serguzim/services
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fix issues reported by ansible-lint

Browse source
This commit is contained in:
Tobias Reisinger 2023-12-13 02:43:15 +01:00
parent a90840b1dc
commit 2e100d290f
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
59 changed files with 315 additions and 244 deletions
Download patch file Download diff file Expand all files Collapse all files

2
_ansible/.ansible-lint Normal file
View file

@ -0,0 +1,2 @@
skip_list:
- var-naming[no-role-prefix]

8
_ansible/roles/acme-dns/tasks/main.yml
View file

@ -4,8 +4,8 @@
- acme-dns
- certificates
block:
- import_tasks: steps/create-service-directory.yml
- import_tasks: steps/template-docker-compose.yml
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Setting the service config path
ansible.builtin.set_fact:
@ -23,5 +23,5 @@
dest: "{{ (config_path, 'config.cfg') | path_join }}"
mode: "0600"
- import_tasks: steps/template-site-config.yml
- import_tasks: steps/start-service.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml

6
_ansible/roles/acme-dns/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "acme.serguzim.me"
domain: acme.serguzim.me
name: acme-dns
port: 80
nsadmin: "{{ admin_email | regex_replace('@', '.') }}"
@ -12,7 +13,6 @@ svc:
pass: "{{ vault_acmedns.db.pass }}"
db: acme_dns
compose:
watchtower: true
monitoring: true
@ -24,4 +24,4 @@ compose:
app:
ports:
- "53:53"
- "53:53/udp"
- 53:53/udp

3
_ansible/roles/authentik/tasks/main.yml
View file

@ -4,4 +4,5 @@
- authentik
- authentication
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

8
_ansible/roles/authentik/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "auth.serguzim.me"
domain: auth.serguzim.me
name: authentik
port: 9000
image_tag: 2023.8
@ -32,7 +33,7 @@ svc_env:
compose:
watchtower: false
image: "ghcr.io/goauthentik/server:{{ svc.image_tag }}"
image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
env: true
file:
services:
@ -41,7 +42,7 @@ compose:
depends_on:
- redis
worker:
image: "ghcr.io/goauthentik/server:{{ svc.image_tag }}"
image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
restart: always
command: worker
user: root
@ -53,7 +54,6 @@ compose:
- redis
networks:
default:
redis:
image: redis:alpine
restart: always

9
_ansible/roles/caddy/tasks/main.yml
View file

@ -5,7 +5,10 @@
- reverse_proxy
- webserver
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml
- import_tasks: clean-sites.yml
- import_tasks: reload-caddy.yml
- name: Import tasks for cleaning sites
ansible.builtin.import_tasks: tasks/clean-sites.yml
- name: Import tasks to reload caddy
ansible.builtin.import_tasks: tasks/reload-caddy.yml

3
_ansible/roles/coder/tasks/main.yml
View file

@ -3,4 +3,5 @@
tags:
- coder
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

15
_ansible/roles/coder/vars/main.yml
View file

@ -1,8 +1,9 @@
---
svc:
domain: "coder.serguzim.me"
domain: coder.serguzim.me
additional_domains:
- "*.coder.serguzim.me"
caddy_extra: "import acmedns"
caddy_extra: import acmedns
name: coder
port: 7080
db:
@ -13,12 +14,12 @@ svc:
svc_env:
CODER_ADDRESS: "0.0.0.0:7080"
CODER_ACCESS_URL: "https://{{ svc.domain }}"
CODER_ACCESS_URL: https://{{ svc.domain }}
CODER_WILDCARD_ACCESS_URL: "*.{{ svc.domain }}"
CODER_PG_CONNECTION_URL: "postgres://{{ vault_coder.db.user }}:{{ vault_coder.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/coder?sslmode=verify-full"
CODER_PG_CONNECTION_URL: postgres://{{ vault_coder.db.user }}:{{ vault_coder.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/coder?sslmode=verify-full
CODER_OIDC_ISSUER_URL: "https://auth.serguzim.me/application/o/coder-serguzim-me/"
CODER_OIDC_ISSUER_URL: https://auth.serguzim.me/application/o/coder-serguzim-me/
CODER_OIDC_CLIENT_ID: "{{ vault_coder.oidc_client.id }}"
CODER_OIDC_CLIENT_SECRET: "{{ vault_coder.oidc_client.secret }}"
@ -27,9 +28,9 @@ compose:
image: ghcr.io/coder/coder:latest
env: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/run/docker.sock:/var/run/docker.sock
file:
services:
app:
group_add:
- "972" # docker group on host
- "972" # docker group on host

3
_ansible/roles/faas/tasks/main.yml
View file

@ -3,4 +3,5 @@
tags:
- faas
block:
- import_tasks: steps/template-site-config.yml
- name: Import tasks to template the site and functions for the reverse proxy
ansible.builtin.import_tasks: tasks/steps/template-site-config.yml

