616432333262633962656434343563323165366533643730
+36646431336361316234393731373563656164646437636536353530343731373531373932313633
+61363462386663333465333465363864643039346238303635323362646335363037323437633462
+62373839666639326465383766333462356635636163376366373764373462386430616566386564
+39353662346632623661326238306136373364343231303664626630663761643433393033633335
+62336232376134656537383632643730303330353533626634633138383163356533646461656230
+31373733326436323937373537363839653034356137343864656364313831336235396530373265
+31663035326365373033313030363032343030346635343333656637343961303861393336316134
+35383635393737643935646334373865386637373636303162363562326239326433396466396435
+66336235373238326662323763333733636635313862653233353165346233313663353164383937
+37373934343261373462373832363633323438663536356133343464316563316362343932396234
+30343335396562336433353233306132656239663036663064653235376264653933363636326132
+33353064663930626330386562396564323965393432353430326362616235353464623861313336
+37363333623736306632643931356138373031363938363966616632666236346265323562306538
+39303365613463393964376536383431326661323237616538353333373930616438633630633961
+35303436353231373133666165306534346137396662653736343135303431613438363864616237
+65643338633065663266303232643264316564373066663038306632653962626336346639393061
+33326638323066323264353338636535336363376639646233336234643137646262666238363865
+34623236396437623539653466653331326434643036663930333065393836383265613036393233
+64333530636138356361643635613933313335636662646666656131613834376632313734373261
+66626262373630386337303539323332343831373731643830323661656435626266386633366666
+38626330663635623262336435373432383066393335633261383633343633616564353135613334
+34616663333562643232333133626433313265316561633638633236343334323337643066386363
+33316637303533393165656665373931313666616330316465643531303730333036613965383161
+65346133303835643134643030373966636632663937343434633263633161366236613039313866
+63343362303866313732326438393262643630633461316534313638343230653462636330363437
+36613561366235646465326163343165633764333466643766316235396534363366366238626161
+32656566386130623962643865643562623338353939306463663034653939383864356164316332
+34396661303364323430323764346438393165313430623464373436323337303966613437626136
+34303166396636666237383138636230306161323161343738353062383262373631643637366139
+36313033623162366530366130376338623634363661623965643364666330313066646233303963
+65353137616236396266336238346562343331363964356237356132303734326138646164663961
+62383761663837326431343939666432663132396464646439626364373833653164313931353631
+34633737333961646137663764363763356138396264353534303236633135643936313039303565
+37663937613961643563346130653536653236346165633333383666623961303138363961646138
+36613062346562326537656236343835383663386235353638653861613865333635333161326337
+66343664373262383164313838393261663566393838633364363931653164613663643966643063
+39656261643733663763383339653433616231653737623865353038646331373334666232346334
+39653730613439393532326430623239666239616361313738343738376536303839623938396439
+37393134343333383430303963356563633862336134373962306634613261653131636631626638
+35613635643336306435643832383761353465633537666563333763646338656164333661666462
+38643765313865626535326136343365643362373234326262366332653264363863646539366630
+36623635396635363636373139383530633332386263656339396433653936333834656631373637
+65663564353938623737303332373261623862646566386230313865643835323231373933303165
+39356561656534326661346636633933613532373137393737623737383134333132363436373630
+63653139356565356566663532313736613437623634313236663537376462383465613332656233
+65306131356165366131633432383730356163326561326332346535373738636333333165666365
+31636564303838333061323063653135623162636464656263613538306561303361633864383634
+35613164386334646338613661356134303766393239366530666137376362646263333530623565
+34643166313038376136643032393630303435376631336366343632383735626335333232303463
+33643363313434363633393964323064653966353161636135633264333766386266646366316132
+63303935356138356566306234356435343961356166646430633335386435366666333234636465
+36336439663731643663353732353261313037363231306430373962613838616238313662343761
+33316335316236626631636636386137376263323862306262316366663039396334326564303762
+34623562363839386439366639323662393831653530663463396230663133396466326363303065
+35646635323439323062333864336332333938663536373834663535643832316532313262326265
+63376436356662663165616532613963303030613166663865376531613031383865363864333238
+33616230336263306434643933356530303163653232323331643731353134353939363762303933
+32363061346537666637663733346431643164323364363133316265306336626466353366313635
+66653162643533316162363035373532656239356434623761666663626366663336376539656537
+31323561356363393038323762646633323461666263633937313264346364356439343761623337
+34643731393763323339653636656565663665646431313531616337616363373764626334656264
+66633366346137613032313865666363613530643663373834313731353437373239653332656134
+62376164313138303233623964663234643661336232366165616163313866336230353565393365
+36613361346437336431376164663930393530626339626361323764623635396137396634316364
+31393030323539376233383965366433623562646161643866346138316536613437383035656139
+6533

group_vars/all/secrets.yml.contents

@@ -0,0 +1,42 @@
+# These are the variables contained in secrets.yml
+# Secrets are usually 32 characters or more, matching [a-Z0-9]
+
+postgres_passwords:
+  fider: xxx
+  nextcloud: xxx
+  passit: xxx
+  gitea: xxx
+  matrix: xxx
+  codimd: xxx
+  mailu: xxx
+  ttrss: xxx
+  keycloak: xxx
+
+fider_jwt_secret: xxx
+
+ldap_admin_password: xxx
+ldap_config_password: xxx
+
+passit_secret_key: xxx
+
+docker_password: xxx
+
+mailu_secret_key: xxx
+
+drone_secrets:
+  oauth_client_id: xxx
+  oauth_client_secret: xxx
+  rpc_shared_secret: xxx
+
+restic_secrets:
+  user_secret: xxx
+  encryption_secret: xxx
+
+matrix_secrets:
+  registration_shared_secret: xxx
+  macaroon_secret_key: xxx
+  form_secret: xxx
+
+keycloak_secrets:
+  admin_user: xxx    //used for setting up the initial admin user on first run
+  admin_password: xxx

group_vars/all/vars.yml

@@ -13,3 +13,12 @@ users:
     password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
     groups:
       - sudo
+
+  reynir:
+    comment: Reynir Björnsson
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
+    password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
+    groups:
+      - sudo
+
+volume_root_folder: "/docker-volumes"

playbook.yml

@@ -3,12 +3,34 @@
   gather_facts: False
   become: true
   vars:
-    # Services are the names of the compose files in docker/files/composefiles
+    base_domain: data.coop
+    letsencrypt_email: bestyrelsen@data.coop
+    ldap_dn: "dc=data,dc=coop"
+
     services:
       - nginx-proxy
+      - openldap
       - thelounge
-      - gitea
       - nextcloud
+      - fider
+      - passit
+      - gitea
+      - postfix
+      - matrix_riot
+      - privatebin
+      - codimd
+      - netdata
+      - docker_registry
+      - drone
+      - websites
+      - ulovliglogning-dk
+      - ouroboros
+      - mailu
+      - portainer
+#      - tt-rss
+
+    smtp_host: "postfix"
+    smtp_port: "587"
 
   tasks:
     - import_role:

roles/docker/defaults/main.yml

@@ -0,0 +1,106 @@
+volume_root_folder: "/docker-volumes"
+
+nginx:
+  volume_folder: "{{ volume_root_folder }}/nginx"
+
+ldap:
+  domain: "ldap.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/openldap"
+
+thelounge:
+  domain: "irc.{{ base_domain }}"
+
+nextcloud:
+  domain: "cloud.{{ base_domain }}"
+
+gitea:
+  domain: "git.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/gitea"
+
+passit:
+  domain: "passit.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/passit"
+
+fider:
+  domain: "feedback.{{ base_domain }}"
+
+matrix:
+  domain: "matrix.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/matrix"
+
+riot:
+  domains: 
+  - "riot.{{ base_domain }}"
+  - "element.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/riot"
+
+privatebin:
+  domain: "paste.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/privatebin"
+
+codimd:
+  domain: "oldpad.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/codimd"
+
+hedgedoc:
+  domain: "pad.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/hedgedoc"
+
+netdata:
+  domain: "netdata.{{ base_domain }}"
+
+docker_registry:
+  domain: "docker.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/docker-registry"
+  username: "docker"
+  password: "{{ docker_password }}"
+
+data_coop_website:
+  domains: 
+  - "{{ base_domain }}"
+  - "www.{{ base_domain }}"
+
+cryptohagen_website:
+  domains: 
+  - "cryptohagen.dk"
+  - "www.cryptohagen.dk"
+
+ulovliglogning_website:
+  domains: 
+  - "ulovliglogning.dk"
+  - "www.ulovliglogning.dk"
+  - "ulovlig-logning.dk"
+
+cryptoaarhus_website:
+  domains: 
+  - "cryptoaarhus.dk"
+  - "www.cryptoaarhus.dk"
+
+drone:
+  domain: "drone.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/drone"
+
+mailu:
+  version: 1.6
+  domain: "mail.{{ base_domain }}"
+  dns: 192.168.203.254
+  subnet: 192.168.203.0/24
+  volume_folder: "{{ volume_root_folder }}/mailu"
+
+portainer:
+  domain: "portainer.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder }}/portainer"
+
+ttrss:
+  domain: rss.{{ base_domain }}
+  volume_folder: "{{ volume_root_folder }}/tt-rss"
+
+keycloak:
+  domain: sso.{{ base_domain }}
+  volume_folder: "{{ volume_root_folder }}/keycloak"
+
+postfix:
+  allowed_sender_domains:
+  - "services.{{ base_domain }}"
+  - "{{ passit.domain }}"
+  - "{{ fider.domain }}"

