Add fedi.dk website

Upgrade Passit database and temporarily pin Passit due to WebAuthn bug
HedgeDoc image version :1 doesn't exist, but Alpine doesn't have vulnerabilities
2023-02-18 21:09:49 +01:00 · 2023-01-22 02:00:53 +01:00 · 2023-01-21 21:49:27 +01:00 · 2023-01-21 21:37:37 +01:00 · 2023-01-21 21:33:39 +01:00 · 2023-01-21 17:17:55 +00:00
16 changed files with 76 additions and 66 deletions
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -9,59 +9,59 @@ services:
    file: postfix.yml
    domain: "smtp.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/postfix"
-    version: v3.5.1-alpine
+    version: "v3.5.1-alpine"
  nginx_proxy:
    file: nginx_proxy.yml
-    version: 1.0-alpine
+    version: "1.0-alpine"
    volume_folder: "{{ volume_root_folder }}/nginx"
  nginx_acme_companion:
-    version: 2.2
+    version: "2.2"
  openldap:
    file: openldap.yml
    domain: "ldap.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/openldap"
-    version: 1.5.0
+    version: "1.5.0"
  phpldapadmin:
-    version: 0.9.0
+    version: "0.9.0"
  netdata:
    file: netdata.yml
    domain: "netdata.{{ base_domain }}"
-    version: v1
+    version: "v1"
  portainer:
    file: portainer.yml
    domain: "portainer.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/portainer"
-    version: 2.16.2
+    version: "2.16.2"
  keycloak:
    file: keycloak.yml
    domain: sso.{{ base_domain }}
    volume_folder: "{{ volume_root_folder }}/keycloak"
-    version: 20.0
+    version: "20.0"
-    postgres_version: 10
+    postgres_version: "10"
    allowed_sender_domain: true
  restic:
    file: restic_backup.yml
-    user: datacoop
+    user: "datacoop"
-    domain: restic.cannedtuna.org
+    domain: "restic.cannedtuna.org"
-    repository: datacoop-hevonen
+    repository: "datacoop-hevonen"
-    version: 1.6.0
+    version: "1.6.0"
    disabled_in_vagrant: true
  docker_registry:
    file: docker_registry.yml
    domain: "docker.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/docker-registry"
-    username: docker
+    username: "docker"
    password: "{{ docker_password }}"
-    version: 2
+    version: "2"
  ### External services ###
@ -70,7 +70,7 @@ services:
    domain: "cloud.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/nextcloud"
    version: 25-apache
-    postgres_version: 10
+    postgres_version: "10"
    redis_version: 7-alpine
    allowed_sender_domain: true
@ -78,7 +78,7 @@ services:
    file: gitea.yml
    domain: "git.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/gitea"
-    version: 1.18.0
+    version: 1.18
    allowed_sender_domain: true
  passit:
@ -86,7 +86,7 @@ services:
    domain: "passit.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/passit"
    version: stable
-    postgres_version: 10
+    postgres_version: 15-alpine
    allowed_sender_domain: true
  matrix:
@ -94,7 +94,7 @@ services:
    domain: "matrix.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/matrix"
    version: v1.63.1
-    postgres_version: 10
+    postgres_version: "10"
    allowed_sender_domain: true
  riot:
@ -119,7 +119,7 @@ services:
    file: hedgedoc.yml
    domain: "pad.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/hedgedoc"
-    version: 1.9.6
+    version: 1.9.6-alpine
    postgres_version: 10-alpine
  data_coop_website:
@ -138,24 +138,29 @@ services:
    domain: "2022.slides.{{ base_domain }}"
    version: latest
  fedi_dk_website:
    file: websites/fedi.dk.yaml
    domain: fedi.dk
    version: latest
  cryptohagen_website:
    file: websites/cryptohagen.dk.yml
    domains:
-      - cryptohagen.dk
+      - "cryptohagen.dk"
-      - www.cryptohagen.dk
+      - "www.cryptohagen.dk"
  ulovliglogning_website:
    file: websites/ulovliglogning.dk.yml
    domains:
-      - ulovliglogning.dk
