Merge remote-tracking branch 'origin/main' into hubsite

Julian-Samuel Gebühr 2023-03-19 21:16:34 +01:00
commit c71203812e
15 changed files with 628 additions and 32 deletions

.gitignore (vendored), 4 lines changed

@ -1,6 +1,4 @@
/inventory/*
!/inventory/.gitkeep
!/inventory/host_vars/.gitkeep
/inventory
# ignore roles pulled by ansible-galaxy
/roles/galaxy/*
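Review bot: replacing `/inventory/*` and the two `.gitkeep` negations with a bare `/inventory` means a fresh clone no longer ships an empty `inventory/` or `inventory/host_vars/` directory, so every documented step that writes into it has to create it first (the `mkdir -p` change in installing.md in this same commit covers the one documented step; check any scripts or other docs that assume the directory exists). Keeping the whole inventory untracked is the right default, since `host_vars/*/vars.yml` carries `mash_playbook_generic_secret_key` and everything derived from it; consider saying in the docs that the directory is intentionally ignored and that anyone who wants their inventory versioned should do so in a separate private repository.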

ansible.cfg (new file), 29 lines

@ -0,0 +1,29 @@
[defaults]
forks = 50
timeout = 86400
strategy = linear
ansible_managed = Autogenerated file, do NOT edit manually.
retry_files_enabled = False
# Paths
inventory = inventory/hosts
roles_path = roles
log_path = /tmp/mash.log
# Remote default
remote_user = root
host_key_checking = False
# Display
display_skipped_hosts = False
# Facts
gathering = smart
fact_caching = jsonfile
fact_caching_connection=/tmp/mash
[ssh_connection]
pipelining = True
ssh_args = -C -o ControlMaster=auto -o ControlPersist=30m -o PreferredAuthentications=publickey
control_path = /tmp/mash/ssh-%%h-%%p-%%r
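Review bot: `host_key_checking = False` disables SSH host-key verification for every host this playbook manages, which is a poor default for a playbook that connects as `remote_user = root`, pushes secrets, and (with `system_security_ssh_enabled`) rewrites `/etc/ssh/sshd_config`: an attacker who can redirect the connection gets the root session with no warning. Leave checking on and have users accept the key once or ship `known_hosts` entries; if the override must stay, document why. Also, `log_path`, `fact_caching_connection` and `control_path` all live under `/tmp`: the fact cache and the log can hold hostnames, addresses and anything a task prints, and on a shared machine another local user can pre-create `/tmp/mash` or `/tmp/mash.log` before the first run, which also puts the SSH multiplexing sockets in a directory that user controls; a path under the invoking user's home is safer. Finally, `timeout = 86400` is the connection-plugin timeout, so a hung host can stall a run for 24 hours; that value reads like it was meant for a task timeout.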


@ -7,7 +7,7 @@ To configure the playbook, you need to have done the following things:
You can then follow these steps inside the playbook directory:
1. create a directory to hold your configuration (`mkdir inventory/host_vars/<your-domain>`)
1. create a directory to hold your configuration (`mkdir -p inventory/host_vars/<your-domain>`)
2. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/<your-domain>/vars.yml`)
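Review bot: the `-p` is required now that `.gitignore` ignores `/inventory` wholesale and the `.gitkeep` files that used to create `inventory/host_vars/` are gone, so this fix is correct; it would help to add one sentence saying the directory is untracked on purpose so that users do not commit their `vars.yml` with its secrets.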


@ -0,0 +1,74 @@
# Docker Registry Browser
[Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) is a Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails.
## Dependencies
This service requires the following other services:
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# docker-registry-browser #
# #
########################################################################
docker_registry_browser_enabled: true
# Hosting under a subpath (such as `/browser`) allows the browser to co-exist
# on the same hostname as a Docker Registry instance (see `docker-registry.md`).
docker_registry_browser_hostname: registry.example.com
docker_registry_browser_path_prefix: /browser
# If the browser will be able to delete images and live on the same private container network
# as the registry itself (like we do below), it's recommended to protect it with HTTP Basic Auth.
#
# If you're running a read-only browser, you may leave it publicly accessible.
docker_registry_browser_basic_auth_enabled: true
docker_registry_browser_basic_auth_username: admin
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
docker_registry_browser_basic_auth_password: ''
# To integrate with a locally running (in a container) Docker Registry (see `docker-registry.md`),
# point to its local container address and configure the browser to run in the registry's network.
docker_registry_browser_docker_registry_url: "http://{{ docker_registry_identifier }}:5000"
docker_registry_browser_container_network: "{{ docker_registry_container_network }}"
# Alternatively, to use a registry running elsewhere, delete both lines above
# (docker_registry_browser_docker_registry_url and docker_registry_browser_container_network),
# and use something this instead:
# docker_registry_browser_docker_registry_url: "https://registry.example.com"
# Image deletion is disabled by default, so you need to explicitly enable it if you need it.
docker_registry_browser_enabled_delete_images: true
########################################################################
# #
# /docker-registry-browser #
# #
########################################################################
```
In the example configuration above, we configure the service to be hosted at `https://registry.example.com/browser`.
If you make the registry browser live on the same container network as the [Docker Registry](docker-registry.md) itself (like we've done by overriding `docker_registry_browser_container_network` above), the browser will be able to talk to the registry over the private container network and IP restrictions (such as those defined in `docker_registry_private_services_whitelisted_ip_ranges`) will not be able to stop it.
## Usage
After installation, you should be able to go to the URL as configured via `docker_registry_browser_hostname` and `docker_registry_browser_path_prefix`.
You should be able to browse the images and possibly delete them (if enabled via `docker_registry_browser_enabled_delete_images`).
## Recommended other services
- [Docker Registry](docker-registry.md) - a container image distribution registry developed by [Docker Inc](https://www.docker.com/)
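Review bot: the example turns Basic Auth on but leaves `docker_registry_browser_basic_auth_password: ''`, and a copy-paste of this block is how most users will configure the service; state that the value must be non-empty (and have the role assert that when `docker_registry_browser_basic_auth_enabled` is true). The paragraph after the block carries the important security point, that joining `docker_registry_container_network` bypasses `docker_registry_private_services_whitelisted_ip_ranges`, so with `docker_registry_browser_enabled_delete_images: true` this Basic Auth is the only thing between the internet and image deletion; move that warning above the block, next to the delete flag, where someone skimming the YAML will see it. Typo: "use something this instead" should read "use something like this instead".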


@ -0,0 +1,53 @@
# Docker Registry Purger
[Docker Registry Purger](https://github.com/devture/docker-registry-purger) is a small tool used for purging a private Docker registry's old tags.
## Dependencies
This service requires to be pointed to a container registry. It may be a registry powered by [Docker Registry](docker-registry.md) or by some other software.
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# docker-registry-purger #
# #
########################################################################
docker_registry_purger_enabled: true
# To integrate with a locally running (in a container) Docker Registry (see `docker-registry.md`),
# point to its local container address and configure the purger to run in the registry's network.
docker_registry_purger_registry_url: "http://{{ docker_registry_identifier }}:5000"
docker_registry_purger_container_network: "{{ docker_registry_container_network }}"
# Alternatively, to use a registry running elsewhere, delete both lines above
# (docker_registry_purger_registry_url and docker_registry_purger_container_network),
# and use something this instead:
# docker_registry_purger_registry_url: "https://registry.example.com"
########################################################################
# #
# /docker-registry-purger #
# #
########################################################################
```
You may wish to tweak some [default configuration]() variables, which ultimately control [environment variables](https://github.com/devture/docker-registry-purger#environment-variables) of the purger tool.
## Usage
After installation, you should be able to go to the URL as configured via `docker_registry_browser_hostname` and `docker_registry_browser_path_prefix`.
You should be able to browse the images and possibly delete them (if enabled via `docker_registry_browser_enabled_delete_images`).
## Recommended other services
- [Docker Registry](docker-registry.md) - a container image distribution registry developed by [Docker Inc](https://www.docker.com/)
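Review bot: the Usage section was copied from the browser page and is wrong for this service: it refers to `docker_registry_browser_hostname`, `docker_registry_browser_path_prefix` and `docker_registry_browser_enabled_delete_images`, none of which apply to the purger, which runs as a systemd timer (`docker_registry_purger_identifier + '.timer'` in the services list) and has no web UI. Describe the timer instead: how to see its schedule and last run, and how to trigger a purge by hand. The `[default configuration]()` link in the paragraph above Usage is empty. Since purging tags means deleting from the registry, also note that `docker_registry_storage_delete_enabled` must be turned on (it is commented out in the docker-registry.md example) and, for a remote registry, that its IP allowlist must admit this host. Same "use something this instead" typo as in the browser page.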


@ -0,0 +1,86 @@
# Docker Registry
[Docker Registry](https://docs.docker.com/registry/) is a container image distribution registry developed by [Docker Inc](https://www.docker.com/).
This playbook supports installing a container image registry which is:
- completely public, when it comes to pulling images
- IP-restricted, when it comes to pushing images
Authentication is not supported.
## Dependencies
This service requires the following other services:
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# docker-registry #
# #
########################################################################
docker_registry_enabled: true
docker_registry_hostname: registry.example.com
# Uncomment the line below if you'd like to allow for image deletion.
# docker_registry_storage_delete_enabled: true
# Only whitelisted IPs will be able to perform DELETE, PATCH, POST, PUT requests against the registry.
# All other IP addresses get read-only (GET, HEAD) access.
docker_registry_private_services_whitelisted_ip_ranges:
- 1.2.3.4/32
- 4.3.2.1/32
########################################################################
# #
# /docker-registry #
# #
########################################################################
```
In the example configuration above, we configure the service to be hosted at `https://registry.example.com`.
## Usage
After installation, you should be able to:
- pull images from your registry from any IP address
- push images to your registry from the whitelisted IP addresses (`docker_registry_private_services_whitelisted_ip_ranges`)
With custom Traefik configuration (hint: see [`docker_registry_container_labels_traefik_rule_*` variables](https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry/blob/main/defaults/main.yml) in the [docker-registry role](https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry)), you may be able to add additional restrictions.
To **test pushing** images, try the following:
```sh
docker pull docker.io/alpine:3.17.2
docker tag docker.io/alpine:3.17.2 registry.example.com/alpine:3.17.2
docker push registry.example.com/alpine:3.17.2
```
To **test pulling** images, try the following:
```sh
# Clean up from before
docker rmi registry.example.com/alpine:3.17.2
docker pull registry.example.com/alpine:3.17.2
```
The base URL (e.g. `https://registry.example.com`) serves an empty (blank) page. To browse your registry's images via a web interface, you may need another piece of software, like [Docker Registry Browser](docker-registry-browser.md).
## Recommended other services
- [Docker Registry Browser](docker-registry-browser.md) - Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails
- [Docker Registry Purger](docker-registry-purger.md) - a small tool used for purging a private Docker Registry's old tags
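Review bot: "Authentication is not supported" together with "completely public, when it comes to pulling images" means anything pushed to this registry is world-readable, and that should be stated plainly next to the feature list, because readers tend to assume an IP-restricted registry is private. The write restriction is enforced by Traefik through the `docker_registry_container_labels_traefik_rule_*` labels, so it is only as good as the client address Traefik sees; if another proxy or CDN sits in front, the doc should say that forwarded-for headers must be trusted only from that hop, otherwise the check is either always failing or spoofable. Neither this page nor the group_vars in this commit give a default for `docker_registry_private_services_whitelisted_ip_ranges`; confirm the role defaults to an empty list (deny all writes) rather than allow-all, and say so here. Minor: `1.2.3.4/32` and `4.3.2.1/32` are real routable addresses; use RFC 5737 documentation ranges (for example `203.0.113.10/32`) so nobody pastes them verbatim.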


@ -0,0 +1,31 @@
# Prometheus Node Expoter
This playbook can configure [Prometheus Node Exporter](https://github.com/prometheus/node_exporter).
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# prometheus-node-exporter #
# #
########################################################################
prometheus_node_exporter_enabled: true
prometheus_node_exporter_hostname: mash.example.com
prometheus_node_exporter_path_prefix: /metrics/node-exporter
prometheus_node_exporter_basicauth_user: your_username
prometheus_node_exporter_basicauth_password: your password
########################################################################
# #
# /prometheus-node-exporter #
# #
########################################################################
```
## Usage
After you installed the node exporter, your node stats will be available on `mash.example.com/metrics/node-exporter` with basic auth credentials you configured
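Review bot: the heading reads "Prometheus Node Expoter" (missing "x"). The example overrides `prometheus_node_exporter_basicauth_user` and `_password` with placeholder literals, but the defaults added in this commit already derive both from `mash_playbook_generic_secret_key`; say that the overrides are optional and, if used, should be generated (the browser page's `pwgen -s 64 1` hint works here too). The Usage line should give the scheme (`https://mash.example.com/metrics/node-exporter`), end with a full stop, and note that because this is published through Traefik the host's metrics are reachable from the internet behind Basic Auth alone; suggest restricting the path to the scraper's address where the user can.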


@ -17,7 +17,7 @@ To enable this service, add the following configuration to your `vars.yml` file
```yaml
########################################################################
# #
# redmine #
# redmine #
# #
########################################################################
@ -27,7 +27,7 @@ redmine_hostname: redmine.example.com
########################################################################
# #
# /redmine #
# /redmine #
# #
########################################################################
```

docs/services/system.md (new file), 96 lines

@ -0,0 +1,96 @@
# System-related configuration
This Ansible playbook can install and configure various system-related things for you.
All the sections below relate to the host OS instead of the managed containers.
### swap
To enable [swap](https://en.wikipedia.org/wiki/Memory_paging) management (also read more in the [Swap](https://wiki.archlinux.org/title/Swap) article in the [Arch Linux Wiki](https://wiki.archlinux.org/)), add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# system #
# #
########################################################################
system_swap_enabled: true
########################################################################
# #
# /system #
# #
########################################################################
```
A swap file will be created in `/var/swap` (configured using the `system_swap_path` variable) and enabled in your `/etc/fstab` file.
By default, the swap file will have the following size:
- on systems with `<= 2GB` of RAM, swap file size = `total RAM * 2`
- on systems with `> 2GB` of RAM, swap file size = `1GB`
To avoid these calculations and set your own size explicitly, set the `system_swap_size` variable in megabytes, example (4gb):
```yaml
system_swap_size: 4096
```
### ssh
> **Warning**: advanced functionality! While the default config with a few adjustments was battle tested on hundreds of servers,
> you should use it with caution and verify everything before you apply the changes!
To enable [ssh server](https://www.openssh.com/) config and authorized/unauthorized keys management, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# system #
# #
########################################################################
system_security_ssh_enabled: true
system_security_ssh_port: 22
system_security_ssh_authorizedkeys: [] # list of authorized public keys
system_security_ssh_unauthorizedkeys: [] # list of unauthorized/revoked public keys
########################################################################
# #
# /system #
# #
########################################################################
```
The [default configuration](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/defaults/main.yml) is good enough as-is, but we strongly suggest you to **verify everything before applying any changes!**, otherwise you may lock yourself out of the server.
With this configuration, the default `/etc/ssh/sshd_config` file on your server will be replaced by a new one, managed by the [ssh role](https://gitlab.com/etke.cc/roles/ssh) (see its [templates/etc/ssh/sshd_config.j2](https://gitlab.com/etke.cc/roles/ssh/-/blob/main/templates/etc/ssh/sshd_config.j2) file).
There are various configuration options - check the defaults and adjust them to your needs.
### fail2ban
To enable [fail2ban](https://fail2ban.org/wiki/index.php/Main_Page) installation, management and integration with SSHd, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# system #
# #
########################################################################
system_security_fail2ban_enabled: true
system_security_fail2ban_sshd_port: 22
# If you enabled playbook-managed ssh as described above,
# you can replace the line above with the following:
# system_security_fail2ban_sshd_port: "{{ system_security_ssh_port }}"
########################################################################
# #
# /system #
# #
########################################################################
```
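Review bot: the ssh section warns about lockout but gives no concrete safeguard; tell users to add their own public key to `system_security_ssh_authorizedkeys` before enabling, keep an existing root session open while the play runs, and test a fresh login on `system_security_ssh_port` before closing it, since the role replaces `/etc/ssh/sshd_config` outright. It should also spell out what `system_security_ssh_authorizedkeys: []` does (leave the existing `authorized_keys` alone, or remove every key), because that difference is exactly what locks people out. Changing `system_security_ssh_port` also means updating the inventory connection settings and any firewall, and in the fail2ban section `system_security_fail2ban_sshd_port` must match the port sshd actually listens on whether or not playbook-managed ssh is enabled. Heading levels jump from `#` straight to `###`; `##` would match the other service pages.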


@ -1,23 +1,28 @@
# Supported services
| Name | Description | Documentation |
|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|
| [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) |
| [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) |
| [Gitea](https://gitea.io/) | A painless self-hosted Git service. | [Link](services/gitea.md) |
| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
| [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
| [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) |
| [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) |
| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) |
| [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) |
| [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) |
| [Redmine](https://redmine.org/) | A flexible project management web application. | [Link](services/redmine.md) |
| [Redis](https://redis.io/) | An in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. | [Link](services/redis.md) |
| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) |
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
| Name | Description | Documentation |
| ------------------------------ | ------------------------------------- | ------------- |
| [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) |
| [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) |
| [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) |
| [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) |
| [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) |
| [Gitea](https://gitea.io/) | A painless self-hosted Git service. | [Link](services/gitea.md) |
| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
[Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
| [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) |
| [PeerTube](https://joinpeertube.org/) | A tool for sharing online videos | [Link](services/peertube.md) |
| [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) | Exporter for machine metrics | [Link](services/prometheus-node-exporter.md) |
| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) |
| [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) |
| [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) |
| [Redmine](https://redmine.org/) | A flexible project management web application. | [Link](services/redmine.md) |
| [Redis](https://redis.io/) | An in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. | [Link](services/redis.md) |
| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) |
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
| System-related | A collection of various system-related components | [Link](services/system.md) |
## Related playbooks
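Review bot: the Miniflux row is missing its leading `|`, so Markdown renderers will break the table at that row. The new header separator uses narrow columns while the rows keep the old padding; either pad consistently or drop the padding everywhere. Ordering: `Prometheus Node Exporter` is placed before `Postgres` although the rest of the list is alphabetical; `System-related` at the bottom is fine to keep last, but a short note that it is a group of host-level components rather than a service would explain the placement.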


@ -1,5 +1,40 @@
---
########################################################################
# #
# system/security #
# #
########################################################################
system_security_ssh_enabled: false
system_security_fail2ban_enabled: false
########################################################################
# #
# /system/security #
# #
########################################################################
########################################################################
# #
# system/swap #
# #
########################################################################
system_swap_enabled: false
########################################################################
# #
# /system/swap #
# #
########################################################################
########################################################################
# #
# com.devture.ansible.role.systemd_service_manager #
@ -22,6 +57,14 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (devture_woodpecker_ci_agent_identifier + '.service'), 'priority': 4100, 'groups': ['mash', 'woodpecker', 'ci', 'woodpecker-ci-agent']}] if devture_woodpecker_ci_agent_enabled else [])
+
([{'name': (docker_registry_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'docker-registry']}] if docker_registry_enabled else [])
+
([{'name': (docker_registry_identifier + '-garbage-collect.timer'), 'priority': 2500, 'groups': ['mash', 'docker-registry', 'docker-registry-gc']}] if docker_registry_enabled else [])
+
([{'name': (docker_registry_browser_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'docker-registry-browser']}] if docker_registry_browser_enabled else [])
+
([{'name': (docker_registry_purger_identifier + '.timer'), 'priority': 3000, 'groups': ['mash', 'docker-registry-purger']}] if docker_registry_purger_enabled else [])
+
([{'name': (gitea_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'gitea', 'gitea-server']}] if gitea_enabled else [])
+
([{'name': (nextcloud_identifier + '-server.service'), 'priority': 2000, 'groups': ['mash', 'nextcloud', 'nextcloud-server']}] if nextcloud_enabled else [])
@ -32,6 +75,8 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else [])
+
([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else [])
+
([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
+
([{'name': (redmine_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'redmine']}] if redmine_enabled else [])
@ -326,6 +371,95 @@ collabora_online_container_labels_traefik_tls_certResolver: "{{ devture_traefik_
########################################################################
# #
# docker-registry #
# #
########################################################################
docker_registry_enabled: false
docker_registry_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry"
docker_registry_base_path: "{{ mash_playbook_base_path }}/docker-registry"
docker_registry_uid: "{{ mash_playbook_uid }}"
docker_registry_gid: "{{ mash_playbook_gid }}"
docker_registry_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
docker_registry_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
docker_registry_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
docker_registry_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
docker_registry_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /docker-registry #
# #
########################################################################
########################################################################
# #
# docker-registry-browser #
# #
########################################################################
docker_registry_browser_enabled: false
docker_registry_browser_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-browser"
docker_registry_browser_base_path: "{{ mash_playbook_base_path }}/docker-registry-browser"
docker_registry_browser_uid: "{{ mash_playbook_uid }}"
docker_registry_browser_gid: "{{ mash_playbook_gid }}"
docker_registry_browser_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
docker_registry_browser_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
docker_registry_browser_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
docker_registry_browser_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
docker_registry_browser_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /docker-registry-browser #
# #
########################################################################
########################################################################
# #
# docker-registry-purger #
# #
########################################################################
docker_registry_purger_enabled: false
docker_registry_purger_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-purger"
docker_registry_purger_base_path: "{{ mash_playbook_base_path }}/docker-registry-purger"
docker_registry_purger_uid: "{{ mash_playbook_uid }}"
docker_registry_purger_gid: "{{ mash_playbook_gid }}"
########################################################################
# #
# /docker-registry-purger #
# #
########################################################################
########################################################################
# #
# gitea #
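Review bot: none of the three new blocks sets `docker_registry_private_services_whitelisted_ip_ranges`, which per docs/services/docker-registry.md is the single control that turns "anyone can push" into "only these addresses can push"; unless the role's own default is deny-all, set an explicit empty list here so an operator who flips `docker_registry_enabled: true` without reading that page does not get a world-writable registry. The browser and purger blocks leave `*_container_network` and `*_docker_registry_url` to the role, so joining the registry's private network stays opt-in, which is right given that it bypasses the IP allowlist.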
@ -519,6 +653,53 @@ peertube_systemd_required_services_list: |
########################################################################
########################################################################
# #
# prometheus_node_exporter #
# #
########################################################################
prometheus_node_exporter_enabled: false
prometheus_node_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-node-exporter"
prometheus_node_exporter_base_path: "{{ mash_playbook_base_path }}/prometheus-node-exporter"
prometheus_node_exporter_uid: "{{ mash_playbook_uid }}"
prometheus_node_exporter_gid: "{{ mash_playbook_gid }}"
prometheus_node_exporter_basicauth_enabled: true
prometheus_node_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.user', rounds=655555) | to_uuid }}"
prometheus_node_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.password', rounds=655555) | to_uuid }}"
prometheus_node_exporter_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
prometheus_node_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
prometheus_node_exporter_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
prometheus_node_exporter_process_extra_arguments:
- "--collector.disable-defaults"
- "--collector.cpu"
- "--collector.filesystem"
- "--collector.meminfo"
- "--collector.systemd"
- "--collector.uname"
prometheus_node_exporter_container_extra_arguments:
- "--security-opt apparmor=unconfined"
- "--mount type=bind,src=/var/run/dbus/system_bus_socket,dst=/var/run/dbus/system_bus_socket,ro,bind-propagation=rslave"
########################################################################
# #
# /prometheus_node_exporter #
# #
########################################################################
########################################################################
# #
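Review bot: `--collector.systemd` is what forces the two container flags below it: `--security-opt apparmor=unconfined` drops the container's AppArmor confinement and the bind mount hands the container the host's system D-Bus socket, which lets it call any D-Bus method the container's uid is allowed to, not just read unit status. That is a large grant for a metrics exporter; document the trade-off in the node-exporter page and make opting out a single switch that removes the collector and both flags together, since the other five collectors need neither. The Basic Auth user and password are both derived from `mash_playbook_generic_secret_key` with fixed salts, as is `redmine_database_password` further down, so a leak of that one key yields every derived credential, and the username is as predictable as the password; worth a sentence in the docs.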
@ -592,6 +773,7 @@ redmine_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResol
redmine_database_type: "{{ 'postgresql' if devture_postgres_enabled else 'sqlite3' }}"
redmine_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
redmine_database_username: "redmine"
redmine_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'redmine.db', rounds=655555) | to_uuid }}"
########################################################################


@ -3,6 +3,15 @@
- src: geerlingguy.docker
version: 6.1.0
- src: git+https://gitlab.com/etke.cc/roles/swap
version: 33ce32b065276a96b7e2562752f3a63913ed5480
- src: git+https://gitlab.com/etke.cc/roles/ssh
version: 237adf859f9270db8a60e720bc4a58164806644e
- src: git+https://gitlab.com/etke.cc/roles/fail2ban
version: 09886730e8d3c061f22d1da4a542899063f97f0a
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
version: 129c8590e106b83e6f4c259649a613c6279e937a
@ -37,10 +46,10 @@
version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
version: v0.15.7-1
version: v0.15.7-2
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
version: v0.15.7-0
version: v0.15.7-1
- src: git+https://gitlab.com/etke.cc/roles/miniflux.git
version: v2.0.43-0
@ -54,16 +63,31 @@
- src: git+https://gitlab.com/etke.cc/roles/redis.git
version: v7.0.9-0
- src: git+https://gitlab.com/etke.cc/roles/redmine.git
version: v5.0.5-0
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
version: v1.5.0-4
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
name: vaultwarden
version: v1.27.0-1
- src: git+https://gitlab.com/etke.cc/roles/redmine.git
version: v5.0.5-1
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
name: collabora_online
version: v22.05.12.1.1-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git
name: docker_registry
version: v2.8.1-1
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-browser.git
name: docker_registry_browser
version: v1.6.0-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-purger.git
name: docker_registry_purger
version: v1.0.0-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
name: gitea
version: v1.18.5-2
version: v1.18.5-3
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
name: nextcloud
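Review bot: the new mother-of-all-self-hosting roles (docker_registry, docker_registry_browser, docker_registry_purger, collabora_online, gitea, vaultwarden) and the etke.cc node exporter role are pinned to tags (`v2.8.1-1`, `v1.6.0-0`, ...), whereas the swap, ssh and fail2ban roles added in the first hunk are pinned to full commit SHAs. Tags are mutable and `ansible-galaxy` does not verify them, so an upstream tag move, or a compromised upstream account, silently changes what lands in `roles/galaxy/` and then runs as root on every host; pin to SHAs consistently, or at minimum record the SHA next to each tag. The redmine and vaultwarden entries are moved within the file while being bumped (`v5.0.5-0` to `v5.0.5-1`, `v1.27.0-1` to `v1.27.0-2`); a one-line reason for each bump would help reviewers tell a reorder from an upgrade.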
@ -77,6 +101,10 @@
name: peertube
version: v5.0.1-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
name: vaultwarden
version: v1.27.0-2
- src: git+https://github.com/moan0s/hubsite.git
name: hubsite
version: ac7607b514c998779946a5ae8c98bea27e167f49


@ -37,6 +37,14 @@
- role: mash/playbook_base
- role: galaxy/swap
- when: system_security_ssh_enabled | bool
role: galaxy/ssh
- when: system_security_fail2ban_enabled | bool
role: galaxy/fail2ban
# This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
- role: galaxy/com.devture.ansible.role.postgres
@ -48,6 +56,10 @@
- role: galaxy/collabora_online
- role: galaxy/docker_registry
- role: galaxy/docker_registry_browser
- role: galaxy/docker_registry_purger
- role: galaxy/gitea
- role: galaxy/miniflux
@ -58,6 +70,8 @@
- role: galaxy/peertube
- role: galaxy/prometheus_node_exporter
- role: galaxy/radicale
- role: galaxy/redmine
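Review bot: `galaxy/swap` is listed unconditionally while `galaxy/ssh` and `galaxy/fail2ban` are gated with `when:`; if the swap role honours `system_swap_enabled` internally this works, but a `when: system_swap_enabled | bool` guard would make the three system roles consistent and keep the role from running at all on hosts that did not ask for it. Ordering looks right: ssh before fail2ban, so the port fail2ban protects is already configured when it starts.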