kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-02-22 04:29:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Big code and variable refactoring

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-01-29 14:20:34 +01:00
parent 13429d8e68
commit aca3399e9d
43 changed files with 519 additions and 503 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

343
group_vars/all
View File

@ -1,343 +0,0 @@
# General
pause_duration: "120" # Database delay to wait for the central database before continue tasks
ip4_address: "127.0.0.1" # Change thie in inventory to the ip address of your server
backups_folder_path: "/Backups/" # Path to the backups folder
## Domain
primary_domain_tld: "localhost" # Top Level Domain of the server
primary_domain_sld: "cymais" # Second Level Domain of the server
primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server
# Administrator
administrator_username: "administrator" # Username of the administrator
administrator_email: "{{administrator_username}}@{{primary_domain}}" # Email of the administrator
#user_administrator_initial_password: EXAMPLE_PASSWORD_123456 # Example initialisation password needs to be set in inventory file
# Email Configuration
system_email_local: no-reply
system_email_domain: "{{primary_domain}}"
system_email_username: "{{system_email_local}}@{{system_email_domain}}"
system_email_host: "mail.{{primary_domain}}"
system_email_smtp_port: 465
system_email_tls: true
system_email_start_tls: false
system_email_from: "{{system_email_username}}"
system_email_smtp: true
# Test Email
test_email: "test@{{primary_domain}}"
# Mode
# The following modes can be combined with each other
mode_reset: false # Cleans up all CyMaIS files. It's necessary to run to whole playbook and not particial roles when using this function.
mode_debug: false # Prints well formated debug information
mode_test: false # Executes test routines instead of productive routines
mode_update: true # Executes updates
mode_backup: true # Activates the backup before the update procedure
mode_setup: false # Execute the setup and initializing procedures
# Server Tact Variables
## Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
hours_server_awake: "0..23"
## Random delay for systemd timers to avoid peak loads.
randomized_delay_sec: "5min"
## Schedule for Health Checks
on_calendar_health_btrfs: "*-*-* 00:00:00" # Check once per day the btrfs for errors
on_calendar_health_journalctl: "*-*-* 00:00:00" # Check once per day the journalctl for errors
on_calendar_health_disc_space: "*-*-* 06,12,18,00:00:00" # Check four times per day if there is sufficient disc space
on_calendar_health_docker_container: "*-*-* {{ hours_server_awake }}:00:00" # Check once per hour if the docker containers are healthy
on_calendar_health_docker_volumes: "*-*-* {{ hours_server_awake }}:15:00" # Check once per hour if the docker volumes are healthy
on_calendar_health_nginx: "*-*-* {{ hours_server_awake }}:45:00" # Check once per hour if all webservices are available
## Schedule for Cleanup Tasks
on_calendar_cleanup_backups: "*-*-* 00,06,12,18:30:00" # Cleanup backups every 6 hours, MUST be called before disc space cleanup
on_calendar_cleanup_disc_space: "*-*-* 07,13,19,01:30:00" # Cleanup disc space every 6 hours
## Schedule for Backup Tasks
on_calendar_backup_docker_to_local: "*-*-* 03:30:00"
on_calendar_backup_remote_to_local: "*-*-* 21:30:00"
## Schedule for Maintenance Tasks
on_calendar_heal_docker: "*-*-* {{ hours_server_awake }}:30:00" # Heal unhealthy docker instances once per hour
on_calendar_renew_lets_encrypt_certificates: "*-*-* 12,00:30:00" # Renew Mailu certificates twice per day
on_calendar_deploy_certificates: "*-*-* 13,01:30:00" # Deploy letsencrypt certificates twice per day to docker containers
on_calendar_msi_keyboard_color: "*-*-* *:*:00" # Change the keyboard color every minute
on_calendar_cleanup_failed_docker: "*-*-* 12:00:00" # Clean up failed docker backups every noon
on_calendar_btrfs_auto_balancer: "Sat *-*-01..07 00:00:00" # Execute btrfs auto balancer every first Saturday of a month
on_calendar_restart_docker: "Sun *-*-* 08:00:00" # Restart docker instances every Sunday at 8:00 AM
# Storage Space-Related Configurations
size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space
# Path Variables for Key Directories and Scripts
path_administrator_home: "/home/administrator/"
path_administrator_scripts: "{{path_administrator_home}}scripts/"
path_docker_volumes: "{{path_administrator_home}}volumes/docker/"
path_docker_compose_instances: "{{path_administrator_home}}docker-compose/"
path_system_lock_script: "{{path_administrator_scripts}}system-maintenance-lock.py"
# Runtime Variables for Process Control
activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
nginx_matomo_tracking: false # Activates matomo tracking on all html pages
# System maintenance Services
## Timeouts to wait for other services to stop
system_maintenance_lock_timeout_cleanup_services: "15min"
system_maintenance_lock_timeout_storage_optimizer: "10min"
system_maintenance_lock_timeout_backup_services: "1h"
system_maintenance_lock_timeout_heal_docker: "30min"
system_maintenance_lock_timeout_update_docker: "2min"
system_maintenance_lock_timeout_restart_docker: "{{system_maintenance_lock_timeout_update_docker}}"
## Services
### Defined Services for Backup Tasks
system_maintenance_backup_services:
- "backup-docker-to-local"
- "backup-remote-to-local"
- "backup-data-to-usb"
- "backup-docker-to-local-everything"
### Defined Services for System Cleanup
system_maintenance_cleanup_services:
- "cleanup-backups"
- "cleanup-disc-space"
- "cleanup-failed-docker-backups"
### Services that Manipulate the System
system_maintenance_manipulation_services:
- "heal-docker"
- "update-docker"
- "system-storage-optimizer"
- "restart-docker"
## Total System Maintenance Services
system_maintenance_services: "{{ system_maintenance_backup_services + system_maintenance_cleanup_services + system_maintenance_manipulation_services }}"
### Define Variables for Docker Volume Health services
whitelisted_anonymous_docker_volumes: []
# Webserver Configuration
## Nginx-Specific Path Configurations
nginx_configuration_directory: "/etc/nginx/conf.d/" # General configuration dir
nginx_servers_directory: "{{nginx_configuration_directory}}servers/" # Contains server blogs
nginx_maps_directory: "{{nginx_configuration_directory}}maps/" # Contains mappins
nginx_streams_directory: "{{nginx_configuration_directory}}streams/" # Contains streams configuration e.g. for ldaps
nginx_well_known_root: "/usr/share/nginx/well-known/" # Path where well-known files are stored
nginx_homepage_root: "/usr/share/nginx/homepage/" # Path where the static homepage files are stored
## Nginx static repository
nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file
## Domains
### Service Domains
domain_akaunting: "accounting.{{primary_domain}}"
domain_attendize: "tickets.{{primary_domain}}"
