Compare commits


No commits in common. "6282330226c4d279e680300c88013dbadf4192c4" and "bd1395926b925019959c0662b2c2bce543048bfb" have entirely different histories.

30 changed files with 103 additions and 145 deletions


@ -82,6 +82,7 @@ defaults_applications:
lam:
version: "latest"
administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
oauth2_proxy_active: true
openldap:
version: "latest"
network:
@ -93,19 +94,16 @@ defaults_applications:
webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
administrator_username: "{{administrator_username}}"
ldap_enabled: True # Should have the same value as applications.ldap.openldap.network.local.
oauth2_proxy:
enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface
application: lam # Needs to be the same as webinterface
port: 80 # If you use phpldapadmin set it to 8080
# Both need to be set to True to load the ldap_network in the docker compose file
# administrator_password: # CHANGE for security reasons in inventory file
# administrator_database_password: # CHANGE for security reasons in inventory file
## Listmonk
listmonk:
administrator_username: "{{administrator_username}}" # Listmonk administrator account username
public_api_activated: False # Security hole. Can be used for spaming
version: "latest" # Docker Image version
setup: false # Set true in inventory file to execute the setup and initializing procedures
administrator_username: "{{administrator_username}}"
public_api_activated: False # Security hole. Can be used for spaming
version: "latest" # Docker Image version
setup: false # Set true in inventory file to execute the setup and initializing procedures
## MariaDB
mariadb:
@ -114,8 +112,6 @@ defaults_applications:
## Matomo
matomo:
version: "latest"
oauth2_proxy:
enabled: false # Deactivated atm. @todo implement
## Mastodon
mastodon:
@ -137,16 +133,16 @@ defaults_applications:
## Mailu
mailu:
version: "2024.06"
domain: "{{primary_domain}}"
setup: false # Set true in inventory file to execute the setup and initializing procedures
version: "2024.06"
domain: "{{primary_domain}}"
setup: false # Set true in inventory file to execute the setup and initializing procedures
## Moodle
moodle:
site_titel: "Global Learning Academy on {{primary_domain}}"
administrator_name: "{{administrator_username}}"
administrator_email: "{{administrator_email}}"
version: "latest"
site_titel: "Global Learning Academy on {{primary_domain}}"
administrator_name: "{{administrator_username}}"
administrator_email: "{{administrator_email}}"
version: "latest"
## MyBB
mybb:
@ -167,12 +163,9 @@ defaults_applications:
## Open Project
openproject:
version: "13" # Update when available. Sadly no rolling release implemented
oauth2_proxy:
enabled: true # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
application: "proxy"
port: "80"
ldap_enabled: True # Enables LDAP by default
version: "13" # Update when available. Sadly no rolling release implemented
oauth2_proxy_active: true
ldap_enabled: True # Enables LDAP by default
## Peertube
peertube:
@ -182,10 +175,7 @@ defaults_applications:
phpmyadmin:
version: "latest"
autologin: false # This is a high security risk. Just activate this option if you know what you're doing
oauth2_proxy:
enabled: true
port: "80"
application: "application"
oauth2_proxy_active: true
## Pixelfed
pixelfed:
@ -208,9 +198,4 @@ defaults_applications:
## YOURLS
yourls:
administrator_username: "{{administrator_username}}"
version: "latest"
oauth2_proxy:
enabled: true
application: "application"
port: "80"
location: "/admin/" # Protects the admin arear
version: "latest"
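Review bot: On the new side the YOURLS defaults lose the whole `oauth2_proxy` mapping, including `location: "/admin/"`, and nothing replaces it with an `oauth2_proxy_active` flag, while the yourls compose template further down drops the oauth2-proxy container include and the ports file drops `yourls: 4184`. Together with the rewritten `domain.conf.j2` and `proxy_pass.conf.j2`, which only support protecting a whole domain, this leaves the YOURLS admin area outside the OAuth2 proxy, guarded by the application's own login alone. If that is intended, record it in the defaults, e.g. `# No OAuth2 proxy for yourls: the admin area relies on the application login only`; otherwise add `oauth2_proxy_active: true` for yourls and restore a per-path gate in the nginx templates. The enclosing `defaults_applications` mapping starts before and continues after these hunks.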


@ -7,7 +7,6 @@ ports:
phpmyadmin: 4181
ldap: 4182
openproject: 4183
yourls: 4184
ldap:
openldap: 389
http:
@ -26,7 +25,7 @@ ports:
roulette-wheel: 8013
joomla: 8014
attendize: 8015
#matrix: 8016 Not used anymore
#matrix: 8016 Not used anymore
baserow: 8017
matomo: 8018
listmonk: 8019


@ -50,7 +50,7 @@ defaults_networks:
subnet: 192.168.102.48/28
nextcloud:
subnet: 192.168.102.64/28
openproject:
oauth2_proxy:
subnet: 192.168.102.80/28
peertube:
subnet: 192.168.102.96/28


@ -7,7 +7,7 @@
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect
## Helper Variables:
## Private configuration variables:
_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
_oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
@ -25,11 +25,18 @@ defaults_oidc:
logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout" # Endpoint to log out the user
change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in" # URL for managing or changing user credentials
#############################################
### OAuth2-Proxy ###
#############################################
# The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_upstream_application_and_port: "application:80"
oauth2_proxy_active: false
#############################################
### LDAP ###
#############################################
# Helper Variables:
# Helper variables
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
ldap:


@ -45,17 +45,17 @@
- name: wait for database
pause:
seconds: "{{pause_duration}}"
when: applications.bigbluebutton.setup | bool
when: appplications.bigbluebutton.setup | bool
- name: create admin
command:
cmd: docker compose exec greenlight bundle exec rake admin:create
chdir: "{{docker_compose.directories.instance}}"
when: applications.bigbluebutton.setup | bool
when: appplications.bigbluebutton.setup | bool
ignore_errors: true
register: admin_creation_result
- name: print admin user data
debug:
msg: "{{ admin_creation_result.stdout }}"
when: applications.bigbluebutton.setup | bool
when: appplications.bigbluebutton.setup | bool
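Review bot: The three new `when: appplications.bigbluebutton.setup | bool` lines misspell `applications`; the variable does not exist, so Ansible aborts the conditional as undefined (if the compare direction on this page is reversed, these are the pre-fix lines). The same misspelling appears on the new side of the listmonk, mailu, mastodon and matrix task hunks below. Fix: `when: applications.bigbluebutton.setup | bool` on each of them.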


@ -7,6 +7,4 @@ services:
{% include 'templates/docker/compose/volumes.yml.j2' %}
redis:
{% include 'templates/docker/compose/networks.yml.j2' %}
discourse_default:
external: true
{% include 'templates/docker/compose/networks.yml.j2' %}


@ -836,7 +836,7 @@
"redirectUris": [
{%- set redirect_uris = [] -%}
{%- for application, domain in defaults_domains.items() -%}
{%- if applications[application_id] is defined and applications[application_id].oauth2_proxy.enabled | default(false) | bool -%}
{%- if applications[application] is defined and applications[application].oauth2_proxy_active is defined and applications[application].oauth2_proxy_active -%}
{%- if domain is string -%}
{%- set _ = redirect_uris.append("https://" ~ domain ~ "/*") -%}
{%- else -%}
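Review bot: The new condition tests `applications[application].oauth2_proxy_active` for raw Jinja truthiness, so a value supplied as a string in an inventory (`"false"`) would still register a wildcard redirect URI for that domain. Coerce it the way the other new uses of the flag do: `{%- if applications[application] is defined and applications[application].oauth2_proxy_active | default(false) | bool -%}`. The enclosing `redirectUris` loop continues outside the hunk.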


@ -2,6 +2,10 @@ application_id: "ldap"
ldaps_docker_port: 636
ldap_docker_port: 389
# OAuth2 Proxy Configuration
oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
oauth2_proxy_active: "{{ applications.ldap.lam.oauth2_proxy_active | bool }}"
enable_wildcard_certificate: false # Activate dedicated Certificate
# Configuration for ldif import
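Review bot: `oauth2_proxy_active` is read from `applications.ldap.lam.oauth2_proxy_active` regardless of `applications.ldap.webinterface`, while the upstream line directly above switches on that key; with `webinterface: phpldapadmin` the proxy port follows phpldapadmin but activation is still governed by the lam setting. Either derive both from the selected webinterface, e.g. `oauth2_proxy_active: "{{ applications.ldap[applications.ldap.webinterface].oauth2_proxy_active | default(false) | bool }}"` (this presumes a phpldapadmin mapping with that key exists — confirm against the defaults), or add a comment stating that the flag is intentionally lam-only.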


@ -27,10 +27,10 @@
- name: flush docker service
meta: flush_handlers
when: applications.listmonk.setup |bool
when: appplications.listmonk.setup |bool
- name: setup routine for listmonk
command:
cmd: docker compose run -T --rm application sh -c "yes | ./listmonk --install"
chdir: "{{docker_compose.directories.instance}}"
when: applications.listmonk.setup |bool
when: appplications.listmonk.setup |bool


@ -18,11 +18,11 @@
- name: flush docker service
meta: flush_handlers
when: applications.mailu.setup |bool
when: appplications.mailu.setup |bool
- name: execute database migration
command:
cmd: "docker compose -p mailu exec admin flask mailu admin admin {{primary_domain}} {{mailu_initial_root_password}}"
chdir: "{{docker_compose.directories.instance}}"
ignore_errors: true
when: applications.mailu.setup |bool
when: appplications.mailu.setup |bool


@ -14,10 +14,10 @@
- name: flush docker service
meta: flush_handlers
when: applications.mastodon.setup |bool
when: appplications.mastodon.setup |bool
- name: setup routine for mastodon
command:
cmd: "docker-compose run --rm web bundle exec rails db:migrate"
chdir: "{{docker_compose.directories.instance}}"
when: applications.mastodon.setup |bool
when: appplications.mastodon.setup |bool


@ -8,28 +8,19 @@
validate_certs: yes
register: site_check
ignore_errors: yes
when: run_once_docker_matomo is not defined
- name: "Determine global_matomo_tracking_enabled based on current value and site reachability"
- name: implement matomo tracking for matomo if matomo is up and tracking enabled
set_fact:
global_matomo_tracking_enabled: "{{ (global_matomo_tracking_enabled | bool) and (site_check is defined and site_check.status == 200) }}"
when: run_once_docker_matomo is not defined
global_matomo_tracking_enabled: true
when: site_check is defined and site_check.status == 200 and global_matomo_tracking_enabled | bool
- name: "include docker-central-database"
include_role:
name: docker-central-database
when: run_once_docker_matomo is not defined
- name: "include role nginx-domain-setup for {{application_id}}"
include_role:
name: nginx-domain-setup
when: run_once_docker_matomo is not defined
- name: "copy docker-compose.yml and env file"
include_tasks: copy-docker-compose-and-env.yml
when: run_once_docker_matomo is not defined
- name: run the docker matomo tasks once
set_fact:
run_once_docker_matomo: true
when: run_once_docker_matomo is not defined
include_tasks: copy-docker-compose-and-env.yml
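Review bot: The new `set_fact` only ever assigns `global_matomo_tracking_enabled: true`; when `site_check` fails the variable keeps whatever the inventory set, so tracking can remain enabled for an unreachable Matomo instance. Assign the combined result unconditionally instead: `global_matomo_tracking_enabled: "{{ (global_matomo_tracking_enabled | bool) and (site_check is defined and site_check.status == 200) }}"`. The new side also drops the `run_once_docker_matomo` guards on the role includes, so these tasks now run on every inclusion of the role; if that is deliberate, a short comment above the first include would help the next reader. The task list continues outside the hunk.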


@ -10,4 +10,4 @@
when: enable_central_database | bool
- name: "include seed-database-to-backup.yml"
include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
include_tasks: ""{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
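Review bot: The new `include_tasks: ""{{ playbook_dir }}/...` line has a doubled opening quote, which YAML reads as an empty string followed by stray text, so the task file fails to parse and the whole role becomes unloadable. Use one pair of quotes: `include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"`.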


@ -137,11 +137,11 @@
cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications.matrix.administrator_username}} -p {{matrix_admin_password}} -a -c /data/homeserver.yaml http://localhost:8008
chdir: "{{ docker_compose.directories.instance }}"
ignore_errors: true
when: applications.matrix.setup | bool
when: appplications.matrix.setup | bool
- name: create chatgpt bot
command:
cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{matrix_chatgpt_bridge_user_password}} -a -c /data/homeserver.yaml http://localhost:8008
chdir: "{{ docker_compose.directories.instance }}"
ignore_errors: true
when: applications.matrix.setup | bool
when: appplications.matrix.setup | bool


@ -1,4 +1,3 @@
{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:{{applications.oauth2_proxy.version}}
restart: {{docker_restart_policy}}
@ -7,5 +6,4 @@
ports:
- {{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp
volumes:
- "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
{% endif %}
- "{{docker_compose.directories.volumes}}{{applications.oauth2_proxy.configuration_file}}:/oauth2-proxy.cfg"
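Review bot: With the `{% if applications[application_id].oauth2_proxy.enabled ... %}` guard removed, the template defines the oauth2-proxy service unconditionally, so every compose file that includes it starts a proxy container and publishes `ports.localhost.oauth2_proxy[application_id]` even when `oauth2_proxy_active` is false (and fails to render for applications that have no port entry). Guard it on the new flag — `{% if oauth2_proxy_active | bool %}` before `oauth2-proxy:` and `{% endif %}` after the volumes line — unless every including compose template is already wrapped that way; the yourls template below is the only includer visible here. The unchanged port mapping `{{ports.localhost.oauth2_proxy[application_id]}}:4180/tcp` carries no `127.0.0.1:` host prefix, so with Docker's default binding the proxy is published on all host interfaces; worth a comment or a prefix if it is meant to be local to nginx.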


@ -1,16 +0,0 @@
{# Include OAuth2 Proxy #}
{# Raise the maximal header size. #}
{# Keycloak uses huge headers for authentification #}
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
large_client_header_buffers 4 16k;
# OAuth2-Proxy-Endpoint
location /oauth2/ {
proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}


@ -1,9 +0,0 @@
{# The following directives enforce OAuth2 authentication: #}
auth_request /oauth2/auth;
{# This directive issues an internal sub-request to '/oauth2/auth' for every incoming request. #}
{# The sub-request checks if the client is authenticated. #}
error_page 401 = /oauth2/start;
{# If the authentication check fails (i.e., a 401 Unauthorized is returned), #}
{# this directive redirects the client to '/oauth2/start', which typically initiates the OAuth2 login process. #}


@ -2,7 +2,7 @@ http_address = "0.0.0.0:4180"
cookie_secret = "{{applications.oauth2_proxy.cookie_secret}}"
email_domains = "{{primary_domain}}"
cookie_secure = "false"
upstreams = "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.


@ -9,4 +9,8 @@ custom_openproject_image: "custom_openproject"
# The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
dummy_volume: "{{docker_compose.directories.volumes}}dummy_volume"
dummy_volume: "{{docker_compose.directories.volumes}}dummy_volume"
# OAuth2 Proxy Configuration
oauth2_proxy_upstream_application_and_port: "proxy:80"
oauth2_proxy_active: "{{ applications.openproject.oauth2_proxy_active | bool }}"


@ -1,3 +1,4 @@
application_id: "phpmyadmin"
database_type: "mariadb"
database_host: "{{ 'central-' + database_type if enable_central_database}}"
database_host: "{{ 'central-' + database_type if enable_central_database}}"
oauth2_proxy_active: "{{ applications.phpmyadmin.oauth2_proxy_active | bool }}"


@ -2,8 +2,6 @@ services:
{% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}
{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
application:
image: yourls:{{applications.yourls.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}


@ -31,8 +31,10 @@ for filename in os.listdir(config_path):
# Determine expected status codes based on the domain
if domain == '{{domains.listmonk}}':
expected_statuses = [404]
{% if global_matomo_tracking_enabled | bool %}
elif parts[0] == 'www' or domain in redirected_domains:
expected_statuses = [301]
{% endif %}
elif domain == '{{domains.yourls}}':
expected_statuses = [403]
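Review bot: The added `{% if global_matomo_tracking_enabled | bool %}` makes the `elif` for www and redirected domains (expected 301) depend on Matomo tracking, which has no bearing on whether a redirect is configured; with tracking disabled those domains fall through to the default statuses and the check reports false failures. Drop the guard, or key it on the variable that actually controls the redirect setup. The `for` loop and the `if` chain continue outside the hunk.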


@ -2,34 +2,34 @@ server
{
server_name {{domain}};
{% if applications[application_id].oauth2_proxy.enabled | default(false) | bool %}
{% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
{% if oauth2_proxy_active | bool %}
# Include OAuth2 Proxy
# Raise the maximal header size.
# Keycloak uses huge headers for authentification
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 16k;
large_client_header_buffers 4 16k;
# OAuth2-Proxy-Endpoint
location /oauth2/ {
proxy_pass http://127.0.0.1:{{ports.localhost.oauth2_proxy[application_id]}};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
{% endif %}
{% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
{% if nginx_docker_reverse_proxy_extra_configuration is defined %}
{# Additional Domain Specific Configuration #}
# Additional Domain Specific Configuration
{{nginx_docker_reverse_proxy_extra_configuration}}
{% endif %}
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% if applications[application_id].oauth2_proxy.enabled | default(false) %}
{% if applications[application_id].oauth2_proxy.location is defined %}
{# Exposed and Unprotected Location #}
{% include 'proxy_pass.conf.j2' %}
{% set oauth2_proxy_enabled = true %}
{% set location = applications[application_id].oauth2_proxy.location %}
{# Gated Location by OAuth2 Proxy #}
{% include 'proxy_pass.conf.j2' %}
{% else %}
{% set oauth2_proxy_enabled = true %}
{# Protected Domain by OAuth2 Proxy #}
{% include 'proxy_pass.conf.j2'%}
{% endif %}
{% else %}
{# Exposed Domain - Not protected by OAuth2 Proxy #}
{% include 'proxy_pass.conf.j2' %}
{% endif %}
{% include 'proxy_pass.conf.j2' %}
}
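Review bot: The OAuth2 gate (`auth_request` and `error_page 401`) now lives only in `proxy_pass.conf.j2`'s `location /` (next file), while `{{nginx_docker_reverse_proxy_extra_configuration}}` is still injected at server scope ahead of it; any more specific `location` an application defines there is served without passing through the proxy. If the gate is meant to cover the whole domain, move `auth_request /oauth2/auth;` and `error_page 401 = /oauth2/start;` into the server-level `{% if oauth2_proxy_active | bool %}` block and add `auth_request off;` inside `location /oauth2/` so the auth endpoint does not gate itself. Inlining the former `endpoint.conf.j2` and `following_directives.conf.j2` here and in proxy_pass.conf.j2 also splits one mechanism across two files; a comment such as `# Paired with the auth_request gate in proxy_pass.conf.j2` would help the next reader.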


@ -1,10 +1,11 @@
location {{location | default("/")}}
location /
{
{% if oauth2_proxy_enabled | default(false) | bool %}
{% include 'roles/docker-oauth2-proxy/templates/following_directives.conf.j2'%}
{% if oauth2_proxy_active | bool %}
auth_request /oauth2/auth;
error_page 401 = /oauth2/start;
{% endif %}
proxy_pass http://127.0.0.1:{{http_port}}{{location | default("/")}};
proxy_pass http://127.0.0.1:{{http_port}}/;
# headers
proxy_set_header Host $host;


@ -6,20 +6,13 @@
include_role:
name: nginx-https-recieve-certificate
- name: "Relevant variables for role: {{ role_path | basename }}"
debug:
msg:
domains: "{{domains}}"
applications: "{{applications}}"
when: enable_debug | bool
- name: "copy nginx domain configuration to {{configuration_destination}}"
- name: "copy nginx domain configuration to {{nginx.directories.http.servers}}{{domain}}.conf"
template:
src: "roles/nginx-docker-reverse-proxy/templates/domain.conf.j2"
dest: "{{configuration_destination}}"
dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
notify: restart nginx
- name: "include the docker-oauth2-proxy role {{domain}}"
include_role:
name: docker-oauth2-proxy
when: applications[application_id].oauth2_proxy.enabled | default(false) | bool
when: oauth2_proxy_active | bool


@ -1 +0,0 @@
configuration_destination: "{{nginx.directories.http.servers}}{{domain}}.conf"


@ -14,12 +14,22 @@
domain_regex: "^{{nginx.directories.http.servers}}(?!www\\.)[^/]+\\.conf$"
path_regex: "^{{nginx.directories.http.servers}}"
- name: The domains for which a www. redirect will be implemented
debug:
var: filtered_domains
when: enable_debug | bool
# Routine for domains with primary domain included
- name: Set filtered_domains_with_primary_domain
set_fact:
filtered_domains_with_primary_domain: "{{ filtered_domains | select('search', primary_domain + '$') | list }}"
- name: Debug with primary domain
debug:
var: filtered_domains_with_primary_domain
when: enable_debug | bool
- name: Include nginx-redirect-domain role with dynamic domain mappings for domains with {{primary_domain}} included
include_role:
name: nginx-redirect-domain
@ -42,12 +52,9 @@
set_fact:
filtered_domains_without_primary_domain: "{{ filtered_domains | reject('search', primary_domain + '$') | list }}"
- name: "Relevant variables for role: {{ role_path | basename }}"
- name: Debug domains without primary domain
debug:
msg:
filtered_domains_with_primary_domain: "{{filtered_domains_with_primary_domain}}"
filtered_domains: "{{filtered_domains}}"
filtered_domains_without_primary_domain: "{{filtered_domains_without_primary_domain}}"
var: filtered_domains_without_primary_domain
when: enable_debug | bool
- name: Include nginx-redirect-domain role with dynamic domain mappings for domains without primary domain


@ -4,9 +4,6 @@
notify: restart nginx
when: run_once_nginx is not defined
# I assume the following can be deleted
# @todo Delete
- name: install nginx-mod-headers-more for matomo
pacman:
name: nginx-mod-headers-more


@ -1,5 +1,4 @@
{% if global_matomo_tracking_enabled | bool %}
# @todo Assume this can be removed. Remove.
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
{% endif %}


@ -4,7 +4,7 @@
- name: "Merge detached_files with applications.oauth2_proxy.configuration_file"
ansible.builtin.set_fact:
merged_detached_files: "{{ detached_files + [applications.oauth2_proxy.configuration_file] }}"
when: applications[application_id].oauth2_proxy.enabled | default(false) | bool
when: oauth2_proxy_active
- name: "backup detached files"
command: >
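Review bot: `when: oauth2_proxy_active` omits the `| bool` that the other new uses of this flag apply (`domain.conf.j2`, `proxy_pass.conf.j2`, the nginx-domain-setup include); since the role vars render it as a templated string (`"{{ ... | bool }}"`), the conditional here depends on Ansible's string-to-boolean handling rather than an explicit coercion. Write `when: oauth2_proxy_active | bool` for consistency. The following task's `command: >` body lies outside the hunk.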