diff --git a/.gitignore b/.gitignore
index 546bb11..42df311 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,4 @@
-/inventory/*
-!/inventory/.gitkeep
-!/inventory/host_vars/.gitkeep
+/inventory
 # ignore roles pulled by ansible-galaxy
 /roles/galaxy/*
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..75938b9
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,29 @@
+[defaults]
+forks = 50
+timeout = 86400
+strategy = linear
+ansible_managed = Autogenerated file, do NOT edit manually.
+retry_files_enabled = False
+
+# Paths
+inventory = inventory/hosts
+roles_path = roles
+log_path = /tmp/mash.log
+
+# Remote default
+remote_user = root
+host_key_checking = False
+
+# Display
+display_skipped_hosts = False
+
+# Facts
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection=/tmp/mash
+
+
+[ssh_connection]
+pipelining = True
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=30m -o PreferredAuthentications=publickey
+control_path = /tmp/mash/ssh-%%h-%%p-%%r
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md
index 83185ac..cb4c7a4 100644
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -7,7 +7,7 @@ To configure the playbook, you need to have done the following things:
 You can then follow these steps inside the playbook directory:
-1. create a directory to hold your configuration (`mkdir inventory/host_vars/`)
+1. create a directory to hold your configuration (`mkdir -p inventory/host_vars/`)
 2. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars//vars.yml`)
diff --git a/docs/services/docker-registry-browser.md b/docs/services/docker-registry-browser.md
new file mode 100644
index 0000000..ce04961
--- /dev/null
+++ b/docs/services/docker-registry-browser.md
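Review bot: `host_key_checking = False` in the new ansible.cfg disables SSH host-key verification for every managed host, so a host reached through a redirected name or re-provisioned IP is accepted silently and receives whatever the playbook sends it as root, including the values from vars.yml. The Ansible default (verification on) should be kept and first-contact trust handled by recording keys in known_hosts; if the line must stay, a comment stating why and the accepted risk belongs directly above it, e.g. `# WARNING: host keys are not verified; a redirected host can impersonate a managed server`. The `/tmp` locations for `log_path`, `fact_caching_connection` and `control_path` are world-writable on a shared control machine — the log and the JSON fact cache can hold variable values, and the `/tmp/mash` directory can be pre-created by any local user — so a per-user path such as `~/.ansible/mash/` is the safer choice. `timeout = 86400` is the per-connection timeout in seconds, so a hung host would stall a run for 24 hours; this looks unintended.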
@@ -0,0 +1,74 @@ +# Docker Registry Browser + +[Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) is a Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails. + + +## Dependencies + +This service requires the following other services: + +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# docker-registry-browser # +# # +######################################################################## + +docker_registry_browser_enabled: true + +# Hosting under a subpath (such as `/browser`) allows the browser to co-exist +# on the same hostname as a Docker Registry instance (see `docker-registry.md`). +docker_registry_browser_hostname: registry.example.com +docker_registry_browser_path_prefix: /browser + +# If the browser will be able to delete images and live on the same private container network +# as the registry itself (like we do below), it's recommended to protect it with HTTP Basic Auth. +# +# If you're running a read-only browser, you may leave it publicly accessible. +docker_registry_browser_basic_auth_enabled: true +docker_registry_browser_basic_auth_username: admin +# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). +docker_registry_browser_basic_auth_password: '' + +# To integrate with a locally running (in a container) Docker Registry (see `docker-registry.md`), +# point to its local container address and configure the browser to run in the registry's network. 
+docker_registry_browser_docker_registry_url: "http://{{ docker_registry_identifier }}:5000" +docker_registry_browser_container_network: "{{ docker_registry_container_network }}" + +# Alternatively, to use a registry running elsewhere, delete both lines above +# (docker_registry_browser_docker_registry_url and docker_registry_browser_container_network), +# and use something this instead: +# docker_registry_browser_docker_registry_url: "https://registry.example.com" + +# Image deletion is disabled by default, so you need to explicitly enable it if you need it. +docker_registry_browser_enabled_delete_images: true + +######################################################################## +# # +# /docker-registry-browser # +# # +######################################################################## +``` + +In the example configuration above, we configure the service to be hosted at `https://registry.example.com/browser`. + +If you make the registry browser live on the same container network as the [Docker Registry](docker-registry.md) itself (like we've done by overriding `docker_registry_browser_container_network` above), the browser will be able to talk to the registry over the private container network and IP restrictions (such as those defined in `docker_registry_private_services_whitelisted_ip_ranges`) will not be able to stop it. + + +## Usage + +After installation, you should be able to go to the URL as configured via `docker_registry_browser_hostname` and `docker_registry_browser_path_prefix`. + +You should be able to browse the images and possibly delete them (if enabled via `docker_registry_browser_enabled_delete_images`). + + +## Recommended other services + +- [Docker Registry](docker-registry.md) - a container image distribution registry developed by [Docker Inc](https://www.docker.com/) diff --git a/docs/services/docker-registry-purger.md b/docs/services/docker-registry-purger.md new file mode 100644 index 0000000..f3960de --- /dev/null 
+++ b/docs/services/docker-registry-purger.md 
@@ -0,0 +1,53 @@ +# Docker Registry Purger + +[Docker Registry Purger](https://github.com/devture/docker-registry-purger) is a small tool used for purging a private Docker registry's old tags. + + +## Dependencies + +This service requires to be pointed to a container registry. It may be a registry powered by [Docker Registry](docker-registry.md) or by some other software. + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# docker-registry-purger # +# # +######################################################################## + +docker_registry_purger_enabled: true + +# To integrate with a locally running (in a container) Docker Registry (see `docker-registry.md`), +# point to its local container address and configure the purger to run in the registry's network. +docker_registry_purger_registry_url: "http://{{ docker_registry_identifier }}:5000" +docker_registry_purger_container_network: "{{ docker_registry_container_network }}" + +# Alternatively, to use a registry running elsewhere, delete both lines above +# (docker_registry_purger_registry_url and docker_registry_purger_container_network), +# and use something this instead: +# docker_registry_purger_registry_url: "https://registry.example.com" + +######################################################################## +# # +# /docker-registry-purger # +# # +######################################################################## +``` + +You may wish to tweak some [default configuration]() variables, which ultimately control [environment variables](https://github.com/devture/docker-registry-purger#environment-variables) of the purger tool. + + +## Usage + +After installation, you should be able to go to the URL as configured via `docker_registry_browser_hostname` and `docker_registry_browser_path_prefix`. 
+ +You should be able to browse the images and possibly delete them (if enabled via `docker_registry_browser_enabled_delete_images`). + + +## Recommended other services + +- [Docker Registry](docker-registry.md) - a container image distribution registry developed by [Docker Inc](https://www.docker.com/) diff --git a/docs/services/docker-registry.md b/docs/services/docker-registry.md new file mode 100644 index 0000000..7c205cf --- /dev/null +++ b/docs/services/docker-registry.md 
@@ -0,0 +1,86 @@ +# Docker Registry + +[Docker Registry](https://docs.docker.com/registry/) is a container image distribution registry developed by [Docker Inc](https://www.docker.com/). + +This playbook supports installing a container image registry which is: + +- completely public, when it comes to pulling images +- IP-restricted, when it comes to pushing images + +Authentication is not supported. + + +## Dependencies + +This service requires the following other services: + +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# docker-registry # +# # +######################################################################## + +docker_registry_enabled: true + +docker_registry_hostname: registry.example.com + +# Uncomment the line below if you'd like to allow for image deletion. +# docker_registry_storage_delete_enabled: true + +# Only whitelisted IPs will be able to perform DELETE, PATCH, POST, PUT requests against the registry. +# All other IP addresses get read-only (GET, HEAD) access. +docker_registry_private_services_whitelisted_ip_ranges: + - 1.2.3.4/32 + - 4.3.2.1/32 + +######################################################################## +# # +# /docker-registry # +# # +######################################################################## +``` + +In the example configuration above, we configure the service to be hosted at `https://registry.example.com`. 
+ + +## Usage + +After installation, you should be able to: + +- pull images from your registry from any IP address +- push images to your registry from the whitelisted IP addresses (`docker_registry_private_services_whitelisted_ip_ranges`) + +With custom Traefik configuration (hint: see [`docker_registry_container_labels_traefik_rule_*` variables](https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry/blob/main/defaults/main.yml) in the [docker-registry role](https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry)), you may be able to add additional restrictions. + +To **test pushing** images, try the following: + +```sh +docker pull docker.io/alpine:3.17.2 +docker tag docker.io/alpine:3.17.2 registry.example.com/alpine:3.17.2 +docker push registry.example.com/alpine:3.17.2 +``` + +To **test pulling** images, try the following: + +```sh +# Clean up from before +docker rmi registry.example.com/alpine:3.17.2 + +docker pull registry.example.com/alpine:3.17.2 +``` + +The base URL (e.g. `https://registry.example.com`) serves an empty (blank) page. To browse your registry's images via a web interface, you may need another piece of software, like [Docker Registry Browser](docker-registry-browser.md). + + +## Recommended other services + +- [Docker Registry Browser](docker-registry-browser.md) - Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails +- [Docker Registry Purger](docker-registry-purger.md) - a small tool used for purging a private Docker Registry's old tags diff --git a/docs/services/prometheus-node-exporter.md b/docs/services/prometheus-node-exporter.md new file mode 100644 index 0000000..72f212f --- /dev/null +++ b/docs/services/prometheus-node-exporter.md 
@@ -0,0 +1,31 @@ +# Prometheus Node Expoter + +This playbook can configure [Prometheus Node Exporter](https://github.com/prometheus/node_exporter). + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# prometheus-node-exporter # +# # +######################################################################## + +prometheus_node_exporter_enabled: true +prometheus_node_exporter_hostname: mash.example.com +prometheus_node_exporter_path_prefix: /metrics/node-exporter +prometheus_node_exporter_basicauth_user: your_username +prometheus_node_exporter_basicauth_password: your password + +######################################################################## +# # +# /prometheus-node-exporter # +# # +######################################################################## +``` + +## Usage + +After you installed the node exporter, your node stats will be available on `mash.example.com/metrics/node-exporter` with basic auth credentials you configured diff --git a/docs/services/redmine.md b/docs/services/redmine.md index 456763f..c51576d 100644 --- a/docs/services/redmine.md +++ b/docs/services/redmine.md @@ -17,7 +17,7 @@ To enable this service, add the following configuration to your `vars.yml` file ```yaml ######################################################################## # # -# redmine # +# redmine # # # ######################################################################## @@ -27,7 +27,7 @@ redmine_hostname: redmine.example.com ######################################################################## # # -# /redmine # +# /redmine # # # ######################################################################## ``` diff --git a/docs/services/system.md b/docs/services/system.md new file mode 100644 index 0000000..bdbad60 --- /dev/null +++ b/docs/services/system.md 
@@ -0,0 +1,96 @@ +# System-related configuration + +This Ansible playbook can install and configure various system-related things for you. +All the sections below relate to the host OS instead of the managed containers. + +### swap + +To enable [swap](https://en.wikipedia.org/wiki/Memory_paging) management (also read more in the [Swap](https://wiki.archlinux.org/title/Swap) article in the [Arch Linux Wiki](https://wiki.archlinux.org/)), add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# system # +# # +######################################################################## + +system_swap_enabled: true + +######################################################################## +# # +# /system # +# # +######################################################################## +``` + +A swap file will be created in `/var/swap` (configured using the `system_swap_path` variable) and enabled in your `/etc/fstab` file. + +By default, the swap file will have the following size: + +- on systems with `<= 2GB` of RAM, swap file size = `total RAM * 2` +- on systems with `> 2GB` of RAM, swap file size = `1GB` + +To avoid these calculations and set your own size explicitly, set the `system_swap_size` variable in megabytes, example (4gb): + +```yaml +system_swap_size: 4096 +``` + +### ssh + +> **Warning**: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers, +> you should use it with caution and verify everything before you apply the changes! 
+ +To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# system # +# # +######################################################################## + +system_security_ssh_enabled: true + +system_security_ssh_port: 22 + +system_security_ssh_authorizedkeys: [] # list of authorized public keys +system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys + +######################################################################## +# # +# /system # +# # +######################################################################## +``` + +The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out of the server. + +With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file). + +There are various configuration options - check the defaults and adjust them to your needs. 
+ +### fail2ban + +To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# system # +# # +######################################################################## + +system_security_fail2ban_enabled: true + +system_security_fail2ban_sshd_port: 22 +# If you enabled playbook-managed ssh as described above, +# you can replace the line above with the following: +# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}" + +######################################################################## +# # +# /system # +# # +######################################################################## +``` diff --git a/docs/supported-services.md b/docs/supported-services.md index 18fc048..e529c7c 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md 
@@ -1,23 +1,28 @@ # Supported services -| Name | Description | Documentation | -|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|--------------------------------------| -| [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) | -| [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) | -| [Gitea](https://gitea.io/) | A painless self-hosted Git service. | [Link](services/gitea.md) | -| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) | -| [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) | -| [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) | -| [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) | -| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) | -| [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) | -| [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) | -| [Redmine](https://redmine.org/) | A flexible project management web application. 
| [Link](services/redmine.md) | -| [Redis](https://redis.io/) | An in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. | [Link](services/redis.md) | -| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) | -| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) | -| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) | -| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) | +| Name | Description | Documentation | +| ------------------------------ | ------------------------------------- | ------------- | +| [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) | +| [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) | +| [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) | +| [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) | +| [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) | +| [Gitea](https://gitea.io/) | A painless self-hosted Git service. 
| [Link](services/gitea.md) | +| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) | +[Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) | +| [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) | +| [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) | +| [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) | Exporter for machine metrics | [Link](services/prometheus-node-exporter.md) | +| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) | +| [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) | +| [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) | +| [Redmine](https://redmine.org/) | A flexible project management web application. | [Link](services/redmine.md) | +| [Redis](https://redis.io/) | An in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. 
| [Link](services/redis.md) | +| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) | +| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) | +| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) | +| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) | +| System-related | A collection of various system-related components | [Link](services/system.md) | ## Related playbooks diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 01d93e1..be86400 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -1,5 +1,40 @@ --- +######################################################################## +# # +# system/security # +# # +######################################################################## + +system_security_ssh_enabled: false +system_security_fail2ban_enabled: false + +######################################################################## +# # +# /system/security # +# # +######################################################################## + + + + +######################################################################## +# # +# system/swap # +# # +######################################################################## + +system_swap_enabled: false + +######################################################################## +# # +# /system/swap # +# # +######################################################################## + + + + ######################################################################## # # # com.devture.ansible.role.systemd_service_manager # 
@@ -22,6 +57,14 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (devture_woodpecker_ci_agent_identifier + '.service'), 'priority': 4100, 'groups': ['mash', 'woodpecker', 'ci', 'woodpecker-ci-agent']}] if devture_woodpecker_ci_agent_enabled else []) + + ([{'name': (docker_registry_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'docker-registry']}] if docker_registry_enabled else []) + + + ([{'name': (docker_registry_identifier + '-garbage-collect.timer'), 'priority': 2500, 'groups': ['mash', 'docker-registry', 'docker-registry-gc']}] if docker_registry_enabled else []) + + + ([{'name': (docker_registry_browser_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'docker-registry-browser']}] if docker_registry_browser_enabled else []) + + + ([{'name': (docker_registry_purger_identifier + '.timer'), 'priority': 3000, 'groups': ['mash', 'docker-registry-purger']}] if docker_registry_purger_enabled else []) + + ([{'name': (gitea_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'gitea', 'gitea-server']}] if gitea_enabled else []) + ([{'name': (nextcloud_identifier + '-server.service'), 'priority': 2000, 'groups': ['mash', 'nextcloud', 'nextcloud-server']}] if nextcloud_enabled else []) @@ -32,6 +75,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else []) + + ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else []) + + ([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else []) + ([{'name': (redmine_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'redmine']}] if redmine_enabled else []) 
@@ -326,6 +371,95 @@ collabora_online_container_labels_traefik_tls_certResolver: "{{ devture_traefik_ +######################################################################## +# # +# docker-registry # +# # +######################################################################## + +docker_registry_enabled: false + +docker_registry_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry" + +docker_registry_base_path: "{{ mash_playbook_base_path }}/docker-registry" + +docker_registry_uid: "{{ mash_playbook_uid }}" +docker_registry_gid: "{{ mash_playbook_gid }}" + +docker_registry_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +docker_registry_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +docker_registry_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +docker_registry_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +docker_registry_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /docker-registry # +# # +######################################################################## + + + +######################################################################## +# # +# docker-registry-browser # +# # +######################################################################## + +docker_registry_browser_enabled: false + +docker_registry_browser_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-browser" + +docker_registry_browser_base_path: "{{ mash_playbook_base_path }}/docker-registry-browser" + +docker_registry_browser_uid: "{{ mash_playbook_uid }}" +docker_registry_browser_gid: "{{ mash_playbook_gid }}" + 
+docker_registry_browser_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +docker_registry_browser_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +docker_registry_browser_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +docker_registry_browser_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +docker_registry_browser_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /docker-registry-browser # +# # +######################################################################## + + + +######################################################################## +# # +# docker-registry-purger # +# # +######################################################################## + +docker_registry_purger_enabled: false + +docker_registry_purger_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-purger" + +docker_registry_purger_base_path: "{{ mash_playbook_base_path }}/docker-registry-purger" + +docker_registry_purger_uid: "{{ mash_playbook_uid }}" +docker_registry_purger_gid: "{{ mash_playbook_gid }}" + +######################################################################## +# # +# /docker-registry-purger # +# # +######################################################################## + + + ######################################################################## # # # gitea # 
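Review bot: The new docker-registry-browser and docker-registry-purger defaults in this hunk set no value for the browser's basic-auth switch, so whether a browser that can delete images is reachable unauthenticated depends entirely on the role default, which is not visible here. The browser and purger are both expected to join `docker_registry_container_network` (per docs/services/*.md in this commit), and from inside that network the registry's `docker_registry_private_services_whitelisted_ip_ranges` restriction does not apply, so each of them is a write-capable client that bypasses the registry's only access control. If the role default is not already `true`, consider pinning `docker_registry_browser_basic_auth_enabled: true` here so an operator must consciously turn it off, and add above `docker_registry_purger_enabled` the comment `# NOTE: a purger/browser attached to docker_registry_container_network is not subject to docker_registry_private_services_whitelisted_ip_ranges`. The same applies to the browser block earlier in the hunk.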
@@ -519,6 +653,53 @@ peertube_systemd_required_services_list: |
 ########################################################################
+########################################################################
+# #
+# prometheus_node_exporter #
+# #
+########################################################################
+
+prometheus_node_exporter_enabled: false
+
+prometheus_node_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-node-exporter"
+
+prometheus_node_exporter_base_path: "{{ mash_playbook_base_path }}/prometheus-node-exporter"
+
+prometheus_node_exporter_uid: "{{ mash_playbook_uid }}"
+prometheus_node_exporter_gid: "{{ mash_playbook_gid }}"
+
+prometheus_node_exporter_basicauth_enabled: true
+prometheus_node_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.user', rounds=655555) | to_uuid }}"
+prometheus_node_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.password', rounds=655555) | to_uuid }}"
+
+prometheus_node_exporter_container_additional_networks: |
+ {{
+ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+ }}
+
+prometheus_node_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+prometheus_node_exporter_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+prometheus_node_exporter_process_extra_arguments:
+ - "--collector.disable-defaults"
+ - "--collector.cpu"
+ - "--collector.filesystem"
+ - "--collector.meminfo"
+ - "--collector.systemd"
+ - "--collector.uname"
+prometheus_node_exporter_container_extra_arguments:
+ - "--security-opt apparmor=unconfined"
+ - "--mount type=bind,src=/var/run/dbus/system_bus_socket,dst=/var/run/dbus/system_bus_socket,ro,bind-propagation=rslave"
+
+########################################################################
+# #
+# /prometheus_node_exporter #
+# #
+########################################################################
+
+
 ########################################################################
 # #
@@ -592,6 +773,7 @@ redmine_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResol
 redmine_database_type: "{{ 'postgresql' if devture_postgres_enabled else 'sqlite3' }}"
 redmine_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
+redmine_database_username: "redmine"
 redmine_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'redmine.db', rounds=655555) | to_uuid }}"
 ########################################################################
diff --git a/inventory/.gitkeep b/inventory/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/inventory/host_vars/.gitkeep b/inventory/host_vars/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/requirements.yml b/requirements.yml
index 8547a83..e367200 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -3,6 +3,15 @@
 - src: geerlingguy.docker
 version: 6.1.0
+- src: git+https://gitlab.com/etke.cc/roles/swap
+ version: 33ce32b065276a96b7e2562752f3a63913ed5480
+
+- src: git+https://gitlab.com/etke.cc/roles/ssh
+ version: 237adf859f9270db8a60e720bc4a58164806644e
+
+- src: git+https://gitlab.com/etke.cc/roles/fail2ban
+ version: 09886730e8d3c061f22d1da4a542899063f97f0a
+
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
 version: 129c8590e106b83e6f4c259649a613c6279e937a
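Review bot: `prometheus_node_exporter_container_extra_arguments` drops the container's AppArmor confinement with `--security-opt apparmor=unconfined` and bind-mounts the host's system D-Bus socket into it, and neither line says why; presumably both exist so the `--collector.systemd` entry in `prometheus_node_exporter_process_extra_arguments` can query systemd over D-Bus, which means an operator who removes that collector should remove these two lines as well. Note that `ro` on a socket bind mount only protects the socket inode — it does not restrict what the process sends over the D-Bus connection — so the mount is not a read-only view of systemd in any security sense. Both are a real widening of the exporter's reach compared with the other services in this file, so the justification belongs next to the lines. Suggest a comment above the list: `# Both entries exist only for --collector.systemd, which talks to systemd over the host D-Bus socket; drop them together with that collector. 'ro' does not limit what can be sent over the socket.`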
@@ -37,10 +46,10 @@
 version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
- version: v0.15.7-1
+ version: v0.15.7-2
 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
- version: v0.15.7-0
+ version: v0.15.7-1
 - src: git+https://gitlab.com/etke.cc/roles/miniflux.git
 version: v2.0.43-0
@@ -54,16 +63,31 @@
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.9-0
-- src: git+https://gitlab.com/etke.cc/roles/redmine.git
- version: v5.0.5-0
+- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
+ version: v1.5.0-4
-- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
- name: vaultwarden
- version: v1.27.0-1
+- src: git+https://gitlab.com/etke.cc/roles/redmine.git
+ version: v5.0.5-1
+
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
+ name: collabora_online
+ version: v22.05.12.1.1-0
+
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git
+ name: docker_registry
+ version: v2.8.1-1
+
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-browser.git
+ name: docker_registry_browser
+ version: v1.6.0-0
+
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-purger.git
+ name: docker_registry_purger
+ version: v1.0.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
 name: gitea
- version: v1.18.5-2
+ version: v1.18.5-3
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
 name: nextcloud
@@ -77,6 +101,10 @@
 name: peertube
 version: v5.0.1-0
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
+ name: vaultwarden
+ version: v1.27.0-2
+
 - src: git+https://github.com/moan0s/hubsite.git
 name: hubsite
 version: ac7607b514c998779946a5ae8c98bea27e167f49
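Review bot: The roles added in the `-54,16 +63,31` hunk (prometheus_node_exporter, collabora_online, docker_registry, docker_registry_browser, docker_registry_purger, and the re-added redmine) are pinned by git tag (`v2.8.1-1`, `v1.6.0-0`, ...), whereas the swap, ssh and fail2ban roles added earlier in this same file are pinned by full commit SHA. A tag is a mutable reference that the upstream owner, or anyone who gains push access to that repository, can re-point, so a later `ansible-galaxy install` would silently fetch different code under the same `version:`; a commit SHA cannot be moved. These roles run as root on every managed host, so for each new entry I would pin `version:` to the commit the tag currently resolves to and keep the tag in a trailing comment, e.g. `  version: <40-hex commit>  # v2.8.1-1`, matching the SHA style the file already uses for the etke.cc and devture roles.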
diff --git a/setup.yml b/setup.yml
index 06aa016..32a5766 100644
--- a/setup.yml
+++ b/setup.yml
@@ -37,6 +37,14 @@
 - role: mash/playbook_base
+ - role: galaxy/swap
+
+ - when: system_security_ssh_enabled | bool
+ role: galaxy/ssh
+
+ - when: system_security_fail2ban_enabled | bool
+ role: galaxy/fail2ban
+
 # This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
 - role: galaxy/com.devture.ansible.role.postgres
@@ -48,6 +56,10 @@
 - role: galaxy/collabora_online
+ - role: galaxy/docker_registry
+ - role: galaxy/docker_registry_browser
+ - role: galaxy/docker_registry_purger
+
 - role: galaxy/gitea
 - role: galaxy/miniflux
@@ -58,6 +70,8 @@
 - role: galaxy/peertube
+ - role: galaxy/prometheus_node_exporter
+
 - role: galaxy/radicale
 - role: galaxy/redmine
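Review bot: The two `when:` guards in the `-37,6 +37,14` hunk reference `system_security_ssh_enabled` and `system_security_fail2ban_enabled`, but no hunk in this diff defines either variable; unless the playbook's defaults declare them somewhere not shown here, any host that has not set them fails the play with an undefined-variable error right after `galaxy/swap` runs, rather than simply skipping the role. Given that `galaxy/ssh` rewrites the SSH daemon configuration on a host the playbook itself reaches over SSH, whatever the default is should be stated explicitly where the variables are declared, with a comment such as `# Opt-in host hardening; review what the ssh role changes before enabling it on a host you only reach over SSH.`. A one-line comment above `- role: galaxy/swap` explaining why swap is unconditional while the two security roles are gated would also help the next reader.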