domain_baserow: "baserow.{{primary_domain}}"
domain_bigbluebutton: "meet.{{primary_domain}}"
domain_bluesky_api: "bluesky.{{primary_domain}}"
domain_bluesky_web: "bskyweb.{{primary_domain}}"
domain_discourse: "forum.{{primary_domain}}"
domain_elk: "elk.{{primary_domain}}"
domain_friendica: "friendica.{{primary_domain}}"
domain_funkwhale: "music.{{primary_domain}}"
domain_gitea: "git.{{primary_domain}}"
domain_gitlab: "gitlab.{{primary_domain}}"
domain_keycloak: "auth.{{primary_domain}}"
domain_ldap: "ldap.{{primary_domain}}"
domain_listmonk: "newsletter.{{primary_domain}}"
domain_mailu: "{{system_email_host}}"
domain_mastodon: "microblog.{{primary_domain}}"
domains_mastodon_alternates: ["mastodon.{{primary_domain}}"]
domain_matomo: "matomo.{{primary_domain}}"
domain_matrix_synapse: "matrix.{{primary_domain}}"
domain_matrix_element: "element.{{primary_domain}}"
domain_moodle: "academy.{{primary_domain}}"
domain_mediawiki: "wiki.{{primary_domain}}"
domain_nextcloud: "cloud.{{primary_domain}}"
domain_openproject: "project.{{primary_domain}}"
domain_peertube: "video.{{primary_domain}}"
domains_peertube: []
domain_phpmyadmin: "phpmyadmin.{{primary_domain}}"
domain_pixelfed: "picture.{{primary_domain}}"
domain_portfolio: "{{primary_domain}}"
domain_roulette: "roulette.{{primary_domain}}"
domain_taiga: "kanban.{{primary_domain}}"
domain_yourls: "s.{{primary_domain}}"
domains_wordpress: ["wordpress.{{primary_domain}}","blog.{{primary_domain}}"]
### Domain Redirects
redirect_domain_mappings:
- { source: "akaunting.{{primary_domain}}", target: "{{domain_akaunting}}" }
- { source: "bbb.{{primary_domain}}", target: "{{domain_bigbluebutton}}" }
- { source: "discourse.{{primary_domain}}", target: "{{domain_discourse}}" }
- { source: "funkwhale.{{primary_domain}}", target: "{{domain_funkwhale}}" }
- { source: "gitea.{{primary_domain}}", target: "{{domain_gitea}}" }
- { source: "keycloak.{{primary_domain}}", target: "{{domain_keycloak}}" }
- { source: "listmonk.{{primary_domain}}", target: "{{domain_listmonk}}" }
- { source: "moodle.{{primary_domain}}", target: "{{domain_moodle}}" }
- { source: "nextcloud.{{primary_domain}}", target: "{{domain_nextcloud}}" }
- { source: "openproject.{{primary_domain}}", target: "{{domain_openproject}}" }
- { source: "peertube.{{primary_domain}}", target: "{{domain_peertube}}" }
- { source: "pictures.{{primary_domain}}", target: "{{domain_pixelfed}}" }
- { source: "pixelfed.{{primary_domain}}", target: "{{domain_pixelfed}}" }
- { source: "short.{{primary_domain}}", target: "{{domain_yourls}}" }
- { source: "taiga.{{primary_domain}}", target: "{{domain_taiga}}" }
- { source: "videos.{{primary_domain}}", target: "{{domain_peertube}}" }
## Docker Applications
### Enable Central MariaDB
enable_central_database: true
enable_central_database_mailu: "{{enable_central_database}}"
### Enable Storage Optimizer for Docker Volumes
enable_system_storage_optimizer: true
### Docker Role Specific Parameters
docker_restart_policy: "unless-stopped"
#### Akaunting
akaunting_version: "latest"
akaunting_company_name: "{{primary_domain}}"
akaunting_company_email: "{{administrator_email}}"
akaunting_setup_admin_email: "{{administrator_email}}"
#### Attendize
attendize_version: "latest"
#### Baserow
baserow_version: "latest"
#### Big Blue Button
bigbluebutton_enable_greenlight: "true"
#### Bluesky
bluesky_administrator_email: "{{administrator_email}}"
bluesky_pds_version: "latest"
#### Friendica
friendica_version: "latest"
#### Funkwhale
funkwhale_version: "1.4.0"
#### Gitea
gitea_version: "latest"
#### Gitlab
gitlab_version: "latest"
#### Joomla
joomla_version: "latest"
#### Keycloak
keycloak_version: "latest"
keycloak_administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak
##### Keycloak Client Configuration
oidc_client_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
oidc_client_id: "{{primary_domain}}"
oidc_client_realm: "{{primary_domain}}"
oidc_client_issuer_url: "https://{{domain_keycloak}}/realms/{{oidc_client_realm}}"
oidc_client_discovery_document: "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
oidc_client_authorize_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/auth"
oidc_client_toke_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/token"
oidc_client_user_info_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/userinfo"
oidc_client_logout_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/logout"
# oidc_client_secret: "{{oidc_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
#### LDAP
ldap_lam_version: "latest"
ldap_openldap_version: "latest"
ldap_phpldapadmin_version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
ldap_webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
ldap_administrator_username: "{{administrator_username}}"
ldap_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
ldap_administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
ldap_lam_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
#### Listmonk
listmonk_admin_username: "{{administrator_username}}"
listmonk_public_api_activated: False # Security hole. Can be used for spaming
listmonk_version: "latest"
#### MariaDB
mariadb_version: "latest"
#### Matomo
matomo_version: "latest"
#### Mastodon
mastodon_version: "latest"
mastodon_single_user_mode: false
#### Matrix
matrix_administrator_username: "{{administrator_username}}" # Accountname of the matrix admin
matrix_playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
matrix_role: "compose" # Role to setup Matrix. Valid values: ansible, compose
matrix_server_name: "{{primary_domain}}" # Adress for the account names etc.
matrix_synapse_version: "latest"
matrix_element_version: "latest"
#### Mailu
mailu_version: "2024.06"
mailu_domain: "{{primary_domain}}"
mailu_subnet: "192.168.203.0/24"
#### Moodle
moodle_site_name: "Global Learning Academy on {{primary_domain}}"
moodle_administrator_name: "{{administrator_username}}"
moodle_administrator_email: "{{administrator_email}}"
moodle_version: "latest"
#### MyBB
mybb_version: "latest"
#### Nextcloud
nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
#### OAuth2 Proxy
oauth2_configuration_file: "oauth2-proxy-keycloak.cfg"
oauth2_proxy_active: false # Needs to be set true in the roles which use it
oauth2_version: "latest"
oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
#oauth2_proxy_cookie_secret: "{{oauth2_proxy_cookie_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
#### Peertube
peertube_version: "bookworm"
#### PHPMyAdmin
phpmyadmin_version: "latest"
phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing
#### Pixelfed
pixelfed_app_name: "Pictures on {{primary_domain}}"
pixelfed_version: "latest"
#### Postgres
# Please set an version in your inventory file - Rolling release for postgres isn't recommended
postgres_database_version: "latest"
#### Taiga
taiga_version: "latest"
#### YOURLS
yourls_administrator_username: "{{administrator_username}}"
yourls_version: "latest"

35
group_vars/all/00_general.yml Normal file
View File

@ -0,0 +1,35 @@
# General
pause_duration: "120" # Database delay to wait for the central database before continue tasks
ip4_address: "127.0.0.1" # Change thie in inventory to the ip address of your server
backups_folder_path: "/Backups/" # Path to the backups folder
## Domain
primary_domain_tld: "localhost" # Top Level Domain of the server
primary_domain_sld: "cymais" # Second Level Domain of the server
primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server
# Administrator
administrator_username: "administrator" # Username of the administrator
administrator_email: "{{administrator_username}}@{{primary_domain}}" # Email of the administrator
#user_administrator_initial_password: EXAMPLE_PASSWORD_123456 # Example initialisation password needs to be set in inventory file
# Test Email
test_email: "test@{{primary_domain}}"
# Server Tact Variables
## Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
hours_server_awake: "0..23"
## Random delay for systemd timers to avoid peak loads.
randomized_delay_sec: "5min"
# Storage Space-Related Configurations
size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space
# Runtime Variables for Process Control
activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
nginx_matomo_tracking: false # Activates matomo tracking on all html pages

9
group_vars/all/01_mode.yml Normal file
View File

@ -0,0 +1,9 @@
# Mode
# The following modes can be combined with each other
mode_reset: false # Cleans up all CyMaIS files. It's necessary to run to whole playbook and not particial roles when using this function.
mode_debug: false # Prints well formated debug information
mode_test: false # Executes test routines instead of productive routines
mode_update: true # Executes updates
mode_backup: true # Activates the backup before the update procedure
mode_setup: false # Execute the setup and initializing procedures

57
group_vars/all/02_domains.yml Normal file
View File

@ -0,0 +1,57 @@
# Domains
## Service Domains
default_domains:
akaunting: "accounting.{{primary_domain}}"
attendize: "tickets.{{primary_domain}}"
baserow: "baserow.{{primary_domain}}"
bigbluebutton: "meet.{{primary_domain}}"
bluesky_api: "bluesky.{{primary_domain}}"
bluesky_web: "bskyweb.{{primary_domain}}"
discourse: "forum.{{primary_domain}}"
elk: "elk.{{primary_domain}}"
friendica: "friendica.{{primary_domain}}"
funkwhale: "music.{{primary_domain}}"
gitea: "git.{{primary_domain}}"
gitlab: "gitlab.{{primary_domain}}"
keycloak: "auth.{{primary_domain}}"
ldap: "ldap.{{primary_domain}}"
listmonk: "newsletter.{{primary_domain}}"
mailu: "{{system_email.host}}"
mastodon: "microblog.{{primary_domain}}"
mastodon_alternates: ["mastodon.{{primary_domain}}"]
matomo: "matomo.{{primary_domain}}"
matrix_synapse: "matrix.{{primary_domain}}"
matrix_element: "element.{{primary_domain}}"
moodle: "academy.{{primary_domain}}"
mediawiki: "wiki.{{primary_domain}}"
nextcloud: "cloud.{{primary_domain}}"
openproject: "project.{{primary_domain}}"
peertube: "video.{{primary_domain}}"
peertube_alternates: []
phpmyadmin: "phpmyadmin.{{primary_domain}}"
pixelfed: "picture.{{primary_domain}}"
portfolio: "{{primary_domain}}"
roulette: "roulette.{{primary_domain}}"
taiga: "kanban.{{primary_domain}}"
yourls: "s.{{primary_domain}}"
wordpress: ["wordpress.{{primary_domain}}","blog.{{primary_domain}}"]
## Domain Redirects
redirect_domain_mappings:
- { source: "akaunting.{{primary_domain}}", target: "{{domains.akaunting}}" }
- { source: "bbb.{{primary_domain}}", target: "{{domains.bigbluebutton}}" }
- { source: "discourse.{{primary_domain}}", target: "{{domains.discourse}}" }
- { source: "funkwhale.{{primary_domain}}", target: "{{domains.funkwhale}}" }
- { source: "gitea.{{primary_domain}}", target: "{{domains.gitea}}" }
- { source: "keycloak.{{primary_domain}}", target: "{{domains.keycloak}}" }
- { source: "listmonk.{{primary_domain}}", target: "{{domains.listmonk}}" }
- { source: "moodle.{{primary_domain}}", target: "{{domains.moodle}}" }
- { source: "nextcloud.{{primary_domain}}", target: "{{domains.nextcloud}}" }
- { source: "openproject.{{primary_domain}}", target: "{{domains.openproject}}" }
- { source: "peertube.{{primary_domain}}", target: "{{domains.peertube}}" }
- { source: "pictures.{{primary_domain}}", target: "{{domains.pixelfed}}" }
- { source: "pixelfed.{{primary_domain}}", target: "{{domains.pixelfed}}" }
- { source: "short.{{primary_domain}}", target: "{{domains.yourls}}" }
- { source: "taiga.{{primary_domain}}", target: "{{domains.taiga}}" }
- { source: "videos.{{primary_domain}}", target: "{{domains.peertube}}" }

11
group_vars/all/03_system_email.yml Normal file
View File

@ -0,0 +1,11 @@
# Email Configuration
default_system_email:
local: no-reply
domain: "{{primary_domain}}"
username: "{{system_email.local}}@{{system_email.domain}}"
host: "mail.{{primary_domain}}"
smtp_port: 465
tls: true
start_tls: false
from: "{{system_email.username}}"
smtp: true

38
group_vars/all/04_maintenace.yml Normal file
View File

@ -0,0 +1,38 @@
# System maintenance Services
## Timeouts to wait for other services to stop
system_maintenance_lock_timeout_cleanup_services: "15min"
system_maintenance_lock_timeout_storage_optimizer: "10min"
system_maintenance_lock_timeout_backup_services: "1h"
system_maintenance_lock_timeout_heal_docker: "30min"
system_maintenance_lock_timeout_update_docker: "2min"
system_maintenance_lock_timeout_restart_docker: "{{system_maintenance_lock_timeout_update_docker}}"
## Services
### Defined Services for Backup Tasks
system_maintenance_backup_services:
- "backup-docker-to-local"
- "backup-remote-to-local"
- "backup-data-to-usb"
- "backup-docker-to-local-everything"
### Defined Services for System Cleanup
system_maintenance_cleanup_services:
- "cleanup-backups"
- "cleanup-disc-space"
- "cleanup-failed-docker-backups"
### Services that Manipulate the System
system_maintenance_manipulation_services:
- "heal-docker"
- "update-docker"
- "system-storage-optimizer"
- "restart-docker"
## Total System Maintenance Services
system_maintenance_services: "{{ system_maintenance_backup_services + system_maintenance_cleanup_services + system_maintenance_manipulation_services }}"
### Define Variables for Docker Volume Health services
whitelisted_anonymous_docker_volumes: []

12
group_vars/all/05_nginx.yml Normal file
View File

@ -0,0 +1,12 @@
# Webserver Configuration
## Nginx-Specific Path Configurations
nginx_configuration_directory: "/etc/nginx/conf.d/" # General configuration dir
nginx_servers_directory: "{{nginx_configuration_directory}}servers/" # Contains server blogs
nginx_maps_directory: "{{nginx_configuration_directory}}maps/" # Contains mappins
nginx_streams_directory: "{{nginx_configuration_directory}}streams/" # Contains streams configuration e.g. for ldaps
nginx_well_known_root: "/usr/share/nginx/well-known/" # Path where well-known files are stored
nginx_homepage_root: "/usr/share/nginx/homepage/" # Path where the static homepage files are stored
## Nginx static repository
nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file

7
group_vars/all/06_paths.yml Normal file
View File

@ -0,0 +1,7 @@
# Path Variables for Key Directories and Scripts
path_administrator_home: "/home/administrator/"
path_administrator_scripts: "/opt/scripts/"
#path_docker_volumes: "{{path_administrator_home}}volumes/docker/"
path_docker_compose_instances: "/opt/docker/"
path_system_lock_script: "/opt/scripts/system-maintenance-lock.py"