+      - "ulovliglogning.dk"
-      - www.ulovliglogning.dk
+      - "www.ulovliglogning.dk"
-      - ulovlig-logning.dk
+      - "ulovlig-logning.dk"
  cryptoaarhus_website:
    file: websites/cryptoaarhus.dk.yml
    domains:
-      - cryptoaarhus.dk
+      - "cryptoaarhus.dk"
-      - www.cryptoaarhus.dk
+      - "www.cryptoaarhus.dk"
  drone:
    file: drone.yml
@ -184,12 +189,8 @@ services:
    file: rallly.yml
    domain: "when.{{ base_domain }}"
    volume_folder: "{{ volume_root_folder }}/rallly"
 <<<<<<< HEAD
    version: ac55701890cd866ee946deb25e2b2839fb14900e
    postgres_version: 14-alpine
 =======
    version: e4482a1edb2fb56292d07ee8811a24f2a0d6b114
->>>>>>> main
+    postgres_version: 14-alpine
    allowed_sender_domain: true
  pinafore:
@ -200,7 +201,7 @@ services:
  membersystem:
    file: membersystem.yml
    domain: "member.{{ base_domain }}"
-    django_admins: Vidir:valberg@orn.li
+    django_admins: "Vidir:valberg@orn.li"
    version: latest
    postgres_version: 13-alpine
    allowed_sender_domain: true
--- a/roles/docker/tasks/services/keycloak.yml
+++ b/roles/docker/tasks/services/keycloak.yml
@ -26,7 +26,16 @@
            - "keycloak"
            - "postfix"
            - "external_services"
-          command: "start --db=postgres --db-url=jdbc:postgresql://postgres:5432/keycloak --db-username=keycloak --db-password={{ postgres_passwords.keycloak }} --hostname={{ services.keycloak.domain }} --proxy=edge --https-port=8080 --http-relative-path=/auth"
+          command:
            - "start"
            - "--db=postgres"
            - "--db-url=jdbc:postgresql://postgres:5432/keycloak"
            - "--db-username=keycloak"
            - "--db-password={{ postgres_passwords.keycloak }}"
            - "--hostname={{ services.keycloak.domain }}"
            - "--proxy=edge"
            - "--https-port=8080"
            - "--http-relative-path=/auth"
          environment:
            VIRTUAL_HOST: "{{ services.keycloak.domain }}"
            VIRTUAL_PORT: "8080"
--- a/roles/docker/tasks/services/membersystem.yml
+++ b/roles/docker/tasks/services/membersystem.yml
@ -33,8 +33,6 @@
            CSRF_TRUSTED_ORIGINS: "https://{{ services.membersystem.domain }}"
            DJANGO_ADMINS: "{{ services.membersystem.django_admins }}"
            DEFAULT_FROM_EMAIL: "noreply@{{ services.membersystem.domain }}"
          labels:
            com.centurylinklabs.watchtower.enable: "true"
        postgres:
          image: "postgres:{{ services.membersystem.postgres_version }}"
--- a/roles/docker/tasks/services/netdata.yml
+++ b/roles/docker/tasks/services/netdata.yml
@ -21,7 +21,3 @@
      LETSENCRYPT_HOST: "{{ services.netdata.domain }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
      PGID: "999"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/passit.yml
+++ b/roles/docker/tasks/services/passit.yml
@ -1,5 +1,12 @@
 # vim: ft=yaml.ansible
 ---
 - name: Create directory for Passit data
  file:
    name: "{{ services.passit.volume_folder }}/data"
    owner: '70'
    group: root
    state: directory
 - name: setup passit containers
  docker_compose:
    project_name: "passit"
@ -19,7 +26,7 @@
            POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
        passit_app:
-          image: "passit/passit:{{ services.passit.version }}"
+          image: "passit/passit@sha256:c4b96bc67222936f58f344d5dd1020227ad8e11ad5f82ed3cbf0bcfa8fe9b2e7" #:{{ services.passit.version }}"
          command: "bin/start.sh"
          restart: "always"
          networks:
--- a/roles/docker/tasks/services/pinafore.yml
+++ b/roles/docker/tasks/services/pinafore.yml
@ -12,5 +12,3 @@
      VIRTUAL_PORT: "4002"
      LETSENCRYPT_HOST: "{{ services.pinafore.domain }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/rallly.yml
