From 022800425d8541f5113e57e0d4d4560b666931b3 Mon Sep 17 00:00:00 2001 
From: Kevin Veen-Birkenbach Date: Fri, 15 Aug 2025 15:15:48 +0200 Subject: [PATCH] THE HUGE REFACTORING CALENDER WEEK 33; Optimized Matrix and during this updated variables, and implemented better reset and cleanup mode handling, also solved some initial setup bugs --- group_vars/all/00_general.yml | 2 +- group_vars/all/01_modes.yml | 4 +- group_vars/all/06_nginx.yml | 51 +++--- group_vars/all/07_paths.yml | 8 +- group_vars/all/13_ldap.yml | 12 +- roles/cmp-docker-oauth2/tasks/main.yml | 2 +- .../templates/services/mariadb.yml.j2 | 2 +- .../templates/services/postgres.yml.j2 | 2 +- roles/docker-compose/tasks/01_core.yml | 16 ++ roles/docker-compose/tasks/01_reset.yml | 11 -- roles/docker-compose/tasks/02_reset.yml | 16 ++ .../{02_repository.yml => 03_repository.yml} | 0 .../tasks/{03_files.yml => 04_files.yml} | 0 .../{04_ensure_up.yml => 05_ensure_up.yml} | 0 roles/docker-compose/tasks/main.yml | 22 +-- roles/docker-compose/vars/docker-compose.yml | 2 +- roles/docker-compose/vars/main.yml | 3 +- roles/docker-container/tasks/main.yml | 4 +- roles/docker-container/templates/base.yml.j2 | 2 +- .../templates/healthcheck/msmtp_curl.yml.j2 | 2 +- roles/docker-core/README.md | 5 - roles/docker-core/Todo.md | 2 - roles/docker-core/handlers/main.yml | 3 - roles/docker-core/tasks/01_core.yml | 26 --- .../drv-msi-keyboard-color/tasks/01_core.yml | 2 +- roles/pkgmgr-install/tasks/01_core.yml | 2 + roles/pkgmgr-install/tasks/main.yml | 20 ++- roles/srv-proxy-6-6-domain/vars/main.yml | 2 +- .../handlers/main.yml | 2 +- roles/srv-proxy-6-6-tls-deploy/tasks/main.yml | 6 +- .../srv-proxy-6-6-tls-deploy.service.j2 | 2 +- roles/srv-proxy-6-6-tls-deploy/vars/main.yml | 2 +- .../templates/location/html.conf.j2 | 2 +- .../templates/vhost/basic.conf.j2 | 2 +- roles/srv-web-6-6-tls-renew/tasks/01_core.yml | 4 +- roles/srv-web-7-4-core/Todo.md | 2 + roles/srv-web-7-4-core/tasks/01_core.yml | 75 ++++----- roles/srv-web-7-4-core/tasks/02_cleanup.yml | 8 + 
roles/srv-web-7-4-core/tasks/02_reset.yml | 4 - .../tasks/03_cache_directories.yml | 28 ---- roles/srv-web-7-4-core/tasks/03_reset.yml | 9 ++ .../srv-web-7-4-core/tasks/04_directories.yml | 36 +++++ .../srv-web-7-4-core/templates/nginx.conf.j2 | 8 +- roles/srv-web-7-6-composer/tasks/main.yml | 4 +- roles/srv-web-7-7-certbot/tasks/main.yml | 41 ----- roles/srv-web-7-7-inj-compose/tasks/main.yml | 40 ++--- .../templates/location.lua.j2 | 4 +- roles/srv-web-7-7-inj-css/tasks/01_core.yml | 4 +- .../templates/location.conf.j2 | 2 +- roles/srv-web-7-7-inj-css/vars/main.yml | 2 +- .../tasks/01_deploy.yml | 8 +- .../templates/head_sub.j2 | 2 +- roles/srv-web-7-7-inj-desktop/vars/main.yml | 4 +- .../srv-web-7-7-inj-javascript/tasks/main.yml | 4 +- .../srv-web-7-7-inj-logout/tasks/01_core.yml | 2 +- .../tasks/02_deploy.yml | 16 ++ roles/srv-web-7-7-inj-logout/tasks/deploy.yml | 16 -- roles/srv-web-7-7-inj-logout/tasks/main.yml | 4 +- .../templates/head_sub.j2 | 2 +- roles/srv-web-7-7-inj-logout/vars/main.yml | 4 +- .../srv-web-7-7-letsencrypt/tasks/01_core.yml | 2 +- roles/svc-bkp-rmt-2-loc/tasks/main.yml | 3 +- .../templates/sys-bkp-rmt-2-loc.service.j2 | 2 +- roles/svc-bkp-rmt-2-loc/vars/main.yml | 2 +- roles/svc-db-openldap/tasks/main.yml | 8 +- roles/svc-db-postgres/schema/main.yml | 2 +- roles/svc-db-postgres/tasks/01_core.yml | 19 +-- roles/svc-db-postgres/tasks/02_init.yml | 93 ++++++----- roles/svc-db-postgres/tasks/main.yml | 5 +- roles/svc-db-postgres/templates/Dockerfile.j2 | 4 +- .../templates/docker-compose.yml.j2 | 10 +- roles/svc-db-postgres/templates/env.j2 | 2 +- roles/svc-db-postgres/vars/main.yml | 30 ++-- roles/svc-opt-ssd-hdd/schema/main.yml | 2 +- .../templates/svc-opt-ssd-hdd.service.j2 | 2 +- roles/svc-opt-ssd-hdd/vars/main.yml | 2 +- roles/svc-prx-openresty/config/main.yml | 5 +- roles/svc-prx-openresty/docs/DEBUG.md | 12 +- roles/svc-prx-openresty/handlers/main.yml | 9 +- .../templates/docker-compose.yml.j2 | 16 +- 
roles/svc-prx-openresty/vars/main.yml | 7 +- roles/sys-alm-email/vars/main.yml | 2 +- roles/sys-bkp-docker-2-loc/tasks/01_core.yml | 2 +- .../tasks/04_seed-database-to-backup.yml | 3 + ...sys-bkp-docker-2-loc-everything.service.j2 | 2 +- .../templates/sys-bkp-docker-2-loc.service.j2 | 2 +- roles/sys-bkp-docker-2-loc/vars/main.yml | 2 +- .../templates/sys-cln-backups.service.j2 | 2 +- roles/sys-cln-bkps-service/vars/main.yml | 2 +- roles/sys-cln-bkps-timer/tasks/01_core.yml | 2 +- roles/sys-cln-certs/tasks/01_core.yml | 2 +- roles/sys-cln-disc-space/tasks/main.yml | 2 +- .../templates/sys-cln-disc-space.service.j2 | 2 +- .../templates/sys-cln-disc-space.sh.j2 | 2 +- roles/sys-cln-disc-space/vars/main.yml | 2 +- .../tasks/remove_deprecated_nginx_configs.yml | 4 +- roles/sys-cln-faild-bkps/tasks/01_core.yml | 2 +- .../templates/sys-cln-faild-bkps.service.j2 | 2 +- roles/sys-hlth-btrfs/README.md | 2 +- roles/sys-hlth-btrfs/tasks/main.yml | 2 +- roles/sys-hlth-btrfs/vars/main.yml | 2 +- .../templates/sys-hlth-csp.service.j2 | 2 +- roles/sys-hlth-csp/vars/main.yml | 2 +- roles/sys-hlth-disc-space/tasks/main.yml | 2 +- roles/sys-hlth-disc-space/vars/main.yml | 2 +- roles/sys-hlth-docker-container/README.md | 2 +- .../tasks/01_core.yml | 2 +- roles/sys-hlth-docker-container/vars/main.yml | 2 +- .../sys-hlth-docker-volumes/tasks/01_core.yml | 2 +- roles/sys-hlth-docker-volumes/vars/main.yml | 2 +- roles/sys-hlth-journalctl/tasks/01_core.yml | 2 +- roles/sys-hlth-journalctl/vars/main.yml | 2 +- roles/sys-hlth-msmtp/vars/main.yml | 2 +- roles/sys-hlth-webserver/tasks/01_core.yml | 2 +- .../templates/sys-hlth-webserver.py.j2 | 2 +- roles/sys-hlth-webserver/vars/main.yml | 2 +- roles/sys-lock/tasks/main.yml | 4 +- roles/sys-rpr-btrfs-blnc/tasks/01_core.yml | 2 +- roles/sys-rpr-docker-hard/tasks/01_core.yml | 2 +- .../templates/sys-rpr-docker-hard.service.j2 | 4 +- roles/sys-rpr-docker-hard/vars/main.yml | 2 +- roles/sys-rpr-docker-soft/tasks/01_core.yml | 2 +- 
.../templates/sys-rpr-docker-soft.service.j2 | 4 +- roles/sys-rpr-docker-soft/vars/main.yml | 2 +- .../README.md | 0 .../meta/main.yml | 0 roles/sys-svc-certbot/tasks/01_core.yml | 8 + roles/sys-svc-certbot/tasks/02_no_webroot.yml | 21 +++ roles/sys-svc-certbot/tasks/main.yml | 4 + .../Administration.md | 0 roles/sys-svc-docker/README.md | 44 +++++ roles/sys-svc-docker/handlers/main.yml | 6 + .../meta/main.yml | 0 roles/sys-svc-docker/tasks/01_core.yml | 25 +++ roles/sys-svc-docker/tasks/02_cleanup.yml | 3 + roles/sys-svc-docker/tasks/03_reset.yml | 4 + .../tasks/main.yml | 2 +- roles/sys-systemctl/README.md | 52 ++++++ roles/sys-systemctl/meta/main.yml | 24 +++ roles/sys-systemctl/tasks/01_reset.yml | 12 ++ roles/sys-systemctl/tasks/main.yml | 6 + roles/sys-systemctl/vars/main.yml | 1 + roles/sys-timer/meta/main.yml | 1 - roles/sys-timer/tasks/01_reset.yml | 26 --- roles/sys-timer/tasks/main.yml | 14 +- roles/sys-timer/templates/dummy.timer.j2 | 6 +- roles/sys-timer/vars/main.yml | 2 +- roles/update-compose/tasks/01_core.yml | 4 +- .../templates/update-docker.service.j2 | 4 +- roles/update-docker/vars/main.yml | 2 +- roles/user-administrator/tasks/01_core.yml | 14 +- roles/user/tasks/main.yml | 24 +-- roles/user/vars/main.yml | 2 + roles/web-app-akaunting/Installation.md | 2 +- roles/web-app-attendize/tasks/main.yml | 4 +- roles/web-app-bigbluebutton/tasks/main.yml | 6 +- roles/web-app-bigbluebutton/templates/env.j2 | 10 +- roles/web-app-bluesky/tasks/main.yml | 2 +- roles/web-app-collabora/tasks/main.yml | 2 +- .../web-app-collabora/templates/nginx.conf.j2 | 2 +- roles/web-app-coturn/tasks/main.yml | 2 +- roles/web-app-discourse/tasks/01_core.yml | 2 +- roles/web-app-discourse/tasks/02_reset.yml | 2 +- .../web-app-discourse/templates/config.yml.j2 | 6 +- roles/web-app-elk/tasks/main.yml | 2 +- roles/web-app-espocrm/tasks/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 4 +- roles/web-app-friendica/tasks/main.yml | 2 +- 
roles/web-app-friendica/templates/env.j2 | 2 +- roles/web-app-funkwhale/tasks/main.yml | 2 +- roles/web-app-funkwhale/templates/env.j2 | 2 +- roles/web-app-fusiondirectory/tasks/main.yml | 2 +- roles/web-app-gitea/tasks/main.yml | 2 +- roles/web-app-gitea/templates/env.j2 | 4 +- roles/web-app-gitlab/tasks/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 2 +- roles/web-app-jenkins/tasks/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 2 +- roles/web-app-joomla/tasks/main.yml | 2 +- roles/web-app-keycloak/tasks/main.yml | 4 +- roles/web-app-keycloak/templates/env.j2 | 2 +- .../templates/import/realm.json.j2 | 2 +- roles/web-app-lam/tasks/main.yml | 2 +- roles/web-app-libretranslate/tasks/main.yml | 2 +- roles/web-app-listmonk/tasks/main.yml | 2 +- roles/web-app-mailu/tasks/01_core.yml | 2 +- .../templates/docker-compose.yml.j2 | 2 +- roles/web-app-mailu/templates/env.j2 | 8 +- roles/web-app-mastodon/Administration.md | 6 +- roles/web-app-mastodon/tasks/main.yml | 2 +- roles/web-app-mastodon/templates/env.j2 | 12 +- roles/web-app-matomo/tasks/constructor.yml | 2 +- roles/web-app-matrix/tasks/01_docker.yml | 120 ++++++++++++++ ...se.yml => 02_create-and-seed-database.yml} | 2 +- roles/web-app-matrix/tasks/03_webserver.yml | 33 ++++ roles/web-app-matrix/tasks/main.yml | 153 +----------------- .../templates/docker-compose.yml.j2 | 52 +++--- .../templates/element.config.json.j2 | 4 +- .../templates/mautrix/facebook.config.yml.j2 | 2 +- .../templates/mautrix/instagram.config.yml.j2 | 2 +- .../templates/mautrix/signal.config.yml.j2 | 2 +- .../templates/mautrix/slack.config.yml.j2 | 2 +- .../templates/mautrix/telegram.config.yml.j2 | 2 +- .../templates/mautrix/whatsapp.config.yml.j2 | 2 +- roles/web-app-matrix/templates/nginx.conf.j2 | 12 +- .../templates/synapse/homeserver.yaml.j2 | 24 +-- .../templates/synapse/log.config.j2 | 2 +- roles/web-app-matrix/templates/well-known.j2 | 2 +- roles/web-app-matrix/vars/main.yml | 49 ++++-- 
roles/web-app-mediawiki/tasks/main.yml | 2 +- roles/web-app-mig/tasks/01_core.yml | 2 +- roles/web-app-mobilizon/tasks/main.yml | 2 +- roles/web-app-moodle/tasks/03_oidc.yml | 2 +- roles/web-app-moodle/tasks/main.yml | 2 +- roles/web-app-mybb/tasks/main.yml | 4 +- roles/web-app-mybb/tasks/setup-domain.yml | 8 +- .../templates/docker-compose.yml.j2 | 4 +- roles/web-app-mybb/vars/main.yml | 2 +- roles/web-app-navigator/tasks/main.yml | 2 +- roles/web-app-nextcloud/docs/Update.md | 4 +- roles/web-app-nextcloud/tasks/main.yml | 4 +- .../templates/config/oidc.config.php.j2 | 10 +- .../templates/docker-compose.yml.j2 | 4 +- .../templates/nginx/host.conf.j2 | 2 +- roles/web-app-nextcloud/vars/main.yml | 2 +- roles/web-app-nextcloud/vars/system.yml | 2 +- roles/web-app-oauth2-proxy/tasks/main.yml | 4 +- .../templates/container.yml.j2 | 2 +- roles/web-app-openproject/tasks/main.yml | 2 +- roles/web-app-openproject/templates/env.j2 | 2 +- roles/web-app-peertube/Administration.md | 2 +- .../web-app-peertube/tasks/create-domains.yml | 6 +- roles/web-app-peertube/tasks/main.yml | 2 +- roles/web-app-peertube/templates/env.j2 | 2 +- .../templates/peertube.conf.j2 | 2 +- roles/web-app-pgadmin/tasks/main.yml | 2 +- roles/web-app-pgadmin/vars/db_config.yml | 2 +- roles/web-app-phpldapadmin/tasks/main.yml | 2 +- roles/web-app-phpmyadmin/tasks/main.yml | 2 +- roles/web-app-pixelfed/Administration.md | 2 +- roles/web-app-pixelfed/tasks/main.yml | 2 +- roles/web-app-pixelfed/templates/env.j2 | 10 +- roles/web-app-port-ui/tasks/01_core.yml | 2 +- .../templates/menu/applications.yml.j2 | 4 +- roles/web-app-pretix/tasks/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 2 +- roles/web-app-snipe-it/tasks/main.yml | 2 +- roles/web-app-sphinx/tasks/main.yml | 2 +- roles/web-app-syncope/tasks/main.yml | 8 +- roles/web-app-syncope/templates/proxy.conf | 2 +- roles/web-app-taiga/tasks/main.yml | 2 +- roles/web-app-taiga/templates/env.j2 | 8 +- roles/web-app-wordpress/tasks/main.yml | 2 +- 
roles/web-app-yourls/tasks/main.yml | 2 +- .../tasks/redirect-domain.yml | 2 +- roles/web-svc-asset/tasks/main.yml | 4 +- roles/web-svc-asset/vars/main.yml | 2 +- roles/web-svc-cdn/tasks/01_core.yml | 4 +- roles/web-svc-cdn/templates/nginx.conf.j2 | 4 +- roles/web-svc-file/tasks/main.yml | 6 +- roles/web-svc-file/templates/nginx.conf.j2 | 6 +- roles/web-svc-html/tasks/main.yml | 8 +- roles/web-svc-html/templates/nginx.conf.j2 | 6 +- roles/web-svc-html/vars/main.yml | 2 +- roles/web-svc-legal/tasks/main.yml | 6 +- roles/web-svc-logout/tasks/main.yml | 2 +- roles/web-svc-simpleicons/tasks/main.yml | 2 +- tasks/stages/02_server.yml | 2 + tasks/utils/run_once.yml | 2 +- tasks/utils/update-repository-with-files.yml | 8 +- templates/roles/web-app/tasks/main.yml.j2 | 4 +- 271 files changed, 1098 insertions(+), 916 deletions(-) create mode 100644 roles/docker-compose/tasks/01_core.yml delete mode 100644 roles/docker-compose/tasks/01_reset.yml create mode 100644 roles/docker-compose/tasks/02_reset.yml rename roles/docker-compose/tasks/{02_repository.yml => 03_repository.yml} (100%) rename roles/docker-compose/tasks/{03_files.yml => 04_files.yml} (100%) rename roles/docker-compose/tasks/{04_ensure_up.yml => 05_ensure_up.yml} (100%) delete mode 100644 roles/docker-core/README.md delete mode 100644 roles/docker-core/Todo.md delete mode 100644 roles/docker-core/handlers/main.yml delete mode 100644 roles/docker-core/tasks/01_core.yml create mode 100644 roles/srv-web-7-4-core/Todo.md create mode 100644 roles/srv-web-7-4-core/tasks/02_cleanup.yml delete mode 100644 roles/srv-web-7-4-core/tasks/02_reset.yml delete mode 100644 roles/srv-web-7-4-core/tasks/03_cache_directories.yml create mode 100644 roles/srv-web-7-4-core/tasks/03_reset.yml create mode 100644 roles/srv-web-7-4-core/tasks/04_directories.yml delete mode 100644 roles/srv-web-7-7-certbot/tasks/main.yml create mode 100644 roles/srv-web-7-7-inj-logout/tasks/02_deploy.yml delete mode 100644 
roles/srv-web-7-7-inj-logout/tasks/deploy.yml rename roles/{srv-web-7-7-certbot => sys-svc-certbot}/README.md (100%) rename roles/{srv-web-7-7-certbot => sys-svc-certbot}/meta/main.yml (100%) create mode 100644 roles/sys-svc-certbot/tasks/01_core.yml create mode 100644 roles/sys-svc-certbot/tasks/02_no_webroot.yml create mode 100644 roles/sys-svc-certbot/tasks/main.yml rename roles/{docker-core => sys-svc-docker}/Administration.md (100%) create mode 100644 roles/sys-svc-docker/README.md create mode 100644 roles/sys-svc-docker/handlers/main.yml rename roles/{docker-core => sys-svc-docker}/meta/main.yml (100%) create mode 100644 roles/sys-svc-docker/tasks/01_core.yml create mode 100644 roles/sys-svc-docker/tasks/02_cleanup.yml create mode 100644 roles/sys-svc-docker/tasks/03_reset.yml rename roles/{docker-core => sys-svc-docker}/tasks/main.yml (64%) create mode 100644 roles/sys-systemctl/README.md create mode 100644 roles/sys-systemctl/meta/main.yml create mode 100644 roles/sys-systemctl/tasks/01_reset.yml create mode 100644 roles/sys-systemctl/tasks/main.yml create mode 100644 roles/sys-systemctl/vars/main.yml delete mode 100644 roles/sys-timer/tasks/01_reset.yml create mode 100644 roles/user/vars/main.yml create mode 100644 roles/web-app-matrix/tasks/01_docker.yml rename roles/web-app-matrix/tasks/{create-and-seed-database.yml => 02_create-and-seed-database.yml} (91%) create mode 100644 roles/web-app-matrix/tasks/03_webserver.yml diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index 7bbe0dac..6d27751a 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml 
@@ -29,7 +29,7 @@ WEB_PORT: "{{ 443 if WEB_PROTOCOL == 'https' else 80 }}" # Defaul # Domain PRIMARY_DOMAIN: "localhost" # Primary Domain of the server -PRIMARY_DOMAIN_tld: "{{ (PRIMARY_DOMAIN == 'localhost') | ternary('localhost', PRIMARY_DOMAIN.split('.')[-1]) }}" # Top Level Domain of the server +PRIMARY_DOMAIN_TLD: "{{ (PRIMARY_DOMAIN == 'localhost') | ternary('localhost', PRIMARY_DOMAIN.split('.')[-1]) }}" # Top Level Domain of the server PRIMARY_DOMAIN_SLD: "{{ (PRIMARY_DOMAIN == 'localhost') | ternary('localhost', PRIMARY_DOMAIN.split('.')[-2]) }}" # Second Level Domain of the server # Server Tact Variables diff --git a/group_vars/all/01_modes.yml b/group_vars/all/01_modes.yml index f748e158..d8438465 100644 --- a/group_vars/all/01_modes.yml +++ b/group_vars/all/01_modes.yml @@ -1,9 +1,9 @@ # Mode # The following modes can be combined with each other -MODE_RESET: false # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function. MODE_TEST: false # Executes test routines instead of productive routines MODE_UPDATE: true # Executes updates MODE_BACKUP: true # Activates the backup before the update procedure MODE_CLEANUP: true # Cleanup unused files and configurations -MODE_DEBUG: false # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers \ No newline at end of file +MODE_DEBUG: false # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers +MODE_RESET: false # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function. \ No newline at end of file diff --git a/group_vars/all/06_nginx.yml b/group_vars/all/06_nginx.yml index 3b8e89f1..cd235535 100644 --- a/group_vars/all/06_nginx.yml +++ b/group_vars/all/06_nginx.yml 
@@ -1,27 +1,32 @@ # Webserver Configuration # Helper -_nginx_www_dir: /var/www/ +_nginx_www_dir: "{{ applications | get_app_conf('svc-prx-openresty','docker.volumes.www') }}" +_nginx_dir: "{{ applications | get_app_conf('svc-prx-openresty','docker.volumes.nginx') }}" +_nginx_conf_dir: "{{ _nginx_dir }}conf.d/" +_nginx_http_dir: "{{ _nginx_conf_dir }}http/" + ## Nginx-Specific Path Configurations -nginx: - files: - configuration: "/etc/nginx/nginx.conf" - directories: - configuration: "/etc/nginx/conf.d/" # Configuration directory - http: - global: "/etc/nginx/conf.d/http/global/" # Contains global configurations which will be loaded into the http block - servers: "/etc/nginx/conf.d/http/servers/" # Contains one configuration per domain - maps: "/etc/nginx/conf.d/http/maps/" # Contains mappings - streams: "/etc/nginx/conf.d/streams/" # Contains streams configuration e.g. for ldaps - data: - www: "{{ _nginx_www_dir }}" - well_known: "/usr/share/nginx/well-known/" # Path where well-known files are stored - html: "{{ _nginx_www_dir }}public_html/" # Path where the static homepage files are stored - files: "{{ _nginx_www_dir }}public_files/" # Path where the web accessable files are stored - cdn: "{{ _nginx_www_dir }}public_cdn/" # Contains files which will be accessable via the content delivery network - global: "{{ _nginx_www_dir }}global/" # Directory containing files which will be globaly accessable - cache: - general: "/tmp/cache_nginx_general/" # Directory which nginx uses to cache general data - image: "/tmp/cache_nginx_image/" # Directory which nginx uses to cache images - user: "http" # Default nginx user in ArchLinux - \ No newline at end of file +NGINX: + FILES: + CONFIGURATION: "{{ _nginx_dir }}nginx.conf" + DIRECTORIES: + CONFIGURATION: "{{ _nginx_conf_dir }}" # Configuration directory + HTTP: + GLOBAL: "{{ _nginx_http_dir }}global/" # Contains global configurations which will be loaded into the http block + SERVERS: "{{ _nginx_http_dir }}servers/" # 
Contains one configuration per domain + MAPS: "{{ _nginx_http_dir }}maps/" # Contains mappings + STREAMS: "{{ _nginx_conf_dir }}streams/" # Contains streams configuration e.g. for ldaps + DATA: + WWW: "{{ _nginx_www_dir }}" + WELL_KNOWN: "/usr/share/nginx/well-known/" # Path where well-known files are stored + HTML: "{{ _nginx_www_dir }}public_html/" # Path where the static homepage files are stored + FILES: "{{ _nginx_www_dir }}public_files/" # Path where the web accessable files are stored + CDN: "{{ _nginx_www_dir }}public_cdn/" # Contains files which will be accessable via the content delivery network + GLOBAL: "{{ _nginx_www_dir }}global/" # Directory containing files which will be globaly accessable, @Todo remove this when css migrated to CDN + CACHE: + GENERAL: "/tmp/cache_nginx_general/" # Directory which nginx uses to cache general data + IMAGE: "/tmp/cache_nginx_image/" # Directory which nginx uses to cache images + USER: "http" # Default nginx user in ArchLinux + +# @todo It propably makes sense to distinguish between target and source mount path, so that the config files can be stored in the openresty volumes folder diff --git a/group_vars/all/07_paths.yml b/group_vars/all/07_paths.yml index 7eeacef0..68cba46c 100644 --- a/group_vars/all/07_paths.yml +++ b/group_vars/all/07_paths.yml @@ -1,6 +1,6 @@ # Path Variables for Key Directories and Scripts -path_administrator_home: "/home/administrator/" -path_administrator_scripts: "/opt/scripts/" -path_docker_compose_instances: "/opt/docker/" -path_system_lock_script: "/opt/scripts/sys-lock.py" \ No newline at end of file +PATH_ADMINISTRATOR_HOME: "/home/administrator/" +PATH_ADMINISTRATOR_SCRIPTS: "/opt/scripts/" +PATH_DOCKER_COMPOSE_INSTANCES: "/opt/docker/" +PATH_SYSTEM_LOCK_SCRIPT: "/opt/scripts/sys-lock.py" \ No newline at end of file diff --git a/group_vars/all/13_ldap.yml b/group_vars/all/13_ldap.yml index 6d3e127d..fc513f47 100644 --- a/group_vars/all/13_ldap.yml +++ b/group_vars/all/13_ldap.yml 
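Review bot: `_nginx_conf_dir` and `_nginx_http_dir` are built by bare concatenation (`"{{ _nginx_dir }}conf.d/"`, `"{{ _nginx_conf_dir }}http/"`), so they are only correct if the value returned by `get_app_conf('svc-prx-openresty','docker.volumes.nginx')` ends in a slash, a contract the previously hard-coded `/etc/nginx/conf.d/` never depended on. A missing slash would silently place `conf.d/` beside the volume directory instead of inside it, and every `NGINX.DIRECTORIES.*` path derives from it. Normalising at the helper avoids relying on the app config, e.g. `_nginx_dir: "{{ (applications | get_app_conf('svc-prx-openresty','docker.volumes.nginx')).rstrip('/') ~ '/' }}"`, and the same treatment fits `_nginx_www_dir`, whose derived `HTML`/`FILES`/`CDN`/`GLOBAL` paths also assume a trailing slash. Alternatively, a comment next to the helpers stating the trailing-slash requirement would at least make the assumption visible.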
@@ -5,7 +5,7 @@ # Helper Variables: # Keep in mind to mapp this variables if there is ever the possibility for the user to define them in the inventory -_ldap_dn_base: "dc={{PRIMARY_DOMAIN_SLD}},dc={{PRIMARY_DOMAIN_tld}}" +LDAP_DN_BASE: "dc={{ PRIMARY_DOMAIN_SLD }},dc={{ PRIMARY_DOMAIN_TLD }}" _ldap_docker_network_enabled: "{{ applications | get_app_conf('svc-db-openldap', 'network.docker') }}" _ldap_protocol: "{{ 'ldap' if _ldap_docker_network_enabled else 'ldaps' }}" _ldap_server_port: "{{ ports.localhost[_ldap_protocol]['svc-db-openldap'] }}" @@ -22,14 +22,14 @@ ldap: # This is the top-level naming context for your directory, used as the # default search base for most operations (e.g. adding users, groups). # Example: “dc=example,dc=com” - root: "{{_ldap_dn_base}}" + root: "{{ LDAP_DN_BASE }}" administrator: # ------------------------------------------------------------------------- # Data-Tree Administrator Bind DN # The DN used to authenticate for regular directory operations under # the data tree (adding users, modifying attributes, creating OUs, etc.). # Typically: “cn=admin,dc=example,dc=com” - data: "cn={{ applications['svc-db-openldap'].users.administrator.username }},{{ _ldap_dn_base }}" + data: "cn={{ applications['svc-db-openldap'].users.administrator.username }},{{ LDAP_DN_BASE }}" # ------------------------------------------------------------------------- # Config-Tree Administrator Bind DN @@ -47,9 +47,9 @@ ldap: # – groups: Contains organizational or business groups (e.g., departments, teams). # – roles: Contains application-specific RBAC roles # (e.g., "cn=app1-user", "cn=yourls-admin"). - users: "ou=users,{{ _ldap_dn_base }}" - groups: "ou=groups,{{ _ldap_dn_base }}" - roles: "ou=roles,{{ _ldap_dn_base }}" + users: "ou=users,{{ LDAP_DN_BASE }}" + groups: "ou=groups,{{ LDAP_DN_BASE }}" + roles: "ou=roles,{{ LDAP_DN_BASE }}" # ------------------------------------------------------------------------- # Additional Notes 
diff --git a/roles/cmp-docker-oauth2/tasks/main.yml b/roles/cmp-docker-oauth2/tasks/main.yml index 9c481b88..f3eba447 100644 --- a/roles/cmp-docker-oauth2/tasks/main.yml +++ b/roles/cmp-docker-oauth2/tasks/main.yml @@ -10,7 +10,7 @@ - name: "set oauth2_proxy_application_id (Needed due to lazzy loading issue)" set_fact: oauth2_proxy_application_id: "{{ application_id }}" - - name: "include the web-app-oauth2-proxy role {{domain}}" + - name: "include the web-app-oauth2-proxy role {{ domain }}" include_tasks: "{{ playbook_dir }}/roles/web-app-oauth2-proxy/tasks/main.yml" when: applications | get_app_conf(application_id, 'features.oauth2', False) diff --git a/roles/cmp-rdbms/templates/services/mariadb.yml.j2 b/roles/cmp-rdbms/templates/services/mariadb.yml.j2 index 525c98df..2ab27fb4 100644 --- a/roles/cmp-rdbms/templates/services/mariadb.yml.j2 +++ b/roles/cmp-rdbms/templates/services/mariadb.yml.j2 @@ -6,7 +6,7 @@ logging: driver: journald image: mariadb - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} env_file: - {{database_env}} command: "--transaction-isolation=READ-COMMITTED --binlog-format=ROW" diff --git a/roles/cmp-rdbms/templates/services/postgres.yml.j2 b/roles/cmp-rdbms/templates/services/postgres.yml.j2 index 26787c9c..23aea5d0 100644 --- a/roles/cmp-rdbms/templates/services/postgres.yml.j2 +++ b/roles/cmp-rdbms/templates/services/postgres.yml.j2 @@ -6,7 +6,7 @@ container_name: {{ application_id | get_entity_name }}-database env_file: - {{database_env}} - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} healthcheck: test: ["CMD-SHELL", "pg_isready -U {{database_name}}"] interval: 10s diff --git a/roles/docker-compose/tasks/01_core.yml b/roles/docker-compose/tasks/01_core.yml new file mode 100644 index 00000000..2fc6c44e --- /dev/null +++ b/roles/docker-compose/tasks/01_core.yml 
@@ -0,0 +1,16 @@
+- name: "Load docker container role"
+ include_role:
+ name: docker-container
+
+ when: run_once_docker_container is not defined
+- name: "reset (if enabled)"
+ include_tasks: 02_reset.yml
+ when: MODE_RESET | bool
+
+- name: "create {{ PATH_DOCKER_COMPOSE_INSTANCES }}"
+ file:
+ path: "{{ PATH_DOCKER_COMPOSE_INSTANCES }}"
+ state: directory
+ mode: 0700
+ owner: root
+ group: root
\ No newline at end of file
diff --git a/roles/docker-compose/tasks/01_reset.yml b/roles/docker-compose/tasks/01_reset.yml
deleted file mode 100644
index 0799fd54..00000000
--- a/roles/docker-compose/tasks/01_reset.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# It is necessary to shut the projects down, when reset is activated.
-# Otherwise it can lead to this bug:
-# https://github.com/ansible/ansible/issues/10244
-- name: shut down docker compose project
- command:
- cmd: "docker-compose -p {{ application_id }} down"
-
-- name: "Remove {{ docker_compose.directories.instance }} and all its contents"
- file:
- path: "{{ docker_compose.directories.instance }}"
- state: absent
\ No newline at end of file
diff --git a/roles/docker-compose/tasks/02_reset.yml b/roles/docker-compose/tasks/02_reset.yml
new file mode 100644
index 00000000..767e27a4
--- /dev/null
+++ b/roles/docker-compose/tasks/02_reset.yml
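Review bot: The `when: run_once_docker_container is not defined` of the first task is separated from its `include_role` by a blank line and then runs straight into `- name: "reset (if enabled)"`, so it reads as a condition on the reset task rather than on loading the docker-container role; YAML still attaches it to the first task, but the blank line belongs between the two tasks, not inside the first one. `mode: 0700` is an unquoted octal literal that a YAML 1.1 loader turns into the integer 448; Ansible's file module documents that a leading-zero form is accepted, but the lint-clean and unambiguous spelling is `mode: "0700"`. The new file is also written without a trailing newline.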
@@ -0,0 +1,16 @@
+# It is necessary to shut the projects down, when reset is activated.
+# Otherwise it can lead to this bug:
+# https://github.com/ansible/ansible/issues/10244
+- name: "pkgmgr install '{{ DOCKER_COMPOSE_DOWN_ALL_PACKAGE }}'"
+ include_role:
+ name: pkgmgr-install
+ vars:
+ package_name: "{{ DOCKER_COMPOSE_DOWN_ALL_PACKAGE }}"
+
+- name: Shutdown all docker compose instances in '{{ PATH_DOCKER_COMPOSE_INSTANCES }}' with '{{ DOCKER_COMPOSE_DOWN_ALL_PACKAGE }}'
+ command: "{{ DOCKER_COMPOSE_DOWN_ALL_PACKAGE }} {{ PATH_DOCKER_COMPOSE_INSTANCES }}"
+
+- name: "Remove directory '{{ PATH_DOCKER_COMPOSE_INSTANCES }}' and all its contents"
+ file:
+ path: "{{ PATH_DOCKER_COMPOSE_INSTANCES }}"
+ state: absent
diff --git a/roles/docker-compose/tasks/02_repository.yml b/roles/docker-compose/tasks/03_repository.yml
similarity index 100%
rename from roles/docker-compose/tasks/02_repository.yml
rename to roles/docker-compose/tasks/03_repository.yml
diff --git a/roles/docker-compose/tasks/03_files.yml b/roles/docker-compose/tasks/04_files.yml
similarity index 100%
rename from roles/docker-compose/tasks/03_files.yml
rename to roles/docker-compose/tasks/04_files.yml
diff --git a/roles/docker-compose/tasks/04_ensure_up.yml b/roles/docker-compose/tasks/05_ensure_up.yml
similarity index 100%
rename from roles/docker-compose/tasks/04_ensure_up.yml
rename to roles/docker-compose/tasks/05_ensure_up.yml
diff --git a/roles/docker-compose/tasks/main.yml b/roles/docker-compose/tasks/main.yml
index 12bb14df..74f7a51e 100644
--- a/roles/docker-compose/tasks/main.yml
+++ b/roles/docker-compose/tasks/main.yml
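Review bot: The reset's blast radius has widened from one application to the whole host without the file saying so: the deleted `01_reset.yml` ran `docker-compose -p {{ application_id }} down` and removed only `docker_compose.directories.instance`, whereas the new tasks run `{{ DOCKER_COMPOSE_DOWN_ALL_PACKAGE }}` over `PATH_DOCKER_COMPOSE_INSTANCES` and then `state: absent` the entire instances root. Given that 01_core.yml is only included under `run_once_docker_compose is not defined`, this looks like the intended "whole playbook" semantic from the commit message, but anything persisted below that directory (bind-mounted data, the repository-based instances the comment in docker-compose/tasks/main.yml mentions) is destroyed for every application, not just the one being deployed. The three-line header comment only explains the ansible issue; it should also state that this reset is host-wide and that `MODE_RESET` is meaningful only for a full-playbook run, so nobody toggles it for a single role. The `command` task has no `changed_when` and so always reports changed; `changed_when: false` or a check on its output would keep the reset run honest in the recap.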
@@ -1,16 +1,10 @@ - block: - - include_role: - name: docker-container - when: run_once_docker_container is not defined + - include_tasks: 01_core.yml - include_tasks: utils/run_once.yml when: run_once_docker_compose is not defined -- name: "Load variables from {{ docker_compose_variable_file }} for whole play" - include_vars: "{{ docker_compose_variable_file }}" - -- name: "reset (if enabled)" - include_tasks: 01_reset.yml - when: MODE_RESET | bool +- name: "Load variables from {{ DOCKER_COMPOSE_VARIABLE_FILE }} for whole play" + include_vars: "{{ DOCKER_COMPOSE_VARIABLE_FILE }}" # This could lead to problems in docker-compose directories which are based on a git repository # @todo Verify that this isn't the case. E.g. in accounting @@ -21,15 +15,15 @@ mode: '0755' with_dict: "{{ docker_compose.directories }}" -- name: "Include routines to set up a git repository based installation for '{{application_id}}'." - include_tasks: "02_repository.yml" +- name: "Include routines to set up a git repository based installation for '{{ application_id }}'." + include_tasks: "03_repository.yml" when: docker_pull_git_repository | bool - block: - - name: "Include file management routines for '{{application_id}}'." - include_tasks: "03_files.yml" + - name: "Include file management routines for '{{ application_id }}'." + include_tasks: "04_files.yml" - name: "Ensure that {{ docker_compose.directories.instance }} is up" - include_tasks: "04_ensure_up.yml" + include_tasks: "05_ensure_up.yml" when: not docker_compose_skipp_file_creation | bool - name: "flush docker compose for '{{ application_id }}'" diff --git a/roles/docker-compose/vars/docker-compose.yml b/roles/docker-compose/vars/docker-compose.yml index e08088e8..a1deb96f 100644 --- a/roles/docker-compose/vars/docker-compose.yml +++ b/roles/docker-compose/vars/docker-compose.yml 
@@ -1,2 +1,2 @@ # @See https://chatgpt.com/share/67a23d18-fb54-800f-983c-d6d00752b0b4 -docker_compose: "{{ application_id | get_docker_paths(path_docker_compose_instances) }}" \ No newline at end of file +docker_compose: "{{ application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) }}" \ No newline at end of file diff --git a/roles/docker-compose/vars/main.yml b/roles/docker-compose/vars/main.yml index aa431aee..e2c34e17 100644 --- a/roles/docker-compose/vars/main.yml +++ b/roles/docker-compose/vars/main.yml @@ -1 +1,2 @@ -docker_compose_variable_file: "{{ role_path }}/vars/docker-compose.yml" +DOCKER_COMPOSE_VARIABLE_FILE: "{{ role_path }}/vars/docker-compose.yml" +DOCKER_COMPOSE_DOWN_ALL_PACKAGE: "docodol" \ No newline at end of file diff --git a/roles/docker-container/tasks/main.yml b/roles/docker-container/tasks/main.yml index ca11051f..8a1085b2 100644 --- a/roles/docker-container/tasks/main.yml +++ b/roles/docker-container/tasks/main.yml @@ -1,6 +1,6 @@ - block: - include_role: - name: docker-core - when: run_once_docker_core is not defined + name: sys-svc-docker + when: run_once_sys_svc_docker is not defined - include_tasks: utils/run_once.yml when: run_once_docker_container is not defined diff --git a/roles/docker-container/templates/base.yml.j2 b/roles/docker-container/templates/base.yml.j2 index f963ee43..cd8872e2 100644 --- a/roles/docker-container/templates/base.yml.j2 +++ b/roles/docker-container/templates/base.yml.j2 @@ -1,6 +1,6 @@ {# Base for docker services #} - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} {% if application_id | has_env %} env_file: - "{{docker_compose.files.env}}" diff --git a/roles/docker-container/templates/healthcheck/msmtp_curl.yml.j2 b/roles/docker-container/templates/healthcheck/msmtp_curl.yml.j2 index b84e93ed..1f67b4c5 100644 --- a/roles/docker-container/templates/healthcheck/msmtp_curl.yml.j2 +++ b/roles/docker-container/templates/healthcheck/msmtp_curl.yml.j2 
@@ -16,7 +16,7 @@ - CMD-SHELL - > if [ ! -f /tmp/email_sent ]; then - echo 'Subject: testmessage from {{domains | get_domain(application_id)}}\n\nSUCCESSFULL' | msmtp -t {{users.blackhole.email}} && touch /tmp/email_sent; + echo 'Subject: testmessage from {{ domains | get_domain(application_id) }}\n\nSUCCESSFULL' | msmtp -t {{ users.blackhole.email }} && touch /tmp/email_sent; fi && curl -f http://localhost:80/ || exit 1 interval: 1m
diff --git a/roles/docker-core/README.md b/roles/docker-core/README.md
deleted file mode 100644
index 5727c3e9..00000000
--- a/roles/docker-core/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Docker Server
-
-This role is part of the [Infinito.Nexus Project](https://s.infinito.nexus/code), maintained and developed by [Kevin Veen-Birkenbach](https://www.veen.world/).
-
-Enjoy using this role and happy containerizing! 🎉
\ No newline at end of file
diff --git a/roles/docker-core/Todo.md b/roles/docker-core/Todo.md
deleted file mode 100644
index 15efc1c4..00000000
--- a/roles/docker-core/Todo.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# Todos
-- Add cleanup service for docker system prune -f
\ No newline at end of file
diff --git a/roles/docker-core/handlers/main.yml b/roles/docker-core/handlers/main.yml
deleted file mode 100644
index 92e62bf8..00000000
--- a/roles/docker-core/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: docker restart
- service: name=docker.service state=restarted enabled=yes
diff --git a/roles/docker-core/tasks/01_core.yml b/roles/docker-core/tasks/01_core.yml
deleted file mode 100644
index b0b0c5c5..00000000
--- a/roles/docker-core/tasks/01_core.yml
+++ /dev/null
@@ -1,26 +0,0 @@ -- name: Include backup, repair, health and user dependencies - include_role: - name: "{{ item }}" - loop: - - sys-bkp-docker-2-loc - - user-administrator - - sys-hlth-docker-container - - sys-hlth-docker-volumes - - sys-rpr-docker-soft - - sys-rpr-docker-hard - -- name: docker & docker compose install - community.general.pacman: - name: - - 'docker' - - 'docker-compose' - state: present - notify: docker restart - -- name: "create {{path_docker_compose_instances}}" - file: - path: "{{path_docker_compose_instances}}" - state: directory - mode: 0700 - owner: root - group: root diff --git a/roles/drv-msi-keyboard-color/tasks/01_core.yml b/roles/drv-msi-keyboard-color/tasks/01_core.yml index 00a763c7..f0dcd495 100644 --- a/roles/drv-msi-keyboard-color/tasks/01_core.yml +++ b/roles/drv-msi-keyboard-color/tasks/01_core.yml @@ -30,7 +30,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/pkgmgr-install/tasks/01_core.yml b/roles/pkgmgr-install/tasks/01_core.yml index 63e7ebee..78ec8118 100644 --- a/roles/pkgmgr-install/tasks/01_core.yml +++ b/roles/pkgmgr-install/tasks/01_core.yml @@ -7,3 +7,5 @@ shell: | source ~/.venvs/pkgmgr/bin/activate pkgmgr update pkgmgr + register: pkgmgr_update + changed_when: "'already up to date' not in (pkgmgr_update.stdout | lower)" diff --git a/roles/pkgmgr-install/tasks/main.yml b/roles/pkgmgr-install/tasks/main.yml index a2ce6840..3a2d9fa0 100644 --- a/roles/pkgmgr-install/tasks/main.yml +++ b/roles/pkgmgr-install/tasks/main.yml 
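Review bot: The `source ~/.venvs/pkgmgr/bin/activate` line in the pkgmgr-install/tasks/01_core.yml hunk still runs under the `shell` module's default interpreter, while the sibling task in roles/pkgmgr-install/tasks/main.yml in this same commit adds `args:` / `  executable: /bin/bash` for the identical activation line. `source` is a bash builtin, so this task only works where /bin/sh happens to be bash; add the same `args:` block here for consistency. The new `changed_when` also inspects only stdout, whereas the main.yml task checks stdout and stderr together, so if pkgmgr reports its status on stderr this task will flip between changed and unchanged; `(pkgmgr_update.stdout ~ ' ' ~ pkgmgr_update.stderr) | lower` would match the sibling. The enclosing task's `name:` line starts before this hunk.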
@@ -5,11 +5,25 @@ when: run_once_pkgmgr_install is not defined - name: update {{ package_name }} - shell: | + ansible.builtin.shell: | source ~/.venvs/pkgmgr/bin/activate pkgmgr update {{ package_name }} --dependencies --clone-mode https + args: + executable: /bin/bash notify: "{{ package_notify | default(omit,true) }}" register: pkgmgr_update_result - changed_when: "'No command defined and neither main.sh nor main.py found' not in pkgmgr_update_result.stdout" - failed_when: pkgmgr_update_result.rc != 0 and 'No command defined and neither main.sh nor main.py found' not in pkgmgr_update_result.stdout + # Mark changed only if it's not "already up to date" and not "no command defined..." + changed_when: > + ('already up to date' not in ((pkgmgr_update_result.stdout | default('') | lower) + ~ ' ' ~ (pkgmgr_update_result.stderr | default('') | lower))) + and + ('no command defined' not in ((pkgmgr_update_result.stdout | default('') | lower) + ~ ' ' ~ (pkgmgr_update_result.stderr | default('') | lower))) + + # Fail only on real errors; allow the "no command defined..." case + failed_when: > + (pkgmgr_update_result.rc != 0) + and + ('no command defined' not in ((pkgmgr_update_result.stdout | default('') | lower) + ~ ' ' ~ (pkgmgr_update_result.stderr | default('') | lower))) diff --git a/roles/srv-proxy-6-6-domain/vars/main.yml b/roles/srv-proxy-6-6-domain/vars/main.yml index 6a6c2417..0f821587 100644 --- a/roles/srv-proxy-6-6-domain/vars/main.yml +++ b/roles/srv-proxy-6-6-domain/vars/main.yml @@ -1 +1 @@ -configuration_destination: "{{nginx.directories.http.servers}}{{domain}}.conf" \ No newline at end of file +configuration_destination: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf" \ No newline at end of file diff --git a/roles/srv-proxy-6-6-tls-deploy/handlers/main.yml b/roles/srv-proxy-6-6-tls-deploy/handlers/main.yml index 0095eb85..2403b797 100644 --- a/roles/srv-proxy-6-6-tls-deploy/handlers/main.yml +++ b/roles/srv-proxy-6-6-tls-deploy/handlers/main.yml 
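Review bot: The combined-output expression `(pkgmgr_update_result.stdout | default('') | lower) ~ ' ' ~ (pkgmgr_update_result.stderr | default('') | lower)` is written out three times across `changed_when` and `failed_when`, which makes the two conditions easy to drift apart on the next edit. Consider binding it once under the task's `vars:` (for example `pkgmgr_update_output: "{{ ... }}"`) and referencing that name in both conditions; task vars are templated lazily so the registered result should be visible there, but confirm on a dry run. The `failed_when` correctly restricts the suppressed non-zero exit to outputs containing `no command defined`, so the allow-list itself reads as intended. The task's `name:` line starts before this hunk.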
@@ -1,7 +1,7 @@ --- - name: "restart srv-proxy-6-6-tls-deploy service" systemd: - name: srv-proxy-6-6-tls-deploy.{{application_id}}{{ SYS_SERVICE_SUFFIX }} + name: srv-proxy-6-6-tls-deploy.{{ application_id }}{{ SYS_SERVICE_SUFFIX }} state: restarted enabled: yes daemon_reload: yes \ No newline at end of file diff --git a/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml b/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml index c79d0fe2..8ce2cd69 100644 --- a/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml +++ b/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml @@ -14,14 +14,14 @@ - name: configure srv-proxy-6-6-tls-deploy service template: src: "srv-proxy-6-6-tls-deploy.service.j2" - dest: "/etc/systemd/system/srv-proxy-6-6-tls-deploy.{{application_id}}{{ SYS_SERVICE_SUFFIX }}" + dest: "/etc/systemd/system/srv-proxy-6-6-tls-deploy.{{ application_id }}{{ SYS_SERVICE_SUFFIX }}" notify: restart srv-proxy-6-6-tls-deploy service -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: on_calendar: "{{on_calendar_deploy_certificates}}" - service_name: "srv-proxy-6-6-tls-deploy.{{application_id}}" + service_name: "srv-proxy-6-6-tls-deploy.{{ application_id }}" persistent: "true" diff --git a/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.service.j2 b/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.service.j2 index 57a59485..07e53750 100644 --- a/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.service.j2 +++ b/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.service.j2 
@@ -4,4 +4,4 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStart=/usr/bin/bash {{path_administrator_scripts}}/srv-proxy-6-6-tls-deploy.sh {{ssl_cert_folder}} {{docker_compose.directories.instance}} +ExecStart=/usr/bin/bash {{ PATH_ADMINISTRATOR_SCRIPTS }}/srv-proxy-6-6-tls-deploy.sh {{ssl_cert_folder}} {{docker_compose.directories.instance}} diff --git a/roles/srv-proxy-6-6-tls-deploy/vars/main.yml b/roles/srv-proxy-6-6-tls-deploy/vars/main.yml index 3f49829c..f67072c1 100644 --- a/roles/srv-proxy-6-6-tls-deploy/vars/main.yml +++ b/roles/srv-proxy-6-6-tls-deploy/vars/main.yml @@ -1 +1 @@ -nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}srv-proxy-6-6-tls-deploy.sh" \ No newline at end of file +nginx_docker_cert_deploy_script: "{{ PATH_ADMINISTRATOR_SCRIPTS }}srv-proxy-6-6-tls-deploy.sh" \ No newline at end of file diff --git a/roles/srv-proxy-7-4-core/templates/location/html.conf.j2 b/roles/srv-proxy-7-4-core/templates/location/html.conf.j2 index 93f10801..aa6dcfa0 100644 --- a/roles/srv-proxy-7-4-core/templates/location/html.conf.j2 +++ b/roles/srv-proxy-7-4-core/templates/location/html.conf.j2 @@ -21,7 +21,7 @@ location {{location}} # WebSocket specific header proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + proxy_set_header Connection "upgrade"; # timeouts proxy_connect_timeout 5s; diff --git a/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 b/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 index df65ba38..1f1f2877 100644 --- a/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 +++ b/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 @@ -1,6 +1,6 @@ server { - server_name {{domain}}; + server_name {{ domain }}; {% if applications | get_app_conf(application_id, 'features.oauth2', False) %} {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%} 
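Review bot: `proxy_set_header Connection "upgrade";` in the html.conf.j2 hunk is now sent on every proxied request in this location, not only on WebSocket upgrades; the previous `$connection_upgrade` form is the nginx-documented pattern where a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` block yields `upgrade` only when the client actually sent an `Upgrade` header. With the constant, ordinary HTTP requests reach the backend carrying `Connection: upgrade` without an `Upgrade` header, which some upstreams reject or treat as a half-open upgrade. If the variable was dropped because the map was missing (nothing in this diff adds one to roles/srv-web-7-4-core/templates/nginx.conf.j2), the safer fix is to add that map to the `http` block and restore `proxy_set_header Connection $connection_upgrade;`. The enclosing `location` block starts before this hunk.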
diff --git a/roles/srv-web-6-6-tls-renew/tasks/01_core.yml b/roles/srv-web-6-6-tls-renew/tasks/01_core.yml index 8efbeec8..18f29326 100644 --- a/roles/srv-web-6-6-tls-renew/tasks/01_core.yml +++ b/roles/srv-web-6-6-tls-renew/tasks/01_core.yml @@ -2,7 +2,7 @@ include_role: name: '{{ item }}' loop: - - srv-web-7-7-certbot + - sys-svc-certbot - srv-web-7-4-core - sys-alm-compose @@ -22,7 +22,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/srv-web-7-4-core/Todo.md b/roles/srv-web-7-4-core/Todo.md new file mode 100644 index 00000000..49b6fb55 --- /dev/null +++ b/roles/srv-web-7-4-core/Todo.md @@ -0,0 +1,2 @@ +# To-dos +- It could make sense to merge this role with svc-prx-openresty \ No newline at end of file diff --git a/roles/srv-web-7-4-core/tasks/01_core.yml b/roles/srv-web-7-4-core/tasks/01_core.yml index f6676840..b44b99f3 100644 --- a/roles/srv-web-7-4-core/tasks/01_core.yml +++ b/roles/srv-web-7-4-core/tasks/01_core.yml @@ -1,3 +1,27 @@ +- name: "cleanup (if enabled)" + include_tasks: 02_cleanup.yml + when: > + MODE_CLEANUP | bool or + MODE_RESET | bool + +- name: "reset (if enabled)" + include_tasks: 03_reset.yml + when: MODE_RESET | bool + +- name: "Load docker compose handlers" + include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml" + vars: + handler_role_name: "docker-compose" + +- name: "Include tasks to create directories" + include_tasks: 04_directories.yml + +- name: create nginx config file + template: + src: nginx.conf.j2 + dest: "{{ NGINX.FILES.CONFIGURATION }}" + notify: docker compose up + - name: Include health dependencies include_role: name: "{{ item }}" @@ -5,6 +29,7 @@ - sys-hlth-webserver - sys-hlth-csp vars: + # Extra flush is for performance reasons not necessary flush_handlers: false - name: Include openresty 
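Review bot: The new `create nginx config file` task in roles/srv-web-7-4-core/tasks/01_core.yml notifies `docker compose up`, where the task it replaces (removed in the next hunk) notified `restart openresty`; `docker compose up` on an already-running service does not restart it when only a bind-mounted config file changed, so a modified nginx.conf may not take effect until something else restarts the container — verify what the `docker compose up` handler loaded just above actually does, or notify a restart handler as before. The template task also sets no `owner`/`group`/`mode`, unlike the other template tasks in this commit (global.css, logout.js and iframe-handler.js all set `mode: '0644'`), so the file's permissions depend on the remote umask; adding `mode: '0644'` and explicit ownership makes the result deterministic.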
@@ -13,50 +38,12 @@ # Inside openresty their is a validation that it doesn't run multiple times include_role: name: svc-prx-openresty - public: false + # Explicit set to guaranty that application_id will not be overwritten. # Should be anyhow the default case - when: run_once_svc_prx_openresty is not defined + public: false -- name: "reset (if enabled)" - include_tasks: 02_reset.yml - when: MODE_RESET | bool - -- name: Ensure nginx configuration directories are present - file: - path: "{{ item }}" - state: directory - owner: "{{nginx.user}}" - group: "{{nginx.user}}" - mode: '0755' - recurse: yes - loop: > - {{ - [ nginx.directories.configuration ] + - ( nginx.directories.http.values() | list ) + - [ nginx.directories.streams ] - }} - -- name: Ensure nginx data storage directories are present - file: - path: "{{ item }}" - state: directory - recurse: yes - owner: "{{nginx.user}}" - group: "{{nginx.user}}" - mode: '0755' - loop: > - {{ nginx.directories.data.values() | list }} - async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}" - poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}" - -- name: "Include tasks to create cache directories" - include_tasks: 03_cache_directories.yml - when: run_once_nginx_reverse_proxy is not defined - -- name: create nginx config file - template: - src: nginx.conf.j2 - dest: "{{ nginx.files.configuration }}" - notify: restart openresty - \ No newline at end of file + vars: + # Flush openresty handler on first run, so that openresty is up, before openresty related handlers are triggered + flush_handlers: true + when: run_once_svc_prx_openresty is not defined \ No newline at end of file diff --git a/roles/srv-web-7-4-core/tasks/02_cleanup.yml b/roles/srv-web-7-4-core/tasks/02_cleanup.yml new file mode 100644 index 00000000..39ef6126 --- /dev/null +++ b/roles/srv-web-7-4-core/tasks/02_cleanup.yml 
@@ -0,0 +1,8 @@ +- name: Cleanup all NGINX cache directories + become: true + ansible.builtin.file: + path: "{{ item.value }}" + state: absent + loop: "{{ NGINX.DIRECTORIES.CACHE | dict2items }}" + loop_control: + label: "{{ item.key }}" \ No newline at end of file diff --git a/roles/srv-web-7-4-core/tasks/02_reset.yml b/roles/srv-web-7-4-core/tasks/02_reset.yml deleted file mode 100644 index e7169bdd..00000000 --- a/roles/srv-web-7-4-core/tasks/02_reset.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: "Delete {{nginx.directories.configuration}} directory, when MODE_RESET" - file: - path: "{{ nginx.directories.configuration }}" - state: absent \ No newline at end of file diff --git a/roles/srv-web-7-4-core/tasks/03_cache_directories.yml b/roles/srv-web-7-4-core/tasks/03_cache_directories.yml deleted file mode 100644 index fd70b25b..00000000 --- a/roles/srv-web-7-4-core/tasks/03_cache_directories.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: Cleanup all NGINX cache directories - become: true - ansible.builtin.file: - path: "{{ item.value }}" - state: absent - when: - - MODE_CLEANUP | bool - loop: "{{ nginx.directories.cache | dict2items }}" - loop_control: - label: "{{ item.key }}" - -- name: Ensure all NGINX cache directories exist - become: true - ansible.builtin.file: - path: "{{ item.value }}" - state: directory - owner: "{{ nginx.user }}" - group: "{{ nginx.user }}" - mode: '0700' - loop: "{{ nginx.directories.cache | dict2items }}" - loop_control: - label: "{{ item.key }}" - async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}" - poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}" - -- name: run the nginx_reverse_proxy tasks once - set_fact: - run_once_nginx_reverse_proxy: true \ No newline at end of file diff --git a/roles/srv-web-7-4-core/tasks/03_reset.yml b/roles/srv-web-7-4-core/tasks/03_reset.yml new file mode 100644 index 00000000..18a748f9 --- /dev/null +++ b/roles/srv-web-7-4-core/tasks/03_reset.yml 
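Review bot: `become: true` is set on the cleanup task in 02_cleanup.yml but not on the deletion task in the new 03_reset.yml, and in 04_directories.yml only the cache-directory task carries it; all of these tasks write to the same `NGINX.DIRECTORIES.*` tree, so either every one needs `become: true` or none does. If the play already runs as root the flag is redundant noise; if it does not, the tasks without it fail on the first write. Pick one convention for the role and apply it across the three new files.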
@@ -0,0 +1,9 @@ +- name: Delete NGINX config paths + file: + path: "{{ item }}" + state: absent + loop: + - "{{ NGINX.DIRECTORIES.CONFIGURATION }}" + - "{{ NGINX.FILES.CONFIGURATION }}" + loop_control: + label: "{{ item }}" diff --git a/roles/srv-web-7-4-core/tasks/04_directories.yml b/roles/srv-web-7-4-core/tasks/04_directories.yml new file mode 100644 index 00000000..a4681a70 --- /dev/null +++ b/roles/srv-web-7-4-core/tasks/04_directories.yml @@ -0,0 +1,36 @@ +- name: Ensure nginx configuration directories are present + file: + path: "{{ item }}" + state: directory + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" + mode: '0755' + recurse: yes + loop: > + {{ + ( NGINX.DIRECTORIES.HTTP.values() | list ) + + [ NGINX.DIRECTORIES.STREAMS ] + }} + +- name: Ensure all NGINX cache directories exist + become: true + ansible.builtin.file: + path: "{{ item.value }}" + state: directory + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" + mode: '0700' + loop: "{{ NGINX.DIRECTORIES.CACHE | dict2items }}" + loop_control: + label: "{{ item.key }}" + +- name: Ensure nginx data storage directories are present + file: + path: "{{ item }}" + state: directory + recurse: yes + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" + mode: '0755' + loop: > + {{ NGINX.DIRECTORIES.DATA.values() | list }} diff --git a/roles/srv-web-7-4-core/templates/nginx.conf.j2 b/roles/srv-web-7-4-core/templates/nginx.conf.j2 index be989c59..9850629e 100644 --- a/roles/srv-web-7-4-core/templates/nginx.conf.j2 +++ b/roles/srv-web-7-4-core/templates/nginx.conf.j2 
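Review bot: In 04_directories.yml the `Ensure nginx data storage directories are present` task combines `recurse: yes` with `mode: '0755'`, which applies 0755 to every file already inside `NGINX.DIRECTORIES.DATA` and not just to the directories; the assets deployed into the CDN directory elsewhere in this commit (global.css, logout.js, iframe-handler.js) set `mode: '0644'`, so each run flips those files between 0644 and 0755, reports a change, and leaves static assets executable. Use the symbolic form `mode: 'u=rwX,g=rX,o=rX'` so only directories receive the execute bit; the same applies to the configuration-directories task above it. Separately, `NGINX.DIRECTORIES.CONFIGURATION` was dropped from the first task's loop compared with the removed task, while 03_reset.yml deletes it on `MODE_RESET`; if the HTTP and STREAMS directories live under it, the parent is recreated implicitly with default ownership rather than `NGINX.USER` — confirm that is intended.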
@@ -14,8 +14,8 @@ http default_type text/html; {# caching #} - proxy_cache_path {{ nginx.directories.cache.general }} levels=1:2 keys_zone=cache:20m max_size=20g inactive=14d use_temp_path=off; - proxy_cache_path {{ nginx.directories.cache.image }} levels=1:2 keys_zone=imgcache:10m inactive=60m use_temp_path=off; + proxy_cache_path {{ NGINX.DIRECTORIES.CACHE.GENERAL }} levels=1:2 keys_zone=cache:20m max_size=20g inactive=14d use_temp_path=off; + proxy_cache_path {{ NGINX.DIRECTORIES.CACHE.IMAGE }} levels=1:2 keys_zone=imgcache:10m inactive=60m use_temp_path=off; # -------------------------------------------------------------------------------- # Tweak the hash table used to store your server_name entries: @@ -54,12 +54,12 @@ http gzip_types application/atom+xml application/javascript application/xml+rss application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/javascript text/xml; types_hash_max_size 4096; - {% for dir in nginx.directories.http.values() %} + {% for dir in NGINX.DIRECTORIES.HTTP.values() %} include {{ dir }}*.conf; {% endfor %} } # For port proxies stream{ - include {{nginx.directories.streams}}*.conf; + include {{NGINX.DIRECTORIES.STREAMS}}*.conf; } diff --git a/roles/srv-web-7-6-composer/tasks/main.yml b/roles/srv-web-7-6-composer/tasks/main.yml index 6f5d29b6..e261978f 100644 --- a/roles/srv-web-7-6-composer/tasks/main.yml +++ b/roles/srv-web-7-6-composer/tasks/main.yml 
@@ -1,9 +1,9 @@ # run_once_srv_web_7_6_composer: deactivated -- name: "include role srv-web-7-7-inj-compose for {{domain}}" +- name: "include role srv-web-7-7-inj-compose for {{ domain }}" include_role: name: srv-web-7-7-inj-compose -- name: "include role srv-web-6-6-tls-core for {{domain}}" +- name: "include role srv-web-6-6-tls-core for {{ domain }}" include_role: name: srv-web-6-6-tls-core diff --git a/roles/srv-web-7-7-certbot/tasks/main.yml b/roles/srv-web-7-7-certbot/tasks/main.yml deleted file mode 100644 index c93b8659..00000000 --- a/roles/srv-web-7-7-certbot/tasks/main.yml +++ /dev/null @@ -1,41 +0,0 @@ -- name: install certbot - community.general.pacman: - name: certbot - state: present - when: run_once_srv_web_7_7_certbot is not defined - -- name: install certbot DNS plugin - community.general.pacman: - name: "certbot-dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}" - state: present - when: - - run_once_srv_web_7_7_certbot is not defined - - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' - -- name: Ensure /etc/certbot directory exists - file: - path: "{{ CERTBOT_CREDENTIALS_DIR }}" - state: directory - owner: root - group: root - mode: '0755' - when: - - run_once_srv_web_7_7_certbot is not defined - - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' - -- name: Install plugin credentials file - copy: - dest: "{{ CERTBOT_CREDENTIALS_FILE }}" - content: | - dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CERTBOT_DNS_API_TOKEN }} - owner: root - group: root - mode: '0600' - when: - - run_once_srv_web_7_7_certbot is not defined - - CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' - -- name: run the certbot role once - set_fact: - run_once_srv_web_7_7_certbot: true - when: run_once_srv_web_7_7_certbot is not defined \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-compose/tasks/main.yml b/roles/srv-web-7-7-inj-compose/tasks/main.yml index 70c64eda..09a8382b 100644 --- a/roles/srv-web-7-7-inj-compose/tasks/main.yml 
+++ b/roles/srv-web-7-7-inj-compose/tasks/main.yml @@ -1,3 +1,12 @@ +- name: Set inj_enabled dictionary + set_fact: + inj_enabled: + javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}" + logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}" + css: "{{ applications | get_app_conf(application_id, 'features.css', False) }}" + matomo: "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}" + desktop: "{{ applications | get_app_conf(application_id, 'features.desktop', False) }}" + - block: - name: Include dependency 'srv-web-7-4-core' include_role: @@ -6,28 +15,19 @@ - include_tasks: utils/run_once.yml when: run_once_srv_web_7_7_inj_compose is not defined -- name: Set inj_enabled dictionary - set_fact: - inj_enabled: - javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}" - logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}" - css: "{{ applications | get_app_conf(application_id, 'features.css', False) }}" - matomo: "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}" - port_ui: "{{ applications | get_app_conf(application_id, 'features.desktop', False) }}" - - name: "Activate Portfolio iFrame notifier for {{ domain }}" include_role: name: srv-web-7-7-inj-desktop - public: true # Expose variables so that they can be used in template - when: inj_enabled.port_ui + public: true # Vars used in templates + when: inj_enabled.desktop -- name: "Load CDN for {{domain}}" +- name: "Load CDN for {{ domain }}" include_role: name: web-svc-cdn public: false - # ATM just the Logout is using the CDN. when: - inj_enabled.logout + - inj_enabled.desktop - application_id != 'web-svc-cdn' - run_once_web_svc_cdn is not defined 
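Review bot: The `Load CDN` task's `when:` is a list, and list entries are AND-ed, so after this hunk the CDN role is included only when `inj_enabled.logout` and `inj_enabled.desktop` are both true; the removed comment said the logout feature alone needed the CDN, and the desktop role in this commit also writes into `NGINX.DIRECTORIES.DATA.CDN`, which suggests either feature should suffice. If so, collapse the two entries into one expression, `- inj_enabled.logout or inj_enabled.desktop`. The `inj_enabled` values are built with `"{{ ... }}"` templates and then used bare as conditions, which relies on `get_app_conf` returning real booleans; if it can return strings, add `| bool` at the definition rather than at each use.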
@@ -41,23 +41,14 @@ vars: handler_role_name: "{{ item }}" -- name: Set inj_enabled dictionary - set_fact: - inj_enabled: - javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}" - logout: "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}" - css: "{{ applications | get_app_conf(application_id, 'features.css', False) }}" - matomo: "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}" - port_ui: "{{ applications | get_app_conf(application_id, 'features.desktop', False) }}" - -- name: "Activate Corporate CSS for {{domain}}" +- name: "Activate Corporate CSS for {{ domain }}" include_role: name: srv-web-7-7-inj-css when: - inj_enabled.css - run_once_srv_web_7_7_inj_css is not defined -- name: "Activate Matomo Tracking for {{domain}}" +- name: "Activate Matomo Tracking for {{ domain }}" include_role: name: srv-web-7-7-inj-matomo when: inj_enabled.matomo @@ -70,4 +61,5 @@ - name: "Activate logout proxy for {{ domain }}" include_role: name: srv-web-7-7-inj-logout + public: true # Vars used in templates when: inj_enabled.logout diff --git a/roles/srv-web-7-7-inj-compose/templates/location.lua.j2 b/roles/srv-web-7-7-inj-compose/templates/location.lua.j2 index 343948f6..5eb9468e 100644 --- a/roles/srv-web-7-7-inj-compose/templates/location.lua.j2 +++ b/roles/srv-web-7-7-inj-compose/templates/location.lua.j2 @@ -44,7 +44,7 @@ body_filter_by_lua_block { local head_snippets = {} {% for head_feature in ['css', 'matomo', 'desktop', 'javascript', 'logout' ] %} - {% if applications | get_app_conf(application_id, 'features.' ~ head_feature, false) | bool %} + {% if applications | get_app_conf(application_id, 'features.' ~ head_feature, false) %} head_snippets[#head_snippets + 1] = [=[ {%- include "roles/srv-web-7-7-inj-" ~ head_feature ~ "/templates/head_sub.j2" -%} ]=] 
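Review bot: Dropping `| bool` from the `{% if applications | get_app_conf(application_id, 'features.' ~ head_feature, false) %}` test in location.lua.j2 means any truthy non-boolean return (for example the string `"false"` from a loosely typed config entry) now injects the snippet, whereas the previous form normalised it; the same change is made in the body-snippet loop in the next hunk. If the filter is guaranteed to return booleans the change is harmless, but keeping `| bool` costs nothing and prevents a mistyped feature flag from enabling an injection. The enclosing `body_filter_by_lua_block` starts before this hunk.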
@@ -59,7 +59,7 @@ body_filter_by_lua_block { local body_snippets = {} {% for body_feature in ['matomo', 'logout', 'desktop'] %} - {% if applications | get_app_conf(application_id, 'features.' ~ body_feature, false) | bool %} + {% if applications | get_app_conf(application_id, 'features.' ~ body_feature, false) %} body_snippets[#body_snippets + 1] = [=[ {%- include "roles/srv-web-7-7-inj-" ~ body_feature ~ "/templates/body_sub.j2" -%} ]=] diff --git a/roles/srv-web-7-7-inj-css/tasks/01_core.yml b/roles/srv-web-7-7-inj-css/tasks/01_core.yml index a74c55ad..46542112 100644 --- a/roles/srv-web-7-7-inj-css/tasks/01_core.yml +++ b/roles/srv-web-7-7-inj-css/tasks/01_core.yml @@ -15,8 +15,8 @@ template: src: global.css.j2 dest: "{{ global_css_destination }}" - owner: "{{ nginx.user }}" - group: "{{ nginx.user }}" + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" mode: '0644' - name: Get stat for global.css diff --git a/roles/srv-web-7-7-inj-css/templates/location.conf.j2 b/roles/srv-web-7-7-inj-css/templates/location.conf.j2 index eadb50f2..6cbd34c1 100644 --- a/roles/srv-web-7-7-inj-css/templates/location.conf.j2 +++ b/roles/srv-web-7-7-inj-css/templates/location.conf.j2 @@ -1,3 +1,3 @@ location = /global.css { - root {{nginx.directories.data.cdn}}; + root {{NGINX.DIRECTORIES.DATA.CDN}}; } \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-css/vars/main.yml b/roles/srv-web-7-7-inj-css/vars/main.yml index 048b731b..83b491f6 100644 --- a/roles/srv-web-7-7-inj-css/vars/main.yml +++ b/roles/srv-web-7-7-inj-css/vars/main.yml @@ -1,4 +1,4 @@ -global_css_destination: "{{nginx.directories.data.cdn}}global.css" +global_css_destination: "{{NGINX.DIRECTORIES.DATA.CDN}}global.css" global_css_base_color: "{{ design.css.colors.base }}" global_css_count: 7 global_css_shades: 100 \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-desktop/tasks/01_deploy.yml b/roles/srv-web-7-7-inj-desktop/tasks/01_deploy.yml index 153be3b4..82ae7684 100644 
--- a/roles/srv-web-7-7-inj-desktop/tasks/01_deploy.yml +++ b/roles/srv-web-7-7-inj-desktop/tasks/01_deploy.yml @@ -1,14 +1,14 @@ - name: Deploy iframe-handler.js template: src: iframe-handler.js.j2 - dest: "{{ inj_port_ui_js_destination }}" - owner: "{{ nginx.user }}" - group: "{{ nginx.user }}" + dest: "{{ INJ_DESKTOP_JS_FILE_DESTINATION }}" + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" mode: '0644' - name: Get stat for iframe-handler.js stat: - path: "{{ inj_port_ui_js_destination }}" + path: "{{ INJ_DESKTOP_JS_FILE_DESTINATION }}" register: inj_port_ui_js_stat - name: Set inj_port_ui_js_version diff --git a/roles/srv-web-7-7-inj-desktop/templates/head_sub.j2 b/roles/srv-web-7-7-inj-desktop/templates/head_sub.j2 index 4b0fcb83..f4a3f642 100644 --- a/roles/srv-web-7-7-inj-desktop/templates/head_sub.j2 +++ b/roles/srv-web-7-7-inj-desktop/templates/head_sub.j2 @@ -1 +1 @@ - \ No newline at end of file + \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-desktop/vars/main.yml b/roles/srv-web-7-7-inj-desktop/vars/main.yml index f9e693f6..ca67d07b 100644 --- a/roles/srv-web-7-7-inj-desktop/vars/main.yml +++ b/roles/srv-web-7-7-inj-desktop/vars/main.yml @@ -1,2 +1,2 @@ -inj_port_ui_file_name: "iframe-handler.js" -inj_port_ui_js_destination: "{{ [ nginx.directories.data.cdn, inj_port_ui_file_name ] | path_join }}" +INJ_DESKTOP_JS_FILE_NAME: "iframe-handler.js" +INJ_DESKTOP_JS_FILE_DESTINATION: "{{ [ NGINX.DIRECTORIES.DATA.CDN, INJ_DESKTOP_JS_FILE_NAME ] | path_join }}" diff --git a/roles/srv-web-7-7-inj-javascript/tasks/main.yml b/roles/srv-web-7-7-inj-javascript/tasks/main.yml index c07422f4..4c2ece47 100644 --- a/roles/srv-web-7-7-inj-javascript/tasks/main.yml +++ b/roles/srv-web-7-7-inj-javascript/tasks/main.yml 
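Review bot: The rename in roles/srv-web-7-7-inj-desktop/tasks/01_deploy.yml is partial: the destination became `INJ_DESKTOP_JS_FILE_DESTINATION`, but the registered result and the derived fact keep the old prefix (`inj_port_ui_js_stat`, `inj_port_ui_js_version`), while the logout sibling rewritten in this commit (02_deploy.yml) uses `INJ_LOGOUT_JS_STAT` / `INJ_LOGOUT_JS_VERSION`. Either rename these too or keep the lowercase form in both roles; whichever convention wins, any template that reads `inj_port_ui_js_version` has to follow. The `Set inj_port_ui_js_version` task continues past the end of the hunk.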
@@ -11,11 +11,11 @@ set_fact: javascript_code: "{{ lookup('template', modifier_javascript_template_file) }}" -- name: "Collapse Javascript code into one-liner for '{{application_id}}'" +- name: "Collapse Javascript code into one-liner for '{{ application_id }}'" set_fact: javascript_code_one_liner: "{{ javascript_code | to_one_liner }}" -- name: "Append Javascript CSP hash for '{{application_id}}'" +- name: "Append Javascript CSP hash for '{{ application_id }}'" set_fact: applications: "{{ applications | append_csp_hash(application_id, javascript_code_one_liner) }}" changed_when: false diff --git a/roles/srv-web-7-7-inj-logout/tasks/01_core.yml b/roles/srv-web-7-7-inj-logout/tasks/01_core.yml index 0d172025..d920cb76 100644 --- a/roles/srv-web-7-7-inj-logout/tasks/01_core.yml +++ b/roles/srv-web-7-7-inj-logout/tasks/01_core.yml @@ -5,4 +5,4 @@ - run_once_srv_web_7_4_core is not defined - name: "deploy the logout.js" - include_tasks: "deploy.yml" \ No newline at end of file + include_tasks: "02_deploy.yml" \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-logout/tasks/02_deploy.yml b/roles/srv-web-7-7-inj-logout/tasks/02_deploy.yml new file mode 100644 index 00000000..84906509 --- /dev/null +++ b/roles/srv-web-7-7-inj-logout/tasks/02_deploy.yml @@ -0,0 +1,16 @@ +- name: Deploy logout.js + template: + src: logout.js.j2 + dest: "{{ INJ_LOGOUT_JS_DESTINATION }}" + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" + mode: '0644' + +- name: Get stat for logout.js + stat: + path: "{{ INJ_LOGOUT_JS_DESTINATION }}" + register: INJ_LOGOUT_JS_STAT + +- name: Set INJ_LOGOUT_JS_VERSION + set_fact: + INJ_LOGOUT_JS_VERSION: "{{ INJ_LOGOUT_JS_STAT.stat.mtime }}" diff --git a/roles/srv-web-7-7-inj-logout/tasks/deploy.yml b/roles/srv-web-7-7-inj-logout/tasks/deploy.yml deleted file mode 100644 index e4451697..00000000 --- a/roles/srv-web-7-7-inj-logout/tasks/deploy.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -- name: Deploy logout.js - template: - src: logout.js.j2 - dest: "{{ inj_logout_js_destination }}" - owner: "{{ nginx.user }}" - group: "{{ nginx.user }}" - mode: '0644' - -- name: Get stat for logout.js - stat: - path: "{{ inj_logout_js_destination }}" - register: inj_logout_js_stat - -- name: Set inj_logout_js_version - set_fact: - inj_logout_js_version: "{{ inj_logout_js_stat.stat.mtime }}" diff --git a/roles/srv-web-7-7-inj-logout/tasks/main.yml b/roles/srv-web-7-7-inj-logout/tasks/main.yml index 967194b8..c16960b6 100644 --- a/roles/srv-web-7-7-inj-logout/tasks/main.yml +++ b/roles/srv-web-7-7-inj-logout/tasks/main.yml @@ -8,11 +8,11 @@ set_fact: logout_code: "{{ lookup('template', 'logout_one_liner.js.j2') }}" -- name: "Collapse logout code into one-liner for '{{application_id}}'" +- name: "Collapse logout code into one-liner for '{{ application_id }}'" set_fact: logout_code_one_liner: "{{ logout_code | to_one_liner }}" -- name: "Append logout CSP hash for '{{application_id}}'" +- name: "Append logout CSP hash for '{{ application_id }}'" set_fact: applications: "{{ applications | append_csp_hash(application_id, logout_code_one_liner) }}" changed_when: false diff --git a/roles/srv-web-7-7-inj-logout/templates/head_sub.j2 b/roles/srv-web-7-7-inj-logout/templates/head_sub.j2 index 2ad7de47..317ac0a7 100644 --- a/roles/srv-web-7-7-inj-logout/templates/head_sub.j2 +++ b/roles/srv-web-7-7-inj-logout/templates/head_sub.j2 @@ -1 +1 @@ - \ No newline at end of file + \ No newline at end of file diff --git a/roles/srv-web-7-7-inj-logout/vars/main.yml b/roles/srv-web-7-7-inj-logout/vars/main.yml index a02fea80..385f6e8f 100644 --- a/roles/srv-web-7-7-inj-logout/vars/main.yml +++ b/roles/srv-web-7-7-inj-logout/vars/main.yml 
@@ -1,2 +1,2 @@ -inj_logout_file_name: "logout.js" -inj_logout_js_destination: "{{ [ nginx.directories.data.cdn, inj_logout_file_name ] | path_join }}" \ No newline at end of file +INJ_LOGOUT_JS_FILE_NAME: "logout.js" +INJ_LOGOUT_JS_DESTINATION: "{{ [ NGINX.DIRECTORIES.DATA.CDN, INJ_LOGOUT_JS_FILE_NAME ] | path_join }}" \ No newline at end of file diff --git a/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml b/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml index 73639b5d..b6b43284 100644 --- a/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml +++ b/roles/srv-web-7-7-letsencrypt/tasks/01_core.yml @@ -6,7 +6,7 @@ - name: create nginx letsencrypt config file template: src: "letsencrypt.conf.j2" - dest: "{{nginx.directories.http.global}}letsencrypt.conf" + dest: "{{NGINX.DIRECTORIES.HTTP.GLOBAL}}letsencrypt.conf" notify: restart openresty - name: "Set CAA records for all base domains" diff --git a/roles/svc-bkp-rmt-2-loc/tasks/main.yml b/roles/svc-bkp-rmt-2-loc/tasks/main.yml index 96e5b041..1d66b63f 100644 --- a/roles/svc-bkp-rmt-2-loc/tasks/main.yml +++ b/roles/svc-bkp-rmt-2-loc/tasks/main.yml @@ -6,7 +6,6 @@ - dev-git - sys-alm-compose - sys-lock - - user-root - sys-rst-daemon - include_tasks: utils/run_once.yml when: run_once_svc_bkp_rmt_2_loc is not defined @@ -39,7 +38,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/svc-bkp-rmt-2-loc/templates/sys-bkp-rmt-2-loc.service.j2 b/roles/svc-bkp-rmt-2-loc/templates/sys-bkp-rmt-2-loc.service.j2 index 7d5c8640..919ac087 100644 --- a/roles/svc-bkp-rmt-2-loc/templates/sys-bkp-rmt-2-loc.service.j2 +++ b/roles/svc-bkp-rmt-2-loc/templates/sys-bkp-rmt-2-loc.service.j2 
@@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service sys-cln-faild-bkps{{ SYS_SERVICE_S [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_backup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_backup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' ExecStart=/bin/sh -c '/usr/bin/bash {{docker_backup_remote_to_local_folder}}sys-bkp-rmt-2-loc-multi-provider.sh' diff --git a/roles/svc-bkp-rmt-2-loc/vars/main.yml b/roles/svc-bkp-rmt-2-loc/vars/main.yml index 53b09563..fa565f41 100644 --- a/roles/svc-bkp-rmt-2-loc/vars/main.yml +++ b/roles/svc-bkp-rmt-2-loc/vars/main.yml @@ -1,3 +1,3 @@ application_id: svc-bkp-rmt-2-loc -docker_backup_remote_to_local_folder: '{{ path_administrator_scripts }}{{ application_id }}/' +docker_backup_remote_to_local_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}{{ application_id }}/' rmt2loc_backup_providers: "{{ applications | get_app_conf(application_id, 'backup_providers') }}" \ No newline at end of file diff --git a/roles/svc-db-openldap/tasks/main.yml b/roles/svc-db-openldap/tasks/main.yml index 8fb893e6..ce8e5aa8 100644 --- a/roles/svc-db-openldap/tasks/main.yml +++ b/roles/svc-db-openldap/tasks/main.yml 
@@ -4,16 +4,16 @@ include_role: name: docker-compose -- name: Create {{domains | get_domain(application_id)}}.conf if LDAP is exposed to internet +- name: Create {{ domains | get_domain(application_id) }}.conf if LDAP is exposed to internet template: src: "nginx.stream.conf.j2" - dest: "{{nginx.directories.streams}}{{domains | get_domain(application_id)}}.conf" + dest: "{{NGINX.DIRECTORIES.STREAMS}}{{ domains | get_domain(application_id) }}.conf" notify: restart openresty when: applications | get_app_conf(application_id, 'network.public', True) | bool -- name: Remove {{domains | get_domain(application_id)}}.conf if LDAP is not exposed to internet +- name: Remove {{ domains | get_domain(application_id) }}.conf if LDAP is not exposed to internet file: - path: "{{ nginx.directories.streams }}{{ domains | get_domain(application_id) }}.conf" + path: "{{ NGINX.DIRECTORIES.STREAMS }}{{ domains | get_domain(application_id) }}.conf" state: absent when: not applications | get_app_conf(application_id, 'network.public', True) | bool diff --git a/roles/svc-db-postgres/schema/main.yml b/roles/svc-db-postgres/schema/main.yml index b3ec7de3..e8a96ead 100644 --- a/roles/svc-db-postgres/schema/main.yml +++ b/roles/svc-db-postgres/schema/main.yml @@ -1,5 +1,5 @@ credentials: - postgres_password: + POSTGRES_PASSWORD: description: "Password for the PostgreSQL superuser 'postgres'" algorithm: "bcrypt" validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/svc-db-postgres/tasks/01_core.yml b/roles/svc-db-postgres/tasks/01_core.yml index cdb4755e..97e6d247 100644 --- a/roles/svc-db-postgres/tasks/01_core.yml +++ b/roles/svc-db-postgres/tasks/01_core.yml 
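Review bot: Both the create and the remove task decide internet exposure on `applications | get_app_conf(application_id, 'network.public', True) | bool`, and it is not visible here whether that third positional `True` is a strict-lookup flag (as its use for required values like image and version elsewhere in this diff suggests) or a default; if it is a default, a missing `network.public` key publishes the LDAP stream config, which is the wrong direction to fail. If it is a default, change it to `False` or make the lookup strict so a missing key aborts, and record the intent on the first task with `# fail closed: the LDAP stream is only rendered when network.public is explicitly true`.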
@@ -1,26 +1,21 @@ -- name: Include dependency 'docker-core' +- name: Include dependency 'sys-svc-docker' include_role: - name: docker-core - when: run_once_docker_core is not defined + name: sys-svc-docker + when: run_once_sys_svc_docker is not defined - name: Create Docker network for PostgreSQL community.docker.docker_network: - name: "{{ postgres_network_name }}" + name: "{{ POSTGRES_NETWORK_NAME }}" state: present ipam_config: - - subnet: "{{ postgres_subnet }}" + - subnet: "{{ POSTGRES_SUBNET }}" - name: "include docker-compose role" include_role: name: docker-compose - -- name: Wait for Postgres inside the container - shell: "docker exec {{ postgres_name }} pg_isready -U postgres" - register: pg_ready - until: pg_ready.rc == 0 - retries: 30 - delay: 5 + vars: + docker_compose_flush_handlers: true - name: install python-psycopg2 community.general.pacman: diff --git a/roles/svc-db-postgres/tasks/02_init.yml b/roles/svc-db-postgres/tasks/02_init.yml index 319de1ea..c497b4c7 100644 --- a/roles/svc-db-postgres/tasks/02_init.yml +++ b/roles/svc-db-postgres/tasks/02_init.yml @@ -1,11 +1,10 @@ --- -- name: "Wait until Postgres is listening on port {{ postgres_port }}" - wait_for: - host: "{{ postgres_local_host }}" - port: "{{ postgres_port }}" - delay: 5 - timeout: 300 - state: started +- name: Wait for Postgres inside the container + shell: "docker exec {{ POSTGRES_CONTAINER }} pg_isready -U postgres" + register: pg_ready + until: pg_ready.rc == 0 + retries: 30 + delay: 5 # 1) Create the database - name: "Create database: {{ database_name }}" 
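Review bot: The new readiness probe runs `pg_isready` inside the container, but every task that follows it in 02_init.yml connects from the host to `POSTGRES_LOCAL_HOST`:`POSTGRES_PORT`, the published port the removed `wait_for` used to check; in-container readiness does not imply the host-side mapping is accepting connections, and the follow-up tasks only retry `POSTGRES_RETRIES` (5) times at `POSTGRES_DELAY` (2 s). If this is the official postgres image, its entrypoint also runs a temporary socket-only server during first initialisation, which a bare `pg_isready` (no `-h`) can report as ready before the TCP listener exists. Keep the in-container probe if you like, but re-add a host-side `wait_for` on `POSTGRES_LOCAL_HOST`/`POSTGRES_PORT` after it, and use `command:` rather than `shell:` for the probe since no shell features are used: `command: docker exec {{ POSTGRES_CONTAINER }} pg_isready -U postgres`.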
@@ -13,13 +12,13 @@ name: "{{ database_name }}" state: present login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" # 2) Create the database user (with password) - name: "Create database user: {{ database_username }}" 
@@ -29,29 +28,29 @@ db: "{{ database_name }}" state: present login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" # 3) Enable LOGIN for the role (removes NOLOGIN) - name: "Enable login for role {{ database_username }}" community.postgresql.postgresql_query: db: postgres login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" query: | ALTER ROLE "{{ database_username }}" WITH LOGIN; register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" # 4) Grant ALL privileges on all tables in the public schema - name: "Grant ALL privileges on tables in public schema to {{ database_username }}" 
@@ -64,13 +63,13 @@ schema: public state: present login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" # 5) Grant ALL privileges at the database level - name: "Grant all privileges on database {{ database_name }} to {{ database_username }}" 
@@ -81,22 +80,22 @@ privs: ALL state: present login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" # 6) Grant USAGE/CREATE on schema and set default privileges - name: "Set comprehensive schema privileges for {{ database_username }}" community.postgresql.postgresql_query: db: "{{ database_name }}" login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" query: | GRANT USAGE ON SCHEMA public TO "{{ database_username }}"; GRANT CREATE ON SCHEMA public TO "{{ database_username }}"; @@ -104,8 +103,8 @@ GRANT ALL PRIVILEGES ON TABLES TO "{{ database_username }}"; register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" # 7) Ensure PostGIS and related extensions are installed (if enabled) - name: "Ensure PostGIS-related extensions are installed" 
@@ -114,9 +113,9 @@ ext: "{{ item }}" state: present login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" loop: - postgis - pg_trgm @@ -124,8 +123,8 @@ when: postgres_gis_enabled | bool register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" # 8) Ensure pgvector (vector) extension is installed (for Discourse‑AI, pgvector, …) - name: "Ensure pgvector (vector) extension is installed" @@ -134,10 +133,10 @@ ext: vector state: present login_user: postgres - login_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" - login_host: "{{ postgres_local_host }}" - login_port: "{{ postgres_port }}" + login_password: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" + login_host: "{{ POSTGRES_LOCAL_HOST }}" + login_port: "{{ POSTGRES_PORT }}" register: postgresql_result until: postgresql_result is succeeded - retries: "{{ postgres_retry_retries }}" - delay: "{{ postgres_retry_delay }}" + retries: "{{ POSTGRES_RETRIES }}" + delay: "{{ POSTGRES_DELAY }}" diff --git a/roles/svc-db-postgres/tasks/main.yml b/roles/svc-db-postgres/tasks/main.yml index b84ad421..a1cdca47 100644 --- a/roles/svc-db-postgres/tasks/main.yml +++ b/roles/svc-db-postgres/tasks/main.yml 
@@ -1,6 +1,9 @@ - block: - include_tasks: 01_core.yml - include_tasks: utils/run_once.yml + vars: + # Force the flush of the pg handler on the first run + flush_handlers: true when: run_once_svc_db_postgres is not defined - include_tasks: "{{ playbook_dir }}/tasks/utils/load_handlers.yml" @@ -10,4 +13,4 @@ - name: "Initialize database for '{{ database_name }}'" include_tasks: 02_init.yml - when: postgres_init | bool \ No newline at end of file + when: POSTGRES_INIT | bool \ No newline at end of file diff --git a/roles/svc-db-postgres/templates/Dockerfile.j2 b/roles/svc-db-postgres/templates/Dockerfile.j2 index e7447403..b838bce3 100644 --- a/roles/svc-db-postgres/templates/Dockerfile.j2 +++ b/roles/svc-db-postgres/templates/Dockerfile.j2 @@ -1,6 +1,6 @@ -FROM {{ postgres_image }}:{{ postgres_version }} +FROM {{ POSTGRES_IMAGE }}:{{ POSTGRES_VERSION }} -{% if postgres_pg_vector_enabled %} +{% if POSTGRES_VECTOR_ENABLED %} RUN apt-get update \ && apt-get install -y --no-install-recommends \ build-essential \ diff --git a/roles/svc-db-postgres/templates/docker-compose.yml.j2 b/roles/svc-db-postgres/templates/docker-compose.yml.j2 index 331d8cbc..a6b785e0 100644 --- a/roles/svc-db-postgres/templates/docker-compose.yml.j2 +++ b/roles/svc-db-postgres/templates/docker-compose.yml.j2 @@ -1,15 +1,15 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} postgres: - container_name: "{{ postgres_name }}" - image: "{{ postgres_custom_image_name }}" + container_name: "{{ POSTGRES_CONTAINER }}" + image: "{{ POSTGRES_CUSTOM_IMAGE_NAME }}" build: context: . dockerfile: Dockerfile {% include 'roles/docker-container/templates/base.yml.j2' %} -{% if postgres_expose_local %} +{% if POSTGRES_EXPOSE_LOCAL %} ports: - - "{{ postgres_local_host }}:{{ postgres_port }}:5432" + - "{{ POSTGRES_LOCAL_HOST }}:{{ POSTGRES_PORT }}:5432" {% endif %} volumes: - "data:/var/lib/postgresql/data" 
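Review bot: The added `vars: flush_handlers: true` has no reader visible in this diff — 01_core.yml already passes `docker_compose_flush_handlers: true` to the docker-compose role and vars/main.yml defines the same key — so the comment "Force the flush of the pg handler on the first run" describes a variable that, as far as these hunks show, nothing consumes. If utils/run_once.yml or load_handlers.yml honours a `flush_handlers` flag, name that consumer in the comment (`# read by utils/run_once.yml to flush handlers on first include`); otherwise drop the vars block or replace it with an explicit `- meta: flush_handlers` step at the point where the flush is actually required.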
@@ -17,6 +17,6 @@ {% include 'roles/docker-compose/templates/volumes.yml.j2' %} data: - name: "{{ postgres_volume }}" + name: "{{ POSTGRES_VOLUME }}" {% include 'roles/docker-compose/templates/networks.yml.j2' %} \ No newline at end of file diff --git a/roles/svc-db-postgres/templates/env.j2 b/roles/svc-db-postgres/templates/env.j2 index 413533d7..ba7bcf12 100644 --- a/roles/svc-db-postgres/templates/env.j2 +++ b/roles/svc-db-postgres/templates/env.j2 @@ -1,3 +1,3 @@ -POSTGRES_PASSWORD="{{ postgres_password }}" +POSTGRES_PASSWORD="{{ POSTGRES_PASSWORD }}" # Necessary for web-app-matrix POSTGRES_INITDB_ARGS="--encoding=UTF8 --locale=C" \ No newline at end of file diff --git a/roles/svc-db-postgres/vars/main.yml b/roles/svc-db-postgres/vars/main.yml index 711b21ce..932e2e2f 100644 --- a/roles/svc-db-postgres/vars/main.yml +++ b/roles/svc-db-postgres/vars/main.yml 
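Review bot: The value rendered into `POSTGRES_PASSWORD="{{ POSTGRES_PASSWORD }}"` is, per the credential schema changed in this same commit (`validation: "^\\$2[aby]\\$.{56}$"`), a string beginning with `$2b$`, and when this file is consumed through Compose's `env_file:` or as `.env`, `$` sequences may be subject to variable interpolation. Confirm the password the container receives is byte-identical to the stored credential (e.g. `docker compose config` or `docker exec {{ POSTGRES_CONTAINER }} env`), and if it is not, either single-quote the value — Compose's env-file parser takes single-quoted values literally — or escape `$` as `$$`. A comment on the line, `# value contains '$' — verify Compose does not interpolate it`, keeps the caveat with the template.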
@@ -8,18 +8,18 @@ docker_compose_flush_handlers: true database_type: "{{ application_id | get_entity_name }}" ## Postgres -postgres_volume: "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}" -postgres_name: "{{ applications | get_app_conf(application_id, 'docker.services.postgres.name', True) }}" -postgres_image: "{{ applications | get_app_conf(application_id, 'docker.services.postgres.image', True) }}" -postgres_subnet: "{{ networks.local['svc-db-postgres'].subnet }}" -postgres_network_name: "{{ applications | get_app_conf(application_id, 'docker.network', True) }}" -postgres_version: "{{ applications | get_app_conf(application_id, 'docker.services.postgres.version', True) }}" -postgres_password: "{{ applications | get_app_conf(application_id, 'credentials.postgres_password', True) }}" -postgres_port: "{{ database_port | default(ports.localhost.database[ application_id ]) }}" -postgres_init: "{{ database_username is defined and database_password is defined and database_name is defined }}" -postgres_expose_local: True # Exposes the db to localhost, almost everytime neccessary -postgres_custom_image_name: "postgres_custom" -postgres_local_host: "127.0.0.1" -postgres_pg_vector_enabled: True # Required by discourse, propably in a later step it makes sense to define this as a configuration option in config/main.yml -postgres_retry_retries: 5 -postgres_retry_delay: 2 \ No newline at end of file +POSTGRES_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}" +POSTGRES_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.postgres.name', True) }}" +POSTGRES_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.postgres.image', True) }}" +POSTGRES_SUBNET: "{{ networks.local['svc-db-postgres'].subnet }}" +POSTGRES_NETWORK_NAME: "{{ applications | get_app_conf(application_id, 'docker.network', True) }}" +POSTGRES_VERSION: "{{ applications | get_app_conf(application_id, 
'docker.services.postgres.version', True) }}" +POSTGRES_PASSWORD: "{{ applications | get_app_conf(application_id, 'credentials.POSTGRES_PASSWORD', True) }}" +POSTGRES_PORT: "{{ database_port | default(ports.localhost.database[ application_id ]) }}" +POSTGRES_INIT: "{{ database_username is defined and database_password is defined and database_name is defined }}" +POSTGRES_EXPOSE_LOCAL: True # Exposes the db to localhost, almost everytime neccessary +POSTGRES_CUSTOM_IMAGE_NAME: "postgres_custom" +POSTGRES_LOCAL_HOST: "127.0.0.1" +POSTGRES_VECTOR_ENABLED: True # Required by discourse, propably in a later step it makes sense to define this as a configuration option in config/main.yml +POSTGRES_RETRIES: 5 +POSTGRES_DELAY: 2 \ No newline at end of file diff --git a/roles/svc-opt-ssd-hdd/schema/main.yml b/roles/svc-opt-ssd-hdd/schema/main.yml index cf244f42..e52da4ce 100644 --- a/roles/svc-opt-ssd-hdd/schema/main.yml +++ b/roles/svc-opt-ssd-hdd/schema/main.yml @@ -1,5 +1,5 @@ credentials: - postgres_password: + POSTGRES_PASSWORD: description: "Password for the PostgreSQL superuser 'postgres'" algorithm: "bcrypt" validation: "^\\$2[aby]\\$.{56}$" diff --git a/roles/svc-opt-ssd-hdd/templates/svc-opt-ssd-hdd.service.j2 b/roles/svc-opt-ssd-hdd/templates/svc-opt-ssd-hdd.service.j2 index 17858cec..5c632011 100644 --- a/roles/svc-opt-ssd-hdd/templates/svc-opt-ssd-hdd.service.j2 +++ b/roles/svc-opt-ssd-hdd/templates/svc-opt-ssd-hdd.service.j2 
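Review bot: Renaming the credential key from `credentials.postgres_password` to `credentials.POSTGRES_PASSWORD` breaks every existing inventory or vault entry, and if the `True` argument makes the lookup strict, the first run after upgrade fails at `POSTGRES_PASSWORD:` with a lookup error rather than a migration message. Either document the rename in the changelog/README or keep a one-release fallback such as `default(applications | get_app_conf(application_id, 'credentials.postgres_password', False))` so old inventories still work. Separately, `POSTGRES_EXPOSE_LOCAL: True` and `POSTGRES_VECTOR_ENABLED: True` should be lowercase `true` (yamllint truthy), and the comment on the latter admits it belongs in config/main.yml rather than being hard-coded.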
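Review bot: This schema declares a PostgreSQL superuser credential for the storage-optimizer role with the identical description, algorithm and regex as roles/svc-db-postgres/schema/main.yml, yet nothing else in svc-opt-ssd-hdd shown here touches Postgres — its service unit only runs the optimizer script with two storage paths — so it looks like a copied schema that makes the credential generator mint and store an unused superuser secret. If it is unused, delete the `credentials:` block; if the optimizer script does authenticate to Postgres, add a comment naming the consumer, e.g. `# consumed by svc-opt-ssd-hdd.py to ...`, so the next reviewer does not ask the same question.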
@@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore svc-opt-ssd-hdd svc-bkp-rmt-2-loc --timeout "{{system_maintenance_lock_timeout_storage_optimizer}}"' +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore svc-opt-ssd-hdd svc-bkp-rmt-2-loc --timeout "{{system_maintenance_lock_timeout_storage_optimizer}}"' ExecStart=/bin/sh -c '/usr/bin/python {{storage_optimizer_script}} --rapid-storage-path {{path_rapid_storage}} --mass-storage-path {{path_mass_storage}}' \ No newline at end of file diff --git a/roles/svc-opt-ssd-hdd/vars/main.yml b/roles/svc-opt-ssd-hdd/vars/main.yml index c0d18c43..c53de733 100644 --- a/roles/svc-opt-ssd-hdd/vars/main.yml +++ b/roles/svc-opt-ssd-hdd/vars/main.yml @@ -1,5 +1,5 @@ application_id: svc-opt-ssd-hdd -storage_optimizer_directory: '{{ path_administrator_scripts }}{{ application_id }}/' +storage_optimizer_directory: '{{ PATH_ADMINISTRATOR_SCRIPTS }}{{ application_id }}/' storage_optimizer_script: '{{ storage_optimizer_directory }}{{ application_id }}.py' path_rapid_storage: "{{ applications | get_app_conf(application_id, 'volumes.rapid_storage') }}" path_mass_storage: "{{ applications | get_app_conf(application_id, 'volumes.mass_storage') }}" diff --git a/roles/svc-prx-openresty/config/main.yml b/roles/svc-prx-openresty/config/main.yml index 1a3cfbe1..15fb726c 100644 --- a/roles/svc-prx-openresty/config/main.yml +++ b/roles/svc-prx-openresty/config/main.yml @@ -1,4 +1,7 @@ docker: services: openresty: - name: "openresty" \ No newline at end of file + name: "openresty" + volumes: + www: "/var/www/" + nginx: "/etc/nginx/" \ No newline at end of file diff --git a/roles/svc-prx-openresty/docs/DEBUG.md b/roles/svc-prx-openresty/docs/DEBUG.md index 8904d3dd..506826bd 100644 
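Review bot: The new `docker.services.openresty.volumes.www` and `.nginx` keys have no reader in this diff — templates/docker-compose.yml.j2 still binds `NGINX.FILES.CONFIGURATION`, `NGINX.DIRECTORIES.*` and the Letsencrypt paths directly — so they are configuration that will drift from the real bind mounts. Either wire them into the compose template now or mark them as such: `# reserved: not yet used by templates/docker-compose.yml.j2`.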
--- a/roles/svc-prx-openresty/docs/DEBUG.md +++ b/roles/svc-prx-openresty/docs/DEBUG.md @@ -9,7 +9,7 @@ This document provides commands and tips to validate and inspect the OpenResty ( * **Quick syntax check (quiet):** ```bash - docker exec {{ openresty_container }} openresty -t -q + docker exec {{ OPENRESTY_CONTAINER }} openresty -t -q ``` *Returns only errors.* @@ -17,13 +17,13 @@ This document provides commands and tips to validate and inspect the OpenResty ( * **Detailed syntax check (show warnings):** ```bash - docker exec {{ openresty_container }} openresty -t + docker exec {{ OPENRESTY_CONTAINER }} openresty -t ``` or: ```bash - docker exec {{ openresty_container }} nginx -t + docker exec {{ OPENRESTY_CONTAINER }} nginx -t ``` --- @@ -34,9 +34,9 @@ To see the full configuration after all `include` directives are processed: ```bash # Within the running container -docker exec {{ openresty_container }} openresty -T +docker exec {{ OPENRESTY_CONTAINER }} openresty -T # or equivalently -docker exec {{ openresty_container }} nginx -T +docker exec {{ OPENRESTY_CONTAINER }} nginx -T ``` This outputs every directive from `nginx.conf` and all files in `conf.d` in the order Nginx will use them. @@ -103,5 +103,5 @@ That way you’ll see exactly which domains your server is serving and which nam * After fixing issues, reload without downtime: ```bash - docker exec {{ openresty_container }} openresty -s reload + docker exec {{ OPENRESTY_CONTAINER }} openresty -s reload ``` \ No newline at end of file diff --git a/roles/svc-prx-openresty/handlers/main.yml b/roles/svc-prx-openresty/handlers/main.yml index d8481d16..05410ccc 100644 --- a/roles/svc-prx-openresty/handlers/main.yml +++ b/roles/svc-prx-openresty/handlers/main.yml 
@@ -1,12 +1,15 @@
---
- name: Validate OpenResty configuration
command: >
- docker exec {{ openresty_container }} openresty -t -q
+ docker exec {{ OPENRESTY_CONTAINER }} openresty -t -q
register: openresty_test
changed_when: false
- failed_when: openresty_test.rc != 0
+ failed_when: >
+ openresty_test.rc != 0 and
+ ('is not running' not in ((openresty_test.stderr | default('')) | lower)) and
+ ('no such container' not in ((openresty_test.stderr | default('')) | lower))
listen: restart openresty

- name: Restart OpenResty container
- command: docker restart {{ openresty_container }}
+ command: docker restart {{ OPENRESTY_CONTAINER }}
listen: restart openresty
diff --git a/roles/svc-prx-openresty/templates/docker-compose.yml.j2 b/roles/svc-prx-openresty/templates/docker-compose.yml.j2
index 650d5723..17aa1458 100644
--- a/roles/svc-prx-openresty/templates/docker-compose.yml.j2
+++ b/roles/svc-prx-openresty/templates/docker-compose.yml.j2
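Review bot: The widened `failed_when` turns "validation could not run" (container stopped or absent) into a pass, and the second handler on the same `listen` then executes `docker restart`, which brings the proxy up on whatever config is on disk — exactly the case the validation exists to catch (a broken config deployed while the proxy is down) now ships unchecked. Either gate the restart on a validation that actually ran, e.g. `when: openresty_test.rc == 0` on the restart handler, or validate independently of container state with a throwaway run, `docker run --rm` with the same read-only config mounts as the compose file and `openresty -t -q`. Matching English substrings in stderr is also brittle across Docker versions; checking `docker inspect` for the running state is the robust signal.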
@@ -1,15 +1,15 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} openresty: - container_name: {{ openresty_container }} - image: {{ openresty_image }}:{{ openresty_version }} + container_name: {{ OPENRESTY_CONTAINER }} + image: {{ OPENRESTY_IMAGE }}:{{ OPENRESTY_VERSION }} network_mode: "host" volumes: - - {{ nginx.files.configuration }}:/usr/local/openresty/nginx/conf/nginx.conf:ro - - {{ nginx.directories.configuration }}:/usr/local/openresty/nginx/conf/conf.d:ro - - {{ nginx.files.configuration }}:{{ nginx.files.configuration }}:ro - - {{ nginx.directories.configuration }}:{{ nginx.directories.configuration }}:ro - - {{ nginx.directories.data.www }}:{{ nginx.directories.data.www }}:ro - - {{ nginx.directories.data.well_known }}:{{ nginx.directories.data.well_known }}:ro + - {{ NGINX.FILES.CONFIGURATION }}:/usr/local/openresty/nginx/conf/nginx.conf:ro + - {{ NGINX.DIRECTORIES.CONFIGURATION }}:/usr/local/openresty/nginx/conf/conf.d:ro + - {{ NGINX.FILES.CONFIGURATION }}:{{ NGINX.FILES.CONFIGURATION }}:ro + - {{ NGINX.DIRECTORIES.CONFIGURATION }}:{{ NGINX.DIRECTORIES.CONFIGURATION }}:ro + - {{ NGINX.DIRECTORIES.DATA.WWW }}:{{ NGINX.DIRECTORIES.DATA.WWW }}:ro + - {{ NGINX.DIRECTORIES.DATA.WELL_KNOWN }}:{{ NGINX.DIRECTORIES.DATA.WELL_KNOWN }}:ro - {{ LETSENCRYPT_WEBROOT_PATH }}:{{ LETSENCRYPT_WEBROOT_PATH }}:ro - {{ LETSENCRYPT_BASE_PATH }}:{{ LETSENCRYPT_BASE_PATH }}:ro command: ["openresty", "-g", "daemon off;"] \ No newline at end of file diff --git a/roles/svc-prx-openresty/vars/main.yml b/roles/svc-prx-openresty/vars/main.yml index 4c650551..e9117775 100644 --- a/roles/svc-prx-openresty/vars/main.yml +++ b/roles/svc-prx-openresty/vars/main.yml 
@@ -5,6 +5,7 @@ application_id: "svc-prx-openresty" database_type: "" # Openresty -openresty_image: "openresty/openresty" -openresty_version: "alpine" -openresty_container: "{{ applications | get_app_conf(application_id, 'docker.services.openresty.name', True) }}" +OPENRESTY_IMAGE: "openresty/openresty" +OPENRESTY_VERSION: "alpine" +OPENRESTY_CONTAINER: "{{ applications | get_app_conf(application_id, 'docker.services.openresty.name', True) }}" + diff --git a/roles/sys-alm-email/vars/main.yml b/roles/sys-alm-email/vars/main.yml index 40a29b02..8b4f6bc2 100644 --- a/roles/sys-alm-email/vars/main.yml +++ b/roles/sys-alm-email/vars/main.yml @@ -1 +1 @@ -systemd_notifier_email_folder: '{{path_administrator_scripts}}sys-alm-email/' +systemd_notifier_email_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-alm-email/' diff --git a/roles/sys-bkp-docker-2-loc/tasks/01_core.yml b/roles/sys-bkp-docker-2-loc/tasks/01_core.yml index b6e342c3..27ea4e0b 100644 --- a/roles/sys-bkp-docker-2-loc/tasks/01_core.yml +++ b/roles/sys-bkp-docker-2-loc/tasks/01_core.yml @@ -30,7 +30,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml b/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml index ba45c9d1..82ed628e 100644 --- a/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml +++ b/roles/sys-bkp-docker-2-loc/tasks/04_seed-database-to-backup.yml @@ -12,6 +12,7 @@ database_username: "{{ database_username | default('undefined') }}" database_password: "{{ database_password | default('undefined') }}" when: MODE_DEBUG | bool + no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" - name: "fail if not all required database variables are defined" fail: 
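Review bot: The debug task in the seed-database hunk (its head is above the hunk) prints `database_password` and now hides it only when `MASK_CREDENTIALS_IN_LOGS` is true, so with masking disabled in `MODE_DEBUG` the credential lands in the Ansible output and any log aggregation. Secrets should not be printed even in debug: print `database_password is defined` instead of the value, and keep `no_log: true` unconditional on any task that still carries it. Also `MASK_CREDENTIALS_IN_LOGS | bool` raises if the variable is undefined; `no_log: "{{ MASK_CREDENTIALS_IN_LOGS | default(true) | bool }}"` fails safe.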
@@ -25,6 +26,7 @@ database_name is defined and database_username is defined and database_password is defined) + no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" - name: "seed database values in directory {{ backup_docker_to_local_folder }}" command: > @@ -40,6 +42,7 @@ - database_name is defined - database_username is defined - database_password is defined + no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}" - name: Set file permissions for databases.csv to be readable, writable, and executable by root only ansible.builtin.file: diff --git a/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc-everything.service.j2 b/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc-everything.service.j2 index 30bb0c58..cd9f1dd3 100644 --- a/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc-everything.service.j2 +++ b/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc-everything.service.j2 @@ -4,6 +4,6 @@ OnFailure=sys-alm-compose.infinito@%n.service sys-cln-faild-bkps{{ SYS_SERVICE_S [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{ system_maintenance_backup_services | reject('equalto', 'sys-bkp-docker-2-loc') | join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{ system_maintenance_backup_services | reject('equalto', 'sys-bkp-docker-2-loc') | join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' ExecStart=/bin/sh -c '{{ bkp_docker_2_loc_exec }} --everything' ExecStartPost=/bin/sh -c '/bin/systemctl start sys-rpr-docker-soft{{ SYS_SERVICE_SUFFIX }} &' \ No newline at end of file diff --git a/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc.service.j2 b/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc.service.j2 index e75c8eab..1dcfbde7 100644 
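Review bot: Putting `no_log` on the `fail` task hides the only diagnostic the operator gets when required database variables are missing — Ansible replaces the failure message with a suppression notice — while the task itself handles no secret (its `when` only tests `is defined`). Unless its `msg`, which is outside the hunk, echoes the password, remove `no_log` from the fail task and keep it on the debug and seed tasks, which are the ones that carry `database_password`.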
--- a/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc.service.j2 +++ b/roles/sys-bkp-docker-2-loc/templates/sys-bkp-docker-2-loc.service.j2 @@ -4,6 +4,6 @@ OnFailure=sys-alm-compose.infinito@%n.service sys-cln-faild-bkps{{ SYS_SERVICE_S [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{ system_maintenance_backup_services | reject('equalto', 'sys-bkp-docker-2-loc-everything') | join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{ system_maintenance_backup_services | reject('equalto', 'sys-bkp-docker-2-loc-everything') | join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' ExecStart=/bin/sh -c '{{ bkp_docker_2_loc_exec }}' ExecStartPost=/bin/sh -c '/bin/systemctl start sys-rpr-docker-soft{{ SYS_SERVICE_SUFFIX }} &' \ No newline at end of file diff --git a/roles/sys-bkp-docker-2-loc/vars/main.yml b/roles/sys-bkp-docker-2-loc/vars/main.yml index dd473776..c976e2c7 100644 --- a/roles/sys-bkp-docker-2-loc/vars/main.yml +++ b/roles/sys-bkp-docker-2-loc/vars/main.yml @@ -42,5 +42,5 @@ bkp_docker_2_loc_cli_args_list: bkp_docker_2_loc_exec: >- /usr/bin/python {{ backup_docker_to_local_folder }}backup-docker-to-local.py - --compose-dir {{ path_docker_compose_instances }} + --compose-dir {{ PATH_DOCKER_COMPOSE_INSTANCES }} {{ bkp_docker_2_loc_cli_args_list | select('string') | join(' ') }} \ No newline at end of file diff --git a/roles/sys-cln-bkps-service/templates/sys-cln-backups.service.j2 b/roles/sys-cln-bkps-service/templates/sys-cln-backups.service.j2 index 9916cdd5..c1a6b2e9 100644 --- a/roles/sys-cln-bkps-service/templates/sys-cln-backups.service.j2 +++ b/roles/sys-cln-bkps-service/templates/sys-cln-backups.service.j2 
@@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' ExecStart=/bin/sh -c '/usr/bin/python {{cleanup_backups_directory}}sys-cln-backups.py --backups-folder-path {{backups_folder_path}} --maximum-backup-size-percent {{size_percent_maximum_backup}}' \ No newline at end of file diff --git a/roles/sys-cln-bkps-service/vars/main.yml b/roles/sys-cln-bkps-service/vars/main.yml index fe31198a..b811adac 100644 --- a/roles/sys-cln-bkps-service/vars/main.yml +++ b/roles/sys-cln-bkps-service/vars/main.yml @@ -1,2 +1,2 @@ -cleanup_backups_directory: '{{path_administrator_scripts}}sys-cln-backups/' +cleanup_backups_directory: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-cln-backups/' diff --git a/roles/sys-cln-bkps-timer/tasks/01_core.yml b/roles/sys-cln-bkps-timer/tasks/01_core.yml index bce244de..b32a8330 100644 --- a/roles/sys-cln-bkps-timer/tasks/01_core.yml +++ b/roles/sys-cln-bkps-timer/tasks/01_core.yml @@ -9,7 +9,7 @@ set_fact: service_name: "sys-cln-backups" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-cln-certs/tasks/01_core.yml b/roles/sys-cln-certs/tasks/01_core.yml index b654355f..f0f1eb6b 100644 --- a/roles/sys-cln-certs/tasks/01_core.yml +++ b/roles/sys-cln-certs/tasks/01_core.yml 
@@ -21,7 +21,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-cln-disc-space/tasks/main.yml b/roles/sys-cln-disc-space/tasks/main.yml index 08938ff6..f1443a8b 100644 --- a/roles/sys-cln-disc-space/tasks/main.yml +++ b/roles/sys-cln-disc-space/tasks/main.yml @@ -30,7 +30,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-cln-disc-space/templates/sys-cln-disc-space.service.j2 b/roles/sys-cln-disc-space/templates/sys-cln-disc-space.service.j2 index 691ff05d..7a00f0fd 100644 --- a/roles/sys-cln-disc-space/templates/sys-cln-disc-space.service.j2 +++ b/roles/sys-cln-disc-space/templates/sys-cln-disc-space.service.j2 @@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_backup_services}}"' ExecStart=/bin/sh -c '/bin/bash {{cleanup_disc_space_folder}}sys-cln-disc-space.sh {{size_percent_cleanup_disc_space}}' \ No newline at end of file diff --git a/roles/sys-cln-disc-space/templates/sys-cln-disc-space.sh.j2 b/roles/sys-cln-disc-space/templates/sys-cln-disc-space.sh.j2 index c0213af2..1e607bda 100644 --- a/roles/sys-cln-disc-space/templates/sys-cln-disc-space.sh.j2 +++ b/roles/sys-cln-disc-space/templates/sys-cln-disc-space.sh.j2 
@@ -24,7 +24,7 @@ if [ "$force_freeing" = true ]; then {% if backups_folder_path is defined and size_percent_maximum_backup is defined %} echo "cleaning up backups" && - python {{path_administrator_scripts}}sys-cln-backups/sys-cln-backups.py --backups-folder-path {{backups_folder_path}} --maximum-backup-size-percent {{size_percent_maximum_backup}} || exit 2 + python {{ PATH_ADMINISTRATOR_SCRIPTS }}sys-cln-backups/sys-cln-backups.py --backups-folder-path {{backups_folder_path}} --maximum-backup-size-percent {{size_percent_maximum_backup}} || exit 2 {% endif %} if pacman -Qs $package > /dev/null ; then diff --git a/roles/sys-cln-disc-space/vars/main.yml b/roles/sys-cln-disc-space/vars/main.yml index 84ad3eae..29b4c061 100644 --- a/roles/sys-cln-disc-space/vars/main.yml +++ b/roles/sys-cln-disc-space/vars/main.yml @@ -1 +1 @@ -cleanup_disc_space_folder: '{{ path_administrator_scripts }}sys-cln-disc-space/' +cleanup_disc_space_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-cln-disc-space/' diff --git a/roles/sys-cln-domains/tasks/remove_deprecated_nginx_configs.yml b/roles/sys-cln-domains/tasks/remove_deprecated_nginx_configs.yml index 377c1d37..3f0534df 100644 --- a/roles/sys-cln-domains/tasks/remove_deprecated_nginx_configs.yml +++ b/roles/sys-cln-domains/tasks/remove_deprecated_nginx_configs.yml @@ -1,7 +1,7 @@ --- - name: Find matching nginx configs for {{ domain }} ansible.builtin.find: - paths: "{{ nginx.directories.http.servers }}" + paths: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}" patterns: "*.{{ domain }}.conf" register: find_result @@ -15,6 +15,6 @@ - name: Remove exact nginx config for {{ domain }} ansible.builtin.file: - path: "{{ nginx.directories.http.servers }}{{ domain }}.conf" + path: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf" state: absent notify: restart openresty \ No newline at end of file diff --git a/roles/sys-cln-faild-bkps/tasks/01_core.yml b/roles/sys-cln-faild-bkps/tasks/01_core.yml index fe0b942e..5244cd68 100644 
--- a/roles/sys-cln-faild-bkps/tasks/01_core.yml +++ b/roles/sys-cln-faild-bkps/tasks/01_core.yml @@ -33,7 +33,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-cln-faild-bkps/templates/sys-cln-faild-bkps.service.j2 b/roles/sys-cln-faild-bkps/templates/sys-cln-faild-bkps.service.j2 index 6606f05c..021bf34e 100644 --- a/roles/sys-cln-faild-bkps/templates/sys-cln-faild-bkps.service.j2 +++ b/roles/sys-cln-faild-bkps/templates/sys-cln-faild-bkps.service.j2 @@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_cleanup_services}}"' +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} --timeout "{{system_maintenance_lock_timeout_cleanup_services}}"' ExecStart=/bin/sh -c '/usr/bin/yes | /usr/bin/bash {{backup_docker_to_local_cleanup_script}}' \ No newline at end of file diff --git a/roles/sys-hlth-btrfs/README.md b/roles/sys-hlth-btrfs/README.md index eab9032a..dbcb2f9c 100644 --- a/roles/sys-hlth-btrfs/README.md +++ b/roles/sys-hlth-btrfs/README.md @@ -11,6 +11,6 @@ Checks the health of all mounted Btrfs filesystems by inspecting device error co ## Usage Just include this role in your playbook; it will: -1. Deploy a small shell script under `{{ path_administrator_scripts }}/sys-hlth-btrfs/`. +1. Deploy a small shell script under `{{ PATH_ADMINISTRATOR_SCRIPTS }}/sys-hlth-btrfs/`. 2. Install a `.service` and `.timer` unit. 3. Send alerts via `sys-alm-compose` if any filesystem shows errors. 
diff --git a/roles/sys-hlth-btrfs/tasks/main.yml b/roles/sys-hlth-btrfs/tasks/main.yml index 42c1e81d..ec4bdd75 100644 --- a/roles/sys-hlth-btrfs/tasks/main.yml +++ b/roles/sys-hlth-btrfs/tasks/main.yml @@ -29,7 +29,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-hlth-btrfs/vars/main.yml b/roles/sys-hlth-btrfs/vars/main.yml index 170d0826..869c7980 100644 --- a/roles/sys-hlth-btrfs/vars/main.yml +++ b/roles/sys-hlth-btrfs/vars/main.yml @@ -1 +1 @@ -docker_health_btrfs_folder: '{{path_administrator_scripts}}sys-hlth-btrfs/' +docker_health_btrfs_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-btrfs/' diff --git a/roles/sys-hlth-csp/templates/sys-hlth-csp.service.j2 b/roles/sys-hlth-csp/templates/sys-hlth-csp.service.j2 index 3e523b60..88b1a20c 100644 --- a/roles/sys-hlth-csp/templates/sys-hlth-csp.service.j2 +++ b/roles/sys-hlth-csp/templates/sys-hlth-csp.service.j2 @@ -5,4 +5,4 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot ExecStart=/usr/bin/python3 {{ health_csp_crawler_script }} \ - --nginx-config-dir={{ nginx.directories.http.servers }} \ No newline at end of file + --nginx-config-dir={{ NGINX.DIRECTORIES.HTTP.SERVERS }} \ No newline at end of file diff --git a/roles/sys-hlth-csp/vars/main.yml b/roles/sys-hlth-csp/vars/main.yml index 8a11ed9a..c147877d 100644 --- a/roles/sys-hlth-csp/vars/main.yml +++ b/roles/sys-hlth-csp/vars/main.yml @@ -1,3 +1,3 @@ -health_csp_crawler_folder: '{{ path_administrator_scripts }}sys-hlth-csp/' +health_csp_crawler_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-csp/' health_csp_crawler_script: '{{ health_csp_crawler_folder }}sys-hlth-csp.py' diff --git a/roles/sys-hlth-disc-space/tasks/main.yml b/roles/sys-hlth-disc-space/tasks/main.yml index d63ff8ac..9591879c 100644 --- a/roles/sys-hlth-disc-space/tasks/main.yml 
+++ b/roles/sys-hlth-disc-space/tasks/main.yml @@ -27,7 +27,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-hlth-disc-space/vars/main.yml b/roles/sys-hlth-disc-space/vars/main.yml index 29818224..38b6d645 100644 --- a/roles/sys-hlth-disc-space/vars/main.yml +++ b/roles/sys-hlth-disc-space/vars/main.yml @@ -1 +1 @@ -health_disc_space_folder: '{{path_administrator_scripts}}sys-hlth-disc-space/' +health_disc_space_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-disc-space/' diff --git a/roles/sys-hlth-docker-container/README.md b/roles/sys-hlth-docker-container/README.md index cbfdb7e2..45ee2c32 100644 --- a/roles/sys-hlth-docker-container/README.md +++ b/roles/sys-hlth-docker-container/README.md @@ -18,7 +18,7 @@ The primary purpose of this role is to ensure that Docker-based services remain - **Automated Health Checks:** Detects containers in `unhealthy` state or exited with non-zero exit codes. - **Systemd Integration:** Installs a one-shot service and timer to run health checks on a schedule. - **Alerting Support:** Works with the [`sys-alm-compose`](../sys-alm-compose/README.md) role for failure notifications. -- **Configurable Script Location:** Controlled via the `path_administrator_scripts` variable. +- **Configurable Script Location:** Controlled via the `PATH_ADMINISTRATOR_SCRIPTS` variable. ## Further Resources diff --git a/roles/sys-hlth-docker-container/tasks/01_core.yml b/roles/sys-hlth-docker-container/tasks/01_core.yml index 63b0d679..ede058a0 100644 --- a/roles/sys-hlth-docker-container/tasks/01_core.yml +++ b/roles/sys-hlth-docker-container/tasks/01_core.yml @@ -24,7 +24,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: 
diff --git a/roles/sys-hlth-docker-container/vars/main.yml b/roles/sys-hlth-docker-container/vars/main.yml index 97396055..983f44f0 100644 --- a/roles/sys-hlth-docker-container/vars/main.yml +++ b/roles/sys-hlth-docker-container/vars/main.yml @@ -1 +1 @@ -health_docker_container_folder: '{{path_administrator_scripts}}sys-hlth-docker-container/' +health_docker_container_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-docker-container/' diff --git a/roles/sys-hlth-docker-volumes/tasks/01_core.yml b/roles/sys-hlth-docker-volumes/tasks/01_core.yml index c3e24d65..251c1153 100644 --- a/roles/sys-hlth-docker-volumes/tasks/01_core.yml +++ b/roles/sys-hlth-docker-volumes/tasks/01_core.yml @@ -24,7 +24,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-hlth-docker-volumes/vars/main.yml b/roles/sys-hlth-docker-volumes/vars/main.yml index ca37c6cf..16f2f195 100644 --- a/roles/sys-hlth-docker-volumes/vars/main.yml +++ b/roles/sys-hlth-docker-volumes/vars/main.yml @@ -1 +1 @@ -health_docker_volumes_folder: '{{path_administrator_scripts}}sys-hlth-docker-volumes/' +health_docker_volumes_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-docker-volumes/' diff --git a/roles/sys-hlth-journalctl/tasks/01_core.yml b/roles/sys-hlth-journalctl/tasks/01_core.yml index 7ffbcaa7..ace92877 100644 --- a/roles/sys-hlth-journalctl/tasks/01_core.yml +++ b/roles/sys-hlth-journalctl/tasks/01_core.yml @@ -24,7 +24,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-hlth-journalctl/vars/main.yml b/roles/sys-hlth-journalctl/vars/main.yml index 60e130dc..9a88dc8a 100644 --- a/roles/sys-hlth-journalctl/vars/main.yml 
+++ b/roles/sys-hlth-journalctl/vars/main.yml @@ -1,2 +1,2 @@ -health_journalctl_folder: '{{path_administrator_scripts}}sys-hlth-journalctl/' +health_journalctl_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-journalctl/' diff --git a/roles/sys-hlth-msmtp/vars/main.yml b/roles/sys-hlth-msmtp/vars/main.yml index 48c2b250..e3eaf795 100644 --- a/roles/sys-hlth-msmtp/vars/main.yml +++ b/roles/sys-hlth-msmtp/vars/main.yml @@ -1,2 +1,2 @@ -health_msmtp_folder: '{{ path_administrator_scripts }}sys-hlth-msmtp/' +health_msmtp_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-msmtp/' diff --git a/roles/sys-hlth-webserver/tasks/01_core.yml b/roles/sys-hlth-webserver/tasks/01_core.yml index ca51d2f9..9769c7c6 100644 --- a/roles/sys-hlth-webserver/tasks/01_core.yml +++ b/roles/sys-hlth-webserver/tasks/01_core.yml @@ -34,7 +34,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-hlth-webserver/templates/sys-hlth-webserver.py.j2 b/roles/sys-hlth-webserver/templates/sys-hlth-webserver.py.j2 index e90ee983..66408bdc 100644 --- a/roles/sys-hlth-webserver/templates/sys-hlth-webserver.py.j2 +++ b/roles/sys-hlth-webserver/templates/sys-hlth-webserver.py.j2 @@ -24,7 +24,7 @@ def get_expected_statuses(domain: str, parts: list[str], redirected_domains: set return [200, 302, 301] # file in which fqdn server configs are deposit -config_path = '{{nginx.directories.http.servers}}' +config_path = '{{ NGINX.DIRECTORIES.HTTP.SERVERS }}' # Initialize the error counter error_counter = 0 diff --git a/roles/sys-hlth-webserver/vars/main.yml b/roles/sys-hlth-webserver/vars/main.yml index 81f86970..104e315d 100644 --- a/roles/sys-hlth-webserver/vars/main.yml +++ b/roles/sys-hlth-webserver/vars/main.yml 
@@ -1 +1 @@ -health_nginx_folder: '{{ path_administrator_scripts }}sys-hlth-webserver/' +health_nginx_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-hlth-webserver/' diff --git a/roles/sys-lock/tasks/main.yml b/roles/sys-lock/tasks/main.yml index bac617c4..5706af01 100644 --- a/roles/sys-lock/tasks/main.yml +++ b/roles/sys-lock/tasks/main.yml @@ -1,8 +1,8 @@ --- -- name: create {{path_system_lock_script}} +- name: create {{ PATH_SYSTEM_LOCK_SCRIPT }} copy: src: sys-lock.py - dest: "{{path_system_lock_script}}" + dest: "{{ PATH_SYSTEM_LOCK_SCRIPT }}" when: run_once_sys_lock is not defined ## Runtime Variable Setting diff --git a/roles/sys-rpr-btrfs-blnc/tasks/01_core.yml b/roles/sys-rpr-btrfs-blnc/tasks/01_core.yml index 68a05944..027270e9 100644 --- a/roles/sys-rpr-btrfs-blnc/tasks/01_core.yml +++ b/roles/sys-rpr-btrfs-blnc/tasks/01_core.yml @@ -19,7 +19,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-rpr-docker-hard/tasks/01_core.yml b/roles/sys-rpr-docker-hard/tasks/01_core.yml index 1d13f844..25012be5 100644 --- a/roles/sys-rpr-docker-hard/tasks/01_core.yml +++ b/roles/sys-rpr-docker-hard/tasks/01_core.yml @@ -24,7 +24,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-rpr-docker-hard/templates/sys-rpr-docker-hard.service.j2 b/roles/sys-rpr-docker-hard/templates/sys-rpr-docker-hard.service.j2 index 724a271d..143d7cc5 100644 --- a/roles/sys-rpr-docker-hard/templates/sys-rpr-docker-hard.service.j2 +++ b/roles/sys-rpr-docker-hard/templates/sys-rpr-docker-hard.service.j2 
@@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services | join(' ') }} sys-rpr-docker-hard --timeout "{{system_maintenance_lock_timeout_restart_docker}}"' -ExecStart=/bin/sh -c '/usr/bin/python {{restart_docker_script}} {{path_docker_compose_instances}}' \ No newline at end of file +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services | join(' ') }} sys-rpr-docker-hard --timeout "{{system_maintenance_lock_timeout_restart_docker}}"' +ExecStart=/bin/sh -c '/usr/bin/python {{restart_docker_script}} {{ PATH_DOCKER_COMPOSE_INSTANCES }}' \ No newline at end of file diff --git a/roles/sys-rpr-docker-hard/vars/main.yml b/roles/sys-rpr-docker-hard/vars/main.yml index fd4edd35..b61e5d29 100644 --- a/roles/sys-rpr-docker-hard/vars/main.yml +++ b/roles/sys-rpr-docker-hard/vars/main.yml @@ -1,3 +1,3 @@ -restart_docker_folder: '{{path_administrator_scripts}}sys-rpr-docker-hard/' +restart_docker_folder: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-rpr-docker-hard/' restart_docker_script: '{{restart_docker_folder}}sys-rpr-docker-hard.py' diff --git a/roles/sys-rpr-docker-soft/tasks/01_core.yml b/roles/sys-rpr-docker-soft/tasks/01_core.yml index d8067461..13176e05 100644 --- a/roles/sys-rpr-docker-soft/tasks/01_core.yml +++ b/roles/sys-rpr-docker-soft/tasks/01_core.yml @@ -25,7 +25,7 @@ set_fact: service_name: "{{ role_name }}" -- name: "include role for sys-timer for {{service_name}}" +- name: "include role for sys-timer for {{ service_name }}" include_role: name: sys-timer vars: diff --git a/roles/sys-rpr-docker-soft/templates/sys-rpr-docker-soft.service.j2 b/roles/sys-rpr-docker-soft/templates/sys-rpr-docker-soft.service.j2 index 5b3c5416..f140901d 100644 
--- a/roles/sys-rpr-docker-soft/templates/sys-rpr-docker-soft.service.j2 +++ b/roles/sys-rpr-docker-soft/templates/sys-rpr-docker-soft.service.j2 @@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} sys-rpr-docker-soft --timeout "{{system_maintenance_lock_timeout_heal_docker}}"' -ExecStart=/bin/sh -c '/bin/python {{heal_docker}}sys-rpr-docker-soft.py {{path_docker_compose_instances}}' \ No newline at end of file +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services| join(' ') }} sys-rpr-docker-soft --timeout "{{system_maintenance_lock_timeout_heal_docker}}"' +ExecStart=/bin/sh -c '/bin/python {{heal_docker}}sys-rpr-docker-soft.py {{ PATH_DOCKER_COMPOSE_INSTANCES }}' \ No newline at end of file diff --git a/roles/sys-rpr-docker-soft/vars/main.yml b/roles/sys-rpr-docker-soft/vars/main.yml index c2a3ea14..63c63b58 100644 --- a/roles/sys-rpr-docker-soft/vars/main.yml +++ b/roles/sys-rpr-docker-soft/vars/main.yml @@ -1,2 +1,2 @@ -heal_docker: '{{path_administrator_scripts}}sys-rpr-docker-soft/' +heal_docker: '{{ PATH_ADMINISTRATOR_SCRIPTS }}sys-rpr-docker-soft/' diff --git a/roles/srv-web-7-7-certbot/README.md b/roles/sys-svc-certbot/README.md similarity index 100% rename from roles/srv-web-7-7-certbot/README.md rename to roles/sys-svc-certbot/README.md diff --git a/roles/srv-web-7-7-certbot/meta/main.yml b/roles/sys-svc-certbot/meta/main.yml similarity index 100% rename from roles/srv-web-7-7-certbot/meta/main.yml rename to roles/sys-svc-certbot/meta/main.yml diff --git a/roles/sys-svc-certbot/tasks/01_core.yml b/roles/sys-svc-certbot/tasks/01_core.yml new file mode 100644 index 00000000..3290893a --- /dev/null 
+++ b/roles/sys-svc-certbot/tasks/01_core.yml @@ -0,0 +1,8 @@ +- name: install certbot + community.general.pacman: + name: certbot + state: present + +- name: "Include tasks for 'No-Webroot-ACME-CHALLENGE-METHOD'" + include_tasks: 02_no_webroot.yml + when: CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' \ No newline at end of file diff --git a/roles/sys-svc-certbot/tasks/02_no_webroot.yml b/roles/sys-svc-certbot/tasks/02_no_webroot.yml new file mode 100644 index 00000000..ba7a3d54 --- /dev/null +++ b/roles/sys-svc-certbot/tasks/02_no_webroot.yml @@ -0,0 +1,21 @@ +- name: install certbot DNS plugin + community.general.pacman: + name: "certbot-dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}" + state: present + +- name: Ensure /etc/certbot directory exists + file: + path: "{{ CERTBOT_CREDENTIALS_DIR }}" + state: directory + owner: root + group: root + mode: '0755' + +- name: Install plugin credentials file + copy: + dest: "{{ CERTBOT_CREDENTIALS_FILE }}" + content: | + dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CERTBOT_DNS_API_TOKEN }} + owner: root + group: root + mode: '0600' \ No newline at end of file diff --git a/roles/sys-svc-certbot/tasks/main.yml b/roles/sys-svc-certbot/tasks/main.yml new file mode 100644 index 00000000..d042854a --- /dev/null +++ b/roles/sys-svc-certbot/tasks/main.yml @@ -0,0 +1,4 @@ +- block: + - include_tasks: 01_core.yml + - include_tasks: utils/run_once.yml + when: run_once_sys_svc_certbot is not defined diff --git a/roles/docker-core/Administration.md b/roles/sys-svc-docker/Administration.md similarity index 100% rename from roles/docker-core/Administration.md rename to roles/sys-svc-docker/Administration.md diff --git a/roles/sys-svc-docker/README.md b/roles/sys-svc-docker/README.md new file mode 100644 index 00000000..eb3da6ce --- /dev/null +++ b/roles/sys-svc-docker/README.md 
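Review bot: The `Install plugin credentials file` task in 02_no_webroot.yml renders `CERTBOT_DNS_API_TOKEN` through `content:`, so the token can surface in `--diff` output and verbose task results; add `no_log: true` to that task so the secret stays out of the play log. The task name `Ensure /etc/certbot directory exists` hardcodes a path while the task itself uses `CERTBOT_CREDENTIALS_DIR`; `Ensure {{ CERTBOT_CREDENTIALS_DIR }} exists` keeps the name truthful when the variable is overridden. `CERTBOT_ACME_CHALLENGE_METHOD` is interpolated straight into the package name `certbot-dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}` and into the credentials key, so a typo or unsupported value is only caught when pacman fails; an `assert` on the allowed plugin names before the include in 01_core.yml would fail fast with a clear message.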
@@ -0,0 +1,44 @@ +# Docker Server + +## Description + +This role installs and maintains the Docker service, including Docker Compose, on Linux systems. +It is part of the [Infinito.Nexus Project](https://s.infinito.nexus/code), maintained and developed by [Kevin Veen-Birkenbach](https://www.veen.world/). + +## Overview + +The role ensures that Docker and Docker Compose are present, integrates essential backup, repair, and health check roles, and supports cleanup or full reset modes for a fresh Docker environment. +When enabled via `MODE_CLEANUP` or `MODE_RESET`, it will automatically prune unused Docker resources. +`MODE_RESET` additionally restarts the Docker service after cleanup. + +## Features + +- **Automated Installation** + Installs Docker and Docker Compose via the system package manager. + +- **Integrated Dependencies** + Includes backup, repair, and health check sub-roles: + - `sys-bkp-docker-2-loc` + - `user-administrator` + - `sys-hlth-docker-container` + - `sys-hlth-docker-volumes` + - `sys-rpr-docker-soft` + - `sys-rpr-docker-hard` + +- **Cleanup & Reset Modes** + - `MODE_CLEANUP`: Removes unused Docker containers, networks, images, and volumes. + - `MODE_RESET`: Performs cleanup and restarts the Docker service. + +- **Handler Integration** + Restart handler ensures the Docker daemon is reloaded when necessary. + +## License + +This role is released under the Infinito.Nexus NonCommercial License (CNCL). +See [license details](https://s.infinito.nexus/license). + +## Author Information + +Kevin Veen-Birkenbach +Consulting & Coaching Solutions +[https://www.veen.world](https://www.veen.world) diff --git a/roles/sys-svc-docker/handlers/main.yml b/roles/sys-svc-docker/handlers/main.yml new file mode 100644 index 00000000..84d905b4 --- /dev/null +++ b/roles/sys-svc-docker/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: docker restart + service: + name: docker.service + state: restarted + enabled: yes 
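Review bot: The handler in sys-svc-docker/handlers/main.yml is named `docker restart`, but tasks/03_reset.yml in the next hunk notifies `Restart Docker`; handler names are matched literally, so that notify will not resolve to this handler (the `notify: docker restart` on the pacman task in 01_core.yml does match). Rename one side so they agree, e.g. `notify: docker restart` in 03_reset.yml. `enabled: yes` is a YAML 1.1 truthy spelling that yamllint flags; `enabled: true` says the same thing unambiguously.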
diff --git a/roles/docker-core/meta/main.yml b/roles/sys-svc-docker/meta/main.yml similarity index 100% rename from roles/docker-core/meta/main.yml rename to roles/sys-svc-docker/meta/main.yml diff --git a/roles/sys-svc-docker/tasks/01_core.yml b/roles/sys-svc-docker/tasks/01_core.yml new file mode 100644 index 00000000..6db5026c --- /dev/null +++ b/roles/sys-svc-docker/tasks/01_core.yml @@ -0,0 +1,25 @@ +- name: docker & docker compose install + community.general.pacman: + name: + - 'docker' + - 'docker-compose' + state: present + notify: docker restart + +- name: "Load cleanup tasks when MODE_CLEANUP or MODE_RESET is enabled" + include_tasks: "02_cleanup.yml" + when: MODE_CLEANUP | bool or MODE_RESET | bool + +- name: "Load reset tasks when MODE_RESET is enabled" + include_tasks: "03_reset.yml" + when: MODE_RESET | bool + +- name: Include backup, repair and health services for docker + include_role: + name: "{{ item }}" + loop: + - sys-bkp-docker-2-loc + - sys-hlth-docker-container + - sys-hlth-docker-volumes + - sys-rpr-docker-soft + - sys-rpr-docker-hard \ No newline at end of file diff --git a/roles/sys-svc-docker/tasks/02_cleanup.yml b/roles/sys-svc-docker/tasks/02_cleanup.yml new file mode 100644 index 00000000..91effbfa --- /dev/null +++ b/roles/sys-svc-docker/tasks/02_cleanup.yml @@ -0,0 +1,3 @@ +- name: Prune Docker resources + become: true + ansible.builtin.command: docker system prune -f \ No newline at end of file diff --git a/roles/sys-svc-docker/tasks/03_reset.yml b/roles/sys-svc-docker/tasks/03_reset.yml new file mode 100644 index 00000000..e6023ae0 --- /dev/null +++ b/roles/sys-svc-docker/tasks/03_reset.yml @@ -0,0 +1,4 @@ +- name: Trigger Docker restart + ansible.builtin.debug: + msg: "MODE_RESET is enabled → restarting Docker" + notify: Restart Docker \ No newline at end of file 
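Review bot: 03_reset.yml attaches `notify` to an `ansible.builtin.debug` task, and handlers only run for tasks that report `changed`; `debug` never does, so even with a matching handler name `MODE_RESET` will not restart Docker. Either restart directly with `ansible.builtin.service: name: docker.service state: restarted`, or keep the notify and add `changed_when: true` to the debug task. In 02_cleanup.yml, `docker system prune -f` does not remove volumes unless `--volumes` is passed, while the README in the previous hunk states that `MODE_CLEANUP` removes volumes; align the documentation with the command (or add the flag deliberately, since volume pruning is destructive). The prune `command` also reports changed on every run; a `changed_when` based on its output would keep the play summary honest.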
diff --git a/roles/docker-core/tasks/main.yml b/roles/sys-svc-docker/tasks/main.yml similarity index 64% rename from roles/docker-core/tasks/main.yml rename to roles/sys-svc-docker/tasks/main.yml index c782215a..e31fc687 100644 --- a/roles/docker-core/tasks/main.yml +++ b/roles/sys-svc-docker/tasks/main.yml @@ -2,4 +2,4 @@ - block: - include_tasks: 01_core.yml - include_tasks: utils/run_once.yml - when: run_once_docker_core is not defined + when: run_once_sys_svc_docker is not defined diff --git a/roles/sys-systemctl/README.md b/roles/sys-systemctl/README.md new file mode 100644 index 00000000..7a43187f --- /dev/null +++ b/roles/sys-systemctl/README.md 
@@ -0,0 +1,52 @@ +# sys-systemctl + +Utility role to reset/clean up **systemd** units for a given software stack. +It can install a unit-file remover tool, delete units that match a configured suffix, and reload the systemd daemon. The role is designed to run **once per play** and is commonly included by other roles (e.g., timer/service roles) to ensure a clean state before (re)deployment. + +## Overview + +When `MODE_RESET` is enabled, the role will: + +1. Install the configured remover tool/package (via `pkgmgr-install`). +2. Remove all unit files that match the configured suffix for the current software. +3. Reload the systemd daemon to apply changes. + +A run-once guard (`run_once_sys_systemctl`) prevents repeated execution within the same play run. + +## Features + +- **Idempotent cleanup** of systemd unit files based on a suffix. +- **Pluggable remover tool** via `UNIT_SUFFIX_REMOVER_PACKAGE`. +- **Daemon reload** to immediately apply changes. +- **Run-once safety** across the play to avoid redundant work. + +## Variables + +| Variable | Type | Default | Description | +|-----------------------------|---------|-------------|---------------------------------------------------------------------------------------------| +| `MODE_RESET` | bool | `false` | If `true`, executes the reset/cleanup tasks. | +| `SYS_SERVICE_SUFFIX` | string | *required* | Suffix used to identify unit files belonging to the software stack (e.g., `.infinito.nexus`). | +| `SOFTWARE_NAME` | string | *required* | Logical software identifier passed to the remover tool. | +| `UNIT_SUFFIX_REMOVER_PACKAGE` | string| `"unsure"` | Package/command used to remove the unit files. Must provide a CLI compatible with `-s`. | + +> **Note:** The role expects the remover tool to support a command pattern like: +> ``` +> -s '' +> ``` +> Replace `UNIT_SUFFIX_REMOVER_PACKAGE` with your actual utility (or wrapper script) that removes all matching unit files. 
+ +## Tasks Flow + +- `tasks/main.yml` + - Includes `tasks/01_reset.yml` **only when** `MODE_RESET` is `true`. + - Loads `utils/run_once.yml` once to set `run_once_sys_systemctl`. + +- `tasks/01_reset.yml` + - Installs `UNIT_SUFFIX_REMOVER_PACKAGE` via `pkgmgr-install`. + - Executes the remover command to purge unit files for `SOFTWARE_NAME` / `SYS_SERVICE_SUFFIX`. + - Runs `systemctl daemon-reload`. + +## Dependencies + +- `pkgmgr-install` (role): used to install `UNIT_SUFFIX_REMOVER_PACKAGE`. + diff --git a/roles/sys-systemctl/meta/main.yml b/roles/sys-systemctl/meta/main.yml new file mode 100644 index 00000000..fc7b74e5 --- /dev/null +++ b/roles/sys-systemctl/meta/main.yml @@ -0,0 +1,24 @@ +--- +galaxy_info: + author: "Kevin Veen-Birkenbach" + description: "Utility role to reset/clean up systemd units for a given software stack." + license: "Infinito.Nexus NonCommercial License" + license_url: "https://s.infinito.nexus/license" + company: | + Kevin Veen-Birkenbach + Consulting & Coaching Solutions + https://www.veen.world + min_ansible_version: "2.9" + platforms: + - name: Linux + versions: + - all + galaxy_tags: + - systemd + - services + - cleanup + - reset + - automation + repository: "https://s.infinito.nexus/code" + issue_tracker_url: "https://s.infinito.nexus/issues" + documentation: "https://docs.infinito.nexus" diff --git a/roles/sys-systemctl/tasks/01_reset.yml b/roles/sys-systemctl/tasks/01_reset.yml new file mode 100644 index 00000000..719f5599 --- /dev/null +++ b/roles/sys-systemctl/tasks/01_reset.yml @@ -0,0 +1,12 @@ +- name: "pkgmgr install '{{ SYS_SERVICE_SUFFIX }}'" + include_role: + name: pkgmgr-install + vars: + package_name: "{{ UNIT_SUFFIX_REMOVER_PACKAGE }}" + +- name: Remove all '{{ SYS_SERVICE_SUFFIX }}' files with '{{ UNIT_SUFFIX_REMOVER_PACKAGE }}' + command: "{{ UNIT_SUFFIX_REMOVER_PACKAGE }} -s '{{ SOFTWARE_NAME }}'" + +- name: Reload systemd daemon + command: systemctl daemon-reload + become: true \ No newline at end of file 
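Review bot: The new 01_reset.yml only runs the remover tool and `systemctl daemon-reload`; the sys-timer/tasks/01_reset.yml it replaces (deleted further down) first ran `systemd: enabled: no, state: stopped` on every matching unit, so unless the remover tool stops and disables units itself, already-active timers and services keep running from their unloaded definitions after the reload. Consider keeping a find + `systemd` stop/disable step ahead of the remover call, or document in the README that the tool takes care of it. The first task is named `pkgmgr install '{{ SYS_SERVICE_SUFFIX }}'` but installs `UNIT_SUFFIX_REMOVER_PACKAGE`, and the remover command passes only `SOFTWARE_NAME` while its name advertises `SYS_SERVICE_SUFFIX`; `pkgmgr install '{{ UNIT_SUFFIX_REMOVER_PACKAGE }}'` would read correctly. Both `command` tasks report changed on every run; `changed_when: false` on the daemon-reload is the usual treatment.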
diff --git a/roles/sys-systemctl/tasks/main.yml b/roles/sys-systemctl/tasks/main.yml new file mode 100644 index 00000000..39fb8ef8 --- /dev/null +++ b/roles/sys-systemctl/tasks/main.yml @@ -0,0 +1,6 @@ +- block: + - name: "reset (if enabled)" + include_tasks: 01_reset.yml + when: MODE_RESET | bool + - include_tasks: utils/run_once.yml + when: run_once_sys_systemctl is not defined \ No newline at end of file diff --git a/roles/sys-systemctl/vars/main.yml b/roles/sys-systemctl/vars/main.yml new file mode 100644 index 00000000..c3478465 --- /dev/null +++ b/roles/sys-systemctl/vars/main.yml @@ -0,0 +1 @@ +UNIT_SUFFIX_REMOVER_PACKAGE: "unsure" \ No newline at end of file diff --git a/roles/sys-timer/meta/main.yml b/roles/sys-timer/meta/main.yml index 44290ab4..f6a2c14e 100644 --- a/roles/sys-timer/meta/main.yml +++ b/roles/sys-timer/meta/main.yml @@ -22,4 +22,3 @@ galaxy_info: repository: "https://s.infinito.nexus/code" issue_tracker_url: "https://s.infinito.nexus/issues" documentation: "https://docs.infinito.nexus" -dependencies: [] diff --git a/roles/sys-timer/tasks/01_reset.yml b/roles/sys-timer/tasks/01_reset.yml deleted file mode 100644 index 9ebfdefe..00000000 --- a/roles/sys-timer/tasks/01_reset.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: Find all {{ SYS_SERVICE_SUFFIX }} units - find: - paths: /etc/systemd/system - patterns: '*.{{ SYS_SERVICE_SUFFIX }}' - register: infinito_timers - -- name: Disable and stop each infinito timer - systemd: - name: "{{ item.path | basename }}" - enabled: no - state: stopped - loop: "{{ infinito_timers.files }}" - loop_control: - label: "{{ item.path | basename }}" - -- name: Remove all {{ SYS_SERVICE_SUFFIX }} files - file: - path: "{{ item.path }}" - state: absent - loop: "{{ infinito_timers.files }}" - loop_control: - label: "{{ item.path | basename }}" - -- name: Reload systemd daemon - command: systemctl daemon-reload - become: true 
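Review bot: `UNIT_SUFFIX_REMOVER_PACKAGE: "unsure"` in sys-systemctl/vars/main.yml is a placeholder that 01_reset.yml hands to pkgmgr-install as a package name and then executes as a command (`{{ UNIT_SUFFIX_REMOVER_PACKAGE }} -s '...'`), so a `MODE_RESET` run on an inventory that does not override it fails midway rather than up front. Either set the real tool name or drop the default and guard the include with an assert, e.g. `that: UNIT_SUFFIX_REMOVER_PACKAGE is defined and UNIT_SUFFIX_REMOVER_PACKAGE != 'unsure'`. Note that values in a role's vars/main.yml take precedence over inventory group_vars and host_vars, so the README's promise of an overridable default does not hold from there; defaults/main.yml is the place for a value callers are expected to override.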
diff --git a/roles/sys-timer/tasks/main.yml b/roles/sys-timer/tasks/main.yml index b871ebce..2e8b4bc9 100644 --- a/roles/sys-timer/tasks/main.yml +++ b/roles/sys-timer/tasks/main.yml @@ -1,11 +1,9 @@ - -- name: "reset (if enabled)" - include_tasks: 01_reset.yml - when: MODE_RESET | bool and run_once_sys_timer is not defined - -- name: run {{ role_name }} once - set_fact: - run_once_sys_timer: true +- block: + - name: "Include sys-systemctl" + include_role: + name: sys-systemctl + when: run_once_sys_systemctl is not defined + - include_tasks: utils/run_once.yml when: run_once_sys_timer is not defined - name: create {{ sys_timer_file }} diff --git a/roles/sys-timer/templates/dummy.timer.j2 b/roles/sys-timer/templates/dummy.timer.j2 index e9970bda..d3c0f6af 100644 --- a/roles/sys-timer/templates/dummy.timer.j2 +++ b/roles/sys-timer/templates/dummy.timer.j2 @@ -1,9 +1,9 @@ [Unit] -Description=Timer to start {{service_name}}{{ SYS_SERVICE_SUFFIX }} +Description=Timer to start {{ service_name }}{{ SYS_SERVICE_SUFFIX }} [Timer] -OnCalendar={{on_calendar}} -RandomizedDelaySec={{RANDOMIZED_DELAY_SEC}} +OnCalendar={{ on_calendar }} +RandomizedDelaySec={{ RANDOMIZED_DELAY_SEC }} Persistent={{ persistent | default('false') }} [Install] diff --git a/roles/sys-timer/vars/main.yml b/roles/sys-timer/vars/main.yml index 3137148b..fd4c6129 100644 --- a/roles/sys-timer/vars/main.yml +++ b/roles/sys-timer/vars/main.yml @@ -1 +1 @@ -sys_timer_file: "{{ service_name }}{{ SYS_TIMER_SUFFIX }}" \ No newline at end of file +sys_timer_file: "{{ service_name }}{{ SYS_TIMER_SUFFIX }}" \ No newline at end of file diff --git a/roles/update-compose/tasks/01_core.yml b/roles/update-compose/tasks/01_core.yml index 3f6f1631..31ec0993 100644 --- a/roles/update-compose/tasks/01_core.yml +++ b/roles/update-compose/tasks/01_core.yml 
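Review bot: In sys-timer/tasks/main.yml the `include_role: name: sys-systemctl` carries `when: run_once_sys_systemctl is not defined`, which duplicates the guard that sys-systemctl already applies on its own block in tasks/main.yml (`when: run_once_sys_systemctl is not defined`); dropping the inner `when` keeps the run-once policy in one place. The include also means every role that uses sys-timer now pulls in the reset logic, which reads `SOFTWARE_NAME` and `UNIT_SUFFIX_REMOVER_PACKAGE` when `MODE_RESET` is set; if any caller of sys-timer does not define `SOFTWARE_NAME`, the remover command fails on an undefined variable, so a one-line comment above the include naming that requirement (`# sys-systemctl needs SOFTWARE_NAME when MODE_RESET is true`) would save the next reader a trace.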
@@ -1,7 +1,7 @@ --- -- name: "Check if {{ path_docker_compose_instances }} directory exists" +- name: "Check if {{ PATH_DOCKER_COMPOSE_INSTANCES }} directory exists" stat: - path: "{{ path_docker_compose_instances }}" + path: "{{ PATH_DOCKER_COMPOSE_INSTANCES }}" register: docker_compose_directory_stat - name: "Update with pacman" diff --git a/roles/update-docker/templates/update-docker.service.j2 b/roles/update-docker/templates/update-docker.service.j2 index a5f9a884..6f8c40da 100644 --- a/roles/update-docker/templates/update-docker.service.j2 +++ b/roles/update-docker/templates/update-docker.service.j2 @@ -4,5 +4,5 @@ OnFailure=sys-alm-compose.infinito@%n.service [Service] Type=oneshot -ExecStartPre=/bin/sh -c '/usr/bin/python {{ path_system_lock_script }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services | join(' ') }} update-docker --timeout "{{system_maintenance_lock_timeout_heal_docker}}"' -ExecStart=/bin/sh -c '/usr/bin/python {{update_docker_script}} {{path_docker_compose_instances}}' \ No newline at end of file +ExecStartPre=/bin/sh -c '/usr/bin/python {{ PATH_SYSTEM_LOCK_SCRIPT }} {{ system_maintenance_services | join(' ') }} --ignore {{system_maintenance_cleanup_services | join(' ') }} update-docker --timeout "{{system_maintenance_lock_timeout_heal_docker}}"' +ExecStart=/bin/sh -c '/usr/bin/python {{update_docker_script}} {{ PATH_DOCKER_COMPOSE_INSTANCES }}' \ No newline at end of file diff --git a/roles/update-docker/vars/main.yml b/roles/update-docker/vars/main.yml index 3fabb35d..5ad37d38 100644 --- a/roles/update-docker/vars/main.yml +++ b/roles/update-docker/vars/main.yml @@ -1,2 +1,2 @@ -update_docker_script: '{{path_administrator_scripts}}update-docker.py' +update_docker_script: '{{ PATH_ADMINISTRATOR_SCRIPTS }}update-docker.py' application_id: update-docker diff --git a/roles/user-administrator/tasks/01_core.yml b/roles/user-administrator/tasks/01_core.yml index 1a2e0a43..29a469a1 100644 
--- a/roles/user-administrator/tasks/01_core.yml +++ b/roles/user-administrator/tasks/01_core.yml @@ -13,26 +13,26 @@ ssh_key_type: rsa ssh_key_bits: 8192 -- name: "set correct rights for {{path_administrator_home}}" +- name: "set correct rights for {{ PATH_ADMINISTRATOR_HOME }}" file: - path: "{{path_administrator_home}}" + path: "{{ PATH_ADMINISTRATOR_HOME }}" state: directory owner: administrator group: administrator mode: 0700 -- name: "create {{path_administrator_scripts}}" +- name: "create {{ PATH_ADMINISTRATOR_SCRIPTS }}" file: - path: "{{path_administrator_home}}scripts" + path: "{{ PATH_ADMINISTRATOR_HOME }}scripts" state: directory owner: administrator group: administrator mode: 0700 -- name: create {{path_administrator_home}}.ssh/authorized_keys +- name: create {{ PATH_ADMINISTRATOR_HOME }}.ssh/authorized_keys copy: - src: "{{ inventory_dir }}/files/{{ inventory_hostname }}{{path_administrator_home}}.ssh/authorized_keys" - dest: "{{path_administrator_home}}.ssh/authorized_keys" + src: "{{ inventory_dir }}/files/{{ inventory_hostname }}{{ PATH_ADMINISTRATOR_HOME }}.ssh/authorized_keys" + dest: "{{ PATH_ADMINISTRATOR_HOME }}.ssh/authorized_keys" owner: administrator group: administrator mode: '0644' diff --git a/roles/user/tasks/main.yml b/roles/user/tasks/main.yml index b5a625a8..f25b014d 100644 --- a/roles/user/tasks/main.yml +++ b/roles/user/tasks/main.yml 
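Review bot: The `authorized_keys` copy in the last task keeps `mode: '0644'`; nothing in this file needs the key list world-readable, and `0600` is the conventional mode for files under `~/.ssh` (sshd only requires that it is not group/world-writable, so this is hardening rather than a functional fix): `mode: '0600'`. The middle task is named `create {{ PATH_ADMINISTRATOR_SCRIPTS }}` but builds its `path` from `{{ PATH_ADMINISTRATOR_HOME }}scripts`; if the two variables ever diverge, the task creates a directory other than the one roles/update-docker/vars/main.yml (which uses `PATH_ADMINISTRATOR_SCRIPTS`) points at, so use `path: "{{ PATH_ADMINISTRATOR_SCRIPTS }}"` in both the name and the module argument. The `src` value concatenates `{{ inventory_hostname }}{{ PATH_ADMINISTRATOR_HOME }}` and therefore relies on the home variable carrying both a leading and a trailing slash; that convention deserves a comment at the top of the task list. The hunk shows no task creating the `.ssh` directory with `0700` before the copy, so confirm that happens earlier in the file (the first tasks are outside the hunk).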
@@ -1,14 +1,14 @@ # run_once_user: deactivated -- name: create .bashrc - template: - src: "bashrc.j2" - dest: "{{ '/root/.bashrc' if user_name == 'root' else '/home/' ~ user_name ~ '/.bashrc' }}" - owner: "{{user_name}}" - group: "{{user_name}}" -- name: create .bash_profile - template: - src: "bash_profile.j2" - dest: "{{ '/root/.bash_profile' if user_name == 'root' else '/home/' ~ user_name ~ '/.bash_profile' }}" - owner: "{{user_name}}" - group: "{{user_name}}" \ No newline at end of file +- name: Deploy shell dotfiles + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "{{ user_home }}/.{{ item }}" + owner: "{{ user_name }}" + group: "{{ user_group }}" + mode: "0644" + loop: + - bashrc + - bash_profile + loop_control: + label: ".{{ item }}" diff --git a/roles/user/vars/main.yml b/roles/user/vars/main.yml new file mode 100644 index 00000000..1fcd14e3 --- /dev/null +++ b/roles/user/vars/main.yml @@ -0,0 +1,2 @@ +user_group: "{{ user_name }}" +user_home: "{{ (user_name == 'root') | ternary('/root', '/home/' ~ user_name) }}" \ No newline at end of file diff --git a/roles/web-app-akaunting/Installation.md b/roles/web-app-akaunting/Installation.md index 141ddcc1..e1585373 100644 --- a/roles/web-app-akaunting/Installation.md +++ b/roles/web-app-akaunting/Installation.md @@ -3,7 +3,7 @@ 1. **Navigate to the Docker Compose Directory** Change into the directory where the Docker Compose files reside. ```bash - cd {{path_docker_compose_instances}}akaunting/ + cd {{ PATH_DOCKER_COMPOSE_INSTANCES }}akaunting/ ``` 2. **Set Environment Variables** diff --git a/roles/web-app-attendize/tasks/main.yml b/roles/web-app-attendize/tasks/main.yml index a42ac46f..613660fa 100644 --- a/roles/web-app-attendize/tasks/main.yml +++ b/roles/web-app-attendize/tasks/main.yml 
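Review bot: `user_home` in the new roles/user/vars/main.yml is derived from the naming convention `/home/<user_name>` instead of the account's actual home directory; for any account created with a different home the `template` task writes the dotfiles to a path that may not exist (the module does not create parent directories) or to the wrong directory. If every user this role handles is guaranteed to live under /home, record that with `# assumes non-root users have their home at /home/<user_name>; accounts with another home directory are not supported` above the variable; otherwise resolve the home with the `getent` module (`database: passwd`, `key: "{{ user_name }}"`) and take the home field from its result. `user_group: "{{ user_name }}"` carries the same user-private-group assumption and should get the same note. `mode: "0644"` on the dotfiles is fine, since they stay owner-writable only.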
@@ -15,10 +15,10 @@ vars: docker_compose_flush_handlers: true -- name: "For '{{ application_id }}': configure {{domains | get_domain(application_id)}}.conf" +- name: "For '{{ application_id }}': configure {{ domains | get_domain(application_id) }}.conf" template: src: roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 - dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf" notify: restart openresty - name: "For '{{ application_id }}': include tasks update-repository-with-files.yml" diff --git a/roles/web-app-bigbluebutton/tasks/main.yml b/roles/web-app-bigbluebutton/tasks/main.yml index df5c766c..85a40424 100644 --- a/roles/web-app-bigbluebutton/tasks/main.yml +++ b/roles/web-app-bigbluebutton/tasks/main.yml @@ -9,7 +9,7 @@ oauth2_proxy_enabled: false proxy_lua_enabled: false -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy vars: @@ -24,7 +24,7 @@ - name: configure websocket_upgrade.conf copy: src: "websocket_upgrade.conf" - dest: "{{nginx.directories.http.maps}}websocket_upgrade.conf" + dest: "{{NGINX.DIRECTORIES.HTTP.MAPS}}websocket_upgrade.conf" notify: restart openresty - name: "Set BBB Facts" @@ -50,7 +50,7 @@ include_tasks: "01_docker-compose.yml" - name: Ensure all containers in instance are running - include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/04_ensure_up.yml" + include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/05_ensure_up.yml" - name: flush docker service meta: flush_handlers diff --git a/roles/web-app-bigbluebutton/templates/env.j2 b/roles/web-app-bigbluebutton/templates/env.j2 index d2c4c513..f153c0c0 100644 --- a/roles/web-app-bigbluebutton/templates/env.j2 +++ b/roles/web-app-bigbluebutton/templates/env.j2 
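Review bot: In roles/web-app-bigbluebutton/tasks/main.yml the new `dest: "{{NGINX.DIRECTORIES.HTTP.MAPS}}websocket_upgrade.conf"` drops the `{{ … }}` inner spacing that the rest of this commit normalizes (compare `{{ NGINX.DIRECTORIES.HTTP.SERVERS }}` in the attendize hunk just above), so the style is inconsistent within the same change: `dest: "{{ NGINX.DIRECTORIES.HTTP.MAPS }}websocket_upgrade.conf"`. The `include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/05_ensure_up.yml"` reaches into another role's private task file by sequence number, and this very commit had to bump it from 04 to 05; a future renumbering that misses this caller fails only at runtime. Exposing that step from docker-compose via `include_role` with `tasks_from`, or at least a comment `# keep in sync with the numbering in roles/docker-compose/tasks/` next to the include, would make the coupling visible.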
@@ -37,7 +37,7 @@ FSESL_PASSWORD={{applications | get_app_conf(application_id, 'credentials.fsesl_ # CONNECTION # ==================================== -DOMAIN={{domains | get_domain(application_id)}} +DOMAIN={{ domains | get_domain(application_id) }} EXTERNAL_IPv4={{ networks.internet.ip4 }} # The following line is not tested and could lead to bugs: @@ -50,7 +50,7 @@ STUN_PORT={{ ports.public.stun[application_id] }} # TURN SERVER # uncomment and adjust following two lines to add an external TURN server -TURN_SERVER=turns:{{domains | get_domain(application_id)}}:{{ ports.public.turn[application_id] }}?transport=tcp +TURN_SERVER=turns:{{ domains | get_domain(application_id) }}:{{ ports.public.turn[application_id] }}?transport=tcp TURN_SECRET={{applications | get_app_conf(application_id, 'credentials.turn_secret', True)}} # Allowed SIP IPs @@ -287,9 +287,9 @@ DEFAULT_REGISTRATION=invite ### EXTERNAL AUTHENTICATION METHODS # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/ # -OPENID_CONNECT_CLIENT_ID={{oidc.client.id}} -OPENID_CONNECT_CLIENT_SECRET={{oidc.client.secret}} -OPENID_CONNECT_ISSUER={{oidc.client.issuer_url}} +OPENID_CONNECT_CLIENT_ID={{ oidc.client.id }} +OPENID_CONNECT_CLIENT_SECRET={{ oidc.client.secret }} +OPENID_CONNECT_ISSUER={{ oidc.client.issuer_url }} OPENID_CONNECT_REDIRECT={{ domains | get_url(application_id, WEB_PROTOCOL) }} # OPENID_CONNECT_UID_FIELD=sub default {% endif %} \ No newline at end of file diff --git a/roles/web-app-bluesky/tasks/main.yml b/roles/web-app-bluesky/tasks/main.yml index 876ae1e3..58678345 100644 --- a/roles/web-app-bluesky/tasks/main.yml +++ b/roles/web-app-bluesky/tasks/main.yml @@ -2,7 +2,7 @@ include_role: name: docker-compose -- name: "include role srv-proxy-6-6-domain for {{application_id}}" +- name: "include role srv-proxy-6-6-domain for {{ application_id }}" include_role: name: srv-proxy-6-6-domain vars: 
diff --git a/roles/web-app-collabora/tasks/main.yml b/roles/web-app-collabora/tasks/main.yml index e67276e7..287c1c67 100644 --- a/roles/web-app-collabora/tasks/main.yml +++ b/roles/web-app-collabora/tasks/main.yml @@ -1,7 +1,7 @@ - name: create collabora proxy configuration file template: src: "nginx.conf.j2" - dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf" notify: restart openresty - name: "Include docker-compose role" diff --git a/roles/web-app-collabora/templates/nginx.conf.j2 b/roles/web-app-collabora/templates/nginx.conf.j2 index 9fea319f..e814b903 100644 --- a/roles/web-app-collabora/templates/nginx.conf.j2 +++ b/roles/web-app-collabora/templates/nginx.conf.j2 @@ -1,5 +1,5 @@ server { - server_name {{domain}}; + server_name {{ domain }}; {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %} diff --git a/roles/web-app-coturn/tasks/main.yml b/roles/web-app-coturn/tasks/main.yml index 15a8c7ac..5278a660 100644 --- a/roles/web-app-coturn/tasks/main.yml +++ b/roles/web-app-coturn/tasks/main.yml @@ -1,4 +1,4 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-discourse/tasks/01_core.yml b/roles/web-app-discourse/tasks/01_core.yml index eb28c652..e86e26f2 100644 --- a/roles/web-app-discourse/tasks/01_core.yml +++ b/roles/web-app-discourse/tasks/01_core.yml @@ -8,7 +8,7 @@ name: which state: present -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-discourse/tasks/02_reset.yml b/roles/web-app-discourse/tasks/02_reset.yml index 0e96df1d..b4636ddb 100644 --- a/roles/web-app-discourse/tasks/02_reset.yml 
+++ b/roles/web-app-discourse/tasks/02_reset.yml @@ -1,7 +1,7 @@ - name: "Load database variables for reset function" include_vars: "{{playbook_dir}}/roles/cmp-rdbms/vars/main.yml" -- name: "cleanup central database from {{application_id}}_default network" +- name: "cleanup central database from {{ application_id }}_default network" command: cmd: "docker network disconnect {{applications | get_app_conf(application_id, 'network', True)}} {{ database_host }}" ignore_errors: true diff --git a/roles/web-app-discourse/templates/config.yml.j2 b/roles/web-app-discourse/templates/config.yml.j2 index 786e6378..aa1cf89d 100644 --- a/roles/web-app-discourse/templates/config.yml.j2 +++ b/roles/web-app-discourse/templates/config.yml.j2 @@ -137,9 +137,9 @@ run: # OIDC Activation - exec: rails r "SiteSetting.openid_connect_enabled = true" - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc.client.discovery_document}}'" - - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc.client.id}}'" - - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc.client.secret}}'" - - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = 'https://{{domains | get_domain(application_id)}}'" + - exec: rails r "SiteSetting.openid_connect_client_id = '{{ oidc.client.id }}'" + - exec: rails r "SiteSetting.openid_connect_client_secret = '{{ oidc.client.secret }}'" + - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = 'https://{{ domains | get_domain(application_id) }}'" - exec: rails r "SiteSetting.openid_connect_allow_association_change = false" - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true" {% endif %} diff --git a/roles/web-app-elk/tasks/main.yml b/roles/web-app-elk/tasks/main.yml index 281ca261..74202d83 100644 --- a/roles/web-app-elk/tasks/main.yml +++ b/roles/web-app-elk/tasks/main.yml 
@@ -1,6 +1,6 @@ --- -- name: "include role srv-proxy-6-6-domain for {{application_id}}" +- name: "include role srv-proxy-6-6-domain for {{ application_id }}" include_role: name: srv-proxy-6-6-domain vars: diff --git a/roles/web-app-espocrm/tasks/main.yml b/roles/web-app-espocrm/tasks/main.yml index ebb74724..eadd8c37 100644 --- a/roles/web-app-espocrm/tasks/main.yml +++ b/roles/web-app-espocrm/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy vars: diff --git a/roles/web-app-espocrm/templates/docker-compose.yml.j2 b/roles/web-app-espocrm/templates/docker-compose.yml.j2 index 985ac323..01fd5c28 100644 --- a/roles/web-app-espocrm/templates/docker-compose.yml.j2 +++ b/roles/web-app-espocrm/templates/docker-compose.yml.j2 @@ -13,7 +13,7 @@ daemon: image: "{{ espocrm_image }}:{{ espocrm_version }}" - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} logging: driver: journald entrypoint: docker-daemon.sh @@ -23,7 +23,7 @@ websocket: image: "{{ espocrm_image }}:{{ espocrm_version }}" - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} logging: driver: journald environment: diff --git a/roles/web-app-friendica/tasks/main.yml b/roles/web-app-friendica/tasks/main.yml index 309ea18c..546cd45e 100644 --- a/roles/web-app-friendica/tasks/main.yml +++ b/roles/web-app-friendica/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-friendica/templates/env.j2 b/roles/web-app-friendica/templates/env.j2 index 035786e6..0f5f8c57 100644 --- a/roles/web-app-friendica/templates/env.j2 +++ b/roles/web-app-friendica/templates/env.j2 
@@ -2,7 +2,7 @@ # @see https://hub.docker.com/_/friendica FRIENDICA_URL={{ domains | get_url(application_id, WEB_PROTOCOL) }} -HOSTNAME={{domains | get_domain(application_id)}} +HOSTNAME={{ domains | get_domain(application_id) }} FRIENDICA_NO_VALIDATION={{friendica_no_validation | lower}} # Debugging diff --git a/roles/web-app-funkwhale/tasks/main.yml b/roles/web-app-funkwhale/tasks/main.yml index 60b18bb4..b0a77e2a 100644 --- a/roles/web-app-funkwhale/tasks/main.yml +++ b/roles/web-app-funkwhale/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-funkwhale/templates/env.j2 b/roles/web-app-funkwhale/templates/env.j2 index fb285822..e330f8d6 100644 --- a/roles/web-app-funkwhale/templates/env.j2 +++ b/roles/web-app-funkwhale/templates/env.j2 @@ -36,7 +36,7 @@ FUNKWHALE_WEB_WORKERS=4 # Replace this by the definitive, public domain you will use for # your instance. It cannot be changed after initial deployment # without breaking your instance. -FUNKWHALE_HOSTNAME={{domains | get_domain(application_id)}} +FUNKWHALE_HOSTNAME={{ domains | get_domain(application_id) }} FUNKWHALE_PROTOCOL={{ WEB_PROTOCOL }} # Log level (debug, info, warning, error, critical) diff --git a/roles/web-app-fusiondirectory/tasks/main.yml b/roles/web-app-fusiondirectory/tasks/main.yml index e1332819..675d0745 100644 --- a/roles/web-app-fusiondirectory/tasks/main.yml +++ b/roles/web-app-fusiondirectory/tasks/main.yml @@ -1,3 +1,3 @@ -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-gitea/tasks/main.yml b/roles/web-app-gitea/tasks/main.yml index 51abe489..0fe3228b 100644 --- a/roles/web-app-gitea/tasks/main.yml +++ b/roles/web-app-gitea/tasks/main.yml 
@@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-gitea/templates/env.j2 b/roles/web-app-gitea/templates/env.j2 index 8d4d750e..f4903edb 100644 --- a/roles/web-app-gitea/templates/env.j2 +++ b/roles/web-app-gitea/templates/env.j2 @@ -2,7 +2,7 @@ # @see https://docs.gitea.com/next/administration/config-cheat-sheet#repository-repository # General -DOMAIN={{domains | get_domain(application_id)}} +DOMAIN={{ domains | get_domain(application_id) }} RUN_MODE="{{ 'dev' if (ENVIRONMENT | lower) == 'development' else 'prod' }}" ROOT_URL="{{ domains | get_url(application_id, WEB_PROTOCOL) }}/" APP_NAME="{{ applications | get_app_conf(application_id, 'title', True) }}" @@ -23,7 +23,7 @@ DB_PASSWD={{database_password}} # SSH SSH_PORT={{ports.public.ssh[application_id]}} SSH_LISTEN_PORT=22 -SSH_DOMAIN={{domains | get_domain(application_id)}} +SSH_DOMAIN={{ domains | get_domain(application_id) }} # Mail Configuration # @see https://docs.gitea.com/next/installation/install-with-docker#managing-deployments-with-environment-variables diff --git a/roles/web-app-gitlab/tasks/main.yml b/roles/web-app-gitlab/tasks/main.yml index 15a8c7ac..5278a660 100644 --- a/roles/web-app-gitlab/tasks/main.yml +++ b/roles/web-app-gitlab/tasks/main.yml @@ -1,4 +1,4 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-gitlab/templates/docker-compose.yml.j2 b/roles/web-app-gitlab/templates/docker-compose.yml.j2 index 2a70c106..d333b3f9 100644 --- a/roles/web-app-gitlab/templates/docker-compose.yml.j2 +++ b/roles/web-app-gitlab/templates/docker-compose.yml.j2 
@@ -2,7 +2,7 @@ web: image: "{{ gitlab_image }}:{{ gitlab_version }}" - hostname: '{{domains | get_domain(application_id)}}' + hostname: '{{ domains | get_domain(application_id) }}' {% include 'roles/docker-container/templates/base.yml.j2' %} ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:80" diff --git a/roles/web-app-jenkins/tasks/main.yml b/roles/web-app-jenkins/tasks/main.yml index 46fcb632..b66886f5 100644 --- a/roles/web-app-jenkins/tasks/main.yml +++ b/roles/web-app-jenkins/tasks/main.yml @@ -1,4 +1,4 @@ -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-jenkins/templates/docker-compose.yml.j2 b/roles/web-app-jenkins/templates/docker-compose.yml.j2 index 6b3aae78..55b25f31 100644 --- a/roles/web-app-jenkins/templates/docker-compose.yml.j2 +++ b/roles/web-app-jenkins/templates/docker-compose.yml.j2 @@ -1,7 +1,7 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: image: jenkins/jenkins:lts - restart: "{{DOCKER_RESTART_POLICY}}" + restart: "{{ DOCKER_RESTART_POLICY }}" ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:8080" volumes: diff --git a/roles/web-app-joomla/tasks/main.yml b/roles/web-app-joomla/tasks/main.yml index 07393343..789d51a6 100644 --- a/roles/web-app-joomla/tasks/main.yml +++ b/roles/web-app-joomla/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy loop: "{{ domains }}" diff --git a/roles/web-app-keycloak/tasks/main.yml b/roles/web-app-keycloak/tasks/main.yml index e4588c6c..c0267ffc 100644 --- a/roles/web-app-keycloak/tasks/main.yml +++ b/roles/web-app-keycloak/tasks/main.yml 
@@ -1,8 +1,8 @@ --- -- name: "create import files for {{application_id}}" +- name: "create import files for {{ application_id }}" include_tasks: 01_import.yml -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-keycloak/templates/env.j2 b/roles/web-app-keycloak/templates/env.j2 index 8924f975..304d120a 100644 --- a/roles/web-app-keycloak/templates/env.j2 +++ b/roles/web-app-keycloak/templates/env.j2 @@ -2,7 +2,7 @@ # Documentation can be found here: # @see https://www.keycloak.org/server/containers -KC_HOSTNAME= https://{{domains | get_domain(application_id)}} +KC_HOSTNAME= https://{{ domains | get_domain(application_id) }} KC_HTTP_ENABLED= true # Health Checks diff --git a/roles/web-app-keycloak/templates/import/realm.json.j2 b/roles/web-app-keycloak/templates/import/realm.json.j2 index ff0be4a3..38e76524 100644 --- a/roles/web-app-keycloak/templates/import/realm.json.j2 +++ b/roles/web-app-keycloak/templates/import/realm.json.j2 @@ -832,7 +832,7 @@ "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "desktop-secret", - "secret": "{{oidc.client.secret}}", + "secret": "{{ oidc.client.secret }}", {# The following line should be covered by 02_update_client_redirects.yml #} "redirectUris": {{ domains | redirect_uris(applications, WEB_PROTOCOL) | tojson }}, "webOrigins": [ diff --git a/roles/web-app-lam/tasks/main.yml b/roles/web-app-lam/tasks/main.yml index 2d18ad3a..a769b271 100644 --- a/roles/web-app-lam/tasks/main.yml +++ b/roles/web-app-lam/tasks/main.yml @@ -1,3 +1,3 @@ -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-app-libretranslate/tasks/main.yml b/roles/web-app-libretranslate/tasks/main.yml index ad824e04..1ac28d42 100644 --- a/roles/web-app-libretranslate/tasks/main.yml 
+++ b/roles/web-app-libretranslate/tasks/main.yml @@ -1,4 +1,4 @@ -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy when: run_once_web_app_libretranslate is not defined diff --git a/roles/web-app-listmonk/tasks/main.yml b/roles/web-app-listmonk/tasks/main.yml index eace915a..c0fb1f29 100644 --- a/roles/web-app-listmonk/tasks/main.yml +++ b/roles/web-app-listmonk/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy vars: diff --git a/roles/web-app-mailu/tasks/01_core.yml b/roles/web-app-mailu/tasks/01_core.yml index bebd6fa3..1943b8ec 100644 --- a/roles/web-app-mailu/tasks/01_core.yml +++ b/roles/web-app-mailu/tasks/01_core.yml @@ -1,4 +1,4 @@ -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-mailu/templates/docker-compose.yml.j2 b/roles/web-app-mailu/templates/docker-compose.yml.j2 index 402f3da3..97909808 100644 --- a/roles/web-app-mailu/templates/docker-compose.yml.j2 +++ b/roles/web-app-mailu/templates/docker-compose.yml.j2 @@ -82,7 +82,7 @@ container_name: {{mailu_name}}_oletools image: {{docker_source}}/oletools:{{ mailu_version }} hostname: oletools - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} depends_on: - resolver dns: diff --git a/roles/web-app-mailu/templates/env.j2 b/roles/web-app-mailu/templates/env.j2 index 0b5aa245..371a437a 100644 --- a/roles/web-app-mailu/templates/env.j2 +++ b/roles/web-app-mailu/templates/env.j2 
@@ -168,17 +168,17 @@ AUTH_REQUIRE_TOKENS=True OIDC_ENABLED={{ applications | get_app_conf(application_id, 'features.oidc', False) | string | capitalize }} # OpenID Connect provider configuration URL -OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}} +OIDC_PROVIDER_INFO_URL={{ oidc.client.issuer_url }} # OpenID Connect Client ID for Mailu -OIDC_CLIENT_ID={{oidc.client.id}} +OIDC_CLIENT_ID={{ oidc.client.id }} # OpenID Connect Client secret for Mailu -OIDC_CLIENT_SECRET={{oidc.client.secret}} +OIDC_CLIENT_SECRET={{ oidc.client.secret }} # Label text for OpenID Connect login button. Default: OpenID Connect -OIDC_BUTTON_NAME={{oidc.button_text}} +OIDC_BUTTON_NAME={{ oidc.button_text }} # Disable TLS certificate verification for the OIDC client. Possible values: True, False OIDC_VERIFY_SSL=True diff --git a/roles/web-app-mastodon/Administration.md b/roles/web-app-mastodon/Administration.md index 203ff6eb..902c475e 100644 --- a/roles/web-app-mastodon/Administration.md +++ b/roles/web-app-mastodon/Administration.md @@ -2,11 +2,11 @@ ## 🗑️ Cleanup (Remove Instance & Volumes) ```bash -cd {{path_docker_compose_instances}}mastodon/ +cd {{ PATH_DOCKER_COMPOSE_INSTANCES }}mastodon/ docker-compose down docker volume rm mastodon_data mastodon_database mastodon_redis -cd {{path_docker_compose_instances}} && -rm -vR {{path_docker_compose_instances}}mastodon +cd {{ PATH_DOCKER_COMPOSE_INSTANCES }} && +rm -vR {{ PATH_DOCKER_COMPOSE_INSTANCES }}mastodon ``` ## 🔍 Access Mastodon Terminal diff --git a/roles/web-app-mastodon/tasks/main.yml b/roles/web-app-mastodon/tasks/main.yml index d591429f..0fd9b3bc 100644 --- a/roles/web-app-mastodon/tasks/main.yml +++ b/roles/web-app-mastodon/tasks/main.yml @@ -12,7 +12,7 @@ client_max_body_size: "80m" vhost_flavour: "ws_generic" -- name: "load docker and db for {{application_id}}" +- name: "load docker and db for {{ application_id }}" include_role: name: cmp-db-docker vars: 
diff --git a/roles/web-app-mastodon/templates/env.j2 b/roles/web-app-mastodon/templates/env.j2 index f565a854..69bd4332 100644 --- a/roles/web-app-mastodon/templates/env.j2 +++ b/roles/web-app-mastodon/templates/env.j2 @@ -3,7 +3,7 @@ # @see https://github.com/mastodon/mastodon/blob/main/.env.production.sample -LOCAL_DOMAIN={{domains | get_domain(application_id)}} +LOCAL_DOMAIN={{ domains | get_domain(application_id) }} ALTERNATE_DOMAINS="{{ domains['web-app-mastodon'][1:] | join(',') }}" SINGLE_USER_MODE={{ applications | get_app_conf(application_id, 'single_user_mode', True) }} @@ -60,16 +60,16 @@ SMTP_FROM_ADDRESS=Mastodon <{{ users['no-reply'].email }}> # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso OIDC_ENABLED={{ applications | get_app_conf(application_id, 'features.oidc', False) | string | lower }} -OIDC_DISPLAY_NAME="{{oidc.button_text}}" -OIDC_ISSUER={{oidc.client.issuer_url}} +OIDC_DISPLAY_NAME="{{ oidc.button_text }}" +OIDC_ISSUER={{ oidc.client.issuer_url }} OIDC_DISCOVERY=true OIDC_SCOPE="openid,profile,email" # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak OIDC_UID_FIELD={{oidc.attributes.username}} -OIDC_CLIENT_ID={{oidc.client.id}} -OIDC_REDIRECT_URI=https://{{domains | get_domain(application_id)}}/auth/auth/openid_connect/callback +OIDC_CLIENT_ID={{ oidc.client.id }} +OIDC_REDIRECT_URI=https://{{ domains | get_domain(application_id) }}/auth/auth/openid_connect/callback OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true -OIDC_CLIENT_SECRET={{oidc.client.secret}} +OIDC_CLIENT_SECRET={{ oidc.client.secret }} # uncomment to only use OIDC for login / registration buttons OMNIAUTH_ONLY=true ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true diff --git a/roles/web-app-matomo/tasks/constructor.yml b/roles/web-app-matomo/tasks/constructor.yml index 974600c5..37f0911a 100644 --- a/roles/web-app-matomo/tasks/constructor.yml 
+++ b/roles/web-app-matomo/tasks/constructor.yml @@ -1,4 +1,4 @@ -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-matrix/tasks/01_docker.yml b/roles/web-app-matrix/tasks/01_docker.yml new file mode 100644 index 00000000..dcc6dc02 --- /dev/null +++ b/roles/web-app-matrix/tasks/01_docker.yml 
@@ -0,0 +1,120 @@ +- name: "load docker and db for {{ application_id }}" + include_role: + name: cmp-db-docker + vars: + docker_compose_flush_handlers: false + +- name: include 02_create-and-seed-database.yml for multiple bridges + include_tasks: 02_create-and-seed-database.yml + vars: + database_password: "{{ item.database_password }}" + database_username: "{{ item.database_username }}" + database_name: "{{ item.database_name }}" + loop: "{{ MATRIX_BRIDGES }}" + +# The following taks are necessary because a clean setup is necessary +- name: shut down docker compose project + command: + cmd: docker-compose -p "{{ MATRIX_PROJECT }}" down + chdir: "{{ docker_compose.directories.instance }}" + +- name: "cleanup project folder" + file: + path: "{{ docker_compose.directories.instance }}mautrix/" + state: absent + +- name: "create bridge folders" + file: + path: "{{ docker_compose.directories.instance }}mautrix/{{ item.bridge_name }}" + state: directory + mode: "0755" + loop: "{{ MATRIX_BRIDGES }}" + +- name: add multiple mautrix bridge configuration + template: + src: "mautrix/{{ item.bridge_name }}.config.yml.j2" + dest: "{{ docker_compose.directories.instance }}mautrix/{{ item.bridge_name }}/config.yaml" + loop: "{{ MATRIX_BRIDGES }}" + notify: docker compose up + +- name: add element configuration + template: + src: "element.config.json.j2" + dest: "{{ MATRIX_ELEMENT_CONFIG_PATH_HOST }}" + notify: docker compose up + +- name: add synapse homeserver configuration + template: + src: "synapse/homeserver.yaml.j2" + dest: "{{ MATRIX_SYNAPSE_CONFIG_PATH_HOST }}" + notify: docker compose up + +- name: add synapse log configuration + template: + src: "synapse/log.config.j2" + dest: "{{ MATRIX_SYNAPSE_LOG_PATH_HOST }}" + notify: docker compose up + +# https://github.com/matrix-org/synapse/issues/6303 +- name: set correct folder permissions + command: + cmd: "docker run --rm --mount type=volume,src={{ MATRIX_SYNAPSE_VOLUME }},dst=/data -e SYNAPSE_SERVER_NAME={{ 
MATRIX_SYNAPSE_DOMAIN }} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'" + +- name: add docker-compose.yml + template: + src: "docker-compose.yml.j2" + dest: "{{ docker_compose.directories.instance }}docker-compose.yml" + notify: docker compose up + +# Pull image when update is wished. +# @todo This should be moved to update-docker +- name: docker compose pull + command: + cmd: docker-compose -p "{{ MATRIX_PROJECT }}" pull + chdir: "{{ docker_compose.directories.instance }}" + when: MODE_UPDATE | bool + +- name: docker compose up + command: + cmd: "docker-compose -p {{ MATRIX_PROJECT }} up -d --remove-orphans" + chdir: "{{ docker_compose.directories.instance }}" + environment: + COMPOSE_HTTP_TIMEOUT: 600 + DOCKER_CLIENT_TIMEOUT: 600 + register: result + until: result is succeeded + retries: 12 + delay: 30 + +- name: wait for registration files + wait_for: + path: "{{ docker_compose.directories.instance }}mautrix/{{ item.bridge_name }}/registration.yaml" + state: present + timeout: 120 + loop: "{{ MATRIX_BRIDGES }}" + +- name: "change file permissions" + file: + path: "{{ docker_compose.directories.instance }}mautrix/{{ item.bridge_name }}/registration.yaml" + mode: "0755" + loop: "{{ MATRIX_BRIDGES }}" + async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}" + poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}" + +- name: create admin account + command: + cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications | get_app_conf(application_id, 'users.administrator.username', True)}} -p {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}} -a -c {{ MATRIX_SYNAPSE_CONFIG_PATH_CONTAINER }} http://localhost:8008 + chdir: "{{ docker_compose.directories.instance }}" + ignore_errors: true + when: applications | get_app_conf(application_id, 'setup', True) | bool + async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}" + poll: "{{ ASYNC_POLL 
if ASYNC_ENABLED | bool else omit }}" + +- name: create chatgpt bot + command: + cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True)}} -a -c {{ MATRIX_SYNAPSE_CONFIG_PATH_CONTAINER }} http://localhost:8008 + chdir: "{{ docker_compose.directories.instance }}" + ignore_errors: true + when: applications | get_app_conf(application_id, 'setup', True) | bool + async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}" + poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}" \ No newline at end of file diff --git a/roles/web-app-matrix/tasks/create-and-seed-database.yml b/roles/web-app-matrix/tasks/02_create-and-seed-database.yml similarity index 91% rename from roles/web-app-matrix/tasks/create-and-seed-database.yml rename to roles/web-app-matrix/tasks/02_create-and-seed-database.yml index 8004e262..8d8ae102 100644 --- a/roles/web-app-matrix/tasks/create-and-seed-database.yml +++ b/roles/web-app-matrix/tasks/02_create-and-seed-database.yml @@ -6,7 +6,7 @@ # - database_password - name: "create {{database_name}} database" include_role: - name: svc-db-postgres + name: "svc-db-{{ database_type }}" when: applications | get_app_conf(application_id, 'features.central_database', False) - name: "include 04_seed-database-to-backup.yml" diff --git a/roles/web-app-matrix/tasks/03_webserver.yml b/roles/web-app-matrix/tasks/03_webserver.yml new file mode 100644 index 00000000..e26720b1 --- /dev/null +++ b/roles/web-app-matrix/tasks/03_webserver.yml 
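Review bot: The two `register_new_matrix_user` tasks at the end of roles/web-app-matrix/tasks/01_docker.yml pass the administrator and bot passwords as `-p` arguments of a `command`, so the secrets are printed in the Ansible task output and any log (and are visible in the process list while the command runs) unless each task carries `no_log: true`; add that to both, and because they also set `ignore_errors: true`, register the result and use `failed_when` to accept only the "already exists" case so a real failure is not masked. `docker compose exec -it` is executed without a TTY from Ansible; if compose does not fall back on its own, that is precisely the failure `ignore_errors` would hide, so `-T` (no TTY) is the safer flag here. The `change file permissions` task sets each `registration.yaml` to `0755`: these are data files, not executables, and in mautrix bridges they typically hold the appservice `as_token`/`hs_token`, so world-readable is too wide — `mode: "0640"` (confirm against the uid the synapse and bridge containers run as). The `set correct folder permissions` task runs `matrixdotorg/synapse:latest` to chown the data volume; pin it to the same image and version the compose template deploys so an unpinned pull is never given write access to the Synapse data.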
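Review bot: The renamed 02_create-and-seed-database.yml now includes `svc-db-{{ database_type }}`, but `database_type` is not among the variables the file's header lists as required (the visible tail of that list ends at `# - database_password`; the head of the header is outside the hunk), and the caller in 01_docker.yml passes only the name/user/password triple per bridge. If it is undefined, `include_role` fails with an opaque templating error rather than a clear message; add `# - database_type (e.g. postgres)` to the header list and either default it (`name: "svc-db-{{ database_type | default('postgres') }}"`, which preserves the previous hard-coded behaviour) or assert it at the top of the file.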
@@ -0,0 +1,33 @@
+- name: create {{ MATRIX_WELL_KNOWN_DIRECTORY }}
+ file:
+ path: "{{ MATRIX_WELL_KNOWN_DIRECTORY }}"
+ state: directory
+ mode: '0755'
+
+- name: create {{ MATRIX_WELL_KNOWN_FILE }}
+ template:
+ src: "well-known.j2"
+ dest: "{{ MATRIX_WELL_KNOWN_FILE }}"
+
+- name: "include role srv-proxy-6-6-domain for {{ MATRIX_ELEMENT_DOMAIN }}"
+ include_role:
+ name: srv-proxy-6-6-domain
+ vars:
+ domain: "{{ MATRIX_ELEMENT_DOMAIN }}"
+ http_port: "{{ MATRIX_ELEMENT_PORT }}"
+
+- name: "include role for {{ application_id }} to receive certs & do modification routines for {{ MATRIX_SYNAPSE_DOMAIN }}"
+ include_role:
+ name: srv-web-7-6-composer
+ vars:
+ domain: "{{ MATRIX_SYNAPSE_DOMAIN }}"
+ http_port: "{{ MATRIX_SYNAPSE_PORT }}"
+
+- name: create {{ MATRIX_SYNAPSE_DOMAIN }}.conf
+ template:
+ src: "templates/nginx.conf.j2"
+ dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ MATRIX_SYNAPSE_DOMAIN }}.conf"
+ vars:
+ domain: "{{ MATRIX_SYNAPSE_DOMAIN }}" # Didn't work in the past. May it works now. This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates
+ http_port: "{{ MATRIX_SYNAPSE_PORT }}"
+ notify: restart openresty
\ No newline at end of file
diff --git a/roles/web-app-matrix/tasks/main.yml b/roles/web-app-matrix/tasks/main.yml
index fcf5b9f7..ba408f4f 100644
--- a/roles/web-app-matrix/tasks/main.yml
+++ b/roles/web-app-matrix/tasks/main.yml
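Review bot: The inline comment on the `domain:` var of the `create {{ MATRIX_SYNAPSE_DOMAIN }}.conf` task contradicts itself ("May it works now" / "This does not seem to work"), and since nginx.conf.j2 re-derives `domain` and `http_port` with its own `{% set %}` statements in this same commit, the two per-task vars are not what the template reads. Either drop the `vars:` block with its comment, or replace the comment with one that states the actual situation, e.g. `# nginx.conf.j2 re-declares domain and http_port itself; kept for parity with the other vhost tasks`. The new file also has no `---` document start and no trailing newline, unlike the other task files touched here, and quotes the mode as `'0755'` where the neighbouring tasks write `"0755"`.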
@@ -5,154 +5,13 @@ - name: Filter enabled bridges and register as fact set_fact: - bridges: "{{ bridges_configuration | filter_enabled_bridges(applications | get_app_conf(application_id, 'plugins', True)) }}" + MATRIX_BRIDGES: "{{ bridges_configuration | filter_enabled_bridges(applications | get_app_conf(application_id, 'plugins', True)) }}" changed_when: false -- name: "include role for {{application_id}} to receive certs & do modification routines" - include_role: - name: srv-web-7-6-composer - vars: - domain: "{{domains[application_id].synapse}}" - http_port: "{{ports.localhost.http['web-app-matrix_synapse']}}" +# Order of the following tasks is important otherwise handlers are flushed wrongly -- name: "load docker and db for {{application_id}}" - include_role: - name: cmp-db-docker - vars: - docker_compose_flush_handlers: false +- name: "Include Docker Tasks for '{{ application_id }}'" + include_tasks: 01_docker.yml -- name: create {{well_known_directory}} - file: - path: "{{well_known_directory}}" - state: directory - mode: '0755' - -- name: create {{well_known_directory}}server - template: - src: "well-known.j2" - dest: "{{well_known_directory}}server" - -- name: create {{domains[application_id].synapse}}.conf - template: - src: "templates/nginx.conf.j2" - dest: "{{nginx.directories.http.servers}}{{domains[application_id].synapse}}.conf" - vars: - domain: "{{domains[application_id].synapse}}" # Didn't work in the past. May it works now. 
This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates - http_port: "{{ports.localhost.http['web-app-matrix_synapse']}}" - notify: restart openresty - -- name: "include role srv-proxy-6-6-domain for {{application_id}}" - include_role: - name: srv-proxy-6-6-domain - vars: - domain: "{{domains[application_id].element}}" - http_port: "{{ports.localhost.http['web-app-matrix_element']}}" - -- name: include create-and-seed-database.yml for multiple bridges - include_tasks: create-and-seed-database.yml - vars: - database_password: "{{ item.database_password }}" - database_username: "{{ item.database_username }}" - database_name: "{{ item.database_name }}" - loop: "{{ bridges }}" - -# The following taks are necessary because a clean setup is necessary -- name: shut down docker compose project - command: - cmd: docker-compose -p "{{ matrix_project }}" down - chdir: "{{ docker_compose.directories.instance }}" - -- name: "cleanup project folder" - file: - path: "{{docker_compose.directories.instance}}mautrix/" - state: absent - -- name: "create bridge folders" - file: - path: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}" - state: directory - mode: "0755" - loop: "{{ bridges }}" - -- name: add multiple mautrix bridge configuration - template: - src: "mautrix/{{item.bridge_name}}.config.yml.j2" - dest: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/config.yaml" - loop: "{{ bridges }}" - notify: docker compose up - -- name: add element configuration - template: - src: "element.config.json.j2" - dest: "{{docker_compose.directories.instance}}element-config.json" - notify: docker compose up - -- name: add synapse homeserver configuration - template: - src: "synapse/homeserver.yaml.j2" - dest: "{{docker_compose.directories.instance}}homeserver.yaml" - notify: docker compose up - -- name: add synapse log configuration - template: - src: "synapse/log.config.j2" - dest: 
"{{docker_compose.directories.instance}}{{domains[application_id].synapse}}.log.config" - notify: docker compose up - -# https://github.com/matrix-org/synapse/issues/6303 -- name: set correct folder permissions - command: - cmd: "docker run --rm --mount type=volume,src=matrix_synapse_data,dst=/data -e SYNAPSE_SERVER_NAME={{domains[application_id].synapse}} -e SYNAPSE_REPORT_STATS=no --entrypoint /bin/sh matrixdotorg/synapse:latest -c 'chown -vR 991:991 /data'" - -- name: add docker-compose.yml - template: - src: "docker-compose.yml.j2" - dest: "{{docker_compose.directories.instance}}docker-compose.yml" - notify: docker compose up - -# Pull image when update is wished. -# @todo This should be moved to update-docker -- name: docker compose pull - command: - cmd: docker-compose -p "{{ matrix_project }}" pull - chdir: "{{docker_compose.directories.instance}}" - when: MODE_UPDATE | bool - -- name: docker compose up - command: - cmd: "docker-compose -p {{ matrix_project }} up -d --remove-orphans" - chdir: "{{docker_compose.directories.instance}}" - environment: - COMPOSE_HTTP_TIMEOUT: 600 - DOCKER_CLIENT_TIMEOUT: 600 - register: result - until: result is succeeded - retries: 12 - delay: 30 - -- name: wait for registration files - wait_for: - path: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/registration.yaml" - state: present - timeout: 120 - loop: "{{ bridges }}" - -- name: "change file permissions" - file: - path: "{{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/registration.yaml" - mode: "0755" - loop: "{{ bridges }}" - -- name: create admin account - command: - cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications | get_app_conf(application_id, 'users.administrator.username', True)}} -p {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}} -a -c /data/homeserver.yaml http://localhost:8008 - chdir: "{{ docker_compose.directories.instance }}" - ignore_errors: 
true - when: applications | get_app_conf(application_id, 'setup', True) | bool - -- name: create chatgpt bot - command: - cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True)}} -a -c /data/homeserver.yaml http://localhost:8008 - chdir: "{{ docker_compose.directories.instance }}" - ignore_errors: true - when: applications | get_app_conf(application_id, 'setup', True) | bool \ No newline at end of file +- name: "Include Webserver Tasks for '{{ application_id }}'" + include_tasks: 03_webserver.yml \ No newline at end of file diff --git a/roles/web-app-matrix/templates/docker-compose.yml.j2 b/roles/web-app-matrix/templates/docker-compose.yml.j2 index f6cdea72..71b3c45d 100644 --- a/roles/web-app-matrix/templates/docker-compose.yml.j2 +++ b/roles/web-app-matrix/templates/docker-compose.yml.j2 
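Review bot: The new main.yml only includes `01_docker.yml` and `03_webserver.yml`; the per-bridge `include_tasks: create-and-seed-database.yml` loop that the old file ran over `bridges` has no counterpart in this hunk, and the renamed `02_create-and-seed-database.yml` is not referenced here. If `01_docker.yml` now performs that include per bridge this is fine, but its beginning is outside this chunk, so please confirm the bridge databases are still created before the bridge containers come up. The comment `# Order of the following tasks is important otherwise handlers are flushed wrongly` would be more useful if it named which handler must be flushed before which include rather than a generic warning. The file also ends without a trailing newline.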
@@ -1,27 +1,27 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 synapse:
 {% set container_port = 8008 %}
- image: "{{ matrix_synapse_image }}:{{ matrix_synapse_version }}"
- container_name: {{ matrix_synapse_name }}
- restart: {{DOCKER_RESTART_POLICY}}
+ image: "{{ MATRIX_SYNAPSE_IMAGE }}:{{ MATRIX_SYNAPSE_VERSION }}"
+ container_name: {{ MATRIX_SYNAPSE_NAME }}
+ restart: {{ DOCKER_RESTART_POLICY }}
 logging:
 driver: journald
 volumes:
 - synapse_data:/data
- - ./homeserver.yaml:/data/homeserver.yaml:ro
- - ./{{domains[application_id].synapse}}.log.config:/data/{{domains[application_id].synapse}}.log.config:ro
-{% for item in bridges %}
- - {{docker_compose.directories.instance}}mautrix/{{item.bridge_name}}/registration.yaml:{{registration_file_folder}}{{item.bridge_name}}.registration.yaml:ro
+ - {{ MATRIX_SYNAPSE_CONFIG_PATH_HOST }}:{{ MATRIX_SYNAPSE_CONFIG_PATH_CONTAINER }}:ro
+ - {{ MATRIX_SYNAPSE_LOG_PATH_HOST }}:{{ MATRIX_SYNAPSE_LOG_PATH_CONTAINER }}:ro
+{% for item in MATRIX_BRIDGES %}
+ - {{ docker_compose.directories.instance }}mautrix/{{ item.bridge_name }}/registration.yaml:{{ MATRIX_REGISTRATION_FILE_FOLDER }}{{ item.bridge_name }}.registration.yaml:ro
 {% endfor %}
 environment:
- - SYNAPSE_SERVER_NAME={{domains[application_id].synapse}}
+ - SYNAPSE_SERVER_NAME={{ MATRIX_SYNAPSE_DOMAIN }}
 - SYNAPSE_REPORT_STATS=no
 ports:
 - "127.0.0.1:{{ports.localhost.http['web-app-matrix_synapse']}}:{{ container_port }}"
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
-{% if bridges | length > 0 %}
-{% for item in bridges %}
- mautrix-{{item.bridge_name}}:
+{% if MATRIX_BRIDGES | length > 0 %}
+{% for item in MATRIX_BRIDGES %}
+ mautrix-{{ item.bridge_name }}:
 condition: service_healthy
 {% endfor %}
 {% else %}
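Review bot: The synapse `ports:` entry still reads `ports.localhost.http['web-app-matrix_synapse']` although vars/main.yml now exposes the same lookup as `MATRIX_SYNAPSE_PORT` and the element service in the next hunk already uses `MATRIX_ELEMENT_PORT`; write it as `- "127.0.0.1:{{ MATRIX_SYNAPSE_PORT }}:{{ container_port }}"` so the host port and the `http_port` handed to the proxy role cannot drift apart. The registration-file bind mounts stay rooted at `docker_compose.directories.instance` while the homeserver config and log config moved to `docker_compose.directories.config` via `MATRIX_SYNAPSE_CONFIG_PATH_HOST` / `MATRIX_SYNAPSE_LOG_PATH_HOST`; if that split is deliberate, a one-line comment on the `volumes:` block would save the next reader a lookup.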
@@ -30,25 +30,25 @@ {% include 'roles/docker-container/templates/networks.yml.j2' %} element: {% set container_port = 80 %} - image: "{{ matrix_element_image }}:{{ matrix_element_version }}" - container_name: {{ matrix_element_name }} - restart: {{DOCKER_RESTART_POLICY}} + image: "{{ MATRIX_ELEMENT_IMAGE }}:{{ MATRIX_ELEMENT_VERSION }}" + container_name: {{ MATRIX_ELEMENT_NAME }} + restart: {{ DOCKER_RESTART_POLICY }} volumes: - - ./element-config.json:/app/config.json + - {{ MATRIX_ELEMENT_CONFIG_PATH_HOST }}:/app/config.json ports: - - "127.0.0.1:{{ports.localhost.http['web-app-matrix_element']}}:{{ container_port }}" + - "127.0.0.1:{{ MATRIX_ELEMENT_PORT }}:{{ container_port }}" {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %} {% include 'roles/docker-container/templates/networks.yml.j2' %} -{% for item in bridges %} - mautrix-{{item.bridge_name}}: - container_name: matrix-{{item.bridge_name}} +{% for item in MATRIX_BRIDGES %} + mautrix-{{ item.bridge_name }}: + container_name: matrix-{{ item.bridge_name }} image: dock.mau.dev/mautrix/{{ item.bridge_name }}:latest - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} volumes: - - ./mautrix/{{item.bridge_name}}:/data + - ./mautrix/{{ item.bridge_name }}:/data healthcheck: - test: ["CMD-SHELL", "test -f {{registration_file_folder}}registration.yaml || exit 1"] + test: ["CMD-SHELL", "test -f {{ MATRIX_REGISTRATION_FILE_FOLDER }}registration.yaml || exit 1"] interval: 1m timeout: 10s retries: 3 @@ -56,7 +56,7 @@ {% endfor %} {% if applications | get_app_conf(application_id, 'plugins.chatgpt', True) | bool %} matrix-chatgpt-bot: - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} container_name: matrix-chatgpt image: ghcr.io/matrixgpt/matrix-chatgpt-bot:latest volumes: 
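Review bot: The rewritten element volume `- {{ MATRIX_ELEMENT_CONFIG_PATH_HOST }}:/app/config.json` is mounted read-write, while the synapse config and log mounts in the first hunk are `:ro`; the client only reads its config, so `- {{ MATRIX_ELEMENT_CONFIG_PATH_HOST }}:/app/config.json:ro` keeps the container from modifying the host-side file. The bridge loop's healthcheck now references `MATRIX_REGISTRATION_FILE_FOLDER`, which vars/main.yml sets to `/data/`, matching the `./mautrix/{{ item.bridge_name }}:/data` mount, so that part is consistent. Note that the bridge and chatgpt images remain on unpinned `:latest` tags while synapse and element are versioned from the app config — outside this change, but worth a follow-up.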
@@ -81,10 +81,10 @@ KEYV_URL: '' KEYV_BOT_ENCRYPTION: 'false' KEYV_BOT_STORAGE: 'true' - MATRIX_HOMESERVER_URL: '{{ WEB_PROTOCOL }}://{{ domains[application_id].synapse }}' + MATRIX_HOMESERVER_URL: '{{ MATRIX_SYNAPSE_URL }}' MATRIX_BOT_USERNAME: '@chatgptbot:{{applications | get_app_conf(application_id, 'server_name', True)}}' MATRIX_ACCESS_TOKEN: '{{ applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_access_token', True) | default('') }}' - MATRIX_BOT_PASSWORD: '{{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True)}}' + MATRIX_BOT_PASSWORD: '{{ applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True) }}' MATRIX_DEFAULT_PREFIX: '!chatgpt' MATRIX_DEFAULT_PREFIX_REPLY: 'false' #MATRIX_BLACKLIST: '' @@ -98,7 +98,7 @@ {% include 'roles/docker-compose/templates/volumes.yml.j2' %} synapse_data: - name: {{ matrix_synapse_data }} + name: {{ MATRIX_SYNAPSE_VOLUME }} {% if applications | get_app_conf(application_id, 'plugins.chatgpt', True) | bool %} chatgpt_data: {% endif %} diff --git a/roles/web-app-matrix/templates/element.config.json.j2 b/roles/web-app-matrix/templates/element.config.json.j2 index 5623d167..ce928dd9 100644 --- a/roles/web-app-matrix/templates/element.config.json.j2 +++ b/roles/web-app-matrix/templates/element.config.json.j2 @@ -1,8 +1,8 @@ { "default_server_config": { "m.homeserver": { - "base_url": "{{ WEB_PROTOCOL }}://{{domains[application_id].synapse}}", - "server_name": "{{domains[application_id].synapse}}" + "base_url": "{{ MATRIX_SYNAPSE_URL }}", + "server_name": "{{ MATRIX_SYNAPSE_DOMAIN }}" }, "m.identity_server": { "base_url": "{{ WEB_PROTOCOL }}://{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 index c5cfd983..a55823bb 100644 --- a/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 
+++ b/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 @@ -143,7 +143,7 @@ bridge: sync_direct_chat_list: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications | get_app_conf(application_id, 'server_name', True)}}: {{domains[application_id].synapse}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ MATRIX_SYNAPSE_DOMAIN }} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 index 0732c8b0..1f0e5593 100644 --- a/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 @@ -134,7 +134,7 @@ bridge: double_puppet_allow_discovery: false # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. double_puppet_server_map: - {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ WEB_PROTOCOL }}://{{ domains[application_id].synapse }} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ MATRIX_SYNAPSE_URL }} # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users diff --git a/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 index e5ef5960..52d51fbb 100644 --- a/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 
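Review bot: facebook.config.yml.j2 maps `double_puppet_server_map` to the bare `MATRIX_SYNAPSE_DOMAIN`, whereas the instagram hunk below and the signal, slack, telegram and whatsapp hunks all map it to `MATRIX_SYNAPSE_URL` with the scheme included. The old facebook line lacked the scheme as well, so this is pre-existing, but the commit touched the line and introduced both variables, so now is the time to settle it; if the bridge expects a homeserver URL like its siblings, the line should read `{{applications | get_app_conf(application_id, 'server_name', True)}}: {{ MATRIX_SYNAPSE_URL }}`, otherwise a comment above the key explaining why facebook differs would help.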
@@ -141,7 +141,7 @@ bridge: federate_rooms: true # Servers to always allow double puppeting from double_puppet_server_map: - {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ WEB_PROTOCOL }}://{{ domains[application_id].synapse }} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ MATRIX_SYNAPSE_URL }} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 index 917f096f..5e59fb6d 100644 --- a/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 @@ -118,7 +118,7 @@ bridge: # Servers to always allow double puppeting from double_puppet_server_map: - {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ WEB_PROTOCOL }}://{{ domains[application_id].synapse }} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ MATRIX_SYNAPSE_URL }} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 index 5984b640..3338ab95 100644 --- a/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 
@@ -198,7 +198,7 @@ bridge: sync_direct_chat_list: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ WEB_PROTOCOL }}://{{ domains[application_id].synapse }} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ MATRIX_SYNAPSE_URL }} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 index ba3f0683..84edbf02 100644 --- a/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 @@ -236,7 +236,7 @@ bridge: force_active_delivery_receipts: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ WEB_PROTOCOL }}://{{ domains[application_id].synapse }} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{ MATRIX_SYNAPSE_URL }} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth diff --git a/roles/web-app-matrix/templates/nginx.conf.j2 b/roles/web-app-matrix/templates/nginx.conf.j2 index 93d224e5..18620f58 100644 --- a/roles/web-app-matrix/templates/nginx.conf.j2 +++ b/roles/web-app-matrix/templates/nginx.conf.j2 
@@ -1,16 +1,16 @@ server { {# Somehow .j2 doesn't interpretate the passed variable right. For this reasons this redeclaration is necessary #} {# Could be that this is related to the set_fact use #} - {% set domain = domains[application_id].synapse %} - {% set http_port = ports.localhost.http['web-app-matrix_synapse'] %} - {% set federation_port = ports.public.federation['web-app-matrix_synapse'] %} + {% set domain = MATRIX_SYNAPSE_DOMAIN | mandatory("MATRIX_SYNAPSE_DOMAIN is required") %} + {% set http_port = MATRIX_SYNAPSE_PORT | mandatory("MATRIX_PORT is required") %} + {% set FEDERATION_PORT = http_port %} - server_name {{domains[application_id].synapse}}; + server_name {{ domain }}; {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %} # For the federation port - listen {{ federation_port }} ssl default_server; - listen [::]:{{ federation_port }} ssl default_server; + listen {{ FEDERATION_PORT }} ssl default_server; + listen [::]:{{ FEDERATION_PORT }} ssl default_server; {% include 'roles/srv-web-7-7-inj-compose/templates/server.conf.j2'%} diff --git a/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 b/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 index ad219c6c..4ebde375 100644 --- a/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 +++ b/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 
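Review bot: `{% set FEDERATION_PORT = http_port %}` makes both `listen ... ssl default_server` directives bind the same port number that `MATRIX_SYNAPSE_PORT` already maps to the synapse container on 127.0.0.1 in the compose template, which looks like a port clash and silently drops the dedicated `ports.public.federation['web-app-matrix_synapse']` value the old template used; if a separate federation port is no longer intended, the two `listen` lines and the `# For the federation port` comment should go, otherwise the public federation port needs its own variable. The `mandatory()` message on the `http_port` line names `MATRIX_PORT` but the variable is `MATRIX_SYNAPSE_PORT`: `{% set http_port = MATRIX_SYNAPSE_PORT | mandatory("MATRIX_SYNAPSE_PORT is required") %}`. Mixing lower-case `domain`/`http_port` with upper-case `FEDERATION_PORT` in three adjacent `set` lines is also worth normalising.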
@@ -18,15 +18,15 @@ database: host: "{{database_host}}" cp_min: 5 cp_max: 10 -log_config: "/data/{{domains[application_id].synapse}}.log.config" +log_config: "{{ MATRIX_SYNAPSE_LOG_PATH_CONTAINER }}" media_store_path: "/data/media_store" registration_shared_secret: "{{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}" report_stats: true macaroon_secret_key: "{{applications | get_app_conf(application_id, 'credentials.macaroon_secret_key', True)}}" form_secret: "{{applications | get_app_conf(application_id, 'credentials.form_secret', True)}}" -signing_key_path: "/data/{{domains[application_id].synapse}}.signing.key" +signing_key_path: "/data/{{ MATRIX_SYNAPSE_DOMAIN }}.signing.key" web_client_location: "{{ WEB_PROTOCOL }}://{{domains[application_id].element}}" -public_baseurl: "{{ WEB_PROTOCOL }}://{{domains[application_id].synapse}}" +public_baseurl: "{{ MATRIX_SYNAPSE_URL }}" trusted_key_servers: - server_name: "matrix.org" admin_contact: 'mailto:{{ users.administrator.email }}' 
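Review bot: `web_client_location` still builds its URL from `domains[application_id].element` while the neighbouring `public_baseurl` was switched to `MATRIX_SYNAPSE_URL` and vars/main.yml now provides `MATRIX_ELEMENT_DOMAIN`; `web_client_location: "{{ WEB_PROTOCOL }}://{{ MATRIX_ELEMENT_DOMAIN }}"` keeps the template on one naming scheme. `log_config` and `signing_key_path` now derive the `/data/` container prefix by two different routes (the `MATRIX_SYNAPSE_LOG_PATH_CONTAINER` variable versus an inline `/data/{{ MATRIX_SYNAPSE_DOMAIN }}.signing.key`); a sibling variable for the signing-key path next to the log-path one would keep that prefix in a single place.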
@@ -40,20 +40,20 @@ email: #require_transport_security: true enable_tls: "{{ system_email.tls | upper }}" notif_from: "Your Friendly %(app)s homeserver <{{ users['no-reply'].email }}>" - app_name: "Matrix on {{domains[application_id].synapse}}" + app_name: "Matrix on {{ MATRIX_SYNAPSE_DOMAIN }}" enable_notifs: true notif_for_new_users: false - client_base_url: "{{domains[application_id].synapse}}" + client_base_url: "{{ MATRIX_SYNAPSE_DOMAIN }}" validation_token_lifetime: 15m {% if applications | get_app_conf(application_id, 'features.oidc', False) %} # @See https://matrix-org.github.io/synapse/latest/openid.html oidc_providers: - idp_id: keycloak - idp_name: "{{oidc.button_text}}" - issuer: "{{oidc.client.issuer_url}}" - client_id: "{{oidc.client.id}}" - client_secret: "{{oidc.client.secret}}" + idp_name: "{{ oidc.button_text }}" + issuer: "{{ oidc.client.issuer_url }}" + client_id: "{{ oidc.client.id }}" + client_secret: "{{ oidc.client.secret }}" scopes: ["openid", "profile"] user_mapping_provider: config: @@ -62,9 +62,9 @@ oidc_providers: backchannel_logout_enabled: true {% endif %} -{% if bridges | bool %} +{% if MATRIX_BRIDGES | bool %} app_service_config_files: -{% for item in bridges %} - - {{registration_file_folder}}{{item.bridge_name}}.registration.yaml +{% for item in MATRIX_BRIDGES %} + - {{ MATRIX_REGISTRATION_FILE_FOLDER }}{{ item.bridge_name }}.registration.yaml {% endfor %} {% endif %} \ No newline at end of file diff --git a/roles/web-app-matrix/templates/synapse/log.config.j2 b/roles/web-app-matrix/templates/synapse/log.config.j2 index fba8335f..ff531984 100644 --- a/roles/web-app-matrix/templates/synapse/log.config.j2 +++ b/roles/web-app-matrix/templates/synapse/log.config.j2 @@ -8,7 +8,7 @@ handlers: file: class: logging.handlers.RotatingFileHandler formatter: precise - filename: /data/{{domains[application_id].synapse}}.homeserver.log + filename: /data/{{ MATRIX_SYNAPSE_DOMAIN }}.homeserver.log maxBytes: 10485760 backupCount: 3 console: 
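Review bot: In the `@@ -62,9 +62,9 @@` hunk, `{% if MATRIX_BRIDGES | bool %}` gates `app_service_config_files` on Ansible's `bool` filter applied to a list; as far as I know that filter only treats real booleans and the strings yes/on/1/true as true, so a non-empty list of bridges evaluates to false and the appservice registration files would never be written into homeserver.yaml (the old `bridges | bool` had the same problem, so the commit carries it over rather than introduces it). The compose template in this same commit already decides the same thing with `{% if MATRIX_BRIDGES | length > 0 %}`; use that here too. The file also ends without a trailing newline.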
diff --git a/roles/web-app-matrix/templates/well-known.j2 b/roles/web-app-matrix/templates/well-known.j2 index 7cb9e4c7..a38af450 100644 --- a/roles/web-app-matrix/templates/well-known.j2 +++ b/roles/web-app-matrix/templates/well-known.j2 @@ -1,3 +1,3 @@ { - "m.server": "{{domains[application_id].synapse}}:{{ WEB_PORT }}" + "m.server": "{{ MATRIX_SYNAPSE_DOMAIN }}:{{ WEB_PORT }}" } \ No newline at end of file diff --git a/roles/web-app-matrix/vars/main.yml b/roles/web-app-matrix/vars/main.yml index 982cb3d3..90506f11 100644 --- a/roles/web-app-matrix/vars/main.yml +++ b/roles/web-app-matrix/vars/main.yml 
@@ -1,20 +1,37 @@ --- # General -application_id: "web-app-matrix" -database_type: "postgres" -registration_file_folder: "/data/" - -# Matrix -matrix_synapse_version: "{{ applications | get_app_conf(application_id, 'docker.services.synapse.version', True) }}" -matrix_synapse_image: "{{ applications | get_app_conf(application_id, 'docker.services.synapse.image', True) }}" -matrix_synapse_name: "{{ applications | get_app_conf(application_id, 'docker.services.synapse.name', True) }}" -matrix_synapse_data: "{{ applications | get_app_conf(application_id, 'docker.volumes.synapse', True) }}" -matrix_element_version: "{{ applications | get_app_conf(application_id, 'docker.services.element.version', True) }}" -matrix_element_image: "{{ applications | get_app_conf(application_id, 'docker.services.element.image', True) }}" -matrix_element_name: "{{ applications | get_app_conf(application_id, 'docker.services.element.name', True) }}" -matrix_project: "{{ application_id | get_entity_name }}" +application_id: "web-app-matrix" +database_type: "postgres" # Webserver -well_known_directory: "{{nginx.directories.data.well_known}}/matrix/" -location_upload: "~ ^/_matrix/media/v3/" -client_max_body_size: "{{ applications | get_app_conf(application_id, 'server.client_max_body_size') }}" +location_upload: "~ ^/_matrix/media/v3/" +client_max_body_size: "{{ applications | get_app_conf(application_id, 'server.client_max_body_size') }}" + +# Matrix + +## General +MATRIX_WELL_KNOWN_DIRECTORY: "{{ NGINX.DIRECTORIES.DATA.WELL_KNOWN }}/matrix/" +MATRIX_WELL_KNOWN_FILE: "{{ MATRIX_WELL_KNOWN_DIRECTORY }}server" +MATRIX_PROJECT: "{{ application_id | get_entity_name }}" +MATRIX_REGISTRATION_FILE_FOLDER: "/data/" + +## Synapse +MATRIX_SYNAPSE_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.synapse.version') }}" +MATRIX_SYNAPSE_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.synapse.image') }}" +MATRIX_SYNAPSE_NAME: "{{ applications | 
get_app_conf(application_id, 'docker.services.synapse.name') }}" +MATRIX_SYNAPSE_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.synapse') }}" +MATRIX_SYNAPSE_DOMAIN: "{{ domains[application_id].synapse }}" +MATRIX_SYNAPSE_PORT: "{{ ports.localhost.http['web-app-matrix_synapse'] }}" +MATRIX_SYNAPSE_CONFIG_PATH_HOST: "{{ docker_compose.directories.config }}homeserver.yaml" +MATRIX_SYNAPSE_CONFIG_PATH_CONTAINER: "/data/homeserver.yaml" +MATRIX_SYNAPSE_LOG_PATH_HOST: "{{ docker_compose.directories.config }}{{ MATRIX_SYNAPSE_DOMAIN }}.log.config" +MATRIX_SYNAPSE_LOG_PATH_CONTAINER: "/data/{{ MATRIX_SYNAPSE_DOMAIN }}.log.config" +MATRIX_SYNAPSE_URL: "{{ WEB_PROTOCOL }}://{{ MATRIX_SYNAPSE_DOMAIN }}" + +## Element +MATRIX_ELEMENT_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.element.version') }}" +MATRIX_ELEMENT_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.element.image') }}" +MATRIX_ELEMENT_NAME: "{{ applications | get_app_conf(application_id, 'docker.services.element.name') }}" +MATRIX_ELEMENT_DOMAIN: "{{ domains[application_id].element }}" +MATRIX_ELEMENT_PORT: "{{ ports.localhost.http['web-app-matrix_element'] }}" +MATRIX_ELEMENT_CONFIG_PATH_HOST: "{{ docker_compose.directories.config }}element-config.json" \ No newline at end of file diff --git a/roles/web-app-mediawiki/tasks/main.yml b/roles/web-app-mediawiki/tasks/main.yml index bf3b2c14..b53daf34 100644 --- a/roles/web-app-mediawiki/tasks/main.yml +++ b/roles/web-app-mediawiki/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-mig/tasks/01_core.yml b/roles/web-app-mig/tasks/01_core.yml index f8fdd8cb..470944fb 100644 --- a/roles/web-app-mig/tasks/01_core.yml +++ b/roles/web-app-mig/tasks/01_core.yml 
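Review bot: The new `MATRIX_SYNAPSE_*` and `MATRIX_ELEMENT_*` lookups drop the trailing `True` argument that the replaced `matrix_*` lines passed to `get_app_conf` (e.g. `'docker.services.synapse.version', True`), while every other `get_app_conf` call in this commit keeps it; if that argument selects strict/required behaviour, a missing config key would now fall through into an empty image tag or container name instead of failing early, so please confirm the intent or restore the argument. `MATRIX_WELL_KNOWN_DIRECTORY` joins with an explicit `/` whereas every other path variable here relies on the previous value already ending in a slash; if `NGINX.DIRECTORIES.DATA.WELL_KNOWN` is known to carry none, a comment such as `# NGINX.DIRECTORIES.DATA.WELL_KNOWN has no trailing slash` prevents a later "cleanup" from breaking the path. The file ends without a trailing newline.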
@@ -16,7 +16,7 @@ set_fact: mig_roles_meta_list: "{{ mig_roles_meta_volume }}list.json" -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-app-mobilizon/tasks/main.yml b/roles/web-app-mobilizon/tasks/main.yml index 12a96a5b..60e1b0c2 100644 --- a/roles/web-app-mobilizon/tasks/main.yml +++ b/roles/web-app-mobilizon/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-moodle/tasks/03_oidc.yml b/roles/web-app-moodle/tasks/03_oidc.yml index 74053323..41d2c5bb 100644 --- a/roles/web-app-moodle/tasks/03_oidc.yml +++ b/roles/web-app-moodle/tasks/03_oidc.yml @@ -25,7 +25,7 @@ - { name: "clientauthmethod", value: 1 } - { name: "clientid", value: "{{ oidc.client.id }}" } - { name: "clientsecret", value: "{{ oidc.client.secret }}" } - - { name: "opname", value: "{{oidc.button_text}}" } + - { name: "opname", value: "{{ oidc.button_text }}" } - { name: "oidcscope", value: "openid profile email" } - { name: "authendpoint", value: "{{ oidc.client.authorize_url }}" } - { name: "tokenendpoint", value: "{{ oidc.client.token_url }}" } diff --git a/roles/web-app-moodle/tasks/main.yml b/roles/web-app-moodle/tasks/main.yml index f6c30be3..55373bd8 100644 --- a/roles/web-app-moodle/tasks/main.yml +++ b/roles/web-app-moodle/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-mybb/tasks/main.yml b/roles/web-app-mybb/tasks/main.yml index 0cea1926..fa9b5952 100644 --- a/roles/web-app-mybb/tasks/main.yml +++ b/roles/web-app-mybb/tasks/main.yml 
@@ -6,13 +6,13 @@ - include_tasks: utils/run_once.yml when: run_once_web_app_mybb is not defined -- name: "include tasks setup-domain.yml with {{domains | get_domain(application_id)}}" +- name: "include tasks setup-domain.yml with {{ domains | get_domain(application_id) }}" include_tasks: setup-domain.yml loop: "{{ mybb_domains + [source_domain] }}" loop_control: loop_var: domain -- name: "load docker and db for {{application_id}}" +- name: "load docker and db for {{ application_id }}" include_role: name: cmp-db-docker diff --git a/roles/web-app-mybb/tasks/setup-domain.yml b/roles/web-app-mybb/tasks/setup-domain.yml index 73d3431f..94636324 100644 --- a/roles/web-app-mybb/tasks/setup-domain.yml +++ b/roles/web-app-mybb/tasks/setup-domain.yml @@ -2,12 +2,12 @@ include_role: name: srv-web-6-6-tls-core vars: - domain: "{{domains | get_domain(application_id)}}" + domain: "{{ domains | get_domain(application_id) }}" -- name: configure {{domains | get_domain(application_id)}}.conf +- name: configure {{ domains | get_domain(application_id) }}.conf template: src: "roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2" - dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf" notify: restart openresty vars: - proxy_extra_configuration: "sub_filter '{{source_domain}}' '{{domains | get_domain(application_id)}}';" + proxy_extra_configuration: "sub_filter '{{source_domain}}' '{{ domains | get_domain(application_id) }}';" diff --git a/roles/web-app-mybb/templates/docker-compose.yml.j2 b/roles/web-app-mybb/templates/docker-compose.yml.j2 index cdad81b8..aae98ece 100644 --- a/roles/web-app-mybb/templates/docker-compose.yml.j2 +++ b/roles/web-app-mybb/templates/docker-compose.yml.j2 
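Review bot: In the setup-domain.yml hunk, `'{{source_domain}}'` is the only expression on the rewritten `proxy_extra_configuration` line that was not re-spaced while the rest of the line was; for consistency with the commit's own convention it should read `proxy_extra_configuration: "sub_filter '{{ source_domain }}' '{{ domains | get_domain(application_id) }}';"`. The `domain` var passed to `srv-web-6-6-tls-core` is computed from `domains | get_domain(application_id)` even though main.yml drives this file through `loop_control: loop_var: domain`, so the loop variable is overwritten on every iteration; if that is intentional, a comment saying so would avoid the obvious question.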
@@ -6,7 +6,7 @@ tag: "mybb_application" image: {{ mybb_image }}:{{ mybb_version }} container_name: {{ mybb_name }} - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} volumes: - data:/var/www/html {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %} @@ -18,7 +18,7 @@ options: tag: "mybb_server" image: nginx:mainline - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:80" volumes: diff --git a/roles/web-app-mybb/vars/main.yml b/roles/web-app-mybb/vars/main.yml index 02c9f953..a0143aae 100644 --- a/roles/web-app-mybb/vars/main.yml +++ b/roles/web-app-mybb/vars/main.yml @@ -2,7 +2,7 @@ application_id: "web-app-mybb" docker_compose_instance_confd_directory: "{{docker_compose.directories.instance}}conf.d/" docker_compose_instance_confd_defaultconf_file: "{{docker_compose_instance_confd_directory}}default.conf" -target_mount_conf_d_directory: "{{nginx.directories.http.servers}}" +target_mount_conf_d_directory: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}" source_domain: "mybb.{{ PRIMARY_DOMAIN }}" database_type: "mariadb" mybb_version: "{{ applications | get_app_conf(application_id, 'docker.services.mybb.version', True) }}" diff --git a/roles/web-app-navigator/tasks/main.yml b/roles/web-app-navigator/tasks/main.yml index dea98ae0..13b6ecfa 100644 --- a/roles/web-app-navigator/tasks/main.yml +++ b/roles/web-app-navigator/tasks/main.yml @@ -14,7 +14,7 @@ command: pkgmgr path infinito register: path_infinito_output -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-app-nextcloud/docs/Update.md b/roles/web-app-nextcloud/docs/Update.md index 21705c27..1d656e52 100644 --- a/roles/web-app-nextcloud/docs/Update.md +++ b/roles/web-app-nextcloud/docs/Update.md 
@@ -41,10 +41,10 @@ and disable any non-functioning apps. ## Recover Latest Backup 💾 ```bash -cd {{path_docker_compose_instances}}nextcloud && +cd {{ PATH_DOCKER_COMPOSE_INSTANCES }}nextcloud && docker-compose down && docker-compose exec -i database mysql -u nextcloud -pPASSWORT nextcloud < "/Backups/$(sha256sum /etc/machine-id | head -c 64)/sys-bkp-docker-2-loc/latest/nextcloud_database/sql/backup.sql" && -cd {{path_administrator_scripts}}sys-bkp-docker-2-loc && +cd {{ PATH_ADMINISTRATOR_SCRIPTS }}sys-bkp-docker-2-loc && bash ./recover-web-app-from-local.sh "nextcloud_data" "$(sha256sum /etc/machine-id | head -c 64)" ``` diff --git a/roles/web-app-nextcloud/tasks/main.yml b/roles/web-app-nextcloud/tasks/main.yml index 6d57fa5a..c310d8eb 100644 --- a/roles/web-app-nextcloud/tasks/main.yml +++ b/roles/web-app-nextcloud/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "include role for {{application_id}} to receive certs & do modification routines" +- name: "include role for {{ application_id }} to receive certs & do modification routines" include_role: name: srv-web-7-6-composer @@ -9,7 +9,7 @@ dest: "{{ nextcloud_host_nginx_path }}" notify: restart openresty -- name: "load docker and db for {{application_id}}" +- name: "load docker and db for {{ application_id }}" include_role: name: cmp-db-docker vars: diff --git a/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 b/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 index c71b2d0a..e41cc506 100644 --- a/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 +++ b/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 
@@ -11,17 +11,17 @@ return array ( 'lost_password_link' => 'disabled', // URL of provider. All other URLs are auto-discovered from .well-known - 'oidc_login_provider_url' => '{{oidc.client.issuer_url}}', + 'oidc_login_provider_url' => '{{ oidc.client.issuer_url }}', // Client ID and secret registered with the provider - 'oidc_login_client_id' => '{{oidc.client.id}}', - 'oidc_login_client_secret' => '{{oidc.client.secret}}', + 'oidc_login_client_id' => '{{ oidc.client.id }}', + 'oidc_login_client_secret' => '{{ oidc.client.secret }}', // Automatically redirect the login page to the provider 'oidc_login_auto_redirect' => true, // Redirect to this page after logging out the user - 'oidc_login_logout_url' => 'https://{{domains | get_domain(application_id)}}', + 'oidc_login_logout_url' => 'https://{{ domains | get_domain(application_id) }}', // If set to true the user will be redirected to the // logout endpoint of the OIDC provider after logout @@ -36,7 +36,7 @@ return array ( 'oidc_login_default_quota' => '{{applications | get_app_conf(application_id, 'default_quota', True)}}', // Login button text - 'oidc_login_button_text' => '{{oidc.button_text}}', + 'oidc_login_button_text' => '{{ oidc.button_text }}', // Hide the NextCloud password change form. 'oidc_login_hide_password_form' => true, diff --git a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 b/roles/web-app-nextcloud/templates/docker-compose.yml.j2 index 0bb743c3..6dbb651b 100644 --- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 +++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2 @@ -37,7 +37,7 @@ container_name: "{{ nextcloud_proxy_name }}" logging: driver: journald - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}" volumes: 
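Review bot: `'oidc_login_client_secret' => '{{ oidc.client.secret }}',` interpolates the secret into a single-quoted PHP literal without any escaping, so a secret containing `'` or `\` either breaks the config or silently changes the value; the `oidc_login_client_id` line just above has the same exposure. Escape before interpolating, e.g. `'oidc_login_client_secret' => '{{ oidc.client.secret | replace('\\', '\\\\') | replace("'", "\\'") }}',`. The permissions of the rendered file are not visible in this diff; since it carries the client secret it should not be world-readable.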
@@ -53,7 +53,7 @@ cron: container_name: "{{ nextcloud_cron_name }}" image: "{{ nextcloud_image }}:{{ nextcloud_version }}" - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} logging: driver: journald volumes: diff --git a/roles/web-app-nextcloud/templates/nginx/host.conf.j2 b/roles/web-app-nextcloud/templates/nginx/host.conf.j2 index 29ca7207..6ff93c48 100644 --- a/roles/web-app-nextcloud/templates/nginx/host.conf.j2 +++ b/roles/web-app-nextcloud/templates/nginx/host.conf.j2 @@ -2,7 +2,7 @@ server { - server_name {{domain}}; + server_name {{ domain }}; {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %} diff --git a/roles/web-app-nextcloud/vars/main.yml b/roles/web-app-nextcloud/vars/main.yml index 656babab..e5e2ad2f 100644 --- a/roles/web-app-nextcloud/vars/main.yml +++ b/roles/web-app-nextcloud/vars/main.yml @@ -23,7 +23,7 @@ nextcloud_control_node_plugin_tasks_directory: "{{role_path}}/tasks/plugins/" ## Host Paths nextcloud_host_config_additives_directory: "{{ docker_compose.directories.volumes }}infinito/" # This folder is the path to which the additive configurations will be copied nextcloud_host_include_instructions_file: "{{ docker_compose.directories.volumes }}includes.php" # Path to the instruction file on the host. Responsible for loading the additional configurations -nextcloud_host_nginx_path: "{{ nginx.directories.http.servers }}{{ domains | get_domain(application_id) }}.conf" # Nginx path for proxy conf +nextcloud_host_nginx_path: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf" # Nginx path for proxy conf # Docker diff --git a/roles/web-app-nextcloud/vars/system.yml b/roles/web-app-nextcloud/vars/system.yml index 9d75f3b2..583386c3 100644 --- a/roles/web-app-nextcloud/vars/system.yml +++ b/roles/web-app-nextcloud/vars/system.yml 
@@ -15,7 +15,7 @@ nextcloud_system_config: value: "{{ HOST_LL | upper }}" - parameter: "trusted_domains 0" - value: "{{domains | get_domain(application_id)}}" + value: "{{ domains | get_domain(application_id) }}" - parameter: "overwrite.cli.url" value: "{{ domains | get_url(application_id, WEB_PROTOCOL) }}" \ No newline at end of file diff --git a/roles/web-app-oauth2-proxy/tasks/main.yml b/roles/web-app-oauth2-proxy/tasks/main.yml index b13588e3..2327b822 100644 --- a/roles/web-app-oauth2-proxy/tasks/main.yml +++ b/roles/web-app-oauth2-proxy/tasks/main.yml @@ -5,9 +5,9 @@ It is a helper role only. Direct use would lead to confusion due to application_id mismatch. when: role_name == "web-app-oauth2-proxy" -- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{( application_id | get_docker_paths(path_docker_compose_instances) ).directories.volumes }}" +- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{( application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) ).directories.volumes }}" template: src: "{{ playbook_dir }}/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2" - dest: "{{( application_id | get_docker_paths(path_docker_compose_instances) ).directories.volumes }}{{applications | get_app_conf('web-app-oauth2-proxy','configuration_file')}}" + dest: "{{( application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) ).directories.volumes }}{{applications | get_app_conf('web-app-oauth2-proxy','configuration_file')}}" notify: - docker compose up \ No newline at end of file diff --git a/roles/web-app-oauth2-proxy/templates/container.yml.j2 b/roles/web-app-oauth2-proxy/templates/container.yml.j2 index a133308a..fe1ed952 100644 --- a/roles/web-app-oauth2-proxy/templates/container.yml.j2 +++ b/roles/web-app-oauth2-proxy/templates/container.yml.j2 
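Review bot: The `template` task that writes `{{( application_id | get_docker_paths(PATH_DOCKER_COMPOSE_INSTANCES) ).directories.volumes }}{{applications | get_app_conf('web-app-oauth2-proxy','configuration_file')}}` sets no `owner`, `group` or `mode`, so the rendered file gets whatever the remote umask yields (typically world-readable). An oauth2-proxy config of this kind normally holds the OIDC client secret and the cookie secret — the template body itself is not in the hunk, so please confirm — and should be written with `mode: "0600"` plus an explicit `owner` matching the account the container reads it as. Minor: the same `dest` line still mixes the spaced `{{ … }}` form with `{{applications | …}}`, which the rest of the commit is normalizing.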
@@ -1,7 +1,7 @@ {% if applications | get_app_conf(application_id, 'features.oauth2', False) %} oauth2-proxy: image: quay.io/oauth2-proxy/oauth2-proxy:{{applications['web-app-oauth2-proxy'].version}} - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} command: --config /oauth2-proxy.cfg hostname: oauth2-proxy ports: diff --git a/roles/web-app-openproject/tasks/main.yml b/roles/web-app-openproject/tasks/main.yml index 2523c2ac..62d64862 100644 --- a/roles/web-app-openproject/tasks/main.yml +++ b/roles/web-app-openproject/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-openproject/templates/env.j2 b/roles/web-app-openproject/templates/env.j2 index 22dcdc96..092905a7 100644 --- a/roles/web-app-openproject/templates/env.j2 +++ b/roles/web-app-openproject/templates/env.j2 @@ -7,7 +7,7 @@ # https://www.openproject.org/docs/installation-and-operations/configuration/environment/ # OPENPROJECT_HTTPS=true -OPENPROJECT_HOST__NAME={{domains | get_domain(application_id)}} +OPENPROJECT_HOST__NAME={{ domains | get_domain(application_id) }} OPENPROJECT_RAILS__RELATIVE__URL__ROOT= IMAP_ENABLED=false POSTGRES_PASSWORD="{{ database_password }}" diff --git a/roles/web-app-peertube/Administration.md b/roles/web-app-peertube/Administration.md index c7b161b2..2934f461 100644 --- a/roles/web-app-peertube/Administration.md +++ b/roles/web-app-peertube/Administration.md @@ -7,7 +7,7 @@ watch -n 2 "docker ps -a | grep peertube" ## clean rebuild ```bash -cd {{path_docker_compose_instances}}peertube/ && +cd {{ PATH_DOCKER_COMPOSE_INSTANCES }}peertube/ && docker-compose down docker volume rm peertube_assets peertube_config peertube_data peertube_database peertube_redis docker-compose up -d 
diff --git a/roles/web-app-peertube/tasks/create-domains.yml b/roles/web-app-peertube/tasks/create-domains.yml index 005d410e..45652dc8 100644 --- a/roles/web-app-peertube/tasks/create-domains.yml +++ b/roles/web-app-peertube/tasks/create-domains.yml @@ -1,9 +1,9 @@ -- name: "include role for {{application_id}} to receive certs & do modification routines" +- name: "include role for {{ application_id }} to receive certs & do modification routines" include_role: name: srv-web-7-6-composer -- name: configure {{domain}}.conf +- name: configure {{ domain }}.conf template: src: "templates/peertube.conf.j2" - dest: "{{nginx.directories.http.servers}}{{domain}}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf" notify: restart openresty \ No newline at end of file diff --git a/roles/web-app-peertube/tasks/main.yml b/roles/web-app-peertube/tasks/main.yml index 1170abbb..261a34c6 100644 --- a/roles/web-app-peertube/tasks/main.yml +++ b/roles/web-app-peertube/tasks/main.yml @@ -9,7 +9,7 @@ http_port: "{{ ports.localhost.http[application_id] }}" ws_port: "{{ ports.localhost.http[application_id] }}" -- name: "load docker and db for {{application_id}}" +- name: "load docker and db for {{ application_id }}" include_role: name: cmp-db-docker diff --git a/roles/web-app-peertube/templates/env.j2 b/roles/web-app-peertube/templates/env.j2 index a378a0dd..bc412fd3 100644 --- a/roles/web-app-peertube/templates/env.j2 +++ b/roles/web-app-peertube/templates/env.j2 @@ -8,7 +8,7 @@ PEERTUBE_DB_SSL=false PEERTUBE_DB_HOSTNAME={{database_host}} # PeerTube server configuration -PEERTUBE_WEBSERVER_HOSTNAME={{domains | get_domain(application_id)}} +PEERTUBE_WEBSERVER_HOSTNAME={{ domains | get_domain(application_id) }} PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback"] PEERTUBE_SECRET={{applications | get_app_conf(application_id, 'credentials.secret', True)}} 
diff --git a/roles/web-app-peertube/templates/peertube.conf.j2 b/roles/web-app-peertube/templates/peertube.conf.j2 index fac278e1..e4649c52 100644 --- a/roles/web-app-peertube/templates/peertube.conf.j2 +++ b/roles/web-app-peertube/templates/peertube.conf.j2 @@ -1,5 +1,5 @@ server { - server_name {{domain}}; + server_name {{ domain }}; {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %} diff --git a/roles/web-app-pgadmin/tasks/main.yml b/roles/web-app-pgadmin/tasks/main.yml index 6f4fc523..125d4dba 100644 --- a/roles/web-app-pgadmin/tasks/main.yml +++ b/roles/web-app-pgadmin/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-app-pgadmin/vars/db_config.yml b/roles/web-app-pgadmin/vars/db_config.yml index 668e8528..4f4352b8 100644 --- a/roles/web-app-pgadmin/vars/db_config.yml +++ b/roles/web-app-pgadmin/vars/db_config.yml @@ -9,6 +9,6 @@ pgadmin_servers: port: "{{ database_port }}" username: "postgres" maintenance_db: "postgres" - password: "{{ applications['svc-db-postgres'].credentials.postgres_password }}" + password: "{{ applications['svc-db-postgres'].credentials.POSTGRES_PASSWORD }}" # Here you can add more databases \ No newline at end of file diff --git a/roles/web-app-phpldapadmin/tasks/main.yml b/roles/web-app-phpldapadmin/tasks/main.yml index a2a7e64d..ad73b756 100644 --- a/roles/web-app-phpldapadmin/tasks/main.yml +++ b/roles/web-app-phpldapadmin/tasks/main.yml @@ -1,3 +1,3 @@ -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy \ No newline at end of file diff --git a/roles/web-app-phpmyadmin/tasks/main.yml b/roles/web-app-phpmyadmin/tasks/main.yml index 4f8b5d7a..1339daae 100644 --- a/roles/web-app-phpmyadmin/tasks/main.yml +++ b/roles/web-app-phpmyadmin/tasks/main.yml 
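Review bot: `password: "{{ applications['svc-db-postgres'].credentials.POSTGRES_PASSWORD }}"` in pgadmin's db_config.yml renames the credentials key from `postgres_password`, but the svc-db-postgres role and the configuration that defines that key are not in this diff. Unless they were renamed in the same commit, the expression is undefined and rendering the pgadmin servers file fails — or, with a lenient undefined setting, ships an empty superuser password. Either keep the old key or confirm the producer side was renamed too; an `ansible.builtin.assert` with `that: applications['svc-db-postgres'].credentials.POSTGRES_PASSWORD is defined` before the file is used would make the failure explicit.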
@@ -1,4 +1,4 @@ --- -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-app-pixelfed/Administration.md b/roles/web-app-pixelfed/Administration.md index d4100863..a5d581ba 100644 --- a/roles/web-app-pixelfed/Administration.md +++ b/roles/web-app-pixelfed/Administration.md @@ -101,7 +101,7 @@ docker volume rm pixelfed_application_data pixelfed_database pixelfed_redis To update your Pixelfed instance, navigate to the directory where your `docker-compose.yml` file is located and run these commands: ```bash -cd {{path_docker_compose_instances}}pixelfed/ && +cd {{ PATH_DOCKER_COMPOSE_INSTANCES }}pixelfed/ && docker-compose down && docker network prune -f && docker-compose pull && diff --git a/roles/web-app-pixelfed/tasks/main.yml b/roles/web-app-pixelfed/tasks/main.yml index 15a8c7ac..5278a660 100644 --- a/roles/web-app-pixelfed/tasks/main.yml +++ b/roles/web-app-pixelfed/tasks/main.yml @@ -1,4 +1,4 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-pixelfed/templates/env.j2 b/roles/web-app-pixelfed/templates/env.j2 index 91e4d60f..96654784 100644 --- a/roles/web-app-pixelfed/templates/env.j2 +++ b/roles/web-app-pixelfed/templates/env.j2 
@@ -6,9 +6,9 @@ APP_NAME="{{ pixelfed_titel }}" APP_ENV={{ ENVIRONMENT | lower }} APP_DEBUG={{MODE_DEBUG | string | lower }} APP_URL={{ domains | get_url(application_id, WEB_PROTOCOL) }} -APP_DOMAIN="{{domains | get_domain(application_id)}}" -ADMIN_DOMAIN="{{domains | get_domain(application_id)}}" -SESSION_DOMAIN="{{domains | get_domain(application_id)}}" +APP_DOMAIN="{{ domains | get_domain(application_id) }}" +ADMIN_DOMAIN="{{ domains | get_domain(application_id) }}" +SESSION_DOMAIN="{{ domains | get_domain(application_id) }}" OPEN_REGISTRATION=false ENFORCE_EMAIL_VERIFICATION=false @@ -147,8 +147,8 @@ PF_OIDC_PROFILE_URL="{{ oidc.client.user_info_url }}" PF_OIDC_LOGOUT_URL="{{oidc.client.logout_url}}" PF_OIDC_USERNAME_FIELD="{{oidc.attributes.username}}" PF_OIDC_FIELD_ID="{{oidc.attributes.username}}" -PF_OIDC_CLIENT_SECRET={{oidc.client.secret}} -PF_OIDC_CLIENT_ID={{oidc.client.id}} +PF_OIDC_CLIENT_SECRET={{ oidc.client.secret }} +PF_OIDC_CLIENT_ID={{ oidc.client.id }} PF_OIDC_SCOPES="openid profile email" {% endif %} \ No newline at end of file diff --git a/roles/web-app-port-ui/tasks/01_core.yml b/roles/web-app-port-ui/tasks/01_core.yml index 83abea09..6f49e37a 100644 --- a/roles/web-app-port-ui/tasks/01_core.yml +++ b/roles/web-app-port-ui/tasks/01_core.yml @@ -1,7 +1,7 @@ - name: "Validate configuration" include_tasks: "02_validate.yml" -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-app-port-ui/templates/menu/applications.yml.j2 b/roles/web-app-port-ui/templates/menu/applications.yml.j2 index 2c3fdfc0..363b8a62 100644 --- a/roles/web-app-port-ui/templates/menu/applications.yml.j2 +++ b/roles/web-app-port-ui/templates/menu/applications.yml.j2 
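Review bot: `PF_OIDC_CLIENT_SECRET={{ oidc.client.secret }}` and `PF_OIDC_CLIENT_ID={{ oidc.client.id }}` are the only values in this block left unquoted, while the neighbouring `PF_OIDC_LOGOUT_URL="…"` and `PF_OIDC_USERNAME_FIELD="…"` are double-quoted. Whether the file is read by compose's `env_file` parser or by Laravel's dotenv loader, an unquoted value ends at the first ` #`, so a generated secret containing that sequence would be silently truncated. Quote both: `PF_OIDC_CLIENT_SECRET="{{ oidc.client.secret }}"` and `PF_OIDC_CLIENT_ID="{{ oidc.client.id }}"` (single quotes if the secret must stay fully literal, since `${…}` is still interpolated inside double quotes by dotenv). The commit also left `{{oidc.client.logout_url}}` and `{{oidc.attributes.username}}` in the unspaced form it is otherwise removing.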
@@ -38,13 +38,13 @@ applications: description: Update your personal admin settings icon: class: fa-solid fa-user-gear - url: {{ keycloak_url }}/realms/{{oidc.client.id}}/account + url: {{ keycloak_url }}/realms/{{ oidc.client.id }}/account iframe: {{ applications | get_app_conf( 'web-app-keycloak', 'features.desktop', False) }} - name: Logout description: End your admin session securely icon: class: fa-solid fa-right-from-bracket - url: {{ keycloak_url }}/realms/{{oidc.client.id}}/protocol/openid-connect/logout + url: {{ keycloak_url }}/realms/{{ oidc.client.id }}/protocol/openid-connect/logout iframe: false {% endif %} diff --git a/roles/web-app-pretix/tasks/main.yml b/roles/web-app-pretix/tasks/main.yml index 0c2efe3d..7369fdcd 100644 --- a/roles/web-app-pretix/tasks/main.yml +++ b/roles/web-app-pretix/tasks/main.yml @@ -1,6 +1,6 @@ --- - block: - - name: "load docker and db for {{application_id}}" + - name: "load docker and db for {{ application_id }}" include_role: name: cmp-db-docker - include_tasks: utils/run_once.yml diff --git a/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 b/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 index f143683e..42fd9a37 100644 --- a/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 +++ b/roles/web-app-roulette-wheel/templates/docker-compose.yml.j2 @@ -5,6 +5,6 @@ context: . ports: - 127.0.0.1:{{ports.localhost.http[application_id]}}:8080 - restart: {{DOCKER_RESTART_POLICY}} + restart: {{ DOCKER_RESTART_POLICY }} {% include 'roles/docker-compose/templates/networks.yml.j2' %} \ No newline at end of file diff --git a/roles/web-app-snipe-it/tasks/main.yml b/roles/web-app-snipe-it/tasks/main.yml index 9e10a6e9..c1f1107d 100644 --- a/roles/web-app-snipe-it/tasks/main.yml +++ b/roles/web-app-snipe-it/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy 
diff --git a/roles/web-app-sphinx/tasks/main.yml b/roles/web-app-sphinx/tasks/main.yml index aeb900b7..e75ebc17 100644 --- a/roles/web-app-sphinx/tasks/main.yml +++ b/roles/web-app-sphinx/tasks/main.yml @@ -13,7 +13,7 @@ command: pkgmgr path infinito-sphinx register: path_infinito_sphinx_output -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-app-syncope/tasks/main.yml b/roles/web-app-syncope/tasks/main.yml index cde07813..42165351 100644 --- a/roles/web-app-syncope/tasks/main.yml +++ b/roles/web-app-syncope/tasks/main.yml @@ -1,16 +1,16 @@ --- -- name: "include role for {{application_id}} to receive certs & do modification routines" +- name: "include role for {{ application_id }} to receive certs & do modification routines" include_role: name: srv-web-7-6-composer -- name: "load docker and db for {{application_id}}" +- name: "load docker and db for {{ application_id }}" include_role: name: cmp-db-docker -- name: configure {{domain}}.conf +- name: configure {{ domain }}.conf template: src: "templates/proxy.conf.j2" - dest: "{{nginx.directories.http.servers}}{{domain}}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf" notify: restart openresty - name: "create {{docker_compose.files.env}}" diff --git a/roles/web-app-syncope/templates/proxy.conf b/roles/web-app-syncope/templates/proxy.conf index 2fd72f68..8f13e696 100644 --- a/roles/web-app-syncope/templates/proxy.conf +++ b/roles/web-app-syncope/templates/proxy.conf @@ -1,6 +1,6 @@ server { - server_name {{domain}}; + server_name {{ domain }}; {% if applications | get_app_conf(application_id, 'features.oauth2', False) %} {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%} diff --git a/roles/web-app-taiga/tasks/main.yml b/roles/web-app-taiga/tasks/main.yml index ef509746..932eca13 100644 --- a/roles/web-app-taiga/tasks/main.yml 
+++ b/roles/web-app-taiga/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-app-taiga/templates/env.j2 b/roles/web-app-taiga/templates/env.j2 index b3468a65..bdeb6639 100644 --- a/roles/web-app-taiga/templates/env.j2 +++ b/roles/web-app-taiga/templates/env.j2 @@ -1,6 +1,6 @@ # Taiga's URLs - Variables to define where Taiga should be served TAIGA_SITES_SCHEME = https # serve Taiga using "http" or "https" (secured) connection -TAIGA_SITES_DOMAIN = "{{domains | get_domain(application_id)}}" # Taiga's base URL +TAIGA_SITES_DOMAIN = "{{ domains | get_domain(application_id) }}" # Taiga's base URL TAIGA_SUBPATH = "" # it'll be appended to the TAIGA_DOMAIN (use either "" or a "/subpath") WEBSOCKETS_SCHEME = wss # events connection protocol (use either "ws" or "wss") @@ -73,9 +73,9 @@ ENABLE_OPENID=True OPENID_URL="{{oidc.client.authorize_url}}" OPENID_USER_URL="{{oidc.client.user_info_url}}" OPENID_TOKEN_URL="{{oidc.client.token_url}}" -OPENID_CLIENT_ID="{{oidc.client.id}}" -OPENID_CLIENT_SECRET="{{oidc.client.secret}}" -OPENID_NAME="{{oidc.button_text}}" +OPENID_CLIENT_ID="{{ oidc.client.id }}" +OPENID_CLIENT_SECRET="{{ oidc.client.secret }}" +OPENID_NAME="{{ oidc.button_text }}" OPENID_USERNAME_FIELD="{{oidc.attributes.username}}" # Optional: # OPENID_ID_FIELD="sub" diff --git a/roles/web-app-wordpress/tasks/main.yml b/roles/web-app-wordpress/tasks/main.yml index 75347b1b..82ff660a 100644 --- a/roles/web-app-wordpress/tasks/main.yml +++ b/roles/web-app-wordpress/tasks/main.yml @@ -9,7 +9,7 @@ proxy_extra_configuration: "client_max_body_size {{ wordpress_max_upload_size }};" http_port: "{{ ports.localhost.http[application_id] }}" -- name: "load docker and db for {{application_id}}" +- name: "load docker and db for {{ application_id }}" include_role: name: cmp-db-docker vars: 
diff --git a/roles/web-app-yourls/tasks/main.yml b/roles/web-app-yourls/tasks/main.yml index 94075d9c..859e503f 100644 --- a/roles/web-app-yourls/tasks/main.yml +++ b/roles/web-app-yourls/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: "load docker, db and proxy for {{application_id}}" +- name: "load docker, db and proxy for {{ application_id }}" include_role: name: cmp-db-docker-proxy diff --git a/roles/web-opt-rdr-domains/tasks/redirect-domain.yml b/roles/web-opt-rdr-domains/tasks/redirect-domain.yml index 6927477c..2a415d6f 100644 --- a/roles/web-opt-rdr-domains/tasks/redirect-domain.yml +++ b/roles/web-opt-rdr-domains/tasks/redirect-domain.yml @@ -5,5 +5,5 @@ - name: "Deploying NGINX redirect configuration for {{ domain }}" template: src: redirect.domain.nginx.conf.j2 - dest: "{{ nginx.directories.http.servers }}{{ domain }}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf" notify: restart openresty \ No newline at end of file diff --git a/roles/web-svc-asset/tasks/main.yml b/roles/web-svc-asset/tasks/main.yml index 79ecbb29..4a76adf0 100644 --- a/roles/web-svc-asset/tasks/main.yml +++ b/roles/web-svc-asset/tasks/main.yml @@ -3,5 +3,5 @@ ansible.builtin.copy: src: "{{ source_directory }}" dest: "{{ target_directory }}" - owner: "{{ nginx.user }}" - group: "{{ nginx.user }}" + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" diff --git a/roles/web-svc-asset/vars/main.yml b/roles/web-svc-asset/vars/main.yml index 2d7b578d..42166da1 100644 --- a/roles/web-svc-asset/vars/main.yml +++ b/roles/web-svc-asset/vars/main.yml 
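Review bot: The `ansible.builtin.copy` task in web-svc-asset sets `owner`/`group` to `{{ NGINX.USER }}` but no `mode`, so newly created files get the remote umask default and pre-existing files keep whatever mode they already have — the served tree's permissions are not deterministic across runs. Add `mode: "u=rwX,g=rX,o=rX"` and `directory_mode: "0755"` for the recursive copy. Separately, a static asset tree only needs to be readable by the web-server user; making that user the owner lets a compromised worker process rewrite what is served, so `owner: root` with a world-readable mode is the tighter choice unless something else must write there.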
@@ -1,3 +1,3 @@ application_id: "web-svc-asset" # Application identifier source_directory: "{{ applications | get_app_conf(application_id, 'source_directory', True) }}/" # Source directory from which the files are coming from -target_directory: "{{ nginx.directories.data.files }}assets" # Directory to which the files will be copied +target_directory: "{{ NGINX.DIRECTORIES.DATA.FILES }}assets" # Directory to which the files will be copied diff --git a/roles/web-svc-cdn/tasks/01_core.yml b/roles/web-svc-cdn/tasks/01_core.yml index 63f2ff08..fef8ffd6 100644 --- a/roles/web-svc-cdn/tasks/01_core.yml +++ b/roles/web-svc-cdn/tasks/01_core.yml @@ -5,7 +5,7 @@ - srv-web-7-6-https - dev-git -- name: "include role for {{application_id}} to receive certs & do modification routines" +- name: "include role for {{ application_id }} to receive certs & do modification routines" include_role: name: srv-web-7-6-composer vars: @@ -14,5 +14,5 @@ - name: "generate '{{ CDN_NGINX_FILE }}'" template: src: "nginx.conf.j2" - dest: "{{ nginx.directories.http.servers }}{{ CDN_NGINX_FILE }}" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ CDN_NGINX_FILE }}" notify: restart openresty \ No newline at end of file diff --git a/roles/web-svc-cdn/templates/nginx.conf.j2 b/roles/web-svc-cdn/templates/nginx.conf.j2 index 0be047ca..ecd973a7 100644 --- a/roles/web-svc-cdn/templates/nginx.conf.j2 +++ b/roles/web-svc-cdn/templates/nginx.conf.j2 @@ -12,7 +12,7 @@ server location / { - alias {{ nginx.directories.data.cdn }}; {# Path to your file directory #} + alias {{ NGINX.DIRECTORIES.DATA.CDN }}; {# Path to your file directory #} autoindex on; {# Enable directory listing #} autoindex_exact_size off; {# Display sizes in a human-readable format #} autoindex_localtime on; {# Show local time #} @@ -20,7 +20,7 @@ server } location /.well-known/ { - alias {{nginx.directories.data.well_known}}; + alias {{NGINX.DIRECTORIES.DATA.WELL_KNOWN}}; allow all; default_type "text/plain"; autoindex on; 
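Review bot: In the cdn nginx.conf.j2 `location /.well-known/` block, `alias {{NGINX.DIRECTORIES.DATA.WELL_KNOWN}};` is followed by `allow all;` and `autoindex on;`, so anyone can enumerate the file names under that directory; ACME challenge tokens and similar well-known resources are fetched by exact path and never need a listing. Unless browsing it is intended, change that line to `autoindex off;` (the listing on `location /` may be a deliberate CDN feature, which is a product decision). Two smaller points: the `alias {{ NGINX.DIRECTORIES.DATA.CDN }}` hunk above got the spaced form while this one keeps `{{NGINX.DIRECTORIES.DATA.WELL_KNOWN}}`, and an `alias` inside a `/.well-known/` location must end with `/` — worth confirming the renamed variable still carries the trailing slash.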
diff --git a/roles/web-svc-file/tasks/main.yml b/roles/web-svc-file/tasks/main.yml index 3603208d..8786edfe 100644 --- a/roles/web-svc-file/tasks/main.yml +++ b/roles/web-svc-file/tasks/main.yml @@ -8,15 +8,15 @@ - include_tasks: utils/run_once.yml when: run_once_web_svc_file is not defined -- name: "include role for {{application_id}} to receive certs & do modification routines" +- name: "include role for {{ application_id }} to receive certs & do modification routines" include_role: name: srv-web-7-6-composer vars: domain: "{{ domains | get_domain(application_id) }}" http_port: "{{ ports.localhost.http[application_id] }}" -- name: "generate {{domains | get_domain(application_id)}}.conf" +- name: "generate {{ domains | get_domain(application_id) }}.conf" template: src: "nginx.conf.j2" - dest: "{{ nginx.directories.http.servers }}{{ domains | get_domain(application_id) }}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf" notify: restart openresty diff --git a/roles/web-svc-file/templates/nginx.conf.j2 b/roles/web-svc-file/templates/nginx.conf.j2 index 060882ea..a9c36d32 100644 --- a/roles/web-svc-file/templates/nginx.conf.j2 +++ b/roles/web-svc-file/templates/nginx.conf.j2 @@ -1,6 +1,6 @@ server { - server_name {{domains | get_domain(application_id)}}; + server_name {{ domains | get_domain(application_id) }}; {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %} @@ -12,7 +12,7 @@ server location / { - alias {{nginx.directories.data.files}}; {# Path to your file directory #} + alias {{NGINX.DIRECTORIES.DATA.FILES}}; {# Path to your file directory #} autoindex on; {# Enable directory listing #} autoindex_exact_size off; {# Display sizes in a human-readable format #} autoindex_localtime on; {# Show local time #} 
@@ -20,7 +20,7 @@ server } location /.well-known/ { - alias {{nginx.directories.data.well_known}}; + alias {{NGINX.DIRECTORIES.DATA.WELL_KNOWN}}; allow all; default_type "text/plain"; autoindex on; diff --git a/roles/web-svc-html/tasks/main.yml b/roles/web-svc-html/tasks/main.yml index 549fe618..598733e1 100644 --- a/roles/web-svc-html/tasks/main.yml +++ b/roles/web-svc-html/tasks/main.yml @@ -8,15 +8,15 @@ - include_tasks: utils/run_once.yml when: run_once_web_svc_html is not defined -- name: "include role for {{application_id}} to receive certs & do modification routines" +- name: "include role for {{ application_id }} to receive certs & do modification routines" include_role: name: srv-web-7-6-composer vars: - domain: "{{domains | get_domain(application_id)}}" + domain: "{{ domains | get_domain(application_id) }}" http_port: "{{ ports.localhost.http[application_id] }}" -- name: "generate {{domains | get_domain(application_id)}}.conf" +- name: "generate {{ domains | get_domain(application_id) }}.conf" template: src: "nginx.conf.j2" - dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf" + dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf" notify: restart openresty diff --git a/roles/web-svc-html/templates/nginx.conf.j2 b/roles/web-svc-html/templates/nginx.conf.j2 index d9e04ef4..c4db40a4 100644 --- a/roles/web-svc-html/templates/nginx.conf.j2 +++ b/roles/web-svc-html/templates/nginx.conf.j2 @@ -1,6 +1,6 @@ server { - server_name {{domains | get_domain(application_id)}}; + server_name {{ domains | get_domain(application_id) }}; {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %} 
@@ -12,13 +12,13 @@ server location / { - root {{nginx.directories.data.html}}; + root {{NGINX.DIRECTORIES.DATA.HTML}}; index index.html index.htm; {% include 'roles/srv-web-7-7-inj-compose/templates/location.lua.j2' %} } location /.well-known/ { - alias {{nginx.directories.data.well_known}}; + alias {{NGINX.DIRECTORIES.DATA.WELL_KNOWN}}; allow all; default_type "text/plain"; autoindex on; diff --git a/roles/web-svc-html/vars/main.yml b/roles/web-svc-html/vars/main.yml index 5ac8d613..f277de2f 100644 --- a/roles/web-svc-html/vars/main.yml +++ b/roles/web-svc-html/vars/main.yml @@ -1,2 +1,2 @@ application_id: "web-svc-html" -domain: "{{domains | get_domain(application_id)}}" +domain: "{{ domains | get_domain(application_id) }}" diff --git a/roles/web-svc-legal/tasks/main.yml b/roles/web-svc-legal/tasks/main.yml index 85b776e8..34580d75 100644 --- a/roles/web-svc-legal/tasks/main.yml +++ b/roles/web-svc-legal/tasks/main.yml @@ -2,6 +2,6 @@ - name: copy imprint.html template: src: "imprint.html.j2" - dest: "{{nginx.directories.data.html}}imprint.html" - owner: "{{nginx.user}}" - group: "{{nginx.user}}" \ No newline at end of file + dest: "{{NGINX.DIRECTORIES.DATA.HTML}}imprint.html" + owner: "{{ NGINX.USER }}" + group: "{{ NGINX.USER }}" \ No newline at end of file diff --git a/roles/web-svc-logout/tasks/main.yml b/roles/web-svc-logout/tasks/main.yml index 2c223016..9cc61c4e 100644 --- a/roles/web-svc-logout/tasks/main.yml +++ b/roles/web-svc-logout/tasks/main.yml @@ -1,6 +1,6 @@ --- - block: - - name: "load docker, proxy for '{{application_id}}'" + - name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/roles/web-svc-simpleicons/tasks/main.yml b/roles/web-svc-simpleicons/tasks/main.yml index 527f9677..2774db25 100644 --- a/roles/web-svc-simpleicons/tasks/main.yml +++ b/roles/web-svc-simpleicons/tasks/main.yml 
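Review bot: The web-svc-legal `template` task writing `{{NGINX.DIRECTORIES.DATA.HTML}}imprint.html` now has `owner`/`group` of `{{ NGINX.USER }}` but still no `mode`, so the file's permissions depend on the remote umask on first creation. Add `mode: "0644"`; and as with the other static content in this commit, nginx only needs read access, so `owner: root` is the less privileged choice unless the web-server account genuinely has to write there. The `dest` expression was also left in the unspaced `{{NGINX.…}}` form while the owner/group lines were normalized in the same hunk.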
@@ -1,6 +1,6 @@ --- - block: - - name: "load docker, proxy for '{{application_id}}'" + - name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-docker-proxy diff --git a/tasks/stages/02_server.yml b/tasks/stages/02_server.yml index 98ce6bdb..188e51f1 100644 --- a/tasks/stages/02_server.yml +++ b/tasks/stages/02_server.yml @@ -3,6 +3,8 @@ include_role: name: "{{ item }}" loop: + - user-administrator + - user-root - sys-svc-sshd - sys-svc-journalctl - sys-hlth-disc-space diff --git a/tasks/utils/run_once.yml b/tasks/utils/run_once.yml index 5a512579..b320b9c4 100644 --- a/tasks/utils/run_once.yml +++ b/tasks/utils/run_once.yml @@ -4,7 +4,7 @@ - name: "Ensure that {{ docker_compose.directories.instance }} is up" # This is a little hack to guaranty that the docker containers are allways up # It isn't the cleanest solution to have it here but it should fullfill their purpose - include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/04_ensure_up.yml" + include_tasks: "{{ playbook_dir }}/roles/docker-compose/tasks/05_ensure_up.yml" when: - docker_compose is defined - (application_id | get_entity_name) == (docker_compose.directories.instance | basename) diff --git a/tasks/utils/update-repository-with-files.yml b/tasks/utils/update-repository-with-files.yml index c12e09d7..7b4c5ca9 100644 --- a/tasks/utils/update-repository-with-files.yml +++ b/tasks/utils/update-repository-with-files.yml @@ -9,7 +9,7 @@ - name: "backup detached files" command: > - mv "{{docker_compose.directories.instance}}{{ item }}" "/tmp/{{application_id}}-{{ item }}.backup" + mv "{{docker_compose.directories.instance}}{{ item }}" "/tmp/{{ application_id }}-{{ item }}.backup" args: removes: "{{docker_compose.directories.instance}}{{ item }}" become: true 
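Review bot: `mv "{{docker_compose.directories.instance}}{{ item }}" "/tmp/{{ application_id }}-{{ item }}.backup"` in the "backup detached files" task runs with `become: true` and targets a predictable name in the shared, world-writable `/tmp`. Any local account can pre-create that path — as a symlink to a directory it controls, for instance — and `mv` will move the detached file (which, judging by the later `template` step that re-renders `{{ item }}.j2`, may be an `.env` with credentials) into it. Use a private location instead: `ansible.builtin.tempfile` with `state: directory` and the registered path, or a root-owned backup directory under the instance path; the "restore detached files" task that mirrors this step needs the same change.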
@@ -24,14 +24,14 @@ - name: "restore detached files" command: > - mv "/tmp/{{application_id}}-{{ item }}.backup" "{{docker_compose.directories.instance}}{{ item }}" + mv "/tmp/{{ application_id }}-{{ item }}.backup" "{{docker_compose.directories.instance}}{{ item }}" args: - removes: "/tmp/{{application_id}}-{{ item }}.backup" + removes: "/tmp/{{ application_id }}-{{ item }}.backup" become: true loop: "{{ merged_detached_files | default(detached_files) }}" - name: "copy {{ detached_files }} templates to server" - template: + template: src: "{{ item }}.j2" dest: "{{docker_compose.directories.instance}}{{ item }}" loop: "{{ detached_files }}" diff --git a/templates/roles/web-app/tasks/main.yml.j2 b/templates/roles/web-app/tasks/main.yml.j2 index 6726ba70..d94c8374 100644 --- a/templates/roles/web-app/tasks/main.yml.j2 +++ b/templates/roles/web-app/tasks/main.yml.j2 @@ -2,14 +2,14 @@ {% if database_type | bool %} {% raw %} # Default: Loading; Docker, Database and Reverse Proxy -- name: "load docker, db and proxy for '{{application_id}}'" +- name: "load docker, db and proxy for '{{ application_id }}'" include_role: name: cmp-db-docker-proxy when: run_once_docker_{% endraw %}{{ application_id | replace("_", "-") }}{% raw %} is not defined {% endraw %} {% else %} {% raw %} -- name: "load docker, proxy for '{{application_id}}'" +- name: "load docker, proxy for '{{ application_id }}'" include_role: name: cmp-db-docker-proxy when: run_once_docker_{% endraw %}{{ application_id | replace("_", "-") }}{% raw %} is not defined
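Review bot: In the `{% else %}` branch of templates/roles/web-app/tasks/main.yml.j2 (rendered when `database_type` is false), the task named `load docker, proxy for '{{ application_id }}'` still includes `cmp-db-docker-proxy`, the same role as the database branch; every hand-written non-database role touched in this commit (`web-app-pgadmin`, `web-app-phpmyadmin`, `web-svc-logout`) pairs that wording with `cmp-docker-proxy`. Unless `cmp-db-docker-proxy` is known to tolerate a missing database type, generated roles get a database provisioned that they did not ask for; the else branch should read `name: cmp-docker-proxy`. The spacing fix in this hunk does not address that.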