47
_ansible/roles/faas/vars/main.yml
View file

@ -1,30 +1,31 @@
---
svc:
name: faas
domain: faas.serguzim.me
docker_host: host.docker.internal
port: 8080
extra_svcs:
- domain: link.serguzim.me
faas_function: url-mapper
- domain: msrg.cc
faas_function: webpage-msrg-cc
caddy_extra: |
header /.well-known/* Access-Control-Allow-Origin *
- domain: link.serguzim.me
faas_function: url-mapper
- domain: msrg.cc
faas_function: webpage-msrg-cc
caddy_extra: |
header /.well-known/* Access-Control-Allow-Origin *
handle /.well-known/webfinger {
map {query.resource} {user} {
acct:tobias@msrg.cc serguzim
acct:serguzim@msrg.cc serguzim
}
rewrite * /.well-known/webfinger/{user}.json
import faas webpage-msrg-cc
}
- domain: serguzim.me
faas_function: webpage-serguzim-me
www_domain: true
hsts: true
- domain: team-leon.eu
faas_function: webpage-team-leon-eu
www_domain: true
- domain: xn--sder-5qa.stream
faas_function: webpage-soeder-stream
handle /.well-known/webfinger {
map {query.resource} {user} {
acct:tobias@msrg.cc serguzim
acct:serguzim@msrg.cc serguzim
}
rewrite * /.well-known/webfinger/{user}.json
import faas webpage-msrg-cc
}
- domain: serguzim.me
faas_function: webpage-serguzim-me
www_domain: true
hsts: true
- domain: team-leon.eu
faas_function: webpage-team-leon-eu
www_domain: true
- domain: xn--sder-5qa.stream
faas_function: webpage-soeder-stream

28
_ansible/roles/forgejo-runner/tasks/main.yml
View file

@ -6,31 +6,35 @@
- ci
- forgejo-runner
block:
- import_tasks: steps/create-service-directory.yml
- import_tasks: steps/template-docker-compose.yml
- name: Import tasks to create service directory
ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
- name: Import tasks to template docker compose file
ansible.builtin.import_tasks: tasks/steps/template-docker-compose.yml
- name: Copy the config
ansible.builtin.copy:
src: config.yml
dest: "{{ (service_path, 'config.yml') | path_join }}"
mode: '0755'
mode: "0755"
- name: Check if service.env already exists
ansible.builtin.stat:
path: "{{ (service_path, 'service.env') | path_join }}"
register: svc_env_file
- import_tasks: prompt-registration-token.yml
when: not svc_env_file.stat.exists or
force_forgejo_runner_registration | default(False)
- name: Import tasks to prompt for the registration token
ansible.builtin.import_tasks: tasks/prompt-registration-token.yml
when: not svc_env_file.stat.exists or force_forgejo_runner_registration | default(False)
- import_tasks: steps/template-service-env.yml
- import_tasks: steps/start-service.yml
- name: Import tasks create a service.env file
ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml
- name: Register runner
ansible.builtin.command:
cmd: docker compose run --rm -it app sh -c 'forgejo-runner register --no-interactive --token ${FORGEJO_RUNNER_REGISTRATION_TOKEN} --instance ${FORGEJO_INSTANCE_URL}'
cmd: docker compose run --rm -it app sh -c
'forgejo-runner register --no-interactive --token ${FORGEJO_RUNNER_REGISTRATION_TOKEN} --instance ${FORGEJO_INSTANCE_URL}'
chdir: "{{ service_path }}"
when: not svc_env_file.stat.exists or
force_forgejo_runner_registration | default(False)
when: not svc_env_file.stat.exists or force_forgejo_runner_registration | default(False)
changed_when: true # "when" checks enough. We are sure to change something here.

9
_ansible/roles/forgejo-runner/tasks/prompt-registration-token.yml
View file

@ -1,11 +1,10 @@
---
- name: Input forgejo-runner registration token
ansible.builtin.pause:
prompt: "Enter a secret"
echo: no
prompt: Enter a secret
echo: false
register: promt_registration_token
- name: Put registration token into env vars
ansible.builtin.set_fact:
svc_env: "{{ svc_env | combine({
'FORGEJO_RUNNER_REGISTRATION_TOKEN': promt_registration_token.user_input
}, recursive=True) }}"
svc_env: "{{ svc_env | combine({'FORGEJO_RUNNER_REGISTRATION_TOKEN': promt_registration_token.user_input}, recursive=True) }}"

7
_ansible/roles/forgejo-runner/vars/main.yml
View file

@ -1,8 +1,9 @@
---
svc:
name: forgejo-runner
svc_env:
FORGEJO_INSTANCE_URL: "https://git.serguzim.me/"
FORGEJO_INSTANCE_URL: https://git.serguzim.me/
FORGEJO_RUNNER_REGISTRATION_TOKEN:
DOCKER_HOST: tcp://docker-in-docker:2375
@ -17,7 +18,7 @@ compose:
services:
app:
hostname: "{{ ansible_facts.hostname }}"
command: "forgejo-runner --config /config/config.yml daemon"
command: forgejo-runner --config /config/config.yml daemon
depends_on:
- docker-in-docker
links:
@ -25,7 +26,7 @@ compose:
docker-in-docker:
image: docker:dind
privileged: true
command: "dockerd -H tcp://0.0.0.0:2375 --tls=false"
command: dockerd -H tcp://0.0.0.0:2375 --tls=false
networks:
default:
volumes:

3
_ansible/roles/forgejo/tasks/main.yml
View file

@ -4,4 +4,5 @@
- forgejo
- git
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

38
_ansible/roles/forgejo/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "git.serguzim.me"
domain: git.serguzim.me
name: forgejo
port: 3000
caddy_extra: header /attachments/* Access-Control-Allow-Origin *
@ -10,26 +11,26 @@ svc:
ssh_port_alt: 3022
svc_env:
FORGEJO__database__DB_TYPE: "postgres"
FORGEJO__database__DB_TYPE: postgres
FORGEJO__database__HOST: "{{ svc.db.host }}:{{ svc.db.port }}"
FORGEJO__database__NAME: "forgejo"
FORGEJO__database__NAME: forgejo
FORGEJO__database__USER: "{{ vault_forgejo.db.user }}"
FORGEJO__database__PASSWD: "{{ vault_forgejo.db.pass }}"
FORGEJO__database__SSL_MODE: "verify-full"
FORGEJO__database__SSL_MODE: verify-full
FORGEJO__repository__ENABLE_PUSH_CREATE_USER: true
FORGEJO__repository__ENABLE_PUSH_CREATE_ORG: true
FORGEJO__repository__DEFAULT_BRANCH: "main"
FORGEJO__repository__DEFAULT_BRANCH: main
FORGEJO__cors__ENABLED: true
FORGEJO__cors__SCHEME: "https"
FORGEJO__cors__SCHEME: https
FORGEJO__ui__DEFAULT_THEME: "arc-green"
FORGEJO__ui__DEFAULT_THEME: arc-green
FORGEJO__server__DOMAIN: "{{ svc.domain }}"
FORGEJO__server__SSH_DOMAIN: "{{ svc.domain }}"
FORGEJO__server__SSH_PORT: "{{ svc.ssh_port }}"
FORGEJO__server__ROOT_URL: "https://{{ svc.domain }}"
FORGEJO__server__ROOT_URL: https://{{ svc.domain }}
FORGEJO__server__OFFLINE_MODE: true
FORGEJO__server__LFS_JWT_SECRET: "{{ vault_forgejo.server_lfs_jwt_secret }}"
FORGEJO__server__LFS_START_SERVER: true
@ -44,34 +45,34 @@ svc_env:
FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: true
FORGEJO__service__ENABLE_BASIC_AUTHENTICATION: false
FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: true
FORGEJO__service__NO_REPLY_ADDRESS: "discard.msrg.cc"
FORGEJO__service__NO_REPLY_ADDRESS: discard.msrg.cc
FORGEJO__webhook__DELIVER_TIMEOUT: 60
FORGEJO__mailer__ENABLED: true
FORGEJO__mailer__PROTOCOL: "smtp+starttls"
FORGEJO__mailer__SMTP_ADDR: "mail.serguzim.me"
FORGEJO__mailer__PROTOCOL: smtp+starttls
FORGEJO__mailer__SMTP_ADDR: mail.serguzim.me
FORGEJO__mailer__SMTP_PORT: 587
FORGEJO__mailer__FROM: "Forgejo <git@serguzim.me>"
FORGEJO__mailer__USER: "git@serguzim.me"
FORGEJO__mailer__FROM: Forgejo <git@serguzim.me>
FORGEJO__mailer__USER: git@serguzim.me
FORGEJO__mailer__PASSWD: "{{ vault_forgejo.mailer_passwd }}"
FORGEJO__mailer__SEND_AS_PLAIN_TEXT: true
FORGEJO__picture__DISABLE_GRAVATAR: true
FORGEJO__oauth2__JWT_SECRET: "{{ vault_forgejo. oauth2_jwt_secret}}"
FORGEJO__oauth2__JWT_SECRET: "{{ vault_forgejo.oauth2_jwt_secret }}"
FORGEJO__metrics__ENABLED: true
FORGEJO__metrics__TOKEN: "{{ vault_metrics_token }}"
FORGEJO__actions__ENABLED: true
FORGEJO__storage__STORAGE_TYPE: "minio"
FORGEJO__storage__MINIO_ENDPOINT: "s3.serguzim.me"
FORGEJO__storage__STORAGE_TYPE: minio
FORGEJO__storage__MINIO_ENDPOINT: s3.serguzim.me
FORGEJO__storage__MINIO_ACCESS_KEY_ID: "{{ vault_forgejo.minio.access_key_id }}"
FORGEJO__storage__MINIO_SECRET_ACCESS_KEY: "{{ vault_forgejo.minio.secret_access_key }}"
FORGEJO__storage__MINIO_BUCKET: "forgejo"
FORGEJO__storage__MINIO_LOCATION: "de-contabo-1"
FORGEJO__storage__MINIO_BUCKET: forgejo
FORGEJO__storage__MINIO_LOCATION: de-contabo-1
FORGEJO__storage__MINIO_USE_SSL: true
FORGEJO__other__SHOW_FOOTER_VERSION: true
@ -93,4 +94,3 @@ compose:
- "{{ svc.ssh_port_alt }}:{{ svc.ssh_port }}"
volumes:
data:

