From 3ee003f94cea4acfffdbdeacbdcbff1e59a522b8 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sun, 19 Dec 2021 10:09:25 +0100 Subject: [PATCH 01/66] Fix blog upstream setting Removed setting the landingpage upstream accidentally, switched its alias to blog instead. --- roles/blog/defaults/main.yml | 2 +- roles/blog/templates/upstream.json.j2 | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/roles/blog/defaults/main.yml b/roles/blog/defaults/main.yml index f0057a2..fcf9a0f 100644 --- a/roles/blog/defaults/main.yml +++ b/roles/blog/defaults/main.yml @@ -8,4 +8,4 @@ blog_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" blog_use_https: true # the subdomain link blog will be reachable under -# subdomain_alias: blog +subdomain_alias: blog diff --git a/roles/blog/templates/upstream.json.j2 b/roles/blog/templates/upstream.json.j2 index 6c6c59d..a8af36a 100644 --- a/roles/blog/templates/upstream.json.j2 +++ b/roles/blog/templates/upstream.json.j2 @@ -9,8 +9,6 @@ {% else %} "{{ stack_name }}.{{ server_domain }}" {% endif %} - , - "{{ server_domain }}" ] } ], From 06bb34891edcb2e02320b8c9a0ecaaa8a18156e3 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 20 Dec 2021 11:47:11 +0100 Subject: [PATCH 02/66] Add simple ci deployment --- roles/gitea/defaults/main.yml | 9 +++++ roles/gitea/handlers/main.yml | 38 ++++++++++++++++++++ roles/gitea/tasks/Ubuntu.yml | 12 +++++++ roles/gitea/tasks/main.yml | 22 ++++++++++++ roles/gitea/templates/docker-stack.yml.j2 | 42 +++++++++++++++++++++++ roles/gitea/templates/upstream_ci.json.j2 | 39 +++++++++++++++++++++ 6 files changed, 162 insertions(+) create mode 100644 roles/gitea/tasks/Ubuntu.yml create mode 100644 roles/gitea/templates/upstream_ci.json.j2 diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 136085a..1bace83 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml 
@@ -9,6 +9,7 @@ gitea_use_https: true # the subdomain link gitea will be reachable under subdomain_alias: git +subdomain_ci_alias: ci gitea_db_database: gitea gitea_db_username: gitea @@ -22,3 +23,11 @@ gitea_app_admin_email: myadmin@mydomain.mytld # gitea_smtp_username: my@username.com # gitea_smtp_password: # gitea_smtp_force_tls: false # forces tls if it is on a non-traditional tls port. Overwrites starttls so should generally be off + +gitea_use_ci: false +# gitea_ci_github_client: +# gitea_ci_github_secret: +# gitea_ci_gitlab_client: +# gitea_ci_gitlab_secret: +# gitea_ci_gitea_client: +# gitea_ci_gitea_secret: diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml index 68ebab7..c45c3a5 100644 --- a/roles/gitea/handlers/main.yml +++ b/roles/gitea/handlers/main.yml @@ -23,6 +23,14 @@ become: yes listen: "update gitea upstream" +- name: Update ci upstream template + ansible.builtin.template: + src: upstream_ci.json.j2 + dest: "{{ gitea_upstream_file_dir }}/upstream_ci.json" + mode: '0600' + become: yes + listen: "update gitea upstream" + # figure out if upstream id exists - name: check {{ stack_name }} upstream community.docker.docker_container_exec: 
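Review bot: The commented-out `gitea_ci_*_client` / `gitea_ci_*_secret` keys added at the end of the second hunk are OAuth credentials, and a role's defaults/main.yml is the wrong place to ever fill them in — it is committed and sits at the lowest variable precedence. I would put a short comment above them so the next maintainer does not uncomment them in place, e.g. `# OAuth client/secret pairs: supply from an encrypted vars file (ansible-vault), not here; keep values quoted so numeric-looking secrets are not retyped.` The `gitea_use_ci: false` switch itself reads fine; `when: gitea_use_ci == True` in the tasks file can simply be `when: gitea_use_ci`.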
@@ -53,6 +61,36 @@ become: yes listen: "update gitea upstream" +# figure out if upstream id exists +- name: check {{ stack_name }}_ci upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl localhost:2019/id/{{ stack_name }}_ci_upstream/ + changed_when: False + register: result + become: yes + listen: "update gitea upstream" + +# upstream for ci already exists, patch it +- name: remove old {{ stack_name }}_ci upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl -X DELETE localhost:2019/id/{{ stack_name }}_ci_upstream/ + become: yes + when: (result.stdout | from_json)['error'] is not defined + listen: "update gitea upstream" +# +# upstream for ci has to be created +- name: add {{ stack_name }}_ci upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl -X POST -H "Content-Type: application/json" -d @{{ gitea_upstream_file_dir }}/upstream_ci.json localhost:2019/config/apps/http/servers/{{ (gitea_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + become: yes + listen: "update gitea upstream" + - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ gitea_upstream_file_dir }}" diff --git a/roles/gitea/tasks/Ubuntu.yml b/roles/gitea/tasks/Ubuntu.yml new file mode 100644 index 0000000..a67147d --- /dev/null +++ b/roles/gitea/tasks/Ubuntu.yml @@ -0,0 +1,12 @@ +--- +## install requisites +- name: Ensure openssl installed + ansible.builtin.package: + name: "openssl" + state: present + become: yes + tags: + - apt + - download + - packages + diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 3529038..a766f61 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
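Review bot: The `remove old … _ci upstream` and `add … _ci upstream` tasks call curl without `-f`/`--fail`, so a 4xx/5xx reply from the Caddy admin API still exits 0 and the handler reports success while the route is silently missing or stale; adding `-sSf` to those two commands (e.g. `curl -sSf -X DELETE localhost:2019/id/{{ stack_name }}_ci_upstream/`) surfaces the error, and as far as I can tell `docker_container_exec` does not itself fail on a non-zero `rc`, so pair it with `failed_when: result.rc != 0` on the registered result. Leave the preceding `check … _ci upstream` task as is — its `when` in the delete task depends on reading the JSON error body that `-f` would discard. The stray `+#` line between the remove and add tasks is an empty comment and can be dropped. The same unguarded curl pattern is repeated in `roles/ntfy/handlers/main.yml` added in PATCH 04/66.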
@@ -1,4 +1,26 @@ --- +## Prepare woodpecker ci +- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + include_tasks: "{{ distribution }}" + with_first_found: + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + loop_control: + loop_var: distribution + when: gitea_use_ci == True + +- name: Generate agent key + ansible.builtin.shell: openssl rand -hex 32 + register: gitea_woodpecker_agent_secret + when: gitea_use_ci == True + +- name: Set agent key + ansible.builtin.set_fact: + gitea_woodpecker_agent_secret: "{{ gitea_woodpecker_agent_secret.stdout }}" + when: gitea_woodpecker_agent_secret.stdout is not undefined and not None + +## Prepare gitea - name: Ensure git user exists with ssh key ansible.builtin.user: name: "{{ gitea_git_username }}" diff --git a/roles/gitea/templates/docker-stack.yml.j2 b/roles/gitea/templates/docker-stack.yml.j2 index aa1cb81..80a33eb 100644 --- a/roles/gitea/templates/docker-stack.yml.j2 +++ b/roles/gitea/templates/docker-stack.yml.j2 
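Review bot: In `Set agent key`, `when: gitea_woodpecker_agent_secret.stdout is not undefined and not None` parses as `(… is not undefined) and (not None)`; the second operand is the constant `none`, so `not None` is always true and the intended null check never runs — write `when: gitea_woodpecker_agent_secret.stdout is defined and gitea_woodpecker_agent_secret.stdout is not none`. The same `… is not undefined and not None`/`not none` shape recurs in `templates/docker-stack.yml.j2` and `templates/upstream_ci.json.j2` in this commit and has the same always-true second half. `Generate agent key` also prints the freshly generated secret into the play output; `no_log: true` on that task keeps it out of logs, and since `openssl rand` runs on every play the stack is redeployed with a rotated `WOODPECKER_AGENT_SECRET` each time, which a comment (the TODO added in PATCH 03/66 acknowledges this) or a guard on an existing value should address.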
@@ -56,9 +56,51 @@ services: - POSTGRES_PASSWORD={{ gitea_db_password }} - POSTGRES_DB={{ gitea_db_database }} +{% if gitea_use_ci %} + wp-server: + image: woodpeckerci/woodpecker-server:latest + networks: + - "{{ docker_swarm_public_network_name }}" + - backend + volumes: + - woodpecker:/var/lib/woodpecker/ + environment: + - WOODPECKER_OPEN=true + - "WOODPECKER_HOST={{ (gitea_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_ci_alias is not undefined and not none) | ternary(subdomain_ci_alias, stack_name + '_ci') }}.{{server_domain}}" + - WOODPECKER_AGENT_SECRET={{ gitea_woodpecker_agent_secret }} +{% if gitea_ci_github_client is not undefined and not None and gitea_ci_github_secret is not undefined and not None %} + - WOODPECKER_GITHUB=true + - WOODPECKER_GITHUB_CLIENT={{ gitea_ci_github_client }} + - WOODPECKER_GITHUB_SECRET={{ gitea_ci_github_secret }} +{% endif %} +{% if gitea_ci_gitlab_client is not undefined and not None and gitea_ci_gitlab_secret is not undefined and not None %} + - WOODPECKER_GITLAB=true + - WOODPECKER_gitlab_CLIENT={{ gitea_ci_gitlab_client }} + - WOODPECKER_gitlab_SECRET={{ gitea_ci_gitlab_secret }} +{% endif %} +{% if gitea_ci_gitea_client is not undefined and not None and gitea_ci_gitea_secret is not undefined and not None %} + - WOODPECKER_GITEA=true + - "WOODPECKER_GITEA_URL={{ (gitea_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" + - WOODPECKER_GITEA_CLIENT={{ gitea_ci_gitea_client }} + - WOODPECKER_GITEA_SECRET={{ gitea_ci_gitea_secret }} +{% endif %} + + wp-agent: + image: woodpeckerci/woodpecker-agent:latest + networks: + - backend + command: agent + volumes: + - /var/run/docker.sock:/var/run/docker.sock + environment: + - WOODPECKER_SERVER=wp-server:9000 + - WOODPECKER_AGENT_SECRET={{ gitea_woodpecker_agent_secret }} +{% endif %} + volumes: data: db: + woodpecker: networks: "{{ 
docker_swarm_public_network_name }}": diff --git a/roles/gitea/templates/upstream_ci.json.j2 b/roles/gitea/templates/upstream_ci.json.j2 new file mode 100644 index 0000000..9c5ee64 --- /dev/null +++ b/roles/gitea/templates/upstream_ci.json.j2 @@ -0,0 +1,39 @@ +{ + "@id": "{{ stack_name }}_ci_upstream", +{% if server_domain is not undefined and not none %} + "match": [ + { + "host": [ +{% if subdomain_ci_alias is not undefined and not none %} + "{{ subdomain_ci_alias }}.{{ server_domain }}" +{% else %} + "{{ stack_name }}_ci.{{ server_domain }}" +{% endif %} + ] + } + ], +{% else %} + "match": [ + { + "path": [ +{% if subdomain_ci_alias is not undefined and not none %} + "/{{ subdomain_ci_alias }}*" +{% else %} + "/{{ stack_name }}_ci*" +{% endif %} + ] + } + ], +{% endif %} + "handle": [ + { + "handler": "reverse_proxy", + "upstreams": [ + { + "dial": "{{ stack_name }}_wp-server:8000" + } + ] + } + ] +} + From 1e0643352de5d2d5ed80bad18645a84e5419e3f1 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sat, 22 Jan 2022 10:48:31 +0100 Subject: [PATCH 03/66] Fix gitea admin setup, Add healthcheck Added healthcheck to gitea database contaier. Fixed initial admin setup checks - uses correct in-container user and fixed fail checks. --- roles/gitea/tasks/main.yml | 10 ++++++---- roles/gitea/templates/docker-stack.yml.j2 | 6 ++++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index a766f61..9278a4f 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -10,6 +10,7 @@ loop_var: distribution when: gitea_use_ci == True +# TODO only generate when no existing (check with docker inspect?) - name: Generate agent key ansible.builtin.shell: openssl rand -hex 32 register: gitea_woodpecker_agent_secret 
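Review bot: `wp-agent` bind-mounts `/var/run/docker.sock`, which makes anyone who can run a pipeline root-equivalent on the swarm node, and `wp-server` sets `WOODPECKER_OPEN=true`, so every account on the connected forge can register and run such a pipeline. Set `WOODPECKER_OPEN=false` (or an explicit admin/org allowlist if the server supports one), pin the agent to a dedicated worker node with a placement constraint if it must keep the socket, and document that trust boundary in a comment above the volume. In the GitLab block the names `WOODPECKER_gitlab_CLIENT` / `WOODPECKER_gitlab_SECRET` are lower-case unlike their GitHub and Gitea counterparts; environment variable names are case-sensitive, so they should read `WOODPECKER_GITLAB_CLIENT` / `WOODPECKER_GITLAB_SECRET`. Both images are `:latest`, as is `roles/ntfy/templates/docker-stack.yml.j2` in PATCH 04/66; pinning a tag or digest keeps redeploys reproducible.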
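Review bot: The host fallback `"{{ stack_name }}_ci.{{ server_domain }}"` contains an underscore, which is not a valid character in a DNS hostname label, so with `subdomain_ci_alias` overridden to null the route would match a name that public resolvers cannot serve and that, as far as I know, cannot receive a certificate; the defaults set the alias to `ci`, so this only bites on override. A hyphen in the fallback (`"{{ stack_name }}-ci.{{ server_domain }}"`), mirrored in the `WOODPECKER_HOST` fallback `stack_name + '_ci'` in `docker-stack.yml.j2`, keeps both reachable. The file also ends with an added blank line after the closing brace.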
@@ -105,13 +106,14 @@ - name: Look for existing admin user community.docker.docker_container_exec: container: "{{ gitea_app_container_name['stdout'] }}" + user: git command: > gitea admin user list --admin become: yes - until: "'connection refused' not in gitea_admin_list and 'Failed to run app' not in gitea_admin_list" - retries: 5 + until: "'connection refused' not in gitea_admin_list['stdout'] and 'Failed to run app' not in gitea_admin_list['stdout']" + retries: 10 delay: 10 - changed_when: gitea_admin_list['stdout_lines'] | length <= 1 - failed_when: gitea_admin_list['rc'] == 1 and gitea_admin_list['attempts'] >= 5 + changed_when: gitea_admin_list['stdout_lines'] | length <= 1 and 'Username' in gitea_admin_list['stdout'] + failed_when: (gitea_admin_list['rc'] == 1 and gitea_admin_list['attempts'] >= 5) or 'Gitea is not supposed to be run as root' in gitea_admin_list['stdout'] register: gitea_admin_list notify: "no admin user" diff --git a/roles/gitea/templates/docker-stack.yml.j2 b/roles/gitea/templates/docker-stack.yml.j2 index 80a33eb..fa4cff9 100644 --- a/roles/gitea/templates/docker-stack.yml.j2 +++ b/roles/gitea/templates/docker-stack.yml.j2 @@ -47,6 +47,12 @@ services: db: image: postgres:13 + healthcheck: + test: ["CMD", "pg_isready", "-q", "-U", "{{ gitea_db_username }}"] + interval: 1m + timeout: 10s + retries: 3 + start_period: 1m volumes: - db:/var/lib/postgresql/data networks: From 32b1b13ef42836ed6ba4a4483c6c8867effb6ecf Mon Sep 17 00:00:00 2001 
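Review bot: `retries` is raised to 10 but the new `failed_when` still tests `gitea_admin_list['attempts'] >= 5`, so the two thresholds no longer agree; the intent appears to be "fail only once retries are exhausted", so it should read `failed_when: (gitea_admin_list['rc'] == 1 and gitea_admin_list['attempts'] >= 10) or 'Gitea is not supposed to be run as root' in gitea_admin_list['stdout']`. A brief comment above the task stating that the first attempts are expected to fail while Gitea is still starting would explain why `rc == 1` is tolerated at all. The task definition continues past the hunk (`register`/`notify` lines).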
From: Marty Oehme Date: Sun, 23 Jan 2022 13:54:56 +0100 Subject: [PATCH 04/66] Add ntfy role Installs and configures the ntfysh server to enable notifications. --- group_vars/testing.yml | 1 + roles/ntfy/README.md | 42 ++++++++++++++++++++++ roles/ntfy/defaults/main.yml | 20 +++++++++++ roles/ntfy/handlers/main.yml | 46 ++++++++++++++++++++++++ roles/ntfy/meta/main.yml | 14 ++++++++ roles/ntfy/tasks/main.yml | 38 ++++++++++++++++++++ roles/ntfy/templates/docker-stack.yml.j2 | 25 +++++++++++++ roles/ntfy/templates/server.yml.j2 | 15 ++++++++ roles/ntfy/templates/upstream.json.j2 | 40 +++++++++++++++++++++ roles/ntfy/vars/main.yml | 7 ++++ site.yml | 5 +++ 11 files changed, 253 insertions(+) create mode 100644 roles/ntfy/README.md create mode 100644 roles/ntfy/defaults/main.yml create mode 100644 roles/ntfy/handlers/main.yml create mode 100644 roles/ntfy/meta/main.yml create mode 100644 roles/ntfy/tasks/main.yml create mode 100644 roles/ntfy/templates/docker-stack.yml.j2 create mode 100644 roles/ntfy/templates/server.yml.j2 create mode 100644 roles/ntfy/templates/upstream.json.j2 create mode 100644 roles/ntfy/vars/main.yml diff --git a/group_vars/testing.yml b/group_vars/testing.yml index 13676f5..c27a1ff 100644 --- a/group_vars/testing.yml +++ b/group_vars/testing.yml @@ -12,6 +12,7 @@ landingpage_use_https: no miniflux_use_https: no monica_use_https: no nextcloud_use_https: no +ntfy_use_https: no searx_use_https: no shaarli_use_https: no traggo_use_https: no diff --git a/roles/ntfy/README.md b/roles/ntfy/README.md new file mode 100644 index 0000000..df9bd6d --- /dev/null +++ b/roles/ntfy/README.md 
@@ -0,0 +1,42 @@ +# ntfy + +A self-hosted notifications service. + +Can take messages sent to the server through simple POST requests on specific topics and +blasts them out to any subscribed receiver on Android, Web, Commandline, or even in other applications. + +Thus can function as a simple cross-platform push message service that fits very well into unix workflows. + +## Defaults + +``` +ntfy_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" +``` + +The on-target directory where the proxy configuration file should be stashed. + +``` +ntfy_use_https: true +``` + +Whether the service should be reachable through http (port 80) or through https (port 443) and provision an https certificate. +Usually you will want this to stay `true`, +especially on the public facing web. + +``` +ntfy_version: latest +``` + +The docker image version to be used in stack creation. + +``` +subdomain_alias: push +``` + +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `push.yourdomain.com` - +if this option is not set it will be served on `ntfy.yourdomain.com` instead. + +The individual `ntfy` options to be changed are very well described on +[the ntfy documentation](https://ntfy.sh/docs/config/). +Together with the default variables for this role it should be easy to find a good pair of settings. diff --git a/roles/ntfy/defaults/main.yml b/roles/ntfy/defaults/main.yml new file mode 100644 index 0000000..14089c2 --- /dev/null +++ b/roles/ntfy/defaults/main.yml 
@@ -0,0 +1,20 @@ +--- + +ntfy_version: latest + +ntfy_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" + +ntfy_use_https: true + +subdomain_alias: push + +ntfy_global_topic_limit: "15000" +ntfy_visitor_subscription_limit: "30" +ntfy_visitor_request_limit_burst: "60" +ntfy_visitor_request_limit_replenish: "10s" +ntfy_cache_duration: "12h" +ntfy_attachment_total_size_limit: "5G" +ntfy_attachment_file_size_limit: "15M" +ntfy_attachment_expiry_duration: "5h" +ntfy_visitor_attachment_total_size_limit: "500M" +ntfy_visitor_attachment_daily_bandwidth_limit: "1G" diff --git a/roles/ntfy/handlers/main.yml b/roles/ntfy/handlers/main.yml new file mode 100644 index 0000000..de1b807 --- /dev/null +++ b/roles/ntfy/handlers/main.yml 
@@ -0,0 +1,46 @@ +## Register reverse proxy +- name: Ensure upstream directory exists + ansible.builtin.file: + path: "{{ ntfy_upstream_file_dir }}" + state: directory + mode: '0755' + become: yes + listen: "update ntfy upstream" + +- name: Update upstream template + ansible.builtin.template: + src: upstream.json.j2 + dest: "{{ ntfy_upstream_file_dir }}/upstream.json" + become: yes + listen: "update ntfy upstream" + +# figure out if upstream id exists +- name: check {{ stack_name }} upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl localhost:2019/id/{{ stack_name }}_upstream/ + changed_when: False + register: result + become: yes + listen: "update ntfy upstream" + +# upstream already exists, patch it +- name: remove old {{ stack_name }} upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ + become: yes + when: (result.stdout | from_json)['error'] is not defined + listen: "update ntfy upstream" + +# upstream has to be created +- name: add {{ stack_name }} upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl -X POST -H "Content-Type: application/json" -d @{{ ntfy_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (ntfy_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + become: yes + listen: "update ntfy upstream" + diff --git a/roles/ntfy/meta/main.yml b/roles/ntfy/meta/main.yml new file mode 100644 index 0000000..16d1cd4 --- /dev/null +++ b/roles/ntfy/meta/main.yml @@ -0,0 +1,14 @@ +--- + +galaxy_info: + author: Marty Oehme + description: Installs a self-hosted push notification service through docker-swarm. + license: GPL-3.0-only + min_ansible_version: 2.9 + galaxy_tags: [] + + +dependencies: + - docker + - docker-swarm + - caddy 
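Review bot: `Update upstream template` writes `upstream.json` with no `mode:`, so the file takes whatever the umask gives, while the equivalent gitea CI handler in PATCH 02/66 sets `mode: '0600'`; add `mode: '0600'` here for consistency. Unlike the blog and gitea handlers this file also never removes `ntfy_upstream_file_dir` afterwards — if that is deliberate because `server.yml` lives in the same directory and is bind-mounted by the stack, a comment such as `# directory is kept: server.yml in it is mounted by the running container` would stop the cleanup task from being copied across later. The file is also the only new YAML file in the commit without a `---` document start.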
diff --git a/roles/ntfy/tasks/main.yml b/roles/ntfy/tasks/main.yml new file mode 100644 index 0000000..bc64d86 --- /dev/null +++ b/roles/ntfy/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: Ensure target directory exists + ansible.builtin.file: + path: "{{ ntfy_upstream_file_dir }}" + state: directory + mode: '0755' + become: yes + +- name: Move ntfy configuration file to target dir + ansible.builtin.template: + src: "server.yml.j2" + dest: "{{ ntfy_upstream_file_dir }}/server.yml" + become: yes + notify: "update ntfy upstream" + +## install ntfy container +- name: Check upstream status + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl localhost:2019/id/{{ stack_name }}_upstream/ + register: result + changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) + become: yes + notify: "update ntfy upstream" + +- name: Deploy ntfy to swarm + community.general.docker_stack: + name: "{{ stack_name }}" + state: present + prune: yes + compose: + - "{{ stack_compose }}" + become: yes + tags: + - docker-swarm + notify: "update ntfy upstream" + diff --git a/roles/ntfy/templates/docker-stack.yml.j2 b/roles/ntfy/templates/docker-stack.yml.j2 new file mode 100644 index 0000000..bf0e5a5 --- /dev/null +++ b/roles/ntfy/templates/docker-stack.yml.j2 @@ -0,0 +1,25 @@ +version: '3.4' + +services: + app: + image: "{{ stack_image }}:{{ ntfy_version }}" + healthcheck: + test: ["CMD", "wget", "--spider", "-q", "localhost"] + interval: 1m + timeout: 10s + retries: 3 + start_period: 1m + volumes: + - "{{ ntfy_upstream_file_dir }}/server.yml:/etc/ntfy/server.yml" + - cache:/var/cache/ntfy + networks: + - "{{ docker_swarm_public_network_name }}" + +volumes: + cache: + +networks: + "{{ docker_swarm_public_network_name }}": + external: true + + diff --git a/roles/ntfy/templates/server.yml.j2 b/roles/ntfy/templates/server.yml.j2 new file mode 100644 index 0000000..cbbe8a5 --- /dev/null 
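Review bot: The bind mount `"{{ ntfy_upstream_file_dir }}/server.yml:/etc/ntfy/server.yml"` is read-write, so the service process could alter its own host-side configuration; Ansible owns that file, so mount it read-only, `- "{{ ntfy_upstream_file_dir }}/server.yml:/etc/ntfy/server.yml:ro"`. The `healthcheck` probes `localhost` with no scheme or port, which presumably means port 80 in-container — a comment confirming that matches ntfy's default listen address would help the next reader. The file ends with two added blank lines.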
+++ b/roles/ntfy/templates/server.yml.j2 @@ -0,0 +1,15 @@ +base-url: "https://{{ server_domain }}" +global_topic_limit: "{{ ntfy_global_topic_limit }}" +visitor_subscription_limit: "{{ ntfy_visitor_subscription_limit }}" +visitor_request_limit_burst: "{{ ntfy_visitor_request_limit_burst }}" +visitor_request_limit_replenish: "{{ ntfy_visitor_request_limit_replenish }}" +cache-file: "/var/cache/ntfy/cache.db" +cache_duration: "{{ ntfy_cache_duration }}" +attachment-cache-dir: "/var/cache/ntfy/attachments" +attachment_total_size_limit: "{{ ntfy_attachment_total_size_limit }}" +attachment_file_size_limit: "{{ ntfy_attachment_file_size_limit }}" +attachment_expiry_duration: "{{ ntfy_attachment_expiry_duration }}" +visitor_attachment_total_size_limit: "{{ ntfy_visitor_attachment_total_size_limit }}" +visitor_attachment_daily_bandwidth_limit: "{{ ntfy_visitor_attachment_daily_bandwidth_limit }}" +behind-proxy: true # uses 'X-Forwarded-For' Headers for individual visitors +# TODO i believe Caddy does not set the correct X-Forwarded-For header, see whoami container to check diff --git a/roles/ntfy/templates/upstream.json.j2 b/roles/ntfy/templates/upstream.json.j2 new file mode 100644 index 0000000..a8af36a --- /dev/null +++ b/roles/ntfy/templates/upstream.json.j2 @@ -0,0 +1,40 @@ +{ + "@id": "{{ stack_name }}_upstream", +{% if server_domain is not undefined and not none %} + "match": [ + { + "host": [ +{% if subdomain_alias is not undefined and not none %} + "{{ subdomain_alias }}.{{ server_domain }}" +{% else %} + "{{ stack_name }}.{{ server_domain }}" +{% endif %} + ] + } + ], +{% else %} + "match": [ + { + "path": [ +{% if subdomain_alias is not undefined and not none %} + "/{{ subdomain_alias }}*" +{% else %} + "/{{ stack_name }}*" +{% endif %} + , + "/" + ] + } + ], +{% endif %} + "handle": [ + { + "handler": "reverse_proxy", + "upstreams": [ + { + "dial": "{{ stack_name }}_app:80" + } + ] + } + ] +} 
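Review bot: `base-url` is hard-coded to `https://{{ server_domain }}` while the upstream route in this commit serves ntfy on `{{ subdomain_alias }}.{{ server_domain }}` and `ntfy_use_https` can be false (group_vars/testing.yml sets it to `no`), so attachment links and the web app's self-URL would point at the wrong host or scheme. Build it from the same variables as the route, e.g. `base-url: "{{ (ntfy_use_https == True) | ternary('https', 'http') }}://{{ subdomain_alias }}.{{ server_domain }}"`. The file also mixes kebab-case keys (`base-url`, `cache-file`, `behind-proxy`) with snake_case ones (`global_topic_limit`, `visitor_request_limit_burst`, …); as far as I recall ntfy's server.yml keys are all kebab-case, so the snake_case limits would presumably be ignored and the per-visitor rate limiting they are meant to set would stay at defaults — verify against the config reference the README links to. PATCH 06/66 edits the same keys and keeps the snake_case spelling.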
diff --git a/roles/ntfy/vars/main.yml b/roles/ntfy/vars/main.yml new file mode 100644 index 0000000..a3c184b --- /dev/null +++ b/roles/ntfy/vars/main.yml @@ -0,0 +1,7 @@ +--- + +stack_name: ntfy + +stack_image: "binwiederhier/ntfy" + +stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" diff --git a/site.yml b/site.yml index 5ed33b7..ecb9933 100644 --- a/site.yml +++ b/site.yml @@ -78,3 +78,8 @@ import_role: role: gitea tags: gitea + + - name: Install ntfy + import_role: + role: ntfy + tags: ntfy From 8aaefd3f6059d36d4564f64de967f75674144144 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sun, 18 Dec 2022 12:00:33 +0100 Subject: [PATCH 05/66] Fix gitea admin deployment to be less brittle Admin deployment was very timing-dependent: If the server took a while to set it up, it would always error out while deploying. This commit adds sufficient grace-time into the admin request call before the error occurs which should avoid it in most deployments (unless the server is severely underpowered or over-taxed). Also fixes admin creation to avoid root usage in the container when it is not called for. --- roles/gitea/handlers/main.yml | 5 +++-- roles/gitea/tasks/main.yml | 22 ++++++++++++++-------- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml index c45c3a5..b5fe994 100644 --- a/roles/gitea/handlers/main.yml +++ b/roles/gitea/handlers/main.yml @@ -1,9 +1,10 @@ - name: Add admin user - community.docker.docker_container_exec: + community.docker.docker_container_exec: container: "{{ gitea_app_container_name['stdout'] }}" command: > gitea admin user create --admin --username {{ gitea_app_admin_username }} --password {{ gitea_app_admin_password }} --email {{ gitea_app_admin_email }} - become: yes + user: git + become: true listen: "no admin user" ## Register reverse proxy diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 9278a4f..11b2204 100644 
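Review bot: `Add admin user` still passes `--password {{ gitea_app_admin_password }}` on the `gitea admin user create` command line, so the rendered command appears verbatim in the play output and, while it runs, in process listings inside the container. Add `no_log: true` to the task so the secret at least stays out of the Ansible log, and consider `--must-change-password` if the deployed Gitea CLI supports it so the provisioned value is single-use. The switch to `user: git` is the right fix for the root-usage problem the message describes.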
--- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -17,7 +17,7 @@ when: gitea_use_ci == True - name: Set agent key - ansible.builtin.set_fact: + ansible.builtin.set_fact: gitea_woodpecker_agent_secret: "{{ gitea_woodpecker_agent_secret.stdout }}" when: gitea_woodpecker_agent_secret.stdout is not undefined and not None @@ -91,29 +91,35 @@ become: yes tags: - docker-swarm + register: gitea_deployment notify: "update gitea upstream" +- name: Wait 30 seconds for gitea to become healthy + wait_for: + timeout: 60 + delegate_to: localhost + when: gitea_deployment is changed + - name: Get app container info ansible.builtin.command: cmd: docker ps -q -f name={{ stack_name }}_app become: yes until: gitea_app_container_name['rc'] == 0 and gitea_app_container_name['stdout'] | length >= 1 - retries: 5 + retries: 10 delay: 10 changed_when: False register: gitea_app_container_name - name: Look for existing admin user - community.docker.docker_container_exec: + community.docker.docker_container_exec: container: "{{ gitea_app_container_name['stdout'] }}" user: git command: > gitea admin user list --admin - become: yes - until: "'connection refused' not in gitea_admin_list['stdout'] and 'Failed to run app' not in gitea_admin_list['stdout']" - retries: 10 + until: gitea_admin_list is defined and gitea_admin_list['rc'] == 0 + retries: 15 delay: 10 - changed_when: gitea_admin_list['stdout_lines'] | length <= 1 and 'Username' in gitea_admin_list['stdout'] - failed_when: (gitea_admin_list['rc'] == 1 and gitea_admin_list['attempts'] >= 5) or 'Gitea is not supposed to be run as root' in gitea_admin_list['stdout'] + become: true register: gitea_admin_list + changed_when: gitea_admin_list['stdout_lines'] | length <= 1 and 'Username' in gitea_admin_list['stdout'] notify: "no admin user" From 926f1f475fdd996f9ee6827a81729ae85e53ff69 Mon Sep 17 00:00:00 2001 
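Review bot: The new task is named `Wait 30 seconds for gitea to become healthy` but sets `timeout: 60`, and it is a fixed sleep rather than a readiness probe; the name should match the value, and an `until`-polled request against Gitea's health endpoint (`/api/healthz` on recent releases) would be faster on quick hosts and more robust on slow ones, especially since `Get app container info` directly below already retries. `wait_for` is also the only short module name in a file that otherwise uses FQCNs — `ansible.builtin.wait_for`. A one-line comment on why `failed_when` was dropped from `Look for existing admin user` (the `user: git` line now prevents the root-run error it guarded against) would save the next reader from re-adding it.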
From: Marty Oehme Date: Sun, 18 Dec 2022 15:47:14 +0100 Subject: [PATCH 06/66] Fix ntfy settings Fixed numeric settings for ntfy and a corrected command executed. --- roles/ntfy/defaults/main.yml | 7 +++---- roles/ntfy/templates/docker-stack.yml.j2 | 2 ++ roles/ntfy/templates/server.yml.j2 | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/roles/ntfy/defaults/main.yml b/roles/ntfy/defaults/main.yml index 14089c2..70e3275 100644 --- a/roles/ntfy/defaults/main.yml +++ b/roles/ntfy/defaults/main.yml @@ -1,5 +1,4 @@ --- - ntfy_version: latest ntfy_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" @@ -8,9 +7,9 @@ ntfy_use_https: true subdomain_alias: push -ntfy_global_topic_limit: "15000" -ntfy_visitor_subscription_limit: "30" -ntfy_visitor_request_limit_burst: "60" +ntfy_global_topic_limit: 15000 +ntfy_visitor_subscription_limit: 30 +ntfy_visitor_request_limit_burst: 60 ntfy_visitor_request_limit_replenish: "10s" ntfy_cache_duration: "12h" ntfy_attachment_total_size_limit: "5G" diff --git a/roles/ntfy/templates/docker-stack.yml.j2 b/roles/ntfy/templates/docker-stack.yml.j2 index bf0e5a5..ffa1dc9 100644 --- a/roles/ntfy/templates/docker-stack.yml.j2 +++ b/roles/ntfy/templates/docker-stack.yml.j2 @@ -14,6 +14,8 @@ services: - cache:/var/cache/ntfy networks: - "{{ docker_swarm_public_network_name }}" + command: + - serve volumes: cache: diff --git a/roles/ntfy/templates/server.yml.j2 b/roles/ntfy/templates/server.yml.j2 index cbbe8a5..93c8bb8 100644 --- a/roles/ntfy/templates/server.yml.j2 +++ b/roles/ntfy/templates/server.yml.j2 
@@ -1,7 +1,7 @@ base-url: "https://{{ server_domain }}" -global_topic_limit: "{{ ntfy_global_topic_limit }}" -visitor_subscription_limit: "{{ ntfy_visitor_subscription_limit }}" -visitor_request_limit_burst: "{{ ntfy_visitor_request_limit_burst }}" +global_topic_limit: {{ ntfy_global_topic_limit }} +visitor_subscription_limit: {{ ntfy_visitor_subscription_limit }} +visitor_request_limit_burst: {{ ntfy_visitor_request_limit_burst }} visitor_request_limit_replenish: "{{ ntfy_visitor_request_limit_replenish }}" cache-file: "/var/cache/ntfy/cache.db" cache_duration: "{{ ntfy_cache_duration }}" From 1ceee17edaf78fb156afae051f7fd8a364736a69 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sun, 18 Dec 2022 15:50:23 +0100 Subject: [PATCH 07/66] Add local test setup to ignored files --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 3a8c627..c96b8df 100644 --- a/.gitignore +++ b/.gitignore @@ -60,3 +60,4 @@ tags # End of https://www.toptal.com/developers/gitignore/api/vim,linux,vagrant,ansible development.yml +single-test.yml From 385cb3859c30ed8c63e2792bac1a13298f28201d Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sun, 18 Dec 2022 15:53:26 +0100 Subject: [PATCH 08/66] Remove whoami from default site playbook whoami should be used as a test and debugging container and should not be necessary or used for production deployment. --- site.yml | 36 +++++++++++++++--------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/site.yml b/site.yml index ecb9933..62f01e9 100644 --- a/site.yml +++ b/site.yml 
@@ -1,85 +1,79 @@ --- - - hosts: all tasks: - name: Make sure system is fully upgraded - import_role: + import_role: role: system-upgrade tags: system-upgrade - name: Make sure docker is installed - import_role: + import_role: role: docker tags: docker - name: Make sure docker-swarm is set up - import_role: + import_role: role: docker-swarm tags: docker-swarm - hosts: docker_swarm_manager_node tasks: - name: Install caddy reverse proxy - import_role: + import_role: role: caddy tags: caddy - - name: Install whoami - import_role: - role: whoami - tags: whoami - - name: Install wallabag - import_role: + import_role: role: wallabag tags: wallabag - name: Install miniflux - import_role: + import_role: role: miniflux tags: miniflux - name: Install searx - import_role: + import_role: role: searx tags: searx - name: Install traggo - import_role: + import_role: role: traggo tags: traggo - name: Install monica - import_role: + import_role: role: monica tags: monica - name: Install nextcloud - import_role: + import_role: role: nextcloud tags: nextcloud - name: Install shaarli - import_role: + import_role: role: shaarli tags: shaarli - name: Install landingpage - import_role: + import_role: role: landingpage tags: landingpage - name: Install my personal blog - import_role: + import_role: role: blog tags: blog - name: Install gitea - import_role: + import_role: role: gitea tags: gitea - name: Install ntfy - import_role: + import_role: role: ntfy tags: ntfy From 7d8408f9f834adbe1ec7a73d16fb4c84e1cb555a Mon Sep 17 00:00:00 2001 
From: Marty Oehme Date: Sun, 18 Dec 2022 16:02:32 +0100 Subject: [PATCH 09/66] Change become arguments to boolean Changed all 'become: ' values from 'yes' to 'true' to satisfy the schema (and also make the lsp shut up). --- roles/blog/handlers/main.yml | 12 +++++----- roles/blog/tasks/main.yml | 4 ++-- roles/caddy/tasks/main.yml | 8 +++---- roles/docker/handlers/main.yml | 2 +- roles/gitea/handlers/main.yml | 35 ++++++++++++++--------------- roles/gitea/tasks/Ubuntu.yml | 2 +- roles/gitea/tasks/main.yml | 18 +++++++-------- roles/landingpage/handlers/main.yml | 12 +++++----- roles/landingpage/tasks/main.yml | 4 ++-- roles/miniflux/handlers/main.yml | 12 +++++----- roles/miniflux/tasks/main.yml | 4 ++-- roles/monica/handlers/main.yml | 12 +++++----- roles/monica/tasks/Ubuntu.yml | 2 +- roles/monica/tasks/main.yml | 4 ++-- roles/nextcloud/handlers/main.yml | 12 +++++----- roles/nextcloud/tasks/main.yml | 8 +++---- roles/ntfy/handlers/main.yml | 10 ++++----- roles/ntfy/tasks/main.yml | 8 +++---- roles/searx/handlers/main.yml | 12 +++++----- roles/searx/tasks/main.yml | 4 ++-- roles/shaarli/handlers/main.yml | 12 +++++----- roles/shaarli/tasks/main.yml | 4 ++-- roles/traggo/handlers/main.yml | 12 +++++----- roles/traggo/tasks/main.yml | 4 ++-- roles/wallabag/handlers/main.yml | 12 +++++----- roles/wallabag/tasks/main.yml | 4 ++-- roles/whoami/handlers/main.yml | 12 +++++----- roles/whoami/tasks/main.yml | 4 ++-- 28 files changed, 124 insertions(+), 125 deletions(-) diff --git a/roles/blog/handlers/main.yml b/roles/blog/handlers/main.yml index 4ea5e4a..29ca5c2 100644 --- a/roles/blog/handlers/main.yml +++ b/roles/blog/handlers/main.yml 
@@ -4,14 +4,14 @@ path: "{{ blog_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update blog upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ blog_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update blog upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update blog upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update blog upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ blog_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (blog_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update blog upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ blog_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update blog upstream" diff --git a/roles/blog/tasks/main.yml b/roles/blog/tasks/main.yml index 4a0e1e5..0637ae3 100644 --- a/roles/blog/tasks/main.yml +++ b/roles/blog/tasks/main.yml @@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update blog upstream" - name: Deploy blog to swarm @@ -17,7 +17,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update blog upstream" 
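Review bot: The blog/tasks hunk at `@@ -17,7 +17,7 @@` still carries `prune: yes` on a context line just above the converted `become: true`, and the handler hunk at `@@ -22,7 +22,7 @@` keeps `changed_when: False`, so both files retain YAML 1.1 truthy spellings after a commit whose stated purpose is to replace them. If the schema or linter complaint that motivated the change is a truthy rule, these will be the next findings; converting them in the same pass (`prune: true`, `changed_when: false`) keeps each file internally consistent. The same leftovers recur across the other roles in this commit: `prune: yes` in the deploy tasks of landingpage, miniflux, monica, nextcloud, ntfy, searx, shaarli and traggo; `changed_when: False` in the handlers of gitea, landingpage, miniflux, monica, nextcloud, ntfy, searx, shaarli, traggo, wallabag and whoami and in roles/caddy/tasks/main.yml; `enabled: yes` and `daemon_reload: yes` in roles/docker/handlers/main.yml; and `flat: yes` in roles/gitea/tasks/main.yml.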
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml index 884e5c0..c2577ee 100644 --- a/roles/caddy/tasks/main.yml +++ b/roles/caddy/tasks/main.yml @@ -27,14 +27,14 @@ compose: - "{{ caddy_stack.compose }}" when: caddy_stack is defined - become: yes + become: true tags: - docker-swarm - name: Get caddy container info ansible.builtin.command: cmd: docker ps -q -f name={{ caddy_stack.name }} - become: yes + become: true # bringing up the container takes some time, we have to wait until: caddy_container_info['rc'] == 0 and caddy_container_info['stdout'] | length >= 1 retries: 5 @@ -53,7 +53,7 @@ container: "{{ caddy_container_id }}" command: > apk add curl - become: yes + become: true register: result changed_when: "'Installing' in result.stdout" @@ -62,7 +62,7 @@ container: "{{ caddy_container_id }}" command: > curl localhost:2019/config/ - become: yes + become: true until: result.rc == 0 when: caddy_use_api == True changed_when: False diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 2525e6a..3e4a3b7 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -4,4 +4,4 @@ state: started enabled: yes daemon_reload: yes - become: yes + become: true diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml index b5fe994..1c82409 100644 --- a/roles/gitea/handlers/main.yml +++ b/roles/gitea/handlers/main.yml 
@@ -6,30 +6,30 @@ user: git become: true listen: "no admin user" - + ## Register reverse proxy - name: Ensure upstream directory exists ansible.builtin.file: path: "{{ gitea_upstream_file_dir }}" state: directory - mode: '0755' - become: yes + mode: "0755" + become: true listen: "update gitea upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ gitea_upstream_file_dir }}/upstream.json" - mode: '0600' - become: yes + mode: "0600" + become: true listen: "update gitea upstream" - name: Update ci upstream template ansible.builtin.template: src: upstream_ci.json.j2 dest: "{{ gitea_upstream_file_dir }}/upstream_ci.json" - mode: '0600' - become: yes + mode: "0600" + become: true listen: "update gitea upstream" # figure out if upstream id exists @@ -40,7 +40,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update gitea upstream" # upstream already exists, patch it @@ -49,7 +49,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update gitea upstream" @@ -58,8 +58,8 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ gitea_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (gitea_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + curl -X POST -H "Content-Type: application/json" -d @{{ gitea_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (gitea_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + become: true listen: "update gitea upstream" # figure out if upstream id exists 
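Review bot: The `@@ -6,30 +6,30 @@` hunk switches `mode: '0755'` and `mode: '0600'` to double quotes in this file only, while every other role in the commit keeps `mode: '0755'` single-quoted, so the change introduces a quoting inconsistency that the commit subject (become → boolean) does not cover. Either leave the quotes as they were or apply one style repository-wide in a separate formatting commit. Keeping the value quoted is the right call in either style — an unquoted `0600` would be read as octal 384 by a YAML 1.1 parser. The two `curl -X POST ... /routes/0/` command lines are removed and re-added with text that reads identically here, presumably an indentation-only change; that churn is better kept out of a commit meant to be a mechanical value replacement, because it obscures whether the command itself changed.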
@@ -70,7 +70,7 @@ curl localhost:2019/id/{{ stack_name }}_ci_upstream/ changed_when: False register: result - become: yes + become: true listen: "update gitea upstream" # upstream for ci already exists, patch it @@ -79,23 +79,22 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_ci_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update gitea upstream" -# + # upstream for ci has to be created - name: add {{ stack_name }}_ci upstream community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ gitea_upstream_file_dir }}/upstream_ci.json localhost:2019/config/apps/http/servers/{{ (gitea_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + curl -X POST -H "Content-Type: application/json" -d @{{ gitea_upstream_file_dir }}/upstream_ci.json localhost:2019/config/apps/http/servers/{{ (gitea_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + become: true listen: "update gitea upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ gitea_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update gitea upstream" - diff --git a/roles/gitea/tasks/Ubuntu.yml b/roles/gitea/tasks/Ubuntu.yml index a67147d..234e270 100644 --- a/roles/gitea/tasks/Ubuntu.yml +++ b/roles/gitea/tasks/Ubuntu.yml @@ -4,7 +4,7 @@ ansible.builtin.package: name: "openssl" state: present - become: yes + become: true tags: - apt - download diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 11b2204..cf790d3 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
@@ -29,7 +29,7 @@ ssh_key_type: rsa ssh_key_bits: 4096 ssh_key_comment: "Gitea Host Key" - become: yes + become: true register: git_user - name: Ensure git passthrough command directory exists @@ -39,7 +39,7 @@ mode: '0770' owner: "{{ git_user['uid'] }}" group: "{{ git_user['group'] }}" - become: yes + become: true - name: Save git passthrough command in right location ansible.builtin.copy: @@ -48,21 +48,21 @@ owner: "{{ git_user['uid'] }}" group: "{{ git_user['group'] }}" mode: '0750' - become: yes + become: true - name: Fetch keyfile fetch: src: "{{ git_user['home'] }}/.ssh/id_rsa.pub" dest: "buffer/{{ansible_hostname}}-id_rsa.pub" flat: yes - become: yes + become: true - name: Ensure git user has its own key authorized for access ansible.posix.authorized_key: user: "{{ git_user['name'] }}" state: present key: "{{ lookup('file', 'buffer/{{ ansible_hostname }}-id_rsa.pub') }}" - become: yes + become: true - name: Clean up buffer dir ansible.builtin.file: @@ -78,7 +78,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update gitea upstream" - name: Deploy gitea to swarm @@ -88,7 +88,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm register: gitea_deployment @@ -96,14 +96,14 @@ - name: Wait 30 seconds for gitea to become healthy wait_for: - timeout: 60 + timeout: 30 delegate_to: localhost when: gitea_deployment is changed - name: Get app container info ansible.builtin.command: cmd: docker ps -q -f name={{ stack_name }}_app - become: yes + become: true until: gitea_app_container_name['rc'] == 0 and gitea_app_container_name['stdout'] | length >= 1 retries: 10 delay: 10 diff --git a/roles/landingpage/handlers/main.yml b/roles/landingpage/handlers/main.yml index 869b074..27471e1 100644 --- a/roles/landingpage/handlers/main.yml 
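Review bot: The `@@ -96,14 +96,14 @@` hunk changes `timeout: 60` to `timeout: 30` on the `wait_for` task, a runtime behaviour change that the commit message ("Change become arguments to boolean") does not mention. It does bring the value in line with the task name `Wait 30 seconds for gitea to become healthy`, but a halved startup grace period deserves its own commit or at least a sentence in this one so that later startup-timing issues can be traced to it. A minor style point in `@@ -48,21 +48,21 @@`: `dest: "buffer/{{ansible_hostname}}-id_rsa.pub"` omits the spaces inside the braces that the `lookup('file', 'buffer/{{ ansible_hostname }}-id_rsa.pub')` line below uses; `dest: "buffer/{{ ansible_hostname }}-id_rsa.pub"` keeps the two consistent.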
+++ b/roles/landingpage/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ landingpage_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update landingpage upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ landingpage_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update landingpage upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update landingpage upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update landingpage upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ landingpage_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (landingpage_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update landingpage upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ landingpage_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update landingpage upstream" diff --git a/roles/landingpage/tasks/main.yml b/roles/landingpage/tasks/main.yml index 02a9d2a..3ed7acb 100644 --- a/roles/landingpage/tasks/main.yml +++ b/roles/landingpage/tasks/main.yml @@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update landingpage upstream" - name: Deploy landingpage to swarm 
@@ -17,7 +17,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update landingpage upstream" diff --git a/roles/miniflux/handlers/main.yml b/roles/miniflux/handlers/main.yml index 864d7c6..3f578d3 100644 --- a/roles/miniflux/handlers/main.yml +++ b/roles/miniflux/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ miniflux_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update miniflux upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ miniflux_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update miniflux upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update miniflux upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update miniflux upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ miniflux_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (miniflux_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update miniflux upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ miniflux_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update miniflux upstream" diff --git a/roles/miniflux/tasks/main.yml b/roles/miniflux/tasks/main.yml index e4dd0ab..0384287 100644 --- a/roles/miniflux/tasks/main.yml +++ b/roles/miniflux/tasks/main.yml 
@@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update miniflux upstream" - name: Deploy miniflux to swarm @@ -17,7 +17,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update miniflux upstream" diff --git a/roles/monica/handlers/main.yml b/roles/monica/handlers/main.yml index 00c7001..58d7dea 100644 --- a/roles/monica/handlers/main.yml +++ b/roles/monica/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ monica_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update monica upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ monica_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update monica upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update monica upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update monica upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ monica_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (monica_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update monica upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ monica_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update monica upstream" 
diff --git a/roles/monica/tasks/Ubuntu.yml b/roles/monica/tasks/Ubuntu.yml index a67147d..234e270 100644 --- a/roles/monica/tasks/Ubuntu.yml +++ b/roles/monica/tasks/Ubuntu.yml @@ -4,7 +4,7 @@ ansible.builtin.package: name: "openssl" state: present - become: yes + become: true tags: - apt - download diff --git a/roles/monica/tasks/main.yml b/roles/monica/tasks/main.yml index 0c0ce63..2777f7b 100644 --- a/roles/monica/tasks/main.yml +++ b/roles/monica/tasks/main.yml @@ -23,7 +23,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update monica upstream" - name: Deploy to swarm @@ -33,7 +33,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update monica upstream" diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml index 7cc7626..5c4556c 100644 --- a/roles/nextcloud/handlers/main.yml +++ b/roles/nextcloud/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ nextcloud_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update nextcloud upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ nextcloud_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update nextcloud upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update nextcloud upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update nextcloud upstream" 
@@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ nextcloud_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (nextcloud_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update nextcloud upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ nextcloud_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update nextcloud upstream" diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 17781ae..a6d6617 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update nextcloud upstream" - name: Ensure target directory exists @@ -15,14 +15,14 @@ path: "{{ nextcloud_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true notify: "update nextcloud upstream" - name: Move webserver Caddyfile to target dir ansible.builtin.copy: src: "Caddyfile" dest: "{{ nextcloud_upstream_file_dir }}/Caddyfile" - become: yes + become: true notify: "update nextcloud upstream" - name: Deploy to swarm @@ -32,7 +32,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update nextcloud upstream" diff --git a/roles/ntfy/handlers/main.yml b/roles/ntfy/handlers/main.yml index de1b807..82744c9 100644 --- a/roles/ntfy/handlers/main.yml +++ b/roles/ntfy/handlers/main.yml 
@@ -4,14 +4,14 @@ path: "{{ ntfy_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update ntfy upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ ntfy_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update ntfy upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update ntfy upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update ntfy upstream" @@ -41,6 +41,6 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ ntfy_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (ntfy_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update ntfy upstream" diff --git a/roles/ntfy/tasks/main.yml b/roles/ntfy/tasks/main.yml index bc64d86..fc9ff80 100644 --- a/roles/ntfy/tasks/main.yml +++ b/roles/ntfy/tasks/main.yml @@ -4,13 +4,13 @@ path: "{{ ntfy_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true - name: Move ntfy configuration file to target dir ansible.builtin.template: src: "server.yml.j2" dest: "{{ ntfy_upstream_file_dir }}/server.yml" - become: yes + become: true notify: "update ntfy upstream" ## install ntfy container @@ -21,7 +21,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update ntfy upstream" - name: Deploy ntfy to swarm 
@@ -31,7 +31,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update ntfy upstream" diff --git a/roles/searx/handlers/main.yml b/roles/searx/handlers/main.yml index d6f183e..ceeaaf3 100644 --- a/roles/searx/handlers/main.yml +++ b/roles/searx/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ searx_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update searx upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ searx_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update searx upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update searx upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update searx upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ searx_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (searx_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update searx upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ searx_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update searx upstream" diff --git a/roles/searx/tasks/main.yml b/roles/searx/tasks/main.yml index 21b4281..eef1581 100644 --- a/roles/searx/tasks/main.yml +++ b/roles/searx/tasks/main.yml 
@@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update searx upstream" - name: Deploy searx to swarm @@ -17,7 +17,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update searx upstream" diff --git a/roles/shaarli/handlers/main.yml b/roles/shaarli/handlers/main.yml index 2887e93..6e138d5 100644 --- a/roles/shaarli/handlers/main.yml +++ b/roles/shaarli/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ shaarli_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update shaarli upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ shaarli_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update shaarli upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update shaarli upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update shaarli upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ shaarli_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (shaarli_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update shaarli upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ shaarli_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update shaarli upstream" 
diff --git a/roles/shaarli/tasks/main.yml b/roles/shaarli/tasks/main.yml index b8eea52..a11eab5 100644 --- a/roles/shaarli/tasks/main.yml +++ b/roles/shaarli/tasks/main.yml @@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update shaarli upstream" - name: Deploy shaarli to swarm @@ -17,7 +17,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update shaarli upstream" diff --git a/roles/traggo/handlers/main.yml b/roles/traggo/handlers/main.yml index e072105..e0fc223 100644 --- a/roles/traggo/handlers/main.yml +++ b/roles/traggo/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ traggo_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update traggo upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ traggo_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update traggo upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update traggo upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update traggo upstream" 
@@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ traggo_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (traggo_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update traggo upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ traggo_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update traggo upstream" diff --git a/roles/traggo/tasks/main.yml b/roles/traggo/tasks/main.yml index 331e851..07eb336 100644 --- a/roles/traggo/tasks/main.yml +++ b/roles/traggo/tasks/main.yml @@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update traggo upstream" - name: Deploy traggo to swarm @@ -17,7 +17,7 @@ prune: yes compose: - "{{ stack_compose }}" - become: yes + become: true tags: - docker-swarm notify: "update traggo upstream" diff --git a/roles/wallabag/handlers/main.yml b/roles/wallabag/handlers/main.yml index 8695ea0..1f6268b 100644 --- a/roles/wallabag/handlers/main.yml +++ b/roles/wallabag/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ wallabag_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update wallabag upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ wallabag_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update wallabag upstream" # figure out if upstream id exists @@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack.name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update wallabag upstream" # upstream already exists, patch it 
@@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack.name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update wallabag upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ wallabag_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (wallabag_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update wallabag upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ wallabag_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update wallabag upstream" diff --git a/roles/wallabag/tasks/main.yml b/roles/wallabag/tasks/main.yml index f62d8b7..6c789d6 100644 --- a/roles/wallabag/tasks/main.yml +++ b/roles/wallabag/tasks/main.yml @@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack.name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update wallabag upstream" - name: Deploy wallabag to swarm @@ -18,7 +18,7 @@ compose: - "{{ stack.compose }}" when: stack is defined - become: yes + become: true tags: - docker-swarm notify: "update wallabag upstream" diff --git a/roles/whoami/handlers/main.yml b/roles/whoami/handlers/main.yml index a1196bc..5c44127 100644 --- a/roles/whoami/handlers/main.yml +++ b/roles/whoami/handlers/main.yml @@ -4,14 +4,14 @@ path: "{{ whoami_upstream_file_dir }}" state: directory mode: '0755' - become: yes + become: true listen: "update whoami upstream" - name: update whoami upstream template ansible.builtin.template: src: upstream.json.j2 dest: "{{ whoami_upstream_file_dir }}/upstream.json" - become: yes + become: true listen: "update whoami upstream" # figure out if upstream id exists 
@@ -22,7 +22,7 @@ curl localhost:2019/id/{{ stack.name }}_upstream/ changed_when: False register: result - become: yes + become: true listen: "update whoami upstream" # upstream already exists, patch it @@ -31,7 +31,7 @@ container: "{{ caddy_container_id }}" command: > curl -X DELETE localhost:2019/id/{{ stack.name }}_upstream/ - become: yes + become: true when: (result.stdout | from_json)['error'] is not defined listen: "update whoami upstream" @@ -41,13 +41,13 @@ container: "{{ caddy_container_id }}" command: > curl -X POST -H "Content-Type: application/json" -d @{{ whoami_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (whoami_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: yes + become: true listen: "update whoami upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: path: "{{ whoami_upstream_file_dir }}" state: absent - become: yes + become: true listen: "update whoami upstream" diff --git a/roles/whoami/tasks/main.yml b/roles/whoami/tasks/main.yml index f423e8e..d2bbb9a 100644 --- a/roles/whoami/tasks/main.yml +++ b/roles/whoami/tasks/main.yml @@ -7,7 +7,7 @@ curl localhost:2019/id/{{ stack.name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: yes + become: true notify: "update whoami upstream" - name: Deploy whoami to swarm @@ -18,7 +18,7 @@ compose: - "{{ stack.compose }}" when: stack is defined - become: yes + become: true tags: - docker-swarm notify: "update whoami upstream" From 2d01350fa5d9d655e251228b8bd87e16004bb20a Mon Sep 17 00:00:00 2001 
From: Marty Oehme Date: Fri, 8 Dec 2023 20:28:44 +0100 Subject: [PATCH 10/66] Switch to new landingpage and remove old blog New landingpage includes the blog itself to better integrate with the main page. Also runs on astro not on hugo which I am a little more familiar with. --- roles/blog/README.md | 37 ----------------- roles/blog/defaults/main.yml | 11 ----- roles/blog/handlers/main.yml | 53 ------------------------ roles/blog/meta/main.yml | 14 ------- roles/blog/tasks/main.yml | 24 ----------- roles/blog/templates/docker-stack.yml.j2 | 20 --------- roles/blog/templates/upstream.json.j2 | 40 ------------------ roles/blog/vars/main.yml | 7 ---- roles/landingpage/defaults/main.yml | 3 +- roles/landingpage/vars/main.yml | 2 +- site.yml | 5 --- 11 files changed, 2 insertions(+), 214 deletions(-) delete mode 100644 roles/blog/README.md delete mode 100644 roles/blog/defaults/main.yml delete mode 100644 roles/blog/handlers/main.yml delete mode 100644 roles/blog/meta/main.yml delete mode 100644 roles/blog/tasks/main.yml delete mode 100644 roles/blog/templates/docker-stack.yml.j2 delete mode 100644 roles/blog/templates/upstream.json.j2 delete mode 100644 roles/blog/vars/main.yml diff --git a/roles/blog/README.md b/roles/blog/README.md deleted file mode 100644 index d649b50..0000000 --- a/roles/blog/README.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# landingpage - -The public face of my server. -Not much to see here honestly, -just a few simple lines of html explaining what this server is about and how to contact me. - -I don't see anybody else benefiting massively from this role but me, -but if you want the same web presence go for it I suppose 😉 - -## Defaults - -``` -landingpage_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" -``` - -The on-target directory where the proxy configuration file should be stashed. - -``` -landingpage_use_https: true -``` - -Whether the service should be reachable through http (port 80) or through https (port 443) and provision an https certificate. Usually you will want this to stay `true`. - -``` -landingpage_version: latest -``` - -The docker image version to be used in stack creation. - -``` -subdomain_alias: www -``` - -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `www.yourdomain.com` - -if this option is not set it will be served on `landingpage.yourdomain.com` instead. - diff --git a/roles/blog/defaults/main.yml b/roles/blog/defaults/main.yml deleted file mode 100644 index fcf9a0f..0000000 --- a/roles/blog/defaults/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -# never got around to removing the master tag from the images -blog_version: master - -blog_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" - -blog_use_https: true - -# the subdomain link blog will be reachable under -subdomain_alias: blog diff --git a/roles/blog/handlers/main.yml b/roles/blog/handlers/main.yml deleted file mode 100644 index 29ca5c2..0000000 --- a/roles/blog/handlers/main.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -## Register reverse proxy -- name: Ensure upstream directory exists - ansible.builtin.file: - path: "{{ blog_upstream_file_dir }}" - state: directory - mode: '0755' - become: true - listen: "update blog upstream" - -- name: Update upstream template - ansible.builtin.template: - src: upstream.json.j2 - dest: "{{ blog_upstream_file_dir }}/upstream.json" - become: true - listen: "update blog upstream" - -# figure out if upstream id exists -- name: check {{ stack_name }} upstream - community.docker.docker_container_exec: - container: "{{ caddy_container_id }}" - command: > - curl localhost:2019/id/{{ stack_name }}_upstream/ - changed_when: False - register: result - become: true - listen: "update blog upstream" - -# upstream already exists, patch it -- name: remove old {{ stack_name }} upstream - community.docker.docker_container_exec: - container: "{{ caddy_container_id }}" - command: > - curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ - become: true - when: (result.stdout | from_json)['error'] is not defined - listen: "update blog upstream" - -# upstream has to be created -- name: add {{ stack_name }} upstream - community.docker.docker_container_exec: - container: "{{ caddy_container_id }}" - command: > - curl -X POST -H "Content-Type: application/json" -d @{{ blog_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (blog_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ - become: true - listen: "update blog upstream" - -- name: Ensure upstream directory is gone again - ansible.builtin.file: - path: "{{ blog_upstream_file_dir }}" - state: absent - become: true - listen: "update blog upstream" - diff --git a/roles/blog/meta/main.yml b/roles/blog/meta/main.yml deleted file mode 100644 index fbb1340..0000000 --- a/roles/blog/meta/main.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- - -galaxy_info: - author: Marty Oehme - description: Installs my personal public facing landing page as a docker stack service - license: GPL-3.0-only - min_ansible_version: 2.9 - galaxy_tags: [] - - -dependencies: - - docker - - docker-swarm - - caddy diff --git a/roles/blog/tasks/main.yml b/roles/blog/tasks/main.yml deleted file mode 100644 index 0637ae3..0000000 --- a/roles/blog/tasks/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -## install blog container -- name: Check upstream status - community.docker.docker_container_exec: - container: "{{ caddy_container_id }}" - command: > - curl localhost:2019/id/{{ stack_name }}_upstream/ - register: result - changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) - become: true - notify: "update blog upstream" - -- name: Deploy blog to swarm - community.general.docker_stack: - name: "{{ stack_name }}" - state: present - prune: yes - compose: - - "{{ stack_compose }}" - become: true - tags: - - docker-swarm - notify: "update blog upstream" - diff --git a/roles/blog/templates/docker-stack.yml.j2 b/roles/blog/templates/docker-stack.yml.j2 deleted file mode 100644 index 1d83e61..0000000 --- a/roles/blog/templates/docker-stack.yml.j2 +++ /dev/null @@ -1,20 +0,0 @@ -version: '3.4' - -services: - app: - image: "{{ stack_image }}:{{ blog_version }}" - healthcheck: - test: ["CMD", "wget", "--spider", "-q", "localhost"] - interval: 1m - timeout: 10s - retries: 3 - start_period: 1m - entrypoint: sh -c "/docker-entrypoint.sh nginx -g 'daemon off;'" - networks: - - "{{ docker_swarm_public_network_name }}" - -networks: - "{{ docker_swarm_public_network_name }}": - external: true - - diff --git a/roles/blog/templates/upstream.json.j2 b/roles/blog/templates/upstream.json.j2 deleted file mode 100644 index a8af36a..0000000 --- a/roles/blog/templates/upstream.json.j2 +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "@id": "{{ stack_name }}_upstream", -{% if server_domain is not undefined and not none %} - "match": [ - { - "host": [ -{% if subdomain_alias is not undefined and not none %} - "{{ subdomain_alias }}.{{ server_domain }}" -{% else %} - "{{ stack_name }}.{{ server_domain }}" -{% endif %} - ] - } - ], -{% else %} - "match": [ - { - "path": [ -{% if subdomain_alias is not undefined and not none %} - "/{{ subdomain_alias }}*" -{% else %} - "/{{ stack_name }}*" -{% endif %} - , - "/" - ] - } - ], -{% endif %} - "handle": [ - { - "handler": "reverse_proxy", - "upstreams": [ - { - "dial": "{{ stack_name }}_app:80" - } - ] - } - ] -} diff --git a/roles/blog/vars/main.yml b/roles/blog/vars/main.yml deleted file mode 100644 index 565e61f..0000000 --- a/roles/blog/vars/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -stack_name: blog - -stack_image: "registry.gitlab.com/cloud-serve/blog" - -stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" diff --git a/roles/landingpage/defaults/main.yml b/roles/landingpage/defaults/main.yml index 2c47345..b47f57f 100644 --- a/roles/landingpage/defaults/main.yml +++ b/roles/landingpage/defaults/main.yml @@ -1,7 +1,6 @@ --- -# never got around to removing the master tag from the images -landingpage_version: master +landingpage_version: latest landingpage_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/landingpage/vars/main.yml b/roles/landingpage/vars/main.yml index e3616a9..df7f3d7 100644 --- a/roles/landingpage/vars/main.yml +++ b/roles/landingpage/vars/main.yml @@ -2,6 +2,6 @@ stack_name: landingpage -stack_image: "registry.gitlab.com/cloud-serve/landing" +stack_image: "martyo/cloudserve-landing" stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" diff --git a/site.yml b/site.yml index 62f01e9..a99b30b 100644 --- a/site.yml +++ b/site.yml 
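Review bot: `landingpage_version: latest` combined with moving `stack_image` to the Docker Hub namespace `martyo/cloudserve-landing` means every run pulls whatever the mutable `latest` tag points at, so the public landing page is no longer reproducible and a mistaken or malicious push to that repository is picked up silently on the next deploy. Because the stack template joins `stack_image` and the version into a single `image:` reference, pinning is cheap: set `landingpage_version` to a specific release tag, or better reference the image by digest (`image@sha256:…`) and bump it deliberately. The previous `master` tag had the same weakness, so this is pre-existing rather than introduced here, but the registry change is a good moment to fix it.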
@@ -63,11 +63,6 @@ role: landingpage tags: landingpage - - name: Install my personal blog - import_role: - role: blog - tags: blog - - name: Install gitea import_role: role: gitea From d4dbeb4eb4e35a12b277a4328495508e4a1bc0c6 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 8 Dec 2023 20:31:15 +0100 Subject: [PATCH 11/66] Improve gitea stability on first launch When launching many containers gitea admin waiting still sometimes gets stuck. This should provide a bandaid for now. Also improve the container detection. --- roles/gitea/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index cf790d3..d930ed7 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -94,9 +94,9 @@ register: gitea_deployment notify: "update gitea upstream" -- name: Wait 30 seconds for gitea to become healthy +- name: Wait a minute for gitea to become healthy wait_for: - timeout: 30 + timeout: 60 delegate_to: localhost when: gitea_deployment is changed @@ -104,7 +104,7 @@ ansible.builtin.command: cmd: docker ps -q -f name={{ stack_name }}_app become: true - until: gitea_app_container_name['rc'] == 0 and gitea_app_container_name['stdout'] | length >= 1 + until: gitea_app_container_name['rc'] | default('') == 0 and gitea_app_container_name['stdout'] | length >= 1 retries: 10 delay: 10 changed_when: False @@ -116,9 +116,9 @@ user: git command: > gitea admin user list --admin - until: gitea_admin_list is defined and gitea_admin_list['rc'] == 0 + until: gitea_admin_list is defined and gitea_admin_list['rc'] | default('') == 0 retries: 15 - delay: 10 + delay: 20 become: true register: gitea_admin_list changed_when: gitea_admin_list['stdout_lines'] | length <= 1 and 'Username' in gitea_admin_list['stdout'] From 9cf43d0d5d8ebc455db2364a880fe85e997d6b09 Mon Sep 17 00:00:00 2001 
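Review bot: `wait_for: timeout: 60` in the first gitea hunk is a blind sleep — with only `timeout` set the module simply waits — and the commit message itself says the admin step still sometimes hangs, which suggests the delay masks a readiness race rather than resolving it. The container lookup in the second hunk can do the waiting properly by asking Docker for a healthy task, e.g. `cmd: docker ps -q -f name={{ stack_name }}_app -f health=healthy`, so the existing `until`/`retries` loop polls the healthcheck the gitea stack template already defines instead of a wall-clock guess. Be aware that `-f name=` is a substring/regex match, so if more than one task name contains `{{ stack_name }}_app` the registered `stdout` will hold several ids; anchoring the filter with a regex avoids that, though I have not verified what else runs on this swarm. The `container:` line that consumes the id lies outside these hunks.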
From: Marty Oehme Date: Fri, 8 Dec 2023 20:34:07 +0100 Subject: [PATCH 12/66] Fix new stat module checksum option In the module get_md5 has been replaced by get_checksum. --- roles/system-upgrade/tasks/Ubuntu.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/system-upgrade/tasks/Ubuntu.yml b/roles/system-upgrade/tasks/Ubuntu.yml index 983e6b5..dc33abf 100644 --- a/roles/system-upgrade/tasks/Ubuntu.yml +++ b/roles/system-upgrade/tasks/Ubuntu.yml @@ -21,7 +21,7 @@ register: reboot_required_file stat: path: /var/run/reboot-required - get_md5: no + get_checksum: false tags: - os - reboot From a52cab2f61907c398dbb4b022ca1c2a2241701d0 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 8 Dec 2023 20:34:41 +0100 Subject: [PATCH 13/66] Refactor wallabag stack name and repo variables Brought in line with other stack naming schemes. --- roles/wallabag/README.md | 2 +- roles/wallabag/defaults/main.yml | 2 +- roles/wallabag/handlers/main.yml | 11 +++++------ roles/wallabag/tasks/main.yml | 8 +++----- roles/wallabag/templates/upstream.json.j2 | 8 ++++---- roles/wallabag/vars/main.yml | 6 +++--- 6 files changed, 17 insertions(+), 20 deletions(-) diff --git a/roles/wallabag/README.md b/roles/wallabag/README.md index 44eefa9..c1eceff 100644 --- a/roles/wallabag/README.md +++ b/roles/wallabag/README.md @@ -6,7 +6,7 @@ Contains only a single deployed image and a couple of simple variables to set. ## Variables ``` -wallabag_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack.name }}" +wallabag_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" ``` The on-target directory where the proxy configuration file should be stashed. diff --git a/roles/wallabag/defaults/main.yml b/roles/wallabag/defaults/main.yml index a1b8116..dcc02b2 100644 --- a/roles/wallabag/defaults/main.yml +++ b/roles/wallabag/defaults/main.yml 
@@ -2,7 +2,7 @@ wallabag_version: latest -wallabag_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack.name }}" +wallabag_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" wallabag_use_https: true diff --git a/roles/wallabag/handlers/main.yml b/roles/wallabag/handlers/main.yml index 1f6268b..a104112 100644 --- a/roles/wallabag/handlers/main.yml +++ b/roles/wallabag/handlers/main.yml @@ -15,28 +15,28 @@ listen: "update wallabag upstream" # figure out if upstream id exists -- name: check {{ stack.name }} upstream +- name: check {{ stack_name }} upstream community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl localhost:2019/id/{{ stack.name }}_upstream/ + curl localhost:2019/id/{{ stack_name }}_upstream/ changed_when: False register: result become: true listen: "update wallabag upstream" # upstream already exists, patch it -- name: remove old {{ stack.name }} upstream +- name: remove old {{ stack_name }} upstream community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X DELETE localhost:2019/id/{{ stack.name }}_upstream/ + curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ become: true when: (result.stdout | from_json)['error'] is not defined listen: "update wallabag upstream" # upstream has to be created -- name: add {{ stack.name }} upstream +- name: add {{ stack_name }} upstream community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > @@ -50,4 +50,3 @@ state: absent become: true listen: "update wallabag upstream" - diff --git a/roles/wallabag/tasks/main.yml b/roles/wallabag/tasks/main.yml index 6c789d6..34e5859 100644 --- a/roles/wallabag/tasks/main.yml +++ b/roles/wallabag/tasks/main.yml 
@@ -4,7 +4,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl localhost:2019/id/{{ stack.name }}_upstream/ + curl localhost:2019/id/{{ stack_name }}_upstream/ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) become: true @@ -12,14 +12,12 @@ - name: Deploy wallabag to swarm community.general.docker_stack: - name: "{{ stack.name }}" + name: "{{ stack_name }}" state: present prune: yes compose: - - "{{ stack.compose }}" - when: stack is defined + - "{{ stack_compose }}" become: true tags: - docker-swarm notify: "update wallabag upstream" - diff --git a/roles/wallabag/templates/upstream.json.j2 b/roles/wallabag/templates/upstream.json.j2 index 6db9d1a..a20061f 100644 --- a/roles/wallabag/templates/upstream.json.j2 +++ b/roles/wallabag/templates/upstream.json.j2 @@ -1,5 +1,5 @@ { - "@id": "{{ stack.name }}_upstream", + "@id": "{{ stack_name }}_upstream", {% if server_domain is not undefined and not none %} "match": [ { @@ -7,7 +7,7 @@ {% if subdomain_alias is not undefined and not none %} "{{ subdomain_alias }}.{{ server_domain }}" {% else %} - "{{ stack.name }}.{{ server_domain }}" + "{{ stack_name }}.{{ server_domain }}" {% endif %} ] } @@ -19,7 +19,7 @@ {% if subdomain_alias is not undefined and not none %} "/{{ subdomain_alias }}*" {% else %} - "/{{ stack.name }}*" + "/{{ stack_name }}*" {% endif %} ] } @@ -30,7 +30,7 @@ "handler": "reverse_proxy", "upstreams": [ { - "dial": "{{ stack.name }}_app:80" + "dial": "{{ stack_name }}_app:80" } ] } diff --git a/roles/wallabag/vars/main.yml b/roles/wallabag/vars/main.yml index 7e281a4..d270fd5 100644 --- a/roles/wallabag/vars/main.yml +++ b/roles/wallabag/vars/main.yml 
@@ -1,7 +1,7 @@ --- -stack: - name: wallabag - compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" +stack_name: wallabag stack_image: "wallabag/wallabag" + +stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" From 388a1d8cfc862d7a016e5569f140cd562b144cc3 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 8 Dec 2023 20:35:51 +0100 Subject: [PATCH 14/66] Separate caddy container id grabbing into own role Since other roles often rely on this not an actual new caddy server installation we should probably have it as its own little role. --- roles/caddy/tasks/main.yml | 42 +--------- roles/caddy_id/README.md | 84 ++++++++++++++++++++ roles/caddy_id/meta/main.yml | 5 ++ roles/caddy_id/tasks/main.yml | 39 +++++++++ roles/caddy_id/templates/config.json.j2 | 72 +++++++++++++++++ roles/caddy_id/templates/docker-stack.yml.j2 | 30 +++++++ roles/caddy_id/vars/main.yml | 5 ++ site.yml | 10 ++- 8 files changed, 246 insertions(+), 41 deletions(-) create mode 100644 roles/caddy_id/README.md create mode 100644 roles/caddy_id/meta/main.yml create mode 100644 roles/caddy_id/tasks/main.yml create mode 100644 roles/caddy_id/templates/config.json.j2 create mode 100644 roles/caddy_id/templates/docker-stack.yml.j2 create mode 100644 roles/caddy_id/vars/main.yml diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml index c2577ee..61f1abe 100644 --- a/roles/caddy/tasks/main.yml +++ b/roles/caddy/tasks/main.yml @@ -5,9 +5,9 @@ ansible.builtin.file: path: "{{ caddy_caddyfile_dir }}" state: directory - mode: '0755' + mode: "0755" become: true - tags: + tags: - fs - name: Ensure Caddyfile exists 
@@ -30,44 +30,6 @@ become: true tags: - docker-swarm - -- name: Get caddy container info - ansible.builtin.command: - cmd: docker ps -q -f name={{ caddy_stack.name }} - become: true - # bringing up the container takes some time, we have to wait - until: caddy_container_info['rc'] == 0 and caddy_container_info['stdout'] | length >= 1 - retries: 5 - delay: 10 - changed_when: False - register: caddy_container_info - -- name: Register caddy container id - ansible.builtin.set_fact: caddy_container_id={{ caddy_container_info['stdout'] }} - notify: - - debug caddy container - -# FIXME this should be taken care of in Dockerfile not here -- name: Ensure caddy curl available - community.docker.docker_container_exec: - container: "{{ caddy_container_id }}" - command: > - apk add curl - become: true - register: result - changed_when: "'Installing' in result.stdout" - -- name: Ensure caddy api is responsive - community.docker.docker_container_exec: - container: "{{ caddy_container_id }}" - command: > - curl localhost:2019/config/ - become: true - until: result.rc == 0 - when: caddy_use_api == True - changed_when: False - register: result - # TODO FIXME UP # - name: Allow access to services # firewalld: diff --git a/roles/caddy_id/README.md b/roles/caddy_id/README.md new file mode 100644 index 0000000..88871db --- /dev/null +++ b/roles/caddy_id/README.md 
@@ -0,0 +1,84 @@ +# Caddy + +Caddy is the reverse proxy for all other services running on the infrastructure. +It was chosen for its relative ease of use, +interactible API and https-by-default setup. + +## Variables + +``` +caddy_caddyfile_dir: "{{ docker_stack_files_dir }}/caddy" +``` + +Sets up the on-target directory where important caddy files should be stored. + +``` +caddy_email: +``` + +Which e-mail should be used to provision https certificates with. I believe theoretically caddy will work and provision you with certificates even without providing an e-mail, but I would strongly urge providing one. + +``` +caddy_tls_use_staging: no +``` + +If turned on will use the staging servers of the acme certificate service, which is useful for testing and playing around with https (due to higher API limits and less severe restrictions). + +``` +caddy_use_api: yes +``` + +If turned off, will turn off the admin api for caddy. Should only be used if no other services are intended to be provisioned on the target, since most other service stacks rely on the API to set up their proxy targets. + +``` +caddy_use_debug: no +``` + +If true, will turn on caddy's debug logging. + +``` +caddy_use_https: yes +``` + +If turned off will turn of all auto-provisioning of https certificates by caddy. + +``` +caddy_version: alpine +``` + +Sets the docker image version to be used. + + +## Internal variables + +```yaml +caddy_stack: + name: caddy + compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" +``` + +Defines the actual docker stack which will later run on the target. +The name can be changed and will be used as a proxy target (`caddy.mydomain.com` or `192.168.1.1/caddy`) --- +though to be clear there is no intention currently to expose the caddy to the web at the moment.\ +The compose option defines which template to use for the `docker-stack.yml` file. 
You can either change options for the stack in the template file, +or directly here like the following: + +```yaml + compose: + - "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" + - version: '3' + services: + another-container: + image: nginx:latest +# ... +``` + +```yaml +caddy_http_server_name: http +``` + +```yaml +caddy_https_server_name: https +``` + +The internal representation of the http and https servers respectively. diff --git a/roles/caddy_id/meta/main.yml b/roles/caddy_id/meta/main.yml new file mode 100644 index 0000000..5863772 --- /dev/null +++ b/roles/caddy_id/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: + - docker + - docker-swarm diff --git a/roles/caddy_id/tasks/main.yml b/roles/caddy_id/tasks/main.yml new file mode 100644 index 0000000..adbfc5c --- /dev/null +++ b/roles/caddy_id/tasks/main.yml 
@@ -0,0 +1,39 @@ +--- +# get the caddy container id for all other containers + +- name: Get caddy container info + ansible.builtin.command: + cmd: docker ps -q -f name={{ caddy_stack.name }} + become: true + # bringing up the container takes some time, we have to wait + until: caddy_container_info['rc'] | default('') == 0 and caddy_container_info['stdout'] | length >= 1 + retries: 5 + delay: 10 + changed_when: False + register: caddy_container_info + +- name: Register caddy container id + ansible.builtin.set_fact: caddy_container_id={{ caddy_container_info['stdout'] }} + notify: + - debug caddy container + +# FIXME this should be taken care of in Dockerfile not here +- name: Ensure caddy curl available + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + apk add curl + become: true + register: result + changed_when: "'Installing' in result.stdout" + +- name: Ensure caddy api is responsive + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl localhost:2019/config/ + become: true + until: result.rc | default('') == 0 + when: caddy_use_api == True + changed_when: False + register: result diff --git a/roles/caddy_id/templates/config.json.j2 b/roles/caddy_id/templates/config.json.j2 new file mode 100644 index 0000000..b104a25 --- /dev/null +++ b/roles/caddy_id/templates/config.json.j2 
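Review bot: `docker ps -q -f name={{ caddy_stack.name }}` in the first task matches any container whose name merely contains `caddy`, so on a host where another container or stack carries that substring the registered `stdout` holds several ids and the following `docker_container_exec` calls — including `apk add curl` — target an ambiguous or wrong container; the name filter is a regular-expression match against the container name (which internally carries a leading `/`), so a form such as `cmd: docker ps -q -f name=^/{{ caddy_stack.name }}_app` should narrow it to this stack's task and is worth testing. The `apk add curl` step modifies a running container at deploy time with an unpinned package fetched from the network, which the FIXME already flags; until it moves into an image build, a comment noting that the result is lost on every container recreation would help. `notify: - debug caddy container` refers to a handler this role does not ship (the diffstat lists no handlers directory for caddy_id), so it presumably resolves only because the caddy role is imported into the same play. Minor style point: `when: caddy_use_api == True` reads better as `when: caddy_use_api`.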
@@ -0,0 +1,72 @@ +{ +{% if caddy_use_api is sameas false %} + "admin": { + "disabled": true + }, +{% endif %} +{% if caddy_use_debug is sameas true %} + "logging": { + "logs": { + "default": { + "level": "DEBUG" + } + } + }, +{% endif %} + "apps": { + "http": { + "servers": { + "{{ caddy_http_server_name }}": { + "listen": [ + ":80" + ], + "routes": [] +{% if caddy_use_https is sameas false %}, + "automatic_https": { + "disable": true + } +{% endif %} + }, + "{{ caddy_https_server_name }}": { + "listen": [ + ":443" + ], + "routes": [] +{% if caddy_use_https is sameas false %}, + "automatic_https": { + "disable": true + } +{% endif %} + } + } + } +{% if caddy_use_https is sameas true %}, + "tls": { + "automation": { + "policies": [ + { + "subjects": [], + "issuers": [ + { + {% if caddy_tls_use_staging is sameas true %} + "ca": "https://acme-staging-v02.api.letsencrypt.org/directory", + {% endif %} + {%- if caddy_email is not undefined and not none %} + "email": "{{ caddy_email }}", + {% endif %} + "module": "acme" + }, + { + {%- if caddy_email is not undefined and not none %} + "email": "{{ caddy_email }}", + {% endif %} + "module": "zerossl" + } + ] + } + ] + } + } +{% endif %} + } +} diff --git a/roles/caddy_id/templates/docker-stack.yml.j2 b/roles/caddy_id/templates/docker-stack.yml.j2 new file mode 100644 index 0000000..9c1ecf1 --- /dev/null +++ b/roles/caddy_id/templates/docker-stack.yml.j2 
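Review bot: The guards `{%- if caddy_email is not undefined and not none %}` parse in Jinja as `(caddy_email is not undefined) and (not none)`, and `not none` is always true, so they only check that the variable is defined: a `caddy_email:` left empty in inventory (the README in this series documents exactly that key) renders as `"email": "None"` and both the acme and zerossl issuers are handed a bogus contact address. The intended test is `{%- if caddy_email is defined and caddy_email %}` (or `… is not none`); the same construct appears in the upstream.json.j2 templates for `server_domain` and `subdomain_alias`, where a null value would yield a host match of `None.<domain>`. Separately, the automation policy has `"subjects": []`, so with `caddy_use_https` on it applies to every hostname Caddy is later given through the API — fine for this setup, but nothing in the template says so, and a one-line comment there would spare the next reader a trip to the Caddy docs.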
@@ -0,0 +1,30 @@ +version: "3.7" + +services: + app: + image: caddy:{{ caddy_version }} + command: caddy run --config /etc/caddy/config.json + healthcheck: + test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://localhost:2019/metrics"] + interval: 1m + timeout: 10s + retries: 3 + start_period: 1m + ports: + - "80:80" + - "443:443" + volumes: + - "{{ caddy_caddyfile_dir }}:/etc/caddy" + - "{{ docker_stack_files_dir }}:/stacks:ro" + - data:/data + - config:/config + networks: + - "{{ docker_swarm_public_network_name }}" + +volumes: + data: + config: + +networks: + "{{ docker_swarm_public_network_name }}": + external: true diff --git a/roles/caddy_id/vars/main.yml b/roles/caddy_id/vars/main.yml new file mode 100644 index 0000000..7e60722 --- /dev/null +++ b/roles/caddy_id/vars/main.yml @@ -0,0 +1,5 @@ +--- +caddy_stack: + name: caddy + +caddy_use_api: yes # if no turns off api interface; it is *required* for other swarm roles to be routed diff --git a/site.yml b/site.yml index a99b30b..4b8e657 100644 --- a/site.yml +++ b/site.yml @@ -21,7 +21,15 @@ - name: Install caddy reverse proxy import_role: role: caddy - tags: caddy + tags: + - caddy + + - name: Grab caddy container id for all following services + import_role: + role: caddy_id + tags: + - caddy_id + - always - name: Install wallabag import_role: From 26cceccfd992b780d858a01bf659ad15ecaee2f2 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 8 Dec 2023 22:49:43 +0100 Subject: [PATCH 15/66] Update Nextcloud internal Caddyfile Add suggested security improvements and static file caching. --- roles/nextcloud/files/Caddyfile | 58 +++++++++++++++++++++++++++++---- 1 file changed, 52 insertions(+), 6 deletions(-) diff --git a/roles/nextcloud/files/Caddyfile b/roles/nextcloud/files/Caddyfile index 8a86c1c..a54f3f5 100644 --- a/roles/nextcloud/files/Caddyfile +++ b/roles/nextcloud/files/Caddyfile 
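Review bot: The healthcheck `wget … http://localhost:2019/metrics` depends on the admin endpoint, yet config.json.j2 in this same commit disables admin entirely when `caddy_use_api` is false, so with that setting every probe fails and swarm keeps restarting the proxy; either probe a served port (for example a small `respond` route on :80) or template the healthcheck under the same condition. This docker-stack template and config.json.j2 appear to be verbatim copies of the caddy role's templates and are not referenced anywhere in caddy_id/tasks/main.yml, so two copies now drift independently — the later wget healthcheck patch in this series already has to touch both. Also, `caddy_use_api: yes` in caddy_id/vars/main.yml is a role var, which outranks inventory and `defaults`, so it silently overrides a user's `caddy_use_api: no` for the whole play once this role is imported; the inline comment says that is deliberate, but the README for the caddy role still presents the variable as user-settable. `yes` should be spelled `true` to match the `become: true` normalisation elsewhere in this series.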
@@ -1,16 +1,34 @@ -:80 { - root * /var/www/html - file_server +{ + servers { + trusted_proxies static 10.0.0.0/8 + } +} + +:80 { + encode zstd gzip + root * /var/www/html - php_fastcgi app:9000 header { # enable HSTS Strict-Transport-Security max-age=31536000; + Permissions-Policy interest-cohort=() + X-Content-Type-Options nosniff + X-Frame-Options SAMEORIGIN + Referrer-Policy no-referrer + X-XSS-Protection "1; mode=block" + X-Permitted-Cross-Domain-Policies none + X-Robots-Tag "noindex, nofollow" + -X-Powered-By } redir /.well-known/carddav /remote.php/dav 301 redir /.well-known/caldav /remote.php/dav 301 + # Uncomment this block if you use the high speed files backend: https://github.com/nextcloud/notify_push + #handle_path /push/* { + # reverse_proxy unix//run/notify_push/notify_push.sock # I love Unix sockets, but you can do :7867 also + #} + # .htaccess / data / config / ... shouldn't be accessible from outside @forbidden { path /.htaccess @@ -25,8 +43,36 @@ path /occ path /console.php } + handle @forbidden { + respond 404 + } - respond @forbidden 404 + handle { + root * /var/www/html + php_fastcgi app:9000 { + # Tells nextcloud to remove /index.php from URLs in links + env front_controller_active true + env modHeadersAvailable true # Avoid sending the security headers twice + } + } + # From .htaccess, set cache for versioned static files (cache-busting) + @immutable { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + query v=* + } + header @immutable Cache-Control "max-age=15778463, immutable" + + # From .htaccess, set cache for normal static files + @static { + path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite + not query v=* + } + header @static Cache-Control "max-age=15778463" + + # From .htaccess, cache fonts for 1 week + @woff2 path *.woff2 + header @woff2 Cache-Control "max-age=604800" + + file_server } - From bc7796710adf58da6dd534876524d9461a52b829 Mon Sep 17 00:00:00 2001 
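Review bot: `trusted_proxies static 10.0.0.0/8` trusts forwarded headers from the entire 10/8 range, which on a swarm overlay covers every container on the shared public network and not only the fronting Caddy; any other stack attached to that network could then set `X-Forwarded-For` and appear to Nextcloud as an arbitrary client address, for instance to sidestep its per-IP brute-force throttling. Narrowing this to the actual subnet of the public overlay network — or, if that subnet is not fixed, to the single upstream proxy address — keeps the trust where it belongs; I have not verified the overlay subnet from here. Smaller point: `X-XSS-Protection "1; mode=block"` is the legacy value that current guidance treats as harmful, and `X-XSS-Protection 0` (or omitting the header) is the safer modern choice, though Nextcloud's setup check may still expect the old string, so confirm before changing it.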
From: Marty Oehme Date: Fri, 8 Dec 2023 22:50:01 +0100 Subject: [PATCH 16/66] Pin Nextcloud version to current stable release --- roles/nextcloud/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 10858f8..e97d9e0 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -1,7 +1,7 @@ --- # set preferred application version -nextcloud_version: fpm-alpine +nextcloud_version: 27-fpm-alpine # set preferred postgres version nextcloud_db_version: 12-alpine @@ -41,4 +41,3 @@ nextcloud_smtp_from_domain: "{{ server_domain }}" # nextcloud_s3_ssl: true # nextcloud_s3_region: eu-central-1 # nextcloud_s3_usepath_style: true - From d3f65a07fbcf2ab59a8a272086e3ba71d07c4bdb Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 11 Apr 2024 13:04:28 +0200 Subject: [PATCH 17/66] Fix wget healthchecks to not use localhost For a reason, current wget versions error out when using localhost instead of 127.0.0.1 as the healthcheck for docker services. Probably has something to do with dns resolution - either on docker or wget end, but have not looked to deep into it. --- roles/caddy/templates/docker-stack.yml.j2 | 2 +- roles/caddy_id/templates/docker-stack.yml.j2 | 2 +- roles/gitea/templates/docker-stack.yml.j2 | 2 +- roles/landingpage/templates/docker-stack.yml.j2 | 2 +- roles/nextcloud/templates/docker-stack.yml.j2 | 2 +- roles/ntfy/templates/docker-stack.yml.j2 | 2 +- roles/searx/templates/docker-stack.yml.j2 | 2 +- roles/shaarli/templates/docker-stack.yml.j2 | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/caddy/templates/docker-stack.yml.j2 b/roles/caddy/templates/docker-stack.yml.j2 index 9c1ecf1..21a4c5a 100644 --- a/roles/caddy/templates/docker-stack.yml.j2 +++ b/roles/caddy/templates/docker-stack.yml.j2 
@@ -5,7 +5,7 @@ services: image: caddy:{{ caddy_version }} command: caddy run --config /etc/caddy/config.json healthcheck: - test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://localhost:2019/metrics"] + test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:2019/metrics"] interval: 1m timeout: 10s retries: 3 diff --git a/roles/caddy_id/templates/docker-stack.yml.j2 b/roles/caddy_id/templates/docker-stack.yml.j2 index 9c1ecf1..21a4c5a 100644 --- a/roles/caddy_id/templates/docker-stack.yml.j2 +++ b/roles/caddy_id/templates/docker-stack.yml.j2 @@ -5,7 +5,7 @@ services: image: caddy:{{ caddy_version }} command: caddy run --config /etc/caddy/config.json healthcheck: - test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://localhost:2019/metrics"] + test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:2019/metrics"] interval: 1m timeout: 10s retries: 3 diff --git a/roles/gitea/templates/docker-stack.yml.j2 b/roles/gitea/templates/docker-stack.yml.j2 index fa4cff9..fff54a8 100644 --- a/roles/gitea/templates/docker-stack.yml.j2 +++ b/roles/gitea/templates/docker-stack.yml.j2 @@ -4,7 +4,7 @@ services: app: image: "{{ stack_image }}:{{ gitea_version }}" healthcheck: - test: ["CMD", "wget", "--spider", "-q", "localhost:3000"] + test: ["CMD", "wget", "--spider", "-q", "127.0.0.1:3000"] interval: 1m timeout: 10s retries: 3 diff --git a/roles/landingpage/templates/docker-stack.yml.j2 b/roles/landingpage/templates/docker-stack.yml.j2 index b2525ab..fdaa2b4 100644 --- a/roles/landingpage/templates/docker-stack.yml.j2 +++ b/roles/landingpage/templates/docker-stack.yml.j2 @@ -4,7 +4,7 @@ services: app: image: "{{ stack_image }}:{{ landingpage_version }}" healthcheck: - test: ["CMD", "wget", "--spider", "-q", "localhost"] + test: ["CMD", "wget", "--spider", "-q", "127.0.0.1"] interval: 1m timeout: 10s retries: 3 
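Review bot: The reason for swapping `localhost` for `127.0.0.1` is left as a guess in the commit message and nothing in the templates records it; the most likely cause is that `localhost` now resolves to `::1` first in the image's resolver while these services listen on IPv4 only, so busybox wget gets a refused IPv6 connection — but I have not confirmed that here. Whatever the cause, a one-line comment above each healthcheck, `# 127.0.0.1 rather than localhost: current wget in the image fails on localhost (likely ::1 resolution)`, keeps the next person from reverting it to the "nicer" form. These hunks change only the probe URL; the surrounding service definitions lie outside them.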
diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2 index d97632a..6886e6d 100644 --- a/roles/nextcloud/templates/docker-stack.yml.j2 +++ b/roles/nextcloud/templates/docker-stack.yml.j2 @@ -7,7 +7,7 @@ services: - backend - "{{ docker_swarm_public_network_name }}" healthcheck: - test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://localhost:2019/metrics"] + test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:2019/metrics"] interval: 1m timeout: 10s retries: 3 diff --git a/roles/ntfy/templates/docker-stack.yml.j2 b/roles/ntfy/templates/docker-stack.yml.j2 index ffa1dc9..dce3b29 100644 --- a/roles/ntfy/templates/docker-stack.yml.j2 +++ b/roles/ntfy/templates/docker-stack.yml.j2 @@ -4,7 +4,7 @@ services: app: image: "{{ stack_image }}:{{ ntfy_version }}" healthcheck: - test: ["CMD", "wget", "--spider", "-q", "localhost"] + test: ["CMD", "wget", "--spider", "-q", "127.0.0.1"] interval: 1m timeout: 10s retries: 3 diff --git a/roles/searx/templates/docker-stack.yml.j2 b/roles/searx/templates/docker-stack.yml.j2 index 6f9c774..9c1cd2d 100644 --- a/roles/searx/templates/docker-stack.yml.j2 +++ b/roles/searx/templates/docker-stack.yml.j2 @@ -6,7 +6,7 @@ services: networks: - "{{ docker_swarm_public_network_name }}" healthcheck: - test: ["CMD", "wget", "-q", "--spider", "http://localhost:8080"] + test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:8080"] interval: 1m timeout: 10s retries: 3 diff --git a/roles/shaarli/templates/docker-stack.yml.j2 b/roles/shaarli/templates/docker-stack.yml.j2 index dc15fa2..545d20e 100644 --- a/roles/shaarli/templates/docker-stack.yml.j2 +++ b/roles/shaarli/templates/docker-stack.yml.j2 
@@ -4,7 +4,7 @@ services: app: image: "{{ stack_image }}:{{ shaarli_version }}" healthcheck: - test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://localhost:80"] + test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:80"] interval: 1m timeout: 10s retries: 3 From 948ca7517acfd5c71918321910cc98f412feab00 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 11 Apr 2024 13:05:01 +0200 Subject: [PATCH 18/66] Always update docker requirements to latest versions --- roles/docker/tasks/Ubuntu.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/docker/tasks/Ubuntu.yml b/roles/docker/tasks/Ubuntu.yml index 53ea490..92751ce 100644 --- a/roles/docker/tasks/Ubuntu.yml +++ b/roles/docker/tasks/Ubuntu.yml @@ -1,7 +1,7 @@ - name: Ensure requirements installed ansible.builtin.package: name: "{{ requisites }}" - state: present + state: latest update_cache: yes tags: - apt @@ -11,11 +11,14 @@ - name: Ensure docker GPG apt key exists apt_key: - url: https://download.docker.com/linux/ubuntu/gpg + url: "https://download.docker.com/linux/ubuntu/gpg" state: present tags: - apt - repository + # FIXME: Needs a 'until:' defined for the retries to actually work + retries: 3 + delay: 5 become: true - name: Ensure docker repository exists @@ -40,7 +43,7 @@ - name: Ensure docker requisites for python installed pip: - name: + name: - docker - jsondiff - pyyaml From ff49856107deb4ff1ffa4d66220afe582be6b69c Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 11 Apr 2024 13:05:15 +0200 Subject: [PATCH 19/66] Pint Nextcloud to current stable version --- roles/nextcloud/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index e97d9e0..37e73ba 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml 
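Review bot: Switching "Ensure requirements installed" from `state: present` to `state: latest` makes every play upgrade whatever apt currently offers for `{{ requisites }}`, so the role is no longer idempotent (it reports changed whenever a newer package appears) and the Docker bootstrap toolchain is no longer pinned to what was tested. If the intent is to keep these packages current, that is usually left to the host's unattended-upgrades policy rather than to a provisioning role; if the intent is to force a one-off upgrade, `present` plus `update_cache: yes` and an explicit version in the requisites list is the reproducible form. At minimum a comment above the task, `# deliberately upgrades on every run; role will always report changed here`, would stop the next reader from treating it as a mistake.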
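Review bot: The `retries: 3` / `delay: 5` added to "Ensure docker GPG apt key exists" do nothing, because Ansible only re-runs a task when an `until:` condition is present, as the FIXME in the hunk itself admits; the three lines `register: docker_apt_key`, `retries: 3` and `until: docker_apt_key is succeeded` (keeping `delay: 5`) make the retry real. Separately, `apt_key` is deprecated and imports Docker's key into the global trusted keyring, so that key can then sign any repository configured on the host; fetching it with `get_url` to `/etc/apt/keyrings/docker.asc` and referencing it through `signed-by=` in the repository entry (the "Ensure docker repository exists" task, which starts outside this hunk) scopes the trust to Docker's repository only. Quoting the URL is harmless but is the only other change here.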
@@ -1,7 +1,7 @@ --- # set preferred application version -nextcloud_version: 27-fpm-alpine +nextcloud_version: 28-fpm-alpine # set preferred postgres version nextcloud_db_version: 12-alpine From 7fb14b07a875ef8fb7c1708b1e209438786db519 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 11 Apr 2024 13:06:10 +0200 Subject: [PATCH 20/66] Remove nextcloud db readiness check We instead just wait for the db to be up with the usual docker wait commands. A little more brittle but the old method ceased to work. --- roles/nextcloud/templates/docker-stack.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2 index 6886e6d..ebf5b80 100644 --- a/roles/nextcloud/templates/docker-stack.yml.j2 +++ b/roles/nextcloud/templates/docker-stack.yml.j2 @@ -31,7 +31,7 @@ services: start_period: 5m # needed for db to be up, # see https://help.nextcloud.com/t/failed-to-install-nextcloud-with-docker-compose/83681/15 - entrypoint: sh -c "while !(nc -z db 5432); do sleep 30; done; /entrypoint.sh php-fpm" + # entrypoint: sh -c "while !(nc -z db 5432); do sleep 30; done; /entrypoint.sh php-fpm" environment: - NEXTCLOUD_ADMIN_USER={{ nextcloud_app_admin_username }} - NEXTCLOUD_ADMIN_PASSWORD={{ nextcloud_app_admin_password }} From 38b32a66e5fad34b6eb482fa43d0f6c04a443e76 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 11 Apr 2024 13:07:10 +0200 Subject: [PATCH 21/66] Reduce gitea healthy-await delay We waited for 60 seconds previously which is exactly when the supplied ssh key would disappear in my setup. So instead we wait for slightly shorter (55 seconds) to ease this for me. --- roles/gitea/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index d930ed7..e0fce1d 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
@@ -96,7 +96,7 @@ - name: Wait a minute for gitea to become healthy wait_for: - timeout: 60 + timeout: 55 delegate_to: localhost when: gitea_deployment is changed From b3d84b607533b0ebc0cccdb1eb1da97a02d7b03e Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 11 Apr 2024 13:07:22 +0200 Subject: [PATCH 22/66] Set Nextcloud php upload limit to 2GB --- roles/nextcloud/templates/docker-stack.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2 index ebf5b80..df37989 100644 --- a/roles/nextcloud/templates/docker-stack.yml.j2 +++ b/roles/nextcloud/templates/docker-stack.yml.j2 @@ -41,6 +41,7 @@ services: - POSTGRES_DB={{ nextcloud_db_username }} - POSTGRES_USER={{ nextcloud_db_username }} - POSTGRES_PASSWORD={{ nextcloud_db_password }} + - PHP_UPLOAD_LIMIT=2048M {% if nextcloud_trusted_domains is not undefined and not none %} - NEXTCLOUD_TRUSTED_DOMAINS={{ nextcloud_trusted_domains }} {% endif %} From b6e30811dc1fccb55d989672fb514a602a60fded Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 11 Apr 2024 13:08:06 +0200 Subject: [PATCH 23/66] Fix shaarli version and image source Shaarli images moved a while ago and received a different tag naming scheme. So we changed to the new repository and renamed the version from latest to release. --- roles/shaarli/defaults/main.yml | 2 +- roles/shaarli/vars/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/shaarli/defaults/main.yml b/roles/shaarli/defaults/main.yml index 6d676c3..9dd0b02 100644 --- a/roles/shaarli/defaults/main.yml +++ b/roles/shaarli/defaults/main.yml @@ -1,6 +1,6 @@ --- -shaarli_version: latest +shaarli_version: release # they offer: latest and release (stable) versions shaarli_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/shaarli/vars/main.yml b/roles/shaarli/vars/main.yml index c23e67a..e557c0a 100644 --- a/roles/shaarli/vars/main.yml 
+++ b/roles/shaarli/vars/main.yml @@ -2,6 +2,6 @@ stack_name: shaarli -stack_image: "shaarli/shaarli" +stack_image: "ghcr.io/shaarli/shaarli" stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" From 648f49a8478eb2bf274f3b7df10edc1c200147e1 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 24 Jun 2024 08:47:43 +0200 Subject: [PATCH 24/66] Move from gitea to forgejo Moved all variables over; moved git passthrough script to new location and naming scheme; moved settings and mentions of gitea name; switched ci woodpecker instance to use forgejo instead of gitea. --- roles/gitea/README.md | 19 +++--- roles/gitea/defaults/main.yml | 43 ++++++------ roles/gitea/files/{gitea => forgejo} | 0 roles/gitea/handlers/main.yml | 38 +++++------ roles/gitea/meta/main.yml | 1 - roles/gitea/tasks/main.yml | 59 +++++++++-------- roles/gitea/templates/docker-stack.yml.j2 | 80 +++++++++++------------ roles/gitea/vars/main.yml | 6 +- 8 files changed, 125 insertions(+), 121 deletions(-) rename roles/gitea/files/{gitea => forgejo} (100%) diff --git a/roles/gitea/README.md b/roles/gitea/README.md index 60a0b99..63fbbb8 100644 --- a/roles/gitea/README.md +++ b/roles/gitea/README.md @@ -1,23 +1,23 @@ -# gitea +# forgejo A relatively light-weight git server hosting. ## Defaults ``` -gitea_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" +forgejo_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" ``` The on-target directory where the proxy configuration file should be stashed. ``` -gitea_use_https: true +forgejo_use_https: true ``` Whether the service should be reachable through http (port 80) or through https (port 443) and provision an https certificate. Usually you will want this to stay `true`. ``` -gitea_version: latest +forgejo_version: latest ``` The docker image version to be used in stack creation. 
@@ -28,14 +28,13 @@ subdomain_alias: git If the deployed container should be served over a uri that is not the stack name. By default, it will be set to `git.yourdomain.com` - -if this option is not set it will be served on `gitea.yourdomain.com` instead. +if this option is not set it will be served on `forgejo.yourdomain.com` instead. -For now gitea will still need to be initially set up after installation. +For now forgejo will still need to be initially set up after installation. This could be automated with the help of these commands: ```sh -docker run --name gitea -p 8080:3000 -e GITEA__security__INSTALL_LOCK=true -d gitea/gitea:1.14.2 - -$ docker exec gitea migrate -$ docker exec gitea gitea admin user create --admin --username root --password admin1234 --email admin@example.com +docker run --name forgejo -p 8080:3000 -e FORGEJO__security__INSTALL_LOCK=true -d codeberg.org/forgejo/forgejo:7 +$ docker exec forgejo migrate +$ docker exec forgejo forgejo admin user create --admin --username root --password admin1234 --email admin@example.com ``` diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 1bace83..4eb6702 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml 
@@ -1,33 +1,32 @@ --- -# never got around to removing the master tag from the images -gitea_version: latest +forgejo_version: 7 -gitea_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" +forgejo_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" -gitea_use_https: true +forgejo_use_https: true -# the subdomain link gitea will be reachable under +# the subdomain link forgejo will be reachable under subdomain_alias: git subdomain_ci_alias: ci -gitea_db_database: gitea -gitea_db_username: gitea -gitea_db_password: gitea +forgejo_db_database: forgejo +forgejo_db_username: forgejo +forgejo_db_password: forgejo -gitea_app_admin_username: Mygiteausername # can not be set to admin in Gitea -gitea_app_admin_password: Mygiteapassword -gitea_app_admin_email: myadmin@mydomain.mytld +forgejo_app_admin_username: Myforgejousername # can not be set to admin in Forgejo +forgejo_app_admin_password: Myforgejopassword +forgejo_app_admin_email: myadmin@mydomain.mytld -# gitea_smtp_host: domain.com:port -# gitea_smtp_username: my@username.com -# gitea_smtp_password: -# gitea_smtp_force_tls: false # forces tls if it is on a non-traditional tls port. Overwrites starttls so should generally be off +# forgejo_smtp_host: domain.com:port +# forgejo_smtp_username: my@username.com +# forgejo_smtp_password: +# forgejo_smtp_force_tls: false # forces tls if it is on a non-traditional tls port. Overwrites starttls so should generally be off -gitea_use_ci: false -# gitea_ci_github_client: -# gitea_ci_github_secret: -# gitea_ci_gitlab_client: -# gitea_ci_gitlab_secret: -# gitea_ci_gitea_client: -# gitea_ci_gitea_secret: +forgejo_use_ci: false +# forgejo_ci_github_client: +# forgejo_ci_github_secret: +# forgejo_ci_gitlab_client: +# forgejo_ci_gitlab_secret: +# forgejo_ci_forgejo_client: +# forgejo_ci_forgejo_secret: 
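Review bot: The defaults still ship working credentials — `forgejo_db_password: forgejo` and `forgejo_app_admin_password: Myforgejopassword` — so a host whose inventory forgets to override them comes up with a database and an admin account protected by values published in this repository, and the rename gives no signal that this happened. Pinning `forgejo_version: 7` instead of `latest` is an improvement, but the two passwords would be safer left undefined so the deploy fails loudly, e.g. `forgejo_db_password: "{{ undef(hint='set forgejo_db_password in an encrypted vars file') }}"` (the `undef` helper exists since ansible-core 2.12), or at minimum a comment above them: `# placeholder values; MUST be overridden in vault, never deployed as-is`. The commented-out `forgejo_ci_*_secret` keys belong in an encrypted vars file rather than in defaults for the same reason.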
diff --git a/roles/gitea/files/gitea b/roles/gitea/files/forgejo similarity index 100% rename from roles/gitea/files/gitea rename to roles/gitea/files/forgejo diff --git a/roles/gitea/handlers/main.yml b/roles/gitea/handlers/main.yml index 1c82409..d3e8b18 100644 --- a/roles/gitea/handlers/main.yml +++ b/roles/gitea/handlers/main.yml @@ -1,36 +1,36 @@ - name: Add admin user community.docker.docker_container_exec: - container: "{{ gitea_app_container_name['stdout'] }}" + container: "{{ forgejo_app_container_name['stdout'] }}" command: > - gitea admin user create --admin --username {{ gitea_app_admin_username }} --password {{ gitea_app_admin_password }} --email {{ gitea_app_admin_email }} + forgejo admin user create --admin --username {{ forgejo_app_admin_username }} --password {{ forgejo_app_admin_password }} --email {{ forgejo_app_admin_email }} user: git become: true listen: "no admin user" ## Register reverse proxy -- name: Ensure upstream directory exists +- name: Upstream directory exists ansible.builtin.file: - path: "{{ gitea_upstream_file_dir }}" + path: "{{ forgejo_upstream_file_dir }}" state: directory mode: "0755" become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" - name: Update upstream template ansible.builtin.template: src: upstream.json.j2 - dest: "{{ gitea_upstream_file_dir }}/upstream.json" + dest: "{{ forgejo_upstream_file_dir }}/upstream.json" mode: "0600" become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" - name: Update ci upstream template ansible.builtin.template: src: upstream_ci.json.j2 - dest: "{{ gitea_upstream_file_dir }}/upstream_ci.json" + dest: "{{ forgejo_upstream_file_dir }}/upstream_ci.json" mode: "0600" become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" # figure out if upstream id exists - name: check {{ stack_name }} upstream 
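Review bot: The "Add admin user" handler passes `--password {{ forgejo_app_admin_password }}` on the command line and the task carries no `no_log: true`, so the password is echoed in the play output whenever the handler fails or runs under `-v`, and is visible to anything that can list processes in the container while `forgejo admin user create` runs. Adding `no_log: true` to the task is the minimal fix; Forgejo's `admin user create` also accepts `--random-password` (the generated value then has to be captured from the registered result, again under `no_log`), which keeps the secret off the command line entirely. Apart from the rename the rest of this hunk only retargets the upstream handlers and looks correct.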
@@ -41,7 +41,7 @@ changed_when: False register: result become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" # upstream already exists, patch it - name: remove old {{ stack_name }} upstream @@ -51,16 +51,16 @@ curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ become: true when: (result.stdout | from_json)['error'] is not defined - listen: "update gitea upstream" + listen: "update forgejo upstream" # upstream has to be created - name: add {{ stack_name }} upstream community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ gitea_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (gitea_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ forgejo_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (forgejo_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" # figure out if upstream id exists - name: check {{ stack_name }}_ci upstream @@ -71,7 +71,7 @@ changed_when: False register: result become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" # upstream for ci already exists, patch it - name: remove old {{ stack_name }}_ci upstream 
@@ -81,20 +81,20 @@ curl -X DELETE localhost:2019/id/{{ stack_name }}_ci_upstream/ become: true when: (result.stdout | from_json)['error'] is not defined - listen: "update gitea upstream" + listen: "update forgejo upstream" # upstream for ci has to be created - name: add {{ stack_name }}_ci upstream community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ gitea_upstream_file_dir }}/upstream_ci.json localhost:2019/config/apps/http/servers/{{ (gitea_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ forgejo_upstream_file_dir }}/upstream_ci.json localhost:2019/config/apps/http/servers/{{ (forgejo_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" - name: Ensure upstream directory is gone again ansible.builtin.file: - path: "{{ gitea_upstream_file_dir }}" + path: "{{ forgejo_upstream_file_dir }}" state: absent become: true - listen: "update gitea upstream" + listen: "update forgejo upstream" diff --git a/roles/gitea/meta/main.yml b/roles/gitea/meta/main.yml index da07f4a..727f63b 100644 --- a/roles/gitea/meta/main.yml +++ b/roles/gitea/meta/main.yml @@ -13,4 +13,3 @@ galaxy_info: dependencies: - docker - docker-swarm - - caddy diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index e0fce1d..3c85e01 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
@@ -8,48 +8,55 @@ - "{{ ansible_os_family }}.yml" loop_control: loop_var: distribution - when: gitea_use_ci == True + when: forgejo_use_ci == True # TODO only generate when no existing (check with docker inspect?) - name: Generate agent key ansible.builtin.shell: openssl rand -hex 32 - register: gitea_woodpecker_agent_secret - when: gitea_use_ci == True + register: forgejo_woodpecker_agent_secret + when: forgejo_use_ci == True - name: Set agent key ansible.builtin.set_fact: - gitea_woodpecker_agent_secret: "{{ gitea_woodpecker_agent_secret.stdout }}" - when: gitea_woodpecker_agent_secret.stdout is not undefined and not None + forgejo_woodpecker_agent_secret: "{{ forgejo_woodpecker_agent_secret.stdout }}" + when: forgejo_woodpecker_agent_secret.stdout is not undefined and not None -## Prepare gitea +## Prepare forgejo - name: Ensure git user exists with ssh key ansible.builtin.user: - name: "{{ gitea_git_username }}" + name: "{{ forgejo_git_username }}" generate_ssh_key: yes ssh_key_type: rsa ssh_key_bits: 4096 - ssh_key_comment: "Gitea Host Key" + ssh_key_comment: "Forgejo Host Key" become: true register: git_user - name: Ensure git passthrough command directory exists ansible.builtin.file: - path: "/app/gitea/" + path: "/app/forgejo/" state: directory mode: '0770' owner: "{{ git_user['uid'] }}" group: "{{ git_user['group'] }}" become: true -- name: Save git passthrough command in right location +- name: Passthrough git command is in right location ansible.builtin.copy: - src: gitea - dest: "/app/gitea/gitea" + src: forgejo + dest: "/app/forgejo/forgejo" owner: "{{ git_user['uid'] }}" group: "{{ git_user['group'] }}" mode: '0750' become: true +- name: Host machine forgejo command points to passthrough command + ansible.builtin.file: + state: link + src: "/app/forgejo/forgejo" + dest: "/usr/local/bin/forgejo" + become: true + - name: Fetch keyfile fetch: src: "{{ git_user['home'] }}/.ssh/id_rsa.pub" 
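Review bot: "Generate agent key" runs `openssl rand -hex 32` on every play and registers its stdout without `no_log`, so the Woodpecker agent secret is printed in the task output and regenerated on each run, which forces a redeploy of `wp-server`/`wp-agent` whenever `forgejo_use_ci` is true (the TODO above the task notes only the second half of this). `no_log: true` on both the `shell` task and the following `set_fact` keeps the value out of logs; a controller-side `lookup('password', inventory_dir ~ '/secrets/woodpecker_agent chars=hexdigits length=64')`, or reading the existing value back from the running service before generating a new one, makes it stable across runs. The new symlink `/usr/local/bin/forgejo` points at a file that is `0750` and owned by the git user, so it is only executable by `git` and its group; if that is intended for the ssh passthrough it deserves a comment such as `# host-side forgejo command for ssh passthrough; only the git user needs to execute it`.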
@@ -70,7 +77,7 @@ state: absent delegate_to: localhost -## install gitea container +## install forgejo container - name: Check upstream status community.docker.docker_container_exec: container: "{{ caddy_container_id }}" @@ -79,9 +86,9 @@ register: result changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) become: true - notify: "update gitea upstream" + notify: "update forgejo upstream" -- name: Deploy gitea to swarm +- name: Deploy forgejo to swarm community.general.docker_stack: name: "{{ stack_name }}" state: present 
@@ -91,35 +98,35 @@ become: true tags: - docker-swarm - register: gitea_deployment - notify: "update gitea upstream" + register: forgejo_deployment + notify: "update forgejo upstream" -- name: Wait a minute for gitea to become healthy +- name: Wait a minute for forgejo to become healthy wait_for: timeout: 55 delegate_to: localhost - when: gitea_deployment is changed + when: forgejo_deployment is changed - name: Get app container info ansible.builtin.command: cmd: docker ps -q -f name={{ stack_name }}_app become: true - until: gitea_app_container_name['rc'] | default('') == 0 and gitea_app_container_name['stdout'] | length >= 1 + until: forgejo_app_container_name['rc'] | default('') == 0 and forgejo_app_container_name['stdout'] | length >= 1 retries: 10 delay: 10 changed_when: False - register: gitea_app_container_name + register: forgejo_app_container_name - name: Look for existing admin user community.docker.docker_container_exec: - container: "{{ gitea_app_container_name['stdout'] }}" + container: "{{ forgejo_app_container_name['stdout'] }}" user: git command: > - gitea admin user list --admin - until: gitea_admin_list is defined and gitea_admin_list['rc'] | default('') == 0 + forgejo admin user list --admin + until: forgejo_admin_list is defined and forgejo_admin_list['rc'] | default('') == 0 retries: 15 delay: 20 become: true - register: gitea_admin_list - changed_when: gitea_admin_list['stdout_lines'] | length <= 1 and 'Username' in gitea_admin_list['stdout'] + register: forgejo_admin_list + changed_when: forgejo_admin_list['stdout_lines'] | length <= 1 and 'Username' in forgejo_admin_list['stdout'] notify: "no admin user" diff --git a/roles/gitea/templates/docker-stack.yml.j2 b/roles/gitea/templates/docker-stack.yml.j2 index fff54a8..5352930 100644 --- a/roles/gitea/templates/docker-stack.yml.j2 +++ b/roles/gitea/templates/docker-stack.yml.j2 
@@ -2,7 +2,7 @@ version: '3.4' services: app: - image: "{{ stack_image }}:{{ gitea_version }}" + image: "{{ stack_image }}:{{ forgejo_version }}" healthcheck: test: ["CMD", "wget", "--spider", "-q", "127.0.0.1:3000"] interval: 1m 
@@ -17,27 +17,27 @@ services: environment: - USER_UID={{ git_user['uid'] }} - USER_GID={{ git_user['group'] }} - - GITEA__database__DB_TYPE=postgres - - GITEA__database__HOST=db:5432 - - GITEA__database__NAME={{ gitea_db_database }} - - GITEA__database__USER={{ gitea_db_username }} - - GITEA__database__PASSWD={{ gitea_db_password }} - - "GITEA__server__ROOT_URL={{ (gitea_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" - - "GITEA__server__SSH_DOMAIN={{ server_domain }}" - - GITEA__server__LANDINGPAGE=explore - - GITEA__service__DISABLE_REGISTRATION=true -{% if gitea_app_admin_username is not undefined and not None and gitea_app_admin_password is not undefined and not None %} - - GITEA__security__INSTALL_LOCK=true + - FORGEJO__database__DB_TYPE=postgres + - FORGEJO__database__HOST=db:5432 + - "FORGEJO__database__NAME={{ forgejo_db_database }}" + - "FORGEJO__database__USER={{ forgejo_db_username }}" + - "FORGEJO__database__PASSWD={{ forgejo_db_password }}" + - "FORGEJO__server__ROOT_URL={{ (forgejo_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" + - "FORGEJO__server__SSH_DOMAIN={{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" + - FORGEJO__server__LANDINGPAGE=explore + - FORGEJO__service__DISABLE_REGISTRATION=true +{% if forgejo_app_admin_username is not undefined and not None and forgejo_app_admin_password is not undefined and not None %} + - FORGEJO__security__INSTALL_LOCK=true {% endif %} -{% if gitea_smtp_host is not undefined and not None and gitea_smtp_username is not undefined and not None and gitea_smtp_password is not undefined and not None %} - - GITEA__mailer__ENABLED=true - - GITEA__service__ENABLE_NOTIFY_MAIL=true - - GITEA__mailer__FROM=gitea@{{ server_domain }} - - 
GITEA__mailer__TYPE=smtp - - GITEA__mailer__HOST={{ gitea_smtp_host }} - - GITEA__mailer__IS_TLS_ENABLED={{ (gitea_smtp_force_tls is not undefined and not None) | ternary(gitea_smtp_force_tls,'false') }} - - GITEA__mailer__USER={{ gitea_smtp_username }} - - GITEA__mailer__PASSWD={{ gitea_smtp_password }} +{% if forgejo_smtp_host is not undefined and not None and forgejo_smtp_username is not undefined and not None and forgejo_smtp_password is not undefined and not None %} + - FORGEJO__mailer__ENABLED=true + - FORGEJO__service__ENABLE_NOTIFY_MAIL=true + - FORGEJO__mailer__FROM=forgejo@{{ server_domain }} + - FORGEJO__mailer__TYPE=smtp + - FORGEJO__mailer__HOST={{ forgejo_smtp_host }} + - FORGEJO__mailer__IS_TLS_ENABLED={{ (forgejo_smtp_force_tls is not undefined and not None) | ternary(forgejo_smtp_force_tls,'false') }} + - FORGEJO__mailer__USER={{ forgejo_smtp_username }} + - FORGEJO__mailer__PASSWD={{ forgejo_smtp_password }} {% endif %} networks: - "{{ docker_swarm_public_network_name }}" @@ -48,7 +48,7 @@ services: db: image: postgres:13 healthcheck: - test: ["CMD", "pg_isready", "-q", "-U", "{{ gitea_db_username }}"] + test: ["CMD", "pg_isready", "-q", "-U", "{{ forgejo_db_username }}"] interval: 1m timeout: 10s retries: 3 @@ -58,11 +58,11 @@ services: networks: - backend environment: - - POSTGRES_USER={{ gitea_db_username }} - - POSTGRES_PASSWORD={{ gitea_db_password }} - - POSTGRES_DB={{ gitea_db_database }} + - POSTGRES_USER={{ forgejo_db_username }} + - POSTGRES_PASSWORD={{ forgejo_db_password }} + - POSTGRES_DB={{ forgejo_db_database }} -{% if gitea_use_ci %} +{% if forgejo_use_ci %} wp-server: image: woodpeckerci/woodpecker-server:latest networks: 
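Review bot: `FORGEJO__mailer__HOST`, `FORGEJO__mailer__TYPE` and `FORGEJO__mailer__IS_TLS_ENABLED` are the pre-1.18 Gitea mailer keys; Forgejo 7 descends from Gitea 1.21, where they are deprecated in favour of `SMTP_ADDR`/`SMTP_PORT` and `PROTOCOL=smtps` or `smtp+starttls`, so the mailer likely logs deprecation warnings now and may stop working on a later image — verify against the deployed version before relying on notification mail. Independently, the database and SMTP passwords are placed in the service `environment`, which is readable via `docker inspect` and inherited by every process in the container; Docker secrets with the `__FILE` suffix (`FORGEJO__database__PASSWD__FILE=/run/secrets/db_passwd`, supported by the environment-to-ini helper since Gitea 1.20) keep them off the environment. The compose template continues past this hunk.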
@@ -72,23 +72,23 @@ services: - woodpecker:/var/lib/woodpecker/ environment: - WOODPECKER_OPEN=true - - "WOODPECKER_HOST={{ (gitea_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_ci_alias is not undefined and not none) | ternary(subdomain_ci_alias, stack_name + '_ci') }}.{{server_domain}}" - - WOODPECKER_AGENT_SECRET={{ gitea_woodpecker_agent_secret }} -{% if gitea_ci_github_client is not undefined and not None and gitea_ci_github_secret is not undefined and not None %} + - "WOODPECKER_HOST={{ (forgejo_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_ci_alias is not undefined and not none) | ternary(subdomain_ci_alias, stack_name + '_ci') }}.{{server_domain}}" + - WOODPECKER_AGENT_SECRET={{ forgejo_woodpecker_agent_secret }} +{% if forgejo_ci_github_client is not undefined and not None and forgejo_ci_github_secret is not undefined and not None %} - WOODPECKER_GITHUB=true - - WOODPECKER_GITHUB_CLIENT={{ gitea_ci_github_client }} - - WOODPECKER_GITHUB_SECRET={{ gitea_ci_github_secret }} + - WOODPECKER_GITHUB_CLIENT={{ forgejo_ci_github_client }} + - WOODPECKER_GITHUB_SECRET={{ forgejo_ci_github_secret }} {% endif %} -{% if gitea_ci_gitlab_client is not undefined and not None and gitea_ci_gitlab_secret is not undefined and not None %} +{% if forgejo_ci_gitlab_client is not undefined and not None and forgejo_ci_gitlab_secret is not undefined and not None %} - WOODPECKER_GITLAB=true - - WOODPECKER_gitlab_CLIENT={{ gitea_ci_gitlab_client }} - - WOODPECKER_gitlab_SECRET={{ gitea_ci_gitlab_secret }} + - WOODPECKER_gitlab_CLIENT={{ forgejo_ci_gitlab_client }} + - WOODPECKER_gitlab_SECRET={{ forgejo_ci_gitlab_secret }} {% endif %} -{% if gitea_ci_gitea_client is not undefined and not None and gitea_ci_gitea_secret is not undefined and not None %} - - WOODPECKER_GITEA=true - - "WOODPECKER_GITEA_URL={{ (gitea_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, 
stack_name) }}.{{server_domain}}" - - WOODPECKER_GITEA_CLIENT={{ gitea_ci_gitea_client }} - - WOODPECKER_GITEA_SECRET={{ gitea_ci_gitea_secret }} +{% if forgejo_ci_forgejo_client is not undefined and not None and forgejo_ci_forgejo_secret is not undefined and not None %} + - WOODPECKER_FORGEJO=true + - "WOODPECKER_FORGEJO_URL={{ (forgejo_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" + - WOODPECKER_FORGEJO_CLIENT={{ forgejo_ci_forgejo_client }} + - WOODPECKER_FORGEJO_SECRET={{ forgejo_ci_forgejo_secret }} {% endif %} wp-agent: @@ -100,7 +100,7 @@ services: - /var/run/docker.sock:/var/run/docker.sock environment: - WOODPECKER_SERVER=wp-server:9000 - - WOODPECKER_AGENT_SECRET={{ gitea_woodpecker_agent_secret }} + - WOODPECKER_AGENT_SECRET={{ forgejo_woodpecker_agent_secret }} {% endif %} volumes: diff --git a/roles/gitea/vars/main.yml b/roles/gitea/vars/main.yml index 8fd0ae4..66bd2c3 100644 --- a/roles/gitea/vars/main.yml +++ b/roles/gitea/vars/main.yml @@ -1,9 +1,9 @@ --- -stack_name: gitea +stack_name: forgejo -stack_image: "gitea/gitea" +stack_image: "codeberg.org/forgejo/forgejo" stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" -gitea_git_username: git +forgejo_git_username: git From 9ec5b6dec6d6f660f65efd87925f0b006441bdc2 Mon Sep 17 00:00:00 2001 
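Review bot: `WOODPECKER_gitlab_CLIENT` and `WOODPECKER_gitlab_SECRET` in the GitLab block keep the lower-case segment through the rename; environment variable names are case-sensitive, so Woodpecker will never see `WOODPECKER_GITLAB_CLIENT`/`WOODPECKER_GITLAB_SECRET` and the GitLab provider is silently unconfigured. More seriously, `WOODPECKER_OPEN=true` (a context line in this hunk) lets any account on every configured forge self-register with the CI server, and once the GitHub or GitLab client blocks are filled in that means any github.com or gitlab.com user can run pipelines on `wp-agent`, which mounts `/var/run/docker.sock` and therefore has root-equivalent control of the host; Forgejo's own `DISABLE_REGISTRATION=true` gates only the Forgejo path. Set `WOODPECKER_OPEN=false` together with `WOODPECKER_ADMIN={{ forgejo_app_admin_username }}`, or restrict with `WOODPECKER_ORGS`, before enabling the external providers, and consider pinning `woodpeckerci/woodpecker-server:latest` the way the Forgejo image now is.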
From: Marty Oehme Date: Mon, 24 Jun 2024 18:30:34 +0200 Subject: [PATCH 25/66] Switch site playbook to use forgejo --- group_vars/testing.yml | 2 +- roles/{gitea => forgejo}/README.md | 0 roles/{gitea => forgejo}/defaults/main.yml | 0 roles/{gitea => forgejo}/files/forgejo | 0 roles/{gitea => forgejo}/handlers/main.yml | 0 roles/{gitea => forgejo}/meta/main.yml | 0 roles/{gitea => forgejo}/tasks/Ubuntu.yml | 0 roles/{gitea => forgejo}/tasks/main.yml | 0 roles/{gitea => forgejo}/templates/docker-stack.yml.j2 | 0 roles/{gitea => forgejo}/templates/upstream.json.j2 | 0 roles/{gitea => forgejo}/templates/upstream_ci.json.j2 | 0 roles/{gitea => forgejo}/vars/main.yml | 0 site.yml | 6 +++--- 13 files changed, 4 insertions(+), 4 deletions(-) rename roles/{gitea => forgejo}/README.md (100%) rename roles/{gitea => forgejo}/defaults/main.yml (100%) rename roles/{gitea => forgejo}/files/forgejo (100%) rename roles/{gitea => forgejo}/handlers/main.yml (100%) rename roles/{gitea => forgejo}/meta/main.yml (100%) rename roles/{gitea => forgejo}/tasks/Ubuntu.yml (100%) rename roles/{gitea => forgejo}/tasks/main.yml (100%) rename roles/{gitea => forgejo}/templates/docker-stack.yml.j2 (100%) rename roles/{gitea => forgejo}/templates/upstream.json.j2 (100%) rename roles/{gitea => forgejo}/templates/upstream_ci.json.j2 (100%) rename roles/{gitea => forgejo}/vars/main.yml (100%) diff --git a/group_vars/testing.yml b/group_vars/testing.yml index c27a1ff..a449c70 100644 --- a/group_vars/testing.yml +++ b/group_vars/testing.yml @@ -7,7 +7,7 @@ caddy_tls_use_staging: yes blog_use_https: no caddy_use_https: no -gitea_use_https: no +forgejo_use_https: no landingpage_use_https: no miniflux_use_https: no monica_use_https: no diff --git a/roles/gitea/README.md b/roles/forgejo/README.md similarity index 100% rename from roles/gitea/README.md rename to roles/forgejo/README.md 
diff --git a/roles/gitea/defaults/main.yml b/roles/forgejo/defaults/main.yml similarity index 100% rename from roles/gitea/defaults/main.yml rename to roles/forgejo/defaults/main.yml diff --git a/roles/gitea/files/forgejo b/roles/forgejo/files/forgejo similarity index 100% rename from roles/gitea/files/forgejo rename to roles/forgejo/files/forgejo diff --git a/roles/gitea/handlers/main.yml b/roles/forgejo/handlers/main.yml similarity index 100% rename from roles/gitea/handlers/main.yml rename to roles/forgejo/handlers/main.yml diff --git a/roles/gitea/meta/main.yml b/roles/forgejo/meta/main.yml similarity index 100% rename from roles/gitea/meta/main.yml rename to roles/forgejo/meta/main.yml diff --git a/roles/gitea/tasks/Ubuntu.yml b/roles/forgejo/tasks/Ubuntu.yml similarity index 100% rename from roles/gitea/tasks/Ubuntu.yml rename to roles/forgejo/tasks/Ubuntu.yml diff --git a/roles/gitea/tasks/main.yml b/roles/forgejo/tasks/main.yml similarity index 100% rename from roles/gitea/tasks/main.yml rename to roles/forgejo/tasks/main.yml diff --git a/roles/gitea/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 similarity index 100% rename from roles/gitea/templates/docker-stack.yml.j2 rename to roles/forgejo/templates/docker-stack.yml.j2 diff --git a/roles/gitea/templates/upstream.json.j2 b/roles/forgejo/templates/upstream.json.j2 similarity index 100% rename from roles/gitea/templates/upstream.json.j2 rename to roles/forgejo/templates/upstream.json.j2 diff --git a/roles/gitea/templates/upstream_ci.json.j2 b/roles/forgejo/templates/upstream_ci.json.j2 similarity index 100% rename from roles/gitea/templates/upstream_ci.json.j2 rename to roles/forgejo/templates/upstream_ci.json.j2 diff --git a/roles/gitea/vars/main.yml b/roles/forgejo/vars/main.yml similarity index 100% rename from roles/gitea/vars/main.yml rename to roles/forgejo/vars/main.yml diff --git a/site.yml b/site.yml index 4b8e657..0ed3a12 100644 --- a/site.yml +++ b/site.yml 
@@ -71,10 +71,10 @@ role: landingpage tags: landingpage - - name: Install gitea + - name: Install forgejo import_role: - role: gitea - tags: gitea + role: forgejo + tags: forgejo - name: Install ntfy import_role:
From 3171aa5ead3c7e91448d1896d4da76b60390108f Mon Sep 17 00:00:00 2001
From: Marty Oehme
Date: Mon, 24 Jun 2024 18:56:37 +0200
Subject: [PATCH 26/66] Make zerossl usage depend on having an api key
---
roles/caddy/defaults/main.yml | 1 + roles/caddy/templates/config.json.j2 | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/roles/caddy/defaults/main.yml b/roles/caddy/defaults/main.yml
index 378f819..338f58c 100644
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@@ -9,3 +9,4 @@ caddy_use_https: yes caddy_tls_use_staging: no # caddy_email: your@email.here
+# caddy_zerossl_api_key: your-zerossl-key-here-its-free
diff --git a/roles/caddy/templates/config.json.j2 b/roles/caddy/templates/config.json.j2
index b104a25..6a13848 100644
--- a/roles/caddy/templates/config.json.j2
+++ b/roles/caddy/templates/config.json.j2
@@ -51,17 +51,19 @@
 {% if caddy_tls_use_staging is sameas true %}
 "ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
 {% endif %}
- {%- if caddy_email is not undefined and not none %}
+ {%- if caddy_email is not undefined and not none %}
 "email": "{{ caddy_email }}",
 {% endif %}
 "module": "acme"
+ {%- if caddy_zerossl_api_key is not undefined and not none %}
 },
 {
- {%- if caddy_email is not undefined and not none %}
- "email": "{{ caddy_email }}",
- {% endif %}
+ "api_key": "{{ caddy_zerossl_api_key }}",
 "module": "zerossl"
 }
+ {% else %}
+ }
+ {% endif %}
 ]
 }
 ]
From 6b4c4ccde4a99be9a26066a3ce4811aba086732e Mon Sep 17 00:00:00 2001
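Review bot: The added guard `{%- if caddy_zerossl_api_key is not undefined and not none %}` in config.json.j2 never tests for null: Jinja parses it as `(caddy_zerossl_api_key is not undefined) and (not none)`, and `not none` is always true, so a key explicitly set to `null` or `""` still selects the zerossl branch and renders `"api_key": "None"` (or an empty key) into Caddy's config. Write it as `{%- if caddy_zerossl_api_key is defined and caddy_zerossl_api_key is not none and caddy_zerossl_api_key | length > 0 %}`; the unchanged `caddy_email` guard a few lines above has the same precedence problem. The key is copied verbatim into the rendered config.json, so the value should come from a vaulted variable rather than being set where the defaults placeholder `# caddy_zerossl_api_key: your-zerossl-key-here-its-free` suggests, and the task that templates this file (not in this hunk) presumably needs an owner-only mode on the destination — worth confirming.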
From: Marty Oehme Date: Mon, 24 Jun 2024 20:24:04 +0200 Subject: [PATCH 27/66] Update dependencies to enable easy single-tag deployments Previously every deployment (even just for a single tag, such as `ansible-playbook site.yml --tags landingpage`) would have the caddy deployment in its dependency. That meant in effect whenever there was an updated caddy image, the role would update it and we would lose all previous caddy configuration - which in turn would necessitate a complete redeploymnet of all steps. This is now not the case anymore. --- roles/caddy/meta/main.yml | 1 - roles/caddy_id/meta/main.yml | 1 - roles/docker-swarm/meta/main.yml | 4 ++++ roles/forgejo/meta/main.yml | 9 +++++---- roles/landingpage/meta/main.yml | 5 ++--- roles/miniflux/meta/main.yml | 5 ++--- roles/monica/meta/main.yml | 5 ++--- roles/nextcloud/meta/main.yml | 5 ++--- roles/ntfy/meta/main.yml | 5 ++--- roles/searx/meta/main.yml | 5 ++--- roles/shaarli/meta/main.yml | 5 ++--- roles/traggo/meta/main.yml | 5 ++--- roles/wallabag/meta/main.yml | 5 ++--- roles/whoami/meta/main.yml | 3 +-- 14 files changed, 28 insertions(+), 35 deletions(-) create mode 100644 roles/docker-swarm/meta/main.yml diff --git a/roles/caddy/meta/main.yml b/roles/caddy/meta/main.yml index 5863772..21860e2 100644 --- a/roles/caddy/meta/main.yml +++ b/roles/caddy/meta/main.yml @@ -1,5 +1,4 @@ --- dependencies: - - docker - docker-swarm diff --git a/roles/caddy_id/meta/main.yml b/roles/caddy_id/meta/main.yml index 5863772..21860e2 100644 --- a/roles/caddy_id/meta/main.yml +++ b/roles/caddy_id/meta/main.yml @@ -1,5 +1,4 @@ --- dependencies: - - docker - docker-swarm diff --git a/roles/docker-swarm/meta/main.yml b/roles/docker-swarm/meta/main.yml new file mode 100644 index 0000000..78053e7 --- /dev/null +++ b/roles/docker-swarm/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - docker diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml index 727f63b..9775d89 100644 --- a/roles/forgejo/meta/main.yml 
+++ b/roles/forgejo/meta/main.yml @@ -4,12 +4,13 @@ galaxy_info: author: Marty Oehme description: Light-weight git hosting license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] platforms: - name: GenericLinux - versions: all - + versions: + - all + dependencies: - - docker - docker-swarm + - caddy_id diff --git a/roles/landingpage/meta/main.yml b/roles/landingpage/meta/main.yml index fbb1340..a834afd 100644 --- a/roles/landingpage/meta/main.yml +++ b/roles/landingpage/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs my personal public facing landing page as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/miniflux/meta/main.yml b/roles/miniflux/meta/main.yml index 50da3df..9e40a88 100644 --- a/roles/miniflux/meta/main.yml +++ b/roles/miniflux/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs miniflux as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/monica/meta/main.yml b/roles/monica/meta/main.yml index 3858e67..4fd4bc3 100644 --- a/roles/monica/meta/main.yml +++ b/roles/monica/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs monica as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/nextcloud/meta/main.yml b/roles/nextcloud/meta/main.yml index b503ed3..7989cf3 100644 --- a/roles/nextcloud/meta/main.yml +++ b/roles/nextcloud/meta/main.yml 
@@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs nextcloud as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/ntfy/meta/main.yml b/roles/ntfy/meta/main.yml index 16d1cd4..0930dd3 100644 --- a/roles/ntfy/meta/main.yml +++ b/roles/ntfy/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs a self-hosted push notification service through docker-swarm. license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/searx/meta/main.yml b/roles/searx/meta/main.yml index bb6dde1..2287836 100644 --- a/roles/searx/meta/main.yml +++ b/roles/searx/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs searx as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/shaarli/meta/main.yml b/roles/shaarli/meta/main.yml index 0be34a8..4406e21 100644 --- a/roles/shaarli/meta/main.yml +++ b/roles/shaarli/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs shaarli as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/traggo/meta/main.yml b/roles/traggo/meta/main.yml index ddd5c7f..fe81846 100644 --- a/roles/traggo/meta/main.yml +++ b/roles/traggo/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs traggo as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id 
diff --git a/roles/wallabag/meta/main.yml b/roles/wallabag/meta/main.yml index ed54c0d..7215ce9 100644 --- a/roles/wallabag/meta/main.yml +++ b/roles/wallabag/meta/main.yml @@ -4,11 +4,10 @@ galaxy_info: author: Marty Oehme description: Installs wallabag as a docker stack service license: GPL-3.0-only - min_ansible_version: 2.9 + min_ansible_version: "2.9" galaxy_tags: [] dependencies: - - docker - docker-swarm - - caddy + - caddy_id diff --git a/roles/whoami/meta/main.yml b/roles/whoami/meta/main.yml index bf789d1..386d89d 100644 --- a/roles/whoami/meta/main.yml +++ b/roles/whoami/meta/main.yml @@ -1,6 +1,5 @@ --- dependencies: - - docker - docker-swarm - - caddy + - caddy_id From c498b3ced8cef2291375cf84a504bfc41946fc0a Mon Sep 17 00:00:00 2001 
From: Marty Oehme Date: Mon, 24 Jun 2024 20:36:55 +0200 Subject: [PATCH 28/66] Apply prettier formatting --- README.md | 11 +++++------ group_vars/testing.yml | 25 ++++++++++++------------- roles/caddy/README.md | 27 +++++++++++++-------------- roles/caddy/defaults/main.yml | 1 - roles/caddy/meta/main.yml | 1 - roles/caddy/vars/main.yml | 1 - roles/caddy_id/README.md | 27 +++++++++++++-------------- roles/caddy_id/meta/main.yml | 1 - roles/docker-swarm/defaults/main.yml | 2 -- roles/docker-swarm/meta/main.yml | 1 - roles/docker-swarm/tasks/main.yml | 4 ++-- roles/forgejo/README.md | 4 ++-- roles/forgejo/defaults/main.yml | 1 - roles/forgejo/meta/main.yml | 1 - roles/forgejo/tasks/Ubuntu.yml | 1 - roles/forgejo/tasks/main.yml | 4 ++-- roles/forgejo/vars/main.yml | 1 - roles/landingpage/README.md | 9 ++++----- roles/landingpage/defaults/main.yml | 1 - roles/landingpage/handlers/main.yml | 5 ++--- roles/landingpage/meta/main.yml | 2 -- roles/landingpage/tasks/main.yml | 1 - roles/landingpage/vars/main.yml | 1 - roles/miniflux/README.md | 4 ++-- roles/miniflux/defaults/main.yml | 1 - roles/miniflux/handlers/main.yml | 5 ++--- roles/miniflux/meta/main.yml | 2 -- roles/miniflux/tasks/main.yml | 1 - roles/miniflux/vars/main.yml | 1 - roles/monica/README.md | 22 +++++++++++----------- roles/monica/defaults/main.yml | 5 ++--- roles/monica/handlers/main.yml | 5 ++--- roles/monica/meta/main.yml | 2 -- roles/monica/tasks/Ubuntu.yml | 1 - roles/monica/tasks/main.yml | 4 +--- roles/monica/vars/main.yml | 1 - roles/nextcloud/README.md | 28 ++++++++++++++-------------- roles/nextcloud/defaults/main.yml | 2 -- roles/nextcloud/handlers/main.yml | 5 ++--- roles/nextcloud/meta/main.yml | 2 -- roles/nextcloud/tasks/main.yml | 3 +-- roles/nextcloud/vars/main.yml | 1 - roles/ntfy/README.md | 6 +++--- roles/ntfy/handlers/main.yml | 5 ++--- roles/ntfy/meta/main.yml | 2 -- roles/ntfy/tasks/main.yml | 3 +-- roles/ntfy/vars/main.yml | 1 - roles/searx/README.md | 12 ++++++------ 
roles/searx/defaults/main.yml | 2 -- roles/searx/handlers/main.yml | 5 ++--- roles/searx/meta/main.yml | 2 -- roles/searx/tasks/main.yml | 1 - roles/searx/vars/main.yml | 1 - roles/shaarli/README.md | 9 ++++----- roles/shaarli/defaults/main.yml | 1 - roles/shaarli/handlers/main.yml | 5 ++--- roles/shaarli/meta/main.yml | 2 -- roles/shaarli/tasks/main.yml | 1 - roles/shaarli/vars/main.yml | 1 - roles/traggo/README.md | 6 +++--- roles/traggo/defaults/main.yml | 1 - roles/traggo/handlers/main.yml | 5 ++--- roles/traggo/meta/main.yml | 2 -- roles/traggo/tasks/main.yml | 1 - roles/traggo/vars/main.yml | 1 - roles/wallabag/README.md | 1 - roles/wallabag/defaults/main.yml | 1 - roles/wallabag/handlers/main.yml | 4 ++-- roles/wallabag/meta/main.yml | 2 -- roles/wallabag/vars/main.yml | 1 - roles/whoami/defaults/main.yml | 1 - roles/whoami/handlers/main.yml | 5 ++--- roles/whoami/meta/main.yml | 1 - roles/whoami/tasks/main.yml | 1 - roles/whoami/vars/main.yml | 2 -- site.yml | 4 ++-- 76 files changed, 123 insertions(+), 202 deletions(-) diff --git a/README.md b/README.md index 2eddd2f..3f2016a 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ vagrant plugin install vagrant-hosts vagrant-hostsupdater ``` Additionally, since the test setup mirrors the production setup in that it makes use of subdomains for the individual hosted applications, -the server needs to be reachable under a domain name, +the server needs to be reachable under a domain name, not just an IP address. For now this is most simply accomplished through editing the hosts file, e.g.: 
@@ -23,21 +23,20 @@ For now this is most simply accomplished through editing the hosts file, e.g.: ``` This will allow you to reach the main domain under `http(s)://ansible.test` and sets up two subdomains that can be reached. -Be aware that the hosts file does not support subdomain wildcards. -You will have to specify each hostname individually or use a tool such as `dnsmasq`. +Be aware that the hosts file does not support subdomain wildcards. +You will have to specify each hostname individually or use a tool such as `dnsmasq`. Read more [here](https://serverfault.com/questions/118378/in-my-etc-hosts-file-on-linux-osx-how-do-i-do-a-wildcard-subdomain). -Then you are ready to run the complete infrastructure setup locally, +Then you are ready to run the complete infrastructure setup locally, simply by executing `ansible-playbook site.yml`. You can of course pick and choose what should be executed with host limits, tags, group variables, and so on, but this should provide an easy way to see if a) the playbook is working as intended and b) what it does is useful. - ## Deployment Most variables to be changed should be set either through `group_variables` or `host_variables`. For my deployment I have a `production` group under `group_variables` which houses both a `vars.yml` containing basic variables -(like `server_domain`, `caddy_email`, etc.) +(like `server_domain`, `caddy_email`, etc.) and a `vault.yml` which houses everything that should ideally not be lying around in plain-text (individual container and database passwords for the various roles etc). diff --git a/group_vars/testing.yml b/group_vars/testing.yml index a449c70..6a95df5 100644 --- a/group_vars/testing.yml +++ b/group_vars/testing.yml 
@@ -1,22 +1,21 @@ --- - docker_swarm_advertise_addr: eth1 caddy_use_debug: yes caddy_tls_use_staging: yes -blog_use_https: no -caddy_use_https: no -forgejo_use_https: no +blog_use_https: no +caddy_use_https: no +forgejo_use_https: no landingpage_use_https: no -miniflux_use_https: no -monica_use_https: no -nextcloud_use_https: no -ntfy_use_https: no -searx_use_https: no -shaarli_use_https: no -traggo_use_https: no -wallabag_use_https: no -whoami_use_https: no +miniflux_use_https: no +monica_use_https: no +nextcloud_use_https: no +ntfy_use_https: no +searx_use_https: no +shaarli_use_https: no +traggo_use_https: no +wallabag_use_https: no +whoami_use_https: no server_domain: ansible.test diff --git a/roles/caddy/README.md b/roles/caddy/README.md index 88871db..eda03d2 100644 --- a/roles/caddy/README.md +++ b/roles/caddy/README.md @@ -1,7 +1,7 @@ -# Caddy +# Caddy Caddy is the reverse proxy for all other services running on the infrastructure. -It was chosen for its relative ease of use, +It was chosen for its relative ease of use, interactible API and https-by-default setup. ## Variables 
@@ -48,28 +48,27 @@ caddy_version: alpine Sets the docker image version to be used. - ## Internal variables ```yaml caddy_stack: - name: caddy - compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" + name: caddy + compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" ``` -Defines the actual docker stack which will later run on the target. -The name can be changed and will be used as a proxy target (`caddy.mydomain.com` or `192.168.1.1/caddy`) --- +Defines the actual docker stack which will later run on the target. +The name can be changed and will be used as a proxy target (`caddy.mydomain.com` or `192.168.1.1/caddy`) --- though to be clear there is no intention currently to expose the caddy to the web at the moment.\ -The compose option defines which template to use for the `docker-stack.yml` file. You can either change options for the stack in the template file, +The compose option defines which template to use for the `docker-stack.yml` file. You can either change options for the stack in the template file, or directly here like the following: ```yaml - compose: - - "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" - - version: '3' - services: - another-container: - image: nginx:latest +compose: + - "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" + - version: "3" + services: + another-container: + image: nginx:latest # ... ``` diff --git a/roles/caddy/defaults/main.yml b/roles/caddy/defaults/main.yml index 338f58c..0592a85 100644 --- a/roles/caddy/defaults/main.yml +++ b/roles/caddy/defaults/main.yml @@ -1,5 +1,4 @@ --- - caddy_version: alpine caddy_caddyfile_dir: "{{ docker_stack_files_dir }}/caddy" diff --git a/roles/caddy/meta/main.yml b/roles/caddy/meta/main.yml index 21860e2..5a00c2a 100644 --- a/roles/caddy/meta/main.yml +++ b/roles/caddy/meta/main.yml @@ -1,4 +1,3 @@ --- - dependencies: - docker-swarm 
diff --git a/roles/caddy/vars/main.yml b/roles/caddy/vars/main.yml index 27530c3..7684a29 100644 --- a/roles/caddy/vars/main.yml +++ b/roles/caddy/vars/main.yml @@ -1,5 +1,4 @@ --- - caddy_stack: name: caddy compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" diff --git a/roles/caddy_id/README.md b/roles/caddy_id/README.md index 88871db..eda03d2 100644 --- a/roles/caddy_id/README.md +++ b/roles/caddy_id/README.md @@ -1,7 +1,7 @@ -# Caddy +# Caddy Caddy is the reverse proxy for all other services running on the infrastructure. -It was chosen for its relative ease of use, +It was chosen for its relative ease of use, interactible API and https-by-default setup. ## Variables 
@@ -48,28 +48,27 @@ caddy_version: alpine Sets the docker image version to be used. - ## Internal variables ```yaml caddy_stack: - name: caddy - compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" + name: caddy + compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" ``` -Defines the actual docker stack which will later run on the target. -The name can be changed and will be used as a proxy target (`caddy.mydomain.com` or `192.168.1.1/caddy`) --- +Defines the actual docker stack which will later run on the target. +The name can be changed and will be used as a proxy target (`caddy.mydomain.com` or `192.168.1.1/caddy`) --- though to be clear there is no intention currently to expose the caddy to the web at the moment.\ -The compose option defines which template to use for the `docker-stack.yml` file. You can either change options for the stack in the template file, +The compose option defines which template to use for the `docker-stack.yml` file. You can either change options for the stack in the template file, or directly here like the following: ```yaml - compose: - - "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" - - version: '3' - services: - another-container: - image: nginx:latest +compose: + - "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" + - version: "3" + services: + another-container: + image: nginx:latest # ... ``` diff --git a/roles/caddy_id/meta/main.yml b/roles/caddy_id/meta/main.yml index 21860e2..5a00c2a 100644 --- a/roles/caddy_id/meta/main.yml +++ b/roles/caddy_id/meta/main.yml @@ -1,4 +1,3 @@ --- - dependencies: - docker-swarm diff --git a/roles/docker-swarm/defaults/main.yml b/roles/docker-swarm/defaults/main.yml index 9399a91..4e9d4af 100644 --- a/roles/docker-swarm/defaults/main.yml +++ b/roles/docker-swarm/defaults/main.yml @@ -1,5 +1,3 @@ --- - docker_stack_files_dir: /stacks docker_swarm_public_network_name: public - 
diff --git a/roles/docker-swarm/meta/main.yml b/roles/docker-swarm/meta/main.yml index 78053e7..128f19c 100644 --- a/roles/docker-swarm/meta/main.yml +++ b/roles/docker-swarm/meta/main.yml @@ -1,4 +1,3 @@ --- - dependencies: - docker diff --git a/roles/docker-swarm/tasks/main.yml b/roles/docker-swarm/tasks/main.yml index 01cf75b..e44183e 100644 --- a/roles/docker-swarm/tasks/main.yml +++ b/roles/docker-swarm/tasks/main.yml @@ -28,7 +28,7 @@ ansible.builtin.file: path: "{{ docker_stack_files_dir }}" state: directory - mode: '0755' + mode: "0755" become: true - tags: + tags: - fs diff --git a/roles/forgejo/README.md b/roles/forgejo/README.md index 63fbbb8..f99dea6 100644 --- a/roles/forgejo/README.md +++ b/roles/forgejo/README.md @@ -26,8 +26,8 @@ The docker image version to be used in stack creation. subdomain_alias: git ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `git.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `git.yourdomain.com` - if this option is not set it will be served on `forgejo.yourdomain.com` instead. For now forgejo will still need to be initially set up after installation. diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 4eb6702..90cd0da 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -1,5 +1,4 @@ --- - forgejo_version: 7 forgejo_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml index 9775d89..f6b84d0 100644 --- a/roles/forgejo/meta/main.yml +++ b/roles/forgejo/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Light-weight git hosting diff --git a/roles/forgejo/tasks/Ubuntu.yml b/roles/forgejo/tasks/Ubuntu.yml index 234e270..dd5b043 100644 --- a/roles/forgejo/tasks/Ubuntu.yml 
+++ b/roles/forgejo/tasks/Ubuntu.yml @@ -9,4 +9,3 @@ - apt - download - packages - diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml index 3c85e01..33e8abc 100644 --- a/roles/forgejo/tasks/main.yml +++ b/roles/forgejo/tasks/main.yml @@ -36,7 +36,7 @@ ansible.builtin.file: path: "/app/forgejo/" state: directory - mode: '0770' + mode: "0770" owner: "{{ git_user['uid'] }}" group: "{{ git_user['group'] }}" become: true @@ -47,7 +47,7 @@ dest: "/app/forgejo/forgejo" owner: "{{ git_user['uid'] }}" group: "{{ git_user['group'] }}" - mode: '0750' + mode: "0750" become: true - name: Host machine forgejo command points to passthrough command diff --git a/roles/forgejo/vars/main.yml b/roles/forgejo/vars/main.yml index 66bd2c3..f28238d 100644 --- a/roles/forgejo/vars/main.yml +++ b/roles/forgejo/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: forgejo stack_image: "codeberg.org/forgejo/forgejo" diff --git a/roles/landingpage/README.md b/roles/landingpage/README.md index d649b50..d0d3487 100644 --- a/roles/landingpage/README.md +++ b/roles/landingpage/README.md @@ -1,10 +1,10 @@ # landingpage -The public face of my server. +The public face of my server. Not much to see here honestly, just a few simple lines of html explaining what this server is about and how to contact me. -I don't see anybody else benefiting massively from this role but me, +I don't see anybody else benefiting massively from this role but me, but if you want the same web presence go for it I suppose 😉 ## Defaults @@ -31,7 +31,6 @@ The docker image version to be used in stack creation. subdomain_alias: www ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `www.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `www.yourdomain.com` - if this option is not set it will be served on `landingpage.yourdomain.com` instead. - 
diff --git a/roles/landingpage/defaults/main.yml b/roles/landingpage/defaults/main.yml index b47f57f..fed7288 100644 --- a/roles/landingpage/defaults/main.yml +++ b/roles/landingpage/defaults/main.yml @@ -1,5 +1,4 @@ --- - landingpage_version: latest landingpage_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/landingpage/handlers/main.yml b/roles/landingpage/handlers/main.yml index 27471e1..e82422e 100644 --- a/roles/landingpage/handlers/main.yml +++ b/roles/landingpage/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ landingpage_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update landingpage upstream" @@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ landingpage_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (landingpage_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ landingpage_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (landingpage_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update landingpage upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update landingpage upstream" - diff --git a/roles/landingpage/meta/main.yml b/roles/landingpage/meta/main.yml index a834afd..75e0801 100644 --- a/roles/landingpage/meta/main.yml +++ b/roles/landingpage/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs my personal public facing landing page as a docker stack service @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id 
diff --git a/roles/landingpage/tasks/main.yml b/roles/landingpage/tasks/main.yml index 3ed7acb..c0fad7c 100644 --- a/roles/landingpage/tasks/main.yml +++ b/roles/landingpage/tasks/main.yml @@ -21,4 +21,3 @@ tags: - docker-swarm notify: "update landingpage upstream" - diff --git a/roles/landingpage/vars/main.yml b/roles/landingpage/vars/main.yml index df7f3d7..436b8cc 100644 --- a/roles/landingpage/vars/main.yml +++ b/roles/landingpage/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: landingpage stack_image: "martyo/cloudserve-landing" diff --git a/roles/miniflux/README.md b/roles/miniflux/README.md index f1ce4c1..282e3c6 100644 --- a/roles/miniflux/README.md +++ b/roles/miniflux/README.md @@ -27,6 +27,6 @@ The docker image version to be used in stack creation. subdomain_alias: rss ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `rss.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `rss.yourdomain.com` - if this option is not set it will be served on `miniflux.yourdomain.com` instead. diff --git a/roles/miniflux/defaults/main.yml b/roles/miniflux/defaults/main.yml index b57d96f..a241f22 100644 --- a/roles/miniflux/defaults/main.yml +++ b/roles/miniflux/defaults/main.yml @@ -1,5 +1,4 @@ --- - miniflux_version: latest miniflux_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/miniflux/handlers/main.yml b/roles/miniflux/handlers/main.yml index 3f578d3..d26b2a6 100644 --- a/roles/miniflux/handlers/main.yml +++ b/roles/miniflux/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ miniflux_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update miniflux upstream" 
@@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ miniflux_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (miniflux_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ miniflux_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (miniflux_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update miniflux upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update miniflux upstream" - diff --git a/roles/miniflux/meta/main.yml b/roles/miniflux/meta/main.yml index 9e40a88..f9aeaf0 100644 --- a/roles/miniflux/meta/main.yml +++ b/roles/miniflux/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs miniflux as a docker stack service @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/miniflux/tasks/main.yml b/roles/miniflux/tasks/main.yml index 0384287..46cd068 100644 --- a/roles/miniflux/tasks/main.yml +++ b/roles/miniflux/tasks/main.yml @@ -21,4 +21,3 @@ tags: - docker-swarm notify: "update miniflux upstream" - diff --git a/roles/miniflux/vars/main.yml b/roles/miniflux/vars/main.yml index 05bf0b2..495ffee 100644 --- a/roles/miniflux/vars/main.yml +++ b/roles/miniflux/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: miniflux stack_image: "miniflux/miniflux" diff --git a/roles/monica/README.md b/roles/monica/README.md index c95ec92..f953fe3 100644 --- a/roles/monica/README.md +++ b/roles/monica/README.md 
@@ -27,8 +27,8 @@ The docker image version to be used in stack creation. subdomain_alias: prm ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `prm.yourdomain.com` (personal relationship manager) - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `prm.yourdomain.com` (personal relationship manager) - if this option is not set it will be served on `monica.yourdomain.com` instead. ``` @@ -38,14 +38,14 @@ monica_db_password: mymonicadbpassword ``` Set the default username and password combination on first container start. -If loading from an existing volume this does nothing, otherwise it sets the +If loading from an existing volume this does nothing, otherwise it sets the first user so you can instantly log in. ``` monica_app_disable_signups: true ``` -Sets the behavior on the login screen --- +Sets the behavior on the login screen --- if set to true (default) will not let anyone but the first user sign up, who automatically becomes an administrative user. If set to false will allow multiple users to sign up on the instance. 
@@ -57,13 +57,13 @@ monica_app_weather_api_key: If `monica_app_geolocation_api_key` is set, Monica will translate addresses input into the app to geographical latitude/ longitude data. -It requires an api key from https://locationiq.com/, which are free for +It requires an api key from https://locationiq.com/, which are free for 10.000 daily requests. -Similarly, if `monica_app_weather_api_key` is set, monica will (afaik) show -weather data for the location of individual contacts. +Similarly, if `monica_app_weather_api_key` is set, monica will (afaik) show +weather data for the location of individual contacts. It requires an API key from https://darksky.net/dev/register, where -1.000 daily requests are free. +1.000 daily requests are free. Be aware, however, that since darksky's sale to Apple, no new API signups are possible. To use this feature, `monica_app_geolocation_api_key` must also be filled out. @@ -71,8 +71,8 @@ To use this feature, `monica_app_geolocation_api_key` must also be filled out. monica_mail_host: smtp.eu.mailgun.org monica_mail_port: 465 monica_mail_encryption: tls -monica_mail_username: -monica_mail_password: +monica_mail_username: +monica_mail_password: monica_mail_from: monica@yourserver.com monica_mail_from_name: Monica monica_mail_new_user_notification_address: "{{ caddy_email }}" @@ -81,5 +81,5 @@ monica_mail_new_user_notification_address: "{{ caddy_email }}" Sets up the necessary details for Monica to send out registration and reminder e-mails. Requires an smtp server set up, most easily doable through things like mailgun or sendgrid. Variables should be relatively self-explanatory, -with `monica_mail_new_user_notification_address` being the address the notifications should be sent *to*, +with `monica_mail_new_user_notification_address` being the address the notifications should be sent _to_, so in all probability some sort of administration address. 
diff --git a/roles/monica/defaults/main.yml b/roles/monica/defaults/main.yml index f4d1d5e..303401e 100644 --- a/roles/monica/defaults/main.yml +++ b/roles/monica/defaults/main.yml @@ -1,5 +1,4 @@ --- - monica_version: latest monica_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" @@ -19,8 +18,8 @@ monica_db_password: mymonicadbpassword #monica_app_weather_api_key: #monica_mail_host: smtp.eu.mailgun.org -#monica_mail_username: -#monica_mail_password: +#monica_mail_username: +#monica_mail_password: monica_mail_port: 465 monica_mail_encryption: tls #monica_mail_from: monica@yourserver.com diff --git a/roles/monica/handlers/main.yml b/roles/monica/handlers/main.yml index 58d7dea..c7d2644 100644 --- a/roles/monica/handlers/main.yml +++ b/roles/monica/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ monica_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update monica upstream" @@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ monica_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (monica_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ monica_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (monica_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update monica upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update monica upstream" - diff --git a/roles/monica/meta/main.yml b/roles/monica/meta/main.yml index 4fd4bc3..b456668 100644 --- a/roles/monica/meta/main.yml +++ b/roles/monica/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs monica as a docker stack service 
@@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/monica/tasks/Ubuntu.yml b/roles/monica/tasks/Ubuntu.yml index 234e270..dd5b043 100644 --- a/roles/monica/tasks/Ubuntu.yml +++ b/roles/monica/tasks/Ubuntu.yml @@ -9,4 +9,3 @@ - apt - download - packages - diff --git a/roles/monica/tasks/main.yml b/roles/monica/tasks/main.yml index 2777f7b..30d9aab 100644 --- a/roles/monica/tasks/main.yml +++ b/roles/monica/tasks/main.yml @@ -12,8 +12,7 @@ ansible.builtin.shell: echo -n 'base64:'; openssl rand -base64 32 register: monica_app_key -- set_fact: - monica_app_key={{ monica_app_key.stdout }} +- set_fact: monica_app_key={{ monica_app_key.stdout }} ## install container - name: Check upstream status @@ -37,4 +36,3 @@ tags: - docker-swarm notify: "update monica upstream" - diff --git a/roles/monica/vars/main.yml b/roles/monica/vars/main.yml index a4495b4..4635128 100644 --- a/roles/monica/vars/main.yml +++ b/roles/monica/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: monica stack_image: "monica" diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md index 047548b..146fed9 100644 --- a/roles/nextcloud/README.md +++ b/roles/nextcloud/README.md 
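Review bot: The merged `set_fact` line in roles/monica/tasks/main.yml keeps the free-form `key=value` argument style and the task still carries no `name`, which is out of step with the surrounding tasks that use native module arguments (`ansible.builtin.shell:`, `ansible.builtin.file:`) and are named; prefer `- name: Register generated app key` / `ansible.builtin.set_fact:` / `monica_app_key: "{{ monica_app_key.stdout }}"`. The value comes from the `openssl rand` shell task directly above, so every play run presumably produces a fresh key and the fact is only as stable as that task; if the key is meant to survive redeploys that is worth confirming, though the shell task itself is outside the changed lines.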
@@ -4,13 +4,14 @@ A full office suite and groupware proposition, though its main draw for most is the file synchronization abilities. AKA Dropbox replacement. -This software can grow enormous and enormously complicated, +This software can grow enormous and enormously complicated, this Ansible setup role concentrates on 3 things: -* a stable and secure base setup from the official docker container -* automatic setup of an email pipeline so users can reset passwords and be updated of changes -* the ability to use S3 object storage as the primary way of storing users' files -The rest should be taken care of either automatically, +- a stable and secure base setup from the official docker container +- automatic setup of an email pipeline so users can reset passwords and be updated of changes +- the ability to use S3 object storage as the primary way of storing users' files + +The rest should be taken care of either automatically, or supplied after the fact (if using different plugins or similar). ## Defaults @@ -32,7 +33,7 @@ nextcloud_version: fpm nextcloud_db_version: 12 ``` -The docker image version to be used in stack creation. +The docker image version to be used in stack creation. The role sets up the `php-fpm` version of the official Nextcloud image. That means, Caddy is used in front as the server which presents all pages and access to files, the Nextcloud image itself only serves as the PHP data store. 
@@ -41,17 +42,17 @@ If changing the version to one relying on Nextcloud's in-built Apache server, take care to change where the upstream proxy is pointing to since the Caddy server in front loses its meaning. The second variable points to the docker image that should be used for the PostgreSQL database, -with 12 pre-filled as default. +with 12 pre-filled as default. You can put this to latest, but should take care to migrate the database correctly when an update rolls around, -or it *will* destroy your data at some point. +or it _will_ destroy your data at some point. Generally, it seems easier to pin this to a specific version and then only update manually. ```yml subdomain_alias: files ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `files.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `files.yourdomain.com` - if this option is not set it will be served on `nextcloud.yourdomain.com` instead. If you change or delete this, you should also change what `nextcloud_trusted_domains` points to. @@ -66,7 +67,7 @@ nextcloud_db_password: secretnextcloud ``` Sets the default username and password for application and database. -All of these variables are necessary to circumvent the manual installation process +All of these variables are necessary to circumvent the manual installation process you would usually be faced with on first creating a Nextcloud instance. Ideally change all of these for your personal setup, but it is especially important to change the app admin login data since they are what is public facing. 
@@ -77,7 +78,7 @@ nextcloud_trusted_domains: "{{ subdomain_alias }}.{{ server_domain }}" The domains that are allowed to access your Nextcloud instance. Should point to any domains that you want it accessible on, -can be a space-separated list of them. +can be a space-separated list of them. Take care to include the sub-domain if your are accessing it through one of them. [Further explanation](https://blog.martyoeh.me/posts/2021-11-18-nextcloud-trusted-domains/). @@ -130,7 +131,6 @@ If your details are correct, Nextcloud should automatically set up S3 as its pri Be careful if you switch an existing data volume of the Nextcloud image to S3 as you will lose all access to existing files. -The files *should* not be deleted at this point, +The files _should_ not be deleted at this point, only access will be lost, but you are playing with fire at this point. - diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 37e73ba..95e9271 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -1,5 +1,4 @@ --- - # set preferred application version nextcloud_version: 28-fpm-alpine # set preferred postgres version @@ -31,7 +30,6 @@ nextcloud_smtp_authtype: LOGIN # nextcloud_smtp_password: nextcloud_smtp_from_address: noreply nextcloud_smtp_from_domain: "{{ server_domain }}" - # the following block is required *fully* for primary object storage # nextcloud_s3_host: s3.eu-central-1.wasabisys.com # nextcloud_s3_bucket: nextcloud diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml index 5c4556c..82d4a16 100644 --- a/roles/nextcloud/handlers/main.yml +++ b/roles/nextcloud/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ nextcloud_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update nextcloud upstream" 
@@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ nextcloud_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (nextcloud_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ nextcloud_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (nextcloud_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update nextcloud upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update nextcloud upstream" - diff --git a/roles/nextcloud/meta/main.yml b/roles/nextcloud/meta/main.yml index 7989cf3..8eb68a7 100644 --- a/roles/nextcloud/meta/main.yml +++ b/roles/nextcloud/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs nextcloud as a docker stack service @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index a6d6617..8275a71 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -14,7 +14,7 @@ ansible.builtin.file: path: "{{ nextcloud_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true notify: "update nextcloud upstream" @@ -36,4 +36,3 @@ tags: - docker-swarm notify: "update nextcloud upstream" - diff --git a/roles/nextcloud/vars/main.yml b/roles/nextcloud/vars/main.yml index a1a21cd..65a4821 100644 --- a/roles/nextcloud/vars/main.yml +++ b/roles/nextcloud/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: nextcloud stack_image: "nextcloud" diff --git a/roles/ntfy/README.md b/roles/ntfy/README.md index df9bd6d..cd7dde5 100644 --- a/roles/ntfy/README.md +++ b/roles/ntfy/README.md 
@@ -19,7 +19,7 @@ The on-target directory where the proxy configuration file should be stashed. ntfy_use_https: true ``` -Whether the service should be reachable through http (port 80) or through https (port 443) and provision an https certificate. +Whether the service should be reachable through http (port 80) or through https (port 443) and provision an https certificate. Usually you will want this to stay `true`, especially on the public facing web. @@ -33,8 +33,8 @@ The docker image version to be used in stack creation. subdomain_alias: push ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `push.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `push.yourdomain.com` - if this option is not set it will be served on `ntfy.yourdomain.com` instead. The individual `ntfy` options to be changed are very well described on diff --git a/roles/ntfy/handlers/main.yml b/roles/ntfy/handlers/main.yml index 82744c9..c26f731 100644 --- a/roles/ntfy/handlers/main.yml +++ b/roles/ntfy/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ ntfy_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update ntfy upstream" @@ -40,7 +40,6 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ ntfy_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (ntfy_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ ntfy_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (ntfy_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update ntfy upstream" - 
diff --git a/roles/ntfy/meta/main.yml b/roles/ntfy/meta/main.yml index 0930dd3..14b8f5d 100644 --- a/roles/ntfy/meta/main.yml +++ b/roles/ntfy/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs a self-hosted push notification service through docker-swarm. @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/ntfy/tasks/main.yml b/roles/ntfy/tasks/main.yml index fc9ff80..df8ce94 100644 --- a/roles/ntfy/tasks/main.yml +++ b/roles/ntfy/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ ntfy_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true - name: Move ntfy configuration file to target dir @@ -35,4 +35,3 @@ tags: - docker-swarm notify: "update ntfy upstream" - diff --git a/roles/ntfy/vars/main.yml b/roles/ntfy/vars/main.yml index a3c184b..d4bdc5c 100644 --- a/roles/ntfy/vars/main.yml +++ b/roles/ntfy/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: ntfy stack_image: "binwiederhier/ntfy" diff --git a/roles/searx/README.md b/roles/searx/README.md index 0d42d4a..09300d4 100644 --- a/roles/searx/README.md +++ b/roles/searx/README.md @@ -26,8 +26,8 @@ The docker image version to be used in stack creation. subdomain_alias: search ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `search.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `search.yourdomain.com` - if this option is not set it will be served on `searx.yourdomain.com` instead. ``` 
@@ -39,11 +39,11 @@ searx_authentication: By default, the searx instance is not protected with a login, however you can have caddy provide a basic auth login form by using this variable. -You can either change the login to suit you by generating a combination +You can either change the login to suit you by generating a combination (or multiple, it will also work with an arbitrary amount of logins), -or remove the necessity to login altogether by not setting the +or remove the necessity to login altogether by not setting the `searx_authentication` variable to anything. -The password needs to be in a hashed format, which is easiest to accomplish -with the help of caddy itself --- simply doing `caddy hash-password` will +The password needs to be in a hashed format, which is easiest to accomplish +with the help of caddy itself --- simply doing `caddy hash-password` will allow you to create a new hashed password. diff --git a/roles/searx/defaults/main.yml b/roles/searx/defaults/main.yml index b129040..5204c77 100644 --- a/roles/searx/defaults/main.yml +++ b/roles/searx/defaults/main.yml @@ -1,5 +1,4 @@ --- - searx_version: latest searx_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" @@ -8,7 +7,6 @@ searx_use_https: true # the subdomain link searx will be reachable under subdomain_alias: search - # searx_authentication: # - username: mysearxusername # password: JDJhJDE0JFdjUnQ5WWllcU8wa01xS0JBS2dlMy5zMEhRTmxqTXdIZmdjcTN6ZGFwRjJlYUdoSHAwRUhL # mysearxpassword diff --git a/roles/searx/handlers/main.yml b/roles/searx/handlers/main.yml index ceeaaf3..3a6e6f6 100644 --- a/roles/searx/handlers/main.yml +++ b/roles/searx/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ searx_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update searx upstream" 
@@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ searx_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (searx_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ searx_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (searx_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update searx upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update searx upstream" - diff --git a/roles/searx/meta/main.yml b/roles/searx/meta/main.yml index 2287836..25dd7f7 100644 --- a/roles/searx/meta/main.yml +++ b/roles/searx/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs searx as a docker stack service @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/searx/tasks/main.yml b/roles/searx/tasks/main.yml index eef1581..75e7772 100644 --- a/roles/searx/tasks/main.yml +++ b/roles/searx/tasks/main.yml @@ -21,4 +21,3 @@ tags: - docker-swarm notify: "update searx upstream" - diff --git a/roles/searx/vars/main.yml b/roles/searx/vars/main.yml index 9cdba41..b55339a 100644 --- a/roles/searx/vars/main.yml +++ b/roles/searx/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: searx stack_image: "searxng/searxng" diff --git a/roles/shaarli/README.md b/roles/shaarli/README.md index f9e23f7..b6c56e9 100644 --- a/roles/shaarli/README.md +++ b/roles/shaarli/README.md 
@@ -3,11 +3,11 @@ A simple and fast bookmark manager. Can be deployed in minutes and takes minimum amount of resources. -Be aware that shaarli installations can *not* be fully automated. +Be aware that shaarli installations can _not_ be fully automated. That means after running this ansible role you will still have to setup up the first run wizard and create a user and so forth (if not running with an existing data-store). Do this quickly after setup, -*especially* if your instance is public-facing! +_especially_ if your instance is public-facing! {: .alert .alert-warning} ## Defaults @@ -34,7 +34,6 @@ The docker image version to be used in stack creation. subdomain_alias: links ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `links.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `links.yourdomain.com` - if this option is not set it will be served on `shaarli.yourdomain.com` instead. - diff --git a/roles/shaarli/defaults/main.yml b/roles/shaarli/defaults/main.yml index 9dd0b02..a654c5f 100644 --- a/roles/shaarli/defaults/main.yml +++ b/roles/shaarli/defaults/main.yml @@ -1,5 +1,4 @@ --- - shaarli_version: release # they offer: latest and release (stable) versions shaarli_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/shaarli/handlers/main.yml b/roles/shaarli/handlers/main.yml index 6e138d5..4f5434b 100644 --- a/roles/shaarli/handlers/main.yml +++ b/roles/shaarli/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ shaarli_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update shaarli upstream" 
@@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ shaarli_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (shaarli_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ shaarli_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (shaarli_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update shaarli upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update shaarli upstream" - diff --git a/roles/shaarli/meta/main.yml b/roles/shaarli/meta/main.yml index 4406e21..8ea1475 100644 --- a/roles/shaarli/meta/main.yml +++ b/roles/shaarli/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs shaarli as a docker stack service @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/shaarli/tasks/main.yml b/roles/shaarli/tasks/main.yml index a11eab5..8448ff3 100644 --- a/roles/shaarli/tasks/main.yml +++ b/roles/shaarli/tasks/main.yml @@ -21,4 +21,3 @@ tags: - docker-swarm notify: "update shaarli upstream" - diff --git a/roles/shaarli/vars/main.yml b/roles/shaarli/vars/main.yml index e557c0a..37a348c 100644 --- a/roles/shaarli/vars/main.yml +++ b/roles/shaarli/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: shaarli stack_image: "ghcr.io/shaarli/shaarli" diff --git a/roles/traggo/README.md b/roles/traggo/README.md index 648933f..690a526 100644 --- a/roles/traggo/README.md +++ b/roles/traggo/README.md 
@@ -27,8 +27,8 @@ The docker image version to be used in stack creation. subdomain_alias: time ``` -If the deployed container should be served over a uri that is not the stack name. -By default, it will be set to `time.yourdomain.com` - +If the deployed container should be served over a uri that is not the stack name. +By default, it will be set to `time.yourdomain.com` - if this option is not set it will be served on `traggo.yourdomain.com` instead. ``` @@ -37,5 +37,5 @@ traggo_password: mytraggopassword ``` Set the default username and password combination on first container start. -If loading from an existing volume this does nothing, otherwise it sets the +If loading from an existing volume this does nothing, otherwise it sets the first user so you can instantly log in. diff --git a/roles/traggo/defaults/main.yml b/roles/traggo/defaults/main.yml index 60b5b75..63cfd5a 100644 --- a/roles/traggo/defaults/main.yml +++ b/roles/traggo/defaults/main.yml @@ -1,5 +1,4 @@ --- - traggo_version: latest traggo_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/traggo/handlers/main.yml b/roles/traggo/handlers/main.yml index e0fc223..6d7dc27 100644 --- a/roles/traggo/handlers/main.yml +++ b/roles/traggo/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ traggo_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update traggo upstream" 
@@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ traggo_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (traggo_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ traggo_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (traggo_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update traggo upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update traggo upstream" - diff --git a/roles/traggo/meta/main.yml b/roles/traggo/meta/main.yml index fe81846..3e401d5 100644 --- a/roles/traggo/meta/main.yml +++ b/roles/traggo/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs traggo as a docker stack service @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/traggo/tasks/main.yml b/roles/traggo/tasks/main.yml index 07eb336..d20a428 100644 --- a/roles/traggo/tasks/main.yml +++ b/roles/traggo/tasks/main.yml @@ -21,4 +21,3 @@ tags: - docker-swarm notify: "update traggo upstream" - diff --git a/roles/traggo/vars/main.yml b/roles/traggo/vars/main.yml index 114f166..4fd87bb 100644 --- a/roles/traggo/vars/main.yml +++ b/roles/traggo/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: traggo stack_image: "traggo/server" diff --git a/roles/wallabag/README.md b/roles/wallabag/README.md index c1eceff..a2f7cc4 100644 --- a/roles/wallabag/README.md +++ b/roles/wallabag/README.md @@ -39,4 +39,3 @@ stack_image: "wallabag/wallabag" ``` The docker hub image to be use in provisioning. - diff --git a/roles/wallabag/defaults/main.yml b/roles/wallabag/defaults/main.yml index dcc02b2..c7b830c 100644 --- a/roles/wallabag/defaults/main.yml 
+++ b/roles/wallabag/defaults/main.yml @@ -1,5 +1,4 @@ --- - wallabag_version: latest wallabag_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" diff --git a/roles/wallabag/handlers/main.yml b/roles/wallabag/handlers/main.yml index a104112..e693838 100644 --- a/roles/wallabag/handlers/main.yml +++ b/roles/wallabag/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ wallabag_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update wallabag upstream" @@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ wallabag_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (wallabag_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ wallabag_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (wallabag_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update wallabag upstream" diff --git a/roles/wallabag/meta/main.yml b/roles/wallabag/meta/main.yml index 7215ce9..d731e1a 100644 --- a/roles/wallabag/meta/main.yml +++ b/roles/wallabag/meta/main.yml @@ -1,5 +1,4 @@ --- - galaxy_info: author: Marty Oehme description: Installs wallabag as a docker stack service @@ -7,7 +6,6 @@ galaxy_info: min_ansible_version: "2.9" galaxy_tags: [] - dependencies: - docker-swarm - caddy_id diff --git a/roles/wallabag/vars/main.yml b/roles/wallabag/vars/main.yml index d270fd5..c89919f 100644 --- a/roles/wallabag/vars/main.yml +++ b/roles/wallabag/vars/main.yml @@ -1,5 +1,4 @@ --- - stack_name: wallabag stack_image: "wallabag/wallabag" diff --git a/roles/whoami/defaults/main.yml b/roles/whoami/defaults/main.yml index f14f6aa..9b749d6 100644 --- a/roles/whoami/defaults/main.yml 
+++ b/roles/whoami/defaults/main.yml @@ -1,5 +1,4 @@ --- - whoami_version: latest whoami_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack.name }}" diff --git a/roles/whoami/handlers/main.yml b/roles/whoami/handlers/main.yml index 5c44127..8ef4221 100644 --- a/roles/whoami/handlers/main.yml +++ b/roles/whoami/handlers/main.yml @@ -3,7 +3,7 @@ ansible.builtin.file: path: "{{ whoami_upstream_file_dir }}" state: directory - mode: '0755' + mode: "0755" become: true listen: "update whoami upstream" @@ -40,7 +40,7 @@ community.docker.docker_container_exec: container: "{{ caddy_container_id }}" command: > - curl -X POST -H "Content-Type: application/json" -d @{{ whoami_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (whoami_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + curl -X POST -H "Content-Type: application/json" -d @{{ whoami_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (whoami_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ become: true listen: "update whoami upstream" @@ -50,4 +50,3 @@ state: absent become: true listen: "update whoami upstream" - diff --git a/roles/whoami/meta/main.yml b/roles/whoami/meta/main.yml index 386d89d..196d3e4 100644 --- a/roles/whoami/meta/main.yml +++ b/roles/whoami/meta/main.yml @@ -1,5 +1,4 @@ --- - dependencies: - docker-swarm - caddy_id diff --git a/roles/whoami/tasks/main.yml b/roles/whoami/tasks/main.yml index d2bbb9a..8723a63 100644 --- a/roles/whoami/tasks/main.yml +++ b/roles/whoami/tasks/main.yml @@ -22,4 +22,3 @@ tags: - docker-swarm notify: "update whoami upstream" - diff --git a/roles/whoami/vars/main.yml b/roles/whoami/vars/main.yml index 80be9fa..89447b2 100644 --- a/roles/whoami/vars/main.yml +++ b/roles/whoami/vars/main.yml @@ -1,6 +1,4 @@ --- - - stack: name: whoami compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" 
diff --git a/site.yml b/site.yml index 0ed3a12..bdf23c0 100644 --- a/site.yml +++ b/site.yml @@ -21,13 +21,13 @@ - name: Install caddy reverse proxy import_role: role: caddy - tags: + tags: - caddy - name: Grab caddy container id for all following services import_role: role: caddy_id - tags: + tags: - caddy_id - always From b3f201ed7dd5841afdcbda00660f70abdd19cb62 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 24 Jun 2024 20:50:58 +0200 Subject: [PATCH 29/66] Pin exact caddy version Stay on the exact version unless it is specifically told to upgrade. This is a first-step workaround for the (non-)idempodency issue of the caddy container's json config injection. --- roles/caddy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/caddy/defaults/main.yml b/roles/caddy/defaults/main.yml index 0592a85..dbc9087 100644 --- a/roles/caddy/defaults/main.yml +++ b/roles/caddy/defaults/main.yml @@ -1,5 +1,5 @@ --- -caddy_version: alpine +caddy_version: 2.8.4-alpine # tag exact version to avoid suprising container renewals caddy_caddyfile_dir: "{{ docker_stack_files_dir }}/caddy" caddy_use_debug: no From 86dd20fbf0f7554c53c2bb80de9e95d8ca747954 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 24 Jun 2024 20:51:40 +0200 Subject: [PATCH 30/66] Remove some services from default deployment Services I have not used or not used for a long time will now not be deployed by default (but could still be specifically targeted through tags). --- site.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/site.yml b/site.yml index bdf23c0..e5ccbf3 100644 --- a/site.yml +++ b/site.yml @@ -49,12 +49,16 @@ - name: Install traggo import_role: role: traggo - tags: traggo + tags: + - traggo + - never - name: Install monica import_role: role: monica - tags: monica + tags: + - monica + - never - name: Install nextcloud import_role: 
@@ -79,4 +83,6 @@ - name: Install ntfy import_role: role: ntfy - tags: ntfy + tags: + - ntfy + - never From b6f7934c5f48d2daba10abab2ddd58f3d08ee5f5 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 24 Jun 2024 22:02:31 +0200 Subject: [PATCH 31/66] Add gitea as potential woodpecker agent target In addition to the connected forgejo instance, we can now also target a remote gitea instance for woodpecker agents, should we want to. --- roles/forgejo/defaults/main.yml | 3 +++ roles/forgejo/templates/docker-stack.yml.j2 | 10 ++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 90cd0da..7d48c99 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -29,3 +29,6 @@ forgejo_use_ci: false # forgejo_ci_gitlab_secret: # forgejo_ci_forgejo_client: # forgejo_ci_forgejo_secret: +# forgejo_ci_gitea_url: +# forgejo_ci_gitea_client: +# forgejo_ci_gitea_secret: diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index 5352930..4448c3b 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 @@ -81,8 +81,8 @@ services: {% endif %} {% if forgejo_ci_gitlab_client is not undefined and not None and forgejo_ci_gitlab_secret is not undefined and not None %} - WOODPECKER_GITLAB=true - - WOODPECKER_gitlab_CLIENT={{ forgejo_ci_gitlab_client }} - - WOODPECKER_gitlab_SECRET={{ forgejo_ci_gitlab_secret }} + - WOODPECKER_GITLAB_CLIENT={{ forgejo_ci_gitlab_client }} + - WOODPECKER_GITLAB_SECRET={{ forgejo_ci_gitlab_secret }} {% endif %} {% if forgejo_ci_forgejo_client is not undefined and not None and forgejo_ci_forgejo_secret is not undefined and not None %} - WOODPECKER_FORGEJO=true 
@@ -90,6 +90,12 @@ services: - WOODPECKER_FORGEJO_CLIENT={{ forgejo_ci_forgejo_client }} - WOODPECKER_FORGEJO_SECRET={{ forgejo_ci_forgejo_secret }} {% endif %} +{% if forgejo_ci_gitea_url is not undefined and not None and forgejo_ci_gitea_client is not undefined and not None and forgejo_ci_gitea_secret is not undefined and not None %} + - WOODPECKER_GITEA=true + - "WOODPECKER_GITEA_URL={{ (forgejo_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" + - WOODPECKER_GITEA_CLIENT={{ forgejo_ci_gitea_client }} + - WOODPECKER_GITEA_SECRET={{ forgejo_ci_gitea_secret }} +{% endif %} wp-agent: image: woodpeckerci/woodpecker-agent:latest From e8447a628995aa13f13d2079b58cd18c12fecf09 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Tue, 25 Jun 2024 12:20:46 +0200 Subject: [PATCH 32/66] Add diun role --- roles/diun/README.md | 5 +++ roles/diun/defaults/main.yml | 26 ++++++++++++ roles/diun/meta/main.yml | 10 +++++ roles/diun/tasks/main.yml | 12 ++++++ roles/diun/templates/docker-stack.yml.j2 | 51 ++++++++++++++++++++++++ roles/diun/vars/main.yml | 6 +++ site.yml | 6 +++ 7 files changed, 116 insertions(+) create mode 100644 roles/diun/README.md create mode 100644 roles/diun/defaults/main.yml create mode 100644 roles/diun/meta/main.yml create mode 100644 roles/diun/tasks/main.yml create mode 100644 roles/diun/templates/docker-stack.yml.j2 create mode 100644 roles/diun/vars/main.yml diff --git a/roles/diun/README.md b/roles/diun/README.md new file mode 100644 index 0000000..5f821f2 --- /dev/null +++ b/roles/diun/README.md @@ -0,0 +1,5 @@ +# diun + +Monitor the deployed swarm containers for updates. +Will notify you when it found any update for any container. +Can (currently) notify you either through mail or on matrix. diff --git a/roles/diun/defaults/main.yml b/roles/diun/defaults/main.yml new file mode 100644 index 0000000..2eb93de --- /dev/null 
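Review bot: The new `WOODPECKER_GITEA_URL` line is rendered from `forgejo_use_https`, `subdomain_alias`/`stack_name` and `server_domain`, i.e. this host's own forgejo address, while the guard requires `forgejo_ci_gitea_url` and then never uses it; since the commit targets a remote gitea instance, the line should read `- "WOODPECKER_GITEA_URL={{ forgejo_ci_gitea_url }}"`. The guard itself, `x is not undefined and not None`, parses as `(x is defined) and (not None)`, so the second half is always true and a variable explicitly set to null still passes; `forgejo_ci_gitea_url is defined and forgejo_ci_gitea_url is not none` (and likewise for client and secret) checks what is intended, and the gitlab and forgejo guards above share the same pattern. The `services:` block this sits in begins outside the hunk.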
+++ b/roles/diun/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+diun_version: 4
+
+diun_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}"
+
+diun_use_https: true
+
+# the subdomain link diun will be reachable under
+subdomain_alias: diun
+
+diun_tz: Europe/Berlin
+diun_log_level: info
+diun_watch_swarm_by_default: true
+
+diun_notif_mail_host: localhost
+diun_notif_mail_port: 25
+# diun_notif_mail_username: required for mail
+# diun_notif_mail_password: required for mail
+# diun_notif_mail_from: required for mail
+# diun_notif_mail_to: required for mail
+
+diun_notif_matrix_url: "https://matrix.org"
+#diun_notif_matrix_user: required for matrix
+#diun_notif_matrix_password: required for matrix
+#diun_notif_matrix_roomid: required for matrix
+
diff --git a/roles/diun/meta/main.yml b/roles/diun/meta/main.yml
new file mode 100644
index 0000000..2c1b831
--- /dev/null
+++ b/roles/diun/meta/main.yml
@@ -0,0 +1,10 @@
+---
+galaxy_info:
+ author: Marty Oehme
+ description: Notify on any docker swarm container updates
+ license: GPL-3.0-only
+ min_ansible_version: "2.9"
+ galaxy_tags: []
+
+dependencies:
+ - docker-swarm
diff --git a/roles/diun/tasks/main.yml b/roles/diun/tasks/main.yml
new file mode 100644
index 0000000..10456f4
--- /dev/null
+++ b/roles/diun/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+## install diun container
+- name: Deploy diun to swarm
+ community.general.docker_stack:
+ name: "{{ stack_name }}"
+ state: present
+ prune: yes
+ compose:
+ - "{{ stack_compose }}"
+ become: true
+ tags:
+ - docker-swarm
diff --git a/roles/diun/templates/docker-stack.yml.j2 b/roles/diun/templates/docker-stack.yml.j2
new file mode 100644
index 0000000..71a07cb
--- /dev/null
+++ b/roles/diun/templates/docker-stack.yml.j2
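Review bot: `diun_upstream_file_dir`, `diun_use_https` and `subdomain_alias` are defined in the new defaults, but nothing else this commit adds reads them — the tasks only deploy the stack, the meta depends on `docker-swarm` alone rather than `caddy_id`, and the template uses only the `diun_tz`, `diun_log_level`, `diun_watch_*` and `diun_notif_*` variables — so they look carried over from the proxied roles. If they are indeed unused, drop them; `subdomain_alias` in particular is a name every proxied role also sets in its defaults, so an unused copy here is at best confusing. Style: the three `#diun_notif_matrix_*` comments lack the space after `#` that the `# diun_notif_mail_*` lines above them have, and the file ends with an extra blank line that yamllint will flag.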
@@ -0,0 +1,51 @@ +version: '3.4' + +services: + app: + image: crazymax/diun:latest + # healthcheck: + # test: ["CMD", "wget", "--spider", "-q", "127.0.0.1"] + # interval: 1m + # timeout: 10s + # retries: 3 + # start_period: 1m + command: serve + volumes: + - "data:/data" + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - "TZ={{ diun_tz }}" + - "LOG_LEVEL={{ diun_log_level }}" + - "LOG_JSON=false" + - "DIUN_WATCH_WORKERS=20" + - "DIUN_WATCH_SCHEDULE=0 */6 * * *" + - "DIUN_WATCH_JITTER=30s" + - "DIUN_PROVIDERS_SWARM=true" + - "DIUN_PROVIDERS_SWARM_WATCHBYDEFAULT={{ diun_watch_swarm_by_default }}" +{% if diun_notif_matrix_user is not undefined and not None and diun_notif_matrix_password is not undefined and not None and diun_notif_matrix_roomid is not undefined and not None %} + - "DIUN_NOTIF_MATRIX_HOMESERVERURL={{ diun_notif_matrix_url }}" + - "DIUN_NOTIF_MATRIX_USER={{ diun_notif_matrix_user }}" + - "DIUN_NOTIF_MATRIX_PASSWORD={{ diun_notif_matrix_password }}" + - "DIUN_NOTIF_MATRIX_ROOMID={{ diun_notif_matrix_roomid }}" +{% endif %} +{% if diun_notif_mail_username is not undefined and not None and diun_notif_mail_password is not undefined and not None and diun_notif_mail_from is not undefined and not None and diun_notif_mail_to is not undefined and not None %} + - "DIUN_NOTIF_MAIL_HOST={{ diun_notif_mail_host }}" + - "DIUN_NOTIF_MAIL_PORT={{ diun_notif_mail_port }}" + - "DIUN_NOTIF_MAIL_USERNAME={{ diun_notif_mail_username }}" + - "DIUN_NOTIF_MAIL_PASSWORD={{ diun_notif_mail_password }}" + - "DIUN_NOTIF_MAIL_FROM={{ diun_notif_mail_from }}" + - "DIUN_NOTIF_MAIL_TO={{ diun_notif_mail_to }}" +{% endif %} +# deploy: +# mode: replicated +# replicas: 1 +# placement: +# constraints: +# - node.role == manager + +volumes: + data: + +networks: + "{{ docker_swarm_public_network_name }}": + external: true diff --git a/roles/diun/vars/main.yml b/roles/diun/vars/main.yml new file mode 100644 index 0000000..91148a4 --- /dev/null +++ b/roles/diun/vars/main.yml 
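Review bot: `/var/run/docker.sock` is mounted into `app` with nothing limiting what the container may ask the daemon, which makes a compromise of the unpinned `crazymax/diun:latest` image equivalent to root on the host; diun only needs to list services and images, so a comment stating that above the volume line and, ideally, a Docker socket proxy restricted to read-only endpoints would bound the blast radius. The image tag is also hard-coded even though `vars/main.yml` defines `stack_image: "crazymax/diun"` and defaults carry `diun_version: 4`; `image: "{{ stack_image }}:{{ diun_version }}"` would match the other roles (assuming `4` is a published tag). With `DIUN_PROVIDERS_SWARM=true` the container has to reach the swarm API, which is only served on manager nodes, so the commented-out `placement: constraints: - node.role == manager` block is probably required rather than optional — confirm against diun's swarm provider docs. The top-level `networks:` entry for `docker_swarm_public_network_name` is declared but no service joins it.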
@@ -0,0 +1,6 @@ +--- +stack_name: diun + +stack_image: "crazymax/diun" + +stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" diff --git a/site.yml b/site.yml index e5ccbf3..892a4e2 100644 --- a/site.yml +++ b/site.yml @@ -86,3 +86,9 @@ tags: - ntfy - never + + - name: Install diun + import_role: + role: diun + tags: + - diun From be875edea9c50d275446fd75d1eb4c9da8a46301 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 27 Jun 2024 18:23:15 +0200 Subject: [PATCH 33/66] Only update docker when run explicitly Docker should only be updated when run explicitly as it currently requires a re-run of the complete playbook afterwards (does not work for single-tag deployments e.g.) since it will recreate caddy container and lose all reverse proxy information. --- roles/docker/tasks/Ubuntu.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/Ubuntu.yml b/roles/docker/tasks/Ubuntu.yml index 92751ce..0ac4236 100644 --- a/roles/docker/tasks/Ubuntu.yml +++ b/roles/docker/tasks/Ubuntu.yml @@ -30,7 +30,18 @@ - repository become: true -- name: Ensure latest docker-ce installed +- name: docker-ce is installed + ansible.builtin.package: + name: "{{ packages }}" + state: present + tags: + - apt + - download + - packages + become: true + notify: Handle docker daemon + +- name: Latest docker-ce is installed ansible.builtin.package: name: "{{ packages }}" state: latest @@ -38,6 +49,8 @@ - apt - download - packages + - docker + - never become: true notify: Handle docker daemon From 801d4b751bceb9d0c3aa3c689c6b7dafc0e5f499 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Thu, 27 Jun 2024 18:23:35 +0200 Subject: [PATCH 34/66] Update Nextcloud major version to 29 --- roles/nextcloud/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 95e9271..4c56dc4 100644 --- a/roles/nextcloud/defaults/main.yml 
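Review bot: The `never` tag does not deliver the "only when run explicitly" intent on the `Latest docker-ce is installed` task, because Ansible runs a `never`-tagged task whenever any of its other tags is requested and this task still carries `apt`, `download` and `packages`; a run with `--tags packages` would therefore upgrade docker-ce and recreate the caddy container the commit message warns about. Reducing the upgrade task to `tags: [docker, never]` (the new `present` task already has the package tags) makes it reachable solely via `--tags docker`. Both tasks notify `Handle docker daemon` and differ only in `state`, so a comment above the second one such as `# only runs with --tags docker; the upgrade recreates containers and needs a full playbook re-run` would spare the next reader the commit archaeology.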
+++ b/roles/nextcloud/defaults/main.yml @@ -1,6 +1,6 @@ --- # set preferred application version -nextcloud_version: 28-fpm-alpine +nextcloud_version: 29-fpm-alpine # set preferred postgres version nextcloud_db_version: 12-alpine From 29ccedf1465b09ca8bfced3a36f6357871dae556 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 27 Sep 2024 08:35:13 +0200 Subject: [PATCH 35/66] fix(forgejo): Fix default landing page configuration Was missing underscore to be set correctly. --- roles/forgejo/templates/docker-stack.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index 4448c3b..a773598 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 @@ -24,7 +24,7 @@ services: - "FORGEJO__database__PASSWD={{ forgejo_db_password }}" - "FORGEJO__server__ROOT_URL={{ (forgejo_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" - "FORGEJO__server__SSH_DOMAIN={{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" - - FORGEJO__server__LANDINGPAGE=explore + - FORGEJO__server__LANDING_PAGE=explore - FORGEJO__service__DISABLE_REGISTRATION=true {% if forgejo_app_admin_username is not undefined and not None and forgejo_app_admin_password is not undefined and not None %} - FORGEJO__security__INSTALL_LOCK=true From 174ad5a5fb4e0bf22399f0d6e7d424dbdf2e0ebe Mon Sep 17 00:00:00 2001 
From: Marty Oehme Date: Fri, 27 Sep 2024 08:36:41 +0200 Subject: [PATCH 36/66] feat(forgejo): Add s3 configuration options Sets s3 storage for all available subsystems, more information here: https://forgejo.org/docs/latest/admin/storage/ Does *not* set repositories to be hosted on s3 since forgejo does not support it. --- roles/forgejo/defaults/main.yml | 9 +++++++++ roles/forgejo/templates/docker-stack.yml.j2 | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 7d48c99..09a244b 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -32,3 +32,12 @@ forgejo_use_ci: false # forgejo_ci_gitea_url: # forgejo_ci_gitea_client: # forgejo_ci_gitea_secret: + +forgejo_use_s3: false +forgejo_s3_use_ssl: true +forgejo_s3_bucket_lookup: auto # auto|dns|path +# forgejo_s3_endpoint: +# forgejo_s3_region: +# forgejo_s3_key: +# forgejo_s3_secret: +# forgejo_s3_bucket: diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index a773598..5bad7af 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 
@@ -38,6 +38,16 @@ services: - FORGEJO__mailer__IS_TLS_ENABLED={{ (forgejo_smtp_force_tls is not undefined and not None) | ternary(forgejo_smtp_force_tls,'false') }} - FORGEJO__mailer__USER={{ forgejo_smtp_username }} - FORGEJO__mailer__PASSWD={{ forgejo_smtp_password }} +{% endif %} +{% if forgejo_use_s3 %} + - FORGEJO__storage__STORAGE_TYPE="minio" + - FORGEJO__storage__MINIO_USE_SSL={{ forgejo_s3_use_ssl }} + - FORGEJO__storage__MINIO_BUCKET_LOOKUP={{ forgejo_s3_bucket_lookup }} + - FORGEJO__storage__MINIO_ENDPOINT={{ forgejo_s3_endpoint }} + - FORGEJO__storage__MINIO_ACCESS_KEY_ID={{ forgejo_s3_key }} + - FORGEJO__storage__MINIO_SECRET_ACCESS_KEY={{ forgejo_s3_secret }} + - FORGEJO__storage__MINIO_BUCKET={{ forgejo_s3_bucket }} + - FORGEJO__storage__MINIO_LOCATION={{ forgejo_s3_region }} {% endif %} networks: - "{{ docker_swarm_public_network_name }}" From 0658971dbbae78ee52e0cd50f0d413ede5cc5deb Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 27 Sep 2024 09:42:27 +0200 Subject: [PATCH 37/66] chore(forgejo): Update mailer settings for new configuration Split 'SMTP_HOST' variable into 'SMTP_ADDR' and 'SMTP_PORT' to follow updated configuration style. --- roles/forgejo/defaults/main.yml | 3 ++- roles/forgejo/templates/docker-stack.yml.j2 | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 09a244b..bf8aa53 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -17,7 +17,8 @@ forgejo_app_admin_username: Myforgejousername # can not be set to admin in Forge forgejo_app_admin_password: Myforgejopassword forgejo_app_admin_email: myadmin@mydomain.mytld -# forgejo_smtp_host: domain.com:port +# forgejo_smtp_addr: domain.com +# forgejo_smtp_port: 465 # forgejo_smtp_username: my@username.com # forgejo_smtp_password: # forgejo_smtp_force_tls: false # forces tls if it is on a non-traditional tls port. Overwrites starttls so should generally be off 
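Review bot: `- FORGEJO__storage__STORAGE_TYPE="minio"` is a plain YAML scalar, so the double quotes are part of the value and the container receives `STORAGE_TYPE="minio"` with literal quotes; whether Forgejo's ini loader strips them is not visible here, and every other line in the hunk passes a bare value, so `- FORGEJO__storage__STORAGE_TYPE=minio` is the consistent and safe form. `MINIO_ACCESS_KEY_ID` and `MINIO_SECRET_ACCESS_KEY` are injected as service environment, readable by anyone who can run `docker service inspect`; Gitea-derived images accept a `__FILE` suffix on configuration variables (e.g. `FORGEJO__storage__MINIO_SECRET_ACCESS_KEY__FILE=/run/secrets/<name>`), which would let a Docker secret carry the value instead — confirm Forgejo's image supports it for this section. The `{% if forgejo_use_s3 %}` block renders even while the endpoint/key/secret defaults are still commented out, which fails templating with an undefined-variable error; that is an acceptable loud failure but deserves a comment next to `forgejo_use_s3: false` in defaults.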
diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index 5bad7af..ba5618b 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 @@ -29,12 +29,13 @@ services: {% if forgejo_app_admin_username is not undefined and not None and forgejo_app_admin_password is not undefined and not None %} - FORGEJO__security__INSTALL_LOCK=true {% endif %} -{% if forgejo_smtp_host is not undefined and not None and forgejo_smtp_username is not undefined and not None and forgejo_smtp_password is not undefined and not None %} +{% if forgejo_smtp_addr is not undefined and not None and forgejo_smtp_port is not undefined and not None and forgejo_smtp_username is not undefined and not None and forgejo_smtp_password is not undefined and not None %} - FORGEJO__mailer__ENABLED=true - FORGEJO__service__ENABLE_NOTIFY_MAIL=true - FORGEJO__mailer__FROM=forgejo@{{ server_domain }} - FORGEJO__mailer__TYPE=smtp - - FORGEJO__mailer__HOST={{ forgejo_smtp_host }} + - FORGEJO__mailer__SMTP_ADDR={{ forgejo_smtp_addr }} + - FORGEJO__mailer__SMTP_PORT={{ forgejo_smtp_port }} - FORGEJO__mailer__IS_TLS_ENABLED={{ (forgejo_smtp_force_tls is not undefined and not None) | ternary(forgejo_smtp_force_tls,'false') }} - FORGEJO__mailer__USER={{ forgejo_smtp_username }} - FORGEJO__mailer__PASSWD={{ forgejo_smtp_password }} From 409f50a5efd2cc2fa3d17ea6fa01ba6a66c38323 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 27 Sep 2024 09:42:47 +0200 Subject: [PATCH 38/66] feat(forgejo): Allow enabling git lfs --- roles/forgejo/defaults/main.yml | 5 +++++ roles/forgejo/templates/docker-stack.yml.j2 | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index bf8aa53..0b7ce48 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml 
@@ -23,6 +23,11 @@ forgejo_app_admin_email: myadmin@mydomain.mytld # forgejo_smtp_password: # forgejo_smtp_force_tls: false # forces tls if it is on a non-traditional tls port. Overwrites starttls so should generally be off +forgejo_use_lfs: false +forgejo_lfs_max_filesize: 0 +forgejo_lfs_http_auth_expiry: 24h +# forgejo_lfs_jwt_secret: + forgejo_use_ci: false # forgejo_ci_github_client: # forgejo_ci_github_secret: diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index ba5618b..a035a74 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 @@ -40,6 +40,14 @@ services: - FORGEJO__mailer__USER={{ forgejo_smtp_username }} - FORGEJO__mailer__PASSWD={{ forgejo_smtp_password }} {% endif %} +{% if forgejo_use_lfs %} + - FORGEJO__server__LFS_START_SERVER=true +{% if forgejo_lfs_jwt_secret is not undefined and not none %} + - FORGEJO__server__LFS_JWT_SECRET={{ forgejo_lfs_jwt_secret }} +{% endif %} + - FORGEJO__server__LFS_HTTP_AUTH_EXPIRY={{ forgejo_lfs_http_auth_expiry }} + - FORGEJO__server__LFS_MAX_FILE_SIZE={{ forgejo_lfs_max_filesize }} +{% endif %} {% if forgejo_use_s3 %} - FORGEJO__storage__STORAGE_TYPE="minio" - FORGEJO__storage__MINIO_USE_SSL={{ forgejo_s3_use_ssl }} From 46b6b9a8a466d1ef7e66244b53e7634f910c9d54 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 27 Sep 2024 10:05:33 +0200 Subject: [PATCH 39/66] chore(forgejo): Fix mailer tls protocol configuration Update configuration for mailer to use new 'PROTOCOL' configuration option instead of old 'IS_TLS_ENABLED'. --- roles/forgejo/defaults/main.yml | 2 +- roles/forgejo/templates/docker-stack.yml.j2 | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 0b7ce48..af97878 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml 
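Review bot: `forgejo_lfs_max_filesize: 0` is a meaningful default — in Forgejo's `[server]` section `LFS_MAX_FILE_SIZE = 0` means no limit — so an inline comment `forgejo_lfs_max_filesize: 0 # 0 = unlimited` would stop a reader from assuming LFS uploads are blocked by default. When `forgejo_lfs_jwt_secret` is unset the `LFS_JWT_SECRET` line is skipped and, as far as I know, Forgejo generates one into its app.ini at first start; that only survives as long as the data volume does, so the `# forgejo_lfs_jwt_secret:` comment should say the value is optional but recommended for reproducible redeploys. The new LFS lines sit in the same `environment:` list as the mailer block, whose opening `{% if %}` is above the hunk.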
@@ -21,7 +21,7 @@ forgejo_app_admin_email: myadmin@mydomain.mytld # forgejo_smtp_port: 465 # forgejo_smtp_username: my@username.com # forgejo_smtp_password: -# forgejo_smtp_force_tls: false # forces tls if it is on a non-traditional tls port. Overwrites starttls so should generally be off +# forgejo_smtp_protocol: smtps # can be one of starttls | smtps forgejo_use_lfs: false forgejo_lfs_max_filesize: 0 diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index a035a74..fe10ec7 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 @@ -36,7 +36,9 @@ services: - FORGEJO__mailer__TYPE=smtp - FORGEJO__mailer__SMTP_ADDR={{ forgejo_smtp_addr }} - FORGEJO__mailer__SMTP_PORT={{ forgejo_smtp_port }} - - FORGEJO__mailer__IS_TLS_ENABLED={{ (forgejo_smtp_force_tls is not undefined and not None) | ternary(forgejo_smtp_force_tls,'false') }} +{% if forgejo_smtp_protocol is not undefined and not none %} + - FORGEJO__mailer__PROTOCOL={{ forgejo_smtp_protocol }} +{% endif %} - FORGEJO__mailer__USER={{ forgejo_smtp_username }} - FORGEJO__mailer__PASSWD={{ forgejo_smtp_password }} {% endif %} From a6b8e6ffcdfcec2d758e7310cedcd01693d8e6c0 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 27 Sep 2024 10:43:17 +0200 Subject: [PATCH 40/66] chore(forgejo): Update to forgejo 8 --- roles/forgejo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index af97878..150cac1 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -1,5 +1,5 @@ --- -forgejo_version: 7 +forgejo_version: 8 forgejo_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" From 84dcf7d12808e9d7564566f6da34b14de8ab088e Mon Sep 17 00:00:00 2001 
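Review bot: The defaults comment `# forgejo_smtp_protocol: smtps # can be one of starttls | smtps` advertises a value the mailer will most likely reject: the `PROTOCOL` identifiers I know of are `smtp`, `smtps`, `smtp+starttls`, `smtp+unix`, `sendmail` and `dummy`, with no bare `starttls` — verify against the Forgejo config cheat sheet and change the comment to `# can be one of smtps | smtp+starttls`. Because the template now emits `FORGEJO__mailer__PROTOCOL` only when the variable is set, a user who leaves it commented out gets Forgejo's own default transport, which is not visible here; either a template comment such as `# unset: Forgejo chooses the protocol itself` or an uncommented default of `smtps` would make the TLS posture explicit.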
From: Marty Oehme Date: Sat, 28 Sep 2024 10:30:58 +0200 Subject: [PATCH 41/66] feat(forgejo): Allow setting S3 checksum algorithm as variable Can take either `default` (for MinIO, garage, AWS) or `md5` (Cloudflare, Backblaze). --- roles/forgejo/defaults/main.yml | 1 + roles/forgejo/templates/docker-stack.yml.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 150cac1..232a790 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -42,6 +42,7 @@ forgejo_use_ci: false forgejo_use_s3: false forgejo_s3_use_ssl: true forgejo_s3_bucket_lookup: auto # auto|dns|path +forgejo_s3_checksum: default # default|md5 # forgejo_s3_endpoint: # forgejo_s3_region: # forgejo_s3_key: diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index fe10ec7..4704ea2 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 @@ -59,6 +59,7 @@ services: - FORGEJO__storage__MINIO_SECRET_ACCESS_KEY={{ forgejo_s3_secret }} - FORGEJO__storage__MINIO_BUCKET={{ forgejo_s3_bucket }} - FORGEJO__storage__MINIO_LOCATION={{ forgejo_s3_region }} + - FORGEJO__storage__MINIO_CHECKSUM_ALGORITHM={{ forgejo_s3_checksum }} {% endif %} networks: - "{{ docker_swarm_public_network_name }}" From fa9bac81af493f4479c45f781b63beb79becd696 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sun, 5 Jan 2025 20:48:25 +0100 Subject: [PATCH 42/66] feat(nextcloud): Add adjustable php memory/upload limits Can be adjusted through nextcloud default settings. --- roles/nextcloud/defaults/main.yml | 3 +++ roles/nextcloud/templates/docker-stack.yml.j2 | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 4c56dc4..b13c471 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml 
@@ -18,6 +18,9 @@ nextcloud_redis_password: myredispass nextcloud_db_username: nextcloud nextcloud_db_password: secretnextcloud +nextcloud_php_memory_limit: 5G # maximum ram php may use +nextcloud_php_upload_limit: 15G # maximum size of (web) uploaded files + # if you wish to access your nextcloud instance from the reverse proxy nextcloud_trusted_domains: "{{ subdomain_alias }}.{{ server_domain }}" diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2 index df37989..36526bc 100644 --- a/roles/nextcloud/templates/docker-stack.yml.j2 +++ b/roles/nextcloud/templates/docker-stack.yml.j2 @@ -41,7 +41,8 @@ services: - POSTGRES_DB={{ nextcloud_db_username }} - POSTGRES_USER={{ nextcloud_db_username }} - POSTGRES_PASSWORD={{ nextcloud_db_password }} - - PHP_UPLOAD_LIMIT=2048M + - PHP_MEMORY_LIMIT={{ nextcloud_php_memory_limit }} + - PHP_UPLOAD_LIMIT={{ nextcloud_php_upload_limit }} {% if nextcloud_trusted_domains is not undefined and not none %} - NEXTCLOUD_TRUSTED_DOMAINS={{ nextcloud_trusted_domains }} {% endif %} From 7e1381913c379bdc319895d60d3ecb85aeff9802 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Tue, 28 Jan 2025 15:55:28 +0100 Subject: [PATCH 43/66] chore(nextcloud): Update to Nextcloud 30 --- roles/nextcloud/defaults/main.yml | 4 ++-- roles/nextcloud/tasks/main.yml | 3 --- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index b13c471..732cb18 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -1,8 +1,8 @@ --- # set preferred application version -nextcloud_version: 29-fpm-alpine +nextcloud_version: 30-fpm-alpine # set preferred postgres version -nextcloud_db_version: 12-alpine +nextcloud_db_version: 16-alpine nextcloud_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" 
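Review bot: `nextcloud_db_version: 12-alpine` → `16-alpine` is not a drop-in change on an existing host: a PostgreSQL data directory initialised by major version 12 will not start under a 16 server, so the `db` service will crash-loop until the data is migrated (dump/restore or `pg_upgrade`); if this role is re-run against live deployments, a comment such as `# changing the major version requires a manual database migration first` belongs next to the key, and the commit message should mention it. The `nextcloud_php_memory_limit: 5G` / `nextcloud_php_upload_limit: 15G` defaults in the earlier hunk are passed straight into `PHP_MEMORY_LIMIT` and `PHP_UPLOAD_LIMIT` and are generous for a default; a comment that the memory limit applies per PHP worker and should be sized to the host would help.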
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 8275a71..05e9c38 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -16,14 +16,12 @@ state: directory mode: "0755" become: true - notify: "update nextcloud upstream" - name: Move webserver Caddyfile to target dir ansible.builtin.copy: src: "Caddyfile" dest: "{{ nextcloud_upstream_file_dir }}/Caddyfile" become: true - notify: "update nextcloud upstream" - name: Deploy to swarm community.general.docker_stack: @@ -35,4 +33,3 @@ become: true tags: - docker-swarm - notify: "update nextcloud upstream" From 36ff0fb5fa184121c6780f08e8062b347a165b39 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Tue, 28 Jan 2025 15:55:52 +0100 Subject: [PATCH 44/66] feat(nextcloud): Add imaginary container for thumbnails --- roles/nextcloud/templates/docker-stack.yml.j2 | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2 index 36526bc..80f28fa 100644 --- a/roles/nextcloud/templates/docker-stack.yml.j2 +++ b/roles/nextcloud/templates/docker-stack.yml.j2 @@ -142,6 +142,24 @@ services: networks: - backend + # from https://okxo.de/speed-up-nextcloud-preview-generation-with-imaginary/ + # and https://github.com/nextcloud/all-in-one/tree/main/Containers/imaginary + imaginary: + image: nextcloud/aio-imaginary:latest + environment: + - PORT=9000 + healthcheck: + test: ["CMD", "/healthcheck.sh"] + interval: 1m + timeout: 10s + retries: 3 + start_period: 1m + command: -return-size -max-allowed-resolution 222.2 -concurrency 50 -enable-url-source -log-level debug + cap_add: + - CAP_SYS_NICE + networks: + - backend + # metrics: # image: telegraf # hostname: "${HOSTNAME:-vmi352583.contaboserver.net}" From eaeeb4ed6c07e2f681583db6b55080a31c167a10 Mon Sep 17 00:00:00 2001 
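Review bot: The `imaginary` service is started with `-enable-url-source`, so any client that can reach port 9000 on the `backend` network can make it fetch arbitrary URLs from inside the stack; that is mitigated here by publishing no ports and joining only `backend`, but a comment above `command:` saying so would keep a later edit from attaching it to the public network. `-log-level debug` logs every request at production volume; `info` is the usual setting once the integration works. `cap_add: - CAP_SYS_NICE` is, I believe, only honoured by `docker stack deploy` on Engine 20.10 or newer (older versions drop it silently), and `image: nextcloud/aio-imaginary:latest` is unpinned; the enclosing `services:` mapping starts outside the hunk. Nextcloud also needs `preview_imaginary_url` set to `http://imaginary:9000` before it uses this container at all — if that is configured elsewhere in the role, a comment pointing to it here would help.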
From: Marty Oehme Date: Tue, 28 Jan 2025 16:50:33 +0100 Subject: [PATCH 45/66] feat(nextcloud): Add simple restic backup --- roles/nextcloud/defaults/main.yml | 6 ++++++ roles/nextcloud/templates/docker-stack.yml.j2 | 20 +++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 732cb18..3481219 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -42,3 +42,9 @@ nextcloud_smtp_from_domain: "{{ server_domain }}" # nextcloud_s3_ssl: true # nextcloud_s3_region: eu-central-1 # nextcloud_s3_usepath_style: true + +nextcloud_backup_db_enable: false +# nextcloud_backup_db_repo: s3.eu-central-1.wasabisys.com/myrepo +# nextcloud_backup_db_key: +# nextcloud_backup_db_secret: +# nextcloud_backup_db_timezone: US/Chicago diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2 index 80f28fa..07a57f4 100644 --- a/roles/nextcloud/templates/docker-stack.yml.j2 +++ b/roles/nextcloud/templates/docker-stack.yml.j2 @@ -160,6 +160,26 @@ services: networks: - backend +{% if nextcloud_backup_db_enable is not undefined and not false %} + backup: + image: mazzolino/restic + environment: + - "TZ={{ nextcloud_backup_db_timezone }}" + # go-cron starts w seconds + - "BACKUP_CRON=0 30 3 * * *" + - "RESTIC_REPOSITORY={{ nextcloud_backup_db_repo }}" + - "AWS_ACCESS_KEY_ID={{ nextcloud_backup_db_key }}" + - "AWS_SECRET_ACCESS_KEY={{ nextcloud_backup_db_secret }}" + - "RESTIC_PASSWORD={{ nextcloud_backup_db_pass }}" + - "RESTIC_BACKUP_TAGS=nextcloud-db" + - "RESTIC_BACKUP_SOURCES=/mnt/volumes" + volumes: + - db:/mnt/volumes/nextcloud_db:ro + - data:/mnt/volumes/nextcloud_data:ro + networks: + - backend +{% endif %} + # metrics: # image: telegraf # hostname: "${HOSTNAME:-vmi352583.contaboserver.net}" From 135aadf3a08a43c724dcdf54b53598e319e2a98b Mon Sep 17 00:00:00 2001 
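Review bot: The guard `{% if nextcloud_backup_db_enable is not undefined and not false %}` never disables the service: it parses as `(… is not undefined) and (not false)`, and `not false` is always true, so with `nextcloud_backup_db_enable: false` in defaults the `backup` service still renders on every deploy; `{% if nextcloud_backup_db_enable | default(false) %}` is the form that matches the intent. The same reduction applies to the rewritten condition in the later "feat(restic)" patch and to the shaarli backup template. Because the block always renders, the reference to `nextcloud_backup_db_pass` for `RESTIC_PASSWORD` — a variable the defaults hunk never declares — fails templating on any host that does not set it. Separately, the service backs up the live PostgreSQL `db` volume file by file, and a file-level copy of a running Postgres data directory is not guaranteed to be consistent; writing a `pg_dump` into the backed-up path before restic runs is the usual fix, and the same applies to the rewritten service later on.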
From: Marty Oehme Date: Mon, 3 Feb 2025 18:45:22 +0100 Subject: [PATCH 46/66] feat(restic): Add restic backup maintenance stack Sets up regular backup maintenance for a restic (S3) backend, and enables global variables for other roles to use for their individual backup. Example found in nextcloud role. --- roles/nextcloud/defaults/main.yml | 10 ++-- roles/nextcloud/templates/docker-stack.yml.j2 | 24 +++++---- roles/restic/README.md | 49 +++++++++++++++++++ roles/restic/defaults/main.yml | 14 ++++++ roles/restic/meta/main.yml | 11 +++++ roles/restic/tasks/main.yml | 11 +++++ roles/restic/templates/docker-stack.yml.j2 | 31 ++++++++++++ roles/restic/vars/main.yml | 8 +++ 8 files changed, 139 insertions(+), 19 deletions(-) create mode 100644 roles/restic/README.md create mode 100644 roles/restic/defaults/main.yml create mode 100644 roles/restic/meta/main.yml create mode 100644 roles/restic/tasks/main.yml create mode 100644 roles/restic/templates/docker-stack.yml.j2 create mode 100644 roles/restic/vars/main.yml diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 3481219..916c7ee 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -18,6 +18,10 @@ nextcloud_redis_password: myredispass nextcloud_db_username: nextcloud nextcloud_db_password: secretnextcloud +# run restic backups +nextcloud_backup_enable: false +nextcloud_backup_cron: 0 30 3 * * * + nextcloud_php_memory_limit: 5G # maximum ram php may use nextcloud_php_upload_limit: 15G # maximum size of (web) uploaded files @@ -42,9 +46,3 @@ nextcloud_smtp_from_domain: "{{ server_domain }}" # nextcloud_s3_ssl: true # nextcloud_s3_region: eu-central-1 # nextcloud_s3_usepath_style: true - -nextcloud_backup_db_enable: false -# nextcloud_backup_db_repo: s3.eu-central-1.wasabisys.com/myrepo -# nextcloud_backup_db_key: -# nextcloud_backup_db_secret: -# nextcloud_backup_db_timezone: US/Chicago 
diff --git a/roles/nextcloud/templates/docker-stack.yml.j2 b/roles/nextcloud/templates/docker-stack.yml.j2 index 07a57f4..ff5f6ce 100644 --- a/roles/nextcloud/templates/docker-stack.yml.j2 +++ b/roles/nextcloud/templates/docker-stack.yml.j2 @@ -160,24 +160,22 @@ services: networks: - backend -{% if nextcloud_backup_db_enable is not undefined and not false %} +{% if backup_enable is not undefined and not false and nextcloud_backup_enable is not undefined and not false %} backup: image: mazzolino/restic environment: - - "TZ={{ nextcloud_backup_db_timezone }}" + - "TZ={{ restic_timezone }}" # go-cron starts w seconds - - "BACKUP_CRON=0 30 3 * * *" - - "RESTIC_REPOSITORY={{ nextcloud_backup_db_repo }}" - - "AWS_ACCESS_KEY_ID={{ nextcloud_backup_db_key }}" - - "AWS_SECRET_ACCESS_KEY={{ nextcloud_backup_db_secret }}" - - "RESTIC_PASSWORD={{ nextcloud_backup_db_pass }}" - - "RESTIC_BACKUP_TAGS=nextcloud-db" - - "RESTIC_BACKUP_SOURCES=/mnt/volumes" + - "BACKUP_CRON={{ nextcloud_backup_cron }}" + - "RESTIC_REPOSITORY={{ restic_repo }}" + - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}" + - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}" + - "RESTIC_PASSWORD={{ restic_pass }}" + - "RESTIC_BACKUP_TAGS=nextcloud" + - "RESTIC_BACKUP_SOURCES=/volumes" volumes: - - db:/mnt/volumes/nextcloud_db:ro - - data:/mnt/volumes/nextcloud_data:ro - networks: - - backend + - db:/volumes/nextcloud_db:ro + - data:/volumes/nextcloud_data:ro {% endif %} # metrics: diff --git a/roles/restic/README.md b/roles/restic/README.md new file mode 100644 index 0000000..8849990 --- /dev/null +++ b/roles/restic/README.md 
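Review bot: The `backup` service still has no `hostname:`, so each container reports its container ID as hostname and restic records a different host on every redeploy; `restic forget` groups snapshots by host and paths by default, meaning the `--keep-last 14` policy in the restic role's `prune` service is applied per stale host group and nothing older is ever expired. Setting `hostname: nextcloud` (the restic role's own services already pin `hostname: docker`) or adding `--group-by tags` to `restic_forget_args` fixes this; the shaarli backup service added in the later "feat(shaarli): Add backups" patch has the same gap. `backup_enable` is read here but comes from the restic role's `vars/main.yml`, so this template only behaves as intended once that role has been imported into the play — a comment above the `{% if %}` naming that dependency would help.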
@@ -0,0 +1,49 @@ +# restic + +Backup maintenance stack. + +Takes care of regularly pruning the backup repository and checking its integrity. +Currently only supports S3 as a backend. + +## Defaults + +```yaml +restic_timezone: US/Chicago +``` + +The timezone to be used for the cronjob. + +```yaml +restic_version: latest +``` + +The docker image version to be used in stack creation. + +```yaml +restic_repo: s3.eu-central-1.wasabisys.com/myrepo +restic_pass: +``` + +The repository url and the restic repository password. +See the restic documentation for more information. + +```yaml +restic_s3_key: +restic_s3_secret: +``` + +The restic S3 credentials, i.e. the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. + +```yaml +restic_prune_cron: 0 0 4 * * * +restic_forget_args: --prune --keep-last 14 --keep-daily 2 --keep-weekly 2 +``` + +The default prune and forget cronjob schedule and arguments: Prune the repository every day at 4:00 AM and keep the last 14 snapshots, 2 daily snapshots and 2 weekly snapshots. + +```yaml +restic_check_cron: 0 15 5 * * * +restic_check_args: --read-data-subset=5% +``` + +The default check cronjob schedule and arguments: Check the repository integrity every day at 5:15 AM and in addition to structural checks, read 5 randomly chosen % for a data integrity check. diff --git a/roles/restic/defaults/main.yml b/roles/restic/defaults/main.yml new file mode 100644 index 0000000..8022df5 --- /dev/null +++ b/roles/restic/defaults/main.yml @@ -0,0 +1,14 @@ +--- +restic_version: latest + +# restic_repo: s3.eu-central-1.wasabisys.com/myrepo +# restic_pass: +# restic_s3_key: +# restic_s3_secret: +restic_timezone: "{{ server_timezone | default('US/Chicago') }}" + +restic_prune_cron: 0 0 4 * * * +restic_forget_args: --prune --keep-last 14 --keep-daily 2 --keep-weekly 2 + +restic_check_cron: 0 15 5 * * * +restic_check_args: --read-data-subset=5% diff --git a/roles/restic/meta/main.yml b/roles/restic/meta/main.yml new file mode 100644 index 0000000..dd49542 
--- /dev/null +++ b/roles/restic/meta/main.yml @@ -0,0 +1,11 @@ +--- +galaxy_info: + author: Marty Oehme + description: Installs a restic-based backup maintenance stack. Only supports S3 atm. + license: GPL-3.0-only + min_ansible_version: "2.9" + galaxy_tags: [] + +dependencies: + - docker-swarm + - caddy_id diff --git a/roles/restic/tasks/main.yml b/roles/restic/tasks/main.yml new file mode 100644 index 0000000..5bb5027 --- /dev/null +++ b/roles/restic/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Deploy restic to swarm + community.general.docker_stack: + name: "{{ stack_name }}" + state: present + prune: yes + compose: + - "{{ stack_compose }}" + become: true + tags: + - docker-swarm diff --git a/roles/restic/templates/docker-stack.yml.j2 b/roles/restic/templates/docker-stack.yml.j2 new file mode 100644 index 0000000..822572d --- /dev/null +++ b/roles/restic/templates/docker-stack.yml.j2 @@ -0,0 +1,31 @@ +version: '3.4' + +services: + prune: + image: "{{ stack_image }}:{{ restic_version }}" + hostname: docker + environment: + - "TZ={{ restic_timezone }}" + - SKIP_INIT: "true" + # go-cron starts w seconds + - "PRUNE_CRON={{ restic_prune_cron }}" + - RESTIC_FORGET_ARGS: "{{ restic_forget_args }}" + - "RESTIC_REPOSITORY={{ restic_repo }}" + - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}" + - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}" + - "RESTIC_PASSWORD={{ restic_pass }}" + + check: + image: "{{ stack_image }}:{{ restic_version }}" + hostname: docker + environment: + - "TZ={{ restic_timezone }}" + - SKIP_INIT: "true" + - RUN_ON_STARTUP: "false" + # go-cron starts w seconds + - "CHECK_CRON={{ restic_check_cron }}" + - RESTIC_CHECK_ARGS: "{{ restic_check_args }}" + - "RESTIC_REPOSITORY={{ restic_repo }}" + - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}" + - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}" + - "RESTIC_PASSWORD={{ restic_pass }}" diff --git a/roles/restic/vars/main.yml b/roles/restic/vars/main.yml new file mode 100644 index 0000000..8b3dcf5 --- /dev/null 
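Review bot: Both services set `SKIP_INIT` to true, so the repository at `restic_repo` must already be initialised out of band; the README lists the variables but not this precondition, so a comment such as `# repository must already exist (restic init); never created here` above the `SKIP_INIT` line and a sentence in the README would prevent a confusing first run. `restic_version: latest` pulls an unpinned image that holds the repository password and the S3 credentials, and the tasks file deploys with `prune: yes`; pinning `restic_version` to a released tag in defaults keeps the maintenance jobs from changing under you on a redeploy. `hostname: docker` on both services gives restic a stable host name for snapshot and lock bookkeeping, and since it is the only place on this page that does so, a comment saying why (`# stable host name for restic's snapshot grouping`) would help.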
+++ b/roles/restic/vars/main.yml @@ -0,0 +1,8 @@ +--- +stack_name: restic + +stack_image: "mazzolino/restic" + +stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" + +backup_enable: true From af4cfc5a4b8c5965c30cae3c4d7fb94e51201627 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 3 Feb 2025 18:57:52 +0100 Subject: [PATCH 47/66] fix(nextcloud): Default to backups enabled Backups should be enabled by default if available. --- roles/nextcloud/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index 916c7ee..4881068 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -19,7 +19,7 @@ nextcloud_db_username: nextcloud nextcloud_db_password: secretnextcloud # run restic backups -nextcloud_backup_enable: false +nextcloud_backup_enable: true nextcloud_backup_cron: 0 30 3 * * * nextcloud_php_memory_limit: 5G # maximum ram php may use From 557f20d7b40193260800f294e488ea636015892e Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 3 Feb 2025 18:58:12 +0100 Subject: [PATCH 48/66] feat(shaarli): Add backups Add restic backup functionality for shaarli data. --- roles/shaarli/defaults/main.yml | 4 ++++ roles/shaarli/templates/docker-stack.yml.j2 | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/roles/shaarli/defaults/main.yml b/roles/shaarli/defaults/main.yml index a654c5f..45f1bef 100644 --- a/roles/shaarli/defaults/main.yml +++ b/roles/shaarli/defaults/main.yml @@ -7,3 +7,7 @@ shaarli_use_https: true # the subdomain link shaarli will be reachable under subdomain_alias: links + +# should we back up the data? +shaarli_backup_enable: true +shaarli_backup_cron: 0 45 3 * * * diff --git a/roles/shaarli/templates/docker-stack.yml.j2 b/roles/shaarli/templates/docker-stack.yml.j2 index 545d20e..a90157a 100644 --- a/roles/shaarli/templates/docker-stack.yml.j2 
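Review bot: `backup_enable: true` lives in `vars/main.yml`, where role vars rank above inventory, host and group vars in Ansible's precedence, so an operator cannot switch backups off per host without `-e`; if it is meant as the global toggle the other roles AND with their own `*_backup_enable` flags, it belongs in `defaults/main.yml` (or play/group vars) with a comment saying so. Because it is defined by this role, it only exists in plays that import the restic role; the nextcloud and shaarli templates guard that with an `is not undefined` check, but the contract deserves stating here, e.g. `# global switch read by other roles' backup services; only defined when this role is imported`.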
+++ b/roles/shaarli/templates/docker-stack.yml.j2 @@ -15,6 +15,23 @@ services: - data:/var/www/shaarli/data - cache:/var/www/shaarli/cache +{% if backup_enable is not undefined and not false and shaarli_backup_enable is not undefined and not false %} + backup: + image: mazzolino/restic + environment: + - "TZ={{ restic_timezone }}" + # go-cron starts w seconds + - "BACKUP_CRON={{ shaarli_backup_cron }}" + - "RESTIC_REPOSITORY={{ restic_repo }}" + - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}" + - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}" + - "RESTIC_PASSWORD={{ restic_pass }}" + - "RESTIC_BACKUP_TAGS=shaarli" + - "RESTIC_BACKUP_SOURCES=/volumes" + volumes: + - data:/volumes/shaarli_data:ro +{% endif %} + volumes: data: cache: From 1a3fd9160e31df1489107bd05613de1b4bafbc12 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 3 Feb 2025 18:59:58 +0100 Subject: [PATCH 49/66] fix(restic): Add role to site deployment --- site.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/site.yml b/site.yml index 892a4e2..19f483d 100644 --- a/site.yml +++ b/site.yml @@ -24,6 +24,12 @@ tags: - caddy + - name: Install restic backup management + import_role: + role: restic + tags: + - restic + - name: Grab caddy container id for all following services import_role: role: caddy_id From 0d7e99763fcb428b849909719daeea46b1ccd225 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 3 Feb 2025 21:34:58 +0100 Subject: [PATCH 50/66] feat(nextcloud): Add caddy server HSTS preload, webfinger --- roles/nextcloud/files/Caddyfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/nextcloud/files/Caddyfile b/roles/nextcloud/files/Caddyfile index a54f3f5..a56ed59 100644 --- a/roles/nextcloud/files/Caddyfile +++ b/roles/nextcloud/files/Caddyfile 
@@ -10,7 +10,7 @@ header { # enable HSTS - Strict-Transport-Security max-age=31536000; + Strict-Transport-Security max-age=31536000;includeSubDomains;preload; Permissions-Policy interest-cohort=() X-Content-Type-Options nosniff X-Frame-Options SAMEORIGIN @@ -18,11 +18,13 @@ X-XSS-Protection "1; mode=block" X-Permitted-Cross-Domain-Policies none X-Robots-Tag "noindex, nofollow" - -X-Powered-By } + # client support (e.g. os x calendar / contacts) redir /.well-known/carddav /remote.php/dav 301 redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/webfinger /index.php/.well-known/webfinger 301 + redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 # Uncomment this block if you use the high speed files backend: https://github.com/nextcloud/notify_push #handle_path /push/* { From a4ccdb98840907975a1672142cd78d9877db3027 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 3 Feb 2025 21:35:25 +0100 Subject: [PATCH 51/66] fix(restic): Fix docker stack environment variables --- roles/restic/templates/docker-stack.yml.j2 | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/roles/restic/templates/docker-stack.yml.j2 b/roles/restic/templates/docker-stack.yml.j2 index 822572d..f64be0a 100644 --- a/roles/restic/templates/docker-stack.yml.j2 +++ b/roles/restic/templates/docker-stack.yml.j2 @@ -1,15 +1,14 @@ -version: '3.4' - services: prune: image: "{{ stack_image }}:{{ restic_version }}" hostname: docker environment: - "TZ={{ restic_timezone }}" - - SKIP_INIT: "true" + - "SKIP_INIT=true" + - "RUN_ON_STARTUP=true" # go-cron starts w seconds - "PRUNE_CRON={{ restic_prune_cron }}" - - RESTIC_FORGET_ARGS: "{{ restic_forget_args }}" + - "RESTIC_FORGET_ARGS={{ restic_forget_args }}" - "RESTIC_REPOSITORY={{ restic_repo }}" - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}" - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}" 
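Review bot: `Strict-Transport-Security max-age=31536000;includeSubDomains;preload;` is a one-way commitment: once this host is submitted to the preload list, browsers refuse plain HTTP for it and for every name beneath it for at least a year, and removal from the list takes months. Every subdomain under this host must therefore serve valid TLS before `preload` goes live, which deserves a comment next to the `# enable HSTS` line, e.g. `# includeSubDomains+preload is effectively irreversible; all subdomains must serve HTTPS`. The trailing `;` is tolerated by the RFC 6797 grammar, but `max-age=31536000; includeSubDomains; preload` is the conventional spelling.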
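Review bot: `"RUN_ON_STARTUP=true"` on the `prune` service presumably makes the container run its forget/prune pass as soon as it starts, i.e. on every stack (re)deploy and container restart in addition to `PRUNE_CRON`; since `RESTIC_FORGET_ARGS` removes snapshots, confirm that this is intended, given that the `check` service in the following hunk deliberately sets it to `false`. If it is, a comment such as `# also prune once on every container start, not only on the cron` would make the asymmetry explicit. The `prune` environment list continues past the end of this hunk.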
@@ -20,11 +19,11 @@ services: hostname: docker environment: - "TZ={{ restic_timezone }}" - - SKIP_INIT: "true" - - RUN_ON_STARTUP: "false" + - "SKIP_INIT=true" + - "RUN_ON_STARTUP=false" # go-cron starts w seconds - "CHECK_CRON={{ restic_check_cron }}" - - RESTIC_CHECK_ARGS: "{{ restic_check_args }}" + - "RESTIC_CHECK_ARGS={{ restic_check_args }}" - "RESTIC_REPOSITORY={{ restic_repo }}" - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}" - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}" From 90e45cacda6a52c8b4e2c0bbc96b4fdcc42485bd Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 3 Feb 2025 21:35:44 +0100 Subject: [PATCH 52/66] chore(restic): Do not require caddy id for the role --- roles/restic/meta/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/restic/meta/main.yml b/roles/restic/meta/main.yml index dd49542..0c765ab 100644 --- a/roles/restic/meta/main.yml +++ b/roles/restic/meta/main.yml @@ -8,4 +8,3 @@ galaxy_info: dependencies: - docker-swarm - - caddy_id From 7543170f75308bda7c728c55d2f58c78f33f1008 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Mon, 3 Feb 2025 21:36:18 +0100 Subject: [PATCH 53/66] chore(restic): By default run check every Sunday night And check a larger subset of the data with 15%. --- roles/restic/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/restic/defaults/main.yml b/roles/restic/defaults/main.yml index 8022df5..48fdbc7 100644 --- a/roles/restic/defaults/main.yml +++ b/roles/restic/defaults/main.yml @@ -10,5 +10,5 @@ restic_timezone: "{{ server_timezone | default('US/Chicago') }}" restic_prune_cron: 0 0 4 * * * restic_forget_args: --prune --keep-last 14 --keep-daily 2 --keep-weekly 2 -restic_check_cron: 0 15 5 * * * -restic_check_args: --read-data-subset=5% +restic_check_cron: 0 30 4 * * SUN +restic_check_args: --read-data-subset=15% From ea077958ced1b4d2b77216fe40376da94ff8e2ea Mon Sep 17 00:00:00 2001 
From: Marty Oehme Date: Sun, 16 Feb 2025 21:44:34 +0100 Subject: [PATCH 54/66] fix(forgejo): Update to correct woodpecker versions --- roles/forgejo/templates/docker-stack.yml.j2 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/forgejo/templates/docker-stack.yml.j2 b/roles/forgejo/templates/docker-stack.yml.j2 index 4704ea2..5eb9756 100644 --- a/roles/forgejo/templates/docker-stack.yml.j2 +++ b/roles/forgejo/templates/docker-stack.yml.j2 @@ -86,7 +86,7 @@ services: {% if forgejo_use_ci %} wp-server: - image: woodpeckerci/woodpecker-server:latest + image: woodpeckerci/woodpecker-server:v3 networks: - "{{ docker_swarm_public_network_name }}" - backend @@ -120,11 +120,12 @@ services: {% endif %} wp-agent: - image: woodpeckerci/woodpecker-agent:latest + image: woodpeckerci/woodpecker-agent:v3 networks: - backend command: agent volumes: + - woodpecker-agent-config:/etc/woodpecker - /var/run/docker.sock:/var/run/docker.sock environment: - WOODPECKER_SERVER=wp-server:9000 @@ -135,6 +136,7 @@ volumes: data: db: woodpecker: + woodpecker-agent-config: networks: "{{ docker_swarm_public_network_name }}": From 3418f85ffd4062047363077ea638935c2746a7e6 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 7 Mar 2025 16:00:32 +0100 Subject: [PATCH 55/66] chore(landingpage): Switch to ghcr hosted docker image --- roles/landingpage/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/landingpage/vars/main.yml b/roles/landingpage/vars/main.yml index 436b8cc..f07dc16 100644 --- a/roles/landingpage/vars/main.yml +++ b/roles/landingpage/vars/main.yml @@ -1,6 +1,6 @@ --- stack_name: landingpage -stack_image: "martyo/cloudserve-landing" +stack_image: "ghcr.io/marty-oehme/page:latest" stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" From bc9104c3e8ea122a998e696768a160b674b444c1 Mon Sep 17 00:00:00 2001 
From: Marty Oehme Date: Fri, 7 Mar 2025 18:19:53 +0100 Subject: [PATCH 56/66] chore(landingpage): Fix container image url --- roles/landingpage/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/landingpage/vars/main.yml b/roles/landingpage/vars/main.yml index f07dc16..e8e20e6 100644 --- a/roles/landingpage/vars/main.yml +++ b/roles/landingpage/vars/main.yml @@ -1,6 +1,6 @@ --- stack_name: landingpage -stack_image: "ghcr.io/marty-oehme/page:latest" +stack_image: "ghcr.io/marty-oehme/page" stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" From 2dfe9f9b928ca6e63368f57805f5b6fdf78bb347 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 7 Mar 2025 18:19:53 +0100 Subject: [PATCH 57/66] feat(shepherd): Add auto update shepherd role Deprecates diun as it provides a simpler implementation for docker swarm. Mark any containers you want auto updated with `shepherd.autoupdate=true` and the rest with `shepherd.autoupdate=false`. Everything untagged will not be watched (by default), though this can be changed by setting the ansible default variable `shepherd_filter_services: `. --- roles/shepherd/README.md | 6 +++ roles/shepherd/defaults/main.yml | 13 +++++ roles/shepherd/meta/main.yml | 10 ++++ roles/shepherd/tasks/main.yml | 11 +++++ roles/shepherd/templates/docker-stack.yml.j2 | 52 ++++++++++++++++++++ roles/shepherd/vars/main.yml | 6 +++ 6 files changed, 98 insertions(+) create mode 100644 roles/shepherd/README.md create mode 100644 roles/shepherd/defaults/main.yml create mode 100644 roles/shepherd/meta/main.yml create mode 100644 roles/shepherd/tasks/main.yml create mode 100644 roles/shepherd/templates/docker-stack.yml.j2 create mode 100644 roles/shepherd/vars/main.yml diff --git a/roles/shepherd/README.md b/roles/shepherd/README.md new file mode 100644 index 0000000..ff26192 --- /dev/null +++ b/roles/shepherd/README.md 
@@ -0,0 +1,6 @@ +# shepherd + +Monitor the deployed swarm containers for updates. +Will notify you when it found any update for any container. + +Can notify you through a wide variety of services using the apprise api. diff --git a/roles/shepherd/defaults/main.yml b/roles/shepherd/defaults/main.yml new file mode 100644 index 0000000..39e8fcb --- /dev/null +++ b/roles/shepherd/defaults/main.yml @@ -0,0 +1,13 @@ +--- +shepherd_version: latest + +shepherd_tz: Europe/Berlin + +shepherd_ignored_services: label=shepherd.autoupdate=false +shepherd_filter_services: label=shepherd.autoupdate=true + +shepherd_sleeptime: 5m +shepherd_rollback_on_failure: true +shepherd_image_autoclean_limit: 5 + +shepherd_notification_targets: diff --git a/roles/shepherd/meta/main.yml b/roles/shepherd/meta/main.yml new file mode 100644 index 0000000..b0824dd --- /dev/null +++ b/roles/shepherd/meta/main.yml @@ -0,0 +1,10 @@ +--- +galaxy_info: + author: Marty Oehme + description: Apply docker swarm container updates + license: GPL-3.0-only + min_ansible_version: "2.9" + galaxy_tags: [] + +dependencies: + - docker-swarm diff --git a/roles/shepherd/tasks/main.yml b/roles/shepherd/tasks/main.yml new file mode 100644 index 0000000..c2bef7f --- /dev/null +++ b/roles/shepherd/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Deploy shepherd stack to swarm + community.general.docker_stack: + name: "{{ stack_name }}" + state: present + prune: yes + compose: + - "{{ stack_compose }}" + become: true + tags: + - docker-swarm diff --git a/roles/shepherd/templates/docker-stack.yml.j2 b/roles/shepherd/templates/docker-stack.yml.j2 new file mode 100644 index 0000000..fdd5a50 --- /dev/null +++ b/roles/shepherd/templates/docker-stack.yml.j2 
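Review bot: `shepherd_notification_targets:` with a bare empty value parses as null, and apprise notification URLs normally embed tokens or credentials, so this is a value that belongs in encrypted host/group vars rather than in role defaults. Write the default explicitly and say so, e.g. `# apprise notification URLs; they embed tokens, so set this in encrypted group/host vars` above `shepherd_notification_targets: null`. `shepherd_version: latest` also leaves the updater itself on a floating tag; that may be deliberate for a tool whose job is to pull `latest`, but a one-line comment stating it would help the next reader.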
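Review bot: `prune: yes` in the deploy task mixes YAML 1.1 truthy spelling with `become: true` in the same mapping; write `prune: true` so yamllint's truthy rule and a YAML 1.2 parser agree with the rest of the file. The linkding tasks file in PATCH 61 carries the same `prune: yes`.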
@@ -0,0 +1,52 @@ +version: '3.4' + +services: + app: + image: "{{ stack_image }}:{{ shepherd_version }}" + # healthcheck: + # test: ["CMD", "wget", "--spider", "-q", "127.0.0.1"] + # interval: 1m + # timeout: 10s + # retries: 3 + # start_period: 1m + command: serve + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + environment: + - "TZ={{ shepherd_tz }}" + - "SLEEP_TIME={{ shepherd_sleeptime }}" + - "IGNORELIST_SERVICES={{ shepherd_ignored_services }}" +{% if shepherd_filter_services is defined and not None %} + - "FILTER_SERVICES={{ shepherd_filter_services }}" +{% endif %} + - "ROLLBACK_ON_FAILURE={{ shepherd_rollback_on_failure }}" + - "IMAGE_AUTOCLEAN_LIMIT={{ shepherd_image_autoclean_limit }}" + - "VERBOSE=true" +{% if shepherd_notification_targets is defined and not None %} + - "APPRISE_SIDECAR_URL: notify:5000" +{% endif %} + networks: + - backend + deploy: + mode: replicated + replicas: 1 + placement: + constraints: + - node.role == manager + +{% if shepherd_notification_targets is defined and not None %} + notify: + image: mazzolino/apprise-microservice:latest + environment: + NOTIFICATION_URLS: {{ shepherd_notification_targets }} + networks: + - backend +{% endif %} + +volumes: + data: + +networks: + "{{ docker_swarm_public_network_name }}": + external: true + backend: diff --git a/roles/shepherd/vars/main.yml b/roles/shepherd/vars/main.yml new file mode 100644 index 0000000..d8415bd --- /dev/null +++ b/roles/shepherd/vars/main.yml @@ -0,0 +1,6 @@ +--- +stack_name: shepherd + +stack_image: "containrrr/shepherd" + +stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" From fecf14a5bc71a83db704eb5453854e64fa2525a7 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 7 Mar 2025 18:35:04 +0100 Subject: [PATCH 58/66] feat(site): Change out diun with shepherd --- site.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/site.yml b/site.yml index 19f483d..2e9a2be 100644 --- a/site.yml +++ b/site.yml 
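Review bot: The three guards of the form `{% if shepherd_notification_targets is defined and not None %}` never test the variable, because `not None` is a constant true: with the role's default (a null `shepherd_notification_targets`) the `notify` service is still rendered with an empty `NOTIFICATION_URLS`, and `FILTER_SERVICES` is emitted whenever the variable merely exists; use `{% if shepherd_notification_targets is defined and shepherd_notification_targets is not none %}` and the same form for `shepherd_filter_services`. `- "APPRISE_SIDECAR_URL: notify:5000"` is a `key: value` string inside the list-style `environment:`, the same mistake PATCH 51 just fixed for restic; a list entry without `=` is read as a pass-through variable name, so the variable is never set — write `- "APPRISE_SIDECAR_URL=notify:5000"`. `ROLLBACK_ON_FAILURE={{ shepherd_rollback_on_failure }}` renders the YAML boolean as `True`; if shepherd compares against the literal string `true`, rollback is silently disabled, so `{{ shepherd_rollback_on_failure | lower }}` is the safer rendering. `NOTIFICATION_URLS: {{ shepherd_notification_targets }}` is also unquoted and breaks as soon as a URL contains `#` or `: `.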
@@ -93,8 +93,8 @@ - ntfy - never - - name: Install diun + - name: Install shepherd import_role: - role: diun + role: shepherd tags: - - diun + - shepherd From 9f3274dae739bf0acd1e286137387a5199846d97 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 7 Mar 2025 18:35:04 +0100 Subject: [PATCH 59/66] feat(landingpage): Automatically update --- roles/landingpage/defaults/main.yml | 2 ++ roles/landingpage/templates/docker-stack.yml.j2 | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/roles/landingpage/defaults/main.yml b/roles/landingpage/defaults/main.yml index fed7288..cdfb3fd 100644 --- a/roles/landingpage/defaults/main.yml +++ b/roles/landingpage/defaults/main.yml @@ -5,5 +5,7 @@ landingpage_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" landingpage_use_https: true +landingpage_autoupdate: true + # the subdomain link landingpage will be reachable under subdomain_alias: www diff --git a/roles/landingpage/templates/docker-stack.yml.j2 b/roles/landingpage/templates/docker-stack.yml.j2 index fdaa2b4..fee59db 100644 --- a/roles/landingpage/templates/docker-stack.yml.j2 +++ b/roles/landingpage/templates/docker-stack.yml.j2 @@ -12,6 +12,11 @@ services: entrypoint: sh -c "/docker-entrypoint.sh nginx -g 'daemon off;'" networks: - "{{ docker_swarm_public_network_name }}" +{% if landingpage_autoupdate is defined and landingpage_autoupdate %} + deploy: + labels: + - shepherd.autoupdate=true +{% endif %} networks: "{{ docker_swarm_public_network_name }}": From 83613f6d869715a7e3272025d4cdba9967fba07e Mon Sep 17 00:00:00 2001 
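Review bot: The inserted `deploy:` block is appended to the service mapping after `networks:`; if the service already declares a `deploy:` key earlier in the template (outside this hunk), `from_yaml` silently keeps only the last one and drops whatever the first carried, since PyYAML does not reject duplicate keys. That is worth a quick check of the full template here and in the miniflux, searx, shaarli, wallabag and linkding templates of PATCH 60 and 61, which add the identical block. A short comment above the guard, `# opt this service into shepherd's automatic image updates`, would also tell a reader what the label is for.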
From: Marty Oehme Date: Fri, 7 Mar 2025 21:42:45 +0100 Subject: [PATCH 60/66] feat(roles): Add auto updating to some roles Miniflux, searx, shaarli and wallabag will be automatically updated by shepherd. --- roles/miniflux/defaults/main.yml | 2 ++ roles/miniflux/templates/docker-stack.yml.j2 | 5 +++++ roles/searx/defaults/main.yml | 7 +++++-- roles/searx/templates/docker-stack.yml.j2 | 7 ++++++- roles/shaarli/defaults/main.yml | 2 ++ roles/shaarli/templates/docker-stack.yml.j2 | 5 +++++ roles/wallabag/defaults/main.yml | 2 ++ roles/wallabag/templates/docker-stack.yml.j2 | 7 ++++++- 8 files changed, 33 insertions(+), 4 deletions(-) diff --git a/roles/miniflux/defaults/main.yml b/roles/miniflux/defaults/main.yml index a241f22..d93c12f 100644 --- a/roles/miniflux/defaults/main.yml +++ b/roles/miniflux/defaults/main.yml @@ -8,6 +8,8 @@ miniflux_use_https: true # the subdomain link miniflux will be reachable under subdomain_alias: rss +miniflux_autoupdate: true + # Should ideally be overwritten in encrypted group/host vars miniflux_admin_username: myadmin miniflux_admin_password: mypassword diff --git a/roles/miniflux/templates/docker-stack.yml.j2 b/roles/miniflux/templates/docker-stack.yml.j2 index 7af9ed7..15af1ed 100644 --- a/roles/miniflux/templates/docker-stack.yml.j2 +++ b/roles/miniflux/templates/docker-stack.yml.j2 @@ -24,6 +24,11 @@ services: {% else %} - "BASE_URL={{ (miniflux_use_https == True) | ternary('https', 'http') }}://localhost/{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}" {% endif %} +{% if miniflux_autoupdate is defined and miniflux_autoupdate %} + deploy: + labels: + - shepherd.autoupdate=true +{% endif %} db: image: postgres:11 diff --git a/roles/searx/defaults/main.yml b/roles/searx/defaults/main.yml index 5204c77..dd9fa5a 100644 --- a/roles/searx/defaults/main.yml +++ b/roles/searx/defaults/main.yml 
@@ -5,8 +5,11 @@ searx_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" searx_use_https: true +searx_autoupdate: true + # the subdomain link searx will be reachable under subdomain_alias: search + # searx_authentication: -# - username: mysearxusername -# password: JDJhJDE0JFdjUnQ5WWllcU8wa01xS0JBS2dlMy5zMEhRTmxqTXdIZmdjcTN6ZGFwRjJlYUdoSHAwRUhL # mysearxpassword +# - username: # mysearxusername +# password: # mysearxpassword diff --git a/roles/searx/templates/docker-stack.yml.j2 b/roles/searx/templates/docker-stack.yml.j2 index 9c1cd2d..9b853ac 100644 --- a/roles/searx/templates/docker-stack.yml.j2 +++ b/roles/searx/templates/docker-stack.yml.j2 @@ -13,7 +13,7 @@ services: start_period: 1m environment: - BIND_ADDRESS=0.0.0.0:8080 -{% if server_domain is not undefined and not none %} +{% if server_domain is not undefined and not none %} - "BASE_URL={{ (searx_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" {% else %} - "BASE_URL={{ (searx_use_https == True) | ternary('https', 'http') }}://localhost/{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}" @@ -21,6 +21,11 @@ services: volumes: - /etc/localtime:/etc/localtime:ro - data:/etc/searx:rw +{% if searx_autoupdate is defined and searx_autoupdate %} + deploy: + labels: + - shepherd.autoupdate=true +{% endif %} volumes: data: diff --git a/roles/shaarli/defaults/main.yml b/roles/shaarli/defaults/main.yml index 45f1bef..662c888 100644 --- a/roles/shaarli/defaults/main.yml +++ b/roles/shaarli/defaults/main.yml @@ -5,6 +5,8 @@ shaarli_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" shaarli_use_https: true +shaarli_autoupdate: true + # the subdomain link shaarli will be reachable under subdomain_alias: links 
diff --git a/roles/shaarli/templates/docker-stack.yml.j2 b/roles/shaarli/templates/docker-stack.yml.j2 index a90157a..0ee7f70 100644 --- a/roles/shaarli/templates/docker-stack.yml.j2 +++ b/roles/shaarli/templates/docker-stack.yml.j2 @@ -14,6 +14,11 @@ services: volumes: - data:/var/www/shaarli/data - cache:/var/www/shaarli/cache +{% if shaarli_autoupdate is defined and shaarli_autoupdate %} + deploy: + labels: + - shepherd.autoupdate=true +{% endif %} {% if backup_enable is not undefined and not false and shaarli_backup_enable is not undefined and not false %} backup: diff --git a/roles/wallabag/defaults/main.yml b/roles/wallabag/defaults/main.yml index c7b830c..55de954 100644 --- a/roles/wallabag/defaults/main.yml +++ b/roles/wallabag/defaults/main.yml @@ -5,5 +5,7 @@ wallabag_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" wallabag_use_https: true +wallabag_autoupdate: true + # the subdomain link wallabag will be reachable under subdomain_alias: read diff --git a/roles/wallabag/templates/docker-stack.yml.j2 b/roles/wallabag/templates/docker-stack.yml.j2 index ee7e307..387f3d7 100644 --- a/roles/wallabag/templates/docker-stack.yml.j2 +++ b/roles/wallabag/templates/docker-stack.yml.j2 @@ -15,11 +15,16 @@ services: - data:/var/www/wallabag/data environment: - SYMFONY__ENV__FOSUSER_REGISTRATION=false -{% if server_domain is not undefined and not none %} +{% if server_domain is not undefined and not none %} - "SYMFONY__ENV__DOMAIN_NAME={{ (wallabag_use_https == True) | ternary('https', 'http') }}://{{ (subdomain_alias is not undefined and not none) | ternary(subdomain_alias, stack_name) }}.{{server_domain}}" {% else %} - SYMFONY__ENV__DOMAIN_NAME={{ (wallabag_use_https == True) | ternary('https', 'http') }}://localhost {% endif %} +{% if wallabag_autoupdate is defined and wallabag_autoupdate %} + deploy: + labels: + - shepherd.autoupdate=true +{% endif %} redis: image: redis:alpine 
From 33d19e9373184b8de05d2ee3d6246d7b892a7d38 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Fri, 7 Mar 2025 21:42:45 +0100 Subject: [PATCH 61/66] feat(linkding): Add linkding stack Bookmarking software similar to shaarli but a bit more featureful. And not written in php, thankfully. --- roles/linkding/defaults/main.yml | 19 +++++++ roles/linkding/handlers/main.yml | 52 ++++++++++++++++++++ roles/linkding/meta/main.yml | 11 +++++ roles/linkding/tasks/main.yml | 23 +++++++++ roles/linkding/templates/docker-stack.yml.j2 | 46 +++++++++++++++++ roles/linkding/templates/upstream.json.j2 | 38 ++++++++++++++ roles/linkding/vars/main.yml | 6 +++ site.yml | 5 ++ 8 files changed, 200 insertions(+) create mode 100644 roles/linkding/defaults/main.yml create mode 100644 roles/linkding/handlers/main.yml create mode 100644 roles/linkding/meta/main.yml create mode 100644 roles/linkding/tasks/main.yml create mode 100644 roles/linkding/templates/docker-stack.yml.j2 create mode 100644 roles/linkding/templates/upstream.json.j2 create mode 100644 roles/linkding/vars/main.yml diff --git a/roles/linkding/defaults/main.yml b/roles/linkding/defaults/main.yml new file mode 100644 index 0000000..b675b38 --- /dev/null +++ b/roles/linkding/defaults/main.yml @@ -0,0 +1,19 @@ +--- +linkding_version: latest-plus # plus contains self-archiving possibilities with singlefile + +linkding_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}" + +linkding_use_https: true + +linkding_autoupdate: true + +# the subdomain link linkding will be reachable under +subdomain_alias: ld + +# initial superuser creation +linkding_username: linkdinger +linkding_password: linkdingerpass123 + +# should we back up the data? +linkding_backup_enable: true +linkding_backup_cron: 0 45 3 * * * diff --git a/roles/linkding/handlers/main.yml b/roles/linkding/handlers/main.yml new file mode 100644 index 0000000..081f2df --- /dev/null +++ b/roles/linkding/handlers/main.yml 
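Review bot: `linkding_username: linkdinger` / `linkding_password: linkdingerpass123` are a working superuser credential that is used as-is on any host that does not override them, and unlike the miniflux defaults in PATCH 60 nothing here says they must be. Add the marker the other roles use, `# Should ideally be overwritten in encrypted group/host vars`, above the `# initial superuser creation` block. `linkding_backup_cron: 0 45 3 * * *` is also the exact schedule the shaarli role uses, so both backups start in the same minute when both roles are deployed; stagger it or note that the overlap is intended.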
@@ -0,0 +1,52 @@ +## Register reverse proxy +- name: Ensure upstream directory exists + ansible.builtin.file: + path: "{{ linkding_upstream_file_dir }}" + state: directory + mode: "0755" + become: true + listen: "update linkding upstream" + +- name: Update upstream template + ansible.builtin.template: + src: upstream.json.j2 + dest: "{{ linkding_upstream_file_dir }}/upstream.json" + become: true + listen: "update linkding upstream" + +# figure out if upstream id exists +- name: check {{ stack_name }} upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl localhost:2019/id/{{ stack_name }}_upstream/ + changed_when: False + register: result + become: true + listen: "update linkding upstream" + +# upstream already exists, patch it +- name: remove old {{ stack_name }} upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl -X DELETE localhost:2019/id/{{ stack_name }}_upstream/ + become: true + when: (result.stdout | from_json)['error'] is not defined + listen: "update linkding upstream" + +# upstream has to be created +- name: add {{ stack_name }} upstream + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl -X POST -H "Content-Type: application/json" -d @{{ linkding_upstream_file_dir }}/upstream.json localhost:2019/config/apps/http/servers/{{ (linkding_use_https == True) | ternary(caddy_https_server_name, caddy_http_server_name) }}/routes/0/ + become: true + listen: "update linkding upstream" + +- name: Ensure upstream directory is gone again + ansible.builtin.file: + path: "{{ linkding_upstream_file_dir }}" + state: absent + become: true + listen: "update linkding upstream" diff --git a/roles/linkding/meta/main.yml b/roles/linkding/meta/main.yml new file mode 100644 index 0000000..1c14785 --- /dev/null +++ b/roles/linkding/meta/main.yml 
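Review bot: The `Update upstream template` task writes `upstream.json` without a `mode:`, so the file's permissions come from the remote umask while the directory it lives in is explicitly created with `mode: "0755"`; add `mode: "0600"` to the template task, since the rendered file carries the proxy route for this service and there is no reason for it to be world-readable. The file only exists between the first and the last handler, but that window is still host-visible. `changed_when: False` on the check task could also become `changed_when: false` to match the `become: true` spelling used throughout.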
@@ -0,0 +1,11 @@ +--- +galaxy_info: + author: Marty Oehme + description: Installs linkding as a docker stack service + license: GPL-3.0-only + min_ansible_version: "2.9" + galaxy_tags: [] + +dependencies: + - docker-swarm + - caddy_id diff --git a/roles/linkding/tasks/main.yml b/roles/linkding/tasks/main.yml new file mode 100644 index 0000000..e514b26 --- /dev/null +++ b/roles/linkding/tasks/main.yml @@ -0,0 +1,23 @@ +--- +## install linkding container +- name: Check upstream status + community.docker.docker_container_exec: + container: "{{ caddy_container_id }}" + command: > + curl localhost:2019/id/{{ stack_name }}_upstream/ + register: result + changed_when: (result.stdout | from_json) != (lookup('template', 'upstream.json.j2') | from_yaml) + become: true + notify: "update linkding upstream" + +- name: Deploy linkding to swarm + community.general.docker_stack: + name: "{{ stack_name }}" + state: present + prune: yes + compose: + - "{{ stack_compose }}" + become: true + tags: + - docker-swarm + notify: "update linkding upstream" diff --git a/roles/linkding/templates/docker-stack.yml.j2 b/roles/linkding/templates/docker-stack.yml.j2 new file mode 100644 index 0000000..dad26fc --- /dev/null +++ b/roles/linkding/templates/docker-stack.yml.j2 
@@ -0,0 +1,46 @@ +services: + app: + image: "{{ stack_image }}:{{ linkding_version }}" + healthcheck: + test: ["CMD", "curl", "--fail", "http://127.0.0.1:9090/health"] + interval: 1m + timeout: 10s + retries: 3 + start_period: 1m + networks: + - "{{ docker_swarm_public_network_name }}" + volumes: + - data:/etc/linkding/data + environment: + - "LD_SUPERUSER_NAME={{ linkding_username }}" + - "LD_SUPERUSER_PASSWORD={{ linkding_password }}" +{% if linkding_autoupdate is defined and linkding_autoupdate %} + deploy: + labels: + - shepherd.autoupdate=true +{% endif %} + +{% if backup_enable is not undefined and not false and linkding_backup_enable is not undefined and not false %} + backup: + image: mazzolino/restic + environment: + - "TZ={{ restic_timezone }}" + # go-cron starts w seconds + - "BACKUP_CRON={{ linkding_backup_cron }}" + - "RESTIC_REPOSITORY={{ restic_repo }}" + - "AWS_ACCESS_KEY_ID={{ restic_s3_key }}" + - "AWS_SECRET_ACCESS_KEY={{ restic_s3_secret }}" + - "RESTIC_PASSWORD={{ restic_pass }}" + - "RESTIC_BACKUP_TAGS=linkding" + - "RESTIC_BACKUP_SOURCES=/volumes" + volumes: + - data:/volumes/linkding_data:ro +{% endif %} + +volumes: + data: + +networks: + "{{ docker_swarm_public_network_name }}": + external: true + diff --git a/roles/linkding/templates/upstream.json.j2 b/roles/linkding/templates/upstream.json.j2 new file mode 100644 index 0000000..c4ee71c --- /dev/null +++ b/roles/linkding/templates/upstream.json.j2 
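Review bot: `image: mazzolino/restic` for the `backup` service is untagged and so floats on `latest`, while the restic role pins its own prune/check containers through `restic_version`; `image: "mazzolino/restic:{{ restic_version }}"` keeps the client that writes the repository on the same version as the one that prunes and checks it, assuming `restic_version` is in scope like `restic_repo` and `restic_pass` already are. `LD_SUPERUSER_PASSWORD`, `RESTIC_PASSWORD` and the S3 keys are passed as plain environment variables, which any process with access to the Docker socket (shepherd mounts it in PATCH 57) can read through service inspection; Swarm `secrets:` would keep them out of the service spec. A comment above `LD_SUPERUSER_PASSWORD`, e.g. `# only used to create the superuser on first start; override in encrypted vars`, would document the intent, if that is how linkding treats it — verify.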
@@ -0,0 +1,38 @@ +{ + "@id": "{{ stack_name }}_upstream", +{% if server_domain is not undefined and not none %} + "match": [ + { + "host": [ +{% if subdomain_alias is not undefined and not none %} + "{{ subdomain_alias }}.{{ server_domain }}" +{% else %} + "{{ stack_name }}.{{ server_domain }}" +{% endif %} + ] + } + ], +{% else %} + "match": [ + { + "path": [ +{% if subdomain_alias is not undefined and not none %} + "/{{ subdomain_alias }}*" +{% else %} + "/{{ stack_name }}*" +{% endif %} + ] + } + ], +{% endif %} + "handle": [ + { + "handler": "reverse_proxy", + "upstreams": [ + { + "dial": "{{ stack_name }}_app:9090" + } + ] + } + ] +} diff --git a/roles/linkding/vars/main.yml b/roles/linkding/vars/main.yml new file mode 100644 index 0000000..5e74731 --- /dev/null +++ b/roles/linkding/vars/main.yml @@ -0,0 +1,6 @@ +--- +stack_name: linkding + +stack_image: "sissbruecker/linkding" + +stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" diff --git a/site.yml b/site.yml index 2e9a2be..6fe2fed 100644 --- a/site.yml +++ b/site.yml @@ -76,6 +76,11 @@ role: shaarli tags: shaarli + - name: Install linkding + import_role: + role: linkding + tags: linkding + - name: Install landingpage import_role: role: landingpage From 274b314a9e6a9af93e5943f5b680766b22ad7e7b Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sat, 15 Mar 2025 23:42:30 +0100 Subject: [PATCH 62/66] ref(linkding): Replace shaarli with linkding Deprecate shaarli and remove it from the default site setup. --- roles/linkding/defaults/main.yml | 2 +- roles/shaarli/defaults/main.yml | 2 +- site.yml | 5 ----- 3 files changed, 2 insertions(+), 7 deletions(-) diff --git a/roles/linkding/defaults/main.yml b/roles/linkding/defaults/main.yml index b675b38..c736c2c 100644 --- a/roles/linkding/defaults/main.yml +++ b/roles/linkding/defaults/main.yml 
@@ -8,7 +8,7 @@ linkding_use_https: true linkding_autoupdate: true # the subdomain link linkding will be reachable under -subdomain_alias: ld +subdomain_alias: links # initial superuser creation linkding_username: linkdinger diff --git a/roles/shaarli/defaults/main.yml b/roles/shaarli/defaults/main.yml index 662c888..b72233c 100644 --- a/roles/shaarli/defaults/main.yml +++ b/roles/shaarli/defaults/main.yml @@ -8,7 +8,7 @@ shaarli_use_https: true shaarli_autoupdate: true # the subdomain link shaarli will be reachable under -subdomain_alias: links +subdomain_alias: shaarli # should we back up the data? shaarli_backup_enable: true diff --git a/site.yml b/site.yml index 6fe2fed..69a8ddd 100644 --- a/site.yml +++ b/site.yml @@ -71,11 +71,6 @@ role: nextcloud tags: nextcloud - - name: Install shaarli - import_role: - role: shaarli - tags: shaarli - - name: Install linkding import_role: role: linkding From 4671801a844851b4d10947bdbf2da9d5d47438b6 Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Wed, 19 Mar 2025 17:01:56 +0100 Subject: [PATCH 63/66] fix(repo): Remove production inventory from non-production branch --- inv-prod.yml | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 inv-prod.yml diff --git a/inv-prod.yml b/inv-prod.yml deleted file mode 100644 index 7df0353..0000000 --- a/inv-prod.yml +++ /dev/null @@ -1,8 +0,0 @@ -prod: - hosts: - ssdnodes: - -docker_swarm_manager_node: - hosts: - ssdnodes: - From 814f1e008f4e0ccc783525e4106add938a1c6e2b Mon Sep 17 00:00:00 2001 
From: Marty Oehme Date: Wed, 19 Mar 2025 10:49:58 +0100 Subject: [PATCH 64/66] feat(docker): Add docker stack cleaning role Runs before setting up any new stacks or pursue other modifications to docker deployments. Brings down any stack which is not currently defined in a role. This makes the whole installation more idempotent since we take care to not only bring _up_ any necessary docker containers, but also bring _down_ those that have become unnecessary. --- roles/docker-clean/tasks/main.yml | 12 ++++++++++++ site.yml | 6 ++++++ 2 files changed, 18 insertions(+) create mode 100644 roles/docker-clean/tasks/main.yml diff --git a/roles/docker-clean/tasks/main.yml b/roles/docker-clean/tasks/main.yml new file mode 100644 index 0000000..53a7bad --- /dev/null +++ b/roles/docker-clean/tasks/main.yml @@ -0,0 +1,12 @@ +--- +- name: Get running docker stacks + community.docker.docker_stack_info: + register: running_stacks + become: true + +- name: Remove stacks without matching role + community.docker.docker_stack: + name: "{{ item.Name }}" + state: "absent" + loop: "{{ running_stacks.results | rejectattr('Name', 'in', role_names) }}" + become: true diff --git a/site.yml b/site.yml index 69a8ddd..b2dbba2 100644 --- a/site.yml +++ b/site.yml @@ -18,6 +18,12 @@ - hosts: docker_swarm_manager_node tasks: + - name: Remove stacks without roles + import_role: + role: docker-clean + tags: + - docker-clean + - name: Install caddy reverse proxy import_role: role: caddy From 6e3b5f47c7e12e7c9d1dab9fe118ceddd1293f2a Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Wed, 21 May 2025 16:16:22 +0200 Subject: [PATCH 65/66] chore(linkding): Move to ghcr repository --- roles/linkding/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/linkding/vars/main.yml b/roles/linkding/vars/main.yml index 5e74731..2588d44 100644 --- a/roles/linkding/vars/main.yml +++ b/roles/linkding/vars/main.yml 
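Review bot: `rejectattr('Name', 'in', role_names)` turns "stack name equals role name" into an undocumented contract: every role's `stack_name` (restic, shepherd, linkding …) happens to match today, but a role whose stack is named differently, a manually deployed stack, or a play that only imports a subset of roles would have its stack removed with `state: "absent"` and no confirmation. Document the contract and the blast radius above the second task, e.g. `# Assumes every role's stack_name equals its role name; any other stack on this swarm is torn down.` An exemption list would make this safer, e.g. `loop: "{{ running_stacks.results | rejectattr('Name', 'in', role_names + docker_clean_keep_stacks | default([])) }}"` (variable name constructed). Whether `role_names` includes roles pulled in with `import_role` from a tasks section, and whether it honours `--tags`, depends on the Ansible version in use; verify before relying on it.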
@@ -1,6 +1,6 @@ --- stack_name: linkding -stack_image: "sissbruecker/linkding" +stack_image: "ghcr.io/sissbruecker/linkding" stack_compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}" From c0a264f1e8149be8e937b6242958a94fde9af39a Mon Sep 17 00:00:00 2001 From: Marty Oehme Date: Sun, 22 Jun 2025 11:15:55 +0200 Subject: [PATCH 66/66] chore(forgejo): Upgrade to LTS v11 --- roles/forgejo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/forgejo/defaults/main.yml b/roles/forgejo/defaults/main.yml index 232a790..8dad546 100644 --- a/roles/forgejo/defaults/main.yml +++ b/roles/forgejo/defaults/main.yml @@ -1,5 +1,5 @@ --- -forgejo_version: 8 +forgejo_version: 11 forgejo_upstream_file_dir: "{{ docker_stack_files_dir }}/{{ stack_name }}"