diff --git a/.gitignore b/.gitignore index d48132f..b2c5b82 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ secrets.yml -pysecrets.yml *.rendered diff --git a/ansible-playbook-selector.sh b/ansible-playbook-selector.sh deleted file mode 100755 index 89d84a6..0000000 --- a/ansible-playbook-selector.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -script_relative_path="$(dirname "$0")" -declare -i playbook_number=1 -mapfile -t playbook_list < <(find "$script_relative_path/playbooks" -type f | grep -oP '[^/]+\.yml$') - - -echo "Playbook list:" -for playbook in "${playbook_list[@]}"; do - echo " [$playbook_number] $playbook" - playbook_number+=1 -done - -read -rp "Select playbook number to execute: " selected_playbook_number - - -selected_playbook_name="${playbook_list[((selected_playbook_number - 1))]}" - -if ! echo "$selected_playbook_number" | grep -qP '^[1-9][0-9]*$' || [[ -z "$selected_playbook_name" ]]; then - echo "Invalid playbook number entered." - exit 1 -fi - - -echo "Selected playbook: $selected_playbook_name" - -ansible-playbook "$script_relative_path/playbooks/$selected_playbook_name" diff --git a/ansible.cfg b/ansible.cfg deleted file mode 100644 index 34e23ac..0000000 --- a/ansible.cfg +++ /dev/null @@ -1,3 +0,0 @@ -[defaults] -roles_path = ./roles -ask_vault_pass = True diff --git a/env.yml b/env.yml index 6dbd3b9..8ba6cec 100644 --- a/env.yml +++ b/env.yml @@ -1,79 +1,99 @@ domain: viyurz.fr timezone: "Europe/Paris" -host_uid: 1000 -project_dir: "{{ ansible_env['HOME'] }}/docker-projects/{{ role_name }}" -docker_host: "unix:///run/user/{{ host_uid }}/docker.sock" -# UID shift for mapping between host & containers -uid_shift: 99999 +<%! + import os, subprocess + + uid = os.getuid() + rootless = os.path.exists(f"/run/user/{uid}/podman/podman.sock") +%> +% if rootless: +rootless: true +podman_uid: ${uid} +uid_shift: ${int(subprocess.run(['sh', '-c', "grep " + os.getlogin() + " /etc/subuid | cut -d ':' -f 2"], capture_output=True, text=True).stdout.strip()) - 1} +socket: "/run/user/${uid}/podman/podman.sock" +% else: +rootless: false +podman_uid: 0 +uid_shift: 0 +socket: "/run/podman/podman.sock" +% endif -# cifs_credentials is undefined when we run the backup playbook -# as a cronjob, so set empty default value to prevent errors, -# which is fine because we don't use it. -cifs_host: "{{ cifs_credentials['username'] | default('') }}.your-storagebox.de" +backup: + etebase: + - /mnt/etebasedata/media + hedgedoc: + - /mnt/hedgedocuploads + mailserver: + - /mnt/mailserver/etc/config.toml + synapse: + - /mnt/synapsedata + vaultwarden: + - /mnt/vwdata/attachments -cifs_mounts: - backups: - src: "//{{ cifs_host }}/backup/backups" - path: /mnt/storagebox/backups - uid: 0 - gid: "{{ host_uid }}" - file_mode: 640 - dir_mode: 750 +backup_sqlite: + stump: /mnt/stump/config/stump.db + uptime: /mnt/uptimekumadata/kuma.db + +borg_repo: /mnt/storagebox/backups/borg2 +borg_prune_opts: + - "--keep-within=1d" + - "--keep-daily=7" + - "--keep-weekly=4" + - "--keep-monthly=12" + - "--keep-yearly=86" + + +certs: + coturn: + cert: "/etc/letsencrypt/live/turn.viyurz.fr/fullchain.pem" + pkey: "/etc/letsencrypt/live/turn.viyurz.fr/privkey.pem" + mailserver: + cert: "/etc/letsencrypt/live/mail.viyurz.fr/fullchain.pem" + pkey: "/etc/letsencrypt/live/mail.viyurz.fr/privkey.pem" + + +pasta: + coturn: + ipv4: 10.86.3.1 + ipv6: fc86::3 + etebase: + ipv4: 10.86.5.1 + ipv6: fc86::5 fireshare: - src: "//{{ cifs_host }}/backup/fireshare" - path: /mnt/storagebox/fireshare - uid: "{{ users['fireshare'] + uid_shift }}" - gid: "{{ users['fireshare'] + uid_shift }}" - file_mode: 644 - dir_mode: 755 - storagebox: - src: "//{{ cifs_host }}/backup" - path: /mnt/storagebox - uid: 0 - gid: 0 - file_mode: 640 - dir_mode: 751 + ipv4: 10.86.6.1 + ipv6: fc86::6 + hedgedoc: + ipv4: 10.86.8.1 + ipv6: fc86::8 + keycloak: + ipv4: 10.86.11.1 + ipv6: fc86::11 + mailserver: + ipv4: 10.86.13.1 + ipv6: fc86::13 + postgres: + ipv4: 10.86.16.1 + ipv6: fc86::16 + stump: + ipv4: 10.86.18.1 + ipv6: fc86::18 + synapse: + ipv4: 10.86.19.1 + ipv6: fc86::19 syncthing: - src: "//{{ cifs_host }}/backup/syncthing" - path: /mnt/storagebox/syncthing - uid: "{{ users['syncthing'] + uid_shift }}" - gid: "{{ users['syncthing'] + uid_shift }}" - file_mode: 640 - dir_mode: 750 - - -projects: - - coturn - - diun - - etebase - - fireshare - - hedgedoc - - homepage - - keycloak - - mailserver - - postgres - - searxng - - stump - - synapse - - syncthing - - uptime-kuma - - vaultwarden - - -projects_to_backup: - - keycloak - - -borg_repodir: "{{ cifs_mounts['backups']['path'] }}/borg" -borg_passphrase_file: /etc/borg-passphrase.txt -borg_prune_options: | - --keep-within=1d - --keep-daily=7 - --keep-weekly=4 - --keep-monthly=12 - --keep-yearly=10 + ipv4: 10.86.20.1 + ipv6: fc86::20 + syncthing_relaysrv: + ipv4: 10.86.21.1 + ipv6: fc86::21 + uptime: + ipv4: 10.86.22.1 + ipv6: fc86::22 + vaultwarden: + ipv4: 10.86.23.1 + ipv6: fc86::23 # Ports exposed to host @@ -96,18 +116,18 @@ ports: stump: 10801 synapse: 8008 syncthing_discosrv: 8443 - # Public port, forwarded to 22067 by nftables - syncthing_relaysrv: 143 + syncthing_relaysrv: 143 # Public port, forwarded to 22067 by nftables syncthing_webui: 8384 - syncthing_tcp: 18880 + syncthing_tcp: 9100 syncthing_udp: 22000 - uptime_kuma: 3001 + uptime: 3001 vaultwarden: 8081 # UID in containers users: coturn: 666 + diun: 0 etebase: 373 fireshare: 1007 hedgedoc: 1004 @@ -122,30 +142,31 @@ users: syncthing: 1001 syncthing_discosrv: 1002 syncthing_relaysrv: 1003 - uptime_kuma: 1006 + uptime: 1006 vaultwarden: 1010 volumes: - coturn_tls_certificate_file: "/etc/letsencrypt/live/turn.{{ domain }}/fullchain.pem" - coturn_tls_certificate_key_file: "/etc/letsencrypt/live/turn.{{ domain }}/privkey.pem" - etebase_datadir: /mnt/etebasedata - fireshare_datadir: /mnt/firesharedata - fireshare_processeddir: /mnt/storagebox/fireshare/processed - fireshare_videosdir: /mnt/storagebox/fireshare/videos - hedgedoc_uploadsdir: /mnt/hedgedocuploads - mailserver_datadir: /mnt/mailserver - mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem" - mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem" - postgres_datadir: /mnt/postgresdata - stump_configdir: /mnt/stump/config - stump_datadir: /mnt/stump/data - synapse_datadir: /mnt/synapsedata - syncthing_datadir: "{{ cifs_mounts['syncthing']['path'] }}" - uptime_kuma_datadir: /mnt/uptimekumadata - vaultwarden_datadir: /mnt/vwdata - - -# Service-specific variables -synapse: - max_upload_size: 50M + etebase: + datadir: /mnt/etebasedata + fireshare: + datadir: /mnt/firesharedata + processeddir: /mnt/storagebox/fireshare/processed + videosdir: /mnt/storagebox/fireshare/videos + hedgedoc: + uploadsdir: /mnt/hedgedocuploads + mailserver: + datadir: /mnt/mailserver + postgres: + datadir: /mnt/postgresdata + stump: + configdir: /mnt/stump/config + datadir: /mnt/stump/data + synapse: + datadir: /mnt/synapsedata + syncthing: + datadir: /mnt/storagebox/syncthing + uptime: + datadir: /mnt/uptimekumadata + vaultwarden: + datadir: /mnt/vwdata diff --git a/manage.py b/manage.py index 3525871..b644bd4 100755 --- a/manage.py +++ b/manage.py @@ -361,8 +361,8 @@ def updateProj(project): def main(): - envFile = "pyenv.yml" - secretsFile = "pysecrets.yml" + envFile = "env.yml" + secretsFile = "secrets.yml" os.chdir(os.path.realpath(sys.path[0])) diff --git a/playbooks/backup-services.yml b/playbooks/backup-services.yml deleted file mode 100644 index e17ee51..0000000 --- a/playbooks/backup-services.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: Include variables files & run borg-init role - hosts: localhost - roles: - - include-vars - - borg-init - - backup-secrets - -- name: Backup project(s) - hosts: localhost - vars: - run_backup: true - vars_prompt: - - name: selected_projects - prompt: "Choose projects to backup (leave empty to backup all. Projects list: {{ hostvars['localhost']['projects_to_backup'] }})" - private: false - unsafe: true - - tasks: - - name: Backup project(s) - include_role: - name: "{{ project }}" - loop: "{{ (selected_projects | split) | default(projects_to_backup, true) }}" - loop_control: - # Do not use default variable name 'item' to prevent collisions with loops in roles. - loop_var: project - when: project in projects_to_backup - -- name: Compact borg repository - hosts: localhost - roles: - - borg-compact diff --git a/playbooks/config-fstab.yml b/playbooks/config-fstab.yml deleted file mode 100644 index dd32451..0000000 --- a/playbooks/config-fstab.yml +++ /dev/null @@ -1,10 +0,0 @@ -# Playbook to mount CIFS mounts defined in env.yml -- name: Include variables files - hosts: localhost - roles: - - include-vars - -- name: Edit fstab configuration & mount CIFS devices - hosts: localhost - roles: - - fstab diff --git a/playbooks/setup-dockerd.yml b/playbooks/setup-dockerd.yml deleted file mode 100644 index 5ef14ab..0000000 --- a/playbooks/setup-dockerd.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Setup Docker rootless - hosts: localhost - roles: - - include-vars - - dockerd diff --git a/playbooks/setup-nginx.yml b/playbooks/setup-nginx.yml deleted file mode 100644 index 315b967..0000000 --- a/playbooks/setup-nginx.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Include variables files & setup NGINX - hosts: localhost - roles: - - include-vars - - nginx diff --git a/playbooks/setup-services.yml b/playbooks/setup-services.yml deleted file mode 100644 index 108e2dc..0000000 --- a/playbooks/setup-services.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: Include variables files - hosts: localhost - roles: - - include-vars - -- name: Setup & update project(s) - hosts: localhost - vars: - run_backup: true - run_setup: true - run_update: true - vars_prompt: - - name: selected_projects - prompt: "Choose projects to setup & update (Keep empty to select all. Projects list: {{ hostvars['localhost']['projects'] }})" - private: false - unsafe: true - - - name: docker_pull_images - prompt: "Pull project(s) images?" - default: false - private: false - - tasks: - - name: Setup & update project(s) - include_role: - name: "{{ project }}" - loop: "{{ (selected_projects | split) | default(projects, true) }}" - loop_control: - # Do not use default variable name 'item' to prevent collisions with loops in roles. - loop_var: project - when: project in projects diff --git a/playbooks/update-nftables.yml b/playbooks/update-nftables.yml deleted file mode 100644 index 3c726a7..0000000 --- a/playbooks/update-nftables.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Include variables files & load nftables.conf - hosts: localhost - roles: - - include-vars - - nftables diff --git a/playbooks/update-services.yml b/playbooks/update-services.yml deleted file mode 100644 index 485ba50..0000000 --- a/playbooks/update-services.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: Include variables files - hosts: localhost - roles: - - include-vars - -- name: Update project(s) - hosts: localhost - vars: - docker_pull_images: true - run_update: true - vars_prompt: - - name: selected_projects - prompt: "Choose projects to update (Keep empty to update all. Projects list: {{ hostvars['localhost']['projects'] }})" - private: false - unsafe: true - - tasks: - - name: Update project(s) - include_role: - name: "{{ project }}" - loop: "{{ (selected_projects | split) | default(projects, true) }}" - loop_control: - # Do not use default variable name 'item' to prevent collisions with loops in roles. - loop_var: project - when: project in projects diff --git a/pyenv.yml b/pyenv.yml deleted file mode 100644 index 8ba6cec..0000000 --- a/pyenv.yml +++ /dev/null @@ -1,172 +0,0 @@ -domain: viyurz.fr -timezone: "Europe/Paris" - -<%! - import os, subprocess - - uid = os.getuid() - rootless = os.path.exists(f"/run/user/{uid}/podman/podman.sock") -%> -% if rootless: -rootless: true -podman_uid: ${uid} -uid_shift: ${int(subprocess.run(['sh', '-c', "grep " + os.getlogin() + " /etc/subuid | cut -d ':' -f 2"], capture_output=True, text=True).stdout.strip()) - 1} -socket: "/run/user/${uid}/podman/podman.sock" -% else: -rootless: false -podman_uid: 0 -uid_shift: 0 -socket: "/run/podman/podman.sock" -% endif - - -backup: - etebase: - - /mnt/etebasedata/media - hedgedoc: - - /mnt/hedgedocuploads - mailserver: - - /mnt/mailserver/etc/config.toml - synapse: - - /mnt/synapsedata - vaultwarden: - - /mnt/vwdata/attachments - -backup_sqlite: - stump: /mnt/stump/config/stump.db - uptime: /mnt/uptimekumadata/kuma.db - -borg_repo: /mnt/storagebox/backups/borg2 -borg_prune_opts: - - "--keep-within=1d" - - "--keep-daily=7" - - "--keep-weekly=4" - - "--keep-monthly=12" - - "--keep-yearly=86" - - -certs: - coturn: - cert: "/etc/letsencrypt/live/turn.viyurz.fr/fullchain.pem" - pkey: "/etc/letsencrypt/live/turn.viyurz.fr/privkey.pem" - mailserver: - cert: "/etc/letsencrypt/live/mail.viyurz.fr/fullchain.pem" - pkey: "/etc/letsencrypt/live/mail.viyurz.fr/privkey.pem" - - -pasta: - coturn: - ipv4: 10.86.3.1 - ipv6: fc86::3 - etebase: - ipv4: 10.86.5.1 - ipv6: fc86::5 - fireshare: - ipv4: 10.86.6.1 - ipv6: fc86::6 - hedgedoc: - ipv4: 10.86.8.1 - ipv6: fc86::8 - keycloak: - ipv4: 10.86.11.1 - ipv6: fc86::11 - mailserver: - ipv4: 10.86.13.1 - ipv6: fc86::13 - postgres: - ipv4: 10.86.16.1 - ipv6: fc86::16 - stump: - ipv4: 10.86.18.1 - ipv6: fc86::18 - synapse: - ipv4: 10.86.19.1 - ipv6: fc86::19 - syncthing: - ipv4: 10.86.20.1 - ipv6: fc86::20 - syncthing_relaysrv: - ipv4: 10.86.21.1 - ipv6: fc86::21 - uptime: - ipv4: 10.86.22.1 - ipv6: fc86::22 - vaultwarden: - ipv4: 10.86.23.1 - ipv6: fc86::23 - - -# Ports exposed to host -ports: - coturn_listening: 3478 - coturn_tls_listening: 5349 - coturn_relay_min: 49152 - coturn_relay_max: 49172 - etebase: 3735 - fireshare: 8085 - hedgedoc: 8086 - homepage: 8686 - keycloak: 8444 - mailserver_smtp: 1025 - mailserver_smtps: 1465 - mailserver_imaps: 1993 - mailserver_https: 1443 - postgres: 5432 - searxng: 8083 - stump: 10801 - synapse: 8008 - syncthing_discosrv: 8443 - syncthing_relaysrv: 143 # Public port, forwarded to 22067 by nftables - syncthing_webui: 8384 - syncthing_tcp: 9100 - syncthing_udp: 22000 - uptime: 3001 - vaultwarden: 8081 - - -# UID in containers -users: - coturn: 666 - diun: 0 - etebase: 373 - fireshare: 1007 - hedgedoc: 1004 - homepage: 8686 - keycloak: 1000 - mailserver: 8 - postgres: 70 - searxng: 977 - searxng_valkey: 999 - stump: 1005 - synapse: 991 - syncthing: 1001 - syncthing_discosrv: 1002 - syncthing_relaysrv: 1003 - uptime: 1006 - vaultwarden: 1010 - - -volumes: - etebase: - datadir: /mnt/etebasedata - fireshare: - datadir: /mnt/firesharedata - processeddir: /mnt/storagebox/fireshare/processed - videosdir: /mnt/storagebox/fireshare/videos - hedgedoc: - uploadsdir: /mnt/hedgedocuploads - mailserver: - datadir: /mnt/mailserver - postgres: - datadir: /mnt/postgresdata - stump: - configdir: /mnt/stump/config - datadir: /mnt/stump/data - synapse: - datadir: /mnt/synapsedata - syncthing: - datadir: /mnt/storagebox/syncthing - uptime: - datadir: /mnt/uptimekumadata - vaultwarden: - datadir: /mnt/vwdata diff --git a/pysecrets.yml.example b/pysecrets.yml.example deleted file mode 100644 index a46d550..0000000 --- a/pysecrets.yml.example +++ /dev/null @@ -1,60 +0,0 @@ -# To generate a random secret: openssl rand -base64 - -borg: - - -diun_webhookurl: - -fireshare: - admin_user: - admin_pass: - key: - -hedgedoc_session: - -keycloak: - hedgedoc: - id: - secret: - synapse: - id: - secret: - -mailserver: - synapse: - user: - pass: - vaultwarden: - user: - pass: - -postgres: - # https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters - etebase: - user: - pass: # No '%' character allowed - keycloak: - user: - pass: - hedgedoc: - user: - pass: - mailserver: - user: - pass: - synapse: - user: - pass: - vaultwarden: - user: - pass: - -searxng: - -synapse: - macaroon: - form: - -turn_static_auth: - -vw_admin_token_hash: diff --git a/roles/backup-secrets/tasks/main.yml b/roles/backup-secrets/tasks/main.yml deleted file mode 100644 index f532f07..0000000 --- a/roles/backup-secrets/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: - become: true - block: - - name: Create borg backup - command: - cmd: | - borg create - --compression=lzma - "{{ borg_repodir }}::secrets-{now:%Y-%m-%d_%H-%M-%S}" - {{ playbook_dir }}/../secrets.yml - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - - - name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='secrets-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" diff --git a/roles/borg-compact/tasks/main.yml b/roles/borg-compact/tasks/main.yml deleted file mode 100644 index 3dce159..0000000 --- a/roles/borg-compact/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Compact borg repository - command: - cmd: "borg compact {{ borg_repodir }}" - become: true diff --git a/roles/borg-init/tasks/main.yml b/roles/borg-init/tasks/main.yml deleted file mode 100644 index 3d31f18..0000000 --- a/roles/borg-init/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ -- name: - become: true - block: - - name: Install packages borgbackup & sqlite3 - apt: - name: - - borgbackup - # SQLite required for Vaultwarden - - sqlite3 - - - name: Get borg passphrase file stat - stat: - path: "{{ borg_passphrase_file }}" - register: borg_stat_passphrase_file_result - - - name: "Template borg-passphrase.txt to {{ borg_passphrase_file }}" - template: - src: borg-passphrase.txt - dest: "{{ borg_passphrase_file }}" - owner: root - group: root - mode: '600' - when: not borg_stat_passphrase_file_result.stat.exists or borg_update_passphrase | default(false) | bool - - - name: Get borg repository stat - stat: - path: "{{ borg_repodir }}" - register: borg_stat_repodir_result - - - name: Create borg repository - command: - cmd: "borg init --encryption repokey {{ borg_repodir }}" - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - when: not borg_stat_repodir_result.stat.exists diff --git a/roles/borg-init/templates/borg-passphrase.txt b/roles/borg-init/templates/borg-passphrase.txt deleted file mode 100644 index 6d774f7..0000000 --- a/roles/borg-init/templates/borg-passphrase.txt +++ /dev/null @@ -1 +0,0 @@ -{{ borg_passphrase }} diff --git a/roles/coturn/tasks/main.yml b/roles/coturn/tasks/main.yml deleted file mode 100644 index 2b65be3..0000000 --- a/roles/coturn/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/coturn/tasks/setup.yml b/roles/coturn/tasks/setup.yml deleted file mode 100644 index b7fcf1b..0000000 --- a/roles/coturn/tasks/setup.yml +++ /dev/null @@ -1,58 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & turnserver.conf to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - - turnserver.conf - -# Separate task because template module cannot chown/chgrp to a non-existing user/group -- name: "Change group of turnserver.conf to coturn GID ({{ users['coturn'] + uid_shift }})" - file: - path: "{{ project_dir }}/turnserver.conf" - group: "{{ users['coturn'] + uid_shift }}" - become: true - -- name: Set limited permissions on certificate directories - file: - path: "/etc/{{ item }}" - state: directory - owner: root - group: root - mode: '751' - become: true - loop: - - letsencrypt - - letsencrypt/live - - letsencrypt/archive - -- name: Set limited permissions on certificate directories - file: - path: "/etc/letsencrypt/{{ item }}/turn.{{ domain }}" - state: directory - owner: "{{ host_uid }}" - group: "{{ users['coturn'] + uid_shift }}" - mode: '550' - become: true - loop: - - live - - archive - -- name: Set limited permissions on certificate key file - file: - path: "/etc/letsencrypt/live/turn.{{ domain }}/privkey.pem" - owner: root - group: "{{ users['coturn'] + uid_shift }}" - mode: '640' - become: true diff --git a/roles/coturn/tasks/update.yml b/roles/coturn/tasks/update.yml deleted file mode 100644 index ff1e6b2..0000000 --- a/roles/coturn/tasks/update.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: coturn_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - coturn_pulled_images: "{{ coturn_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ coturn_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/coturn/templates/docker-compose.yaml b/roles/coturn/templates/docker-compose.yaml deleted file mode 100644 index 9357500..0000000 --- a/roles/coturn/templates/docker-compose.yaml +++ /dev/null @@ -1,18 +0,0 @@ -services: - coturn: - container_name: coturn - image: docker.io/coturn/coturn:4-alpine - restart: always - user: {{ users['coturn'] }}:{{ users['coturn'] }} - ports: - - {{ ports['coturn_listening'] }}:{{ ports['coturn_listening'] }} - - {{ ports['coturn_listening'] }}:{{ ports['coturn_listening'] }}/udp - - {{ ports['coturn_tls_listening'] }}:{{ ports['coturn_tls_listening'] }} - - {{ ports['coturn_tls_listening'] }}:{{ ports['coturn_tls_listening'] }}/udp - - {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }}:{{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }}/udp - tmpfs: - - /var/lib/coturn - volumes: - - ./turnserver.conf:/etc/coturn/turnserver.conf - - {{ volumes['coturn_tls_certificate_file'] }}:/etc/coturn/cert.pem - - {{ volumes['coturn_tls_certificate_key_file'] }}:/etc/coturn/pkey.pem diff --git a/roles/coturn/templates/turnserver.conf b/roles/coturn/templates/turnserver.conf deleted file mode 100644 index 30c334d..0000000 --- a/roles/coturn/templates/turnserver.conf +++ /dev/null @@ -1,68 +0,0 @@ -listening-port={{ ports['coturn_listening'] }} -tls-listening-port={{ ports['coturn_tls_listening'] }} - -# Lower and upper bounds of the UDP relay endpoints: -# (default values are 49152 and 65535) -min-port={{ ports['coturn_relay_min'] }} -max-port={{ ports['coturn_relay_max'] }} - -#verbose -fingerprint - -# Credentials in secrets.conf (static-auth-secret) -use-auth-secret -static-auth-secret={{ coturn_secrets['static_auth_secret'] }} - -realm=turn.{{ domain }} - -# TLS certificates, including intermediate certs. -# For Let's Encrypt certificates, use `fullchain.pem` here. -cert=/etc/coturn/cert.pem - -# TLS private key file -pkey=/etc/coturn/pkey.pem - -# Do not allow an TLS/DTLS version of protocol -no-tlsv1 -no-tlsv1_1 - -# Disable RFC5780 (NAT behavior discovery). -no-rfc5780 -no-stun-backward-compatibility -response-origin-only-with-rfc5780 -no-cli - -# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay. -no-tcp-relay - -# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. -user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user. -total-quota=1200 - -# don't let the relay ever try to connect to private IP address ranges within your network (if any) -# given the turn server is likely behind your firewall, remember to include any privileged public IPs too. -denied-peer-ip=10.0.0.0-10.255.255.255 -denied-peer-ip=192.168.0.0-192.168.255.255 -denied-peer-ip=172.16.0.0-172.31.255.255 -# recommended additional local peers to block, to mitigate external access to internal services. -# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability -no-multicast-peers -denied-peer-ip=0.0.0.0-0.255.255.255 -denied-peer-ip=100.64.0.0-100.127.255.255 -denied-peer-ip=127.0.0.0-127.255.255.255 -denied-peer-ip=169.254.0.0-169.254.255.255 -denied-peer-ip=192.0.0.0-192.0.0.255 -denied-peer-ip=192.0.2.0-192.0.2.255 -denied-peer-ip=192.88.99.0-192.88.99.255 -denied-peer-ip=198.18.0.0-198.19.255.255 -denied-peer-ip=198.51.100.0-198.51.100.255 -denied-peer-ip=203.0.113.0-203.0.113.255 -denied-peer-ip=240.0.0.0-255.255.255.255 -denied-peer-ip=::1 -denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff -denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 -denied-peer-ip=100::-100::ffff:ffff:ffff:ffff -denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff -denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff -denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff -denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff diff --git a/roles/diun/tasks/main.yml b/roles/diun/tasks/main.yml deleted file mode 100644 index 2b65be3..0000000 --- a/roles/diun/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/diun/tasks/setup.yml b/roles/diun/tasks/setup.yml deleted file mode 100644 index aa325cc..0000000 --- a/roles/diun/tasks/setup.