Compare commits

168 commits

Author SHA1 Message Date
Reynir Björnsson 6e57f1d0c2 Refactor allowed_sender_domains and allow more
A new object 'postfix' is created with a list of allowed_sender_domains.
Any services that expect to send mail this way should add its sender
domain to that list.
2022-01-20 13:36:48 +00:00
Reynir Björnsson 68c82a785b Upgrade synapse to v1.47.1 2021-11-23 13:12:15 +01:00
Jesper Hess 682e205c0b Bump OpenLDAP to 1.5.0 and phpLDAPAdmin to 0.9.0 2021-10-11 18:53:22 +02:00
Jesper Hess e64c858df8 Bump portainer version to 2.9.1 2021-10-11 18:52:39 +02:00
Jesper Hess c0bd431d3c Change default sender domain to @services.data.coop so as not to cause issues with our @data.coop emails 2021-10-10 18:03:09 +02:00
Jesper Hess a5a2d38b0c Bump Synapse to v1.44.0 and Element to v1.9.0 2021-10-10 15:25:54 +02:00
Jesper Hess c34d9fcb90 Add Hedgedoc
- Add Hedgedoc as a replacement for CodiMD.
- Integrate it with the new SSO system
2021-10-09 22:42:35 +02:00
Jesper Hess 5294b5f230 Merge pull request 'Add keycloak service' (#66) from keycloak into master
Reviewed-on: data.coop/ansible#66
2021-10-09 12:20:18 +00:00
Jesper Hess 270b7aa0e1 Merge branch 'master' into keycloak 2021-10-09 12:19:45 +00:00
Jesper Hess b6c2db6434
Switch NextCloud to docker_compose in Ansible + upgrade to v22 2021-10-09 14:13:18 +02:00
Jesper Hess 2af5165349
Upgrade portainer to 2.9.0 2021-10-07 20:59:38 +02:00
Jesper Hess ca6c3a96a1
Comment out the KEYCLOAK_USER and KEYCLOAK_PASSWORD since they mess up things after first run 2021-10-07 20:58:31 +02:00
Jesper Hess e6ee76ddde Merge branch 'master' into keycloak 2021-10-07 11:31:07 +00:00
Jesper Hess 19e7a397e3 Merge pull request 'Bump element to v1.8.4' (#65) from element.v1.8.4 into master
Reviewed-on: data.coop/ansible#65
2021-10-07 11:26:56 +00:00
Jesper Hess 2c8482a5ab Merge branch 'master' into element.v1.8.4 2021-10-07 11:26:42 +00:00
Jesper Hess 3999db2eff
Add keycloak service 2021-10-07 13:20:30 +02:00
Reynir Björnsson 43f39c981d Bump element to v1.8.4
See https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing
2021-09-14 15:30:08 +02:00
Jesper Hess b39df6003b
Disable Matrix registrations and move Matrix secrets to Ansible vault.
Fixes #46
2021-07-03 09:12:18 +02:00
Jesper Hess 0ef4f972ed
Update Element -> 1.7.29 & Synapse -> 1.34.0 2021-05-28 06:23:46 +02:00
Jesper Hess 9b1dc31163 Merge pull request 'Use inventory in ansible.cfg' (#60) from hosts into master
Reviewed-on: data.coop/ansible#60
2021-03-05 07:49:59 +00:00
Reynir Björnsson 62cc00bea7 Use inventory in ansible.cfg 2021-03-04 13:52:25 +01:00
Víðir Valberg Guðmundsson 30b9580d3c Add required pip packages. 2021-02-01 21:06:39 +01:00
Víðir Valberg Guðmundsson 9e5c18f839 Rename docker_service tasks to docker_compose. 2021-02-01 21:06:23 +01:00
Víðir Valberg Guðmundsson 068502773e Fix matrix_riot service. 2021-02-01 20:51:28 +01:00
valberg fbebeef57b Merge pull request 'Migrate Passit to docker_service & set correct volume folder path' (#54) from passit-cleanup into master
Reviewed-on: data.coop/ansible#54
2021-01-31 10:30:23 +00:00
Jesper Hess a692e7d2cb
Migrate Passit to docker_service & set correct volume folder path 2021-01-28 14:01:19 +01:00
Jesper Hess 406e19a95c
Document new secrets needed in secrets.yml 2021-01-27 13:17:48 +01:00
Víðir Valberg Guðmundsson cec959a47e Upgrade portainer to 2.0.1. 2021-01-26 21:59:26 +01:00
valberg c8cc5b7534 Merge pull request 'Backup of /docker-volumes folder' (#53) from restic_backup into master
Reviewed-on: data.coop/ansible#53
2021-01-26 19:45:13 +00:00
Jesper Hess 9ae295896f
Use docker_service ansible command 2021-01-26 20:40:22 +01:00
Jesper Hess 6d2fbdbbb6
Fix secret for restic repo 2021-01-26 20:19:34 +01:00
Jesper Hess 3fe7d162aa
Use correct volume folder 2021-01-26 20:01:05 +01:00
Jesper Hess 86de1fd24e
Initial work on restic container for backup 2021-01-26 19:57:06 +01:00
Víðir Valberg Guðmundsson a4966e74fe Remove deni key. 2021-01-19 23:08:56 +01:00
valberg cf6fe970eb Merge pull request 'Change YAML to use lists instead of comma-separated strings for domains because it looks nicer' (#51) from domain_lists into master
Reviewed-on: data.coop/ansible#51
2020-12-17 08:20:50 +00:00
Jesper Hess f5293c016d
Change YAML to use lists instead of comma-separated strings for domains because it looks nicer 2020-12-17 08:43:24 +01:00
reynir e9f1d800a1 Merge pull request 'Update cryptoaarhus.dk domains' (#49) from cryptoaarhus.dk into master
Reviewed-on: data.coop/ansible#49
2020-12-11 08:57:32 +00:00
Reynir Björnsson fe5fa81f44 Update cryptoaarhus.dk domains 2020-12-10 16:25:26 +01:00
Jesper Hess bb5c77e602
Fix typo 2020-11-27 10:48:02 +01:00
Jesper Hess 21e2b743ef Merge pull request 'Bump Matrix max upload size to a whopping 50 MB' (#45) from matrix-max-upload-size into master
Reviewed-on: data.coop/ansible#45

All good, thanks!
2020-11-27 09:37:58 +00:00
Reynir Björnsson 8d88016efd Matrix: up nginx client_max_body_size to 50MB
Then it's consistent with max_upload_size (sort of - modulo overhead in
http)
2020-11-27 10:36:51 +01:00
Jesper Hess 2ac2d8b8da
Change ouroboros interval to 10min to hopefully fly under the new docker hub rate limit. 2020-11-23 08:25:35 +01:00
Reynir Björnsson a78641674d cryptoaarhus_website: Add cryptoaarhus.dk domain 2020-11-05 08:47:58 +01:00
Reynir Björnsson 03cde007bc Bump Matrix max upload size to a whopping 50 MB 2020-10-19 10:01:00 +02:00
reynir d40b3ad9ab Merge pull request 'Add cryptoaarhus website' (#36) from reynir/ansible:cryptoaarhus.dk into master
Reviewed-on: data.coop/ansible#36
2020-09-28 13:54:15 +00:00
reynir 5738a8c40f Merge branch 'master' into cryptoaarhus.dk 2020-09-28 12:29:11 +00:00
Jesper Hess 5559a2c776 Merge pull request 'Allow fetching data.coop's public rooms over federation' (#44) from carl/ansible:synapse-room-list into master
Reviewed-on: data.coop/ansible#44
2020-09-23 19:31:15 +00:00
Carl Bordum Hansen 653a0603d5 Allow fetching data.coop's public rooms over federation 2020-09-23 20:47:31 +02:00
Reynir Björnsson 9a0fe69789 Add cryptoaarhus website 2020-09-11 18:44:15 +02:00
Jesper Hess 8bec174a46
Switch riot.data.coop->element.data.coop in riot's config.json 2020-08-31 18:57:49 +02:00
Jesper Hess 3e098546ef
Update gitea to v 1.12.3 2020-08-31 18:24:47 +02:00
Jesper Hess e7d69cd6df Merge pull request 'Gitea network werent autocreated' (#40) from rluch/ansible:rluch/fix-initially-missing-gitea-network into master 2020-08-31 05:50:05 +00:00
Jesper Hess 7926c861b2 Merge pull request 'Add element.data.coop for riot' (#42) from reynir/ansible:element into master 2020-08-31 05:49:20 +00:00
Reynir Björnsson d49a57792f Add element.data.coop for riot
Riot was renamed to element recently.
2020-08-23 11:33:45 +02:00
Jesper Hess 99cb94c94a
Update Riot and Synapse to latest 2020-08-15 17:21:12 +02:00
Jesper Hess ad243a5777
Fix problem with new.data.coop overwriting the old site 2020-06-10 20:15:13 +02:00
Vidir Valberg Gudmundsson 4cf48f13c0 Add new data.coop website. Fix postfix container for newest ansible. Comment out tt-rss. 2020-05-29 23:36:07 +02:00
Jesper Hess 5a5bb50e09
Upgrade synapse and riot to latest 2020-05-08 15:43:58 +02:00
Rasmus Lundsgaard Christiansen d49b943fd2 Gitea network werent autocreated 2020-04-12 16:34:52 +02:00
Jesper Hess 4f07b8edb2
Add file showing the variables contained in secrets.yml 2020-04-11 16:28:38 +02:00
Jesper Hess 09617dd35a
Move postfix network config to postfix.yml file instead of base services.yml file 2020-03-04 18:05:48 +01:00
Jesper Hess 98d4ab69cc Add ulovlig-logning.dk 2020-03-04 09:39:36 +00:00
Jesper Hess b454583e2c Merge pull request 'Upgrade Drone' (#39) from drone-upgrade into master 2020-03-02 09:43:50 +00:00
Jesper Hess f2a6aab2fe
Drone is working now 2020-03-01 13:47:09 +01:00
Jesper Hess e0f01bb78e
Upgrade Drone initial steps 2020-03-01 08:03:05 +01:00
Vidir Valberg Gudmundsson d51edc2922 Upgrade gitea. 2020-02-27 09:44:33 +01:00
Vidir Valberg Gudmundsson 47d7abe631 Upgrade synapse and riot. 2020-02-26 20:55:21 +01:00
Vidir Valberg Gudmundsson 6e94ac766b Upgrade portainer. 2020-02-26 20:27:05 +01:00
Jesper Hess 5f1bbae3de
Increase rate limiting for outgoing mails to support the needs of ulovliglogning 2020-02-06 21:47:43 +01:00
Jesper Hess cd2424999f
Add www.[domain] to hosted websites 2020-01-14 08:11:19 +01:00
Jesper Hess 4e0332cc79
Add www.[domain] to hosted websites 2020-01-14 08:10:03 +01:00
Jesper Hess ef3e0993da
Add www.[domain] to hosted websites 2020-01-14 07:58:32 +01:00
valberg 625e83e0d3 Merge branch 'add-ulovliglogning-website' of data.coop/ansible into master 2020-01-13 18:25:21 +00:00
Jesper Hess 1adc11e9c4 Add ulovliglogning.dk website to the stack 2020-01-13 19:24:54 +01:00
Jesper Hess 447b82326c
Add ulovliglogning.dk website to the stack 2020-01-13 17:29:09 +01:00
Jesper Hess edfd530afe
Upgrade Synapse to v1.7.1 and Riot v1.5.6 2019-12-19 11:18:41 +01:00
Jesper Hess 67443d23d4 Merge branch 'master' of deni/ansible into master 2019-11-28 10:26:50 +00:00
Denis Smajlović 9195016a40 Add user deni 2019-11-24 17:49:06 +00:00
valberg 2e5dc7158d Merge branch 'mailu-smtps' of reynir/ansible into master 2019-11-21 18:39:40 +00:00
Reynir Björnsson 6331805793 Add smtps port 2019-11-19 11:10:05 +01:00
Jesper Hess 97fe0e16ef Merge branch 'upgrade-matrix-riot' of data.coop/ansible into master
As above. Just forgot to merge :)
2019-11-11 09:03:31 +00:00
Jesper Hess 3f2c7b1547
Upgrade Synapse to v1.5.1 and Riot to v1.5.3 2019-11-11 09:56:02 +01:00
Jesper Hess 71664653b0
Upgrade to Synapse 1.0.0 and Riot-Web 1.2.1 2019-06-12 14:33:35 +02:00
Jesper Hess 57cf5103c5
Upgrade to Matrix 0.99.5 and Riot 1.2.0 2019-05-30 19:59:37 +02:00
Jesper Hess 5566be7da9
Make netdata update via ouroboros 2019-05-30 18:53:26 +02:00
Jesper Hess 70632c26c2
Add tt-rss service 2019-04-25 12:05:28 +02:00
Jesper Hess fb67e038a8
Upgrade riot to 1.0.7 2019-04-10 18:01:58 +02:00
Jesper Hess 999f266af5
Update synapse to v0.99.3 2019-04-10 17:53:46 +02:00
Jesper Hess e42937736e
Enable group/community creation for all matrix users 2019-04-10 17:46:39 +02:00
Jesper Hess ba28b1eb0c
Add SYNAPSE_CACHE_FACTOR env var 2019-03-30 09:35:04 +01:00
Jesper Hess 1f69fdc3b4
Rewrite matrix/riot to use docker_service 2019-03-15 19:34:27 +01:00
Víðir Valberg Guðmundsson ada37f206a Adding networks to mailu database container. 2019-03-15 18:19:21 +01:00
Víðir Valberg Guðmundsson 8b10f40edd Add portainer. 2019-03-15 12:38:36 +01:00
Jesper Hess 59319938b8
Upgrade riot to 1.0.3 2019-03-13 06:37:22 +01:00
Jesper Hess be65327ea9
Pin specific version of matrix 2019-03-11 17:34:34 +01:00
Jesper Hess 0775a77979
Reduce log level to WARN in Synapse 2019-03-10 21:15:21 +01:00
Jesper Hess fff9f1e9da
Extract matrix config to file, make sure everything still works as before 2019-03-07 21:28:54 +01:00
Jesper Hess fb0efacf40
Add volume folder for matrix 2019-03-07 13:23:10 +01:00
Jesper Hess 8b5e8a276b
Reduce log level to hopefully lighten the load 2019-03-05 20:00:20 +01:00
Jesper Hess 05eb677c3f
Add quotes in a couple of places 2019-03-05 15:17:53 +01:00
Víðir Valberg Guðmundsson a43c52e71e Fix stuff to get mailu to work. 2019-03-05 15:10:24 +01:00
Jesper Hess 02aa4e185f
Move docker_volumes variable def to more logical place 2019-03-05 14:47:58 +01:00
Reynir Björnsson 1ad44e19d3
Add reynir 2019-03-05 14:46:37 +01:00
Víðir Valberg Guðmundsson 6ffdac0c25 Fix mailu version variable. 2019-03-05 13:19:41 +01:00
Víðir Valberg Guðmundsson d0dd46e4f2 Rename to indicate j2 template. 2019-03-05 13:17:49 +01:00
valberg 85f60399d9 Merge branch 'service/mailu' of data.coop/ansible into master 2019-03-05 12:14:02 +00:00
Víðir Valberg Guðmundsson 6488abf0af Add mailu to services. 2019-03-05 13:13:16 +01:00
Víðir Valberg Guðmundsson 8a0a2bf0a0 Merge branch 'master' into service/mailu 2019-03-05 13:10:24 +01:00
Víðir Valberg Guðmundsson ae78c942d7 Use ansible_service to run mailu containers with docker compose. 2019-03-05 13:07:57 +01:00
Jesper Hess 0f398cef3f
Upgrade riot to 1.0.1 2019-03-05 10:59:32 +01:00
Jesper Hess d5602af999
Add haveged to base system packages 2019-03-05 10:31:31 +01:00
Jesper Hess 0c5ed48600
Upgrade CodiMD 2019-03-05 10:06:10 +01:00
Jesper Hess ae2873e4d9
vhost config file for matrix domain 2019-03-05 09:06:19 +01:00
Jesper Hess 4db622313d
Publish port for nginx to forward connections to 2019-03-05 09:04:47 +01:00
Jesper Hess fef1951d57
Add necessary nginx configs to get matrix federation to work 2019-03-05 08:37:16 +01:00
Jesper Hess 1f8b1827ff
Rearrange matrix+riot ansible script, move volumes to host mounts. 2019-03-05 08:36:30 +01:00
Jesper Hess 55c8e77254
Move openldap to volume mounts 2019-03-04 18:21:14 +01:00
Jesper Hess 2f413b3e99
Switch out watchtower with Ouroboros 2019-03-04 16:28:51 +01:00
Jesper Hess 9ff11808ce
Add watchtower to manage auto-update of containers 2019-03-03 15:45:35 +01:00
Jesper Hess 0c1e94323c
Add drone CI/CD pipeline 2019-03-03 15:17:08 +01:00
Jesper Hess 787f47d45e
Set restart policy on containers that were missing it 2019-03-03 07:38:00 +01:00
Víðir Valberg Guðmundsson f5bc79e636 Add network. 2019-03-02 23:25:07 +01:00
Víðir Valberg Guðmundsson f734e7608b Merge branch 'master' into service/mailu 2019-03-02 23:10:36 +01:00
Víðir Valberg Guðmundsson d25555d107 Initial mailu setup 2019-03-02 23:05:00 +01:00
Jesper Hess 1cd9b67b4e
Configure gitea container as per old server 2019-03-02 21:30:54 +01:00
Jesper Hess 24a3f4ab3d
Add volume folder for gitea 2019-03-02 21:16:00 +01:00
Jesper Hess 454fc751d2
Add VIRTUAL_PORT to gitea 2019-03-02 21:16:00 +01:00
Jesper Hess e30f05d3e4
Clean up gitea docker 2019-03-02 21:15:59 +01:00
Jesper Hess ea8804d31c
Add cryptohagen.dk website 2019-03-02 19:51:32 +01:00
Jesper Hess e118b30873
Deploy https://data.coop as a container 2019-03-02 19:24:42 +01:00
Jesper Hess 1400b18930
Set up authentication for local registry + log in 2019-03-02 19:15:37 +01:00
Jesper Hess 3b596c5701
Add docker registry container 2019-03-02 18:29:15 +01:00
Jesper Hess 92baab22a9
Rename of server in netdata 2019-02-28 20:51:30 +01:00
Jesper Hess eb36b822b3
Add netdata as docker container 2019-02-28 08:38:23 +01:00
Jesper Hess 53046bb85f
Add apparmor package 2019-02-28 08:28:54 +01:00
Jesper Hess df913b2622
Fix missing quotes in ENV variables 2019-02-28 08:22:38 +01:00
Víðir Valberg Guðmundsson 14e72b2a5c Pinning riot container. 2019-02-16 00:38:44 +01:00
Víðir Valberg Guðmundsson 200304dd17 Remove some redundancy. 2019-02-15 10:21:06 +01:00
Víðir Valberg Guðmundsson e5427616dc Adding some stuff to deploy.sh to make things easier - I think 2019-02-15 10:19:24 +01:00
valberg 8d1f3a4955 Merge branch 'codimd' of data.coop/ansible into master 2019-02-15 09:03:42 +00:00
Víðir Valberg Guðmundsson 3a2ac5cb6b Getting codimd to work. 2019-02-14 22:52:55 +01:00
Jesper Hess dcf8fe8087
Add codimd service. LDAP isn't working just yet 2019-02-13 21:17:48 +01:00
Víðir Valberg Guðmundsson fce600d56c Moving nginx volumes to bind volumes. 2019-02-13 10:36:04 +01:00
Víðir Valberg Guðmundsson 3def4b490b Some small fixes to privatebin. 2019-02-13 10:35:45 +01:00
Jesper Hess 6a47214cd6
Add pastebin to service list 2019-02-13 10:15:24 +01:00
Jesper Hess c7fe698bc2 Merge branch 'privatebin' of data.coop/ansible into master
Resolves #8
2019-02-13 09:10:39 +00:00
Jesper Hess 26792454f4
Finalise privatebin service setup 2019-02-13 10:05:00 +01:00
Jesper Hess ca183eaf4d
Add privatebin config file 2019-02-13 10:04:40 +01:00
Jesper Hess d9921adae0
Add /docker-volumes folder structure for bind mounts 2019-02-13 10:04:22 +01:00
Víðir Valberg Guðmundsson 79149a4cba Adding some missing matrix stuff. Trying to get federation to work. 2019-02-13 09:49:22 +01:00
Jesper Hess 7a1e2c4b02
Fix typo 2019-02-13 08:54:05 +01:00
Jesper Hess 83935a8649
Add privatebin service 2019-02-13 08:50:42 +01:00
Víðir Valberg Guðmundsson fefbabcc33 Add postfix container. Get passit running with that. Fider is still not working. 2019-02-10 08:59:53 +01:00
valberg 0675539530 Merge branch 'matrix-riot' of data.coop/ansible into master 2019-02-09 21:47:13 +00:00
Víðir Valberg Guðmundsson 027c18f070 Update riot config. 2019-02-09 22:46:32 +01:00
Jesper Hess 76a0b411e9
Still fixing stuff 2019-02-09 18:49:03 +01:00
Jesper Hess 6805197c31
Fixing riot and matrix stuff 2019-02-09 17:00:47 +01:00
Jesper Hess ec930a6f0f
Add hostname for riot 2019-02-09 16:00:04 +01:00
Jesper Hess 8066a0e67d
Remove ssl requirement from matrix config 2019-02-09 15:56:20 +01:00
Jesper Hess f30f07eacb
Add riot.im.conf and stuff to matrix role 2019-02-09 15:43:15 +01:00
Jesper Hess e371b11e84
Add config.json for riot 2019-02-09 15:18:09 +01:00
Jesper Hess 3d09c8592f
Add matrix base_domain and set in synapse config 2019-02-09 15:07:16 +01:00
Jesper Hess ac7b6a17cb
Make vagrant ask for ansible vault password 2019-02-09 15:00:15 +01:00
Jesper Hess 5f1e4e02ef
Use bionic release of docker for Ubuntu 2019-02-09 14:59:45 +01:00
Víðir Valberg Guðmundsson f97eb0e8ed
Initial matrix/riot stuff. 2019-02-09 14:34:04 +01:00
Víðir Valberg Guðmundsson 05f5628de2 Hardcoding ldap filters for now. 2019-02-09 14:33:21 +01:00
Víðir Valberg Guðmundsson 69d53c26e9 Update server address. Remove published ports (nginx proxy does it). 2019-02-09 12:21:53 +01:00
Víðir Valberg Guðmundsson b2a532c258 Get rid of all docker compose files and use ansible modules to create resources. 2019-01-26 17:54:45 +01:00
53 changed files with 3412 additions and 280 deletions

1
Vagrantfile vendored
@ -13,6 +13,7 @@ Vagrant.configure(2) do |config|
ansible.verbose = "v"
ansible.compatibility_mode = "2.0"
ansible.playbook = "playbook.yml"
ansible.ask_vault_pass = true
ansible.host_vars = {
"datacoop" => {"ansible_python_interpreter" => "/usr/bin/python3.6"}
}
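
Review bot: `ansible.ask_vault_pass = true` makes every `vagrant provision` stop at an interactive prompt, so unattended runs of this Vagrantfile will hang or fail. If local test runs should stay non-interactive, point the provisioner at a password file kept outside the repository (`ansible.vault_password_file`) and keep the prompt for production deploys only.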

@ -1,2 +1,3 @@
[defaults]
remote_user = root
remote_user = root
inventory = datacoop_hosts
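
Review bot: `remote_user = root` keeps every play logging in over SSH as root, although the users file in this same comparison puts the named admins in the `sudo` group and the playbook hunk already sets `become: true`. Consider connecting as a personal account and escalating with become, so that root SSH login can be disabled on the host and each run is attributable to a person.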

@ -1,16 +1,3 @@
######################################
### All hosts
10.1.1.198 ansible_python_interpreter=/usr/bin/python3
10.1.1.199 ansible_python_interpreter=/usr/bin/python3
######################################
### Application servers
[servers]
10.1.1.198
10.1.1.199
[datacoop1]
10.1.1.198
[datacoop2]
10.1.1.199
85.235.225.231 ansible_port=19022 ansible_python_interpreter=/usr/bin/python3
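
Review bot: the single host line that remains is ungrouped, while the lines around it defined `[servers]`, `[datacoop1]` and `[datacoop2]`; any `hosts:` pattern or group_vars directory keyed on those group names will stop matching, and Ansible only warns about that. The Vagrantfile in this comparison sets host_vars for a host called "datacoop", so giving the production host a name or group instead of a bare IP would keep the two environments consistent.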

19
deploy.sh Normal file → Executable file
@ -0,0 +1,19 @@
#!/bin/sh
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
if [ -z "$1" ]; then
echo "Deploying all!"
$BASE_CMD
else
case $1 in
"services")
if [ -z "$2" ]; then
echo "Deploying all services!"
$BASE_CMD --tags setup_services
else
echo "Deploying services: $2"
$BASE_CMD --tags setup_services --extra-vars "services=$2"
fi
esac
fi
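
Review bot: the `case $1` has no `*)` branch, so any first argument other than "services" (a typo such as `service`, for example) falls through, deploys nothing and still exits 0. Add a default branch that prints usage and exits non-zero. Separately, `--extra-vars "services=$2"` passes `services` as a plain string, whereas the playbook hunk in this comparison defines it as a YAML list; if the role iterates over it, the JSON form of --extra-vars keeps the type.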

102
group_vars/all/secrets.yml Normal file
@ -0,0 +1,102 @@
$ANSIBLE_VAULT;1.1;AES256

@ -0,0 +1,42 @@
# These are the variables contained in secrets.yml
# Secrets are usually 32 characters or more, matching [a-Z0-9]
postgres_passwords:
fider: xxx
nextcloud: xxx
passit: xxx
gitea: xxx
matrix: xxx
codimd: xxx
mailu: xxx
ttrss: xxx
keycloak: xxx
fider_jwt_secret: xxx
ldap_admin_password: xxx
ldap_config_password: xxx
passit_secret_key: xxx
docker_password: xxx
mailu_secret_key: xxx
drone_secrets:
oauth_client_id: xxx
oauth_client_secret: xxx
rpc_shared_secret: xxx
restic_secrets:
user_secret: xxx
encryption_secret: xxx
matrix_secrets:
registration_shared_secret: xxx
macaroon_secret_key: xxx
form_secret: xxx
keycloak_secrets:
admin_user: xxx //used for setting up the initial admin user on first run
admin_password: xxx
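
Review bot: on the `admin_user` line, `//used for setting up the initial admin user on first run` is not a YAML comment; YAML comments start with `#`, so as written the text becomes part of the value for anyone who copies this file as a template. In the header comment, `[a-Z0-9]` is not a valid character range; `[a-zA-Z0-9]` is presumably what is meant.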

@ -13,3 +13,12 @@ users:
password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
groups:
- sudo
reynir:
comment: Reynir Björnsson
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJl8/rikIUnqr9fPF3rE0rjWHCNzte10LvkjGmpdO9ka/NubQ7O25fp08rC+n0d1pUooYwHBAgiv9Hsql6HF9QfNKNUp7IKp7CXWcjb4ga02kuzWGSXjm40Vf0jSadIrJ33M4SeJHTByDGoeYPQBQ7n+qHdwcqJADBQygBuc5sRzxm8i0sbmzF3DJDDVeTJjEY5pfR4vnJlpmU8SC2d1ZkhCjmKCsL0PShntTIt1ztCt0yO71KoHKaNPu1jutGxcU9u7J1pEqcPT6EzU/cQJ4DMVzrGp26nIV0msRl3NeGNjukwXOzAh6KmsmXG7yWFyQmLRqgc/bjUeyhuWJ10vwUbaYVeIef7YrgEOgnkYLIFeWRMhdnwtL/W8g1D66SFx7+iYJj180eTi8Lc8rZm2NaiGynvWlFcJ4PGdTYZsWcFzQ+SaDziNMw1H3IixxdlD8Shw9mxpijJ+A4dH2kkUXyGVsc13zRIU7hq9ax8nrw6HVLGFLn09rEPig+SkyWrqRpRGMBWyqTRJywIV6jk0ll+i8rJZA2McY0rABbACrzXT5VBj5dLKnnRITLDicAYgt7YuEiQ0ffErQrPXXHUVeI0QKnJgplSHxH5QsX9a1Y+NoaoditdMT2bjvEqROi+/JYRycLR/BQV/d2nFPhqwq1x1AFvL4f8UvVH/hxp3PXWw== reynir yubikey
password: $6$MiPv.ZFlWnLHGNOb$jdQD9NaPMRUGaP2YHRJNwrMPBGl9qwK0HFhI6x51Xpn7hdzuC4GIwvOw1DJK33sNs/gGP5bWB0izviXkDcq7B0
groups:
- sudo
volume_root_folder: "/docker-volumes"
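
Review bot: the `password:` values here are SHA-512 crypt hashes (`$6$...`) stored in a plain vars file, while every other credential in this comparison lives in the vaulted secrets.yml. A hash that anyone with repository access can read is open to offline guessing, so move these values into the vault as well and reference them from here.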

@ -3,12 +3,34 @@
gather_facts: False
become: true
vars:
# Services are the names of the compose files in docker/files/composefiles
base_domain: data.coop
letsencrypt_email: bestyrelsen@data.coop
ldap_dn: "dc=data,dc=coop"
services:
- nginx-proxy
- openldap
- thelounge
- gitea
- nextcloud
- fider
- passit
- gitea
- postfix
- matrix_riot
- privatebin
- codimd
- netdata
- docker_registry
- drone
- websites
- ulovliglogning-dk
- ouroboros
- mailu
- portainer
# - tt-rss
smtp_host: "postfix"
smtp_port: "587"
tasks:
- import_role:
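
Review bot: `- gitea` appears twice in the `services` list, after `thelounge` and again after `passit`. The +/- markers are not visible in this rendering, so if both entries are on the new side, drop one. Also check that `hedgedoc` and `keycloak`, which get vars in the services vars file of this comparison, are meant to be absent from this list.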

@ -0,0 +1,106 @@
volume_root_folder: "/docker-volumes"
nginx:
volume_folder: "{{ volume_root_folder }}/nginx"
ldap:
domain: "ldap.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/openldap"
thelounge:
domain: "irc.{{ base_domain }}"
nextcloud:
domain: "cloud.{{ base_domain }}"
gitea:
domain: "git.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/gitea"
passit:
domain: "passit.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/passit"
fider:
domain: "feedback.{{ base_domain }}"
matrix:
domain: "matrix.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/matrix"
riot:
domains:
- "riot.{{ base_domain }}"
- "element.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/riot"
privatebin:
domain: "paste.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/privatebin"
codimd:
domain: "oldpad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/codimd"
hedgedoc:
domain: "pad.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/hedgedoc"
netdata:
domain: "netdata.{{ base_domain }}"
docker_registry:
domain: "docker.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/docker-registry"
username: "docker"
password: "{{ docker_password }}"
data_coop_website:
domains:
- "{{ base_domain }}"
- "www.{{ base_domain }}"
cryptohagen_website:
domains:
- "cryptohagen.dk"
- "www.cryptohagen.dk"
ulovliglogning_website:
domains:
- "ulovliglogning.dk"
- "www.ulovliglogning.dk"
- "ulovlig-logning.dk"
cryptoaarhus_website:
domains:
- "cryptoaarhus.dk"
- "www.cryptoaarhus.dk"
drone:
domain: "drone.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/drone"
mailu:
version: 1.6
domain: "mail.{{ base_domain }}"
dns: 192.168.203.254
subnet: 192.168.203.0/24
volume_folder: "{{ volume_root_folder }}/mailu"
portainer:
domain: "portainer.{{ base_domain }}"
volume_folder: "{{ volume_root_folder }}/portainer"
ttrss:
domain: rss.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/tt-rss"
keycloak:
domain: sso.{{ base_domain }}
volume_folder: "{{ volume_root_folder }}/keycloak"
postfix:
allowed_sender_domains:
- "services.{{ base_domain }}"
- "{{ passit.domain }}"
- "{{ fider.domain }}"
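
Review bot: `version: 1.6` under `mailu` is an unquoted YAML float. That happens to survive for 1.6, but a later release such as 1.10 would be read as 1.1; quote it (`version: "1.6"`) so the version stays a string. Minor: the `ttrss` and `keycloak` `domain` values are the only templated strings left unquoted, and quoting them would match the rest of the file.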

@ -1,43 +0,0 @@
version: '3'
services:
db:
restart: always
image: postgres
networks:
- fider
volumes:
- /var/fider/pg_data:/var/lib/postgresql/data
environment:
POSTGRES_USER: fider
POSTGRES_PASSWORD: "SOMESTRONGPASSWORD"
app:
restart: always
image: getfider/fider:stable
ports:
- "9999:3000"
networks:
- fider
- external_services
environment:
GO_ENV: production
DATABASE_URL: postgres://fider:SOMESTRONGPASSWORD@db:5432/fider?sslmode=disable
JWT_SECRET: LONGRANDOMSTRING
EMAIL_NOREPLY: noreply@data.coop
EMAIL_SMTP_HOST: smtp.fastmail.com
EMAIL_SMTP_PORT: 587
EMAIL_SMTP_USERNAME: a_smtp_user
EMAIL_SMTP_PASSWORD: password_for_smtp_user
VIRTUAL_HOST: feedback.data.coop
LETSENCRYPT_HOST: feedback.data.coop
LETSENCRYPT_EMAIL: valberg@orn.li
depends_on:
- db
networks:
fider:
external_services:
external: true

@ -1,42 +0,0 @@
version: "2.3"
networks:
gitea:
external_services:
external: true
services:
server:
image: gitea/gitea:latest
environment:
- USER_UID=1000
- USER_GID=1000
- VIRTUAL_HOST=gitea.local
- VIRTUAL_PORT=3000
restart: always
networks:
- gitea
- external_services
volumes:
- gitea:/data
ports:
- "3000:3000"
- "222:22"
depends_on:
- db
db:
image: postgres:9.6
restart: always
environment:
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=gitea
- POSTGRES_DB=gitea
networks:
- gitea
volumes:
- postgres:/var/lib/postgresql/data
volumes:
gitea:
postgres:

@ -1,38 +0,0 @@
version: '3'
services:
db:
image: postgres
restart: always
volumes:
- db:/var/lib/postgresql/data
environment:
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
networks:
- nextcloud
app:
image: nextcloud
volumes:
- nextcloud:/var/www/html
restart: always
environment:
- POSTGRES_HOST=db
- POSTGRES_PASSWORD=hest
- POSTGRES_DB=nextcloud
- POSTGRES_USER=nextcloud
- VIRTUAL_HOST=nextcloud.local
depends_on:
- db
ports:
- "80"
networks:
- nextcloud
- external_services
volumes:
nextcloud:
db:
networks:
external_services:
external: true
nextcloud:

@ -1,49 +0,0 @@
---
version: '3'
services:
nginx-proxy:
image: jwilder/nginx-proxy
container_name: nginx-proxy
networks:
- external_services
ports:
- "80:80"
- "443:443"
volumes:
- conf:/etc/nginx/conf.d
- vhost:/etc/nginx/vhost.d
- html:/usr/share/nginx/html
- dhparam:/etc/nginx/dhparam
- certs:/etc/nginx/certs:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
restart: always
letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: nginx-proxy-le
depends_on:
- nginx-proxy
volumes:
- vhost:/etc/nginx/vhost.d
- html:/usr/share/nginx/html
- dhparam:/etc/nginx/dhparam:ro
- certs:/etc/nginx/certs
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- NGINX_PROXY_CONTAINER=nginx-proxy
restart: always
volumes:
conf:
vhost:
html:
dhparam:
certs:
networks:
external_services:
external: true

@ -1,61 +0,0 @@
version: '3'
services:
openldap:
image: osixia/openldap:1.2.2
container_name: openldap
environment:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "data.coop"
LDAP_DOMAIN: "data.coop"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "admin"
LDAP_CONFIG_PASSWORD: "config"
LDAP_READONLY_USER: "true"
LDAP_READONLY_USER_USERNAME: "readonly"
LDAP_READONLY_USER_PASSWORD: "readonly"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap.crt"
LDAP_TLS_KEY_FILENAME: "ldap.key"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: "demand"
LDAP_REPLICATION: "false"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
tty: true
stdin_open: true
volumes:
- /var/lib/ldap
- /etc/ldap/slapd.d
- /container/service/slapd/assets/certs/
ports:
- "389:389"
- "636:636"
domainname: "ldap.data.coop" # important: same as hostname
hostname: "ldap.data.coop"
networks:
- external_services
phpldapadmin:
image: osixia/phpldapadmin:latest
container_name: phpldapadmin
environment:
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
VIRTUAL_HOST: ldap.data.coop
LETSENCRYPT_HOST: ldap.data.coop
LETSENCRYPT_EMAIL: valberg@orn.li
depends_on:
- openldap
networks:
- external_services
networks:
external_services:
external: true
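
Review bot: The removed compose file carried literal credentials (`LDAP_ADMIN_PASSWORD: "admin"`, `LDAP_CONFIG_PASSWORD: "config"`, `LDAP_READONLY_USER_PASSWORD: "readonly"`), and deleting the file leaves them in the repository history. If any of these values was ever used on a running directory, rotate it as part of this change; the same applies to `POSTGRES_PASSWORD=hest` and `POSTGRES_PASSWORD=gitea` in the other removed compose files.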

@ -1,23 +0,0 @@
version: '3'
services:
thelounge:
image: thelounge/lounge:latest
container_name: thelounge
restart: always
ports:
- "9000:9000"
volumes:
- thelounge:/home/lounge/data # bind lounge config from the host's file system
networks:
- external_services
environment:
VIRTUAL_HOST: irc.data.coop
LETSENCRYPT_HOST: irc.data.coop
LETSENCRYPT_EMAIL: valberg@orn.li
volumes:
thelounge:
networks:
external_services:
external: true

@ -0,0 +1 @@
client_max_body_size 10G;
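
Review bot: `client_max_body_size 10G;` has no comment saying which upload path needs a 10G request body, unlike the 50M overrides elsewhere in this change that are annotated with `# default is 1M`. Add a comment with the reason, and confirm that the application's own upload limit and the disk behind the proxy's temporary files are sized for it, since nginx will accept bodies up to this size.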

File diff suppressed because it is too large

@ -0,0 +1,37 @@
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: precise
filename: /data/homeserver.log
maxBytes: 104857600
backupCount: 10
filters: [context]
encoding: utf8
console:
class: logging.StreamHandler
formatter: precise
filters: [context]
loggers:
synapse:
level: WARN
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: INFO
handlers: [file, console]

@ -0,0 +1,2 @@
listen 8008;
client_max_body_size 50M; # default is 1M

@ -0,0 +1 @@
client_max_body_size 50M; # default is 1M

@ -0,0 +1,14 @@
location /_matrix {
proxy_pass http://0.0.0.0:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
location /.well-known/matrix/server {
default_type application/json;
return 200 '{"m.server": "matrix.data.coop:443"}';
}
location /.well-known/matrix/client {
default_type application/json;
return 200 '{"m.homeserver": {"base_url": "https://matrix.data.coop"}}';
}
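
Review bot: `proxy_pass http://0.0.0.0:8008;` uses the wildcard address as an upstream, which is a bind address rather than a destination; point it at the Synapse container name or at the loopback address the listener is actually reachable on. The block sets only `X-Forwarded-For`, so add `proxy_set_header Host $host;` if Synapse should see the public host name, and note that both `.well-known` bodies hard-code `matrix.data.coop`, which will drift if `matrix.domain` changes.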

@ -0,0 +1,154 @@
;<?php http_response_code(403); /*
; config file for PrivateBin
;
; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
[main]
; (optional) set a project name to be displayed on the website
name = "paste.data.coop"
; enable or disable the discussion feature, defaults to true
discussion = true
; preselect the discussion feature, defaults to false
opendiscussion = false
; enable or disable the password feature, defaults to true
password = true
; enable or disable the file upload feature, defaults to false
fileupload = true
; preselect the burn-after-reading feature, defaults to false
burnafterreadingselected = false
; which display mode to preselect by default, defaults to "plaintext"
; make sure the value exists in [formatter_options]
defaultformatter = "plaintext"
; (optional) set a syntax highlighting theme, as found in css/prettify/
; syntaxhighlightingtheme = "sons-of-obsidian"
; size limit per paste or comment in bytes, defaults to 2 Mebibytes
sizelimit = 2097152
; template to include, default is "bootstrap" (tpl/bootstrap.php)
template = "bootstrap"
; (optional) notice to display
; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
; by default PrivateBin will guess the visitors language based on the browsers
; settings. Optionally you can enable the language selection menu, which uses
; a session cookie to store the choice until the browser is closed.
languageselection = false
; set the language your installs defaults to, defaults to English
; if this is set and language selection is disabled, this will be the only language
; languagedefault = "en"
; (optional) URL shortener address to offer after a new paste is created
; it is suggested to only use this with self-hosted shorteners as this will leak
; the pastes encryption key
; urlshortener = "https://shortener.example.com/api?link="
; (optional) Let users create a QR code for sharing the paste URL with one click.
; It works both when a new paste is created and when you view a paste.
; qrcode = true
; (optional) IP based icons are a weak mechanism to detect if a comment was from
; a different user when the same username was used in a comment. It might be
; used to get the IP of a non anonymous comment poster if the server salt is
; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
; Can be set to one these values: none / vizhash / identicon (default).
; icon = none
; Content Security Policy headers allow a website to restrict what sources are
; allowed to be accessed in its context. You need to change this if you added
; custom scripts from third-party domains to your templates, e.g. tracking
; scripts or run your site behind certain DDoS-protection services.
; Check the documentation at https://content-security-policy.com/
; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions.
; By default this disallows to load images from third-party servers, e.g. when they are embedded in pastes. If you wish to allow that, you can adjust the policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images for details.
; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; media-src data:; object-src data:; Referrer-Policy: 'no-referrer'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
; stay compatible with PrivateBin Alpha 0.19, less secure
; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
; sha256 in HMAC for the deletion token
zerobincompatibility = false
[expire]
; expire value that is selected per default
; make sure the value exists in [expire_options]
default = "1day"
[expire_options]
; Set each one of these to the number of seconds in the expiration period,
; or 0 if it should never expire
5min = 300
10min = 600
1hour = 3600
1day = 86400
1week = 604800
; Well this is not *exactly* one month, it's 30 days:
1month = 2592000
1year = 31536000
never = 0
[formatter_options]
; Set available formatters, their order and their labels
plaintext = "Plain Text"
syntaxhighlighting = "Source Code"
markdown = "Markdown"
[traffic]
; time limit between calls from the same IP address in seconds
; Set this to 0 to disable rate limiting.
limit = 10
; (optional) if your website runs behind a reverse proxy or load balancer,
; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
header = "X_FORWARDED_FOR"
; directory to store the traffic limits in
dir = PATH "data"
[purge]
; minimum time limit between two purgings of expired pastes, it is only
; triggered when pastes are created
; Set this to 0 to run a purge every time a paste is created.
limit = 300
; maximum amount of expired pastes to delete in one purge
; Set this to 0 to disable purging. Set it higher, if you are running a large
; site
batchsize = 10
; directory to store the purge limit in
dir = PATH "data"
[model]
; name of data model class to load and directory for storage
; the default model "Filesystem" stores everything in the filesystem
class = Filesystem
[model_options]
dir = PATH "data"
;[model]
; example of DB configuration for MySQL
;class = Database
;[model_options]
;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
;tbl = "privatebin_" ; table prefix
;usr = "privatebin"
;pwd = "Z3r0P4ss"
;opt[12] = true ; PDO::ATTR_PERSISTENT
;[model]
; example of DB configuration for SQLite
;class = Database
;[model_options]
;dsn = "sqlite:" PATH "data/db.sq3"
;usr = null
;pwd = null
;opt[12] = true ; PDO::ATTR_PERSISTENT
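
Review bot: In `[traffic]`, `header = "X_FORWARDED_FOR"` makes the per-IP rate limit trust a request header, which only holds if the reverse proxy in front always overwrites that header instead of passing through a client-supplied value; confirm the proxy does that, otherwise `limit = 10` is not enforced per real client. `fileupload = true` is enabled with `sizelimit = 2097152`, so also check that 2 MiB is the intended ceiling for attachments.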

@ -0,0 +1,46 @@
{
"default_hs_url": "https://{{ matrix.domain }}",
"default_is_url": "https://vector.im",
"brand": "element.data.coop",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar-staging.riot.im/scalar/api",
"https://scalar.vector.im/api"
],
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"features": {
"feature_rich_quoting": "enable",
"feature_pinning": "enable",
"feature_presence_management": "enable",
"feature_sticker_messages": "enable",
"feature_jitsi": "enable",
"feature_tag_panel": "enable",
"feature_keybackup": "enable",
"feature_custom_status": "enable",
"feature_custom_tags": "enable",
"feature_lazyloading": "enable",
"feature_tabbed_settings": "enable",
"feature_sas": "enable"
},
"welcomeUserId": "",
"piwik": false,
"roomDirectory": {
"servers": [
"{{ base_domain }}"
]
},
"enable_presence_by_hs_url": {
"https://{{ matrix.domain }}": false
},
"terms_and_conditions_links": [
{
"url": "https://riot.im/privacy",
"text": "Privacy Policy"
},
{
"url": "https://matrix.org/docs/guides/riot_im_cookie_policy",
"text": "Cookie Policy"
}
]
}
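
Review bot: `integrations_widgets_urls` includes `https://scalar-staging.riot.im/scalar/api`, a staging endpoint, alongside the production one; drop it unless it is needed. `default_is_url`, the integration URLs and `bug_report_endpoint_url` all point at third-party hosts (vector.im, riot.im), so a comment or README line stating that this is intended would help, and `"brand": "element.data.coop"` is hard-coded while the homeserver URLs are templated.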

@ -0,0 +1 @@
-c 3500

@ -0,0 +1,511 @@
"use strict";
module.exports = {
//
// Set the server mode.
// Public servers does not require authentication.
//
// Set to 'false' to enable users.
//
// @type boolean
// @default false
//
public: false,
//
// IP address or hostname for the web server to listen on.
// Setting this to undefined will listen on all interfaces.
//
// For UNIX domain sockets, use unix:/absolute/path/to/file.sock.
//
// @type string
// @default undefined
//
host: undefined,
//
// Set the port to listen on.
//
// @type int
// @default 9000
//
port: 9000,
//
// Set the local IP to bind to for outgoing connections. Leave to undefined
// to let the operating system pick its preferred one.
//
// @type string
// @default undefined
//
bind: undefined,
//
// Sets whether the server is behind a reverse proxy and should honor the
// X-Forwarded-For header or not.
//
// @type boolean
// @default false
//
reverseProxy: false,
//
// Set the default theme.
// Find out how to add new themes at https://thelounge.github.io/docs/plugins/themes.html
//
// @type string
// @default "example"
//
theme: "example",
//
// Prefetch URLs
//
// If enabled, The Lounge will try to load thumbnails and site descriptions from
// URLs posted in channels.
//
// @type boolean
// @default false
//
prefetch: false,
//
// Store and proxy prefetched images and thumbnails.
// This improves security and privacy by not exposing client IP address,
// and always loading images from The Lounge instance and making all assets secure,
// which in result fixes mixed content warnings.
//
// If storage is enabled, The Lounge will fetch and store images and thumbnails
// in the `${THELOUNGE_HOME}/storage` folder.
//
// Images are deleted when they are no longer referenced by any message (controlled by maxHistory),
// and the folder is cleaned up on every The Lounge restart.
//
// @type boolean
// @default false
//
prefetchStorage: false,
//
// Prefetch URLs Image Preview size limit
//
// If prefetch is enabled, The Lounge will only display content under the maximum size.
// Specified value is in kilobytes. Default value is 2048 kilobytes.
//
// @type int
// @default 2048
//
prefetchMaxImageSize: 2048,
//
// Display network
//
// If set to false network settings will not be shown in the login form.
//
// @type boolean
// @default true
//
displayNetwork: true,
//
// Lock network
//
// If set to true, users will not be able to modify host, port and tls
// settings and will be limited to the configured network.
//
// @type boolean
// @default false
//
lockNetwork: false,
//
// Hex IP
//
// If enabled, clients' username will be set to their IP encoded has hex.
// This is done to share the real user IP address with the server for host masking purposes.
//
// @type boolean
// @default false
//
useHexIp: false,
//
// WEBIRC support
//
// If enabled, The Lounge will pass the connecting user's host and IP to the
// IRC server. Note that this requires to obtain a password from the IRC network
// The Lounge will be connecting to and generally involves a lot of trust from the
// network you are connecting to.
//
// Format (standard): {"irc.example.net": "hunter1", "irc.example.org": "passw0rd"}
// Format (function):
// {"irc.example.net": function(client, args, trusted) {
// // here, we return a webirc object fed directly to `irc-framework`
// return {username: "thelounge", password: "hunter1", address: args.ip, hostname: "webirc/"+args.hostname};
// }}
//
// @type string | function(client, args):object(webirc)
// @default null
webirc: null,
//
// Log settings
//
// Logging has to be enabled per user. If enabled, logs will be stored in
// the 'logs/<user>/<network>/' folder.
//
// @type object
// @default {}
//
logs: {
//
// Timestamp format
//
// @type string
// @default "YYYY-MM-DD HH:mm:ss"
//
format: "YYYY-MM-DD HH:mm:ss",
//
// Timezone
//
// @type string
// @default "UTC+00:00"
//
timezone: "UTC+00:00",
},
//
// Maximum number of history lines per channel
//
// Defines the maximum number of history lines that will be kept in
// memory per channel/query, in order to reduce the memory usage of
// the server. Setting this to -1 will keep unlimited amount.
//
// @type integer
// @default 10000
maxHistory: 10000,
//
// Default values for the 'Connect' form.
//
// @type object
// @default {}
//
defaults: {
//
// Name
//
// @type string
// @default "Freenode"
//
name: "Freenode",
//
// Host
//
// @type string
// @default "chat.freenode.net"
//
host: "chat.freenode.net",
//
// Port
//
// @type int
// @default 6697
//
port: 6697,
//
// Password
//
// @type string
// @default ""
//
password: "",
//
// Enable TLS/SSL
//
// @type boolean
// @default true
//
tls: true,
//
// Nick
//
// @type string
// @default "lounge-user"
//
nick: "lounge-user",
//
// Username
//
// @type string
// @default "lounge-user"
//
username: "lounge-user",
//
// Real Name
//
// @type string
// @default "The Lounge User"
//
realname: "The Lounge User",
//
// Channels
// This is a comma-separated list.
//
// @type string
// @default "#thelounge"
//
join: "#thelounge",
},
//
// Set socket.io transports
//
// @type array
// @default ["polling", "websocket"]
//
transports: ["polling", "websocket"],
//
// Run The Lounge using encrypted HTTP/2.
// This will fallback to regular HTTPS if HTTP/2 is not supported.
//
// @type object
// @default {}
//
https: {
//
// Enable HTTP/2 / HTTPS support.
//
// @type boolean
// @default false
//
enable: false,
//
// Path to the key.
//
// @type string
// @example "sslcert/key.pem"
// @default ""
//
key: "",
//
// Path to the certificate.
//
// @type string
// @example "sslcert/key-cert.pem"
// @default ""
//
certificate: "",
//
// Path to the CA bundle.
//
// @type string
// @example "sslcert/bundle.pem"
// @default ""
//
ca: "",
},
//
// Default quit and part message if none is provided.
//
// @type string
// @default "The Lounge - https://thelounge.github.io"
//
leaveMessage: "The Lounge - https://thelounge.github.io",
//
// Run The Lounge with identd support.
//
// @type object
// @default {}
//
identd: {
//
// Run the identd daemon on server start.
//
// @type boolean
// @default false
//
enable: false,
//
// Port to listen for ident requests.
//
// @type int
// @default 113
//
port: 113,
},
//
// Enable oidentd support using the specified file
//
// Example: oidentd: "~/.oidentd.conf",
//
// @type string
// @default null
//
oidentd: null,
//
// LDAP authentication settings (only available if public=false)
// @type object
// @default {}
//
// The authentication process works as follows:
//
// 1. Lounge connects to the LDAP server with its system credentials
// 2. It performs a LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. Lounge tries to connect a second time, but this time using the user's
// DN and password. Auth is validated iff this connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
// to be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
// where <username> is the user name provided in the log in request,
// <primaryKey> is provided by the config and <fitler> is a filtering complement
// also given in the config, to filter for instance only for nodes of type
// inetOrgPerson, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
// ignore searchDN options and assume that the user DN is always:
// <bindDN>,<primaryKey>=<username>
// where <username> is the user name provided in the log in request, and <bindDN>
// and <primaryKey> are provided by the config.
//
ldap: {
//
// Enable LDAP user authentication
//
// @type boolean
// @default false
//
enable: true,
//
// LDAP server URL
//
// @type string
//
url: "ldap://{{ ldap.domain }}",
//
// LDAP connection tls options (only used if scheme is ldaps://)
//
// @type object (see nodejs' tls.connect() options)
// @default {}
//
// Example:
// You can use this option in order to force the use of IPv6:
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
tlsOptions: {},
//
// LDAP base dn, alternative to searchDN
//
// @type string
//
// baseDN: "",
//
// LDAP primary key
//
// @type string
// @default "uid"
//
primaryKey: "uid",
//
// LDAP search dn settings. This defines the procedure by which the
// lounge first look for user DN before authenticating her.
// Ignored if baseDN is specified
//
// @type object
//
searchDN: {
//
// LDAP searching bind DN
// This bind DN is used to query the server for the DN of the user.
// This is supposed to be a system user that has access in read only to
// the DNs of the people that are allowed to log in.
//
// @type string
//
rootDN: "cn=admin,dc=data,dc=coop",
//
// Password of the lounge LDAP system user
//
// @type string
//
rootPassword: "{{ ldap_admin_password }}",
//
// LDAP filter
//
// @type string
// @default "uid"
//
//filter: "(objectClass=inetOrgPerson)(memberOf=ou=members,dc=data,dc=coop)",
filter: "(objectClass=inetOrgPerson)",
//
// LDAP search base (search only within this node)
//
// @type string
//
base: "{{ ldap_dn }}",
//
// LDAP search scope
//
// @type string
// @default "sub"
//
scope: "sub",
},
},
// Extra debugging
//
// @type object
// @default {}
//
debug: {
// Enables extra debugging output provided by irc-framework.
//
// @type boolean
// @default false
//
ircFramework: false,
// Enables logging raw IRC messages into each server window.
//
// @type boolean
// @default false
//
raw: false,
},
};
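
Review bot: `searchDN.rootDN` is `cn=admin,dc=data,dc=coop` with `rootPassword: "{{ ldap_admin_password }}"`, while the comment directly above it describes this account as a system user with read-only access; use a dedicated read-only bind account so the directory admin password is not stored in The Lounge's config. The `url` is `ldap://`, so the bind password and user passwords are sent unencrypted unless the link is confined to a private Docker network; state which applies or switch to `ldaps://` with `tlsOptions`. `reverseProxy: false` should also be revisited if the instance is published through the nginx proxy.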

@ -0,0 +1 @@
MIICszCCAZsCBgF8WpKKwTANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJkYXRhLmNvb3Agc2VydmljZXMwHhcNMjExMDA3MTE0MzQ1WhcNMzExMDA3MTE0NTI1WjAdMRswGQYDVQQDDBJkYXRhLmNvb3Agc2VydmljZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdV0stfU8aA1bi+GYd/a5DOyoox01BgzWwBFqVjlo80frsOsH8g814eDuMuff/UJy+2YxaozYQGxP+DcOVXi+0Fts9zjRj6wa6HCQqiR/SNUa69fGHcyAo2Tr0faxOyf3QMBqIngTRZB99quNMuAM96RCg25LtDaaWjNVxdHlj78+kU1bQXExp0ZfELlKGtllWP07cyz4nGfZmuK1AiWSsRbDIbyK5dvzw/pMS1kexh6ylnQu1iLqD3vYZBUDX9lPNkavTYZNCEL4ElUvR81S0ko2zkYAUiuVTtTUKucc98dTRhkuV4YCiiW6UQGY/jzmXYBfpzAY3n5eH5iUu/tRXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFQc8ytexKiXOIGrSYYtFaF/lxv8AwMgsndv8YxJ+x/cUwN9tdmA8IAZDIS13qBrCOdZE4pJ/09VkYdErcpbtV7PWC3LDv/c2qakyiBUYZj4WgJio+oD0GCqXsby3aqJeVt9cJr4gSsXxn1c+7GV7p/gc/2FFmlWcqMN/2F7LvFvObu55QlppWZrn8kreaUQmRuTTIviFQRmvrmwKyK52LEcK7qoh/v1aHyYDl91gu3nLMEluz6hy3UEPYgpdH1t2C7K0Kjri25pJNGCFrpKjWWveteKazUeDd4adHMiw2MVfeEyTCXEFoaxQS9QmbmhSMRhiHjbdffL7xi//aSh1bo=

@ -1,13 +1,13 @@
---
- name: add docker gpg key
apt_key:
keyserver: pgp.key-server.io
keyserver: pgp.mit.edu
id: 8D81803C0EBFCD88
state: present
- name: add docker apt repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu artful stable
repo: deb https://download.docker.com/linux/ubuntu bionic stable
state: present
update_cache: yes
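
Review bot: The `apt_key` task imports the Docker signing key from a public keyserver by the 64-bit id `8D81803C0EBFCD88`; fetch it from Docker's own HTTPS endpoint with the module's `url` parameter and pin the full fingerprint in `id` instead, which removes the dependency on keyserver availability and on short-id lookups. The repository line also hard-codes the Ubuntu codename, so every release upgrade needs another edit here; `{{ ansible_distribution_release }}` avoids that.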
@ -22,6 +22,11 @@
name: "docker-compose"
state: present
- name: create folder structure for bind mounts
file:
name: "{{ volume_root_folder }}"
state: directory
- name: setup services
import_tasks: services.yml
tags:
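
Review bot: The `create folder structure for bind mounts` task sets no `owner`, `group` or `mode`, so `{{ volume_root_folder }}` gets whatever the umask gives it; set them explicitly, since this directory is the parent of every service's data and secrets. `name` works as an alias, but `path` is the documented parameter of the `file` module.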

@ -4,8 +4,5 @@
name: external_services
- name: setup services
docker_service:
project_name: "{{ item }}"
definition:
"{{ lookup('file', 'composefiles/{{ item }}.yml') | from_yaml }}"
include_tasks: "services/{{ item }}.yml"
with_items: "{{ services }}"
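
Review bot: Looping `include_tasks` with `with_items` exposes the service name as `item` inside every included file, so any task there that loops with the default loop variable will clash with it. The included files shown in this change sidestep that with `loop_control: loop_var: volume`, but naming the outer variable (`loop_control: loop_var: service`, and using it in the include path) makes that safe by construction. A `services/<name>.yml` file is now required for every entry in `services`, so a missing file fails the play at include time.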

@ -0,0 +1,57 @@
---
- name: codimd network
docker_network:
name: codimd
- name: create codimd volume folders
file:
name: "{{ codimd.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "codimd/uploads"
loop_control:
loop_var: volume
- name: codimd database container
docker_container:
name: codimd_db
image: postgres:10
state: started
restart_policy: unless-stopped
networks:
- name: codimd
volumes:
- "{{ codimd.volume_folder }}/db:/var/lib/postgresql/data"
env:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.codimd }}"
- name: codimd app container
docker_container:
name: codimd_app
image: hackmdio/hackmd:1.3.0
restart_policy: unless-stopped
networks:
- name: codimd
- name: ldap
- name: external_services
volumes:
- "{{ codimd.volume_folder }}/codimd/uploads:/codimd/public/uploads"
env:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.codimd }}@codimd_db:5432/codimd"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_LDAP_URL: "ldap://openldap"
CMD_LDAP_BINDDN: "cn=admin,dc=data,dc=coop"
CMD_LDAP_BINDCREDENTIALS: "{{ ldap_admin_password }}"
CMD_LDAP_SEARCHBASE: "dc=data,dc=coop"
CMD_LDAP_SEARCHFILTER: "(&(uid={{ '{{username}}' }})(objectClass=inetOrgPerson))"
CMD_USECDN: "false"
VIRTUAL_HOST: "{{ codimd.domain }}"
LETSENCRYPT_HOST: "{{ codimd.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
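
Review bot: `CMD_LDAP_BINDDN` is the directory admin (`cn=admin,dc=data,dc=coop`) and `CMD_LDAP_BINDCREDENTIALS` is `{{ ldap_admin_password }}`, which places the admin password in the environment of a web-facing container that only needs to search for users; bind with a read-only account. The app container also has no explicit `state: started`, unlike `codimd_db`, which is harmless because that is the default but is inconsistent.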

@ -0,0 +1,35 @@
---
- name: copy docker registry nginx configuration
copy:
src: "files/configs/docker_registry/nginx.conf"
dest: "/docker-volumes/nginx/vhost/{{ docker_registry.domain }}"
mode: "0644"
- name: docker registry container
docker_container:
name: registry
image: registry:2
restart_policy: always
volumes:
- "{{ docker_registry.volume_folder }}/registry:/var/lib/registry"
- "{{ docker_registry.volume_folder }}/auth:/auth"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ docker_registry.domain }}"
LETSENCRYPT_HOST: "{{ docker_registry.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "data.coop docker registry"
- name: generate htpasswd file
shell: "docker exec -it registry htpasswd -Bbn docker {{ docker_password }} > {{ docker_registry.volume_folder }}/auth/htpasswd"
args:
creates: "{{ docker_registry.volume_folder }}/auth/htpasswd"
- name: log in to local registry
docker_login:
registry: "{{ docker_registry.domain }}"
username: "docker"
password: "{{ docker_password }}"
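
Review bot: The `generate htpasswd file` task runs `docker exec -it`, and `-t` requests a TTY that is not available when Ansible runs the command, so drop `-it`. It also puts `{{ docker_password }}` on the command line, where it appears in the process list and in task output; add `no_log: true` or generate the file with the `htpasswd` module. The user name is the literal `docker` here and in `docker_login` although `docker_registry.username` is defined in the vars.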

@ -0,0 +1,51 @@
---
- name: set up drone with docker runner
docker_compose:
project_name: drone
pull: yes
definition:
version: "3.6"
services:
drone:
container_name: "drone"
image: drone/drone:1
restart: unless-stopped
networks:
- external_services
- drone
volumes:
- "{{ drone.volume_folder }}:/data"
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_GITEA_SERVER: "https://{{ gitea.domain }}"
DRONE_GITEA_CLIENT_ID: "{{ drone_secrets.oauth_client_id }}"
DRONE_GITEA_CLIENT_SECRET: "{{ drone_secrets.oauth_client_secret }}"
DRONE_GIT_ALWAYS_AUTH: "true"
DRONE_SERVER_HOST: "{{ drone.domain }}"
DRONE_SERVER_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
PLUGIN_CUSTOM_DNS: "91.239.100.100"
VIRTUAL_HOST: "{{ drone.domain }}"
LETSENCRYPT_HOST: "{{ drone.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
drone-runner-docker:
container_name: "drone-runner-docker"
image: "drone/drone-runner-docker:1"
restart: unless-stopped
networks:
- drone
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
DRONE_RPC_HOST: "{{ drone.domain }}"
DRONE_RPC_PROTO: "https"
DRONE_RPC_SECRET: "{{ drone_secrets.rpc_shared_secret }}"
DRONE_RUNNER_CAPACITY: 2
DRONE_RUNNER_NAME: "data.coop_drone_runner"
networks:
drone:
external_services:
external:
name: external_services
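
Review bot: `/var/run/docker.sock` is mounted into the `drone` server container as well as into `drone-runner-docker`. The server is attached to `external_services` and reachable through the proxy, and socket access is equivalent to root on the host, so remove the mount from `drone` unless something in the server needs it, given that the separate runner is what executes pipelines. `DRONE_RUNNER_CAPACITY: 2` is a bare integer in an environment map; quote it like the other values.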

@ -0,0 +1,47 @@
---
- name: fider network
docker_network:
name: fider
- name: fider database volume
docker_volume:
name: fider_db
- name: fider database container
docker_container:
name: fider_db
image: postgres:10
state: started
restart_policy: always
networks:
- name: fider
volumes:
- fider_db:/var/lib/postgresql/data
env:
POSTGRES_USER: "fider"
POSTGRES_PASSWORD: "{{ postgres_passwords.fider }}"
- name: fider app container
docker_container:
name: fider
image: getfider/fider:stable
restart_policy: always
networks:
- name: fider
- name: external_services
- name: postfix
env:
GO_ENV: "production"
DATABASE_URL: "postgres://fider:{{ postgres_passwords.fider }}@fider_db:5432/fider?sslmode=disable"
JWT_SECRET: "{{ fider_jwt_secret }}"
EMAIL_NOREPLY: noreply@{{ fider.domain }}
EMAIL_SMTP_HOST: "{{ smtp_host }}"
EMAIL_SMTP_PORT: "{{ smtp_port }}"
EMAIL_SMTP_USERNAME: "noop"
EMAIL_SMTP_PASSWORD: "noop"
VIRTUAL_HOST: "{{ fider.domain }}"
LETSENCRYPT_HOST: "{{ fider.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email}}"
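
Review bot: `image: getfider/fider:stable` is a floating tag, while the database and the other services in this change pin a version, so a rebuild or a second host can end up on a different Fider release without any commit; pin it. `EMAIL_NOREPLY: noreply@{{ fider.domain }}` is the only unquoted templated value in the block, and the sender domain it produces has to stay in `postfix.allowed_sender_domains`, which currently lists `{{ fider.domain }}`.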

@ -0,0 +1,23 @@
---
- name: gitea network
docker_network:
name: gitea
# old DNS: 138.68.71.153
- name: gitea container
docker_container:
name: gitea
image: gitea/gitea:1.12.3
restart_policy: unless-stopped
networks:
- name: gitea
- name: external_services
volumes:
- "{{ gitea.volume_folder }}:/data"
published_ports:
- "22:22"
env:
VIRTUAL_HOST: "{{ gitea.domain }}"
VIRTUAL_PORT: "3000"
LETSENCRYPT_HOST: "{{ gitea.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
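
Review bot: `published_ports: "22:22"` binds the host's port 22 to Gitea's SSH server, which only works if the host's own sshd has been moved to another port first; nothing in this task checks or documents that, so add a note or an assertion. The `# old DNS: 138.68.71.153` comment sits between two tasks with no context and reads as a leftover.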

@ -0,0 +1,66 @@
---
- name: create hedgedoc volume folders
file:
name: "{{ hedgedoc.volume_folder }}/{{ volume }}"
state: directory
loop:
- "db"
- "hedgedoc/uploads"
loop_control:
loop_var: volume
- name: copy sso public certificate
copy:
src: "files/sso/sso.data.coop.pem"
dest: "{{ hedgedoc.volume_folder }}/sso.data.coop.pem"
mode: "0644"
- name: setup hedgedoc
docker_compose:
project_name: "hedgedoc"
pull: "yes"
definition:
services:
database:
image: "postgres:10-alpine"
environment:
POSTGRES_USER: "codimd"
POSTGRES_PASSWORD: "{{ postgres_passwords.hedgedoc }}"
POSTGRES_DB: "codimd"
restart: "unless-stopped"
networks:
- "hedgedoc"
volumes:
- "{{ hedgedoc.volume_folder }}/db:/var/lib/postgresql/data"
app:
image: quay.io/hedgedoc/hedgedoc:1.9.0
environment:
CMD_DB_URL: "postgres://codimd:{{ postgres_passwords.hedgedoc }}@hedgedoc_database_1:5432/codimd"
CMD_DOMAIN: "{{ hedgedoc.domain }}"
CMD_ALLOW_EMAIL_REGISTER: "False"
CMD_IMAGE_UPLOAD_TYPE: "filesystem"
CMD_EMAIL: "False"
CMD_SAML_IDPCERT: "/sso.data.coop.pem"
CMD_SAML_IDPSSOURL: "https://sso.data.coop/auth/realms/datacoop/protocol/saml"
CMD_SAML_ISSUER: "hedgedoc"
CMD_SAML_IDENTIFIERFORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CMD_USECDN: "false"
CMD_PROTOCOL_USESSL: "true"
VIRTUAL_HOST: "{{ hedgedoc.domain }}"
LETSENCRYPT_HOST: "{{ hedgedoc.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ hedgedoc.volume_folder }}/hedgedoc/uploads:/hedgedoc/public/uploads"
- "{{ hedgedoc.volume_folder }}/sso.data.coop.pem:/sso.data.coop.pem"
restart: "unless-stopped"
networks:
- "hedgedoc"
- "external_services"
depends_on:
- database
networks:
hedgedoc:
external_services:
external: true
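
Review bot: `CMD_DB_URL` points at `hedgedoc_database_1`, a container name derived from the project name and Compose's naming scheme, rather than the service name `database`, which resolves on the `hedgedoc` network however the containers are named. `CMD_SAML_IDPSSOURL` and the certificate file name hard-code `sso.data.coop` although `keycloak.domain` exists in the vars. This `definition` also has no `version` key while the other `docker_compose` tasks in the change set one, and older Compose releases treat a file without `version` as the legacy v1 format.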

@ -0,0 +1,45 @@
- name: setup keycloak containers for sso.data.coop
docker_compose:
project_name: "keycloak"
pull: "yes"
definition:
version: "3.6"
services:
postgres:
image: "postgres:10"
restart: "unless-stopped"
networks:
- "keycloak"
volumes:
- "{{ keycloak.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "keycloak"
POSTGRES_PASSWORD: "{{ postgres_passwords.keycloak }}"
POSTGRES_DB: "keycloak"
app:
image: "quay.io/keycloak/keycloak:15.0.2"
restart: "unless-stopped"
networks:
- "keycloak"
- "postfix"
- "external_services"
environment:
VIRTUAL_HOST: "{{ keycloak.domain }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ keycloak.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
DB_USER: "keycloak"
DB_PASSWORD: "{{ postgres_passwords.keycloak }}"
DB_ADDR: "keycloak_postgres_1"
#KEYCLOAK_USER: "{{ keycloak_secrets.admin_user }}" # Only used for the first run of the application to set up the admin user
#KEYCLOAK_PASSWORD: "{{ keycloak_secrets.admin_password }}"
PROXY_ADDRESS_FORWARDING: "true"
networks:
keycloak:
postfix:
external: true
external_services:
external: true
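
Review bot: the commented-out KEYCLOAK_USER and KEYCLOAK_PASSWORD lines in the app environment mean a fresh deployment needs a manual edit of this task to create the admin user, and a second edit to take the lines out again. Move the bootstrap into a documented one-off step or a separate task guarded by a variable, so the task file itself never has to change. DB_ADDR: "keycloak_postgres_1" depends on generated container names; the service name postgres resolves on the keycloak network. This file also lacks the leading --- that most of the other task files in this change start with.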


@ -0,0 +1,161 @@
---
- name: create mailu volume folders
file:
name: "{{ mailu.volume_folder }}/{{ volume }}"
state: directory
loop:
- redis
- certs
- overrides
- data
- dkim
- mail
- filter
- dav
- webmail
loop_control:
loop_var: volume
- name: upload mailu.env file
template:
src: mailu.env.j2
dest: "{{ mailu.volume_folder}}/mailu.env"
- name: hard link to Let's Encrypt TLS certificate
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/fullchain.pem"
dest: "{{ mailu.volume_folder }}/certs/cert.pem"
state: hard
force: yes
- name: hard link to Let's Encrypt TLS key
file:
src: "{{ nginx.volume_folder }}/certs/{{ mailu.domain }}/key.pem"
dest: "{{ mailu.volume_folder }}/certs/key.pem"
state: hard
force: yes
- name: run mail server containers
docker_compose:
project_name: mail_server
pull: yes
definition:
version: '3.6'
services:
redis:
image: redis:alpine
restart: always
volumes:
- "{{ mailu.volume_folder }}/redis:/data"
database:
image: mailu/postgresql:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data/psql_db:/data"
- "{{ mailu.volume_folder }}/data/psql_backup:/backup"
networks:
- default
- external_services
front:
image: mailu/nginx:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
environment:
VIRTUAL_HOST: "{{ mailu.domain }}"
LETSENCRYPT_HOST: "{{ mailu.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
volumes:
- "{{ mailu.volume_folder }}/certs:/certs"
- "{{ mailu.volume_folder }}/overrides/nginx:/overrides"
expose:
- "80"
ports:
- "993:993"
- "25:25"
- "587:587"
- "465:465"
networks:
- default
- external_services
resolver:
image: mailu/unbound:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
networks:
default:
ipv4_address: "{{ mailu.dns }}"
admin:
image: mailu/admin:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/data:/data"
- "{{ mailu.volume_folder }}/dkim:/dkim"
depends_on:
- redis
imap:
image: mailu/dovecot:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/mail:/mail"
- "{{ mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
smtp:
image: mailu/postfix:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/overrides:/overrides"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
antispam:
image: mailu/rspamd:{{ mailu.version }}
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/filter:/var/lib/rspamd"
- "{{ mailu.volume_folder }}/dkim:/dkim"
- "{{ mailu.volume_folder }}/overrides/rspamd:/etc/rspamd/override.d"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
webmail:
image: mailu/rainloop:1.6
restart: always
env_file: "{{ mailu.volume_folder}}/mailu.env"
volumes:
- "{{ mailu.volume_folder }}/webmail:/data"
depends_on:
- front
- resolver
dns:
- "{{ mailu.dns }}"
networks:
default:
driver: bridge
ipam:
driver: default
config:
- subnet: "{{ mailu.subnet }}"
external_services:
external:
name: external_services
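
Review bot: the database service is attached to external_services as well as default, which makes the Mailu PostgreSQL instance reachable from every container on the shared proxy network. Nothing in this file needs that, so keep it on default only unless another stack has to connect. The two "hard link to Let's Encrypt" tasks are fragile: if renewal replaces fullchain.pem and key.pem instead of rewriting them in place, the links keep pointing at the old inodes and Mailu goes on serving the old certificate until this play runs again. webmail is pinned to mailu/rainloop:1.6 while every other Mailu image uses {{ mailu.version }}; if that is intentional, say so in a comment.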


@ -0,0 +1,125 @@
---
- name: create matrix volume folders
file:
name: "{{ matrix.volume_folder }}/{{ volume }}"
state: directory
owner: "991"
group: "991"
loop:
- "data"
- "data/uploads"
- "data/media"
loop_control:
loop_var: volume
- name: create matrix DB folder
file:
name: "{{ matrix.volume_folder }}/db"
state: "directory"
- name: create riot volume folders
file:
name: "{{ riot.volume_folder }}/{{ volume }}"
state: directory
loop:
- "data"
loop_control:
loop_var: volume
- name: upload riot config.json
template:
src: files/configs/riot/config.json
dest: "{{ riot.volume_folder }}/data/config.json"
- name: upload riot.im.conf
template:
src: files/configs/riot/riot.im.conf
dest: "{{ riot.volume_folder }}/data/riot.im.conf"
- name: upload vhost config for root domain
template:
src: files/configs/matrix/vhost-root
dest: "{{ nginx.volume_folder }}/vhost/{{ base_domain }}"
- name: upload vhost config for matrix domain
template:
src: files/configs/matrix/vhost-matrix
dest: "{{ nginx.volume_folder }}/vhost/{{ matrix.domain }}"
- name: upload vhost config for riot domain
template:
src: files/configs/matrix/vhost-riot
dest: "{{ nginx.volume_folder }}/vhost/{{ riot.domains[0] }}"
- name: upload homeserver.yaml
template:
src: "files/configs/matrix/homeserver.yaml.j2"
dest: "{{ matrix.volume_folder }}/data/homeserver.yaml"
- name: upload matrix logging config
template:
src: "files/configs/matrix/matrix.data.coop.log.config"
dest: "{{ matrix.volume_folder }}/data/matrix.data.coop.log.config"
- name: set up matrix and riot
docker_compose:
project_name: matrix
pull: yes
definition:
version: "3.6"
services:
matrix_db:
container_name: matrix_db
image: postgres:10
restart: unless-stopped
networks:
- matrix
volumes:
- "{{ matrix.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "synapse"
POSTGRES_PASSWORD: "{{ postgres_passwords.matrix }}"
matrix_app:
container_name: matrix
image: matrixdotorg/synapse:v1.47.1
restart: unless-stopped
networks:
- matrix
- external_services
ports:
- 8008
volumes:
- "{{ matrix.volume_folder }}/data:/data"
environment:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_CACHE_FACTOR: "2"
SYNAPSE_LOG_LEVEL: "INFO"
VIRTUAL_HOST: "{{ matrix.domain }}"
VIRTUAL_PORT: "8008"
LETSENCRYPT_HOST: "{{ matrix.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
riot:
container_name: riot_app
image: avhost/docker-matrix-riot:v1.9.0
restart: unless-stopped
networks:
- matrix
- external_services
ports:
- 8080
volumes:
- "{{ riot.volume_folder }}/data:/data"
environment:
VIRTUAL_HOST: "{{ riot.domains|join(',') }}"
VIRTUAL_PORT: "8080"
LETSENCRYPT_HOST: "{{ riot.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
external_services:
external:
name: external_services
matrix:
name: "matrix"
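
Review bot: ports: - 8008 on matrix_app and ports: - 8080 on riot publish those container ports on an ephemeral host port on all interfaces, so Synapse and the web client are reachable over plain HTTP without passing through nginx-proxy. The proxy reaches both over external_services using VIRTUAL_PORT, so replace ports with expose or drop the key. The owner and group "991" on the matrix volume folders deserve a comment naming the container user they map to.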


@ -0,0 +1,27 @@
---
- name: setup netdata docker container for system monitoring
docker_container:
name: netdata
image: netdata/netdata
restart_policy: unless-stopped
hostname: "hevonen.servers.{{ base_domain }}"
capabilities:
- SYS_PTRACE
security_opts:
- apparmor:unconfined
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ netdata.domain }}"
LETSENCRYPT_HOST: "{{ netdata.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
PGID: "999"
labels:
com.ouroboros.enable: "true"
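
Review bot: the :ro on /var/run/docker.sock:/var/run/docker.sock:ro only makes the mount of the socket file read-only; it does not restrict Docker API calls made through the socket. This container also runs with SYS_PTRACE and apparmor:unconfined and is published via VIRTUAL_HOST, so it effectively has control of the Docker daemon. If the socket is only there to resolve container names, put a filtering socket proxy in front of it or drop the mount. The image has no tag and carries com.ouroboros.enable, so whatever is pushed upstream inherits that access on the next update; pin a version. hostname hardcodes hevonen; a variable would keep host-specific values out of the task.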


@ -0,0 +1,42 @@
---
- name: setup nextcloud containers
docker_compose:
project_name: "nextcloud"
pull: "yes"
definition:
services:
postgres:
image: "postgres:10"
restart: "unless-stopped"
networks:
- "nextcloud"
volumes:
- "{{ nextcloud.volume_folder }}/postgres:/var/lib/postgresql/data"
environment:
POSTGRES_DB: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
POSTGRES_USER: "nextcloud"
app:
image: "nextcloud:22-apache"
restart: "unless-stopped"
networks:
- "nextcloud"
- "external_services"
volumes:
- "{{ nextcloud.volume_folder }}/app:/var/www/html"
environment:
VIRTUAL_HOST: "{{ nextcloud.domain }}"
LETSENCRYPT_HOST: "{{ nextcloud.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
POSTGRES_HOST: "nextcloud_postgres_1"
POSTGRES_DB: "nextcloud"
POSTGRES_USER: "nextcloud"
POSTGRES_PASSWORD: "{{ postgres_passwords.nextcloud }}"
networks:
nextcloud:
postfix:
external: true
external_services:
external: true
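
Review bot: the postfix network is declared at the bottom of the definition but no service joins it, so the app container cannot reach the postfix relay. Either add "postfix" to the app's networks, as the keycloak and passit tasks do, or remove the declaration. The definition also has no version key, unlike the other docker_compose tasks in this change, which set "3.6". POSTGRES_HOST can be the service name postgres instead of the generated nextcloud_postgres_1.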


@ -0,0 +1,47 @@
---
- name: create nginx-proxy volume folders
file:
name: "{{ nginx.volume_folder }}/{{ volume }}"
state: directory
loop:
- conf
- vhost
- html
- dhparam
- certs
loop_control:
loop_var: volume
- name: nginx proxy container
docker_container:
name: nginx-proxy
image: jwilder/nginx-proxy
restart_policy: always
networks:
- name: external_services
published_ports:
- "80:80"
- "443:443"
volumes:
- "{{ nginx.volume_folder }}/conf:/etc/nginx/conf.d"
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs:ro"
- /var/run/docker.sock:/tmp/docker.sock:ro
- name: nginx letsencrypt container
docker_container:
name: nginx-proxy-le
image: jrcs/letsencrypt-nginx-proxy-companion
restart_policy: always
volumes:
- "{{ nginx.volume_folder }}/vhost:/etc/nginx/vhost.d"
- "{{ nginx.volume_folder }}/html:/usr/share/nginx/html"
- "{{ nginx.volume_folder }}/dhparam:/etc/nginx/dhparam:ro"
- "{{ nginx.volume_folder }}/certs:/etc/nginx/certs"
- /var/run/docker.sock:/var/run/docker.sock:ro
env:
NGINX_PROXY_CONTAINER: nginx-proxy
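
Review bot: both images (jwilder/nginx-proxy and jrcs/letsencrypt-nginx-proxy-companion) are untagged, so the component terminating TLS for every service changes version whenever the image is pulled again; pin tags or digests. The proxy container listens on 80 and 443 and also has the Docker socket mounted. The :ro flag does not limit API calls made through the socket, so consider generating the nginx configuration in a separate container that publishes no ports, which keeps the socket out of the internet-facing one.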


@ -0,0 +1,71 @@
---
- name: create ldap volume folders
file:
name: "{{ ldap.volume_folder }}/{{ volume }}"
state: directory
loop:
- "var/lib/ldap"
- "etc/slapd"
- "certs"
loop_control:
loop_var: volume
- name: Create a network for ldap
docker_network:
name: ldap
- name: openLDAP container
docker_container:
name: openldap
image: osixia/openldap:1.5.0
tty: true
interactive: true
volumes:
- "{{ ldap.volume_folder }}/var/lib/ldap:/var/lib/ldap"
- "{{ ldap.volume_folder }}/etc/slapd.d:/etc/ldap/slapd.d"
- "{{ ldap.volume_folder }}/certs:/container/service/slapd/assets/certs/"
published_ports:
- "389:389"
- "636:636"
hostname: "{{ ldap.domain }}"
domainname: "{{ ldap.domain }}" # important: same as hostname
networks:
- name: ldap
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ base_domain }}"
LDAP_DOMAIN: "{{ base_domain }}"
LDAP_BASE_DN: ""
LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"
LDAP_READONLY_USER: "false"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "ldap.crt"
LDAP_TLS_KEY_FILENAME: "ldap.key"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_TLS_PROTOCOL_MIN: "3.1"
LDAP_TLS_VERIFY_CLIENT: "demand"
LDAP_REPLICATION: "false"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
- name: phpLDAPadmin container
docker_container:
name: phpldapadmin
image: osixia/phpldapadmin:0.9.0
networks:
- name: external_services
- name: ldap
env:
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
VIRTUAL_HOST: "{{ ldap.domain }}"
LETSENCRYPT_HOST: "{{ ldap.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
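
Review bot: the folder loop creates etc/slapd, but the container mounts "{{ ldap.volume_folder }}/etc/slapd.d", so the directory this task prepares is never used and Docker creates the mounted one itself. Change the loop entry to etc/slapd.d. published_ports exposes 389 on all host interfaces while LDAP_TLS_ENFORCE is "false", which permits unencrypted binds on that port; publish only 636, bind 389 to localhost, or turn enforcement on. Neither container sets a restart_policy, unlike the other services in this change.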


@ -0,0 +1,18 @@
---
- name: ouroboros container
docker_container:
name: ouroboros
image: pyouroboros/ouroboros
restart_policy: unless-stopped
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /root/.docker/config.json:/root/.docker/config.json
env:
LABEL_ENABLE: "true"
LABELS_ONLY: "true"
CLEANUP: "true"
LATEST: "true"
CRON: "*/10 * * * *"
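
Review bot: /root/.docker/config.json holds registry credentials and is mounted read-write; add :ro. The container is also attached to external_services although it serves nothing to the proxy and already holds the Docker socket, so drop the networks entry to keep it off the network shared with the public-facing services. The image is untagged; since this is the container that replaces other containers on the */10 CRON schedule, pinning it matters more than for most.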


@ -0,0 +1,47 @@
---
- name: setup passit containers
docker_compose:
project_name: "passit"
pull: "yes"
definition:
version: "3.6"
services:
passit_db:
image: "postgres:10"
restart: "always"
networks:
- "passit"
volumes:
- "{{ passit.volume_folder }}/data:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "passit"
POSTGRES_PASSWORD: "{{ postgres_passwords.passit }}"
passit_app:
image: "passit/passit:stable"
command: "bin/start.sh"
restart: "always"
networks:
- "passit"
- "postfix"
- "external_services"
environment:
DATABASE_URL: "postgres://passit:{{ postgres_passwords.passit }}@passit_db:5432/passit"
SECRET_KEY: "{{ passit_secret_key }}"
IS_DEBUG: 'False'
EMAIL_URL: "smtp://noop@{{ smtp_host }}:{{ smtp_port }}"
DEFAULT_FROM_EMAIL: "noreply@{{ passit.domain }}"
EMAIL_CONFIRMATION_HOST: "https://{{ passit.domain }}"
VIRTUAL_HOST: "{{ passit.domain }}"
LETSENCRYPT_HOST: "{{ passit.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
networks:
passit:
postfix:
external: true
external_services:
external: true
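
Review bot: DATABASE_URL interpolates {{ postgres_passwords.passit }} straight into a URL, so a password containing @, :, / or # produces a connection string that parses wrongly. Pipe the value through the urlencode filter. passit/passit:stable is a floating tag on a password manager; pin a release so upgrades are deliberate. restart is "always" here while most other services use "unless-stopped"; pick one unless the difference is intended.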


@ -0,0 +1,24 @@
---
- name: create portainer volume folder
file:
name: "{{ portainer.volume_folder }}"
state: directory
- name: run portainer
docker_container:
name: portainer
image: portainer/portainer-ce:2.9.1
restart_policy: always
networks:
- name: external_services
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- "{{ portainer.volume_folder }}:/data"
published_ports:
- 9001:9000
env:
VIRTUAL_HOST: "{{ portainer.domain }}"
VIRTUAL_PORT: "9000"
LETSENCRYPT_HOST: "{{ portainer.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
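
Review bot: published_ports: 9001:9000 exposes the Portainer UI over plain HTTP on all host interfaces, in addition to the TLS route already provided through VIRTUAL_HOST and VIRTUAL_PORT. Portainer has the Docker socket mounted read-write, so remove the published port or bind it to 127.0.0.1:9001:9000.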


@ -0,0 +1,20 @@
---
- name: setup network for postfix
docker_network:
name: postfix
ipam_config:
- subnet: '172.16.0.0/16'
gateway: 172.16.0.1
- name: setup postfix docker container for outgoing mail
docker_container:
name: postfix
image: boky/postfix
restart_policy: unless-stopped
networks:
- name: postfix
env:
ALLOWED_SENDER_DOMAINS: "{{ postfix.allowed_sender_domains|join(' ') }}"
HOSTNAME: "mail.data.coop" # the name the smtp server will identify itself as
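
Review bot: boky/postfix has no tag, so the outgoing mail relay changes version on any fresh pull; pin one. HOSTNAME is hardcoded as mail.data.coop while ALLOWED_SENDER_DOMAINS already comes from the postfix variable; moving the hostname into the same object keeps host-specific values out of the task. A comment noting that attachment to the postfix network is what lets a service reach the relay would help reviewers of later network changes.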


@ -0,0 +1,31 @@
---
- name: create privatebin volume folders
file:
name: "{{ privatebin.volume_folder }}/{{ volume }}"
state: directory
loop:
- cfg
- data
loop_control:
loop_var: volume
- name: upload privatebin config
template:
src: files/configs/privatebin-conf.php
dest: "{{ privatebin.volume_folder }}/cfg/conf.php"
- name: privatebin app container
docker_container:
name: privatebin
image: jgeusebroek/privatebin:latest
restart_policy: unless-stopped
volumes:
- "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg"
- "{{ privatebin.volume_folder }}/data:/privatebin/data"
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ privatebin.domain }}"
LETSENCRYPT_HOST: "{{ privatebin.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"


@ -0,0 +1,38 @@
---
- name: setup restic backup
docker_compose:
project_name: restic_backup
pull: yes
definition:
version: '3.6'
services:
restic-backup:
image: mazzolino/restic
restart: always
environment:
RUN_ON_STARTUP: "true"
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes
--exclude='*.tmp'
--verbose
RESTIC_FORGET_ARGS: >-
--keep-last 10
--keep-daily 7
--keep-weekly 5
--keep-monthly 12
TZ: Europe/Copenhagen
volumes:
- /docker-volumes:/mnt/volumes:ro
restic-prune:
image: "mazzolino/restic"
environment:
RUN_ON_STARTUP: "true"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "rest:https://datacoop:{{ restic_secrets.user_secret }}@restic.graffen.io/datacoop-hevonen"
RESTIC_PASSWORD: "{{ restic_secrets.encryption_secret }}"
TZ: Europe/copenhagen
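
Review bot: restic-prune sets TZ: Europe/copenhagen with a lowercase c, while restic-backup uses Europe/Copenhagen. Zone names are looked up case-sensitively on Linux, so the lookup is likely to fail and PRUNE_CRON will not run in the intended time zone. restic-prune also has no restart policy, unlike restic-backup. The repository URL with embedded credentials is repeated in both services; define it once in a variable and URL-encode restic_secrets.user_secret. mazzolino/restic is untagged in both places.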


@ -0,0 +1,25 @@
---
- name: thelounge volume
docker_volume:
name: thelounge
- name: upload thelounge config
template:
src: files/configs/thelounge.js
dest: /var/lib/docker/volumes/thelounge/_data/config.js
- name: thelounge container
docker_container:
name: thelounge
image: thelounge/lounge:latest
restart_policy: always
volumes:
- thelounge:/home/lounge/data
networks:
- name: external_services
- name: ldap
env:
VIRTUAL_HOST: "{{ thelounge.domain }}"
LETSENCRYPT_HOST: "{{ thelounge.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
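
Review bot: the config template is written to /var/lib/docker/volumes/thelounge/_data/config.js, which hardcodes Docker's internal volume layout and sits outside /docker-volumes, the path the restic task mounts for backup. Use a bind mount under a volume_folder variable like the other services. thelounge/lounge:latest should be pinned as well, since this container is attached to the ldap network.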


@ -0,0 +1,53 @@
---
- name: create tt-rss folders
file:
name: "{{ ttrss.volume_folder }}/{{ volume }}"
state: directory
loop:
- "config"
- "db"
loop_control:
loop_var: volume
- name: "set up tt-rss"
docker_compose:
project_name: "tt-rss"
pull: yes
definition:
version: "3.6"
services:
ttrss_db:
container_name: "ttrss_db"
image: "postgres:11"
restart: "unless-stopped"
networks:
- "ttrss"
volumes:
- "{{ ttrss.volume_folder }}/db:/var/lib/postgresql/data"
environment:
POSTGRES_USER: "ttrss"
POSTGRES_PASSWORD: "{{ postgres_passwords.ttrss }}"
ttrss_app:
container_name: ttrss_app
image: "linuxserver/tt-rss"
restart: unless-stopped
networks:
- ttrss
- external_services
volumes:
- "{{ ttrss.volume_folder }}/config:/config"
environment:
VIRTUAL_HOST: "{{ ttrss.domain }}"
LETSENCRYPT_HOST: "{{ ttrss.domain }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
TZ: "Europe/Copenhagen"
labels:
com.ouroboros.enable: "true"
networks:
external_services:
external:
name: external_services
ttrss:
name: "ttrss"


@ -0,0 +1,13 @@
- name: setup ulovliglogning.dk website docker container
docker_container:
name: ulovliglogning_website
restart_policy: unless-stopped
image: ulovliglogning/ulovliglogning.dk:latest
networks:
- name: external_services
env:
VIRTUAL_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ ulovliglogning_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"


@ -0,0 +1,57 @@
---
- name: setup data.coop website docker container
docker_container:
name: data.coop_website
image: docker.data.coop/data-coop-website
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup new data.coop website using hugo
docker_container:
name: new.data.coop_website
image: docker.data.coop/data-coop-website:hugo
restart_policy: unless-stopped
networks:
- name: external_services
env:
VIRTUAL_HOST : "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_HOST: "new.{{ data_coop_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup cryptohagen.dk website docker container
docker_container:
name: cryptohagen_website
restart_policy: unless-stopped
image: docker.data.coop/cryptohagen-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptohagen_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
- name: setup cryptoaarhus.dk website docker container
docker_container:
name: cryptoaarhus_website
restart_policy: unless-stopped
image: docker.data.coop/cryptoaarhus-website
networks:
- name: external_services
env:
VIRTUAL_HOST : "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_HOST: "{{ cryptoaarhus_website.domains|join(',') }}"
LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
labels:
com.ouroboros.enable: "true"
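
Review bot: in the "new data.coop website" task, "new.{{ data_coop_website.domains|join(',') }}" prefixes only the first entry, so with more than one domain every later entry is identical to a VIRTUAL_HOST of the existing data.coop_website container and the two containers compete for the same host name. Prefix each entry instead, for example "{{ data_coop_website.domains | map('regex_replace', '^', 'new.') | join(',') }}", in both VIRTUAL_HOST and LETSENCRYPT_HOST. The space before the colon in VIRTUAL_HOST : is valid YAML but inconsistent with the other task files.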


@ -0,0 +1,160 @@
# Mailu main configuration file
#
# Generated for compose flavor
#
# This file is autogenerated by the configuration management wizard.
# For a detailed list of configuration variables, see the documentation at
# https://mailu.io
###################################
# Common configuration variables
###################################
# Set this to the path where Mailu data and configuration is stored
# This variable is now set directly in `docker-compose.yml by the setup utility
# ROOT=/mailu
# Mailu version to run (1.0, 1.1, etc. or master)
#VERSION=1.6
# Set to a randomly generated 16 bytes string
SECRET_KEY={{ mailu_secret_key }}
# Address where listening ports should bind
# This variables are now set directly in `docker-compose.yml by the setup utility
# PUBLIC_IPV4= 127.0.0.1 (default: 127.0.0.1)
# PUBLIC_IPV6= ::1 (default: ::1)
# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET={{ mailu.subnet }}
# Main mail domain
DOMAIN=data.coop
# Hostnames for this server, separated with comas
HOSTNAMES=mail.data.coop
# Postmaster local part (will append the main mail domain)
POSTMASTER=admin
# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR=mail
# Authentication rate limit (per source IP address)
AUTH_RATELIMIT=120/minute;1200/hour
# Opt-out of statistics, replace with "True" to opt out
DISABLE_STATISTICS=False
###################################
# Optional features
###################################
# Expose the admin interface (value: true, false)
ADMIN=true
# Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=rainloop
# Dav server implementation (value: radicale, none)
WEBDAV=radicale
# Antivirus solution (value: clamav, none)
#ANTIVIRUS=clamav
#Antispam solution
ANTISPAM=none
###################################
# Mail settings
###################################
# Message size limit in bytes
# Default: accept messages up to 50MB
# Max attachment size will be 33% smaller
MESSAGE_SIZE_LIMIT=50000000
# Networks granted relay permissions
# Use this with care, all hosts in this networks will be able to send mail without authentication!
RELAYNETS=
# Will relay all outgoing mails if configured
RELAYHOST=
# Fetchmail delay
FETCHMAIL_DELAY=600
# Recipient delimiter, character used to delimiter localpart from custom address part
RECIPIENT_DELIMITER=+
# DMARC rua and ruf email
DMARC_RUA=admin
DMARC_RUF=admin
# Welcome email, enable and set a topic and body if you wish to send welcome
# emails to all users.
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!
# Maildir Compression
# choose compression-method, default: none (value: bz2, gz)
COMPRESSION=
# change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL=
###################################
# Web settings
###################################
# Path to redirect / to
WEBROOT_REDIRECT=/webmail
# Path to the admin interface if enabled
WEB_ADMIN=/admin
# Path to the webmail if enabled
WEB_WEBMAIL=/webmail
# Website name
SITENAME=data.coop
# Linked Website URL
WEBSITE=https://mail.data.coop
###################################
# Advanced settings
###################################
# Log driver for front service. Possible values:
# json-file (default)
# journald (On systemd platforms, useful for Fail2Ban integration)
# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
# LOG_DRIVER=json-file
# Docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME=mailu
# Default password scheme used for newly created accounts and changed passwords
# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
PASSWORD_SCHEME=BLF-CRYPT
# Header to take the real ip from
REAL_IP_HEADER=
# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=
# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
REJECT_UNLISTED_RECIPIENT=
# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
LOG_LEVEL=WARNING
###################################
# Database settings
###################################
DB_FLAVOR=postgresql
DB_PW={{ postgres_passwords.mailu }}
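
Review bot: REAL_IP_HEADER and REAL_IP_FROM are left empty although the mail task publishes the front container through nginx-proxy via VIRTUAL_HOST, so web logins will likely all appear to come from the proxy's address and the per-source-IP AUTH_RATELIMIT then applies to all web users together rather than to each client. Set both to match the proxy. COMPOSE_PROJECT_NAME=mailu disagrees with project_name: mail_server in the task that runs the containers. DOMAIN, HOSTNAMES, SITENAME and WEBSITE are hardcoded in a .j2 template while the tasks already use {{ mailu.domain }}.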


@ -1,8 +1,18 @@
---
- name: Install necessary packages
- name: Install necessary packages via apt
apt:
name: "{{ packages }}"
vars:
packages:
- aptitude
- python3-pip
- apparmor
- haveged
- name: Install necessary packages via pip
pip:
name: "{{ packages }}"
vars:
packages:
- docker
- docker-compose
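
Review bot: the new pip task installs docker and docker-compose without versions, so the Python libraries that every docker_container and docker_compose task in this change depends on can differ between hosts and between runs. Pin both with ==. Setting executable: pip3 on the task would also make sure the packages land in the Python 3 environment that python3-pip was installed for.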