From 0f44e65bf18539f2f27436ecb0d3497ae8a409df Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Tue, 18 Feb 2025 21:00:14 +0100 Subject: [PATCH] Optimized LDAP integration, keycloak realm import and health checks for docker images --- group_vars/all/07_applications.yml | 45 ++++++++++--------- group_vars/all/11_iam.yml | 4 -- roles/docker-funkwhale/templates/env.j2 | 4 +- roles/docker-funkwhale/vars/main.yml | 1 - roles/docker-keycloak/tasks/main.yml | 14 ++++++ .../templates/docker-compose.yml.j2 | 10 ++++- roles/docker-keycloak/templates/env.j2 | 9 ++++ .../realm.json.j2} | 0 roles/docker-keycloak/vars/main.yml | 12 ++--- roles/docker-ldap/handlers/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 2 +- roles/docker-ldap/templates/lam.env.j2 | 2 +- roles/docker-ldap/vars/main.yml | 1 - .../templates/docker-compose.yml.j2 | 2 + roles/docker-matomo/README.md | 8 ---- .../templates/docker-compose.yml.j2 | 5 +++ roles/docker-matomo/templates/env.j2 | 3 ++ .../templates/docker-compose.yml.j2 | 13 +++--- roles/docker-nextcloud/vars/main.yml | 3 +- roles/docker-openproject/vars/main.yml | 4 +- .../templates/docker-compose.yml.j2 | 6 +++ .../templates/docker-compose.yml.j2 | 5 +++ .../templates/docker-compose.yml.j2 | 6 ++- .../templates/docker-compose.yml.j2 | 7 ++- templates/docker/compose/networks.yml.j2 | 4 +- templates/docker/container/networks.yml.j2 | 2 +- 26 files changed, 111 insertions(+), 63 deletions(-) rename roles/docker-keycloak/templates/{realm-export.json.j2 => import/realm.json.j2} (100%) diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index 8bf160c2..26e5c3aa 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml @@ -54,7 +54,8 @@ defaults_applications: ## Funkwhale funkwhale: - version: "1.4.0" + version: "1.4.0" + ldap_enabled: True # Enables LDAP by default ## Gitea gitea: 
@@ -70,11 +71,11 @@ defaults_applications: ## Keycloak keycloak: - version: "latest" - administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak -# database_password: # Needs to be defined in inventory file -# administrator_password: # Needs to be defined in inventory file - + version: "latest" + administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak + ldap_enabled: True # Enables LDAP by default +# database_password: # Needs to be defined in inventory file +# administrator_password: # Needs to be defined in inventory file ## LDAP ldap: @@ -92,15 +93,17 @@ defaults_applications: version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin administrator_username: "{{administrator_username}}" - # administrator_password: # CHANGE for security reasons in inventory file - # administrator_database_password: # CHANGE for security reasons in inventory file + ldap_enabled: True # Should have the same value as applications.ldap.openldap.network.local. + # Both need to be set to True to load the ldap_network in the docker compose file + # administrator_password: # CHANGE for security reasons in inventory file + # administrator_database_password: # CHANGE for security reasons in inventory file ## Listmonk listmonk: administrator_username: "{{administrator_username}}" - public_api_activated: False # Security hole. Can be used for spaming - version: "latest" - setup: false # Set true in inventory file to execute the setup and initializing procedures + public_api_activated: False # Security hole. Can be used for spaming + version: "latest" # Docker Image version + setup: false # Set true in inventory file to execute the setup and initializing procedures ## MariaDB mariadb: 
@@ -148,19 +151,21 @@ defaults_applications: ## Nextcloud nextcloud: version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ + ldap_enabled: True # Enables LDAP by default ## OAuth2 Proxy oauth2_proxy: - configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it - version: "latest" - redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. - allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups - cookie_secret: "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16 + configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it + version: "latest" # Docker Image version + redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. + allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups + cookie_secret: "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16 ## Open Project openproject: - version: "13" # Update when available. Sadly no rolling release implemented + version: "13" # Update when available. Sadly no rolling release implemented oauth2_proxy_active: true + ldap_enabled: True # Enables LDAP by default ## Peertube peertube: 
@@ -174,8 +179,8 @@ defaults_applications: ## Pixelfed pixelfed: - titel: "Pictures on {{primary_domain}}" - version: "latest" + titel: "Pictures on {{primary_domain}}" + version: "latest" ## Postgres # Please set an version in your inventory file - Rolling release for postgres isn't recommended @@ -188,7 +193,7 @@ defaults_applications: ## Taiga taiga: - version: "latest" + version: "latest" ## YOURLS yourls: diff --git a/group_vars/all/11_iam.yml b/group_vars/all/11_iam.yml index 1dd631d4..60dc953b 100644 --- a/group_vars/all/11_iam.yml +++ b/group_vars/all/11_iam.yml @@ -39,10 +39,6 @@ oauth2_proxy_active: false # Helper variables _ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}" - -# This leads to that the role gets configured to use ldap -ldap_enabled: false - ldap: # Enables LDAP for all roles in play if true enabled: true diff --git a/roles/docker-funkwhale/templates/env.j2 b/roles/docker-funkwhale/templates/env.j2 index a33cb656..7c96d481 100644 --- a/roles/docker-funkwhale/templates/env.j2 +++ b/roles/docker-funkwhale/templates/env.j2 @@ -100,7 +100,7 @@ DJANGO_SETTINGS_MODULE=config.settings.production # Generate one using `openssl rand -base64 45`, for example DJANGO_SECRET_KEY={{funkwhale_django_secret}} -{% if ldap_enabled | bool %} +{% if applications[application_id].ldap_enabled | bool %} # LDAP settings # Use the following options to allow authentication on your Funkwhale instance # using a LDAP directory. @@ -110,7 +110,7 @@ DJANGO_SECRET_KEY={{funkwhale_django_secret}} LDAP_ENABLED = True LDAP_SERVER_URI = "{{ldap.server.uri}}" LDAP_BIND_DN = "{{ldap.dn.bind}}" -LDAP_BIND_PASSWORD = "{{ldap.dn.bind_credential}}" +LDAP_BIND_PASSWORD = "{{ldap.bind_credential}}" LDAP_SEARCH_FILTER = "(|(cn={0})(mail={0}))" LDAP_START_TLS = False LDAP_ROOT_DN = "{{ldap.dn.root}}" diff --git a/roles/docker-funkwhale/vars/main.yml b/roles/docker-funkwhale/vars/main.yml index b1c25da6..28cb58aa 100644 --- a/roles/docker-funkwhale/vars/main.yml 
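Review bot: The new `{% if applications[application_id].ldap_enabled | bool %}` in env.j2 has no fallback, while the same commit removes the global `ldap_enabled: false` from 11_iam.yml, so a role whose `applications` entry lacks the key now fails templating on an undefined variable instead of defaulting to LDAP off; the networks templates in this commit guard with `is defined`, this one does not. I would write it as `{% if applications[application_id].ldap_enabled | default(false) | bool %}` here and use the same form everywhere. Separately, the block still emits `LDAP_BIND_PASSWORD` together with `LDAP_START_TLS = False`, so the bind credential travels in the clear unless `ldap.server.uri` is an ldaps:// URL; not introduced here, but a comment at that line saying so would help. The env.j2 block continues outside the hunk.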
+++ b/roles/docker-funkwhale/vars/main.yml @@ -2,7 +2,6 @@ application_id: "funkwhale" nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;" database_password: "{{funkwhale_database_password}}" database_type: "postgres" -ldap_enabled: True media_root: "/srv/funkwhale/data/" static_root: "{{media_root}}static" celeryd_concurrency: 1 diff --git a/roles/docker-keycloak/tasks/main.yml b/roles/docker-keycloak/tasks/main.yml index 12db0a7d..e43ab138 100644 --- a/roles/docker-keycloak/tasks/main.yml +++ b/roles/docker-keycloak/tasks/main.yml @@ -8,3 +8,17 @@ - name: "copy docker-compose.yml and env file" include_tasks: copy-docker-compose-and-env.yml + +- name: "create directory {{import_directory_host}}" + file: + path: "{{import_directory_host}}" + state: directory + mode: 0755 + +- name: "Copy import files to {{ import_directory_host }}" + template: + src: "{{ item }}" + dest: "{{ import_directory_host }}/{{ item | basename | regex_replace('\\.j2$', '') }}" + mode: '770' + loop: "{{ lookup('fileglob', '{{ role_path }}/templates/import/*.j2', wantlist=True) }}" + notify: docker compose project setup \ No newline at end of file diff --git a/roles/docker-keycloak/templates/docker-compose.yml.j2 b/roles/docker-keycloak/templates/docker-compose.yml.j2 index 4dd8a82b..125933fa 100644 --- a/roles/docker-keycloak/templates/docker-compose.yml.j2 +++ b/roles/docker-keycloak/templates/docker-compose.yml.j2 
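Review bot: The realm import files are rendered onto the host with `mode: '770'` inside a `0755` directory, and a Keycloak realm export normally carries client secrets (and the LDAP bind credential if user federation is configured in it), so the files should be neither group-writable nor executable and the directory should not be world-readable. I would use `mode: '0750'` for the directory and `mode: '0640'` for the files, with `owner`/`group` set to whatever UID the Keycloak container runs as so the mount stays readable, and quote the directory mode too since an unquoted `0755` relies on YAML octal parsing, which Ansible's docs advise against. Per Keycloak's documented `--import-realm` behaviour an already existing realm is skipped, so the `notify` restart will not re-apply later edits to realm.json.j2 on an initialised instance; a one-line comment on the task stating that would save a debugging session.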
@@ -4,11 +4,19 @@ services: application: image: quay.io/keycloak/keycloak:{{applications.keycloak.version}} - command: start + container_name: {{container_name}} + command: start --import-realm # imports realms on startup {% include 'roles/docker-compose/templates/services/base.yml.j2' %} ports: - "127.0.0.1:{{http_port}}:8080" + volumes: + - "{{import_directory_host}}:{{import_directory_docker}}" {% include 'templates/docker/container/depends-on-just-database.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} + healthcheck: + test: ["CMD", "sh", "-c", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET /health/live HTTP/1.1\\r\\nHost: {{domains.keycloak}}\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3"] + interval: 30s + timeout: 10s + retries: 3 {% include 'templates/docker/compose/networks.yml.j2' %} \ No newline at end of file diff --git a/roles/docker-keycloak/templates/env.j2 b/roles/docker-keycloak/templates/env.j2 index e9eb7cfe..2d0371d3 100644 --- a/roles/docker-keycloak/templates/env.j2 +++ b/roles/docker-keycloak/templates/env.j2 @@ -1,6 +1,15 @@ +# Environment File for Keycloak +# Documentation can be found here: +# @see https://www.keycloak.org/server/containers + KC_HOSTNAME= https://{{domain}} KC_HTTP_ENABLED= true + +# Health Checks +# @see https://quarkus.io/guides/smallrye-health KC_HEALTH_ENABLED= true +KC_METRICS_ENABLED= true + KEYCLOAK_ADMIN= "{{applications.keycloak.administrator_username}}" KEYCLOAK_ADMIN_PASSWORD= "{{applications.keycloak.administrator_password}}" KC_DB= postgres diff --git a/roles/docker-keycloak/templates/realm-export.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2 similarity index 100% rename from roles/docker-keycloak/templates/realm-export.json.j2 rename to roles/docker-keycloak/templates/import/realm.json.j2 diff --git a/roles/docker-keycloak/vars/main.yml b/roles/docker-keycloak/vars/main.yml index 476b972a..a516877b 100644 --- a/roles/docker-keycloak/vars/main.yml 
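Review bot: The health check passes whenever the TCP connect to 9000 succeeds, because `cat <&3` exits 0 no matter what Keycloak answers, so a `DOWN` liveness response or a 503 still counts as healthy. I would check the status line, `... >&3 && cat <&3 | grep -q 'HTTP/1.1 200'`, and run it under `bash` like the other hunks, since `/dev/tcp` redirection is a bash feature that only works under `sh` when the image's `/bin/sh` happens to be bash. The realm import mount should be read-only, `- "{{import_directory_host}}:{{import_directory_docker}}:ro"`, as the container has no reason to write there. `KC_METRICS_ENABLED= true` also exposes an unauthenticated `/metrics` on the management port to every container on the shared `central_*` networks (only 8080 is published to the host), which deserves a comment or should stay off until something scrapes it. Port 9000 for `/health/live` presumes a Keycloak release with the separate management interface, which `version: "latest"` gives you today but a pin to an older tag would not.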
+++ b/roles/docker-keycloak/vars/main.yml @@ -1,5 +1,7 @@ -application_id: "keycloak" -database_type: "postgres" -database_password: "{{applications.keycloak.database_password}}" -ldap_enabled: True -realm: "{{primary_domain}}" # This is the name of the default realm which is used by the applications \ No newline at end of file +application_id: "keycloak" +database_type: "postgres" +database_password: "{{applications.keycloak.database_password}}" +container_name: "{{application_id}}_application" +realm: "{{primary_domain}}" # This is the name of the default realm which is used by the applications +import_directory_host: "{{docker_compose.directories.volumes}}import/" # Directory in which keycloack import files are placed on the host +import_directory_docker: "/opt/keycloak/data/import/" # Directory in which keycloack import files are placed in the running docker container \ No newline at end of file diff --git a/roles/docker-ldap/handlers/main.yml b/roles/docker-ldap/handlers/main.yml index 67503cf0..db39155c 100644 --- a/roles/docker-ldap/handlers/main.yml +++ b/roles/docker-ldap/handlers/main.yml @@ -19,7 +19,7 @@ - name: "Import Access Roles to OpenLDAP" shell: > - docker exec -i openldap ldapadd -x -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif" + docker exec -i openldap ldapadd -x -D "{{ldap.dn.bind}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}04_access_profiles.ldif" register: ldapadd_result changed_when: "'adding new entry' in ldapadd_result.stdout" # Allow return code 0 (all entries added) or 68 (entry already exists) diff --git a/roles/docker-ldap/templates/docker-compose.yml.j2 b/roles/docker-ldap/templates/docker-compose.yml.j2 index 1b71d79a..f6486910 100644 --- a/roles/docker-ldap/templates/docker-compose.yml.j2 +++ b/roles/docker-ldap/templates/docker-compose.yml.j2 
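Review bot: `-w "{{ldap.bind_credential}}"` puts the LDAP admin password on the `ldapadd` command line, where it is readable in `ps` on the host and inside the container and appears in verbose Ansible output, since the task carries no `no_log`. The rename in this commit keeps that behaviour. I would add `no_log: true` to the task and replace `-w` with `-y` pointing at a 0600 password file available inside the container. The handler body starts outside the hunk.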
@@ -34,7 +34,7 @@ services: - '{{ldif_host_path}}:{{ldif_docker_path}}:ro' # Mounting all ldif files for import healthcheck: test: > - ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.bind}}" -w "{{ldap.dn.bind_credential}}" + ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.bind}}" -w "{{ldap.bind_credential}}" interval: 30s timeout: 10s retries: 3 diff --git a/roles/docker-ldap/templates/lam.env.j2 b/roles/docker-ldap/templates/lam.env.j2 index d14d5341..5ccb745b 100644 --- a/roles/docker-ldap/templates/lam.env.j2 +++ b/roles/docker-ldap/templates/lam.env.j2 @@ -10,4 +10,4 @@ LAM_CONFIGURATION_DATABASE= files LDAP_SERVER= {{ldap.server.domain}} # domain of LDAP database root entry LDAP_BASE_DN= {{ldap.dn.root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN LDAP_USER= {{ldap.dn.bind}} # LDAP admin user (set as login user for LAM) -LDAP_ADMIN_PASSWORD= {{ldap.dn.bind_credential}} # LDAP admin password \ No newline at end of file +LDAP_ADMIN_PASSWORD= {{ldap.bind_credential}} # LDAP admin password \ No newline at end of file diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml index 91dd5768..f7853aa7 100644 --- a/roles/docker-ldap/vars/main.yml +++ b/roles/docker-ldap/vars/main.yml @@ -1,7 +1,6 @@ application_id: "ldap" ldaps_docker_port: 636 ldap_docker_port: 389 -ldap_enabled: True # OAuth2 Proxy Configuration oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}" diff --git a/roles/docker-listmonk/templates/docker-compose.yml.j2 b/roles/docker-listmonk/templates/docker-compose.yml.j2 index ec1a8c47..4162eab7 100644 --- a/roles/docker-listmonk/templates/docker-compose.yml.j2 +++ b/roles/docker-listmonk/templates/docker-compose.yml.j2 
@@ -11,6 +11,8 @@ services: - {{docker_compose.directories.config}}config.toml:/listmonk/config.toml {% include 'templates/docker/container/networks.yml.j2' %} {% include 'templates/docker/container/depends-on-just-database.yml.j2' %} + healthcheck: + test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:9000/health || exit 1'] {% include 'templates/docker/compose/volumes-just-database.yml.j2' %} diff --git a/roles/docker-matomo/README.md b/roles/docker-matomo/README.md index 304d3186..84ea8be5 100644 --- a/roles/docker-matomo/README.md +++ b/roles/docker-matomo/README.md @@ -8,14 +8,6 @@ This Ansible role deploys a [Matomo](https://matomo.org/) analytics platform ins - Nginx installed for reverse proxy configuration. - Certbot installed for SSL certificate generation. -## Role Variables - -- `domain`: The domain where Matomo will be accessible. -- `administrator_email`: The email used for SSL certificate registration. -- `path_docker_compose_instances`: Path to store Docker Compose files. -- `http_port`: The host port that Matomo will be accessible on. -- `matomo_database_password`: Password for the Matomo database. - ## AI Generated This script was created with the help of ChatGPT. The full conversation is [here](https://chat.openai.com/share/49e0c7e4-a2af-4a04-adad-7a735bdd85c4) available. diff --git a/roles/docker-matomo/templates/docker-compose.yml.j2 b/roles/docker-matomo/templates/docker-compose.yml.j2 index e7a8579e..5e21faab 100644 --- a/roles/docker-matomo/templates/docker-compose.yml.j2 +++ b/roles/docker-matomo/templates/docker-compose.yml.j2 
@@ -11,6 +11,11 @@ services: - data:/var/www/html {% include 'templates/docker/container/depends-on-just-database.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} + healthcheck: + test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/80 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"] + interval: 30s + timeout: 10s + retries: 3 {% include 'templates/docker/compose/volumes.yml.j2' %} data: diff --git a/roles/docker-matomo/templates/env.j2 b/roles/docker-matomo/templates/env.j2 index a4ca7282..1410fe51 100644 --- a/roles/docker-matomo/templates/env.j2 +++ b/roles/docker-matomo/templates/env.j2 @@ -1,3 +1,6 @@ +# Environment File for Matomo +# @see https://hub.docker.com/_/matomo/ + MATOMO_DATABASE_HOST= "{{database_host}}:{{database_port}}" MATOMO_DATABASE_ADAPTER= "mysql" MATOMO_DATABASE_USERNAME= "{{database_username}}" diff --git a/roles/docker-moodle/templates/docker-compose.yml.j2 b/roles/docker-moodle/templates/docker-compose.yml.j2 index 19d2491a..d113073b 100644 --- a/roles/docker-moodle/templates/docker-compose.yml.j2 +++ b/roles/docker-moodle/templates/docker-compose.yml.j2 @@ -10,17 +10,14 @@ services: volumes: - 'moodle:/bitnami/moodle' - 'data:/bitnami/moodledata' -# Healthcheck is not possible due to missing curl and wget in container -# @todo implement healthcheck -# healthcheck: -# test: ["CMD", "curl", "-f", "http://127.0.0.1:8080"] -# interval: 1m -# timeout: 10s -# retries: 3 + healthcheck: + test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"] + interval: 30s + timeout: 10s + retries: 3 {% include 'templates/docker/container/depends-on-just-database.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} - {% include 'templates/docker/compose/volumes.yml.j2' %} moodle: data: 
diff --git a/roles/docker-nextcloud/vars/main.yml b/roles/docker-nextcloud/vars/main.yml index b0f355d7..caf1ec0f 100644 --- a/roles/docker-nextcloud/vars/main.yml +++ b/roles/docker-nextcloud/vars/main.yml @@ -3,5 +3,4 @@ application_id: "nextcloud" database_password: "{{nextcloud_database_password}}" database_type: "mariadb" nextcloud_application_container_name: "nextcloud-application" -nextcloud_nginx_container_name: "nextcloud-web" -ldap_enabled: True \ No newline at end of file +nextcloud_nginx_container_name: "nextcloud-web" \ No newline at end of file diff --git a/roles/docker-openproject/vars/main.yml b/roles/docker-openproject/vars/main.yml index 412144a9..d27c98d9 100644 --- a/roles/docker-openproject/vars/main.yml +++ b/roles/docker-openproject/vars/main.yml @@ -13,6 +13,4 @@ dummy_volume: "{{docker_compose.directories.volu # OAuth2 Proxy Configuration oauth2_proxy_upstream_application_and_port: "proxy:80" -oauth2_proxy_active: "{{ applications.openproject.oauth2_proxy_active | bool }}" - -ldap_enabled: True \ No newline at end of file +oauth2_proxy_active: "{{ applications.openproject.oauth2_proxy_active | bool }}" \ No newline at end of file diff --git a/roles/docker-peertube/templates/docker-compose.yml.j2 b/roles/docker-peertube/templates/docker-compose.yml.j2 index fea5be83..95401f1c 100644 --- a/roles/docker-peertube/templates/docker-compose.yml.j2 +++ b/roles/docker-peertube/templates/docker-compose.yml.j2 
@@ -16,6 +16,12 @@ services: - config:/config {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} + healthcheck: + # This just tests if the service is running on port 9000. It doesn't check if there is an 200 or e.g. an 404 response + test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"] + interval: 30s + timeout: 10s + retries: 3 {% include 'templates/docker/compose/volumes.yml.j2' %} assets: diff --git a/roles/docker-phpmyadmin/templates/docker-compose.yml.j2 b/roles/docker-phpmyadmin/templates/docker-compose.yml.j2 index c114c2c1..24cb6ac5 100644 --- a/roles/docker-phpmyadmin/templates/docker-compose.yml.j2 +++ b/roles/docker-phpmyadmin/templates/docker-compose.yml.j2 @@ -10,5 +10,10 @@ services: - "127.0.0.1:{{http_port}}:80" {% include 'templates/docker/container/depends-on-just-database.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} + healthcheck: + test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/80 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"] + interval: 30s + timeout: 10s + retries: 3 {% include 'templates/docker/compose/networks.yml.j2' %} \ No newline at end of file diff --git a/roles/docker-portfolio/templates/docker-compose.yml.j2 b/roles/docker-portfolio/templates/docker-compose.yml.j2 index 4cf0781b..77eaa4a8 100644 --- a/roles/docker-portfolio/templates/docker-compose.yml.j2 +++ b/roles/docker-portfolio/templates/docker-compose.yml.j2 
@@ -11,5 +11,9 @@ services:
 - ./app:/app
 restart: unless-stopped
 {% include 'templates/docker/container/networks.yml.j2' %}
-
+ healthcheck:
+ test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/5000 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
 {% include 'templates/docker/compose/networks.yml.j2' %}
\ No newline at end of file
diff --git a/roles/docker-snipe_it/templates/docker-compose.yml.j2 b/roles/docker-snipe_it/templates/docker-compose.yml.j2
index 56785eb9..af97be3f 100644
--- a/roles/docker-snipe_it/templates/docker-compose.yml.j2
+++ b/roles/docker-snipe_it/templates/docker-compose.yml.j2
@@ -13,7 +13,12 @@ services:
 - "127.0.0.1:{{ports.localhost.http.snipe_it}}:80"
 {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
-
+ healthcheck:
+ test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/80 && echo -e 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'HTTP/1.1'"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
 {% include 'templates/docker/compose/volumes.yml.j2' %}
 redis:
 data:
diff --git a/templates/docker/compose/networks.yml.j2 b/templates/docker/compose/networks.yml.j2
index 4d4cc6f0..340ef14d 100644
--- a/templates/docker/compose/networks.yml.j2
+++ b/templates/docker/compose/networks.yml.j2
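Review bot: `grep -q 'HTTP/1.1'` accepts any status line, so a 500 from the app or a 404 is reported as healthy and the check only proves that something is listening on the port (the peertube hunk says as much in its own comment). Matching the status class, `cat <&3 | grep -q 'HTTP/1.1 [23][0-9][0-9]'`, makes the check meaningful at no extra cost and applies equally to the snipe_it hunk below. These checks also assume `bash` and `/dev/tcp` exist in the image, which holds for Debian-based images but not for distroless or busybox-only ones; a one-line comment above `healthcheck:` recording that assumption would help the next person who swaps the image.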
@@ -4,12 +4,12 @@ networks:
 central_{{ database_type }}:
 external: true
 {% endif %}
-{% if ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
+{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
 central_ldap:
 external: true
 {% endif %}
 default:
-{% if application_id in networks.local and networks.local[application_id].subnet is defined %}
+{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
 driver: bridge
 ipam:
 driver: default
diff --git a/templates/docker/container/networks.yml.j2 b/templates/docker/container/networks.yml.j2
index 8c4ea9cd..09764bf6 100644
--- a/templates/docker/container/networks.yml.j2
+++ b/templates/docker/container/networks.yml.j2
@@ -3,7 +3,7 @@
 {% if enable_central_database | bool and database_type is defined %}
 central_{{ database_type }}:
 {% endif %}
-{% if ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
+{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
 central_ldap:
 {% endif %}
 default:
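Review bot: The condition on the `default:` network's ipam block changed from "a local subnet is defined for this application" to "LDAP networking is enabled", dropping the `networks.local[application_id].subnet is defined` guard. If the lines below this hunk still read `networks.local[application_id].subnet` (they are cut off here), a role with `ldap_enabled: True` and no entry in `networks.local` now fails templating on an undefined variable, and a role that has a subnet but no LDAP silently loses its fixed subnet. I would keep the original guard, `{% if application_id in networks.local and networks.local[application_id].subnet is defined %}`, for the ipam block, and for the three repeated LDAP checks use `applications[application_id].ldap_enabled | default(false) | bool` rather than `is defined and ... | bool` so a missing key reads as disabled.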