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml, .env & images.yml to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - - .env - - images.yml diff --git a/roles/diun/tasks/update.yml b/roles/diun/tasks/update.yml deleted file mode 100644 index d2dc942..0000000 --- a/roles/diun/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: diun_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - diun_pulled_images: "{{ diun_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ diun_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and diun_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/diun/templates/.env b/roles/diun/templates/.env deleted file mode 100644 index ef509e7..0000000 --- a/roles/diun/templates/.env +++ /dev/null @@ -1,6 +0,0 @@ -TZ={{ timezone }} -DIUN_WATCH_SCHEDULE='0 */6 * * *' -DIUN_PROVIDERS_DOCKER=true -DIUN_PROVIDERS_DOCKER_WATCHBYDEFAULT=true -DIUN_PROVIDERS_FILE_FILENAME=/etc/diun/images.yml -DIUN_NOTIF_DISCORD_WEBHOOKURL='{{ diun_secrets["webhookurl"] }}' diff --git a/roles/diun/templates/docker-compose.yaml b/roles/diun/templates/docker-compose.yaml deleted file mode 100644 index b9f9f5b..0000000 --- a/roles/diun/templates/docker-compose.yaml +++ /dev/null @@ -1,14 +0,0 @@ -services: - diun: - image: docker.io/crazymax/diun:4 - container_name: diun - command: serve - restart: always - env_file: .env - volumes: - - {{ docker_host | regex_replace('^unix://', '') }}:/var/run/docker.sock:ro - - ./images.yml:/etc/diun/images.yml:ro - - data:/data - -volumes: - data: diff --git a/roles/diun/templates/images.yml b/roles/diun/templates/images.yml deleted file mode 100644 index 3c070a5..0000000 --- a/roles/diun/templates/images.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: quay.io/hedgedoc/hedgedoc - watch_repo: true - sort_tags: semver - max_tags: 1 - include_tags: - - ^[\d\.]+-alpine$ - -- name: quay.io/keycloak/keycloak - watch_repo: true - sort_tags: semver - max_tags: 1 - include_tags: - - ^\d+\.\d+$ - -- name: docker.io/stalwartlabs/mail-server - watch_repo: true - sort_tags: semver - max_tags: 1 - include_tags: - - ^v - -- name: docker.io/aaronleopold/stump - watch_repo: true - sort_tags: semver - max_tags: 1 - include_tags: - - ^\d diff --git a/roles/dockerd/files/override.conf b/roles/dockerd/files/override.conf deleted file mode 100644 index 26ada66..0000000 --- a/roles/dockerd/files/override.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns" -Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns" diff --git a/roles/dockerd/tasks/main.yml b/roles/dockerd/tasks/main.yml deleted file mode 100644 index 5628d96..0000000 --- a/roles/dockerd/tasks/main.yml +++ /dev/null @@ -1,81 +0,0 @@ -- name: Make sure required packages are installed - apt: - name: - - dbus-user-session - - docker.io - - docker-compose - - rootlesskit - - slirp4netns - - uidmap - become: true - -- name: Make sure system-wide Docker daemon & socket are stopped & disabled - service: - name: "{{ item }}" - state: stopped - enabled: false - loop: - - docker - - docker.socket - become: true - -- name: Get docker user service status - stat: - path: "{{ ansible_env['HOME'] }}/.config/systemd/user/docker.service" - register: dockerd_user_service_file_result - -- name: Run dockerd-rootless-setuptool.sh script - command: - cmd: /usr/share/docker.io/contrib/dockerd-rootless-setuptool.sh install - # Don't run install script everytime - when: not dockerd_user_service_file_result.stat.exists - -- name: Make sure /usr/share/docker.io/contrib is in PATH variable - lineinfile: - path: "{{ ansible_env['HOME'] }}/.profile" - regex: '^export PATH="/usr/share/docker\.io/contrib' - line: 'export PATH="/usr/share/docker.io/contrib:$PATH"' - -- name: Make sure DOCKER_HOST variable is set correctly - lineinfile: - path: "{{ ansible_env['HOME'] }}/.profile" - regex: '^export DOCKER_HOST=' - line: "export DOCKER_HOST={{ docker_host }}" - -- name: "Make sure lingering is enabled for user {{ host_uid }}" - command: - cmd: "loginctl enable-linger {{ host_uid }}" - become: true - -- name: "Create directory {{ ansible_env['HOME'] }}/.config/systemd/user/docker.service.d" - file: - path: "{{ ansible_env['HOME'] }}/.config/systemd/user/docker.service.d" - state: directory - -# Set port driver to slirp4netns to enable source IP propagation, which is required for coturn to work. -- name: "Copy systemd service override.conf to {{ ansible_env['HOME'] }}/.config/systemd/user/docker.service.d/override.conf" - copy: - src: "{{ role_path }}/files/override.conf" - dest: "{{ ansible_env['HOME'] }}/.config/systemd/user/docker.service.d/override.conf" - register: dockerd_copy_override_conf_result - -- name: Edit some sysctl entries for Redis & Syncthing - sysctl: - name: "{{ item.key }}" - value: "{{ item.value }}" - loop: - - key: vm.overcommit_memory - value: 1 - - key: net.core.wmem_max - value: 2500000 - - key: net.core.rmem_max - value: 2500000 - become: true - -- name: Start/restart & enable Docker user service - service: - name: docker - scope: user - # Restart only if config file(s) changed - state: "{{ (dockerd_copy_override_conf_result.changed) | ternary('restarted', 'started') }}" - enabled: true diff --git a/roles/etebase/tasks/backup.yml b/roles/etebase/tasks/backup.yml deleted file mode 100644 index b65072f..0000000 --- a/roles/etebase/tasks/backup.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: - become: true - block: - - name: Backup SQLite database - command: - cmd: | - sqlite3 - "{{ volumes['etebase_datadir'] }}/db.sqlite3" - ".backup {{ volumes['etebase_datadir'] }}/db-backup.sqlite3" - - - name: Create borg backup - command: - cmd: | - borg create - --compression=lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - {{ volumes['etebase_datadir'] }}/db-backup.sqlite3 - {{ volumes['etebase_datadir'] }}/media - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - - - name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" diff --git a/roles/etebase/tasks/main.yml b/roles/etebase/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/etebase/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/etebase/tasks/setup.yml b/roles/etebase/tasks/setup.yml deleted file mode 100644 index b715609..0000000 --- a/roles/etebase/tasks/setup.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & etebase-server.ini to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '644' - loop: - - docker-compose.yaml - - etebase-server.ini - -- name: "Create (if not exists) directory {{ volumes['etebase_datadir'] }} & set permissions" - file: - path: "{{ volumes['etebase_datadir'] }}" - state: directory - owner: "{{ users['etebase'] + uid_shift }}" - group: "{{ users['etebase'] + uid_shift }}" - mode: '770' - become: true diff --git a/roles/etebase/tasks/update.yml b/roles/etebase/tasks/update.yml deleted file mode 100644 index 3668d27..0000000 --- a/roles/etebase/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: etebase_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - etebase_pulled_images: "{{ etebase_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ etebase_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and etebase_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/etebase/templates/docker-compose.yaml b/roles/etebase/templates/docker-compose.yaml deleted file mode 100644 index f775594..0000000 --- a/roles/etebase/templates/docker-compose.yaml +++ /dev/null @@ -1,14 +0,0 @@ -services: - etebase: - image: docker.io/victorrds/etebase:alpine - container_name: etebase - restart: always - user: {{ users['etebase'] }}:{{ users['etebase'] }} - environment: - SERVER: http - AUTO_UPDATE: 'true' - ports: - - 127.0.0.1:{{ ports['etebase'] }}:3735 - volumes: - - {{ volumes['etebase_datadir'] }}:/data - - ./etebase-server.ini:/data/etebase-server.ini diff --git a/roles/etebase/templates/etebase-server.ini b/roles/etebase/templates/etebase-server.ini deleted file mode 100644 index ea84207..0000000 --- a/roles/etebase/templates/etebase-server.ini +++ /dev/null @@ -1,17 +0,0 @@ -[global] -secret_file = /data/secret.txt -debug = false -static_root = /srv/etebase/static -static_url = /static/ -media_root = /data/media -media_url = /user-media/ -language_code = en-us -time_zone = {{ timezone }} - - -[allowed_hosts] -allowed_host1 = etebase.{{ domain }} - -[database] -engine = django.db.backends.sqlite3 -name = /data/db.sqlite3 diff --git a/roles/fireshare/tasks/main.yml b/roles/fireshare/tasks/main.yml deleted file mode 100644 index 2b65be3..0000000 --- a/roles/fireshare/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/fireshare/tasks/setup.yml b/roles/fireshare/tasks/setup.yml deleted file mode 100644 index 2ae598d..0000000 --- a/roles/fireshare/tasks/setup.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & .env to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - - .env - -- name: "Create (if not exists) directory {{ volumes['fireshare_datadir'] }} & set permissions" - file: - path: "{{ volumes['fireshare_datadir'] }}" - state: directory - owner: "{{ users['fireshare'] + uid_shift }}" - group: "{{ users['fireshare'] + uid_shift }}" - mode: '750' - become: true diff --git a/roles/fireshare/tasks/update.yml b/roles/fireshare/tasks/update.yml deleted file mode 100644 index 7a77114..0000000 --- a/roles/fireshare/tasks/update.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: fireshare_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - fireshare_pulled_images: "{{ fireshare_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ fireshare_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/fireshare/templates/.env b/roles/fireshare/templates/.env deleted file mode 100644 index 33407cc..0000000 --- a/roles/fireshare/templates/.env +++ /dev/null @@ -1,9 +0,0 @@ -ADMIN_USERNAME='{{ fireshare_secrets["admin_username"] }}' -ADMIN_PASSWORD='{{ fireshare_secrets["admin_password"] }}' -SECRET_KEY='{{ fireshare_secrets["secret_key"] }}' -MINUTES_BETWEEN_VIDEO_SCANS=5 -# The location in the video thumbnails are generated. A value between 0-100 where 50 would be the frame in the middle of the video file and 0 would be the first frame of the video. -THUMBNAIL_VIDEO_LOCATION=0 -DOMAIN=clips.{{ domain }} -PUID={{ users['fireshare'] }} -PGID={{ users['fireshare'] }} diff --git a/roles/fireshare/templates/docker-compose.yaml b/roles/fireshare/templates/docker-compose.yaml deleted file mode 100644 index 5a66b4c..0000000 --- a/roles/fireshare/templates/docker-compose.yaml +++ /dev/null @@ -1,12 +0,0 @@ -services: - fireshare: - container_name: fireshare - image: docker.io/shaneisrael/fireshare:latest - restart: always - env_file: .env - ports: - - 127.0.0.1:{{ ports['fireshare'] }}:80 - volumes: - - {{ volumes['fireshare_datadir'] }}:/data - - {{ volumes['fireshare_processeddir'] }}:/processed - - {{ volumes['fireshare_videosdir'] }}:/videos diff --git a/roles/fstab/tasks/main.yml b/roles/fstab/tasks/main.yml deleted file mode 100644 index 6196969..0000000 --- a/roles/fstab/tasks/main.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: - become: true - block: - - name: Install package cifs-utils - apt: - name: cifs-utils - - - name: "Template {{ fstab_cifs_credentials_filename }} to /etc/{{ fstab_cifs_credentials_filename }}" - template: - src: "{{ fstab_cifs_credentials_filename }}" - dest: "/etc/{{ fstab_cifs_credentials_filename }}" - owner: root - group: root - mode: '600' - register: fstab_template_cifs_credentials_result - - - name: Mount/Remount CIFS devices & edit fstab accordingly - mount: - state: mounted - src: "{{ item.value.src }}" - path: "{{ item.value.path }}" - fstype: smb3 - opts: "uid={{ item.value.uid }},gid={{ item.value.gid }},file_mode=0{{ item.value.file_mode }},dir_mode=0{{ item.value.dir_mode }},credentials=/etc/{{ fstab_cifs_credentials_filename }},iocharset=utf8,rw,mfsymlinks,vers=3,seal" - loop: "{{ cifs_mounts | dict2items }}" diff --git a/roles/fstab/templates/storagebox-cifs-credentials.txt b/roles/fstab/templates/storagebox-cifs-credentials.txt deleted file mode 100644 index 1d26e82..0000000 --- a/roles/fstab/templates/storagebox-cifs-credentials.txt +++ /dev/null @@ -1,2 +0,0 @@ -username={{ cifs_credentials['username'] }} -password={{ cifs_credentials['password'] }} diff --git a/roles/fstab/vars/main.yml b/roles/fstab/vars/main.yml deleted file mode 100644 index 5560290..0000000 --- a/roles/fstab/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ -fstab_cifs_credentials_filename: storagebox-cifs-credentials.txt diff --git a/roles/hedgedoc/tasks/backup.yml b/roles/hedgedoc/tasks/backup.yml deleted file mode 100644 index 1b86794..0000000 --- a/roles/hedgedoc/tasks/backup.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: "Backup PostgreSQL hedgedoc database & {{ volumes['hedgedoc_uploadsdir'] }} directory" - shell: > - docker exec postgres - pg_dump -c {{ role_name }} | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - "{{ volumes['hedgedoc_uploadsdir'] }}" - - - --stdin-name dump_{{ role_name }}.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/hedgedoc/tasks/main.yml b/roles/hedgedoc/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/hedgedoc/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/hedgedoc/tasks/setup.yml b/roles/hedgedoc/tasks/setup.yml deleted file mode 100644 index 774571a..0000000 --- a/roles/hedgedoc/tasks/setup.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & .env to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '600' - loop: - - docker-compose.yaml - - .env - -- name: "Create (if not exists) directory {{ volumes['hedgedoc_uploadsdir'] }} & set permissions" - file: - path: "{{ volumes['hedgedoc_uploadsdir'] }}" - state: directory - owner: "{{ users['hedgedoc'] + uid_shift }}" - group: "{{ users['hedgedoc'] + uid_shift }}" - mode: '700' - become: true diff --git a/roles/hedgedoc/tasks/update.yml b/roles/hedgedoc/tasks/update.yml deleted file mode 100644 index c9e26e8..0000000 --- a/roles/hedgedoc/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: hedgedoc_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - hedgedoc_pulled_images: "{{ hedgedoc_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ hedgedoc_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and hedgedoc_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/hedgedoc/templates/.env b/roles/hedgedoc/templates/.env deleted file mode 100644 index c840db7..0000000 --- a/roles/hedgedoc/templates/.env +++ /dev/null @@ -1,20 +0,0 @@ -CMD_DB_DIALECT=postgres -CMD_DB_HOST='postgres.{{ domain }}' -CMD_DB_DATABASE=hedgedoc -CMD_DB_USERNAME='{{ hedgedoc_secrets["postgres_user"] }}' -CMD_DB_PASSWORD='{{ hedgedoc_secrets["postgres_password"] }}' -CMD_DOMAIN='hedgedoc.{{ domain }}' -CMD_PROTOCOL_USESSL=true -CMD_SESSION_SECRET='{{ hedgedoc_secrets["session_secret"] }}' -CMD_EMAIL=false - -CMD_OAUTH2_PROVIDERNAME=Keycloak -CMD_OAUTH2_CLIENT_ID='{{ hedgedoc_secrets["client_id"] }}' -CMD_OAUTH2_CLIENT_SECRET='{{ hedgedoc_secrets["client_secret"] }}' -CMD_OAUTH2_AUTHORIZATION_URL=https://kc.{{ domain }}/realms/master/protocol/openid-connect/auth -CMD_OAUTH2_TOKEN_URL=https://kc.{{ domain }}/realms/master/protocol/openid-connect/token -CMD_OAUTH2_USER_PROFILE_URL=https://kc.{{ domain }}/realms/master/protocol/openid-connect/userinfo -CMD_OAUTH2_SCOPE=openid email profile -CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username -CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name -CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email diff --git a/roles/hedgedoc/templates/docker-compose.yaml b/roles/hedgedoc/templates/docker-compose.yaml deleted file mode 100644 index b181b2d..0000000 --- a/roles/hedgedoc/templates/docker-compose.yaml +++ /dev/null @@ -1,11 +0,0 @@ -services: - hedgedoc: - container_name: hedgedoc - image: quay.io/hedgedoc/hedgedoc:1.10.0-alpine - restart: always - user: {{ users['hedgedoc'] }}:{{ users['hedgedoc'] }} - env_file: .env - ports: - - 127.0.0.1:{{ ports['hedgedoc'] }}:3000 - volumes: - - {{ volumes['hedgedoc_uploadsdir'] }}:/hedgedoc/public/uploads diff --git a/roles/homepage/tasks/main.yml b/roles/homepage/tasks/main.yml deleted file mode 100644 index 2b65be3..0000000 --- a/roles/homepage/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/homepage/tasks/setup.yml b/roles/homepage/tasks/setup.yml deleted file mode 100644 index 5f60a7a..0000000 --- a/roles/homepage/tasks/setup.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & services.toml to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '644' - loop: - - docker-compose.yaml - - services.toml diff --git a/roles/homepage/tasks/update.yml b/roles/homepage/tasks/update.yml deleted file mode 100644 index 00c458a..0000000 --- a/roles/homepage/tasks/update.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: homepage_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - homepage_pulled_images: "{{ homepage_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ homepage_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/homepage/templates/docker-compose.yaml b/roles/homepage/templates/docker-compose.yaml deleted file mode 100644 index e838273..0000000 --- a/roles/homepage/templates/docker-compose.yaml +++ /dev/null @@ -1,10 +0,0 @@ -services: - homepage: - container_name: homepage - image: git.ahur.ac/viyurz/homepage:latest - restart: always - user: {{ users['homepage'] }}:{{ users['homepage'] }} - ports: - - 127.0.0.1:{{ ports['homepage'] }}:8686 - volumes: - - ./services.toml:/etc/homepage/services.toml:ro diff --git a/roles/homepage/templates/services.toml b/roles/homepage/templates/services.toml deleted file mode 100644 index 9929ecc..0000000 --- a/roles/homepage/templates/services.toml +++ /dev/null @@ -1,56 +0,0 @@ -[[services]] -name = "Element" -description = "Web client of Element, an instant messaging client implementing the Matrix protocol." -domain = "element.viyurz.fr" -language = "TypeScript" -repository_url = "https://github.com/element-hq/element-web" - -[[services]] -name = "EteBase" -description = "Server for EteSync, an end-to-end encrypted contacts, calendars, tasks and notes provider." -domain = "etebase.viyurz.fr" -language = "Python" -repository_url = "https://github.com/etesync/server" - -[[services]] -name = "HedgeDoc" -description = "A real-time collaborative markdown editor." -domain = "hedgedoc.viyurz.fr" -language = "TypeScript" -repository_url = "https://github.com/hedgedoc/hedgedoc" - -[[services]] -name = "Matrix" -description = "Synapse homeserver implemeting the Matrix protocol, an open standard for real-time communication supporting encryption and VoIP." -domain = "matrix.viyurz.fr" -language = "Python" -repository_url = "https://github.com/element-hq/synapse" - -[[services]] -name = "SearXNG" -description = "A privacy-respecting, hackable metasearch engine." -domain = "searx.viyurz.fr" -language = "Python" -repository_url = "https://github.com/searxng/searxng" - -[[services]] -name = "Stalwart Mail Server" -description = "Secure & Modern All-in-One Mail Server (IMAP, JMAP, SMTP)." -domain = "mail.viyurz.fr" -language = "Rust" -repository_url = "https://github.com/stalwartlabs/mail-server" - -[[services]] -name = "Stump" -description = "A comics, manga and digital book server with OPDS support." -domain = "stump.viyurz.fr" -language = "Rust / TypeScript" -repository_url = "https://github.com/stumpapp/stump" - -[[services]] -name = "Vaultwarden" -description = "Rust rewrite of the Bitwarden server, a password management service." -domain = "vw.viyurz.fr" -language = "Rust" -repository_url = "https://github.com/dani-garcia/vaultwarden" - diff --git a/roles/include-vars/tasks/main.yml b/roles/include-vars/tasks/main.yml deleted file mode 100644 index d8860ef..0000000 --- a/roles/include-vars/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -- name: Include vars from env.yml file - include_vars: - file: "{{ playbook_dir }}/../env.yml" - -- name: Include secrets from secrets.yml file - include_vars: - file: "{{ playbook_dir }}/../secrets.yml" - when: include_secrets | default(true) | bool diff --git a/roles/keycloak/tasks/backup.yml b/roles/keycloak/tasks/backup.yml deleted file mode 100644 index 02fe380..0000000 --- a/roles/keycloak/tasks/backup.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: "Backup PostgreSQL keycloak database" - shell: > - docker exec postgres - pg_dump -c {{ role_name }} | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - - - --stdin-name dump_{{ role_name }}.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/keycloak/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/keycloak/tasks/setup.yml b/roles/keycloak/tasks/setup.yml deleted file mode 100644 index 3d3eea0..0000000 --- a/roles/keycloak/tasks/setup.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template Dockerfile, docker-compose.yaml & .env to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - Dockerfile - - docker-compose.yaml - - .env diff --git a/roles/keycloak/tasks/update.yml b/roles/keycloak/tasks/update.yml deleted file mode 100644 index b3c09ac..0000000 --- a/roles/keycloak/tasks/update.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - build: true - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: keycloak_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - keycloak_pulled_images: "{{ keycloak_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ keycloak_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and keycloak_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/keycloak/templates/.env b/roles/keycloak/templates/.env deleted file mode 100644 index 22c8339..0000000 --- a/roles/keycloak/templates/.env +++ /dev/null @@ -1,12 +0,0 @@ -QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true - -#KEYCLOAK_ADMIN= -#KEYCLOAK_ADMIN_PASSWORD= - -KC_DB_URL_HOST=postgres.{{ domain }} -KC_DB_URL_DATABASE=keycloak -KC_DB_USERNAME={{ keycloak_secrets['postgres_user'] }} -KC_DB_PASSWORD='{{ keycloak_secrets["postgres_password"] }}' - -KC_PROXY_HEADERS=xforwarded -KC_HOSTNAME=https://kc.{{ domain }} diff --git a/roles/keycloak/templates/Dockerfile b/roles/keycloak/templates/Dockerfile deleted file mode 100644 index a0f415d..0000000 --- a/roles/keycloak/templates/Dockerfile +++ /dev/null @@ -1,15 +0,0 @@ -FROM quay.io/keycloak/keycloak:25.0 as builder - -ENV KC_DB=postgres - -WORKDIR /opt/keycloak - -RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=IP:127.0.0.1" -keystore conf/server.keystore -RUN /opt/keycloak/bin/kc.sh build - - -FROM quay.io/keycloak/keycloak:25.0 -COPY --from=builder /opt/keycloak/ /opt/keycloak/ - -ENTRYPOINT ["/opt/keycloak/bin/kc.sh"] -CMD ["start", "--optimized"] diff --git a/roles/keycloak/templates/docker-compose.yaml b/roles/keycloak/templates/docker-compose.yaml deleted file mode 100644 index e4d12a9..0000000 --- a/roles/keycloak/templates/docker-compose.yaml +++ /dev/null @@ -1,9 +0,0 @@ -services: - keycloak: - container_name: keycloak - build: . - restart: always - user: {{ users['keycloak'] }}:{{ users['keycloak'] }} - env_file: .env - ports: - - 127.0.0.1:{{ ports['keycloak'] }}:8443 diff --git a/roles/mailserver/tasks/backup.yml b/roles/mailserver/tasks/backup.yml deleted file mode 100644 index ff60101..0000000 --- a/roles/mailserver/tasks/backup.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: "Backup PostgreSQL stalwart database & {{ volumes['mailserver_datadir'] }}/etc/config.toml" - shell: > - docker exec postgres - pg_dump -c {{ role_name }} | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - "{{ volumes['mailserver_datadir'] }}/etc/config.toml" - - - --stdin-name dump_{{ role_name }}.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/mailserver/tasks/main.yml b/roles/mailserver/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/mailserver/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/mailserver/tasks/setup.yml b/roles/mailserver/tasks/setup.yml deleted file mode 100644 index c5dd9ee..0000000 --- a/roles/mailserver/tasks/setup.yml +++ /dev/null @@ -1,60 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '660' - loop: - - docker-compose.yaml - become: true - -- name: "Create (if not exists) directory {{ volumes['mailserver_datadir'] }} & set permissions" - file: - path: "{{ volumes['mailserver_datadir'] }}" - state: directory - owner: "{{ users['mailserver'] + uid_shift }}" - group: "{{ users['mailserver'] + uid_shift }}" - mode: '700' - become: true - -- name: Set limited permissions on certificate directories - file: - path: "/etc/{{ item }}" - state: directory - owner: root - group: root - mode: '751' - become: true - loop: - - letsencrypt - - letsencrypt/live - - letsencrypt/archive - -- name: Set limited permissions on certificate directories - file: - path: "/etc/letsencrypt/{{ item }}/mail.{{ domain }}" - state: directory - owner: root - group: "{{ host_uid }}" - mode: '550' - become: true - loop: - - live - - archive - -- name: Set limited permissions on certificate key file - file: - path: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem" - owner: root - group: "{{ users['mailserver'] + uid_shift }}" - mode: '640' - become: true diff --git a/roles/mailserver/tasks/update.yml b/roles/mailserver/tasks/update.yml deleted file mode 100644 index 274092c..0000000 --- a/roles/mailserver/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: mailserver_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - mailserver_pulled_images: "{{ mailserver_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ mailserver_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and mailserver_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/mailserver/templates/docker-compose.yaml b/roles/mailserver/templates/docker-compose.yaml deleted file mode 100644 index d7deb2d..0000000 --- a/roles/mailserver/templates/docker-compose.yaml +++ /dev/null @@ -1,15 +0,0 @@ -services: - mailserver: - container_name: mailserver - image: docker.io/stalwartlabs/mail-server:v0.10.2 - restart: always - user: "{{ users['mailserver'] }}:{{ users['mailserver'] }}" - ports: - - "{{ ports['mailserver_smtp'] }}:25" - - {{ ports['mailserver_smtps'] }}:465 - - {{ ports['mailserver_imaps'] }}:993 - - {{ ports['mailserver_https'] }}:443 - volumes: - - {{ volumes['mailserver_tls_certificate_file'] }}:/etc/fullchain.pem:ro - - {{ volumes['mailserver_tls_certificate_key_file'] }}:/etc/privkey.pem:ro - - {{ volumes['mailserver_datadir'] }}:/opt/stalwart-mail diff --git a/roles/minecraft/tasks/backup.yml b/roles/minecraft/tasks/backup.yml deleted file mode 100644 index f64a876..0000000 --- a/roles/minecraft/tasks/backup.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: "Backup PostgreSQL vaultwarden database" - shell: > - docker exec postgres - pg_dump -c {{ role_name }} | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - - - --stdin-name dump_{{ role_name }}.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/minecraft/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/minecraft/tasks/setup.yml b/roles/minecraft/tasks/setup.yml deleted file mode 100644 index a23aeb1..0000000 --- a/roles/minecraft/tasks/setup.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & .env to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - - .env - -- name: "Create (if not exists) directory {{ volumes['vaultwarden_datadir'] }} & set permissions" - file: - path: "{{ volumes['vaultwarden_datadir'] }}" - state: directory - recurse: true - owner: "{{ users['vaultwarden'] + uid_shift }}" - group: "{{ users['vaultwarden'] + uid_shift }}" - mode: '770' - become: true diff --git a/roles/minecraft/tasks/update.yml b/roles/minecraft/tasks/update.yml deleted file mode 100644 index 6718f77..0000000 --- a/roles/minecraft/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: vaultwarden_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - vaultwarden_pulled_images: "{{ vaultwarden_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ vaultwarden_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and vaultwarden_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/minecraft/templates/.env b/roles/minecraft/templates/.env deleted file mode 100644 index 1224388..0000000 --- a/roles/minecraft/templates/.env +++ /dev/null @@ -1,12 +0,0 @@ -ADMIN_TOKEN='{{ vaultwarden_secrets["admin_token_hash"] }}' -DOMAIN=https://vw.{{ domain }} -SIGNUPS_ALLOWED=false - -DATABASE_URL=postgresql://{{ vaultwarden_secrets['postgres_user'] }}:{{ vaultwarden_secrets['postgres_password'] }}@postgres.{{ domain }}:{{ ports['postgres'] }}/vaultwarden - -SMTP_HOST=mail.{{ domain }} -SMTP_FROM=vaultwarden@{{ domain }} -SMTP_PORT={{ ports['mailserver_smtps'] }} -SMTP_SECURITY=force_tls -SMTP_USERNAME='{{ vaultwarden_secrets["smtp_username"] }}' -SMTP_PASSWORD='{{ vaultwarden_secrets["smtp_password"] }}' diff --git a/roles/minecraft/templates/docker-compose.yaml b/roles/minecraft/templates/docker-compose.yaml deleted file mode 100644 index 64e8557..0000000 --- a/roles/minecraft/templates/docker-compose.yaml +++ /dev/null @@ -1,32 +0,0 @@ -services: - minecraft: - container_name: minecraft - image: docker.io/itzg/minecraft-server:latest - restart: always - deploy: - resources: - limits: - cpus: '0.8' - environment: - UID: 1011 - GID: 1011 - VERSION: 1.21.1 - EULA: "TRUE" - MEMORY: 1.25G - ENABLE_COMMAND_BLOCK: "true" - MOTD: "Fjeaj" - OPS: | - Viyurz - TYPE: FABRIC - MODS: | - https://cdn.modrinth.com/data/gvQqBUqZ/versions/5szYtenV/lithium-fabric-mc1.21.1-0.13.0.jar - https://cdn.modrinth.com/data/uXXizFIs/versions/wmIZ4wP4/ferritecore-7.0.0-fabric.jar - ports: - - "3690:25565" - - "25565:25565" - volumes: - - minecraft:/data - -volumes: - minecraft: - name: minecraft diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml deleted file mode 100644 index db4735b..0000000 --- a/roles/nftables/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: - become: true - block: - - name: Install package nftables - apt: - name: nftables - - - name: Template nftables.conf to /etc/nftables.conf - template: - src: nftables.conf - dest: /etc/nftables.conf - owner: root - group: root - mode: '755' - register: nftables_template_conf_result - - - name: Restart nftables service - service: - name: nftables - state: restarted - enabled: true - when: nftables_template_conf_result['changed'] diff --git a/roles/nftables/templates/nftables.conf b/roles/nftables/templates/nftables.conf deleted file mode 100755 index 0813621..0000000 --- a/roles/nftables/templates/nftables.conf +++ /dev/null @@ -1,88 +0,0 @@ -#!/usr/sbin/nft -f - -flush ruleset - -table inet nat { - chain prerouting { - type nat hook prerouting priority dstnat; - iif eth0 tcp dport {{ ports['syncthing_relaysrv'] }} redirect to :22067 - iif eth0 tcp dport 25 redirect to :{{ ports['mailserver_smtp'] }} - iif eth0 tcp dport 465 redirect to :{{ ports['mailserver_smtps'] }} - iif eth0 tcp dport 993 redirect to :{{ ports['mailserver_imaps'] }} - } -} - -table inet filter { - set blackhole_ipv4 { - type ipv4_addr - timeout 30s - flags dynamic - } - - set blackhole_ipv6 { - type ipv6_addr - timeout 30s - flags dynamic - } - - chain input { - type filter hook input priority 0; policy drop; - - iif lo accept - - # Block all IPs in blackhole - ip saddr @blackhole_ipv4 set update ip saddr @blackhole_ipv4 drop - ip6 saddr @blackhole_ipv6 set update ip6 saddr @blackhole_ipv6 drop - - ct state invalid drop - ct state { established, related } accept - - # Prevent DDoS - # Rate limiting - meta nfproto ipv4 meter ratelimit4 \ - { ip saddr limit rate over 75/second burst 15 packets } \ - add @blackhole_ipv4 { ip saddr } counter - meta nfproto ipv6 meter ratelimit6 \ - { ip6 saddr limit rate over 75/second burst 15 packets } \ - add @blackhole_ipv6 { ip6 saddr } counter - # Max concurrent connections - meta nfproto ipv4 meter connlimit4 \ - { ip saddr ct count over 100 } add @blackhole_ipv4 { ip saddr } counter - meta nfproto ipv6 meter connlimit6 \ - { ip6 saddr ct count over 100 } add @blackhole_ipv6 { ip6 saddr } counter - - # Allow ICMP - meta l4proto icmp accept - meta l4proto ipv6-icmp accept - - # HTTP/S - tcp dport { http, https } accept - - # SSH - tcp dport ssh accept - - # SMTP/IMAP - tcp dport { {{ ports['mailserver_smtp'] }}, {{ ports['mailserver_smtps'] }}, {{ ports['mailserver_imaps'] }} } accept - - # Syncthing - tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } accept - udp dport {{ ports['syncthing_udp'] }} accept - - # Coturn - tcp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }} } accept - udp dport { {{ ports['coturn_listening'] }}, {{ ports['coturn_tls_listening'] }}, {{ ports['coturn_relay_min'] }}-{{ ports['coturn_relay_max'] }} } accept - - } - - chain forward { - type filter hook forward priority 0; policy accept; - } - - chain output { - type filter hook output priority 0; policy accept; - - # Don't waste resources responding to blocked IPs - ip daddr @blackhole_ipv4 reject - ip6 daddr @blackhole_ipv6 reject - } -} diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml deleted file mode 100644 index e6b3f95..0000000 --- a/roles/nginx/tasks/main.yml +++ /dev/null @@ -1,60 +0,0 @@ -- name: - become: true - block: - - name: Install package nginx - apt: - name: nginx - - - name: Delete directories in /etc/nginx/ - file: - path: "/etc/nginx/{{ item }}" - state: absent - loop: - - sites-enabled - - snippets - - - name: Create directories in /etc/nginx/ - file: - path: "/etc/nginx/{{ item }}" - state: directory - loop: - - sites-enabled - - snippets - - - name: Template configuration files to /etc/nginx/ - template: - src: "{{ item.src }}" - dest: "/etc/nginx/{{ item.path }}" - owner: root - group: root - mode: '644' - with_filetree: ../templates/ - when: item.state == 'file' - - - name: Get state of file /etc/nginx/dhparam.txt - stat: - path: /etc/nginx/dhparam.txt - register: nginx_stat_dhparam_result - - - name: Download dhparam file from Mozilla - get_url: - url: https://ssl-config.mozilla.org/ffdhe2048.txt - dest: /etc/nginx/dhparam.txt - when: not nginx_stat_dhparam_result.stat.exists - - - name: Set correct permissions on certificate directories - file: - path: "/etc/letsencrypt/{{ item }}/{{ domain }}" - state: directory - owner: root - group: root - mode: '750' - loop: - - live - - archive - - - name: Start/Reload NGINX service - service: - name: nginx - state: reloaded - enabled: yes diff --git a/roles/nginx/templates/nginx.conf b/roles/nginx/templates/nginx.conf deleted file mode 100644 index 6db0562..0000000 --- a/roles/nginx/templates/nginx.conf +++ /dev/null @@ -1,38 +0,0 @@ -user www-data; -worker_processes auto; -worker_rlimit_nofile 1024; -include /etc/nginx/modules-enabled/*.conf; - -events { - worker_connections 512; - multi_accept off; -} - -http { - sendfile on; - tcp_nopush on; - tcp_nodelay on; - - gzip off; - server_tokens off; - keepalive_timeout 30; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - include /etc/nginx/mime.types; - - # Needed to support websocket connections - map $http_upgrade $connection_upgrade { - default upgrade; - '' ""; - } - - include /etc/nginx/conf.d/*.conf; - - include /etc/nginx/snippets/proxy.conf; - include /etc/nginx/snippets/ssl.conf; - include /etc/nginx/snippets/ssl-headers.conf; - - include /etc/nginx/sites-enabled/*; -} diff --git a/roles/nginx/templates/sites-enabled/clips.conf b/roles/nginx/templates/sites-enabled/clips.conf deleted file mode 100644 index 1804ef5..0000000 --- a/roles/nginx/templates/sites-enabled/clips.conf +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name clips.