+++ b/roles/docker/tasks/services/rallly.yml
@ -33,8 +33,6 @@
            interval: 5s
            timeout: 5s
            retries: 5
          labels:
            com.centurylinklabs.watchtower.enable: "true"
        rallly:
          image: "lukevella/rallly:{{ services.rallly.version }}"
@ -53,8 +51,6 @@
            VIRTUAL_PORT: "3000"
            LETSENCRYPT_HOST: "{{ services.rallly.domain }}"
            LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
          labels:
            com.centurylinklabs.watchtower.enable: "true"
      networks:
        rallly_internal:
--- a/roles/docker/tasks/services/restic_backup.yml
+++ b/roles/docker/tasks/services/restic_backup.yml
@ -11,7 +11,7 @@
          image: mazzolino/restic:{{ services.restic.version }}
          restart: always
          environment:
-            RUN_ON_STARTUP: "true"
+            RUN_ON_STARTUP: "false"
            BACKUP_CRON: "0 30 3 * * *"
            RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
            RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
@ -32,7 +32,7 @@
        restic-prune:
          image: "mazzolino/restic:{{ services.restic.version }}"
          environment:
-            RUN_ON_STARTUP: "true"
+            RUN_ON_STARTUP: "false"
            PRUNE_CRON: "0 0 4 * * *"
            RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
            RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
--- a/roles/docker/tasks/services/watchtower.yml
+++ b/roles/docker/tasks/services/watchtower.yml
@ -7,9 +7,8 @@
    restart_policy: unless-stopped
    networks:
      - name: external_services
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - "{{ services.docker_registry.volume_folder }}/auth/config.json:/config.json"
    env:
      WATCHTOWER_LABEL_ENABLE: "true"
      WATCHTOWER_POLL_INTERVAL: "60"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/root/.docker/config.json:/config.json:ro"
--- a/roles/docker/tasks/services/websites/2022.slides.data.coop.yml
+++ b/roles/docker/tasks/services/websites/2022.slides.data.coop.yml
@ -17,6 +17,3 @@
      - NET_ADMIN
    devices:
      - "/dev/net/tun"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml
+++ b/roles/docker/tasks/services/websites/cryptoaarhus.dk.yml
@ -11,5 +11,3 @@
      VIRTUAL_HOST : "{{ services.cryptoaarhus_website.domains|join(',') }}"
      LETSENCRYPT_HOST: "{{ services.cryptoaarhus_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/cryptohagen.dk.yml
+++ b/roles/docker/tasks/services/websites/cryptohagen.dk.yml
@ -11,5 +11,3 @@
      VIRTUAL_HOST : "{{ services.cryptohagen_website.domains|join(',') }}"
      LETSENCRYPT_HOST: "{{ services.cryptohagen_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/data.coop.yml
+++ b/roles/docker/tasks/services/websites/data.coop.yml
@ -21,5 +21,3 @@
      VIRTUAL_HOST : "{{ services.data_coop_website.domains|join(',') }}"
      LETSENCRYPT_HOST: "{{ services.data_coop_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/fedi.dk.yaml
+++ b/roles/docker/tasks/services/websites/fedi.dk.yaml
@ -0,0 +1,19 @@
 # vim: ft=yaml.ansible
 ---
 - name: setup fedi.dk website with unipi
  docker_container:
    name: fedi.dk_website
    image: docker.data.coop/unipi:{{ services.fedi_dk_website.version }}
    restart_policy: unless-stopped
    purge_networks: yes
    networks:
      - name: external_services
    env:
      VIRTUAL_HOST: "{{ services.fedi_dk_website.domain }}"
      LETSENCRYPT_HOST: "{{ services.fedi_dk_website.domain }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    command: "--remote=https://git.data.coop/fedi.dk/website.git#main"
    capabilities:
      - NET_ADMIN
    devices:
      - "/dev/net/tun"
--- a/roles/docker/tasks/services/websites/new.data.coop.yml
+++ b/roles/docker/tasks/services/websites/new.data.coop.yml
@ -11,5 +11,3 @@
      VIRTUAL_HOST : "{{ services.new_data_coop_website.domain }}"
      LETSENCRYPT_HOST: "{{ services.new_data_coop_website.domain }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
--- a/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
+++ b/roles/docker/tasks/services/websites/ulovliglogning.dk.yml
@ -11,5 +11,3 @@
      VIRTUAL_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
      LETSENCRYPT_HOST: "{{ services.ulovliglogning_website.domains|join(',') }}"
      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
    labels:
      com.centurylinklabs.watchtower.enable: "true"
Author	SHA1	Message	Date
Reynir Björnsson	82aa6f67aa	Add fedi.dk website	2023-02-18 21:09:49 +01:00
Sam A.	593dddd00e	Upgrade Passit database and temporarily pin Passit due to WebAuthn bug	2023-01-22 02:00:53 +01:00
Sam A.	16aec98808	HedgeDoc image version :1 doesn't exist, but Alpine doesn't have vulnerabilities	2023-01-21 21:49:27 +01:00
Sam A.	a5d59b9336	Fix variable	2023-01-21 21:37:37 +01:00
Sam A.	388e0526ca	Set RUN_ON_STARTUP=false for Restic	2023-01-21 21:33:39 +01:00
valberg	b445d7db17	Merge pull request 'Enable Watchtower for all services' (#123 ) from watchtower into main Reviewed-on: data.coop/ansible#123	2023-01-21 17:17:55 +00:00
Sam A.	7ca168ae03	Merge branch 'main' into watchtower	2023-01-21 17:33:45 +01:00
Sam A.	209ccf9916	Merge pull request 'Collect even more version numbers in docker/defaults/main.yml' (#143 ) from unify_more_configurations into main Reviewed-on: data.coop/ansible#143	2023-01-21 16:30:07 +00:00
Sam A.	f81fab3d11	Quote numbers	2023-01-14 17:31:08 +01:00
Sam A.	9733794292	Revert "Make quotations consistent" This reverts commit `231af48a40`.	2023-01-14 17:24:53 +01:00
Sam A.	58f3df7ed0	Merge branch 'main' into watchtower	2023-01-06 14:53:59 +01:00
Sam A.	44eb59fb86	Merge branch 'main' into watchtower	2022-12-27 19:48:32 +01:00
Sam A.	2c9c501562	Remove label from Pinafore	2022-12-06 18:06:31 +01:00
Sam A.	0dcc0a6d75	Merge branch 'main' into watchtower	2022-12-06 18:05:15 +01:00
Sam A.	1356aa54c8	Merge branch 'main' into watchtower	2022-11-26 16:49:53 +01:00
Sam A.	44b5f91eef	Merge branch 'main' into watchtower	2022-11-25 22:12:47 +01:00
Sam A.	74dfcfb5e8	Keycloak: avoid very long lines :(	2022-11-23 21:09:05 +01:00
Sam A.	221ddd987f	Upgrade Postfix to 3.5.1 and use Alpine-based image	2022-11-23 21:05:01 +01:00
Sam A.	687bff35e9	Pin netdata to v1	2022-11-23 21:00:48 +01:00
Sam A.	9261cb1952	Pin Keycoak to 20.0 (minor version)	2022-11-23 20:34:43 +01:00
Sam A.	1f61909605	Pin HedgeDoc to major version 1 From https://docs.hedgedoc.org/setup/getting-started/#upgrading-hedgedoc > HedgeDoc follows [Semantic Versioning](https://semver.org/). > This means that minor and patch releases should not introduce > user-facing backwards-incompatible changes.	2022-11-23 20:16:36 +01:00
Sam A.	d9de1efc9a	Pin Gitea to 1.17 instead of 1.17.3 Gitea's "minor" version change seems to be the one that occasionally introduces breaking changes, so let's not update that automatically. Only keep the patch-releases automatically updated.	2022-11-23 20:02:30 +01:00
Sam A.	2fa5bf4982	Merge branch 'main' into watchtower	2022-11-23 19:51:58 +01:00
Sam A.	c9ab9f0c66	Watchtower doesn't need external_services network	2022-11-19 18:20:10 +01:00
Sam A.	e5dcfea003	Pin Watchtower version	2022-11-19 18:19:43 +01:00
Sam A.	27b918b46b	Remove labels	2022-11-18 21:07:12 +01:00
Sam A.	5d26e1cdea	Fix mount point for Watchtower The auth file created by the registry login task doesn't need to be stored in a non-default path.	2022-11-18 20:58:22 +01:00
Sam A.	a4a06d8a58	Upgrade Watchtower and disable filter by enable label	2022-11-18 18:59:00 +01:00