diff --git a/playbooks/mailcow.yml b/playbooks/mailcow.yml index 54ff9a9..9119e5e 100644 --- a/playbooks/mailcow.yml +++ b/playbooks/mailcow.yml @@ -28,6 +28,7 @@ name: "Backup mailcow daily" minute: "5" hour: "3" + # yamllint disable-line rule:line-length job: "MAILCOW_BACKUP_LOCATION=/srv/mailcow-backups /srv/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 2 2>&1 | /usr/bin/logger -t mailcow_data_backup" become: true # Manual steps: diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index a39b5c9..17b79bf 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -68,4 +68,4 @@ docker_python_virtualenv_package_state: "present" # The pip package name of the docker library docker_pip_package: "docker" docker_pip_package_state: "present" -docker_pip_package_version: "{{ omit }}" # This will be omitted by default, so the latest version will be installed. +docker_pip_package_version: "{{ omit }}" # This will be omitted by default, so the latest version will be installed. diff --git a/roles/gitlab/defaults/main.yml b/roles/gitlab/defaults/main.yml index c53f6d5..20eee08 100644 --- a/roles/gitlab/defaults/main.yml +++ b/roles/gitlab/defaults/main.yml @@ -58,7 +58,7 @@ gitlab_smtp_address: smtp.example.com gitlab_smtp_port: 465 gitlab_smtp_user_name: 'gitlab@example.com' gitlab_smtp_password: "{{ lookup('passwordstore', gitlab_domain + '/' + gitlab_smtp_user_name + ' create=true length=42') }}" -gitlab_smtp_tls: "{{ gitlab_snmp_tls | default('true') }}" # There was a typo in the config option name, this makes sure it's falling back properly +gitlab_smtp_tls: "{{ gitlab_snmp_tls | default('true') }}" # There was a typo in the config option name, this makes sure it's falling back properly gitlab_email_from: "{{ gitlab_smtp_user_name }}" gitlab_email_reply_to: "{{ gitlab_smtp_user_name }}" 
@@ -69,8 +69,9 @@ gitlab_libravatar_ssl: "seccdn.libravatar.org" # CSP settings gitlab_csp: img_src: 'https:' - #frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" - #script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" + # yamllint disable-line rule:line-length + # frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com" + # script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" # SAML settings gitlab_saml: diff --git a/roles/gitlab_runner/defaults/main.yml b/roles/gitlab_runner/defaults/main.yml index c0636ef..452380f 100644 --- a/roles/gitlab_runner/defaults/main.yml +++ b/roles/gitlab_runner/defaults/main.yml 
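Review bot: The added `# yamllint disable-line rule:line-length` sits on its own line, which (as I read yamllint's directive handling) suppresses the rule only for the line that follows it, i.e. the `# frame_src:` comment; the `# script_src:` line that comes after it is also well over the usual limit and will presumably still be reported unless the project's `max` is raised. If both lines are meant to stay as they are, either add a second disable-line comment above `# script_src:` or wrap the two with `# yamllint disable rule:line-length` / `# yamllint enable rule:line-length`. A short note such as `# Keep these two CSP directives on one line each so they can be uncommented verbatim` would also explain why the lint exception exists instead of simply folding the comment.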
@@ -39,17 +39,20 @@ gitlabrunner_extra_volumes: [] # The maximum overall concurrent running jobs. This is the most upper limit of number of jobs using all defined runners, local and autoscale. gitlabrunner_concurrent: 1 -# The interval in seconds, to check for available jobs. (0 means default value is used. See https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-check_interval-works) +# The interval in seconds, to check for available jobs. (0 means default value is used. +# See https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-check_interval-works) gitlabrunner_check_interval: 0 # This is used to define all the runners, that may be served by this gitlab-runner +# !! YOU WILL NEED TO ADJUST THIS! BELOW IS A FULL EXAMPLE! gitlabrunner_runners: # The URL of the instance that this runner should be associated with - gitlab_url: https://gitlab.example.com # The token that you received when registering the runner (not the register token!!!) # Register a runner first to obtain a token: https://docs.gitlab.com/runner/register/index.html#docker - # Can be done via the API and the registration token: eg. `curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token="` + # Can be done via the API and the registration token: + # curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token=" gitlab_token: # The name of the runner 
@@ -82,15 +85,22 @@ gitlabrunner_runners: # The "MachineOptions" field with parameters that depend on the driver (these usually provide the api token, which machine type is used etc...) # This for example are parameters for the Hetzner driver (but remember, that this will need the hetzner docker-machine plugin) + # The options can also be omitted if you do not need any. machine_options: - hetzner-api-token: "TOKENHERE" # The Hetzner specific API token - hetzner-image: "debian-10" # The image that should be used for new machines - hetzner-server-type: "cx11" # The server type (the hardware configuration) to use for a new machine - hetzner-server-location: "fsn1" # The server location to use for a new machine + # The Hetzner specific API token + hetzner-api-token: "TOKENHERE" + # The image that should be used for new machines + hetzner-image: "debian-10" + # The server type (the hardware configuration) to use for a new machine + hetzner-server-type: "cx11" + # The server location to use for a new machine + hetzner-server-location: "fsn1" - # S3 Runner cache configuration to improve performance between runs (see https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching) - # cache_s3: - # server: s3.example.com - # access_key: "" - # secret_key: "" - # bucket: "runner" + # S3 Runner cache configuration to improve performance between runs + # (see https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching) + # The options can also be omitted if you do not want to configure a cache + cache_s3: + server: s3.example.com + access_key: "" + secret_key: "" + bucket: "runner" diff --git a/roles/mastodon/handlers/main.yml b/roles/mastodon/handlers/main.yml new file mode 100644 index 0000000..3039150 --- /dev/null +++ b/roles/mastodon/handlers/main.yml 
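Review bot: Uncommenting `cache_s3:` turns the former example into an active role default, so a play that does not override `gitlabrunner_runners` now ships a cache block pointing at `s3.example.com` with empty `access_key`/`secret_key`, alongside the placeholder `hetzner-api-token: "TOKENHERE"` in `machine_options`; the new comment says the block "can also be omitted", but the default itself no longer omits it. Credentials and API tokens should not live in `defaults/main.yml` at all — this repository already pulls the GitLab SMTP password through `lookup('passwordstore', ...)` in roles/gitlab/defaults/main.yml, and the same pattern (or an inventory/vault override) fits here. At minimum, state in the comment that the runner will try to use these placeholder values verbatim if they are not overridden, e.g. `# These values are placeholders and are used as-is unless overridden — do not keep real tokens here`.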
@@ -0,0 +1,15 @@ +--- +# Handlers file for the mastodon role + +- name: Pull mastodon image + docker_image: + name: "docker.io/tootsuite/mastodon:{{ mastodon_image_version }}" + source: pull + become: true + +- name: Stop mastodon for upgrade + docker_compose: + state: present + project_src: "{{ mastodon_install_location }}" + stopped: true + become: true diff --git a/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml index c026811..698c585 100644 --- a/roles/mastodon/tasks/main.yml +++ b/roles/mastodon/tasks/main.yml @@ -82,29 +82,10 @@ changed_when: mastodon_version_fact.rc > 0 failed_when: false become: true + notify: ["Pull mastodon image", "Stop mastodon for upgrade"] -- name: Pull an mastodon image - docker_image: - name: "docker.io/tootsuite/mastodon:{{ mastodon_image_version }}" - source: pull - become: true - tags: - - docker - - mastodon - when: - - mastodon_version_fact is changed - -- name: Stop mastodon for upgrade - docker_compose: - state: present - project_src: "{{ mastodon_install_location }}" - stopped: true - tags: - - docker - - mastodon - become: true - when: - - mastodon_version_fact is changed +- name: Immediately run / flush Ansible handlers + meta: "flush_handlers" - name: Deploy config template: @@ -134,6 +115,7 @@ args: chdir: "{{ mastodon_install_location }}" when: + # noqa no-handler - mastodon_version_fact is changed tags: - docker @@ -147,6 +129,7 @@ args: chdir: "{{ mastodon_install_location }}" when: + # noqa no-handler - mastodon_version_fact is changed tags: - docker diff --git a/roles/matrix/defaults/main.yml b/roles/matrix/defaults/main.yml index a148571..83e1ac4 100644 --- a/roles/matrix/defaults/main.yml +++ b/roles/matrix/defaults/main.yml 
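Review bot: The new `Pull mastodon image` handler keeps `source: pull` without `force_source`, and as I understand the `docker_image` module this means no pull happens when the requested tag is already present locally — fine for a fresh version tag, but a mutable `mastodon_image_version` (for example `latest`) would not be refreshed even though the version-check task reported a change. If that case is in scope, `force_source: true` makes the handler re-pull; otherwise a comment such as `# Only pulls when the tag is not yet present locally; version bumps therefore always fetch` documents the assumption. Handlers also run in the order they appear in this file, not in notify order, so it is worth stating that `Pull mastodon image` is deliberately listed before `Stop mastodon for upgrade`.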
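Review bot: `meta: "flush_handlers"` in roles/mastodon/tasks/main.yml flushes every handler notified so far in the play, not just the two named in the new `notify:` list, so any handler queued by earlier roles or tasks will also fire at this point; whether that matters depends on the play layout outside this hunk. A comment on the task would make the intent clear, e.g. `# Runs the pull/stop handlers now (and any other pending handlers) so the upgrade tasks below see a stopped, up-to-date image`. The subsequent tasks still gate on `mastodon_version_fact is changed`, which is consistent with the handlers only being notified from that same task; the `# noqa no-handler` lines in the two later hunks cover the remaining lint findings for that pattern.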
@@ -34,7 +34,8 @@ matrix_traefik_certresolver: letsencrypt_http matrix_synapse_servername: matrix.example.com matrix_synapse_domain: "{{ matrix_synapse_servername }}" -# Additional synapse ENV options (keys will automatically be prefixed with SYNAPSE_) see https://github.com/matrix-org/synapse/tree/develop/docker#generating-a-configuration-file +# Additional synapse ENV options (keys will automatically be prefixed with SYNAPSE_) +# see https://github.com/matrix-org/synapse/tree/develop/docker#generating-a-configuration-file # Note: Some keys are needed for generating the initial config file like "SYNAPSE_REPORT_STATS" and "SYNAPSE_SERVER_NAME"! matrix_synapse_options: {} diff --git a/roles/minecraft/defaults/main.yml b/roles/minecraft/defaults/main.yml index 1758e38..67db3ae 100644 --- a/roles/minecraft/defaults/main.yml +++ b/roles/minecraft/defaults/main.yml @@ -34,7 +34,7 @@ minecraft_rcon_certresolver: letsencrypt_http minecraft_rcon_domain: minecraft.example.com # Should the RCON webinterface be deployed? -minecraft_enable_rcon_web: False +minecraft_enable_rcon_web: false # The RCON password minecraft_rcon_password: "CHANGEME" diff --git a/roles/minecraft_blockmap/defaults/main.yml b/roles/minecraft_blockmap/defaults/main.yml index 88613c1..d6cad0e 100644 --- a/roles/minecraft_blockmap/defaults/main.yml +++ b/roles/minecraft_blockmap/defaults/main.yml 
@@ -43,8 +43,9 @@ minecraft_blockmap_timer_enabled: true minecraft_blockmap_timer_state: 'started' # The input location, where the world resides in, that should be rendered. -# ! NOTE: This is relative to the lvm volume root (eg. a volume covering `/srv` will result in an input path `/minecraft/data/WORLDNAME` if a minecraft server is installed under /srv/minecraft) -# minecraft_blockmap_input_location: "/YOUR/PATH/TO/MC_WORLD" +# ! NOTE: This is relative to the lvm volume root +# (eg. a volume covering `/srv` will result in an input path `/minecraft/data/WORLDNAME` if a minecraft server is installed under /srv/minecraft) +minecraft_blockmap_input_location: # Additional parameters, that should be passed to the blockmap-cli minecraft_blockmap_parameters: "" diff --git a/roles/moby_engine/tasks/Fedora-32.yml b/roles/moby_engine/tasks/Fedora-32.yml index 3a355f5..3cfae05 100644 --- a/roles/moby_engine/tasks/Fedora-32.yml +++ b/roles/moby_engine/tasks/Fedora-32.yml @@ -33,7 +33,7 @@ - name: Check if line is present shell: cat /etc/default/grub | grep GRUB_CMDLINE_LINUX_DEFAULT - changed_when: False + changed_when: false ignore_errors: true register: moby_engine_grub_default diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml index a9bdd96..4b2d4c3 100644 --- a/roles/monitoring/tasks/main.yml +++ b/roles/monitoring/tasks/main.yml @@ -85,6 +85,7 @@ wait_for: timeout: 30 delegate_to: localhost + # noqa no-handler when: monitoring_compose is changed - name: Include influxdb management diff --git a/roles/telegraf/defaults/main.yml b/roles/telegraf/defaults/main.yml index f6095f3..a316f9e 100644 --- a/roles/telegraf/defaults/main.yml +++ b/roles/telegraf/defaults/main.yml 
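Review bot: Replacing the commented-out example with a bare `minecraft_blockmap_input_location:` makes the default a YAML `null`, not "unset": the variable is now defined, `is defined` checks pass, `default()` will not substitute, and a template using it will render the null rather than failing early with an undefined-variable error. Either keep the key commented out so a missing override fails loudly (as the removed `# minecraft_blockmap_input_location: "/YOUR/PATH/TO/MC_WORLD"` did), or keep it defined and add an `assert` task in the role that checks the value is a non-empty path before it is used. If the bare key stays, say so in the comment, e.g. `# Must be overridden; left empty (null) here on purpose`.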
@@ -44,14 +44,14 @@ telegraf_influxdb_retention_policy_tag: "" # Telegraf agent configuration (see https://docs.influxdata.com/telegraf/v1.15/administration/configuration/) telegraf_agent_hostname: "{{ ansible_fqdn }}" telegraf_agent_interval: 10 -telegraf_agent_debug: False +telegraf_agent_debug: false telegraf_agent_round_interval: true telegraf_agent_flush_interval: 10 telegraf_agent_flush_jitter: 5 telegraf_agent_collection_jitter: 5 telegraf_agent_metric_batch_size: 2000 telegraf_agent_metric_buffer_limit: 1000000 -telegraf_agent_omit_hostname: False +telegraf_agent_omit_hostname: false # The telegraf config's [global_tags] section (see https://docs.influxdata.com/telegraf/v1.15/administration/configuration/) telegraf_global_tags: [] diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml index 725c9f6..1033437 100644 --- a/roles/traefik/defaults/main.yml +++ b/roles/traefik/defaults/main.yml 
@@ -50,10 +50,16 @@ traefik_docker_bridge_name: docker-proxy # which results in the containers only seeing clients connecting with the internal network IPv4 gateway address. traefik_ipv6: enabled: false - firewall_rules_enabled: false # This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443 with a destination of the specified IP (traefik's IP). TL;DR: Should IPv6 traffic be forwarded/allowed to traefik. - subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}" # The subnet that should be used. Usually has to have a size of at least `/80` (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster) - ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ipaddr('2') | ipaddr('address') }}" # The traefik container will use this static address, unless you explicitly use `{{ omit }}` - name: traefik_ipv6 # The name of the special ipv6 network which will be created and added to the traefik container + # This controls, if iptable rules should be deployed, to forward incoming traffic from 80/443 with a destination of the specified IP (traefik's IP). + # TL;DR: Should IPv6 traffic be forwarded/allowed to traefik. + firewall_rules_enabled: false + # The subnet that should be used. 
Usually has to have a size of at least `/80` + # (see https://web.archive.org/web/20181113104036/https://docs.docker.com/v17.06/engine/userguide/networking/default_network/ipv6/#docker-ipv6-cluster) + subnet: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) }}" + # The traefik container will use this static address, unless you explicitly use `{{ omit }}` + ip_addr: "{{ ansible_default_ipv6.address | ipsubnet(64) | ipsubnet(80, 51966) | ipaddr('2') | ipaddr('address') }}" + # The name of the special ipv6 network which will be created and added to the traefik container + name: traefik_ipv6 # Should a general https redirect middleware be enabled for all hosts on the web endpoint? traefik_https_redirect_all: true @@ -70,7 +76,7 @@ traefik_dynamic_conf: options: default: minVersion: "VersionTLS12" - sniStrict: true # Can be disabled for local testing, which will lead to traefik serving it's default certificate if none can be found + sniStrict: true # Can be disabled for local testing, which will lead to traefik serving it's default certificate if none can be found cipherSuites: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384