Merge branch 'main' of https://github.com/mother-of-all-self-hosting/mash-playbook

2023-06-19 15:22:50 +02:00 · 2023-06-19 15:22:50 +02:00 · 9b31ceec7a
commit 9b31ceec7a
parent 26465694ce 7e0a5cf306
8 changed files with 312 additions and 17 deletions
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -11,7 +11,7 @@ You can then follow these steps inside the playbook directory:
 2. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/<your-domain>/vars.yml`)
-3. edit the configuration file (`inventory/host_vars/<your-domain>/vars.yml`) to your liking. You should [enable one or more services](supported-services.md) in your `vars.yml` file. You may also take a look at the various `roles/**/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
+3. edit the configuration file (`inventory/host_vars/<your-domain>/vars.yml`) to your liking. You should [enable one or more services](supported-services.md) in your `vars.yml` file. You may also take a look at the various `roles/**/ROLE_NAME_HERE/defaults/main.yml` files (after importing external roles with `just roles` into `roles/galaxy`) and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
 4. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`)
--- a/docs/services/healthchecks.md
+++ b/docs/services/healthchecks.md
@ -25,7 +25,7 @@ To enable this service, add the following configuration to your `vars.yml` file
 healthchecks_enabled: true
 healthchecks_hostname: mash.example.com
-# Note: hosting under a path prefix is somewhat problematic. See below.
+
 healthchecks_path_prefix: /healthchecks
 ########################################################################
@ -41,10 +41,6 @@ In the example configuration above, we configure the service to be hosted at `ht
 You can remove the `healthchecks_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
 **Note**: there are minor quirks when hosting under a subpath, such as:
 - [Fonts not loading, because it attempts to load them from `/static` instead of `/path-prefix/static`](https://github.com/healthchecks/healthchecks/issues/822)
 ### Authentication
 The first superuser account is created after installation. See [Usage](#usage).
--- a/docs/services/infisical.md
+++ b/docs/services/infisical.md
@ -0,0 +1,85 @@
 # Infisical
 [Infisical](https://infisical.com/) is an open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure.
 ## Dependencies
 This service requires the following other services:
 - a [MongoDB](mongodb.md) document-oriented database server
 - a [Traefik](traefik.md) reverse-proxy server
 ## Configuration
 To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
 ```yaml
 ########################################################################
 #                                                                      #
 # infisical                                                            #
 #                                                                      #
 ########################################################################
 infisical_enabled: true
 infisical_hostname: infisical.example.com
 # Generate this with: `openssl rand -hex 16`
 infisical_backend_environment_variable_encryption_key: ''
 # WARNING: uncomment this after creating your first user account,
 # unless you'd like to run a server with public registration enabled.
 # infisical_backend_environment_variable_invite_only_signup: true
 ########################################################################
 #                                                                      #
 # /infisical                                                           #
 #                                                                      #
 ########################################################################
 ```
 ### URL
 In the example configuration above, we configure the service to be hosted at `https://infisical.example.com`.
 Hosting Infisical under a subpath (by configuring the `infisical_path_prefix` variable) does not seem to be possible right now, due to Infisical limitations.
 ### Authentication
 Public registration can be enabled/disabled using the `infisical_backend_environment_variable_invite_only_signup` variable.
 We recommend installing with public registration enabled at first (which is the default value for this variable), creating your first user account, and then disabling public registration by explicitly setting `infisical_backend_environment_variable_invite_only_signup` to `true`. Enabling invite-only signup requires that you configure [Email configuration](#email-configuration)
 ### Email configuration
 As described in the Infisical documentation about [Email](https://infisical.com/docs/self-hosting/configuration/email), some important functionality requires email-sending to be configured.
 Here are some additional variables you can add to your `vars.yml` file:
 ```yaml
 infisical_backend_environment_variable_smtp_host: smtp.example.com
 infisical_backend_environment_variable_smtp_port: 587
 infisical_backend_environment_variable_smtp_secure: false
 infisical_backend_environment_variable_smtp_username: infisical@example.com
 infisical_backend_environment_variable_smtp_password: ''
 infisical_backend_environment_variable_smtp_address: infisical@example.com
 infisical_backend_environment_variable_smtp_name: Infisical
 ```
 For additional SMTP-related variables, consult the [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-infisical/blob/main/defaults/main.yml) in the [ansible-role-infisical](https://github.com/mother-of-all-self-hosting/ansible-role-infisical) Ansible role.
 ## Usage
 After installation, you can go to the Infisical URL, as defined in `infisical_hostname`.
 As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
 If you'd like to prevent other users from registering, consider disabling public registration as described in the [Authentication](#authentication) section and re-running the playbook (`just install-service infisical`).
--- a/docs/services/mongodb.md
+++ b/docs/services/mongodb.md
@ -0,0 +1,100 @@
 # MongoDB
 [MongoDB](https://www.mongodb.com/) is a source-available cross-platform document-oriented (NoSQL) database program.
 Some of the services installed by this playbook require a MongoDB database.
 Enabling the MongoDB database service will automatically wire all other services which require such a database to use it.
 ## Configuration
 To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
 ```yaml
 ########################################################################
 #                                                                      #
 # mongodb                                                              #
 #                                                                      #
 ########################################################################
 mongodb_enabled: true
 # Put a strong password below, generated with `pwgen -s 64 1` or in another way
 mongodb_root_password: ''
 ########################################################################
 #                                                                      #
 # /mongodb                                                             #
 #                                                                      #
 ########################################################################
 ```
 ## Importing
 ### Importing an existing MongoDB database from another installation (optional)
 Follow this section if you'd like to import your database from a previous installation.
 ### Prerequisites
 The playbook supports importing **gzipped** MongoDB database dumps (created with `mongodump --gzip -o /directory`).
 Before doing the actual import, **you need to upload your MongoDB dump file to the server** (any path is okay).
 ### Importing a dump
 To import, run this command (make sure to replace `SERVER_PATH_TO_MONGODB_DUMP_DIRECTORY` with a file path on your server):
 ```sh
 just run-tags import-mongodb \
 --extra-vars=mongodb_server_path_dump=SERVER_PATH_TO_MONGODB_DUMP_DIRECTORY
 ```
 **Note** that `SERVER_PATH_TO_MONGODB_DUMP_DIRECTORY` must be a path to a **gzipped** MongoDB dump directory on the server (not on your local machine!)
 ## Maintenance
 This section shows you how to perform various maintenance tasks related to the MongoDB database server used by various components of this playbook.
 Table of contents:
 - [Getting a database terminal](#getting-a-database-terminal), for when you wish to execute queries
 - [Backing up MongoDB](#backing-up-mongodb), for when you wish to make a backup
 ### Getting a database terminal
 You can use the `/mash/mongodb/bin/cli` tool to get interactive terminal access using the MongoDB Shell [mongosh](https://www.mongodb.com/docs/mongodb-shell/).
 By default, this tool puts you in the `admin` database, which contains nothing.
 To see the available databases, run `show dbs`.
 To change to another database (for example `infisical`), run `use infisical`.
 To see the available tables in the current database, run `show tables`.
 You can then proceed to write queries. Example: `db.users.find()`
 **Be careful**. Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption.
 When in doubt, consider [making a backup](#backing-up-mongodb).
 ### Backing up MongoDB
 To make a one-off back up of the current MongoDB database, make sure it's running and then execute a command like this on the server:
 ```bash
 # Prepare the backup directory
 mkdir /path-to-some-directory
 chown mash:mash /path-to-some-directory
 # Back up
 /mash/mongodb/bin/dump-all /path-to-some-directory
 ```
 Restoring a backup made this way can be done by [importing it](#importing).
--- a/docs/supported-services.md
+++ b/docs/supported-services.md
@ -19,11 +19,13 @@
 | [Grafana](https://grafana.com/) | An open and composable observability and data visualization platform, often used with [Prometheus](services/prometheus.md) | [Link](services/grafana.md) |
 | [Healthchecks](https://healthchecks.io/) | A simple and Effective Cron Job Monitoring solution | [Link](services/healthchecks.md) |
 | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
 | [Infisical](https://infisical.com/) | An open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure. | [Link](services/infisical.md) |
 | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) |
 | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
 | [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) |
 | [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) |
 | [Matrix Rooms Search API](https://gitlab.com/etke.cc/mrs/api) | A fully-featured, standalone, matrix rooms search service. | [Link](services/mrs.md) |
 | [MongoDB](https://www.mongodb.com/) | A source-available cross-platform document-oriented (NoSQL) database program. | [Link](services/mongodb.md) |
 | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
 | [Mobilizon](https://joinmobilizon.org/en/) | An ActivityPub/Fediverse server to create and share events. | [Link](services/mobilizon.md) |
 | [Navidrome](https://www.navidrome.org/) | [Subsonic-API](http://www.subsonic.org/pages/api.jsp) compatible music server | [Link](services/navidrome.md)
--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@ -119,6 +119,10 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': (healthchecks_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'healthchecks']}] if healthchecks_enabled else [])
    +
    ([{'name': (infisical_identifier + '-backend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-backend']}] if infisical_enabled else [])
    +
    ([{'name': (infisical_identifier + '-frontend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-frontend']}] if infisical_enabled else [])
    +
    ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
    +
    ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
@ -141,6 +145,8 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else [])
    +
    ([{'name': (mongodb_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mongodb']}] if mongodb_enabled else [])
    +
    ([{'name': (mrs_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mrs']}] if mrs_enabled else [])
    +
    ([{'name': (navidrome_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'navidrome']}] if navidrome_enabled else [])
@ -1382,6 +1388,70 @@ hubsite_service_list_auto: |
 ########################################################################
 #                                                                      #
 # infisical                                                            #
 #                                                                      #
 ########################################################################
 infisical_enabled: false
 infisical_identifier: "{{ mash_playbook_service_identifier_prefix }}infisical"
 infisical_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}infisical"
 infisical_uid: "{{ mash_playbook_uid }}"
 infisical_gid: "{{ mash_playbook_gid }}"
 infisical_backend_systemd_required_services_list: |
  {{
    (['docker.service'])
    +
    ([mongodb_identifier ~ '.service'] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
  }}
 infisical_backend_container_additional_networks: |
  {{
    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
    +
    ([mongodb_container_network] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier and infisical_backend_container_network != mongodb_container_network else [])
  }}
 infisical_backend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
 infisical_backend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
 infisical_backend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 infisical_backend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 # Intentionally not auto-generating infisical_backend_environment_variable_encryption_key here.
 # We prefer it to be explicit as it seems important that it remains stable.
 infisical_backend_environment_variable_jwt_signup_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.signup', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
 infisical_backend_environment_variable_jwt_refresh_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.r', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
 infisical_backend_environment_variable_jwt_auth_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.a', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
 infisical_backend_environment_variable_jwt_service_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.svc', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
 infisical_frontend_container_additional_networks: |
  {{
    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
  }}
 infisical_frontend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
 infisical_frontend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
 infisical_frontend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 infisical_frontend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 infisical_mongodb_hostname: "{{ mongodb_identifier if mongodb_enabled else '' }}"
 infisical_mongodb_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'infisical.db', rounds=655555) | to_uuid }}"
 infisical_mongodb_auth_source: "{{ infisical_mongodb_db_name }}"
 ########################################################################
 #                                                                      #
 # /infisical                                                           #
 #                                                                      #
 ########################################################################
 ########################################################################
 #                                                                      #
 # jitsi                                                                #
@ -1620,6 +1690,38 @@ mobilizon_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certRes
 ########################################################################
 #                                                                      #
 # mongodb                                                              #
 #                                                                      #
 ########################################################################
 mongodb_enabled: false
 mongodb_identifier: "{{ mash_playbook_service_identifier_prefix }}mongodb"
 mongodb_uid: "{{ mash_playbook_uid }}"
 mongodb_gid: "{{ mash_playbook_gid }}"
 mongodb_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mongodb"
 mongodb_managed_databases_auto: |
  {{
    ([{
      'name': infisical_mongodb_db_name,
      'username': infisical_mongodb_username,
      'password': infisical_mongodb_password,
    }] if infisical_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
  }}
 ########################################################################
 #                                                                      #
 # /mongodb                                                             #
 #                                                                      #
 ########################################################################
 ########################################################################
 #                                                                      #
--- a/requirements.yml
+++ b/requirements.yml
@ -4,16 +4,16 @@
  version: v0.107.26-1
  name: adguard_home
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git
-  version: v1.9.20.4-0
+  version: v1.9.22-0
  name: appsmith
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
-  version: v2023.5.2-1
+  version: v2023.5.3-0
  name: authentik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-1
-  name: aux
+  name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.4-1.7.13-0
+  version: v1.2.4-1.7.14-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
  version: v22.05.13.1.1-0
  name: collabora_online
@ -38,7 +38,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: v2.10.1-1
+  version: v2.10.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
  version: v0.15.8-0
 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
@ -73,13 +73,16 @@
  version: v0.9.0-0
  name: gotosocial
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v9.5.2-0
+  version: v9.5.3-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git
-  version: v2.8.1-0
+  version: v2.9.2-0
  name: healthchecks
 - src: git+https://github.com/moan0s/hubsite.git
  version: v1.23.3-2
  name: hubsite
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-infisical.git
  version: v0.3.8-4
  name: infisical
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
  version: v8615-0
  name: jitsi
@ -87,7 +90,7 @@
  version: v21.1.1-0
  name: keycloak
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
-  version: v0.34.3-0
+  version: v0.36.1-0
  name: lago
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git
  version: v10.11.2-0
@ -97,6 +100,9 @@
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mobilizon.git
  version: v3.1.0-1
  name: mobilizon
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mongodb.git
  version: v6.0.6-0
  name: mongodb
 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git
  version: v0.0.0-9
  name: mrs
@ -107,7 +113,7 @@
  version: v3.4.7-2.5.2-2
  name: netbox
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
-  version: v26.0.1-0
+  version: v26.0.2-0
  name: nextcloud
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-owncast.git
  version: v0.1.0-0
@ -141,7 +147,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/swap.git
  version: abfb18b6862108bbf24347500446203170324d7f
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-syncthing.git
-  version: v1.23.4-1
+  version: v1.23.5-0
  name: syncthing
 - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
  version: v1.21.3-0
--- a/setup.yml
+++ b/setup.yml
@ -50,6 +50,8 @@
    - role: galaxy/com.devture.ansible.role.postgres_backup
    - role: galaxy/mongodb
    - role: galaxy/com.devture.ansible.role.container_socket_proxy
    - role: galaxy/com.devture.ansible.role.traefik
@ -88,6 +90,8 @@
    - role: galaxy/healthchecks
    - role: galaxy/infisical
    - role: galaxy/hubsite
    - role: galaxy/jitsi
@ -134,7 +138,7 @@
    - role: galaxy/com.devture.ansible.role.woodpecker_ci_server
    - role: galaxy/com.devture.ansible.role.woodpecker_ci_agent
-    - role: galaxy/aux
+    - role: galaxy/auxiliary
    - when: devture_systemd_service_manager_enabled | bool
      role: galaxy/com.devture.ansible.role.systemd_service_manager