roles/docker/files/composefiles/fider.yml

@@ -1,43 +0,0 @@
-version: '3'
-services:
-  db:
-    restart: always
-    image: postgres
-    networks:
-      - fider
-    volumes:
-      - /var/fider/pg_data:/var/lib/postgresql/data
-    environment:
-      POSTGRES_USER: fider
-      POSTGRES_PASSWORD: "SOMESTRONGPASSWORD"
-
-  app:
-    restart: always
-    image: getfider/fider:stable
-    ports:
-      - "9999:3000"
-    networks:
-      - fider
-      - external_services
-    environment:
-      GO_ENV: production
-      DATABASE_URL: postgres://fider:SOMESTRONGPASSWORD@db:5432/fider?sslmode=disable
-      JWT_SECRET: LONGRANDOMSTRING
-
-      EMAIL_NOREPLY: noreply@data.coop
-      EMAIL_SMTP_HOST: smtp.fastmail.com
-      EMAIL_SMTP_PORT: 587
-      EMAIL_SMTP_USERNAME: a_smtp_user
-      EMAIL_SMTP_PASSWORD: password_for_smtp_user
-
-      VIRTUAL_HOST: feedback.data.coop
-      LETSENCRYPT_HOST: feedback.data.coop
-      LETSENCRYPT_EMAIL: valberg@orn.li
-
-    depends_on:
-      - db
-
-networks:
-  fider:
-  external_services:
-    external: true

roles/docker/files/composefiles/gitea.yml

@@ -1,42 +0,0 @@
-version: "2.3"
-
-networks:
-  gitea:
-  external_services:
-    external: true
-
-services:
-  server:
-    image: gitea/gitea:latest
-    environment:
-      - USER_UID=1000
-      - USER_GID=1000
-      - VIRTUAL_HOST=gitea.local
-      - VIRTUAL_PORT=3000
-    restart: always
-    networks:
-      - gitea
-      - external_services
-    volumes:
-      - gitea:/data
-    ports:
-      - "3000:3000"
-      - "222:22"
-    depends_on:
-      - db
-
-  db:
-    image: postgres:9.6
-    restart: always
-    environment:
-      - POSTGRES_USER=gitea
-      - POSTGRES_PASSWORD=gitea
-      - POSTGRES_DB=gitea
-    networks:
-      - gitea
-    volumes:
-      - postgres:/var/lib/postgresql/data
-
-volumes:
-  gitea:
-  postgres:

roles/docker/files/composefiles/nextcloud.yml

@@ -1,38 +0,0 @@
-version: '3'
-services:
-  db:
-    image: postgres
-    restart: always
-    volumes:
-      - db:/var/lib/postgresql/data
-    environment:
-      - POSTGRES_DB=nextcloud
-      - POSTGRES_USER=nextcloud
-    networks:
-      - nextcloud
-  app:
-    image: nextcloud
-    volumes:
-      - nextcloud:/var/www/html
-    restart: always
-    environment: 
-      - POSTGRES_HOST=db
-      - POSTGRES_PASSWORD=hest
-      - POSTGRES_DB=nextcloud
-      - POSTGRES_USER=nextcloud
-      - VIRTUAL_HOST=nextcloud.local
-    depends_on:
-      - db
-    ports:
-      - "80"
-    networks:
-      - nextcloud
-      - external_services
-volumes:
-  nextcloud:
-  db:
-
-networks:
-  external_services:
-    external: true
-  nextcloud:

roles/docker/files/composefiles/nginx-proxy.yml

@@ -1,49 +0,0 @@
----
-version: '3'
-
-services:
-
-  nginx-proxy:
-    image: jwilder/nginx-proxy
-    container_name: nginx-proxy
-    networks:
-      - external_services
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - conf:/etc/nginx/conf.d
-      - vhost:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - dhparam:/etc/nginx/dhparam
-      - certs:/etc/nginx/certs:ro
-      - /var/run/docker.sock:/tmp/docker.sock:ro
-    restart: always
-
-
-  letsencrypt:
-    image: jrcs/letsencrypt-nginx-proxy-companion
-    container_name: nginx-proxy-le
-    depends_on:
-      - nginx-proxy
-    volumes:
-      - vhost:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - dhparam:/etc/nginx/dhparam:ro
-      - certs:/etc/nginx/certs
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    environment:
-      - NGINX_PROXY_CONTAINER=nginx-proxy
-    restart: always
-
-volumes:
-  conf:
-  vhost:
-  html:
-  dhparam:
-  certs:
-
-networks:
-  external_services:
-    external: true
-

roles/docker/files/composefiles/openldap.yml

@@ -1,61 +0,0 @@
-version: '3'
-services:
-  openldap:
-    image: osixia/openldap:1.2.2
-    container_name: openldap
-    environment:
-      LDAP_LOG_LEVEL: "256"
-      LDAP_ORGANISATION: "data.coop"
-      LDAP_DOMAIN: "data.coop"
-      LDAP_BASE_DN: ""
-      LDAP_ADMIN_PASSWORD: "admin"
-      LDAP_CONFIG_PASSWORD: "config"
-      LDAP_READONLY_USER: "true"
-      LDAP_READONLY_USER_USERNAME: "readonly"
-      LDAP_READONLY_USER_PASSWORD: "readonly"
-      LDAP_RFC2307BIS_SCHEMA: "false"
-      LDAP_BACKEND: "mdb"
-      LDAP_TLS: "true"
-      LDAP_TLS_CRT_FILENAME: "ldap.crt"
-      LDAP_TLS_KEY_FILENAME: "ldap.key"
-      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
-      LDAP_TLS_ENFORCE: "false"
-      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
-      LDAP_TLS_PROTOCOL_MIN: "3.1"
-      LDAP_TLS_VERIFY_CLIENT: "demand"
-      LDAP_REPLICATION: "false"
-      KEEP_EXISTING_CONFIG: "false"
-      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
-      LDAP_SSL_HELPER_PREFIX: "ldap"
-    tty: true
-    stdin_open: true
-    volumes:
-      - /var/lib/ldap
-      - /etc/ldap/slapd.d
-      - /container/service/slapd/assets/certs/
-    ports:
-      - "389:389"
-      - "636:636"
-    domainname: "ldap.data.coop" # important: same as hostname
-    hostname: "ldap.data.coop"
-    networks:
-      - external_services
-
-  phpldapadmin:
-    image: osixia/phpldapadmin:latest
-    container_name: phpldapadmin
-    environment:
-      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
-      PHPLDAPADMIN_HTTPS: "false"
-      PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
-      VIRTUAL_HOST: ldap.data.coop
-      LETSENCRYPT_HOST: ldap.data.coop
-      LETSENCRYPT_EMAIL: valberg@orn.li
-    depends_on:
-      - openldap
-    networks:
-      - external_services
-
-networks:
-  external_services:
-    external: true

roles/docker/files/composefiles/thelounge.yml

@@ -1,23 +0,0 @@
-version: '3'
-services:
-  thelounge:
-    image: thelounge/lounge:latest
-    container_name: thelounge
-    restart: always
-    ports:
-      - "9000:9000"
-    volumes:
-      - thelounge:/home/lounge/data # bind lounge config from the host's file system
-    networks:
-      - external_services
-    environment:
-      VIRTUAL_HOST: irc.data.coop
-      LETSENCRYPT_HOST: irc.data.coop
-      LETSENCRYPT_EMAIL: valberg@orn.li
-
-volumes:
-  thelounge:
-
-networks:
-  external_services:
-    external: true

roles/docker/files/configs/docker_registry/nginx.conf

@@ -0,0 +1 @@
+client_max_body_size 10G;

roles/docker/files/configs/matrix/matrix.data.coop.log.config

@@ -0,0 +1,37 @@
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+filters:
+    context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+
+handlers:
+    file:
+        class: logging.handlers.RotatingFileHandler
+        formatter: precise
+        filename: /data/homeserver.log
+        maxBytes: 104857600
+        backupCount: 10
+        filters: [context]
+        encoding: utf8
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+        filters: [context]
+
+loggers:
+    synapse:
+        level: WARN
+
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+    handlers: [file, console]

roles/docker/files/configs/matrix/vhost-matrix

@@ -0,0 +1,2 @@
+listen 8008;
+client_max_body_size 50M; # default is 1M

roles/docker/files/configs/matrix/vhost-riot

@@ -0,0 +1 @@
+client_max_body_size 50M; # default is 1M

roles/docker/files/configs/matrix/vhost-root

@@ -0,0 +1,14 @@
+location /_matrix {
+      proxy_pass http://0.0.0.0:8008;
+      proxy_set_header X-Forwarded-For $remote_addr;
+}
+
+location /.well-known/matrix/server {
+      default_type application/json;
+      return 200 '{"m.server": "matrix.data.coop:443"}';
+}
+
+location /.well-known/matrix/client {
+      default_type application/json;
+      return 200 '{"m.homeserver": {"base_url": "https://matrix.data.coop"}}';
+}

