diff --git a/docs/services/lago.md b/docs/services/lago.md
new file mode 100644
index 0000000..7f51ed5
--- /dev/null
+++ b/docs/services/lago.md
@@ -0,0 +1,69 @@
+# Lago
+
+[Lago](https://www.getlago.com/) is an open-source metering and usage-based billing solution.
+
+
+## Dependencies
+
+This service requires the following other services:
+
+- a [Postgres](postgres.md) database
+- a [Redis](redis.md) data-store, installation details [below](#redis)
+- a [Traefik](traefik.md) reverse-proxy server
+
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+# #
+# lago #
+# #
+########################################################################
+
+lago_enabled: true
+
+lago_hostname: lago.example.com
+
+# Generate this using `openssl genrsa 2048 | base64 --wrap=0`
+lago_api_environment_variable_lago_rsa_private_key: ''
+
+# WARNING: remove this after you create your user account,
+# unless you'd like to run a server with public registration enabled.
+lago_front_environment_variable_lago_disable_signup: false
+
+# Redis configuration, as described below
+
+########################################################################
+# #
+# /lago #
+# #
+########################################################################
+```
+
+### URL
+
+In the example configuration above, we configure the service to be hosted at `https://lago.example.com`.
+
+Hosting Lago under a subpath (by configuring the `lago_path_prefix` variable) does not seem to be possible right now, due to Lago limitations.
+
+Our setup hosts the Lago frontend at the root path (`/`) and the Lago API at the `/api` prefix.
+This seems to work well, except for [PDF invoices failing due to a Lago bug](https://github.com/getlago/lago/issues/221).
+
+### Authentication
+
+Public registration can be enabled/disabled using the `lago_front_environment_variable_lago_disable_signup` variable.
+
+We recommend installing with public registration enabled at first, creating your first user account, and then disabling public registration (unless you need it).
+
+It should be noted that disabling public signup with this variable merely disables the Sign-Up page in the web interface, but [does not actually disable signups due to a Lago bug](https://github.com/getlago/lago/issues/220).
+
+## Usage
+
+After installation, you can go to the Lago URL, as defined in `lago_hostname`.
+
+As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
+
+If you'd like to prevent other users from registering, consider disabling public registration by removing the `lago_front_environment_variable_lago_disable_signup` references from your configuration and re-running the playbook (`just install-service lago`).
diff --git a/docs/supported-services.md b/docs/supported-services.md
index ee9b8d9..1176c34 100644
--- a/docs/supported-services.md
+++ b/docs/supported-services.md
@@ -19,6 +19,7 @@
 | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
 | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) |
 | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
+| [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) |
 | [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) |
 | [Matrix Rooms Search API](https://gitlab.com/etke.cc/mrs/api) | A fully-featured, standalone, matrix rooms search service. | [Link](services/mrs.md) |
 | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 75e7964..f54f5c4 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -119,6 +119,16 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (keycloak_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'keycloak']}] if keycloak_enabled else []) + + ([{'name': (lago_identifier + '-api.service'), 'priority': 2000, 'groups': ['mash', 'lago', 'lago-api']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-api-worker.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-worker']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-api-clock.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-clock']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-front.service'), 'priority': 2200, 'groups': ['mash', 'lago', 'lago-front']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-pdf.service'), 'priority': 1900, 'groups': ['mash', 'lago', 'lago-pdf']}] if lago_enabled else []) + + ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else []) + ([{'name': (mrs_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mrs']}] if mrs_enabled else []) @@ -240,6 +250,12 @@ devture_postgres_managed_databases_auto: | 'password': keycloak_database_password, }] if keycloak_enabled and keycloak_database_type == 'postgres' and keycloak_database_hostname == devture_postgres_identifier else []) + + ([{ + 'name': lago_database_name, + 'username': lago_database_username, + 'password': lago_database_password, + }] if lago_enabled and lago_database_hostname == devture_postgres_identifier else []) + + ([{ 'name': miniflux_database_name, 'username': miniflux_database_username, 
@@ -1229,6 +1245,57 @@ keycloak_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) +######################################################################## +# # +# lago # +# # +######################################################################## + +lago_enabled: false + +lago_architecture: "{{ mash_playbook_architecture }}" + +lago_identifier: "{{ mash_playbook_service_identifier_prefix }}lago" + +lago_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}lago" + +lago_uid: "{{ mash_playbook_uid }}" +lago_gid: "{{ mash_playbook_gid }}" + +lago_api_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and lago_database_hostname == devture_postgres_identifier and lago_api_container_network != devture_postgres_container_network else []) + }} + +lago_front_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +lago_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +lago_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +lago_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +lago_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +lago_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +lago_database_port: "{{ '5432' if devture_postgres_enabled else '' }}" +lago_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.db', rounds=655555) | to_uuid }}" + +lago_api_environment_variable_secret_key_base: "{{ '%s' | 
format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.sec.key', rounds=655555) | to_uuid }}" +lago_api_environment_variable_encryption_primary_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.enc.primary', rounds=655555) | to_uuid }}" +lago_api_environment_variable_encryption_deterministic_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deter.key', rounds=655555) | to_uuid }}" +lago_api_environment_variable_encryption_key_derivation_salt: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deriv.salt', rounds=655555) | to_uuid }}" + +######################################################################## +# # +# /lago # +# # +######################################################################## + + + ######################################################################## # # # miniflux # diff --git a/requirements.yml b/requirements.yml index 8fca0cc..d448b53 100644 --- a/requirements.yml +++ b/requirements.yml @@ -78,6 +78,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git version: v21.0.2-0 name: keycloak +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git + version: v0.28.1-0 + name: lago - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git version: v10.11.2-0 name: mariadb diff --git a/setup.yml b/setup.yml index 470445a..d03f165 100644 --- a/setup.yml +++ b/setup.yml @@ -88,6 +88,8 @@ - role: galaxy/keycloak + - role: lago + - role: galaxy/navidrome - role: galaxy/netbox
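Review bot: The four `lago_api_environment_variable_*` secrets and `lago_database_password` near the end of this hunk are all derived deterministically from `mash_playbook_generic_secret_key`, and nothing in the block says what that means for key rotation. Changing the generic key would silently change `encryption_primary_key`, `encryption_deterministic_key` and `encryption_key_derivation_salt`; if these feed the application's at-rest encryption, as the names suggest, previously encrypted records would presumably stop decrypting. I would add a comment above the derived values such as `# Derived from mash_playbook_generic_secret_key; rotating that key changes these values, so pin them explicitly in vars.yml before rotating.` Separately, the RSA private key is not derived here and the docs example leaves it as `''`, so it is worth confirming the role refuses to start with an empty value.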
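Review bot: `version: v0.28.1-0` in the requirements.yml hunk pins the new role to a git tag, which the upstream repository can move, so this file does not fix the exact code that gets installed for a billing service that is handed derived secrets. The neighbouring entries follow the same convention, so this may be a deliberate project choice. For git sources `version` also accepts a commit hash, so pinning to the commit the tag pointed at when it was reviewed, e.g. `version: <full-commit-sha-of-v0.28.1-0>`, would make the install reproducible and tamper-evident.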
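Review bot: The entry added in the setup.yml hunk is `- role: lago`, while both visible neighbours use the `galaxy/` prefix (`- role: galaxy/keycloak`, `- role: galaxy/navidrome`). If roles fetched through requirements.yml are installed under that directory, as the neighbours suggest, the bare name would either fail role lookup or resolve to a different, locally present role of the same name. Unless bare names are resolved elsewhere, this should read `- role: galaxy/lago`. The roles list continues outside the hunk, so the install path could not be checked from here.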