kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-03-12 04:32:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kevinveenbirkenbach:ea30612de960b21fe1954d27f23a9f91128188da
Branches Tags
kevinveenbirkenbach:master
..
compare: kevinveenbirkenbach:eaeab18103c4b691d585547466b1222c3c3f64f1
Branches Tags
kevinveenbirkenbach:master

9 Commits
ea30612de9 ... eaeab18103

Author SHA1 Message Date
Kevin Veen-Birkenbach
eaeab18103 Solved merge variable bug 2025-02-06 21:18:25 +01:00
Kevin Veen-Birkenbach
e641539a94 Updated Mastodon README.md 2025-02-06 18:55:30 +01:00
Kevin Veen-Birkenbach
bd68e42312 Adapted URLs and SSO naming 2025-02-06 18:47:04 +01:00
Kevin Veen-Birkenbach
95f3fdb130 Implemented OIDC für mastodon 2025-02-06 18:19:42 +01:00
Kevin Veen-Birkenbach
31ee369a90 Solved bugs for not to internet exposed ldap 2025-02-06 17:15:33 +01:00
Kevin Veen-Birkenbach
f5c9c3edba solved locale network bugs of ldap 2025-02-06 16:27:00 +01:00
Kevin Veen-Birkenbach
4192c153a2 implemented password redirect url for mailu 2025-02-06 16:01:12 +01:00
Kevin Veen-Birkenbach
280ef536da Added detailled logging for nginx 2025-02-06 15:47:18 +01:00
Kevin Veen-Birkenbach
b788a7e32b Implemented OIDC for mailu 2025-02-06 15:02:33 +01:00
27 changed files with 315 additions and 136 deletions
Show Stats Expand all files Collapse all files

8
group_vars/all/00_general.yml
View File

@ -1,7 +1,6 @@
# General
pause_duration: "120" # Database delay to wait for the central database before continue tasks
backups_folder_path: "/Backups/" # Path to the backups folder
timezone: "UTC"
locale: "en"
@ -26,14 +25,8 @@ hours_server_awake: "0..23"
## Random delay for systemd timers to avoid peak loads.
randomized_delay_sec: "5min"
# Storage Space-Related Configurations
size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space
# Runtime Variables for Process Control
activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
nginx_matomo_tracking: false # Activates matomo tracking on all html pages
# One Wildcard Certificate for All Subdomains
# Enables a single Let's Encrypt wildcard certificate for all subdomains instead of individual certificates.
@ -46,4 +39,5 @@ nginx_matomo_tracking: false # Activates matomo tracking on all
enable_wildcard_certificate: false
# This enables debugging in ansible and in the apps
# You SHOULD NOT enable this on production servers
enable_debug: false

4
group_vars/all/05_nginx.yml
View File

@ -13,4 +13,6 @@ nginx:
homepage: "/usr/share/nginx/homepage/" # Path where the static homepage files are stored. @todo Move this variable to the role
## Nginx static repository
nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role
nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role
nginx_matomo_tracking: false # Activates matomo tracking on all html pages

32
group_vars/all/07_applications.yml
View File

@ -1,31 +1,14 @@
# Docker Applications
## Enable Central MariaDB
enable_central_database: true
enable_central_database_mailu: "{{enable_central_database}}"
## Enable Storage Optimizer for Docker Volumes
enable_system_storage_optimizer: true
## Docker Role Specific Parameters
docker_restart_policy: "unless-stopped"
### Keycloak Client Configuration
oidc_client_active: true # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
oidc_client_id: "{{primary_domain}}"
oidc_client_realm: "{{primary_domain}}"
oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{oidc_client_realm}}"
oidc_client_discovery_document: "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
oidc_client_authorize_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/auth"
oidc_client_toke_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/token"
oidc_client_user_info_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
oidc_client_logout_url: "{{oidc_client_issuer_url}}/protocol/openid-connect/logout"
# oidc_client_secret: "{{oidc_client_secret}}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
##############################################
## Private Helper variables ###
##############################################
ldap_network_enabled: false # Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
oauth2_proxy_upstream_application_and_port: "application:80" # The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_active: false
# By default don't expose openldap to the internet, just if explicit configured
_ldap_openldap_expose_to_internet: "{{ applications.ldap.openldap.expose_to_internet if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
defaults_applications:
@ -86,13 +69,14 @@ defaults_applications:
administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
openldap:
version: "latest"
expose_to_internet: false # Set to true if you want to expose the LDAP port to the internet. Keep in mind to
expose_to_internet: "{{_ldap_openldap_expose_to_internet}}" # Set to true if you want to expose the LDAP port to the internet
domain: "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
phpldapadmin:
version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
administrator_username: "{{administrator_username}}"
administrator_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
## Listmonk
listmonk:

