Merge branch 'main' into mobilizon

Julian-Samuel Gebühr 2023-06-01 09:06:25 +02:00
commit ee93a4cd62
26 changed files with 1655 additions and 114 deletions


@ -1,3 +1,12 @@
# 2023-04-23
## (Backward Compatibility Break) Authentik container variables renamed
For the authentik role there wehre initially two containers: `authentic_worker_container` and `authentic_server_container`. To simnplifiy the setup this was reduced to one container.
As the role is pretty young and to avoid confusion because of legacy and reverted design decisions all variables containing `authentik_server_container` will now start with authentik_container. This means you will have to renemae these variables in your `vars.yml` if you already use authentik. If you use a standard setup this only includes
* `authentic_server_container_additional_networks_custom` -> `authentik_container_additional_networks_custom`
# 2023-03-29
## (Backward Compatibility Break) Firezone database renamed
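Review bot: the old variable name in the bullet under the 2023-04-23 entry is spelled `authentic_server_container_additional_networks_custom`, while the paragraph above says the variables being renamed contain `authentik_server_container`; settle on the spelling the role actually used, otherwise anyone grepping their `vars.yml` for the old name will miss it. The same paragraph has typos ("wehre", "simnplifiy", "renemae"), and `authentik_container` should be in backticks like the other variable names.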


@ -6,7 +6,7 @@
By running services in containers, we can have a predictable and up-to-date setup, across multiple supported distros and CPU architectures.
This project is fairly new and only [supports a handful of services](docs/supported-services.md) so far, but will grow to support self-hosting a large number of [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) pieces of software.
This project allows self-hosting of a [large number of services](docs/supported-services.md) and will continue to grow by adding support for [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software).
[Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)).
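Review bot: the replacement sentence ends in "adding support for [FOSS](...)", which reads as if FOSS were one program; suggest "adding support for more [FOSS](...) software" so it parallels the sentence it replaces.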


@ -3,7 +3,7 @@
To install services using this Ansible playbook, you need:
- (Recommended) An **x86-64** (`amd64`) or **arm64** server running one of these operating systems:
- **RedHat**-based distros (7 or newer)
- **Red Hat Enterprise Linux** or derivative distros, e.g. Rocky Linux (Major version 7 or newer)
- **Debian** (10/Buster or newer)
- **Ubuntu** (18.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
- **Archlinux**
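Review bot: "Major version 7 or newer" should use lowercase "major", and "e.g. Rocky Linux" leaves open which other derivatives are covered; either name the ones the playbook is actually tested on or state plainly that any RHEL-compatible distro of that major version is expected to work.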

docs/services/appsmith.md (new file, 60 lines)

@ -0,0 +1,60 @@
# Appsmith
[Appsmith](https://www.appsmith.com/) is an open-source platform that enables developers to build and deploy custom internal tools and applications without writing code.
## Dependencies
This service requires the following other services:
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# appsmith #
# #
########################################################################
appsmith_enabled: true
appsmith_hostname: appsmith.example.com
# WARNING: remove this after you create your user account,
# unless you'd like to run a server with public registration enabled.
appsmith_environment_variable_appsmith_signup_disabled: false
########################################################################
# #
# /appsmith #
# #
########################################################################
```
### URL
In the example configuration above, we configure the service to be hosted at `https://appsmith.example.com`.
Hosting Appsmith under a subpath (by configuring the `appsmith_path_prefix` variable) does not seem to be possible right now, due to Appsmith limitations..
### Authentication
Public registration can be enabled/disabled using the `appsmith_environment_variable_appsmith_signup_disabled` variable.
We recommend installing with public registration enabled at first, creating your first user account, and then disabling public registration (unless you need it).
## Usage
After installation, you can go to the Appsmith URL, as defined in `appsmith_hostname`.
As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
If you'd like to prevent other users from registering, consider disabling public registration by removing the `appsmith_environment_variable_appsmith_signup_disabled` references from your configuration and re-running the playbook (`just install-service appsmith`).
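Review bot: the `appsmith_environment_variable_appsmith_signup_disabled: false` block tells the reader to remove the line later but never says what the default is; the safer instruction is to set it to `true` explicitly once the first account exists, so the intent survives copy-pasting and stays visible in `vars.yml`. Also, "due to Appsmith limitations.." under URL has a doubled period.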

docs/services/authentik.md (new file, 194 lines)

@ -0,0 +1,194 @@
# Authentik
[authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility. MASH can install authentik with the [`mother-of-all-self-hosting/ansible-role-authentik`](https://github.com/mother-of-all-self-hosting/ansible-role-authentik) ansible role.
**Warning:** SSO is pretty complex and while this role will install authentik for you we only tested OIDC and OAUTH integration. There is a high probability that using outposts/LDAP would need further configuration efforts. Make sure you test before using this in production and feel free to provide feedback!
## Dependencies
This service requires the following other services:
- a [Postgres](postgres.md) database
- a [Redis](redis.md) data-store, installation details [below](#redis)
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# authentik #
# #
########################################################################
authentik_enabled: true
authentik_hostname: authentik.example.com
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
authentik_secret_key: ''
# Redis configuration, as described below
########################################################################
# #
# /authentik #
# #
########################################################################
```
### Redis
As described on the [Redis](redis.md) documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik).
If you're only running authentik on this server and don't need to use Redis for anything else, you can [use a single Redis instance](#using-the-shared-redis-instance-for-authentik).
#### Using the shared Redis instance for authentik
To install a single (non-dedicated) Redis instance (`mash-redis`) and hook authentik to it, add the following **additional** configuration:
```yaml
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
########################################################################
# #
# authentik #
# #
########################################################################
# Base configuration as shown above
# Point authentik to the shared Redis instance
authentik_config_redis_hostname: "{{ redis_identifier }}"
# Make sure the authentik service (mash-authentik.service) starts after the shared Redis service (mash-redis.service)
authentik_systemd_required_services_list_custom:
- "{{ redis_identifier }}.service"
# Make sure the authentik container is connected to the container network of the shared Redis service (mash-redis)
authentik_container_additional_networks_custom:
- "{{ redis_identifier }}"
########################################################################
# #
# /authentik #
# #
########################################################################
```
This will create a `mash-redis` Redis instance on this host.
This is only recommended if you won't be installing other services which require Redis. Alternatively, go for [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik).
#### Creating a Redis instance dedicated to authentik
The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation.
Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `authentik.example.com` is your main one, create `authentik.example.com-deps`).
Then, create a new `vars.yml` file for the
`inventory/host_vars/authentik.example.com-deps/vars.yml`:
```yaml
---
########################################################################
# #
# Playbook #
# #
########################################################################
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
# Various other secrets will be derived from this secret automatically.
mash_playbook_generic_secret_key: ''
# Override service names and directory path prefixes
mash_playbook_service_identifier_prefix: 'mash-authentik-'
mash_playbook_service_base_directory_name_prefix: 'authentik-'
########################################################################
# #
# /Playbook #
# #
########################################################################
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
```
This will create a `mash-authentik-redis` instance on this host with its data in `/mash/authentik-redis`.
Then, adjust your main inventory host's variables file (`inventory/host_vars/authentik.example.com/vars.yml`) like this:
```yaml
########################################################################
# #
# authentik #
# #
########################################################################
# Base configuration as shown above
# Point authentik to its dedicated Redis instance
authentik_config_redis_hostname: mash-authentik-redis
# Make sure the authentik service (mash-authentik.service) starts after its dedicated Redis service (mash-authentik-redis.service)
authentik_systemd_required_services_list_custom:
- "mash-authentik-redis.service"
# Make sure the authentik container is connected to the container network of its dedicated Redis service (mash-authentik-redis)
authentik_container_additional_networks_custom:
- "mash-authentik-redis"
########################################################################
# #
# /authentik #
# #
########################################################################
```
## Installation
If you've decided to install a dedicated Redis instance for authentik, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `authentik.example.com-deps`), before running installation for the main one (e.g. `authentik.example.com`).
## Usage
After installation, you can set the admin password at `https://<authentik_hostname>/if/flow/initial-setup/`. Set the admin password there and start adding applications and users! Refer to the [official documentation](https://goauthentik.io/docs/) to learn how to integrate services. For this playbook tested examples are described in the respective service documentation. See
* [Grafana](./grafana.md#single-sign-on-authentik)
* [Nextcloud](./nextcloud.md#single-sign-on-authentik)
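Review bot: the Usage section should tell the reader to complete `https://<authentik_hostname>/if/flow/initial-setup/` right after the first install, since until the admin password is set there, anyone who can reach the hostname can open that flow. Minor: "OAUTH" should be "OAuth", "ansible role" should be "Ansible role", and the first Usage sentence says "set the admin password" twice.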


@ -0,0 +1,100 @@
# Setting up borg backup (optional)
The playbook can install and configure [borgbackup](https://www.borgbackup.org/) with [borgmatic](https://torsion.org/borgmatic/) for you.
BorgBackup is a deduplicating backup program with optional compression and encryption.
That means your daily incremental backups can be stored in a fraction of the space and is safe whether you store it at home or on a cloud service.
You will need a remote server where borg will store the backups. There are hosted, borg compatible solutions available, such as [BorgBase](https://www.borgbase.com).
The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day.
By default, Borg backups will include a dump of your database if you're using the [integrated Postgres server](postgres.md) or the [integrated MariaDB server](mariadb.md). An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md).
If you decide to go with another solution:
- you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable.
- you can disable MariaDB-backup support for Borg using the `backup_borg_mysql_enabled` variable.
If you're using an external database server (regardless of type), you may point borgbackup to it. See the `backup_borg_postgresql_*` or `backup_borg_mysql_*` variables.
## Prerequisites
1. Create a new SSH key:
```bash
ssh-keygen -t ed25519 -N '' -f borg-backup -C MASH
```
This can be done on any machine and you don't need to place the key in the `.ssh` folder. It will be added to the Ansible config later.
1. Add the **public** part of this SSH key (the `borg-backup.pub` file) to your borg provider/server:
If you plan to use a hosted solution, follow their instructions. If you have your own server, copy the key over:
```bash
# example to append the new PUBKEY contents, where:
# PUBKEY is path to the public key,
# USER is a ssh user on a provider / server
# HOST is a ssh host of a provider / server
cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc'
```
## Adjusting the playbook configuration
Minimal working configuration (`inventory/host_vars/<yourdomain>/vars.yml`) to enable borg backup:
```yaml
########################################################################
# #
# backup-borg #
# #
########################################################################
backup_borg_enabled: true
backup_borg_location_repositories:
- ssh://USER@HOST/./REPO
backup_borg_storage_encryption_passphrase: "PASSPHRASE"
backup_borg_ssh_key_private: |
-----BEGIN OPENSSH PRIVATE KEY-----
THISMUSTBEREPLACEDc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZW
xpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRv
bG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3
RydWQgZXhlcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXgg
ZWEgY29tbW9kbyBjb25zZXF1YXQuIA==
-----END OPENSSH PRIVATE KEY-----
########################################################################
# #
# /backup-borg #
# #
########################################################################
```
where:
* USER - SSH user of a provider/server
* HOST - SSH host of a provider/server
* REPO - borg repository name, it will be initialized on backup start, eg: `mash`, regarding Syntax see [Remote repositories](https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls)
* PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager
* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `backup_borg_ssh_key_private` needs to be indented with 2 spaces
To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. This will also enable the `backup_borg_unknown_unencrypted_repo_access_is_ok` variable.
`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ mash_playbook_base_path }}` by default, which is the base directory for every service's data, such as Nextcloud, Postgres and all others. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable.
Check the `roles/galaxy/backup-borg/defaults/main.yml` file for the full list of available options.
## Installing
After configuring the playbook, run the [installation](installing.md) command again:
```
just install-all
```
## Manually start a backup
For testing your setup it can be helpful to not wait until 4am. If you want to run the backup immediately, log onto the server
and run `systemctl start mash-backup-borg`. This will not return until the backup is done, so possibly a long time.
Consider using [tmux](https://en.wikipedia.org/wiki/Tmux) if your SSH connection is unstable.
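Review bot: `backup_borg_ssh_key_private` and `backup_borg_storage_encryption_passphrase` put a long-lived private key and the repository passphrase into `vars.yml` in clear; the doc should recommend keeping them in `ansible-vault` (or point to wherever the playbook documents secret handling), and since the key is deliberately passphrase-less (`-N ''`) it should also suggest restricting it on the receiving server to running `borg serve` for that repository instead of a full shell. Two smaller things: the link `configuring-playbook-postgres-backup.md` does not follow the `postgres.md`/`mariadb.md` naming used by the other links in these docs and looks like a leftover that will 404, and "backups can be stored ... and is safe whether you store it" should be "are safe whether you store them".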


@ -1,6 +1,8 @@
# Firezone
[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role.
[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role.
A more-lightweigth alternative for a self-hosted WireGuard VPN server which is more compatible with various ARM devices is [WireGuard Easy](wg-easy.md).
## Configuration
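Review bot: while touching the intro, fix "more-lightweigth" in the unchanged sentence right below the changed line ("more lightweight", no hyphen).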
@ -38,7 +40,7 @@ After installation, you can use `just run-tags firezone-create-or-reset-admin` a
By default, the following ports will be exposed by the container on **all network interfaces**:
- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://en.wikipedia.org/wiki/WireGuard) connections
- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections
Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
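Review bot: the changed line still says "Wireguard"; the project name is "WireGuard", as the link target and the rest of this file spell it.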


@ -21,14 +21,6 @@ gotosocial_enabled: true
# Examples: ["gts.example.org","some.server.com"]
gotosocial_hostname: 'social.example.org'
# Domain to use when federating profiles. It defaults to `gotosocial_hostname` but you can cange it when you want your server to be at
# eg., `gotosocial_hostname: gts.example.org`, but you want the domain on accounts to be "example.org" because it looks better
# or is just shorter/easier to remember.
#
# Please read the appropriate section of the installation guide before you go messing around with this setting:
# https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username
# gotosocial_account_domain: "example.org"
########################################################################
# #
# /gotosocial #
@ -39,7 +31,31 @@ gotosocial_hostname: 'social.example.org'
After installation, you can use `just run-tags gotosocial-add-user --extra-vars=username=<username> --extra-vars=password=<password> --extra-vars=email=<email>"`
to create your a user. Change `--tags=gotosocial-add-user` to `--tags=gotosocial-add-admin` to create an admin account.
### Usage
## Advanced account domain configuration
The account domain is the second part of a user handle in the Fediverse. If your handle is @username@example.org, `example.org` is your account domain. By default GoToSocial will use `gotosocial_hostname` that you provide as account domain e.g. `social.example.org`. You might want to change this by setting `gotosocial_account_domain` if you want the domain on accounts to be `example.org` because it looks better or is just shorter/easier to remember.
**Warning** DO NOT change this change this after your server has already run once, or you will break things!
If you decide to use this read [the appropriate section of the installation guide](https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username=) as you will have to do some additional work on the base domain.
```yaml
gotosocial_account_domain: "example.org"
```
## E-Mail configuration
You can use the following variables in your `vars.yml` to enable e-mail notifications.
```yml
# Check out https://docs.gotosocial.org/en/latest/configuration/smtp/ for a configuration reference
gotosocial_smtp_host: 'smtp.example.org'
gotosocial_smtp_username: gotosocial@example.org
gotosocial_smtp_password: yourpassword
gotosocial_smtp_from: gotosocial@example.org
```
## Usage
After [installing](../installing.md), you can visit at the URL specified in `gotosocial_hostname` and should see your instance.
Start to customize it at `social.example.org/admin`.
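Review bot: in the new "Advanced account domain configuration" section the warning reads "DO NOT change this change this", and the documentation link ends with a stray `=` inside the anchor (`...in-my-username=`), which will not match the heading on the GoToSocial site; the same URL in the comment block removed above has no `=`. The lone "### Usage" heading left just before the new section now has no body and should go, since the section content lives under the new "## Usage" below. In the E-Mail block, `gotosocial_smtp_password: yourpassword` is another clear-text secret that deserves the same vault pointer as the others, and the fence is tagged `yml` while the rest of the file uses `yaml`.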
@ -53,6 +69,7 @@ to demote a user from admin to normal user.
Refer to the [great official documentation](https://docs.gotosocial.org/en/latest/) for more information on GoToSocial.
## Migrate an existing instance
The following assumes you want to migrate from `serverA` to `serverB` (managed by mash) but you just cave to adjust the copy commands if you are on the same server.
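Review bot: "you just cave to adjust the copy commands" should read "you just have to adjust the copy commands".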


@ -82,6 +82,35 @@ grafana_dashboard_download_urls: |
```
#### Single-Sign-On / Authentik
Grafana supports Single-Sign-On (SSO) via OAUTH. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). Using authentik you can connect and Authentik like this:
* Create a new OAUTH provider in authentik called `grafana`
* Create an application also named `grafana` in authentik using this provider
* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`)
```yaml
grafana_environment_variables_additional_variables: |
GF_AUTH_GENERIC_OAUTH_ENABLED=true
GF_AUTH_GENERIC_OAUTH_NAME=authentik
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET
GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/
GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/
GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/
# Optionally enable auto-login (bypasses Grafana login screen)
#GF_AUTH_OAUTH_AUTO_LOGIN="true"
GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true
# Optionally map user groups to Grafana roles
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
```
Make sure the user you want to login as has an email address in authentik, otherwise there will be an error.
## Usage
After installation, you should be able to access your new Gitea instance at the configured URL (see above).
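Review bot: `GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true` is set without a comment, while the role-mapping expression below only ever yields `Admin`, `Editor` or `Viewer`; letting SSO hand out Grafana server-admin is the highest-impact setting in this block, so either explain when it takes effect or move it out of the copy-paste example and mention it as an option. The intro sentence "Using authentik you can connect and Authentik like this" is garbled and "a Identity Provider" should be "an Identity Provider"; and the unchanged Usage line at the end still says "your new Gitea instance", a copy-paste leftover in the Grafana doc.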


@ -0,0 +1,89 @@
# Healthchecks
[Healthchecks](https://healthchecks.io/) is simple and Effective **Cron Job Monitoring** solution.
## Dependencies
This service requires the following other services:
- a [Postgres](postgres.md) database
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# healthchecks #
# #
########################################################################
healthchecks_enabled: true
healthchecks_hostname: mash.example.com
# Note: hosting under a path prefix is somewhat problematic. See below.
healthchecks_path_prefix: /healthchecks
########################################################################
# #
# /healthchecks #
# #
########################################################################
```
### URL
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/healthchecks`.
You can remove the `healthchecks_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
**Note**: there are minor quirks when hosting under a subpath, such as:
- [Fonts not loading, because it attempts to load them from `/static` instead of `/path-prefix/static`](https://github.com/healthchecks/healthchecks/issues/822)
### Authentication
The first superuser account is created after installation. See [Usage](#usage).
You can create as many accounts as you wish.
### Email integration
To allow Healthchecks to send emails, add the following **additional** configuration:
```yaml
healthchecks_environment_variables_additional_variables: |
DEFAULT_FROM_EMAIL=healthchecks@example.com
EMAIL_HOST=smtp.example.com
EMAIL_HOST_PASSWORD=
EMAIL_HOST_USER=
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_USE_VERIFICATION=True
```
### Integrating with other services
Refer to the [upstream `.env.example` file](https://github.com/healthchecks/healthchecks/blob/master/docker/.env.example) for discovering additional environment variables.
You can pass these to the Healthchecks container using the `healthchecks_environment_variables_additional_variables` variable. See [Email integration](#email-integration) for an example.
## Usage
After installation, you need to **create a superuser account**.
This is an interactive process which can be initiated by **SSH-ing into into the server** and **running a command** like this:
```sh
docker exec -it mash-healthchecks /opt/healthchecks/manage.py createsuperuser
```
After creating the superuser account, you can go to the [Healthchecks URL](#url) to log in and start setting up healthchecks.
## Recommended other services
- [Prometheus](prometheus.md) - a metrics collection and alerting monitoring solution
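Review bot: the Authentication section says "You can create as many accounts as you wish" but never says whether self-registration is open to the public; since the upstream `.env.example` linked below is given as the reference for additional environment variables, the doc should show how to close registration (Healthchecks' `REGISTRATION_OPEN` setting) next to the superuser step. Smaller points: "is simple and Effective **Cron Job Monitoring** solution" should be "is a simple and effective ... solution", "SSH-ing into into" doubles "into", and the email example leaves `EMAIL_HOST_PASSWORD=` empty with no hint that it is another secret better kept out of clear-text `vars.yml`.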

docs/services/lago.md (new file, 209 lines)

@ -0,0 +1,209 @@
# Lago
[Lago](https://www.getlago.com/) is an open-source metering and usage-based billing solution.
## Dependencies
This service requires the following other services:
- a [Postgres](postgres.md) database
- a [Redis](redis.md) data-store, installation details [below](#redis)
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# lago #
# #
########################################################################
lago_enabled: true
lago_hostname: lago.example.com
# Generate this using `openssl genrsa 2048 | base64 --wrap=0`
lago_api_environment_variable_lago_rsa_private_key: ''
# WARNING: remove this after you create your user account,
# unless you'd like to run a server with public registration enabled.
lago_front_environment_variable_lago_disable_signup: false
# Redis configuration, as described below
########################################################################
# #
# /lago #
# #
########################################################################
```
### URL
In the example configuration above, we configure the service to be hosted at `https://lago.example.com`.
Hosting Lago under a subpath (by configuring the `lago_path_prefix` variable) does not seem to be possible right now, due to Lago limitations.
Our setup hosts the Lago frontend at the root path (`/`) and the Lago API at the `/api` prefix.
This seems to work well, except for [PDF invoices failing due to a Lago bug](https://github.com/getlago/lago/issues/221).
### Authentication
Public registration can be enabled/disabled using the `lago_front_environment_variable_lago_disable_signup` variable.
We recommend installing with public registration enabled at first, creating your first user account, and then disabling public registration (unless you need it).
It should be noted that disabling public signup with this variable merely disables the Sign-Up page in the web interface, but [does not actually disable signups due to a Lago bug](https://github.com/getlago/lago/issues/220).
### Redis
As described on the [Redis](redis.md) documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See [Creating a Redis instance dedicated to Lago](#creating-a-redis-instance-dedicated-to-lago).
If you're only running Lago on this server and don't need to use Redis for anything else, you can [use a single Redis instance](#using-the-shared-redis-instance-for-lago).
#### Using the shared Redis instance for Lago
To install a single (non-dedicated) Redis instance (`mash-redis`) and hook Lago to it, add the following **additional** configuration:
```yaml
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
########################################################################
# #
# lago #
# #
########################################################################
# Base configuration as shown above
# Point Lago to the shared Redis instance
lago_redis_hostname: "{{ redis_identifier }}"
# Make sure the Lago service (mash-lago.service) starts after the shared Redis service (mash-redis.service)
lago_api_systemd_required_services_list_custom:
- "{{ redis_identifier }}.service"
# Make sure the Lago container is connected to the container network of the shared Redis service (mash-redis)
lago_api_container_additional_networks_custom:
- "{{ redis_identifier }}"
########################################################################
# #
# /lago #
# #
########################################################################
```
This will create a `mash-redis` Redis instance on this host.
This is only recommended if you won't be installing other services which require Redis. Alternatively, go for [Creating a Redis instance dedicated to Lago](#creating-a-redis-instance-dedicated-to-lago).
#### Creating a Redis instance dedicated to Lago
The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation.
Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `lago.example.com` is your main one, create `lago.example.com-deps`).
Then, create a new `vars.yml` file for the
`inventory/host_vars/lago.example.com-deps/vars.yml`:
```yaml
---
########################################################################
# #
# Playbook #
# #
########################################################################
# Put a strong secret below, generated with `pwgen -s 64 1` or in another way
# Various other secrets will be derived from this secret automatically.
mash_playbook_generic_secret_key: ''
# Override service names and directory path prefixes
mash_playbook_service_identifier_prefix: 'mash-lago-'
mash_playbook_service_base_directory_name_prefix: 'lago-'
########################################################################
# #
# /Playbook #
# #
########################################################################
########################################################################
# #
# redis #
# #
########################################################################
redis_enabled: true
########################################################################
# #
# /redis #
# #
########################################################################
```
This will create a `mash-lago-redis` instance on this host with its data in `/mash/lago-redis`.
Then, adjust your main inventory host's variables file (`inventory/host_vars/lago.example.com/vars.yml`) like this:
```yaml
########################################################################
# #
# lago #
# #
########################################################################
# Base configuration as shown above
# Point Lago to its dedicated Redis instance
lago_redis_hostname: mash-lago-redis
# Make sure the Lago service (mash-lago.service) starts after its dedicated Redis service (mash-lago-redis.service)
lago_api_systemd_required_services_list_custom:
- "mash-lago-redis.service"
# Make sure the Lago container is connected to the container network of its dedicated Redis service (mash-lago-redis)
lago_api_container_additional_networks_custom:
- "mash-lago-redis"
########################################################################
# #
# /lago #
# #
########################################################################
```
## Usage
After installation, you can go to the Lago URL, as defined in `lago_hostname`.
As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
If you'd like to prevent other users from registering, consider disabling public registration by removing the `lago_front_environment_variable_lago_disable_signup` references from your configuration and re-running the playbook (`just install-service lago`).
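Review bot: the last Usage paragraph tells readers to disable public registration by removing the `lago_front_environment_variable_lago_disable_signup` references, but never states what the default is once they are gone; say explicitly that signup is disabled by default and that the override only exists so the first user can register, otherwise "remove the disable_signup setting to disable signup" reads as a contradiction. In the dedicated-Redis section, `lago_redis_hostname`, `lago_api_systemd_required_services_list_custom` and `lago_api_container_additional_networks_custom` hardcode `mash-lago-redis`, while the shared-Redis variant above uses `{{ redis_identifier }}`; a sentence noting that this name is derived from the `mash_playbook_service_identifier_prefix: 'mash-lago-'` set on the `-deps` host would help readers who choose another prefix.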
docs/services/mariadb.md Normal file
@ -0,0 +1,54 @@
# MariaDB
[MariaDB](https://mariadb.org/) is a powerful, open source object-relational database system.
Some of the services installed by this playbook require a MariaDB database.
Enabling the MariaDB database service will automatically wire all other services which require such a database to use it.
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# mariadb #
# #
########################################################################
mariadb_enabled: true
# Put a strong password below, generated with `pwgen -s 64 1` or in another way
mariadb_root_passsword: ''
########################################################################
# #
# /mariadb #
# #
########################################################################
```
### Getting a database terminal
You can use the `/mash/mariadb/bin/cli` tool to get interactive terminal access to the MariaDB server.
To see the available databases, run `SHOW DATABASES`.
To change to another existing database (for example `miniflux`), run `USE miniflux`.
You can then proceed to write queries. Example: `SELECT COUNT(*) FROM users;`
**Be careful**. Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption.
When in doubt, consider [making a backup](#backing-up-mariadb).
## Upgrading MariaDB
The major MariaDB version you start with (e.g. `10.10` or `10.11`) will be kept until you manually upgrade it. The playbook will stick to this major version and only do minor version upgrades (e.g. `10.10.1` -> `10.10.3`).
For now, there's no automatic upgrade path between major MariaDB versions, but support for upgrading will be added in the future.
## Backing up MariaDB
A `/mash/mariadb/bin/dump-all` script will be installed, which can dump the database to a path of your choosing.
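Review bot: `mariadb_root_passsword` in the Configuration block is misspelled (three s's); if the role variable is `mariadb_root_password`, anyone copying this block sets an unused variable and the intended root password is never applied, so fix the spelling here (or in the role, if the role really spells it this way). The intro sentence describes MariaDB as "a powerful, open source object-relational database system", which is the Postgres wording copied over; MariaDB is a relational database system. The Backing up section could also say where `dump-all` writes by default and that the dump contains all databases in plaintext, so readers protect the output path accordingly.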
docs/services/mrs.md Normal file
@ -0,0 +1,48 @@
# Matrix Rooms Search API
[Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) is a fully-featured, standalone, [Matrix](https://matrix.org/) rooms search service.
## Dependencies
This service requires the following other services:
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# mrs #
# #
########################################################################
mrs_enabled: true
mrs_hostname: mrs.example.com
mrs_admin_login: admin
mrs_admin_password: changeme
mrs_admin_ips:
- 123.123.123.123
mrs_servers:
- matrix.org
########################################################################
# #
# /mrs #
# #
########################################################################
```
In the example configuration above, we configure the service to be hosted at `https://mrs.example.com`.
## Usage
After installation, call the `https://mrs.example.com/-/full` endpoint using admin credentials (see the `mrs_admin_*` variables) to discover and parse content.
To see the list of supported public and private APIs, see the [API documentation](https://gitlab.com/etke.cc/mrs/api/-/blob/main/openapi.yml).
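Review bot: the example sets `mrs_admin_password: changeme` with no prompt to change it, unlike the other service docs in this commit, which carry a "Put a strong password below, generated with `pwgen -s 64 1` or in another way" comment; add the same comment and leave the value empty so a copy-paste install does not ship a known admin password for the `/-/full` endpoint. `mrs_admin_ips` should be described as the allowlist of addresses permitted to call the admin endpoints (the Usage section depends on it) and use a documentation address such as `192.0.2.1` rather than `123.123.123.123`. The project link here (`https://gitlab.com/etke.cc/mrs`) also differs from the one used in the services table (`https://gitlab.com/etke.cc/mrs/api`); pick one.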
@ -60,7 +60,7 @@ You can create additional users from the web UI after that.
If you've got a [Syncthing](syncthing.md) service running, you can use it to synchronize your music directory onto the server and then mount it as read-only into the Navidrome container.
We recommend that you make use of the [aux](aux.md) role to create some shared directory like this:
We recommend that you make use of the [aux](auxiliary.md) role to create some shared directory like this:
```yaml
########################################################################
@ -95,7 +95,8 @@ redis_enabled: true
# Base configuration as shown above
# Point NetBox to the shared Redis instance
netbox_config_redis_hostname: "{{ redis_identifier }}"
netbox_environment_variable_redis_host: "{{ redis_identifier }}"
netbox_environment_variable_redis_cache_host: "{{ redis_identifier }}"
# Make sure the NetBox service (mash-netbox.service) starts after the shared Redis service (mash-redis.service)
netbox_systemd_required_services_list_custom:
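Review bot: `netbox_config_redis_hostname` is replaced by two variables, `netbox_environment_variable_redis_host` and `netbox_environment_variable_redis_cache_host`, without a word of explanation; add a comment that NetBox configures its task-queue Redis and its cache Redis separately, which is why both must be set, and check that the dedicated-Redis variant of this doc (not in this hunk) gets the same rename so the two sections do not diverge.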
@ -213,11 +214,14 @@ You can use the configuration in the [Keycloak section](#keycloak) as a template
To integrate with [Keycloak](keycloak.md) use the following **additional** configuration:
```yaml
netbox_environment_variables_additional_variables: |
REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2
# Space-separated names of groups that new users will be assigned to.
# These groups must be created manually (from the Admin panel's Groups section) before use.
REMOTE_AUTH_DEFAULT_GROUPS=
netbox_configuration_extra_python: |
# These need to match your Client app information in Keycloak. See below
SOCIAL_AUTH_KEYCLOAK_KEY = ''
@ -239,14 +243,17 @@ netbox_configuration_extra_python: |
The Client app needs to be created and configured in a special way on the Keycloak side by:
- activating **Client authentication**
- **Valid redirect URIs**: `https://NETBOX_URL/oauth/complete/keycloak/`
- **Web origins**: `https://NETBOX_URL/`
- in **Advanced**, changing the following settings:
- **Request object signature algorithm** = `RS256`
- **Request object signature algorithm** = `RS256`
- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and add a new mapper with the following settings:
- **User info signed response algorithm** = `RS256`
- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and in the **Mappers** tab, click **Configure a new mapper** add a new **Audience** mapper with the following settings:
- **Name** = anything you like (e.g. `netbox-audience`)
- **Included Client Audience** = the key of this Client app (e.g. `netbox`)
- **Add to access token** = On
For additional environment variables controlling groups and permissions for new users (like `REMOTE_AUTH_DEFAULT_GROUPS`), see the NetBox documentation for [Remote Authentication](https://docs.netbox.dev/en/stable/configuration/remote-authentication/).
## Installation
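Review bot: in the Client scopes bullet, "click **Configure a new mapper** add a new **Audience** mapper" is missing an "and" (or "then"), and the Advanced bullets now show "Request object signature algorithm = RS256" twice (old and new line) while the intended addition is "User info signed response algorithm = RS256"; make sure only one "Request object" line survives the merge. Since the visible mapper settings tie the audience to the client key ("Included Client Audience = the key of this Client app"), one sentence on why the mapper is required would keep readers from skipping it.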
@ -198,6 +198,27 @@ nextcloud_container_additional_networks_custom:
########################################################################
```
### Single-Sign-On / Authentik
Nextcloud supports Single-Sign-On (SSO) via LDAP, SAML, and OIDC. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). The following assumes you use authentik.
**The official documentation of authentik to connect nextcloud via SAML seems broken**
MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation.
In short you should:
* Create a new provider in authentik and trim the client secret to <64 characters
* Create an application in authentik using this provider
* Install the app `user_oidc` in Nextcloud
* Fill in the details from authentik in the app settings
**Troubleshooting**
If you encounter problems during login check (error message containes `SHA1 mismatch`) that
* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings
## Installation
If you've decided to install a dedicated Redis instance for Nextcloud, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `nextcloud.example.com-deps`), before running installation for the main one (e.g. `nextcloud.example.com`).
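Review bot: "trim the client secret to <64 characters" gives no reason; state that this is a length limit on the Nextcloud side so readers do not treat the step as optional, and tell them to save the trimmed value back into the authentik provider, since both sides must hold the identical secret. Grammar and typos: "a Identity Provider" should be "an Identity Provider", "containes" should be "contains", and the Troubleshooting sentence "If you encounter problems during login check (error message containes `SHA1 mismatch`) that" should read "If login fails with an error message containing `SHA1 mismatch`, check that". The bold claim that authentik's SAML documentation "seems broken" should say what is broken or link an upstream issue; as written it cannot be acted on.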
@ -4,7 +4,7 @@
Many of the services installed by this playbook require a Postgres database.
Enabling the Postgres database service will automatically wire all other services to use it.
Enabling the Postgres database service will automatically wire all other services which require such a database to use it.
## Configuration
@ -45,7 +45,7 @@ Importing multiple databases (as dumped by `pg_dumpall`) is also supported.
Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay).
### Importing
### Importing a dump file
To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server):
@ -220,4 +220,8 @@ devture_postgres_process_extra_arguments: [
## Recommended other services
You may also wish to look into [Postgres Backup](postgres-backup.md) for backing up your Postgres database.
You may also wish to look into:
- [Postgres Backup](postgres-backup.md) for backing up your Postgres database
- [Prometheus](prometheus.md), [prometheus-postgres-exporter](prometheus-postgres-exporter.md) and [Grafana](grafana.md) for monitoring your Postgres database
@ -0,0 +1,40 @@
# Postgres Exporter
This playbook can configure [Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) by utilizing [mother-of-all-self-hosting/ansible-role-postgres-exporter](https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git).
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# prometheus_postgres_exporter #
# #
########################################################################
prometheus_postgres_exporter_enabled: true
# To expose the metrics publicly, enable and configure the lines below:
# prometheus_postgres_exporter_hostname: mash.example.com
# prometheus_postgres_exporter_path_prefix: /metrics/postgres-exporter
# To protect the metrics with HTTP Basic Auth, enable and configure the lines below:
# prometheus_postgres_exporter_basicauth_enabled: true
# prometheus_postgres_exporter_basicauth_user: your_username
# prometheus_postgres_exporter_basicauth_password: your password
########################################################################
# #
# /prometheus_postgres_exporter #
# #
########################################################################
```
Unless you're scraping the Postgres Exporter metrics from a local [Prometheus](prometheus.md) instance, as described in [Integrating with Postgres Exporter](prometheus.md#integrating-with-postgres-exporter), you will probably wish to expose the metrics publicly so that a remote Prometheus instance can fetch them.
## Usage
After you installed the exporter, your stats will be available on `mash.example.com/metrics/postgres-exporter` with basic auth credentials you configured
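Review bot: the link text in the first paragraph says `ansible-role-postgres-exporter` but the URL is `ansible-role-prometheus-postgres-exporter.git`; align them. In the config block, `prometheus_postgres_exporter_basicauth_password: your password` is inconsistent with `your_username`, and, more importantly, the doc lets readers enable `prometheus_postgres_exporter_hostname` and `_path_prefix` while leaving the basicauth lines commented out; since the exporter publishes details about the database server, the paragraph after the block should say that exposing the metrics publicly should go together with enabling Basic Auth (or restricting access to the remote Prometheus). The Usage sentence needs a full stop and should read "After you've installed the exporter, your stats will be available at `mash.example.com/metrics/postgres-exporter`, protected by the Basic Auth credentials you configured."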
@ -74,4 +74,8 @@ If you're scraping others services running in containers over the container netw
## Recommended other services
To visualize your Prometheus metrics (time-series), you may wish to use a tool like [Grafana](grafana.md).
- [Grafana](grafana.md) - a web-based tool for visualizing your Prometheus metrics (time-series)
- [prometheus-node-exporter](prometheus-blackbox-exporter.md) - Blackbox probing of HTTP/HTTPS/DNS/TCP/ICMP and gRPC endpoints
- [prometheus-node-exporter](prometheus-node-exporter.md) - an exporter for machine metrics
- [prometheus-postgres-exporter](prometheus-postgres-exporter.md) - an exporter for monitoring a [Postgres](postgres.md) database server
- [Healthchecks](healthchecks.md) - a simple and Effective Cron Job Monitoring solution
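Review bot: the second bullet's link text says `prometheus-node-exporter` but it points at `prometheus-blackbox-exporter.md` and describes blackbox probing; the text should be `prometheus-blackbox-exporter`, otherwise two bullets appear to name the same exporter. "a simple and Effective Cron Job Monitoring solution" has stray capitals.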
docs/services/wg-easy.md Normal file
@ -0,0 +1,96 @@
# WireGuard Easy
[WireGuard Easy](https://github.com/WeeJeWel/wg-easy) is the easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI.
Another more powerful alternative for a self-hosted WireGuard VPN server is [Firezone](firezone.md). WireGuard Easy is easier, lighter and more compatible with various ARM devices.
## Dependencies
This service requires the following other services:
- a [Traefik](traefik.md) reverse-proxy server
- a modern Linux kernel which supports WireGuard
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# wg-easy #
# #
########################################################################
wg_easy_enabled: true
wg_easy_hostname: mash.example.com
wg_easy_path_prefix: /wg-easy
wg_easy_environment_variables_additional_variable_wg_host: mash.example.com
# Put a strong password below, generated with `pwgen -s 64 1` or in another way
wg_easy_environment_variables_additional_variable_password: ''
# The default WireGuard port is 51820.
# Uncomment and change the lines below to use another one.
#
# The port that wg-easy advertises for WireGuard connectivity in profile files.
# wg_easy_environment_variables_additional_variable_wg_port: 51820
#
# The port that is actually published from the container.
# wg_easy_container_wireguard_bind_port: 51820
# The default DNS is 1.1.1.1.
# Uncomment and change the line below to use another one.
# wg_easy_environment_variables_additional_variable_wg_default_dns: 1.1.1.1
########################################################################
# #
# /wg-easy #
# #
########################################################################
```
### URL
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/wg-easy`.
You can remove the `wg_easy_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
### Networking
**In addition** to ports `80` and `443` exposed by the [Traefik](traefik.md) reverse-proxy, the following ports will be exposed by the WireGuard containers on **all network interfaces**:
- `51820` over **UDP**, controlled by `wg_easy_environment_variables_additional_variable_wg_port` and `wg_easy_container_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections
Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
### Additional configuration
For additional configuration options, see the upstream documentation's [Options](https://github.com/WeeJeWel/wg-easy#options) section.
You can inject additional environment variables with this additional configuration:
```yaml
wg_easy_environment_variables_additional_variables: |
WG_DEFAULT_ADDRESS: 10.6.0.x
WG_MTU: 1420
```
## Usage
After installation, you can go to the WireGuard Easy URL, as defined in `wg_easy_hostname` and `wg_easy_path_prefix`.
You can authenticate with the password set in `wg_easy_environment_variables_additional_variable_password`.
You can then create various Clients and import the configuration for them onto your devices - either by downloading a file or by scanning a QR code.
## Recommended other services
- [AdGuard Home](adguard-home.md) - A network-wide DNS software for blocking ads & tracking
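Review bot: the Additional configuration block writes `WG_DEFAULT_ADDRESS: 10.6.0.x` and `WG_MTU: 1420` inside `wg_easy_environment_variables_additional_variables: |`, i.e. YAML-style `KEY: value` pairs within a block scalar, whereas the equivalent variable in the NetBox doc in this commit (`netbox_environment_variables_additional_variables: |`) uses `KEY=value` env-file syntax; if the role renders this block into an environment file, the colon form yields invalid entries, so it should read `WG_DEFAULT_ADDRESS=10.6.0.x` and `WG_MTU=1420`. In the Networking bullet, "Wireguard" should be "WireGuard". The Networking section rightly warns that UDP `51820` is published on all interfaces and opened in the firewall by Docker; it would help to add that the admin UI itself is only reachable through Traefik, so the password in `wg_easy_environment_variables_additional_variable_password` is the sole protection for that UI and must be strong.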
@ -2,22 +2,28 @@
| Name | Description | Documentation |
| ------------------------------ | ------------------------------------- | ------------- |
| [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/aux.md) |
| [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/auxiliary.md) |
| [AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) | A network-wide DNS software for blocking ads & tracking | [Link](services/adguard-home.md) |
| [Appsmith](https://www.appsmith.com/) | Platform for building and deploying custom internal tools and applications without writing code | [Link](services/appsmith.md) |
| [authentik](https://goauthentik.io/) | An open-source Identity Provider focused on flexibility and versatility. | [Link](services/authentik.md) |
| [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) |
| [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) |
| [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) |
| [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) |
| [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) |
| [Focalboard](https://www.focalboard.com/) | An open source, self-hosted alternative to [Trello](https://trello.com/), [Notion](https://www.notion.so/), and [Asana](https://asana.com/). | [Link](services/focalboard.md) |
| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with a Web UI | [Link](services/firezone.md) |
| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with a Web UI | [Link](services/firezone.md) |
| [Funkwhale](https://funkwhale.audio/) | Listen and share music with a selfhosted streaming server.| [Link](services/funkwhale.md) |
| [Gitea](https://gitea.io/) | A painless self-hosted [Git](https://git-scm.com/) service. | [Link](services/gitea.md) |
| [GoToSocial](https://gotosocial.org/) | A self-hosted [ActivityPub](https://activitypub.rocks/) social network server | [Link](services/gotosocial.md) |
| [Grafana](https://grafana.com/) | An open and composable observability and data visualization platform, often used with [Prometheus](services/prometheus.md) | [Link](services/grafana.md) |
| [Healthchecks](https://healthchecks.io/) | A simple and Effective Cron Job Monitoring solution | [Link](services/healthchecks.md) |
| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
| [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) |
| [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
| [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) |
| [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) |
| [Matrix Rooms Search API](https://gitlab.com/etke.cc/mrs/api) | A fully-featured, standalone, matrix rooms search service. | [Link](services/mrs.md) |
| [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
| [Navidrome](https://www.navidrome.org/) | [Subsonic-API](http://www.subsonic.org/pages/api.jsp) compatible music server | [Link](services/navidrome.md)
| [NetBox](https://docs.netbox.dev/en/stable/) | Web application that provides [IP address management (IPAM)](https://en.wikipedia.org/wiki/IP_address_management) and [data center infrastructure management (DCIM)](https://en.wikipedia.org/wiki/Data_center_management#Data_center_infrastructure_management) functionality | [Link](services/netbox.md) |
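Review bot: the new MariaDB row describes it as "A powerful, open source object-relational database system", copied from the Postgres row below; MariaDB is a relational database system, so reword. The Matrix Rooms Search API row links to `https://gitlab.com/etke.cc/mrs/api` while `docs/services/mrs.md` in this commit links to `https://gitlab.com/etke.cc/mrs`; use the same URL in both places. Nit: the Navidrome row is missing its trailing `|`.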
@ -27,8 +33,9 @@
| [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) |
| [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) |
| [Prometheus](https://prometheus.io/) | A metrics collection and alerting monitoring solution | [Link](services/prometheus.md) |
| [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) | Exporter for machine metrics | [Link](services/prometheus-node-exporter.md) |
| [Prometheus Blackbox Exporter](https://github.com/prometheus/blackbox_exporter) | Blackbox probing of HTTP/HTTPS/DNS/TCP/ICMP and gRPC endpoints | [Link](services/prometheus-blackbox-exporter.md) |
| [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) | Exporter for machine metrics | [Link](services/prometheus-node-exporter.md) |
| [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) | A PostgreSQL metric exporter for Prometheus | [Link](services/prometheus-postgres-exporter.md) |
| [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) |
| [Redmine](https://redmine.org/) | A flexible project management web application. | [Link](services/redmine.md) |
| [Redis](https://redis.io/) | An in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. | [Link](services/redis.md) |
@ -37,6 +44,7 @@
| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) |
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
| [WireGuard Easy](https://github.com/WeeJeWel/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) |
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
| System-related | A collection of various system-related components | [Link](services/system.md) |
@ -5,6 +5,8 @@
# If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
# to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file.
#
# If SSH is configured to listen to a non-standard port (i.e. something different than port 22), you need to add `ansible_port=<your configured SSH port>`.
#
# If you're running this Ansible playbook on the same server as the one you're installing to,
# consider adding an additional `ansible_connection=local` argument to the host line below.
#
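Review bot: "If SSH is configured to listen to a non-standard port (i.e. something different than port 22)" should read "listen on a non-standard port (i.e. something other than port 22)"; otherwise the added hint is a useful complement to the pipelining note above it.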
@ -63,8 +63,16 @@ system_swap_enabled: false
devture_systemd_service_manager_services_list_auto: |
{{
([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['mash', 'backup', 'borg']}] if backup_borg_enabled else [])
+
([{'name': (adguard_home_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'adguard-home']}] if adguard_home_enabled else [])
+
([{'name': (appsmith_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'appsmith']}] if appsmith_enabled else [])
+
([{'name': (authentik_server_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else [])
+
([{'name': (authentik_worker_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else [])
+
([{'name': (collabora_online_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'collabora-online']}] if collabora_online_enabled else [])
+
([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'postgres']}] if devture_postgres_enabled else [])
@ -107,10 +115,34 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (grafana_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'grafana']}] if grafana_enabled else [])
+
([{'name': (hubsite_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'hubsite']}] if hubsite_enabled else [])
+
([{'name': (healthchecks_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'healthchecks']}] if healthchecks_enabled else [])
+
([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else [])
+
([{'name': (keycloak_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'keycloak']}] if keycloak_enabled else [])
+
([{'name': (lago_identifier + '-api.service'), 'priority': 2000, 'groups': ['mash', 'lago', 'lago-api']}] if lago_enabled else [])
+
([{'name': (lago_identifier + '-api-worker.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-worker']}] if lago_enabled else [])
+
([{'name': (lago_identifier + '-api-clock.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-clock']}] if lago_enabled else [])
+
([{'name': (lago_identifier + '-front.service'), 'priority': 2200, 'groups': ['mash', 'lago', 'lago-front']}] if lago_enabled else [])
+
([{'name': (lago_identifier + '-pdf.service'), 'priority': 1900, 'groups': ['mash', 'lago', 'lago-pdf']}] if lago_enabled else [])
+
([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else [])
+
([{'name': (mrs_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mrs']}] if mrs_enabled else [])
+
([{'name': (navidrome_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'navidrome']}] if navidrome_enabled else [])
+
([{'name': (netbox_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'netbox', 'netbox-server']}] if netbox_enabled else [])
@ -123,6 +155,8 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (nextcloud_identifier + '-cron.timer'), 'priority': 2500, 'groups': ['mash', 'nextcloud', 'nextcloud-cron']}] if nextcloud_enabled else [])
+
([{'name': (mariadb_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'mariadb']}] if mariadb_enabled else [])
+
([{'name': (owncast_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'owncast']}] if owncast_enabled else [])
+
([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else [])
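Review bot: the `mariadb_identifier` entry is inserted between the nextcloud and owncast entries, breaking the otherwise alphabetical order of this list; move it into alphabetical position (after lago, before miniflux) or next to the other database service, `devture_postgres_identifier`, which shares its priority of 500.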
@ -135,6 +169,8 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else [])
+
([{'name': (prometheus_postgres_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-postgres-exporter']}] if prometheus_postgres_exporter_enabled else [])
+
([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
+
([{'name': (redmine_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'redmine']}] if redmine_enabled else [])
@ -151,15 +187,7 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
+
([{'name': (hubsite_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'hubsite']}] if hubsite_enabled else [])
+
([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else [])
([{'name': (wg_easy_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'wg-easy']}] if wg_easy_enabled else [])
}}
########################################################################
@ -197,6 +225,11 @@ devture_postgres_systemd_services_to_stop_for_maintenance_list: |
devture_postgres_managed_databases_auto: |
{{
([{
'name': authentik_database_name,
'username': authentik_database_username,
'password': authentik_database_password,
}] if authentik_enabled and authentik_database_hostname == devture_postgres_identifier else [])
+([{
'name': focalboard_database_name,
'username': focalboard_database_username,
'password': focalboard_database_password,
@ -214,6 +247,12 @@ devture_postgres_managed_databases_auto: |
'password': gitea_config_database_password,
}] if gitea_enabled else [])
+
([{
'name': healthchecks_database_name,
'username': healthchecks_database_username,
'password': healthchecks_database_password,
}] if healthchecks_enabled and healthchecks_database_hostname == devture_postgres_identifier else [])
+
([{
'name': devture_woodpecker_ci_server_database_datasource_db_name,
'username': devture_woodpecker_ci_server_database_datasource_username,
@ -232,6 +271,12 @@ devture_postgres_managed_databases_auto: |
'password': keycloak_database_password,
}] if keycloak_enabled and keycloak_database_type == 'postgres' and keycloak_database_hostname == devture_postgres_identifier else [])
+
([{
'name': lago_database_name,
'username': lago_database_username,
'password': lago_database_password,
}] if lago_enabled and lago_database_hostname == devture_postgres_identifier else [])
+
([{
'name': miniflux_database_name,
'username': miniflux_database_username,
@ -262,6 +307,12 @@ devture_postgres_managed_databases_auto: |
'password': peertube_config_database_password,
}] if peertube_enabled else [])
+
([{
'name': prometheus_postgres_exporter_database_name,
'username': prometheus_postgres_exporter_database_username,
'password': prometheus_postgres_exporter_database_password,
}] if prometheus_postgres_exporter_enabled else [])
+
([{
'name': firezone_database_name,
'username': firezone_database_user,
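Review bot: the prometheus_postgres_exporter entry is guarded only by `prometheus_postgres_exporter_enabled`, without the `..._database_hostname == devture_postgres_identifier` check that the authentik, healthchecks and lago entries in this same list use. If the exporter is pointed at an external Postgres, the playbook would still create a database and user on the local instance. Suggest `if prometheus_postgres_exporter_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_identifier else []`.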
@ -479,6 +530,147 @@ adguard_home_container_labels_traefik_tls_certResolver: "{{ devture_traefik_cert
########################################################################
# #
# appsmith #
# #
########################################################################
appsmith_enabled: false
appsmith_identifier: "{{ mash_playbook_service_identifier_prefix }}appsmith"
appsmith_uid: "{{ mash_playbook_uid }}"
appsmith_gid: "{{ mash_playbook_gid }}"
appsmith_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}appsmith"
appsmith_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
appsmith_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
appsmith_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
appsmith_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
appsmith_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /appsmith #
# #
########################################################################
########################################################################
# #
# authentik #
# #
########################################################################
authentik_enabled: false
authentik_identifier: "{{ mash_playbook_service_identifier_prefix }}authentik"
authentik_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}authentik"
authentik_uid: "{{ mash_playbook_uid }}"
authentik_gid: "{{ mash_playbook_gid }}"
authentik_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
authentik_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
authentik_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.authentik', rounds=655555) | to_uuid }}"
authentik_database_username: "{{ authentik_identifier }}"
authentik_server_systemd_required_services_list_auto: |
{{
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier else [])
}}
authentik_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_container_network != devture_postgres_container_network else [])
}}
authentik_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
authentik_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
authentik_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
authentik_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /authentik #
# #
########################################################################
########################################################################
# #
# backup-borg #
# #
########################################################################
backup_borg_enabled: false
backup_borg_identifier: "{{ mash_playbook_service_identifier_prefix }}backup-borg"
backup_borg_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}borg-backup"
backup_borg_uid: "{{ mash_playbook_uid }}"
backup_borg_gid: "{{ mash_playbook_gid }}"
backup_borg_container_network: "{{ devture_postgres_container_network if devture_postgres_enabled else backup_borg_identifier }}"
backup_borg_retention_prefix: "{{ mash_playbook_service_identifier_prefix }}"
backup_borg_storage_archive_name_format: "{{ mash_playbook_service_identifier_prefix }}-{now:%Y-%m-%d-%H%M%S}"
backup_borg_container_image_self_build: "{{ mash_playbook_architecture not in ['amd64', 'arm32', 'arm64'] }}"
backup_borg_postgresql_enabled: "{{ devture_postgres_enabled }}"
backup_borg_postgresql_databases_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
backup_borg_postgresql_databases_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}"
backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}"
backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}"
backup_borg_postgresql_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}"
backup_borg_mysql_enabled: "{{ mariadb_enabled }}"
backup_borg_mysql_databases_hostname: "{{ mariadb_identifier if mariadb_enabled else '' }}"
backup_borg_mysql_databases_username: "root"
backup_borg_mysql_databases_password: "{{ mariadb_root_passsword if mariadb_enabled else '' }}"
backup_borg_mysql_databases_port: 3306
backup_borg_mysql_databases: "{{ mariadb_managed_databases | map(attribute='name') if mariadb_enabled else [] }}"
backup_borg_location_source_directories:
- "{{ mash_playbook_base_path }}"
backup_borg_location_exclude_patterns: |
{{
([devture_postgres_data_path] if devture_postgres_enabled else [])
+
([mariadb_data_path] if mariadb_enabled else [])
}}
backup_borg_systemd_required_services_list: |
{{
['docker.service']
+
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
+
([mariadb_identifier ~ '.service'] if mariadb_enabled else [])
}}
########################################################################
# #
# /backup-borg #
# #
########################################################################
########################################################################
# #
# collabora-online #
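Review bot: `backup_borg_mysql_databases_password` references `mariadb_root_passsword` (three s). Unless the mariadb role really exports a variable with that spelling, this resolves to an undefined variable as soon as `mariadb_enabled` is true and the MySQL dumps in the Borg backup fail; please confirm the name against the role, and fix the spelling if it is `mariadb_root_password`. Also, in the authentik section `authentik_server_systemd_required_services_list_auto` keeps a `_server_` infix while the neighbouring variables are `authentik_container_*`; confirm that is still the name the role reads.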
@ -888,6 +1080,53 @@ grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResol
########################################################################
# #
# healthchecks #
# #
########################################################################
healthchecks_enabled: false
healthchecks_identifier: "{{ mash_playbook_service_identifier_prefix }}healthchecks"
healthchecks_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}healthchecks"
healthchecks_uid: "{{ mash_playbook_uid }}"
healthchecks_gid: "{{ mash_playbook_gid }}"
healthchecks_systemd_required_services_list: |
{{
(['docker.service'])
+
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and healthchecks_database_hostname == devture_postgres_identifier else [])
}}
healthchecks_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([devture_postgres_container_network] if devture_postgres_enabled and healthchecks_database_hostname == devture_postgres_identifier and healthchecks_container_network != devture_postgres_container_network else [])
}}
healthchecks_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
healthchecks_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
healthchecks_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
healthchecks_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
healthchecks_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
healthchecks_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'healthchecks.db', rounds=655555) | to_uuid }}"
healthchecks_environment_variable_secret_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'healthchecks', rounds=655555) | to_uuid }}"
########################################################################
# #
# /healthchecks #
# #
########################################################################
########################################################################
# #
# hubsite #
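Review bot: `healthchecks_database_hostname` is set to `devture_postgres_connection_hostname`, but the two guards higher in this hunk (`healthchecks_systemd_required_services_list` and `healthchecks_container_additional_networks`) compare it against `devture_postgres_identifier`, as does the managed-databases entry. The authentik section sets `_database_hostname` to `devture_postgres_identifier` directly; using the same source here avoids the guards silently turning false if the connection hostname is ever overridden. Secondary style point: these two variables lack the `_auto` suffix used by the appsmith and authentik sections, so a user override would replace rather than extend them if the role follows the usual `_auto` plus `_custom` split.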
@ -929,6 +1168,22 @@ hubsite_service_adguard_home_logo_location: "{{ role_path }}/assets/shield.png"
hubsite_service_adguard_home_description: "A network-wide DNS software for blocking ads & tracking"
hubsite_service_adguard_home_priority: 1000
# authentik
hubsite_service_authentik_enabled: "{{ authentik_enabled }}"
hubsite_service_authentik_name: Authentik
hubsite_service_authentik_url: "https://{{ authentik_hostname }}"
hubsite_service_authentik_logo_location: "{{ role_path }}/assets/authentik.png"
hubsite_service_authentik_description: "An open source identity provider"
hubsite_service_authentik_priority: 1000
# Appsmith
hubsite_service_appsmith_enabled: "{{ appsmith_enabled }}"
hubsite_service_appsmith_name: Appsmith
hubsite_service_appsmith_url: "https://{{ appsmith_hostname }}{{ appsmith_path_prefix }}"
hubsite_service_appsmith_logo_location: "{{ role_path }}/assets/appsmith.png"
hubsite_service_appsmith_description: "Platform for building and deploying custom internal tools and applications without writing code"
hubsite_service_appsmith_priority: 1000
# Docker Registry Browser
hubsite_service_docker_registry_browser_enabled: "{{ docker_registry_browser_enabled }}"
hubsite_service_docker_registry_browser_name: Docker Registry Browser
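Review bot: the new authentik block is inserted ahead of Appsmith, although the rest of the hubsite service list is alphabetical, and its comment is lowercase `# authentik` while the others are capitalised (`# Appsmith`, `# Docker Registry Browser`). Swap the two blocks and capitalise the comment.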
@ -937,6 +1192,14 @@ hubsite_service_docker_registry_browser_logo_location: "{{ role_path }}/assets/d
hubsite_service_docker_registry_browser_description: "Browse docker images"
hubsite_service_docker_registry_browser_priority: 1000
# Firezone
hubsite_service_firezone_enabled: "{{ firezone_enabled }}"
hubsite_service_firezone_name: Firezone
hubsite_service_firezone_url: "https://{{ firezone_hostname }}"
hubsite_service_firezone_logo_location: "{{ role_path }}/assets/firezone.png"
hubsite_service_firezone_description: "A self-hosted VPN server, based on Wireguard"
hubsite_service_firezone_priority: 1000
# Focalboard
hubsite_service_focalboard_enabled: "{{ focalboard_enabled }}"
hubsite_service_focalboard_name: Focalboard
@ -945,6 +1208,14 @@ hubsite_service_focalboard_logo_location: "{{ role_path }}/assets/focalboard.png
hubsite_service_focalboard_description: "An open source, self-hosted alternative to Trello, Notion, and Asana."
hubsite_service_focalboard_priority: 1000
# Funkwhale
hubsite_service_funkwhale_enabled: "{{ funkwhale_enabled }}"
hubsite_service_funkwhale_name: Funkwhale
hubsite_service_funkwhale_url: "https://{{ funkwhale_hostname }}"
hubsite_service_funkwhale_logo_location: "{{ role_path }}/assets/funkwhale.png"
hubsite_service_funkwhale_description: "Listen and share music with a selfhosted streaming server"
hubsite_service_funkwhale_priority: 1000
# Gitea
hubsite_service_gitea_enabled: "{{ gitea_enabled }}"
hubsite_service_gitea_name: Gitea
@ -969,6 +1240,22 @@ hubsite_service_grafana_logo_location: "{{ role_path }}/assets/grafana.png"
hubsite_service_grafana_description: "Check how your server is doing"
hubsite_service_grafana_priority: 1000
# Healthchecks
hubsite_service_healthchecks_enabled: "{{ healthchecks_enabled }}"
hubsite_service_healthchecks_name: Healthchecks
hubsite_service_healthchecks_url: "https://{{ healthchecks_hostname }}{{ healthchecks_path_prefix }}"
hubsite_service_healthchecks_logo_location: "{{ role_path }}/assets/healthchecks.png"
hubsite_service_healthchecks_description: "A simple and Effective Cron Job Monitoring solution"
hubsite_service_healthchecks_priority: 1000
# Keycloak
hubsite_service_keycloak_enabled: "{{ keycloak_enabled }}"
hubsite_service_keycloak_name: Keycloak
hubsite_service_keycloak_url: "https://{{ keycloak_hostname }}{{ keycloak_path_prefix }}"
hubsite_service_keycloak_logo_location: "{{ role_path }}/assets/keycloak.png"
hubsite_service_keycloak_description: "An open source identity and access management solution."
hubsite_service_keycloak_priority: 1000
# Miniflux
hubsite_service_miniflux_enabled: "{{ miniflux_enabled }}"
hubsite_service_miniflux_name: Miniflux
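Review bot: minor copy: `hubsite_service_healthchecks_description` has odd mid-sentence capitalisation ("simple and Effective Cron Job Monitoring solution"), and `hubsite_service_keycloak_description` ends with a period whereas the neighbouring descriptions do not.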
@ -987,7 +1274,7 @@ hubsite_service_nextcloud_priority: 1000
# Owncast
hubsite_service_owncast_enabled: "{{ owncast_enabled }}"
hubsite_service_owncast_name: owncast
hubsite_service_owncast_name: Owncast
hubsite_service_owncast_url: "https://{{ owncast_hostname }}"
hubsite_service_owncast_logo_location: "{{ role_path }}/assets/owncast.png"
hubsite_service_owncast_description: "Livestream & Chat"
@ -1046,14 +1333,28 @@ hubsite_service_list_auto: |
{{
([{'name': hubsite_service_adguard_home_name, 'url': hubsite_service_adguard_home_url, 'logo_location': hubsite_service_adguard_home_logo_location, 'description': hubsite_service_adguard_home_description, 'priority': hubsite_service_adguard_home_priority}] if hubsite_service_adguard_home_enabled else [])
+
([{'name': hubsite_service_authentik_name, 'url': hubsite_service_authentik_url, 'logo_location': hubsite_service_authentik_logo_location, 'description': hubsite_service_authentik_description, 'priority': hubsite_service_adguard_home_priority}] if hubsite_service_authentik_enabled else [])
+
([{'name': hubsite_service_appsmith_name, 'url': hubsite_service_appsmith_url, 'logo_location': hubsite_service_appsmith_logo_location, 'description': hubsite_service_appsmith_description, 'priority': hubsite_service_appsmith_priority}] if hubsite_service_appsmith_enabled else [])
+
([{'name': hubsite_service_docker_registry_browser_name, 'url': hubsite_service_docker_registry_browser_url, 'logo_location': hubsite_service_docker_registry_browser_logo_location, 'description': hubsite_service_docker_registry_browser_description, 'priority': hubsite_service_docker_registry_browser_priority}] if hubsite_service_docker_registry_browser_enabled else [])
+
([{'name': hubsite_service_firezone_name, 'url': hubsite_service_firezone_url, 'logo_location': hubsite_service_firezone_logo_location, 'description': hubsite_service_firezone_description, 'priority': hubsite_service_firezone_priority}] if hubsite_service_firezone_enabled else [])
+
([{'name': hubsite_service_focalboard_name, 'url': hubsite_service_focalboard_url, 'logo_location': hubsite_service_focalboard_logo_location, 'description': hubsite_service_focalboard_description, 'priority': hubsite_service_focalboard_priority}] if hubsite_service_focalboard_enabled else [])
+
([{'name': hubsite_service_funkwhale_name, 'url': hubsite_service_funkwhale_url, 'logo_location': hubsite_service_funkwhale_logo_location, 'description': hubsite_service_funkwhale_description, 'priority': hubsite_service_funkwhale_priority}] if hubsite_service_funkwhale_enabled else [])
+
([{'name': hubsite_service_gitea_name, 'url': hubsite_service_gitea_url, 'logo_location': hubsite_service_gitea_logo_location, 'description': hubsite_service_gitea_description, 'priority': hubsite_service_gitea_priority}] if hubsite_service_gitea_enabled else [])
+
([{'name': hubsite_service_gotosocial_name, 'url': hubsite_service_gotosocial_url, 'logo_location': hubsite_service_gotosocial_logo_location, 'description': hubsite_service_gotosocial_description, 'priority': hubsite_service_gotosocial_priority}] if hubsite_service_gotosocial_enabled else [])
+
([{'name': hubsite_service_grafana_name, 'url': hubsite_service_grafana_url, 'logo_location': hubsite_service_grafana_logo_location, 'description': hubsite_service_grafana_description, 'priority': hubsite_service_grafana_priority}] if hubsite_service_grafana_enabled else [])
+
([{'name': hubsite_service_healthchecks_name, 'url': hubsite_service_healthchecks_url, 'logo_location': hubsite_service_healthchecks_logo_location, 'description': hubsite_service_healthchecks_description, 'priority': hubsite_service_healthchecks_priority}] if hubsite_service_healthchecks_enabled else [])
+
([{'name': hubsite_service_keycloak_name, 'url': hubsite_service_keycloak_url, 'logo_location': hubsite_service_keycloak_logo_location, 'description': hubsite_service_keycloak_description, 'priority': hubsite_service_keycloak_priority}] if hubsite_service_keycloak_enabled else [])
+
([{'name': hubsite_service_miniflux_name, 'url': hubsite_service_miniflux_url, 'logo_location': hubsite_service_miniflux_logo_location, 'description': hubsite_service_miniflux_description, 'priority': hubsite_service_miniflux_priority}] if hubsite_service_miniflux_enabled else [])
+
([{'name': hubsite_service_nextcloud_name, 'url': hubsite_service_nextcloud_url, 'logo_location': hubsite_service_nextcloud_logo_location, 'description': hubsite_service_nextcloud_description, 'priority': hubsite_service_nextcloud_priority}] if hubsite_service_nextcloud_enabled else [])
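Review bot: the authentik entry in `hubsite_service_list_auto` sets `'priority': hubsite_service_adguard_home_priority` instead of `hubsite_service_authentik_priority`, so the `hubsite_service_authentik_priority` variable defined in the hubsite section has no effect; looks like a copy-paste from the adguard line above. The same hunk also places authentik before appsmith, breaking the alphabetical order used elsewhere in the list.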
@ -1081,6 +1382,55 @@ hubsite_service_list_auto: |
########################################################################
# #
# jitsi #
# #
########################################################################
jitsi_enabled: false
jitsi_architecture: "{{ mash_playbook_architecture }}"
jitsi_identifier: "{{ mash_playbook_service_identifier_prefix }}jitsi"
jitsi_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}jitsi"
jitsi_uid: "{{ mash_playbook_uid }}"
jitsi_gid: "{{ mash_playbook_gid }}"
jitsi_web_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
jitsi_prosody_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
jitsi_jvb_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
jitsi_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
jitsi_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
jitsi_jibri_xmpp_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
jitsi_jicofo_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
jitsi_jvb_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}"
########################################################################
# #
# /jitsi #
# #
########################################################################
########################################################################
# #
# keycloak #
@ -1125,6 +1475,57 @@ keycloak_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key)
########################################################################
# #
# lago #
# #
########################################################################
lago_enabled: false
lago_architecture: "{{ mash_playbook_architecture }}"
lago_identifier: "{{ mash_playbook_service_identifier_prefix }}lago"
lago_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}lago"
lago_uid: "{{ mash_playbook_uid }}"
lago_gid: "{{ mash_playbook_gid }}"
lago_api_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([devture_postgres_container_network] if devture_postgres_enabled and lago_database_hostname == devture_postgres_identifier and lago_api_container_network != devture_postgres_container_network else [])
}}
lago_front_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
lago_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
lago_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
lago_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
lago_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
lago_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
lago_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
lago_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.db', rounds=655555) | to_uuid }}"
lago_api_environment_variable_secret_key_base: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.sec.key', rounds=655555) | to_uuid }}"
lago_api_environment_variable_encryption_primary_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.enc.primary', rounds=655555) | to_uuid }}"
lago_api_environment_variable_encryption_deterministic_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deter.key', rounds=655555) | to_uuid }}"
lago_api_environment_variable_encryption_key_derivation_salt: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deriv.salt', rounds=655555) | to_uuid }}"
########################################################################
# #
# /lago #
# #
########################################################################
########################################################################
# #
# miniflux #
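Review bot: the lago section does not define `lago_database_username`, yet the managed-databases entry earlier in this commit reads it; the authentik section sets `authentik_database_username` explicitly. Confirm the lago role supplies a default, otherwise the database user is created with an undefined name.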
@ -1219,6 +1620,40 @@ mobilizon_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certRes
########################################################################
# #
# mrs #
# #
########################################################################
mrs_enabled: false
mrs_identifier: "{{ mash_playbook_service_identifier_prefix }}mrs"
mrs_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mrs"
mrs_uid: "{{ mash_playbook_uid }}"
mrs_gid: "{{ mash_playbook_gid }}"
mrs_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
mrs_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
mrs_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
mrs_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
mrs_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /mrs #
# #
########################################################################
########################################################################
# #
# navidrome #
@ -1345,6 +1780,34 @@ netbox_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) |
########################################################################
# #
# mariadb #
# #
########################################################################
mariadb_enabled: false
mariadb_identifier: "{{ mash_playbook_service_identifier_prefix }}mariadb"
mariadb_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mariadb"
mariadb_uid: "{{ mash_playbook_uid }}"
mariadb_gid: "{{ mash_playbook_gid }}"
# This will be extended in the future, to auto-create datases for services
# which depend on MariaDB.
# See `devture_postgres_managed_databases_auto`
mariadb_managed_databases_auto: []
########################################################################
# #
# /mariadb #
# #
########################################################################
########################################################################
# #
# owncast #
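Review bot: the mariadb section is inserted between netbox and owncast, whereas the file is otherwise ordered alphabetically (it belongs before miniflux). Also, the comment reads "auto-create datases" (should be "databases"), and this section defines no root password variable even though the backup_borg section reads one from it (spelled `mariadb_root_passsword` there); worth double-checking the role's variable name so the two agree.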
@ -1462,6 +1925,62 @@ postgis_managed_databases_auto: |
########################################################################
# #
# prometheus_postgres_exporter #
# #
########################################################################
prometheus_postgres_exporter_enabled: false
prometheus_postgres_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-postgres-exporter"
prometheus_postgres_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometheus-postgres-exporter"
prometheus_postgres_exporter_uid: "{{ mash_playbook_uid }}"
prometheus_postgres_exporter_gid: "{{ mash_playbook_gid }}"
prometheus_postgres_exporter_basicauth_enabled: "{{ prometheus_postgres_exporter_container_labels_traefik_enabled }}"
prometheus_postgres_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'prometheus-postgres-exporter.user', rounds=655555) | to_uuid }}"
prometheus_postgres_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'prometheus-postgres-exporter.password', rounds=655555) | to_uuid }}"
prometheus_postgres_exporter_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([devture_postgres_container_network] if devture_postgres_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_identifier and prometheus_postgres_exporter_container_network != devture_postgres_container_network else [])
}}
prometheus_postgres_exporter_server_fqn: "{{ prometheus_postgres_exporter_hostname }}"
# Only enable Traefik labels if a hostname is set (indicating that this will be exposed publicly)
prometheus_postgres_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled and prometheus_postgres_exporter_hostname | length > 0 }}"
prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
prometheus_postgres_exporter_database_username: prometheus_postgres_exporter
prometheus_postgres_exporter_database_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}"
prometheus_postgres_exporter_database_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}"
prometheus_postgres_exporter_database_ssl: false
prometheus_postgres_exporter_systemd_required_services_list: |
{{
['docker.service']
+
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
}}
########################################################################
# #
# /prometheus_node_exporter #
# #
########################################################################
########################################################################
# #
# prometheus #
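Review bot: `prometheus_postgres_exporter_database_password` reuses `devture_postgres_connection_password`, i.e. the managed-databases entry creates the dedicated `prometheus_postgres_exporter` user with the same secret as the Postgres superuser connection; a monitoring account should not carry that credential. Derive a distinct one with the same `password_hash('sha512', ..., rounds=655555) | to_uuid` pattern used two lines above for the basic-auth user and password. Separately, the closing banner of this section says `/prometheus_node_exporter` instead of `/prometheus_postgres_exporter`.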
@ -1816,6 +2335,39 @@ uptime_kuma_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certR
########################################################################
# #
# wg-easy #
# #
########################################################################
wg_easy_enabled: false
wg_easy_identifier: "{{ mash_playbook_service_identifier_prefix }}wg-easy"
wg_easy_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}wg-easy"
wg_easy_uid: "{{ mash_playbook_uid }}"
wg_easy_gid: "{{ mash_playbook_gid }}"
wg_easy_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
wg_easy_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
wg_easy_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
wg_easy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
wg_easy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /wg-easy #
# #
########################################################################
########################################################################
# #
# woodpecker-ci-server #
@ -1906,52 +2458,3 @@ devture_woodpecker_ci_agent_config_agent_secret: "{{ devture_woodpecker_ci_serve
# #
########################################################################
########################################################################
# #
# jitsi #
# #
########################################################################
jitsi_enabled: false
jitsi_architecture: "{{ mash_playbook_architecture }}"
jitsi_identifier: "{{ mash_playbook_service_identifier_prefix }}jitsi"
jitsi_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}jitsi"
jitsi_uid: "{{ mash_playbook_uid }}"
jitsi_gid: "{{ mash_playbook_gid }}"
jitsi_web_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
jitsi_prosody_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
jitsi_jvb_container_additional_networks_auto: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
jitsi_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
jitsi_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
jitsi_jibri_xmpp_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
jitsi_jicofo_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
jitsi_jvb_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}"
########################################################################
# #
# /jitsi #
# #
########################################################################
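Review bot: the jitsi block removed here is line for line identical to the one added earlier in this commit between the hubsite and keycloak sections, so this hunk is a pure relocation into alphabetical order with no configuration change. Nothing to fix; noting it so the move is not mistaken for a removal.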

View file

@ -1,14 +1,24 @@
---
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-adguard-home.git
version: v0.107.26-1
name: adguard_home
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git
version: v1.9.20.4-0
name: appsmith
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
version: v2023.5.2-1
name: authentik
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
version: v1.0.0-0
version: v1.0.0-1
name: aux
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
version: v1.2.4-1.7.13-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
version: v22.05.12.1.1-1
version: v22.05.13.1.1-0
name: collabora_online
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-1
version: v0.1.1-2
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
version: 129c8590e106b83e6f4c259649a613c6279e937a
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
@ -18,63 +28,75 @@
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
version: 38764398bf82b06a1736c3bfedc71dfd229e4b52
version: v15.3-0
- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
version: 8e9ec48a09284c84704d7a2dce17da35f181574d
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: 327d2e17f5189ac2480d6012f58cf64a2b46efba
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
version: v1.0.0-1
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: 3d5bb2976815958cdce3f368fa34fb51554f899b
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.9.9-0
version: v2.10.1-0
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
version: v0.15.7-1
version: v0.15.8-0
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
version: v0.15.7-3
version: v0.15.8-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git
version: v2.8.1-1
name: docker_registry
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-browser.git
version: v1.6.0-0
version: v1.6.1-0
name: docker_registry_browser
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-purger.git
version: v1.0.0-0
name: docker_registry_purger
- src: git+https://gitlab.com/etke.cc/roles/fail2ban.git
version: 09886730e8d3c061f22d1da4a542899063f97f0a
- src: git+https://github.com/moan0s/role-firezone.git
version: v0.7.25-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-firezone.git
version: v0.7.30-0
name: firezone
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-focalboard.git
version: v7.9.3-1
version: v7.9.3-2
name: focalboard
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-funkwhale.git
version: v1.3.0-rc5-3
version: v1.3.0-rc6-0
name: funkwhale
- src: git+https://github.com/geerlingguy/ansible-role-docker
version: 6.1.0
name: geerlingguy.docker
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
version: v1.19.0-1
version: v1.19.3-0
name: gitea
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git
version: v0.7.1-0
version: v0.9.0-0
name: gotosocial
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
version: v9.4.7-1
version: v9.5.2-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git
version: v2.8.1-0
name: healthchecks
- src: git+https://github.com/moan0s/hubsite.git
version: v1.23.3-1
version: v1.23.3-2
name: hubsite
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v8319-6
version: v8615-0
name: jitsi
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git
version: v21.0.2-0
version: v21.1.1-0
name: keycloak
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
version: v0.34.0-0
name: lago
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git
version: v10.11.2-0
name: mariadb
- src: git+https://gitlab.com/etke.cc/roles/miniflux.git
version: v2.0.43-2
version: v2.0.44-0
- src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git
version: v0.0.0-9
name: mrs
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git
version: v0.49.3-2
name: navidrome
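Review bot: the firezone dependency changes origin, from git+https://github.com/moan0s/role-firezone.git (v0.7.25-0) to git+https://github.com/mother-of-all-self-hosting/ansible-role-firezone.git (v0.7.30-0); a relocated dependency source is a supply-chain change that deserves its own CHANGELOG line, and the new tag should be checked against the expected upstream Firezone release before merging. The postgres role also moves from the commit pin 38764398bf82b06a1736c3bfedc71dfd229e4b52 to the tag v15.3-0; confirm whether this is a PostgreSQL major-version jump for existing deployments, since that needs the role's upgrade path rather than a plain image bump. Minor style point: systemd_service_manager and timesync switch from commit hashes to tags here while docker_sdk_for_python, playbook_state_preserver, postgres_backup and systemd_docker_base stay on commit hashes; consistent tag pinning makes version review easier.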
@ -82,23 +104,26 @@
version: v3.4.7-2.5.2-2
name: netbox
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git
version: v26.0.0-4
version: v26.0.1-0
name: nextcloud
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-owncast.git
version: v0.0.13-0
version: v0.1.0-0
name: owncast
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git
version: v5.1.0-3
name: peertube
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
version: v2.43.0-0
version: v2.44.0-0
name: prometheus
- src: git+https://gitlab.com/etke.cc/roles/prometheus_blackbox_exporter.git
version: v0.23.0-3
version: v0.24.0-0
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
version: v1.5.0-7
version: v1.6.0-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
version: v0.12.0-0
name: prometheus_postgres_exporter
- src: git+https://gitlab.com/etke.cc/roles/radicale.git
version: v3.1.8.1-2
version: v3.1.8.2-3
- src: git+https://gitlab.com/etke.cc/roles/redis.git
version: v7.0.10-0
- src: git+https://gitlab.com/etke.cc/roles/redmine.git
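Review bot: the new prometheus_postgres_exporter entry (v0.12.0-0) introduces a component that reads the database server's statistics views; confirm that the corresponding group_vars wiring gives it a dedicated, read-only database role rather than reusing the playbook's administrative Postgres credentials, and that the metrics endpoint is not exposed through the reverse proxy without authentication. The version bumps in this hunk (nextcloud v26.0.1-0, owncast v0.1.0-0, prometheus v2.44.0-0, blackbox v0.24.0-0, node_exporter v1.6.0-0, radicale v3.1.8.2-3) look routine.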
@ -110,10 +135,13 @@
- src: git+https://gitlab.com/etke.cc/roles/swap.git
version: abfb18b6862108bbf24347500446203170324d7f
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-syncthing.git
version: v1.23.3-0
version: v1.23.4-1
name: syncthing
- src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
version: v1.21.2-0
version: v1.21.3-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
version: v1.28.1-0
name: vaultwarden
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-wg-easy.git
version: v7-0
name: wg_easy

View file

@ -56,6 +56,12 @@
- role: galaxy/adguard_home
- role: galaxy/appsmith
- role: galaxy/authentik
- role: galaxy/backup_borg
- role: galaxy/collabora_online
- role: galaxy/docker_registry
@ -74,14 +80,22 @@
- role: galaxy/grafana
- role: galaxy/mariadb
- role: galaxy/miniflux
- role: galaxy/mrs
- role: galaxy/healthchecks
- role: galaxy/hubsite
- role: galaxy/jitsi
- role: galaxy/keycloak
- role: galaxy/lago
- role: galaxy/mobilizon
- role: galaxy/navidrome
@ -99,6 +113,7 @@
- role: galaxy/prometheus
- role: galaxy/prometheus_node_exporter
- role: galaxy/prometheus_blackbox_exporter
- role: galaxy/prometheus_postgres_exporter
- role: galaxy/radicale
@ -114,6 +129,8 @@
- role: galaxy/uptime_kuma
- role: galaxy/wg_easy
- role: galaxy/com.devture.ansible.role.woodpecker_ci_server
- role: galaxy/com.devture.ansible.role.woodpecker_ci_agent