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['fireshare'] }}; - - client_max_body_size 500M; - } -} diff --git a/roles/nginx/templates/sites-enabled/default.conf b/roles/nginx/templates/sites-enabled/default.conf deleted file mode 100644 index ed2ea4b..0000000 --- a/roles/nginx/templates/sites-enabled/default.conf +++ /dev/null @@ -1,15 +0,0 @@ -# Redirect HTTP to HTTPS -server { - listen 80 default_server; - listen [::]:80 default_server; - - return 308 https://$host$request_uri; -} - -# Default HTTPS server -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - - return 404; -} diff --git a/roles/nginx/templates/sites-enabled/downloads.conf b/roles/nginx/templates/sites-enabled/downloads.conf deleted file mode 100644 index 62cccfb..0000000 --- a/roles/nginx/templates/sites-enabled/downloads.conf +++ /dev/null @@ -1,9 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name dl.{{ domain }}; - - root /var/www/html; - autoindex on; -} diff --git a/roles/nginx/templates/sites-enabled/etebase.conf b/roles/nginx/templates/sites-enabled/etebase.conf deleted file mode 100644 index f73ee6c..0000000 --- a/roles/nginx/templates/sites-enabled/etebase.conf +++ /dev/null @@ -1,10 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name etebase.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['etebase'] }}; - } -} diff --git a/roles/nginx/templates/sites-enabled/hedgedoc.conf b/roles/nginx/templates/sites-enabled/hedgedoc.conf deleted file mode 100644 index 97dadc7..0000000 --- a/roles/nginx/templates/sites-enabled/hedgedoc.conf +++ /dev/null @@ -1,17 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name hedgedoc.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }}; - } - - location /socket.io/ { - proxy_pass http://127.0.0.1:{{ ports['hedgedoc'] }}; - - include /etc/nginx/snippets/websocket.conf; - include /etc/nginx/snippets/proxy.conf; - } -} diff --git a/roles/nginx/templates/sites-enabled/homepage.conf b/roles/nginx/templates/sites-enabled/homepage.conf deleted file mode 100644 index c9dc4de..0000000 --- a/roles/nginx/templates/sites-enabled/homepage.conf +++ /dev/null @@ -1,25 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name {{ domain }}; - - location = /.well-known/matrix/server { - default_type application/json; - - return 200 '{ "m.server": "matrix.{{ domain }}:443" }'; - } - - location = /.well-known/matrix/client { - default_type application/json; - - include /etc/nginx/snippets/ssl-headers.conf; - add_header Access-Control-Allow-Origin '*'; - - return 200 '{ "m.homeserver": { "base_url": "https://matrix.{{ domain }}" } }'; - } - - location / { - proxy_pass http://127.0.0.1:{{ ports['homepage'] }}; - } -} diff --git a/roles/nginx/templates/sites-enabled/keycloak.conf b/roles/nginx/templates/sites-enabled/keycloak.conf deleted file mode 100644 index 764444c..0000000 --- a/roles/nginx/templates/sites-enabled/keycloak.conf +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name kc.{{ domain }}; - - location / { - proxy_pass https://127.0.0.1:{{ ports['keycloak'] }}; - - #include /etc/nginx/snippets/websocket.conf; - #include /etc/nginx/snippets/proxy.conf; - } -} diff --git a/roles/nginx/templates/sites-enabled/mail.conf b/roles/nginx/templates/sites-enabled/mail.conf deleted file mode 100644 index 3705e1b..0000000 --- a/roles/nginx/templates/sites-enabled/mail.conf +++ /dev/null @@ -1,43 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name mail.{{ domain }}; - - location / { - proxy_pass https://127.0.0.1:{{ ports['mailserver_https'] }}; - - include /etc/nginx/snippets/websocket.conf; - include /etc/nginx/snippets/proxy.conf; - } -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name autoconfig.{{ domain }}; - - location / { - return 404; - } - - location = /mail/config-v1.1.xml { - proxy_pass https://127.0.0.1:{{ ports['mailserver_https'] }}; - } -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name mta-sts.{{ domain }}; - - location / { - return 404; - } - - location = /.well-known/mta-sts.txt { - proxy_pass https://127.0.0.1:{{ ports['mailserver_https'] }}; - } -} diff --git a/roles/nginx/templates/sites-enabled/searxng.conf b/roles/nginx/templates/sites-enabled/searxng.conf deleted file mode 100644 index 5457114..0000000 --- a/roles/nginx/templates/sites-enabled/searxng.conf +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name searx.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['searxng'] }}; - - include /etc/nginx/snippets/ssl-headers.conf; - add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"; - } -} diff --git a/roles/nginx/templates/sites-enabled/sex.conf b/roles/nginx/templates/sites-enabled/sex.conf deleted file mode 100644 index 7e63678..0000000 --- a/roles/nginx/templates/sites-enabled/sex.conf +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name sex.{{ domain }}; - - root /var/www/sex; - - location / { - random_index on; - } -} diff --git a/roles/nginx/templates/sites-enabled/stump.conf b/roles/nginx/templates/sites-enabled/stump.conf deleted file mode 100644 index 2fac2b6..0000000 --- a/roles/nginx/templates/sites-enabled/stump.conf +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name stump.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['stump'] }}; - - include /etc/nginx/snippets/websocket.conf; - include /etc/nginx/snippets/proxy.conf; - } -} diff --git a/roles/nginx/templates/sites-enabled/synapse.conf b/roles/nginx/templates/sites-enabled/synapse.conf deleted file mode 100644 index ea84c24..0000000 --- a/roles/nginx/templates/sites-enabled/synapse.conf +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name matrix.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['synapse'] }}; - - client_max_body_size {{ synapse['max_upload_size'] }}; - } -} diff --git a/roles/nginx/templates/sites-enabled/syncthing-discovery.conf b/roles/nginx/templates/sites-enabled/syncthing-discovery.conf deleted file mode 100644 index 72b4411..0000000 --- a/roles/nginx/templates/sites-enabled/syncthing-discovery.conf +++ /dev/null @@ -1,17 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name stdisco.{{ domain }}; - - ssl_verify_client optional_no_ca; - - location / { - proxy_pass http://127.0.0.1:{{ ports['syncthing_discosrv'] }}; - - proxy_set_header X-Client-Port $remote_port; - proxy_set_header X-SSL-Cert $ssl_client_cert; - include /etc/nginx/snippets/websocket.conf; - include /etc/nginx/snippets/proxy.conf; - } -} diff --git a/roles/nginx/templates/sites-enabled/uptime-kuma.conf b/roles/nginx/templates/sites-enabled/uptime-kuma.conf deleted file mode 100644 index cab3a17..0000000 --- a/roles/nginx/templates/sites-enabled/uptime-kuma.conf +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name status.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['uptime_kuma'] }}; - - include /etc/nginx/snippets/websocket.conf; - include /etc/nginx/snippets/proxy.conf; - } -} diff --git a/roles/nginx/templates/sites-enabled/vaultwarden.conf b/roles/nginx/templates/sites-enabled/vaultwarden.conf deleted file mode 100644 index 8c422fd..0000000 --- a/roles/nginx/templates/sites-enabled/vaultwarden.conf +++ /dev/null @@ -1,19 +0,0 @@ -upstream vaultwarden { - zone vaultwarden 64k; - server 127.0.0.1:{{ ports['vaultwarden'] }}; - keepalive 2; -} - -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name vw.{{ domain }}; - - location / { - proxy_pass http://vaultwarden; - - include /etc/nginx/snippets/websocket.conf; - include /etc/nginx/snippets/proxy.conf; - } -} diff --git a/roles/nginx/templates/snippets/proxy.conf b/roles/nginx/templates/snippets/proxy.conf deleted file mode 100644 index e54c7ed..0000000 --- a/roles/nginx/templates/snippets/proxy.conf +++ /dev/null @@ -1,10 +0,0 @@ -proxy_http_version 1.1; -proxy_set_header Host $host; -proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Host $http_host; -proxy_set_header X-Forwarded-Port $server_port; -proxy_set_header X-Forwarded-Proto $scheme; -proxy_set_header X-Forwarded-Scheme $scheme; -proxy_set_header X-Forwarded-URI $request_uri; -proxy_set_header X-Original-URL $scheme://$http_host$request_uri; -proxy_set_header X-Real-IP $remote_addr; diff --git a/roles/nginx/templates/snippets/ssl-headers.conf b/roles/nginx/templates/snippets/ssl-headers.conf deleted file mode 100644 index a84a1ba..0000000 --- a/roles/nginx/templates/snippets/ssl-headers.conf +++ /dev/null @@ -1,3 +0,0 @@ -add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; -# add_header X-Robots-Tag "noindex, nofollow" always; -add_header Set-Cookie "Path=/; HttpOnly; Secure"; diff --git a/roles/nginx/templates/snippets/ssl.conf b/roles/nginx/templates/snippets/ssl.conf deleted file mode 100644 index bf890d1..0000000 --- a/roles/nginx/templates/snippets/ssl.conf +++ /dev/null @@ -1,18 +0,0 @@ -ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem; -ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem; - -ssl_protocols TLSv1.2 TLSv1.3; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; - -# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam -ssl_dhparam /etc/nginx/dhparam.txt; - -ssl_prefer_server_ciphers on; - -ssl_session_timeout 1d; -ssl_session_cache shared:MozSSL:10m; -ssl_session_tickets off; - -ssl_stapling on; -ssl_stapling_verify on; diff --git a/roles/nginx/templates/snippets/websocket.conf b/roles/nginx/templates/snippets/websocket.conf deleted file mode 100644 index f75eb91..0000000 --- a/roles/nginx/templates/snippets/websocket.conf +++ /dev/null @@ -1,2 +0,0 @@ -proxy_set_header Upgrade $http_upgrade; -proxy_set_header Connection $connection_upgrade; diff --git a/roles/postgres/tasks/backup.yml b/roles/postgres/tasks/backup.yml deleted file mode 100644 index dc9e37b..0000000 --- a/roles/postgres/tasks/backup.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Create borg backup from PostgreSQL dumpall - shell: > - docker exec postgres - pg_dumpall | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - - - --stdin-name dumpall.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/postgres/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/postgres/tasks/setup.yml b/roles/postgres/tasks/setup.yml deleted file mode 100644 index 7852868..0000000 --- a/roles/postgres/tasks/setup.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: "Create (if not exists) directory {{ volumes['postgres_datadir'] }} & set permissions" - file: - path: "{{ volumes['postgres_datadir'] }}" - state: directory - owner: "{{ users['postgres'] + uid_shift }}" - group: "{{ users['postgres'] + uid_shift }}" - mode: '700' - become: true - -- name: "Check if directory {{ volumes['postgres_datadir'] }} is empty" - find: - paths: "{{ volumes['postgres_datadir'] }}" - register: postgres_find_datadir_result - become: true - -- name: Template docker-compose.yaml & .env to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '600' - loop: - - docker-compose.yaml - - .env diff --git a/roles/postgres/tasks/update.yml b/roles/postgres/tasks/update.yml deleted file mode 100644 index 1b86e81..0000000 --- a/roles/postgres/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: postgres_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - postgres_pulled_images: "{{ postgres_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ postgres_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and postgres_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/postgres/templates/.env b/roles/postgres/templates/.env deleted file mode 100644 index 5c8ad89..0000000 --- a/roles/postgres/templates/.env +++ /dev/null @@ -1,6 +0,0 @@ -# After initial setup, set to empty string to hide password -POSTGRES_PASSWORD='{{ (postgres_find_datadir_result.matched == 0) | ternary(lookup("community.general.random_string", special=false, length=64), "") }}' -# Required for Synapse -LANG=C -POSTGRES_INITDB_ARGS="--locale=C --encoding=UTF8" - diff --git a/roles/postgres/templates/docker-compose.yaml b/roles/postgres/templates/docker-compose.yaml deleted file mode 100644 index a042ac8..0000000 --- a/roles/postgres/templates/docker-compose.yaml +++ /dev/null @@ -1,11 +0,0 @@ -services: - postgres: - container_name: postgres - image: docker.io/library/postgres:16-alpine - restart: always - user: {{ users['postgres'] }}:{{ users['postgres'] }} - env_file: .env - ports: - - {{ ports['postgres'] }}:5432 - volumes: - - {{ volumes['postgres_datadir'] }}:/var/lib/postgresql/data diff --git a/roles/searxng/files/limiter.toml b/roles/searxng/files/limiter.toml deleted file mode 100644 index 1b4be3b..0000000 --- a/roles/searxng/files/limiter.toml +++ /dev/null @@ -1,3 +0,0 @@ -[botdetection.ip_limit] -# activate link_token method in the ip_limit method -link_token = true diff --git a/roles/searxng/files/settings.yml b/roles/searxng/files/settings.yml deleted file mode 100644 index d29e34e..0000000 --- a/roles/searxng/files/settings.yml +++ /dev/null @@ -1,78 +0,0 @@ -use_default_settings: true - -general: - instance_name: "SearXNG" - -search: - autocomplete: "brave" - -server: - limiter: true - image_proxy: true - -redis: - url: redis://searxng-valkey:6379/0 - -ui: - static_use_hash: true - query_in_title: true - -enabled_plugins: - - 'Basic Calculator' - - 'Hash plugin' - - 'Self Information' - - 'Tracker URL remover' - - 'Unit converter plugin' - -engines: - - name: artic - disabled: true - - - name: bing - disabled: false - - - name: bing english - engine: bing - language: en - shortcut: bien - - - name: deviantart - disabled: true - - - name: duckduckgo - disabled: true - - - name: flickr - disabled: true - - - name: google english - engine: google - language: en - shortcut: goen - - - name: library of congress - disabled: true - - - name: openverse - disabled: true - - - name: piped - disabled: true - - - name: sepiasearch - disabled: true - - - name: unsplash - disabled: true - - - name: vimeo - disabled: true - - - name: wikicommons.images - disabled: true - - - name: wikidata - disabled: true - - - name: yahoo news - disabled: true diff --git a/roles/searxng/tasks/main.yml b/roles/searxng/tasks/main.yml deleted file mode 100644 index 2b65be3..0000000 --- a/roles/searxng/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/searxng/tasks/setup.yml b/roles/searxng/tasks/setup.yml deleted file mode 100644 index 10a4c8c..0000000 --- a/roles/searxng/tasks/setup.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml to project directory - template: - src: docker-compose.yaml - dest: "{{ project_dir }}/docker-compose.yaml" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - -- name: Copy settings.yml and limiter.toml to project directory - copy: - src: "{{ role_path }}/files/" - dest: "{{ project_dir }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '644' diff --git a/roles/searxng/tasks/update.yml b/roles/searxng/tasks/update.yml deleted file mode 100644 index f99416b..0000000 --- a/roles/searxng/tasks/update.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: searxng_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - searxng_pulled_images: "{{ searxng_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ searxng_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/searxng/templates/docker-compose.yaml b/roles/searxng/templates/docker-compose.yaml deleted file mode 100644 index eb3c330..0000000 --- a/roles/searxng/templates/docker-compose.yaml +++ /dev/null @@ -1,25 +0,0 @@ -services: - valkey: - container_name: searxng-valkey - image: docker.io/valkey/valkey:7-alpine - restart: always - user: {{ users['searxng_valkey'] }}:{{ users['searxng_valkey'] }} - command: valkey-server --save 30 1 --loglevel warning - volumes: - - valkey:/data - - searxng: - container_name: searxng - image: docker.io/searxng/searxng:latest - restart: always - environment: - - SEARXNG_BASE_URL=https://searx.{{ domain }} - - SEARXNG_SECRET={{ searxng_secrets['searxng_secret'] }} - ports: - - 127.0.0.1:{{ ports['searxng'] }}:8080 - volumes: - - ./settings.yml:/etc/searxng/settings.yml - - ./limiter.toml:/etc/searxng/limiter.toml - -volumes: - valkey: diff --git a/roles/stump/tasks/backup.yml b/roles/stump/tasks/backup.yml deleted file mode 100644 index a3166cb..0000000 --- a/roles/stump/tasks/backup.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: - become: true - block: - - name: Backup SQLite database - command: - cmd: | - sqlite3 - "{{ volumes['stump_configdir'] }}/stump.db" - ".backup {{ volumes['stump_configdir'] }}/stump-backup.db" - - - name: Create borg backup - command: - cmd: | - borg create - --compression=lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - {{ volumes['stump_configdir'] }}/stump-backup.db - {{ volumes['stump_datadir'] }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - - - name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" diff --git a/roles/stump/tasks/main.yml b/roles/stump/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/stump/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/stump/tasks/setup.yml b/roles/stump/tasks/setup.yml deleted file mode 100644 index e07fb28..0000000 --- a/roles/stump/tasks/setup.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - -- name: "Create (if not exists) directories {{ volumes['stump_configdir'] }} and {{ volumes['stump_datadir'] }} & set permissions" - file: - path: "{{ item }}" - state: directory - owner: "{{ users['stump'] + uid_shift }}" - group: "{{ users['stump'] + uid_shift }}" - mode: '700' - recurse: true - become: true - loop: - - "{{ volumes['stump_datadir'] }}" - - "{{ volumes['stump_configdir'] }}" diff --git a/roles/stump/tasks/update.yml b/roles/stump/tasks/update.yml deleted file mode 100644 index 7a1f408..0000000 --- a/roles/stump/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: stump_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - stump_pulled_images: "{{ stump_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ stump_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and stump_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/stump/templates/docker-compose.yaml b/roles/stump/templates/docker-compose.yaml deleted file mode 100644 index 804527f..0000000 --- a/roles/stump/templates/docker-compose.yaml +++ /dev/null @@ -1,13 +0,0 @@ -services: - stump: - container_name: stump - image: aaronleopold/stump:0.0.7 - restart: always - environment: - - PUID={{ users['stump'] }} - - PGID={{ users['stump'] }} - ports: - - 127.0.0.1:{{ ports['stump'] }}:10801 - volumes: - - {{ volumes['stump_configdir'] }}:/config - - {{ volumes['stump_datadir'] }}:/data diff --git a/roles/synapse/tasks/backup.yml b/roles/synapse/tasks/backup.yml deleted file mode 100644 index 2818459..0000000 --- a/roles/synapse/tasks/backup.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: "Backup PostgreSQL synapse database & {{ volumes['synapse_datadir'] }} directory" - shell: > - docker exec postgres - pg_dump -c {{ role_name }} | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - "{{ volumes['synapse_datadir'] }}" - - - --stdin-name dump_{{ role_name }}.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/synapse/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/synapse/tasks/setup.yml b/roles/synapse/tasks/setup.yml deleted file mode 100644 index b79a868..0000000 --- a/roles/synapse/tasks/setup.yml +++ /dev/null @@ -1,34 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & homeserver.yaml to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - - homeserver.yaml - -# Separate task because template module cannot chown/chgrp to a non-existing user/group -- name: "Change group of homeserver.yaml to synapse GID ({{ users['synapse'] + uid_shift }})" - file: - path: "{{ project_dir }}/homeserver.yaml" - group: "{{ users['synapse'] + uid_shift }}" - become: true - -- name: "Create (if not exists) directory {{ volumes['synapse_datadir'] }} & set permissions" - file: - path: "{{ volumes['synapse_datadir'] }}" - state: directory - owner: "{{ users['synapse'] + uid_shift }}" - group: "{{ users['synapse'] + uid_shift }}" - mode: '770' - become: true diff --git a/roles/synapse/tasks/update.yml b/roles/synapse/tasks/update.yml deleted file mode 100644 index 44abf8c..0000000 --- a/roles/synapse/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: synapse_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - synapse_pulled_images: "{{ synapse_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ synapse_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and synapse_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/synapse/templates/docker-compose.yaml b/roles/synapse/templates/docker-compose.yaml deleted file mode 100644 index eb37bd7..0000000 --- a/roles/synapse/templates/docker-compose.yaml +++ /dev/null @@ -1,14 +0,0 @@ -services: - synapse: - container_name: synapse - image: docker.io/matrixdotorg/synapse:latest - restart: always - environment: - UID: {{ users['synapse'] }} - GID: {{ users['synapse'] }} - TZ: {{ timezone }} - ports: - - 127.0.0.1:{{ ports['synapse'] }}:8008 - volumes: - - {{ volumes['synapse_datadir'] }}:/data - - ./homeserver.yaml:/data/homeserver.yaml diff --git a/roles/synapse/templates/homeserver.yaml b/roles/synapse/templates/homeserver.yaml deleted file mode 100644 index 5d95c9e..0000000 --- a/roles/synapse/templates/homeserver.yaml +++ /dev/null @@ -1,127 +0,0 @@ -# For more information on how to configure Synapse, including a complete accounting of -# each option, go to docs/usage/configuration/config_documentation.md or -# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html - - -# Server -server_name: "{{ domain }}" -pid_file: /data/homeserver.pid -public_baseurl: "https://matrix.{{ domain }}" -listeners: - - port: 8008 - tls: false - type: http - x_forwarded: true - resources: - - names: [client, federation] - compress: false -email: - smtp_host: "mail.{{ domain }}" - smtp_port: {{ ports['mailserver_smtps'] }} - smtp_user: "{{ synapse_secrets['smtp_user'] }}" - smtp_pass: '{{ synapse_secrets["smtp_pass"] }}' - force_tls: true - notif_from: "Matrix " - #invite_client_location: "https://element.{{ domain }}" - - -# Homeserver blocking -max_avatar_size: 2M - - -# Database -database: - name: psycopg2 - args: - user: '{{ synapse_secrets["postgres_user"] }}' - password: '{{ synapse_secrets["postgres_password"] }}' - dbname: synapse - host: 'postgres.{{ domain }}' - cp_min: 5 - cp_max: 10 - - -# Logging -log_config: "/data/{{ domain }}.log.config" - - -# Media Store -media_store_path: /data/media_store -# Changer aussi le max_body_size dans le reverse proxy -max_upload_size: {{ synapse['max_upload_size'] }} -media_retention: - remote_media_lifetime: 14d -url_preview_enabled: true -url_preview_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '192.0.0.0/24' - - '169.254.0.0/16' - - '192.88.99.0/24' - - '198.18.0.0/15' - - '192.0.2.0/24' - - '198.51.100.0/24' - - '203.0.113.0/24' - - '224.0.0.0/4' - - '::1/128' - - 'fe80::/10' - - 'fc00::/7' - - '2001:db8::/32' - - 'ff00::/8' - - 'fec0::/10' -url_preview_accept_language: - - 'en' - - 'fr' - - '*;q=0.2' - - -# TURN -turn_uris: ["turns:turn.{{ domain }}?transport=udp", "turns:turn.{{ domain }}?transport=tcp"] -turn_shared_secret: "{{ synapse_secrets['turn_shared_secret'] }}" -turn_user_lifetime: 86400000 -turn_allow_guests: true - - -# Registration -enable_registration: true -registration_requires_token: true - - -# Metrics -report_stats: true - - -# API Configuration -macaroon_secret_key: "{{ synapse_secrets['macaroon_secret_key'] }}" -form_secret: "{{ synapse_secrets['form_secret'] }}" - - -# Signing Keys -signing_key_path: "/data/{{ domain }}.signing.key" -trusted_key_servers: - - server_name: "matrix.org" -suppress_key_server_warning: true - - -# Single sign-on integration -oidc_providers: - - idp_id: keycloak - idp_name: "Keycloak" - issuer: "https://kc.{{ domain }}/realms/master" - client_id: '{{ synapse_secrets["client_id"] }}' - client_secret: '{{ synapse_secrets["client_secret"] }}' - scopes: ["openid", "profile", "email"] - allow_existing_users: true - user_mapping_provider: - config: - subject_claim: "sub" - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" - display_name_template: "{% raw %}{{ user.name }}{% endraw %}" - email_template: "{% raw %}{{ user.email }}{% endraw %}" - backchannel_logout_enabled: true - -password_config: - enabled: false diff --git a/roles/syncthing/tasks/main.yml b/roles/syncthing/tasks/main.yml deleted file mode 100644 index 2b65be3..0000000 --- a/roles/syncthing/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/syncthing/tasks/setup.yml b/roles/syncthing/tasks/setup.yml deleted file mode 100644 index 6a5daaa..0000000 --- a/roles/syncthing/tasks/setup.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml to project directory - template: - src: docker-compose.yaml - dest: "{{ project_dir }}/docker-compose.yaml" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' diff --git a/roles/syncthing/tasks/update.yml b/roles/syncthing/tasks/update.yml deleted file mode 100644 index 775a9d4..0000000 --- a/roles/syncthing/tasks/update.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: syncthing_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - syncthing_pulled_images: "{{ syncthing_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ syncthing_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/syncthing/templates/docker-compose.yaml b/roles/syncthing/templates/docker-compose.yaml deleted file mode 100644 index e52e5e4..0000000 --- a/roles/syncthing/templates/docker-compose.yaml +++ /dev/null @@ -1,53 +0,0 @@ -services: - syncthing: - image: docker.io/syncthing/syncthing:1 - container_name: syncthing - restart: always - user: {{ users['syncthing'] }}:{{ users['syncthing'] }} - environment: - - PUID={{ users['syncthing'] }} - - PGID={{ users['syncthing'] }} - ports: - - 127.0.0.1:{{ ports['syncthing_webui'] }}:8384 # Web UI - - {{ ports['syncthing_tcp'] }}:22000/tcp # TCP file transfers - - {{ ports['syncthing_udp'] }}:22000/udp # QUIC file transfers - volumes: - - {{ volumes['syncthing_datadir'] }}:/var/syncthing - - stdiscosrv: - image: docker.io/syncthing/discosrv:1 - container_name: syncthing-discosrv - restart: always - command: - - "-http" - environment: - - PUID={{ users['syncthing_discosrv'] }} - - PGID={{ users['syncthing_discosrv'] }} - networks: - - discosrv - ports: - - 127.0.0.1:{{ ports['syncthing_discosrv'] }}:8443 - - strelaysrv: - image: docker.io/syncthing/relaysrv:1 - container_name: syncthing-relaysrv - restart: always - command: - - '-ext-address=:{{ ports["syncthing_relaysrv"] }}' - - '-pools=' - environment: - - PUID={{ users['syncthing_relaysrv'] }} - - PGID={{ users['syncthing_relaysrv'] }} - networks: - - relaysrv - ports: - - 22067:22067 - volumes: - - strelaysrv:/var/strelaysrv - -networks: - discosrv: - relaysrv: - -volumes: - strelaysrv: diff --git a/roles/uptime-kuma/tasks/backup.yml b/roles/uptime-kuma/tasks/backup.yml deleted file mode 100644 index a809363..0000000 --- a/roles/uptime-kuma/tasks/backup.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: - become: true - block: - - name: Backup SQLite database - command: - cmd: | - sqlite3 - "{{ volumes['uptime_kuma_datadir'] }}/kuma.db" - ".backup {{ volumes['uptime_kuma_datadir'] }}/kuma-backup.db" - - - name: Create borg backup - command: - cmd: | - borg create - --compression=lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - {{ volumes['uptime_kuma_datadir'] }}/kuma-backup.db - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - - # The kuma-backup.db file is owned by root which causes - # users['uptime_kuma'] to try to take ownership when it cannot. - - name: Delete temporary backup file - file: - path: "{{ volumes['uptime_kuma_datadir'] }}/kuma-backup.db" - state: absent - - - name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" diff --git a/roles/uptime-kuma/tasks/main.yml b/roles/uptime-kuma/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/uptime-kuma/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/uptime-kuma/tasks/setup.yml b/roles/uptime-kuma/tasks/setup.yml deleted file mode 100644 index 1aa9c95..0000000 --- a/roles/uptime-kuma/tasks/setup.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml to project directory - template: - src: docker-compose.yaml - dest: "{{ project_dir }}/docker-compose.yaml" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - -- name: "Create (if not exists) directory {{ volumes['uptime_kuma_datadir'] }} & set permissions" - file: - path: "{{ volumes['uptime_kuma_datadir'] }}" - state: directory - owner: "{{ users['uptime_kuma'] + uid_shift }}" - group: "{{ users['uptime_kuma'] + uid_shift }}" - mode: '770' - become: true diff --git a/roles/uptime-kuma/tasks/update.yml b/roles/uptime-kuma/tasks/update.yml deleted file mode 100644 index 8a7595c..0000000 --- a/roles/uptime-kuma/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: uptime_kuma_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - uptime_kuma_pulled_images: "{{ uptime_kuma_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ uptime_kuma_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and uptime_kuma_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/uptime-kuma/templates/docker-compose.yaml b/roles/uptime-kuma/templates/docker-compose.yaml deleted file mode 100644 index bcb7e58..0000000 --- a/roles/uptime-kuma/templates/docker-compose.yaml +++ /dev/null @@ -1,12 +0,0 @@ -services: - uptime-kuma: - image: docker.io/louislam/uptime-kuma:1 - container_name: uptime-kuma - restart: always - environment: - - PUID={{ users['uptime_kuma'] }} - - PGID={{ users['uptime_kuma'] }} - ports: - - 127.0.0.1:{{ ports['uptime_kuma'] }}:3001 - volumes: - - {{ volumes['uptime_kuma_datadir' ] }}:/app/data diff --git a/roles/vaultwarden/tasks/backup.yml b/roles/vaultwarden/tasks/backup.yml deleted file mode 100644 index f64a876..0000000 --- a/roles/vaultwarden/tasks/backup.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: "Backup PostgreSQL vaultwarden database" - shell: > - docker exec postgres - pg_dump -c {{ role_name }} | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - - - --stdin-name dump_{{ role_name }}.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/vaultwarden/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/vaultwarden/tasks/setup.yml b/roles/vaultwarden/tasks/setup.yml deleted file mode 100644 index a23aeb1..0000000 --- a/roles/vaultwarden/tasks/setup.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & .env to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - - .env - -- name: "Create (if not exists) directory {{ volumes['vaultwarden_datadir'] }} & set permissions" - file: - path: "{{ volumes['vaultwarden_datadir'] }}" - state: directory - recurse: true - owner: "{{ users['vaultwarden'] + uid_shift }}" - group: "{{ users['vaultwarden'] + uid_shift }}" - mode: '770' - become: true diff --git a/roles/vaultwarden/tasks/update.yml b/roles/vaultwarden/tasks/update.yml deleted file mode 100644 index 6718f77..0000000 --- a/roles/vaultwarden/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - recreate: never - pull: always - debug: true - when: docker_pull_images | bool - register: vaultwarden_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - vaultwarden_pulled_images: "{{ vaultwarden_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ vaultwarden_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and vaultwarden_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose_v2: - project_src: "{{ project_dir }}" - state: "{{ run_setup | default(false) | bool | ternary('restarted', 'present') }}" diff --git a/roles/vaultwarden/templates/.env b/roles/vaultwarden/templates/.env deleted file mode 100644 index 1224388..0000000 --- a/roles/vaultwarden/templates/.env +++ /dev/null @@ -1,12 +0,0 @@ -ADMIN_TOKEN='{{ vaultwarden_secrets["admin_token_hash"] }}' -DOMAIN=https://vw.{{ domain }} -SIGNUPS_ALLOWED=false - -DATABASE_URL=postgresql://{{ vaultwarden_secrets['postgres_user'] }}:{{ vaultwarden_secrets['postgres_password'] }}@postgres.{{ domain }}:{{ ports['postgres'] }}/vaultwarden - -SMTP_HOST=mail.{{ domain }} -SMTP_FROM=vaultwarden@{{ domain }} -SMTP_PORT={{ ports['mailserver_smtps'] }} -SMTP_SECURITY=force_tls -SMTP_USERNAME='{{ vaultwarden_secrets["smtp_username"] }}' -SMTP_PASSWORD='{{ vaultwarden_secrets["smtp_password"] }}' diff --git a/roles/vaultwarden/templates/docker-compose.yaml b/roles/vaultwarden/templates/docker-compose.yaml deleted file mode 100644 index cb09ae5..0000000 --- a/roles/vaultwarden/templates/docker-compose.yaml +++ /dev/null @@ -1,11 +0,0 @@ -services: - vaultwarden: - image: docker.io/vaultwarden/server:alpine - container_name: vaultwarden - restart: always - user: {{ users['vaultwarden'] }}:{{ users['vaultwarden'] }} - env_file: .env - ports: - - 127.0.0.1:{{ ports['vaultwarden'] }}:80 - volumes: - - {{ volumes['vaultwarden_datadir' ] }}:/data diff --git a/secrets.yml.example b/secrets.yml.example index 9a4addf..a46d550 100644 --- a/secrets.yml.example +++ b/secrets.yml.example @@ -1,56 +1,60 @@ -# To generate random secret: openssl rand -base64 +# To generate a random secret: openssl rand -base64 -ansible_become_password: +borg: -borg_passphrase: - -cifs_credentials: - username: - password: -coturn_secrets: - static_auth_secret: +diun_webhookurl: -diun_secrets: - webhookurl: +fireshare: + admin_user: + admin_pass: + key: -fireshare_secrets: - admin_username: - admin_password: - secret_key: +hedgedoc_session: -hedgedoc_secrets: - client_id: - client_secret: - postgres_user: - postgres_password: - session_secret: +keycloak: + hedgedoc: + id: + secret: + synapse: + id: + secret: -keycloak_secerts: - postgres_user: - postgres_password: +mailserver: + synapse: + user: + pass: + vaultwarden: + user: + pass: -mailserver_secrets: - postgres_user: - postgres_password: - -searxng_secrets: - searxng_secret: - -synapse_secrets: - smtp_user: - smtp_pass: - postgres_user: - postgres_password: - turn_shared_secret: "{{ coturn_secrets['static_auth_secret'] }}" - macaroon_secret_key: - form_secret: - -vaultwarden_secrets: - # Generate with: docker exec --rm -ti docker.io/vaultwarden/server:alpine /vaultwarden hash - admin_token_hash: +postgres: # https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters - postgres_user: - postgres_password: - smtp_username: - smtp_password: + etebase: + user: + pass: # No '%' character allowed + keycloak: + user: + pass: + hedgedoc: + user: + pass: + mailserver: + user: + pass: + synapse: + user: + pass: + vaultwarden: + user: + pass: + +searxng: + +synapse: + macaroon: + form: + +turn_static_auth: + +vw_admin_token_hash: