

9 Commits

57 changed files with 727 additions and 635 deletions


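--- a/path-not-shown-on-page
+++ /dev/null
@@ -1,343 +0,0 @@
-# General
-pause_duration: "120" # Database delay to wait for the central database before continue tasks
-ip4_address: "127.0.0.1" # Change thie in inventory to the ip address of your server
-backups_folder_path: "/Backups/" # Path to the backups folder
-## Domain
-primary_domain_tld: "localhost" # Top Level Domain of the server
-primary_domain_sld: "cymais" # Second Level Domain of the server
-primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server
-# Administrator
-administrator_username: "administrator" # Username of the administrator
-administrator_email: "{{administrator_username}}@{{primary_domain}}" # Email of the administrator
-#user_administrator_initial_password: EXAMPLE_PASSWORD_123456 # Example initialisation password needs to be set in inventory file
-# Email Configuration
-system_email_local: no-reply
-system_email_domain: "{{primary_domain}}"
-system_email_username: "{{system_email_local}}@{{system_email_domain}}"
-system_email_host: "mail.{{primary_domain}}"
-system_email_smtp_port: 465
-system_email_tls: true
-system_email_start_tls: false
-system_email_from: "{{system_email_username}}"
-system_email_smtp: true
-# Test Email
-test_email: "test@{{primary_domain}}"
-# Mode
-# The following modes can be combined with each other
-mode_reset: false # Cleans up all CyMaIS files. It's necessary to run to whole playbook and not particial roles when using this function.
-mode_debug: false # Prints well formated debug information
-mode_test: false # Executes test routines instead of productive routines
-mode_update: true # Executes updates
-mode_backup: true # Activates the backup before the update procedure
-mode_setup: false # Execute the setup and initializing procedures
-# Server Tact Variables
-## Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
-hours_server_awake: "0..23"
-## Random delay for systemd timers to avoid peak loads.
-randomized_delay_sec: "5min"
-## Schedule for Health Checks
-on_calendar_health_btrfs: "*-*-* 00:00:00" # Check once per day the btrfs for errors
-on_calendar_health_journalctl: "*-*-* 00:00:00" # Check once per day the journalctl for errors
-on_calendar_health_disc_space: "*-*-* 06,12,18,00:00:00" # Check four times per day if there is sufficient disc space
-on_calendar_health_docker_container: "*-*-* {{ hours_server_awake }}:00:00" # Check once per hour if the docker containers are healthy
-on_calendar_health_docker_volumes: "*-*-* {{ hours_server_awake }}:15:00" # Check once per hour if the docker volumes are healthy
-on_calendar_health_nginx: "*-*-* {{ hours_server_awake }}:45:00" # Check once per hour if all webservices are available
-## Schedule for Cleanup Tasks
-on_calendar_cleanup_backups: "*-*-* 00,06,12,18:30:00" # Cleanup backups every 6 hours, MUST be called before disc space cleanup
-on_calendar_cleanup_disc_space: "*-*-* 07,13,19,01:30:00" # Cleanup disc space every 6 hours
-## Schedule for Backup Tasks
-on_calendar_backup_docker_to_local: "*-*-* 03:30:00"
-on_calendar_backup_remote_to_local: "*-*-* 21:30:00"
-## Schedule for Maintenance Tasks
-on_calendar_heal_docker: "*-*-* {{ hours_server_awake }}:30:00" # Heal unhealthy docker instances once per hour
-on_calendar_renew_lets_encrypt_certificates: "*-*-* 12,00:30:00" # Renew Mailu certificates twice per day
-on_calendar_deploy_certificates: "*-*-* 13,01:30:00" # Deploy letsencrypt certificates twice per day to docker containers
-on_calendar_msi_keyboard_color: "*-*-* *:*:00" # Change the keyboard color every minute
-on_calendar_cleanup_failed_docker: "*-*-* 12:00:00" # Clean up failed docker backups every noon
-on_calendar_btrfs_auto_balancer: "Sat *-*-01..07 00:00:00" # Execute btrfs auto balancer every first Saturday of a month
-on_calendar_restart_docker: "Sun *-*-* 08:00:00" # Restart docker instances every Sunday at 8:00 AM
-# Storage Space-Related Configurations
-size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
-size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
-size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space
-# Path Variables for Key Directories and Scripts
-path_administrator_home: "/home/administrator/"
-path_administrator_scripts: "{{path_administrator_home}}scripts/"
-path_docker_volumes: "{{path_administrator_home}}volumes/docker/"
-path_docker_compose_instances: "{{path_administrator_home}}docker-compose/"
-path_system_lock_script: "{{path_administrator_scripts}}system-maintenance-lock.py"
-# Runtime Variables for Process Control
-activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
-nginx_matomo_tracking: false # Activates matomo tracking on all html pages
-# System maintenance Services
-## Timeouts to wait for other services to stop
-system_maintenance_lock_timeout_cleanup_services: "15min"
-system_maintenance_lock_timeout_storage_optimizer: "10min"
-system_maintenance_lock_timeout_backup_services: "1h"
-system_maintenance_lock_timeout_heal_docker: "30min"
-system_maintenance_lock_timeout_update_docker: "2min"
-system_maintenance_lock_timeout_restart_docker: "{{system_maintenance_lock_timeout_update_docker}}"
-## Services
-### Defined Services for Backup Tasks
-system_maintenance_backup_services:
-- "backup-docker-to-local"
-- "backup-remote-to-local"
-- "backup-data-to-usb"
-- "backup-docker-to-local-everything"
-### Defined Services for System Cleanup
-system_maintenance_cleanup_services:
-- "cleanup-backups"
-- "cleanup-disc-space"
-- "cleanup-failed-docker-backups"
-### Services that Manipulate the System
-system_maintenance_manipulation_services:
-- "heal-docker"
-- "update-docker"
-- "system-storage-optimizer"
-- "restart-docker"
-## Total System Maintenance Services
-system_maintenance_services: "{{ system_maintenance_backup_services + system_maintenance_cleanup_services + system_maintenance_manipulation_services }}"
-### Define Variables for Docker Volume Health services
-whitelisted_anonymous_docker_volumes: []
-# Webserver Configuration
-## Nginx-Specific Path Configurations
-nginx_configuration_directory: "/etc/nginx/conf.d/" # General configuration dir
-nginx_servers_directory: "{{nginx_configuration_directory}}servers/" # Contains server blogs
-nginx_maps_directory: "{{nginx_configuration_directory}}maps/" # Contains mappins
-nginx_streams_directory: "{{nginx_configuration_directory}}streams/" # Contains streams configuration e.g. for ldaps
-nginx_well_known_root: "/usr/share/nginx/well-known/" # Path where well-known files are stored
-nginx_homepage_root: "/usr/share/nginx/homepage/" # Path where the static homepage files are stored
-## Nginx static repository
-nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file
-## Domains
-### Service Domains
-domain_akaunting: "accounting.{{primary_domain}}"
-domain_attendize: "tickets.{{primary_domain}}"
-domain_baserow: "baserow.{{primary_domain}}"
-domain_bigbluebutton: "meet.{{primary_domain}}"
-domain_bluesky_api: "bluesky.{{primary_domain}}"
-domain_bluesky_web: "bskyweb.{{primary_domain}}"
-domain_discourse: "forum.{{primary_domain}}"
-domain_elk: "elk.{{primary_domain}}"
-domain_friendica: "friendica.{{primary_domain}}"
-domain_funkwhale: "music.{{primary_domain}}"
-domain_gitea: "git.{{primary_domain}}"
-domain_gitlab: "gitlab.{{primary_domain}}"
-domain_keycloak: "auth.{{primary_domain}}"
-domain_ldap: "ldap.{{primary_domain}}"
-domain_listmonk: "newsletter.{{primary_domain}}"
-domain_mailu: "{{system_email_host}}"
-domain_mastodon: "microblog.{{primary_domain}}"
-domains_mastodon_alternates: ["mastodon.{{primary_domain}}"]
-domain_matomo: "matomo.{{primary_domain}}"
-domain_matrix_synapse: "matrix.{{primary_domain}}"
-domain_matrix_element: "element.{{primary_domain}}"
-domain_moodle: "academy.{{primary_domain}}"
-domain_mediawiki: "wiki.{{primary_domain}}"
-domain_nextcloud: "cloud.{{primary_domain}}"
-domain_openproject: "project.{{primary_domain}}"
-domain_peertube: "video.{{primary_domain}}"
-domains_peertube: []
-domain_phpmyadmin: "phpmyadmin.{{primary_domain}}"
-domain_pixelfed: "picture.{{primary_domain}}"
-domain_portfolio: "{{primary_domain}}"
-domain_roulette: "roulette.{{primary_domain}}"
-domain_taiga: "kanban.{{primary_domain}}"
-domain_yourls: "s.{{primary_domain}}"
-domains_wordpress: ["wordpress.{{primary_domain}}","blog.{{primary_domain}}"]
-### Domain Redirects
-redirect_domain_mappings:
-- { source: "akaunting.{{primary_domain}}", target: "{{domain_akaunting}}" }
-- { source: "bbb.{{primary_domain}}", target: "{{domain_bigbluebutton}}" }
-- { source: "discourse.{{primary_domain}}", target: "{{domain_discourse}}" }
-- { source: "funkwhale.{{primary_domain}}", target: "{{domain_funkwhale}}" }
-- { source: "gitea.{{primary_domain}}", target: "{{domain_gitea}}" }
-- { source: "keycloak.{{primary_domain}}", target: "{{domain_keycloak}}" }
-- { source: "listmonk.{{primary_domain}}", target: "{{domain_listmonk}}" }
-- { source: "moodle.{{primary_domain}}", target: "{{domain_moodle}}" }
-- { source: "nextcloud.{{primary_domain}}", target: "{{domain_nextcloud}}" }
-- { source: "openproject.{{primary_domain}}", target: "{{domain_openproject}}" }
-- { source: "peertube.{{primary_domain}}", target: "{{domain_peertube}}" }
-- { source: "pictures.{{primary_domain}}", target: "{{domain_pixelfed}}" }
-- { source: "pixelfed.{{primary_domain}}", target: "{{domain_pixelfed}}" }
-- { source: "short.{{primary_domain}}", target: "{{domain_yourls}}" }
-- { source: "taiga.{{primary_domain}}", target: "{{domain_taiga}}" }
-- { source: "videos.{{primary_domain}}", target: "{{domain_peertube}}" }
-## Docker Applications
-### Enable Central MariaDB
-enable_central_database: true
-enable_central_database_mailu: "{{enable_central_database}}"
-### Enable Storage Optimizer for Docker Volumes
-enable_system_storage_optimizer: true
-### Docker Role Specific Parameters
-docker_restart_policy: "unless-stopped"
-#### Akaunting
-akaunting_version: "latest"
-akaunting_company_name: "{{primary_domain}}"
-akaunting_company_email: "{{administrator_email}}"
-akaunting_setup_admin_email: "{{administrator_email}}"
-#### Attendize
-attendize_version: "latest"
-#### Baserow
-baserow_version: "latest"
-#### Big Blue Button
-bigbluebutton_enable_greenlight: "true"
-#### Bluesky
-bluesky_administrator_email: "{{administrator_email}}"
-bluesky_pds_version: "latest"
-#### Friendica
-friendica_version: "latest"
-#### Funkwhale
-funkwhale_version: "1.4.0"
-#### Gitea
-gitea_version: "latest"
-#### Gitlab
-gitlab_version: "latest"
-#### Joomla
-joomla_version: "latest"
-#### Keycloak
-keycloak_version: "latest"
-keycloak_administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak
-##### Keycloak Client Configuration
-oidc_client_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
-oidc_client_id: "{{primary_domain}}"
-oidc_client_realm: "{{primary_domain}}"
-oidc_client_issuer_url: "https://{{domain_keycloak}}/realms/{{oidc_client_realm}}"
-oidc_client_discovery_document: "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
-oidc_client_authorize_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/auth"
-oidc_client_toke_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/token"
-oidc_client_user_info_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/userinfo"
-oidc_client_logout_url: "https://auth.veen.world/realms/veen.world/protocol/openid-connect/logout"
-# oidc_client_secret: "{{oidc_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
-#### LDAP
-ldap_lam_version: "latest"
-ldap_openldap_version: "latest"
-ldap_phpldapadmin_version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
-ldap_webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
-ldap_administrator_username: "{{administrator_username}}"
-ldap_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
-ldap_administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
-ldap_lam_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
-#### Listmonk
-listmonk_admin_username: "{{administrator_username}}"
-listmonk_public_api_activated: False # Security hole. Can be used for spaming
-listmonk_version: "latest"
-#### MariaDB
-mariadb_version: "latest"
-#### Matomo
-matomo_version: "latest"
-#### Mastodon
-mastodon_version: "latest"
-mastodon_single_user_mode: false
-#### Matrix
-matrix_administrator_username: "{{administrator_username}}" # Accountname of the matrix admin
-matrix_playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
-matrix_role: "compose" # Role to setup Matrix. Valid values: ansible, compose
-matrix_server_name: "{{primary_domain}}" # Adress for the account names etc.
-matrix_synapse_version: "latest"
-matrix_element_version: "latest"
-#### Mailu
-mailu_version: "2024.06"
-mailu_domain: "{{primary_domain}}"
-mailu_subnet: "192.168.203.0/24"
-#### Moodle
-moodle_site_name: "Global Learning Academy on {{primary_domain}}"
-moodle_administrator_name: "{{administrator_username}}"
-moodle_administrator_email: "{{administrator_email}}"
-moodle_version: "latest"
-#### MyBB
-mybb_version: "latest"
-#### Nextcloud
-nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
-#### OAuth2 Proxy
-oauth2_configuration_file: "oauth2-proxy-keycloak.cfg"
-oauth2_proxy_active: false # Needs to be set true in the roles which use it
-oauth2_version: "latest"
-oauth2_proxy_redirect_url: "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
-oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars.
-oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
-#oauth2_proxy_cookie_secret: "{{oauth2_proxy_cookie_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
-#### Peertube
-peertube_version: "bookworm"
-#### PHPMyAdmin
-phpmyadmin_version: "latest"
-phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing
-#### Pixelfed
-pixelfed_app_name: "Pictures on {{primary_domain}}"
-pixelfed_version: "latest"
-#### Postgres
-# Please set an version in your inventory file - Rolling release for postgres isn't recommended
-postgres_database_version: "latest"
-#### Taiga
-taiga_version: "latest"
-#### YOURLS
-yourls_administrator_username: "{{administrator_username}}"
-yourls_version: "latest"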


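--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,44 @@
+# General
+pause_duration: "120" # Database delay to wait for the central database before continue tasks
+ip4_address: "127.0.0.1" # Change thie in inventory to the ip address of your server
+backups_folder_path: "/Backups/" # Path to the backups folder
+## Domain
+primary_domain_tld: "localhost" # Top Level Domain of the server
+primary_domain_sld: "cymais" # Second Level Domain of the server
+primary_domain: "{{primary_domain_sld}}.{{primary_domain_tld}}" # Primary Domain of the server
+# Administrator
+administrator_username: "administrator" # Username of the administrator
+administrator_email: "{{administrator_username}}@{{primary_domain}}" # Email of the administrator
+#user_administrator_initial_password: EXAMPLE_PASSWORD_123456 # Example initialisation password needs to be set in inventory file
+# Test Email
+test_email: "test@{{primary_domain}}"
+# Server Tact Variables
+## Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
+hours_server_awake: "0..23"
+## Random delay for systemd timers to avoid peak loads.
+randomized_delay_sec: "5min"
+# Storage Space-Related Configurations
+size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
+size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
+size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space
+# Runtime Variables for Process Control
+activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
+nginx_matomo_tracking: false # Activates matomo tracking on all html pages
+# One Wildcard Certificate for All Subdomains
+# Enables a single Let's Encrypt wildcard certificate for all subdomains instead of individual certificates.
+# Default: false (recommended for automatic setup).
+# Setting this to true requires additional manual configuration.
+# Using a wildcard certificate can improve performance by reducing TLS handshakes.
+# To enable, update your inventory file.
+# For detailed setup instructions, visit:
+# https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/nginx-docker-cert-deploy
+enable_one_letsencrypt_cert_for_all: false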
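Review bot: The comment block for `enable_one_letsencrypt_cert_for_all` explains the performance gain of a single wildcard certificate but not the trade-off a reader needs before enabling it. If that one wildcard key is what gets deployed into the service containers (the `on_calendar_deploy_certificates` comment elsewhere in this compare says certificates are pushed to Docker containers twice a day), then a private key valid for every subdomain sits in every container, and a compromise of any single service exposes it for all of them. Suggest adding, before the `Default:` line, `# Trade-off: the single private key is shared by every service that receives it, so a compromise of one container exposes the certificate for all subdomains.` Whether the key is copied into the containers or only mounted into nginx is not visible here, so confirm the wording against the cert-deploy role.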


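--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,10 @@
+# Mode
+# The following modes can be combined with each other
+mode_reset: false # Cleans up all CyMaIS files. It's necessary to run to whole playbook and not particial roles when using this function.
+mode_debug: false # Prints well formated debug information
+mode_test: false # Executes test routines instead of productive routines
+mode_update: true # Executes updates
+mode_backup: true # Activates the backup before the update procedure
+mode_setup: false # Execute the setup and initializing procedures
+mode_cleanup: false # Cleanup unused files and configurations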
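Review bot: The comment on the new `mode_cleanup` (`Cleanup unused files and configurations`) reads almost the same as the one on `mode_reset` (`Cleans up all CyMaIS files`), so a reader of this file cannot tell which of the two is destructive and which is safe to leave enabled. The comment should say what `mode_cleanup` leaves untouched, for example `mode_cleanup: false # Removes only unused files and configurations; data and running instances are kept (see mode_reset for a full wipe)`. The actual scope of the two modes is implemented in the roles, not visible here, so confirm the wording against them before committing it.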


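--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,11 @@
+# Email Configuration
+default_system_email:
+local: no-reply
+domain: "{{primary_domain}}"
+username: "no-reply@{{primary_domain}}"
+host: "mail.{{primary_domain}}"
+smtp_port: 465
+tls: true
+start_tls: false
+from: "no-reply@{{primary_domain}}"
+smtp: true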
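Review bot: `username` and `from` hard-code `no-reply@{{primary_domain}}` instead of being built from the `local` and `domain` keys beside them, so an inventory that overrides only `system_email.local` or `system_email.domain` through the `combine` merge still sends mail as `no-reply@<primary_domain>`. The removed flat variables derived `system_email_username` from `system_email_local` and `system_email_domain`, so this is a silent behaviour change relative to the old defaults. A key cannot reference its siblings inside the same mapping without recursing through the merged `system_email` fact, so the least surprising fix is to document the coupling on both lines: `username: "no-reply@{{primary_domain}}" # override together with local/domain` and the same on `from`.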


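--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,57 @@
+# Domains
+## Service Domains
+default_domains:
+akaunting: "accounting.{{primary_domain}}"
+attendize: "tickets.{{primary_domain}}"
+baserow: "baserow.{{primary_domain}}"
+bigbluebutton: "meet.{{primary_domain}}"
+bluesky_api: "bluesky.{{primary_domain}}"
+bluesky_web: "bskyweb.{{primary_domain}}"
+discourse: "forum.{{primary_domain}}"
+elk: "elk.{{primary_domain}}"
+friendica: "friendica.{{primary_domain}}"
+funkwhale: "music.{{primary_domain}}"
+gitea: "git.{{primary_domain}}"
+gitlab: "gitlab.{{primary_domain}}"
+keycloak: "auth.{{primary_domain}}"
+ldap: "ldap.{{primary_domain}}"
+listmonk: "newsletter.{{primary_domain}}"
+mailu: "{{system_email.host}}"
+mastodon: "microblog.{{primary_domain}}"
+mastodon_alternates: ["mastodon.{{primary_domain}}"]
+matomo: "matomo.{{primary_domain}}"
+matrix_synapse: "matrix.{{primary_domain}}"
+matrix_element: "element.{{primary_domain}}"
+moodle: "academy.{{primary_domain}}"
+mediawiki: "wiki.{{primary_domain}}"
+nextcloud: "cloud.{{primary_domain}}"
+openproject: "project.{{primary_domain}}"
+peertube: "video.{{primary_domain}}"
+peertube_alternates: []
+phpmyadmin: "phpmyadmin.{{primary_domain}}"
+pixelfed: "picture.{{primary_domain}}"
+portfolio: "{{primary_domain}}"
+roulette: "roulette.{{primary_domain}}"
+taiga: "kanban.{{primary_domain}}"
+yourls: "s.{{primary_domain}}"
+wordpress: ["wordpress.{{primary_domain}}","blog.{{primary_domain}}"]
+## Domain Redirects
+redirect_domain_mappings:
+- { source: "akaunting.{{primary_domain}}", target: "{{domains.akaunting}}" }
+- { source: "bbb.{{primary_domain}}", target: "{{domains.bigbluebutton}}" }
+- { source: "discourse.{{primary_domain}}", target: "{{domains.discourse}}" }
+- { source: "funkwhale.{{primary_domain}}", target: "{{domains.funkwhale}}" }
+- { source: "gitea.{{primary_domain}}", target: "{{domains.gitea}}" }
+- { source: "keycloak.{{primary_domain}}", target: "{{domains.keycloak}}" }
+- { source: "listmonk.{{primary_domain}}", target: "{{domains.listmonk}}" }
+- { source: "moodle.{{primary_domain}}", target: "{{domains.moodle}}" }
+- { source: "nextcloud.{{primary_domain}}", target: "{{domains.nextcloud}}" }
+- { source: "openproject.{{primary_domain}}", target: "{{domains.openproject}}" }
+- { source: "peertube.{{primary_domain}}", target: "{{domains.peertube}}" }
+- { source: "pictures.{{primary_domain}}", target: "{{domains.pixelfed}}" }
+- { source: "pixelfed.{{primary_domain}}", target: "{{domains.pixelfed}}" }
+- { source: "short.{{primary_domain}}", target: "{{domains.yourls}}" }
+- { source: "taiga.{{primary_domain}}", target: "{{domains.taiga}}" }
+- { source: "videos.{{primary_domain}}", target: "{{domains.peertube}}" }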
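Review bot: `default_domains` mixes scalar entries with list-valued ones (`mastodon_alternates`, `peertube_alternates`, `wordpress`), and the `combine` merge that produces `domains` is shallow, so an inventory override of `domains.wordpress` replaces the whole list instead of extending it; nothing in the file says so. Suggest a comment above `default_domains:` such as `# Override single keys via a domains: mapping in the inventory; list values (wordpress, *_alternates) are replaced as a whole, not merged`. Separately, the playbook in this compare reads `domains.mybb`, which has no default here, so a mybb host without an inventory entry fails on an undefined variable; the old flat `domains_mybb` had no default either, so if that is intended, a `# mybb: inventory-only` line would spare the next reader the search.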


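--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,38 @@
+# System maintenance Services
+## Timeouts to wait for other services to stop
+system_maintenance_lock_timeout_cleanup_services: "15min"
+system_maintenance_lock_timeout_storage_optimizer: "10min"
+system_maintenance_lock_timeout_backup_services: "1h"
+system_maintenance_lock_timeout_heal_docker: "30min"
+system_maintenance_lock_timeout_update_docker: "2min"
+system_maintenance_lock_timeout_restart_docker: "{{system_maintenance_lock_timeout_update_docker}}"
+## Services
+### Defined Services for Backup Tasks
+system_maintenance_backup_services:
+- "backup-docker-to-local"
+- "backup-remote-to-local"
+- "backup-data-to-usb"
+- "backup-docker-to-local-everything"
+### Defined Services for System Cleanup
+system_maintenance_cleanup_services:
+- "cleanup-backups"
+- "cleanup-disc-space"
+- "cleanup-failed-docker-backups"
+### Services that Manipulate the System
+system_maintenance_manipulation_services:
+- "heal-docker"
+- "update-docker"
+- "system-storage-optimizer"
+- "restart-docker"
+## Total System Maintenance Services
+system_maintenance_services: "{{ system_maintenance_backup_services + system_maintenance_cleanup_services + system_maintenance_manipulation_services }}"
+### Define Variables for Docker Volume Health services
+whitelisted_anonymous_docker_volumes: []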


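--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,12 @@
+# Webserver Configuration
+## Nginx-Specific Path Configurations
+nginx_configuration_directory: "/etc/nginx/conf.d/" # General configuration dir
+nginx_servers_directory: "{{nginx_configuration_directory}}servers/" # Contains server blogs
+nginx_maps_directory: "{{nginx_configuration_directory}}maps/" # Contains mappins
+nginx_streams_directory: "{{nginx_configuration_directory}}streams/" # Contains streams configuration e.g. for ldaps
+nginx_well_known_root: "/usr/share/nginx/well-known/" # Path where well-known files are stored
+nginx_homepage_root: "/usr/share/nginx/homepage/" # Path where the static homepage files are stored
+## Nginx static repository
+nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file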
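Review bot: `nginx_static_repository_address: NULL` parses as a YAML null, which is presumably the intended "not configured" default, but the comment says the value "should contain the url", so a reader cannot tell whether an empty value is an error or the normal case. Write the canonical lowercase form and say what null means: `nginx_static_repository_address: null # Optional: URL of a git repository that contains the static homepage (with an index.html); null skips the static homepage`. Whether the consuming role checks for null or for an empty string is not visible in this compare, so confirm before relying on the wording.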


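--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,6 @@
+# Path Variables for Key Directories and Scripts
+path_administrator_home: "/home/administrator/"
+path_administrator_scripts: "/opt/scripts/"
+path_docker_compose_instances: "/opt/docker/"
+path_system_lock_script: "/opt/scripts/system-maintenance-lock.py"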
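Review bot: `path_system_lock_script` repeats the literal `/opt/scripts/` instead of deriving from `path_administrator_scripts`, so an inventory that relocates the scripts directory leaves the lock-script path pointing at the old location; the removed definition used the derived form and it should be kept: `path_system_lock_script: "{{path_administrator_scripts}}system-maintenance-lock.py"`. The old `path_docker_volumes` variable is dropped in this split; any role or template that still references it will fail at render time, which cannot be checked from this compare, so a grep for it before merging is worthwhile.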


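--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,144 @@
+# Docker Applications
+## Enable Central MariaDB
+enable_central_database: true
+enable_central_database_mailu: "{{enable_central_database}}"
+## Enable Storage Optimizer for Docker Volumes
+enable_system_storage_optimizer: true
+## Docker Role Specific Parameters
+docker_restart_policy: "unless-stopped"
+## Akaunting
+akaunting_version: "latest"
+akaunting_company_name: "{{primary_domain}}"
+akaunting_company_email: "{{administrator_email}}"
+akaunting_setup_admin_email: "{{administrator_email}}"
+## Attendize
+attendize_version: "latest"
+## Baserow
+baserow_version: "latest"
+## Big Blue Button
+bigbluebutton_enable_greenlight: "true"
+## Bluesky
+bluesky_administrator_email: "{{administrator_email}}"
+bluesky_pds_version: "latest"
+## Friendica
+friendica_version: "latest"
+## Funkwhale
+funkwhale_version: "1.4.0"
+## Gitea
+gitea_version: "latest"
+## Gitlab
+gitlab_version: "latest"
+## Joomla
+joomla_version: "latest"
+## Keycloak
+keycloak_version: "latest"
+keycloak_administrator_username: "{{administrator_username}}" # Administrator Username for Keycloak
+### Keycloak Client Configuration
+oidc_client_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
+oidc_client_id: "{{primary_domain}}"
+oidc_client_realm: "{{primary_domain}}"
+oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{oidc_client_realm}}"
+oidc_client_discovery_document: "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
+oidc_client_authorize_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/auth"
+oidc_client_toke_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/token"
+oidc_client_user_info_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
+oidc_client_logout_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/logout"
+# oidc_client_secret: "{{oidc_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
+## LDAP
+ldap_lam_version: "latest"
+ldap_openldap_version: "latest"
+ldap_phpldapadmin_version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
+ldap_webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
+ldap_administrator_username: "{{administrator_username}}"
+ldap_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
+ldap_administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
+ldap_lam_administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
+ldap_expose_to_internet: false # Set to true if you want to expose the LDAP port to the internet. Keep in mind to
+## Listmonk
+listmonk_admin_username: "{{administrator_username}}"
+listmonk_public_api_activated: False # Security hole. Can be used for spaming
+listmonk_version: "latest"
+## MariaDB
+mariadb_version: "latest"
+## Matomo
+matomo_version: "latest"
+## Mastodon
+mastodon_version: "latest"
+mastodon_single_user_mode: false
+## Matrix
+matrix_administrator_username: "{{administrator_username}}" # Accountname of the matrix admin
+matrix_playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
+matrix_role: "compose" # Role to setup Matrix. Valid values: ansible, compose
+matrix_server_name: "{{primary_domain}}" # Adress for the account names etc.
+matrix_synapse_version: "latest"
+matrix_element_version: "latest"
+## Mailu
+mailu_version: "2024.06"
+mailu_domain: "{{primary_domain}}"
+mailu_subnet: "192.168.203.0/24"
+## Moodle
+moodle_site_name: "Global Learning Academy on {{primary_domain}}"
+moodle_administrator_name: "{{administrator_username}}"
+moodle_administrator_email: "{{administrator_email}}"
+moodle_version: "latest"
+## MyBB
+mybb_version: "latest"
+## Nextcloud
+nextcloud_version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+## OAuth2 Proxy
+oauth2_configuration_file: "oauth2-proxy-keycloak.cfg"
+oauth2_proxy_active: false # Needs to be set true in the roles which use it
+oauth2_version: "latest"
+oauth2_proxy_redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+# oauth2_proxy_port: >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
+#oauth2_proxy_cookie_secret: "{{oauth2_proxy_cookie_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
+## Peertube
+peertube_version: "bookworm"
+## PHPMyAdmin
+phpmyadmin_version: "latest"
+phpmyadmin_autologin: false # This is a high security risk. Just activate this option if you know what you're doing
+## Pixelfed
+pixelfed_app_name: "Pictures on {{primary_domain}}"
+pixelfed_version: "latest"
+## Postgres
+# Please set an version in your inventory file - Rolling release for postgres isn't recommended
+postgres_database_version: "latest"
+## Taiga
+taiga_version: "latest"
+## YOURLS
+yourls_administrator_username: "{{administrator_username}}"
+yourls_version: "latest"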
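Review bot: The comment on the new `ldap_expose_to_internet` key stops mid-sentence (`Keep in mind to`), so the one thing a reader needs before flipping it — what is at stake — is missing. Suggest `ldap_expose_to_internet: false # Set to true only if the LDAP port must be reachable from the internet; the directory and the administrator credentials defined above then become reachable from outside, so keep it false unless required`. Two smaller points in the same hunk: `oauth2_proxy_redirect_url` still uses the `/auth/realms/` path while `oidc_client_issuer_url` now builds on `/realms/`, so one of the two is probably wrong for the Keycloak version actually deployed, and the three `ldap_*_password` defaults all reuse `user_administrator_initial_password`, which the comments flag but which leaves the LDAP admin, database and LAM secrets identical until every one of them is overridden in the inventory.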


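--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,25 @@
+## Schedule for Health Checks
+on_calendar_health_btrfs: "*-*-* 00:00:00" # Check once per day the btrfs for errors
+on_calendar_health_journalctl: "*-*-* 00:00:00" # Check once per day the journalctl for errors
+on_calendar_health_disc_space: "*-*-* 06,12,18,00:00:00" # Check four times per day if there is sufficient disc space
+on_calendar_health_docker_container: "*-*-* {{ hours_server_awake }}:00:00" # Check once per hour if the docker containers are healthy
+on_calendar_health_docker_volumes: "*-*-* {{ hours_server_awake }}:15:00" # Check once per hour if the docker volumes are healthy
+on_calendar_health_nginx: "*-*-* {{ hours_server_awake }}:45:00" # Check once per hour if all webservices are available
+## Schedule for Cleanup Tasks
+on_calendar_cleanup_backups: "*-*-* 00,06,12,18:30:00" # Cleanup backups every 6 hours, MUST be called before disc space cleanup
+on_calendar_cleanup_disc_space: "*-*-* 07,13,19,01:30:00" # Cleanup disc space every 6 hours
+## Schedule for Backup Tasks
+on_calendar_backup_docker_to_local: "*-*-* 03:30:00"
+on_calendar_backup_remote_to_local: "*-*-* 21:30:00"
+## Schedule for Maintenance Tasks
+on_calendar_heal_docker: "*-*-* {{ hours_server_awake }}:30:00" # Heal unhealthy docker instances once per hour
+on_calendar_renew_lets_encrypt_certificates: "*-*-* 12,00:30:00" # Renew Mailu certificates twice per day
+on_calendar_deploy_certificates: "*-*-* 13,01:30:00" # Deploy letsencrypt certificates twice per day to docker containers
+on_calendar_msi_keyboard_color: "*-*-* *:*:00" # Change the keyboard color every minute
+on_calendar_cleanup_failed_docker: "*-*-* 12:00:00" # Clean up failed docker backups every noon
+on_calendar_btrfs_auto_balancer: "Sat *-*-01..07 00:00:00" # Execute btrfs auto balancer every first Saturday of a month
+on_calendar_restart_docker: "Sun *-*-* 08:00:00" # Restart docker instances every Sunday at 8:00 AM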


@ -1,4 +1,13 @@
---
- name: Merge variables
hosts: all
tasks:
- name: Merge system_email definitions
set_fact:
system_email: "{{ default_system_email | combine(system_email | default({}, true)) }}"
- name: Merge domain definitions
set_fact:
domains: "{{ default_domains | combine(domains | default({}, true)) }}"
- name: update device
hosts: all
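Review bot: The new `Merge variables` play runs full fact gathering on every host just to evaluate two `combine` filters, because `gather_facts` defaults to true and the play does not disable it; add `gather_facts: false` under its `hosts: all` so the merge stays a cheap step. The two `combine` calls are shallow (the filter's `recursive` option defaults to false), which suits these flat mappings but should be stated since inventories override keys through them, e.g. a task-level comment `# shallow merge: an inventory key replaces the default value as a whole`. The hunk header announces 13 new lines while only 12 are rendered here, so one line of this play is not visible in the compare.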


@ -21,7 +21,7 @@
roles:
- role: docker-nextcloud
vars:
domain: "{{domain_nextcloud}}"
domain: "{{domains.nextcloud}}"
http_port: 8001
- name: setup gitea hosts
@ -30,7 +30,7 @@
roles:
- role: docker-gitea
vars:
domain: "{{domain_gitea}}"
domain: "{{domains.gitea}}"
http_port: 8002
ssh_port: 2201
run_mode: prod
@ -41,7 +41,7 @@
roles:
- role: docker-wordpress
vars:
domains: "{{domains_wordpress}}"
wordpress_domains: "{{domains.wordpress}}"
http_port: 8003
- name: setup mediawiki hosts
@ -50,7 +50,7 @@
roles:
- role: docker-mediawiki
vars:
domain: "{{domain_mediawiki}}"
domain: "{{domains.mediawiki}}"
http_port: 8004
- name: setup mybb hosts
@ -59,7 +59,7 @@
roles:
- role: docker-mybb
vars:
domains: "{{domains_mybb}}"
mybb_domains: "{{domains.mybb}}"
http_port: 8005
- name: setup yourls hosts
@ -68,7 +68,7 @@
roles:
- role: docker-yourls
vars:
domain: "{{domain_yourls}}"
domain: "{{domains.yourls}}"
http_port: 8006
- name: setup mailu hosts
@ -77,7 +77,7 @@
roles:
- role: docker-mailu
vars:
domain: "{{domain_mailu}}"
domain: "{{domains.mailu}}"
http_port: 8007
enable_central_database: "{{enable_central_database_mailu}}"
@ -87,7 +87,7 @@
roles:
- role: docker-elk
vars:
domain: "{{domain_elk}}"
domain: "{{domains.elk}}"
http_port: 8008
- name: setup mastodon hosts
@ -96,10 +96,10 @@
roles:
- role: docker-mastodon
vars:
domain: "{{domain_mastodon}}"
domains: "{{ [domain] + domains_mastodon_alternates }}"
http_port: 8009
stream_port: 4001
domain: "{{domains.mastodon}}"
mastodon_domains: "{{ [domain] + domains.mastodon_alternates }}"
http_port: 8009
stream_port: 4001
- name: setup pixelfed hosts
hosts: pixelfed
@ -107,7 +107,7 @@
roles:
- role: docker-pixelfed
vars:
domain: "{{domain_pixelfed}}"
domain: "{{domains.pixelfed}}"
http_port: 8010
- name: setup peertube hosts
@ -116,9 +116,9 @@
roles:
- role: docker-peertube
vars:
domain: "{{domain_peertube}}"
domains: "{{ [domain] + domains_peertube }}"
http_port: 8011
domain: "{{domains.peertube}}"
peertube_domains: "{{ [domain] + domains.peertube_alternates }}"
http_port: 8011
- name: setup bigbluebutton hosts
hosts: bigbluebutton
@ -126,7 +126,7 @@
roles:
- role: docker-bigbluebutton
vars:
domain: "{{domain_bigbluebutton}}"
domain: "{{domains.bigbluebutton}}"
- name: setup funkwhale hosts
hosts: funkwhale
@ -134,7 +134,7 @@
roles:
- role: docker-funkwhale
vars:
domain: "{{domain_funkwhale}}"
domain: "{{domains.funkwhale}}"
http_port: 8012
- name: setup roulette-wheel hosts
@ -143,7 +143,7 @@
roles:
- role: docker-roulette-wheel
vars:
domain: "{{domain_roulette}}"
domain: "{{domains.roulette}}"
http_port: 8013
- name: setup joomla hosts
@ -161,7 +161,7 @@
roles:
- role: docker-attendize
vars:
domain: "{{domain_attendize}}"
domain: "{{domains.attendize}}"
http_port: 8015
mail_interface_http_port: 8016
@ -171,7 +171,7 @@
roles:
- role: docker-baserow
vars:
domain: "{{domain_baserow}}"
domain: "{{domains.baserow}}"
http_port: 8017
- name: setup matomo hosts
@ -180,7 +180,7 @@
roles:
- role: docker-matomo
vars:
domain: "{{domain_matomo}}"
domain: "{{domains.matomo}}"
http_port: 8018
- name: setup listmonk
@ -189,7 +189,7 @@
roles:
- role: docker-listmonk
vars:
domain: "{{domain_listmonk}}"
domain: "{{domains.listmonk}}"
http_port: 8019
- name: setup discourse
@ -198,7 +198,7 @@
roles:
- role: docker-discourse
vars:
domain: "{{domain_discourse}}"
domain: "{{domains.discourse}}"
http_port: 8020
- name: setup matrix
@ -209,16 +209,16 @@
when: matrix_role == 'ansible'
vars:
domains:
- "{{domain_matrix_element}}"
- "{{domain_matrix_synapse}}"
element_domain: "{{domain_matrix_element}}"
synapse_domain: "{{domain_matrix_synapse}}"
- "{{domains.matrix_element}}"
- "{{domains.matrix_synapse}}"
element_domain: "{{domains.matrix_element}}"
synapse_domain: "{{domains.matrix_synapse}}"
http_port: 8021
- role: docker-matrix-compose
when: matrix_role == 'compose'
vars:
element_domain: "{{domain_matrix_element}}"
synapse_domain: "{{domain_matrix_synapse}}"
element_domain: "{{domains.matrix_element}}"
synapse_domain: "{{domains.matrix_synapse}}"
synapse_http_port: 8021
element_http_port: 8022
@ -228,7 +228,7 @@
roles:
- role: docker-openproject
vars:
domain: "{{domain_openproject}}"
domain: "{{domains.openproject}}"
http_port: 8023
oauth2_proxy_port: 4180
@ -238,7 +238,7 @@
roles:
- role: docker-gitlab
vars:
domain: "{{domain_gitlab}}"
domain: "{{domains.gitlab}}"
http_port: 8024
ssh_port: 2202
@ -248,7 +248,7 @@
roles:
- role: docker-akaunting
vars:
domain: "{{domain_akaunting}}"
domain: "{{domains.akaunting}}"
http_port: 8025
- name: setup moodle instance
@ -257,7 +257,7 @@
roles:
- role: docker-moodle
vars:
domain: "{{domain_moodle}}"
domain: "{{domains.moodle}}"
http_port: 8026
- name: setup taiga instance
@ -266,7 +266,7 @@
roles:
- role: docker-taiga
vars:
domain: "{{domain_taiga}}"
domain: "{{domains.taiga}}"
http_port: 8027
- name: setup friendica hosts
@ -275,7 +275,7 @@
roles:
- role: docker-friendica
vars:
domain: "{{domain_friendica}}"
domain: "{{domains.friendica}}"
http_port: 8028
- name: setup portfolio
@ -284,7 +284,7 @@
roles:
- role: docker-portfolio
vars:
domain: "{{domain_portfolio}}"
domain: "{{domains.portfolio}}"
http_port: 8029
- name: setup bluesky
@ -293,8 +293,8 @@
roles:
- role: docker-bluesky
vars:
domain_api: "{{domain_bluesky_api}}"
domain_web: "{{domain_bluesky_web}}"
domain_api: "{{domains.bluesky_api}}"
domain_web: "{{domains.bluesky_web}}"
http_port_api: 8030
http_port_web: 8031
@ -304,7 +304,7 @@
roles:
- role: docker-keycloak
vars:
domain: "{{domain_keycloak}}"
domain: "{{domains.keycloak}}"
http_port: 8032
- name: setup ldap
@ -313,7 +313,7 @@
roles:
- role: docker-ldap
vars:
domain: "{{domain_ldap}}"
domain: "{{domains.ldap}}"
http_port: 8033
oauth2_proxy_port: 4182
@ -323,7 +323,7 @@
roles:
- role: docker-phpmyadmin
vars:
domain: "{{domain_phpmyadmin}}"
domain: "{{domains.phpmyadmin}}"
http_port: 8034
oauth2_proxy_port: 4181
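Review bot: The `docker-matrix-ansible` role vars still declare a list named `domains:` whose items are `"{{domains.matrix_element}}"` and `"{{domains.matrix_synapse}}"`, so inside that role `domains` shadows the global mapping set by the merge play and the list references itself; Ansible will most likely report a recursive template loop there, and at best the role no longer sees the `domains` dict at all. Every other multi-domain role in this hunk was renamed to avoid exactly this (`mastodon_domains`, `peertube_domains`, `mybb_domains`, `wordpress_domains`), so renaming the matrix list to `matrix_domains:` and updating its consumer inside the role keeps the convention. The `when: matrix_role == 'ansible'` role entry begins before this hunk's first visible line.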


@ -2,12 +2,12 @@
BASEROW_PUBLIC_URL=https://{{ domain }}
# Email Server Configuration
EMAIL_SMTP={{ system_email_smtp | upper }}
EMAIL_SMTP_HOST={{ system_email_host }}
EMAIL_SMTP_PORT={{ system_email_smtp_port }}
EMAIL_SMTP_USER={{system_email_username}}
EMAIL_SMTP_PASSWORD={{ system_email_password }}
EMAIL_SMTP_USE_TLS={{ system_email_tls | upper }}
EMAIL_SMTP={{ system_email.smtp | upper }}
EMAIL_SMTP_HOST={{ system_email.host }}
EMAIL_SMTP_PORT={{ system_email.smtp_port }}
EMAIL_SMTP_USER={{system_email.username}}
EMAIL_SMTP_PASSWORD={{ system_email.password }}
EMAIL_SMTP_USE_TLS={{ system_email.tls | upper }}
DATABASE_USER={{ database_username }}
DATABASE_NAME={{ database_name }}


@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include task certbot-matomo.yml"
include_tasks: certbot-matomo.yml


@ -201,19 +201,19 @@ ALLOW_GREENLIGHT_ACCOUNTS=true
# Emails are required for the basic features of Greenlight to function.
# Please refer to your SMTP provider to get the values for the variables below
SMTP_SERVER={{system_email_host}}
SMTP_SERVER={{system_email.host}}
SMTP_DOMAIN={{domain}}
SMTP_PORT={{system_email_smtp_port}}
SMTP_USERNAME={{system_email_username}}
SMTP_PASSWORD={{system_email_password}}
SMTP_PORT={{system_email.smtp_port}}
SMTP_USERNAME={{system_email.username}}
SMTP_PASSWORD={{system_email.password}}
SMTP_AUTH=plain
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_STARTTLS_AUTO={{system_email_start_tls | lower}}
SMTP_STARTTLS={{system_email_start_tls | lower}}
SMTP_TLS={{system_email_tls | lower}}
SMTP_STARTTLS_AUTO={{system_email.start_tls | lower}}
SMTP_STARTTLS={{system_email.start_tls | lower}}
SMTP_TLS={{system_email.tls | lower}}
SMTP_SSL_VERIFY=true
SMTP_SENDER={{system_email_from}}
SMTP_SENDER_EMAIL={{system_email_from}}
SMTP_SENDER={{system_email.from}}
SMTP_SENDER_EMAIL={{system_email.from}}
# Prefix for the applications root URL.
# Useful for deploying the application to a subdirectory, which is highly recommended
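Review bot: `SMTP_OPENSSL_VERIFY_MODE=none` on the line after `SMTP_AUTH=plain` disables certificate verification for the SMTP session that the rewritten `SMTP_TLS`/`SMTP_STARTTLS` lines switch on, so an on-path attacker can present any certificate and read `SMTP_PASSWORD`; the `SMTP_SSL_VERIFY=true` a few lines below contradicts it, and whichever of the two the running Greenlight version honours, they should agree. Unless the mail server is known to present a self-signed certificate, change it to `SMTP_OPENSSL_VERIFY_MODE=peer` and keep a self-signed exception, if ever needed, as an explicit inventory override rather than the default.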


@ -1,11 +1,6 @@
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name {{domain}};
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
location / {
proxy_http_version 1.1;


@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "Include tasks for API domain"
include_tasks: nginx-docker-proxy-domain.yml


@ -7,7 +7,7 @@ services:
- {{pdsadmin_file_path}}:/usr/local/bin/pdsadmin:ro
environment:
# Geben Sie hier Ihre Domain und Konfigurationsdetails an
PDS_HOSTNAME: "{{domain_api}}"
PDS_HOSTNAME: "{{domains.api}}"
PDS_ADMIN_EMAIL: "{{bluesky_administrator_email}}"
PDS_SERVICE_DID: "did:web:{{domain_api}}"
# See https://mattdyson.org/blog/2024/11/self-hosting-bluesky-pds/
@ -16,8 +16,8 @@ services:
PDS_ADMIN_PASSWORD: "{{bluesky_pds_admin_password}}"
PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: "{{bluesky_pds_plc_rotation_key_k256_private_key_hex}}"
PDS_CRAWLERS: https://bsky.network
PDS_EMAIL_SMTP_URL: smtps://{{system_email_username}}:{{system_email_password}}@{{system_email_host}}:{{system_email_smtp_port}}/
PDS_EMAIL_FROM_ADDRESS: {{system_email_from}}
PDS_EMAIL_SMTP_URL: smtps://{{system_email.username}}:{{system_email.password}}@{{system_email.host}}:{{system_email.smtp_port}}/
PDS_EMAIL_FROM_ADDRESS: {{system_email.from}}
LOG_ENABLED: true
PDS_BLOBSTORE_DISK_LOCATION: /opt/pds/blocks
# -- DEFAULT VALUES ---
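Review bot: `PDS_HOSTNAME: "{{domains.api}}"` looks like an over-broad rename: the playbook hands this role `domain_api` (built from `domains.bluesky_api`), there is no `api` key in the global `domains` mapping, and `PDS_SERVICE_DID` two lines below still uses `{{domain_api}}`, so the template either fails on an undefined attribute or, should a stray `api` key exist, advertises a hostname that does not match the DID. Restore `PDS_HOSTNAME: "{{domain_api}}"` so both values derive from the same variable. Separately, `PDS_EMAIL_SMTP_URL` embeds the raw password in a URL, where a `@`, `:` or `/` breaks parsing; `{{ system_email.password | urlencode }}` is the safe form.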


@ -0,0 +1,24 @@
- name: "Set global docker_compose_instance_directory: {{ path_docker_compose_instances }}{{ docker_compose_project_name }}/"
set_fact:
docker_compose_instance_directory: "{{ path_docker_compose_instances }}{{ docker_compose_project_name }}/"
- name: "remove {{ docker_compose_instance_directory }} and all its contents"
file:
path: "{{ docker_compose_instance_directory }}"
state: absent
when: mode_reset | bool
- name: "create {{docker_compose_instance_directory}}"
file:
path: "{{docker_compose_instance_directory}}"
state: directory
mode: 0755
- name: flush docker service
meta: flush_handlers
when: run_once_docker_compose is not defined
- name: run the docker tasks once
set_fact:
run_once_docker_compose: true
when: run_once_docker_compose is not defined
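Review bot: The instance directory is created with `mode: 0755` and no owner, yet this commit places Mailu's `cert_mount_directory` and Nextcloud's `nginx.conf` underneath it and presumably the rendered `.env`/compose files carrying SMTP and database passwords as well, so every local account can traverse it and only per-file modes stand between them and the secrets. The `path_docker_volumes` task this file replaces used `mode: 0700` with `owner`/`group: administrator`; carrying that over as `mode: "0750"`, `owner: administrator`, `group: administrator` keeps the previous posture, and quoting the mode also avoids the YAML octal ambiguity ansible-lint flags. It is also worth a comment that `mode_reset` removes the whole tree, certificates included, since Mailu's certs live inside it.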


@ -52,13 +52,13 @@ env:
# SMTP ADDRESS, username, and password are required
# WARNING the char '#' in SMTP password can cause problems!
DISCOURSE_SMTP_ADDRESS: {{ system_email_host }}
DISCOURSE_SMTP_PORT: {{ system_email_smtp_port }}
DISCOURSE_SMTP_USER_NAME: {{system_email_username}}
DISCOURSE_SMTP_PASSWORD: {{ system_email_password }}
DISCOURSE_SMTP_ENABLE_START_TLS: {{ system_email_start_tls | upper }}
DISCOURSE_SMTP_DOMAIN: {{ system_email_domain }}
DISCOURSE_NOTIFICATION_EMAIL: {{system_email_from}}
DISCOURSE_SMTP_ADDRESS: {{ system_email.host }}
DISCOURSE_SMTP_PORT: {{ system_email.smtp_port }}
DISCOURSE_SMTP_USER_NAME: {{system_email.username}}
DISCOURSE_SMTP_PASSWORD: {{ system_email.password }}
DISCOURSE_SMTP_ENABLE_START_TLS: {{ system_email.start_tls | upper }}
DISCOURSE_SMTP_DOMAIN: {{ system_email.domain }}
DISCOURSE_NOTIFICATION_EMAIL: {{system_email.from}}
# Database Configuration
DISCOURSE_DB_USERNAME: {{ database_username }}


@ -43,14 +43,14 @@ services:
MYSQL_PASSWORD: {{database_password}}
# Email Configuration
SMTP: {{system_email_host}}
SMTP_DOMAIN: {{system_email_domain}}
SMTP_PORT: {{system_email_smtp_port}}
SMTP_AUTH_USER: {{system_email_username}}
SMTP_AUTH_PASS: {{system_email_password}}
SMTP_TLS: {{ 'on' if system_email_tls else 'off' }}
SMTP_STARTTLS: {{ 'on' if system_email_start_tls else 'off' }}
SMTP_FROM: {{system_email_local}}
SMTP: {{system_email.host}}
SMTP_DOMAIN: {{system_email.domain}}
SMTP_PORT: {{system_email.smtp_port}}
SMTP_AUTH_USER: {{system_email.username}}
SMTP_AUTH_PASS: {{system_email.password}}
SMTP_TLS: {{ 'on' if system_email.tls else 'off' }}
SMTP_STARTTLS: {{ 'on' if system_email.start_tls else 'off' }}
SMTP_FROM: {{system_email.local}}
# Administrator Credentials
FRIENDICA_ADMIN_MAIL: {{administrator_email}}


@ -53,14 +53,14 @@ LOGLEVEL=error
# (returns `noreply%40youremail.host`)
# EMAIL_CONFIG=smtp://user:password@youremail.host:25
# EMAIL_CONFIG=smtp+ssl://user:password@youremail.host:465
EMAIL_CONFIG=smtp+tls://{{system_email_local}}:{{system_email_password}}@{{system_email_host}}:{{system_email_smtp_port}}
EMAIL_CONFIG=smtp+tls://{{system_email.local}}:{{system_email.password}}@{{system_email.host}}:{{system_email.smtp_port}}
# Make e-mail verification mandatory before using the service
# Doesn't apply to admins.
# ACCOUNT_EMAIL_VERIFICATION_ENFORCE=false
# The e-mail address to use to send system e-mails.
DEFAULT_FROM_EMAIL={{system_email_from}}
DEFAULT_FROM_EMAIL={{system_email.from}}
# Depending on the reverse proxy used in front of your funkwhale instance,
# the API will use different kind of headers to serve audio files
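Review bot: `EMAIL_CONFIG=smtp+tls://...` hard-codes the STARTTLS scheme regardless of `system_email.tls`/`system_email.start_tls`, while the commented example two lines above pairs `smtp+ssl` with port 465 for implicit TLS; on an implicit-TLS port the STARTTLS handshake simply fails. Deriving the scheme the way the Taiga template in this commit does, `EMAIL_CONFIG=smtp+{{ 'tls' if system_email.start_tls else 'ssl' }}://...`, keeps the two consistent. The credentials in the URL also need percent-encoding (`{{ system_email.password | urlencode }}`) since a `@`, `:` or `/` breaks the parse, and the upstream note about `noreply%40youremail.host` suggests the login is expected to be the full address, so using `system_email.local` as the user name may only work where the mail server accepts a bare local part — worth confirming.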


@ -1,15 +1,23 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include tasks nginx-docker-proxy-domain.yml"
include_tasks: nginx-docker-proxy-domain.yml
- name: create {{domain}}.conf
- name: Create {{domain}}.conf if LDAP is exposed to internet
template:
src: "nginx.stream.conf.j2"
dest: "{{nginx_streams_directory}}{{domain}}.conf"
notify: restart nginx
when: ldap_expose_to_internet | bool
- name: Remove {{domain}}.conf if LDAP is not exposed to internet
file:
path: "{{ nginx_streams_directory }}{{ domain }}.conf"
state: absent
when: not ldap_expose_to_internet | bool
- name: "create {{docker_compose_instance_directory}}"
file:
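Review bot: The new `Remove {{domain}}.conf if LDAP is not exposed to internet` task deletes the stream config but carries no `notify: restart nginx`, so flipping `ldap_expose_to_internet` to false leaves the LDAPS listener serving until something else restarts nginx — the opposite of what a de-exposure change is meant to do. Add `notify: restart nginx` to that `file:` task, mirroring the template task above it. Since `undefined | bool` aborts the role rather than defaulting closed, an `assert` that `ldap_expose_to_internet is defined` (or a `| default(false)` on both `when:` clauses) would make the safe state explicit.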


@ -79,6 +79,7 @@ services:
retries: 3
start_period: 20s
{% include 'templates/docker/container/networks.yml.j2' %}
central_ldap:
{% include 'templates/docker/compose/volumes.yml.j2' %}
data:


@ -3,8 +3,7 @@ server {
proxy_pass 127.0.0.1:{{ldap_localhost_port}};
# SSL Configuration for LDAPS
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
}
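Review bot: `ssl_ciphers HIGH:!aNULL:!MD5;` below the new include still admits OpenSSL's static-RSA TLS 1.2 suites, so LDAPS sessions on this listener lack forward secrecy even though `ssl_protocols TLSv1.2 TLSv1.3` is enforced, and a later key compromise would expose recorded bind credentials. Reuse the cipher policy the HTTP vhosts get from `ssl_header.j2` if it defines one, or set an ECDHE-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`. The `ssl_trusted_certificate` pulled in by `ssl_credentials.j2` is harmless in a stream block without stapling but deserves a one-line comment so nobody removes it from the shared snippet.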


@ -7,4 +7,6 @@ ldap_localhost_port: 389
# OAuth2 Proxy Configuration
oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
oauth2_proxy_active: true
oauth2_proxy_active: true
enable_one_letsencrypt_cert_for_all: false
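Review bot: `enable_one_letsencrypt_cert_for_all: false` is pinned in what looks like the role's `vars/` file next to `oauth2_proxy_active`, and role vars outrank inventory and group_vars, so the inventory switch the README describes could never enable the wildcard certificate for this role; if that is deliberate (an LDAPS listener needs a name-matched certificate), a comment such as `# pinned: LDAPS must present its own certificate, not the wildcard` saves the next reader a precedence hunt, otherwise the value belongs in `defaults/`. The doubled `oauth2_proxy_active: true` is presumably the missing-newline-at-EOF artefact of the diff rather than a real duplicate key — worth confirming in the raw file, since YAML parsers silently take the last duplicate.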


@ -1,4 +1,5 @@
docker_compose_project_name: "mailu"
database_password: "{{mailu_database_password}}"
database_type: "mariadb"
cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
docker_compose_project_name: "mailu"
database_password: "{{mailu_database_password}}"
database_type: "mariadb"
cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
enable_one_letsencrypt_cert_for_all: false


@ -4,7 +4,7 @@
- name: "include create-domains.yml"
include_tasks: create-domains.yml
loop: "{{ domains }}"
loop: "{{ mastodon_domains }}"
loop_control:
loop_var: domain


@ -1,5 +1,5 @@
LOCAL_DOMAIN={{domain}}
ALTERNATE_DOMAINS="{{ domains_mastodon_alternates | join(',') }}"
ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
SINGLE_USER_MODE={{mastodon_single_user_mode}}
SECRET_KEY_BASE={{mastodon_secret_key_base}}
OTP_SECRET={{mastodon_otp_secret}}
@ -16,14 +16,14 @@ REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
SMTP_SERVER={{system_email_host}}
SMTP_PORT={{system_email_smtp_port}}
SMTP_LOGIN={{system_email_username}}
SMTP_PASSWORD={{system_email_password}}
SMTP_SERVER={{system_email.host}}
SMTP_PORT={{system_email.smtp_port}}
SMTP_LOGIN={{system_email.username}}
SMTP_PASSWORD={{system_email.password}}
SMTP_AUTH_METHOD=plain
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_ENABLE_STARTTLS=auto
SMTP_FROM_ADDRESS=Mastodon <{{system_email_from}}>
SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{mastodon_active_record_encryption_deterministic_key}}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{mastodon_active_record_encryption_key_derivation_salt}}
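Review bot: `SMTP_OPENSSL_VERIFY_MODE=none` directly below the rewritten `SMTP_PASSWORD` line disables certificate checking for the SMTP session, and with `SMTP_ENABLE_STARTTLS=auto` the upgrade is opportunistic, so an on-path attacker can either strip STARTTLS or present any certificate and read the password. Change it to `SMTP_OPENSSL_VERIFY_MODE=peer` and, when TLS is configured, `SMTP_ENABLE_STARTTLS=always` so a downgrade fails loudly instead of silently sending in clear. Note also that `SMTP_PORT` comes from `system_email.smtp_port` while the STARTTLS flag ignores `system_email.start_tls` entirely, unlike the PeerTube and Taiga templates in this commit.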


@ -1,8 +1,8 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://{{domain_matrix_synapse}}",
"server_name": "{{domain_matrix_synapse}}"
"base_url": "https://{{domains.matrix_synapse}}",
"server_name": "{{domains.matrix_synapse}}"
},
"m.identity_server": {
"base_url": "https://{{primary_domain}}"


@ -17,13 +17,13 @@ database:
host: "{{database_host}}"
cp_min: 5
cp_max: 10
log_config: "/data/{{domain_matrix_synapse}}.log.config"
log_config: "/data/{{domains.matrix_synapse}}.log.config"
media_store_path: "/data/media_store"
registration_shared_secret: "{{matrix_registration_shared_secret}}"
report_stats: true
macaroon_secret_key: "{{matrix_macaroon_secret_key}}"
form_secret: "{{matrix_form_secret}}"
signing_key_path: "/data/{{domain_matrix_synapse}}.signing.key"
signing_key_path: "/data/{{domains.matrix_synapse}}.signing.key"
web_client_location: "https://{{element_domain}}"
public_baseurl: "https://{{synapse_domain}}"
trusted_key_servers:
@ -31,18 +31,18 @@ trusted_key_servers:
admin_contact: 'mailto:{{administrator_email}}'
email:
smtp_host: "{{system_email_host}}"
smtp_port: "{{system_email_smtp_port}}"
smtp_user: "{{system_email_from}}"
smtp_pass: "{{system_email_password}}"
smtp_host: "{{system_email.host}}"
smtp_port: "{{system_email.smtp_port}}"
smtp_user: "{{system_email.from}}"
smtp_pass: "{{system_email.password}}"
#force_tls: true
#require_transport_security: true
enable_tls: "{{ system_email_tls | upper }}"
notif_from: "Your Friendly %(app)s homeserver <{{system_email_from}}>"
enable_tls: "{{ system_email.tls | upper }}"
notif_from: "Your Friendly %(app)s homeserver <{{system_email.from}}>"
app_name: "Matrix on {{synapse_domain}}"
enable_notifs: true
notif_for_new_users: false
client_base_url: "{{domain_matrix_synapse}}"
client_base_url: "{{domains.matrix_synapse}}"
validation_token_lifetime: 15m
app_service_config_files:
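Review bot: `enable_tls: "{{ system_email.tls | upper }}"` renders a quoted string such as `"TRUE"`/`"FALSE"`, and Synapse's email section expects a YAML boolean; depending on the version the string either fails validation or, being non-empty, is truthy even when it reads FALSE, so write it unquoted and lowercase: `enable_tls: {{ system_email.tls | lower }}`. With `require_transport_security` left commented out just above, STARTTLS is opportunistic and falls back to plaintext if an attacker strips the STARTTLS offer, which also exposes `smtp_pass`; set `require_transport_security: true` whenever TLS is enabled. Lastly, `client_base_url: "{{domains.matrix_synapse}}"` lacks the `https://` scheme that `public_baseurl` carries, so links in password-reset and notification mails will be bare host names; `client_base_url: "https://{{domains.matrix_synapse}}"` fixes that.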


@ -4,7 +4,7 @@
- name: "include tasks create-proxy-with-domain-replace.yml"
include_tasks: create-proxy-with-domain-replace.yml
loop: "{{ domains + [source_domain] }}"
loop: "{{ mybb_domains + [source_domain] }}"
loop_control:
loop_var: domain


@ -11,10 +11,10 @@
dest: "{{nginx_servers_directory}}{{domain}}.conf"
notify: restart nginx
- name: configure nginx.conf
- name: create nginx.conf
template:
src: "templates/nginx.conf.j2"
dest: "{{path_docker_volumes}}nextcloud/nginx.conf"
dest: "{{docker_compose_instance_directory}}nginx.conf"
notify: docker compose project setup
- name: add docker-compose.yml


@ -20,7 +20,7 @@
command: >
docker-compose exec -u www-data application /var/www/html/occ
config:app:set sociallogin custom_providers
--value='{"custom_oidc":[{"name":"{{domain_keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
--value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
# This configuration defines custom OpenID Connect (OIDC) providers for authentication.
# In this case, it sets up a Keycloak provider with details like URLs for authorization,
# token retrieval, user info, and logout, as well as the client ID and secret.
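Review bot: This `command:` passes `oidc_client_secret` on the `occ` command line, so the secret is visible in the host process list for the duration of the `docker-compose exec` and is recorded in Ansible's task output and any log shipping unless the task sets `no_log: true`; the task header that would carry it starts before this hunk's first visible line, so please confirm it is there. Given the rename touched this value anyway, also check `oidc_client_toke_url`: if the variable is really named `oidc_client_token_url` elsewhere, the `tokenUrl` field renders undefined and the provider silently breaks.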


@ -25,15 +25,15 @@ services:
PHP_MEMORY_LIMIT: 1G # Required for plugin duplicate finder
# Email Configuration
SMTP_HOST: {{system_email_host}}
SMTP_SECURE: {{ 'ssl' if system_email_tls else '' }}
SMTP_PORT: {{system_email_smtp_port}}
SMTP_NAME: {{system_email_username}}
SMTP_PASSWORD: {{system_email_password}}
SMTP_HOST: {{system_email.host}}
SMTP_SECURE: {{ 'ssl' if system_email.tls else '' }}
SMTP_PORT: {{system_email.smtp_port}}
SMTP_NAME: {{system_email.username}}
SMTP_PASSWORD: {{system_email.password}}
# Email from configuration
MAIL_FROM_ADDRESS: no-reply
MAIL_DOMAIN: {{system_email_domain}}
MAIL_DOMAIN: {{system_email.domain}}
{% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
{% include 'templates/docker/container/networks.yml.j2' %}
@ -47,7 +47,7 @@ services:
ports:
- "127.0.0.1:{{http_port}}:80"
volumes:
- "{{path_docker_volumes}}nextcloud/nginx.conf:/etc/nginx/nginx.conf:ro"
- "{{docker_compose_instance_directory}}/nginx.conf:/etc/nginx/nginx.conf:ro"
volumes_from:
- application
healthcheck:
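Review bot: In the first hunk `SMTP_SECURE: {{ 'ssl' if system_email.tls else '' }}` only knows implicit TLS: when an operator sets `start_tls: true` (the case the PeerTube and Taiga templates in this commit handle) Nextcloud is told `ssl` and attempts an implicit-TLS handshake on a STARTTLS port, which fails, and with `''` it degrades to plaintext; `SMTP_SECURE: {{ 'tls' if system_email.start_tls else ('ssl' if system_email.tls else '') }}` covers all three modes. In the same hunk `MAIL_FROM_ADDRESS: no-reply` stays hard-coded while `MAIL_DOMAIN` moved to `system_email.domain`; `MAIL_FROM_ADDRESS: {{system_email.local}}` keeps the sender in sync with the rest of the stack, as the Friendica template already does.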


@ -3,7 +3,7 @@ cookie_secret = "{{oauth2_proxy_cookie_secret}}"
email_domains = "{{primary_domain}}"
cookie_secure = "false"
upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
cookie_domains = ["{{domain}}", "{{domain_keycloak}}"] # Required so cookie can be read on all subdomains.
cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
# keycloak provider
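Review bot: `cookie_secure = "false"` two lines above the rewritten `cookie_domains` line issues the oauth2-proxy session cookie without the Secure flag, so a browser will also send it over plain HTTP to any host under the listed cookie domains, handing the session to anyone who can inject an `http://` reference; every vhost in this commit terminates TLS behind nginx with Let's Encrypt certificates, so there is no reason to keep it off. Set `cookie_secure = "true"` and, if the file does not already, `cookie_samesite = "lax"`. Sharing the cookie across `{{domain}}` and `{{domains.keycloak}}` is intentional per the comment, but it means a weakness on either host exposes sessions of both — worth noting next to that line.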


@ -114,7 +114,7 @@ services:
container_name: openproject-seeder
restart: on-failure
{% include 'templates/docker/container/networks.yml.j2' %}
central_ldap:
{% include 'templates/docker/compose/networks.yml.j2' %}
{% include 'templates/docker/compose/volumes.yml.j2' %}


@ -4,7 +4,7 @@
- name: "include create-domains.yml"
include_tasks: create-domains.yml
loop: "{{ domains }}"
loop: "{{ peertube_domains }}"
loop_control:
loop_var: domain


@ -14,11 +14,11 @@ PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback"]
PEERTUBE_SECRET={{peertube_secret}}
# E-mail configuration
PEERTUBE_SMTP_USERNAME={{system_email_username}}
PEERTUBE_SMTP_PASSWORD={{system_email_password}}
PEERTUBE_SMTP_HOSTNAME={{system_email_host}}
PEERTUBE_SMTP_PORT={{system_email_smtp_port}}
PEERTUBE_SMTP_FROM={{system_email_from}}
PEERTUBE_SMTP_TLS={{ system_email_tls | lower }}
PEERTUBE_SMTP_DISABLE_STARTTLS={{ 'false' if system_email_start_tls else 'true' }}
PEERTUBE_ADMIN_EMAIL={{system_email_from}}
PEERTUBE_SMTP_USERNAME={{system_email.username}}
PEERTUBE_SMTP_PASSWORD={{system_email.password}}
PEERTUBE_SMTP_HOSTNAME={{system_email.host}}
PEERTUBE_SMTP_PORT={{system_email.smtp_port}}
PEERTUBE_SMTP_FROM={{system_email.from}}
PEERTUBE_SMTP_TLS={{ system_email.tls | lower }}
PEERTUBE_SMTP_DISABLE_STARTTLS={{ 'false' if system_email.start_tls else 'true' }}
PEERTUBE_ADMIN_EMAIL={{system_email.from}}


@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include tasks nginx-docker-proxy-domain.yml"
include_tasks: nginx-docker-proxy-domain.yml


@ -46,15 +46,15 @@ RESTRICTED_INSTANCE=false
## Mail
MAIL_DRIVER=log
MAIL_HOST={{system_email_host}}
MAIL_PORT={{system_email_smtp_port}}
MAIL_FROM_ADDRESS="{{system_email_from}}"
MAIL_HOST={{system_email.host}}
MAIL_PORT={{system_email.smtp_port}}
MAIL_FROM_ADDRESS="{{system_email.from}}"
MAIL_FROM_NAME="Pixelfed"
MAIL_USERNAME={{system_email_username}}
MAIL_PASSWORD={{system_email_password}}
MAIL_USERNAME={{system_email.username}}
MAIL_PASSWORD={{system_email.password}}
# Not sure if the following is correct
# Checkout: https://github.com/pixelfed/pixelfed/blob/dev/.env.docker
MAIL_ENCRYPTION={{ 'ssl' if system_email_start_tls else 'tls' }}
MAIL_ENCRYPTION={{ 'ssl' if system_email.start_tls else 'tls' }}
## Databases (MySQL)
DB_CONNECTION=mysql
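Review bot: `MAIL_ENCRYPTION={{ 'ssl' if system_email.start_tls else 'tls' }}` is inverted for Laravel's mailer, where `tls` means STARTTLS and `ssl` means implicit TLS on connect; the Taiga template in this same commit encodes the opposite, correct, mapping (implicit TLS only when `start_tls` is false). Use `MAIL_ENCRYPTION={{ 'tls' if system_email.start_tls else 'ssl' }}` and retire the "Not sure if the following is correct" comment once verified. Separately, `MAIL_DRIVER=log` at the top of the hunk means none of these SMTP settings are used and mail goes to the log, yet `MAIL_PASSWORD` still lands in the rendered `.env`; switch to `MAIL_DRIVER=smtp` or leave the credentials out while logging is the driver.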


@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: "include tasks nginx-docker-proxy-domain.yml"
include_tasks: nginx-docker-proxy-domain.yml


@ -1,6 +1,7 @@
---
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: pull app repository
git:


@ -13,14 +13,14 @@ POSTGRES_PASSWORD={{database_password}} # database user's password
# Taiga's SMTP settings - Variables to send Taiga's emails to the users
EMAIL_BACKEND = console # use an SMTP server or display the emails in the console (either "smtp" or "console")
EMAIL_HOST = {{system_email_host}} # SMTP server address
EMAIL_PORT = {{system_email_smtp_port}} # default SMTP port
EMAIL_HOST_USER = {{system_email_username}} # user to connect the SMTP server
EMAIL_HOST_PASSWORD = {{system_email_password}} # SMTP user's password
EMAIL_DEFAULT_FROM = {{system_email_from}} # default email address for the automated emails
EMAIL_HOST = {{system_email.host}} # SMTP server address
EMAIL_PORT = {{system_email.smtp_port}} # default SMTP port
EMAIL_HOST_USER = {{system_email.username}} # user to connect the SMTP server
EMAIL_HOST_PASSWORD = {{system_email.password}} # SMTP user's password
EMAIL_DEFAULT_FROM = {{system_email.from}} # default email address for the automated emails
# EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
EMAIL_USE_TLS={{ system_email_tls | lower | capitalize }} # use TLS (secure) connection with the SMTP server
EMAIL_USE_SSL={{ 'False' if system_email_start_tls else 'True' }} # use implicit TLS (secure) connection with the SMTP server
EMAIL_USE_TLS={{ system_email.tls | lower | capitalize }} # use TLS (secure) connection with the SMTP server
EMAIL_USE_SSL={{ 'False' if system_email.start_tls else 'True' }} # use implicit TLS (secure) connection with the SMTP server
# Taiga's RabbitMQ settings - Variables to leave messages for the realtime and asynchronous events
RABBITMQ_USER=taiga # user to connect to RabbitMQ
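Review bot: The two rewritten `EMAIL_USE_TLS`/`EMAIL_USE_SSL` lines can both render `True` despite the comment above them saying they are mutually exclusive: `EMAIL_USE_TLS` follows `system_email.tls` while `EMAIL_USE_SSL` is `True` whenever `start_tls` is false, so the ordinary implicit-TLS setup (`tls: true`, `start_tls: false`) sets both and Django's SMTP backend refuses to start with an ImproperlyConfigured error. In Django terms `EMAIL_USE_TLS` is STARTTLS and `EMAIL_USE_SSL` is implicit TLS, so derive both from `start_tls`: `EMAIL_USE_TLS={{ 'True' if system_email.start_tls else 'False' }}` and `EMAIL_USE_SSL={{ 'True' if (system_email.tls and not system_email.start_tls) else 'False' }}`. Also, `EMAIL_BACKEND = console` at the top of the hunk discards mail entirely, so the credentials below are written to disk without ever being used; set it to `smtp` or omit them until it is.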


@ -4,7 +4,7 @@
- name: "include tasks nginx-docker-proxy-domain.yml"
include_tasks: nginx-docker-proxy-domain.yml
loop: "{{ domains }}"
loop: "{{ wordpress_domains }}"
loop_control:
loop_var: domain
vars:


@ -16,15 +16,6 @@
group: administrator
when: run_once_docker is not defined
- name: "create {{path_docker_volumes}}"
file:
path: "{{path_docker_volumes}}"
state: directory
mode: 0700
owner: administrator
group: administrator
when: run_once_docker is not defined
- name: flush docker service
meta: flush_handlers
when: run_once_docker is not defined


@ -26,16 +26,16 @@ for filename in os.listdir(config_path):
expected_statuses = [200,302]
redirected_domains = [domain['source'] for domain in {{redirect_domain_mappings}}]
redirected_domains.append("{{domain_mailu}}")
redirected_domains.append("{{domains.mailu}}")
# Determine expected status codes based on the domain
if domain == '{{domain_listmonk}}':
if domain == '{{domains.listmonk}}':
expected_statuses = [404]
{% if nginx_matomo_tracking | bool %}
elif parts[0] == 'www' or domain in redirected_domains:
expected_statuses = [301]
{% endif %}
elif domain == '{{domain_yourls}}':
elif domain == '{{domains.yourls}}':
expected_statuses = [403]
try:


@ -0,0 +1,4 @@
{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}
ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;
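Review bot: `enable_one_letsencrypt_cert_for_all` is dereferenced with no default in the `{% set ssl_cert_folder = ... %}` line, and this snippet is now pulled into every nginx server and stream template, so any role or host that does not define the flag fails at render time instead of falling back to the per-domain certificate; `enable_one_letsencrypt_cert_for_all | default(false)` (or a group_vars default) makes the safe mode the default. When the flag is on, the wildcard the README describes covers `*.primary_domain` and the apex only, so a vhost two labels deep under the primary domain would be served a non-matching certificate and fail TLS; either fail the template loudly for such a `domain` or document the single-label limitation next to the flag. A short header comment stating that the snippet is shared by HTTP and stream blocks would also explain why `ssl_trusted_certificate` appears in contexts without stapling.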


@ -8,6 +8,5 @@ ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;
{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}


@ -1,103 +1,158 @@
# Nginx Docker Cert Deploy Role
🎉 **Author**: Kevin Veen-Birkenbach ([veen.world](https://www.veen.world))
🎉 **Author**: [Kevin Veen-Birkenbach](https://www.veen.world)
This Ansible role simplifies the deployment of Let's Encrypt certificates into Docker Compose setups with Nginx. It ensures that certificates are copied, directories are created, and Nginx services are reloaded or restarted as needed.
This Ansible role simplifies the deployment of **Let's Encrypt certificates** into **Docker Compose** setups with Nginx. It supports both **individual certificates per subdomain** and a **single wildcard certificate** for all subdomains.
---
## 🚀 **Features**
- Copies Let's Encrypt certificates to the target directory.
- Automatically reloads or restarts Nginx services in all Docker Compose containers.
- Configures and manages a `systemd` service for automated deployment.
- Supports periodic execution via a `systemd` timer.
- Handles dependent services like `systemd-notifier`.
- Automatically deploys **Let's Encrypt certificates** to Docker Compose setups.
- Supports both **single-domain certificates** and **one wildcard certificate** for all subdomains.
- **Copies certificates** to the target directory inside the container.
- Automatically **reloads or restarts Nginx services** when certificates are updated.
- **Configures and manages a `systemd` service** for automated certificate deployment.
- **Includes a `systemd` timer** for scheduled renewals.
- **Handles dependent services** like `systemd-notifier`.
---
## 🔧 **Variables**
## 📋 **Configuration Options**
The following variables can be customized:
| Variable | Description | Default Value |
|-----------------------------------|------------------------------------------------|-----------------------------------------|
| `cert_mount_directory` | Target directory to mount certificates. | `{{docker_compose_instance_directory}}/certs/` |
| `nginx_docker_cert_deploy_script` | Path to the deployment script. | `{{path_administrator_scripts}}nginx-docker-cert-deploy.sh` |
| `docker_compose_project_name` | Name of the Docker Compose project. | None (must be defined in playbook) |
| `on_calendar_deploy_certificates` | `systemd` timer schedule for certificate updates. | None (must be defined in playbook) |
---
## 📋 **Tasks Overview**
### Main Tasks
1. **Add Deployment Script**:
Copies the `nginx-docker-cert-deploy.sh` script to the administrator scripts directory.
2. **Create Certificate Directory**:
Ensures the `cert_mount_directory` exists with proper permissions.
3. **Configure Systemd Service**:
Deploys a `systemd` service file for the deployment process.
4. **Include `systemd-timer` Role**:
Schedules automatic deployment tasks using a `systemd` timer.
### Handlers
- **Restart Service**:
Restarts the `nginx-docker-cert-deploy` service when configuration changes.
---
## 📂 **File Structure**
```
roles/
nginx-docker-cert-deploy/
vars/
main.yml
handlers/
main.yml
files/
nginx-docker-cert-deploy.sh
tasks/
main.yml
templates/
nginx-docker-cert-deploy.service.j2
meta/
main.yml
```
---
## 📖 **Usage Example**
Here's an example of how to use this role in your playbook:
### 🔹 **One Wildcard Certificate for All Subdomains**
By default, each subdomain gets its own certificate. You can **enable a wildcard certificate** by setting:
```yaml
- name: Deploy Let's Encrypt certificates to Docker Compose
hosts: all
roles:
- role: nginx-docker-cert-deploy
vars:
domain: "example.com"
docker_compose_instance_directory: "/home/administrator/docker-compose/nginx"
docker_compose_project_name: "nginx"
on_calendar_deploy_certificates: "daily"
enable_one_letsencrypt_cert_for_all: true
```
📌 **Pros & Cons of a Wildcard Certificate:**
**Improves performance** by reducing TLS handshakes.
**Simplifies certificate management** (one cert for all subdomains).
**Requires manual DNS challenge setup** for Let's Encrypt.
**Needs additional configuration for automation** (see below).
If enabled, update your inventory file and follow the **manual wildcard certificate setup** below.
---
## 🔧 **Tasks Overview**
### **1⃣ Main Tasks**
1. **Add Deployment Script**
- Copies `nginx-docker-cert-deploy.sh` to the administrator scripts directory.
2. **Create Certificate Directory**
- Ensures `cert_mount_directory` exists with proper permissions.
3. **Configure `systemd` Service**
- Deploys a `systemd` service file for the deployment process.
4. **Include `systemd-timer` Role**
- Schedules automatic certificate deployment using a `systemd` timer.
### **2⃣ Handlers**
- **Restart Nginx Service**
- Restarts `nginx-docker-cert-deploy` whenever a certificate update occurs.
---
## **🔐 Wildcard Certificate Setup with Let's Encrypt**
If you enabled `enable_one_letsencrypt_cert_for_all`, follow these steps to manually request a **wildcard certificate**.
### **1⃣ Run the Certbot Command 🖥️**
```sh
certbot certonly --manual --preferred-challenges=dns --agree-tos \
--email administrator@primary_domain -d primary_domain -d "*.primary_domain"
```
### **2⃣ Add DNS TXT Record for Validation 📜**
Certbot will prompt you to add a DNS TXT record:
```
Please create a TXT record under the name:
_acme-challenge.primary_domain.
with the following value:
9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA
```
**Go to your DNS provider** and create a new **TXT record**:
- **Host:** `_acme-challenge.primary_domain`
- **Value:** `"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"`
- **TTL:** Set to **300 seconds (or lowest possible)**
**Verify the DNS record** before continuing:
```sh
dig TXT _acme-challenge.primary_domain @8.8.8.8
```
### **3⃣ Complete the Certificate Request ✅**
Once the DNS changes have propagated, **press Enter** in the Certbot terminal.
If successful, Certbot will save the certificates under:
```
/etc/letsencrypt/live/primary_domain/
```
- **fullchain.pem** → The certificate
- **privkey.pem** → The private key
---
## **📂 File & Directory Structure**
```sh
roles/nginx-docker-cert-deploy/
├── files/
│ ├── nginx-docker-cert-deploy.sh # Deployment script
├── handlers/
│ ├── main.yml # Restart Nginx handler
├── meta/
│ ├── main.yml # Dependencies
├── tasks/
│ ├── main.yml # Main Ansible tasks
├── templates/
│ ├── nginx-docker-cert-deploy.service.j2 # Systemd service template
├── vars/
│ ├── main.yml # Variable definitions
```
---
## 🛠️ **Dependencies**
## **🔧 Deploying Certificates into Docker Containers**
The role **automates copying certificates** into Docker Compose setups.
This role depends on:
### **1⃣ Deployment Script (`nginx-docker-cert-deploy.sh`)**
This script:
- **Copies certificates** to the correct container directory.
- **Reloads Nginx** inside all running containers.
- **Restarts containers if needed**.
- `systemd-notifier`: Notifies about failures in the `systemd` service.
**Usage:**
```sh
sh nginx-docker-cert-deploy.sh primary_domain /path/to/docker/compose
```
### **2⃣ Systemd Service & Timer**
The role includes a **`systemd` service** that runs the deployment script whenever certificates are updated.
Example `nginx-docker-cert-deploy.service.j2`:
```ini
[Unit]
Description=Let's Encrypt deploy to {{docker_compose_instance_directory}}
OnFailure=systemd-notifier.cymais@%n.service
[Service]
Type=oneshot
ExecStart=/usr/bin/bash {{path_administrator_scripts}}/nginx-docker-cert-deploy.sh {{primary_domain}} {{docker_compose_instance_directory}}
```
---
Feel free to contribute, report issues, or suggest improvements! 😊
## 🎯 **Summary**
| Feature | Description |
|---------|------------|
| **Single-domain & wildcard support** | Use individual certs or a wildcard certificate |
| **Automated renewal** | Cronjob or systemd timer ensures auto-renewals |
| **Docker-ready** | Deploys certificates directly into Docker containers |
| **Supports Nginx & Mailu** | Compatible with multiple services |
| **Systemd integration** | Automates deployment via `systemd` |
🚀 **Now your Nginx setup is fully automated and secured with Let's Encrypt!** 🎉
```


@ -2,8 +2,8 @@
defaults
auth on
logfile ~/.msmtp.log
tls_starttls {{ 'on' if system_email_start_tls else 'off' }}
{% if system_email_tls %}
tls_starttls {{ 'on' if system_email.start_tls else 'off' }}
{% if system_email.tls %}
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
{% else %}
@ -11,10 +11,10 @@ tls off
{% endif %}
account system_email
host {{system_email_host}}
port {{system_email_smtp_port}}
from {{system_email_from}}
user {{system_email_username}}
password {{system_email_password}}
host {{system_email.host}}
port {{system_email.smtp_port}}
from {{system_email.from}}
user {{system_email.username}}
password {{system_email.password}}
account default : system_email
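Review bot: The rebuilt `account` block in the second hunk renders `password {{system_email.password}}` in cleartext, so the rendered file must be owner-only readable; the task that writes this template is not visible here, so confirm it sets `mode: "0600"` and an `owner`/`group` matching the user that runs msmtp (the `logfile ~/.msmtp.log` line suggests a per-user config). msmtp refuses a per-user config that contains a password unless it is protected that way, so a slipped mode would silently break every systemd-notifier mail rather than just leak the secret. If the secret should stay out of the file altogether, `passwordeval` with a command that reads it from a root-only file or a secret store is the msmtp-native alternative.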


@ -2,7 +2,7 @@
/usr/bin/sendmail -t <<ERRMAIL
To: {{administrator_email}}
From: systemd <{{system_email_from}}>
From: systemd <{{system_email.from}}>
Subject: $1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
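Review bot: `Subject: $1` on the new side places the first argument unescaped into a header of a message that `sendmail -t` parses for recipients, so an argument containing a line break would inject additional headers (including `Cc:`/`Bcc:`). The argument is presumably a systemd unit name handed over via an `OnFailure=...@%n` instance, which cannot contain a newline, so this is hardening rather than an active bug; stripping line breaks is one line, `Subject: $(printf '%s' "$1" | tr -d '\r\n')`, which still expands inside the unquoted heredoc. The heredoc and the script continue outside the hunk.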


@ -46,15 +46,6 @@
notify: sshd restart
when: run_once_user_administrator is not defined
- name: "create {{path_administrator_home}}volumes/"
file:
path: "{{path_administrator_home}}volumes"
state: directory
owner: administrator
group: administrator
mode: 0700
when: run_once_user_administrator is not defined
- name: run the user_administrator tasks once
set_fact:
run_once_user_administrator: true


@ -1,18 +0,0 @@
- name: include docker vars
include_vars: vars/docker-common.yml.j2
- name: load docker compose dependencies
include_role:
name: docker-compose
- name: "remove {{ docker_compose_instance_directory }} and all its contents"
file:
path: "{{ docker_compose_instance_directory }}"
state: absent
when: mode_reset | bool
- name: "create {{docker_compose_instance_directory}}"
file:
path: "{{docker_compose_instance_directory}}"
state: directory
mode: 0755


@ -1,8 +1,9 @@
- name: include docker vars/docker-database.yml.j2
include_vars: vars/docker-database.yml.j2
- name: "include docker/compose/common.yml"
include_tasks: docker/compose/common.yml
- name: "include docker-compose role"
include_role:
name: docker-compose
- name: create central database
include_role:


@ -2,4 +2,26 @@
command: >-
certbot certonly --agree-tos --email {{ administrator_email }}
--non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
{{ '--test-cert' if mode_test | bool else '' }}
{{ '--test-cert' if mode_test | bool else '' }}
when: not enable_one_letsencrypt_cert_for_all
- name: "recieve certbot certificate for *{{ primary_domain }}"
command: >-
certbot certonly --agree-tos --email {{ administrator_email }}
--non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
{{ '--test-cert' if mode_test | bool else '' }}
when: enable_one_letsencrypt_cert_for_all and run_once_recieve_certificate is not defined
- name: "Cleanup dedicated cert for {{ domain }}"
command: >-
certbot delete --cert-name {{ domain }} --non-interactive
when:
- mode_cleanup
- enable_one_letsencrypt_cert_for_all
- domain != primary_domain
ignore_errors: true
- name: run the recieve_certificate tasks once
set_fact:
run_once_recieve_certificate: true
when: run_once_recieve_certificate is not defined
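Review bot: The new wildcard task requests `-d *.{{ primary_domain }}` with `--webroot -w /var/lib/letsencrypt/`, but Let's Encrypt issues wildcard names only via the DNS-01 challenge, which the webroot (HTTP-01) authenticator cannot answer, so this command will fail on every run where `enable_one_letsencrypt_cert_for_all` is set; the role README in this same change documents `--manual --preferred-challenges=dns` for exactly this case. Non-interactively that means a DNS plugin (`--dns-<provider>` with a credentials file) or `--manual --preferred-challenges dns --manual-auth-hook <script>` in place of the `--webroot -w /var/lib/letsencrypt/` arguments. The cleanup task's `certbot delete --cert-name {{ domain }}` removes `/etc/letsencrypt/live/{{ domain }}/` while any nginx vhost still pointing there keeps referencing it until it is re-rendered, and `ignore_errors: true` hides that failure mode; order it after the vhost switch and keep at least `failed_when` on a real error. `mode_cleanup` is not defined anywhere visible in this hunk, so confirm it has a default of `false` or the `when` clause errors on hosts that never set it.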


@ -1 +0,0 @@
docker_compose_instance_directory: "{{ path_docker_compose_instances + docker_compose_project_name + '/' }}"