roles/docker/files/configs/privatebin-conf.php

@@ -0,0 +1,154 @@
+;<?php http_response_code(403); /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+name = "paste.data.coop"
+
+; enable or disable the discussion feature, defaults to true
+discussion = true
+
+; preselect the discussion feature, defaults to false
+opendiscussion = false
+
+; enable or disable the password feature, defaults to true
+password = true
+
+; enable or disable the file upload feature, defaults to false
+fileupload = true
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = false
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "plaintext"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+; syntaxhighlightingtheme = "sons-of-obsidian"
+
+; size limit per paste or comment in bytes, defaults to 2 Mebibytes
+sizelimit = 2097152
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php)
+template = "bootstrap"
+
+; (optional) notice to display
+; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = false
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+; languagedefault = "en"
+
+; (optional) URL shortener address to offer after a new paste is created
+; it is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+; qrcode = true
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might be
+; used to get the IP of a non anonymous comment poster if the server salt is
+; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values: none / vizhash / identicon (default).
+; icon = none
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions.
+; By default this disallows to load images from third-party servers, e.g. when they are embedded in pastes. If you wish to allow that, you can adjust the policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images for details.
+; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; media-src data:; object-src data:; Referrer-Policy: 'no-referrer'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+zerobincompatibility = false
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "1day"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = 10
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+header = "X_FORWARDED_FOR"
+
+; directory to store the traffic limits in
+dir = PATH "data"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = 300
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = 10
+
+; directory to store the purge limit in
+dir = PATH "data"
+
+[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+class = Filesystem
+[model_options]
+dir = PATH "data"
+
+;[model]
+; example of DB configuration for MySQL
+;class = Database
+;[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+;tbl = "privatebin_"	; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true	  ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for SQLite
+;class = Database
+;[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+;usr = null
+;pwd = null
+;opt[12] = true	; PDO::ATTR_PERSISTENT

roles/docker/files/configs/riot/config.json

@@ -0,0 +1,46 @@
+{
+    "default_hs_url": "https://{{ matrix.domain }}",
+    "default_is_url": "https://vector.im",
+    "brand": "element.data.coop",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar-staging.riot.im/scalar/api",
+        "https://scalar.vector.im/api"
+    ],
+    "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+    "features": {
+        "feature_rich_quoting": "enable",
+        "feature_pinning": "enable",
+        "feature_presence_management": "enable",
+        "feature_sticker_messages": "enable",
+        "feature_jitsi": "enable",
+        "feature_tag_panel": "enable",
+        "feature_keybackup": "enable",
+        "feature_custom_status": "enable",
+        "feature_custom_tags": "enable",
+        "feature_lazyloading": "enable",
+        "feature_tabbed_settings": "enable",
+        "feature_sas": "enable"
+    },
+    "welcomeUserId": "",
+    "piwik": false,
+    "roomDirectory": {
+        "servers": [
+            "{{ base_domain }}"
+        ]
+    },
+    "enable_presence_by_hs_url": {
+        "https://{{ matrix.domain }}": false
+    },
+    "terms_and_conditions_links": [
+        {
+            "url": "https://riot.im/privacy",
+            "text": "Privacy Policy"
+        },
+        {
+            "url": "https://matrix.org/docs/guides/riot_im_cookie_policy",
+            "text": "Cookie Policy"
+        }
+    ]
+}

