saibotk-de/infrastructure
saibotk-de/infrastructure
1
0
Fork 0
Code Issues Pull requests Releases 42 Activity

vikunja: Add role

Browse source 
This patch introduces the new vikunja role. Vikunja is an easy and awesome ToDo application.
This commit is contained in:
saibotk 2021-09-16 05:42:23 +02:00
parent edec6eca26
commit ea3f4919c5
Signed by: saibotk
GPG key ID: 67585F0065E261D5
9 changed files with 800 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
playbooks/site.yml
View file

@ -35,3 +35,4 @@
- import_playbook: owncast.yml - import_playbook: owncast.yml
- import_playbook: factorio.yml - import_playbook: factorio.yml
- import_playbook: penpot.yml - import_playbook: penpot.yml
- import_playbook: vikunja.yml

27
playbooks/vikunja.yml Normal file
View file

@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- hosts: vikunja
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- vikunja
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python2.7/site-packages

37
roles/vikunja/README.md Normal file
View file

@ -0,0 +1,37 @@
Vikunja
=========
This will setup a [Vikunja](https://vikunja.io/) instance using their official docker container and traefik as a reverse proxy.
Requirements
------------
You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
**This role assumes that you have setup traefik with an endpoint called `websecure`.**
**You will also need to manually setup the services configuration file!**
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
Dependencies
------------
- docker
- docker-compose
- traefik
License
-------
GPL-3.0-only

288
roles/vikunja/defaults/main.yml Normal file
View file

@ -0,0 +1,288 @@
---
# Defaults variables for the vikunja role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# The install location
vikunja_install_location: /srv/vikunja
# The container data volume mount locations
vikunja_api_files_location: "{{ vikunja_install_location }}/files"
vikunja_redis_location: "{{ vikunja_install_location }}/redis"
vikunja_database_location: "{{ vikunja_install_location }}/database"
# The certresolver that is used by traefik for the frontend domain
vikunja_frontend_traefik_certresolver: letsencrypt_http
# The domain that traefik will server vikunja's API under
vikunja_frontend_domain: "vikunja.example.com"
# The certresolver that is used by traefik for the api domain
vikunja_api_traefik_certresolver: letsencrypt_http
# The domain that traefik will server vikunja's API under
vikunja_api_domain: "{{ vikunja_frontend_domain }}"
# The database password to use
vikunja_database_password: "{{ lookup('passwordstore', vikunja_api_domain + '/db create=true length=42') }}"
# Container versions
# renovate: depName=docker.io/vikunja/api
vikunja_version: "0.18.1"
# renovate: depName=docker.io/library/postgres
vikunja_database_version: "13.4"
# renovate: depName=docker.io/library/redis
vikunja_redis_version: "6"
# Container tag definitions
vikunja_api_image_version: "{{ vikunja_version }}"
vikunja_frontend_image_version: "{{ vikunja_version }}"
vikunja_database_image_version: "{{ vikunja_database_version }}-alpine"
vikunja_redis_image_version: "{{ vikunja_redis_version }}"
# Enable or disable selinux handling
vikunja_selinux_enabled: true
# The SELinux levels for vikunja folders/container
vikunja_selinux_level: "{{ omit }}"
# Application Configuration
# Service section
# Set the motd message, available from the /info endpoint
# Will be disabled if empty
vikunja_service_motd: ""
# This token is used to verify issued JWT tokens.
# Default (empty string) is a random token which will be generated at each startup of vikunja.
# (This means all already issued tokens will be invalid once you restart vikunja)
vikunja_service_jwtsecret: ""
# Enable the caldav endpoint, see the docs for more details
vikunja_service_enablecaldav: true
# Enable sharing of lists via a link
vikunja_service_enablelinksharing: true
# Whether to let new users registering themselves or not
vikunja_service_enableregistration: true
# Whether to enable task attachments or not
vikunja_service_enabletaskattachments: true
# The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
vikunja_service_timezone: "GMT"
# Whether task comments should be enabled or not
vikunja_service_enabletaskcomments: true
# Whether totp is enabled. In most cases you want to leave that enabled.
vikunja_service_enabletotp: true
# If enabled, vikunja will send an email to everyone who is either assigned to a task or created it when a task reminder
# is due.
vikunja_service_enableemailreminders: true
# If true, will allow users to request the complete deletion of their account. When using external authentication methods
# it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
# for user deletion.
vikunja_service_enableuserdeletion: true
# Mailer section
vikunja_mailer:
# Whether to enable the mailer or not. If it is disabled, all users are enabled right away and password reset is not possible.
enabled: false
# SMTP Host
host: ""
# SMTP Host port
port: 587
# SMTP username
username: "user"
# SMTP password
password: ""
# Wether to skip verification of the tls certificate on the server
skiptlsverify: false
# The default from address when sending emails
fromemail: "mail@vikunja"
# The length of the mail queue.
queuelength: 100
# The timeout in seconds after which the current open connection to the mailserver will be closed.
queuetimeout: 30
# By default, vikunja will try to connect with starttls, use this option to force it to use ssl.
forcessl: false
# Log section
vikunja_log:
# Whether to show any logging at all or none
enabled: true
# Where the normal log should go. Possible values are stdout, stderr, file or off to disable standard logging.
standard: "stdout"
# Change the log level. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
level: "WARNING"
# Whether or not to log database queries. Useful for debugging. Possible values are stdout, stderr, file or off to disable database logging.
database: "off"
# The log level for database log messages. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
databaselevel: "WARNING"
# Whether to log http requests or not. Possible values are stdout, stderr, file or off to disable http logging.
http: "off"
# Echo has its own logging which usually is unnessecary, which is why it is disabled by default. Possible values are stdout, stderr, file or off to disable standard logging.
echo: "off"
# Whether or not to log events. Useful for debugging. Possible values are stdout, stderr, file or off to disable events logging.
events: "stdout"
# The log level for event log messages. Possible values (case-insensitive) are ERROR, INFO, DEBUG.
eventslevel: "error"
# Rate limit section
vikunja_ratelimit:
# whether or not to enable the rate limit
enabled: false
# The kind on which rates are based. Can be either "user" for a rate limit per user or "ip" for an ip-based rate limit.
kind: user
# The time period in seconds for the limit
period: 60
# The max number of requests a user is allowed to do in the configured time period
limit: 100
# The store where the limit counter for each user is stored.
# Possible values are "keyvalue", "memory" or "redis".
# When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
store: redis
# Files section
# The maximum size of a file, as a human-readable string.
# Warning: The max size is limited 2^64-1 bytes due to the underlying datatype
vikunja_files_maxsize: "50MB"
# Migration section
vikunja_migration:
wunderlist:
# Wheter to enable the wunderlist migrator or not
enable: false
# The client id, required for making requests to the wunderlist api
# You need to register your vikunja instance at https://developer.wunderlist.com/apps/new to get this
clientid:
# The client secret, also required for making requests to the wunderlist api
clientsecret:
# The url where clients are redirected after they authorized Vikunja to access their wunderlist stuff.
# This needs to match the url you entered when registering your Vikunja instance at wunderlist.
# This is usually the frontend url where the frontend then makes a request to /migration/wunderlist/migrate
# with the code obtained from the wunderlist api.
# Note that the vikunja frontend expects this to be /migrate/wunderlist
redirecturl: <frontend url>/migrate/wunderlist
todoist:
# Wheter to enable the todoist migrator or not
enable: false
# The client id, required for making requests to the todoist api
# You need to register your vikunja instance at https://developer.todoist.com/appconsole.html to get this
clientid:
# The client secret, also required for making requests to the todoist api
clientsecret:
# The url where clients are redirected after they authorized Vikunja to access their todoist items.
# This needs to match the url you entered when registering your Vikunja instance at todoist.
# This is usually the frontend url where the frontend then makes a request to /migration/todoist/migrate
# with the code obtained from the todoist api.
# Note that the vikunja frontend expects this to be /migrate/todoist
redirecturl: <frontend url>/migrate/todoist
trello:
# Wheter to enable the trello migrator or not
enable: false
# The client id, required for making requests to the trello api
# You need to register your vikunja instance at https://trello.com/app-key (log in before you visit that link) to get this
key:
# The url where clients are redirected after they authorized Vikunja to access their trello cards.
# This needs to match the url you entered when registering your Vikunja instance at trello.
# This is usually the frontend url where the frontend then makes a request to /migration/trello/migrate
# with the code obtained from the trello api.
# Note that the vikunja frontend expects this to end on /migrate/trello.
redirecturl: <frontend url>/migrate/trello
microsofttodo:
# Wheter to enable the microsoft todo migrator or not
enable: false
# The client id, required for making requests to the microsoft graph api
# See https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application
# for information about how to register your vikuinja instance.
clientid:
# The client secret, also required for making requests to the microsoft graph api
clientsecret:
# The url where clients are redirected after they authorized Vikunja to access their microsoft todo tasks.
# This needs to match the url you entered when registering your Vikunja instance at microsoft.
# This is usually the frontend url where the frontend then makes a request to /migration/microsoft-todo/migrate
# with the code obtained from the microsoft graph api.
# Note that the vikunja frontend expects this to be /migrate/microsoft-todo
redirecturl: <frontend url>/migrate/microsoft-todo
# Avatar section
vikunja_avatar:
# When using gravatar, this is the duration in seconds until a cached gravatar user avatar expires
gravatarexpiration: 3600
# Backgrounds section
vikunja_backgrounds:
# Whether to enable backgrounds for lists at all.
enabled: true
providers:
upload:
# Whethere to enable uploaded list backgrounds
enabled: true
unsplash:
# Whether to enable setting backgrounds from unsplash as list backgrounds
enabled: false
# You need to create an application for your installation at https://unsplash.com/oauth/applications/new
# and set the access token below.
accesstoken:
# The unsplash application id is only used for pingback and required as per their api guidelines.
# You can find the Application ID in the dashboard for your API application. It should be a numeric ID.
# It will only show in the UI if your application has been approved for Enterprise usage, therefore if
# youre in Demo mode, you can also find the ID in the URL at the end: https://unsplash.com/oauth/applications/:application_id
applicationid:
# Legal section
# Used to configure the legal URLs.
# Will be shown in the frontend if configured here
vikunja_legal:
imprinturl:
privacyurl:
# Auth section
# Local authentication will let users log in and register (if enabled) through the db.
# This is the default auth mechanism and does not require any additional configuration.
# Enable or disable local authentication
vikunja_auth_local_enabled: true
# OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
# The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
# **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
# If the email is not public in those cases, authenticating will fail.
# **Note 2:** The frontend expects to be redirected after authentication by the third party
# to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
# auth service accordingy if you're using the default vikunja frontend.
# Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
# Enable or disable OpenID Connect authentication
vikunja_auth_openid_enabled: false
# A list of enabled providers
vikunja_auth_openid_providers:
# The name of the provider as it will appear in the frontend.
- name:
# The auth url to send users to if they want to authenticate using OpenID Connect.
authurl:
# The client ID used to authenticate Vikunja at the OpenID Connect provider.
clientid:
# The client secret used to authenticate Vikunja at the OpenID Connect provider.
clientsecret:
# Metrics section
vikunja_metrics:
# If set to true, enables a /metrics endpoint for prometheus to collect metrics about Vikunja.
enabled: false
# If set to a non-empty value the /metrics endpoint will require this as a username via basic auth in combination with the password below.
username:
# If set to a non-empty value the /metrics endpoint will require this as a password via basic auth in combination with the username below.
password:

26
roles/vikunja/handlers/main.yml Normal file
View file

@ -0,0 +1,26 @@
---
# handlers file for vikunja
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Restart vikunja-api
docker_compose:
services:
- api
project_src: "{{ vikunja_install_location }}"
restarted: true
become: true

17
roles/vikunja/meta/main.yml Normal file
View file

@ -0,0 +1,17 @@
galaxy_info:
author: saibotk
description: Installs vikunja via docker.
license: GPL-3.0-only
min_ansible_version: 2.9
platforms:
- name: CentOS
versions:
- 7
galaxy_tags: []
dependencies:
- docker
- docker_compose
- traefik

89
roles/vikunja/tasks/main.yml Normal file
View file

@ -0,0 +1,89 @@
---
# Tasks file for the vikunja role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2019-2020 Alexander (w4tsn) Wellbrock
# Copyright (C) 2020-2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
- name: Update default SELinux contexts
sefcontext:
target: '{{ item }}(/.*)?'
setype: "container_file_t"
state: present
with_items:
- "{{ vikunja_database_location }}"
- "{{ vikunja_api_files_location }}"
when:
- vikunja_selinux_enabled
become: true
- name: Create install directory
file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ vikunja_install_location }}"
become: true
- name: Create data directories
file: # noqa risky-file-permissions # Container manages permissions on its own
path: "{{ item }}"
state: directory
setype: "container_file_t"
with_items:
- "{{ vikunja_database_location }}"
- "{{ vikunja_api_files_location }}"
become: true
- name: Deploy docker-compose.yml
template:
src: "docker-compose.yml"
dest: "{{ vikunja_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- vikunja
become: true
- name: Deploy config.yml
template:
src: "config.yml"
dest: "{{ vikunja_install_location }}/config.yml"
owner: '1000'
group: 'root'
mode: '0600'
setype: "container_file_t"
selevel: "{{ vikunja_selinux_level }}"
notify: "Restart vikunja-api"
become: true
- name: Compose vikunja
docker_compose:
state: present
project_src: "{{ vikunja_install_location }}"
pull: true
remove_orphans: true
tags:
- docker
- vikunja
become: true

189
roles/vikunja/templates/config.yml Normal file
View file

@ -0,0 +1,189 @@
{{ ansible_managed | comment }}
# Vikunja application configuration
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
service:
{% if vikunja_service_jwtsecret | length %}
# This token is used to verify issued JWT tokens.
# Default is a random token which will be generated at each startup of vikunja.
# (This means all already issued tokens will be invalid once you restart vikunja)
JWTSecret: "{{ vikunja_service_jwtsecret }}"
{% endif %}
# The interface on which to run the webserver
interface: ":3456"
# The URL of the frontend, used to send password reset emails.
frontendurl: "https://{{ vikunja_frontend_domain }}/"
# The base path on the file system where the binary and assets are.
# Vikunja will also look in this path for a config file, so you could provide only this variable to point to a folder
# with a config file which will then be used.
rootpath: "/app/vikunja/"
# The max number of items which can be returned per page
maxitemsperpage: 50
# Enable the caldav endpoint, see the docs for more details
enablecaldav: {{ vikunja_service_enablecaldav | bool }}
{% if vikunja_service_motd | length %}
# Set the motd message, available from the /info endpoint
motd: "{{ vikunja_service_motd }}"
{% endif %}
# Enable sharing of lists via a link
enablelinksharing: {{ vikunja_service_enablelinksharing | bool }}
# Whether to let new users registering themselves or not
enableregistration: {{ vikunja_service_enableregistration | bool }}
# Whether to enable task attachments or not
enabletaskattachments: {{ vikunja_service_enabletaskattachments | bool }}
# The time zone all timestamps are in. Please note that time zones have to use [the official tz database names](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). UTC or GMT offsets won't work.
timezone: {{ vikunja_service_timezone }}
# Whether task comments should be enabled or not
enabletaskcomments: {{ vikunja_service_enabletaskcomments | bool }}
# Whether totp is enabled. In most cases you want to leave that enabled.
enabletotp: {{ vikunja_service_enabletotp | bool }}
# If not empty, enables logging of crashes and unhandled errors in sentry.
# sentrydsn: ''
# If not empty, this will enable `/test/{table}` endpoints which allow to put any content in the database.
# Used to reset the db before frontend tests. Because this is quite a dangerous feature allowing for lots of harm,
# each request made to this endpoint neefs to provide an `Authorization: <token>` header with the token from below. <br/>
# **You should never use this unless you know exactly what you're doing**
# testingtoken: ''
# If enabled, vikunja will send an email to everyone who is either assigned to a task or created it when a task reminder
# is due.
enableemailreminders: {{ vikunja_service_enableemailreminders | bool }}
# If true, will allow users to request the complete deletion of their account. When using external authentication methods
# it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
# for user deletion.
enableuserdeletion: {{ vikunja_service_enableuserdeletion | bool }}
database:
# Database type to use. Supported types are mysql, postgres and sqlite.
type: "postgres"
# Database user which is used to connect to the database.
user: "vikunja"
# Databse password
password: "{{ vikunja_database_password }}"
# Databse host
host: "db"
# Databse to use
database: "vikunja"
# When using sqlite, this is the path where to store the data
# path: "./vikunja.db"
# Sets the max open connections to the database. Only used when using mysql and postgres.
maxopenconnections: 100
# Sets the maximum number of idle connections to the db.
maxidleconnections: 50
# The maximum lifetime of a single db connection in miliseconds.
maxconnectionlifetime: 10000
# Secure connection mode. Only used with postgres.
# (see https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection_String_Parameters)
sslmode: disable
# Enable SSL/TLS for mysql connections. Options: false, true, skip-verify, preferred
tls: false
cache:
# If cache is enabled or not
enabled: true
# Cache type. Possible values are "keyvalue", "memory" or "redis".
# When choosing "keyvalue" this setting follows the one configured in the "keyvalue" section.
# When choosing "redis" you will need to configure the redis connection seperately.
type: redis
# When using memory this defines the maximum size an element can take
maxelementsize: 1000
redis:
# Whether to enable redis or not
enabled: true
# The host of the redis server including its port.
host: 'redis:6379'
# The password used to authenicate against the redis server
password: ''
# 0 means default database
db: 0
cors:
# Whether to enable or disable cors headers.
# Note: If you want to put the frontend and the api on seperate domains or ports, you will need to enable this.
# Otherwise the frontend won't be able to make requests to the api through the browser.
enable: true
# A list of origins which may access the api. These need to include the protocol (`http://` or `https://`) and port, if any.
origins:
- "https://{{ vikunja_frontend_domain }}"
# How long (in seconds) the results of a preflight request can be cached.
maxage: 0
mailer:
{{ vikunja_mailer | to_nice_yaml(indent=2) | indent(2) }}
log:
{{ vikunja_log | to_nice_yaml(indent=2) | indent(2) }}
ratelimit:
{{ vikunja_ratelimit | to_nice_yaml(indent=2) | indent(2) }}
files:
# The path where files are stored
basepath: ./files # relative to the binary
# The maximum size of a file, as a human-readable string.
# Warning: The max size is limited 2^64-1 bytes due to the underlying datatype
maxsize: {{ vikunja_files_maxsize }}
migration:
{{ vikunja_migration | to_nice_yaml(indent=2) | indent(2) }}
avatar:
{{ vikunja_avatar | to_nice_yaml(indent=2) | indent(2) }}
backgrounds:
{{ vikunja_backgrounds | to_nice_yaml(indent=2) | indent(2) }}
# Legal urls
# Will be shown in the frontend if configured here
legal:
{{ vikunja_legal | to_nice_yaml(indent=2) | indent(2) }}
# Key Value Storage settings
# The Key Value Storage is used for different kinds of things like metrics and a few cache systems.
keyvalue:
# The type of the storage backend. Can be either "memory" or "redis". If "redis" is chosen it needs to be configured seperately.
type: "memory"
auth:
# Local authentication will let users log in and register (if enabled) through the db.
# This is the default auth mechanism and does not require any additional configuration.
local:
# Enable or disable local authentication
enabled: {{ vikunja_auth_local_enabled | bool }}
# OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
# The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
# **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
# If the email is not public in those cases, authenticating will fail.
# **Note 2:** The frontend expects to be redirected after authentication by the third party
# to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
# auth service accordingy if you're using the default vikunja frontend.
# Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
openid:
# Enable or disable OpenID Connect authentication
enabled: {{ vikunja_auth_openid_enabled | bool }}
# The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
# frontend, you don't need to change this value.
# redirecturl: <frontend url>
# A list of enabled providers
providers:
{{ vikunja_auth_openid_providers | to_nice_yaml(indent=2) | indent(6) }}
# Prometheus metrics endpoint
metrics:
{{ vikunja_metrics | to_nice_yaml(indent=2) | indent(2) }}

126
roles/vikunja/templates/docker-compose.yml Normal file
View file

@ -0,0 +1,126 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
version: '2'
services:
api:
image: docker.io/vikunja/api:{{ vikunja_api_image_version }}
depends_on:
- db
- redis
volumes:
- "{{ vikunja_install_location }}/config.yml:/app/vikunja/config.yml:ro"
- "{{ vikunja_api_files_location }}:/app/vikunja/files"
networks:
database:
{% if proxy_network is defined %}
{{ proxy_network }}:
{% endif %}
restart: always
{% if vikunja_selinux_level != omit %}
security_opt:
- label=level:{{ vikunja_selinux_level }}
{% endif %}
labels:
- "traefik.enable=true"
- "traefik.http.routers.vikunja-api.rule=Host(`{{ vikunja_api_domain }}`) && PathPrefix(`/api/v1`, `/dav/`, `/.well-known/`)"
- "traefik.http.routers.vikunja-api.entrypoints=websecure"
- "traefik.http.routers.vikunja-api.tls.certresolver={{ vikunja_api_traefik_certresolver }}"
- "traefik.http.routers.vikunja-api.middlewares=vikunja-api,compress"
- "traefik.http.services.vikunja-api.loadbalancer.server.port=3456"
- "traefik.http.middlewares.vikunja-api.headers.sslredirect=true"
- "traefik.http.middlewares.vikunja-api.headers.stsSeconds=63072000"
- "traefik.http.middlewares.vikunja-api.headers.referrerPolicy=no-referrer"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.vikunja-api.headers.customresponseheaders.alt-svc:h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
frontend:
image: docker.io/vikunja/frontend:{{ vikunja_frontend_image_version }}
restart: always
mem_limit: 10mb
memswap_limit: 15mb
security_opt:
- no-new-privileges
labels:
- "traefik.enable=true"
- "traefik.http.routers.vikunja-frontend.rule=Host(`{{ vikunja_frontend_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.vikunja-frontend.entrypoints=websecure"
- "traefik.http.routers.vikunja-frontend.tls.certresolver={{ vikunja_frontend_traefik_certresolver }}"
- "traefik.http.routers.vikunja-frontend.middlewares=vikunja-frontend,compress"
- "traefik.http.services.vikunja-frontend.loadbalancer.server.port=80"
- "traefik.http.middlewares.vikunja-frontend.headers.sslredirect=true"
- "traefik.http.middlewares.vikunja-frontend.headers.stsSeconds=63072000"
- "traefik.http.middlewares.vikunja-frontend.headers.referrerPolicy=no-referrer"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.vikunja-frontend.headers.customresponseheaders.alt-svc:h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
{% if proxy_network is defined %}
networks:
{{ proxy_network }}:
{% endif %}
db:
image: docker.io/library/postgres:{{ vikunja_database_image_version }}
restart: always
mem_limit: 512mb
memswap_limit: 768mb
read_only: true
security_opt:
- no-new-privileges
tmpfs:
- /run/postgresql:size=512K
- /tmp:size=128K
stop_grace_period: 2m
stop_signal: SIGINT
environment:
- POSTGRES_DB=vikunja
- POSTGRES_USER=vikunja
- POSTGRES_PASSWORD={{ vikunja_database_password }}
volumes:
- "{{ vikunja_database_location }}:/var/lib/postgresql/data"
networks:
database:
redis:
image: "docker.io/library/redis:{{ vikunja_redis_image_version }}"
mem_limit: 512mb
memswap_limit: 768mb
restart: always
volumes:
- {{ vikunja_redis_location }}:/data
networks:
database:
networks:
database:
{% if proxy_network is defined %}
{{ proxy_network }}:
external: true
{% endif %}