144
group_vars/all/07_applications.yml Normal file
View File

@ -0,0 +1,144 @@
# Docker Applications
## Enable Central MariaDB
enable_central_database: true
enable_central_database_mailu: "{{enable_central_database}}"
## Enable Storage Optimizer for Docker Volumes
enable_system_storage_optimizer: true
## Docker Role Specific Parameters
docker_restart_policy: "unless-stopped"
## Akaunting
akaunting_version: "latest"
akaunting_company_name: "{{primary_domain}}"
akaunting_company_email: "{{administrator_email}}"
akaunting_setup_admin_email: "{{administrator_email}}"
## Attendize
attendize_version: "latest"
## Baserow
baserow_version: "latest"
## Big Blue Button
bigbluebutton_enable_greenlight: "true"
## Bluesky
bluesky_administrator_email: "{{administrator_email}}"
bluesky_pds_version: "latest"
## Friendica
friendica_version: "latest"
## Funkwhale
funkwhale_version: "1.4.0"
## Gitea
gitea_version: "latest"
## Gitlab
gitlab_version: "latest"
## Joomla
joomla_version: "latest"
## Keycloak
keycloak_version: "latest"
keycloak_administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak
### Keycloak Client Configuration
oidc_client_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
oidc_client_id: "{{primary_domain}}"
oidc_client_realm: "{{primary_domain}}"
oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{oidc_client_realm}}"
oidc_client_discovery_document: "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
oidc_client_authorize_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/auth"
oidc_client_toke_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/token"
oidc_client_user_info_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
oidc_client_logout_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/logout"
# oidc_client_secret: "{{oidc_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
## LDAP
ldap_lam_version: "latest"
ldap_openldap_version: "latest"
ldap_phpldapadmin_version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
ldap_webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
ldap_administrator_username: "{{administrator_username}}"
ldap_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
ldap_administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
ldap_lam_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
ldap_expose_to_internet: false # Set to true if you want to expose the LDAP port to the internet. Keep in mind to
## Listmonk
listmonk_admin_username: "{{administrator_username}}"
listmonk_public_api_activated: False # Security hole. Can be used for spaming
listmonk_version: "latest"
## MariaDB
mariadb_version: "latest"
## Matomo
matomo_version: "latest"
## Mastodon
mastodon_version: "latest"
mastodon_single_user_mode: false
## Matrix
matrix_administrator_username: "{{administrator_username}}" # Accountname of the matrix admin
matrix_playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
matrix_role: "compose" # Role to setup Matrix. Valid values: ansible, compose
matrix_server_name: "{{primary_domain}}" # Adress for the account names etc.
matrix_synapse_version: "latest"
matrix_element_version: "latest"
## Mailu
mailu_version: "2024.06"
mailu_domain: "{{primary_domain}}"
mailu_subnet: "192.168.203.0/24"
## Moodle
moodle_site_name: "Global Learning Academy on {{primary_domain}}"
moodle_administrator_name: "{{administrator_username}}"
moodle_administrator_email: "{{administrator_email}}"
moodle_version: "latest"
## MyBB
mybb_version: "latest"
## Nextcloud
nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
## OAuth2 Proxy
oauth2_configuration_file: "oauth2-proxy-keycloak.cfg"
oauth2_proxy_active: false # Needs to be set true in the roles which use it
oauth2_version: "latest"
oauth2_proxy_redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
#oauth2_proxy_cookie_secret: "{{oauth2_proxy_cookie_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
## Peertube
peertube_version: "bookworm"
## PHPMyAdmin
phpmyadmin_version: "latest"
phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing
## Pixelfed
pixelfed_app_name: "Pictures on {{primary_domain}}"
pixelfed_version: "latest"
## Postgres
# Please set an version in your inventory file - Rolling release for postgres isn't recommended
postgres_database_version: "latest"
## Taiga
taiga_version: "latest"
## YOURLS
yourls_administrator_username: "{{administrator_username}}"
yourls_version: "latest"

25
group_vars/all/08_on_calendar.yml Normal file
View File

@ -0,0 +1,25 @@
## Schedule for Health Checks
on_calendar_health_btrfs: "*-*-* 00:00:00" # Check once per day the btrfs for errors
on_calendar_health_journalctl: "*-*-* 00:00:00" # Check once per day the journalctl for errors
on_calendar_health_disc_space: "*-*-* 06,12,18,00:00:00" # Check four times per day if there is sufficient disc space
on_calendar_health_docker_container: "*-*-* {{ hours_server_awake }}:00:00" # Check once per hour if the docker containers are healthy
on_calendar_health_docker_volumes: "*-*-* {{ hours_server_awake }}:15:00" # Check once per hour if the docker volumes are healthy
on_calendar_health_nginx: "*-*-* {{ hours_server_awake }}:45:00" # Check once per hour if all webservices are available
## Schedule for Cleanup Tasks
on_calendar_cleanup_backups: "*-*-* 00,06,12,18:30:00" # Cleanup backups every 6 hours, MUST be called before disc space cleanup
on_calendar_cleanup_disc_space: "*-*-* 07,13,19,01:30:00" # Cleanup disc space every 6 hours
## Schedule for Backup Tasks
on_calendar_backup_docker_to_local: "*-*-* 03:30:00"
on_calendar_backup_remote_to_local: "*-*-* 21:30:00"
## Schedule for Maintenance Tasks
on_calendar_heal_docker: "*-*-* {{ hours_server_awake }}:30:00" # Heal unhealthy docker instances once per hour
on_calendar_renew_lets_encrypt_certificates: "*-*-* 12,00:30:00" # Renew Mailu certificates twice per day
on_calendar_deploy_certificates: "*-*-* 13,01:30:00" # Deploy letsencrypt certificates twice per day to docker containers
on_calendar_msi_keyboard_color: "*-*-* *:*:00" # Change the keyboard color every minute
on_calendar_cleanup_failed_docker: "*-*-* 12:00:00" # Clean up failed docker backups every noon
on_calendar_btrfs_auto_balancer: "Sat *-*-01..07 00:00:00" # Execute btrfs auto balancer every first Saturday of a month
on_calendar_restart_docker: "Sun *-*-* 08:00:00" # Restart docker instances every Sunday at 8:00 AM

9
playbook.constructor.yml
View File

@ -1,4 +1,13 @@
---
- name: Merge variables
hosts: all
tasks:
- name: Merge domain definitions
set_fact:
domains: "{{ default_domains | combine(domains | default({}, true)) }}"
- name: Merge system_email definitions
set_fact:
system_email: "{{ default_system_email | combine(system_email | default({}, true)) }}"
- name: update device
hosts: all