39
group_vars/all/11_iam.yml Normal file
View File

@ -0,0 +1,39 @@
#############################################
### Identity and Access Management (IAM) ###
#############################################
#############################################
### OIDC ###
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect
## Private configuration variables:
_oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
_oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
defaults_oidc:
enabled: true
client:
id: "{{primary_domain}}"
# secret: # Define in inventory file
realm: "{{_oidc_client_realm}}"
issuer_url: "{{_oidc_client_issuer_url}}"
discovery_document: "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
authorize_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
toke_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
user_info_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
logout_url: "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
change_credentials: "{{_oidc_client_issuer_url}}account/account-security/signing-in"
#############################################
### OAuth2-Proxy ###
#############################################
# The name of the application which the server redirects to. Needs to be defined in role vars.
oauth2_proxy_upstream_application_and_port: "application:80"
oauth2_proxy_active: false
#############################################
### LDAP ###
#############################################
# Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
ldap_network_enabled: false

13
group_vars/all/12_storage.yml Normal file
View File

@ -0,0 +1,13 @@
## Enable Central Postgress and MariaDB instead of dedicated container per application
enable_central_database: true
enable_central_database_mailu: "{{enable_central_database}}"
## Enable Storage Optimizer for Docker Volumes
enable_system_storage_optimizer: true
backups_folder_path: "/Backups/" # Path to the backups folder
# Storage Space-Related Configurations
size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space

26
playbook.constructor.yml
View File

@ -8,20 +8,38 @@
- name: Merge domain definitions
set_fact:
domains: "{{ defaults_domains | combine(domains | default({}, true), recursive=True) }}"
- name: Merge redirect domain definitions
- name: Merge redirect domain definitions into dictionary
set_fact:
redirect_domain_mappings: >-
combined_mapping: >-
{{
(defaults_redirect_domain_mappings | items2dict(key_name='source', value_name='target'))
| combine((redirect_domain_mappings | items2dict(key_name='source', value_name='target')), recursive=True)
| dict2items
| combine(
(redirect_domain_mappings | items2dict(key_name='source', value_name='target')),
recursive=True
)
}}
- name: Transform combined mapping to list with source and target keys
set_fact:
redirect_domain_mappings: "{{ redirect_domain_mappings | default([]) + [ {'source': item.key, 'target': item.value} ] }}"
loop: "{{ combined_mapping | dict2items }}"
- name: Merge application definitions
set_fact:
applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}"
- name: Merge networks definitions
set_fact:
networks: "{{ defaults_networks | combine(networks | default({}, true), recursive=True) }}"
- name: Merge oidc configuration
set_fact:
oidc: "{{ defaults_oidc | combine(oidc | default({}, true), recursive=True) }}"
- name: print oidc dict
debug:
var: oidc
when: enable_debug | bool
- name: update device
hosts: all

8
roles/docker-bigbluebutton/templates/env.j2
View File

@ -282,12 +282,12 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
# approval - For approve/decline registration
DEFAULT_REGISTRATION=invite
{% if oidc_client_active | bool %}
{% if oidc.enabled | bool %}
### EXTERNAL AUTHENTICATION METHODS
# @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
#
OPENID_CONNECT_CLIENT_ID={{oidc_client_id}}
OPENID_CONNECT_CLIENT_SECRET={{oidc_client_secret}}
OPENID_CONNECT_ISSUER={{oidc_client_issuer_url}}
OPENID_CONNECT_CLIENT_ID={{oidc.client.id}}
OPENID_CONNECT_CLIENT_SECRET={{oidc.client.secret}}
OPENID_CONNECT_ISSUER={{oidc.client.issuer_url}}
OPENID_CONNECT_REDIRECT=https://{{domain}}
{% endif %}

