Merge remote-tracking branch 'origin/main' into hubsite
This commit is contained in:
commit
c71203812e
15 changed files with 628 additions and 32 deletions
4
.gitignore
vendored
4
.gitignore
vendored
|
@ -1,6 +1,4 @@
|
||||||
/inventory/*
|
/inventory
|
||||||
!/inventory/.gitkeep
|
|
||||||
!/inventory/host_vars/.gitkeep
|
|
||||||
|
|
||||||
# ignore roles pulled by ansible-galaxy
|
# ignore roles pulled by ansible-galaxy
|
||||||
/roles/galaxy/*
|
/roles/galaxy/*
|
||||||
|
|
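--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,29 @@
+[defaults]
+forks = 50
+timeout = 86400
+strategy = linear
+ansible_managed = Autogenerated file, do NOT edit manually.
+retry_files_enabled = False
+
+# Paths
+inventory = inventory/hosts
+roles_path = roles
+log_path = /tmp/mash.log
+
+# Remote default
+remote_user = root
+host_key_checking = False
+
+# Display
+display_skipped_hosts = False
+
+# Facts
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection=/tmp/mash
+
+
+[ssh_connection]
+pipelining = True
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=30m -o PreferredAuthentications=publickey
+control_path = /tmp/mash/ssh-%%h-%%p-%%r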
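Review bot: `host_key_checking = False` under `[defaults]` switches off SSH host key verification for every play, so a spoofed or hijacked host is accepted silently and, since the connection runs as `remote_user = root`, whatever the playbook pushes over it (pipelined module payloads, templated secrets) goes to whoever answers; the line should be dropped (the option defaults to `True`) or, if first-contact convenience is the motivation, replaced by pre-seeding `known_hosts` for the inventory hosts. The paths under `/tmp` (`log_path`, `fact_caching_connection`, and the `control_path` pattern in `[ssh_connection]`) place the run log, the cached host facts and the SSH control sockets in a world-writable shared directory with predictable names, readable or pre-creatable by any other local user; a per-user location such as `log_path = ~/.ansible/mash.log` and `fact_caching_connection = ~/.ansible/mash-facts` avoids that. Minor style point: `fact_caching_connection=/tmp/mash` is the only key written without spaces around `=`, while the rest of the file uses `key = value`.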
@ -7,7 +7,7 @@ To configure the playbook, you need to have done the following things:
|
||||||
|
|
||||||
You can then follow these steps inside the playbook directory:
|
You can then follow these steps inside the playbook directory:
|
||||||
|
|
||||||
1. create a directory to hold your configuration (`mkdir inventory/host_vars/<your-domain>`)
|
1. create a directory to hold your configuration (`mkdir -p inventory/host_vars/<your-domain>`)
|
||||||
|
|
||||||
2. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/<your-domain>/vars.yml`)
|
2. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/<your-domain>/vars.yml`)
|
||||||
|
|
||||||
|
|
74
docs/services/docker-registry-browser.md
Normal file
74
docs/services/docker-registry-browser.md
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
# Docker Registry Browser
|
||||||
|
|
||||||
|
[Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) is a Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails.
|
||||||
|
|
||||||
|
|
||||||
|
## Dependencies
|
||||||
|
|
||||||
|
This service requires the following other services:
|
||||||
|
|
||||||
|
- a [Traefik](traefik.md) reverse-proxy server
|
||||||
|
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# docker-registry-browser #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
docker_registry_browser_enabled: true
|
||||||
|
|
||||||
|
# Hosting under a subpath (such as `/browser`) allows the browser to co-exist
|
||||||
|
# on the same hostname as a Docker Registry instance (see `docker-registry.md`).
|
||||||
|
docker_registry_browser_hostname: registry.example.com
|
||||||
|
docker_registry_browser_path_prefix: /browser
|
||||||
|
|
||||||
|
# If the browser will be able to delete images and live on the same private container network
|
||||||
|
# as the registry itself (like we do below), it's recommended to protect it with HTTP Basic Auth.
|
||||||
|
#
|
||||||
|
# If you're running a read-only browser, you may leave it publicly accessible.
|
||||||
|
docker_registry_browser_basic_auth_enabled: true
|
||||||
|
docker_registry_browser_basic_auth_username: admin
|
||||||
|
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
|
||||||
|
docker_registry_browser_basic_auth_password: ''
|
||||||
|
|
||||||
|
# To integrate with a locally running (in a container) Docker Registry (see `docker-registry.md`),
|
||||||
|
# point to its local container address and configure the browser to run in the registry's network.
|
||||||
|
docker_registry_browser_docker_registry_url: "http://{{ docker_registry_identifier }}:5000"
|
||||||
|
docker_registry_browser_container_network: "{{ docker_registry_container_network }}"
|
||||||
|
|
||||||
|
# Alternatively, to use a registry running elsewhere, delete both lines above
|
||||||
|
# (docker_registry_browser_docker_registry_url and docker_registry_browser_container_network),
|
||||||
|
# and use something this instead:
|
||||||
|
# docker_registry_browser_docker_registry_url: "https://registry.example.com"
|
||||||
|
|
||||||
|
# Image deletion is disabled by default, so you need to explicitly enable it if you need it.
|
||||||
|
docker_registry_browser_enabled_delete_images: true
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /docker-registry-browser #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
||||||
|
|
||||||
|
In the example configuration above, we configure the service to be hosted at `https://registry.example.com/browser`.
|
||||||
|
|
||||||
|
If you make the registry browser live on the same container network as the [Docker Registry](docker-registry.md) itself (like we've done by overriding `docker_registry_browser_container_network` above), the browser will be able to talk to the registry over the private container network and IP restrictions (such as those defined in `docker_registry_private_services_whitelisted_ip_ranges`) will not be able to stop it.
|
||||||
|
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
After installation, you should be able to go to the URL as configured via `docker_registry_browser_hostname` and `docker_registry_browser_path_prefix`.
|
||||||
|
|
||||||
|
You should be able to browse the images and possibly delete them (if enabled via `docker_registry_browser_enabled_delete_images`).
|
||||||
|
|
||||||
|
|
||||||
|
## Recommended other services
|
||||||
|
|
||||||
|
- [Docker Registry](docker-registry.md) - a container image distribution registry developed by [Docker Inc](https://www.docker.com/)
|
53
docs/services/docker-registry-purger.md
Normal file
53
docs/services/docker-registry-purger.md
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
# Docker Registry Purger
|
||||||
|
|
||||||
|
[Docker Registry Purger](https://github.com/devture/docker-registry-purger) is a small tool used for purging a private Docker registry's old tags.
|
||||||
|
|
||||||
|
|
||||||
|
## Dependencies
|
||||||
|
|
||||||
|
This service requires to be pointed to a container registry. It may be a registry powered by [Docker Registry](docker-registry.md) or by some other software.
|
||||||
|
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# docker-registry-purger #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
docker_registry_purger_enabled: true
|
||||||
|
|
||||||
|
# To integrate with a locally running (in a container) Docker Registry (see `docker-registry.md`),
|
||||||
|
# point to its local container address and configure the purger to run in the registry's network.
|
||||||
|
docker_registry_purger_registry_url: "http://{{ docker_registry_identifier }}:5000"
|
||||||
|
docker_registry_purger_container_network: "{{ docker_registry_container_network }}"
|
||||||
|
|
||||||
|
# Alternatively, to use a registry running elsewhere, delete both lines above
|
||||||
|
# (docker_registry_purger_registry_url and docker_registry_purger_container_network),
|
||||||
|
# and use something this instead:
|
||||||
|
# docker_registry_purger_registry_url: "https://registry.example.com"
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /docker-registry-purger #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
||||||
|
|
||||||
|
You may wish to tweak some [default configuration]() variables, which ultimately control [environment variables](https://github.com/devture/docker-registry-purger#environment-variables) of the purger tool.
|
||||||
|
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
After installation, you should be able to go to the URL as configured via `docker_registry_browser_hostname` and `docker_registry_browser_path_prefix`.
|
||||||
|
|
||||||
|
You should be able to browse the images and possibly delete them (if enabled via `docker_registry_browser_enabled_delete_images`).
|
||||||
|
|
||||||
|
|
||||||
|
## Recommended other services
|
||||||
|
|
||||||
|
- [Docker Registry](docker-registry.md) - a container image distribution registry developed by [Docker Inc](https://www.docker.com/)
|
86
docs/services/docker-registry.md
Normal file
86
docs/services/docker-registry.md
Normal file
|
@ -0,0 +1,86 @@
|
||||||
|
# Docker Registry
|
||||||
|
|
||||||
|
[Docker Registry](https://docs.docker.com/registry/) is a container image distribution registry developed by [Docker Inc](https://www.docker.com/).
|
||||||
|
|
||||||
|
This playbook supports installing a container image registry which is:
|
||||||
|
|
||||||
|
- completely public, when it comes to pulling images
|
||||||
|
- IP-restricted, when it comes to pushing images
|
||||||
|
|
||||||
|
Authentication is not supported.
|
||||||
|
|
||||||
|
|
||||||
|
## Dependencies
|
||||||
|
|
||||||
|
This service requires the following other services:
|
||||||
|
|
||||||
|
- a [Traefik](traefik.md) reverse-proxy server
|
||||||
|
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# docker-registry #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
docker_registry_enabled: true
|
||||||
|
|
||||||
|
docker_registry_hostname: registry.example.com
|
||||||
|
|
||||||
|
# Uncomment the line below if you'd like to allow for image deletion.
|
||||||
|
# docker_registry_storage_delete_enabled: true
|
||||||
|
|
||||||
|
# Only whitelisted IPs will be able to perform DELETE, PATCH, POST, PUT requests against the registry.
|
||||||
|
# All other IP addresses get read-only (GET, HEAD) access.
|
||||||
|
docker_registry_private_services_whitelisted_ip_ranges:
|
||||||
|
- 1.2.3.4/32
|
||||||
|
- 4.3.2.1/32
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /docker-registry #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
||||||
|
|
||||||
|
In the example configuration above, we configure the service to be hosted at `https://registry.example.com`.
|
||||||
|
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
After installation, you should be able to:
|
||||||
|
|
||||||
|
- pull images from your registry from any IP address
|
||||||
|
- push images to your registry from the whitelisted IP addresses (`docker_registry_private_services_whitelisted_ip_ranges`)
|
||||||
|
|
||||||
|
With custom Traefik configuration (hint: see [`docker_registry_container_labels_traefik_rule_*` variables](https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry/blob/main/defaults/main.yml) in the [docker-registry role](https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry)), you may be able to add additional restrictions.
|
||||||
|
|
||||||
|
To **test pushing** images, try the following:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
docker pull docker.io/alpine:3.17.2
|
||||||
|
docker tag docker.io/alpine:3.17.2 registry.example.com/alpine:3.17.2
|
||||||
|
docker push registry.example.com/alpine:3.17.2
|
||||||
|
```
|
||||||
|
|
||||||
|
To **test pulling** images, try the following:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
# Clean up from before
|
||||||
|
docker rmi registry.example.com/alpine:3.17.2
|
||||||
|
|
||||||
|
docker pull registry.example.com/alpine:3.17.2
|
||||||
|
```
|
||||||
|
|
||||||
|
The base URL (e.g. `https://registry.example.com`) serves an empty (blank) page. To browse your registry's images via a web interface, you may need another piece of software, like [Docker Registry Browser](docker-registry-browser.md).
|
||||||
|
|
||||||
|
|
||||||
|
## Recommended other services
|
||||||
|
|
||||||
|
- [Docker Registry Browser](docker-registry-browser.md) - Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails
|
||||||
|
- [Docker Registry Purger](docker-registry-purger.md) - a small tool used for purging a private Docker Registry's old tags
|
31
docs/services/prometheus-node-exporter.md
Normal file
31
docs/services/prometheus-node-exporter.md
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
# Prometheus Node Expoter
|
||||||
|
|
||||||
|
This playbook can configure [Prometheus Node Exporter](https://github.com/prometheus/node_exporter).
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# prometheus-node-exporter #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
prometheus_node_exporter_enabled: true
|
||||||
|
prometheus_node_exporter_hostname: mash.example.com
|
||||||
|
prometheus_node_exporter_path_prefix: /metrics/node-exporter
|
||||||
|
prometheus_node_exporter_basicauth_user: your_username
|
||||||
|
prometheus_node_exporter_basicauth_password: your password
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /prometheus-node-exporter #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
After you installed the node exporter, your node stats will be available on `mash.example.com/metrics/node-exporter` with basic auth credentials you configured
|
96
docs/services/system.md
Normal file
96
docs/services/system.md
Normal file
|
@ -0,0 +1,96 @@
|
||||||
|
# System-related configuration
|
||||||
|
|
||||||
|
This Ansible playbook can install and configure various system-related things for you.
|
||||||
|
All the sections below relate to the host OS instead of the managed containers.
|
||||||
|
|
||||||
|
### swap
|
||||||
|
|
||||||
|
To enable [swap](https://en.wikipedia.org/wiki/Memory_paging) management (also read more in the [Swap](https://wiki.archlinux.org/title/Swap) article in the [Arch Linux Wiki](https://wiki.archlinux.org/)), add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# system #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
system_swap_enabled: true
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /system #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
||||||
|
|
||||||
|
A swap file will be created in `/var/swap` (configured using the `system_swap_path` variable) and enabled in your `/etc/fstab` file.
|
||||||
|
|
||||||
|
By default, the swap file will have the following size:
|
||||||
|
|
||||||
|
- on systems with `<= 2GB` of RAM, swap file size = `total RAM * 2`
|
||||||
|
- on systems with `> 2GB` of RAM, swap file size = `1GB`
|
||||||
|
|
||||||
|
To avoid these calculations and set your own size explicitly, set the `system_swap_size` variable in megabytes, example (4gb):
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
system_swap_size: 4096
|
||||||
|
```
|
||||||
|
|
||||||
|
### ssh
|
||||||
|
|
||||||
|
> **Warning**: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers,
|
||||||
|
> you should use it with caution and verify everything before you apply the changes!
|
||||||
|
|
||||||
|
To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# system #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
system_security_ssh_enabled: true
|
||||||
|
|
||||||
|
system_security_ssh_port: 22
|
||||||
|
|
||||||
|
system_security_ssh_authorizedkeys: [] # list of authorized public keys
|
||||||
|
system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /system #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
||||||
|
|
||||||
|
The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out of the server.
|
||||||
|
|
||||||
|
With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file).
|
||||||
|
|
||||||
|
There are various configuration options - check the defaults and adjust them to your needs.
|
||||||
|
|
||||||
|
### fail2ban
|
||||||
|
|
||||||
|
To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# system #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
system_security_fail2ban_enabled: true
|
||||||
|
|
||||||
|
system_security_fail2ban_sshd_port: 22
|
||||||
|
# If you enabled playbook-managed ssh as described above,
|
||||||
|
# you can replace the line above with the following:
|
||||||
|
# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /system #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
|
@ -1,14 +1,18 @@
|
||||||
# Supported services
|
# Supported services
|
||||||
|
|
||||||
| Name | Description | Documentation |
|
| Name | Description | Documentation |
|
||||||
|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|
|
| ------------------------------ | ------------------------------------- | ------------- |
|
||||||
| [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) |
|
| [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) |
|
||||||
| [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) |
|
| [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) |
|
||||||
|
| [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) |
|
||||||
|
| [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) |
|
||||||
|
| [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) |
|
||||||
| [Gitea](https://gitea.io/) | A painless self-hosted Git service. | [Link](services/gitea.md) |
|
| [Gitea](https://gitea.io/) | A painless self-hosted Git service. | [Link](services/gitea.md) |
|
||||||
| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
|
| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
|
||||||
| [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
|
[Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
|
||||||
| [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) |
|
| [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) |
|
||||||
| [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) |
|
| [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) |
|
||||||
|
| [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) | Exporter for machine metrics | [Link](services/prometheus-node-exporter.md) |
|
||||||
| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) |
|
| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) |
|
||||||
| [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) |
|
| [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) |
|
||||||
| [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) |
|
| [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) |
|
||||||
|
@ -18,6 +22,7 @@
|
||||||
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
|
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
|
||||||
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
|
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
|
||||||
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
|
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
|
||||||
|
| System-related | A collection of various system-related components | [Link](services/system.md) |
|
||||||
|
|
||||||
|
|
||||||
## Related playbooks
|
## Related playbooks
|
||||||
|
|
|
@ -1,5 +1,40 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# system/security #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
system_security_ssh_enabled: false
|
||||||
|
system_security_fail2ban_enabled: false
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /system/security #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# system/swap #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
system_swap_enabled: false
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /system/swap #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
########################################################################
|
########################################################################
|
||||||
# #
|
# #
|
||||||
# com.devture.ansible.role.systemd_service_manager #
|
# com.devture.ansible.role.systemd_service_manager #
|
||||||
|
@ -22,6 +57,14 @@ devture_systemd_service_manager_services_list_auto: |
|
||||||
+
|
+
|
||||||
([{'name': (devture_woodpecker_ci_agent_identifier + '.service'), 'priority': 4100, 'groups': ['mash', 'woodpecker', 'ci', 'woodpecker-ci-agent']}] if devture_woodpecker_ci_agent_enabled else [])
|
([{'name': (devture_woodpecker_ci_agent_identifier + '.service'), 'priority': 4100, 'groups': ['mash', 'woodpecker', 'ci', 'woodpecker-ci-agent']}] if devture_woodpecker_ci_agent_enabled else [])
|
||||||
+
|
+
|
||||||
|
([{'name': (docker_registry_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'docker-registry']}] if docker_registry_enabled else [])
|
||||||
|
+
|
||||||
|
([{'name': (docker_registry_identifier + '-garbage-collect.timer'), 'priority': 2500, 'groups': ['mash', 'docker-registry', 'docker-registry-gc']}] if docker_registry_enabled else [])
|
||||||
|
+
|
||||||
|
([{'name': (docker_registry_browser_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'docker-registry-browser']}] if docker_registry_browser_enabled else [])
|
||||||
|
+
|
||||||
|
([{'name': (docker_registry_purger_identifier + '.timer'), 'priority': 3000, 'groups': ['mash', 'docker-registry-purger']}] if docker_registry_purger_enabled else [])
|
||||||
|
+
|
||||||
([{'name': (gitea_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'gitea', 'gitea-server']}] if gitea_enabled else [])
|
([{'name': (gitea_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'gitea', 'gitea-server']}] if gitea_enabled else [])
|
||||||
+
|
+
|
||||||
([{'name': (nextcloud_identifier + '-server.service'), 'priority': 2000, 'groups': ['mash', 'nextcloud', 'nextcloud-server']}] if nextcloud_enabled else [])
|
([{'name': (nextcloud_identifier + '-server.service'), 'priority': 2000, 'groups': ['mash', 'nextcloud', 'nextcloud-server']}] if nextcloud_enabled else [])
|
||||||
|
@ -32,6 +75,8 @@ devture_systemd_service_manager_services_list_auto: |
|
||||||
+
|
+
|
||||||
([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else [])
|
([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else [])
|
||||||
+
|
+
|
||||||
|
([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else [])
|
||||||
|
+
|
||||||
([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
|
([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
|
||||||
+
|
+
|
||||||
([{'name': (redmine_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'redmine']}] if redmine_enabled else [])
|
([{'name': (redmine_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'redmine']}] if redmine_enabled else [])
|
||||||
|
@ -326,6 +371,95 @@ collabora_online_container_labels_traefik_tls_certResolver: "{{ devture_traefik_
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# docker-registry #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
docker_registry_enabled: false
|
||||||
|
|
||||||
|
docker_registry_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry"
|
||||||
|
|
||||||
|
docker_registry_base_path: "{{ mash_playbook_base_path }}/docker-registry"
|
||||||
|
|
||||||
|
docker_registry_uid: "{{ mash_playbook_uid }}"
|
||||||
|
docker_registry_gid: "{{ mash_playbook_gid }}"
|
||||||
|
|
||||||
|
docker_registry_container_additional_networks: |
|
||||||
|
{{
|
||||||
|
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
docker_registry_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
|
||||||
|
docker_registry_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
|
||||||
|
docker_registry_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||||
|
docker_registry_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /docker-registry #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# docker-registry-browser #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
docker_registry_browser_enabled: false
|
||||||
|
|
||||||
|
docker_registry_browser_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-browser"
|
||||||
|
|
||||||
|
docker_registry_browser_base_path: "{{ mash_playbook_base_path }}/docker-registry-browser"
|
||||||
|
|
||||||
|
docker_registry_browser_uid: "{{ mash_playbook_uid }}"
|
||||||
|
docker_registry_browser_gid: "{{ mash_playbook_gid }}"
|
||||||
|
|
||||||
|
docker_registry_browser_container_additional_networks: |
|
||||||
|
{{
|
||||||
|
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
docker_registry_browser_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
|
||||||
|
docker_registry_browser_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
|
||||||
|
docker_registry_browser_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||||
|
docker_registry_browser_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /docker-registry-browser #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# docker-registry-purger #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
docker_registry_purger_enabled: false
|
||||||
|
|
||||||
|
docker_registry_purger_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-purger"
|
||||||
|
|
||||||
|
docker_registry_purger_base_path: "{{ mash_playbook_base_path }}/docker-registry-purger"
|
||||||
|
|
||||||
|
docker_registry_purger_uid: "{{ mash_playbook_uid }}"
|
||||||
|
docker_registry_purger_gid: "{{ mash_playbook_gid }}"
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /docker-registry-purger #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
########################################################################
|
########################################################################
|
||||||
# #
|
# #
|
||||||
# gitea #
|
# gitea #
|
||||||
|
@ -519,6 +653,53 @@ peertube_systemd_required_services_list: |
|
||||||
########################################################################
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# prometheus_node_exporter #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
prometheus_node_exporter_enabled: false
|
||||||
|
|
||||||
|
prometheus_node_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-node-exporter"
|
||||||
|
|
||||||
|
prometheus_node_exporter_base_path: "{{ mash_playbook_base_path }}/prometheus-node-exporter"
|
||||||
|
|
||||||
|
prometheus_node_exporter_uid: "{{ mash_playbook_uid }}"
|
||||||
|
prometheus_node_exporter_gid: "{{ mash_playbook_gid }}"
|
||||||
|
|
||||||
|
prometheus_node_exporter_basicauth_enabled: true
|
||||||
|
prometheus_node_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.user', rounds=655555) | to_uuid }}"
|
||||||
|
prometheus_node_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.password', rounds=655555) | to_uuid }}"
|
||||||
|
|
||||||
|
prometheus_node_exporter_container_additional_networks: |
|
||||||
|
{{
|
||||||
|
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
prometheus_node_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
|
||||||
|
prometheus_node_exporter_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
|
||||||
|
prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||||
|
prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
|
||||||
|
|
||||||
|
prometheus_node_exporter_process_extra_arguments:
|
||||||
|
- "--collector.disable-defaults"
|
||||||
|
- "--collector.cpu"
|
||||||
|
- "--collector.filesystem"
|
||||||
|
- "--collector.meminfo"
|
||||||
|
- "--collector.systemd"
|
||||||
|
- "--collector.uname"
|
||||||
|
prometheus_node_exporter_container_extra_arguments:
|
||||||
|
- "--security-opt apparmor=unconfined"
|
||||||
|
- "--mount type=bind,src=/var/run/dbus/system_bus_socket,dst=/var/run/dbus/system_bus_socket,ro,bind-propagation=rslave"
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /prometheus_node_exporter #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
########################################################################
|
########################################################################
|
||||||
# #
|
# #
|
||||||
|
@ -592,6 +773,7 @@ redmine_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResol
|
||||||
|
|
||||||
redmine_database_type: "{{ 'postgresql' if devture_postgres_enabled else 'sqlite3' }}"
|
redmine_database_type: "{{ 'postgresql' if devture_postgres_enabled else 'sqlite3' }}"
|
||||||
redmine_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
|
redmine_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
|
||||||
|
redmine_database_username: "redmine"
|
||||||
redmine_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'redmine.db', rounds=655555) | to_uuid }}"
|
redmine_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'redmine.db', rounds=655555) | to_uuid }}"
|
||||||
|
|
||||||
########################################################################
|
########################################################################
|
||||||
|
|
|
@ -3,6 +3,15 @@
|
||||||
- src: geerlingguy.docker
|
- src: geerlingguy.docker
|
||||||
version: 6.1.0
|
version: 6.1.0
|
||||||
|
|
||||||
|
- src: git+https://gitlab.com/etke.cc/roles/swap
|
||||||
|
version: 33ce32b065276a96b7e2562752f3a63913ed5480
|
||||||
|
|
||||||
|
- src: git+https://gitlab.com/etke.cc/roles/ssh
|
||||||
|
version: 237adf859f9270db8a60e720bc4a58164806644e
|
||||||
|
|
||||||
|
- src: git+https://gitlab.com/etke.cc/roles/fail2ban
|
||||||
|
version: 09886730e8d3c061f22d1da4a542899063f97f0a
|
||||||
|
|
||||||
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
|
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
|
||||||
version: 129c8590e106b83e6f4c259649a613c6279e937a
|
version: 129c8590e106b83e6f4c259649a613c6279e937a
|
||||||
|
|
||||||
|
@ -37,10 +46,10 @@
|
||||||
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
|
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
|
||||||
|
|
||||||
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
|
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
|
||||||
version: v0.15.7-1
|
version: v0.15.7-2
|
||||||
|
|
||||||
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
|
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
|
||||||
version: v0.15.7-0
|
version: v0.15.7-1
|
||||||
|
|
||||||
- src: git+https://gitlab.com/etke.cc/roles/miniflux.git
|
- src: git+https://gitlab.com/etke.cc/roles/miniflux.git
|
||||||
version: v2.0.43-0
|
version: v2.0.43-0
|
||||||
|
@ -54,16 +63,31 @@
|
||||||
- src: git+https://gitlab.com/etke.cc/roles/redis.git
|
- src: git+https://gitlab.com/etke.cc/roles/redis.git
|
||||||
version: v7.0.9-0
|
version: v7.0.9-0
|
||||||
|
|
||||||
- src: git+https://gitlab.com/etke.cc/roles/redmine.git
|
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
|
||||||
version: v5.0.5-0
|
version: v1.5.0-4
|
||||||
|
|
||||||
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
|
- src: git+https://gitlab.com/etke.cc/roles/redmine.git
|
||||||
name: vaultwarden
|
version: v5.0.5-1
|
||||||
version: v1.27.0-1
|
|
||||||
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
|
||||||
|
name: collabora_online
|
||||||
|
version: v22.05.12.1.1-0
|
||||||
|
|
||||||
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git
|
||||||
|
name: docker_registry
|
||||||
|
version: v2.8.1-1
|
||||||
|
|
||||||
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-browser.git
|
||||||
|
name: docker_registry_browser
|
||||||
|
version: v1.6.0-0
|
||||||
|
|
||||||
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-purger.git
|
||||||
|
name: docker_registry_purger
|
||||||
|
version: v1.0.0-0
|
||||||
|
|
||||||
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
|
||||||
name: gitea
|
name: gitea
|
||||||
version: v1.18.5-2
|
version: v1.18.5-3
|
||||||
|
|
||||||
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
|
||||||
name: nextcloud
|
name: nextcloud
|
||||||
|
@ -77,6 +101,10 @@
|
||||||
name: peertube
|
name: peertube
|
||||||
version: v5.0.1-0
|
version: v5.0.1-0
|
||||||
|
|
||||||
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
|
||||||
|
name: vaultwarden
|
||||||
|
version: v1.27.0-2
|
||||||
|
|
||||||
- src: git+https://github.com/moan0s/hubsite.git
|
- src: git+https://github.com/moan0s/hubsite.git
|
||||||
name: hubsite
|
name: hubsite
|
||||||
version: ac7607b514c998779946a5ae8c98bea27e167f49
|
version: ac7607b514c998779946a5ae8c98bea27e167f49
|
||||||
|
|
14
setup.yml
14
setup.yml
|
@ -37,6 +37,14 @@
|
||||||
|
|
||||||
- role: mash/playbook_base
|
- role: mash/playbook_base
|
||||||
|
|
||||||
|
- role: galaxy/swap
|
||||||
|
|
||||||
|
- when: system_security_ssh_enabled | bool
|
||||||
|
role: galaxy/ssh
|
||||||
|
|
||||||
|
- when: system_security_fail2ban_enabled | bool
|
||||||
|
role: galaxy/fail2ban
|
||||||
|
|
||||||
# This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
|
# This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
|
||||||
- role: galaxy/com.devture.ansible.role.postgres
|
- role: galaxy/com.devture.ansible.role.postgres
|
||||||
|
|
||||||
|
@ -48,6 +56,10 @@
|
||||||
|
|
||||||
- role: galaxy/collabora_online
|
- role: galaxy/collabora_online
|
||||||
|
|
||||||
|
- role: galaxy/docker_registry
|
||||||
|
- role: galaxy/docker_registry_browser
|
||||||
|
- role: galaxy/docker_registry_purger
|
||||||
|
|
||||||
- role: galaxy/gitea
|
- role: galaxy/gitea
|
||||||
|
|
||||||
- role: galaxy/miniflux
|
- role: galaxy/miniflux
|
||||||
|
@ -58,6 +70,8 @@
|
||||||
|
|
||||||
- role: galaxy/peertube
|
- role: galaxy/peertube
|
||||||
|
|
||||||
|
- role: galaxy/prometheus_node_exporter
|
||||||
|
|
||||||
- role: galaxy/radicale
|
- role: galaxy/radicale
|
||||||
|
|
||||||
- role: galaxy/redmine
|
- role: galaxy/redmine
|
||||||
|
|
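Review bot: The two new `when:` guards in the first hunk evaluate `system_security_ssh_enabled | bool` and `system_security_fail2ban_enabled | bool`, but no default for either variable appears in the defaults hunks visible in this commit, so a host that never sets them would abort the play with an undefined-variable error instead of skipping the role. If both are defined in the playbook_base defaults outside this diff that is fine; otherwise either add `system_security_ssh_enabled: false` and `system_security_fail2ban_enabled: false` there, or write the guards as `when: system_security_ssh_enabled | default(false) | bool`. The neighbouring `- role: galaxy/swap` entry carries no guard at all, so if the swap role is meant to be opt-in like the other two system-level roles, a matching `when:` would keep the three consistent. As a point of style, every existing entry in this list begins with `role:`, so `- role: galaxy/ssh` followed by `when:` on the next line would read more uniformly than the `- when:`-first form used here. The enclosing `roles:` list starts before the first hunk and continues past the last one.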