72
playbook.servers.yml
View File

@ -21,7 +21,7 @@
roles:
- role: docker-nextcloud
vars:
domain: "{{domain_nextcloud}}"
domain: "{{domains.nextcloud}}"
http_port: 8001
- name: setup gitea hosts
@ -30,7 +30,7 @@
roles:
- role: docker-gitea
vars:
domain: "{{domain_gitea}}"
domain: "{{domains.gitea}}"
http_port: 8002
ssh_port: 2201
run_mode: prod
@ -50,7 +50,7 @@
roles:
- role: docker-mediawiki
vars:
domain: "{{domain_mediawiki}}"
domain: "{{domains.mediawiki}}"
http_port: 8004
- name: setup mybb hosts
@ -68,7 +68,7 @@
roles:
- role: docker-yourls
vars:
domain: "{{domain_yourls}}"
domain: "{{domains.yourls}}"
http_port: 8006
- name: setup mailu hosts
@ -77,7 +77,7 @@
roles:
- role: docker-mailu
vars:
domain: "{{domain_mailu}}"
domain: "{{domains.mailu}}"
http_port: 8007
enable_central_database: "{{enable_central_database_mailu}}"
@ -87,7 +87,7 @@
roles:
- role: docker-elk
vars:
domain: "{{domain_elk}}"
domain: "{{domains.elk}}"
http_port: 8008
- name: setup mastodon hosts
@ -96,7 +96,7 @@
roles:
- role: docker-mastodon
vars:
domain: "{{domain_mastodon}}"
domain: "{{domains.mastodon}}"
domains: "{{ [domain] + domains_mastodon_alternates }}"
http_port: 8009
stream_port: 4001
@ -107,7 +107,7 @@
roles:
- role: docker-pixelfed
vars:
domain: "{{domain_pixelfed}}"
domain: "{{domains.pixelfed}}"
http_port: 8010
- name: setup peertube hosts
@ -116,8 +116,8 @@
roles:
- role: docker-peertube
vars:
domain: "{{domain_peertube}}"
domains: "{{ [domain] + domains_peertube }}"
domain: "{{domains.peertube}}"
domains: "{{ [domain] + peertube_alternates }}"
http_port: 8011
- name: setup bigbluebutton hosts
@ -126,7 +126,7 @@
roles:
- role: docker-bigbluebutton
vars:
domain: "{{domain_bigbluebutton}}"
domain: "{{domains.bigbluebutton}}"
- name: setup funkwhale hosts
hosts: funkwhale
@ -134,7 +134,7 @@
roles:
- role: docker-funkwhale
vars:
domain: "{{domain_funkwhale}}"
domain: "{{domains.funkwhale}}"
http_port: 8012
- name: setup roulette-wheel hosts
@ -143,7 +143,7 @@
roles:
- role: docker-roulette-wheel
vars:
domain: "{{domain_roulette}}"
domain: "{{domains.roulette}}"
http_port: 8013
- name: setup joomla hosts
@ -161,7 +161,7 @@
roles:
- role: docker-attendize
vars:
domain: "{{domain_attendize}}"
domain: "{{domains.attendize}}"
http_port: 8015
mail_interface_http_port: 8016
@ -171,7 +171,7 @@
roles:
- role: docker-baserow
vars:
domain: "{{domain_baserow}}"
domain: "{{domains.baserow}}"
http_port: 8017
- name: setup matomo hosts
@ -180,7 +180,7 @@
roles:
- role: docker-matomo
vars:
domain: "{{domain_matomo}}"
domain: "{{domains.matomo}}"
http_port: 8018
- name: setup listmonk
@ -189,7 +189,7 @@
roles:
- role: docker-listmonk
vars:
domain: "{{domain_listmonk}}"
domain: "{{domains.listmonk}}"
http_port: 8019
- name: setup discourse
@ -198,7 +198,7 @@
roles:
- role: docker-discourse
vars:
domain: "{{domain_discourse}}"
domain: "{{domains.discourse}}"
http_port: 8020
- name: setup matrix
@ -209,16 +209,16 @@
when: matrix_role == 'ansible'
vars:
domains:
- "{{domain_matrix_element}}"
- "{{domain_matrix_synapse}}"
element_domain: "{{domain_matrix_element}}"
synapse_domain: "{{domain_matrix_synapse}}"
- "{{domains.matrix_element}}"
- "{{domains.matrix_synapse}}"
element_domain: "{{domains.matrix_element}}"
synapse_domain: "{{domains.matrix_synapse}}"
http_port: 8021
- role: docker-matrix-compose
when: matrix_role == 'compose'
vars:
element_domain: "{{domain_matrix_element}}"
synapse_domain: "{{domain_matrix_synapse}}"
element_domain: "{{domains.matrix_element}}"
synapse_domain: "{{domains.matrix_synapse}}"
synapse_http_port: 8021
element_http_port: 8022
@ -228,7 +228,7 @@
roles:
- role: docker-openproject
vars:
domain: "{{domain_openproject}}"
domain: "{{domains.openproject}}"
http_port: 8023
oauth2_proxy_port: 4180
@ -238,7 +238,7 @@
roles:
- role: docker-gitlab
vars:
domain: "{{domain_gitlab}}"
domain: "{{domains.gitlab}}"
http_port: 8024
ssh_port: 2202
@ -248,7 +248,7 @@
roles:
- role: docker-akaunting
vars:
domain: "{{domain_akaunting}}"
domain: "{{domains.akaunting}}"
http_port: 8025
- name: setup moodle instance
@ -257,7 +257,7 @@
roles:
- role: docker-moodle
vars:
domain: "{{domain_moodle}}"
domain: "{{domains.moodle}}"
http_port: 8026
- name: setup taiga instance
@ -266,7 +266,7 @@
roles:
- role: docker-taiga
vars:
domain: "{{domain_taiga}}"
domain: "{{domains.taiga}}"
http_port: 8027
- name: setup friendica hosts
@ -275,7 +275,7 @@
roles:
- role: docker-friendica
vars:
domain: "{{domain_friendica}}"
domain: "{{domains.friendica}}"
http_port: 8028
- name: setup portfolio
@ -284,7 +284,7 @@
roles:
- role: docker-portfolio
vars:
domain: "{{domain_portfolio}}"
domain: "{{domains.portfolio}}"
http_port: 8029
- name: setup bluesky
@ -293,8 +293,8 @@
roles:
- role: docker-bluesky
vars:
domain_api: "{{domain_bluesky_api}}"
domain_web: "{{domain_bluesky_web}}"
domain_api: "{{domains.bluesky_api}}"
domain_web: "{{domains.bluesky_web}}"
http_port_api: 8030
http_port_web: 8031
@ -304,7 +304,7 @@
roles:
- role: docker-keycloak
vars:
domain: "{{domain_keycloak}}"
domain: "{{domains.keycloak}}"
http_port: 8032
- name: setup ldap
@ -313,7 +313,7 @@
roles:
- role: docker-ldap
vars:
domain: "{{domain_ldap}}"
domain: "{{domains.ldap}}"
http_port: 8033
oauth2_proxy_port: 4182
@ -323,7 +323,7 @@
roles:
- role: docker-phpmyadmin
vars:
domain: "{{domain_phpmyadmin}}"
domain: "{{domains.phpmyadmin}}"
http_port: 8034
oauth2_proxy_port: 4181

12
roles/docker-baserow/templates/env.j2
View File

@ -2,12 +2,12 @@
BASEROW_PUBLIC_URL=https://{{ domain }}
# Email Server Configuration
EMAIL_SMTP={{ system_email_smtp | upper }}
EMAIL_SMTP_HOST={{ system_email_host }}
EMAIL_SMTP_PORT={{ system_email_smtp_port }}
EMAIL_SMTP_USER={{system_email_username}}
EMAIL_SMTP_PASSWORD={{ system_email_password }}
EMAIL_SMTP_USE_TLS={{ system_email_tls | upper }}
EMAIL_SMTP={{ system_email.smtp | upper }}
EMAIL_SMTP_HOST={{ system_email.host }}
EMAIL_SMTP_PORT={{ system_email.smtp_port }}
EMAIL_SMTP_USER={{system_email.username}}
EMAIL_SMTP_PASSWORD={{ system_email.password }}
EMAIL_SMTP_USE_TLS={{ system_email.tls | upper }}
DATABASE_USER={{ database_username }}
DATABASE_NAME={{ database_name }}

5
roles/docker-bigbluebutton/tasks/main.yml
View File

@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include task certbot-matomo.yml"
include_tasks: certbot-matomo.yml

18
roles/docker-bigbluebutton/templates/env.j2
View File

@ -201,19 +201,19 @@ ALLOW_GREENLIGHT_ACCOUNTS=true
# Emails are required for the basic features of Greenlight to function.
# Please refer to your SMTP provider to get the values for the variables below
SMTP_SERVER={{system_email_host}}
SMTP_SERVER={{system_email.host}}
SMTP_DOMAIN={{domain}}
SMTP_PORT={{system_email_smtp_port}}
SMTP_USERNAME={{system_email_username}}
SMTP_PASSWORD={{system_email_password}}
SMTP_PORT={{system_email.smtp_port}}
SMTP_USERNAME={{system_email.username}}
SMTP_PASSWORD={{system_email.password}}
SMTP_AUTH=plain
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_STARTTLS_AUTO={{system_email_start_tls | lower}}
SMTP_STARTTLS={{system_email_start_tls | lower}}
SMTP_TLS={{system_email_tls | lower}}
SMTP_STARTTLS_AUTO={{system_email.start_tls | lower}}
SMTP_STARTTLS={{system_email.start_tls | lower}}
SMTP_TLS={{system_email.tls | lower}}
SMTP_SSL_VERIFY=true
SMTP_SENDER={{system_email_from}}
SMTP_SENDER_EMAIL={{system_email_from}}
SMTP_SENDER={{system_email.from}}
SMTP_SENDER_EMAIL={{system_email.from}}
# Prefix for the applications root URL.
# Useful for deploying the application to a subdirectory, which is highly recommended

5
roles/docker-bluesky/tasks/main.yml
View File

@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "Include tasks for API domain"
include_tasks: nginx-docker-proxy-domain.yml

6
roles/docker-bluesky/templates/docker-compose.yml.j2
View File

@ -7,7 +7,7 @@ services:
- {{pdsadmin_file_path}}:/usr/local/bin/pdsadmin:ro
environment:
# Geben Sie hier Ihre Domain und Konfigurationsdetails an
PDS_HOSTNAME: "{{domain_api}}"
PDS_HOSTNAME: "{{domains.api}}"
PDS_ADMIN_EMAIL: "{{bluesky_administrator_email}}"
PDS_SERVICE_DID: "did:web:{{domain_api}}"
# See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/
@ -16,8 +16,8 @@ services:
PDS_ADMIN_PASSWORD: "{{bluesky_pds_admin_password}}"
PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: "{{bluesky_pds_plc_rotation_key_k256_private_key_hex}}"
PDS_CRAWLERS: https://bsky.network
PDS_EMAIL_SMTP_URL: smtps://{{system_email_username}}:{{system_email_password}}@{{system_email_host}}:{{system_email_smtp_port}}/
PDS_EMAIL_FROM_ADDRESS: {{system_email_from}}
PDS_EMAIL_SMTP_URL: smtps://{{system_email.username}}:{{system_email.password}}@{{system_email.host}}:{{system_email.smtp_port}}/
PDS_EMAIL_FROM_ADDRESS: {{system_email.from}}
LOG_ENABLED: true
PDS_BLOBSTORE_DISK_LOCATION: /opt/pds/blocks
# -- DEFAULT VALUES ---

0
vars/docker-common.yml.j2 → roles/docker-compose/defaults/main.yml
View File

14
tasks/docker/compose/common.yml → roles/docker-compose/tasks/main.yml
View File

@ -1,6 +1,3 @@
- name: include docker vars
include_vars: vars/docker-common.yml.j2
- name: load docker compose dependencies
include_role:
name: docker-compose
@ -15,4 +12,13 @@
file:
path: "{{docker_compose_instance_directory}}"
state: directory
mode: 0755
mode: 0755
- name: flush docker service
meta: flush_handlers
when: run_once_docker_compose is not defined
- name: run the docker tasks once
set_fact:
run_once_docker_compose: true
when: run_once_docker_compose is not defined

14
roles/docker-discourse/templates/discourse_application.yml.j2
View File

@ -52,13 +52,13 @@ env:
# SMTP ADDRESS, username, and password are required
# WARNING the char '#' in SMTP password can cause problems!
DISCOURSE_SMTP_ADDRESS: {{ system_email_host }}
DISCOURSE_SMTP_PORT: {{ system_email_smtp_port }}
DISCOURSE_SMTP_USER_NAME: {{system_email_username}}
DISCOURSE_SMTP_PASSWORD: {{ system_email_password }}
DISCOURSE_SMTP_ENABLE_START_TLS: {{ system_email_start_tls | upper }}
DISCOURSE_SMTP_DOMAIN: {{ system_email_domain }}
DISCOURSE_NOTIFICATION_EMAIL: {{system_email_from}}
DISCOURSE_SMTP_ADDRESS: {{ system_email.host }}
DISCOURSE_SMTP_PORT: {{ system_email.smtp_port }}
DISCOURSE_SMTP_USER_NAME: {{system_email.username}}
DISCOURSE_SMTP_PASSWORD: {{ system_email.password }}
DISCOURSE_SMTP_ENABLE_START_TLS: {{ system_email.start_tls | upper }}
DISCOURSE_SMTP_DOMAIN: {{ system_email.domain }}
DISCOURSE_NOTIFICATION_EMAIL: {{system_email.from}}
# Database Configuration
DISCOURSE_DB_USERNAME: {{ database_username }}

16
roles/docker-friendica/templates/docker-compose.yml.j2
View File

@ -43,14 +43,14 @@ services:
MYSQL_PASSWORD: {{database_password}}
# Email Configuration
SMTP: {{system_email_host}}
SMTP_DOMAIN: {{system_email_domain}}
SMTP_PORT: {{system_email_smtp_port}}
SMTP_AUTH_USER: {{system_email_username}}
SMTP_AUTH_PASS: {{system_email_password}}
SMTP_TLS: {{ 'on' if system_email_tls else 'off' }}
SMTP_STARTTLS: {{ 'on' if system_email_start_tls else 'off' }}
SMTP_FROM: {{system_email_local}}
SMTP: {{system_email.host}}
SMTP_DOMAIN: {{system_email.domain}}
SMTP_PORT: {{system_email.smtp_port}}
SMTP_AUTH_USER: {{system_email.username}}
SMTP_AUTH_PASS: {{system_email.password}}
SMTP_TLS: {{ 'on' if system_email.tls else 'off' }}
SMTP_STARTTLS: {{ 'on' if system_email.start_tls else 'off' }}
SMTP_FROM: {{system_email.local}}
# Administrator Credentials
FRIENDICA_ADMIN_MAIL: {{administrator_email}}

4
roles/docker-funkwhale/templates/env.j2
View File

@ -53,14 +53,14 @@ LOGLEVEL=error
# (returns `noreply%40youremail.host`)
# EMAIL_CONFIG=smtp://user:password@youremail.host:25
# EMAIL_CONFIG=smtp+ssl://user:password@youremail.host:465
EMAIL_CONFIG=smtp+tls://{{system_email_local}}:{{system_email_password}}@{{system_email_host}}:{{system_email_smtp_port}}
EMAIL_CONFIG=smtp+tls://{{system_email.local}}:{{system_email.password}}@{{system_email.host}}:{{system_email.smtp_port}}
# Make e-mail verification mandatory before using the service
# Doesn't apply to admins.
# ACCOUNT_EMAIL_VERIFICATION_ENFORCE=false
# The e-mail address to use to send system e-mails.
DEFAULT_FROM_EMAIL={{system_email_from}}
DEFAULT_FROM_EMAIL={{system_email.from}}
# Depending on the reverse proxy used in front of your funkwhale instance,
# the API will use different kind of headers to serve audio files

