This commit is contained in:
Julian-Samuel Gebühr 2023-06-19 15:22:50 +02:00
commit 9b31ceec7a
8 changed files with 312 additions and 17 deletions

@ -11,7 +11,7 @@ You can then follow these steps inside the playbook directory:
2. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/<your-domain>/vars.yml`)
3. edit the configuration file (`inventory/host_vars/<your-domain>/vars.yml`) to your liking. You should [enable one or more services](supported-services.md) in your `vars.yml` file. You may also take a look at the various `roles/**/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
3. edit the configuration file (`inventory/host_vars/<your-domain>/vars.yml`) to your liking. You should [enable one or more services](supported-services.md) in your `vars.yml` file. You may also take a look at the various `roles/**/ROLE_NAME_HERE/defaults/main.yml` files (after importing external roles with `just roles` into `roles/galaxy`) and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
4. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`)

@ -25,7 +25,7 @@ To enable this service, add the following configuration to your `vars.yml` file
healthchecks_enabled: true
healthchecks_hostname: mash.example.com
# Note: hosting under a path prefix is somewhat problematic. See below.
healthchecks_path_prefix: /healthchecks
########################################################################
@ -41,10 +41,6 @@ In the example configuration above, we configure the service to be hosted at `ht
You can remove the `healthchecks_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
**Note**: there are minor quirks when hosting under a subpath, such as:
- [Fonts not loading, because it attempts to load them from `/static` instead of `/path-prefix/static`](https://github.com/healthchecks/healthchecks/issues/822)
### Authentication
The first superuser account is created after installation. See [Usage](#usage).

@ -0,0 +1,85 @@
# Infisical
[Infisical](https://infisical.com/) is an open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure.
## Dependencies
This service requires the following other services:
- a [MongoDB](mongodb.md) document-oriented database server
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# infisical #
# #
########################################################################
infisical_enabled: true
infisical_hostname: infisical.example.com
# Generate this with: `openssl rand -hex 16`
infisical_backend_environment_variable_encryption_key: ''
# WARNING: uncomment this after creating your first user account,
# unless you'd like to run a server with public registration enabled.
# infisical_backend_environment_variable_invite_only_signup: true
########################################################################
# #
# /infisical #
# #
########################################################################
```
### URL
In the example configuration above, we configure the service to be hosted at `https://infisical.example.com`.
Hosting Infisical under a subpath (by configuring the `infisical_path_prefix` variable) does not seem to be possible right now, due to Infisical limitations.
### Authentication
Public registration can be enabled/disabled using the `infisical_backend_environment_variable_invite_only_signup` variable.
We recommend installing with public registration enabled at first (which is the default value for this variable), creating your first user account, and then disabling public registration by explicitly setting `infisical_backend_environment_variable_invite_only_signup` to `true`. Enabling invite-only signup requires that you configure [Email configuration](#email-configuration)
### Email configuration
As described in the Infisical documentation about [Email](https://infisical.com/docs/self-hosting/configuration/email), some important functionality requires email-sending to be configured.
Here are some additional variables you can add to your `vars.yml` file:
```yaml
infisical_backend_environment_variable_smtp_host: smtp.example.com
infisical_backend_environment_variable_smtp_port: 587
infisical_backend_environment_variable_smtp_secure: false
infisical_backend_environment_variable_smtp_username: infisical@example.com
infisical_backend_environment_variable_smtp_password: ''
infisical_backend_environment_variable_smtp_address: infisical@example.com
infisical_backend_environment_variable_smtp_name: Infisical
```
For additional SMTP-related variables, consult the [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-infisical/blob/main/defaults/main.yml) in the [ansible-role-infisical](https://github.com/mother-of-all-self-hosting/ansible-role-infisical) Ansible role.
## Usage
After installation, you can go to the Infisical URL, as defined in `infisical_hostname`.
As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
If you'd like to prevent other users from registering, consider disabling public registration as described in the [Authentication](#authentication) section and re-running the playbook (`just install-service infisical`).
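Review bot: the `infisical_backend_environment_variable_encryption_key` comment only says how to generate the value; it should also say that the key must stay stable for the lifetime of the installation and be backed up, because the group_vars comment added in this same commit explains the key is deliberately not auto-generated for exactly that reason, and a reader of this page would otherwise not learn it. Minor: the last sentence of the Authentication section (`Enabling invite-only signup requires that you configure [Email configuration](#email-configuration)`) is missing its full stop.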

docs/services/mongodb.md Normal file
@ -0,0 +1,100 @@
# MongoDB
[MongoDB](https://www.mongodb.com/) is a source-available cross-platform document-oriented (NoSQL) database program.
Some of the services installed by this playbook require a MongoDB database.
Enabling the MongoDB database service will automatically wire all other services which require such a database to use it.
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# mongodb #
# #
########################################################################
mongodb_enabled: true
# Put a strong password below, generated with `pwgen -s 64 1` or in another way
mongodb_root_password: ''
########################################################################
# #
# /mongodb #
# #
########################################################################
```
## Importing
### Importing an existing MongoDB database from another installation (optional)
Follow this section if you'd like to import your database from a previous installation.
### Prerequisites
The playbook supports importing **gzipped** MongoDB database dumps (created with `mongodump --gzip -o /directory`).
Before doing the actual import, **you need to upload your MongoDB dump file to the server** (any path is okay).
### Importing a dump
To import, run this command (make sure to replace `SERVER_PATH_TO_MONGODB_DUMP_DIRECTORY` with a file path on your server):
```sh
just run-tags import-mongodb \
--extra-vars=mongodb_server_path_dump=SERVER_PATH_TO_MONGODB_DUMP_DIRECTORY
```
**Note** that `SERVER_PATH_TO_MONGODB_DUMP_DIRECTORY` must be a path to a **gzipped** MongoDB dump directory on the server (not on your local machine!)
## Maintenance
This section shows you how to perform various maintenance tasks related to the MongoDB database server used by various components of this playbook.
Table of contents:
- [Getting a database terminal](#getting-a-database-terminal), for when you wish to execute queries
- [Backing up MongoDB](#backing-up-mongodb), for when you wish to make a backup
### Getting a database terminal
You can use the `/mash/mongodb/bin/cli` tool to get interactive terminal access using the MongoDB Shell [mongosh](https://www.mongodb.com/docs/mongodb-shell/).
By default, this tool puts you in the `admin` database, which contains nothing.
To see the available databases, run `show dbs`.
To change to another database (for example `infisical`), run `use infisical`.
To see the available tables in the current database, run `show tables`.
You can then proceed to write queries. Example: `db.users.find()`
**Be careful**. Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption.
When in doubt, consider [making a backup](#backing-up-mongodb).
### Backing up MongoDB
To make a one-off back up of the current MongoDB database, make sure it's running and then execute a command like this on the server:
```bash
# Prepare the backup directory
mkdir /path-to-some-directory
chown mash:mash /path-to-some-directory
# Back up
/mash/mongodb/bin/dump-all /path-to-some-directory
```
Restoring a backup made this way can be done by [importing it](#importing).
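Review bot: the import instructions contradict themselves: the sentence before the command says to replace `SERVER_PATH_TO_MONGODB_DUMP_DIRECTORY` with "a file path on your server", while the Note right below correctly says it must be a gzipped dump directory. Suggest "with the path to the dump directory on your server" in the first sentence. Minor: in the terminal section `show tables` works in mongosh, but MongoDB's own term is collections, so `show collections` reads more consistently next to `db.users.find()`.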

@ -19,11 +19,13 @@
| [Grafana](https://grafana.com/) | An open and composable observability and data visualization platform, often used with [Prometheus](services/prometheus.md) | [Link](services/grafana.md) |
| [Healthchecks](https://healthchecks.io/) | A simple and Effective Cron Job Monitoring solution | [Link](services/healthchecks.md) |
| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
| [Infisical](https://infisical.com/) | An open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure. | [Link](services/infisical.md) |
| [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) |
| [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
| [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) |
| [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) |
| [Matrix Rooms Search API](https://gitlab.com/etke.cc/mrs/api) | A fully-featured, standalone, matrix rooms search service. | [Link](services/mrs.md) |
| [MongoDB](https://www.mongodb.com/) | A source-available cross-platform document-oriented (NoSQL) database program. | [Link](services/mongodb.md) |
| [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
| [Mobilizon](https://joinmobilizon.org/en/) | An ActivityPub/Fediverse server to create and share events. | [Link](services/mobilizon.md) |
| [Navidrome](https://www.navidrome.org/) | [Subsonic-API](http://www.subsonic.org/pages/api.jsp) compatible music server | [Link](services/navidrome.md)
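Review bot: the MongoDB row is inserted between Matrix Rooms Search API and Miniflux, which breaks the table's alphabetical ordering; it belongs after the Mobilizon row (Miniflux, Mobilizon, MongoDB, Navidrome).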

@ -119,6 +119,10 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (healthchecks_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'healthchecks']}] if healthchecks_enabled else [])
+
([{'name': (infisical_identifier + '-backend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-backend']}] if infisical_enabled else [])
+
([{'name': (infisical_identifier + '-frontend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-frontend']}] if infisical_enabled else [])
+
([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
@ -141,6 +145,8 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else [])
+
([{'name': (mongodb_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mongodb']}] if mongodb_enabled else [])
+
([{'name': (mrs_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mrs']}] if mrs_enabled else [])
+
([{'name': (navidrome_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'navidrome']}] if navidrome_enabled else [])
@ -1382,6 +1388,70 @@ hubsite_service_list_auto: |
########################################################################
# #
# infisical #
# #
########################################################################
infisical_enabled: false
infisical_identifier: "{{ mash_playbook_service_identifier_prefix }}infisical"
infisical_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}infisical"
infisical_uid: "{{ mash_playbook_uid }}"
infisical_gid: "{{ mash_playbook_gid }}"
infisical_backend_systemd_required_services_list: |
{{
(['docker.service'])
+
([mongodb_identifier ~ '.service'] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
}}
infisical_backend_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([mongodb_container_network] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier and infisical_backend_container_network != mongodb_container_network else [])
}}
infisical_backend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
infisical_backend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
infisical_backend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
infisical_backend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
# Intentionally not auto-generating infisical_backend_environment_variable_encryption_key here.
# We prefer it to be explicit as it seems important that it remains stable.
infisical_backend_environment_variable_jwt_signup_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.signup', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_backend_environment_variable_jwt_refresh_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.r', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_backend_environment_variable_jwt_auth_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.a', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_backend_environment_variable_jwt_service_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.svc', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_frontend_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
infisical_frontend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
infisical_frontend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
infisical_frontend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
infisical_frontend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
infisical_mongodb_hostname: "{{ mongodb_identifier if mongodb_enabled else '' }}"
infisical_mongodb_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'infisical.db', rounds=655555) | to_uuid }}"
infisical_mongodb_auth_source: "{{ infisical_mongodb_db_name }}"
########################################################################
# #
# /infisical #
# #
########################################################################
########################################################################
# #
# jitsi #
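Review bot: in the four `infisical_backend_environment_variable_jwt_*_secret` definitions the trailing `[0:32]` slice is a no-op: `to_uuid` yields a 36-character UUID and `replace('-', '')` already leaves exactly 32 hex characters, so the slice never trims anything. Either drop it or add a comment stating that the intent is a 32-character (128-bit) secret, so the expression reads as deliberate. The distinct salts (`inf.jwt.signup`, `inf.jwt.r`, `inf.jwt.a`, `inf.jwt.svc`) do keep the four secrets independent of one another even though all derive from `mash_playbook_generic_secret_key`, which is the property that matters here.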
@ -1620,6 +1690,38 @@ mobilizon_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certRes
########################################################################
# #
# mongodb #
# #
########################################################################
mongodb_enabled: false
mongodb_identifier: "{{ mash_playbook_service_identifier_prefix }}mongodb"
mongodb_uid: "{{ mash_playbook_uid }}"
mongodb_gid: "{{ mash_playbook_gid }}"
mongodb_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mongodb"
mongodb_managed_databases_auto: |
{{
([{
'name': infisical_mongodb_db_name,
'username': infisical_mongodb_username,
'password': infisical_mongodb_password,
}] if infisical_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
}}
########################################################################
# #
# /mongodb #
# #
########################################################################
########################################################################
# #

@ -4,16 +4,16 @@
version: v0.107.26-1
name: adguard_home
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git
version: v1.9.20.4-0
version: v1.9.22-0
name: appsmith
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
version: v2023.5.2-1
version: v2023.5.3-0
name: authentik
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
version: v1.0.0-1
name: aux
name: auxiliary
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.4-1.7.13-0
version: v1.2.4-1.7.14-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
version: v22.05.13.1.1-0
name: collabora_online
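Review bot: the `aux` role is renamed to `auxiliary` at an unchanged version (`v1.0.0-1`), so anything still referencing `galaxy/aux` must change in the same commit; setup.yml is updated here, but any docs or changelog entries that mention `galaxy/aux` should be checked as well, and users re-running `just roles` will keep a stale `roles/galaxy/aux` directory next to the new one unless told to remove it.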
@ -38,7 +38,7 @@
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.10.1-1
version: v2.10.1-2
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
version: v0.15.8-0
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
@ -73,13 +73,16 @@
version: v0.9.0-0
name: gotosocial
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
version: v9.5.2-0
version: v9.5.3-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git
version: v2.8.1-0
version: v2.9.2-0
name: healthchecks
- src: git+https://github.com/moan0s/hubsite.git
version: v1.23.3-2
name: hubsite
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-infisical.git
version: v0.3.8-4
name: infisical
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v8615-0
name: jitsi
@ -87,7 +90,7 @@
version: v21.1.1-0
name: keycloak
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
version: v0.34.3-0
version: v0.36.1-0
name: lago
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git
version: v10.11.2-0
@ -97,6 +100,9 @@
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mobilizon.git
version: v3.1.0-1
name: mobilizon
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mongodb.git
version: v6.0.6-0
name: mongodb
- src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git
version: v0.0.0-9
name: mrs
@ -107,7 +113,7 @@
version: v3.4.7-2.5.2-2
name: netbox
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
version: v26.0.1-0
version: v26.0.2-0
name: nextcloud
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-owncast.git
version: v0.1.0-0
@ -141,7 +147,7 @@
- src: git+https://gitlab.com/etke.cc/roles/swap.git
version: abfb18b6862108bbf24347500446203170324d7f
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-syncthing.git
version: v1.23.4-1
version: v1.23.5-0
name: syncthing
- src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
version: v1.21.3-0

@ -50,6 +50,8 @@
- role: galaxy/com.devture.ansible.role.postgres_backup
- role: galaxy/mongodb
- role: galaxy/com.devture.ansible.role.container_socket_proxy
- role: galaxy/com.devture.ansible.role.traefik
@ -88,6 +90,8 @@
- role: galaxy/healthchecks
- role: galaxy/infisical
- role: galaxy/hubsite
- role: galaxy/jitsi
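Review bot: `galaxy/infisical` is inserted before `galaxy/hubsite`, which breaks the alphabetical ordering of the surrounding roles (healthchecks, hubsite, jitsi); move it after `galaxy/hubsite`. Its placement relative to `galaxy/mongodb`, added earlier in the list in the previous hunk, is correct, since the infisical docs list MongoDB as a dependency and the database role should run first.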
@ -134,7 +138,7 @@
- role: galaxy/com.devture.ansible.role.woodpecker_ci_server
- role: galaxy/com.devture.ansible.role.woodpecker_ci_agent
- role: galaxy/aux
- role: galaxy/auxiliary
- when: devture_systemd_service_manager_enabled | bool
role: galaxy/com.devture.ansible.role.systemd_service_manager