
No commits in common. "master" and "v24.01" have entirely different histories.

345 changed files with 12637 additions and 4959 deletions


@ -1,22 +1,14 @@
[defaults]
playbook_dir = ./playbooks
roles_path = ./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
inventory = ./inventory
retry_files_enabled = false
vault_password_file = .vault_pass
retry_files_enabled = False
nocows=True
use_persistent_connections = True
interpreter_python = auto_silent
[connection]
pipelining = True
[ssh_connection]
transfer_method = piped
[privilege_escalation]
become_ask_pass = False
become_ask_pass = false
[galaxy]
role_skeleton = ./.ansible/skeleton/default
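Review bot: `vault_password_file = .vault_pass` points Ansible at a plaintext vault password file next to the repository's config. The +/- markers are lost in this rendering, so this applies only if the line is on the new side. Nothing in this section shows that the file is kept out of version control or restricted to its owner, so confirm `.vault_pass` is listed in `.gitignore` and created with mode 0600. A comment above the setting, `# .vault_pass is local-only and must never be committed`, would make that expectation explicit.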


@ -2,4 +2,3 @@
# Otherwise ansible-lint always tries to get a vault password and fails.
[defaults]
roles_path = ./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
collections_path = ./collections:~/.ansible/collections:/usr/share/ansible/collections:/etc/ansible/collections


@ -1,48 +0,0 @@
# Fedora 41 ISO install setup GUI
## Netcup stuff
- Setup Network mappings with hostnames / reverse addresses
- Assign IPv6 address from space
- Enable UEFI Boot
- Set VNC keymap to DE
## Anaconda Setup (GUI)
1. Select English US for installation
2. Change keyboard to de nodeadkeys
3. Choose Fedora Cloud Server and Guest Agents
4. Disk
- Choose Custom config
- Delete all existing paritions
- Choose Btrfs + encrypt
- Click to create automatically
- Done
- Enter disk encryption pw generated via pass
5. Network
- Set hostname
- Edit Interface
- Set IPv6 to Manual
- Enter address as given by provider
- Set Gateway to fe80::1
- Set IPv4 to Automatic (DHCP) addresses only
- Configure DNS Servers on IPv4 to
- 1.1.1.1
- 9.9.9.9
- Configure DNS Servers on IPv6 to
- 2606:4700:4700::1111
- 2620:fe::fe
6. Date/Time: Set to Berlin
- NTP Servers:
- Remove default pool
- Add time.cloudflare.com (only NTS ticked, not pool)
- Add sth1.nts.netnod.se (only NTS ticked, not pool)
7. User Account
- Leave root user disabled
- Add your own user, use temp PW and replace with pass generated when connected via SSH
## Ansible prep
Install python3-libdnf5
Workaround until Ansible version is released with this fix:
https://github.com/ansible/ansible/issues/84206


@ -1,12 +0,0 @@
- name: Install Caddy.
hosts: caddy
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true

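--- a/playbooks/camo.yml
+++ b/playbooks/camo.yml
@@ -0,0 +1,29 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure camo
+hosts: camo
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- camo
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages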
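Review bot: The play-level `environment:` puts `/opt/ansible-dependencies/lib/python…/site-packages` on `PYTHONPATH` for every task in the play, so modules executed on the host import from that tree, including any task that runs with elevated privileges. Nothing visible here establishes who may write to `/opt/ansible-dependencies`, so confirm it is root-owned and not group- or world-writable. The fallback `default(2.7)` is an unquoted float that selects an end-of-life interpreter path, and a version such as 3.10 written the same way would render as `3.1`; prefer `default('2.7')` and keep `env_ansible_deps_python_version` a quoted string. The same block is repeated in the other playbooks on this page (codimd, factorio, gitlab, keycloak and the rest), so defining the path once in a shared variable would make it easier to audit.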

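--- a/playbooks/codimd.yml
+++ b/playbooks/codimd.yml
@@ -0,0 +1,28 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure HedgeDoc
+hosts: codimd
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- codimd
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages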


@ -1,5 +0,0 @@
- name: Setup dnf.
hosts: dnf
roles:
- role: dnf
become: true


@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Docker IPv6 NAT
hosts: docker_ipv6_nat
roles:
- docker
- docker_compose
- docker_cleanup
- docker_ipv6_nat
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -1,17 +0,0 @@
- name: Install Element Web.
hosts: elementweb
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: elementweb
become: true

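--- a/playbooks/factorio.yml
+++ b/playbooks/factorio.yml
@@ -0,0 +1,27 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure Factorio
+hosts: factorio
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- factorio
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages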

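--- a/playbooks/gitlab.yml
+++ b/playbooks/gitlab.yml
@@ -0,0 +1,29 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure GitLab
+hosts: gitlab
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- gitlab
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages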


@ -0,0 +1,36 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure GitLab Runner
hosts: gitlab_runner
roles:
- docker
- docker_compose
- docker_cleanup
- gitlab_runner
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages
tasks:
- name: Install docker image prune crontab
ansible.builtin.cron:
name: "Prune unused docker images"
minute: "0"
hour: "*/4"
job: "docker image prune -f"
become: true


@ -1,17 +0,0 @@
- name: Install Hedgedoc.
hosts: hedgedoc
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: hedgedoc
become: true


@ -1,17 +1,29 @@
- name: Install Keycloak.
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Keycloak
hosts: keycloak
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: keycloak
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- keycloak
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages
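Review bot: The role entries on the new side are bare names (`- docker`, `- traefik`, `- keycloak`) with no `become`, whereas each replaced entry set `become: true`. The +/- markers are lost in this rendering, so this reading rests on the 17→29 line counts in the hunk header. Whether the roles escalate privileges themselves is not visible here, so confirm that each role's tasks set `become` where they need root, or state it once at play level with `become: true`. The mastodon, monitoring and teamspeak sections further down follow the same pattern.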


@ -1,4 +1,5 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
@ -17,12 +18,6 @@
- name: Install & configure LUKS SSH setup
hosts: luks_ssh
tasks:
- name: Install haveged
ansible.builtin.include_role:
name: haveged
when: ansible_kernel is version('5.4', '<')
- name: Install LUKS SSH
ansible.builtin.include_role:
name: luks_ssh
roles:
- haveged
- luks_ssh
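Review bot: The `roles:` list applies `haveged` to every `luks_ssh` host, whereas the replaced tasks included it only `when: ansible_kernel is version('5.4', '<')`; the 12→6 line counts of the second hunk indicate the `roles:` form is the new side. If the kernel guard is still wanted it can be kept at role level, with `- role: haveged` followed by `when: ansible_kernel is version('5.4', '<')`. If the unconditional install is intended, a one-line comment above the role list saying why would help the next reader.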


@ -0,0 +1,25 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure LVM self backup
hosts: lvm_self_backup
roles:
- docker
- lvm_self_backup
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -1,4 +1,5 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
@ -15,10 +16,13 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & prepare Mailcow setup & backup cronjob
- name: Install & configure Docker & backup cronjob
hosts: mailcow
roles:
- docker
- docker_compose
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages
tasks:
- name: Install backup crontab
ansible.builtin.cron:
@ -28,45 +32,5 @@
# yamllint disable-line rule:line-length
job: "MAILCOW_BACKUP_LOCATION=/srv/mailcow-backups /srv/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 2 2>&1 | /usr/bin/logger -t mailcow_data_backup"
become: true
- name: Install git
ansible.builtin.package:
name: "git"
state: "present"
become: true
- name: Clone mailcow # noqa latest[git]
ansible.builtin.git:
repo: "https://github.com/mailcow/mailcow-dockerized"
update: false
dest: "/srv/mailcow-dockerized"
become: true
- name: Create backup directory
ansible.builtin.file:
path: "/srv/mailcow-backups"
owner: "root"
group: "root"
state: directory
mode: "0755"
become: true
- name: Open ports
ansible.posix.firewalld:
state: enabled
permanent: true
immediate: true
zone: public
port: "{{ item }}"
loop:
- "25/tcp"
- "465/tcp"
- "587/tcp"
- "143/tcp"
- "993/tcp"
- "110/tcp"
- "995/tcp"
- "4190/tcp"
- "80/tcp"
- "443/tcp"
become: true
# Manual steps:
# - Open ports / disable postfix
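Review bot: The backup cron job still writes to `/srv/mailcow-backups`, but going by the 45→5 line counts of the last hunk the task that created that directory is gone and only the `# Manual steps:` comment remains, so the playbook no longer enforces the directory's owner and mode. Mail backups are sensitive, and the replaced task used `mode: "0755"`; consider keeping a directory task on the new side with a tighter mode, as sketched below. The manual-steps comment would also be more useful if it listed the ports to open, since the explicit firewalld port list no longer documents them.

```yaml
# … unchanged: backup crontab task …
- name: Create backup directory
  ansible.builtin.file:
    path: "/srv/mailcow-backups"
    owner: "root"
    group: "root"
    state: directory
    mode: "0700"
  become: true
```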


@ -1,17 +1,29 @@
- name: Install Mastodon.
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Mastodon
hosts: mastodon
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: mastodon
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- mastodon
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages

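--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -0,0 +1,28 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure Matrix
+hosts: matrix
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- matrix
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages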


@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Matrix Delegate
hosts: matrix_delegate
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- matrix_delegate
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Element Web
hosts: matrix_elementweb
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- matrix_elementweb
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Mauboot
hosts: matrix_maubot
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- matrix_maubot
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages
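Review bot: The play name in this section is misspelled as `Install & configure Mauboot`, while the host group and role are both `matrix_maubot`. It should read `- name: Install & configure Maubot`, so that run output and log searches match the service name used elsewhere on this page.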


@ -0,0 +1,27 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2023 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Matrix Sliding Sync
hosts: matrix_sliding_sync
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- matrix_sliding_sync
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Matrix Webhooks
hosts: matrix_webhooks
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- matrix_webhooks
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages

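--- a/playbooks/minecraft.yml
+++ b/playbooks/minecraft.yml
@@ -0,0 +1,28 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure Minecraft
+hosts: minecraft
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- minecraft
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages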


@ -0,0 +1,28 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure BlockMap
hosts: minecraft
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- minecraft_blockmap
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages

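--- a/playbooks/minio.yml
+++ b/playbooks/minio.yml
@@ -0,0 +1,29 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure MinIO
+hosts: minio
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- minio
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages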


@ -1,17 +1,40 @@
- name: Install Monitoring Suite with Grafana, Loki and Prometheus.
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure monitoring servers
hosts: monitoring
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: monitoring
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- monitoring
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages
- name: Install & configure monitoring clients
hosts: all
serial: 1
roles:
- docker
- docker_compose
- docker_cleanup
- telegraf
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages

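--- a/playbooks/owncast.yml
+++ b/playbooks/owncast.yml
@@ -0,0 +1,28 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure Owncast
+hosts: owncast
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- owncast
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages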

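--- a/playbooks/penpot.yml
+++ b/playbooks/penpot.yml
@@ -0,0 +1,28 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure Penpot
+hosts: penpot
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- penpot
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages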


@ -1,7 +0,0 @@
- name: Install and configure podman.
hosts: podman
roles:
- role: podman
become: true


@ -1 +0,0 @@
../roles


@ -1,17 +0,0 @@
- name: Install Saiblog.
hosts: saiblog
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: saiblog
become: true


@ -1,16 +1,63 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure unattended upgrades
import_playbook: unattended_upgrades.yml
- name: Install & configure ipv6 NAT for Docker
import_playbook: docker_ipv6_nat.yml
- name: Install & configure backup solution using LVM
import_playbook: lvm_self_backup.yml
- name: Install & configure GitLab
import_playbook: gitlab.yml
- name: Install & configure GitLab Runner
import_playbook: gitlab_runner.yml
- name: Install & configure camo
import_playbook: camo.yml
- name: Install & configure Keycloak
import_playbook: keycloak.yml
- name: Install & configure monitoring
import_playbook: monitoring.yml
- name: Install & configure MinIO
import_playbook: minio.yml
- name: Install & configure Mastodon
import_playbook: mastodon.yml
- name: Install & configure HedgeDoc
import_playbook: hedgedoc.yml
- name: Install & configure Synapse
import_playbook: synapse.yml
import_playbook: codimd.yml
- name: Install & configure Matrix
import_playbook: matrix.yml
- name: Install & configure Matrix Delegate
import_playbook: matrix_delegate.yml
- name: Install & configure Element Web
import_playbook: elementweb.yml
- name: Install & configure Saiblog
import_playbook: saiblog.yml
import_playbook: matrix_elementweb.yml
- name: Install & configure Matrix Webhooks
import_playbook: matrix_webhooks.yml
- name: Install & configure Maubot
import_playbook: matrix_maubot.yml
- name: Install & configure static websites
import_playbook: static_websites.yml
- name: Install & configure Teamspeak
import_playbook: teamspeak.yml
- name: Install & configure Owncast
import_playbook: owncast.yml
- name: Install & configure Factorio
import_playbook: factorio.yml
- name: Install & configure Penpot
import_playbook: penpot.yml
- name: Install & configure Vikunja
import_playbook: vikunja.yml
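Review bot: The import list does not cover every play added on this page: no visible `import_playbook` entry references `minecraft.yml`, nor the plays targeting `matrix_sliding_sync` and the BlockMap role, so a full run of this playbook would appear to skip them. The file names of those last two sections are not shown in this rendering, so the exact entries need checking against the tree. If the omission is deliberate, a short comment such as `# not imported here: minecraft, matrix_sliding_sync (run individually)` would record that.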


@ -1,4 +1,5 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
@ -22,4 +23,5 @@
- role: ssh
- role: devsec.hardening.ssh_hardening
become: true
- role: epel
- role: fail2ban


@ -0,0 +1,30 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure static websites
hosts: static_websites
serial: 1
roles:
- docker
- docker_compose
- docker_cleanup
- traefik
- static_websites
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -1,17 +0,0 @@
- name: Install Synapse.
hosts: synapse
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: synapse
become: true


@ -1,4 +1,5 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2022 Saibotk
@ -19,3 +20,5 @@
hosts: all
roles:
- sys_upgrade
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -1,12 +1,28 @@
- name: Install teamspeak3 server.
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Teamspeak
hosts: teamspeak
roles:
- role: podman
become: true
tags:
- always
- podman
- role: teamspeak
become: true
- docker
- docker_compose
- docker_cleanup
- traefik
- teamspeak
environment:
PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages


@ -0,0 +1,22 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Configure unattended upgrades
hosts: unattended_upgrades
roles:
- unattended_upgrades

28
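--- a/playbooks/vikunja.yml
+++ b/playbooks/vikunja.yml
@@ -0,0 +1,28 @@
+---
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2021 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Install & configure Vikunja
+hosts: vikunja
+roles:
+- docker
+- docker_compose
+- docker_cleanup
+- traefik
+- vikunja
+environment:
+PYTHONPATH: /opt/ansible-dependencies/lib/python{{ env_ansible_deps_python_version | default(2.7) }}/site-packages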


@ -1,16 +1,12 @@
---
collections:
- name: devsec.hardening
version: 10.1.0
version: 9.0.0
- name: community.general
version: 10.0.0
version: 8.1.0
- name: community.docker
version: 4.0.0
version: 3.5.0
- name: ansible.posix
version: 1.6.2
version: 1.5.4
- name: ansible.utils
version: 5.1.2
- name: containers.podman
version: 1.16.2
- name: fedora.linux_system_roles
version: 1.89.1
version: 3.0.0


@ -1,18 +0,0 @@
caddy_install_dir: /srv/caddy
caddy_container_image: docker.io/library/caddy
# renovate: depName=docker.io/library/caddy
caddy_image_tag: "2.8.4-alpine"
caddy_selinux_level: "{{ omit }}"
caddy_memory_high: 0
caddy_memory_low: 128m
caddy_swap_max: -1
caddy_letsencrypt_email: no-reply@example.com
# possible values: ed25519|p256|p384|rsa2048|rsa4096
caddy_letsencrypt_key_type: rsa4096
caddy_letsencrypt_ca_server: https://acme-staging-v02.api.letsencrypt.org/directory
caddy_log_level: warn


@ -1,20 +0,0 @@
- name: Apply new SELinux file context to filesystem.
ansible.builtin.command: "restorecon -irF {{ caddy_install_dir }}"
become: true
changed_when: true
listen: "caddy selinux context changed"
- name: Restart caddy service.
ansible.builtin.systemd:
state: restarted
name: "caddy"
daemon_reload: true
become: true
listen: "caddy service changed"
- name: Reload caddy service.
ansible.builtin.systemd:
state: reloaded
name: "caddy"
become: true
listen: "caddy config changed"


@ -1,18 +0,0 @@
galaxy_info:
author: histalek
description: Deploy Caddy with podman and systemd.
issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
license: GPL-3.0-only
min_ansible_version: "2.14"
platforms:
- name: Fedora
versions:
- "38"
- "39"
- "40"
standalone: true


@ -1,109 +0,0 @@
- name: Update default SELinux contexts.
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
selevel: "{{ caddy_selinux_level }}"
state: present
loop:
- "{{ caddy_install_dir }}/config"
- "{{ caddy_install_dir }}/data"
- "{{ caddy_install_dir }}/srv"
become: true
notify: "caddy selinux context changed"
- name: Create caddy directories.
ansible.builtin.file:
path: "{{ caddy_install_dir }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
become: true
- name: Ensure caddy directories and configs exist.
block:
- name: Stat caddy config directory.
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
- name: Create caddy directories.
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
mode: "0700"
loop:
- path: "{{ caddy_install_dir }}/config"
- path: "{{ caddy_install_dir }}/data"
- path: "{{ caddy_install_dir }}/srv"
become: true
- name: Deploy caddy configs.
ansible.builtin.template:
src: Caddyfile.j2
dest: "{{ caddy_install_dir }}/config/Caddyfile"
mode: "0600"
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
become: true
notify: "caddy config changed"
- name: Ensure container image is present on the host.
containers.podman.podman_image:
name: "{{ caddy_container_image }}"
state: present
tag: "{{ caddy_image_tag }}"
become: true
- name: Allow http and https.
ansible.posix.firewalld:
service: "{{ item }}"
zone: public
permanent: true
immediate: true
state: enabled
loop:
- http
- https
become: true
# Ref: https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
- name: Set maximum udp send/receive buffer size to around 2,5MB for quic.
ansible.posix.sysctl:
name: "{{ item.name }}"
value: 7500000
sysctl_set: true
state: present
reload: true
loop:
- name: net.core.rmem_max
- name: net.core.wmem_max
become: true
- name: Create caddy container / network file.
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "0644"
loop:
- src: caddy.container.j2
dest: /etc/containers/systemd/caddy.container
- src: caddy.network.j2
dest: /etc/containers/systemd/caddy.network
become: true
notify: "caddy service changed"
- name: Flush handlers.
ansible.builtin.meta: flush_handlers
- name: Start and enable caddy service.
ansible.builtin.systemd:
state: started
enabled: true
name: "caddy"
become: true


@ -1,21 +0,0 @@
{
admin
persist_config off
log {
output stdout
format console
level warn
}
email {{ caddy_letsencrypt_email }}
skip_install_trust
acme_ca {{ caddy_letsencrypt_ca_server }}
key_type {{ caddy_letsencrypt_key_type }}
servers {
# metrics
strict_sni_host
}
}
import /config/*.caddy


@ -1,50 +0,0 @@
{{ ansible_managed | comment }}
[Unit]
Description=Caddy reverse proxy
[Service]
Restart=always
RestartSec=5s
ExecReload=/usr/bin/podman exec \
-w /config \
caddy \
caddy reload
[Container]
Image={{ caddy_container_image }}:{{ caddy_image_tag }}
ContainerName=caddy
Exec=caddy run \
--config /config/Caddyfile \
--adapter caddyfile
AutoUpdate=registry
LogDriver=journald
NoNewPrivileges=true
ReadOnly=true
DropCapability=all
AddCapability=CAP_NET_BIND_SERVICE
UserNS=auto:size=65535
{% if caddy_selinux_level != omit %}
SecurityLabelLevel={{ caddy_selinux_level }}
{% endif %}
Network=caddy.network
PublishPort=80:80/tcp
PublishPort=443:443/tcp
PublishPort=443:443/udp
Volume={{ caddy_install_dir }}/config:/config:ro,U
Volume={{ caddy_install_dir }}/data:/data:U
Volume={{ caddy_install_dir }}/srv:/srv:U
PodmanArgs=--memory={{ caddy_memory_high }}
PodmanArgs=--memory-swap={{ caddy_swap_max }}
PodmanArgs=--memory-reservation={{ caddy_memory_low }}
[Install]
WantedBy=default.target


@ -1,6 +0,0 @@
{{ ansible_managed | comment }}
[Network]
NetworkName=caddy_reverseproxy
Driver=bridge
IPv6=true

35
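--- a/roles/camo/README.md
+++ b/roles/camo/README.md
@@ -0,0 +1,35 @@
+Camo
+=========
+This will setup a [go-camo](https://github.com/cactus/go-camo) content proxy server with their official docker container and traefik.
+Requirements
+------------
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+Role Variables
+--------------
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
+### Global variables, that are used:
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+Dependencies
+------------
+- docker
+- docker-compose
+- traefik
+License
+-------
+GPL-3.0-only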


@ -0,0 +1,42 @@
---
# Default variables for the camo role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose file is stored)
camo_install_location: "/srv/camo"
# The camo version that should be used
# renovate: depName=docker.io/cactus4docker/go-camo
camo_version: "2.4.8"
# The domain under which camo should be available using traefik
camo_domain: camo.example.com
# The certresolver that is used by traefik for camo's domain
camo_traefik_certresolver: "letsencrypt_http"
# The HMAC key to be used
camo_key: "{{ lookup('passwordstore', camo_domain + '/hmac-key create=true length=128') }}"
# The maximum allowed response size (in KB). (0 means unlimited)
camo_max_size: 0
# Docker image and version
camo_image: "docker.io/cactus4docker/go-camo"
camo_image_version: "v{{ camo_version }}"
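Review bot: `camo_max_size: 0` ships the proxy with no cap on the size of the upstream responses it relays, so bandwidth use per request is unbounded unless an operator remembers to override it. A finite default such as `camo_max_size: 5120` (constructed example value, in KB as the comment above states) with `0` left as an explicit opt-in would be the safer baseline. The `passwordstore` lookup with `create=true` for `camo_key` is a good pattern; a one-line comment that the first run writes a new secret into the operator's password store would help whoever runs it next.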

45
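--- a/roles/camo/meta/main.yml
+++ b/roles/camo/meta/main.yml
@@ -0,0 +1,45 @@
+galaxy_info:
+author: saibotk
+description: "Installs a go-camo image proxy server via Docker."
+license: GPL-3.0-only
+min_ansible_version: "2.9"
+standalone: true
+platforms:
+- name: EL
+versions:
+- all
+- name: GenericUNIX
+versions:
+- all
+- name: Fedora
+versions:
+- all
+- name: opensuse
+versions:
+- all
+- name: GenericBSD
+versions:
+- all
+- name: FreeBSD
+versions:
+- all
+- name: Ubuntu
+versions:
+- all
+- name: SLES
+versions:
+- all
+- name: GenericLinux
+versions:
+- all
+- name: Debian
+versions:
+- all
+galaxy_tags: []
+dependencies:
+- role: docker
+- role: docker_compose
+- role: traefik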

54
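--- a/roles/camo/tasks/main.yml
+++ b/roles/camo/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# Tasks file for the camo role
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+- name: Create install directory
+ansible.builtin.file:
+path: "{{ item }}"
+state: directory
+mode: '0700'
+owner: 'root'
+group: 'root'
+with_items:
+- "{{ camo_install_location }}"
+become: true
+tags:
+- camo
+- name: Deploy docker-compose.yml
+ansible.builtin.template:
+src: docker-compose.yml
+dest: "{{ camo_install_location }}/docker-compose.yml"
+mode: '0600'
+owner: 'root'
+group: 'root'
+validate: docker-compose -f %s config -q
+tags:
+- docker
+- camo
+become: true
+- name: Compose camo container
+community.docker.docker_compose:
+state: present
+project_src: "{{ camo_install_location }}"
+pull: true
+remove_orphans: true
+tags:
+- camo
+become: true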
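Review bot: The `Deploy docker-compose.yml` task renders a template that contains `GOCAMO_HMAC`, and the task does not set `diff: false`, so a run with `--diff` prints the rendered key to the terminal and to any log the controller keeps. Adding `diff: false` to that task keeps the changed/ok report while hiding the file content; `no_log: true` is the stricter alternative if task arguments should be hidden too. The identically named task in the codimd role's tasks file later in this commit has the same gap, and its template carries the database password. The file is written with mode `'0600'` and root ownership, which is the right baseline for a file holding the key.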


@ -0,0 +1,62 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
camo:
image: "{{ camo_image }}:{{ camo_image_version }}"
mem_limit: 64mb
memswap_limit: 128mb
security_opt:
- no-new-privileges
environment:
- "GOCAMO_HMAC={{ camo_key }}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.camo.rule=Host(`{{ camo_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.camo.entrypoints=websecure"
- "traefik.http.routers.camo.tls=true"
- "traefik.http.routers.camo.tls.certresolver={{ camo_traefik_certresolver }}"
- "traefik.http.routers.camo.middlewares=camo,compress"
- "traefik.http.middlewares.camo.headers.sslredirect=true"
- "traefik.http.middlewares.camo.headers.stsSeconds=63072000"
- "traefik.http.middlewares.camo.headers.referrerPolicy=no-referrer"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.camo.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
command:
- "--max-size={{ camo_max_size }}"
- "--server-name='go-camo v{{ camo_version }}'"
restart: always
{% if proxy_network is defined %}
networks:
{{ proxy_network }}:
{% endif %}
{% if proxy_network is defined %}
networks:
{{ proxy_network }}:
external: true
{% endif %}
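Review bot: In the `command:` list, the entry `--server-name='go-camo v{{ camo_version }}'` is passed to the container without a shell, so the single quotes are not stripped and become part of the value go-camo receives; write it as `- "--server-name=go-camo v{{ camo_version }}"`. The value also advertises the exact deployed version, presumably in the Server response header, and could be reduced to `go-camo` if that is not wanted. Unlike the codimd template in this commit, the service sets `no-new-privileges` but not `read_only: true`; whether go-camo runs on a read-only root filesystem would need testing before adding it.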

35
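--- a/roles/codimd/README.md
+++ b/roles/codimd/README.md
@@ -0,0 +1,35 @@
+HedgeDoc
+=========
+This will setup a [HedgeDoc](https://github.com/hedgedoc/hedgedoc) server with their official docker container and traefik.
+Requirements
+------------
+You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
+**This role assumes that you have setup traefik with an endpoint called `websecure`.**
+Role Variables
+--------------
+**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
+**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
+### Global variables, that are used:
+- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
+- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
+Dependencies
+------------
+- docker
+- docker-compose
+- traefik
+License
+-------
+GPL-3.0-only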


@ -0,0 +1,66 @@
---
# Default variables for the codimd role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Database access variables: Please change/set the password!
codimd_database_user: codimd
codimd_database_password: codimdpass
codimd_database_name: codimd
# Adjust specific data locations, usually you would want to only adjust the "codimd_install_location" (the base path):
codimd_install_location: /srv/codimd
codimd_database_location: "{{ codimd_install_location }}/database"
codimd_uploads_location: "{{ codimd_install_location }}/uploads"
# Should a local uploads directory be created and mounted?
codimd_uploads_local: false
# Set the certresolver to your desired traefik certresolver.
# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
codimd_traefik_certresolver: letsencrypt_http
# The domain under which traefik should make CodiMD reachable
codimd_domain: pad.example.com
# This is where all application related environment variables are defined except the database connection.
# For all possible environment variables look here: https://github.com/codimd/server/blob/master/docs/configuration.md.
# Note: All variables below will automatically be prefixed with "CMD_", eg. "DOMAIN" will automatically become "CMD_DOMAIN".
codimd_options:
ALLOW_FREE_URL: false
DOMAIN: "{{ codimd_domain }}"
EMAIL: false
PROTOCOL_USESSL: true
URL_ADDPORT: false
USECDN: true
# The version of codimd and its postgres server
# (don't upgrade postgres without a backup etc, as it might have introduced breaking changes!)
# renovate: depName=quay.io/hedgedoc/hedgedoc
codimd_version: 1.9.9
# renovate: depName=docker.io/library/postgres
codimd_postgres_version: 11.16
# The image tags that should be used (templated using the versions provided above)
codimd_image_version: "{{ codimd_version }}"
codimd_postgres_image_version: "{{ codimd_postgres_version }}-alpine"
# SELinux level for codimd and the database, which are applied to their data folders and the containers.
# (By default these will be omitted and ignored)
codimd_selinux_level: "{{ omit }}"
codimd_database_selinux_level: "{{ omit }}"
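Review bot: `codimd_database_password: codimdpass` gives the role a working, publicly known default, so a deployment that forgets the override comes up with a guessable database credential; the comment asking to change it enforces nothing. The camo role in this commit already generates its secret with the `passwordstore` lookup, and the same pattern fits here, for example `codimd_database_password: "{{ lookup('passwordstore', codimd_domain + '/db-password create=true length=64') }}"` (entry name and length are constructed examples). Separately, the comment above `codimd_traefik_certresolver` says the default is `letsencrypt_cf` while the value is `letsencrypt_http`. `codimd_postgres_version: 11.16` is an unquoted float that would lose a trailing zero on a version such as 11.10, so quoting it is safer.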


@ -0,0 +1,45 @@
galaxy_info:
author: saibotk
description: "Installs HedgeDoc as a Docker container."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker
- role: docker_compose
- role: traefik


@ -0,0 +1,90 @@
---
# Tasks file for the codimd role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: '{{ item.location }}(/.*)?'
setype: "container_file_t"
selevel: "{{ item.selevel | default(omit) }}"
state: present
when: item.when | default(true)
with_items:
- location: "{{ codimd_database_location }}"
selevel: "{{ codimd_database_selinux_level }}"
- location: "{{ codimd_uploads_location }}"
selevel: "{{ codimd_selinux_level }}"
when: "{{ codimd_uploads_local }}"
tags:
- codimd
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ codimd_install_location }}"
tags:
- codimd
become: true
- name: Create data directory
ansible.builtin.file: # noqa risky-file-permissions # Container adjusts permissions on its own
path: "{{ item.location }}"
state: directory
setype: "container_file_t"
selevel: "{{ item.selevel | default(omit) }}"
when: item.when | default(true)
with_items:
- location: "{{ codimd_database_location }}"
selevel: "{{ codimd_database_selinux_level }}"
- location: "{{ codimd_uploads_location }}"
selevel: "{{ codimd_selinux_level }}"
when: "{{ codimd_uploads_local }}"
tags:
- codimd
become: true
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ codimd_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- docker
- codimd
become: true
- name: Compose codimd
community.docker.docker_compose:
state: present
project_src: "{{ codimd_install_location }}"
pull: true
remove_orphans: true
tags:
- codimd
become: true


@ -0,0 +1,105 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
database:
image: docker.io/library/postgres:{{ codimd_postgres_image_version }}
mem_limit: 256mb
memswap_limit: 512mb
read_only: true
{% if codimd_database_selinux_level != omit %}
security_opt:
- label=level:{{ codimd_database_selinux_level }}
{% endif %}
tmpfs:
- /run/postgresql:size=512K
- /tmp:size=128K
stop_grace_period: 2m
stop_signal: SIGINT
environment:
- POSTGRES_USER={{ codimd_database_user }}
- POSTGRES_PASSWORD={{ codimd_database_password }}
- POSTGRES_DB={{ codimd_database_name }}
volumes:
- {{ codimd_database_location }}:/var/lib/postgresql/data
networks:
backend:
restart: always
codimd:
image: quay.io/hedgedoc/hedgedoc:{{ codimd_image_version }}
mem_limit: 256mb
memswap_limit: 512mb
restart: always
read_only: true
{% if codimd_selinux_level != omit %}
security_opt:
- label=level:{{ codimd_selinux_level }}
{% endif %}
tmpfs:
- /tmp:size=10M
{% if not codimd_uploads_local %}
- /hedgedoc/public/uploads:size=10M
{% endif %}
environment:
- "CMD_DB_URL=postgres://{{ codimd_database_user }}:{{ codimd_database_password }}@database:5432/{{ codimd_database_name }}"
{% for key, value in codimd_options.items() %}
- "CMD_{{ key }}={{ value }}"
{% endfor %}
labels:
- "traefik.http.routers.codimd.rule=Host(`{{ codimd_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.codimd.entrypoints=websecure"
- "traefik.http.routers.codimd.tls=true"
- "traefik.http.routers.codimd.tls.certresolver={{ codimd_traefik_certresolver }}"
- "traefik.http.routers.codimd.middlewares=codimd,compress"
- "traefik.http.routers.codimd.service=codimd"
- "traefik.http.services.codimd.loadbalancer.server.port=3000"
- "traefik.http.middlewares.codimd.headers.sslredirect=true"
- "traefik.http.middlewares.codimd.headers.stsSeconds=63072000"
- "traefik.http.middlewares.codimd.headers.browserXssFilter=true"
- "traefik.http.middlewares.codimd.headers.contentTypeNosniff=true"
- "traefik.enable=true"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.codimd.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
{% if codimd_uploads_local %}
volumes:
- {{ codimd_uploads_location }}:/hedgedoc/public/uploads
{% endif %}
networks:
backend:
{% if proxy_network is defined %}
{{ proxy_network }}:
{% endif %}
networks:
backend:
{% if proxy_network is defined %}
{{ proxy_network }}:
external: true
{% endif %}
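Review bot: Neither the `database` nor the `codimd` service sets `no-new-privileges`, although the camo template in the same commit does; here `security_opt:` only exists inside the `{% if ... != omit %}` block for the SELinux level. Moving the `security_opt:` key out of the conditional and always listing `- no-new-privileges`, with the `label=level:` entry kept inside the `{% if %}`, would make the two roles consistent. This should be tested against the postgres image's entrypoint before rollout. Also, `codimd_database_password` is interpolated into `CMD_DB_URL` unescaped, so a password containing `@`, `/` or `:` would yield a malformed connection URL; a comment on the variable restricting its character set, or escaping it in the template, would avoid a confusing startup failure.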


@ -1,31 +0,0 @@
dnf_install_epel: false
# For more information refer to https://github.com/rpm-software-management/dnf/blob/master/doc/automatic.rst
# [commands]
dnf_install_updates: true
dnf_download_updates: true
# one of 'security', 'all',
dnf_upgrade_type: security
dnf_random_sleep: 300
dnf_network_online_timeout: 60
# [emitters]
dnf_emit_via: stdio
dnf_system_name: "{{ ansible_nodename }}"
# [command]
dnf_command_format: cat
dnf_stdin_format: "{body}"
# [command_email]
dnf_email_command_format: mail -Ssendwait -s {subject} -r {email_from} {email_to}
dnf_email_stdin_format: "{body}"
# [email]
dnf_email_from: root
dnf_email_to: root
dnf_email_host: localhost
# [base]
dnf_base_overrides: {}


@ -1,27 +0,0 @@
galaxy_info:
author: histalek
description: Configure automatic updates with dnf.
issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
license: GPL-3.0-only
min_ansible_version: "2.10"
platforms:
- name: Fedora
versions:
- "32"
- "33"
- "34"
- "35"
- "36"
- name: EL
versions:
- "9"
standalone: true
galaxy_tags: []
dependencies: []


@ -1,35 +0,0 @@
- name: Install EPEL repository
ansible.builtin.dnf:
name: epel-release
state: present
when: dnf_install_epel
become: true
- name: Install dnf-plugin-tracer.
ansible.builtin.dnf:
name: dnf-plugin-tracer
state: present
when: ansible_facts['distribution'] == "Fedora"
become: true
- name: Install dnf-automatic
ansible.builtin.dnf:
name: dnf-automatic
state: present
become: true
- name: Deploy automatic.conf
ansible.builtin.template:
src: automatic.conf.j2
dest: /etc/dnf/automatic.conf
mode: '0700'
owner: 'root'
group: 'root'
become: true
- name: Start and enable systemd timer for dnf-automatic
ansible.builtin.systemd:
name: dnf-automatic.timer
state: started
enabled: true
become: true


@ -1,42 +0,0 @@
{{ ansible_managed | comment }}
# Ref: https://github.com/rpm-software-management/dnf/blob/master/doc/automatic.rst
[commands]
apply_updates = {{ dnf_install_updates }}
download_updates = {{ dnf_download_updates }}
network_online_timeout = {{ dnf_network_online_timeout }}
random_sleep = {{ dnf_random_sleep }}
upgrade_type = {{ dnf_upgrade_type }}
[emitters]
emit_via = {{ dnf_emit_via }}
system_name = {{ dnf_system_name }}
[command]
command_format = {{ dnf_command_format }}
stdin_format = {{ dnf_stdin_format }}
[command_email]
command_format = {{ dnf_email_command_format }}
email_from = {{ dnf_email_from }}
email_to = {{ dnf_email_to }}
stdin_format = {{ dnf_email_stdin_format }}
[email]
email_from = {{ dnf_email_from }}
email_host = {{ dnf_email_host }}
email_to = {{ dnf_email_to }}
[base]
{% if dnf_base_overrides is mapping %}
{% for key, value in dnf_base_overrides.items() %}
{{ key }}={{ value }}
{% endfor %}
{% endif %}


@ -1,17 +1,26 @@
# Docker
Docker
=========
This will install [Docker](https://www.docker.com/) from their official repository.
This will install [Docker](https://www.docker.com/) from their official repository and install the docker python library via pip.
## Role Variables
Requirements
------------
For CentOS: You will need to have the EPEL repository enabled (eg. by installing the `epel-release` package).
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
## Dependencies
Dependencies
------------
None
- epel (for CentOS)
## License
License
-------
GPL-3.0-only


@ -27,7 +27,7 @@ docker_apt_architecture_map:
"armv7l": "armhf"
# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition).
docker_edition: "ce"
docker_edition: 'ce'
# The docker package settings
docker_package: "docker-{{ docker_edition }}"
@ -42,11 +42,11 @@ docker_install_repository: true
# The repository settings
# The repository will be added as a repository to allow downloading/installing the package
docker_yum_repository_url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/docker-{{ docker_edition }}.repo
docker_yum_repository_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo
docker_yum_repository_destination: /etc/yum.repos.d/docker-{{ docker_edition }}.repo
# Where to fetch the docker repository GPG key from
docker_yum_repository_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
docker_yum_repository_gpg_key: https://download.docker.com/linux/centos/gpg
# The apt repository settings
docker_apt_key_id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
@ -56,4 +56,16 @@ docker_apt_repository: >
https://download.docker.com/linux/{{ ansible_distribution | lower }}
{{ ansible_distribution_release }} stable
docker_requests_python_package: "python-requests"
# Should the python package for docker be installed via pip?
docker_python_package_install: true
# Where should it be installed? (Note: This will be installed as a standalone without breaking system dependencies)
docker_python_package_path: /opt/ansible-dependencies
# The package states of needed packages to install for the python libraries
docker_python_pip_package_state: "present"
docker_python_virtualenv_package_state: "present"
# The pip package name of the docker library
docker_pip_package: "docker"
docker_pip_package_state: "present"
docker_pip_package_version: "{{ omit }}" # This will be omitted by default, so the latest version will be installed.
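Review bot: `docker_pip_package_version: "{{ omit }}"` means a fresh host installs whatever `docker` release PyPI serves at that moment into `docker_python_package_path`, and the playbooks in this commit put that path on `PYTHONPATH` for modules that run with `become`. Pinning a reviewed version by default, e.g. `docker_pip_package_version: "<pinned-version>"`, and leaving the unpinned install as an explicit opt-in makes the dependency reproducible and gives version-bump tooling something to track. The hunk opens inside the `docker_apt_repository` value, which starts outside it.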


@ -1,11 +1,14 @@
galaxy_info:
author: saibotk
description: "Installs Docker package from their official repository."
description: "Installs Docker package from their official repository and installs the docker python package via pip."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: Fedora
versions:
- all


@ -43,3 +43,16 @@
when:
- docker_install_repository
become: true
- name: Ensure pip & virtualenv are installed.
ansible.builtin.package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python3-pip"
state: "{{ docker_python_pip_package_state }}"
- name: "python3-virtualenv"
state: "{{ docker_python_virtualenv_package_state }}"
when:
- docker_python_package_install
become: true


@ -41,7 +41,20 @@
dest: "{{ docker_yum_repository_destination }}"
owner: root
group: root
mode: "0644"
mode: '0644'
when:
- docker_install_repository
become: true
- name: Ensure pip & virtualenv are installed.
ansible.builtin.package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python-pip"
state: "{{ docker_python_pip_package_state }}"
- name: "python-virtualenv"
state: "{{ docker_python_virtualenv_package_state }}"
when:
- docker_python_package_install
become: true


@ -0,0 +1,68 @@
---
# Tasks file for the docker role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure old versions of Docker are not installed.
ansible.builtin.package:
name:
- docker
- docker-common
- docker-engine
state: absent
become: true
- name: Ensure buildah & runc are not installed.
ansible.builtin.package:
name:
- buildah
- runc
state: absent
become: true
- name: Add Docker GPG key.
ansible.builtin.rpm_key:
key: "{{ docker_yum_repository_gpg_key }}"
state: present
when:
- docker_install_repository
become: true
- name: Add Docker repository.
ansible.builtin.get_url:
url: "{{ docker_yum_repository_url }}"
dest: "{{ docker_yum_repository_destination }}"
owner: root
group: root
mode: '0644'
when:
- docker_install_repository
become: true
- name: Ensure pip & virtualenv are installed.
ansible.builtin.package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python3-pip"
state: "{{ docker_python_pip_package_state }}"
- name: "python3-virtualenv"
state: "{{ docker_python_virtualenv_package_state }}"
when:
- docker_python_package_install
become: true
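Review bot: The `Add Docker GPG key.` task imports whatever key `docker_yum_repository_gpg_key` returns, with no fingerprint check, while the apt side of the role defaults pins `docker_apt_key_id`. `ansible.builtin.rpm_key` accepts a `fingerprint` option; adding `fingerprint: "{{ docker_yum_repository_gpg_fingerprint }}"` (a new variable, value to be taken from Docker's published signing key) makes the import fail when the downloaded key is not the expected one. The `.repo` file fetched by `Add Docker repository.` is also taken on TLS alone; a `checksum` on `get_url`, or templating the repo definition locally, would close that gap.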


@ -44,8 +44,13 @@
- name: Ensure handlers are notified now to avoid firewall conflicts.
ansible.builtin.meta: flush_handlers
- name: Install required python requests library
ansible.builtin.package:
name: "{{ docker_requests_python_package }}"
state: present
- name: Install docker python package.
ansible.builtin.pip:
name: "{{ docker_pip_package }}"
state: "{{ docker_pip_package_state }}"
virtualenv: "{{ docker_python_package_path }}"
virtualenv_python: "python{{ ansible_python_version | regex_search('\\d+\\.\\d+') }}"
version: "{{ docker_pip_package_version }}"
become: true
changed_when: false
when: docker_python_package_install
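Review bot: `changed_when: false` on the `Install docker python package.` task makes every pip install or upgrade report `ok`, so the run log never shows when the library under `docker_python_package_path` actually changed. With the version left unpinned by default, that removes the only signal that a new upstream release reached a host. Dropping the line lets the `pip` module report its real status; the `Install docker-compose python package.` task later on this page carries the same line. The hunk starts inside the tasks file, so the earlier tasks are not visible here.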


@ -0,0 +1,24 @@
docker_cleanup
=========
This will prune unused docker images older than 3 days, to keep the system clean.
Requirements
------------
You will need to have docker installed with its python package to use this role.
Role Variables
--------------
None
Dependencies
------------
- docker
License
-------
GPL-3.0-only


@ -0,0 +1,43 @@
galaxy_info:
author: Christoph Kern
description: "Cleans up the exsting Docker install"
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker


@ -0,0 +1,25 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Prune docker images older than 3 days
community.docker.docker_prune:
images: true
images_filters:
dangling: false
until: 72h
become: true
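Review bot: `dangling: false` under `images_filters` deserves a comment, because it is easy to read as "do not prune dangling images" when it actually widens the prune from untagged images to every image that no container uses. A line such as `# dangling: false -> prune all unused images, tagged ones included` above `images_filters` would state the intent. Hosts that rely on a locally cached image to bring a stopped service back will need registry access once the 72h window has passed.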


@ -0,0 +1,27 @@
docker_compose
=========
This will install the [docker-compose](https://docs.docker.com/compose/) python library via pip and by default choose another install location,
to prevent breaking system-wide pip packages.
Requirements
------------
You will need to have the EPEL repository enabled (eg. by installing the `epel-release` package), if you want to install `docker-compose` via yum.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- epel (optional/situational)
License
-------
GPL-3.0-only


@ -0,0 +1,42 @@
---
# Default variables for the docker_compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Control if the docker-compose package should be removed (default)
docker_compose_package: "docker-compose"
docker_compose_package_state: "absent"
# Should a docker-compose wrapper script be deployed?
# This will ensure, that you can still use the `docker-compose` command as usual.
docker_compose_install_wrapper: true
docker_compose_wrapper_path: /usr/local/bin/docker-compose
# Should docker-compose be installed via pip to another target?
# This is used to prevent docker-compose from corrupting other system-wide installed pip packages and thus
# the package will be installed standalone in another directory as defined below.
docker_compose_python_package_install: true
docker_compose_python_package_path: /opt/ansible-dependencies
# The package states of needed packages to install for the python libraries
docker_compose_python_pip_package_state: "present"
docker_compose_python_virtualenv_package_state: "present"
# The pip package name of for `docker-compose`
docker_compose_pip_package: "docker-compose"
docker_compose_pip_package_state: "present"
docker_compose_pip_package_version: "1.24.1"
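Review bot: `docker_compose_pip_package_version: "1.24.1"` is pinned but carries no `# renovate:` annotation, unlike the image versions elsewhere on this page (for example `# renovate: depName=docker.io/robbertkl/ipv6nat`). Without it the pin will probably never receive an update proposal, so fixes in later docker-compose releases stay out. Adding an annotation in the form the repository's Renovate configuration expects, for instance `# renovate: datasource=pypi depName=docker-compose` (format assumed, confirm against the config), keeps the pin and restores the update path.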


@ -0,0 +1,21 @@
galaxy_info:
author: saibotk
description: "Installs the docker-compose pip package."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- "7"
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies: []


@ -0,0 +1,32 @@
---
# Tasks file for the docker_compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure pip & virtualenv are installed.
ansible.builtin.package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python3-pip"
state: "{{ docker_compose_python_pip_package_state }}"
- name: "python3-virtualenv"
state: "{{ docker_compose_python_virtualenv_package_state }}"
when:
- docker_compose_python_package_install
become: true


@ -0,0 +1,32 @@
---
# Tasks file for the docker_compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure pip & virtualenv are installed.
ansible.builtin.package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python-pip"
state: "{{ docker_compose_python_pip_package_state }}"
- name: "python-virtualenv"
state: "{{ docker_compose_python_virtualenv_package_state }}"
when:
- docker_compose_python_package_install
become: true


@ -0,0 +1,32 @@
---
# Tasks file for the docker_compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure pip & virtualenv are installed.
ansible.builtin.package:
name: "{{ item.name }}"
state: "{{ item.state }}"
loop:
- name: "python3-pip"
state: "{{ docker_compose_python_pip_package_state }}"
- name: "python3-virtualenv"
state: "{{ docker_compose_python_virtualenv_package_state }}"
when:
- docker_compose_python_package_install
become: true


@ -0,0 +1,64 @@
---
# Tasks file for the docker-compose role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure package install state
ansible.builtin.package:
name: "{{ docker_compose_package }}"
state: "{{ docker_compose_package_state }}"
become: true
- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}" # noqa name[template]
ansible.builtin.include_tasks: "{{ distro_file }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
loop_control:
loop_var: distro_file
- name: Install docker-compose python package.
ansible.builtin.pip:
name: "{{ docker_compose_pip_package }}"
state: "{{ docker_compose_pip_package_state }}"
virtualenv: "{{ docker_compose_python_package_path }}"
virtualenv_python: "python{{ ansible_python_version | regex_search('\\d+\\.\\d+') }}"
version: "{{ docker_compose_pip_package_version | default(omit) }}"
become: true
changed_when: false
when: docker_compose_python_package_install
- name: Deploy docker-compose wrapper
ansible.builtin.template:
src: bin/docker-compose.j2
dest: "{{ docker_compose_wrapper_path }}"
owner: 'root'
group: 'root'
mode: '0755'
become: true
when:
- docker_compose_install_wrapper
- name: Create symlink in /usr/bin for wrapper
ansible.builtin.file:
src: "{{ docker_compose_wrapper_path }}"
dest: "/usr/bin/docker-compose"
state: link
become: true
when:
- docker_compose_install_wrapper


@ -0,0 +1,21 @@
#!/usr/bin/env bash
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -eo pipefail
exec {{ docker_compose_python_package_path }}/bin/docker-compose "$@"
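Review bot: The templated path on the `exec` line is unquoted, so a `docker_compose_python_package_path` that contains spaces or glob characters would be word-split by bash before the command runs. Quote it: `exec "{{ docker_compose_python_package_path }}/bin/docker-compose" "$@"`. The wrapper is deployed root-owned into a directory on the default PATH, so it is worth keeping its single command unambiguous.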


@ -0,0 +1,31 @@
docker_ipv6_nat
===============
This will install the [docker-ipv6nat](https://github.com/robbertkl/docker-ipv6nat) container to manage IPv6 with ease on a single IP.
The container will automatically create ip6table forwarding rules on demand. To use the functionality, make sure that each container, that exposes a port
also has an `ipv6_enabled: true` user-defined network attached to it, with a ULA IPv6 for the tool to forward to.
**Note: This will enable the kernel module `ipv6nat` if not enabled!**
Requirements
------------
You will need to have docker, docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only


@ -0,0 +1,26 @@
---
# Default variables for the docker_ipv6_nat role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose.yml file will be deployed)
docker_ipv6_nat_install_location: /srv/docker-ipv6-nat
# The docker image and version/tag to use
docker_ipv6_nat_baseimage: docker.io/robbertkl/ipv6nat
# renovate: depName=docker.io/robbertkl/ipv6nat
docker_ipv6_nat_version: 0.4.4


@ -0,0 +1,44 @@
galaxy_info:
author: saibotk
description: "Deploys a robbertkl/ipv6nat container."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker
- role: docker_compose


@ -0,0 +1,55 @@
---
# Tasks file for the docker_ipv6_nat role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ docker_ipv6_nat_install_location }}"
tags:
- docker-ipv6-nat
become: true
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ docker_ipv6_nat_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- docker
- docker-ipv6-nat
become: true
- name: Compose docker-ipv6-nat
community.docker.docker_compose:
state: present
project_src: "{{ docker_ipv6_nat_install_location }}"
pull: true
remove_orphans: true
tags:
- docker
- docker-ipv6-nat
become: true


@ -0,0 +1,35 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
ipv6nat:
image: {{ docker_ipv6_nat_baseimage }}:{{ docker_ipv6_nat_version }}
security_opt:
- label:disable
restart: always
network_mode: "host"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "/lib/modules:/lib/modules:ro"
cap_drop:
- ALL
cap_add:
- NET_ADMIN
- NET_RAW
- SYS_MODULE
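Review bot: The `:ro` flag on the `/var/run/docker.sock` volume does not limit what the container can do with the Docker API; it only makes the socket inode read-only, and any process that can connect can still issue every API call. Together with `network_mode: "host"`, `label:disable` and `SYS_MODULE`, this service is effectively root on the host, so the image it runs becomes part of the host's trusted base. I would state that in a comment above `volumes:` (`# NOTE: socket access is root-equivalent; ':ro' does not restrict API calls`) and reference the image by digest rather than by the `docker_ipv6_nat_version` tag alone. If the tool only needs to read container and network state, a filtering socket proxy in front of it is worth evaluating.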


@ -1,38 +0,0 @@
elementweb_install_dir: "/opt/elementweb"
elementweb_domain: element.example.com
elementweb_containerimage: docker.io/vectorim/element-web
# renovate: depName=docker.io/vectorim/element-web
elementweb_image_tag: "v1.11.90"
elementweb_selinux_level: "{{ omit }}"
elementweb_memory_low: 32m
elementweb_memory_high: 0
elementweb_swap_max: -1
# The homeserver URL and display name
elementweb_base_url: "https://matrix.example.com"
elementweb_servername: "example.com"
# Controls whether Element shows the presence feature for all (empty list) or specific servers (key = value list with the key being the server url)
elementweb_enable_presence_by_hs_url: []
# Should users only be allowed to use this instance with the given matrix server?
elementweb_disable_custom_urls: true
# Should Element-Web disable guests? (without sign-in)
elementweb_disable_guests: true
# Should Element-Web disable 3PID login? (Login with Email etc)
elementweb_disable_3pid_login: false
# Integration Server URLs to use (see https://github.com/vector-im/element-web/blob/develop/docs/config.md)
elementweb_integrations_ui_url: "https://scalar.vector.im/"
elementweb_integrations_rest_url: "https://scalar.vector.im/api"
elementweb_integrations_widgets_urls: ["https://scalar.vector.im/api"]
elementweb_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
# Element Web public room directory server(s)
elementweb_roomdir_servers: ["matrix.org"]


@ -1,14 +0,0 @@
- name: Apply new SELinux file context to filesystem.
ansible.builtin.command: "restorecon -irF {{ elementweb_install_dir }}"
become: true
listen: "elementweb selinux context changed"
- name: Restart elementweb service.
ansible.builtin.systemd:
state: restarted
name: elementweb.service
daemon_reload: true
become: true
listen:
- "elementweb service changed"
- "elementweb selinux context changed"


@ -1,20 +0,0 @@
galaxy_info:
author: saibotk
description: Deploy element web with podman and systemd.
issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
license: GPL-3.0-only
min_ansible_version: "2.10"
platforms:
- name: Fedora
versions:
- "41"
standalone: true
galaxy_tags: []
dependencies: []


@ -1,80 +0,0 @@
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item.target }}"
setype: "container_file_t"
selevel: "{{ item.selevel }}"
state: present
loop:
- target: "{{ elementweb_install_dir }}/config.json"
selevel: "{{ elementweb_selinux_level }}"
become: true
notify: "elementweb selinux context changed"
- name: Create elementweb directories.
ansible.builtin.file:
path: "{{ elementweb_install_dir }}"
owner: "root"
group: "root"
mode: "0700"
state: directory
become: true
- name: Stat elementweb config file.
ansible.builtin.stat:
path: "{{ elementweb_install_dir }}/config.json"
become: true
register: elementweb_stat_config
- name: Add caddy config file.
block:
- name: Check caddy config dir.
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
- name: Template caddy config for elementweb.
ansible.builtin.template:
src: elementweb.caddy.j2
dest: "{{ caddy_install_dir }}/config/elementweb.caddy"
mode: "0600"
setype: "container_file_t"
selevel: "{{ caddy_selinux_level }}"
owner: "{{ caddy_stat_config_dir.stat.uid }}"
group: "{{ caddy_stat_config_dir.stat.gid }}"
notify: "caddy config changed"
become: true
- name: Create elementweb container file.
ansible.builtin.template:
src: elementweb.container.j2
dest: /etc/containers/systemd/elementweb.container
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "elementweb service changed"
- name: Create elementweb config file.
ansible.builtin.template:
src: config.json.j2
dest: "{{ elementweb_install_dir }}/config.json"
setype: "container_file_t"
selevel: "{{ elementweb_selinux_level }}"
owner: "{{ elementweb_stat_config.stat.uid | default('root') }}"
group: "{{ elementweb_stat_config.stat.gid | default('root') }}"
mode: "0644"
become: true
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure elementweb services are started and enabled.
ansible.builtin.systemd:
state: started
enabled: true
name: "{{ item }}"
daemon_reload: true
loop:
- elementweb.service
become: true


@ -1,23 +0,0 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": {{ elementweb_base_url | string | to_json }},
"server_name": {{ elementweb_servername | string | to_json }}
}
},
"disable_custom_urls": {{ elementweb_disable_custom_urls | to_json }},
"disable_3pid_login": {{ elementweb_disable_3pid_login | to_json }},
"disable_guests": {{ elementweb_disable_guests | to_json }},
"integrations_ui_url": {{ elementweb_integrations_ui_url | string | to_json }},
"integrations_rest_url": {{ elementweb_integrations_rest_url | string | to_json }},
"integrations_widgets_urls": {{ elementweb_integrations_widgets_urls | to_json }},
"integrations_jitsi_widget_url": {{ elementweb_integrations_jitsi_widget_url | string | to_json }},
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
"showLabsSettings": true,
{% if elementweb_enable_presence_by_hs_url %}
"enable_presence_by_hs_url": {{ elementweb_enable_presence_by_hs_url | to_json }},
{% endif %}
"roomDirectory": {
"servers": {{ elementweb_roomdir_servers | to_json }}
}
}


@ -1,24 +0,0 @@
{{ ansible_managed | comment }}
{{ elementweb_domain }} {
encode gzip
header {
# enable HSTS
Strict-Transport-Security "max-age=31536000; preload;"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
# Server name removing
-Server
}
reverse_proxy elementweb:8000
}


@ -1,41 +0,0 @@
{{ ansible_managed | comment }}
[Unit]
Description = Element Web
[Service]
Restart = always
RestartSec = 5s
[Container]
Image = {{ elementweb_containerimage }}:{{ elementweb_image_tag }}
ContainerName = elementweb
# AutoUpdate = registry
LogDriver = journald
ReadOnly = true
NoNewPrivileges = true
DropCapability = all
AddCapability = DAC_OVERRIDE
UserNS = auto:size=65535
{% if elementweb_selinux_level != omit %}
SecurityLabelLevel = {{ elementweb_selinux_level }}
{% endif %}
Network = caddy.network
Environment = ELEMENT_WEB_PORT=8000
Volume = {{ elementweb_install_dir }}/config.json:/app/config.json:ro,U
Tmpfs = /var/cache/nginx:rw,noexec,nosuid,nodev,size=1m
Tmpfs = /var/run:rw,noexec,nosuid,nodev,size=1m
Tmpfs = /etc/nginx/conf.d:rw,noexec,nosuid,nodev,size=8m,mode=1770,U
PodmanArgs = --memory={{ elementweb_memory_high }}
PodmanArgs = --memory-swap={{ elementweb_swap_max }}
PodmanArgs = --memory-reservation={{ elementweb_memory_low }}
[Install]
WantedBy = default.target

24
roles/epel/README.md Normal file

@ -0,0 +1,24 @@
EPEL
=========
Installs the `epel-release` package via yum.
Requirements
------------
None
Role Variables
--------------
None
Dependencies
------------
None, except for a CentOS 7 system.
License
-------
GPL-3.0-only

15
roles/epel/meta/main.yml Normal file

@ -0,0 +1,15 @@
galaxy_info:
author: saibotk
description: Installs the epel-release package.
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- "7"
galaxy_tags: []
dependencies: []

24
roles/epel/tasks/main.yml Normal file

@ -0,0 +1,24 @@
---
# Tasks file for the epel role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install EPEL repository package
ansible.builtin.yum:
name: epel-release
state: present
become: true

27
roles/factorio/README.md Normal file

@ -0,0 +1,27 @@
Factorio
=========
This will setup a [Factorio](https://github.com/factoriotools/factorio-docker) gameserver using a docker container.
Requirements
------------
You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only


@ -0,0 +1,37 @@
---
# Default variables for the factorio role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose file is stored)
factorio_install_location: "/srv/factorio"
factorio_data_location: "{{ factorio_install_location }}/data"
# The camo version that should be used
# renovate: depName=docker.io/factoriotools/factorio
factorio_version: "1.1.101"
# Docker image
factorio_image: "docker.io/factoriotools/factorio"
# The factorio server port that should be exposed
factorio_server_port: 34197
# IPv6 ULA config for the bridge network used by docker-ipv6-nat
factorio_ipv6:
enabled: false
subnet: "fd9e:21a7:a92c:2456::/64"
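Review bot: The comment above `factorio_version` reads "The camo version that should be used", which looks copied from another role and names the wrong software. It should read `# The factorio version that should be used`. The `# renovate:` line directly below is what ties the pin to the image, so a correct label next to it matters when someone reviews an update proposal.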


@ -0,0 +1,44 @@
galaxy_info:
author: saibotk
description: "Installs a factorio server via Docker."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker
- role: docker_compose


@ -0,0 +1,79 @@
---
# Tasks file for the factorio role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: '{{ item }}(/.*)?'
setype: "container_file_t"
state: present
with_items:
- "{{ factorio_data_location }}"
tags:
- factorio
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0700'
owner: 'root'
group: 'root'
with_items:
- "{{ factorio_install_location }}"
become: true
tags:
- factorio
- name: Create data directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0750'
owner: '845'
group: '845'
setype: "container_file_t"
with_items:
- "{{ factorio_data_location }}"
tags:
- factorio
become: true
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ factorio_install_location }}/docker-compose.yml"
mode: '0600'
owner: 'root'
group: 'root'
validate: docker-compose -f %s config -q
tags:
- docker
- factorio
become: true
- name: Compose factorio container
community.docker.docker_compose:
state: present
project_src: "{{ factorio_install_location }}"
pull: true
remove_orphans: true
tags:
- factorio
become: true
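Review bot: `owner: '845'` and `group: '845'` on `Create data directory` are bare numeric ids with no explanation; presumably they match the uid/gid the factorio image runs as, but nothing on the page says so. A comment such as `# 845 = uid/gid of the factorio user inside the container image (confirm)`, or a role default for the id, would make a mismatch after an image update easier to spot. Because the directory is `0750`, a wrong id leaves the server unable to write its data.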

Some files were not shown because too many files have changed in this diff Show more