14
roles/docker-ldap/tasks/main.yml
View File

@ -1,15 +1,23 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include tasks nginx-docker-proxy-domain.yml"
include_tasks: nginx-docker-proxy-domain.yml
- name: create {{domain}}.conf
- name: Create {{domain}}.conf if LDAP is exposed to internet
template:
src: "nginx.stream.conf.j2"
dest: "{{nginx_streams_directory}}{{domain}}.conf"
notify: restart nginx
when: ldap_expose_to_internet | bool
- name: Remove {{domain}}.conf if LDAP is not exposed to internet
file:
path: "{{ nginx_streams_directory }}{{ domain }}.conf"
state: absent
when: not ldap_expose_to_internet | bool
- name: "create {{docker_compose_instance_directory}}"
file:

1
roles/docker-ldap/templates/docker-compose.yml.j2
View File

@ -79,6 +79,7 @@ services:
retries: 3
start_period: 20s
{% include 'templates/docker/container/networks.yml.j2' %}
central_ldap:
{% include 'templates/docker/compose/volumes.yml.j2' %}
data:

10
roles/docker-mastodon/templates/.env.production.j2
View File

@ -16,14 +16,14 @@ REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
SMTP_SERVER={{system_email_host}}
SMTP_PORT={{system_email_smtp_port}}
SMTP_LOGIN={{system_email_username}}
SMTP_PASSWORD={{system_email_password}}
SMTP_SERVER={{system_email.host}}
SMTP_PORT={{system_email.smtp_port}}
SMTP_LOGIN={{system_email.username}}
SMTP_PASSWORD={{system_email.password}}
SMTP_AUTH_METHOD=plain
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_ENABLE_STARTTLS=auto
SMTP_FROM_ADDRESS=Mastodon <{{system_email_from}}>
SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{mastodon_active_record_encryption_deterministic_key}}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{mastodon_active_record_encryption_key_derivation_salt}}

4
roles/docker-matrix-compose/templates/element.config.json.j2
View File

@ -1,8 +1,8 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://{{domain_matrix_synapse}}",
"server_name": "{{domain_matrix_synapse}}"
"base_url": "https://{{domains.matrix_synapse}}",
"server_name": "{{domains.matrix_synapse}}"
},
"m.identity_server": {
"base_url": "https://{{primary_domain}}"

18
roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2
View File

@ -17,13 +17,13 @@ database:
host: "{{database_host}}"
cp_min: 5
cp_max: 10
log_config: "/data/{{domain_matrix_synapse}}.log.config"
log_config: "/data/{{domains.matrix_synapse}}.log.config"
media_store_path: "/data/media_store"
registration_shared_secret: "{{matrix_registration_shared_secret}}"
report_stats: true
macaroon_secret_key: "{{matrix_macaroon_secret_key}}"
form_secret: "{{matrix_form_secret}}"
signing_key_path: "/data/{{domain_matrix_synapse}}.signing.key"
signing_key_path: "/data/{{domains.matrix_synapse}}.signing.key"
web_client_location: "https://{{element_domain}}"
public_baseurl: "https://{{synapse_domain}}"
trusted_key_servers:
@ -31,18 +31,18 @@ trusted_key_servers:
admin_contact: 'mailto:{{administrator_email}}'
email:
smtp_host: "{{system_email_host}}"
smtp_port: "{{system_email_smtp_port}}"
smtp_user: "{{system_email_from}}"
smtp_pass: "{{system_email_password}}"
smtp_host: "{{system_email.host}}"
smtp_port: "{{system_email.smtp_port}}"
smtp_user: "{{system_email.from}}"
smtp_pass: "{{system_email.password}}"
#force_tls: true
#require_transport_security: true
enable_tls: "{{ system_email_tls | upper }}"
notif_from: "Your Friendly %(app)s homeserver <{{system_email_from}}>"
enable_tls: "{{ system_email.tls | upper }}"
notif_from: "Your Friendly %(app)s homeserver <{{system_email.from}}>"
app_name: "Matrix on {{synapse_domain}}"
enable_notifs: true
notif_for_new_users: false
client_base_url: "{{domain_matrix_synapse}}"
client_base_url: "{{domains.matrix_synapse}}"
validation_token_lifetime: 15m
app_service_config_files:

4
roles/docker-nextcloud/tasks/main.yml
View File

@ -11,10 +11,10 @@
dest: "{{nginx_servers_directory}}{{domain}}.conf"
notify: restart nginx
- name: configure nginx.conf
- name: create nginx.conf
template:
src: "templates/nginx.conf.j2"
dest: "{{path_docker_volumes}}nextcloud/nginx.conf"
dest: "{{docker_compose_instance_directory}}nginx.conf"
notify: docker compose project setup
- name: add docker-compose.yml

2
roles/docker-nextcloud/tasks/oidc_tasks.yml
View File

@ -20,7 +20,7 @@
command: >
docker-compose exec -u www-data application /var/www/html/occ
config:app:set sociallogin custom_providers
--value='{"custom_oidc":[{"name":"{{domain_keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
--value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
# This configuration defines custom OpenID Connect (OIDC) providers for authentication.
# In this case, it sets up a Keycloak provider with details like URLs for authorization,
# token retrieval, user info, and logout, as well as the client ID and secret.

14
roles/docker-nextcloud/templates/docker-compose.yml.j2
View File

@ -25,15 +25,15 @@ services:
PHP_MEMORY_LIMIT: 1G # Required for plugin duplicate finder
# Email Configuration
SMTP_HOST: {{system_email_host}}
SMTP_SECURE: {{ 'ssl' if system_email_tls else '' }}
SMTP_PORT: {{system_email_smtp_port}}
SMTP_NAME: {{system_email_username}}
SMTP_PASSWORD: {{system_email_password}}
SMTP_HOST: {{system_email.host}}
SMTP_SECURE: {{ 'ssl' if system_email.tls else '' }}
SMTP_PORT: {{system_email.smtp_port}}
SMTP_NAME: {{system_email.username}}
SMTP_PASSWORD: {{system_email.password}}
# Email from configuration
MAIL_FROM_ADDRESS: no-reply
MAIL_DOMAIN: {{system_email_domain}}
MAIL_DOMAIN: {{system_email.domain}}
{% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
{% include 'templates/docker/container/networks.yml.j2' %}
@ -47,7 +47,7 @@ services:
ports:
- "127.0.0.1:{{http_port}}:80"
volumes:
- "{{path_docker_volumes}}nextcloud/nginx.conf:/etc/nginx/nginx.conf:ro"
- "{{docker_compose_instance_directory}}/nginx.conf:/etc/nginx/nginx.conf:ro"
volumes_from:
- application
healthcheck:

2
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@ -3,7 +3,7 @@ cookie_secret = "{{oauth2_proxy_cookie_secret}}"
email_domains = "{{primary_domain}}"
cookie_secure = "false"
upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
cookie_domains = ["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
# keycloak provider

2
roles/docker-openproject/templates/docker-compose.yml.j2
View File

@ -114,7 +114,7 @@ services:
container_name: openproject-seeder
restart: on-failure
{% include 'templates/docker/container/networks.yml.j2' %}
central_ldap:
{% include 'templates/docker/compose/networks.yml.j2' %}
{% include 'templates/docker/compose/volumes.yml.j2' %}

16
roles/docker-peertube/templates/env.j2
View File

@ -14,11 +14,11 @@ PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback"]
PEERTUBE_SECRET={{peertube_secret}}
# E-mail configuration
PEERTUBE_SMTP_USERNAME={{system_email_username}}
PEERTUBE_SMTP_PASSWORD={{system_email_password}}
PEERTUBE_SMTP_HOSTNAME={{system_email_host}}
PEERTUBE_SMTP_PORT={{system_email_smtp_port}}
PEERTUBE_SMTP_FROM={{system_email_from}}
PEERTUBE_SMTP_TLS={{ system_email_tls | lower }}
PEERTUBE_SMTP_DISABLE_STARTTLS={{ 'false' if system_email_start_tls else 'true' }}
PEERTUBE_ADMIN_EMAIL={{system_email_from}}
PEERTUBE_SMTP_USERNAME={{system_email.username}}
PEERTUBE_SMTP_PASSWORD={{system_email.password}}
PEERTUBE_SMTP_HOSTNAME={{system_email.host}}
PEERTUBE_SMTP_PORT={{system_email.smtp_port}}
PEERTUBE_SMTP_FROM={{system_email.from}}
PEERTUBE_SMTP_TLS={{ system_email.tls | lower }}
PEERTUBE_SMTP_DISABLE_STARTTLS={{ 'false' if system_email.start_tls else 'true' }}
PEERTUBE_ADMIN_EMAIL={{system_email.from}}

5
roles/docker-phpmyadmin/tasks/main.yml
View File

@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include tasks nginx-docker-proxy-domain.yml"
include_tasks: nginx-docker-proxy-domain.yml

12
roles/docker-pixelfed/templates/env.j2
View File

@ -46,15 +46,15 @@ RESTRICTED_INSTANCE=false
## Mail
MAIL_DRIVER=log
MAIL_HOST={{system_email_host}}
MAIL_PORT={{system_email_smtp_port}}
MAIL_FROM_ADDRESS="{{system_email_from}}"
MAIL_HOST={{system_email.host}}
MAIL_PORT={{system_email.smtp_port}}
MAIL_FROM_ADDRESS="{{system_email.from}}"
MAIL_FROM_NAME="Pixelfed"
MAIL_USERNAME={{system_email_username}}
MAIL_PASSWORD={{system_email_password}}
MAIL_USERNAME={{system_email.username}}
MAIL_PASSWORD={{system_email.password}}
# Not sure if the following is correct
# Checkout: https://github.com/pixelfed/pixelfed/blob/dev/.env.docker
MAIL_ENCRYPTION={{ 'ssl' if system_email_start_tls else 'tls' }}
MAIL_ENCRYPTION={{ 'ssl' if system_email.start_tls else 'tls' }}
## Databases (MySQL)
DB_CONNECTION=mysql

5
roles/docker-portfolio/tasks/main.yml
View File

@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include tasks nginx-docker-proxy-domain.yml"
include_tasks: nginx-docker-proxy-domain.yml

5
roles/docker-roulette-wheel/tasks/main.yml
View File

@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: pull app repository
git:

14
roles/docker-taiga/templates/.env.j2
View File

@ -13,14 +13,14 @@ POSTGRES_PASSWORD={{database_password}} # database user's password
# Taiga's SMTP settings - Variables to send Taiga's emails to the users
EMAIL_BACKEND = console # use an SMTP server or display the emails in the console (either "smtp" or "console")
EMAIL_HOST = {{system_email_host}} # SMTP server address
EMAIL_PORT = {{system_email_smtp_port}} # default SMTP port
EMAIL_HOST_USER = {{system_email_username}} # user to connect the SMTP server
EMAIL_HOST_PASSWORD = {{system_email_password}} # SMTP user's password
EMAIL_DEFAULT_FROM = {{system_email_from}} # default email address for the automated emails
EMAIL_HOST = {{system_email.host}} # SMTP server address
EMAIL_PORT = {{system_email.smtp_port}} # default SMTP port
EMAIL_HOST_USER = {{system_email.username}} # user to connect the SMTP server
EMAIL_HOST_PASSWORD = {{system_email.password}} # SMTP user's password
EMAIL_DEFAULT_FROM = {{system_email.from}} # default email address for the automated emails
# EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
EMAIL_USE_TLS={{ system_email_tls | lower | capitalize }} # use TLS (secure) connection with the SMTP server
EMAIL_USE_SSL={{ 'False' if system_email_start_tls else 'True' }} # use implicit TLS (secure) connection with the SMTP server
EMAIL_USE_TLS={{ system_email.tls | lower | capitalize }} # use TLS (secure) connection with the SMTP server
EMAIL_USE_SSL={{ 'False' if system_email.start_tls else 'True' }} # use implicit TLS (secure) connection with the SMTP server
# Taiga's RabbitMQ settings - Variables to leave messages for the realtime and asynchronous events
RABBITMQ_USER=taiga # user to connect to RabbitMQ

9
roles/docker/tasks/main.yml
View File

@ -16,15 +16,6 @@
group: administrator
when: run_once_docker is not defined
- name: "create {{path_docker_volumes}}"
file:
path: "{{path_docker_volumes}}"
state: directory
mode: 0700
owner: administrator
group: administrator
when: run_once_docker is not defined
- name: flush docker service
meta: flush_handlers
when: run_once_docker is not defined

8
roles/health-nginx/templates/health-nginx.py.j2
View File

@ -25,17 +25,17 @@ for filename in os.listdir(config_path):
# Default: Expect status code 200 or 302 for a domain
expected_statuses = [200,302]
redirected_domains = [domain['source'] for domain in {{redirect_domain_mappings}}]
redirected_domains.append("{{domain_mailu}}")
redirected_domains = [domain['source'] for domain in {{redirect_domains_mappings}}]
redirected_domains.append("{{domains.mailu}}")
# Determine expected status codes based on the domain
if domain == '{{domain_listmonk}}':
if domain == '{{domains.listmonk}}':
expected_statuses = [404]
{% if nginx_matomo_tracking | bool %}
elif parts[0] == 'www' or domain in redirected_domains:
expected_statuses = [301]
{% endif %}
elif domain == '{{domain_yourls}}':
elif domain == '{{domains.yourls}}':
expected_statuses = [403]
try:

14
roles/systemd-notifier-email/templates/msmtprc.conf.j2
View File

@ -2,8 +2,8 @@
defaults
auth on
logfile ~/.msmtp.log
tls_starttls {{ 'on' if system_email_start_tls else 'off' }}
{% if system_email_tls %}
tls_starttls {{ 'on' if system_email.start_tls else 'off' }}
{% if system_email.tls %}
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
{% else %}
@ -11,10 +11,10 @@ tls off
{% endif %}
account system_email
host {{system_email_host}}
port {{system_email_smtp_port}}
from {{system_email_from}}
user {{system_email_username}}
password {{system_email_password}}
host {{system_email.host}}
port {{system_email.smtp_port}}
from {{system_email.from}}
user {{system_email.username}}
password {{system_email.password}}
account default : system_email

2
roles/systemd-notifier-email/templates/systemd-notifier-email.sh.j2
View File

@ -2,7 +2,7 @@
/usr/bin/sendmail -t <<ERRMAIL
To: {{administrator_email}}
From: systemd <{{system_email_from}}>
From: systemd <{{system_email.from}}>
Subject: $1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

5
tasks/docker/compose/database.yml
View File

@ -1,8 +1,9 @@
- name: include docker vars/docker-database.yml.j2
include_vars: vars/docker-database.yml.j2
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: create central database
include_role: