diff --git a/Makefile b/Makefile index 7daff935..e8dcd952 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,13 @@ # Makefile for j2render -TEMPLATE=./templates/vars/applications.yml.j2 +ROLES_DIR=./roles OUTPUT=./group_vars/all/11_applications.yml +SCRIPT=./cli/generate_default_applications.py build: - @echo "🔧 Building rendered file from $(TEMPLATE)..." + @echo "🔧 Generating $(OUTPUT) from roles in $(ROLES_DIR)..." @mkdir -p $(dir $(OUTPUT)) - j2r $(TEMPLATE) $(OUTPUT) + python3 $(SCRIPT) --roles-dir $(ROLES_DIR) --output-file $(OUTPUT) @echo "✅ Output written to $(OUTPUT)" install: build diff --git a/cli/__init__.py b/cli/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/cli/generate_default_applications.py b/cli/generate_default_applications.py new file mode 100644 index 00000000..407e4dc2 --- /dev/null +++ b/cli/generate_default_applications.py 
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+
+import argparse
+import os
+import yaml
+from pathlib import Path
+
+def load_yaml_file(path):
+ """Load a YAML file if it exists, otherwise return an empty dict."""
+ if not path.exists():
+ return {}
+ with path.open("r", encoding="utf-8") as f:
+ return yaml.safe_load(f) or {}
+
+def main():
+ parser = argparse.ArgumentParser(description="Generate default_applications YAML from docker roles.")
+ parser.add_argument("--roles-dir", default="roles", help="Path to the roles directory (default: roles)")
+ parser.add_argument("--output-file", default="group_vars/all/11_applications.yml", help="Path to output YAML file")
+
+ args = parser.parse_args()
+ cwd = Path.cwd()
+ roles_dir = (cwd / args.roles_dir).resolve()
+ output_file = (cwd / args.output_file).resolve()
+
+ output_file.parent.mkdir(parents=True, exist_ok=True)
+
+ result = {"default_applications": {}}
+
+ for role_dir in sorted(roles_dir.glob("docker-*")):
+ role_name = role_dir.name
+ vars_main = role_dir / "vars" / "main.yml"
+ config_file = role_dir / "vars" / "configuration.yml"
+
+ if not vars_main.exists():
+ print(f"[!] Skipping {role_name}: vars/main.yml missing")
+ continue
+
+ vars_data = load_yaml_file(vars_main)
+ application_id = vars_data.get("application_id")
+
+ if not application_id:
+ print(f"[!] Skipping {role_name}: application_id not defined in vars/main.yml")
+ continue
+
+ if not config_file.exists():
+ print(f"[!] Skipping {role_name}: vars/configuration.yml missing")
+ continue
+
+ config_data = load_yaml_file(config_file)
+ if config_data:
+ result["default_applications"][application_id] = config_data
+
+ with output_file.open("w", encoding="utf-8") as f:
+ yaml.dump(result, f, sort_keys=False)
+
+ print(f"✅ Generated: {output_file.relative_to(cwd)}")
+
+if __name__ == "__main__":
+ main() 
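Review bot: The closing `print(f"✅ Generated: {output_file.relative_to(cwd)}")` raises `ValueError` whenever `--output-file` is absolute or otherwise resolves outside the working directory, because `output_file` is `.resolve()`d and `relative_to` requires it to lie under `cwd`; the file has already been written by then, so a successful run ends in a traceback. `load_yaml_file` also returns whatever `safe_load` produced, so a `vars/main.yml` whose top level is a list or scalar makes `vars_data.get("application_id")` raise `AttributeError` instead of the intended skip message, and `import os` is unused. A module docstring should state that the script rewrites the whole output file on every run from each `docker-*` role's `vars/configuration.yml`, keyed by that role's `application_id`, and that roles outside the `docker-*` glob (the `client-*` roles touched in this commit) are not included.
```python
def load_yaml_file(path):
    """Load a YAML mapping if the file exists, otherwise return an empty dict.

    Raises ValueError when the document's top level is not a mapping, so a
    malformed vars file is reported by name instead of failing on `.get()`.
    """
    if not path.exists():
        return {}
    with path.open("r", encoding="utf-8") as f:
        data = yaml.safe_load(f) or {}
    if not isinstance(data, dict):
        raise ValueError(f"{path}: expected a YAML mapping at top level, got {type(data).__name__}")
    return data

# … unchanged: argument parsing, role loop, yaml.dump …

    # relative_to() only works for paths below cwd; fall back to the absolute path.
    try:
        shown = output_file.relative_to(cwd)
    except ValueError:
        shown = output_file
    print(f"✅ Generated: {shown}")
```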
diff --git a/roles/client-browser-chromium/templates/configuration.yml.j2 b/roles/client-browser-chromium/templates/configuration.yml.j2 new file mode 100644 index 00000000..06df2d64 --- /dev/null +++ b/roles/client-browser-chromium/templates/configuration.yml.j2 @@ -0,0 +1,23 @@ +# Concerning configuration options checkout: +# https://chromeenterprise.google/policies/#ExtensionSettings +chromium: + password_manager_enabled: false + default_installation_mode: allowed + plugins: + # UBlock Origin + - id: "cjpalhdlnbpafiamejdnhcphjbkeiagm" + update_url: "https://clients2.google.com/service/update2/crx" + incognito: true + installation_mode: "force_installed" + + # KeepassXC + - id: "ddkjiahejlhfcafbddmgiahcphecmpfh" + update_url: "https://clients2.google.com/service/update2/crx" + incognito: false + installation_mode: "force_installed" + + # Dark Mode Extension + - id: "dmghijelimhndkbmpgbldicpogfkceaj" + update_url: "https://clients2.google.com/service/update2/crx" + incognito: true + installation_mode: "force_installed" diff --git a/roles/client-browser-chromium/templates/extensions_policy.json.j2 b/roles/client-browser-chromium/templates/extensions_policy.json.j2 index 6f511cd3..eac276fc 100644 --- a/roles/client-browser-chromium/templates/extensions_policy.json.j2 +++ b/roles/client-browser-chromium/templates/extensions_policy.json.j2 
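Review bot: This configuration is added as `templates/configuration.yml.j2`, while every other role in this commit (firefox, gnome, libreoffice and all `docker-*` roles) puts it at `vars/configuration.yml`, and the new generator in `cli/generate_default_applications.py` only reads `vars/configuration.yml` from `docker-*` roles, so nothing shown here consumes this file. The values are also nested under a `chromium:` key, whereas `extensions_policy.json.j2` in this commit reads `applications[application_id].default_installation_mode` and `.password_manager_enabled` directly on the application dict, so one of the two layouts has to change. The header comment should also say what `default_installation_mode: allowed` means for the `"*"` entry it feeds: users may install any extension in addition to the force-list, whereas `blocked` together with the force-list is the restrictive policy if that is what is intended.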
@@ -1,8 +1,20 @@ { "ExtensionInstallForcelist": [ - {% for plugin in applications[application_id].plugins -%} - "{{ plugin }}"{% if not loop.last %},{% endif %} + {% for plugin in applications[application_id].chromium.plugins -%} + "{{ plugin.id }};{{ plugin.update_url }}"{% if not loop.last %},{% endif %} {% endfor %} ], - "PasswordManagerEnabled": false -} \ No newline at end of file + "ExtensionSettings": { + "*": { + "installation_mode": "{{ applications[application_id].default_installation_mode }}" + } + {% for plugin in applications[application_id].chromium.plugins -%}, + "{{ plugin.id }}": { + "installation_mode": "{{ plugin.installation_mode }}", + "update_url": "{{ plugin.update_url }}", + "incognito_mode": "{{ 'enabled' if plugin.incognito else 'disabled' }}" + } + {% endfor %} + }, + "PasswordManagerEnabled": {{ applications[application_id].password_manager_enabled }} +} diff --git a/roles/client-browser-firefox/vars/configuration.yml b/roles/client-browser-firefox/vars/configuration.yml new file mode 100644 index 00000000..db5131dd --- /dev/null +++ b/roles/client-browser-firefox/vars/configuration.yml @@ -0,0 +1,3 @@ +plugins: # Plugins to be installed in Firefox + - "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" # U-Block Origine Plugin + - "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi" # KeepassXC Plugin \ No newline at end of file diff --git a/roles/client-gnome/vars/configuration.yml b/roles/client-gnome/vars/configuration.yml new file mode 100644 index 00000000..274d861f --- /dev/null +++ b/roles/client-gnome/vars/configuration.yml @@ -0,0 +1,4 @@ +plugins: + - [enable,nasa_apod@elinvention.ovh,https://github.com/Elinvention/gnome-shell-extension-nasa-apod.git] + - [disable,dash-to-dock@micxgx.gmail.com,''] + - [enable, dash-to-panel@jderose9.github.com,''] \ No newline at end of file 
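Review bot: `"PasswordManagerEnabled": {{ applications[application_id].password_manager_enabled }}` renders a YAML boolean as `True`/`False`, which is not valid JSON; `{{ applications[application_id].password_manager_enabled | to_json }}` (or `| lower`) produces `true`/`false`. That expression and `default_installation_mode` are read at the top level of the application dict, while the `configuration.yml.j2` added for this role in the same commit nests both under `chromium:` next to `plugins` (which this template does read as `.chromium.plugins`), so they will be undefined unless the rendered variables differ from that file. I could not confirm that `incognito_mode` is a recognised `ExtensionSettings` field against the policy reference linked from configuration.yml.j2; if unknown keys are ignored by the browser the `incognito: true` setting would silently have no effect, so this is worth checking and noting in a comment.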
diff --git a/roles/client-gnome/vars/main.yml b/roles/client-gnome/vars/main.yml new file mode 100644 index 00000000..08d787fc --- /dev/null +++ b/roles/client-gnome/vars/main.yml @@ -0,0 +1 @@ +application_id: gnome \ No newline at end of file diff --git a/roles/client-libreoffice/vars/configuration.yml b/roles/client-libreoffice/vars/configuration.yml new file mode 100644 index 00000000..73e41fcf --- /dev/null +++ b/roles/client-libreoffice/vars/configuration.yml @@ -0,0 +1 @@ +flavor: "fresh" # Libre Office flavor, fresh for new, still for stable diff --git a/roles/client-libreoffice/vars/main.yml b/roles/client-libreoffice/vars/main.yml new file mode 100644 index 00000000..6e09709a --- /dev/null +++ b/roles/client-libreoffice/vars/main.yml @@ -0,0 +1 @@ +application_id: "libreoffice" \ No newline at end of file diff --git a/roles/docker-akaunting/meta/schema.yml b/roles/docker-akaunting/meta/schema.yml new file mode 100644 index 00000000..069492a3 --- /dev/null +++ b/roles/docker-akaunting/meta/schema.yml @@ -0,0 +1,9 @@ +credentials: + database_password: + description: "Database password for MariaDB" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + setup_admin_password: + description: "Initial admin user password for Akaunting" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-akaunting/templates/env.j2 b/roles/docker-akaunting/templates/env.j2 index 14cab9f9..31ac0d5f 100644 --- a/roles/docker-akaunting/templates/env.j2 +++ b/roles/docker-akaunting/templates/env.j2 
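Review bot: `algorithm: "bcrypt"` with `validation: "^\\$2[aby]\\$.{56}$"` means the only value accepted for `database_password` is a bcrypt hash string, yet `env.j2` in this commit passes `database_password` to the database as its plaintext password; if `algorithm` describes how the secret is generated the `description` should say so, and if it describes a hash of a stored secret the templates still need the plaintext. Nothing in this commit documents what `algorithm` and `validation` mean or what reads them, so a short comment at the top of each `meta/schema.yml` (or a README beside it) would make the contract explicit. The same pattern appears in the schema files for attendize, baserow, bigbluebutton, discourse, espocrm, friendica, funkwhale, gitea, gitlab, joomla, keycloak and lam.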
@@ -14,9 +14,9 @@ DB_PASSWORD={{database_password}} DB_PREFIX=asd_ # These define the first company to exist on this instance. They are only used during setup. -COMPANY_NAME={{applications.akaunting.company_name}} -COMPANY_EMAIL={{applications.akaunting.company_email}} +COMPANY_NAME={{applications[application_id].company_name}} +COMPANY_EMAIL={{applications[application_id].company_email}} # This will be the first administrative user created on setup. ADMIN_EMAIL={{applications.akaunting.setup_admin_email}} -ADMIN_PASSWORD={{akaunting_setup_admin_password}} +ADMIN_PASSWORD={{applications[application_id].credentials.setup_admin_password}} diff --git a/roles/docker-akaunting/vars/configuration.yml b/roles/docker-akaunting/vars/configuration.yml new file mode 100644 index 00000000..70a3db24 --- /dev/null +++ b/roles/docker-akaunting/vars/configuration.yml @@ -0,0 +1,12 @@ +version: "latest" +company_name: "{{primary_domain}}" +company_email: "{{users.administrator.email}}" +setup_admin_email: "{{users.administrator.email}}" +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true +credentials: +# database_password: Needs to be defined in inventory file +# setup_admin_password: Needs to be defined in inventory file \ No newline at end of file diff --git a/roles/docker-akaunting/vars/main.yml b/roles/docker-akaunting/vars/main.yml index 72c13464..4b48ed08 100644 --- a/roles/docker-akaunting/vars/main.yml +++ b/roles/docker-akaunting/vars/main.yml @@ -1,4 +1,4 @@ application_id: "akaunting" database_type: "mariadb" -database_password: "{{akaunting_database_password}}" +database_password: "{{ applications[application_id]].credentials.database_password }}" docker_repository_address: "https://github.com/akaunting/docker.git" diff --git a/roles/docker-attendize/meta/schema.yml b/roles/docker-attendize/meta/schema.yml new file mode 100644 index 00000000..cd880863 --- /dev/null +++ b/roles/docker-attendize/meta/schema.yml 
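Review bot: `ADMIN_EMAIL={{applications.akaunting.setup_admin_email}}` keeps the hard-coded `akaunting` key while the lines immediately around it were moved to `applications[application_id]`; `ADMIN_EMAIL={{applications[application_id].setup_admin_email}}` keeps the template consistent. The hunk starts at line 14, so earlier references in this file are not visible here.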
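Review bot: `credentials:` followed only by comments is a key with a null value, so the generated group_vars file will carry `credentials: null` for akaunting; whether an inventory `credentials` mapping replaces or merges with that null depends on the variable-merge behaviour, which is not visible here. If a merge is expected, `credentials: {}` gives it something to merge into, and the comment should say that the keys are supplied by the inventory. The same commented-out `credentials:` appears in the configuration files for attendize, bigbluebutton, bluesky, coturn, discourse, espocrm, funkwhale, keycloak and lam.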
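Review bot: `database_password: "{{ applications[application_id]].credentials.database_password }}"` has a doubled `]]`, which is a Jinja syntax error that will surface the first time the variable is evaluated; the line should read `database_password: "{{ applications[application_id].credentials.database_password }}"`, matching the form used in the attendize, friendica, gitea and gitlab `vars/main.yml` changes in this commit.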
@@ -0,0 +1,5 @@ +credentials: + database_password: + description: "Database password for MariaDB used by Attendize" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/docker-attendize/vars/configuration.yml b/roles/docker-attendize/vars/configuration.yml new file mode 100644 index 00000000..c7a594f8 --- /dev/null +++ b/roles/docker-attendize/vars/configuration.yml @@ -0,0 +1,9 @@ +version: "latest" +credentials: +# database_password: Password for the database + +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true diff --git a/roles/docker-attendize/vars/main.yml b/roles/docker-attendize/vars/main.yml index 64e50705..2433152c 100644 --- a/roles/docker-attendize/vars/main.yml +++ b/roles/docker-attendize/vars/main.yml @@ -1,5 +1,5 @@ --- application_id: "attendize" database_type: "mariadb" -database_password: "{{attendize_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" docker_repository_address: "https://github.com/Attendize/Attendize.git" \ No newline at end of file diff --git a/roles/docker-baserow/meta/schema.yml b/roles/docker-baserow/meta/schema.yml new file mode 100644 index 00000000..ec3ae3b6 --- /dev/null +++ b/roles/docker-baserow/meta/schema.yml @@ -0,0 +1,5 @@ +credentials: + database_password: + description: "Password for the PostgreSQL database used by Baserow" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/docker-baserow/vars/configuration.yml b/roles/docker-baserow/vars/configuration.yml new file mode 100644 index 00000000..543b25e0 --- /dev/null +++ b/roles/docker-baserow/vars/configuration.yml @@ -0,0 +1,6 @@ +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: true + central_database: true \ No newline at end of file 
diff --git a/roles/docker-bigbluebutton/TODO.md b/roles/docker-bigbluebutton/TODO.md new file mode 100644 index 00000000..a61585eb --- /dev/null +++ b/roles/docker-bigbluebutton/TODO.md @@ -0,0 +1,2 @@ +# Todo +- Propper implement and test the LDAP integration, the configuration values just had been set during refactoring \ No newline at end of file diff --git a/roles/docker-bigbluebutton/meta/schema.yml b/roles/docker-bigbluebutton/meta/schema.yml new file mode 100644 index 00000000..8f90f369 --- /dev/null +++ b/roles/docker-bigbluebutton/meta/schema.yml @@ -0,0 +1,25 @@ +credentials: + shared_secret: + description: "Shared secret for BigBlueButton API authentication" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" + etherpad_api_key: + description: "API key for Etherpad integration" + algorithm: "plain" + validation: "^[a-zA-Z0-9]{32}$" + rails_secret: + description: "Secret key for Rails backend" + algorithm: "random_hex" + validation: "^[a-f0-9]{128}$" + postgresql_secret: + description: "Password for PostgreSQL user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + fsesl_password: + description: "Password for FreeSWITCH ESL connection" + algorithm: "plain" + validation: "^.{8,}$" + turn_secret: + description: "TURN server shared secret" + algorithm: "sha1" + validation: "^[a-f0-9]{40}$" \ No newline at end of file diff --git a/roles/docker-bigbluebutton/vars/configuration.yml b/roles/docker-bigbluebutton/vars/configuration.yml new file mode 100644 index 00000000..02046d51 --- /dev/null +++ b/roles/docker-bigbluebutton/vars/configuration.yml 
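Review bot: `fsesl_password` is declared `algorithm: "plain"` with `validation: "^.{8,}$"`, so any eight characters satisfy the schema for the FreeSWITCH ESL password; since this regex is what gates inventory values, a longer minimum (the bluesky schema in this commit requires 12 for its admin password) would be consistent with the other secrets here, which are all 32–128 hex characters. `etherpad_api_key` is likewise `plain` with a 32-alphanumeric regex, and the accompanying TODO.md says these values were only set during refactoring, so a comment stating which entries are generated and which must come from the inventory would help the next person.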
@@ -0,0 +1,21 @@ +enable_greenlight: "true" +setup: false # Set to true in inventory file for initial setup +credentials: +# shared_secret: # Needs to be defined in inventory file +# etherpad_api_key: # Needs to be defined in inventory file +# rails_secret: # Needs to be defined in inventory file +# postgresql_secret: # Needs to be defined in inventory file +# fsesl_password: # Needs to be defined in inventory file +# turn_secret: # Needs to be defined in inventory file +database: + name: "multiple_databases" + username: "postgres2" +urls: + api: "{{ web_protocol }}://{{domains.bigbluebutton}}/bigbluebutton/" # API Address used by Nextcloud Integration +features: + matomo: true + css: true + landingpage_iframe: false + ldap: false + oidc: true + central_database: false \ No newline at end of file diff --git a/roles/docker-bluesky/meta/schema.yml b/roles/docker-bluesky/meta/schema.yml new file mode 100644 index 00000000..1198e498 --- /dev/null +++ b/roles/docker-bluesky/meta/schema.yml @@ -0,0 +1,13 @@ +credentials: + jwt_secret: + description: "Secret used for JWT signing (base64, 64 bytes)" + algorithm: "plain" + validation: "^[A-Za-z0-9+/=]{86,}$" # 64 bytes base64 = ~86 characters without newline + plc_rotation_key_k256_private_key_hex: + description: "PLC rotation key in hex format (32 bytes)" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" + admin_password: + description: "Initial admin password for Bluesky PDS" + algorithm: "plain" + validation: "^.{12,}$" \ No newline at end of file diff --git a/roles/docker-bluesky/templates/env.j2 b/roles/docker-bluesky/templates/env.j2 index 0dda6ae4..433c3b55 100644 --- a/roles/docker-bluesky/templates/env.j2 +++ b/roles/docker-bluesky/templates/env.j2 
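Review bot: `enable_greenlight: "true"` is a quoted string, whereas `setup: false` and every `features` entry in the same file are YAML booleans; unless the consuming template applies `| bool`, both `"true"` and `"false"` are truthy in a Jinja test, so flipping the value to `"false"` later would not disable it. `enable_greenlight: true` matches the rest of the file. In the bluesky schema in this same hunk, `plc_rotation_key_k256_private_key_hex` is given `algorithm: "sha256"` while bluesky's configuration.yml in this commit says to generate it with `openssl rand -hex 32`; the two descriptions of that field should agree.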
@@ -4,9 +4,9 @@ PDS_SERVICE_DID="did:web:{{domains.bluesky_api}}" # See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/ PDS_SERVICE_HANDLE_DOMAINS=".{{primary_domain}}" -PDS_JWT_SECRET="{{applications.bluesky.pds.jwt_secret}}" -PDS_ADMIN_PASSWORD="{{applications.bluesky.pds.admin_password}}" -PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{applications.bluesky.pds.plc_rotation_key_k256_private_key_hex}}" +PDS_JWT_SECRET="{{applications.bluesky.credentials.jwt_secret}}" +PDS_ADMIN_PASSWORD="{{applications.bluesky.credentials.admin_password}}" +PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="{{applications.bluesky.credentials.plc_rotation_key_k256_private_key_hex}}" PDS_CRAWLERS=https://bsky.network PDS_EMAIL_SMTP_URL=smtps://{{ users['no-reply'].email }}:{{ users['no-reply'].mailu_token }}@{{system_email.host}}:{{system_email.port}}/ PDS_EMAIL_FROM_ADDRESS={{ users['no-reply'].email }} diff --git a/roles/docker-bluesky/vars/configuration.yml b/roles/docker-bluesky/vars/configuration.yml new file mode 100644 index 00000000..3fad6419 --- /dev/null +++ b/roles/docker-bluesky/vars/configuration.yml @@ -0,0 +1,14 @@ +users: + administrator: + email: "{{users.administrator.email}}" +pds: + version: "latest" +credentials: + #jwt_secret: # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n' + #plc_rotation_key_k256_private_key_hex: # Needs to be defined in inventory file - Use: openssl rand -hex 32 + #admin_password: # Needs to be defined in inventory file - Use: openssl rand -base64 16 +features: + matomo: true + css: true + landingpage_iframe: true + central_database: true \ No newline at end of file diff --git a/roles/docker-central-database/tasks/main.yml b/roles/docker-central-database/tasks/main.yml index 756a9a14..812f9ec1 100644 --- a/roles/docker-central-database/tasks/main.yml +++ b/roles/docker-central-database/tasks/main.yml 
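Review bot: The three rewritten lines use `applications.bluesky.credentials.*`, while the other env templates touched in this commit (akaunting, espocrm, funkwhale, keycloak) switched to `applications[application_id].credentials.*`, e.g. `PDS_JWT_SECRET="{{applications[application_id].credentials.jwt_secret}}"`. The hunk starts at line 4, so whether `application_id` is already used elsewhere in this template cannot be confirmed from here.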
@@ -10,7 +10,7 @@ name: docker-compose # The following env file will just be used from the dedicated mariadb container -# and not the central-mariadb-database +# and not the {{capplications.mariadb.hostname }}-database - name: "Create {{database_env}}" template: src: "env/{{database_type}}.env.j2" diff --git a/roles/docker-central-database/templates/configuration.yml.j2 b/roles/docker-central-database/templates/configuration.yml.j2 new file mode 100644 index 00000000..e5559102 --- /dev/null +++ b/roles/docker-central-database/templates/configuration.yml.j2 @@ -0,0 +1,3 @@ +# Jinja2 configuration template +# Define your variables here + diff --git a/roles/docker-coturn/TODO.md b/roles/docker-coturn/TODO.md new file mode 100644 index 00000000..eb5bfbde --- /dev/null +++ b/roles/docker-coturn/TODO.md @@ -0,0 +1,2 @@ +# Todo +- Implement this role \ No newline at end of file diff --git a/roles/docker-coturn/vars/configuration.yml.j2 b/roles/docker-coturn/vars/configuration.yml.j2 new file mode 100644 index 00000000..222e2209 --- /dev/null +++ b/roles/docker-coturn/vars/configuration.yml.j2 @@ -0,0 +1,4 @@ +user: turnuser +credentials: + # password: # Need to be defined in invetory file + # secret: # Need to be defined in invetory file diff --git a/roles/docker-coturn/vars/main.yml b/roles/docker-coturn/vars/main.yml index 4e8722ac..2763974f 100644 --- a/roles/docker-coturn/vars/main.yml +++ b/roles/docker-coturn/vars/main.yml @@ -1,3 +1,3 @@ application_id: "coturn" -#database_password: "{{gitea_database_password}}" +#database_password: "{{applications[application_id].credentials.database_password}}" #database_type: "mariadb" \ No newline at end of file diff --git a/roles/docker-discourse/meta/schema.yml b/roles/docker-discourse/meta/schema.yml new file mode 100644 index 00000000..aaaa73bb --- /dev/null +++ b/roles/docker-discourse/meta/schema.yml 
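Review bot: `{{capplications.mariadb.hostname }}` in the comment looks like a search-and-replace of `central-mariadb` that left the leading `c` of `central` in place; `applications.mariadb.hostname` is presumably what was meant. In a YAML comment it is harmless, but the same `capplications` token is inserted into the shell commands in the three `roles/docker-friendica/Administration.md` hunks of this commit, where a reader would paste it verbatim. In the coturn changes of this hunk, `vars/configuration.yml.j2` carries a `.j2` suffix that the new generator (which reads `vars/configuration.yml`) does not match, and its comments misspell `inventory` as `invetory`.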
@@ -0,0 +1,5 @@ +credentials: + database_password: + description: "Password for the Discourse PostgreSQL database" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/docker-discourse/vars/configuration.yml b/roles/docker-discourse/vars/configuration.yml new file mode 100644 index 00000000..fb6ca445 --- /dev/null +++ b/roles/docker-discourse/vars/configuration.yml @@ -0,0 +1,11 @@ +network: "discourse_default" # Name of the docker network +container: "discourse_application" # Name of the container application +repository: "discourse_repository" # Name of the repository folder +credentials: +# database_password: # Needs to be defined in inventory file +features: + matomo: true + css: true + landingpage_iframe: false + oidc: true + central_database: true \ No newline at end of file diff --git a/roles/docker-discourse/vars/main.yml b/roles/docker-discourse/vars/main.yml index 9db00ec6..11e11381 100644 --- a/roles/docker-discourse/vars/main.yml +++ b/roles/docker-discourse/vars/main.yml @@ -1,5 +1,5 @@ application_id: "discourse" -database_password: "{{ applications.discourse.credentials.database.password }}" +database_password: "{{ applications.discourse.credentials.database_password }}" database_type: "postgres" docker_repository_directory : "{{docker_compose.directories.services}}{{applications.discourse.repository}}/" discourse_application_yml_destination: "{{docker_repository_directory }}containers/{{applications.discourse.container}}.yml" \ No newline at end of file diff --git a/roles/docker-elk/TODO.md b/roles/docker-elk/TODO.md index 47744e43..08315f9e 100644 --- a/roles/docker-elk/TODO.md +++ b/roles/docker-elk/TODO.md @@ -1 +1,2 @@ +# Todo - implement \ No newline at end of file diff --git a/roles/docker-elk/templates/configuration.yml.j2 b/roles/docker-elk/templates/configuration.yml.j2 new file mode 100644 index 00000000..e5559102 --- /dev/null +++ b/roles/docker-elk/templates/configuration.yml.j2 
@@ -0,0 +1,3 @@ +# Jinja2 configuration template +# Define your variables here + diff --git a/roles/docker-espocrm/meta/schema.yml b/roles/docker-espocrm/meta/schema.yml new file mode 100644 index 00000000..c0996a60 --- /dev/null +++ b/roles/docker-espocrm/meta/schema.yml @@ -0,0 +1,9 @@ +credentials: + administrator_password: + description: "Initial password for the EspoCRM administrator user" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" + database_password: + description: "Password for the EspoCRM database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/docker-espocrm/templates/env.j2 b/roles/docker-espocrm/templates/env.j2 index 70d8dd2a..fdf120f2 100644 --- a/roles/docker-espocrm/templates/env.j2 +++ b/roles/docker-espocrm/templates/env.j2 @@ -20,7 +20,7 @@ CRON_DISABLED=true # Initial admin account # ------------------------------------------------ ESPOCRM_ADMIN_USERNAME={{ applications[application_id].users.administrator.username }} -ESPOCRM_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator.password }} +ESPOCRM_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }} # Public base URL of the EspoCRM instance ESPOCRM_SITE_URL={{ web_protocol }}://{{ domains[application_id] }} diff --git a/roles/docker-espocrm/vars/configuration.yml b/roles/docker-espocrm/vars/configuration.yml new file mode 100644 index 00000000..40329de1 --- /dev/null +++ b/roles/docker-espocrm/vars/configuration.yml @@ -0,0 +1,17 @@ +version: "latest" +users: + administrator: + username: "{{ users.administrator.username }}" + email: "{{ users.administrator.email }}" + +credentials: +# administrator_password: # Set in inventory file +# database_password: # Set in your inventory file + +features: + matomo: true + css: false + landingpage_iframe: false + ldap: false + oidc: true + central_database: true \ No newline at end of file 
diff --git a/roles/docker-espocrm/vars/main.yml b/roles/docker-espocrm/vars/main.yml index 9d52dcaf..2bdc9abb 100644 --- a/roles/docker-espocrm/vars/main.yml +++ b/roles/docker-espocrm/vars/main.yml @@ -1,5 +1,5 @@ application_id: "espocrm" # Password for the espocrm DB user (taken from inventory applications dict) -database_password: "{{ applications[application_id].credentials.database.password }}" +database_password: "{{ applications[application_id].credentials.database_password }}" # EspoCRM uses MySQL/MariaDB database_type: "mariadb" \ No newline at end of file diff --git a/roles/docker-friendica/Administration.md b/roles/docker-friendica/Administration.md index d4526093..c4a27085 100644 --- a/roles/docker-friendica/Administration.md +++ b/roles/docker-friendica/Administration.md @@ -8,7 +8,7 @@ The following environment variables need to be defined for successful operation: To completely reset Friendica, including its database and volumes, run: ```bash -docker exec -i central-mariadb mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;" +docker exec -i {{capplications.mariadb.hostname }} mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;" docker compose down rm -rv /mnt/hdd/data/docker/volumes/friendica_data docker volume rm friendica_data @@ -19,7 +19,7 @@ docker volume rm friendica_data ## Manual Method: 1. Connect to the MariaDB instance: ```bash - docker exec -it central-mariadb mariadb -u root -p + docker exec -it {{capplications.mariadb.hostname }} mariadb -u root -p ``` 2. Run the following commands: ```sql 
@@ -31,7 +31,7 @@ docker volume rm friendica_data ## Automatic Method: ```bash DB_ROOT_PASSWORD="your_root_password" -docker exec -i central-mariadb mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;" +docker exec -i {{capplications.mariadb.hostname }} mariadb -u root -p"${DB_ROOT_PASSWORD}" -e "DROP DATABASE IF EXISTS friendica; CREATE DATABASE friendica;" ``` ## Enter the Application Container 🔍 diff --git a/roles/docker-friendica/meta/schema.yml b/roles/docker-friendica/meta/schema.yml new file mode 100644 index 00000000..bb3349b1 --- /dev/null +++ b/roles/docker-friendica/meta/schema.yml @@ -0,0 +1,5 @@ +credentials: + database_password: + description: "Password for the Friendica database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/docker-friendica/vars/configuration.yml b/roles/docker-friendica/vars/configuration.yml new file mode 100644 index 00000000..6edfdb3b --- /dev/null +++ b/roles/docker-friendica/vars/configuration.yml @@ -0,0 +1,7 @@ +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: true + oidc: true + central_database: true \ No newline at end of file diff --git a/roles/docker-friendica/vars/main.yml b/roles/docker-friendica/vars/main.yml index 817aa6aa..64803208 100644 --- a/roles/docker-friendica/vars/main.yml +++ b/roles/docker-friendica/vars/main.yml @@ -1,4 +1,4 @@ application_id: "friendica" -database_password: "{{friendica_database_password}}" +database_password: "{{ applications[application_id].credentials.database_password }}" database_type: "mariadb" -no_validation: "{{applications[application_id].features.oidc}}" # Email validation is not neccessary if OIDC is active \ No newline at end of file +no_validation: "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active \ No newline at end of file 
diff --git a/roles/docker-funkwhale/meta/schema.yml b/roles/docker-funkwhale/meta/schema.yml new file mode 100644 index 00000000..cca1a977 --- /dev/null +++ b/roles/docker-funkwhale/meta/schema.yml @@ -0,0 +1,9 @@ +credentials: + database_password: + description: "Password for the Funkwhale PostgreSQL database" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + django_secret: + description: "Django SECRET_KEY used for cryptographic signing" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-funkwhale/templates/env.j2 b/roles/docker-funkwhale/templates/env.j2 index 05102b04..f2b31498 100644 --- a/roles/docker-funkwhale/templates/env.j2 +++ b/roles/docker-funkwhale/templates/env.j2 @@ -98,7 +98,7 @@ STATIC_ROOT={{static_root}} DJANGO_SETTINGS_MODULE=config.settings.production # Generate one using `openssl rand -base64 45`, for example -DJANGO_SECRET_KEY={{funkwhale_django_secret}} +DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}} {% if applications[application_id].features.ldap | bool %} # LDAP settings diff --git a/roles/docker-funkwhale/vars/configuration.yml b/roles/docker-funkwhale/vars/configuration.yml new file mode 100644 index 00000000..ca9ecc46 --- /dev/null +++ b/roles/docker-funkwhale/vars/configuration.yml @@ -0,0 +1,10 @@ +version: "1.4.0" +features: + matomo: true + css: true + landingpage_iframe: true + ldap: true + central_database: true +credentials: +# database_password: # Needs to be defined in inventory file +# django_secret: # Needs to be defined in inventory file \ No newline at end of file diff --git a/roles/docker-funkwhale/vars/main.yml b/roles/docker-funkwhale/vars/main.yml index 28cb58aa..a63a56a4 100644 --- a/roles/docker-funkwhale/vars/main.yml +++ b/roles/docker-funkwhale/vars/main.yml 
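Review bot: The comment `# Generate one using \`openssl rand -base64 45\`, for example`, which stays above the rewritten `DJANGO_SECRET_KEY` line, now contradicts the new `meta/schema.yml` in this commit, which validates `django_secret` as `^[a-f0-9]{64}$` with `algorithm: "sha256"`; a base64 value cannot pass that regex. Either update the comment to match the schema (e.g. `# Generate one using \`openssl rand -hex 32\``, which yields 64 hex characters) or relax the schema to what the comment recommends.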
@@ -1,6 +1,6 @@ application_id: "funkwhale" nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;" -database_password: "{{funkwhale_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" database_type: "postgres" media_root: "/srv/funkwhale/data/" static_root: "{{media_root}}static" diff --git a/roles/docker-gitea/meta/schema.yml b/roles/docker-gitea/meta/schema.yml new file mode 100644 index 00000000..6646ac89 --- /dev/null +++ b/roles/docker-gitea/meta/schema.yml @@ -0,0 +1,5 @@ +credentials: + database_password: + description: "Password for the Gitea database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" diff --git a/roles/docker-gitea/vars/configuration.yml b/roles/docker-gitea/vars/configuration.yml new file mode 100644 index 00000000..669269a3 --- /dev/null +++ b/roles/docker-gitea/vars/configuration.yml @@ -0,0 +1,11 @@ +version: "latest" # Use latest docker image +configuration: + repository: + enable_push_create_user: True # Allow users to push local repositories to Gitea and have them automatically created for a user. + default_private: last # Default private when creating a new repository: last, private, public + default_push_create_private: True # Default private when creating a new repository with push-to-create. +features: + matomo: true + css: true + landingpage_iframe: true + central_database: true \ No newline at end of file diff --git a/roles/docker-gitea/vars/main.yml b/roles/docker-gitea/vars/main.yml index 9022a965..ef2ba7c3 100644 --- a/roles/docker-gitea/vars/main.yml +++ b/roles/docker-gitea/vars/main.yml @@ -1,3 +1,3 @@ application_id: "gitea" -database_password: "{{gitea_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" database_type: "mariadb" \ No newline at end of file 
diff --git a/roles/docker-gitlab/meta/schema.yml b/roles/docker-gitlab/meta/schema.yml new file mode 100644 index 00000000..5f164570 --- /dev/null +++ b/roles/docker-gitlab/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the GitLab PostgreSQL database" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + initial_root_password: + description: "Initial password for the GitLab root user" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-gitlab/vars/configuration.yml b/roles/docker-gitlab/vars/configuration.yml new file mode 100644 index 00000000..543b25e0 --- /dev/null +++ b/roles/docker-gitlab/vars/configuration.yml @@ -0,0 +1,6 @@ +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: true + central_database: true \ No newline at end of file diff --git a/roles/docker-gitlab/vars/main.yml b/roles/docker-gitlab/vars/main.yml index c7e1bd90..e6820f5d 100644 --- a/roles/docker-gitlab/vars/main.yml +++ b/roles/docker-gitlab/vars/main.yml @@ -1,3 +1,3 @@ application_id: "gitlab" -database_password: "{{gitlab_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" database_type: "postgres" \ No newline at end of file diff --git a/roles/docker-jenkins/Todo.md b/roles/docker-jenkins/Todo.md new file mode 100644 index 00000000..eb5bfbde --- /dev/null +++ b/roles/docker-jenkins/Todo.md @@ -0,0 +1,2 @@ +# Todo +- Implement this role \ No newline at end of file diff --git a/roles/docker-jenkins/vars/configuration.yml b/roles/docker-jenkins/vars/configuration.yml new file mode 100644 index 00000000..e5559102 --- /dev/null +++ b/roles/docker-jenkins/vars/configuration.yml @@ -0,0 +1,3 @@ +# Jinja2 configuration template +# Define your variables here + diff --git a/roles/docker-joomla/meta/schema.yml b/roles/docker-joomla/meta/schema.yml new file mode 100644 index 00000000..6f59e72b --- /dev/null 
+++ b/roles/docker-joomla/meta/schema.yml @@ -0,0 +1,5 @@ +credentials: + database_password: + description: "Password for the Joomla database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/docker-joomla/vars/configuration.yml b/roles/docker-joomla/vars/configuration.yml new file mode 100644 index 00000000..074ddcb8 --- /dev/null +++ b/roles/docker-joomla/vars/configuration.yml @@ -0,0 +1,5 @@ +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: true \ No newline at end of file diff --git a/roles/docker-keycloak/meta/schema.yml b/roles/docker-keycloak/meta/schema.yml new file mode 100644 index 00000000..1355466e --- /dev/null +++ b/roles/docker-keycloak/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the Keycloak PostgreSQL database" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + administrator_password: + description: "Password for the Keycloak administrator user (used in bootstrap and CLI access)" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-keycloak/templates/env.j2 b/roles/docker-keycloak/templates/env.j2 index bc548616..ab5748f1 100644 --- a/roles/docker-keycloak/templates/env.j2 +++ b/roles/docker-keycloak/templates/env.j2 
@@ -10,13 +10,13 @@ KC_HTTP_ENABLED= true
KC_HEALTH_ENABLED= true
KC_METRICS_ENABLED= true
-KEYCLOAK_ADMIN= "{{applications.keycloak.users.administrator.username}}"
-KEYCLOAK_ADMIN_PASSWORD= "{{applications.keycloak.administrator_password}}"
+KEYCLOAK_ADMIN= "{{applications[application_id].users.administrator.username}}"
+KEYCLOAK_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}"
KC_DB= postgres
KC_DB_URL= {{database_url_jdbc}}
KC_DB_USERNAME= {{database_username}}
KC_DB_PASSWORD= {{database_password}}
# If the initial administrator already exists and the environment variables are still present at startup, an error message stating the failed creation of the initial administrator is shown in the logs. Keycloak ignores the values and starts up correctly.
-KC_BOOTSTRAP_ADMIN_USERNAME= {{users.administrator.username}}
-KC_BOOTSTRAP_ADMIN_PASSWORD= {{users.administrator.password}}
\ No newline at end of file
+KC_BOOTSTRAP_ADMIN_USERNAME= "{{applications[application_id].users.administrator.username}}"
+KC_BOOTSTRAP_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}"
\ No newline at end of file
diff --git a/roles/docker-keycloak/vars/configuration.yml b/roles/docker-keycloak/vars/configuration.yml
new file mode 100644
index 00000000..7ea25cf6
--- /dev/null
+++ b/roles/docker-keycloak/vars/configuration.yml
@@ -0,0 +1,15 @@
+version: "latest"
+users:
+ administrator:
+ username: "{{users.administrator.username}}" # Administrator Username for Keycloak
+import_realm: True # If True realm will be imported. If false skip.
+credentials:
+# database_password: # Needs to be defined in inventory file
+# administrator_password: # Needs to be defined in inventory file
+features:
+ matomo: true
+ css: true
+ landingpage_iframe: true
+ ldap: true
+ central_database: true
+ recaptcha: true
\ No newline at end of file
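Review bot: `credentials:` in the keycloak `vars/configuration.yml` has only commented-out children, so YAML parses it as `credentials: null`; a template that then evaluates `applications[application_id].credentials.administrator_password` (the keycloak `env.j2` hunk above) fails on a null value instead of reporting a clearly undefined variable, unless the inventory replaces the whole key — how inventory values are merged in is not visible on this page. The lam, ldap, mailu and mastodon `vars/configuration.yml` hunks carry the same pattern. Either drop the empty key or write `credentials: {}` so that a missing secret surfaces as an undefined lookup.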
diff --git a/roles/docker-keycloak/vars/main.yml b/roles/docker-keycloak/vars/main.yml
index 29518e3a..964939d6 100644
--- a/roles/docker-keycloak/vars/main.yml
+++ b/roles/docker-keycloak/vars/main.yml
@@ -1,6 +1,6 @@
application_id: "keycloak"
database_type: "postgres"
-database_password: "{{applications.keycloak.credentials.database.password}}"
+database_password: "{{applications[application_id].credentials.database_password}}"
container_name: "{{application_id}}_application"
realm: "{{primary_domain}}" # This is the name of the default realm which is used by the applications
import_directory_host: "{{docker_compose.directories.volumes}}import/" # Directory in which keycloack import files are placed on the host
diff --git a/roles/docker-lam/meta/schema.yml b/roles/docker-lam/meta/schema.yml
new file mode 100644
index 00000000..180f92b7
--- /dev/null
+++ b/roles/docker-lam/meta/schema.yml
@@ -0,0 +1,10 @@
+credentials:
+ oauth2_proxy_cookie_secret:
+ description: "Secret used to encrypt OAuth2 proxy cookies (hex-encoded, 16 bytes)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{32}$"
+
+ administrator_password:
+ description: "Initial password for the LAM administrator"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
\ No newline at end of file
diff --git a/roles/docker-lam/vars/configuration.yml b/roles/docker-lam/vars/configuration.yml
new file mode 100644
index 00000000..833c89c2
--- /dev/null
+++ b/roles/docker-lam/vars/configuration.yml
@@ -0,0 +1,14 @@
+version: "latest"
+oauth2_proxy:
+ application: application # Needs to be the same as webinterface
+ port: 80 # application port
+credentials:
+# oauth2_proxy_cookie_secret: None # Set via openssl rand -hex 16
+# administrator_password: "None" # CHANGE for security reasons
+features:
+ matomo: true
+ css: true
+ landingpage_iframe: true
+ ldap: true
+ central_database: false
+ oauth2: false
\ No newline at end of file
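Review bot: `oauth2_proxy_cookie_secret` in the lam `meta/schema.yml` declares `algorithm: "sha256"` together with `validation: "^[a-f0-9]{32}$"`, but a SHA-256 hex digest is 64 characters, so if `algorithm` is what drives generation the produced value can never pass its own validation; the comment in the lam `vars/configuration.yml` hunk (`openssl rand -hex 16`) describes a 32-hex-char random value, which matches the regex but not the algorithm name. The same pairing appears for `secret_key` in the mailu schema and `oauth2_proxy_cookie_secret` in the matomo schema. The page does not show how `algorithm` is consumed, so this is worth confirming; if it names a generator, either the validation should be `{64}` or the algorithm should describe a 16-byte random hex value.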
diff --git a/roles/docker-ldap/meta/schema.yml b/roles/docker-ldap/meta/schema.yml
new file mode 100644
index 00000000..14f51a47
--- /dev/null
+++ b/roles/docker-ldap/meta/schema.yml
@@ -0,0 +1,10 @@
+credentials:
+ administrator_password:
+ description: "Initial password for the LDAP administrator (e.g. cn=admin,dc=example,dc=com)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ administrator_database_password:
+ description: "Password used internally for the database-backed directory admin"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
\ No newline at end of file
diff --git a/roles/docker-ldap/templates/env.j2 b/roles/docker-ldap/templates/env.j2
index c5bcd08d..3519caf8 100644
--- a/roles/docker-ldap/templates/env.j2
+++ b/roles/docker-ldap/templates/env.j2
@@ -3,8 +3,8 @@
# GENERAL
## Database
-LDAP_ADMIN_USERNAME= {{applications.ldap.users.administrator.username}} # LDAP database admin user.
-LDAP_ADMIN_PASSWORD= {{applications.ldap.administrator_database_password}} # LDAP database admin password.
+LDAP_ADMIN_USERNAME= {{applications[application_id].administrator.username}} # LDAP database admin user.
+LDAP_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_database_password}} # LDAP database admin password.
## Users
LDAP_USERS= ' ' # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
@@ -14,8 +14,8 @@ LDAP_ROOT= {{ldap.dn.root}} # LDAP baseDN (or su
## Admin
LDAP_ADMIN_DN= {{ldap.dn.administrator}}
LDAP_CONFIG_ADMIN_ENABLED= yes
-LDAP_CONFIG_ADMIN_USERNAME= {{applications.ldap.users.administrator.username}}
-LDAP_CONFIG_ADMIN_PASSWORD= {{applications.ldap.administrator_password}}
+LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].administrator.username}}
+LDAP_CONFIG_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_password}}
# Network
LDAP_PORT_NUMBER= {{ldap_docker_port}} # Route to default port
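Review bot: The new `LDAP_ADMIN_USERNAME` and `LDAP_CONFIG_ADMIN_USERNAME` lines reference `applications[application_id].administrator.username`, dropping the `users.` level that the removed expression had and that the ldap `vars/configuration.yml` in this commit defines (`users:` → `administrator:` → `username:`); as written both resolve to an undefined attribute. Both hunks of this file are affected, four changed lines in total. The keycloak `env.j2` hunk uses the form that matches the configuration, `{{applications[application_id].users.administrator.username}}`, and the same should be used here.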
diff --git a/roles/docker-ldap/vars/configuration.yml b/roles/docker-ldap/vars/configuration.yml
new file mode 100644
index 00000000..7f94b2d6
--- /dev/null
+++ b/roles/docker-ldap/vars/configuration.yml
@@ -0,0 +1,15 @@
+version: "latest"
+network:
+ local: True # Activates local network. Necessary for LDIF import routines
+ docker: True # Activates docker network to allow other docker containers to connect
+ public: False # Set to true in inventory file if you want to expose the LDAP port to the internet
+hostname: "ldap" # Hostname of the LDAP Server in the central_ldap network
+webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
+users:
+ administrator:
+ username: "{{users.administrator.username}}" # Administrator username
+credentials:
+# administrator_password: # CHANGE for security reasons in inventory file
+# administrator_database_password: # CHANGE for security reasons in inventory file
+features:
+ ldap: true
diff --git a/roles/docker-listmonk/meta/schema.yml b/roles/docker-listmonk/meta/schema.yml
new file mode 100644
index 00000000..149f98f7
--- /dev/null
+++ b/roles/docker-listmonk/meta/schema.yml
@@ -0,0 +1,20 @@
+credentials:
+ database_password:
+ description: "Password for the Listmonk PostgreSQL database user"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ administrator_password:
+ description: "Initial password for the Listmonk administrator account"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ hcaptcha_site_key:
+ description: "Public site key used by Listmonk to render hCaptcha"
+ algorithm: "plain"
+ validation: "^[0-9a-zA-Z_-]{32,}$"
+
+ hcaptcha_secret:
+ description: "Private hCaptcha secret key for server-side verification"
+ algorithm: "plain"
+ validation: "^[0-9a-zA-Z_-]{32,}$"
diff --git a/roles/docker-listmonk/templates/env.j2 b/roles/docker-listmonk/templates/env.j2
index 45dc4837..835cacfd 100644
--- a/roles/docker-listmonk/templates/env.j2
+++ b/roles/docker-listmonk/templates/env.j2
@@ -3,4 +3,4 @@
TZ={{ HOST_TIMEZONE }}
# Administrator setup
LISTMONK_ADMIN_USER={{ applications[application_id].users.administrator.username }}
-LISTMONK_ADMIN_PASSWORD={{ applications[application_id].users.administrator.password }}
+LISTMONK_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }}
\ No newline at end of file
diff --git a/roles/docker-listmonk/vars/configuration.yml b/roles/docker-listmonk/vars/configuration.yml
new file mode 100644
index 00000000..4fa87a32
--- /dev/null
+++ b/roles/docker-listmonk/vars/configuration.yml
@@ -0,0 +1,11 @@
+users:
+ administrator:
+ username: "{{users.administrator.username}}" # Listmonk administrator account username
+public_api_activated: False # Security hole. Can be used for spaming
+version: "latest" # Docker Image version
+features:
+ matomo: true
+ css: true
+ landingpage_iframe: true
+ central_database: true
+ oidc: true
\ No newline at end of file
diff --git a/roles/docker-listmonk/vars/main.yml b/roles/docker-listmonk/vars/main.yml
index dea782e1..67cc0709 100644
--- a/roles/docker-listmonk/vars/main.yml
+++ b/roles/docker-listmonk/vars/main.yml
@@ -1,5 +1,5 @@
application_id: "listmonk"
-database_password: "{{applications[application_id].credentials.database.password}}"
+database_password: "{{applications[application_id].credentials.database_password}}"
database_type: "postgres"
listmonk_settings:
@@ -25,10 +25,10 @@ listmonk_settings:
value: 'true'
- key: "security.captcha_key"
- value: '"{{ applications[application_id].credentials.hcaptcha.site_key }}"'
+ value: '"{{ applications[application_id].credentials.hcaptcha_site_key }}"'
- key: "security.captcha_secret"
- value: '"{{ applications[application_id].credentials.hcaptcha.secret }}"'
+ value: '"{{ applications[application_id].credentials.hcaptcha_secret }}"'
# SMTP servers
- key: "smtp"
diff --git a/roles/docker-mailu/meta/schema.yml b/roles/docker-mailu/meta/schema.yml
new file mode 100644
index 00000000..88b02f6c
--- /dev/null
+++ b/roles/docker-mailu/meta/schema.yml
@@ -0,0 +1,25 @@
+credentials:
+ secret_key:
+ description: "Secret key for cryptographic operations in Mailu (must be a 16-byte random string, hex-encoded)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{32}$"
+
+ database_password:
+ description: "Password for the Mailu PostgreSQL or MariaDB database user"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ api_token:
+ description: "Authentication token for accessing the Mailu RESTful API (minimum 3 characters)"
+ algorithm: "plain"
+ validation: "^.{3,}$"
+
+ initial_administrator_password:
+ description: "Initial password for the Mailu administrator account (used during setup)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ dkim_public_key:
+ description: "Public DKIM key for DNS configuration (TXT record)"
+ algorithm: "plain"
+ validation: "^.{64,}$"
\ No newline at end of file
diff --git a/roles/docker-mailu/vars/configuration.yml b/roles/docker-mailu/vars/configuration.yml
new file mode 100644
index 00000000..d2c65174
--- /dev/null
+++ b/roles/docker-mailu/vars/configuration.yml
@@ -0,0 +1,20 @@
+version: "2024.06" # Docker Image Version
+users:
+ administrator:
+ email: "{{users.administrator.email}}" # Administrator Email for DNS Records
+oidc:
+ email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used
+ enable_user_creation: true # Users will be created if not existing
+domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @
+credentials:
+# secret_key: # Set to a randomly generated 16 bytes string
+# database_password: # Needs to be set in inventory file
+# api_token: # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API.
+# initial_administrator_password: # Initial administrator password for setup
+# dkim_public_key: # Must be set in inventory file
+features:
+ matomo: true
+ css: true
+ landingpage_iframe: false # Deactivated mailu iframe loading until keycloak supports it
+ oidc: true
+ central_database: false # Deactivate central database for mailu, I don't know why the database deactivation is necessary
\ No newline at end of file
diff --git a/roles/docker-mailu/vars/main.yml b/roles/docker-mailu/vars/main.yml
index 2aba753c..54ee4875 100644
--- a/roles/docker-mailu/vars/main.yml
+++ b/roles/docker-mailu/vars/main.yml
@@ -1,7 +1,7 @@
application_id: "mailu"
# Database Configuration
-database_password: "{{applications.mailu.credentials.database.password}}"
+database_password: "{{applications.mailu.credentials.database_password}}"
database_type: "mariadb"
cert_mount_directory: "{{docker_compose.directories.volumes}}certs/"
diff --git a/roles/docker-mariadb/Administration.md b/roles/docker-mariadb/Administration.md
index 2a05ed1e..cf53cb01 100644
--- a/roles/docker-mariadb/Administration.md
+++ b/roles/docker-mariadb/Administration.md
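Review bot: The mailu `vars/main.yml` line keeps the hard-coded application name, `applications.mailu.credentials.database_password`, while the gitlab, keycloak, listmonk and mastodon `vars/main.yml` hunks in this commit switch to the `applications[application_id]` form; the matomo `vars/main.yml` hunk has the same inconsistency. Since `application_id` is defined on the first line of each of these files, `database_password: "{{applications[application_id].credentials.database_password}}"` would make the two roles read like the rest.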
@@ -2,5 +2,5 @@
## Execute SQL commands
```bash
-docker exec -it central-mariadb mariadb -u root -p
+docker exec -it {{capplications.mariadb.hostname }} mariadb -u root -p
```
\ No newline at end of file
diff --git a/roles/docker-mariadb/meta/main.yml b/roles/docker-mariadb/meta/main.yml
new file mode 100644
index 00000000..ec625ebd
--- /dev/null
+++ b/roles/docker-mariadb/meta/main.yml
@@ -0,0 +1,26 @@
+---
+galaxy_info:
+ author: "Kevin Veen-Birkenbach"
+ description: >-
+ The Docker MariaDB Role offers an easy and efficient way to deploy a MariaDB server inside a Docker container.
+ Manage your data securely and effectively, making it ideal for production or local development.
+ license: "CyMaIS NonCommercial License (CNCL)"
+ license_url: "https://s.veen.world/cncl"
+ company: |
+ Kevin Veen-Birkenbach
+ Consulting & Coaching Solutions
+ https://www.veen.world
+ min_ansible_version: "2.9"
+ platforms:
+ - name: Docker
+ versions:
+ - "latest"
+ galaxy_tags:
+ - mariadb
+ - docker
+ - database
+ - administration
+ - central-database
+ repository: "https://s.veen.world/cymais"
+ issue_tracker_url: "https://s.veen.world/cymaisissues"
+ documentation: "https://s.veen.world/cymais"
diff --git a/roles/docker-mariadb/meta/schema.yml b/roles/docker-mariadb/meta/schema.yml
new file mode 100644
index 00000000..df367386
--- /dev/null
+++ b/roles/docker-mariadb/meta/schema.yml
@@ -0,0 +1,5 @@
+credentials:
+ root_password:
+ description: "Password for the MariaDB root user"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
\ No newline at end of file
diff --git a/roles/docker-mariadb/tasks/main.yml b/roles/docker-mariadb/tasks/main.yml
index 488ff95e..cf4726d6 100644
--- a/roles/docker-mariadb/tasks/main.yml
+++ b/roles/docker-mariadb/tasks/main.yml
@@ -8,11 +8,11 @@
- name: install MariaDB
docker_container:
- name: central-mariadb
+ name: "{{capplications.mariadb.hostname }}"
image: "mariadb:{{applications.mariadb.version}}" #could lead to problems with nextcloud
detach: yes
env:
- MARIADB_ROOT_PASSWORD: "{{central_mariadb_root_password}}"
+ MARIADB_ROOT_PASSWORD: "{{applications.mariadb.credentials.root_password}}"
MARIADB_AUTO_UPGRADE: "1"
networks:
- name: central_mariadb
@@ -23,7 +23,7 @@
command: "--transaction-isolation=READ-COMMITTED --binlog-format=ROW" #for nextcloud
restart_policy: "{{docker_restart_policy}}"
healthcheck:
- test: "/usr/bin/mariadb --user=root --password={{central_mariadb_root_password}} --execute \"SHOW DATABASES;\""
+ test: "/usr/bin/mariadb --user=root --password={{applications.mariadb.credentials.root_password}} --execute \"SHOW DATABASES;\""
interval: 3s
timeout: 1s
retries: 5
@@ -38,7 +38,7 @@
- name: Wait until the MariaDB container is healthy
community.docker.docker_container_info:
- name: central-mariadb
+ name: "{{capplications.mariadb.hostname }}"
register: db_info
until: db_info.containers[0].State.Health.Status == "healthy"
retries: 30
@@ -53,7 +53,7 @@
name: "{{ database_name }}"
state: present
login_user: root
- login_password: "{{ central_mariadb_root_password }}"
+ login_password: "{{ applications.mariadb.credentials.root_password }}"
login_host: 127.0.0.1
login_port: "{{database_port}}"
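Review bot: `{{capplications.mariadb.hostname }}` in the container `name:` of the `install MariaDB` task is a typo for `applications`, so the play fails on an undefined variable at this task; the same misspelling is in the `Wait until the MariaDB container is healthy` hunk (`@@ -38`), the `Grant database privileges` shell command (`@@ -65`) and the `Administration.md` snippet. The new `vars/configuration.yml` for this role only sets `version`, so even after the typo is fixed `applications.mariadb.hostname` has to be defined somewhere not visible on this page — worth confirming, since the old literal `central-mariadb` is presumably what other roles' `database_host` resolves to. Change the four occurrences to `{{ applications.mariadb.hostname }}`.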
@@ -65,13 +65,13 @@
priv: '{{database_name}}.*:ALL'
state: present
login_user: root
- login_password: "{{central_mariadb_root_password}}"
+ login_password: "{{applications.mariadb.credentials.root_password}}"
login_host: 127.0.0.1
login_port: "{{database_port}}"
- name: Grant database privileges
ansible.builtin.shell:
- cmd: "docker exec central-mariadb mariadb -u root -p{{ central_mariadb_root_password }} -e \"GRANT ALL PRIVILEGES ON {{database_name}}.* TO '{{database_username}}'@'%';\""
+ cmd: "docker exec {{capplications.mariadb.hostname }} mariadb -u root -p{{ applications.mariadb.credentials.root_password }} -e \"GRANT ALL PRIVILEGES ON {{database_name}}.* TO '{{database_username}}'@'%';\""
args:
executable: /bin/bash
diff --git a/roles/docker-mariadb/vars/configuration.yml b/roles/docker-mariadb/vars/configuration.yml
new file mode 100644
index 00000000..f1b4f6b4
--- /dev/null
+++ b/roles/docker-mariadb/vars/configuration.yml
@@ -0,0 +1 @@
+version: "latest"
\ No newline at end of file
diff --git a/roles/docker-mastodon/meta/schema.yml b/roles/docker-mastodon/meta/schema.yml
new file mode 100644
index 00000000..6102f030
--- /dev/null
+++ b/roles/docker-mastodon/meta/schema.yml
@@ -0,0 +1,40 @@
+credentials:
+ database_password:
+ description: "Password for the Mastodon PostgreSQL database user"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ secret_key_base:
+ description: "Main secret key used to verify the integrity of signed cookies and tokens"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ otp_secret:
+ description: "OTP secret used for two-factor authentication"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ vapid_private_key:
+ description: "Private VAPID key used for web push notifications"
+ algorithm: "plain"
+ validation: "^[-_a-zA-Z0-9]{30,}$"
+
+ vapid_public_key:
+ description: "Public VAPID key used for web push notifications"
+ algorithm: "plain"
+ validation: "^[-_a-zA-Z0-9]{30,}$"
+
+ active_record_encryption_deterministic_key:
+ description: "Deterministic encryption key for Active Record encryption"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ active_record_encryption_key_derivation_salt:
+ description: "Key derivation salt for Active Record encryption"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ active_record_encryption_primary_key:
+ description: "Primary encryption key for Active Record encrypted columns"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
diff --git a/roles/docker-mastodon/templates/env.j2 b/roles/docker-mastodon/templates/env.j2
index 84254bc2..c07e2b93 100644
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -20,8 +20,8 @@ OTP_SECRET= {{applications.mastodon.credentials.otp_secret}}
# --------
# Generate with `bundle exec rails mastodon:webpush:generate_vapid_key`
# --------
-VAPID_PRIVATE_KEY= {{applications.mastodon.credentials.vapid.private_key}}
-VAPID_PUBLIC_KEY= {{applications.mastodon.credentials.vapid.public_key}}
+VAPID_PRIVATE_KEY= {{applications.mastodon.credentials.vapid_private_key}}
+VAPID_PUBLIC_KEY= {{applications.mastodon.credentials.vapid_public_key}}
# Encryption secrets
# ------------------
@@ -29,9 +29,9 @@ VAPID_PUBLIC_KEY= {{applications.mastodon.credentials.vapid.public_key}}
# These are private/secret values, do not share outside hosting environment
# Use `bin/rails db:encryption:init` to generate fresh secrets
# Do NOT change these secrets once in use, as this would cause data loss and other issues
-ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{applications.mastodon.credentials.active_record_encryption.deterministic_key}}
-ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT= {{applications.mastodon.credentials.active_record_encryption.key_derivation_salt}}
-ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY= {{applications.mastodon.credentials.active_record_encryption.primary_key}}
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{applications.mastodon.credentials.active_record_encryption_deterministic_key}}
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT= {{applications.mastodon.credentials.active_record_encryption_key_derivation_salt}}
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY= {{applications.mastodon.credentials.active_record_encryption_primary_key}}
DB_HOST={{database_host}}
DB_PORT={{database_port}}
diff --git a/roles/docker-mastodon/vars/configuration.yml b/roles/docker-mastodon/vars/configuration.yml
new file mode 100644
index 00000000..b1e0f0cd
--- /dev/null
+++ b/roles/docker-mastodon/vars/configuration.yml
@@ -0,0 +1,19 @@
+version: "latest"
+single_user_mode: false # Set true for initial setup
+setup: false # Set true in inventory file to execute the setup and initializing procedures
+credentials:
+# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
+# database_password:
+# secret_key_base:
+# otp_secret:
+# vapid_private_key:
+# vapid_public_key:
+# active_record_encryption_deterministic_key:
+# active_record_encryption_key_derivation_salt:
+# active_record_encryption_primary_key:
+features:
+ matomo: true
+ css: true
+ landingpage_iframe: false
+ oidc: true
+ central_database: true
diff --git a/roles/docker-mastodon/vars/main.yml b/roles/docker-mastodon/vars/main.yml
index 9e226ad7..e17a89c1 100644
--- a/roles/docker-mastodon/vars/main.yml
+++ b/roles/docker-mastodon/vars/main.yml
@@ -1,3 +1,3 @@
application_id: "mastodon"
-database_password: "{{applications[application_id].credentials.database.password}}"
+database_password: "{{applications[application_id].credentials.database_password}}"
database_type: "postgres"
\ No newline at end of file
diff --git a/roles/docker-matomo/meta/schema.yml b/roles/docker-matomo/meta/schema.yml
new file mode 100644
index 00000000..2b5e6fd0
--- /dev/null
+++ b/roles/docker-matomo/meta/schema.yml
@@ -0,0 +1,15 @@
+credentials:
+ database_password:
+ description: "Password for the Matomo database user"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ auth_token:
+ description: "Authentication token for the Matomo HTTP API (used for automation and integrations)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ oauth2_proxy_cookie_secret:
+ description: "Secret used to encrypt cookies in the OAuth2 Proxy (hex-encoded, 16 bytes)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{32}$"
\ No newline at end of file
diff --git a/roles/docker-matomo/vars/configuration.yml b/roles/docker-matomo/vars/configuration.yml
new file mode 100644
index 00000000..76958a39
--- /dev/null
+++ b/roles/docker-matomo/vars/configuration.yml
@@ -0,0 +1,7 @@
+version: "latest"
+features:
+ matomo: true
+ css: false
+ landingpage_iframe: false
+ central_database: true
+ oauth2: false
\ No newline at end of file
diff --git a/roles/docker-matomo/vars/main.yml b/roles/docker-matomo/vars/main.yml
index 34f10859..7c6e3f0e 100644
--- a/roles/docker-matomo/vars/main.yml
+++ b/roles/docker-matomo/vars/main.yml
@@ -1,7 +1,7 @@
---
application_id: "matomo"
database_type: "mariadb"
-database_password: "{{applications.matomo.credentials.database.password}}"
+database_password: "{{applications.matomo.credentials.database_password}}"
# I don't know if this is still necessary
-domain: "{{domains.matomo}}"
\ No newline at end of file
+domain: "{{domains.matomo}}"
\ No newline at end of file
diff --git a/roles/docker-matrix-ansible/README.md b/roles/docker-matrix-ansible/README.md
index e3095956..a5a8a8cf 100644
--- a/roles/docker-matrix-ansible/README.md
+++ b/roles/docker-matrix-ansible/README.md
@@ -1,4 +1,4 @@
-# Matrix (Ansible)
+# Matrix (Ansible - Deprecated)
## Warning
This role is experimental and may not be actively maintained. Use it with caution in production environments. For a more stable deployment, please consider using the Matrix Compose role or another alternative solution.
diff --git a/roles/docker-matrix-ansible/templates/vars.yml.j2 b/roles/docker-matrix-ansible/templates/vars.yml.j2
index bb0dd0ed..63e8f74d 100644
--- a/roles/docker-matrix-ansible/templates/vars.yml.j2
+++ b/roles/docker-matrix-ansible/templates/vars.yml.j2
@@ -18,7 +18,7 @@ matrix_homeserver_implementation: synapse
# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
-matrix_homeserver_generic_secret_key: "{{matrix_generic_secret_key}}"
+matrix_homeserver_generic_secret_key: "{{applications[application_id].credentials.generic_secret_key}}"
# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
@@ -52,7 +52,7 @@ devture_traefik_config_certificatesResolvers_acme_email: "{{users.administrator.
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
-devture_postgres_connection_password: "{{matrix_database_password}}"
+devture_postgres_connection_password: "{{applications[application_id].credentials.database_password}}"
# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
# If this value is an external IP address, you can skip this section.
diff --git a/roles/docker-matrix-compose/Administration.md b/roles/docker-matrix-compose/Administration.md
index 16d58fff..77a125b3 100644
--- a/roles/docker-matrix-compose/Administration.md
+++ b/roles/docker-matrix-compose/Administration.md
@@ -3,7 +3,7 @@
## Cleanup
```
# Cleanup Database
-for db in matrix mautrix_whatsapp_bridge mautrix_telegram_bridge mautrix_signal_bridge mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done
+for db in matrix applications[application_id].credentials.mautrix_whatsapp_bridge applications[application_id].credentials.mautrix_telegram_bridge applications[application_id].credentials.mautrix_signal_bridge applications[application_id].credentials.mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done
# Cleanup Docker and Volumes
docker compose down -v
```
\ No newline at end of file
diff --git a/roles/docker-matrix-compose/Installation.md b/roles/docker-matrix-compose/Installation.md
index 5f96f6e9..ff8e9e43 100644
--- a/roles/docker-matrix-compose/Installation.md
+++ b/roles/docker-matrix-compose/Installation.md
@@ -15,7 +15,7 @@ For login with Token checkout [this guide](https://docs.mau.fi/bridges/go/slack/
### ChatGPT
- Create API Token: https://platform.openai.com/api-keys
-- Set ``matrix_chatgpt_bridge_access_token``
+- Set ``applications[application_id].credentials.chatgpt_bridge_access_token``
## Debug:
- https://federationtester.matrix.org/
\ No newline at end of file
diff --git a/roles/docker-matrix-compose/meta/schema.yml b/roles/docker-matrix-compose/meta/schema.yml
new file mode 100644
index 00000000..abb981ae
--- /dev/null
+++ b/roles/docker-matrix-compose/meta/schema.yml
@@ -0,0 +1,90 @@
+credentials:
+ administrator_password:
+ description: "Initial administrator password for the Matrix homeserver"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ generic_secret_key:
+ description: "Generic secret used by Synapse for key signing and session management"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ database_password:
+ description: "Password for the Matrix PostgreSQL database"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ registration_shared_secret:
+ description: "Secret token used to allow shared registration from external sources"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ macaroon_secret_key:
+ description: "Secret key used to sign macaroon tokens for authentication"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ form_secret:
+ description: "Secret for form token protection (used in web registration flows)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ chatgpt_bridge_openai_api_key:
+ description: "API key for accessing OpenAI via the Matrix ChatGPT bridge"
+ algorithm: "plain"
+ validation: "^sk-[a-zA-Z0-9]{40,}$"
+
+ chatgpt_bridge_access_token:
+ description: "Access token used by the ChatGPT bridge for authentication"
+ algorithm: "plain"
+ validation: "^[a-zA-Z0-9-_]{20,}$"
+
+ chatgpt_bridge_user_password:
+ description: "Matrix user password used by the ChatGPT bridge"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
+
+ mautrix_facebook_bridge_database_password:
+ description: "Database password for the mautrix-facebook bridge"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ mautrix_instagram_bridge_database_password:
+ description: "Database password for the mautrix-instagram bridge"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ mautrix_signal_bridge_database_password:
+ description: "Database password for the mautrix-signal bridge"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ mautrix_slack_bridge_database_password:
+ description: "Database password for the mautrix-slack bridge"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ mautrix_telegram_bridge_database_password:
+ description: "Database password for the mautrix-telegram bridge"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ mautrix_telgegram_bridge_api_id:
+ description: "Telegram API ID for the mautrix-telegram bridge"
+ algorithm: "plain"
+ validation: "^\\d{5,}$"
+
+ mautrix_telgegram_bridge_api_pin:
+ description: "Telegram API hash or PIN for the mautrix-telegram bridge"
+ algorithm: "plain"
+ validation: "^[a-zA-Z0-9]{10,}$"
+
+ mautrix_whatsapp_bridge_database_password:
+ description: "Database password for the mautrix-whatsapp bridge"
+ algorithm: "bcrypt"
+ validation: "^\\$2[aby]\\$.{56}$"
+
+ mautrix_whatsapp_bridge_provisioning_shared_secret:
+ description: "Shared secret for the mautrix-whatsapp bridge provisioning endpoint"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{64}$"
\ No newline at end of file
diff --git a/roles/docker-matrix-compose/tasks/main.yml b/roles/docker-matrix-compose/tasks/main.yml
index 67b4629a..0e42f3c1 100644
--- a/roles/docker-matrix-compose/tasks/main.yml
+++ b/roles/docker-matrix-compose/tasks/main.yml
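Review bot: `mautrix_telgegram_bridge_api_id` and `mautrix_telgegram_bridge_api_pin` are misspelled ("telgegram") while the neighbouring `mautrix_telegram_bridge_database_password` spells it "telegram"; these keys are the names templates will look up under `applications[application_id].credentials`, so the typo propagates into every inventory that is written against this schema. Rename them to `mautrix_telegram_bridge_api_id` and `mautrix_telegram_bridge_api_pin` before anything depends on them. The `api_pin` description says "API hash or PIN"; if this is Telegram's api_hash the `^[a-zA-Z0-9]{10,}$` pattern is loose compared to the other entries — the consuming template is not in this chunk, so confirm which value is meant.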
@@ -134,14 +134,14 @@
- name: create admin account
command:
- cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications.matrix.users.administrator.username}} -p {{matrix_admin_password}} -a -c /data/homeserver.yaml http://localhost:8008
+ cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications.matrix.users.administrator.username}} -p {{applications[application_id].credentials.administrator_password}} -a -c /data/homeserver.yaml http://localhost:8008
chdir: "{{ docker_compose.directories.instance }}"
ignore_errors: true
when: applications.matrix.setup | bool
- name: create chatgpt bot
command:
- cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{matrix_chatgpt_bridge_user_password}} -a -c /data/homeserver.yaml http://localhost:8008
+ cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications[application_id].credentials.chatgpt_bridge_user_password}} -a -c /data/homeserver.yaml http://localhost:8008
chdir: "{{ docker_compose.directories.instance }}"
ignore_errors: true
when: applications.matrix.setup | bool
\ No newline at end of file
diff --git a/roles/docker-matrix-compose/templates/docker-compose.yml.j2 b/roles/docker-matrix-compose/templates/docker-compose.yml.j2
index a6f67387..fe154d57 100644
--- a/roles/docker-matrix-compose/templates/docker-compose.yml.j2
+++ b/roles/docker-matrix-compose/templates/docker-compose.yml.j2
@@ -70,7 +70,7 @@ services:
# volumes:
# - chatgpt_data:/storage
# environment:
-# OPENAI_API_KEY: '{{matrix_chatgpt_bridge_openai_api_key}}'
+# OPENAI_API_KEY: '{{applications[application_id].credentials.chatgpt_bridge_openai_api_key}}'
# # Uncomment the next two lines if you are using Azure OpenAI API
# # OPENAI_AZURE: 'false'
# # CHATGPT_REVERSE_PROXY: 'your-completion-endpoint-here'
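Review bot: Both rewritten `register_new_matrix_user` commands pass the administrator and bot passwords as `-p` arguments and neither task sets `no_log: true`; together with `ignore_errors: true`, a failure prints the rendered `cmd`, password included, in the play output and in any stored job log. The pattern predates this commit, but the commit rewrites exactly these two lines, so add `no_log: true` to both tasks alongside `ignore_errors: true`. Passing the password on the command line also exposes it to anyone who can list processes inside the synapse container while the command runs, which `no_log` does not address; whether the tool offers a file- or prompt-based alternative is not visible here.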
@@ -91,8 +91,8 @@ services: # KEYV_BOT_STORAGE: 'true' # MATRIX_HOMESERVER_URL: 'https://{{domains.matrix_synapse}}' # MATRIX_BOT_USERNAME: '@chatgptbot:{{applications.matrix.server_name}}' -# MATRIX_ACCESS_TOKEN: '{{ matrix_chatgpt_bridge_access_token | default('') }}' -# MATRIX_BOT_PASSWORD: '{{matrix_chatgpt_bridge_user_password}}' +# MATRIX_ACCESS_TOKEN: '{{ applications[application_id].credentials.chatgpt_bridge_access_token | default('') }}' +# MATRIX_BOT_PASSWORD: '{{applications[application_id].credentials.chatgpt_bridge_user_password}}' # MATRIX_DEFAULT_PREFIX: '!chatgpt' # MATRIX_DEFAULT_PREFIX_REPLY: 'false' # #MATRIX_BLACKLIST: '' diff --git a/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 index 7500c806..ea9abf4e 100644 --- a/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/facebook.config.yml.j2 @@ -39,7 +39,7 @@ appservice: # Format examples: # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_facebook_bridge:{{mautrix_facebook_bridge_database_password}}@{{database_host}}/mautrix_facebook_bridge + database: postgres://mautrix_facebook_bridge:{{applications[application_id].credentials.mautrix_facebook_bridge_database_password}}@{{database_host}}/mautrix_facebook_bridge # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect 
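Review bot: The new `database:` line splices `applications[application_id].credentials.mautrix_facebook_bridge_database_password` into the DSN userinfo unescaped, while the bridge password entries in the role schema on this page validate against `^\$2[aby]\$.{56}$`, which admits `/`, `@` and `:`; a value containing one of those is parsed as part of the host or path and the bridge cannot connect. Either percent-encode the value before interpolation — Jinja's `urlencode` filter leaves `/` and `:` unescaped, so something like `| urlencode | replace('/', '%2F')` is needed — or tighten the schema regex to a URL-safe alphabet. The same pattern is in the instagram, signal, slack, telegram and whatsapp `database:`/`uri:` hunks that follow.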
@@ -154,7 +154,7 @@ bridge: # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. login_shared_secret_map: - {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}} + {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}} # Should presence from Facebook be bridged? This doesn't use the same API as the Android app, # so it might be more suspicious to Facebook. presence_from_facebook: false diff --git a/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 index 98423a64..43192e97 100644 --- a/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/instagram.config.yml.j2 @@ -42,7 +42,7 @@ appservice: # Format examples: # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_instagram_bridge:{{mautrix_instagram_bridge_database_password}}@{{database_host}}/mautrix_instagram_bridge + database: postgres://mautrix_instagram_bridge:{{applications[application_id].credentials.mautrix_instagram_bridge_database_password}}@{{database_host}}/mautrix_instagram_bridge # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect 
@@ -143,7 +143,7 @@ bridge: # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. login_shared_secret_map: - {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}} + {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}} # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: true diff --git a/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 index 4a4a6574..369cafcc 100644 --- a/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/signal.config.yml.j2 @@ -43,7 +43,7 @@ appservice: # https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql - uri: postgres://mautrix_signal_bridge:{{mautrix_signal_bridge_database_password}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable + uri: postgres://mautrix_signal_bridge:{{applications[application_id].credentials.mautrix_signal_bridge_database_password}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 
@@ -150,7 +150,7 @@ bridge: # instead of users having to find an access token and run `login-matrix` # manually. login_shared_secret_map: - {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}} + {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}} # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration # Null means there's no enforced timeout. diff --git a/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 index 00faff47..d2ecf717 100644 --- a/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/slack.config.yml.j2 @@ -43,7 +43,7 @@ appservice: # https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql - uri: postgres://mautrix_slack_bridge:{{mautrix_slack_bridge_database_password}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable + uri: postgres://mautrix_slack_bridge:{{applications[application_id].credentials.mautrix_slack_bridge_database_password}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 @@ -127,7 +127,7 @@ bridge: # instead of users having to find an access token and run `login-matrix` # manually. login_shared_secret_map: - {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}} + {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}} message_handling_timeout: # Send an error message after this timeout, but keep waiting for the response until the deadline. 
diff --git a/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 index 554846df..13f31b04 100644 --- a/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/telegram.config.yml.j2 @@ -42,7 +42,7 @@ appservice: # Format examples: # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_telegram_bridge:{{mautrix_telegram_bridge_database_password}}@{{database_host}}/mautrix_telegram_bridge + database: postgres://mautrix_telegram_bridge:{{applications[application_id].credentials.mautrix_telegram_bridge_database_password}}@{{database_host}}/mautrix_telegram_bridge # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect @@ -209,7 +209,7 @@ bridge: # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. login_shared_secret_map: - {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}} + {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}} # Set to false to disable link previews in messages sent to Telegram. telegram_link_preview: true # Whether or not the !tg join command should do a HTTP request @@ -564,8 +564,8 @@ bridge: # Telegram config telegram: # Get your own API keys at https://my.telegram.org/apps - api_id: {{mautrix_telgegram_bridge_api_id}} - api_hash: {{mautrix_telgegram_bridge_api_pin}} + api_id: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_id}} + api_hash: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_pin}} # (Optional) Create your own bot at https://t.me/BotFather bot_token: disabled 
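Review bot: The credential keys `mautrix_telgegram_bridge_api_id` and `mautrix_telgegram_bridge_api_pin` in the `telegram:` hunk carry a misspelling, and the second one feeds `api_hash`, not a PIN; this commit turns them into inventory keys validated by the role schema, so the typo becomes part of the configuration contract and any later rename is a migration. Renaming them to `mautrix_telegram_bridge_api_id` and `mautrix_telegram_bridge_api_hash` in both the schema and this template is cheap now. The enclosing `telegram:` block continues outside the hunk.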
diff --git a/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 b/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 index a0a2b231..cfb20402 100644 --- a/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 +++ b/roles/docker-matrix-compose/templates/mautrix/whatsapp.config.yml.j2 @@ -42,7 +42,7 @@ appservice: # https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql - uri: postgres://mautrix_whatsapp_bridge:{{mautrix_whatsapp_bridge_database_password}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable + uri: postgres://mautrix_whatsapp_bridge:{{applications[application_id].credentials.mautrix_whatsapp_bridge_database_password}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 @@ -245,7 +245,7 @@ bridge: # instead of users having to find an access token and run `login-matrix` # manually. login_shared_secret_map: - {{applications.matrix.server_name}}: {{matrix_registration_shared_secret}} + {{applications.matrix.server_name}}: {{applications[application_id].credentials.registration_shared_secret}} # Whether to explicitly set the avatar and room name for private chat portal rooms. # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. # If set to `always`, all DM rooms will have explicit names and avatars set. diff --git a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 index 1191e78e..2bf4a163 100644 --- a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 +++ b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 
@@ -19,10 +19,10 @@ database: cp_max: 10 log_config: "/data/{{domains.matrix_synapse}}.log.config" media_store_path: "/data/media_store" -registration_shared_secret: "{{matrix_registration_shared_secret}}" +registration_shared_secret: "{{applications[application_id].credentials.registration_shared_secret}}" report_stats: true -macaroon_secret_key: "{{matrix_macaroon_secret_key}}" -form_secret: "{{matrix_form_secret}}" +macaroon_secret_key: "{{applications[application_id].credentials.macaroon_secret_key}}" +form_secret: "{{applications[application_id].credentials.form_secret}}" signing_key_path: "/data/{{domains.matrix_synapse}}.signing.key" web_client_location: "{{ web_protocol }}://{{domains.matrix_element}}" public_baseurl: "{{ web_protocol }}://{{domains.matrix_synapse}}" diff --git a/roles/docker-matrix-compose/vars/configuration.yml b/roles/docker-matrix-compose/vars/configuration.yml new file mode 100644 index 00000000..4ab2290c --- /dev/null +++ b/roles/docker-matrix-compose/vars/configuration.yml @@ -0,0 +1,18 @@ + +users: + administrator: + username: "{{users.administrator.username}}" # Accountname of the matrix admin +playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start +role: "compose" # Role to setup Matrix. Valid values: ansible, compose +server_name: "{{primary_domain}}" # Adress for the account names etc. +synapse: + version: "latest" +element: + version: "latest" +setup: false # Set true in inventory file to execute the setup and initializing procedures +features: + matomo: true + css: true + landingpage_iframe: false + oidc: false # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492 + central_database: true \ No newline at end of file diff --git a/roles/docker-matrix-compose/vars/main.yml b/roles/docker-matrix-compose/vars/main.yml index 2aca1c72..d8c143b9 100644 --- a/roles/docker-matrix-compose/vars/main.yml +++ b/roles/docker-matrix-compose/vars/main.yml 
@@ -1,39 +1,39 @@ --- application_id: "matrix" -database_password: "{{matrix_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" database_type: "postgres" registration_file_folder: "/data/" well_known_directory: "{{nginx.directories.data.well_known}}/matrix/" bridges: - - database_password: "{{ mautrix_whatsapp_bridge_database_password }}" + - database_password: "{{ applications[application_id].credentials.mautrix_whatsapp_bridge_database_password }}" database_username: "mautrix_whatsapp_bridge" database_name: "mautrix_whatsapp_bridge" bridge_name: "whatsapp" - - database_password: "{{ mautrix_telegram_bridge_database_password }}" + - database_password: "{{ applications[application_id].credentials.mautrix_telegram_bridge_database_password }}" database_username: "mautrix_telegram_bridge" database_name: "mautrix_telegram_bridge" bridge_name: "telegram" - - database_password: "{{ mautrix_signal_bridge_database_password }}" + - database_password: "{{ applications[application_id].credentials.mautrix_signal_bridge_database_password }}" database_username: "mautrix_signal_bridge" database_name: "mautrix_signal_bridge" bridge_name: "signal" # Deactivated temporary, due to bug which is hard to find # @todo Reactivate -# - database_password: "{{ mautrix_slack_bridge_database_password }}" +# - database_password: "{{ applications[application_id].credentials.mautrix_slack_bridge_database_password }}" # database_username: "mautrix_slack_bridge" # database_name: "mautrix_slack_bridge" # bridge_name: "slack" - - database_password: "{{ mautrix_facebook_bridge_database_password }}" + - database_password: "{{ applications[application_id].credentials.mautrix_facebook_bridge_database_password }}" database_username: "mautrix_facebook_bridge" database_name: "mautrix_facebook_bridge" bridge_name: "facebook" - - database_password: "{{ mautrix_instagram_bridge_database_password }}" + - database_password: "{{ 
applications[application_id].credentials.mautrix_instagram_bridge_database_password }}" database_username: "mautrix_instagram_bridge" database_name: "mautrix_instagram_bridge" bridge_name: "instagram" \ No newline at end of file diff --git a/roles/docker-mediawiki/TODO.md b/roles/docker-mediawiki/TODO.md new file mode 100644 index 00000000..00084ef4 --- /dev/null +++ b/roles/docker-mediawiki/TODO.md @@ -0,0 +1,2 @@ +# Todo +- This role needs to be updated to the new role structure \ No newline at end of file diff --git a/roles/docker-moodle/meta/schema.yml b/roles/docker-moodle/meta/schema.yml new file mode 100644 index 00000000..7e95f55b --- /dev/null +++ b/roles/docker-moodle/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the Moodle database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + user_password: + description: "Initial password for the Moodle admin user" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-moodle/templates/env.j2 b/roles/docker-moodle/templates/env.j2 index 7ef768e3..b2f46d56 100644 --- a/roles/docker-moodle/templates/env.j2 +++ b/roles/docker-moodle/templates/env.j2 
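Review bot: `user_password` is declared with `algorithm: "sha256"` and validation `^[a-f0-9]{64}$`, i.e. a 64-character lowercase hex string, yet it is handed to the Moodle installer as the administrator's login password via `MOODLE_PASSWORD` in `env.j2`; if Moodle's default password policy (mixed case plus a non-alphanumeric character) is active at install time, that value would be rejected — worth confirming against the installer in use. Consider a generator output that satisfies the policy, or state in `description` that the policy must be relaxed. `database_password` with `algorithm: "bcrypt"` is a value the role must present to MariaDB in clear, so the field presumably describes the generator's output format rather than a stored hash; a one-line comment saying so would help the next reader.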
@@ -2,12 +2,12 @@ MOODLE_DATABASE_HOST={{database_host}} MOODLE_DATABASE_PORT_NUMBER={{database_port}} MOODLE_DATABASE_USER={{database_username}} MOODLE_DATABASE_NAME={{database_name}} -MOODLE_DATABASE_PASSWORD={{database_password}} +applications[application_id].credentials.database_password={{database_password}} ALLOW_EMPTY_PASSWORD=no MOODLE_SITE_NAME="{{applications.moodle.site_titel}}" MOODLE_SSLPROXY=yes MOODLE_REVERSE_PROXY=yes MOODLE_USERNAME={{applications.moodle.administrator_name}} -MOODLE_PASSWORD={{moodle_user_password}} +MOODLE_PASSWORD={{applications[application_id].credentials.user_password}} MOODLE_EMAIL={{applications.moodle.users.administrator.email}} BITNAMI_DEBUG={% if enable_debug | bool %}true{% else %}false{% endif %} \ No newline at end of file diff --git a/roles/docker-moodle/vars/configuration.yml b/roles/docker-moodle/vars/configuration.yml new file mode 100644 index 00000000..260d995e --- /dev/null +++ b/roles/docker-moodle/vars/configuration.yml @@ -0,0 +1,11 @@ +site_titel: "Global Learning Academy on {{primary_domain}}" +users: + administrator: + username: "{{users.administrator.username}}" + email: "{{users.administrator.email}}" +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true \ No newline at end of file diff --git a/roles/docker-moodle/vars/main.yml b/roles/docker-moodle/vars/main.yml index 1e2ac917..873016eb 100644 --- a/roles/docker-moodle/vars/main.yml +++ b/roles/docker-moodle/vars/main.yml @@ -1,4 +1,4 @@ --- application_id: "moodle" -database_password: "{{moodle_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" database_type: "mariadb" \ No newline at end of file diff --git a/roles/docker-mybb/Todo.md b/roles/docker-mybb/Todo.md new file mode 100644 index 00000000..2c7e19b7 --- /dev/null +++ b/roles/docker-mybb/Todo.md 
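Review bot: The replacement line `applications[application_id].credentials.database_password={{database_password}}` renames the environment variable itself rather than its value, so the container no longer receives `MOODLE_DATABASE_PASSWORD` and the env file gains a key that is not a valid identifier. The line should remain `MOODLE_DATABASE_PASSWORD={{database_password}}` — `database_password` is already resolved to `applications[application_id].credentials.database_password` in `vars/main.yml` in this same commit — matching how `MOODLE_PASSWORD` is handled on the next changed line.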
@@ -0,0 +1,2 @@ +# Todo +- Optimize the role for the new role structure. But propably discourse is sufficient and this role isn't needed anymore. \ No newline at end of file diff --git a/roles/docker-mybb/vars/configuration.yml b/roles/docker-mybb/vars/configuration.yml new file mode 100644 index 00000000..cd38d23d --- /dev/null +++ b/roles/docker-mybb/vars/configuration.yml @@ -0,0 +1,7 @@ + +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true diff --git a/roles/docker-nextcloud/meta/schema.yml b/roles/docker-nextcloud/meta/schema.yml new file mode 100644 index 00000000..d5436076 --- /dev/null +++ b/roles/docker-nextcloud/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the Nextcloud database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + administrator_password: + description: "Initial password for the Nextcloud administrator (change immediately and enable 2FA)" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-nextcloud/templates/env.j2 b/roles/docker-nextcloud/templates/env.j2 index 0fde9372..74ec432d 100644 --- a/roles/docker-nextcloud/templates/env.j2 +++ b/roles/docker-nextcloud/templates/env.j2 @@ -25,7 +25,7 @@ MAIL_DOMAIN= "{{system_email.domain}}" # Initial Admin Data NEXTCLOUD_ADMIN_USER= "{{applications[application_id].users.administrator.username}}" -NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].users.administrator.password}}" +NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}" # Security diff --git a/roles/docker-nextcloud/vars/configuration.yml b/roles/docker-nextcloud/vars/configuration.yml new file mode 100644 index 00000000..689d72a5 --- /dev/null +++ b/roles/docker-nextcloud/vars/configuration.yml 
@@ -0,0 +1,223 @@ +version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ +ldap: + enabled: True # Enables LDAP by default +oidc: + enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud + # floavor decides which OICD plugin should be used. + # Available options: oidc_login, sociallogin + # @see https://apps.nextcloud.com/apps/oidc_login + # @see https://apps.nextcloud.com/apps/sociallogin + flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet +credentials: +# database_password: Null # Needs to be set in inventory file +# administrator_password: None # Keep in mind to change the password fast after creation and activate 2FA +features: + matomo: true + css: true + landingpage_iframe: false + ldap: true + oidc: true + central_database: true +users: + administrator: + username: "{{users.administrator.username}}" +default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes) +legacy_login_mask: + enabled: False # If true, then legacy login mask is shown. 
Otherwise just SSO +container: + application: "nextcloud-application" # Nextcloud application container name + proxy: "nextcloud-web" # Nextcloud Proxy Container Name +performance: + php: + memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit + upload_limit: "5G" # Set upload limit to 5GB for big media files + opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption +plugins: +# List for Nextcloud Plugin Routine +# Decides if plugins should be activated or deactivated + appointments: + # Nextcloud appointments: handles scheduling and appointment management (https://apps.nextcloud.com/apps/appointments) + enabled: true + bbb: + # Nextcloud BigBlueButton integration: enables video conferencing using BigBlueButton (https://apps.nextcloud.com/apps/bbb) + enabled: "{{ 'bigbluebutton' in group_names | lower }}" + #- bookmarks + # # Nextcloud Bookmarks: manage and share your bookmarks easily (https://apps.nextcloud.com/apps/bookmarks) + # enabled: false + calendar: + # Nextcloud calendar: manages calendar events and scheduling (https://apps.nextcloud.com/apps/calendar) + enabled: true + cfg_share_links: + # Nextcloud share links configuration: customizes sharing settings and link options (https://apps.nextcloud.com/apps/cfg_share_links) + enabled: true + collectives: + # Nextcloud collectives: supports collaborative group management and sharing (https://apps.nextcloud.com/apps/collectives) + enabled: true + contacts: + # Nextcloud contacts: manages address book and contact information (https://apps.nextcloud.com/apps/contacts) + enabled: true + cospend: + # Nextcloud cospend: manages shared expenses and spending tracking (https://apps.nextcloud.com/apps/cospend) + enabled: true + deck: + # Nextcloud Deck: organizes tasks and projects using Kanban boards (https://apps.nextcloud.com/apps/deck) + # When Taiga is activated, this plugin is deactivated, because Taiga is the prefered 
application. + enabled: "{{ 'taiga' not in group_names | lower }}" + drawio: + # Nextcloud draw.io: integrates diagram creation and editing tools (https://apps.nextcloud.com/apps/drawio) + enabled: true + duplicatefinder: + # Nextcloud duplicate finder: scans and identifies duplicate files (https://apps.nextcloud.com/apps/duplicatefinder) + enabled: true + emlviewer: + # Nextcloud EML Viewer: previews and manages EML email files (https://apps.nextcloud.com/apps/emlviewer) + enabled: true + event_update_notification: + # Nextcloud event update notification: sends alerts when events are updated (https://apps.nextcloud.com/apps/event_update_notification) + enabled: true + epubviewer: + # Nextcloud EPUB Viewer: enables reading and previewing EPUB e-books (https://apps.nextcloud.com/apps/epubviewer) + enabled: true + external: + # Nextcloud External: Adds links to external services (https://apps.nextcloud.com/apps/external) + enabled: true + #files_accesscontrol + # # Nextcloud Files Access Control: restricts file access based on defined rules (https://apps.nextcloud.com/apps/files_accesscontrol) + # enabled: false + #files_archive + # # Nextcloud Files Archive: compresses and archives files for efficient storage (https://apps.nextcloud.com/apps/files_archive) + # enabled: false + #files_automatedtagging + # # Nextcloud Files Automated Tagging: automatically tags files to improve organization (https://apps.nextcloud.com/apps/files_automatedtagging) + # enabled: false + files_bpm: + # Nextcloud Files BPM: integrates business process management for file workflows (https://apps.nextcloud.com/apps/files_bpm) + enabled: true + files_downloadactivity: + # Nextcloud Files Download Activity: tracks and logs file download events (https://apps.nextcloud.com/apps/files_downloadactivity) + enabled: true + files_linkeditor: + # Nextcloud files link editor: allows customization of shared file links (https://apps.nextcloud.com/apps/files_linkeditor) + enabled: true + files_mindmap: + 
# Nextcloud Files Mindmap: visualizes file relationships as mind maps (https://apps.nextcloud.com/apps/files_mindmap) + enabled: true + files_texteditor: + # Nextcloud Files Text Editor: provides an online editor for text files (https://apps.nextcloud.com/apps/files_texteditor) + # Not available for Nextcloud < 27 + enabled: false + fileslibreofficeedit: + # Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit) + enabled: true + forms: + # Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms) + enabled: true + gestion: + # Nextcloud Gestion: manages administrative tasks and workflows (https://apps.nextcloud.com/apps/gestion) + enabled: true + groupfolders: + # Nextcloud Group Folders: centralizes shared folders for group collaboration (https://apps.nextcloud.com/apps/groupfolders) + enabled: true + gpxpod: + # Nextcloud GPX pod: visualizes GPS tracks and GPX data (https://apps.nextcloud.com/apps/gpxpod) + enabled: true + integration_discourse: + # Nextcloud Integration Discourse: connects Nextcloud with Discourse forums (https://apps.nextcloud.com/apps/integration_discourse) + enabled: false + integration_gitlab: + # Nextcloud Integration GitLab: connects Nextcloud with GitLab repositories (https://apps.nextcloud.com/apps/integration_gitlab) + enabled: "{{ 'gitlab' in group_names | lower }}" + integration_github: + # Nextcloud Integration GitHub: integrates GitHub repositories with Nextcloud (https://apps.nextcloud.com/apps/integration_github) + enabled: false + integration_google: + # Nextcloud Integration Google: connects Google services with Nextcloud (https://apps.nextcloud.com/apps/integration_google) + enabled: true + integration_mastodon: + # Nextcloud Integration Mastodon: connects Nextcloud with the Mastodon social network (https://apps.nextcloud.com/apps/integration_mastodon) + enabled: "{{ 'mastodon' in group_names | lower 
}}" + integration_openai: + # Nextcloud Integration OpenAI: brings OpenAI functionalities into Nextcloud (https://apps.nextcloud.com/apps/integration_openai) + enabled: false + integration_openproject: + # Nextcloud Integration OpenProject: integrates project management features from OpenProject (https://apps.nextcloud.com/apps/integration_openproject) + enabled: "{{ 'openproject' in group_names | lower }}" + integration_peertube: + # Nextcloud Integration PeerTube: connects to PeerTube for video sharing (https://apps.nextcloud.com/apps/integration_peertube) + enabled: "{{ 'peertube' in group_names | lower }}" + #keeweb + # # Nextcloud KeeWeb: integrates the KeeWeb password manager within Nextcloud (https://apps.nextcloud.com/apps/keeweb) + # # This isn't maintained anymore. The alternatives don't support keepass files + # enabled: false + keeporsweep: + # Nextcloud keep or sweep: helps manage and clean up files and data (https://apps.nextcloud.com/apps/keeporsweep) + enabled: true + mail: + # Nextcloud mail: integrated email client for managing mail accounts (https://apps.nextcloud.com/apps/mail) + enabled: true + maps: + # Nextcloud maps: provides mapping and location services integration (https://apps.nextcloud.com/apps/maps) + enabled: true + metadata: + # Nextcloud Metadata: manages and displays file metadata for enhanced organization (https://apps.nextcloud.com/apps/metadata) + enabled: true + news: + # Nextcloud News: aggregates and displays news feeds directly in Nextcloud (https://apps.nextcloud.com/apps/news) + enabled: true + oidc_login: + # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/oidc_login) + enabled: "{{ _applications_nextcloud_oidc_flavor=='oidc_login' | lower }}" + incompatible_plugins: + - user_oidc # Will be disabled + - sociallogin # Will be disabled + phonetrack: + # Nextcloud phone track: tracks and monitors mobile device usage (https://apps.nextcloud.com/apps/phonetrack) + 
enabled: true + polls: + # Nextcloud polls: facilitates creation and management of user polls (https://apps.nextcloud.com/apps/polls) + enabled: true + quota_warning: + # Nextcloud quota warning: notifies users when storage limits are reached (https://apps.nextcloud.com/apps/quota_warning) + enabled: true + recognize: + # Nextcloud recognize: performs image recognition tasks (https://apps.nextcloud.com/apps/recognize) + enabled: false # Deactivated because it let to bugs + richdocuments: + # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments) + enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before + sociallogin: + # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin) + enabled: "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}" + incompatible_plugins: + - user_oidc # Will be disabled + - oidc_login # Will be disabled + spreed: + # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed) + enabled: false # @todo to activate it first implement docker-coturn and activate it + tables: + # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables) + enabled: true + tasks: + # Nextcloud tasks: manages personal or group tasks and to-do lists (https://apps.nextcloud.com/apps/tasks) + enabled: true + #terms_of_service + # # Nextcloud Terms of Service: manages user acceptance of terms and conditions (https://apps.nextcloud.com/apps/terms_of_service) + # enabled: false + twofactor_nextcloud_notification: + # Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification) + enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is 
active + twofactor_totp: + # Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp) + enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active + user_ldap: + # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap) + enabled: "{{ applications.nextcloud.features.ldap | default(true) }}" + user_oidc: + # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc) + enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}" + incompatible_plugins: + - oidc_login + - sociallogin + whiteboard: + # Nextcloud Whiteboard: provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard) + enabled: true \ No newline at end of file diff --git a/roles/docker-nextcloud/vars/main.yml b/roles/docker-nextcloud/vars/main.yml index 8b6abcb1..8cd99ccf 100644 --- a/roles/docker-nextcloud/vars/main.yml +++ b/roles/docker-nextcloud/vars/main.yml @@ -3,7 +3,7 @@ application_id: "nextcloud" # Application identifier # Database -database_password: "{{applications.nextcloud.credentials.database.password}}" # Database password +database_password: "{{applications.nextcloud.credentials.database_password}}" # Database password database_type: "mariadb" # Database flavor # Networking diff --git a/roles/docker-oauth2-proxy/Todo.md b/roles/docker-oauth2-proxy/Todo.md new file mode 100644 index 00000000..1185fb58 --- /dev/null +++ b/roles/docker-oauth2-proxy/Todo.md @@ -0,0 +1,2 @@ +# Todo +- Implement RBAC based authentification for admins \ No newline at end of file diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 index 31c3fe4d..431490a3 100644 
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 +++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 @@ -1,5 +1,5 @@ http_address = "0.0.0.0:4180" -cookie_secret = "{{applications[application_id].oauth2_proxy.cookie_secret}}" +cookie_secret = "{{ applications[application_id].credentials.oauth2_proxy_cookie_secret }}" email_domains = "{{primary_domain}}" cookie_secure = "true" # True is necessary to force the cookie set via https upstreams = "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}" @@ -16,5 +16,5 @@ provider_display_name = "Keycloak" # role restrictions #cookie_roles = "realm_access.roles" -#allowed_groups = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing +#allowed_groups = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing # @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5 \ No newline at end of file diff --git a/roles/docker-oauth2-proxy/vars/configuration.yml b/roles/docker-oauth2-proxy/vars/configuration.yml new file mode 100644 index 00000000..857fbd34 --- /dev/null +++ b/roles/docker-oauth2-proxy/vars/configuration.yml @@ -0,0 +1,8 @@ +configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it +version: "latest" # Docker Image version +redirect_url: "{{ web_protocol }}://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. +allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups +features: + matomo: true + css: true + landingpage_iframe: false \ No newline at end of file 
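Review bot: `allowed_roles: admin` is commented as restricting the proxy to the admin role, but nothing in this commit consumes it — the template hunk in the same file section still has `#allowed_groups = ...` commented out, so any Keycloak account whose e-mail matches `email_domains` passes the proxy. Until the restriction is wired up the comment should say so, e.g. `allowed_roles: admin # NOT enforced yet: oauth2-proxy-keycloak.cfg.j2 keeps allowed_groups commented out (see Todo.md)`. The `configuration_file` comment "Needs to be set true in the roles which use it" also does not match a string value and reads like a leftover from a boolean flag.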
diff --git a/roles/docker-openproject/meta/schema.yml b/roles/docker-openproject/meta/schema.yml new file mode 100644 index 00000000..090f4744 --- /dev/null +++ b/roles/docker-openproject/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the OpenProject PostgreSQL database" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + oauth2_proxy_cookie_secret: + description: "Secret used to encrypt cookies for the OAuth2 proxy (hex-encoded, 16 bytes)" + algorithm: "sha256" + validation: "^[a-f0-9]{32}$" \ No newline at end of file diff --git a/roles/docker-openproject/vars/configuration.yml b/roles/docker-openproject/vars/configuration.yml new file mode 100644 index 00000000..e7566768 --- /dev/null +++ b/roles/docker-openproject/vars/configuration.yml @@ -0,0 +1,15 @@ +version: "13" # Update when available. Sadly no rolling release implemented +oauth2_proxy: + application: "proxy" + port: "80" +ldap: + filters: + administrators: True # Set true to filter administrators + users: False # Set true to filter users +features: + matomo: true + css: true + landingpage_iframe: false + ldap: true + central_database: true + oauth2: true \ No newline at end of file diff --git a/roles/docker-openproject/vars/main.yml b/roles/docker-openproject/vars/main.yml index 1c2a1717..c449b338 100644 --- a/roles/docker-openproject/vars/main.yml +++ b/roles/docker-openproject/vars/main.yml @@ -1,6 +1,6 @@ application_id: "openproject" docker_repository_address: "https://github.com/opf/openproject-deploy" -database_password: "{{ applications[application_id].credentials.database.password }}" +database_password: "{{ applications[application_id].credentials.database_password }}" database_type: "postgres" openproject_plugins_service: "{{docker_compose.directories.services}}plugins/" diff --git a/roles/docker-peertube/meta/schema.yml b/roles/docker-peertube/meta/schema.yml new file mode 100644 index 00000000..c13f5451 --- /dev/null 
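Review bot: `oauth2_proxy_cookie_secret` declares `algorithm: "sha256"` but `validation: "^[a-f0-9]{32}$"` admits only 32 hex characters, while a SHA-256 digest is 64 hex characters (the `secret`/`secret_key` entries in the peertube and taiga schemas use `{64}` for the same algorithm); unless the generator truncates, one of the two fields is wrong and either the validation or the algorithm needs correcting. The same algorithm/validation pair is repeated in the pgadmin, phpldapadmin, phpmyadmin and yourls schemas. Separately, the bcrypt-style `database_password` values this schema validates (`$2…$`) are templated into `env.j2` files in this diff; if those are consumed by docker compose as env files, a bare `$` triggers variable interpolation, so it is worth confirming the generator escapes the value or that compose interpolation does not apply.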
+++ b/roles/docker-peertube/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the PeerTube PostgreSQL database" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + secret: + description: "PeerTube secret used for session signing and CSRF protection" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-peertube/templates/env.j2 b/roles/docker-peertube/templates/env.j2 index c81c7f14..a2d07e5f 100644 --- a/roles/docker-peertube/templates/env.j2 +++ b/roles/docker-peertube/templates/env.j2 @@ -1,9 +1,9 @@ # Database / Postgres service configuration POSTGRES_USER={{database_username}} -POSTGRES_PASSWORD={{peertube_database_password}} +POSTGRES_PASSWORD={{applications[application_id].credentials.database_password}} POSTGRES_DB={{database_name}} PEERTUBE_DB_USERNAME={{database_username}} -PEERTUBE_DB_PASSWORD={{peertube_database_password}} +PEERTUBE_DB_PASSWORD={{applications[application_id].credentials.database_password}} PEERTUBE_DB_SSL=false PEERTUBE_DB_HOSTNAME={{database_host}} @@ -11,7 +11,7 @@ PEERTUBE_DB_HOSTNAME={{database_host}} PEERTUBE_WEBSERVER_HOSTNAME={{domains[application_id]}} PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback"] -PEERTUBE_SECRET={{peertube_secret}} +applications[application_id].credentials.secret={{applications[application_id].credentials.secret}} # E-mail configuration PEERTUBE_SMTP_USERNAME={{ users['no-reply'].email }} diff --git a/roles/docker-peertube/vars/configuration.yml b/roles/docker-peertube/vars/configuration.yml new file mode 100644 index 00000000..0d650ffe --- /dev/null +++ b/roles/docker-peertube/vars/configuration.yml @@ -0,0 +1,6 @@ +version: "bookworm" +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true \ No newline at end of file diff --git a/roles/docker-peertube/vars/main.yml b/roles/docker-peertube/vars/main.yml index 5e741448..262b1f80 100644 
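Review bot: The rename clobbered the variable name itself: `+applications[application_id].credentials.secret={{applications[application_id].credentials.secret}}` replaces `PEERTUBE_SECRET=…`, so the container no longer receives `PEERTUBE_SECRET` and the value sits under a key PeerTube never reads. The line should be `PEERTUBE_SECRET={{applications[application_id].credentials.secret}}`. The taiga `env.j2` hunk later in this diff has the same defect, where `TAIGA_SECRET_KEY = …` became `applications[application_id].credentials.secret_key = …`.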
--- a/roles/docker-peertube/vars/main.yml +++ b/roles/docker-peertube/vars/main.yml @@ -1,3 +1,3 @@ application_id: "peertube" database_type: "postgres" -database_password: "{{peertube_database_password}}" \ No newline at end of file +database_password: "{{applications[application_id].credentials.database_password}}" \ No newline at end of file diff --git a/roles/docker-pgadmin/meta/schema.yml b/roles/docker-pgadmin/meta/schema.yml new file mode 100644 index 00000000..5776137d --- /dev/null +++ b/roles/docker-pgadmin/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + oauth2_proxy_cookie_secret: + description: "Secret used by OAuth2 Proxy to encrypt browser cookies (16 bytes hex-encoded)" + algorithm: "sha256" + validation: "^[a-f0-9]{32}$" + + administrator_password: + description: "Initial password for the pgAdmin administrator login" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-pgadmin/tasks/configuration.yml b/roles/docker-pgadmin/tasks/configuration.yml index 8ee21eae..d10c1e02 100644 --- a/roles/docker-pgadmin/tasks/configuration.yml +++ b/roles/docker-pgadmin/tasks/configuration.yml @@ -3,7 +3,7 @@ - name: "loading database configuration variables" include_vars: - file: "{{ role_path }}/vars/configuration.yml" + file: "{{ role_path }}/vars/db_config.yml" - name: "Render servers.json file" template: diff --git a/roles/docker-pgadmin/templates/env.j2 b/roles/docker-pgadmin/templates/env.j2 index 313b6853..8a50caba 100644 --- a/roles/docker-pgadmin/templates/env.j2 +++ b/roles/docker-pgadmin/templates/env.j2 
@@ -7,7 +7,7 @@ PGADMIN_DISABLE_POSTFIX=True PGADMIN_DEFAULT_EMAIL={{ applications[application_id].users.administrator.email }} # Default login password for server mode -PGADMIN_DEFAULT_PASSWORD={{ applications[application_id].users.administrator.password }} +PGADMIN_DEFAULT_PASSWORD={{ applications[application_id].credentials.administrator_password }} {% if applications[application_id].server_mode | bool %} # Load server connection settings from this JSON file diff --git a/roles/docker-pgadmin/vars/configuration.yml b/roles/docker-pgadmin/vars/configuration.yml index de88fc5c..bd5fa27f 100644 --- a/roles/docker-pgadmin/vars/configuration.yml +++ b/roles/docker-pgadmin/vars/configuration.yml @@ -1,14 +1,15 @@ -pgadmin_host_server_file: "{{docker_compose.directories.volumes}}servers.json" -pgadmin_docker_server_file: "/pgadmin4/servers.json" -pgadmin_host_password_file: "{{docker_compose.directories.volumes}}.pgpass" -pgadmin_docker_password_file: "/pgpass" - -pgadmin_servers: - - name: "Central Postgres Database" - host: "{{ database_host }}" - port: "{{ database_port }}" - username: "postgres" - maintenance_db: "postgres" - password: "{{ central_postgres_password }}" - -# Here you can add more databases \ No newline at end of file +version: "latest" +server_mode: False # If true then the preconfigured database file is loaded. Recommended False. True is a security risk. +master_password_required: True # Master password is required. Recommended True. False is a security risk. +users: + administrator: + email: "{{ users.administrator.email }}" # Initial login email address +oauth2_proxy: + application: "application" + port: "80" +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true + oauth2: true \ No newline at end of file diff --git a/roles/docker-pgadmin/vars/db_config.yml b/roles/docker-pgadmin/vars/db_config.yml new file mode 100644 index 00000000..9e9915c8 --- /dev/null +++ b/roles/docker-pgadmin/vars/db_config.yml 
@@ -0,0 +1,14 @@
+pgadmin_host_server_file: "{{docker_compose.directories.volumes}}servers.json"
+pgadmin_docker_server_file: "/pgadmin4/servers.json"
+pgadmin_host_password_file: "{{docker_compose.directories.volumes}}.pgpass"
+pgadmin_docker_password_file: "/pgpass"
+
+pgadmin_servers:
+ - name: "Central Postgres Database"
+ host: "{{ database_host }}"
+ port: "{{ database_port }}"
+ username: "postgres"
+ maintenance_db: "postgres"
+ password: "{{ applications.postgres.credentials.postgres_password }}"
+
+# Here you can add more databases
\ No newline at end of file
diff --git a/roles/docker-phpldapadmin/Todo.md b/roles/docker-phpldapadmin/Todo.md
new file mode 100644
index 00000000..c38771fc
--- /dev/null
+++ b/roles/docker-phpldapadmin/Todo.md
@@ -0,0 +1,2 @@
+# Todo
+- Change the version from dev to a stable or productive version
\ No newline at end of file
diff --git a/roles/docker-phpldapadmin/meta/schema.yml b/roles/docker-phpldapadmin/meta/schema.yml
new file mode 100644
index 00000000..e3127fca
--- /dev/null
+++ b/roles/docker-phpldapadmin/meta/schema.yml
@@ -0,0 +1,5 @@
+credentials:
+ oauth2_proxy_cookie_secret:
+ description: "Secret used by OAuth2 Proxy to encrypt session cookies (16 bytes hex-encoded)"
+ algorithm: "sha256"
+ validation: "^[a-f0-9]{32}$"
\ No newline at end of file
diff --git a/roles/docker-phpldapadmin/vars/configuration.yml b/roles/docker-phpldapadmin/vars/configuration.yml
new file mode 100644
index 00000000..a957101f
--- /dev/null
+++ b/roles/docker-phpldapadmin/vars/configuration.yml
@@ -0,0 +1,10 @@
+version: "2.0.0-dev"
+oauth2_proxy:
+ application: application # Needs to be the same as webinterface
+ port: 8080 # application port
+features:
+ matomo: true
+ css: true
+ landingpage_iframe: false
+ ldap: true
+ oauth2: true
\ No newline at end of file
diff --git a/roles/docker-phpmyadmin/meta/schema.yml b/roles/docker-phpmyadmin/meta/schema.yml
new file mode 100644
index 00000000..e3127fca
--- /dev/null
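Review bot: `db_config.yml` places the central PostgreSQL superuser password (`applications.postgres.credentials.postgres_password`) into pgAdmin's preconfigured server entry, which per the sibling `configuration.yml` comment is loaded into pgAdmin when `server_mode` is true and, per the surrounding file names, lands in `servers.json`/`.pgpass` on the pgAdmin volume. The blast radius should be explicit on the line, e.g. `password: "{{ applications.postgres.credentials.postgres_password }}" # superuser credential; written to the pgAdmin volume when server_mode is enabled`. A dedicated least-privilege login for pgAdmin would be preferable to the `postgres` superuser, but that is outside this hunk.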
+++ b/roles/docker-phpmyadmin/meta/schema.yml @@ -0,0 +1,5 @@ +credentials: + oauth2_proxy_cookie_secret: + description: "Secret used by OAuth2 Proxy to encrypt session cookies (16 bytes hex-encoded)" + algorithm: "sha256" + validation: "^[a-f0-9]{32}$" \ No newline at end of file diff --git a/roles/docker-phpmyadmin/templates/env.j2 b/roles/docker-phpmyadmin/templates/env.j2 index f8b0e5fb..cc73cea8 100644 --- a/roles/docker-phpmyadmin/templates/env.j2 +++ b/roles/docker-phpmyadmin/templates/env.j2 @@ -1,7 +1,7 @@ # Configuration @see https://hub.docker.com/_/phpmyadmin -PMA_HOST= central-mariadb +PMA_HOST={{applications.mariadb.hostname}} {% if applications[application_id].autologin | bool %} PMA_USER= root -PMA_PASSWORD= "{{central_mariadb_root_password}}" +PMA_PASSWORD= "{{applications.mariadb.credentials.root_password}}" {% endif %} \ No newline at end of file diff --git a/roles/docker-phpmyadmin/vars/configuration.yml b/roles/docker-phpmyadmin/vars/configuration.yml new file mode 100644 index 00000000..f6709be7 --- /dev/null +++ b/roles/docker-phpmyadmin/vars/configuration.yml @@ -0,0 +1,12 @@ +version: "latest" # Use the latest phpmyadmin version +autologin: false # This is a high security risk. Just activate this option if you know what you're doing +oauth2_proxy: + port: "80" + application: "application" +features: + matomo: true + css: false + landingpage_iframe: false + central_database: true + oauth2: true +hostname: central-mariadb \ No newline at end of file diff --git a/roles/docker-pixelfed/meta/schema.yml b/roles/docker-pixelfed/meta/schema.yml new file mode 100644 index 00000000..052a2e26 --- /dev/null +++ b/roles/docker-pixelfed/meta/schema.yml 
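Review bot: `hostname: central-mariadb` is defined in docker-phpmyadmin's `configuration.yml`, which the generator added in this commit files under the role's own `application_id`, yet `env.j2` in the same file section reads `applications.mariadb.hostname`. Unless docker-mariadb's configuration (not in this chunk) also defines `hostname`, `PMA_HOST` renders undefined; either the key belongs in the mariadb role or the template should read `applications[application_id].hostname`. The `autologin` warning is good but could name what is exposed: `autologin: false # when true the MariaDB root password is handed to the container environment`.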
@@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the Pixelfed database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + app_key: + description: "Application key used for encryption in Pixelfed (.env APP_KEY)" + algorithm: "plain" + validation: "^base64:[A-Za-z0-9+/=]{40,}$" \ No newline at end of file diff --git a/roles/docker-pixelfed/templates/env.j2 b/roles/docker-pixelfed/templates/env.j2 index 82b339c4..45235cb6 100644 --- a/roles/docker-pixelfed/templates/env.j2 +++ b/roles/docker-pixelfed/templates/env.j2 @@ -1,5 +1,5 @@ ## Crypto -APP_KEY={{pixelfed_app_key}} +APP_KEY={{applications[application_id].credentials.app_key}} ## General Settings APP_NAME="{{applications.pixelfed.titel}}" diff --git a/roles/docker-pixelfed/vars/configuration.yml b/roles/docker-pixelfed/vars/configuration.yml new file mode 100644 index 00000000..0ec398f2 --- /dev/null +++ b/roles/docker-pixelfed/vars/configuration.yml @@ -0,0 +1,7 @@ +titel: "Pictures on {{primary_domain}}" +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true \ No newline at end of file diff --git a/roles/docker-pixelfed/vars/main.yml b/roles/docker-pixelfed/vars/main.yml index 0f9129f1..a5020ddf 100644 --- a/roles/docker-pixelfed/vars/main.yml +++ b/roles/docker-pixelfed/vars/main.yml @@ -1,4 +1,4 @@ application_id: "pixelfed" nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;" database_type: "mariadb" -database_password: "{{pixelfed_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" diff --git a/roles/docker-portfolio/templates/config.yaml.j2 b/roles/docker-portfolio/templates/config.yaml.j2 index 784265c0..f2f83fe3 100644 --- a/roles/docker-portfolio/templates/config.yaml.j2 +++ b/roles/docker-portfolio/templates/config.yaml.j2 
@@ -28,7 +28,7 @@ accounts: class: fa-brands fa-mastodon url: "{{ web_protocol }}://{{ service_provider.contact.mastodon.split('@')[2] }}/@{{ service_provider.contact.mastodon.split('@')[1] }}" identifier: "{{service_provider.contact.mastodon}}" - iframe: {{ applications | is_feature_enabled('iframe','mastodon') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','mastodon') }} {% endif %} {% if service_provider.contact.bluesky is defined and service_provider.contact.bluesky != "" %} @@ -52,7 +52,7 @@ accounts: class: fa-solid fa-camera identifier: "{{service_provider.contact.pixelfed}}" url: "{{ web_protocol }}://{{ service_provider.contact.pixelfed.split('@')[2] }}/@{{ service_provider.contact.pixelfed.split('@')[1] }}" - iframe: {{ applications | is_feature_enabled('iframe','pixelfed') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','pixelfed') }} {% endif %} {% if service_provider.contact.peertube is defined and service_provider.contact.peertube != "" %} @@ -64,7 +64,7 @@ accounts: class: fa-solid fa-video identifier: "{{service_provider.contact.peertube}}" url: "{{ web_protocol }}://{{ service_provider.contact.peertube.split('@')[2] }}/@{{ service_provider.contact.peertube.split('@')[1] }}" - iframe: {{ applications | is_feature_enabled('iframe','peertube') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','peertube') }} {% endif %} {% if service_provider.contact.wordpress is defined and service_provider.contact.wordpress != "" %} 
@@ -76,7 +76,7 @@ accounts: class: fa-solid fa-blog identifier: "{{service_provider.contact.wordpress}}" url: "{{ web_protocol }}://{{ service_provider.contact.wordpress.split('@')[2] }}/@{{ service_provider.contact.wordpress.split('@')[1] }}" - iframe: {{ applications | is_feature_enabled('iframe','wordpress') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','wordpress') }} {% endif %} {% if service_provider.contact.source_code is defined and service_provider.contact.source_code != "" %} @@ -98,7 +98,7 @@ accounts: class: fas fa-network-wired identifier: "{{service_provider.contact.friendica}}" url: "{{ web_protocol }}://{{ service_provider.contact.friendica.split('@')[2] }}/@{{ service_provider.contact.friendica.split('@')[1] }}" - iframe: {{ applications | is_feature_enabled('iframe','friendica') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','friendica') }} {% endif %} diff --git a/roles/docker-portfolio/templates/footer_menu.yaml.j2 b/roles/docker-portfolio/templates/footer_menu.yaml.j2 index f0903b97..be2526a9 100644 --- a/roles/docker-portfolio/templates/footer_menu.yaml.j2 +++ b/roles/docker-portfolio/templates/footer_menu.yaml.j2 @@ -37,13 +37,13 @@ icon: class: fa-solid fa-shield-halved url: https://{{domains.keycloak}}/admin - iframe: {{ applications | is_feature_enabled('iframe','keycloak') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','keycloak') }} - name: Profile description: Update your personal admin settings icon: class: fa-solid fa-user-gear url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account - iframe: {{ applications | is_feature_enabled('iframe','keycloak') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','keycloak') }} - name: Logout description: End your admin session securely icon: 
@@ -113,7 +113,7 @@ icon: class: fas fa-book url: https://{{domains.sphinx}} - iframe: {{ applications | is_feature_enabled('iframe','sphinx') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','sphinx') }} {% endif %} @@ -124,7 +124,7 @@ icon: class: "fas fa-chalkboard-teacher" url: https://{{domains.presentation}} - iframe: {{ applications | is_feature_enabled('iframe','presentation') }} + iframe: {{ applications | is_feature_enabled('landing_page_iframe','presentation') }} {% endif %} diff --git a/roles/docker-portfolio/vars/configuration.yml b/roles/docker-portfolio/vars/configuration.yml new file mode 100644 index 00000000..9a687dbe --- /dev/null +++ b/roles/docker-portfolio/vars/configuration.yml @@ -0,0 +1,4 @@ +features: + matomo: true + css: true + landingpage_iframe: false \ No newline at end of file diff --git a/roles/docker-postgres/Administration.md b/roles/docker-postgres/Administration.md index c1fa7d60..e169dda4 100644 --- a/roles/docker-postgres/Administration.md +++ b/roles/docker-postgres/Administration.md @@ -3,5 +3,5 @@ ## Root Access To access the database via the root account execute the following on the server: ```bash -docker exec -it central-postgres psql -U postgres +docker exec -it "{{ applications.postgres.hostname }}" psql -U postgres ``` \ No newline at end of file diff --git a/roles/docker-postgres/meta/main.yml b/roles/docker-postgres/meta/main.yml index 11dcd9bf..7a0498b5 100644 --- a/roles/docker-postgres/meta/main.yml +++ b/roles/docker-postgres/meta/main.yml @@ -6,7 +6,10 @@ galaxy_info: Manage your data securely and effectively, making it ideal for production or local development. license: "CyMaIS NonCommercial License (CNCL)" license_url: "https://s.veen.world/cncl" - company: "Kevin Veen-Birkenbach Consulting & Coaching Solutions" + company: | + Kevin Veen-Birkenbach + Consulting & Coaching Solutions + https://www.veen.world min_ansible_version: "2.9" platforms: - name: Docker 
diff --git a/roles/docker-postgres/meta/schema.yml b/roles/docker-postgres/meta/schema.yml new file mode 100644 index 00000000..b3ec7de3 --- /dev/null +++ b/roles/docker-postgres/meta/schema.yml @@ -0,0 +1,5 @@ +credentials: + postgres_password: + description: "Password for the PostgreSQL superuser 'postgres'" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" \ No newline at end of file diff --git a/roles/docker-postgres/tasks/main.yml b/roles/docker-postgres/tasks/main.yml index 27d5f1b9..4cde2b9f 100644 --- a/roles/docker-postgres/tasks/main.yml +++ b/roles/docker-postgres/tasks/main.yml @@ -8,11 +8,11 @@ - name: Install PostgreSQL docker_container: - name: central-postgres + name: "{{ applications.postgres.hostname }}" image: "postgres:{{applications.postgres.version}}" detach: yes env: - POSTGRES_PASSWORD: "{{ central_postgres_password }}" + POSTGRES_PASSWORD: "{{ applications.postgres.credentials.postgres_password }}" POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C" # Necessary for docker-matrix networks: - name: central_postgres @@ -31,7 +31,7 @@ when: run_once_docker_postgres is not defined - name: Wait for Postgres inside the container - shell: docker exec central-postgres pg_isready -U postgres + shell: "docker exec {{ applications.postgres.hostname }} pg_isready -U postgres" register: pg_ready until: pg_ready.rc == 0 retries: 30 @@ -52,7 +52,7 @@ name: "{{ database_name }}" state: present login_user: postgres - login_password: "{{ central_postgres_password }}" + login_password: "{{ applications.postgres.credentials.postgres_password }}" login_host: 127.0.0.1 login_port: "{{database_port}}" @@ -63,7 +63,7 @@ db: "{{ database_name }}" state: present login_user: postgres - login_password: "{{ central_postgres_password }}" + login_password: "{{ applications.postgres.credentials.postgres_password }}" login_host: 127.0.0.1 login_port: "{{database_port}}" 
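Review bot: `shell: "docker exec {{ applications.postgres.hostname }} pg_isready -U postgres"` interpolates a variable into a shell command line unquoted; no shell feature is used, so `command: "docker exec {{ applications.postgres.hostname }} pg_isready -U postgres"` avoids word-splitting and metacharacter interpretation of the hostname. The tasks in this section that now pass `login_password: "{{ applications.postgres.credentials.postgres_password }}"` (hunks `-52`, `-63`, `-76`, `-88`, `-102`, `-110`) should carry `no_log: true` so the superuser password does not appear in verbose Ansible output; their task headers start outside these hunks, so it may already be set.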
@@ -76,7 +76,7 @@ type: table state: present login_user: postgres - login_password: "{{ central_postgres_password }}" + login_password: "{{ applications.postgres.credentials.postgres_password }}" login_host: 127.0.0.1 login_port: "{{database_port}}" @@ -88,7 +88,7 @@ type: database state: present login_user: postgres - login_password: "{{ central_postgres_password }}" + login_password: "{{ applications.postgres.credentials.postgres_password }}" login_host: 127.0.0.1 login_port: "{{database_port}}" @@ -102,7 +102,7 @@ schema: public state: present login_user: postgres - login_password: "{{ central_postgres_password }}" + login_password: "{{ applications.postgres.credentials.postgres_password }}" login_host: 127.0.0.1 login_port: "{{database_port}}" @@ -110,7 +110,7 @@ postgresql_query: db: "{{ database_name }}" login_user: postgres - login_password: "{{ central_postgres_password }}" + login_password: "{{ applications.postgres.credentials.postgres_password }}" login_host: 127.0.0.1 login_port: "{{database_port}}" query: | diff --git a/roles/docker-postgres/vars/configuration.yml b/roles/docker-postgres/vars/configuration.yml new file mode 100644 index 00000000..4fc992c5 --- /dev/null +++ b/roles/docker-postgres/vars/configuration.yml @@ -0,0 +1,2 @@ +# Please set an version in your inventory file - Rolling release for postgres isn't recommended +version: "latest" \ No newline at end of file diff --git a/roles/docker-postgres/vars/main.yml b/roles/docker-postgres/vars/main.yml new file mode 100644 index 00000000..759a85b4 --- /dev/null +++ b/roles/docker-postgres/vars/main.yml @@ -0,0 +1,2 @@ +application_id: postgres +hostname: central-postgres \ No newline at end of file diff --git a/roles/docker-presentation/vars/configuration.yml b/roles/docker-presentation/vars/configuration.yml new file mode 100644 index 00000000..04faf2cb --- /dev/null +++ b/roles/docker-presentation/vars/configuration.yml 
@@ -0,0 +1,4 @@ +features: + matomo: true + css: true + landingpage_iframe: true \ No newline at end of file diff --git a/roles/docker-snipe_it/meta/schema.yml b/roles/docker-snipe_it/meta/schema.yml new file mode 100644 index 00000000..6228bf35 --- /dev/null +++ b/roles/docker-snipe_it/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the Snipe-IT database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + app_key: + description: "Application encryption key for Snipe-IT (.env APP_KEY)" + algorithm: "plain" + validation: "^base64:[A-Za-z0-9+/=]{40,}$" diff --git a/roles/docker-snipe_it/templates/env.j2 b/roles/docker-snipe_it/templates/env.j2 index 36494e52..c3670720 100644 --- a/roles/docker-snipe_it/templates/env.j2 +++ b/roles/docker-snipe_it/templates/env.j2 @@ -4,7 +4,7 @@ APP_ENV=production APP_DEBUG={{enable_debug | string | lower }} # Please regenerate the APP_KEY value by calling `docker compose run --rm app php artisan key:generate --show`. Copy paste the value here -APP_KEY={{applications.snipe_it.app_key}} +APP_KEY={{applications[application_id].credentials.app_key}} APP_URL=https://{{domains[application_id]}} # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - TZ identifier APP_TIMEZONE='{{ HOST_TIMEZONE }}' diff --git a/roles/docker-snipe_it/vars/configuration.yml b/roles/docker-snipe_it/vars/configuration.yml new file mode 100644 index 00000000..fefc0bb7 --- /dev/null +++ b/roles/docker-snipe_it/vars/configuration.yml @@ -0,0 +1,6 @@ +version: "latest" +features: + matomo: true + css: true + landingpage_iframe: false + central_database: true \ No newline at end of file diff --git a/roles/docker-snipe_it/vars/main.yml b/roles/docker-snipe_it/vars/main.yml index 52fd95b0..1ab0f88e 100644 --- a/roles/docker-snipe_it/vars/main.yml +++ b/roles/docker-snipe_it/vars/main.yml 
@@ -1,3 +1,3 @@ -application_id: "snipe_it" -database_password: "{{applications.snipe_it.credentials.database.password}}" -database_type: "mariadb" \ No newline at end of file +application_id: "snipe_it" +database_password: "{{applications.snipe_it.credentials.database_password}}" +database_type: "mariadb" \ No newline at end of file diff --git a/roles/docker-sphinx/templates/configuration.yml b/roles/docker-sphinx/templates/configuration.yml new file mode 100644 index 00000000..2eca0e8e --- /dev/null +++ b/roles/docker-sphinx/templates/configuration.yml @@ -0,0 +1,4 @@ +features: + matomo: true + css: true + landingpage_iframe: false \ No newline at end of file diff --git a/roles/docker-syncope/vars/configuration.yml b/roles/docker-syncope/vars/configuration.yml new file mode 100644 index 00000000..5c545de1 --- /dev/null +++ b/roles/docker-syncope/vars/configuration.yml @@ -0,0 +1,12 @@ +# syncope: +# version: "latest" +# credentials: +# anonymous: +# password: # Set in environment file +# database: +# password: # Set in environment file +# administrator: +# password: "{{ users.administrator.password }}" +# users: +# administrator: +# username: "{{ users.administrator.username }}" \ No newline at end of file diff --git a/roles/docker-syncope/vars/main.yml b/roles/docker-syncope/vars/main.yml index 17587503..fb1891d6 100644 --- a/roles/docker-syncope/vars/main.yml +++ b/roles/docker-syncope/vars/main.yml @@ -1,7 +1,7 @@ # General Configuration application_id: syncope database_type: "postgres" -database_password: {{ domains[application_id].credentials.database.password }} +database_password: {{ domains[application_id].credentials.database_password }} # Application Specific syncope_keymaster_address: http://localhost:8080/syncope/rest/keymaster 
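Review bot: `database_password: {{ domains[application_id].credentials.database_password }}` looks the credential up under `domains`, while every other role in this commit uses `applications[application_id].credentials…` and `domains` elsewhere in the diff holds host names (`domains.keycloak`, `domains[application_id]`); the rename keeps what is most likely the wrong dictionary. The value is also unquoted, so the leading `{{` is parsed as a YAML flow mapping and the vars file fails to load; it should read `database_password: "{{ applications[application_id].credentials.database_password }}"`. The `@@ -14,4` hunk of the same file has both problems for `syncope_administrator_password`.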
@@ -14,4 +14,4 @@ syncope_anonymous_user: {{ domains[application_id].users.anonymous.usern syncope_anonymous_password: {{ domains[application_id].credentials.anonymous.password }} syncope_administrator_user: {{ domains[application_id].users.administrator.username }} -syncope_administrator_password: {{ domains[application_id].credentials.administrator.password }} \ No newline at end of file +syncope_administrator_password: {{ domains[application_id].credentials.administrator_password }} \ No newline at end of file diff --git a/roles/docker-taiga/meta/schema.yml b/roles/docker-taiga/meta/schema.yml new file mode 100644 index 00000000..9a024413 --- /dev/null +++ b/roles/docker-taiga/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the Taiga PostgreSQL database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + secret_key: + description: "Django SECRET_KEY used for cryptographic signing in Taiga" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/docker-taiga/templates/configuration.yml b/roles/docker-taiga/templates/configuration.yml new file mode 100644 index 00000000..038e3ee7 --- /dev/null +++ b/roles/docker-taiga/templates/configuration.yml @@ -0,0 +1,14 @@ +version: "latest" +oidc: + # Taiga doesn't have a functioning oidc support at the moment + # See + # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866 + # + # Due to this reason this plutin is deactivated atm +flavor: 'taigaio' # Potential flavors: robrotheram, taigaio +features: + matomo: true + css: true + landingpage_iframe: false + oidc: false + central_database: true diff --git a/roles/docker-taiga/templates/env.j2 b/roles/docker-taiga/templates/env.j2 index f7e4f6e3..7c12f10b 100644 --- a/roles/docker-taiga/templates/env.j2 +++ b/roles/docker-taiga/templates/env.j2 
@@ -6,8 +6,8 @@ TAIGA_SUBPATH = "" # it'll be appended to the TAIGA_DOMAIN (use either WEBSOCKETS_SCHEME = wss # events connection protocol (use either "ws" or "wss") # Taiga's Secret Key - Variable to provide cryptographic signing -TAIGA_SECRET_KEY = "{{taiga_secret_key}}" # Please, change it to an unpredictable value!! -SECRET_KEY = "{{taiga_secret_key}}" +applications[application_id].credentials.secret_key = "{{applications[application_id].credentials.secret_key}}" # Please, change it to an unpredictable value!! +SECRET_KEY = "{{applications[application_id].credentials.secret_key}}" # Taiga's Database settings - Variables to create the Taiga database and connect to it POSTGRES_USER = "{{database_username}}" # user to connect to PostgreSQL diff --git a/roles/docker-taiga/vars/main.yml b/roles/docker-taiga/vars/main.yml index 7da120db..a9788297 100644 --- a/roles/docker-taiga/vars/main.yml +++ b/roles/docker-taiga/vars/main.yml @@ -1,6 +1,6 @@ application_id: "taiga" database_type: "postgres" -database_password: "{{taiga_database_password}}" +database_password: "{{applications[application_id].credentials.database_password}}" docker_repository_address: "https://github.com/taigaio/taiga-docker" email_backend: "smtp" ## use an SMTP server or display the emails in the console (either "smtp" or "console") docker_compose_init: "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2" diff --git a/roles/docker-wordpress/meta/schema.yml b/roles/docker-wordpress/meta/schema.yml new file mode 100644 index 00000000..cb92954a --- /dev/null +++ b/roles/docker-wordpress/meta/schema.yml @@ -0,0 +1,10 @@ +credentials: + database_password: + description: "Password for the WordPress database user" + algorithm: "bcrypt" + validation: "^\\$2[aby]\\$.{56}$" + + administrator_password: + description: "Initial password for the WordPress admin account" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file 
diff --git a/roles/docker-wordpress/tasks/install.yml b/roles/docker-wordpress/tasks/install.yml
index 35a47294..1de8703b 100644
--- a/roles/docker-wordpress/tasks/install.yml
+++ b/roles/docker-wordpress/tasks/install.yml
@@ -4,9 +4,9 @@
 wp core install
 --url="{{ web_protocol }}://{{ domains[application_id][0] }}"
 --title="{{ applications[application_id].title }}"
- --admin_user="{{ applications[application_id].credentials.administrator.username }}"
- --admin_password="{{ applications[application_id].credentials.administrator.password }}"
- --admin_email="{{ applications[application_id].credentials.administrator.email }}"
+ --admin_user="{{ applications[application_id].users.administrator.username }}"
+ --admin_password="{{ applications[application_id].credentials.administrator_password }}"
+ --admin_email="{{ applications[application_id].users.administrator.email }}"
 --path="{{ wordpress_docker_html_path }}"
 args:
 chdir: "{{ docker_compose.directories.instance }}"
diff --git a/roles/docker-wordpress/vars/configuration.yml b/roles/docker-wordpress/vars/configuration.yml
new file mode 100644
index 00000000..b26416f2
--- /dev/null
+++ b/roles/docker-wordpress/vars/configuration.yml
@@ -0,0 +1,19 @@
+title: "Blog" # Wordpress titel
+users: # Credentials
+ administrator: # Wordpress administrator
+ username: "{{users.administrator.username}}" # Username of the wordpress administrator
+ email: "{{users.administrator.email}}" # Email of the wordpress adminsitrator
+plugins:
+ wp-discourse:
+ enabled: "{{ 'discourse' in group_names | lower }}"
+ daggerhart-openid-connect-generic:
+ enabled: true
+ activitypub:
+ enabled: true
+
+features:
+ matomo: true
+ css: false
+ landingpage_iframe: false
+ oidc: true
+ central_database: true
\ No newline at end of file
diff --git a/roles/docker-wordpress/vars/main.yml b/roles/docker-wordpress/vars/main.yml
index 31c9d49d..e07ad9b9 100644
--- a/roles/docker-wordpress/vars/main.yml
+++ b/roles/docker-wordpress/vars/main.yml
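Review bot: `--admin_password="{{ applications[application_id].credentials.administrator_password }}"` puts the WordPress admin password on the `wp core install` command line, where it is readable in the host's process list while the command runs and in Ansible output when the play is run verbosely. The task should set `no_log: true`; its header is outside this hunk, so that may already be the case, but the process-list exposure remains and deserves a comment on the line, e.g. `# password is passed as an argument and is visible to other processes during install`.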
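Review bot: `enabled: "{{ 'discourse' in group_names | lower }}"` applies `lower` to `group_names` (a list) rather than to the result of the `in` test, because Jinja filters bind tighter than `in`; the expression should be `"{{ ('discourse' in group_names) | lower }}"`. The nextcloud plugins hunk earlier in this diff has the same precedence issue on its `sociallogin` and `user_oidc` `enabled:` lines, where `| lower` binds to the string literal instead of the comparison. The comment typo `adminsitrator` on the `email:` line is cosmetic.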
@@ -1,7 +1,7 @@
 application_id: "wordpress"
 wordpress_max_upload_size: "64M"
 database_type: "mariadb"
-database_password: "{{applications[application_id].credentials.database.password}}"
+database_password: "{{applications[application_id].credentials.database_password}}"
 wordpress_custom_image: "wordpress_custom"
 wordpress_docker_html_path: "/var/www/html"
 host_msmtp_conf: "{{docker_compose.directories.config}}msmtprc.conf"
\ No newline at end of file
diff --git a/roles/docker-xmpp/templates/configuration.yml.j2 b/roles/docker-xmpp/templates/configuration.yml.j2
new file mode 100644
index 00000000..e5559102
--- /dev/null
+++ b/roles/docker-xmpp/templates/configuration.yml.j2
@@ -0,0 +1,3 @@
+# Jinja2 configuration template
+# Define your variables here
+
diff --git a/roles/docker-yourls/meta/schema.yml b/roles/docker-yourls/meta/schema.yml
new file mode 100644
index 00000000..804ac7e9
--- /dev/null
+++ b/roles/docker-yourls/meta/schema.yml
@@ -0,0 +1,15 @@
+credentials:
+  administrator_password:
+    description: "Initial password for the YOURLS administrator account"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"
+
+  database_password:
+    description: "Password for the YOURLS database user"
+    algorithm: "bcrypt"
+    validation: "^\\$2[aby]\\$.{56}$"
+
+  oauth2_proxy_cookie_secret:
+    description: "Secret used by OAuth2 Proxy to encrypt browser cookies (16 bytes hex-encoded)"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{32}$"
diff --git a/roles/docker-yourls/templates/env.j2 b/roles/docker-yourls/templates/env.j2
index a6889c30..26785e02 100644
--- a/roles/docker-yourls/templates/env.j2
+++ b/roles/docker-yourls/templates/env.j2
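Review bot: `oauth2_proxy_cookie_secret` declares `algorithm: "sha256"` but its `validation` pattern `^[a-f0-9]{32}$` accepts only 32 hex characters (16 bytes, as the description says), while a SHA-256 hex digest is 64 characters — the length the two password entries above validate against. Either the algorithm is wrong or the digest is meant to be truncated; whichever is intended, a comment on that `algorithm:` line such as `# 16 bytes of the digest, hex-encoded (oauth2-proxy cookie secret length)` would make the schema self-consistent and tell the generator what to produce. The same question of what `algorithm` denotes applies to the wordpress schema earlier in this commit.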
@@ -4,4 +4,4 @@ YOURLS_DB_PASS: "{{database_password}}"
 YOURLS_DB_NAME: "{{database_name}}"
 YOURLS_SITE: "{{ web_protocol }}://{{domains[application_id]}}"
 YOURLS_USER: "{{applications.yourls.users.administrator.username}}"
-YOURLS_PASS: "{{yourls_administrator_password}}"
\ No newline at end of file
+YOURLS_PASS: "{{applications[application_id].credentials.administrator_password}}"
\ No newline at end of file
diff --git a/roles/docker-yourls/vars/configuration.yml b/roles/docker-yourls/vars/configuration.yml
new file mode 100644
index 00000000..15aa7082
--- /dev/null
+++ b/roles/docker-yourls/vars/configuration.yml
@@ -0,0 +1,14 @@
+users:
+  administrator:
+    username: "{{users.administrator.username}}"
+version: "latest"
+oauth2_proxy:
+  application: "application"
+  port: "80"
+  location: "/admin/" # Protects the admin area
+features:
+  matomo: true
+  css: true
+  landingpage_iframe: false
+  central_database: true
+  oauth2: true
\ No newline at end of file
diff --git a/roles/docker-yourls/vars/main.yml b/roles/docker-yourls/vars/main.yml
index 812bb740..4b0d4a25 100644
--- a/roles/docker-yourls/vars/main.yml
+++ b/roles/docker-yourls/vars/main.yml
@@ -1,3 +1,3 @@
 application_id: "yourls"
 database_type: "mariadb"
-database_password: "{{yourls_database_password}}"
\ No newline at end of file
+database_password: "{{applications[application_id].credentials.database_password}}"
\ No newline at end of file
diff --git a/roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2
index 5e9de568..707947f9 100644
--- a/roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2
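Review bot: The new `YOURLS_PASS` line addresses the application as `applications[application_id]`, while the unchanged `YOURLS_USER` line directly above still uses the hard-coded `applications.yourls`; since this hunk already touches the credential lookup, aligning the user line, `YOURLS_USER: "{{applications[application_id].users.administrator.username}}"`, keeps the template to a single lookup style and matches the new `users.administrator` layout introduced in vars/configuration.yml. The first three lines of the template are outside this hunk.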
@@ -12,7 +12,7 @@ {# frame-ancestors: Restricts which origins can embed this site in a frame or iframe #} {%- set frame_ancestors = "frame-ancestors 'self'" %} -{%- if applications | is_feature_enabled('iframe', application_id) | bool %} +{%- if applications | is_feature_enabled('landing_page_iframe', application_id) | bool %} {%- set frame_ancestors = frame_ancestors + " " + web_protocol + "://" + primary_domain %} {%- endif %} {%- set csp_parts = csp_parts + [frame_ancestors + ";"] %} diff --git a/roles/nginx-serve-assets/templates/configuration.yml.j2 b/roles/nginx-serve-assets/templates/configuration.yml.j2 new file mode 100644 index 00000000..666deb80 --- /dev/null +++ b/roles/nginx-serve-assets/templates/configuration.yml.j2 @@ -0,0 +1,4 @@ + +assets_server: + source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied + url: "{{ web_protocol }}://{{domains.file_server}}/assets" # Public address of the assets directory \ No newline at end of file diff --git a/roles/nginx-serve-files/vars/configuration.yml b/roles/nginx-serve-files/vars/configuration.yml new file mode 100644 index 00000000..04faf2cb --- /dev/null +++ b/roles/nginx-serve-files/vars/configuration.yml @@ -0,0 +1,4 @@ +features: + matomo: true + css: true + landingpage_iframe: true \ No newline at end of file diff --git a/roles/nginx-serve-files/vars/main.yml b/roles/nginx-serve-files/vars/main.yml index df5f011c..1913de5e 100644 --- a/roles/nginx-serve-files/vars/main.yml +++ b/roles/nginx-serve-files/vars/main.yml @@ -1,2 +1,2 @@ application_id: "file_server" -domain: "{{domains[application_id]}}" \ No newline at end of file +domain: "{{ domains[application_id] }}" \ No newline at end of file diff --git a/roles/nginx-serve-html/vars/configuration.yml b/roles/nginx-serve-html/vars/configuration.yml new file mode 100644 index 00000000..0ae90f39 --- /dev/null +++ b/roles/nginx-serve-html/vars/configuration.yml 
@@ -0,0 +1,4 @@ +features: + matomo: true + css: true + landingpage_iframe: false \ No newline at end of file diff --git a/templates/docker/compose/networks.yml.j2 b/templates/docker/compose/networks.yml.j2 index e4226955..9bce2262 100644 --- a/templates/docker/compose/networks.yml.j2 +++ b/templates/docker/compose/networks.yml.j2 @@ -1,6 +1,6 @@ {# This template needs to be included in docker-compose.yml #} networks: -{% if applications | is_feature_enabled('database',application_id) | bool and database_type is defined %} +{% if applications | is_feature_enabled('central_database',application_id) | bool and database_type is defined %} central_{{ database_type }}: external: true {% endif %} diff --git a/templates/docker/container/networks.yml.j2 b/templates/docker/container/networks.yml.j2 index b6006fce..8232cd04 100644 --- a/templates/docker/container/networks.yml.j2 +++ b/templates/docker/container/networks.yml.j2 @@ -1,6 +1,6 @@ {# This template needs to be included in docker-compose.yml containers #} networks: -{% if applications | is_feature_enabled('database',application_id) | bool and database_type is defined %} +{% if applications | is_feature_enabled('central_database',application_id) | bool and database_type is defined %} central_{{ database_type }}: {% endif %} {% if applications[application_id].get('features', {}).get('ldap', false) | bool and applications.ldap.network.docker|bool %} diff --git a/templates/vars/applications.yml.j2 b/templates/vars/applications.yml.j2 index 23c24257..83244eef 100644 --- a/templates/vars/applications.yml.j2 +++ b/templates/vars/applications.yml.j2 @@ -1,6 +1,3 @@ -{% import "features.yml.j2" as features %}{% raw %} -# Docker Applications - ## Docker Role Specific Parameters docker_restart_policy: "unless-stopped" 
@@ -12,874 +9,4 @@ docker_restart_policy: "unless-stopped" # If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files. # helper -_applications_nextcloud_oidc_flavor: "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}" - -# applications - -defaults_applications: - - ## Akaunting - akaunting: - version: "latest" - company_name: "{{primary_domain}}" - company_email: "{{users.administrator.email}}" - setup_admin_email: "{{users.administrator.email}}" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, -}) }}{% raw %} - - ## Assets Server - assets_server: - source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied - url: "{{ web_protocol }}://{{domains.file_server}}/assets" # Public address of the assets directory - ## Attendize - attendize: - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, -}) }}{% raw %} - - ## Baserow - baserow: - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'database': true, -}) }}{% raw %} - - ## Big Blue Button - bigbluebutton: - enable_greenlight: "true" - setup: false # Set to true in inventory file for initial setup -# @todo LDAP needs to get propper implemented and tested, just set values during refactoring -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'ldap': false, - 'oidc': true, - 'database': false, -}) }}{% raw %} - credentials: -# shared_secret: # Needs to be defined in inventory file -# etherpad_api_key: # Needs to be defined in inventory file -# rails_secret: # Needs to be defined in inventory file -# postgresql_secret: # Needs to be defined in inventory file -# fsesl_password: # Needs 
to be defined in inventory file -# turn_secret: # Needs to be defined in inventory file - database: - name: "multiple_databases" - username: "postgres2" - urls: - api: "{{ web_protocol }}://{{domains.bigbluebutton}}/bigbluebutton/" # API Address used by Nextcloud Integration - - ## Bluesky - bluesky: - users: - administrator: - email: "{{users.administrator.email}}" - pds: - version: "latest" - #jwt_secret: # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n' - #plc_rotation_key_k256_private_key_hex: # Needs to be defined in inventory file - Use: openssl rand -hex 32 - #admin_password: # Needs to be defined in inventory file - Use: openssl rand -base64 16 -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'database': true, -}) }}{% raw %} - - # Chromium Browser - chromium: - plugins: # Plugins to be installed in Chromium - - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx" # U-Block Origine Plugin - - "oboonakemofpalcgghocfoadofidjkkk;https://clients2.google.com/service/update2/crx" # KeepassXC Plugin - - coturn: # @todo implement - credentials: - user: turnuser - # password: # Need to be defined in invetory file - # secret: # Need to be defined in invetory file - - ## Discourse: - discourse: - network: "discourse_default" # Name of the docker network - container: "discourse_application" # Name of the container application - repository: "discourse_repository" # Name of the repository folder - credentials: - database: -# password: # Needs to be defined in inventory file - master_api: -# key: # Needs to be defined in inventory file - username: "{{ users.administrator.username }}" # Username for the Master API -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'oidc': true, - 'database': true, -}) }}{% raw %} - - ## EspoCRM - espocrm: - version: "latest" - users: - administrator: - username: "{{ 
users.administrator.username }}" - email: "{{ users.administrator.email }}" - - credentials: - administrator: - password: "{{ users.administrator.password }}" - database: - # password: # Set in your inventory file - -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': false, - 'iframe': false, - 'ldap': false, - 'oidc': true, - 'database': true -}) }}{% raw %} - - - ## File Server - file_server: -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, -}) }}{% raw %} - - # Firefox Browser - firefox: - plugins: # Plugins to be installed in Firefox - - "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" # U-Block Origine Plugin - - "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi" # KeepassXC Plugin - - ## Friendica - friendica: - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'oidc': true, - 'database': true, -}) }}{% raw %} - - ## Funkwhale - funkwhale: - version: "1.4.0" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'ldap': true, - 'database': true, -}) }}{% raw %} - - ## Gitea - gitea: - version: "latest" # Use latest docker image - configuration: - repository: - enable_push_create_user: True # Allow users to push local repositories to Gitea and have them automatically created for a user. - default_private: last # Default private when creating a new repository: last, private, public - default_push_create_private: True # Default private when creating a new repository with push-to-create. 
-{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'database': true, -}) }}{% raw %} - - ## Gitlab - gitlab: - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'database': true, -}) }}{% raw %} - - ## Gnome - gnome: - plugins: - - [enable,nasa_apod@elinvention.ovh,https://github.com/Elinvention/gnome-shell-extension-nasa-apod.git] - - [disable,dash-to-dock@micxgx.gmail.com,''] - - [enable, dash-to-panel@jderose9.github.com,''] - - ## Joomla - joomla: - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, -}) }}{% raw %} - - ## HTML Server - html_server: -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, -}) }}{% raw %} - - ## Keycloak - keycloak: - version: "latest" - users: - administrator: - username: "{{users.administrator.username}}" # Administrator Username for Keycloak - import_realm: True # If True realm will be imported. If false skip. -# database_password: # Needs to be defined in inventory file -# administrator_password: # Needs to be defined in inventory file -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'ldap': true, - 'database': true, - 'recaptcha': true, -}) }}{% raw %} - - # LDAP Account Manager - lam: - version: "latest" -# administrator_password: "{{users.administrator.password}}" # CHANGE for security reasons - oauth2_proxy: - application: application # Needs to be the same as webinterface - port: 80 # application port -# cookie_secret: None # Set via openssl rand -hex 16 -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'ldap': true, - 'database': false, - 'oauth2': false, -}) }}{% raw %} - - ## LDAP - ldap: - version: "latest" - network: - local: True # Activates local network. 
Necessary for LDIF import routines - docker: True # Activates docker network to allow other docker containers to connect - public: False # Set to true in inventory file if you want to expose the LDAP port to the internet - hostname: "ldap" # Hostname of the LDAP Server in the central_ldap network - webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin - users: - administrator: - username: "{{users.administrator.username}}" # Administrator username - # administrator_password: # CHANGE for security reasons in inventory file - # administrator_database_password: # CHANGE for security reasons in inventory file -{% endraw %}{{ features.render_features({ - 'ldap': true, -}) }}{% raw %} - - ## Libre Office - libreoffice: - flavor: "fresh" # Libre Office flavor, fresh for new, still for stable - - ## Listmonk - listmonk: - users: - administrator: - username: "{{users.administrator.username}}" # Listmonk administrator account username -# password: "{{users.administrator.password}}" # Password to initialized Listmonk administrator with - credentials: - database: -# password: "" # Database password - hcaptcha: -# site_key: -# secret: - public_api_activated: False # Security hole. Can be used for spaming - version: "latest" # Docker Image version - -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, - 'database': true, - 'oidc': true -}) }}{% raw %} - - mailu: - version: "2024.06" # Docker Image Version - users: - administrator: - email: "{{users.administrator.email}}" # Administrator Email for DNS Records - oidc: - email_by_username: true # If true, then the mail is set by the username. 
If wrong then the OIDC user email is used - enable_user_creation: true # Users will be created if not existing - domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ - credentials: -# secret_key: # Set to a randomly generated 16 bytes string -# database_password: # Needs to be set in inventory file -# api_token: # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API. -# initial_administrator_password: # Initial administrator password for setup -# dkim_public_key: # Must be set in inventory file -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'oidc': true, - 'database': false -}) }}{% raw %} -# Deactivate central database for mailu, I don't know why the database deactivation is necessary -# Deactivated mailu iframe loading until keycloak supports it - - ## MariaDB - mariadb: - version: "latest" - - ## Matomo - matomo: - version: "latest" - oauth2_proxy: -# cookie_secret: None # Set via openssl rand -hex 16 -# database_password: Null # Needs to be set in inventory file -# auth_token: Null # Needs to be set in inventory file -{% endraw %}{{ features.render_features({ - 'matomo': false, - 'css': false, - 'iframe': false, - 'database': true, - 'oauth2': false, -}) }}{% raw %} - - ## Mastodon - mastodon: - version: "latest" - single_user_mode: false # Set true for initial setup - setup: false # Set true in inventory file to execute the setup and initializing procedures - credentials: -# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials -# database_password: -# secret_key_base: -# otp_secret: -# vapid: -# private_key: -# public_key: -# active_record_encryption: -# deterministic_key: -# key_derivation_salt: -# primary_key: -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'oidc': true, - 
'database': true, -}) }}{% raw %} - - ## Matrix - matrix: - users: - administrator: - username: "{{users.administrator.username}}" # Accountname of the matrix admin - playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start - role: "compose" # Role to setup Matrix. Valid values: ansible, compose - server_name: "{{primary_domain}}" # Adress for the account names etc. - synapse: - version: "latest" - element: - version: "latest" - setup: false # Set true in inventory file to execute the setup and initializing procedures -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'oidc': false, - 'database': true, -}) }}{% raw %} -# Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492 - - ## Moodle - moodle: - site_titel: "Global Learning Academy on {{primary_domain}}" - users: - administrator: - username: "{{users.administrator.username}}" - email: "{{users.administrator.email}}" - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, -}) }}{% raw %} - - ## MyBB - mybb: - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, -}) }}{% raw %} - - ## Nextcloud - nextcloud: - version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ - ldap: - enabled: True # Enables LDAP by default - oidc: - enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud - # floavor decides which OICD plugin should be used. 
- # Available options: oidc_login, sociallogin - # @see https://apps.nextcloud.com/apps/oidc_login - # @see https://apps.nextcloud.com/apps/sociallogin - flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'ldap': true, - 'oidc': true, - 'database': true, -}) }}{% raw %} - credentials: -# database_password: Null # Needs to be set in inventory file - users: - administrator: - username: "{{users.administrator.username}}" - password: "{{users.administrator.password}}" # Keep in mind to change the password fast after creation and activate 2FA - default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes) - legacy_login_mask: - enabled: False # If true, then legacy login mask is shown. Otherwise just SSO - container: - application: "nextcloud-application" # Nextcloud application container name - proxy: "nextcloud-web" # Nextcloud Proxy Container Name - performance: - php: - memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit - upload_limit: "5G" # Set upload limit to 5GB for big media files - opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption - plugins: - # List for Nextcloud Plugin Routine - # Decides if plugins should be activated or deactivated - appointments: - # Nextcloud appointments: handles scheduling and appointment management (https://apps.nextcloud.com/apps/appointments) - enabled: true - bbb: - # Nextcloud BigBlueButton integration: enables video conferencing using BigBlueButton (https://apps.nextcloud.com/apps/bbb) - enabled: "{{ 'bigbluebutton' in group_names | lower }}" - #- bookmarks - # # Nextcloud Bookmarks: manage and share your bookmarks easily (https://apps.nextcloud.com/apps/bookmarks) - # enabled: false - calendar: - # Nextcloud calendar: manages calendar events and scheduling 
(https://apps.nextcloud.com/apps/calendar) - enabled: true - cfg_share_links: - # Nextcloud share links configuration: customizes sharing settings and link options (https://apps.nextcloud.com/apps/cfg_share_links) - enabled: true - collectives: - # Nextcloud collectives: supports collaborative group management and sharing (https://apps.nextcloud.com/apps/collectives) - enabled: true - contacts: - # Nextcloud contacts: manages address book and contact information (https://apps.nextcloud.com/apps/contacts) - enabled: true - cospend: - # Nextcloud cospend: manages shared expenses and spending tracking (https://apps.nextcloud.com/apps/cospend) - enabled: true - deck: - # Nextcloud Deck: organizes tasks and projects using Kanban boards (https://apps.nextcloud.com/apps/deck) - # When Taiga is activated, this plugin is deactivated, because Taiga is the prefered application. - enabled: "{{ 'taiga' not in group_names | lower }}" - drawio: - # Nextcloud draw.io: integrates diagram creation and editing tools (https://apps.nextcloud.com/apps/drawio) - enabled: true - duplicatefinder: - # Nextcloud duplicate finder: scans and identifies duplicate files (https://apps.nextcloud.com/apps/duplicatefinder) - enabled: true - emlviewer: - # Nextcloud EML Viewer: previews and manages EML email files (https://apps.nextcloud.com/apps/emlviewer) - enabled: true - event_update_notification: - # Nextcloud event update notification: sends alerts when events are updated (https://apps.nextcloud.com/apps/event_update_notification) - enabled: true - epubviewer: - # Nextcloud EPUB Viewer: enables reading and previewing EPUB e-books (https://apps.nextcloud.com/apps/epubviewer) - enabled: true - external: - # Nextcloud External: Adds links to external services (https://apps.nextcloud.com/apps/external) - enabled: true - #files_accesscontrol - # # Nextcloud Files Access Control: restricts file access based on defined rules (https://apps.nextcloud.com/apps/files_accesscontrol) - # enabled: false - 
#files_archive - # # Nextcloud Files Archive: compresses and archives files for efficient storage (https://apps.nextcloud.com/apps/files_archive) - # enabled: false - #files_automatedtagging - # # Nextcloud Files Automated Tagging: automatically tags files to improve organization (https://apps.nextcloud.com/apps/files_automatedtagging) - # enabled: false - files_bpm: - # Nextcloud Files BPM: integrates business process management for file workflows (https://apps.nextcloud.com/apps/files_bpm) - enabled: true - files_downloadactivity: - # Nextcloud Files Download Activity: tracks and logs file download events (https://apps.nextcloud.com/apps/files_downloadactivity) - enabled: true - files_linkeditor: - # Nextcloud files link editor: allows customization of shared file links (https://apps.nextcloud.com/apps/files_linkeditor) - enabled: true - files_mindmap: - # Nextcloud Files Mindmap: visualizes file relationships as mind maps (https://apps.nextcloud.com/apps/files_mindmap) - enabled: true - files_texteditor: - # Nextcloud Files Text Editor: provides an online editor for text files (https://apps.nextcloud.com/apps/files_texteditor) - # Not available for Nextcloud < 27 - enabled: false - fileslibreofficeedit: - # Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit) - enabled: true - forms: - # Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms) - enabled: true - gestion: - # Nextcloud Gestion: manages administrative tasks and workflows (https://apps.nextcloud.com/apps/gestion) - enabled: true - groupfolders: - # Nextcloud Group Folders: centralizes shared folders for group collaboration (https://apps.nextcloud.com/apps/groupfolders) - enabled: true - gpxpod: - # Nextcloud GPX pod: visualizes GPS tracks and GPX data (https://apps.nextcloud.com/apps/gpxpod) - enabled: true - integration_discourse: - # Nextcloud Integration Discourse: 
connects Nextcloud with Discourse forums (https://apps.nextcloud.com/apps/integration_discourse) - enabled: false - integration_gitlab: - # Nextcloud Integration GitLab: connects Nextcloud with GitLab repositories (https://apps.nextcloud.com/apps/integration_gitlab) - enabled: "{{ 'gitlab' in group_names | lower }}" - integration_github: - # Nextcloud Integration GitHub: integrates GitHub repositories with Nextcloud (https://apps.nextcloud.com/apps/integration_github) - enabled: false - integration_google: - # Nextcloud Integration Google: connects Google services with Nextcloud (https://apps.nextcloud.com/apps/integration_google) - enabled: true - integration_mastodon: - # Nextcloud Integration Mastodon: connects Nextcloud with the Mastodon social network (https://apps.nextcloud.com/apps/integration_mastodon) - enabled: "{{ 'mastodon' in group_names | lower }}" - integration_openai: - # Nextcloud Integration OpenAI: brings OpenAI functionalities into Nextcloud (https://apps.nextcloud.com/apps/integration_openai) - enabled: false - integration_openproject: - # Nextcloud Integration OpenProject: integrates project management features from OpenProject (https://apps.nextcloud.com/apps/integration_openproject) - enabled: "{{ 'openproject' in group_names | lower }}" - integration_peertube: - # Nextcloud Integration PeerTube: connects to PeerTube for video sharing (https://apps.nextcloud.com/apps/integration_peertube) - enabled: "{{ 'peertube' in group_names | lower }}" - #keeweb - # # Nextcloud KeeWeb: integrates the KeeWeb password manager within Nextcloud (https://apps.nextcloud.com/apps/keeweb) - # # This isn't maintained anymore. 
The alternatives don't support keepass files - # enabled: false - keeporsweep: - # Nextcloud keep or sweep: helps manage and clean up files and data (https://apps.nextcloud.com/apps/keeporsweep) - enabled: true - mail: - # Nextcloud mail: integrated email client for managing mail accounts (https://apps.nextcloud.com/apps/mail) - enabled: true - maps: - # Nextcloud maps: provides mapping and location services integration (https://apps.nextcloud.com/apps/maps) - enabled: true - metadata: - # Nextcloud Metadata: manages and displays file metadata for enhanced organization (https://apps.nextcloud.com/apps/metadata) - enabled: true - news: - # Nextcloud News: aggregates and displays news feeds directly in Nextcloud (https://apps.nextcloud.com/apps/news) - enabled: true - oidc_login: - # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/oidc_login) - enabled: "{{ _applications_nextcloud_oidc_flavor=='oidc_login' | lower }}" - incompatible_plugins: - - user_oidc # Will be disabled - - sociallogin # Will be disabled - phonetrack: - # Nextcloud phone track: tracks and monitors mobile device usage (https://apps.nextcloud.com/apps/phonetrack) - enabled: true - polls: - # Nextcloud polls: facilitates creation and management of user polls (https://apps.nextcloud.com/apps/polls) - enabled: true - quota_warning: - # Nextcloud quota warning: notifies users when storage limits are reached (https://apps.nextcloud.com/apps/quota_warning) - enabled: true - recognize: - # Nextcloud recognize: performs image recognition tasks (https://apps.nextcloud.com/apps/recognize) - enabled: false # Deactivated because it let to bugs - richdocuments: - # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments) - enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before - sociallogin: - # Nextcloud social login: allows 
authentication using social networks (https://apps.nextcloud.com/apps/sociallogin) - enabled: "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}" - incompatible_plugins: - - user_oidc # Will be disabled - - oidc_login # Will be disabled - spreed: - # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed) - enabled: false # @todo to activate it first implement docker-coturn and activate it - tables: - # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables) - enabled: true - tasks: - # Nextcloud tasks: manages personal or group tasks and to-do lists (https://apps.nextcloud.com/apps/tasks) - enabled: true - #terms_of_service - # # Nextcloud Terms of Service: manages user acceptance of terms and conditions (https://apps.nextcloud.com/apps/terms_of_service) - # enabled: false - twofactor_nextcloud_notification: - # Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification) - enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active - twofactor_totp: - # Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp) - enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active - user_ldap: - # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap) - enabled: "{{ applications.nextcloud.features.ldap | default(true) }}" - user_oidc: - # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc) - enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}" - incompatible_plugins: - - oidc_login - - sociallogin - whiteboard: - # Nextcloud Whiteboard: 
provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard) - enabled: true - - ## OAuth2 Proxy - oauth2_proxy: - configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it - version: "latest" # Docker Image version - redirect_url: "{{ web_protocol }}://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. - allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, -}) }}{% raw %} - - ## Open Project - openproject: - version: "13" # Update when available. Sadly no rolling release implemented - oauth2_proxy: - application: "proxy" - port: "80" -# cookie_secret: None # Set via openssl rand -hex 16 - ldap: - filters: - administrators: True # Set true to filter administrators - users: False # Set true to filter users -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'ldap': true, - 'database': true, - 'oauth2': true, -}) }}{% raw %} - - ## Peertube - peertube: - version: "bookworm" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, -}) }}{% raw %} - - ## PgAdmin - pgadmin: - version: "latest" - server_mode: False # If true then the preconfigured database file is loaded. Recommended False. True is a security risk. - master_password_required: True # Master password is required. Recommended True. False is a security risk. 
- users: - administrator: - email: "{{ users.administrator.email }}" # Initial login email address - password: "{{ users.administrator.password }}" # Initial login password – should be overridden in inventory for security - oauth2_proxy: - application: "application" - port: "80" -# cookie_secret: None # Set via: openssl rand -hex 16 -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, - 'oauth2': true, -}) }}{% raw %} - - ## phpLDAPadmin - phpldapadmin: - version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest - oauth2_proxy: - application: application # Needs to be the same as webinterface - port: 8080 # application port -# cookie_secret: None # Set via openssl rand -hex 16 -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'ldap': true, - 'oauth2': true, -}) }}{% raw %} - - ## PHPMyAdmin - phpmyadmin: - version: "latest" # Use the latest phpmyadmin version - autologin: false # This is a high security risk. 
Just activate this option if you know what you're doing - oauth2_proxy: - port: "80" - application: "application" -# cookie_secret: None # Set via openssl rand -hex 16 -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': false, - 'iframe': false, - 'database': true, - 'oauth2': true, -}) }}{% raw %} - - ## Pixelfed - pixelfed: - titel: "Pictures on {{primary_domain}}" - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, -}) }}{% raw %} - - ## Postgres - # Please set an version in your inventory file - Rolling release for postgres isn't recommended - postgres: - version: "latest" - - portfolio: -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, -}) }}{% raw %} - - ## Presentation - presentation: -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': true, -}) }}{% raw %} - - # Snipe-IT - snipe_it: - version: "latest" -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, -}) }}{% raw %} - - ## Sphinx - sphinx: -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, -}) }}{% raw %} - -# syncope: -# version: "latest" -# credentials: -# anonymous: -# password: # Set in environment file -# database: -# password: # Set in environment file -# administrator: -# password: "{{ users.administrator.password }}" -# users: -# administrator: -# username: "{{ users.administrator.username }}" - - - ## Taiga - taiga: - version: "latest" - oidc: - # Taiga doesn't have a functioning oidc support at the moment - # See - # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866 - # - # Due to this reason this plutin is deactivated atm - flavor: 'taigaio' # Potential flavors: robrotheram, taigaio -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'oidc': false, - 
'database': true, -}) }}{% raw %} - - ## YOURLS - yourls: - users: - administrator: - username: "{{users.administrator.username}}" - version: "latest" - oauth2_proxy: - application: "application" - port: "80" - location: "/admin/" # Protects the admin area -# cookie_secret: None # Set via openssl rand -hex 16 -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': true, - 'iframe': false, - 'database': true, - 'oauth2': true, -}) }}{% raw %} - - wordpress: -# Deactivate Global theming for wordpress role -# due to the reason that wordpress has to much different themes -# and one styling for all is not possible. -# -# May a solution could be to generate a template or css file dedicated -# for wordpress based on the theming values and import it. - title: "Blog" # Wordpress titel - credentials: # Credentials - administrator: # Wordpress administrator - username: "{{users.administrator.username}}" # Username of the wordpress administrator -# password: # Password of the wordpress administrator - email: "{{users.administrator.email}}" # Email of the wordpress adminsitrator - plugins: - wp-discourse: - enabled: "{{ 'discourse' in group_names | lower }}" - daggerhart-openid-connect-generic: - enabled: true - activitypub: - enabled: true - -{% endraw %}{{ features.render_features({ - 'matomo': true, - 'css': false, - 'iframe': false, - 'oidc': true, - 'database': true, -}) }}{% raw %} \ No newline at end of file +_applications_nextcloud_oidc_flavor: "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}" \ No newline at end of file diff --git a/templates/vars/features.yml.j2 b/templates/vars/features.yml.j2 index 9902ed77..00146e78 100644 --- a/templates/vars/features.yml.j2 +++ b/templates/vars/features.yml.j2 
@@ -11,10 +11,8 @@ 'recaptcha': 'Enables recaptcha functionality' } %} {%- for key, comment in feature_map.items() %} - {%- if key in options %} - + {%- if key in options %} {{ key }}: {{ options[key] }} # {{ comment }} - {%- endif %} {%- endfor %} {% endmacro %} diff --git a/tests/unit/test_generate_default_applications.py b/tests/unit/test_generate_default_applications.py new file mode 100644 index 00000000..efe7eb77 --- /dev/null +++ b/tests/unit/test_generate_default_applications.py 
@@ -0,0 +1,46 @@
+import os
+import unittest
+import tempfile
+import shutil
+import yaml
+from pathlib import Path
+from unittest.mock import patch
+import importlib.util
+
+class TestGenerateDefaultApplications(unittest.TestCase):
+ def setUp(self):
+ # Determine script location
+ self.script_path = Path(__file__).resolve().parent.parent.parent / "cli" / "generate_default_applications.py"
+ spec = importlib.util.spec_from_file_location("generate_default_applications", self.script_path)
+ self.gda = importlib.util.module_from_spec(spec)
+ spec.loader.exec_module(self.gda)
+
+ # Setup fake Ansible role structure
+ self.temp_dir = Path(tempfile.mkdtemp())
+ self.roles_dir = self.temp_dir / "roles"
+ self.output_file = self.temp_dir / "group_vars" / "all" / "11_applications.yml"
+ (self.roles_dir / "docker-testapp" / "vars").mkdir(parents=True, exist_ok=True)
+ (self.roles_dir / "docker-testapp" / "tasks").mkdir(parents=True, exist_ok=True)
+
+ # Populate vars/main.yml and vars/configuration.yml
+ (self.roles_dir / "docker-testapp" / "vars" / "main.yml").write_text("application_id: testapp\n")
+ (self.roles_dir / "docker-testapp" / "vars" / "configuration.yml").write_text("foo: bar\nbaz: 123\n")
+ (self.roles_dir / "docker-testapp" / "tasks" / "main.yml").write_text("# dummy task")
+
+ def tearDown(self):
+ shutil.rmtree(self.temp_dir)
+
+ def test_extracts_and_writes_configuration(self):
+ self.gda.generate_default_applications(
+ roles_dir=self.roles_dir,
+ output_file=self.output_file
+ )
+
+ self.assertTrue(self.output_file.exists())
+ result = yaml.safe_load(self.output_file.read_text())
+ self.assertIn("testapp", result)
+ self.assertEqual(result["testapp"]["foo"], "bar")
+ self.assertEqual(result["testapp"]["baz"], 123)
+
+if __name__ == "__main__":
+ unittest.main()
\ No newline at end of file
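Review bot: The test calls `self.gda.generate_default_applications(roles_dir=..., output_file=...)` and then reads `result["testapp"]`, but this diff does not appear to add a function of that name to the CLI module it loads (the script looks to expose only an argparse `main()` that nests every role under a `default_applications` key), so as written the test would fail with an AttributeError before any assertion runs, and even with the function in place the top-level key lookup would raise KeyError. Extract the role-scanning loop into `def generate_default_applications(roles_dir: Path, output_file: Path) -> dict` that `main()` calls, and change the assertions to read `result = yaml.safe_load(self.output_file.read_text())["default_applications"]` so they match what the script actually writes. It is also worth adding a negative case (a `docker-*` role whose `vars/main.yml` lacks `application_id`, and a non-`docker-` directory) so the skip paths that keep stray role config out of `group_vars` stay covered. Minor: `os` and `patch` are imported but unused, and `tempfile.mkdtemp()` plus the manual `tearDown` can become `self.addCleanup(shutil.rmtree, self.temp_dir)` right after creation so the directory is removed even when `setUp` fails midway.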