8
roles/docker-discourse/templates/discourse_application.yml.j2
View File

@ -112,16 +112,16 @@ run:
## If you want to set the 'From' email address for your first registration, uncomment and change:
## After getting the first signup email, re-comment the line. It only needs to run once.
#- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
{% if oidc_client_active | bool %}
{% if oidc.enabled | bool %}
# Deactivate Default Login
- exec: rails r "SiteSetting.enable_local_logins = false"
- exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589
# OIDC Activation
- exec: rails r "SiteSetting.openid_connect_enabled = true"
- exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc_client_discovery_document}}'"
- exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc_client_id}}'"
- exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc_client_secret}}'"
- exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc.client.discovery_document}}'"
- exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc.client.id}}'"
- exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc.client.secret}}'"
- exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = 'https://{{domain}}'"
- exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
- exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"

7
roles/docker-keycloak/vars/main.yml
View File

@ -1,3 +1,4 @@
application_id: "keycloak"
database_type: "postgres"
database_password: "{{keycloak_database_password}}"
application_id: "keycloak"
database_type: "postgres"
database_password: "{{keycloak_database_password}}"
ldap_network_enabled: true # Activate LDAP network

9
roles/docker-ldap/tasks/main.yml
View File

@ -19,6 +19,11 @@
state: absent
when: not applications.ldap.openldap.expose_to_internet | bool
- name: create docker network for LDAP, so that other applications can access it
docker_network:
name: central_ldap
state: present
- name: "create {{docker_compose.files.docker_compose}}"
template:
src: "docker-compose.yml.j2"
@ -40,6 +45,7 @@
mode: '770'
force: yes
notify: docker compose project setup
when: applications.ldap.webinterface == 'phpldapadmin'
- name: "create {{docker_compose.directories.env}}lam.env"
template:
@ -47,4 +53,5 @@
dest: "{{docker_compose.directories.env}}lam.env"
mode: '770'
force: yes
notify: docker compose project setup
notify: docker compose project setup
when: applications.ldap.webinterface == 'lam'

2
roles/docker-ldap/templates/docker-compose.yml.j2
View File

@ -25,9 +25,11 @@ services:
image: bitnami/openldap:{{applications.ldap.openldap.version}}
container_name: openldap
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
{% if applications.ldap.openldap.expose_to_internet | bool %}
ports:
- 127.0.0.1:{{ldap_localhost_port}}:{{ldap_localhost_port}} # Expose just on localhost so that nginx stream proxy can use it
- 127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}} # Expose just on localhost
{% endif %}
volumes:
- 'data:/bitnami/openldap'
healthcheck:

2
roles/docker-ldap/templates/lam.env.j2
View File

@ -7,7 +7,7 @@ LAM_PASSWORD= {{applications.ldap.lam.administrator_password}}
LAM_CONFIGURATION_DATABASE= files # configuration database (files or mysql) @todo implement mariadb
# LDAP Configuration
LDAP_SERVER= {{domain}} # domain of LDAP database root entry, will be converted to dc=...,dc=...
LDAP_SERVER= {{applications.ldap.openldap.domain}} # domain of LDAP database root entry, will be converted to dc=...,dc=...
LDAP_BASE_DN= {{ldap_root}} # LDAP base DN to overwrite value generated by LDAP_DOMAIN
LDAP_USER= {{ldap_admin_dn}} # LDAP admin user (set as login user for LAM)
LDAP_ADMIN_PASSWORD= {{applications.ldap.administrator_database_password}} # LDAP admin password

2
roles/docker-ldap/vars/main.yml
View File

@ -11,4 +11,4 @@ oauth2_proxy_active: true
enable_wildcard_certificate: false # Activate dedicated Certificate
ldap_network_enabled: true # Activate LDAP network
ldap_network_enabled: true # Activate LDAP network

101
roles/docker-mailu/README.md
View File

@ -1,8 +1,8 @@
# Mailu Server Docker Role
# Mailu Server Docker Role 🚀
This guide provides instructions for setting up, operating, and maintaining the Mailu server docker role.
This guide provides instructions for setting up, operating, and maintaining the [Mailu](https://mailu.io/) server Docker role.
## Table of Contents
## Table of Contents 📖
- [Setup](#setup)
- [Fetchmail Issues](#fetchmail-issues)
@ -16,24 +16,25 @@ This guide provides instructions for setting up, operating, and maintaining the
- [Updates](#updates)
- [Queue Management](#queue-management)
- [Spam Issues](#spam-issues)
- [OIDC Support](#oidc-support)
- [To-Do](#to-do)
- [References](#references)
## Setup
## Setup ⚙️
### Fetchmail Issues
### Fetchmail Issues 📨
Fetchmail might not work properly with large amounts of data. For more information, refer to this [issue](https://github.com/Mailu/Mailu/issues/1719).
#### Deactivating Fetchmail
#### Deactivating Fetchmail
Before uninstalling Fetchmail, ensure you remove all fetched accounts from the administration panel.
#### Fetchmail Security Concerns
#### Fetchmail Security Concerns 🔐
There are known security concerns with Fetchmail as stated in the [German Wikipedia](https://de.wikipedia.org/wiki/Fetchmail). If you require Fetchmail functions in the future, consider creating a Docker container for [Getmail](https://en.wikipedia.org/wiki/Getmail) as it is considered more secure.
#### Fetchmail Workaround
#### Fetchmail Workaround 🔄
If you need to receive emails from another account, follow these steps:
@ -41,7 +42,7 @@ If you need to receive emails from another account, follow these steps:
2. Export all data from your original account.
3. Import all data to your new account.
### Port Management
### Port Management 🌐
Check for any port conflicts and manually change the conflicting ports if necessary. Use the following command to verify:
@ -49,7 +50,7 @@ Check for any port conflicts and manually change the conflicting ports if necess
netstat -tulpn
```
### Admin Account Creation
### Admin Account Creation 👤
To use Mailu, create the primary administrator user account, `admin@{{hostname}}`, using the command below. Replace `PASSWORD` with your preferred password:
@ -57,11 +58,11 @@ To use Mailu, create the primary administrator user account, `admin@{{hostname}}
docker-compose -p mailu exec admin flask mailu admin {{admin}} {{hostname}} PASSWORD
```
### CLI User Management
### CLI User Management 🛠️
For managing users, follow the instructions in the official [Mailu CLI documentation](https://mailu.io/master/cli.html).
### Starting the Server
### Starting the Server ▶️
To start the server, use the following command:
@ -69,9 +70,9 @@ To start the server, use the following command:
docker-compose -p mailu up -d
```
## Debugging
## Debugging 🕵️‍♂️
### Database Access
### Database Access 📂
To access the database, use the following command:
@ -79,7 +80,7 @@ To access the database, use the following command:
docker-compose exec -it database mysql -u root -D mailu -p
```
### Container Access
### Container Access 🖥️
To access the front container, use this command:
@ -87,15 +88,15 @@ To access the front container, use this command:
docker-compose exec -it front /bin/bash
```
### Restarting Services
### Restarting Services 🔄
To restart all services, use the following command:
```bash
docker-compose restart
docker-compose restart
```
### Resending Queued Mails
### Resending Queued Mails ✉️
To resend queued mails, use this command:
@ -103,63 +104,69 @@ To resend queued mails, use this command:
docker-compose exec -it smtp postqueue -f
```
## Testing
## Testing 🧪
Use the following tools for testing:
- SSL-Tools Mailserver Test (URL: https://de.ssl-tools.net/mailservers/)
- TestEmail.de (URL: http://testemail.de/)
- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
- [TestEmail.de](http://testemail.de/)
## Updates
## Updates 🔄
For instructions on updating your Mailu setup, follow the official [Mailu maintenance guide](https://mailu.io/master/maintain.html).
## Queue Management
## Queue Management 📬
To manage the Postfix email queue in Mailu, you can use the following commands:
- **Display the email queue**: This command shows all queued emails.
- **Display the email queue**:
```bash
docker compose exec -it smtp postqueue -p
```
- **Delete all emails in the queue**: To remove all queued emails permanently, use the command:
- **Delete all emails in the queue**:
```bash
docker compose exec -it smtp postsuper -d ALL
```
These commands can help control the email queue, especially for clearing out emails with delivery issues or delays.
## Spam Issues 🚨
## Spam Issues
### Inspect
### Inspect 🔎
Use the following tools to monitor your domain and email deliverability:
- [Google Postmaster](https://postmaster.google.com/) - Analyzes deliverability and spam issues for Gmail.
- [Yahoo Postmaster](https://postmaster.yahooinc.com) - Provides insights and delivery reports for Yahoo.
### Blacklist Check
### Blacklist Check 🚫
If your domain is blacklisted, you can check the status with these services and take steps to remove your domain if necessary:
- [Spamhaus](https://check.spamhaus.org/) - One of the most widely used blacklists for spam.
- [Barracuda](https://www.barracudacentral.org/lookups) - Checks if your IP is on the Barracuda blacklist.
- [Spamhaus](https://check.spamhaus.org/)
- [Barracuda](https://www.barracudacentral.org/lookups)
### Cloudmark Reset Request
### Cloudmark Reset Request 🔄
If your IP or domain is flagged by Cloudmark, you can submit a **reset request** to help restore deliverability:
If your IP or domain is flagged by Cloudmark, you can submit a **reset request**:
- [Cloudmark Reset](https://csi.cloudmark.com/en/reset/)
## To-Do
## OIDC Support 🔐
- Implement two-factor authentication in Roundcube Webmail. More information can be found [here](https://blog.kuepper.nrw/2019/03/30/roundcube-webmail-mit-zwei-faktor-authentifizierung/).
- Integrate Nextcloud 15 and newer with Mailu. Learn more about this [here](https://mailu.io/master/faq.html#i-want-to-integrate-nextcloud-15-and-newer-with-mailu).
- User authentication with Nextcloud. Find more information [here](https://docs.nextcloud.com/server/9.0/admin_manual/configuration_user/user_auth_ftp_smb_imap.html).
This role now supports OpenID Connect (OIDC) authentication with [Mailu-OIDC](https://github.com/heviat/Mailu-OIDC)! 🎉
## References
To enable OIDC authentication, simply set the following variable:
```yaml
oidc:
enabled: true
```
For more details, check out the [Mailu-OIDC repository](https://github.com/heviat/Mailu-OIDC/tree/2024.06).
## References 🔗
- [Mailu compose setup guide](https://mailu.io/1.7/compose/setup.html)
- [SysPass issue #1299](https://github.com/nuxsmin/sysPass/issues/1299)
- [Mailu issue #1719](https://github.com/Mailu/Mailu/issues/1719)
@ -169,8 +176,18 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request**
- [Mailu GitHub repository](https://github.com/Mailu/Mailu)
- [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed)
- [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b)
- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC)
For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu).
---
This README.md was optimized with [Chat-GPT](https://chat.openai.com/share/d1ad5ce7-3aa1-4a14-a959-63393b39374a)
For more information about this role, visit the GitHub repositories:
- [Mailu](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu)
- [Mailu-OIDC](https://github.com/heviat/Mailu-OIDC)
### About this Role ✨
This Mailu Docker role was developed by **[Kevin Veen-Birkenbach](https://veen.world)**.
This `README.md` was optimized with the help of [ChatGPT](https://chat.openai.com)🚀 and this conversations:
- https://chat.openai.com/share/d1ad5ce7-3aa1-4a14-a959-63393b39374a
- https://chatgpt.com/share/67a4bffb-9330-800f-aed5-715c6a8ced2f

20
roles/docker-mailu/templates/docker-compose.yml.j2
View File

@ -6,13 +6,13 @@ services:
# Core services
resolver:
image: ghcr.io/mailu/unbound:{{applications.mailu.version}}
image: {{docker_source}}/unbound:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
{% include 'templates/docker/container/networks.yml.j2' %}
ipv4_address: {{networks.local.mailu.dns}}
front:
image: ghcr.io/mailu/nginx:{{applications.mailu.version}}
image: {{docker_source}}/nginx:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
ports:
- "127.0.0.1:{{ http_port }}:80"
@ -37,7 +37,7 @@ services:
- {{networks.local.mailu.dns}}
admin:
image: ghcr.io/mailu/admin:{{applications.mailu.version}}
image: {{docker_source}}/admin:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
volumes:
- "admin_data:/data"
@ -52,7 +52,7 @@ services:
{% include 'templates/docker/container/networks.yml.j2' %}
imap:
image: ghcr.io/mailu/dovecot:{{applications.mailu.version}}
image: {{docker_source}}/dovecot:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
volumes:
- "dovecot_mail:/mail"
@ -65,7 +65,7 @@ services:
{% include 'templates/docker/container/networks.yml.j2' %}
smtp:
image: ghcr.io/mailu/postfix:{{applications.mailu.version}}
image: {{docker_source}}/postfix:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
volumes:
- "{{docker_compose.directories.volumes}}overrides:/overrides:ro"
@ -78,7 +78,7 @@ services:
{% include 'templates/docker/container/networks.yml.j2' %}
oletools:
image: ghcr.io/mailu/oletools:{{applications.mailu.version}}
image: {{docker_source}}/oletools:{{applications.mailu.version}}
hostname: oletools
restart: {{docker_restart_policy}}
depends_on:
@ -89,7 +89,7 @@ services:
noinet:
antispam:
image: ghcr.io/mailu/rspamd:{{applications.mailu.version}}
image: {{docker_source}}/rspamd:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
volumes:
- "filter:/var/lib/rspamd"
@ -119,7 +119,7 @@ services:
{% include 'templates/docker/container/networks.yml.j2' %}
webdav:
image: ghcr.io/mailu/radicale:{{applications.mailu.version}}
image: {{docker_source}}/radicale:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
volumes:
- "webdav_data:/data"
@ -131,7 +131,7 @@ services:
radicale:
fetchmail:
image: ghcr.io/mailu/fetchmail:{{applications.mailu.version}}
image: {{docker_source}}/fetchmail:{{applications.mailu.version}}
volumes:
- "admin_data:/data"
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
@ -145,7 +145,7 @@ services:
{% include 'templates/docker/container/networks.yml.j2' %}
webmail:
image: ghcr.io/mailu/webmail:{{applications.mailu.version}}
image: {{docker_source}}/webmail:{{applications.mailu.version}}
{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
volumes:
- "webmail_data:/data"

29
roles/docker-mailu/templates/env.j2
View File

@ -148,4 +148,31 @@ SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_
API_TOKEN={{mailu_api_token}}
# Activated https://mailu.io/master/configuration.html#advanced-settings
AUTH_REQUIRE_TOKENS=True
AUTH_REQUIRE_TOKENS=True
{% if oidc.enabled | bool %}
###################################
# OpenID Connect settings
###################################
# @see https://github.com/heviat/Mailu-OIDC/tree/master
# Enable OpenID Connect. Possible values: True, False
OIDC_ENABLED={{ oidc.enabled | string | capitalize }}
# OpenID Connect provider configuration URL
OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
# OpenID redirect URL if HOSTNAME not matching your login url
OIDC_REDIRECT_URL=https://{{domain}}
# OpenID Connect Client ID for Mailu
OIDC_CLIENT_ID={{oidc.client.id}}
# OpenID Connect Client secret for Mailu
OIDC_CLIENT_SECRET={{oidc.client.secret}}
# Label text for OpenID Connect login button. Default: OpenID Connect
OIDC_BUTTON_NAME=OpenID Connect
# Disable TLS certificate verification for the OIDC client. Possible values: True, False
OIDC_VERIFY_SSL=True
# Enable redirect to OIDC provider for password change. Possible values: True, False
OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
# Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
{% endif %}

6
roles/docker-mailu/vars/main.yml
View File

@ -7,4 +7,8 @@ enable_wildcard_certificate: false
# I don't know why this configuration is necessary.
# Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
# @todo research
enable_central_database: "{{enable_central_database_mailu}}"
enable_central_database: "{{enable_central_database_mailu}}"
# Use dedicated source for oidc if activated
# @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
docker_source: "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}"

60
roles/docker-mastodon/README.md
View File

@ -1,16 +1,24 @@
# docker mastodon
# 🚀 Docker Mastodon with OIDC Support
## create configuration
## 📌 Overview
This project provides a **Docker-based setup for Mastodon**, including full **OIDC (OpenID Connect) authentication support**. It is maintained by **[Kevin Veen-Birkenbach](https://www.veen.world)**.
This README and some parts of the code were created with the assistance of ChatGPT. You can follow the discussion and evolution of this project in [this conversation](https://chatgpt.com/c/67a4e19b-3884-800f-9d45-621dda2a6572).
## ⚙️ Configuration & Setup
### 🔧 Create Configuration
Run the following command to generate a new configuration setup:
```bash
docker-compose run --rm web bundle exec rake mastodon:setup
```
## Setup with existing configuration
```bash
### 🔄 Setup with an Existing Configuration
```bash
docker-compose run --rm web bundle exec rails db:migrate
```
## cleanup
### 🗑️ Cleanup (Remove Instance & Volumes)
```bash
cd {{path_docker_compose_instances}}mastodon/
docker-compose down
@ -19,33 +27,45 @@ cd {{path_docker_compose_instances}} &&
rm -vR {{path_docker_compose_instances}}mastodon
```
## access terminal
### 🔍 Access Mastodon Terminal
```bash
docker-compose exec -it web /bin/bash
```
## set rights
After setting up mastodon you need to give the rights
### 🛠️ Set File Permissions
After setting up Mastodon, apply the correct file permissions:
```bash
docker-compose exec -it -u root web chown -R 991:991 public
```
### Running Database Migrations
To ensure all required database tables and structures are in place after an update, you can run database migrations directly within the Mastodon web container. Use the following command:
## 📦 Database Management
### 🏗️ Running Database Migrations
Ensure all required database structures are up to date:
```bash
docker compose exec -it web bash -c "RAILS_ENV=production bin/rails db:migrate"
```
This command enters the web container and runs migrations in production mode, updating the database structure to match the current version of the Mastodon software. If your Mastodon web container is named differently in your `docker-compose.yml`, replace `web` with the appropriate container name.
## 🚀 Performance Optimization
### 🗑️ Delete Cache & Recompile Assets
```bash
docker-compose exec web bundle exec rails assets:precompile
docker-compose restart
```
This ensures your Mastodon instance is loading the latest assets after updates.
## 🔐 OIDC (OpenID Connect) Authentication Support
This Mastodon role now **fully supports OpenID Connect (OIDC)**, allowing seamless authentication via identity providers like **Keycloak, Auth0, Google, or other OIDC-compliant services**.
## 📚 Further Reading
- [Mastodon with Docker & Traefik](https://goneuland.de/mastodon-mit-docker-und-traefik-installieren/)
- [Mastodon Configuration Guide](https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4)
- [Check Website Availability](https://www.2daygeek.com/linux-command-check-website-is-up-down-alive/)
- [Personal Mastodon Setup](https://vitobotta.com/2022/11/07/setting-up-a-personal-mastodon-instance/)
- [Scaling a Mastodon Server](https://www.digitalocean.com/community/tutorials/how-to-scale-your-mastodon-server)
- [Mastodon GitHub Issues](https://github.com/mastodon/mastodon/issues/7958)
## further information
- https://goneuland.de/mastodon-mit-docker-und-traefik-installieren/
- https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4
- https://www.2daygeek.com/linux-command-check-website-is-up-down-alive/
- https://vitobotta.com/2022/11/07/setting-up-a-personal-mastodon-instance/
- https://www.digitalocean.com/community/tutorials/how-to-scale-your-mastodon-server

26
roles/docker-mastodon/templates/env.j2
View File

@ -1,3 +1,5 @@
# @see https://docs.joinmastodon.org/admin/config
LOCAL_DOMAIN={{domain}}
ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
SINGLE_USER_MODE={{applications.mastodon.single_user_mode}}
@ -27,4 +29,26 @@ SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{mastodon_active_record_encryption_deterministic_key}}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{mastodon_active_record_encryption_key_derivation_salt}}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}
{% if oidc.enabled | bool %}
###################################
# OpenID Connect settings
###################################
# @see https://github.com/mastodon/mastodon/pull/16221
# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
OIDC_ENABLED={{ oidc.enabled | string | lower }}
OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
OIDC_ISSUER={{oidc.client.issuer_url}}
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile,email"
OIDC_UID_FIELD=preferred_username # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
OIDC_CLIENT_ID={{oidc.client.id}}
OIDC_REDIRECT_URI=https://{{domain}}/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET={{oidc.client.secret}}
OMNIAUTH_ONLY=true # uncomment to only use OIDC for login / registration buttons
ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
ONE_CLICK_SSO_LOGIN=true
{% endif %}

2
roles/docker-nextcloud/tasks/main.yml
View File

@ -35,4 +35,4 @@
# @todo activate
#- name: Include OIDC-specific tasks if OIDC client is active
# include_tasks: oidc_tasks.yml
# when: oidc_client_active | bool
# when: oidc.enabled | bool

2
roles/docker-nextcloud/tasks/oidc_tasks.yml
View File

@ -20,7 +20,7 @@
command: >
docker-compose exec -u www-data application /var/www/html/occ
config:app:set sociallogin custom_providers
--value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
--value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
# This configuration defines custom OpenID Connect (OIDC) providers for authentication.
# In this case, it sets up a Keycloak provider with details like URLs for authorization,
# token retrieval, user info, and logout, as well as the client ID and secret.

8
roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
View File

@ -3,14 +3,14 @@ cookie_secret = "{{applications.oauth2_proxy.cookie_secret}}"
email_domains = "{{primary_domain}}"
cookie_secure = "false"
upstreams = "http://{{oauth2_proxy_upstream_application_and_port}}"
cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
# keycloak provider
client_secret = "{{oidc_client_secret}}"
client_id = "{{oidc_client_id}}"
client_secret = "{{oidc.client.secret}}"
client_id = "{{oidc.client.id}}"
redirect_url = "https://{{domain}}/oauth2/callback"
oidc_issuer_url = "{{oidc_client_issuer_url}}"
oidc_issuer_url = "{{oidc.client.issuer_url}}"
provider = "oidc"
provider_display_name = "Keycloak"

15
roles/nginx/README.md
View File

@ -1,9 +1,22 @@
# role nginx
This role sets up an nginx server. It was developed by [Kevin Veen-Birkenbach](https://www.veen.world).
## Debug
## debug
### General Debugging
```bash
journalctl -f -u nginx
```
### Detailled Debugging
Set ``enable_debugenable_debug: true``.
#### Follow logs of one host
```bash
journalctl -u nginx -f | grep "<<hostname>>"
```
### Activate detailled Debugging:
## performance
- https://www.monitis.com/blog/6-best-practices-for-optimizing-your-nginx-performance/
- https://www.nginx.com/blog/tuning-nginx/

1
roles/nginx/tasks/main.yml
View File

@ -35,7 +35,6 @@
- name: "include task certbot-matomo.yml"
include_tasks: certbot-matomo.yml
when: run_once_nginx is not defined
vars:
domain: "{{primary_domain}}"
when: run_once_nginx is not defined

16
roles/nginx/templates/nginx.conf.j2
View File

@ -17,8 +17,22 @@ http
# caching
proxy_cache_path /tmp/cache levels=1:2 keys_zone=cache:20m max_size=20g inactive=14d use_temp_path=off;
# logs
# logging and debugging
{% if enable_debug | bool %}
# individual log format for better debugging
log_format debug '$host - $remote_addr [$time_local] '
'"$request" $status $body_bytes_sent '
'"Referer: $http_referer" '
'"User-Agent: $http_user_agent" '
'"ReqTime: $request_time" "UpstreamTime: $upstream_response_time" '
'"ReqLength: $request_length" "BytesSent: $bytes_sent" '
'"ConnRequests: $connection_requests" '
'"X-Forwarded-For: $http_x_forwarded_for" '
'"Scheme: $scheme" "Protocol: $server_protocol" "ServerName: $server_name"';
access_log syslog:server=unix:/dev/log debug;
{% else %}
access_log syslog:server=unix:/dev/log;
{% endif %}
error_log syslog:server=unix:/dev/log;
sendfile on;

3
templates/docker/compose/networks.yml.j2
View File

@ -4,8 +4,9 @@ networks:
central_{{ database_type }}:
external: true
{% endif %}
{% if ldap_network_enabled %}
{% if ldap_network_enabled | bool %}
central_ldap:
external: true
{% endif %}
default:
{% if application_id in networks.local and networks.local[application_id].subnet is defined %}

2
templates/docker/container/networks.yml.j2
View File

@ -3,7 +3,7 @@
{% if enable_central_database | bool and database_type is defined %}
central_{{ database_type }}:
{% endif %}
{% if ldap_network_enabled %}
{% if ldap_network_enabled | bool %}
central_ldap:
{% endif %}
default: