0a762b32c1
fix(playbook): adjust site playbook to only contain used playbooks 2025-01-20 00:36:41 +01:00
8d6baf9db6
remove!(lvm_self_backup): unused 2025-01-20 00:33:55 +01:00
87c004ded6
remove!(docker_cleanup): unused 2025-01-20 00:32:29 +01:00
74c557069d
remove!(docker_ipv6_nat): unused 2025-01-20 00:31:52 +01:00
aa951a3dab
remove!(unattended_upgrades): unused / integrated in dnf setup 2025-01-20 00:31:10 +01:00
b631f98365
remove!(traefik): unused 2025-01-20 00:30:13 +01:00
7482707008
remove!(penpot): unused
might come back when migrated to quadlet
2025-01-20 00:29:04 +01:00
e33018f745
remove!(gitlab_runner): unused 2025-01-20 00:27:06 +01:00
aa576bf5bc
remove!(gitlab): unused 2025-01-20 00:26:44 +01:00
14e358c5fe
remove!(minio): unused 2025-01-20 00:25:52 +01:00
bf7cab1d94
remove!(epel): unused 2025-01-20 00:25:28 +01:00
160b02a45e
remove!(moby_engine): unused 2025-01-20 00:22:19 +01:00
0d31368132
remove!(camo): unused 2025-01-20 00:21:51 +01:00
d0086c85c3
remove!(owncast): unused 2025-01-20 00:21:17 +01:00
42b72a6764
remove!(minecraft): unused 2025-01-20 00:20:55 +01:00
1eae2bf0df
remove(minecraft_blockmap): unused 2025-01-20 00:20:32 +01:00
5e5e097ff9
remove!(factorio): unused 2025-01-20 00:20:02 +01:00
f8b9813461
remove!(telegraf): unused 2025-01-20 00:19:33 +01:00
1041703c1a
remove!(vikunja): unused 2025-01-20 00:18:58 +01:00
e72f4b0ca3
remove!(static_websites): unused 2025-01-20 00:18:35 +01:00
86e585eb10
feat(role): add standalone saiblog role 2025-01-20 00:17:53 +01:00
a160541b04
refactor!(elementweb): migrate to podman quadlet & rename 2025-01-19 23:34:11 +01:00
a8641d6251
remove!(matrix_webhooks): unused role 2025-01-19 22:10:14 +01:00
962a1c146c
remove!(sliding_sync): unused / deprecated 2025-01-19 22:09:53 +01:00
946d8cfaea
remove!(maubot): unused role 2025-01-19 22:09:26 +01:00
f127cd41fb
refactor!(matrix): migrate to podman quadlet & rename
Merged delegate and synapse together.

THIS IS BREAKING!
2025-01-19 22:09:06 +01:00
7d2c98250b
refactor!(codimd): rename & use podman quadlet 2025-01-19 02:08:02 +01:00
d2e0f53ca0
refactor!(keycloak): use podman quadlet setup 2025-01-18 19:54:13 +01:00
476660fd65
refactor!(mastodon): Migrate to podman quadlet 2025-01-18 17:10:42 +01:00
2e271b6c96
fix(caddy): Increase max udp send/receive buffers to 7,5MB 2025-01-18 17:07:56 +01:00
63fcaeaa17
chore(deps): upgrade mastodon to 4.3.2 2025-01-04 13:29:12 +01:00
f6cd60b995
feat(guides): add fedora 41 setup guide 2025-01-04 13:14:00 +01:00
bcea46ccaa
fix(penpot): asset dir permissions
The nginx frontend image is misconfigured and runs its workers as uid 33 instead of the dedicated penpot user. As a workaround the asset directory is now world-readable. This should be acceptable since nginx already serves these files publicly, though it is broader than a group-based grant would be.
2024-11-09 06:00:14 +01:00
65c327c252
fix(penpot): asset dir permissions 2024-11-09 05:24:05 +01:00
e893715574
fix!(penpot): Upgrade db to v17
needed a newer version for penpot v2
2024-11-09 05:22:09 +01:00
be6c4f8014
fix!(keycloak): Upgrade db to v17
Needed a newer version for keycloak v26
2024-11-09 05:21:39 +01:00
d60dac5ad9
chore(penpot): Upgrade to v2.3.1 2024-11-09 04:09:25 +01:00
6e73369b37
chore(mastodon): Update to 4.3.1 2024-11-09 04:04:00 +01:00
74d77ba38e
Merge remote-tracking branch 'origin/renovate/ansible.utils-5.x' 2024-11-09 04:02:37 +01:00
e263117e52
Merge remote-tracking branch 'origin/renovate/minecraft-image-2024.x' 2024-11-09 04:02:08 +01:00
87a0f67afb
Merge remote-tracking branch 'origin/renovate/community.docker-4.x' 2024-11-09 04:01:58 +01:00
b3cd049787
Merge remote-tracking branch 'origin/renovate/ansible.posix-1.x' 2024-11-09 04:01:48 +01:00
0bc03c546e
Merge remote-tracking branch 'origin/renovate/mastodon-elasticsearch-7.x' 2024-11-09 04:01:31 +01:00
979966c03b
Merge remote-tracking branch 'origin/renovate/devsec.hardening-10.x' 2024-11-09 04:01:19 +01:00
93a9ac54bc
Merge remote-tracking branch 'origin/renovate/gitlab-17.x' 2024-11-09 04:01:05 +01:00
cbf8836bf3
Merge remote-tracking branch 'origin/renovate/traefik-2.x' 2024-11-09 04:00:53 +01:00
f1de5102c4
Merge remote-tracking branch 'origin/renovate/matrix-synapse-1.x' 2024-11-09 04:00:42 +01:00
177dc3c4a1
Merge remote-tracking branch 'origin/renovate/gitlab-runner_image-17.x' 2024-11-09 04:00:31 +01:00
0111e0bf8f
Merge remote-tracking branch 'origin/renovate/keycloak-26.x' 2024-11-09 04:00:19 +01:00
1c918beed3
Merge remote-tracking branch 'origin/renovate/containers.podman-1.x' 2024-11-09 04:00:05 +01:00
408102bc6f
Merge remote-tracking branch 'origin/renovate/community.general-10.x' 2024-11-09 03:59:51 +01:00
44948668df
Merge remote-tracking branch 'origin/renovate/matrix-elementweb-1.x' 2024-11-09 03:59:38 +01:00
9176cf921a
Merge remote-tracking branch 'origin/renovate/fedora.linux_system_roles-1.x' 2024-11-09 03:59:10 +01:00
2e855c8236
Merge remote-tracking branch 'origin/renovate/factorio-2.x' 2024-11-09 03:58:41 +01:00
f4b6ee08a8
refactor(cfg): remove special paths to roles/collections 2024-11-09 03:54:00 +01:00
Renovate Bot
c5fb691d20 automation: Update factorio Docker tag to v2 2024-11-08 17:06:23 +00:00
Renovate Bot
4813f83a68 automation: Update fedora.linux_system_roles to version 1.89.1 2024-11-06 03:05:43 +00:00
Renovate Bot
77afecb05d automation: Update matrix-elementweb Docker tag to v1.11.84 2024-11-05 15:05:25 +00:00
Renovate Bot
e7a359297b automation: Update community.general to version 10 2024-11-04 19:05:59 +00:00
Renovate Bot
dc553bbdb1 automation: Update containers.podman to version 1.16.2 2024-11-03 21:05:41 +00:00
Renovate Bot
c070d3b1dd automation: Update keycloak Docker tag to v26 2024-11-01 11:05:48 +00:00
Renovate Bot
c82f4716b1 automation: Update gitlab-runner_image Docker tag to v17.5.3 2024-10-31 23:05:37 +00:00
Renovate Bot
1d650fc28f automation: Update matrix-synapse Docker tag to v1.118.0 2024-10-29 17:05:43 +00:00
Renovate Bot
2d6840cf10 automation: Update traefik Docker tag to v2.11.13 2024-10-28 19:05:47 +00:00
Renovate Bot
6cd7deaab3 automation: Update gitlab Docker tag to v17.5.1 2024-10-23 12:05:29 +00:00
Renovate Bot
91029790ee automation: Update devsec.hardening to version 10.1.0 2024-10-22 10:05:37 +00:00
Renovate Bot
bae66d83b4 automation: Update mastodon-elasticsearch Docker tag to v7.17.25 2024-10-22 08:04:59 +00:00
Renovate Bot
498c87eff3 automation: Update ansible.posix to version 1.6.2 2024-10-22 04:05:01 +00:00
Renovate Bot
6ada2b257f automation: Update community.docker to version 4 2024-10-20 10:05:47 +00:00
Renovate Bot
5a466a0c66 automation: Update minecraft-image Docker tag to v2024.10.2 2024-10-18 22:05:28 +00:00
3fe405face
chore(mastodon): Update to 4.3.0-rc.1 2024-09-30 19:02:48 +02:00
Renovate Bot
0e3207ebb0 automation: Update ansible.utils to version 5.1.2 2024-09-30 06:05:12 +00:00
7b7f9cfdf5
chore(mastodon): Upgrade to 4.3.0-beta.2 2024-09-18 00:10:44 +02:00
4a5e139976 Merge branch 'renovate/fedora.linux_system_roles-1.x' into 'master'
automation: Update fedora.linux_system_roles to version 1.88.9

See merge request saibotk.de/infrastructure!1287
2024-09-17 22:09:26 +00:00
9f985e9aeb Merge branch 'renovate/traefik-2.x' into 'master'
automation: Update traefik Docker tag to v2.11.9

See merge request saibotk.de/infrastructure!1288
2024-09-17 22:09:15 +00:00
d705c63cbd Merge branch 'renovate/matrix-synapse-1.x' into 'master'
automation: Update matrix-synapse Docker tag to v1.115.0

See merge request saibotk.de/infrastructure!1289
2024-09-17 22:09:05 +00:00
4046b35b41 Merge branch 'renovate/community.docker-3.x' into 'master'
automation: Update community.docker to version 3.12.2

See merge request saibotk.de/infrastructure!1291
2024-09-17 22:08:52 +00:00
b66d2da353 Merge branch 'renovate/gitlab-17.x' into 'master'
automation: Update gitlab Docker tag to v17.3.3

See merge request saibotk.de/infrastructure!1290
2024-09-17 22:08:41 +00:00
Renovate Bot
4432174932 automation: Update community.docker to version 3.12.2 2024-09-17 20:06:32 +00:00
Renovate Bot
af6126abb4 automation: Update gitlab Docker tag to v17.3.3 2024-09-17 18:06:33 +00:00
Renovate Bot
537246153d automation: Update matrix-synapse Docker tag to v1.115.0 2024-09-17 14:05:27 +00:00
Renovate Bot
fdbc8473d0 automation: Update traefik Docker tag to v2.11.9 2024-09-16 22:06:30 +00:00
Renovate Bot
012190c0bf automation: Update fedora.linux_system_roles to version 1.88.9 2024-09-13 16:05:17 +00:00
58a1f63a8e
feat!(mastodon): Upgrade to 4.3 beta
BREAKING!

Requires these new secrets to be set:

mastodon_config:
  ar_enc_deterministic_key: undef
  ar_enc_derivation_salt: undef
  ar_enc_primary_key: undef
2024-09-13 00:16:40 +02:00
3ecd8738ab
feat!(podman): Enable dual stack by default 2024-09-12 23:21:21 +02:00
1f6d3691fc
refactor!(caddy): use /srv as install dir
To be in line with all other roles
2024-09-12 23:19:53 +02:00
9b7da942bc
Merge remote-tracking branch 'origin/renovate/mastodon-4.x' 2024-09-12 23:07:07 +02:00
f66b281cf0
Merge remote-tracking branch 'origin/renovate/mastodon-database-15.x' 2024-09-12 23:03:56 +02:00
848bdf23c0
Merge remote-tracking branch 'origin/renovate/matrix-database-13.x' 2024-09-12 23:03:48 +02:00
4919e091c7
Merge remote-tracking branch 'origin/renovate/matrix-maubot_database-13.x' 2024-09-12 23:03:38 +02:00
78a8d608be
Merge remote-tracking branch 'origin/renovate/matrix-sliding_sync_database-16.x' 2024-09-12 23:03:30 +02:00
a6f16129c8
Merge remote-tracking branch 'origin/renovate/vikunja-database-13.x' 2024-09-12 23:02:52 +02:00
3290cfc44b
Merge remote-tracking branch 'origin/renovate/community.docker-3.x' 2024-09-12 23:02:23 +02:00
0c22f8a910
Merge remote-tracking branch 'origin/renovate/factorio-1.x' 2024-09-12 23:02:05 +02:00
8dd9f3bf5b
Merge remote-tracking branch 'origin/renovate/gitlab-runner_image-17.x' 2024-09-12 23:01:26 +02:00
ad2c122758
Merge remote-tracking branch 'origin/renovate/camo-2.x' 2024-09-12 23:01:16 +02:00
4984f17dad
Merge remote-tracking branch 'origin/renovate/codimd-1.x' 2024-09-12 23:01:07 +02:00
1eb69fcdc3
Merge remote-tracking branch 'origin/renovate/matrix-synapse-1.x' 2024-09-12 23:00:55 +02:00
a222338fe3
Merge remote-tracking branch 'origin/renovate/ansible.utils-5.x' 2024-09-12 23:00:45 +02:00
1d2dca1af0
Merge remote-tracking branch 'origin/renovate/minecraft-image-2024.x' 2024-09-12 23:00:36 +02:00
7307b014b4
Merge remote-tracking branch 'origin/renovate/community.general-9.x' 2024-09-12 23:00:25 +02:00
b53be3b7d2
Merge remote-tracking branch 'origin/renovate/keycloak-25.x' 2024-09-12 23:00:11 +02:00
83d0d6a23a
Merge remote-tracking branch 'origin/renovate/mastodon-elasticsearch-7.x' 2024-09-12 22:59:55 +02:00
bf3b8609f4
Merge remote-tracking branch 'origin/renovate/matrix-elementweb-1.x' 2024-09-12 22:59:36 +02:00
1a7744960d
Merge remote-tracking branch 'origin/renovate/fedora.linux_system_roles-1.x' 2024-09-12 22:59:27 +02:00
44f2fa537a
Merge remote-tracking branch 'origin/renovate/gitlab-17.x' 2024-09-12 22:59:06 +02:00
708335d486
Merge remote-tracking branch 'origin/renovate/ansible.posix-1.x' 2024-09-12 22:58:37 +02:00
d52827bd9a
fix(lint): caddy mark selinux context handler as always changed
A better solution should be found in the future, but this is acceptable for now.
2024-09-12 22:55:00 +02:00
886e83baa8
feat(caddy): add role
Copied from Histalek <3

Based on b17a8f117b/roles/caddy
2024-09-12 22:51:50 +02:00
7c136306d1
feat(podman): add role
Copied from Histalek <3

Based on b17a8f117b/roles/podman
2024-09-12 22:51:03 +02:00
Renovate Bot
22f6a16cd7 automation: Update ansible.posix to version 1.6.0 2024-09-12 02:05:41 +00:00
Renovate Bot
8ca6be6799 automation: Update gitlab Docker tag to v17 2024-09-11 22:06:07 +00:00
Renovate Bot
868e84cfac automation: Update fedora.linux_system_roles to version 1.88.8 2024-09-11 16:06:25 +00:00
Renovate Bot
9f7306059a automation: Update matrix-elementweb Docker tag to v1.11.77 2024-09-10 14:05:33 +00:00
Renovate Bot
2c1f9dbad0 automation: Update mastodon-elasticsearch Docker tag to v7.17.24 2024-09-10 10:05:19 +00:00
Renovate Bot
d59e5ca7a7 automation: Update keycloak Docker tag to v25.0.5 2024-09-10 06:05:47 +00:00
Renovate Bot
522507ea84 automation: Update community.general to version 9.4.0 2024-09-09 18:05:57 +00:00
Renovate Bot
eb76f01504 automation: Update minecraft-image Docker tag to v2024.9.0 2024-09-07 18:05:54 +00:00
Renovate Bot
c54228a28e automation: Update ansible.utils to version 5.1.1 2024-09-05 12:05:06 +00:00
Renovate Bot
76e32bf11f automation: Update matrix-synapse Docker tag to v1.114.0 2024-09-02 18:05:34 +00:00
Renovate Bot
90393f4445 automation: Update codimd Docker tag to v1.10.0 2024-09-02 14:05:28 +00:00
Renovate Bot
90bc265fbd automation: Update camo Docker tag to v2.6.0 2024-08-31 18:05:42 +00:00
Renovate Bot
41b711e21d automation: Update gitlab-runner_image Docker tag to v17.3.1 2024-08-21 18:05:58 +00:00
Renovate Bot
8b9e91b45b automation: Update mastodon Docker tag to v4.2.12 2024-08-19 10:05:20 +00:00
Renovate Bot
30975640da automation: Update factorio Docker tag to v1.1.110 2024-08-16 18:05:26 +00:00
Renovate Bot
d85e909472 automation: Update community.docker to version 3.12.1 2024-08-14 02:06:12 +00:00
61a9b1d6f4
fix(matrix): Synapse DNS oauth check
Synapse consistently fails to resolve our SSO domain on startup; this appears to be a race condition. This works around it for now.
2024-08-14 03:51:41 +02:00
96a8c8fe1e
fix(lint): add missing collections 2024-08-14 03:34:10 +02:00
Renovate Bot
e5f3c588c3 automation: Update vikunja-database Docker tag to v13.16 2024-08-14 01:15:27 +00:00
Renovate Bot
4d5b33c91d automation: Update matrix-sliding_sync_database Docker tag to v16.4 2024-08-14 01:15:12 +00:00
Renovate Bot
1036663d48 automation: Update matrix-maubot_database Docker tag to v13.16 2024-08-14 01:15:10 +00:00
Renovate Bot
55129aad3b automation: Update matrix-database Docker tag to v13.16 2024-08-14 01:15:09 +00:00
Renovate Bot
768149186a automation: Update mastodon-database Docker tag to v15.8 2024-08-14 01:15:07 +00:00
4f6c65eef5
fix(keycloak): persistent sessions feature typo 2024-08-14 03:13:33 +02:00
8ce37b6416
fix(lint): teamspeak changed_when selinux context
We just ignore this for now.
2024-08-14 02:20:20 +02:00
693184bd7c
refactor!(monitoring): Replace monitoring with monitoring_ng
Not much changed regarding variable names, only the role name changed.
2024-08-14 02:04:32 +02:00
b7195a4d8b
fix(mailcow): backup directory permissions
Unfortunately mailcow requires world-accessible (other) permissions on this directory, so it cannot be locked down further.
2024-08-14 01:59:07 +02:00
2e82ca3a9f
feat(keycloak): use persistend sessions & use new options
Replace deprecated PROXY setting, see https://github.com/keycloak/keycloak/issues/29665
2024-08-14 01:08:03 +02:00
2a6ca65968 Merge branch 'renovate/factorio-1.x' into 'master'
automation: Update factorio Docker tag to v1.1.109

See merge request saibotk.de/infrastructure!1250
2024-08-13 23:06:29 +00:00
c5f8df5181 Merge branch 'renovate/community.general-9.x' into 'master'
automation: Update community.general to version 9.2.0

See merge request saibotk.de/infrastructure!1257
2024-08-13 23:06:12 +00:00
17f373145e Merge branch 'renovate/mastodon-elasticsearch-7.x' into 'master'
automation: Update mastodon-elasticsearch Docker tag to v7.17.23

See merge request saibotk.de/infrastructure!1255
2024-08-13 23:05:48 +00:00
d3ddfbed55 Merge branch 'renovate/ansible.utils-5.x' into 'master'
automation: Update ansible.utils to version 5

See merge request saibotk.de/infrastructure!1254
2024-08-13 23:05:37 +00:00
c17480ac0b Merge branch 'renovate/keycloak-25.x' into 'master'
automation: Update keycloak Docker tag to v25

See merge request saibotk.de/infrastructure!1251
2024-08-13 22:54:13 +00:00
f0d82c90d1
fix(luks_ssh): ensure network module is loaded 2024-08-14 00:53:12 +02:00
397156a173
feat!(luks_ssh): Remove all other ssh keys
To do so, the `luks_ssh_dracut_authorized_keys` variable was restructured to hold only SSH public-key filenames; any key not listed is removed from the dracut authorized_keys.
2024-08-14 00:53:11 +02:00
ecefb84a4b
refactor!(docker): Remove centos support & fix install on other redhat dists 2024-08-14 00:53:10 +02:00
e7a172877b
refactor!(teamspeak): Use podman quadlet setup
This is mostly equivalent to the awesome role found in @histalek's repository:
bde4d9dacb/roles/teamspeak
2024-08-14 00:53:09 +02:00
6e50428a5c
feat(mailcow): enhance setup tasks
Clone repo, open ports & add backup directory
2024-08-14 00:53:08 +02:00
496f9881a1
chore(cfg): silence python interpreter info log spam 2024-08-14 00:53:03 +02:00
614342117a Merge branch 'renovate/gitlab-runner_image-17.x' into 'master'
automation: Update gitlab-runner_image Docker tag to v17

See merge request saibotk.de/infrastructure!1239
2024-08-13 22:25:18 +00:00
6ca8d47d72 Merge branch 'renovate/monitoring-grafana-11.x' into 'master'
automation: Update monitoring-grafana Docker tag to v11.1.3

See merge request saibotk.de/infrastructure!1259
2024-08-13 22:25:01 +00:00
b7b8d7d0c0 Merge branch 'renovate/minecraft-image-2024.x' into 'master'
automation: Update minecraft-image Docker tag to v2024.7.2

See merge request saibotk.de/infrastructure!1247
2024-08-13 22:24:53 +00:00
5342fa9228 Merge branch 'renovate/mastodon-redis-7.x' into 'master'
automation: Update mastodon-redis Docker tag to v7.4

See merge request saibotk.de/infrastructure!1264
2024-08-13 22:24:43 +00:00
fd732e6ca5 Merge branch 'renovate/matrix-elementweb-1.x' into 'master'
automation: Update matrix-elementweb Docker tag to v1.11.73

See merge request saibotk.de/infrastructure!1249
2024-08-13 22:24:32 +00:00
e18f7d5b60 Merge branch 'renovate/devsec.hardening-10.x' into 'master'
automation: Update devsec.hardening to version 10

See merge request saibotk.de/infrastructure!1265
2024-08-13 22:24:11 +00:00
785e284beb Merge branch 'renovate/traefik-2.x' into 'master'
automation: Update traefik Docker tag to v2.11.8

See merge request saibotk.de/infrastructure!1252
2024-08-13 22:23:36 +00:00
542142ef1d Merge branch 'renovate/community.docker-3.x' into 'master'
automation: Update community.docker to version 3.12.0

See merge request saibotk.de/infrastructure!1256
2024-08-13 22:22:58 +00:00
1f635936cc Merge branch 'renovate/gitlab-16.x' into 'master'
automation: Update gitlab Docker tag to v16.11.8

See merge request saibotk.de/infrastructure!1263
2024-08-13 22:22:25 +00:00
b834837e20 Merge branch 'renovate/matrix-synapse-1.x' into 'master'
automation: Update matrix-synapse Docker tag to v1.112.0

See merge request saibotk.de/infrastructure!1258
2024-08-13 22:22:17 +00:00
Renovate Bot
f08a94c3b5 automation: Update community.docker to version 3.12.0 2024-08-07 16:06:07 +00:00
Renovate Bot
cca2148325 automation: Update gitlab Docker tag to v16.11.8 2024-08-07 12:05:26 +00:00
Renovate Bot
1f354f3ccd automation: Update traefik Docker tag to v2.11.8 2024-08-06 20:05:53 +00:00
Renovate Bot
3fb1de20f3 automation: Update devsec.hardening to version 10 2024-08-06 18:06:36 +00:00
Renovate Bot
99ec9f663e automation: Update matrix-elementweb Docker tag to v1.11.73 2024-08-06 12:05:41 +00:00
Renovate Bot
3cc550eb58 automation: Update ansible.utils to version 5 2024-08-05 12:06:07 +00:00
Renovate Bot
1bbca2ecc7 automation: Update matrix-synapse Docker tag to v1.112.0 2024-07-30 18:06:08 +00:00
Renovate Bot
d1bc072df1 automation: Update monitoring-grafana Docker tag to v11.1.3 2024-07-30 16:06:06 +00:00
Renovate Bot
bddc3d35ef automation: Update mastodon-elasticsearch Docker tag to v7.17.23 2024-07-30 16:05:28 +00:00
Renovate Bot
3e7149f26f automation: Update mastodon-redis Docker tag to v7.4 2024-07-30 02:05:55 +00:00
Renovate Bot
e3d7b8cc6c automation: Update minecraft-image Docker tag to v2024.7.2 2024-07-28 20:06:16 +00:00
Renovate Bot
4e2b211103 automation: Update gitlab-runner_image Docker tag to v17 2024-07-25 20:06:07 +00:00
Renovate Bot
da333a3b9e automation: Update keycloak Docker tag to v25 2024-07-18 08:06:52 +00:00
Renovate Bot
14e6531145 automation: Update community.general to version 9.2.0 2024-07-15 08:06:23 +00:00
5e9a04c36b
Merge remote-tracking branch 'origin/renovate/mastodon-4.x' 2024-07-04 17:51:04 +02:00
505e3a4832
fix(lint): ignore unavailable fqcn
We still use an older version of Ansible, so that's fine.
2024-07-04 17:50:07 +02:00
Renovate Bot
d448800c8b automation: Update mastodon Docker tag to v4.2.10 2024-07-04 15:18:09 +00:00
2020e45f2b Merge branch 'renovate/gitlab-16.x' into 'master'
automation: Update gitlab Docker tag to v16.11.5

See merge request saibotk.de/infrastructure!1253
2024-06-27 10:12:03 +00:00
Renovate Bot
240cf05ffb automation: Update gitlab Docker tag to v16.11.5 2024-06-26 12:05:44 +00:00
Renovate Bot
5f1a4e8f95 automation: Update factorio Docker tag to v1.1.109 2024-06-07 16:05:10 +00:00
b407436b85 Merge branch 'renovate/keycloak-24.x' into 'master'
automation: Update keycloak Docker tag to v24.0.4

See merge request saibotk.de/infrastructure!1228
2024-06-01 08:46:36 +00:00
39cca8df89 Merge branch 'renovate/mastodon-database-15.x' into 'master'
automation: Update mastodon-database Docker tag to v15.7

See merge request saibotk.de/infrastructure!1230
2024-06-01 08:46:25 +00:00
00a3666e7f Merge branch 'renovate/matrix-database-13.x' into 'master'
automation: Update matrix-database Docker tag to v13.15

See merge request saibotk.de/infrastructure!1231
2024-06-01 08:46:14 +00:00
f15dd78487 Merge branch 'renovate/matrix-maubot_database-13.x' into 'master'
automation: Update matrix-maubot_database Docker tag to v13.15

See merge request saibotk.de/infrastructure!1232
2024-06-01 08:46:05 +00:00
199ae12a0e Merge branch 'renovate/matrix-sliding_sync_database-16.x' into 'master'
automation: Update matrix-sliding_sync_database Docker tag to v16.3

See merge request saibotk.de/infrastructure!1233
2024-06-01 08:45:56 +00:00
62cb6cc40b Merge branch 'renovate/vikunja-database-13.x' into 'master'
automation: Update vikunja-database Docker tag to v13.15

See merge request saibotk.de/infrastructure!1234
2024-06-01 08:45:36 +00:00
016700f6e4 Merge branch 'renovate/monitoring-grafana-11.x' into 'master'
automation: Update monitoring-grafana Docker tag to v11

See merge request saibotk.de/infrastructure!1236
2024-06-01 08:45:17 +00:00
c0f3f11d84 Merge branch 'renovate/traefik-2.x' into 'master'
automation: Update traefik Docker tag to v2.11.3

See merge request saibotk.de/infrastructure!1243
2024-06-01 08:44:59 +00:00
1902e51c2a Merge branch 'renovate/matrix-elementweb-1.x' into 'master'
automation: Update matrix-elementweb Docker tag to v1.11.67

See merge request saibotk.de/infrastructure!1227
2024-06-01 08:44:45 +00:00
d9f9817b98 Merge branch 'renovate/community.general-9.x' into 'master'
automation: Update community.general to version 9

See merge request saibotk.de/infrastructure!1242
2024-06-01 08:44:32 +00:00
286477f3ce Merge branch 'renovate/matrix-synapse-1.x' into 'master'
automation: Update matrix-synapse Docker tag to v1.108.0

See merge request saibotk.de/infrastructure!1237
2024-06-01 08:44:15 +00:00
2369c3c508 Merge branch 'renovate/matrix-delegate_nginx-1.x' into 'master'
automation: Update matrix-delegate_nginx Docker tag to v1.27

See merge request saibotk.de/infrastructure!1245
2024-06-01 08:44:02 +00:00
ddbd8df10e Merge branch 'renovate/community.docker-3.x' into 'master'
automation: Update community.docker to version 3.10.3

See merge request saibotk.de/infrastructure!1240
2024-06-01 08:43:53 +00:00
4f3dd4a929 Merge branch 'renovate/factorio-1.x' into 'master'
automation: Update factorio Docker tag to v1.1.108

See merge request saibotk.de/infrastructure!1246
2024-06-01 08:43:31 +00:00
beb4746ba1 Merge branch 'renovate/mastodon-4.x' into 'master'
automation: Update mastodon Docker tag to v4.2.9

See merge request saibotk.de/infrastructure!1244
2024-06-01 08:43:19 +00:00
Renovate Bot
d207702d79 automation: Update factorio Docker tag to v1.1.108 2024-05-31 12:05:34 +00:00
Renovate Bot
b41db2b086 automation: Update matrix-delegate_nginx Docker tag to v1.27 2024-05-30 18:06:15 +00:00
Renovate Bot
7bdea970b0 automation: Update mastodon Docker tag to v4.2.9 2024-05-30 14:05:42 +00:00
Renovate Bot
23e7d74433 automation: Update community.general to version 9 2024-05-28 12:05:59 +00:00
Renovate Bot
768b69d89d automation: Update matrix-synapse Docker tag to v1.108.0 2024-05-28 12:05:49 +00:00
Renovate Bot
55eff6a118 automation: Update community.docker to version 3.10.3 2024-05-28 12:05:42 +00:00
e6c4af0a74 Merge branch 'renovate/gitlab-16.x' into 'master'
automation: Update gitlab Docker tag to v16.11.3

See merge request saibotk.de/infrastructure!1229
2024-05-28 10:16:07 +00:00
Renovate Bot
0b461e324f automation: Update matrix-elementweb Docker tag to v1.11.67 2024-05-22 14:05:36 +00:00
Renovate Bot
9d7686dc96 automation: Update gitlab Docker tag to v16.11.3 2024-05-22 10:05:29 +00:00
Renovate Bot
0f5859f392 automation: Update traefik Docker tag to v2.11.3 2024-05-21 20:05:24 +00:00
Renovate Bot
32a8c7d769 automation: Update monitoring-grafana Docker tag to v11 2024-05-14 08:05:50 +00:00
Renovate Bot
a2641c656e automation: Update vikunja-database Docker tag to v13.15 2024-05-10 00:05:37 +00:00
Renovate Bot
7be265ae65 automation: Update matrix-sliding_sync_database Docker tag to v16.3 2024-05-10 00:05:33 +00:00
Renovate Bot
6fef72ae55 automation: Update matrix-maubot_database Docker tag to v13.15 2024-05-10 00:05:32 +00:00
Renovate Bot
4d8e388a11 automation: Update matrix-database Docker tag to v13.15 2024-05-10 00:05:30 +00:00
Renovate Bot
8da84bc8b8 automation: Update mastodon-database Docker tag to v15.7 2024-05-10 00:05:29 +00:00
Renovate Bot
37f4978bc9 automation: Update keycloak Docker tag to v24.0.4 2024-05-08 08:05:49 +00:00
3a3b544af3 Merge branch 'renovate/factorio-1.x' into 'master'
automation: Update factorio Docker tag to v1.1.107

See merge request saibotk.de/infrastructure!1218
2024-05-05 09:55:09 +00:00
886a758548 Merge branch 'renovate/monitoring-grafana-10.x' into 'master'
automation: Update monitoring-grafana Docker tag to v10.4.2

See merge request saibotk.de/infrastructure!1217
2024-05-05 09:54:55 +00:00
08b3b71a85 Merge branch 'renovate/owncast-image-0.x' into 'master'
automation: Update owncast-image Docker tag to v0.1.3

See merge request saibotk.de/infrastructure!1212
2024-05-05 09:54:43 +00:00
a8ac42b80b Merge branch 'renovate/traefik-2.x' into 'master'
automation: Update traefik Docker tag to v2.11.2

See merge request saibotk.de/infrastructure!1216
2024-05-05 09:54:32 +00:00
5db755f5d3 Merge branch 'renovate/ansible.utils-4.x' into 'master'
automation: Update ansible.utils to version 4.1.0

See merge request saibotk.de/infrastructure!1219
2024-05-05 09:54:19 +00:00
8889d05f08 Merge branch 'renovate/keycloak-24.x' into 'master'
automation: Update keycloak Docker tag to v24.0.3

See merge request saibotk.de/infrastructure!1220
2024-05-05 09:54:08 +00:00
339c223f11 Merge branch 'renovate/community.docker-3.x' into 'master'
automation: Update community.docker to version 3.9.0

See merge request saibotk.de/infrastructure!1223
2024-05-05 09:53:58 +00:00
19f22434c8 Merge branch 'renovate/community.general-8.x' into 'master'
automation: Update community.general to version 8.6.0

See merge request saibotk.de/infrastructure!1224
2024-05-05 09:53:48 +00:00
dfc1473567 Merge branch 'renovate/camo-2.x' into 'master'
automation: Update camo Docker tag to v2.4.13

See merge request saibotk.de/infrastructure!1222
2024-05-05 09:53:37 +00:00
c1803f7b53 Merge branch 'renovate/matrix-elementweb-1.x' into 'master'
automation: Update matrix-elementweb Docker tag to v1.11.65

See merge request saibotk.de/infrastructure!1214
2024-05-05 09:53:26 +00:00
3593faea83 Merge branch 'renovate/matrix-delegate_nginx-1.x' into 'master'
automation: Update matrix-delegate_nginx Docker tag to v1.26

See merge request saibotk.de/infrastructure!1225
2024-05-05 09:53:12 +00:00
d86dfc91e6 Merge branch 'renovate/gitlab-16.x' into 'master'
automation: Update gitlab Docker tag to v16.11.1

See merge request saibotk.de/infrastructure!1215
2024-05-05 09:53:01 +00:00
4134434c71 Merge branch 'renovate/matrix-synapse-1.x' into 'master'
automation: Update matrix-synapse Docker tag to v1.106.0

See merge request saibotk.de/infrastructure!1210
2024-05-05 09:52:49 +00:00
5333396093 Merge branch 'renovate/minecraft-image-2024.x' into 'master'
automation: Update minecraft-image Docker tag to v2024.5.0

See merge request saibotk.de/infrastructure!1211
2024-05-05 09:52:37 +00:00
5056a3233f Merge branch 'renovate/mastodon-elasticsearch-7.x' into 'master'
automation: Update mastodon-elasticsearch Docker tag to v7.17.21

See merge request saibotk.de/infrastructure!1213
2024-05-05 09:52:25 +00:00
f7843bd352 Merge branch 'renovate/gitlab-runner_image-16.x' into 'master'
automation: Update gitlab-runner_image Docker tag to v16.11.1

See merge request saibotk.de/infrastructure!1221
2024-05-05 09:52:15 +00:00
Renovate Bot
865fa9bae0 automation: Update gitlab-runner_image Docker tag to v16.11.1 2024-05-03 18:06:07 +00:00
Renovate Bot
e9106699ee automation: Update minecraft-image Docker tag to v2024.5.0 2024-05-02 16:06:21 +00:00
Renovate Bot
853a5c22e5 automation: Update mastodon-elasticsearch Docker tag to v7.17.21 2024-05-02 10:05:43 +00:00
Renovate Bot
485d344f2a automation: Update matrix-synapse Docker tag to v1.106.0 2024-04-30 14:05:44 +00:00
Renovate Bot
01b52fc2d0 automation: Update gitlab Docker tag to v16.11.1 2024-04-24 14:05:44 +00:00
Renovate Bot
1bd9b841e4 automation: Update matrix-delegate_nginx Docker tag to v1.26 2024-04-24 04:05:49 +00:00
Renovate Bot
f55fec94bd automation: Update matrix-elementweb Docker tag to v1.11.65 2024-04-23 14:05:31 +00:00
Renovate Bot
b91a18cebe automation: Update camo Docker tag to v2.4.13 2024-04-23 00:05:48 +00:00
Renovate Bot
6da9a56924 automation: Update community.general to version 8.6.0 2024-04-22 18:06:01 +00:00
Renovate Bot
933706b91b automation: Update community.docker to version 3.9.0 2024-04-21 16:05:39 +00:00
Renovate Bot
f2a3f4b4bc automation: Update keycloak Docker tag to v24.0.3 2024-04-16 18:06:22 +00:00
Renovate Bot
2caf697a3b automation: Update ansible.utils to version 4.1.0 2024-04-15 14:05:27 +00:00
Renovate Bot
3b27f021c6 automation: Update traefik Docker tag to v2.11.2 2024-04-11 22:05:35 +00:00
Renovate Bot
51eba66c4f automation: Update factorio Docker tag to v1.1.107 2024-04-11 18:05:39 +00:00
Renovate Bot
276e8064b5 automation: Update monitoring-grafana Docker tag to v10.4.2 2024-04-11 16:05:30 +00:00
Renovate Bot
85d4b7c674 automation: Update owncast-image Docker tag to v0.1.3 2024-04-07 22:05:08 +00:00
5c41caeb77 Merge branch 'renovate/community.docker-3.x' into 'master'
automation: Update community.docker to version 3.8.1

See merge request saibotk.de/infrastructure!1199
2024-03-30 19:15:40 +00:00
9542bbf4a6 Merge branch 'renovate/camo-2.x' into 'master'
automation: Update camo Docker tag to v2.4.10

See merge request saibotk.de/infrastructure!1200
2024-03-30 19:14:58 +00:00
eb6bac7d10 Merge branch 'renovate/monitoring-grafana-10.x' into 'master'
automation: Update monitoring-grafana Docker tag to v10.4.1

See merge request saibotk.de/infrastructure!1203
2024-03-30 19:14:49 +00:00
e9e00b8803 Merge branch 'renovate/matrix-synapse-1.x' into 'master'
automation: Update matrix-synapse Docker tag to v1.103.0

See merge request saibotk.de/infrastructure!1201
2024-03-30 19:14:32 +00:00
defb9577d4 Merge branch 'renovate/gitlab-runner_image-16.x' into 'master'
automation: Update gitlab-runner_image Docker tag to v16.10.0

See merge request saibotk.de/infrastructure!1205
2024-03-30 19:14:15 +00:00
73196ac008 Merge branch 'renovate/keycloak-24.x' into 'master'
automation: Update keycloak Docker tag to v24.0.2

See merge request saibotk.de/infrastructure!1206
2024-03-30 19:12:16 +00:00
81246ca450 Merge branch 'renovate/community.general-8.x' into 'master'
automation: Update community.general to version 8.5.0

See merge request saibotk.de/infrastructure!1207
2024-03-30 19:12:06 +00:00
e64607df84 Merge branch 'renovate/factorio-1.x' into 'master'
automation: Update factorio Docker tag to v1.1.106

See merge request saibotk.de/infrastructure!1202
2024-03-30 19:11:26 +00:00
4cd57d576f Merge branch 'renovate/mastodon-elasticsearch-7.x' into 'master'
automation: Update mastodon-elasticsearch Docker tag to v7.17.19

See merge request saibotk.de/infrastructure!1208
2024-03-30 19:11:17 +00:00
097a152490 Merge branch 'renovate/gitlab-16.x' into 'master'
automation: Update gitlab Docker tag to v16.10.1

See merge request saibotk.de/infrastructure!1204
2024-03-30 19:11:08 +00:00
38f0a61e03 Merge branch 'renovate/ansible.utils-4.x' into 'master'
automation: Update ansible.utils to version 4

See merge request saibotk.de/infrastructure!1209
2024-03-30 19:10:58 +00:00
30f9a5f9ff Merge branch 'renovate/matrix-elementweb-1.x' into 'master'
automation: Update matrix-elementweb Docker tag to v1.11.63

See merge request saibotk.de/infrastructure!1198
2024-03-30 19:10:32 +00:00
Renovate Bot
96dcab2aec automation: Update matrix-elementweb Docker tag to v1.11.63 2024-03-28 19:05:59 +00:00
Renovate Bot
ac13a53cdb automation: Update ansible.utils to version 4 2024-03-28 17:05:38 +00:00
Renovate Bot
3620647d90 automation: Update gitlab Docker tag to v16.10.1 2024-03-27 17:06:08 +00:00
Renovate Bot
80df2624aa automation: Update factorio Docker tag to v1.1.106 2024-03-26 13:05:16 +00:00
Renovate Bot
547fc8ca40 automation: Update mastodon-elasticsearch Docker tag to v7.17.19 2024-03-26 11:05:30 +00:00
Renovate Bot
6e90ee7840 automation: Update community.general to version 8.5.0 2024-03-25 19:05:18 +00:00
Renovate Bot
24c65bde2d automation: Update keycloak Docker tag to v24.0.2 2024-03-24 23:05:10 +00:00
Renovate Bot
969a58bd16 automation: Update gitlab-runner_image Docker tag to v16.10.0 2024-03-21 23:05:24 +00:00
Renovate Bot
2da2bd1929 automation: Update monitoring-grafana Docker tag to v10.4.1 2024-03-21 15:05:26 +00:00
Renovate Bot
96f1d7633f automation: Update matrix-synapse Docker tag to v1.103.0 2024-03-19 13:05:35 +00:00
Renovate Bot
ec07e514c9 automation: Update camo Docker tag to v2.4.10 2024-03-17 21:04:49 +00:00
Renovate Bot
ecd1b8dc0f automation: Update community.docker to version 3.8.1 2024-03-16 21:04:50 +00:00
ffbffa312f Merge branch 'renovate/gitlab-runner_image-16.x' into 'master'
automation: Update gitlab-runner_image Docker tag to v16.9.1

See merge request saibotk.de/infrastructure!1192
2024-03-10 00:14:45 +00:00
182665819b Merge branch 'renovate/community.general-8.x' into 'master'
automation: Update community.general to version 8.4.0

See merge request saibotk.de/infrastructure!1190
2024-03-10 00:14:36 +00:00
56dc1732e2 Merge branch 'renovate/mastodon-4.x' into 'master'
automation: Update mastodon Docker tag to v4.2.8

See merge request saibotk.de/infrastructure!1188
2024-03-10 00:14:29 +00:00
95cb776b46 Merge branch 'renovate/matrix-elementweb-1.x' into 'master'
automation: Update matrix-elementweb Docker tag to v1.11.59

See merge request saibotk.de/infrastructure!1191
2024-03-10 00:14:20 +00:00
27e4579b4a Merge branch 'renovate/keycloak-24.x' into 'master'
automation: Update keycloak Docker tag to v24

See merge request saibotk.de/infrastructure!1194
2024-03-10 00:14:12 +00:00
6bdcf205d9 Merge branch 'renovate/minecraft-image-2024.x' into 'master'
automation: Update minecraft-image Docker tag to v2024.3.0

See merge request saibotk.de/infrastructure!1193
2024-03-10 00:14:00 +00:00
1761532bd0 Merge branch 'renovate/matrix-synapse-1.x' into 'master'
automation: Update matrix-synapse Docker tag to v1.102.0

See merge request saibotk.de/infrastructure!1195
2024-03-10 00:13:10 +00:00
cceac875ae Merge branch 'renovate/monitoring-grafana-10.x' into 'master'
automation: Update monitoring-grafana Docker tag to v10.4.0

See merge request saibotk.de/infrastructure!1196
2024-03-10 00:08:54 +00:00
22d507bdf5 Merge branch 'renovate/gitlab-16.x' into 'master'
automation: Update gitlab Docker tag to v16.9.2

See merge request saibotk.de/infrastructure!1197
2024-03-10 00:08:47 +00:00
f146f9af65
feat(ansible): Adjust configs
This disables cowsay messages.
Enables persistent connections, so that multiple playbooks can reuse the connection.
Enables pipelining, since we are not affected by the limitation described in https://docs.ansible.com/ansible/latest/reference_appendices/config.html#envvar-ANSIBLE_PIPELINING;
this gives us a noticeable speed boost.

Additionally the playbook dir was set, so that some commands can benefit from the correct default.
2024-03-10 01:08:05 +01:00
79dabffd40
chore(ansible-config): also define collections path for ansible-lint
This fixes the local ansible-lint run.
2024-03-10 01:08:04 +01:00
1b66ab22e5
feat(dnf): Add role from histalek-de/infrastructure
This was taken from https://git.histalek.de/histalek-de/infrastructure/

<3
2024-03-10 01:08:03 +01:00
0152abb7df
!fix(haveged): Remove direct dependency on epel
So that this can be used on other systems too
2024-03-10 01:08:02 +01:00
bdb4cc72bf
fix(luks_ssh): Only install haveged on older systems
Newer systems do not need it anymore, because this is built in since kernel 5.4.

See https://github.com/jirka-h/haveged
2024-03-10 01:08:01 +01:00
20e150f453
feat(luks_ssh): Update with latest upstream changes
This includes a MOTD and some small adjustments for Fedora etc.

See a35fbc1ec4
2024-03-10 01:08:00 +01:00
db6f516bee
!fix(luks_ssh): Add root account SSH unlock
This has to be done so that sshd is able to read the authorized keys. See https://github.com/gsauthof/dracut-sshd/tree/master?tab=readme-ov-file#faq

So we do this here, note that this will remove the root account password if there is one.
2024-03-10 01:07:59 +01:00
Renovate Bot
5158a26f15 automation: Update gitlab Docker tag to v16.9.2 2024-03-06 19:05:08 +00:00
Renovate Bot
b4ad6cec32 automation: Update monitoring-grafana Docker tag to v10.4.0 2024-03-06 15:05:18 +00:00
Renovate Bot
f297350275 automation: Update matrix-synapse Docker tag to v1.102.0 2024-03-05 17:05:17 +00:00
Renovate Bot
c06cebf49f automation: Update keycloak Docker tag to v24 2024-03-05 09:05:00 +00:00
Renovate Bot
7f1445fc0b automation: Update minecraft-image Docker tag to v2024.3.0 2024-03-02 17:04:50 +00:00
Renovate Bot
088801b2ca automation: Update gitlab-runner_image Docker tag to v16.9.1 2024-02-28 19:04:31 +00:00
Renovate Bot
1b161e3414 automation: Update matrix-elementweb Docker tag to v1.11.59 2024-02-27 15:04:39 +00:00
Renovate Bot
fbc913d8d0 automation: Update community.general to version 8.4.0 2024-02-26 21:04:40 +00:00
Renovate Bot
a81ffdc752 automation: Update mastodon Docker tag to v4.2.8 2024-02-23 15:04:56 +00:00
332 changed files with 4934 additions and 12147 deletions


@ -1,14 +1,22 @@
[defaults] [defaults]
roles_path = ./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles playbook_dir = ./playbooks
inventory = ./inventory inventory = ./inventory
retry_files_enabled = false
vault_password_file = .vault_pass vault_password_file = .vault_pass
retry_files_enabled = False
nocows=True
use_persistent_connections = True
interpreter_python = auto_silent
[connection]
pipelining = True
[ssh_connection] [ssh_connection]
transfer_method = piped transfer_method = piped
[privilege_escalation] [privilege_escalation]
become_ask_pass = false become_ask_pass = False
[galaxy] [galaxy]
role_skeleton = ./.ansible/skeleton/default role_skeleton = ./.ansible/skeleton/default
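Review bot: The new `[defaults]` block keeps `vault_password_file = .vault_pass`, so the plaintext vault password sits inside the checkout; it must be listed in `.gitignore` and kept out of any backup or CI artifact of the repository, which I cannot confirm because that file is not part of this compare. `pipelining = True` under `[connection]` is the current location for that option, but it only works with `become` when `requiretty` is not set in sudoers on every managed host; the commit message asserts that, nothing in the config records it, so a line `# pipelining requires !requiretty in sudoers on all managed hosts` above it would keep the assumption visible. Boolean casing is also mixed on the new side (`retry_files_enabled = False`, `become_ask_pass = False`, while the removed lines used lowercase `false`); both parse, but one spelling file-wide reads cleaner.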


@ -2,3 +2,4 @@
# Otherwise ansible-lint always tries to get a vault password and fails. # Otherwise ansible-lint always tries to get a vault password and fails.
[defaults] [defaults]
roles_path = ./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles roles_path = ./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
collections_path = ./collections:~/.ansible/collections:/usr/share/ansible/collections:/etc/ansible/collections

48
guides/SETUP_FEDORA_41.md Normal file

@ -0,0 +1,48 @@
# Fedora 41 ISO install setup GUI
## Netcup stuff
- Setup Network mappings with hostnames / reverse addresses
- Assign IPv6 address from space
- Enable UEFI Boot
- Set VNC keymap to DE
## Anaconda Setup (GUI)
1. Select English US for installation
2. Change keyboard to de nodeadkeys
3. Choose Fedora Cloud Server and Guest Agents
4. Disk
- Choose Custom config
- Delete all existing paritions
- Choose Btrfs + encrypt
- Click to create automatically
- Done
- Enter disk encryption pw generated via pass
5. Network
- Set hostname
- Edit Interface
- Set IPv6 to Manual
- Enter address as given by provider
- Set Gateway to fe80::1
- Set IPv4 to Automatic (DHCP) addresses only
- Configure DNS Servers on IPv4 to
- 1.1.1.1
- 9.9.9.9
- Configure DNS Servers on IPv6 to
- 2606:4700:4700::1111
- 2620:fe::fe
6. Date/Time: Set to Berlin
- NTP Servers:
- Remove default pool
- Add time.cloudflare.com (only NTS ticked, not pool)
- Add sth1.nts.netnod.se (only NTS ticked, not pool)
7. User Account
- Leave root user disabled
- Add your own user, use temp PW and replace with pass generated when connected via SSH
## Ansible prep
Install python3-libdnf5
Workaround until Ansible version is released with this fix:
https://github.com/ansible/ansible/issues/84206

12
playbooks/caddy.yml Normal file

@ -0,0 +1,12 @@
- name: Install Caddy.
hosts: caddy
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true


@ -1,25 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure camo
hosts: camo
roles:
- docker
- docker_cleanup
- traefik
- camo


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure HedgeDoc
hosts: codimd
roles:
- docker
- docker_cleanup
- traefik
- codimd

5
playbooks/dnf.yml Normal file

@ -0,0 +1,5 @@
- name: Setup dnf.
hosts: dnf
roles:
- role: dnf
become: true


@ -1,23 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Docker IPv6 NAT
hosts: docker_ipv6_nat
roles:
- docker
- docker_cleanup
- docker_ipv6_nat

17
playbooks/elementweb.yml Normal file

@ -0,0 +1,17 @@
- name: Install Element Web.
hosts: elementweb
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: elementweb
become: true
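Review bot: The application role at the end of this play (`- role: elementweb`) carries no `tags:` while `podman` and `caddy` are tagged `always`, so a tag-limited run (`--tags caddy`, `--tags podman`) executes only the helper roles and no tag selection can ever pick the application role on its own; giving it `tags: [elementweb]` restores that, and the same applies to the hedgedoc, keycloak, mastodon, monitoring and saiblog plays in this compare. The podman/caddy prelude is also repeated verbatim in each of those plays; since standalone `playbooks/podman.yml` and `playbooks/caddy.yml` exist, an `import_playbook` of those could replace the copies, though that depends on the inventory group layout, which is not visible here.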


@ -1,23 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Factorio
hosts: factorio
roles:
- docker
- docker_cleanup
- factorio


@ -1,25 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure GitLab
hosts: gitlab
roles:
- docker
- docker_cleanup
- traefik
- gitlab


@ -1,32 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure GitLab Runner
hosts: gitlab_runner
roles:
- docker
- docker_cleanup
- gitlab_runner
tasks:
- name: Install docker image prune crontab
ansible.builtin.cron:
name: "Prune unused docker images"
minute: "0"
hour: "*/4"
job: "docker image prune -f"
become: true

17
playbooks/hedgedoc.yml Normal file

@ -0,0 +1,17 @@
- name: Install Hedgedoc.
hosts: hedgedoc
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: hedgedoc
become: true


@ -1,25 +1,17 @@
--- - name: Install Keycloak.
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Keycloak
hosts: keycloak hosts: keycloak
roles: roles:
- docker - role: podman
- docker_cleanup become: true
- traefik tags:
- keycloak - always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: keycloak
become: true


@ -1,5 +1,4 @@
--- ---
# Infrastructure # Infrastructure
# Ansible instructions to deploy the infrastructure # Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern # Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
@ -18,6 +17,12 @@
- name: Install & configure LUKS SSH setup - name: Install & configure LUKS SSH setup
hosts: luks_ssh hosts: luks_ssh
roles: tasks:
- haveged - name: Install haveged
- luks_ssh ansible.builtin.include_role:
name: haveged
when: ansible_kernel is version('5.4', '<')
- name: Install LUKS SSH
ansible.builtin.include_role:
name: luks_ssh
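Review bot: The guard `when: ansible_kernel is version('5.4', '<')` reads a gathered fact, so this play now silently depends on fact gathering staying enabled (the default); a comment such as `# needs gathered facts: ansible_kernel decides whether haveged is still required` on the task would make that explicit. The reason for the 5.4 cutoff lives only in commit bdb4cc72bf's message, so a second comment line citing it next to the condition keeps it discoverable for whoever raises or removes the threshold later. The `version` test is presumably fed the full kernel release string including distribution suffixes, which the default comparison tolerates, but that is worth confirming on the Fedora hosts this repository targets.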


@ -1,22 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure LVM self backup
hosts: lvm_self_backup
roles:
- docker
- lvm_self_backup


@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Docker & backup cronjob - name: Install & prepare Mailcow setup & backup cronjob
hosts: mailcow hosts: mailcow
roles: roles:
- docker - docker
@ -28,5 +28,45 @@
# yamllint disable-line rule:line-length # yamllint disable-line rule:line-length
job: "MAILCOW_BACKUP_LOCATION=/srv/mailcow-backups /srv/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 2 2>&1 | /usr/bin/logger -t mailcow_data_backup" job: "MAILCOW_BACKUP_LOCATION=/srv/mailcow-backups /srv/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 2 2>&1 | /usr/bin/logger -t mailcow_data_backup"
become: true become: true
# Manual steps:
# - Open ports / disable postfix - name: Install git
ansible.builtin.package:
name: "git"
state: "present"
become: true
- name: Clone mailcow # noqa latest[git]
ansible.builtin.git:
repo: "https://github.com/mailcow/mailcow-dockerized"
update: false
dest: "/srv/mailcow-dockerized"
become: true
- name: Create backup directory
ansible.builtin.file:
path: "/srv/mailcow-backups"
owner: "root"
group: "root"
state: directory
mode: "0755"
become: true
- name: Open ports
ansible.posix.firewalld:
state: enabled
permanent: true
immediate: true
zone: public
port: "{{ item }}"
loop:
- "25/tcp"
- "465/tcp"
- "587/tcp"
- "143/tcp"
- "993/tcp"
- "110/tcp"
- "995/tcp"
- "4190/tcp"
- "80/tcp"
- "443/tcp"
become: true
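Review bot: The `Clone mailcow` task checks out `https://github.com/mailcow/mailcow-dockerized` with no `version:` and silences the linter with `# noqa latest[git]`, so the first run on a fresh host takes whatever the default branch points at that day and later runs (`update: false`) never reconcile it; pinning `version:` to a release tag or commit makes the deployed mail stack reproducible and turns an upgrade into an explicit, reviewed change rather than a side effect of rebuilding a host. If the intent is to let mailcow's own update tooling own the checkout afterwards, a comment saying so next to the `noqa` would record that decision. The `Open ports` loop exposes 25, 110 and 143 alongside the TLS ports, which is normal for a mail server offering STARTTLS, but whether TLS is required on those ports is decided by the mailcow configuration rather than this playbook, and a one-line comment stating that would help the next reader. The enclosing play starts in the earlier hunk of this section.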


@ -1,25 +1,17 @@
--- - name: Install Mastodon.
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Mastodon
hosts: mastodon hosts: mastodon
roles: roles:
- docker - role: podman
- docker_cleanup become: true
- traefik tags:
- mastodon - always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: mastodon
become: true


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Matrix
hosts: matrix
roles:
- docker
- docker_cleanup
- traefik
- matrix


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Matrix Delegate
hosts: matrix_delegate
roles:
- docker
- docker_cleanup
- traefik
- matrix_delegate


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Element Web
hosts: matrix_elementweb
roles:
- docker
- docker_cleanup
- traefik
- matrix_elementweb


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Mauboot
hosts: matrix_maubot
roles:
- docker
- docker_cleanup
- traefik
- matrix_maubot


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2023 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Matrix Sliding Sync
hosts: matrix_sliding_sync
roles:
- docker
- docker_cleanup
- traefik
- matrix_sliding_sync


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Matrix Webhooks
hosts: matrix_webhooks
roles:
- docker
- docker_cleanup
- traefik
- matrix_webhooks


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Minecraft
hosts: minecraft
roles:
- docker
- docker_cleanup
- minecraft


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure BlockMap
hosts: minecraft
roles:
- docker
- docker_cleanup
- traefik
- minecraft_blockmap


@ -1,25 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure MinIO
hosts: minio
roles:
- docker
- docker_cleanup
- traefik
- minio


@ -1,33 +1,17 @@
--- - name: Install Monitoring Suite with Grafana, Loki and Prometheus.
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure monitoring servers
hosts: monitoring hosts: monitoring
roles:
- docker
- docker_cleanup
- traefik
- monitoring
- name: Install & configure monitoring clients
hosts: all
serial: 1
roles: roles:
- docker - role: podman
- docker_cleanup become: true
- telegraf tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: monitoring
become: true


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Owncast
hosts: owncast
roles:
- docker
- docker_cleanup
- traefik
- owncast


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Penpot
hosts: penpot
roles:
- docker
- docker_cleanup
- traefik
- penpot

7
playbooks/podman.yml Normal file

@ -0,0 +1,7 @@
- name: Install and configure podman.
hosts: podman
roles:
- role: podman
become: true

1
playbooks/roles Symbolic link

@ -0,0 +1 @@
../roles

17
playbooks/saiblog.yml Normal file

@ -0,0 +1,17 @@
- name: Install Saiblog.
hosts: saiblog
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: saiblog
become: true


@ -1,63 +1,16 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure unattended upgrades
import_playbook: unattended_upgrades.yml
- name: Install & configure ipv6 NAT for Docker
import_playbook: docker_ipv6_nat.yml
- name: Install & configure backup solution using LVM
import_playbook: lvm_self_backup.yml
- name: Install & configure GitLab
import_playbook: gitlab.yml
- name: Install & configure GitLab Runner
import_playbook: gitlab_runner.yml
- name: Install & configure camo
import_playbook: camo.yml
- name: Install & configure Keycloak - name: Install & configure Keycloak
import_playbook: keycloak.yml import_playbook: keycloak.yml
- name: Install & configure monitoring - name: Install & configure monitoring
import_playbook: monitoring.yml import_playbook: monitoring.yml
- name: Install & configure MinIO
import_playbook: minio.yml
- name: Install & configure Mastodon - name: Install & configure Mastodon
import_playbook: mastodon.yml import_playbook: mastodon.yml
- name: Install & configure HedgeDoc - name: Install & configure HedgeDoc
import_playbook: codimd.yml import_playbook: hedgedoc.yml
- name: Install & configure Matrix - name: Install & configure Synapse
import_playbook: matrix.yml import_playbook: synapse.yml
- name: Install & configure Matrix Delegate
import_playbook: matrix_delegate.yml
- name: Install & configure Element Web - name: Install & configure Element Web
import_playbook: matrix_elementweb.yml import_playbook: elementweb.yml
- name: Install & configure Matrix Webhooks - name: Install & configure Saiblog
import_playbook: matrix_webhooks.yml import_playbook: saiblog.yml
- name: Install & configure Maubot
import_playbook: matrix_maubot.yml
- name: Install & configure static websites
import_playbook: static_websites.yml
- name: Install & configure Teamspeak - name: Install & configure Teamspeak
import_playbook: teamspeak.yml import_playbook: teamspeak.yml
- name: Install & configure Owncast
import_playbook: owncast.yml
- name: Install & configure Factorio
import_playbook: factorio.yml
- name: Install & configure Penpot
import_playbook: penpot.yml
- name: Install & configure Vikunja
import_playbook: vikunja.yml
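Review bot: The rewritten site.yml imports no playbook that applies the new dnf role, although the companion commit removing unattended_upgrades says it was integrated into the dnf setup; unless a base/dnf playbook runs outside site.yml (none is visible in this compare), a full `ansible-playbook site.yml` no longer configures dnf-automatic on any host and security updates silently stop being applied. If such a playbook exists, import it ahead of the service playbooks, e.g. `- name: Configure automatic updates` / `  import_playbook: dnf.yml`; if it does not, adding one turns the unattended_upgrades removal from a regression into a migration. podman.yml is likewise not imported, though that matters less because every service playbook lists the podman role itself.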


@ -1,26 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure static websites
hosts: static_websites
serial: 1
roles:
- docker
- docker_cleanup
- traefik
- static_websites

17
playbooks/synapse.yml Normal file

@ -0,0 +1,17 @@
- name: Install Synapse.
hosts: synapse
roles:
- role: podman
become: true
tags:
- always
- podman
- role: caddy
become: true
tags:
- always
- caddy
- role: synapse
become: true


@ -1,24 +1,12 @@
--- - name: Install teamspeak3 server.
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Teamspeak
hosts: teamspeak hosts: teamspeak
roles: roles:
- docker - role: podman
- docker_cleanup become: true
- traefik tags:
- teamspeak - always
- podman
- role: teamspeak
become: true


@ -1,22 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Configure unattended upgrades
hosts: unattended_upgrades
roles:
- unattended_upgrades


@ -1,24 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2021 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install & configure Vikunja
hosts: vikunja
roles:
- docker
- docker_cleanup
- traefik
- vikunja


@ -1,12 +1,16 @@
--- ---
collections: collections:
- name: devsec.hardening - name: devsec.hardening
version: 9.0.1 version: 10.1.0
- name: community.general - name: community.general
version: 8.3.0 version: 10.0.0
- name: community.docker - name: community.docker
version: 3.8.0 version: 4.0.0
- name: ansible.posix - name: ansible.posix
version: 1.5.4 version: 1.6.2
- name: ansible.utils - name: ansible.utils
version: 3.1.0 version: 5.1.2
- name: containers.podman
version: 1.16.2
- name: fedora.linux_system_roles
version: 1.89.1


@ -0,0 +1,18 @@
caddy_install_dir: /srv/caddy
caddy_container_image: docker.io/library/caddy
# renovate: depName=docker.io/library/caddy
caddy_image_tag: "2.8.4-alpine"
caddy_selinux_level: "{{ omit }}"
caddy_memory_high: 0
caddy_memory_low: 128m
caddy_swap_max: -1
caddy_letsencrypt_email: no-reply@example.com
# possible values: ed25519|p256|p384|rsa2048|rsa4096
caddy_letsencrypt_key_type: rsa4096
caddy_letsencrypt_ca_server: https://acme-staging-v02.api.letsencrypt.org/directory
caddy_log_level: warn
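Review bot: `caddy_letsencrypt_ca_server` defaults to the Let's Encrypt staging directory, so any host that does not override it obtains certificates from the staging CA, which browsers do not trust; a production endpoint deployed with the role defaults fails TLS validation, and the failure only shows up at the client. Make staging an explicit opt-in instead: default to `caddy_letsencrypt_ca_server: https://acme-v02.api.letsencrypt.org/directory` and leave the staging URL in a comment for test hosts. `caddy_letsencrypt_email: no-reply@example.com` likewise deserves a comment that it must be overridden, since Let's Encrypt's published policy rejects example.com contact addresses (verify against the current ACME server behaviour).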


@ -0,0 +1,20 @@
- name: Apply new SELinux file context to filesystem.
ansible.builtin.command: "restorecon -irF {{ caddy_install_dir }}"
become: true
changed_when: true
listen: "caddy selinux context changed"
- name: Restart caddy service.
ansible.builtin.systemd:
state: restarted
name: "caddy"
daemon_reload: true
become: true
listen: "caddy service changed"
- name: Reload caddy service.
ansible.builtin.systemd:
state: reloaded
name: "caddy"
become: true
listen: "caddy config changed"

18
roles/caddy/meta/main.yml Normal file

@ -0,0 +1,18 @@
galaxy_info:
author: histalek
description: Deploy Caddy with podman and systemd.
issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
license: GPL-3.0-only
min_ansible_version: "2.14"
platforms:
- name: Fedora
versions:
- "38"
- "39"
- "40"
standalone: true

109
roles/caddy/tasks/main.yml Normal file

@ -0,0 +1,109 @@
- name: Update default SELinux contexts.
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
selevel: "{{ caddy_selinux_level }}"
state: present
loop:
- "{{ caddy_install_dir }}/config"
- "{{ caddy_install_dir }}/data"
- "{{ caddy_install_dir }}/srv"
become: true
notify: "caddy selinux context changed"
- name: Create caddy directories.
ansible.builtin.file:
path: "{{ caddy_install_dir }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
become: true
- name: Ensure caddy directories and configs exist.
block:
- name: Stat caddy config directory.
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
- name: Create caddy directories.
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
mode: "0700"
loop:
- path: "{{ caddy_install_dir }}/config"
- path: "{{ caddy_install_dir }}/data"
- path: "{{ caddy_install_dir }}/srv"
become: true
- name: Deploy caddy configs.
ansible.builtin.template:
src: Caddyfile.j2
dest: "{{ caddy_install_dir }}/config/Caddyfile"
mode: "0600"
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
become: true
notify: "caddy config changed"
- name: Ensure container image is present on the host.
containers.podman.podman_image:
name: "{{ caddy_container_image }}"
state: present
tag: "{{ caddy_image_tag }}"
become: true
- name: Allow http and https.
ansible.posix.firewalld:
service: "{{ item }}"
zone: public
permanent: true
immediate: true
state: enabled
loop:
- http
- https
become: true
# Ref: https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
- name: Set maximum udp send/receive buffer size to around 2,5MB for quic.
ansible.posix.sysctl:
name: "{{ item.name }}"
value: 7500000
sysctl_set: true
state: present
reload: true
loop:
- name: net.core.rmem_max
- name: net.core.wmem_max
become: true
- name: Create caddy container / network file.
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "0644"
loop:
- src: caddy.container.j2
dest: /etc/containers/systemd/caddy.container
- src: caddy.network.j2
dest: /etc/containers/systemd/caddy.network
become: true
notify: "caddy service changed"
- name: Flush handlers.
ansible.builtin.meta: flush_handlers
- name: Start and enable caddy service.
ansible.builtin.systemd:
state: started
enabled: true
name: "caddy"
become: true
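Review bot: The firewalld task only enables the `http` and `https` services, and firewalld's stock `https` service covers 443/tcp alone, so the 443/udp port the quadlet publishes for HTTP/3 stays blocked and the QUIC buffer sysctl a few tasks below tunes a path that cannot receive traffic. Add a second `ansible.posix.firewalld` task with `port: 443/udp` and the same `zone`/`permanent`/`immediate`/`state: enabled` settings (or the `http3` service where the installed firewalld version defines it). Separately, `community.general.sefcontext` depends on `semanage` from policycoreutils-python-utils and fails outright when SELinux is disabled; either ensure that package in this role or guard the task with `when: ansible_facts['selinux']['status'] == 'enabled'`.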


@ -0,0 +1,21 @@
{
admin
persist_config off
log {
output stdout
format console
level warn
}
email {{ caddy_letsencrypt_email }}
skip_install_trust
acme_ca {{ caddy_letsencrypt_ca_server }}
key_type {{ caddy_letsencrypt_key_type }}
servers {
# metrics
strict_sni_host
}
}
import /config/*.caddy
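Review bot: `level warn` is hard-coded in the global `log` block, so the `caddy_log_level` default introduced alongside this template is never consulted; change it to `level {{ caddy_log_level }}` so the variable actually controls verbosity. The bare `admin` directive keeps the admin API on localhost:2019 inside the container's network namespace, which is safe only as long as no port for it is ever published; a one-line comment stating that intent, e.g. `# admin API stays on localhost inside the container; never publish 2019`, saves the next reader from checking.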


@ -0,0 +1,50 @@
{{ ansible_managed | comment }}
[Unit]
Description=Caddy reverse proxy
[Service]
Restart=always
RestartSec=5s
ExecReload=/usr/bin/podman exec \
-w /config \
caddy \
caddy reload
[Container]
Image={{ caddy_container_image }}:{{ caddy_image_tag }}
ContainerName=caddy
Exec=caddy run \
--config /config/Caddyfile \
--adapter caddyfile
AutoUpdate=registry
LogDriver=journald
NoNewPrivileges=true
ReadOnly=true
DropCapability=all
AddCapability=CAP_NET_BIND_SERVICE
UserNS=auto:size=65535
{% if caddy_selinux_level != omit %}
SecurityLabelLevel={{ caddy_selinux_level }}
{% endif %}
Network=caddy.network
PublishPort=80:80/tcp
PublishPort=443:443/tcp
PublishPort=443:443/udp
Volume={{ caddy_install_dir }}/config:/config:ro,U
Volume={{ caddy_install_dir }}/data:/data:U
Volume={{ caddy_install_dir }}/srv:/srv:U
PodmanArgs=--memory={{ caddy_memory_high }}
PodmanArgs=--memory-swap={{ caddy_swap_max }}
PodmanArgs=--memory-reservation={{ caddy_memory_low }}
[Install]
WantedBy=default.target
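Review bot: `AutoUpdate=registry` together with an `Image=` reference that is a mutable tag (`2.8.4-alpine`) means podman-auto-update replaces the running binary whenever that tag is re-pushed upstream, with no review and no change in this repository, which undercuts the Renovate pin in defaults. Pin a digest as well, e.g. `Image={{ caddy_container_image }}:{{ caddy_image_tag }}@{{ caddy_image_digest }}` with Renovate bumping the digest, or drop `AutoUpdate=registry` and let the role's pull task drive updates; either way note that auto-update only fires if `podman-auto-update.timer` is enabled, which nothing visible in this role does. The `PodmanArgs` memory flags render as `--memory=0` with a 128m reservation, which appears to leave the container uncapped; if a ceiling is intended, set `caddy_memory_high` to a real value.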


@ -0,0 +1,6 @@
{{ ansible_managed | comment }}
[Network]
NetworkName=caddy_reverseproxy
Driver=bridge
IPv6=true


@ -1,35 +0,0 @@
Camo
=========
This will setup a [go-camo](https://github.com/cactus/go-camo) content proxy server with their official docker container and traefik.
Requirements
------------
You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
**This role assumes that you have setup traefik with an endpoint called `websecure`.**
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
Dependencies
------------
- docker
- docker-compose
- traefik
License
-------
GPL-3.0-only


@ -1,42 +0,0 @@
---
# Default variables for the camo role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose file is stored)
camo_install_location: "/srv/camo"
# The camo version that should be used
# renovate: depName=docker.io/cactus4docker/go-camo
camo_version: "2.4.9"
# The domain under which camo should be available using traefik
camo_domain: camo.example.com
# The certresolver that is used by traefik for camo's domain
camo_traefik_certresolver: "letsencrypt_http"
# The HMAC key to be used
camo_key: "{{ lookup('passwordstore', camo_domain + '/hmac-key create=true length=128') }}"
# The maximum allowed response size (in KB). (0 means unlimited)
camo_max_size: 0
# Docker image and version
camo_image: "docker.io/cactus4docker/go-camo"
camo_image_version: "v{{ camo_version }}"


@ -1,44 +0,0 @@
galaxy_info:
author: saibotk
description: "Installs a go-camo image proxy server via Docker."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker
- role: traefik


@ -1,54 +0,0 @@
---
# Tasks file for the camo role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ camo_install_location }}"
become: true
tags:
- camo
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ camo_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
- camo
become: true
- name: Compose camo container
community.docker.docker_compose_v2:
state: present
project_src: "{{ camo_install_location }}"
pull: always
remove_orphans: true
tags:
- camo
become: true


@ -1,62 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
camo:
image: "{{ camo_image }}:{{ camo_image_version }}"
mem_limit: 64mb
memswap_limit: 128mb
security_opt:
- no-new-privileges
environment:
- "GOCAMO_HMAC={{ camo_key }}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.camo.rule=Host(`{{ camo_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.camo.entrypoints=websecure"
- "traefik.http.routers.camo.tls=true"
- "traefik.http.routers.camo.tls.certresolver={{ camo_traefik_certresolver }}"
- "traefik.http.routers.camo.middlewares=camo,compress"
- "traefik.http.middlewares.camo.headers.sslredirect=true"
- "traefik.http.middlewares.camo.headers.stsSeconds=63072000"
- "traefik.http.middlewares.camo.headers.referrerPolicy=no-referrer"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.camo.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
command:
- "--max-size={{ camo_max_size }}"
- "--server-name='go-camo v{{ camo_version }}'"
restart: always
{% if proxy_network is defined %}
networks:
{{ proxy_network }}:
{% endif %}
{% if proxy_network is defined %}
networks:
{{ proxy_network }}:
external: true
{% endif %}


@ -1,35 +0,0 @@
HedgeDoc
=========
This will setup a [HedgeDoc](https://github.com/hedgedoc/hedgedoc) server with their official docker container and traefik.
Requirements
------------
You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
**This role assumes that you have setup traefik with an endpoint called `websecure`.**
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
Dependencies
------------
- docker
- docker-compose
- traefik
License
-------
GPL-3.0-only


@ -1,66 +0,0 @@
---
# Default variables for the codimd role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Database access variables: Please change/set the password!
codimd_database_user: codimd
codimd_database_password: codimdpass
codimd_database_name: codimd
# Adjust specific data locations, usually you would want to only adjust the "codimd_install_location" (the base path):
codimd_install_location: /srv/codimd
codimd_database_location: "{{ codimd_install_location }}/database"
codimd_uploads_location: "{{ codimd_install_location }}/uploads"
# Should a local uploads directory be created and mounted?
codimd_uploads_local: false
# Set the certresolver to your desired traefik certresolver.
# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
codimd_traefik_certresolver: letsencrypt_http
# The domain under which traefik should make CodiMD reachable
codimd_domain: pad.example.com
# This is where all application related environment variables are defined except the database connection.
# For all possible environment variables look here: https://github.com/codimd/server/blob/master/docs/configuration.md.
# Note: All variables below will automatically be prefixed with "CMD_", eg. "DOMAIN" will automatically become "CMD_DOMAIN".
codimd_options:
ALLOW_FREE_URL: false
DOMAIN: "{{ codimd_domain }}"
EMAIL: false
PROTOCOL_USESSL: true
URL_ADDPORT: false
USECDN: true
# The version of codimd and its postgres server
# (don't upgrade postgres without a backup etc, as it might have introduced breaking changes!)
# renovate: depName=quay.io/hedgedoc/hedgedoc
codimd_version: 1.9.9
# renovate: depName=docker.io/library/postgres
codimd_postgres_version: 11.16
# The image tags that should be used (templated using the versions provided above)
codimd_image_version: "{{ codimd_version }}"
codimd_postgres_image_version: "{{ codimd_postgres_version }}-alpine"
# SELinux level for codimd and the database, which are applied to their data folders and the containers.
# (By default these will be omitted and ignored)
codimd_selinux_level: "{{ omit }}"
codimd_database_selinux_level: "{{ omit }}"


@ -1,44 +0,0 @@
galaxy_info:
author: saibotk
description: "Installs HedgeDoc as a Docker container."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker
- role: traefik


@ -1,90 +0,0 @@
---
# Tasks file for the codimd role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item.location }}(/.*)?"
setype: "container_file_t"
selevel: "{{ item.selevel | default(omit) }}"
state: present
when: item.when | default(true)
with_items:
- location: "{{ codimd_database_location }}"
selevel: "{{ codimd_database_selinux_level }}"
- location: "{{ codimd_uploads_location }}"
selevel: "{{ codimd_selinux_level }}"
when: "{{ codimd_uploads_local }}"
tags:
- codimd
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ codimd_install_location }}"
tags:
- codimd
become: true
- name: Create data directory
ansible.builtin.file: # noqa risky-file-permissions # Container adjusts permissions on its own
path: "{{ item.location }}"
state: directory
setype: "container_file_t"
selevel: "{{ item.selevel | default(omit) }}"
when: item.when | default(true)
with_items:
- location: "{{ codimd_database_location }}"
selevel: "{{ codimd_database_selinux_level }}"
- location: "{{ codimd_uploads_location }}"
selevel: "{{ codimd_selinux_level }}"
when: "{{ codimd_uploads_local }}"
tags:
- codimd
become: true
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ codimd_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
- codimd
become: true
- name: Compose codimd
community.docker.docker_compose_v2:
state: present
project_src: "{{ codimd_install_location }}"
pull: always
remove_orphans: true
tags:
- codimd
become: true


@ -1,105 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
database:
image: docker.io/library/postgres:{{ codimd_postgres_image_version }}
mem_limit: 256mb
memswap_limit: 512mb
read_only: true
{% if codimd_database_selinux_level != omit %}
security_opt:
- label=level:{{ codimd_database_selinux_level }}
{% endif %}
tmpfs:
- /run/postgresql:size=512K
- /tmp:size=128K
stop_grace_period: 2m
stop_signal: SIGINT
environment:
- POSTGRES_USER={{ codimd_database_user }}
- POSTGRES_PASSWORD={{ codimd_database_password }}
- POSTGRES_DB={{ codimd_database_name }}
volumes:
- {{ codimd_database_location }}:/var/lib/postgresql/data
networks:
backend:
restart: always
codimd:
image: quay.io/hedgedoc/hedgedoc:{{ codimd_image_version }}
mem_limit: 256mb
memswap_limit: 512mb
restart: always
read_only: true
{% if codimd_selinux_level != omit %}
security_opt:
- label=level:{{ codimd_selinux_level }}
{% endif %}
tmpfs:
- /tmp:size=10M
{% if not codimd_uploads_local %}
- /hedgedoc/public/uploads:size=10M
{% endif %}
environment:
- "CMD_DB_URL=postgres://{{ codimd_database_user }}:{{ codimd_database_password }}@database:5432/{{ codimd_database_name }}"
{% for key, value in codimd_options.items() %}
- "CMD_{{ key }}={{ value }}"
{% endfor %}
labels:
- "traefik.http.routers.codimd.rule=Host(`{{ codimd_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.codimd.entrypoints=websecure"
- "traefik.http.routers.codimd.tls=true"
- "traefik.http.routers.codimd.tls.certresolver={{ codimd_traefik_certresolver }}"
- "traefik.http.routers.codimd.middlewares=codimd,compress"
- "traefik.http.routers.codimd.service=codimd"
- "traefik.http.services.codimd.loadbalancer.server.port=3000"
- "traefik.http.middlewares.codimd.headers.sslredirect=true"
- "traefik.http.middlewares.codimd.headers.stsSeconds=63072000"
- "traefik.http.middlewares.codimd.headers.browserXssFilter=true"
- "traefik.http.middlewares.codimd.headers.contentTypeNosniff=true"
- "traefik.enable=true"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.codimd.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
{% if codimd_uploads_local %}
volumes:
- {{ codimd_uploads_location }}:/hedgedoc/public/uploads
{% endif %}
networks:
backend:
{% if proxy_network is defined %}
{{ proxy_network }}:
{% endif %}
networks:
backend:
{% if proxy_network is defined %}
{{ proxy_network }}:
external: true
{% endif %}


@ -0,0 +1,31 @@
dnf_install_epel: false
# For more information refer to https://github.com/rpm-software-management/dnf/blob/master/doc/automatic.rst
# [commands]
dnf_install_updates: true
dnf_download_updates: true
# one of 'security', 'all',
dnf_upgrade_type: security
dnf_random_sleep: 300
dnf_network_online_timeout: 60
# [emitters]
dnf_emit_via: stdio
dnf_system_name: "{{ ansible_nodename }}"
# [command]
dnf_command_format: cat
dnf_stdin_format: "{body}"
# [command_email]
dnf_email_command_format: mail -Ssendwait -s {subject} -r {email_from} {email_to}
dnf_email_stdin_format: "{body}"
# [email]
dnf_email_from: root
dnf_email_to: root
dnf_email_host: localhost
# [base]
dnf_base_overrides: {}

27
roles/dnf/meta/main.yml Normal file

@ -0,0 +1,27 @@
galaxy_info:
author: histalek
description: Configure automatic updates with dnf.
issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
license: GPL-3.0-only
min_ansible_version: "2.10"
platforms:
- name: Fedora
versions:
- "32"
- "33"
- "34"
- "35"
- "36"
- name: EL
versions:
- "9"
standalone: true
galaxy_tags: []
dependencies: []

35
roles/dnf/tasks/main.yml Normal file

@ -0,0 +1,35 @@
- name: Install EPEL repository
ansible.builtin.dnf:
name: epel-release
state: present
when: dnf_install_epel
become: true
- name: Install dnf-plugin-tracer.
ansible.builtin.dnf:
name: dnf-plugin-tracer
state: present
when: ansible_facts['distribution'] == "Fedora"
become: true
- name: Install dnf-automatic
ansible.builtin.dnf:
name: dnf-automatic
state: present
become: true
- name: Deploy automatic.conf
ansible.builtin.template:
src: automatic.conf.j2
dest: /etc/dnf/automatic.conf
mode: '0700'
owner: 'root'
group: 'root'
become: true
- name: Start and enable systemd timer for dnf-automatic
ansible.builtin.systemd:
name: dnf-automatic.timer
state: started
enabled: true
become: true
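Review bot: `/etc/dnf/automatic.conf` is deployed with `mode: '0700'`, which puts an execute bit on a plain config file while hiding it from non-root users; the file carries nothing secret (the package ships it world-readable) and the single-quoted mode also differs from the double-quoted `"0644"`/`"0600"` style used in the rest of this commit, so `mode: "0644"` is the sensible value. With `apply_updates` enabled and `upgrade_type = security`, kernel and libc updates are installed but nothing restarts affected services or reboots, and dnf-plugin-tracer merely reports them on Fedora; either document that an operator must act on its output or, where the installed dnf-automatic supports it, expose the `[commands] reboot` option through a role variable.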


@ -0,0 +1,42 @@
{{ ansible_managed | comment }}
# Ref: https://github.com/rpm-software-management/dnf/blob/master/doc/automatic.rst
[commands]
apply_updates = {{ dnf_install_updates }}
download_updates = {{ dnf_download_updates }}
network_online_timeout = {{ dnf_network_online_timeout }}
random_sleep = {{ dnf_random_sleep }}
upgrade_type = {{ dnf_upgrade_type }}
[emitters]
emit_via = {{ dnf_emit_via }}
system_name = {{ dnf_system_name }}
[command]
command_format = {{ dnf_command_format }}
stdin_format = {{ dnf_stdin_format }}
[command_email]
command_format = {{ dnf_email_command_format }}
email_from = {{ dnf_email_from }}
email_to = {{ dnf_email_to }}
stdin_format = {{ dnf_email_stdin_format }}
[email]
email_from = {{ dnf_email_from }}
email_host = {{ dnf_email_host }}
email_to = {{ dnf_email_to }}
[base]
{% if dnf_base_overrides is mapping %}
{% for key, value in dnf_base_overrides.items() %}
{{ key }}={{ value }}
{% endfor %}
{% endif %}


@ -42,11 +42,11 @@ docker_install_repository: true
# The repository settings # The repository settings
# The repository will be added as a repository to allow downloading/installing the package # The repository will be added as a repository to allow downloading/installing the package
docker_yum_repository_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo docker_yum_repository_url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/docker-{{ docker_edition }}.repo
docker_yum_repository_destination: /etc/yum.repos.d/docker-{{ docker_edition }}.repo docker_yum_repository_destination: /etc/yum.repos.d/docker-{{ docker_edition }}.repo
# Where to fetch the docker repository GPG key from # Where to fetch the docker repository GPG key from
docker_yum_repository_gpg_key: https://download.docker.com/linux/centos/gpg docker_yum_repository_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
# The apt repository settings # The apt repository settings
docker_apt_key_id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88" docker_apt_key_id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
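Review bot: The new `{{ ansible_distribution | lower }}` path component only resolves on download.docker.com for distributions whose Ansible name equals a directory there (fedora, centos, rhel, debian, ubuntu); derivatives such as Rocky or AlmaLinux report a name that, as far as I know, has no directory, so the repo download would fail on them. The same commit drops EL from the role's platforms, which keeps this consistent, but a comment `# Assumes the distribution name matches a directory under download.docker.com/linux/ (Fedora only since EL support was dropped)` above `docker_yum_repository_url` would record that assumption. The same applies to `docker_yum_repository_gpg_key`.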


@ -6,9 +6,6 @@ galaxy_info:
standalone: true standalone: true
platforms: platforms:
- name: EL
versions:
- all
- name: Fedora - name: Fedora
versions: versions:
- all - all


@ -1,55 +0,0 @@
---
# Tasks file for the docker role
# Infrastructure
# Ansible instructions to deploy the infrastructure
#
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Ensure old versions of Docker are not installed.
ansible.builtin.package:
name:
- docker
- docker-common
- docker-engine
state: absent
become: true
- name: Ensure buildah & runc are not installed.
ansible.builtin.package:
name:
- buildah
- runc
state: absent
become: true
- name: Add Docker GPG key.
ansible.builtin.rpm_key:
key: "{{ docker_yum_repository_gpg_key }}"
state: present
when:
- docker_install_repository
become: true
- name: Add Docker repository.
ansible.builtin.get_url:
url: "{{ docker_yum_repository_url }}"
dest: "{{ docker_yum_repository_destination }}"
owner: root
group: root
mode: "0644"
when:
- docker_install_repository
become: true


@ -1,24 +0,0 @@
docker_cleanup
=========
This will prune unused docker images older than 3 days, to keep the system clean.
Requirements
------------
You will need to have docker installed with its python package to use this role.
Role Variables
--------------
None
Dependencies
------------
- docker
License
-------
GPL-3.0-only


@ -1,43 +0,0 @@
galaxy_info:
author: Christoph Kern
description: "Cleans up the exsting Docker install"
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker


@ -1,25 +0,0 @@
---
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Prune docker images older than 3 days
community.docker.docker_prune:
images: true
images_filters:
dangling: false
until: 72h
become: true


@ -1,31 +0,0 @@
docker_ipv6_nat
===============
This will install the [docker-ipv6nat](https://github.com/robbertkl/docker-ipv6nat) container to manage IPv6 with ease on a single IP.
The container will automatically create ip6table forwarding rules on demand. To use the functionality, make sure that each container, that exposes a port
also has an `ipv6_enabled: true` user-defined network attached to it, with a ULA IPv6 for the tool to forward to.
**Note: This will enable the kernel module `ipv6nat` if not enabled!**
Requirements
------------
You will need to have docker, docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only


@ -1,26 +0,0 @@
---
# Default variables for the docker_ipv6_nat role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose.yml file will be deployed)
docker_ipv6_nat_install_location: /srv/docker-ipv6-nat
# The docker image and version/tag to use
docker_ipv6_nat_baseimage: docker.io/robbertkl/ipv6nat
# renovate: depName=docker.io/robbertkl/ipv6nat
docker_ipv6_nat_version: 0.4.4


@ -1,43 +0,0 @@
galaxy_info:
author: saibotk
description: "Deploys a robbertkl/ipv6nat container."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker


@ -1,55 +0,0 @@
---
# Tasks file for the docker_ipv6_nat role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ docker_ipv6_nat_install_location }}"
tags:
- docker-ipv6-nat
become: true
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ docker_ipv6_nat_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
- docker-ipv6-nat
become: true
- name: Compose docker-ipv6-nat
community.docker.docker_compose_v2:
state: present
project_src: "{{ docker_ipv6_nat_install_location }}"
pull: always
remove_orphans: true
tags:
- docker
- docker-ipv6-nat
become: true


@ -1,35 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
ipv6nat:
image: {{ docker_ipv6_nat_baseimage }}:{{ docker_ipv6_nat_version }}
security_opt:
- label:disable
restart: always
network_mode: "host"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "/lib/modules:/lib/modules:ro"
cap_drop:
- ALL
cap_add:
- NET_ADMIN
- NET_RAW
- SYS_MODULE


@ -0,0 +1,38 @@
elementweb_install_dir: "/opt/elementweb"
elementweb_domain: element.example.com
elementweb_containerimage: docker.io/vectorim/element-web
# renovate: depName=docker.io/vectorim/element-web
elementweb_image_tag: "v1.11.90"
elementweb_selinux_level: "{{ omit }}"
elementweb_memory_low: 32m
elementweb_memory_high: 0
elementweb_swap_max: -1
# The homeserver URL and display name
elementweb_base_url: "https://matrix.example.com"
elementweb_servername: "example.com"
# Controls whether Element shows the presence feature for all (empty list) or specific servers (key = value list with the key being the server url)
elementweb_enable_presence_by_hs_url: []
# Should users only be allowed to use this instance with the given matrix server?
elementweb_disable_custom_urls: true
# Should Element-Web disable guests? (without sign-in)
elementweb_disable_guests: true
# Should Element-Web disable 3PID login? (Login with Email etc)
elementweb_disable_3pid_login: false
# Integration Server URLs to use (see https://github.com/vector-im/element-web/blob/develop/docs/config.md)
elementweb_integrations_ui_url: "https://scalar.vector.im/"
elementweb_integrations_rest_url: "https://scalar.vector.im/api"
elementweb_integrations_widgets_urls: ["https://scalar.vector.im/api"]
elementweb_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
# Element Web public room directory server(s)
elementweb_roomdir_servers: ["matrix.org"]
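Review bot: `elementweb_memory_high: 0` and `elementweb_swap_max: -1` are fed straight into `--memory` and `--memory-swap` in the container template, but the defaults carry no comment on what those sentinel values mean; presumably 0 is no hard limit and -1 is unlimited swap, which should be stated and verified against podman's documentation. Suggest `# hard limit passed as podman --memory; 0 = no limit` and `# passed as podman --memory-swap; -1 = unlimited swap` above them, plus `# soft limit passed as --memory-reservation` on elementweb_memory_low. `elementweb_selinux_level: "{{ omit }}"` is likewise a sentinel that the container template compares against `omit`; a one-line comment saying so saves the next reader from treating it as an ordinary string default.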


@ -0,0 +1,14 @@
- name: Apply new SELinux file context to filesystem.
ansible.builtin.command: "restorecon -irF {{ elementweb_install_dir }}"
become: true
listen: "elementweb selinux context changed"
- name: Restart elementweb service.
ansible.builtin.systemd:
state: restarted
name: elementweb.service
daemon_reload: true
become: true
listen:
- "elementweb service changed"
- "elementweb selinux context changed"
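Review bot: `ansible.builtin.command: "restorecon -irF {{ elementweb_install_dir }}"` builds the command line by string interpolation, so a value of `elementweb_install_dir` containing whitespace is split into extra arguments. The list form avoids that: `ansible.builtin.command:` followed by `argv: [restorecon, -irF, "{{ elementweb_install_dir }}"]`. The install dir is a role default today, so this is a robustness point rather than a current failure.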


@ -0,0 +1,20 @@
galaxy_info:
author: saibotk
description: Deploy element web with podman and systemd.
issue_tracker_url: https://git.sipsofcode.de/saibotk-de/infrastructure/issues
license: GPL-3.0-only
min_ansible_version: "2.10"
platforms:
- name: Fedora
versions:
- "41"
standalone: true
galaxy_tags: []
dependencies: []
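Review bot: `dependencies: []` does not match the tasks file, which reads `caddy_install_dir` and `caddy_selinux_level` and notifies `caddy config changed`; those variables and that handler only exist when the caddy role has been loaded in the same play, otherwise the play fails on an undefined variable or an unknown handler. Either declare `- role: caddy` here, or document the coupling in meta and README and guard the caddy block with `when: caddy_install_dir is defined`. The same coupling appears in the container template's `Network = caddy.network`.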


@ -0,0 +1,80 @@
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item.target }}"
setype: "container_file_t"
selevel: "{{ item.selevel }}"
state: present
loop:
- target: "{{ elementweb_install_dir }}/config.json"
selevel: "{{ elementweb_selinux_level }}"
become: true
notify: "elementweb selinux context changed"
- name: Create elementweb directories.
ansible.builtin.file:
path: "{{ elementweb_install_dir }}"
owner: "root"
group: "root"
mode: "0700"
state: directory
become: true
- name: Stat elementweb config file.
ansible.builtin.stat:
path: "{{ elementweb_install_dir }}/config.json"
become: true
register: elementweb_stat_config
- name: Add caddy config file.
block:
- name: Check caddy config dir.
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
- name: Template caddy config for elementweb.
ansible.builtin.template:
src: elementweb.caddy.j2
dest: "{{ caddy_install_dir }}/config/elementweb.caddy"
mode: "0600"
setype: "container_file_t"
selevel: "{{ caddy_selinux_level }}"
owner: "{{ caddy_stat_config_dir.stat.uid }}"
group: "{{ caddy_stat_config_dir.stat.gid }}"
notify: "caddy config changed"
become: true
- name: Create elementweb container file.
ansible.builtin.template:
src: elementweb.container.j2
dest: /etc/containers/systemd/elementweb.container
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "elementweb service changed"
- name: Create elementweb config file.
ansible.builtin.template:
src: config.json.j2
dest: "{{ elementweb_install_dir }}/config.json"
setype: "container_file_t"
selevel: "{{ elementweb_selinux_level }}"
owner: "{{ elementweb_stat_config.stat.uid | default('root') }}"
group: "{{ elementweb_stat_config.stat.gid | default('root') }}"
mode: "0644"
become: true
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure elementweb services are started and enabled.
ansible.builtin.systemd:
state: started
enabled: true
name: "{{ item }}"
daemon_reload: true
loop:
- elementweb.service
become: true
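Review bot: `owner: "{{ caddy_stat_config_dir.stat.uid }}"` in the caddy block has no fallback, so when the config directory does not exist the stat result carries no `uid` and the task fails on an undefined attribute instead of a clear message; the elementweb config task two steps later already uses `| default('root')` for the same situation. Either apply the same `| default('root')` to the uid and gid lookups, or add `failed_when: not caddy_stat_config_dir.stat.exists` to the stat task so the failure names the missing directory. The `block:` itself has no `when`, so the caddy config is templated unconditionally; if that is intended, a comment on the block stating that the role assumes caddy on the same host would help.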


@ -0,0 +1,23 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": {{ elementweb_base_url | string | to_json }},
"server_name": {{ elementweb_servername | string | to_json }}
}
},
"disable_custom_urls": {{ elementweb_disable_custom_urls | to_json }},
"disable_3pid_login": {{ elementweb_disable_3pid_login | to_json }},
"disable_guests": {{ elementweb_disable_guests | to_json }},
"integrations_ui_url": {{ elementweb_integrations_ui_url | string | to_json }},
"integrations_rest_url": {{ elementweb_integrations_rest_url | string | to_json }},
"integrations_widgets_urls": {{ elementweb_integrations_widgets_urls | to_json }},
"integrations_jitsi_widget_url": {{ elementweb_integrations_jitsi_widget_url | string | to_json }},
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
"showLabsSettings": true,
{% if elementweb_enable_presence_by_hs_url %}
"enable_presence_by_hs_url": {{ elementweb_enable_presence_by_hs_url | to_json }},
{% endif %}
"roomDirectory": {
"servers": {{ elementweb_roomdir_servers | to_json }}
}
}
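Review bot: `"bug_report_endpoint_url": "https://element.io/bugreports/submit"` and `"showLabsSettings": true` are hard-coded while every other setting in this template is a role variable; bug reports carry client logs, so an operator should be able to point them elsewhere or omit the key, and labs settings are not usually something to expose to all users by default. Suggest `elementweb_bug_report_endpoint_url` and `elementweb_show_labs_settings` defaults holding the current values, rendered via `| string | to_json` and `| to_json` like the lines above, with the bug-report key wrapped in an `{% if %}` so an empty value drops it.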


@ -0,0 +1,24 @@
{{ ansible_managed | comment }}
{{ elementweb_domain }} {
encode gzip
header {
# enable HSTS
Strict-Transport-Security "max-age=31536000; preload;"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
# Server name removing
-Server
}
reverse_proxy elementweb:8000
}
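Review bot: `Strict-Transport-Security "max-age=31536000; preload;"` has a stray trailing `;` and asserts `preload` without `includeSubDomains`, which the HSTS preload list requires; browsers ignore the token, but the header promises something the configuration does not meet. Use `"max-age=31536000; includeSubDomains; preload"` only if the domain is meant to be submitted to the preload list and every subdomain is served over HTTPS, otherwise `"max-age=31536000"`. `Referrer-Policy no-referrer-when-downgrade` is also the browser default; `strict-origin-when-cross-origin` would be the tighter choice for an app that loads third-party widgets.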


@ -0,0 +1,41 @@
{{ ansible_managed | comment }}
[Unit]
Description = Element Web
[Service]
Restart = always
RestartSec = 5s
[Container]
Image = {{ elementweb_containerimage }}:{{ elementweb_image_tag }}
ContainerName = elementweb
# AutoUpdate = registry
LogDriver = journald
ReadOnly = true
NoNewPrivileges = true
DropCapability = all
AddCapability = DAC_OVERRIDE
UserNS = auto:size=65535
{% if elementweb_selinux_level != omit %}
SecurityLabelLevel = {{ elementweb_selinux_level }}
{% endif %}
Network = caddy.network
Environment = ELEMENT_WEB_PORT=8000
Volume = {{ elementweb_install_dir }}/config.json:/app/config.json:ro,U
Tmpfs = /var/cache/nginx:rw,noexec,nosuid,nodev,size=1m
Tmpfs = /var/run:rw,noexec,nosuid,nodev,size=1m
Tmpfs = /etc/nginx/conf.d:rw,noexec,nosuid,nodev,size=8m,mode=1770,U
PodmanArgs = --memory={{ elementweb_memory_high }}
PodmanArgs = --memory-swap={{ elementweb_swap_max }}
PodmanArgs = --memory-reservation={{ elementweb_memory_low }}
[Install]
WantedBy = default.target
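Review bot: `AddCapability = DAC_OVERRIDE` is the single capability kept after `DropCapability = all`, but nothing says why the container needs it; a comment naming the reason (presumably the `U`-relabelled mounts or nginx writing into the tmpfs paths, to be confirmed) keeps the next reviewer from dropping or widening it. The `{% if elementweb_selinux_level != omit %}` guard relies on Ansible's omit placeholder being the same string when the default is rendered and when this template is rendered; that holds within a run, but a comment `# elementweb_selinux_level defaults to "{{ omit }}", so the placeholder compares equal here` should say so. `# AutoUpdate = registry` left commented out also deserves a word on whether image updates are meant to arrive through the renovate-managed `elementweb_image_tag` instead.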


@ -1,24 +0,0 @@
EPEL
=========
Installs the `epel-release` package via yum.
Requirements
------------
None
Role Variables
--------------
None
Dependencies
------------
None, except for a CentOS 7 system.
License
-------
GPL-3.0-only


@ -1,15 +0,0 @@
galaxy_info:
author: saibotk
description: Installs the epel-release package.
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- "7"
galaxy_tags: []
dependencies: []


@ -1,24 +0,0 @@
---
# Tasks file for the epel role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Install EPEL repository package
ansible.builtin.yum:
name: epel-release
state: present
become: true


@ -1,27 +0,0 @@
Factorio
=========
This will setup a [Factorio](https://github.com/factoriotools/factorio-docker) gameserver using a docker container.
Requirements
------------
You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only


@ -1,37 +0,0 @@
---
# Default variables for the factorio role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The install location (where the docker-compose file is stored)
factorio_install_location: "/srv/factorio"
factorio_data_location: "{{ factorio_install_location }}/data"
# The camo version that should be used
# renovate: depName=docker.io/factoriotools/factorio
factorio_version: "1.1.104"
# Docker image
factorio_image: "docker.io/factoriotools/factorio"
# The factorio server port that should be exposed
factorio_server_port: 34197
# IPv6 ULA config for the bridge network used by docker-ipv6-nat
factorio_ipv6:
enabled: false
subnet: "fd9e:21a7:a92c:2456::/64"


@ -1,43 +0,0 @@
galaxy_info:
author: saibotk
description: "Installs a factorio server via Docker."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker


@ -1,79 +0,0 @@
---
# Tasks file for the factorio role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
state: present
with_items:
- "{{ factorio_data_location }}"
tags:
- factorio
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ factorio_install_location }}"
become: true
tags:
- factorio
- name: Create data directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0750"
owner: "845"
group: "845"
setype: "container_file_t"
with_items:
- "{{ factorio_data_location }}"
tags:
- factorio
become: true
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ factorio_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
- factorio
become: true
- name: Compose factorio container
community.docker.docker_compose_v2:
state: present
project_src: "{{ factorio_install_location }}"
pull: always
remove_orphans: true
tags:
- factorio
become: true


@ -1,40 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2.1'
services:
factorio:
image: "{{ factorio_image }}:{{ factorio_version }}"
ports:
- "{{ factorio_server_port }}:34197/udp"
volumes:
- "{{ factorio_data_location }}:/factorio"
restart: always
networks:
factorio-backend:
networks:
factorio-backend:
driver: bridge
{% if factorio_ipv6 is defined and factorio_ipv6.enabled %}
ipam:
driver: default
config:
- subnet: {{ factorio_ipv6.subnet }}
enable_ipv6: true
{% endif %}


@ -1,35 +0,0 @@
Gitlab
=========
This will setup a Gitlab instance using their official docker container and traefik as a reverse proxy.
Requirements
------------
You will need to have docker, docker-compose and traefik installed or declared as dependencies with their respective roles.
**This role assumes that you have setup traefik with an endpoint called `websecure`.**
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Global variables, that are used:
- `proxy_network`: Defined by the local traefik installation, this is the shared proxy network used by traefik to reach the containers. (optional)
- `proxy_hiddenservice`: Defined by the local traefik installation, this is used to generate the alt-svc header for the alternative Tor domain. (optional)
Dependencies
------------
- docker
- docker-compose
- traefik
License
-------
GPL-3.0-only


@ -1,167 +0,0 @@
---
# Default variables for the gitlab role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Install location settings
gitlab_install_location: /srv/gitlab
gitlab_data_location: "{{ gitlab_install_location }}/data"
gitlab_config_location: "{{ gitlab_install_location }}/config"
gitlab_log_location: "{{ gitlab_install_location }}/log"
gitlab_telegraf_location: "{{ gitlab_install_location }}/telegraf"
# Put GitLab's logs in a tempfs instead to save headache with diskspace
gitlab_log_tmpfs: false
# Set the certresolver to your desired traefik certresolver.
# Note: This is `letsencrypt_cf` by default for backwards compatibility, you might want to use `letsencrypt_http` instead, depending on your setup
gitlab_traefik_certresolver: letsencrypt_http
# The domain under which traefik should make gitlab (and, if enabled, the registry) reachable
gitlab_domain: gitlab.example.com
gitlab_registry_domain: registry.gitlab.example.com
# The Gitlab version, usually you don't need to adjust this for a host.
# renovate: depName=gitlab/gitlab-ce
gitlab_version: 16.9.1-ce.0
# renovate: depName=docker.io/library/telegraf
gitlab_telegraf_version: "1.26"
# The port you want Gitlab to listen on for SSH connections
gitlab_ssh_port: 22
# The memory limits for the GitLab container
#
# Notice the gitlab_memoryswap_limit must be equal
# or higher than the gitlab_memory_limit
gitlab_memory_limit: "6096mb"
gitlab_memoryswap_limit: "6352mb"
# Enable or disable selinux handling
gitlab_selinux_enabled: true
# Email/SMTP settings
gitlab_smtp_address: smtp.example.com
gitlab_smtp_port: 465
gitlab_smtp_user_name: "gitlab@example.com"
gitlab_smtp_password: "{{ lookup('passwordstore', gitlab_domain + '/' + gitlab_smtp_user_name + ' create=true length=42') }}"
gitlab_smtp_tls: "{{ gitlab_snmp_tls | default('true') }}" # There was a typo in the config option name, this makes sure it's falling back properly
gitlab_email_from: "{{ gitlab_smtp_user_name }}"
gitlab_email_reply_to: "{{ gitlab_smtp_user_name }}"
gitlab_smtp_starttls_auto: false
gitlab_smtp_openssl_verify_mode: "peer"
# Libravatar / Gravatar URLs
gitlab_libravatar_plain: "cdn.libravatar.org"
gitlab_libravatar_ssl: "seccdn.libravatar.org"
# CSP settings
gitlab_csp:
enabled: true
img_src: "https:"
# yamllint disable-line rule:line-length
# frame_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
# script_src: "https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
# SAML settings
gitlab_saml:
enabled: false
label: "SAML"
groups_attribute: "roles"
external_groups: "{{ gitlab_domain }}:external"
idp_cert_fingerprint: "<to be set>"
idp_sso_target_url: "https://sso.example.com"
idp_slo_target_url: "https://sso.example.com"
issuer: "{{ gitlab_domain }}"
certificate: "<cert without '----BEGIN CERTIFICATE----' (can be omited)>"
private_key: "<private key without '----BEGIN RSA PRIVATE KEY----' (can be omited)>"
attribute_statements:
first_name: "first_name"
last_name: "last_name"
name: "name"
username: "username"
email: "email"
name_identifier_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
autologin: false
# LDAP settings
gitlab_ldap:
enabled: false
label: "LDAP"
host: "ldap.example.com"
port: 389
bind_dn: "_the_full_dn_of_the_user_you_will_bind_with"
password: "_the_password_of_the_bind_user"
encryption: "simple_tls"
verify_certificates: true
uid: "sAMAccountName"
active_directory: true
user_filter: ""
base: "dc=example,dc=com"
# IMAP settings (for email replies to comments etc.)
gitlab_imap:
enabled: false
username: "{{ gitlab_smtp_user_name }}"
password: "{{ gitlab_smtp_password }}"
server_address: imap.example.com
email_address: "incoming+%{key}@gitlab.example.com"
# Gitlab docker registry settings
gitlab_registry:
enabled: false
# Defines the port that is appended to the registry domain used by gitlab.
# This can be omitted, when no port is needed (eg. registry on its own domain)
external_port: 5050
# Defines the entrypoint that traefik should use for the registry.
# Can be useful to use another port while still using the certificate of the main domain.
# This can be omitted to use "websecure" by default
traefik_entrypoint: "websecure"
# Gitlab telegraf configuration, allows to configure a monitoring setup for Gitlab
gitlab_telegraf:
enabled: false
# Your influxDB hosts
influxdb_endpoints:
- "influxdb.example.com"
influxdb_username: telegraf
influxdb_password: ""
influxdb_retention_policy: "gitlab"
influxdb_retention_policy_tag: ""
# Token provided by Gitlab on the admin page
# See https://docs.gitlab.com/ee/administration/monitoring/prometheus/gitlab_metrics.html
metrics_token: ""
# Gitlab dependency proxy feature (see https://docs.gitlab.com/ee/administration/packages/dependency_proxy.html)
gitlab_dependency_proxy:
enabled: false
# Enable the packages feature (see https://docs.gitlab.com/ee/administration/packages/index.html)
gitlab_packages:
enabled: false
# IPv6 ULA config for the bridge network used by docker-ipv6-nat
gitlab_ipv6:
enabled: false
subnet: "fd9e:21a7:a92c:2326::/64"
# Gitlab bundled Mattermost instance settings
gitlab_mattermost:
enabled: false
domain: chat.gitlab.com


@ -1,44 +0,0 @@
galaxy_info:
author: saibotk
description: "Installs and configures GitLab via Docker."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker
- role: traefik


@ -1,101 +0,0 @@
---
# Tasks file for the gitlab role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
state: present
with_items:
- "{{ gitlab_data_location }}"
- "{{ gitlab_config_location }}"
- "{{ gitlab_log_location }}"
- "{{ gitlab_telegraf_location }}"
tags:
- gitlab
when:
- gitlab_selinux_enabled
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ gitlab_install_location }}"
tags:
- gitlab
become: true
- name: Create data directory
ansible.builtin.file: # noqa risky-file-permissions # Container manages permissions on its own
path: "{{ item }}"
state: directory
owner: "root"
group: "root"
setype: "container_file_t"
with_items:
- "{{ gitlab_data_location }}"
- "{{ gitlab_config_location }}"
- "{{ gitlab_log_location }}"
- "{{ gitlab_telegraf_location }}"
tags:
- gitlab
become: true
- name: Deploy telegraf.conf
ansible.builtin.template:
src: telegraf.conf
dest: "{{ gitlab_telegraf_location }}/telegraf.conf"
mode: "0600"
owner: "root"
group: "root"
tags:
- telegraf
- gitlab
become: true
when:
- gitlab_telegraf.enabled
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ gitlab_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
- gitlab
become: true
- name: Compose GitLab
community.docker.docker_compose_v2:
state: present
project_src: "{{ gitlab_install_location }}"
pull: always
remove_orphans: true
tags:
- gitlab
become: true


@ -1,321 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2.1'
services:
web:
image: docker.io/gitlab/gitlab-ce:{{ gitlab_version }}
hostname: '{{ gitlab_domain }}'
mem_limit: {{ gitlab_memory_limit }}
memswap_limit: {{ gitlab_memoryswap_limit }}
environment:
GITLAB_OMNIBUS_CONFIG: |
external_url 'https://{{ gitlab_domain }}'
gitlab_rails['gitlab_shell_ssh_port'] = {{ gitlab_ssh_port }}
letsencrypt['enable'] = false
nginx['listen_https'] = false
nginx['listen_port'] = 80
nginx['real_ip_trusted_addresses'] = [ '172.16.0.0/12' ]
nginx['gzip_enabled'] = false
prometheus_monitoring['enable'] = false
# CSP config
gitlab_rails['content_security_policy'] = {
enabled: {{ gitlab_csp.enabled | default(true) | bool | lower }},
report_only: false,
directives: {
default_src: "'self' {{ gitlab_csp.default_src | default("") }}",
script_src: "'self' {{ gitlab_csp.script_src | default("") }} 'unsafe-eval'",
frame_ancestor: "'self'",
frame_src: "'self' {{ gitlab_csp.frame_src | default("") }}",
img_src: "'self' https://{{ gitlab_libravatar_ssl }} {{ gitlab_csp.img_src | default("") }} data: blob:",
style_src: "'self' 'unsafe-inline'",
worker_src: "'self' blob:",
object_src: "'none'"
}
}
# Mail settings
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "{{ gitlab_smtp_address }}"
gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }}
gitlab_rails['smtp_user_name'] = "{{ gitlab_smtp_user_name }}"
gitlab_rails['smtp_password'] = "{{ gitlab_smtp_password }}"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_domain'] = "{{ gitlab_smtp_address }}"
gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls | bool | lower }}
gitlab_rails['smtp_enable_starttls_auto'] = {{ gitlab_smtp_starttls_auto | bool | lower }}
gitlab_rails['smtp_openssl_verify_mode'] = '{{ gitlab_smtp_openssl_verify_mode }}'
gitlab_rails['gitlab_email_from'] = '{{ gitlab_email_from }}'
gitlab_rails['gitlab_email_reply_to'] = '{{ gitlab_email_reply_to }}'
# Use Libravatar
gitlab_rails['gravatar_enabled'] = true
gitlab_rails['gravatar_plain_url'] = "http://{{ gitlab_libravatar_plain }}/avatar/%{hash}?s=%{size}&d=identicon"
gitlab_rails['gravatar_ssl_url'] = "https://{{ gitlab_libravatar_ssl }}/avatar/%{hash}?s=%{size}&d=identicon"
{% if gitlab_imap.enabled %}
gitlab_rails['incoming_email_enabled'] = true
# The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
# The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
#gitlab_rails['incoming_email_address'] = "incoming+%{key}@gitlab.example.com"
gitlab_rails['incoming_email_address'] = "{{ gitlab_imap.email_address }}"
# Email account username
# With third party providers, this is usually the full email address.
# With self-hosted email servers, this is usually the user part of the email address.
gitlab_rails['incoming_email_email'] = "{{ gitlab_imap.username }}"
# Email account password
gitlab_rails['incoming_email_password'] = "{{ gitlab_imap.password }}"
# IMAP server host
gitlab_rails['incoming_email_host'] = "{{ gitlab_imap.server_address }}"
# IMAP server port
gitlab_rails['incoming_email_port'] = 993
# Whether the IMAP server uses SSL
gitlab_rails['incoming_email_ssl'] = true
# Whether the IMAP server uses StartTLS
gitlab_rails['incoming_email_start_tls'] = false
# The mailbox where incoming mail will end up. Usually "inbox".
gitlab_rails['incoming_email_mailbox_name'] = "inbox"
# The IDLE command timeout.
gitlab_rails['incoming_email_idle_timeout'] = 60
{% endif %}
{% if gitlab_packages.enabled %}
# Gitlab packages
gitlab_rails['packages_enabled'] = true
{% endif %}
{% if gitlab_dependency_proxy.enabled %}
# Gitlab dependency proxy
gitlab_rails['dependency_proxy_enabled'] = true
{% endif %}
{% if gitlab_registry.enabled %}
# Gitlab registry
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "{{ gitlab_registry_domain }}"
registry_external_url "https://{{ gitlab_registry_domain }}{% if gitlab_registry.external_port is defined %}:{{ gitlab_registry.external_port }}{% endif %}"
registry_nginx['listen_port'] = 5040
registry_nginx['listen_https'] = false
{% endif %}
{% if gitlab_mattermost.enabled %}
# Mattermost
mattermost_external_url 'https://{{ gitlab_mattermost.domain }}'
mattermost_nginx['listen_port'] = 8050
mattermost_nginx['listen_https'] = false
mattermost['gitlab_auth_endpoint'] = "http://{{ gitlab_domain }}/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "http://{{ gitlab_domain }}/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "http://{{ gitlab_domain }}/api/v4/user"
{% endif %}
{% if gitlab_ldap.enabled %}
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = {
'main' => {
'label' => '{{ gitlab_ldap.label }}',
'host' => '{{ gitlab_ldap.host }}',
'port' => {{ gitlab_ldap.port }},
'uid' => '{{ gitlab_ldap.uid }}',
'encryption' => '{{ gitlab_ldap.encryption }}',
'verify_certificates' => {{ gitlab_ldap.verify_certificates | bool | lower }},
'bind_dn' => '{{ gitlab_ldap.bind_dn }}',
'password' => '{{ gitlab_ldap.password }}',
'timeout' => 10,
'active_directory' => {{ gitlab_ldap.active_directory | bool | lower }},
'allow_username_or_email_login' => false,
'block_auto_created_users' => false,
'base' => '{{ gitlab_ldap.base }}',
'attributes' => {
'username' => ['uid', 'userid', 'sAMAccountName'],
'email' => ['mail', 'email', 'userPrincipalName'],
'name' => 'cn',
'first_name' => 'givenName',
'last_name' => 'sn'
},
'lowercase_usernames' => false
}
}
{% endif %}
{% if gitlab_saml.enabled %}
# SAML settings
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_external_providers'] = []
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
label: '{{ gitlab_saml.label }}',
groups_attribute: '{{ gitlab_saml.groups_attribute }}',
external_groups: ['{{ gitlab_saml.external_groups }}'],
args: {
assertion_consumer_service_url: 'https://{{ gitlab_domain }}/users/auth/saml/callback',
idp_cert_fingerprint: '{{ gitlab_saml.idp_cert_fingerprint }}',
idp_sso_target_url: '{{ gitlab_saml.idp_sso_target_url }}',
idp_slo_target_url: '{{ gitlab_saml.idp_slo_target_url }}',
{% if gitlab_saml.certificate is defined and gitlab_saml.private_key is defined %}
certificate: '-----BEGIN CERTIFICATE-----
{{ gitlab_saml.certificate }}
-----END CERTIFICATE-----',
private_key: '-----BEGIN RSA PRIVATE KEY-----
{{ gitlab_saml.private_key }}
-----END RSA PRIVATE KEY-----',
security: {
authn_requests_signed: true,
want_assertions_signed: true,
embed_sign: true,
signature_method: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
digest_method: 'http://www.w3.org/2001/04/xmlenc#sha256',
},
{% endif %}
issuer: '{{ gitlab_saml.issuer }}',
attribute_statements: {
first_name: ['{{ gitlab_saml.attribute_statements.first_name }}'],
last_name: ['{{ gitlab_saml.attribute_statements.last_name }}'],
name: ['{{ gitlab_saml.attribute_statements.name }}'],
username: ['{{ gitlab_saml.attribute_statements.username }}'],
email: ['{{ gitlab_saml.attribute_statements.email }}'] },
name_identifier_format: '{{ gitlab_saml.name_identifier_format }}',
upstream_two_factor_authn_contexts:
%w(
urn:oasis:names:tc:SAML:2.0:ac:classes:CertificateProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorOTPSMS
urn:oasis:names:tc:SAML:2.0:ac:classes:SecondFactorIGTOKEN
)
}
}
]
{% if gitlab_saml.autologin %}
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
{% endif %}
{% endif %}
{% if gitlab_log_tmpfs %}
# Configure logging to only retain 10 log files, of 10MiB each
# This should prevent the tmpfs from overflowing
logging['svlogd_size'] = 10 * 1024 * 1024
logging['svlogd_num'] = 5
logging['logrotate_maxsize'] = 10 * 1024 * 1024
logging['logrotate_rotate'] = 5
{% endif %}
labels:
- "traefik.http.routers.gitlab.rule=Host(`{{ gitlab_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.gitlab.entrypoints=websecure"
- "traefik.http.routers.gitlab.tls=true"
- "traefik.http.routers.gitlab.tls.certresolver={{ gitlab_traefik_certresolver }}"
- "traefik.http.routers.gitlab.middlewares=gitlab,compress"
- "traefik.http.routers.gitlab.service=gitlab"
- "traefik.http.services.gitlab.loadbalancer.server.port=80"
{% if gitlab_registry.enabled %}
- "traefik.http.routers.gitlab-registry.rule=Host(`{{ gitlab_registry_domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.gitlab-registry.entrypoints={{ gitlab_registry.traefik_entrypoint | default('websecure') }}"
- "traefik.http.routers.gitlab-registry.tls=true"
- "traefik.http.routers.gitlab-registry.tls.certresolver={{ gitlab_traefik_certresolver }}"
- "traefik.http.routers.gitlab-registry.middlewares=gitlab,compress"
- "traefik.http.routers.gitlab-registry.service=gitlab-registry"
- "traefik.http.services.gitlab-registry.loadbalancer.server.port=5040"
{% endif %}
{% if gitlab_mattermost.enabled %}
- "traefik.http.routers.gitlab-mattermost.rule=Host(`{{ gitlab_mattermost.domain }}`) && PathPrefix(`/`)"
- "traefik.http.routers.gitlab-mattermost.entrypoints=websecure"
- "traefik.http.routers.gitlab-mattermost.tls=true"
- "traefik.http.routers.gitlab-mattermost.tls.certresolver={{ gitlab_traefik_certresolver }}"
- "traefik.http.routers.gitlab-mattermost.middlewares=gitlab,compress"
- "traefik.http.routers.gitlab-mattermost.service=gitlab-mattermost"
- "traefik.http.services.gitlab-mattermost.loadbalancer.server.port=8050"
{% endif %}
- "traefik.http.middlewares.gitlab.headers.sslredirect=true"
- "traefik.http.middlewares.gitlab.headers.stsSeconds=63072000"
- "traefik.enable=true"
{% if proxy_network is defined %}
- "traefik.docker.network={{ proxy_network }}"
{% endif %}
{% if proxy_hiddenservice is defined and proxy_hiddenservice.content is defined %}
- "traefik.http.middlewares.gitlab.headers.customresponseheaders.alt-svc=h2={{ proxy_hiddenservice['content'] | b64decode | trim }}:443; ma=2592000"
{% endif %}
volumes:
- "{{ gitlab_data_location }}:/var/opt/gitlab"
- "{{ gitlab_config_location }}:/etc/gitlab"
{% if not gitlab_log_tmpfs %}
- "{{ gitlab_log_location }}:/var/log/gitlab"
{% endif %}
{% if gitlab_log_tmpfs %}
tmpfs:
- "/var/log/gitlab:size=256M,noexec,nodev,nosuid,rw"
{% endif %}
restart: always
ports:
- "{{ gitlab_ssh_port }}:22"
{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
networks:
{% if proxy_network is defined %}
{{ proxy_network }}:
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
gitlab-ipv6:
{% endif %}
{% endif %}
{% if gitlab_telegraf.enabled %}
telegraf:
image: docker.io/library/telegraf:{{ gitlab_telegraf_version }}
restart: always
mem_limit: 256mb
memswap_limit: 384mb
read_only: false # TODO: Switch to self-made container
volumes:
- {{ gitlab_telegraf_location }}:/etc/telegraf/:ro
{% endif %}
{% if proxy_network is defined or gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
networks:
{% if proxy_network is defined %}
{{ proxy_network }}:
external: true
{% endif %}
{% if gitlab_ipv6 is defined and gitlab_ipv6.enabled %}
gitlab-ipv6:
driver: bridge
ipam:
driver: default
config:
- subnet: {{ gitlab_ipv6.subnet }}
enable_ipv6: true
{% endif %}
{% endif %}


@ -1,26 +0,0 @@
{{ ansible_managed | comment }}
[global_tags]
[agent]
interval = "10s"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 1000000
collection_jitter = "5s"
flush_interval = "10s"
flush_jitter = "5s"
precision = ""
hostname = "{{ ansible_fqdn }}"
omit_hostname = false
[[outputs.influxdb]]
urls = ["https://{{ gitlab_telegraf.influxdb_endpoints | join('","https://') }}"]
database = "telegraf"
timeout = "5s"
retention_policy = "{{ gitlab_telegraf.influxdb_retention_policy }}"
retention_policy_tag = "{{ gitlab_telegraf.influxdb_retention_policy_tag }}"
username = "{{ gitlab_telegraf.influxdb_username }}"
password = "{{ gitlab_telegraf.influxdb_password }}"
[[inputs.prometheus]]
urls = ["http://{{ gitlab_domain }}/-/metrics?token={{ gitlab_telegraf.metrics_token }}"]


@ -1,87 +0,0 @@
gitlab_runner
=========
This will set up a [gitlab-runner](https://docs.gitlab.com/runner/) instance via Docker, that is used to run CI jobs from a GitLab instance.
Multiple different runners can be created and configured for this runner instance.
**NOTE: Currently this will only allow to configure a docker, shell & docker+machine runner.**
**NOTE2: When deploying docker-machines with the privileged flag enabled, only use this in a trusted environment or set max builds to 1 to prevent malicious actions affecting other builds.**
Requirements
------------
You will need to have docker and docker-compose installed or declared as dependencies with their respective roles.
Role Variables
--------------
**Please look at the [defaults/main.yml](defaults/main.yml) for all available variables and their description.**
**Note: Lines that are commented out via `#` are usually still valid/used variables, but they are not defined by default, so they might enable a feature, when uncommenting/defining them!**
### Example autoscaling Hetzner-Runner configuration:
```yaml
# This image has the hetzner plugin pre-installed
gitlabrunner_image: "quay.io/shivering-isles/gitlab-hetzner-runner"
gitlabrunner_image_version: 13.6.0
# Extra paths that should be created (eg. to be mounted in the container)
gitlabrunner_extra_paths:
- "{{ gitlabrunner_install_location }}/hetzner_machine"
gitlabrunner_runners:
# The URL of the instance that this runner should be associated with
- gitlab_url: https://gitlab.example.com
# The token that you received when registering the runner (not the register token!!!)
# Register a runner first to obtain a token: https://docs.gitlab.com/runner/register/index.html#docker
# Can be done via the API and the registration token: eg. `curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token=<registration_token>"`
gitlab_token: "ENTER_YOUR_TOKEN_HERE"
# Adjust the name of the runner
name: "hetzner-docker-auto-scale"
# Set the docker executor
executor: "docker+machine"
# Should the docker runner start containers as privileged? (eg. needed for docker in docker / building with docker etc)
docker_privileged: true
# Should the docker socket be mounted into the containers? (SECURITY NOTE: This is critical, as it is effectively the same as root!)
docker_mount_socket: true
# The docker-machine driver that should be used (the server provider)
machine_driver: "hetzner"
# The template for naming new machines
machine_name: "machine-%s-gitlab-runner"
# The maximum amount of builds on a machine (VM) before a new one will be used
machine_max_builds: 20
# Time (in seconds) for machine to be in Idle state before it is removed.
machine_idle_time: 1800
# Number of machines, that need to be created and are waiting in Idle state.
machine_idle_count: 0
# The "MachineOptions" field with parameters that depend on the driver (these usually provide the api token, which machine type is used etc...)
machine_options:
hetzner-api-token: "REPLACE_WITH_YOUR_API_TOKEN" # The Hetzner specific API token
hetzner-image: "debian-10" # The image that should be used for new machines
hetzner-server-type: "cx11" # The server type (the hardware configuration) to use for a new machine
hetzner-server-location: "fsn1" # The server location to use for a new machine
engine-install-url: "https://releases.rancher.com/install-docker/19.03.9.sh" # Workaround until 20.10 gets an update https://github.com/JonasProgrammer/docker-machine-driver-hetzner/issues/54
# Extra volumes that should be added to the gitlab runner container.
gitlabrunner_extra_volumes:
- "./hetzner_machine:/root/.docker/machine"
```
Dependencies
------------
- docker
- docker-compose
License
-------
GPL-3.0-only


@ -1,109 +0,0 @@
---
# Default variables for the gitlab_runner role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Install location settings
gitlab_runner_install_location: "/srv/gitlab-runner"
gitlab_runner_config_location: "{{ gitlab_runner_install_location }}/config"
# The runner image & tag/version to be used
gitlab_runner_image: "docker.io/gitlab/gitlab-runner"
# renovate: depName=docker.io/gitlab/gitlab-runner
gitlab_runner_image_version: "v16.9.0"
gitlab_runner_image_variant: "alpine-{{ gitlab_runner_image_version }}"
# Extra paths that should be created (eg. to be mounted in the container)
gitlab_runner_extra_paths: []
# Enable or disable selinux handling
gitlab_runner_selinux_enabled: true
# Should the docker socket be mounted to the gitlab runner (usually needed for the docker executor)
gitlab_runner_mount_docker_socket: false
# Extra volumes that should be added to the gitlab runner container.
gitlab_runner_extra_volumes: []
# The maximum overall concurrent running jobs. This is the most upper limit of number of jobs using all defined runners, local and autoscale.
gitlab_runner_concurrent: 1
# The interval in seconds, to check for available jobs. (0 means default value is used.
# See https://docs.gitlab.com/runner/configuration/advanced-configuration.html#how-check_interval-works)
gitlab_runner_check_interval: 0
# This is used to define all the runners, that may be served by this gitlab-runner
# !! YOU WILL NEED TO ADJUST THIS! BELOW IS A FULL EXAMPLE!
gitlab_runner_runners:
# The URL of the instance that this runner should be associated with
- gitlab_url: https://gitlab.example.com
# The token that you received when registering the runner (not the register token!!!)
# Register a runner first to obtain a token: https://docs.gitlab.com/runner/register/index.html#docker
# Can be done via the API and the registration token:
# curl --request POST "https://gitlab.example.com/api/v4/runners" --form "token=<registration_token>"
gitlab_token:
# The name of the runner
name: "docker-runner"
# The limit of machines created by the runner and with that also the limit of jobs that can be handled concurrently by this specific runner.
limit: 1
# The executor that is used for this runner.
# Eg. "docker", "shell", "docker+machine"
executor: "docker"
# Should the docker runner start containers as privileged? (eg. needed for docker in docker / building with docker etc)
docker_privileged: false
# Should the docker socket be mounted into the containers? (SECURITY NOTE: This is critical, as it is effectively the same as root!)
docker_mount_socket: false
# The image that should be used for jobs by default
docker_image: "docker.io/library/docker:stable"
# The docker-machine driver that should be used (the server provider)
machine_driver: "hetzner"
# The template for naming new machines
machine_name: "machine-%s-gitlab-runner"
# The maximum amount of builds on a machine (VM) before a new one will be used
machine_max_builds: 20
# Time (in seconds) for machine to be in Idle state before it is removed.
machine_idle_time: 1800
# Number of machines, that need to be created and are waiting in Idle state.
machine_idle_count: 0
# The "MachineOptions" field with parameters that depend on the driver (these usually provide the api token, which machine type is used etc...)
# This for example are parameters for the Hetzner driver (but remember, that this will need the hetzner docker-machine plugin)
# The options can also be omitted if you do not need any.
machine_options:
# The Hetzner specific API token
hetzner-api-token: "TOKENHERE"
# The image that should be used for new machines
hetzner-image: "debian-10"
# The server type (the hardware configuration) to use for a new machine
hetzner-server-type: "cx11"
# The server location to use for a new machine
hetzner-server-location: "fsn1"
# S3 Runner cache configuration to improve performance between runs
# (see https://docs.gitlab.com/runner/configuration/autoscale.html#distributed-runners-caching)
# The options can also be omitted if you do not want to configure a cache
cache_s3:
server: s3.example.com
access_key: ""
secret_key: ""
bucket: "runner"


@ -1,43 +0,0 @@
galaxy_info:
author: saibotk
description: "Deploys a gitlab-runner using Docker."
license: GPL-3.0-only
min_ansible_version: "2.9"
standalone: true
platforms:
- name: EL
versions:
- all
- name: GenericUNIX
versions:
- all
- name: Fedora
versions:
- all
- name: opensuse
versions:
- all
- name: GenericBSD
versions:
- all
- name: FreeBSD
versions:
- all
- name: Ubuntu
versions:
- all
- name: SLES
versions:
- all
- name: GenericLinux
versions:
- all
- name: Debian
versions:
- all
galaxy_tags: []
dependencies:
- role: docker


@ -1,86 +0,0 @@
---
# Tasks file for the gitlab_runner role
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Alexander Wellbrock
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
- name: Update default SELinux contexts
community.general.sefcontext:
target: "{{ item }}(/.*)?"
setype: "container_file_t"
state: present
with_items:
- "{{ gitlab_runner_config_location }}"
- "{{ gitlab_runner_extra_paths }}"
when:
- gitlab_runner_selinux_enabled
become: true
- name: Create install directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
with_items:
- "{{ gitlab_runner_install_location }}"
become: true
- name: Create config directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0700"
owner: "root"
group: "root"
setype: "container_file_t"
with_items:
- "{{ gitlab_runner_config_location }}"
- "{{ gitlab_runner_extra_paths }}"
become: true
- name: Deploy docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml
dest: "{{ gitlab_runner_install_location }}/docker-compose.yml"
mode: "0600"
owner: "root"
group: "root"
validate: docker compose -f %s config -q
tags:
- docker
become: true
- name: Deploy config.toml for gitlab-runner
ansible.builtin.template:
src: config.toml
dest: "{{ gitlab_runner_config_location }}/config.toml"
mode: "0600"
owner: "root"
group: "root"
become: true
- name: Compose gitlab-runner
community.docker.docker_compose_v2:
state: present
project_src: "{{ gitlab_runner_install_location }}"
pull: always
remove_orphans: true
tags:
- gitlab-runner
become: true


@ -1,63 +0,0 @@
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
# Copyright (C) 2020 Saibotk
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
concurrent = {{ gitlab_runner_concurrent }}
check_interval = {{ gitlab_runner_check_interval }}
{% for gitlabrunner in gitlab_runner_runners %}
[[runners]]
name = "{{ gitlabrunner.name }}"
limit = {{ gitlabrunner.limit | default(1) }}
url = "{{ gitlabrunner.gitlab_url }}"
token = "{{ gitlabrunner.gitlab_token }}"
executor = "{{ gitlabrunner.executor }}"
{% if gitlabrunner.executor == "docker" or gitlabrunner.executor == "docker+machine" %}
[runners.docker]
image = "{{ gitlabrunner.docker_image | default("docker.io/library/docker:stable") }}"
privileged = {{ gitlabrunner.docker_privileged | bool | lower }}
volumes = [
"/cache",
{% if gitlabrunner.docker_mount_socket %}
"/var/run/docker.sock:/var/run/docker.sock"
{% endif %}
]
{% endif %}
{% if gitlabrunner.executor == "docker+machine" %}
[runners.machine]
IdleCount = {{ gitlabrunner.machine_idle_count }}
IdleTime = {{ gitlabrunner.machine_idle_time }}
MaxBuilds = {{ gitlabrunner.machine_max_builds }}
MachineDriver = "{{ gitlabrunner.machine_driver }}"
MachineName = "{{ gitlabrunner.machine_name }}"
MachineOptions = [
{% for key, value in gitlabrunner.machine_options.items() %}
"{{ key }}={{ value }}",
{% endfor %}
]
{% endif %}
[runners.cache]
{% if gitlabrunner.cache_s3 is defined %}
Type = "s3"
Shared = false
[runners.cache.s3]
ServerAddress = "{{ gitlabrunner.cache_s3.server }}"
AccessKey = "{{ gitlabrunner.cache_s3.access_key }}"
SecretKey = "{{ gitlabrunner.cache_s3.secret_key }}"
BucketName = "{{ gitlabrunner.cache_s3.bucket }}"
Insecure = false
{% endif %}
{% endfor %}


@ -1,33 +0,0 @@
{{ ansible_managed | comment }}
# Infrastructure
# Ansible instructions to deploy the infrastructure
# Copyright (C) 2019-2020 Christoph (Sheogorath) Kern
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
version: '2'
services:
runner:
image: {{ gitlab_runner_image }}:{{ gitlab_runner_image_variant }}
mem_limit: 128mb
memswap_limit: 256mb
volumes:
- "{{ gitlab_runner_config_location }}:/etc/gitlab-runner"
{% if gitlab_runner_mount_docker_socket %}
- "/var/run/docker.sock:/var/run/docker.sock"
{% endif %}
{% for item in gitlab_runner_extra_volumes %}
- "{{item}}"
{% endfor %}
restart: always


@ -21,5 +21,4 @@ galaxy_info:
galaxy_tags: [] galaxy_tags: []
dependencies: dependencies: []
- role: epel