11
_ansible/roles/harbor/tasks/main.yml
View file

@ -4,8 +4,11 @@
- harbor
- registry
block:
- import_tasks: steps/create-service-directory.yml
- import_tasks: steps/template-site-config.yml
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Import tasks to template the site for the reverse proxy
ansible.builtin.import_tasks: tasks/steps/template-site-config.yml
- name: Template config
ansible.builtin.template:
@ -17,12 +20,13 @@
ansible.builtin.unarchive:
src: https://github.com/goharbor/harbor/releases/download/v{{ svc.harbor_version }}/harbor-online-installer-v{{ svc.harbor_version }}.tgz
dest: "{{ service_path }}"
remote_src: yes
remote_src: true
- name: Run the harbor prepare command
ansible.builtin.command:
cmd: "{{ service_path }}/harbor/prepare"
chdir: "{{ service_path }}"
creates: "{{ (service_path, 'docker-compose.yml') | path_join }}"
environment:
HARBOR_BUNDLE_DIR: "{{ service_path }}"
@ -33,3 +37,4 @@
environment:
HARBOR_BUNDLE_DIR: "{{ service_path }}"
become: true
changed_when: true # TODO find way to recognize need to run install command

10
_ansible/roles/harbor/vars/main.yml
View file

@ -1,3 +1,4 @@
---
svc_ports:
http: 20080
https: 20443
@ -5,7 +6,8 @@ svc_ports:
svc:
name: harbor
domain: "registry.serguzim.me"
no_compose: true # TODO remove when fixing "var-naming[no-role-prefix]"
domain: registry.serguzim.me
caddy_extra: |
reverse_proxy /metrics host.docker.internal:{{ svc_ports.metrics }}
reverse_proxy host.docker.internal:{{ svc_ports.https }} {
@ -75,9 +77,9 @@ svc_yml:
max_idle_conns: 2
max_open_conns: 0
proxy:
http_proxy: null
https_proxy: null
no_proxy: null
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice

22
_ansible/roles/healthcheck/tasks/main.yml
View file

@ -3,38 +3,40 @@
tags:
- healthcheck
block:
- import_tasks: steps/create-service-directory.yml
- name: Import tasks to create service directory
ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
- name: Copy the docker-compose file
ansible.builtin.copy:
src: docker-compose.yml
dest: "{{ (service_path, 'docker-compose.yml') | path_join }}"
mode: '0644'
mode: "0644"
- name: Copy the Dockerfile
ansible.builtin.copy:
src: Dockerfile
dest: "{{ (service_path, 'Dockerfile') | path_join }}"
mode: '0644'
mode: "0644"
- name: Copy the data files
ansible.builtin.copy:
src: data
dest: "{{ service_path }}"
mode: '0755'
mode: "0755"
- name: Copy the system service
ansible.builtin.copy:
src: healthcheck@.service
dest: "/etc/systemd/system/healthcheck@.service"
mode: '0644'
dest: /etc/systemd/system/healthcheck@.service
mode: "0644"
become: true
- name: Copy the system timer
ansible.builtin.copy:
src: healthcheck@.timer
dest: "/etc/systemd/system/healthcheck@.timer"
mode: '0644'
dest: /etc/systemd/system/healthcheck@.timer
mode: "0644"
become: true
- import_tasks: steps/template-service-env.yml
- name: Import tasks create a service.env file
ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
- name: Build service
ansible.builtin.command:
@ -43,4 +45,4 @@
when:
- "'local-dev' != inventory_hostname"
register: cmd_result
changed_when: True
changed_when: true

7
_ansible/roles/healthcheck/vars/main.yml
View file

@ -1,13 +1,14 @@
---
svc:
name: healthcheck
svc_env:
USER_AGENT: "healthcheck-bot for serguzim.net"
USER_AGENT: healthcheck-bot for serguzim.net
HTTP_HC_UID: "{{ vault_healthcheck.hc_uid.http }}"
MATRIX_SERVER: "https://matrix.msrg.cc"
MATRIX_SERVER_FEDTESTER: "msrg.cc"
MATRIX_SERVER: https://matrix.msrg.cc
MATRIX_SERVER_FEDTESTER: msrg.cc
MATRIX_HC_UID: "{{ vault_healthcheck.hc_uid.matrix }}"
MATRIX_TOKEN: "{{ vault_healthcheck.matrix.token }}"
MATRIX_ROOM: "{{ vault_healthcheck.matrix.room }}"

3
_ansible/roles/homebox/tasks/main.yml
View file

@ -4,4 +4,5 @@
- homebox
- inventory
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

4
_ansible/roles/homebox/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "inventory.serguzim.me"
domain: inventory.serguzim.me
name: homebox
port: 7745
@ -21,4 +22,3 @@ compose:
file:
volumes:
data:

8
_ansible/roles/influxdb/tasks/main.yml
View file

@ -4,8 +4,8 @@
- influxdb
- sensors
block:
- import_tasks: steps/create-service-directory.yml
- import_tasks: steps/template-docker-compose.yml
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Template config
ansible.builtin.template:
@ -13,5 +13,5 @@
dest: "{{ (service_path, 'influxdb.yml') | path_join }}"
mode: "0600"
- import_tasks: steps/template-site-config.yml
- import_tasks: steps/start-service.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml

11
_ansible/roles/influxdb/vars/main.yml
View file

@ -1,8 +1,9 @@
---
svc:
domain: "tick.serguzim.me"
domain: tick.serguzim.me
name: influxdb
port: 8086
data_dir: "/var/lib/influxdb2"
data_dir: /var/lib/influxdb2
svc_yml:
assets-path: ""
@ -10,7 +11,7 @@ svc_yml:
e2e-testing: false
engine-path: "{{ (svc.data_dir, 'engine') | path_join }}"
feature-flags: {}
http-bind-address: 0.0.0.0:{{ svc.port }}
http-bind-address: "0.0.0.0:{{ svc.port }}"
influxql-max-select-buckets: 0
influxql-max-select-point: 0
influxql-max-select-series: 0
@ -42,7 +43,7 @@ svc_yml:
storage-shard-precreator-check-interval: 10m0s
storage-tsm-use-madv-willneed: false
storage-validate-keys: false
storage-wal-fsync-delay: 0s
storage-wal-fsync-delay: "0s"
store: bolt
testing-always-allow-setup: false
tls-cert: ""
@ -55,7 +56,7 @@ svc_yml:
vault-capath: ""
vault-client-cert: ""
vault-client-key: ""
vault-client-timeout: 0s
vault-client-timeout: "0s"
vault-max-retries: 0
vault-skip-verify: false
vault-tls-server-name: ""

3
_ansible/roles/jellyfin/tasks/main.yml
View file

@ -4,4 +4,5 @@
- jellyfin
- media
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

6
_ansible/roles/jellyfin/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "media.serguzim.me"
domain: media.serguzim.me
name: jellyfin
port: 8096
db:
@ -7,7 +8,7 @@ svc:
port: "{{ postgres.port }}"
svc_env:
JELLYFIN_PublishedServerUrl: "https://{{ svc. domain }}"
JELLYFIN_PublishedServerUrl: https://{{ svc.domain }}
compose:
watchtower: true
@ -25,4 +26,3 @@ compose:
config:
cache:
media:

3
_ansible/roles/mailcow/tasks/main.yml
View file

@ -4,4 +4,5 @@
- mailcow
- email
block:
- import_tasks: steps/template-site-config.yml
- name: Import tasks to template the site for the reverse proxy
ansible.builtin.import_tasks: tasks/steps/template-site-config.yml

1
_ansible/roles/mailcow/vars/main.yml
View file

@ -1,3 +1,4 @@
---
svc:
name: mailcow
domain: mail.serguzim.me

3
_ansible/roles/minecraft-2/tasks/main.yml
View file

@ -5,4 +5,5 @@
- minecraft
- games
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

7
_ansible/roles/minecraft-2/vars/main.yml
View file

@ -1,3 +1,4 @@
---
svc:
name: minecraft-2
@ -21,7 +22,7 @@ svc_env:
FUNCTION_PERMISSION_LEVEL: 2
GENERATE_STRUCTURES: true
HARDCORDE: false
ICON:
ICON:
LEVEL_TYPE: DEFAULT
MAX_BUILD_HEIGHT: 512
MAX_MEMORY: 4G
@ -29,7 +30,7 @@ svc_env:
MAX_PLAYERS: 64
MAX_WORLD_SIZE: 30000000
MODE: survival
MOTD:
MOTD:
NETWORK_COMPRESSION_THRESHOLD: 256
PVP: true
SERVER_NAME: minecraft.serguzim.me
@ -63,6 +64,6 @@ compose:
services:
app:
ports:
- "25565:25565"
- 25565:25565
volumes:
data:

3
_ansible/roles/minio/tasks/main.yml
View file

@ -4,4 +4,5 @@
- minio
- storage
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

23
_ansible/roles/minio/vars/main.yml
View file

@ -1,21 +1,22 @@
---
svc:
domain: "s3.serguzim.me"
domain: s3.serguzim.me
name: minio
port: 9000
caddy_extra: |
@nocache {
query nocache=*
}
header @nocache "Cache-Control" "no-store, no-cache"
@nocache {
query nocache=*
}
header @nocache "Cache-Control" "no-store, no-cache"
extra_svcs:
- domain: console.s3.serguzim.me
docker_host: minio
port: 9001
- domain: console.s3.serguzim.me
docker_host: minio
port: 9001
svc_env:
MINIO_SERVER_URL: "https://{{ svc.domain }}/"
MINIO_BROWSER_REDIRECT_URL: "https://console.{{ svc.domain }}"
MINIO_VOLUMES: "/data"
MINIO_SERVER_URL: https://{{ svc.domain }}/
MINIO_BROWSER_REDIRECT_URL: https://console.{{ svc.domain }}
MINIO_VOLUMES: /data
MINIO_ROOT_USER: "{{ vault_minio.user }}"
MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"

13
_ansible/roles/synapse/tasks/main.yml
View file

@ -4,11 +4,13 @@
- synapse
- matrix
block:
- import_tasks: prepare-common-service.yml
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Set synapse config path
ansible.builtin.set_fact:
config_path: "{{ (service_path, svc.config_path) | path_join }}"
- name: Create config directory
ansible.builtin.file:
path: "{{ config_path }}"
@ -20,17 +22,18 @@
src: service.yml.j2
dest: "{{ (config_path, 'homeserver.yaml') | path_join }}"
mode: "0644"
- name: Copy the log config
ansible.builtin.copy:
src: msrg.cc.log.config
dest: "{{ (config_path, 'msrg.cc.log.config') | path_join }}"
mode: '0644'
mode: "0644"
- name: Copy the signing key
ansible.builtin.copy:
content: "{{ vault_synapse.signing_key }}"
dest: "{{ (config_path, 'msrg.cc.signing.key') | path_join }}"
mode: '0644'
mode: "0644"
- import_tasks: start-common-service.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml

73
_ansible/roles/synapse/vars/main.yml
View file

@ -1,6 +1,7 @@
---
svc:
name: synapse
domain: "matrix.msrg.cc"
domain: matrix.msrg.cc
docker_host: synapse-admin
port: 80
caddy_extra: |
@ -11,7 +12,7 @@ svc:
reverse_proxy synapse:8008
}
extra_svcs:
- domain: "msrg.cc:8008"
- domain: msrg.cc:8008
additional_domains:
- matrix.msrg.cc:8448
- matrix.msrg.cc:8008
@ -30,7 +31,7 @@ svc_env:
REACT_APP_SERVER: https://matrix.msrg.cc
svc_yml:
server_name: "msrg.cc"
server_name: msrg.cc
pid_file: "{{ (svc.config_path, 'homeserver.pid') | path_join }}"
public_baseurl: https://matrix.msrg.cc/
allow_public_rooms_without_auth: true
@ -43,28 +44,28 @@ svc_yml:
x_forwarded: true
resources:
- names:
- client
- federation
- metrics
- client
- federation
- metrics
compress: false
admin_contact: "mailto:{{ admin_email }}"
admin_contact: mailto:{{ admin_email }}
acme:
enabled: false
enabled: false
database:
name: "psycopg2"
args:
user: "{{ svc.db.user }}"
password: "{{ svc.db.pass }}"
database: "{{ svc.db.database }}"
host: "{{ svc.db.host }}"
cp_min: 5
cp_max: 10
name: psycopg2
args:
user: "{{ svc.db.user }}"
password: "{{ svc.db.pass }}"
database: "{{ svc.db.database }}"
host: "{{ svc.db.host }}"
cp_min: 5
cp_max: 10
log_config: "{{ (svc.config_path, 'msrg.cc.log.config') | path_join }}"
media_store_path: "/media_store"
media_store_path: /media_store
max_upload_size: 500M
enable_registration: false
enable_metrics: true
@ -75,19 +76,19 @@ svc_yml:
signing_key_path: "{{ (svc.config_path, 'msrg.cc.signing.key') | path_join }}"
trusted_key_servers:
- server_name: "matrix.org"
- server_name: matrix.org
suppress_key_server_warning: true
oidc_providers:
- idp_id: "auth_serguzim_me"
idp_name: "auth.serguzim.me"
issuer: "https://auth.serguzim.me/application/o/matrix_serguzim_me/"
- idp_id: auth_serguzim_me
idp_name: auth.serguzim.me
issuer: https://auth.serguzim.me/application/o/matrix_serguzim_me/
client_id: "{{ vault_synapse.oidc_client.id }}"
client_secret: "{{ vault_synapse.oidc_client.secret }}"
scopes:
- "openid"
- "profile"
- "email"
- openid
- profile
- email
user_mapping_provider:
config:
localpart_template: "{{ '{{ user.preferred_username }}' }}"
@ -96,10 +97,10 @@ svc_yml:
email:
smtp_host: mail.serguzim.me
smtp_port: 587
smtp_user: "matrix@serguzim.me"
smtp_user: matrix@serguzim.me
smtp_pass: "{{ vault_synapse.mail.pass }}"
require_transport_security: true
notif_from: "Matrix <matrix@serguzim.me>"
notif_from: Matrix <matrix@serguzim.me>
compose:
watchtower: true
@ -111,15 +112,15 @@ compose:
file:
services:
synapse-admin:
image: awesometechnologies/synapse-admin
restart: always
labels:
com.centurylinklabs.watchtower.enable: true
env_file:
- service.env
networks:
apps:
aliases:
- synapse-admin
image: awesometechnologies/synapse-admin
restart: always
labels:
com.centurylinklabs.watchtower.enable: true
env_file:
- service.env
networks:
apps:
aliases:
- synapse-admin
volumes:
media_store:

3
_ansible/roles/tandoor/tasks/main.yml
View file

@ -4,4 +4,5 @@
- tandoor
- recipies
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

6
_ansible/roles/tandoor/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "recipes.serguzim.me"
domain: recipes.serguzim.me
name: tandoor
port: 80
db:
@ -18,7 +19,7 @@ svc_env:
TZ: "{{ timezone }}"
DB_ENGINE: django.db.backends.postgresql
DB_OPTIONS: "{\"sslmode\": \"require\"}"
DB_OPTIONS: '{"sslmode": "require"}'
POSTGRES_HOST: "{{ svc.db.host }}"
POSTGRES_PORT: "{{ svc.db.port }}"
POSTGRES_DB: "{{ svc.db.database }}"
@ -61,4 +62,3 @@ compose:
nginx_config:
staticfiles:
mediafiles:

12
_ansible/roles/telegraf/tasks/main.yml
View file

@ -4,8 +4,8 @@
- telegraf
- monitoring
block:
- import_tasks: steps/create-service-directory.yml
- import_tasks: steps/template-docker-compose.yml
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Template config
ansible.builtin.template:
@ -14,10 +14,10 @@
mode: "0664"
register: cmd_result
- name: Set the docker force-recreate flag
ansible.builtin.set_fact:
docker_force_recreate: "--force-recreate"
when: cmd_result.changed
docker_force_recreate: --force-recreate
when: cmd_result.changed # noqa: no-handler We need to handle the restart per service. Handlers don't support variables.
- import_tasks: steps/start-service.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml

21
_ansible/roles/telegraf/vars/main.yml
View file

@ -1,7 +1,8 @@
---
svc:
name: telegraf
influxdb:
url: "https://tick.serguzim.me"
url: https://tick.serguzim.me
token: "{{ vault_telegraf.influxdb_token }}"
organization: serguzim.net
bucket: metrics
@ -17,9 +18,9 @@ svc:
pass: "{{ vault_telegraf.db.pass }}"
host: "{{ postgres.host }}"
port: "{{ postgres.port }}"
database: "telegraf"
database: telegraf
docker_log:
endpoint: "unix:///var/run/docker.sock"
endpoint: unix:///var/run/docker.sock
# from_beginning: false
# timeout: "5s"
@ -32,12 +33,12 @@ svc:
## Set the source tag for the metrics to the container ID hostname, eg first 12 chars
source_tag: false
## Optional TLS Config
# tls_ca: "/etc/telegraf/ca.pem"
# tls_cert: "/etc/telegraf/cert.pem"
# tls_key: "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify: false
## Optional TLS Config
# tls_ca: "/etc/telegraf/ca.pem"
# tls_cert: "/etc/telegraf/cert.pem"
# tls_key: "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify: false
compose:
watchtower: false
@ -50,6 +51,6 @@ compose:
app:
user: telegraf
group_add:
- "972" # docker group on host
- "972" # docker group on host
volumes:
data:

8
_ansible/roles/tinytinyrss/tasks/main.yml
View file

@ -5,12 +5,14 @@
- tt-rss
- news
block:
- import_tasks: prepare-common-service.yml
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Copy the nginx-config
ansible.builtin.copy:
src: nginx.conf
dest: "{{ (service_path, 'nginx.conf') | path_join }}"
mode: '0644'
mode: "0644"
- import_tasks: start-common-service.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml

5
_ansible/roles/tinytinyrss/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "rss.serguzim.me"
domain: rss.serguzim.me
name: tinytinyrss
port: 80
db:
@ -39,7 +40,6 @@ compose:
- app:/var/www/html
networks:
default:
updater:
image: cthulhoo/ttrss-fpm-pgsql-static
restart: always
@ -54,4 +54,3 @@ compose:
default:
volumes:
app:

3
_ansible/roles/umami/tasks/main.yml
View file

@ -4,4 +4,5 @@
- umami
- analytics
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

3
_ansible/roles/umami/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "analytics.serguzim.me"
domain: analytics.serguzim.me
name: umami
port: 3000
db:

3
_ansible/roles/uptime-kuma/tasks/main.yml
View file

@ -4,4 +4,5 @@
- uptime-kuma
- status
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

6
_ansible/roles/uptime-kuma/vars/main.yml
View file

@ -1,7 +1,8 @@
---
svc:
domain: "status.serguzim.me"
domain: status.serguzim.me
additional_domains:
- "status.serguzim.net"
- status.serguzim.net
name: uptime-kuma
port: 3001
@ -13,4 +14,3 @@ compose:
file:
volumes:
data:

7
_ansible/roles/watchtower/tasks/main.yml
View file

@ -4,10 +4,11 @@
- watchtower
- container
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml
- name: Copy the run-once script
ansible.builtin.copy:
src: run-once.sh
dest: "{{ (service_path, 'run-once.sh') | path_join }}"
mode: '0755'
mode: "0755"

1
_ansible/roles/watchtower/vars/main.yml
View file

@ -1,3 +1,4 @@
---
svc:
name: watchtower

8
_ansible/roles/webdis/tasks/main.yml
View file

@ -3,12 +3,14 @@
tags:
- webdis
block:
- import_tasks: steps/create-service-directory.yml
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Copy the config
ansible.builtin.copy:
src: webdis.json
dest: "{{ (service_path, 'webdis.json') | path_join }}"
mode: '0755'
mode: "0755"
- import_tasks: deploy-common-service.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml

3
_ansible/roles/webdis/vars/main.yml
View file

@ -1,6 +1,7 @@
---
svc:
name: webdis
domain: "webdis.huck.serguzim.me"
domain: webdis.huck.serguzim.me
port: 7379
compose:

3
_ansible/roles/wiki-js/tasks/main.yml
View file

@ -3,4 +3,5 @@
tags:
- wiki-js
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

5
_ansible/roles/wiki-js/vars/main.yml
View file

@ -1,5 +1,6 @@
---
svc:
domain: "wiki.serguzim.me"
domain: wiki.serguzim.me
name: wiki-js
port: 3000
db:
@ -7,7 +8,7 @@ svc:
port: "{{ postgres.port }}"
user: "{{ vault_wiki_js.db.user }}"
pass: "{{ vault_wiki_js.db.pass }}"
name: "wikijs"
name: wikijs
svc_env:
DB_TYPE: postgres

3
_ansible/roles/woodpecker/tasks/main.yml
View file

@ -4,4 +4,5 @@
- woodpecker
- ci
block:
- import_tasks: deploy-common-service.yml
- name: Import tasks to deploy common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml

19
_ansible/roles/woodpecker/vars/main.yml
View file

@ -1,11 +1,12 @@
---
svc:
domain: "ci.serguzim.me"
domain: ci.serguzim.me
name: woodpecker
port: 8000
extra_svcs:
- domain: agents.ci.serguzim.me
docker_host: h2c://woodpecker
port: 9000
- domain: agents.ci.serguzim.me
docker_host: h2c://woodpecker
port: 9000
db:
host: "{{ postgres.host }}"
port: "{{ postgres.port }}"
@ -15,8 +16,8 @@ svc:
svc_env:
WOODPECKER_OPEN: true
WOODPECKER_HOST: "https://{{ svc.domain }}"
WOODPECKER_ADMIN: "serguzim"
WOODPECKER_HOST: https://{{ svc.domain }}
WOODPECKER_ADMIN: serguzim
WOODPECKER_AGENT_SECRET: "{{ vault_woodpecker.agent_secret }}"
WOODPECKER_PROMETHEUS_AUTH_TOKEN: "{{ vault_metrics_token }}"
@ -24,12 +25,12 @@ svc_env:
WOODPECKER_GRPC_SECURE: true
WOODPECKER_GITEA: true
WOODPECKER_GITEA_URL: "https://git.serguzim.me"
WOODPECKER_GITEA_URL: https://git.serguzim.me
WOODPECKER_GITEA_CLIENT: "{{ vault_woodpecker.gitea.client }}"
WOODPECKER_GITEA_SECRET: "{{ vault_woodpecker.gitea.secret }}"
WOODPECKER_DATABASE_DRIVER: "postgres"
WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full"
WOODPECKER_DATABASE_DRIVER: postgres
WOODPECKER_DATABASE_DATASOURCE: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full
compose:
watchtower: true

7
_ansible/tasks/deploy-common-service.yml
View file

@ -1,2 +1,5 @@
- import_tasks: prepare-common-service.yml
- import_tasks: start-common-service.yml
---
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml

15
_ansible/tasks/prepare-common-service.yml
View file

@ -1,4 +1,11 @@
- import_tasks: steps/create-service-directory.yml
- import_tasks: steps/template-docker-compose.yml
- import_tasks: steps/template-service-env.yml
when: compose.env|default(False) == True
---
- name: Import tasks to create service directory
ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
- name: Import tasks to template docker compose file
ansible.builtin.import_tasks: tasks/steps/template-docker-compose.yml
when: not no_compose|default(False) # TODO remove when fixing "var-naming[no-role-prefix]"
- name: Import tasks create a service.env file
ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
when: compose.env|default(False)

7
_ansible/tasks/start-common-service.yml
View file

@ -1,3 +1,6 @@
- include_tasks: steps/template-site-config.yml
---
- name: Import tasks to template the site for the reverse proxy
ansible.builtin.include_tasks: tasks/steps/template-site-config.yml
when: svc.domain is defined
- import_tasks: steps/start-service.yml
- name: Import tasks to start the service
ansible.builtin.import_tasks: tasks/steps/start-service.yml

1
_ansible/tasks/steps/create-service-directory.yml
View file

@ -1,3 +1,4 @@
---
- name: Set common facts
ansible.builtin.set_fact:
service_path: "{{ (services_path, svc.name) | path_join }}"

7
_ansible/tasks/steps/start-service.yml
View file

@ -1,3 +1,4 @@
---
- name: Build service
ansible.builtin.command:
cmd: docker compose build --pull
@ -7,7 +8,7 @@
- docker_update is defined
- docker_update
register: cmd_result
changed_when: True
changed_when: true
- name: Pull service
ansible.builtin.command:
@ -18,7 +19,7 @@
- docker_update is defined
- docker_update
register: cmd_result
changed_when: True
changed_when: true
- name: Start service
ansible.builtin.command:
@ -26,4 +27,4 @@
chdir: "{{ service_path }}"
when: "'local-dev' != inventory_hostname"
register: cmd_result
changed_when: "cmd_result.stderr | regex_search('Started$')"
changed_when: cmd_result.stderr | regex_search('Started$')

1
_ansible/tasks/steps/template-docker-compose.yml
View file

@ -1,3 +1,4 @@
---
- name: Template docker-compose
ansible.builtin.template:
src: docker-compose.yml.j2

1
_ansible/tasks/steps/template-service-env.yml
View file

@ -1,3 +1,4 @@
---
- name: Template service.env file
ansible.builtin.template:
src: service.env.j2

1
_ansible/tasks/steps/template-site-config.yml
View file

@ -1,3 +1,4 @@
---
- name: Template caddy site
ansible.builtin.template:
src: caddy_site.conf.j2