roles/docker/files/configs/riot/riot.im.conf

@@ -0,0 +1 @@
+-c 3500

roles/docker/files/configs/thelounge.js

@@ -0,0 +1,511 @@
+"use strict";
+
+module.exports = {
+        //
+        // Set the server mode.
+        // Public servers does not require authentication.
+        //
+        // Set to 'false' to enable users.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        public: false,
+
+        //
+        // IP address or hostname for the web server to listen on.
+        // Setting this to undefined will listen on all interfaces.
+        //
+        // For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
+        //
+        // @type     string
+        // @default  undefined
+        //
+        host: undefined,
+
+        //
+        // Set the port to listen on.
+        //
+        // @type     int
+        // @default  9000
+        //
+        port: 9000,
+
+        //
+        // Set the local IP to bind to for outgoing connections. Leave to undefined
+        // to let the operating system pick its preferred one.
+        //
+        // @type     string
+        // @default  undefined
+        //
+        bind: undefined,
+
+        //
+        // Sets whether the server is behind a reverse proxy and should honor the
+        // X-Forwarded-For header or not.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        reverseProxy: false,
+
+        //
+        // Set the default theme.
+        // Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
+        //
+        // @type     string
+        // @default  "example"
+        //
+        theme: "example",
+
+        //
+        // Prefetch URLs
+        //
+        // If enabled, The Lounge will try to load thumbnails and site descriptions from
+        // URLs posted in channels.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        prefetch: false,
+
+        //
+        // Store and proxy prefetched images and thumbnails.
+        // This improves security and privacy by not exposing client IP address,
+        // and always loading images from The Lounge instance and making all assets secure,
+        // which in result fixes mixed content warnings.
+        //
+        // If storage is enabled, The Lounge will fetch and store images and thumbnails
+        // in the `${THELOUNGE_HOME}/storage` folder.
+        //
+        // Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
+        // and the folder is cleaned up on every The Lounge restart.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        prefetchStorage: false,
+
+        //
+        // Prefetch URLs Image Preview size limit
+        //
+        // If prefetch is enabled, The Lounge will only display content under the maximum size.
+        // Specified value is in kilobytes. Default value is 2048 kilobytes.
+        //
+        // @type     int
+        // @default  2048
+        //
+        prefetchMaxImageSize: 2048,
+
+        //
+        // Display network
+        //
+        // If set to false network settings will not be shown in the login form.
+        //
+        // @type     boolean
+        // @default  true
+        //
+        displayNetwork: true,
+
+        //
+        // Lock network
+        //
+        // If set to true, users will not be able to modify host, port and tls
+        // settings and will be limited to the configured network.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        lockNetwork: false,
+
+        //
+        // Hex IP
+        //
+        // If enabled, clients' username will be set to their IP encoded has hex.
+        // This is done to share the real user IP address with the server for host masking purposes.
+        //
+        // @type     boolean
+        // @default  false
+        //
+        useHexIp: false,
+
+        //
+        // WEBIRC support
+        //
+        // If enabled, The Lounge will pass the connecting user's host and IP to the
+        // IRC server. Note that this requires to obtain a password from the IRC network
+        // The Lounge will be connecting to and generally involves a lot of trust from the
+        // network you are connecting to.
+        //
+        // Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
+        // Format (function):
+        //   {"irc.example.net": function(client, args, trusted) {
+        //       // here, we return a webirc object fed directly to `irc-framework`
+        //       return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
+        //   }}
+        //
+        // @type     string | function(client, args):object(webirc)
+        // @default  null
+        webirc: null,
+
+        //
+        // Log settings
+        //
+        // Logging has to be enabled per user. If enabled, logs will be stored in
+        // the 'logs/<user>/<network>/' folder.
+        //
+        // @type     object
+        // @default  {}
+        //
+        logs: {
+                //
+                // Timestamp format
+                //
+                // @type     string
+                // @default  "YYYY-MM-DD HH:mm:ss"
+                //
+                format: "YYYY-MM-DD HH:mm:ss",
+
+                //
+                // Timezone
+                //
+                // @type     string
+                // @default  "UTC+00:00"
+                //
+                timezone: "UTC+00:00",
+        },
+
+        //
+        // Maximum number of history lines per channel
+        //
+        // Defines the maximum number of history lines that will be kept in
+        // memory per channel/query, in order to reduce the memory usage of
+        // the server. Setting this to -1 will keep unlimited amount.
+        //
+        // @type     integer
+        // @default  10000
+        maxHistory: 10000,
+
+        //
+        // Default values for the 'Connect' form.
+        //
+        // @type     object
+        // @default  {}
+        //
+        defaults: {
+                //
+                // Name
+                //
+                // @type     string
+                // @default  "Freenode"
+                //
+                name: "Freenode",
+
+                //
+                // Host
+                //
+                // @type     string
+                // @default  "chat.freenode.net"
+                //
+                host: "chat.freenode.net",
+
+                //
+                // Port
+                //
+                // @type     int
+                // @default  6697
+                //
+                port: 6697,
+
+                //
+                // Password
+                //
+                // @type     string
+                // @default  ""
+                //
+                password: "",
+
+                //
+                // Enable TLS/SSL
+                //
+                // @type     boolean
+                // @default  true
+                //
+                tls: true,
+
+                //
+                // Nick
+                //
+                // @type     string
+                // @default  "lounge-user"
+                //
+                nick: "lounge-user",
+
+                //
+                // Username
+                //
+                // @type     string
+                // @default  "lounge-user"
+                //
+                username: "lounge-user",
+
+                //
+                // Real Name
+                //
+                // @type     string
+                // @default  "The Lounge User"
+                //
+                realname: "The Lounge User",
+
+                //
+                // Channels
+                // This is a comma-separated list.
+                //
+                // @type     string
+                // @default  "#thelounge"
+                //
+                join: "#thelounge",
+        },
+
+        //
+        // Set socket.io transports
+        //
+        // @type     array
+        // @default  ["polling", "websocket"]
+        //
+        transports: ["polling", "websocket"],
+
+        //
+        // Run The Lounge using encrypted HTTP/2.
+        // This will fallback to regular HTTPS if HTTP/2 is not supported.
+        //
+        // @type     object
+        // @default  {}
+        //
+        https: {
+                //
+                // Enable HTTP/2 / HTTPS support.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                enable: false,
+
+                //
+                // Path to the key.
+                //
+                // @type     string
+                // @example  "sslcert/key.pem"
+                // @default  ""
+                //
+                key: "",
+
+                //
+                // Path to the certificate.
+                //
+                // @type     string
+                // @example  "sslcert/key-cert.pem"
+                // @default  ""
+                //
+                certificate: "",
+
+                //
+                // Path to the CA bundle.
+                //
+                // @type     string
+                // @example  "sslcert/bundle.pem"
+                // @default  ""
+                //
+                ca: "",
+        },
+
+        //
+        // Default quit and part message if none is provided.
+        //
+        // @type     string
+        // @default  "The Lounge - https://thelounge.github.io"
+        //
+        leaveMessage: "The Lounge - https://thelounge.github.io",
+
+        //
+        // Run The Lounge with identd support.
+        //
+        // @type     object
+        // @default  {}
+        //
+        identd: {
+                //
+                // Run the identd daemon on server start.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                enable: false,
+
+                //
+                // Port to listen for ident requests.
+                //
+                // @type     int
+                // @default  113
+                //
+                port: 113,
+        },
+
+        //
+        // Enable oidentd support using the specified file
+        //
+        // Example: oidentd: "~/.oidentd.conf",
+        //
+        // @type     string
+        // @default  null
+        //
+        oidentd: null,
+
+        //
+        // LDAP authentication settings (only available if public=false)
+        // @type    object
+        // @default {}
+        //
+        // The authentication process works as follows:
+        //
+        //   1. Lounge connects to the LDAP server with its system credentials
+        //   2. It performs a LDAP search query to find the full DN associated to the
+        //      user requesting to log in.
+        //   3. Lounge tries to connect a second time, but this time using the user's
+        //      DN and password. Auth is validated iff this connection is successful.
+        //
+        // The search query takes a couple of parameters in `searchDN`:
+        //   - a base DN `searchDN/base`. Only children nodes of this DN will be likely
+        //     to be returned;
+        //   - a search scope `searchDN/scope` (see LDAP documentation);
+        //   - the query itself, build as (&(<primaryKey>=<username>) <filter>)
+        //     where <username> is the user name provided in the log in request,
+        //     <primaryKey> is provided by the config and <fitler> is a filtering complement
+        //     also given in the config, to filter for instance only for nodes of type
+        //     inetOrgPerson, or whatever LDAP search allows.
+        //
+        // Alternatively, you can specify the `bindDN` parameter. This will make the lounge
+        // ignore searchDN options and assume that the user DN is always:
+        //     <bindDN>,<primaryKey>=<username>
+        // where <username> is the user name provided in the log in request, and <bindDN>
+        // and <primaryKey> are provided by the config.
+        //
+        ldap: {
+                //
+                // Enable LDAP user authentication
+                //
+                // @type     boolean
+                // @default  false
+                //
+                enable: true,
+
+                //
+                // LDAP server URL
+                //
+                // @type     string
+                //
+                url: "ldap://{{ ldap.domain }}",
+
+                //
+                // LDAP connection tls options (only used if scheme is ldaps://)
+                //
+                // @type     object (see nodejs' tls.connect() options)
+                // @default {}
+                //
+                // Example:
+                //   You can use this option in order to force the use of IPv6:
+                //   {
+                //     host: 'my::ip::v6',
+                //     servername: 'example.com'
+                //   }
+                tlsOptions: {},
+
+                //
+                // LDAP base dn, alternative to searchDN
+                //
+                // @type     string
+                //
+                // baseDN: "",
+
+                //
+                // LDAP primary key
+                //
+                // @type     string
+                // @default  "uid"
+                //
+                primaryKey: "uid",
+
+                //
+                // LDAP search dn settings. This defines the procedure by which the
+                // lounge first look for user DN before authenticating her.
+                // Ignored if baseDN is specified
+                //
+                // @type     object
+                //
+                searchDN: {
+
+                        //
+                        // LDAP searching bind DN
+                        // This bind DN is used to query the server for the DN of the user.
+                        // This is supposed to be a system user that has access in read only to
+                        // the DNs of the people that are allowed to log in.
+                        //
+                        // @type     string
+                        //
+                        rootDN: "cn=admin,dc=data,dc=coop",
+
+                        //
+                        // Password of the lounge LDAP system user
+                        //
+                        // @type     string
+                        //
+                        rootPassword: "{{ ldap_admin_password }}",
+
+                        //
+                        // LDAP filter
+                        //
+                        // @type     string
+                        // @default  "uid"
+                        //
+                        //filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
+                        filter: "(objectClass=inetOrgPerson)",
+
+                        //
+                        // LDAP search base (search only within this node)
+                        //
+                        // @type     string
+                        //
+                        base: "{{ ldap_dn }}",
+
+                        //
+                        // LDAP search scope
+                        //
+                        // @type     string
+                        // @default  "sub"
+                        //
+                        scope: "sub",
+
+                },
+        },
+
+        // Extra debugging
+        //
+        // @type     object
+        // @default  {}
+        //
+        debug: {
+                // Enables extra debugging output provided by irc-framework.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                ircFramework: false,
+
+                // Enables logging raw IRC messages into each server window.
+                //
+                // @type     boolean
+                // @default  false
+                //
+                raw: false,
+        },
+};

roles/docker/files/sso/sso.data.coop.pem

@@ -0,0 +1 @@
+MIICszCCAZsCBgF8WpKKwTANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJkYXRhLmNvb3Agc2VydmljZXMwHhcNMjExMDA3MTE0MzQ1WhcNMzExMDA3MTE0NTI1WjAdMRswGQYDVQQDDBJkYXRhLmNvb3Agc2VydmljZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdV0stfU8aA1bi+GYd/a5DOyoox01BgzWwBFqVjlo80frsOsH8g814eDuMuff/UJy+2YxaozYQGxP+DcOVXi+0Fts9zjRj6wa6HCQqiR/SNUa69fGHcyAo2Tr0faxOyf3QMBqIngTRZB99quNMuAM96RCg25LtDaaWjNVxdHlj78+kU1bQXExp0ZfELlKGtllWP07cyz4nGfZmuK1AiWSsRbDIbyK5dvzw/pMS1kexh6ylnQu1iLqD3vYZBUDX9lPNkavTYZNCEL4ElUvR81S0ko2zkYAUiuVTtTUKucc98dTRhkuV4YCiiW6UQGY/jzmXYBfpzAY3n5eH5iUu/tRXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFQc8ytexKiXOIGrSYYtFaF/lxv8AwMgsndv8YxJ+x/cUwN9tdmA8IAZDIS13qBrCOdZE4pJ/09VkYdErcpbtV7PWC3LDv/c2qakyiBUYZj4WgJio+oD0GCqXsby3aqJeVt9cJr4gSsXxn1c+7GV7p/gc/2FFmlWcqMN/2F7LvFvObu55QlppWZrn8kreaUQmRuTTIviFQRmvrmwKyK52LEcK7qoh/v1aHyYDl91gu3nLMEluz6hy3UEPYgpdH1t2C7K0Kjri25pJNGCFrpKjWWveteKazUeDd4adHMiw2MVfeEyTCXEFoaxQS9QmbmhSMRhiHjbdffL7xi//aSh1bo=

roles/docker/tasks/main.yml

@@ -1,13 +1,13 @@
 ---
 - name: add docker gpg key
   apt_key:
-    keyserver: pgp.key-server.io
+    keyserver: pgp.mit.edu
     id: 8D81803C0EBFCD88
     state: present
 
 - name: add docker apt repository
   apt_repository:
-    repo: deb https://download.docker.com/linux/ubuntu artful stable
+    repo: deb https://download.docker.com/linux/ubuntu bionic stable
     state: present
     update_cache: yes
 
@@ -22,6 +22,11 @@
     name: "docker-compose"
     state: present
 
+- name: create folder structure for bind mounts
+  file:
+    name: "{{ volume_root_folder }}"
+    state: directory
+
 - name: setup services
   import_tasks: services.yml
   tags:

roles/docker/tasks/services.yml

@@ -4,8 +4,5 @@
     name: external_services
 
 - name: setup services
-  docker_service:
-    project_name: "{{ item }}"
-    definition:
-        "{{ lookup('file', 'composefiles/{{ item }}.yml') | from_yaml }}"
+  include_tasks: "services/{{ item }}.yml"
   with_items: "{{ services }}"

roles/docker/tasks/services/codimd.yml

@@ -0,0 +1,57 @@
+---
+
+- name: codimd network
+  docker_network:
+    name: codimd
+
+- name: create codimd volume folders
+  file:
+    name: "{{ codimd.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "db"
+    - "codimd/uploads"
+
+  loop_control:
+    loop_var: volume
+
+- name: codimd database container
+  docker_container:
+    name: codimd_db
+    image: postgres:10
+    state: started
+    restart_policy: unless-stopped
+    networks:
+      - name: codimd
+    volumes:
+      - "{{ codimd.volume_folder }}/db:/var/lib/postgresql/data"
+    env:
+      POSTGRES_USER: "codimd"
+      POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}"
+
+- name: codimd app container
+  docker_container:
+    name: codimd_app
+    image: hackmdio/hackmd:1.3.0
+    restart_policy: unless-stopped
+    networks:
+      - name: codimd
+      - name: ldap
+      - name: external_services
+    volumes:
+      - "{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads"
+
+    env:
+      CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd"
+      CMD_ALLOW_EMAIL_REGISTER: "False"
+      CMD_IMAGE_UPLOAD_TYPE: "filesystem"
+      CMD_EMAIL: "False"
+      CMD_LDAP_URL: "ldap://openldap"
+      CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop"
+      CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}"
+      CMD_LDAP_SEARCHBASE: "dc=data,dc=coop"
+      CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"
+      CMD_USECDN: "false"
+      VIRTUAL_HOST: "{{ codimd.domain }}"
+      LETSENCRYPT_HOST: "{{ codimd.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/docker_registry.yml

@@ -0,0 +1,35 @@
+---
+- name: copy docker registry nginx configuration
+  copy:
+    src: "files/configs/docker_registry/nginx.conf"
+    dest: "/docker-volumes/nginx/vhost/{{ docker_registry.domain }}"
+    mode: "0644"
+
+- name: docker registry container
+  docker_container:
+    name: registry
+    image: registry:2
+    restart_policy: always
+    volumes:
+      - "{{ docker_registry.volume_folder }}/registry:/var/lib/registry"
+      - "{{ docker_registry.volume_folder }}/auth:/auth"
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ docker_registry.domain }}"
+      LETSENCRYPT_HOST: "{{ docker_registry.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      REGISTRY_AUTH: "htpasswd"
+      REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
+      REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
+
+- name: generate htpasswd file
+  shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ docker_registry.volume_folder }}/auth/htpasswd"
+  args:
+    creates: "{{ docker_registry.volume_folder }}/auth/htpasswd"
+
+- name: log in to local registry
+  docker_login:
+    registry: "{{ docker_registry.domain }}"
+    username: "docker"
+    password: "{{ docker_password }}"

roles/docker/tasks/services/drone.yml

@@ -0,0 +1,51 @@
+---
+- name: set up drone with docker runner
+  docker_compose:
+    project_name: drone
+    pull: yes
+    definition:
+      version: "3.6"
+      services:
+        drone:
+          container_name: "drone"
+          image: drone/drone:1
+          restart: unless-stopped
+          networks:
+            - external_services
+            - drone
+          volumes:
+            - "{{ drone.volume_folder }}:/data"
+            - "/var/run/docker.sock:/var/run/docker.sock"
+          environment:
+            DRONE_GITEA_SERVER: "https://{{ gitea.domain }}"
+            DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
+            DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
+            DRONE_GIT_ALWAYS_AUTH: "true"
+            DRONE_SERVER_HOST: "{{ drone.domain }}"
+            DRONE_SERVER_PROTO: "https"
+            DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+            PLUGIN_CUSTOM_DNS: "91.239.100.100"
+            VIRTUAL_HOST: "{{ drone.domain }}"
+            LETSENCRYPT_HOST: "{{ drone.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+        drone-runner-docker:
+          container_name: "drone-runner-docker"
+          image: "drone/drone-runner-docker:1"
+          restart: unless-stopped
+          networks:
+            - drone
+          volumes:
+            - "/var/run/docker.sock:/var/run/docker.sock"
+          environment:
+            DRONE_RPC_HOST: "{{ drone.domain }}"
+            DRONE_RPC_PROTO: "https"
+            DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
+            DRONE_RUNNER_CAPACITY: 2
+            DRONE_RUNNER_NAME: "data.coop_drone_runner"
+
+      networks:
+        drone:
+        external_services:
+          external:
+            name: external_services

roles/docker/tasks/services/fider.yml

@@ -0,0 +1,47 @@
+---
+
+- name: fider network
+  docker_network:
+    name: fider
+
+- name: fider database volume
+  docker_volume:
+    name: fider_db
+
+- name: fider database container
+  docker_container:
+    name: fider_db
+    image: postgres:10
+    state: started
+    restart_policy: always
+    networks:
+      - name: fider
+    volumes:
+      - fider_db:/var/lib/postgresql/data
+    env:
+      POSTGRES_USER: "fider"
+      POSTGRES_PASSWORD: "{{ postgres_passwords.fider }}"
+
+- name: fider app container
+  docker_container:
+    name: fider
+    image: getfider/fider:stable
+    restart_policy: always
+    networks:
+      - name: fider
+      - name: external_services
+      - name: postfix
+    env:
+      GO_ENV: "production"
+      DATABASE_URL: "postgres://fider:{{ postgres_passwords.fider }}@fider_db:5432/fider?sslmode=disable"
+      JWT_SECRET: "{{ fider_jwt_secret }}"
+
+      EMAIL_NOREPLY: noreply@{{ fider.domain }}
+      EMAIL_SMTP_HOST: "{{ smtp_host }}"
+      EMAIL_SMTP_PORT: "{{ smtp_port }}"
+      EMAIL_SMTP_USERNAME: "noop"
+      EMAIL_SMTP_PASSWORD: "noop"
+
+      VIRTUAL_HOST: "{{ fider.domain }}"
+      LETSENCRYPT_HOST: "{{ fider.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email}}"

roles/docker/tasks/services/gitea.yml

@@ -0,0 +1,23 @@
+---
+- name: gitea network
+  docker_network:
+    name: gitea
+
+# old DNS: 138.68.71.153
+- name: gitea container
+  docker_container:
+    name: gitea
+    image: gitea/gitea:1.12.3
+    restart_policy: unless-stopped
+    networks:
+      - name: gitea
+      - name: external_services
+    volumes:
+      - "{{ gitea.volume_folder }}:/data"
+    published_ports:
+      - "22:22"
+    env:
+      VIRTUAL_HOST: "{{ gitea.domain }}"
+      VIRTUAL_PORT: "3000"
+      LETSENCRYPT_HOST: "{{ gitea.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/hedgedoc.yml

@@ -0,0 +1,66 @@
+---
+- name: create hedgedoc volume folders
+  file:
+    name: "{{ hedgedoc.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "db"
+    - "hedgedoc/uploads"
+  loop_control:
+    loop_var: volume
+
+- name: copy sso public certificate
+  copy:
+    src: "files/sso/sso.data.coop.pem"
+    dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem"
+    mode: "0644"
+
+- name: setup hedgedoc
+  docker_compose:
+    project_name: "hedgedoc"
+    pull: "yes"
+    definition:
+      services:
+        database:
+          image: "postgres:10-alpine"
+          environment:
+            POSTGRES_USER: "codimd"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
+            POSTGRES_DB: "codimd"
+          restart: "unless-stopped"
+          networks:
+            - "hedgedoc"
+          volumes:
+            - "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
+        
+        app:
+          image: quay.io/hedgedoc/hedgedoc:1.9.0
+          environment:
+            CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
+            CMD_DOMAIN: "{{ hedgedoc.domain }}"
+            CMD_ALLOW_EMAIL_REGISTER: "False"
+            CMD_IMAGE_UPLOAD_TYPE: "filesystem"
+            CMD_EMAIL: "False"
+            CMD_SAML_IDPCERT: "/sso.data.coop.pem"
+            CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
+            CMD_SAML_ISSUER: "hedgedoc"
+            CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+            CMD_USECDN: "false"
+            CMD_PROTOCOL_USESSL: "true"
+            VIRTUAL_HOST: "{{ hedgedoc.domain }}"
+            LETSENCRYPT_HOST: "{{ hedgedoc.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+          volumes:
+            - "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
+            - "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
+          restart: "unless-stopped"
+          networks: 
+            - "hedgedoc"
+            - "external_services"
+          depends_on:
+            - database
+
+      networks: 
+        hedgedoc:
+        external_services:
+          external: true

roles/docker/tasks/services/keycloak.yml

@@ -0,0 +1,45 @@
+- name: setup keycloak containers for sso.data.coop
+  docker_compose:
+    project_name: "keycloak"
+    pull: "yes"
+    definition:
+      version: "3.6"
+      services:
+
+        postgres:
+          image: "postgres:10"
+          restart: "unless-stopped"
+          networks:
+            - "keycloak"
+          volumes:
+            - "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data"
+          environment:
+            POSTGRES_USER: "keycloak"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
+            POSTGRES_DB: "keycloak"
+
+        app:
+          image: "quay.io/keycloak/keycloak:15.0.2"
+          restart: "unless-stopped"
+          networks:
+            - "keycloak"
+            - "postfix"
+            - "external_services"
+          environment:
+            VIRTUAL_HOST: "{{ keycloak.domain }}"
+            VIRTUAL_PORT: "8080"
+            LETSENCRYPT_HOST: "{{ keycloak.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+            DB_USER: "keycloak"
+            DB_PASSWORD: "{{ postgres_passwords.keycloak }}"
+            DB_ADDR: "keycloak_postgres_1"
+            #KEYCLOAK_USER: "{{ keycloak_secrets.admin_user }}" # Only used for the first run of the application to set up the admin user
+            #KEYCLOAK_PASSWORD: "{{ keycloak_secrets.admin_password }}"
+            PROXY_ADDRESS_FORWARDING: "true"
+             
+      networks:
+        keycloak:
+        postfix:
+          external: true
+        external_services:
+          external: true

roles/docker/tasks/services/mailu.yml

@@ -0,0 +1,161 @@
+---
+
+- name: create mailu volume folders
+  file:
+    name: "{{ mailu.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - redis
+    - certs
+    - overrides
+    - data
+    - dkim
+    - mail
+    - filter
+    - dav
+    - webmail
+  loop_control:
+    loop_var: volume
+
+- name: upload mailu.env file
+  template:
+    src: mailu.env.j2
+    dest: "{{ mailu.volume_folder}}/mailu.env"
+
+- name: hard link to Let's Encrypt TLS certificate
+  file:
+    src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem"
+    dest: "{{ mailu.volume_folder }}/certs/cert.pem"
+    state: hard
+    force: yes
+
+
+- name: hard link to Let's Encrypt TLS key
+  file:
+    src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem"
+    dest: "{{ mailu.volume_folder }}/certs/key.pem"
+    state: hard
+    force: yes
+
+- name: run mail server containers
+  docker_compose:
+    project_name: mail_server
+    pull: yes
+    definition:
+      version: '3.6'
+      services:
+        redis:
+          image: redis:alpine
+          restart: always
+          volumes:
+            - "{{ mailu.volume_folder }}/redis:/data"
+
+        database:
+          image: mailu/postgresql:{{ mailu.version }}
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          volumes:
+            - "{{ mailu.volume_folder }}/data/psql_db:/data"
+            - "{{ mailu.volume_folder }}/data/psql_backup:/backup"
+          networks:
+            - default
+            - external_services
+
+        front:
+          image: mailu/nginx:{{ mailu.version }}
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          environment:
+            VIRTUAL_HOST: "{{ mailu.domain }}"
+            LETSENCRYPT_HOST: "{{ mailu.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+          volumes:
+            - "{{ mailu.volume_folder }}/certs:/certs"
+            - "{{ mailu.volume_folder }}/overrides/nginx:/overrides"
+          expose:
+            - "80"
+          ports:
+            - "993:993"
+            - "25:25"
+            - "587:587"
+            - "465:465"
+          networks:
+            - default
+            - external_services
+
+        resolver:
+          image: mailu/unbound:{{ mailu.version }}
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          networks:
+            default:
+              ipv4_address: "{{ mailu.dns }}"
+
+        admin:
+          image: mailu/admin:{{ mailu.version }}
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          volumes:
+            - "{{ mailu.volume_folder }}/data:/data"
+            - "{{ mailu.volume_folder }}/dkim:/dkim"
+          depends_on:
+            - redis
+
+        imap:
+          image: mailu/dovecot:{{ mailu.version }}
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          volumes:
+            - "{{ mailu.volume_folder }}/mail:/mail"
+            - "{{ mailu.volume_folder }}/overrides:/overrides"
+          depends_on:
+            - front
+
+        smtp:
+          image: mailu/postfix:{{ mailu.version }}
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          volumes:
+            - "{{ mailu.volume_folder }}/overrides:/overrides"
+          depends_on:
+            - front
+            - resolver
+          dns:
+            - "{{ mailu.dns }}"
+
+        antispam:
+          image: mailu/rspamd:{{ mailu.version }}
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          volumes:
+            - "{{ mailu.volume_folder }}/filter:/var/lib/rspamd"
+            - "{{ mailu.volume_folder }}/dkim:/dkim"
+            - "{{ mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
+          depends_on:
+            - front
+            - resolver
+          dns:
+            - "{{ mailu.dns }}"
+
+        webmail:
+          image: mailu/rainloop:1.6
+          restart: always
+          env_file: "{{ mailu.volume_folder}}/mailu.env"
+          volumes:
+            - "{{ mailu.volume_folder }}/webmail:/data"
+          depends_on:
+            - front
+            - resolver
+          dns:
+            - "{{ mailu.dns }}"
+
+      networks:
+        default:
+          driver: bridge
+          ipam:
+            driver: default
+            config:
+              - subnet: "{{ mailu.subnet }}"
+        external_services:
+          external:
+            name: external_services

roles/docker/tasks/services/matrix_riot.yml

@@ -0,0 +1,125 @@
+---
+- name: create matrix volume folders
+  file:
+    name: "{{ matrix.volume_folder }}/{{ volume }}"
+    state: directory
+    owner: "991"
+    group: "991"
+  loop:
+    - "data"
+    - "data/uploads"
+    - "data/media"
+  loop_control:
+    loop_var: volume
+
+- name: create matrix DB folder
+  file:
+    name: "{{ matrix.volume_folder }}/db"
+    state: "directory"
+
+- name: create riot volume folders
+  file:
+    name: "{{ riot.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "data"
+  loop_control:
+    loop_var: volume
+
+- name: upload riot config.json
+  template:
+    src: files/configs/riot/config.json
+    dest: "{{ riot.volume_folder }}/data/config.json"
+
+- name: upload riot.im.conf
+  template:
+    src: files/configs/riot/riot.im.conf
+    dest: "{{ riot.volume_folder }}/data/riot.im.conf"
+
+- name: upload vhost config for root domain
+  template:
+    src: files/configs/matrix/vhost-root
+    dest: "{{ nginx.volume_folder }}/vhost/{{ base_domain }}"
+
+- name: upload vhost config for matrix domain
+  template:
+    src: files/configs/matrix/vhost-matrix
+    dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}"
+
+- name: upload vhost config for riot domain
+  template:
+    src: files/configs/matrix/vhost-riot
+    dest: "{{ nginx.volume_folder }}/vhost/{{ riot.domains[0] }}"
+
+- name: upload homeserver.yaml
+  template:
+    src: "files/configs/matrix/homeserver.yaml.j2"
+    dest: "{{ matrix.volume_folder }}/data/homeserver.yaml"
+
+- name: upload matrix logging config
+  template:
+    src: "files/configs/matrix/matrix.data.coop.log.config"
+    dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config"
+
+- name: set up matrix and riot
+  docker_compose:
+    project_name: matrix
+    pull: yes
+    definition:
+      version: "3.6"
+      services:
+        matrix_db:
+          container_name: matrix_db
+          image: postgres:10
+          restart: unless-stopped
+          networks:
+            - matrix
+          volumes:
+            - "{{ matrix.volume_folder }}/db:/var/lib/postgresql/data"
+          environment:
+            POSTGRES_USER: "synapse"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
+
+        matrix_app:
+          container_name: matrix
+          image: matrixdotorg/synapse:v1.47.1
+          restart: unless-stopped
+          networks:
+            - matrix
+            - external_services
+          ports:
+            - 8008
+          volumes:
+            - "{{ matrix.volume_folder }}/data:/data"
+          environment:
+            SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
+            SYNAPSE_CACHE_FACTOR: "2"
+            SYNAPSE_LOG_LEVEL: "INFO"
+            VIRTUAL_HOST: "{{ matrix.domain }}"
+            VIRTUAL_PORT: "8008"
+            LETSENCRYPT_HOST: "{{ matrix.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+        riot:
+          container_name: riot_app
+          image: avhost/docker-matrix-riot:v1.9.0
+          restart: unless-stopped
+          networks:
+            - matrix
+            - external_services
+          ports:
+            - 8080
+          volumes:
+            - "{{ riot.volume_folder }}/data:/data"
+          environment:
+            VIRTUAL_HOST: "{{ riot.domains|join(',') }}"
+            VIRTUAL_PORT: "8080"
+            LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+      networks:
+        external_services:
+          external:
+            name: external_services
+        matrix:
+          name: "matrix"

roles/docker/tasks/services/netdata.yml

@@ -0,0 +1,27 @@
+---
+
+- name: setup netdata docker container for system monitoring
+  docker_container:
+    name: netdata
+    image: netdata/netdata
+    restart_policy: unless-stopped
+    hostname: "hevonen.servers.{{ base_domain }}"
+    capabilities:
+      - SYS_PTRACE
+    security_opts:
+      - apparmor:unconfined
+    volumes:
+      - /proc:/host/proc:ro
+      - /sys:/host/sys:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST : "{{ netdata.domain }}"
+      LETSENCRYPT_HOST: "{{ netdata.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+      PGID: "999"
+    labels:
+      com.ouroboros.enable: "true"
+
+

roles/docker/tasks/services/nextcloud.yml

@@ -0,0 +1,42 @@
+---
+- name: setup nextcloud containers
+  docker_compose:
+    project_name: "nextcloud"
+    pull: "yes"
+    definition:
+      services:
+        postgres:
+          image: "postgres:10"
+          restart: "unless-stopped"
+          networks:
+            - "nextcloud"
+          volumes:
+            - "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
+          environment: 
+            POSTGRES_DB: "nextcloud"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+            POSTGRES_USER: "nextcloud"
+        
+        app:
+          image: "nextcloud:22-apache"
+          restart: "unless-stopped"
+          networks:
+            - "nextcloud"
+            - "external_services"
+          volumes:
+          - "{{ nextcloud.volume_folder }}/app:/var/www/html"
+          environment:
+            VIRTUAL_HOST: "{{ nextcloud.domain }}"
+            LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+            POSTGRES_HOST: "nextcloud_postgres_1"
+            POSTGRES_DB: "nextcloud"
+            POSTGRES_USER: "nextcloud"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
+
+      networks:
+          nextcloud:
+          postfix:
+            external: true
+          external_services:
+            external: true

roles/docker/tasks/services/nginx-proxy.yml

@@ -0,0 +1,47 @@
+---
+
+- name: create nginx-proxy volume folders
+  file:
+    name: "{{ nginx.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - conf
+    - vhost
+    - html
+    - dhparam
+    - certs
+  loop_control:
+    loop_var: volume
+
+- name: nginx proxy container
+  docker_container:
+    name: nginx-proxy
+    image: jwilder/nginx-proxy
+    restart_policy: always
+    networks:
+      - name: external_services
+    published_ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "{{ nginx.volume_folder }}/conf:/etc/nginx/conf.d"
+      - "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
+      - "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
+      - "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam"
+      - "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro"
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+
+- name: nginx letsencrypt container
+  docker_container:
+    name: nginx-proxy-le
+    image: jrcs/letsencrypt-nginx-proxy-companion
+    restart_policy: always
+    volumes:
+      - "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
+      - "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
+      - "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
+      - "{{ nginx.volume_folder }}/certs:/etc/nginx/certs"
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    env:
+      NGINX_PROXY_CONTAINER: nginx-proxy
+

roles/docker/tasks/services/openldap.yml

@@ -0,0 +1,71 @@
+---
+- name: create ldap volume folders
+  file:
+    name: "{{ ldap.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "var/lib/ldap"
+    - "etc/slapd"
+    - "certs"
+  loop_control:
+    loop_var: volume
+
+- name: Create a network for ldap
+  docker_network:
+    name: ldap
+
+- name: openLDAP container
+  docker_container:
+    name: openldap
+    image: osixia/openldap:1.5.0
+    tty: true
+    interactive: true
+    volumes:
+      - "{{ ldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
+      - "{{ ldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
+      - "{{ ldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
+    published_ports:
+      - "389:389"
+      - "636:636"
+    hostname: "{{ ldap.domain }}"
+    domainname: "{{ ldap.domain }}" # important: same as hostname
+    networks:
+      - name: ldap
+    env:
+      LDAP_LOG_LEVEL: "256"
+      LDAP_ORGANISATION: "{{ base_domain }}"
+      LDAP_DOMAIN: "{{ base_domain }}"
+      LDAP_BASE_DN: ""
+      LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
+      LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
+      LDAP_READONLY_USER: "false"
+      LDAP_RFC2307BIS_SCHEMA: "false"
+      LDAP_BACKEND: "mdb"
+      LDAP_TLS: "true"
+      LDAP_TLS_CRT_FILENAME: "ldap.crt"
+      LDAP_TLS_KEY_FILENAME: "ldap.key"
+      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
+      LDAP_TLS_ENFORCE: "false"
+      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
+      LDAP_TLS_PROTOCOL_MIN: "3.1"
+      LDAP_TLS_VERIFY_CLIENT: "demand"
+      LDAP_REPLICATION: "false"
+      KEEP_EXISTING_CONFIG: "false"
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+      LDAP_SSL_HELPER_PREFIX: "ldap"
+
+- name: phpLDAPadmin container
+  docker_container:
+    name: phpldapadmin
+    image: osixia/phpldapadmin:0.9.0
+    networks:
+      - name: external_services
+      - name: ldap
+    env:
+      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
+      PHPLDAPADMIN_HTTPS: "false"
+      PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
+
+      VIRTUAL_HOST: "{{ ldap.domain }}"
+      LETSENCRYPT_HOST: "{{ ldap.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/ouroboros.yml

@@ -0,0 +1,18 @@
+---
+- name: ouroboros container
+  docker_container:
+    name: ouroboros
+    image: pyouroboros/ouroboros
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /root/.docker/config.json:/root/.docker/config.json
+    env:
+      LABEL_ENABLE: "true"
+      LABELS_ONLY: "true"
+      CLEANUP: "true"
+      LATEST: "true"
+      CRON: "*/10 * * * *"
+      

roles/docker/tasks/services/passit.yml

@@ -0,0 +1,47 @@
+---
+
+- name: setup passit containers
+  docker_compose:
+    project_name: "passit"
+    pull: "yes"
+    definition:
+      version: "3.6"
+      services:
+
+        passit_db:
+          image: "postgres:10"
+          restart: "always"
+          networks:
+            - "passit"
+          volumes:
+            - "{{ passit.volume_folder }}/data:/var/lib/postgresql/data"
+          environment:
+            POSTGRES_USER: "passit"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
+
+        passit_app:
+          image: "passit/passit:stable"
+          command: "bin/start.sh"
+          restart: "always"
+          networks:
+            - "passit"
+            - "postfix"
+            - "external_services"
+          environment:
+            DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
+            SECRET_KEY: "{{ passit_secret_key }}"
+            IS_DEBUG: 'False'
+            EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
+            DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
+            EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
+
+            VIRTUAL_HOST: "{{ passit.domain }}"
+            LETSENCRYPT_HOST: "{{ passit.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+
+      networks:
+        passit:
+        postfix:
+          external: true
+        external_services:
+          external: true

roles/docker/tasks/services/portainer.yml

@@ -0,0 +1,24 @@
+---
+
+- name: create portainer volume folder
+  file:
+    name: "{{ portainer.volume_folder }}"
+    state: directory
+
+- name: run portainer
+  docker_container:
+    name: portainer
+    image: portainer/portainer-ce:2.9.1
+    restart_policy: always
+    networks:
+      - name: external_services
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - "{{ portainer.volume_folder }}:/data"
+    published_ports:
+      - 9001:9000
+    env:
+      VIRTUAL_HOST: "{{ portainer.domain }}"
+      VIRTUAL_PORT: "9000"
+      LETSENCRYPT_HOST: "{{ portainer.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/postfix.yml

@@ -0,0 +1,20 @@
+---
+
+- name: setup network for postfix
+  docker_network:
+    name: postfix
+    ipam_config:
+      - subnet: '172.16.0.0/16'
+        gateway: 172.16.0.1
+
+- name: setup postfix docker container for outgoing mail
+  docker_container:
+    name: postfix
+    image: boky/postfix
+    restart_policy: unless-stopped
+    networks:
+      - name: postfix
+    env:
+      ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}"
+      HOSTNAME: "mail.data.coop" # the name the smtp server will identify itself as
+

roles/docker/tasks/services/privatebin.yml

@@ -0,0 +1,31 @@
+---
+
+- name: create privatebin volume folders
+  file:
+    name: "{{ privatebin.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - cfg
+    - data
+  loop_control:
+    loop_var: volume
+
+- name: upload privatebin config
+  template:
+    src: files/configs/privatebin-conf.php
+    dest: "{{ privatebin.volume_folder }}/cfg/conf.php"
+
+- name: privatebin app container
+  docker_container:
+    name: privatebin
+    image: jgeusebroek/privatebin:latest
+    restart_policy: unless-stopped
+    volumes:
+      - "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg"
+      - "{{ privatebin.volume_folder }}/data:/privatebin/data"
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ privatebin.domain }}"
+      LETSENCRYPT_HOST: "{{ privatebin.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/restic-backup.yml

@@ -0,0 +1,38 @@
+---
+- name: setup restic backup
+  docker_compose:
+    project_name: restic_backup
+    pull: yes
+    definition:
+      version: '3.6'
+      services:
+        restic-backup:
+          image: mazzolino/restic
+          restart: always
+          environment:
+            RUN_ON_STARTUP: "true"
+            BACKUP_CRON: "0 30 3 * * *"
+            RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen" 
+            RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
+            RESTIC_BACKUP_SOURCES: "/mnt/volumes"
+            RESTIC_BACKUP_ARGS: >-
+              --tag datacoop-volumes
+              --exclude='*.tmp'
+              --verbose
+            RESTIC_FORGET_ARGS: >-
+              --keep-last 10
+              --keep-daily 7
+              --keep-weekly 5
+              --keep-monthly 12
+            TZ: Europe/Copenhagen
+          volumes:
+            - /docker-volumes:/mnt/volumes:ro
+        
+        restic-prune:
+          image: "mazzolino/restic"
+          environment:
+            RUN_ON_STARTUP: "true"
+            PRUNE_CRON: "0 0 4 * * *"
+            RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
+            RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
+            TZ: Europe/copenhagen

roles/docker/tasks/services/thelounge.yml

@@ -0,0 +1,25 @@
+---
+
+- name: thelounge volume
+  docker_volume:
+    name: thelounge
+
+- name: upload thelounge config
+  template:
+    src: files/configs/thelounge.js
+    dest: /var/lib/docker/volumes/thelounge/_data/config.js
+
+- name: thelounge container
+  docker_container:
+    name: thelounge
+    image: thelounge/lounge:latest
+    restart_policy: always
+    volumes:
+      - thelounge:/home/lounge/data
+    networks:
+      - name: external_services
+      - name: ldap
+    env:
+      VIRTUAL_HOST: "{{ thelounge.domain }}"
+      LETSENCRYPT_HOST: "{{ thelounge.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

roles/docker/tasks/services/tt-rss.yml

@@ -0,0 +1,53 @@
+---
+- name: create tt-rss folders
+  file:
+    name: "{{ ttrss.volume_folder }}/{{ volume }}"
+    state: directory
+  loop:
+    - "config"
+    - "db"
+  loop_control:
+    loop_var: volume
+
+- name: "set up tt-rss"
+  docker_compose:
+    project_name: "tt-rss"
+    pull: yes
+    definition:
+      version: "3.6"
+      services:
+        ttrss_db:
+          container_name: "ttrss_db"
+          image: "postgres:11"
+          restart: "unless-stopped"
+          networks:
+            - "ttrss"
+          volumes:
+            - "{{ ttrss.volume_folder }}/db:/var/lib/postgresql/data"
+          environment:
+            POSTGRES_USER: "ttrss"
+            POSTGRES_PASSWORD: "{{ postgres_passwords.ttrss }}"
+
+        ttrss_app:
+          container_name: ttrss_app
+          image: "linuxserver/tt-rss"
+          restart: unless-stopped
+          networks:
+            - ttrss
+            - external_services 
+          volumes: 
+            - "{{ ttrss.volume_folder }}/config:/config"
+          environment:
+            VIRTUAL_HOST: "{{ ttrss.domain }}"
+            LETSENCRYPT_HOST: "{{ ttrss.domain }}"
+            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+            TZ: "Europe/Copenhagen"
+          labels:
+            com.ouroboros.enable: "true"   
+
+      networks:     
+        external_services:
+          external:
+            name: external_services
+        ttrss:
+          name: "ttrss"

roles/docker/tasks/services/ulovliglogning-dk.yml

@@ -0,0 +1,13 @@
+- name: setup ulovliglogning.dk website docker container
+  docker_container:
+    name: ulovliglogning_website
+    restart_policy: unless-stopped
+    image: ulovliglogning/ulovliglogning.dk:latest
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"

roles/docker/tasks/services/websites.yml

@@ -0,0 +1,57 @@
+---
+
+- name: setup data.coop website docker container
+  docker_container:
+    name: data.coop_website
+    image: docker.data.coop/data-coop-website
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"
+
+- name: setup new data.coop website using hugo
+  docker_container:
+    name: new.data.coop_website
+    image: docker.data.coop/data-coop-website:hugo
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"
+
+- name: setup cryptohagen.dk website docker container
+  docker_container:
+    name: cryptohagen_website
+    restart_policy: unless-stopped
+    image: docker.data.coop/cryptohagen-website
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"  
+
+- name: setup cryptoaarhus.dk website docker container
+  docker_container:
+    name: cryptoaarhus_website
+    restart_policy: unless-stopped
+    image: docker.data.coop/cryptoaarhus-website
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    labels:
+      com.ouroboros.enable: "true"

roles/docker/templates/mailu.env.j2

@@ -0,0 +1,160 @@
+# Mailu main configuration file
+#
+# Generated for compose flavor
+#
+# This file is autogenerated by the configuration management wizard.
+# For a detailed list of configuration variables, see the documentation at
+# https://mailu.io
+
+###################################
+# Common configuration variables
+###################################
+
+# Set this to the path where Mailu data and configuration is stored
+# This variable is now set directly in `docker-compose.yml by the setup utility
+# ROOT=/mailu
+
+# Mailu version to run (1.0, 1.1, etc. or master)
+#VERSION=1.6
+
+# Set to a randomly generated 16 bytes string
+SECRET_KEY={{ mailu_secret_key }}
+
+# Address where listening ports should bind
+# This variables are now set directly in `docker-compose.yml by the setup utility
+# PUBLIC_IPV4= 127.0.0.1 (default: 127.0.0.1)
+# PUBLIC_IPV6= ::1 (default: ::1)
+
+# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
+SUBNET={{ mailu.subnet }}
+
+# Main mail domain
+DOMAIN=data.coop
+
+# Hostnames for this server, separated with comas
+HOSTNAMES=mail.data.coop
+
+# Postmaster local part (will append the main mail domain)
+POSTMASTER=admin
+
+# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
+TLS_FLAVOR=mail
+
+# Authentication rate limit (per source IP address)
+AUTH_RATELIMIT=120/minute;1200/hour
+
+# Opt-out of statistics, replace with "True" to opt out
+DISABLE_STATISTICS=False
+
+###################################
+# Optional features
+###################################
+
+# Expose the admin interface (value: true, false)
+ADMIN=true
+
+# Choose which webmail to run if any (values: roundcube, rainloop, none)
+WEBMAIL=rainloop
+
+# Dav server implementation (value: radicale, none)
+WEBDAV=radicale
+
+# Antivirus solution (value: clamav, none)
+#ANTIVIRUS=clamav
+
+#Antispam solution
+ANTISPAM=none
+
+###################################
+# Mail settings
+###################################
+
+# Message size limit in bytes
+# Default: accept messages up to 50MB
+# Max attachment size will be 33% smaller
+MESSAGE_SIZE_LIMIT=50000000
+
+# Networks granted relay permissions
+# Use this with care, all hosts in this networks will be able to send mail without authentication!
+RELAYNETS=
+
+# Will relay all outgoing mails if configured
+RELAYHOST=
+
+# Fetchmail delay
+FETCHMAIL_DELAY=600
+
+# Recipient delimiter, character used to delimiter localpart from custom address part
+RECIPIENT_DELIMITER=+
+
+# DMARC rua and ruf email
+DMARC_RUA=admin
+DMARC_RUF=admin
+
+# Welcome email, enable and set a topic and body if you wish to send welcome
+# emails to all users.
+WELCOME=false
+WELCOME_SUBJECT=Welcome to your new email account
+WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
+
+# Maildir Compression
+# choose compression-method, default: none (value: bz2, gz)
+COMPRESSION=
+# change compression-level, default: 6 (value: 1-9)
+COMPRESSION_LEVEL=
+
+###################################
+# Web settings
+###################################
+
+# Path to redirect / to
+WEBROOT_REDIRECT=/webmail
+
+# Path to the admin interface if enabled
+WEB_ADMIN=/admin
+
+# Path to the webmail if enabled
+WEB_WEBMAIL=/webmail
+
+# Website name
+SITENAME=data.coop
+
+# Linked Website URL
+WEBSITE=https://mail.data.coop
+
+
+
+###################################
+# Advanced settings
+###################################
+
+# Log driver for front service. Possible values:
+# json-file (default)
+# journald (On systemd platforms, useful for Fail2Ban integration)
+# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
+# LOG_DRIVER=json-file
+
+# Docker-compose project name, this will prepended to containers names.
+COMPOSE_PROJECT_NAME=mailu
+
+# Default password scheme used for newly created accounts and changed passwords
+# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
+PASSWORD_SCHEME=BLF-CRYPT
+
+# Header to take the real ip from
+REAL_IP_HEADER=
+
+# IPs for nginx set_real_ip_from (CIDR list separated by commas)
+REAL_IP_FROM=
+
+# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
+REJECT_UNLISTED_RECIPIENT=
+
+# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
+LOG_LEVEL=WARNING
+
+###################################
+# Database settings
+###################################
+DB_FLAVOR=postgresql
+DB_PW={{ postgres_passwords.mailu }}

roles/ubuntu_base/tasks/base.yml

@@ -1,8 +1,18 @@
 ---
-- name: Install necessary packages
+- name: Install necessary packages via apt
   apt:
     name: "{{ packages }}"
   vars:
     packages:
     - aptitude
     - python3-pip
+    - apparmor
+    - haveged
+
+- name: Install necessary packages via pip
+  pip:
+    name: "{{ packages }}"
+  vars:
+    packages:
+      - docker
+      - docker-compose