From 9d349185a0536ffc769cfe357d7a7961bf5ca54a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 6 Apr 2023 08:44:30 +0300 Subject: [PATCH 001/122] Upgrade Syncthing (v1.23.3-0 -> v1.23.4-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 32c277a..8f7f858 100644 --- a/requirements.yml +++ b/requirements.yml @@ -110,7 +110,7 @@ - src: git+https://gitlab.com/etke.cc/roles/swap.git version: abfb18b6862108bbf24347500446203170324d7f - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-syncthing.git - version: v1.23.3-0 + version: v1.23.4-0 name: syncthing - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git version: v1.21.2-0 From b3f6decd93c9b9c11e4d661bf03276d5974f54c7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 7 Apr 2023 08:11:02 +0300 Subject: [PATCH 002/122] Upgrade Traefik (2.9.9 -> 2.9.10) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8f7f858..47f9b3f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.9-0 + version: v2.9.10-0 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git version: v0.15.7-1 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git From 1e985ffbb73100ac858380559ea8eed37cf3b857 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 8 Apr 2023 09:09:46 +0300 Subject: [PATCH 003/122] Minor Postgres docs updates --- docs/services/postgres.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/services/postgres.md b/docs/services/postgres.md index d94e74f..72ea566 100644 --- a/docs/services/postgres.md 
+++ b/docs/services/postgres.md @@ -4,7 +4,7 @@ Many of the services installed by this playbook require a Postgres database. -Enabling the Postgres database service will automatically wire all other services to use it. +Enabling the Postgres database service will automatically wire all other services which require such a database to use it. ## Configuration @@ -45,7 +45,7 @@ Importing multiple databases (as dumped by `pg_dumpall`) is also supported. Before doing the actual import, **you need to upload your Postgres dump file to the server** (any path is okay). -### Importing +### Importing a dump file To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server): From 83463c9f279a685974e9bac17b80817b9d13da53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 9 Apr 2023 20:42:01 +0200 Subject: [PATCH 004/122] Bump GoToSocial version to 0.8.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 47f9b3f..98f070b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -60,7 +60,7 @@ version: v1.19.0-1 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git - version: v0.7.1-0 + version: v0.8.0-0 name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 From 2403c17fbd09b07b13e08566dd6a71b802366376 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 10 Apr 2023 00:16:59 +0200 Subject: [PATCH 005/122] Add mail and user definded config options for GoToSocial --- docs/services/gotosocial.md | 7 +++++++ requirements.yml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/services/gotosocial.md b/docs/services/gotosocial.md index 3558709..c3371fc 100644 --- a/docs/services/gotosocial.md +++ b/docs/services/gotosocial.md 
@@ -29,6 +29,13 @@ gotosocial_hostname: 'social.example.org' # https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username # gotosocial_account_domain: "example.org" +# Uncomment and adjust the following lines to enable GTS to send emails (reports, notifications, password resets etc..) +# Check out https://docs.gotosocial.org/en/latest/configuration/smtp/ for a configuration reference +# gotosocial_smtp_host: 'smtp.example.org' +# gotosocial_smtp_username: ggotosocial@example.org +# gotosocial_smtp_password: yourpassword +# gotosocial_smtp_from: ggotosocial@example.org + ######################################################################## # # # /gotosocial # diff --git a/requirements.yml b/requirements.yml index 98f070b..ce4d4c3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -60,7 +60,7 @@ version: v1.19.0-1 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git - version: v0.8.0-0 + version: v0.8.0-1 name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 From 7f2159d542ec97bc81ccd38b8fde5f80b5ffd97d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 10 Apr 2023 08:05:40 +0200 Subject: [PATCH 006/122] Move advanced configuration into seperate paragraph --- docs/services/gotosocial.md | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/docs/services/gotosocial.md b/docs/services/gotosocial.md index c3371fc..8690f52 100644 --- a/docs/services/gotosocial.md +++ b/docs/services/gotosocial.md 
@@ -21,21 +21,6 @@ gotosocial_enabled: true # Examples: ["gts.example.org","some.server.com"] gotosocial_hostname: 'social.example.org' -# Domain to use when federating profiles. It defaults to `gotosocial_hostname` but you can cange it when you want your server to be at -# eg., `gotosocial_hostname: gts.example.org`, but you want the domain on accounts to be "example.org" because it looks better -# or is just shorter/easier to remember. -# -# Please read the appropriate section of the installation guide before you go messing around with this setting: -# https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username -# gotosocial_account_domain: "example.org" - -# Uncomment and adjust the following lines to enable GTS to send emails (reports, notifications, password resets etc..) -# Check out https://docs.gotosocial.org/en/latest/configuration/smtp/ for a configuration reference -# gotosocial_smtp_host: 'smtp.example.org' -# gotosocial_smtp_username: ggotosocial@example.org -# gotosocial_smtp_password: yourpassword -# gotosocial_smtp_from: ggotosocial@example.org - ######################################################################## # # # /gotosocial # 
@@ -59,6 +44,26 @@ to demote a user from admin to normal user. Refer to the [great official documentation](https://docs.gotosocial.org/en/latest/) for more information on GoToSocial. +## Advanced configuration + +You can use the following variables in your `vars.yml` to further configure GoToSocial, e.g. enable e-mail notifications. + +``` +# Domain to use when federating profiles. It defaults to `gotosocial_hostname` but you can cange it when you want your server to be at +# eg., `gotosocial_hostname: gts.example.org`, but you want the domain on accounts to be "example.org" because it looks better +# or is just shorter/easier to remember. +# +# Please read the appropriate section of the installation guide before you go messing around with this setting: +# https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username +# gotosocial_account_domain: "example.org" + +# Uncomment and adjust the following lines to enable GTS to send emails (reports, notifications, password resets etc..) +# Check out https://docs.gotosocial.org/en/latest/configuration/smtp/ for a configuration reference +# gotosocial_smtp_host: 'smtp.example.org' +# gotosocial_smtp_username: gotosocial@example.org +# gotosocial_smtp_password: yourpassword +# gotosocial_smtp_from: gotosocial@example.org +``` ## Migrate an existing instance From 222f5b6a20be0bbd04a0ab69b5b203e3ab7223ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 10 Apr 2023 10:22:53 +0200 Subject: [PATCH 007/122] Restructure docs --- docs/services/gotosocial.md | 45 ++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/docs/services/gotosocial.md b/docs/services/gotosocial.md index 8690f52..fcd31ba 100644 --- a/docs/services/gotosocial.md +++ b/docs/services/gotosocial.md 
@@ -31,7 +31,31 @@ gotosocial_hostname: 'social.example.org' After installation, you can use `just run-tags gotosocial-add-user --extra-vars=username= --extra-vars=password= --extra-vars=email="` to create your a user. Change `--tags=gotosocial-add-user` to `--tags=gotosocial-add-admin` to create an admin account. -### Usage +## Advanced account domain configuration + +The account domain is the second part of a user handle in the Fediverse. If your handle is @username@example.org, `example.org` is your account domain. By default GoToSocial will use `gotosocial_hostname` that you provide as account domain e.g. `social.example.org`. You might want to change this by setting `gotosocial_account_domain` if you want the domain on accounts to be `example.org` because it looks better or is just shorter/easier to remember. + +**Warning** DO NOT change this change this after your server has already run once, or you will break things! + +If you decide to use this read [the appropriate section of the installation guide](https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username=) as you will have to do some additional work on the base domain. + +```yaml +gotosocial_account_domain: "example.org" +``` + +## E-Mail configuration + +You can use the following variables in your `vars.yml` to enable e-mail notifications. + +```yml +# Check out https://docs.gotosocial.org/en/latest/configuration/smtp/ for a configuration reference +gotosocial_smtp_host: 'smtp.example.org' +gotosocial_smtp_username: gotosocial@example.org +gotosocial_smtp_password: yourpassword +gotosocial_smtp_from: gotosocial@example.org +``` + +## Usage After [installing](../installing.md), you can visit at the URL specified in `gotosocial_hostname` and should see your instance. Start to customize it at `social.example.org/admin`. 
@@ -44,26 +68,7 @@ to demote a user from admin to normal user. Refer to the [great official documentation](https://docs.gotosocial.org/en/latest/) for more information on GoToSocial. -## Advanced configuration -You can use the following variables in your `vars.yml` to further configure GoToSocial, e.g. enable e-mail notifications. - -``` -# Domain to use when federating profiles. It defaults to `gotosocial_hostname` but you can cange it when you want your server to be at -# eg., `gotosocial_hostname: gts.example.org`, but you want the domain on accounts to be "example.org" because it looks better -# or is just shorter/easier to remember. -# -# Please read the appropriate section of the installation guide before you go messing around with this setting: -# https://docs.gotosocial.org/installation_guide/advanced/#can-i-host-my-instance-at-fediexampleorg-but-have-just-exampleorg-in-my-username -# gotosocial_account_domain: "example.org" - -# Uncomment and adjust the following lines to enable GTS to send emails (reports, notifications, password resets etc..) -# Check out https://docs.gotosocial.org/en/latest/configuration/smtp/ for a configuration reference -# gotosocial_smtp_host: 'smtp.example.org' -# gotosocial_smtp_username: gotosocial@example.org -# gotosocial_smtp_password: yourpassword -# gotosocial_smtp_from: gotosocial@example.org -``` ## Migrate an existing instance From 56ea8bc5ae2fb1f83ea2a76162a853abd88d6ff4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Apr 2023 13:44:48 +0300 Subject: [PATCH 008/122] Add MariaDB support --- docs/services/mariadb.md | 54 ++++++++++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + group_vars/mash_servers | 30 +++++++++++++++++++++ requirements.yml | 3 +++ setup.yml | 2 ++ 5 files changed, 90 insertions(+) create mode 100644 docs/services/mariadb.md diff --git a/docs/services/mariadb.md b/docs/services/mariadb.md new file mode 100644 index 0000000..0a467a6 --- /dev/null 
+++ b/docs/services/mariadb.md 
@@ -0,0 +1,54 @@ +# MariaDB + +[MariaDB](https://mariadb.org/) is a powerful, open source object-relational database system. + +Some of the services installed by this playbook require a MariaDB database. + +Enabling the MariaDB database service will automatically wire all other services which require such a database to use it. + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# mariadb # +# # +######################################################################## + +mariadb_enabled: true + +# Put a strong password below, generated with `pwgen -s 64 1` or in another way +mariadb_root_passsword: '' + +######################################################################## +# # +# /mariadb # +# # +######################################################################## +``` + +### Getting a database terminal + +You can use the `/mash/mariadb/bin/cli` tool to get interactive terminal access to the MariaDB server. + +To see the available databases, run `SHOW DATABASES`. + +To change to another existing database (for example `miniflux`), run `USE miniflux`. + +You can then proceed to write queries. Example: `SELECT COUNT(*) FROM users;` + +**Be careful**. Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption. +When in doubt, consider [making a backup](#backing-up-mariadb). + +## Upgrading MariaDB + +The major MariaDB version you start with (e.g. `10.10` or `10.11`) will be kept until you manually upgrade it. The playbook will stick to this major version and only do minor version upgrades (e.g. `10.10.1` -> `10.10.3`). + +For now, there's no automatic upgrade path between major MariaDB versions, but support for upgrading will be added in the future. 
+ +## Backing up MariaDB + +A `/mash/mariadb/bin/dump-all` script will be installed, which can dump the database to a path of your choosing. diff --git a/docs/supported-services.md b/docs/supported-services.md index fb04e46..15abd77 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -18,6 +18,7 @@ | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) | | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) | | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) | +| [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) | | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) | | [Navidrome](https://www.navidrome.org/) | [Subsonic-API](http://www.subsonic.org/pages/api.jsp) compatible music server | [Link](services/navidrome.md) | [NetBox](https://docs.netbox.dev/en/stable/) | Web application that provides [IP address management (IPAM)](https://en.wikipedia.org/wiki/IP_address_management) and [data center infrastructure management (DCIM)](https://en.wikipedia.org/wiki/Data_center_management#Data_center_infrastructure_management) functionality | [Link](services/netbox.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 7fa2863..c603624 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -121,6 +121,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (nextcloud_identifier + '-cron.timer'), 'priority': 2500, 'groups': ['mash', 'nextcloud', 'nextcloud-cron']}] if nextcloud_enabled else []) + + ([{'name': (mariadb_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'mariadb']}] if mariadb_enabled else []) + + ([{'name': (owncast_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'owncast']}] if owncast_enabled else []) + ([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else []) @@ -1292,6 +1294,34 @@ netbox_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | +######################################################################## +# # +# mariadb # +# # +######################################################################## + +mariadb_enabled: false + +mariadb_identifier: "{{ mash_playbook_service_identifier_prefix }}mariadb" + +mariadb_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mariadb" + +mariadb_uid: "{{ mash_playbook_uid }}" +mariadb_gid: "{{ mash_playbook_gid }}" + +# This will be extended in the future, to auto-create datases for services +# which depend on MariaDB. +# See `devture_postgres_managed_databases_auto` +mariadb_managed_databases_auto: [] + +######################################################################## +# # +# /mariadb # +# # +######################################################################## + + + ######################################################################## # # # owncast # diff --git a/requirements.yml b/requirements.yml index ce4d4c3..118fdf8 100644 --- a/requirements.yml +++ b/requirements.yml 
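Review bot: No root-password default is defined in the new `mariadb` block of group_vars/mash_servers (identifier, paths, uid/gid and `mariadb_managed_databases_auto` only), so the only place the password is named in this commit is the docs hunk, which spells it `mariadb_root_passsword` (three s's). If the role's variable is `mariadb_root_password`, Ansible accepts the misspelt key as an unrelated extra variable and the role's own default is used silently, which is exactly the failure a user copying the docs would not notice. The context above this hunk shows the playbook's pattern for such secrets (`netbox_database_password` derived from `mash_playbook_generic_secret_key`); a matching default here, e.g. `mariadb_root_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'mariadb.root', rounds=655555) | to_uuid }}"` (salt value illustrative), plus the spelling fix in the docs, would close the gap. The role's actual variable name is not visible here, so confirm it against the role's defaults before adopting either.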
@@ -84,6 +84,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git version: v26.0.0-4 name: nextcloud +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git + version: v10.11.2-0 + name: mariadb - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-owncast.git version: v0.0.13-0 name: owncast diff --git a/setup.yml b/setup.yml index 0cfdb1d..5d141df 100644 --- a/setup.yml +++ b/setup.yml @@ -74,6 +74,8 @@ - role: galaxy/grafana + - role: galaxy/mariadb + - role: galaxy/miniflux - role: galaxy/hubsite From 929f1ccb502417bb7a344b30f5b7361ae8d47c25 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Apr 2023 14:51:40 +0300 Subject: [PATCH 009/122] Remove empty line --- docs/services/netbox.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/services/netbox.md b/docs/services/netbox.md index 7fa40e1..c07bf23 100644 --- a/docs/services/netbox.md +++ b/docs/services/netbox.md @@ -213,7 +213,6 @@ You can use the configuration in the [Keycloak section](#keycloak) as a template To integrate with [Keycloak](keycloak.md) use the following **additional** configuration: ```yaml - netbox_environment_variables_additional_variables: | REMOTE_AUTH_ENABLED=True REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2 From a780d2815b61252400b24b7202bf591606826a6c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 Apr 2023 15:21:40 +0300 Subject: [PATCH 010/122] Fix NetBox documentation inaccuracies --- docs/services/netbox.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/services/netbox.md b/docs/services/netbox.md index c07bf23..7e761c8 100644 --- a/docs/services/netbox.md +++ b/docs/services/netbox.md 
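Review bot: The new `ansible-role-mariadb` entry is pinned to the tag `v10.11.2-0`, whereas the `swap` role earlier in the same file is pinned to a full commit SHA (`abfb18b6…`). A tag can be moved or re-pushed by anyone with write access to the upstream repository, so a tag pin gives neither a reproducible checkout nor protection against a compromised upstream; the `ansible-role-healthchecks` entry added in the later hunk of this file has the same property. Recording the resolved commit (as the `version:` value, or at least in a comment beside the tag) is the cheaper mitigation. Whether the project deliberately prefers tags for readability is not visible here.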
@@ -95,7 +95,8 @@ redis_enabled: true # Base configuration as shown above # Point NetBox to the shared Redis instance -netbox_config_redis_hostname: "{{ redis_identifier }}" +netbox_environment_variable_redis_host: "{{ redis_identifier }}" +netbox_environment_variable_redis_cache_host: "{{ redis_identifier }}" # Make sure the NetBox service (mash-netbox.service) starts after the shared Redis service (mash-redis.service) netbox_systemd_required_services_list_custom: @@ -217,6 +218,10 @@ netbox_environment_variables_additional_variables: | REMOTE_AUTH_ENABLED=True REMOTE_AUTH_BACKEND=social_core.backends.keycloak.KeycloakOAuth2 + # Space-separated names of groups that new users will be assigned to. + # These groups must be created manually (from the Admin panel's Groups section) before use. + REMOTE_AUTH_DEFAULT_GROUPS= + netbox_configuration_extra_python: | # These need to match your Client app information in Keycloak. See below SOCIAL_AUTH_KEYCLOAK_KEY = '' 
@@ -238,14 +243,17 @@ netbox_configuration_extra_python: | The Client app needs to be created and configured in a special way on the Keycloak side by: - activating **Client authentication** +- **Valid redirect URIs**: `https://NETBOX_URL/oauth/complete/keycloak/` +- **Web origins**: `https://NETBOX_URL/` - in **Advanced**, changing the following settings: - **Request object signature algorithm** = `RS256` - - **Request object signature algorithm** = `RS256` -- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and add a new mapper with the following settings: + - **User info signed response algorithm** = `RS256` +- in **Client scopes** (for this Client app via the **Client scopes** tab, not for all apps via the left-most menu), configure the `*-dedicated` scope (e.g. `netbox-dedicated` if you named your Client app `netbox`) and in the **Mappers** tab, click **Configure a new mapper** add a new **Audience** mapper with the following settings: - **Name** = anything you like (e.g. `netbox-audience`) - **Included Client Audience** = the key of this Client app (e.g. `netbox`) - **Add to access token** = On +For additional environment variables controlling groups and permissions for new users (like `REMOTE_AUTH_DEFAULT_GROUPS`), see the NetBox documentation for [Remote Authentication](https://docs.netbox.dev/en/stable/configuration/remote-authentication/). ## Installation From e49f33678f473c0a08b578dd3666ad272131599d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Apr 2023 16:23:04 +0300 Subject: [PATCH 011/122] Reorder some services alphabetically --- group_vars/mash_servers | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index c603624..00de73b 100644 --- a/group_vars/mash_servers 
+++ b/group_vars/mash_servers @@ -105,6 +105,16 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (grafana_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'grafana']}] if grafana_enabled else []) + + ([{'name': (hubsite_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'hubsite']}] if hubsite_enabled else []) + + + ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else []) + + + ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else []) + + + ([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else []) + + + ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) + + ([{'name': (keycloak_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'keycloak']}] if keycloak_enabled else []) + ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else []) 
@@ -148,16 +158,6 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': (vaultwarden_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}] if vaultwarden_enabled else []) + ([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else []) - + - ([{'name': (hubsite_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'hubsite']}] if hubsite_enabled else []) - + - ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else []) - + - ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else []) - + - ([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else []) - + - ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['mash', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else []) }} ######################################################################## From 46d71ca09662a516f71302c7338d859b87dd3bf9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Apr 2023 17:39:02 +0300 Subject: [PATCH 012/122] Add Healthecks support --- docs/services/healthchecks.md | 89 +++++++++++++++++++++++++++++++++++ docs/services/prometheus.md | 3 +- docs/supported-services.md | 1 + group_vars/mash_servers | 55 ++++++++++++++++++++++ requirements.yml | 11 +++-- setup.yml | 2 + 6 files changed, 157 insertions(+), 4 deletions(-) create mode 100644 docs/services/healthchecks.md diff --git a/docs/services/healthchecks.md b/docs/services/healthchecks.md new file mode 100644 index 0000000..3386a4b --- /dev/null +++ b/docs/services/healthchecks.md 
@@ -0,0 +1,89 @@ +# Healthchecks + +[Healthchecks](https://healthchecks.io/) is simple and Effective **Cron Job Monitoring** solution. + + +## Dependencies + +This service requires the following other services: + +- a [Postgres](postgres.md) database +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# healthchecks # +# # +######################################################################## + +healthchecks_enabled: true + +healthchecks_hostname: mash.example.com +# Note: hosting under a path prefix is somewhat problematic. See below. +healthchecks_path_prefix: /healthchecks + +######################################################################## +# # +# /healthchecks # +# # +######################################################################## +``` + +### URL + +In the example configuration above, we configure the service to be hosted at `https://mash.example.com/healthchecks`. + +You can remove the `healthchecks_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`. + +**Note**: there are minor quirks when hosting under a subpath, such as: + +- Fonts not loading, because it attempts to load them from `/static` instead of `/path-prefix/static` + +### Authentication + +The first superuser account is created after installation. See [Usage](#usage). +You can create as many accounts as you wish. 
+ +### Email integration + +To allow Healthchecks to send emails, add the following **additional** configuration: + +```yaml +healthchecks_environment_variables_additional_variables: | + DEFAULT_FROM_EMAIL=healthchecks@example.com + EMAIL_HOST=smtp.example.com + EMAIL_HOST_PASSWORD= + EMAIL_HOST_USER= + EMAIL_PORT=587 + EMAIL_USE_TLS=True + EMAIL_USE_VERIFICATION=True +``` + +### Integrating with other services + +Refer to the [upstream `.env.example` file](https://github.com/healthchecks/healthchecks/blob/master/docker/.env.example) for discovering additional environment variables. + +You can pass these to the Healthchecks container using the `healthchecks_environment_variables_additional_variables` variable. See [Email integration](#email-integration) for an example. + + +## Usage + +After installation, you need to **create a superuser account**. +This is an interactive process which can be initiated by **SSH-ing into into the server** and **running a command** like this: + +```sh +docker exec -it mash-healthchecks /opt/healthchecks/manage.py createsuperuser +``` + +After creating the superuser account, you can go to the [Healthchecks URL](#url) to log in and start setting up healthchecks. + + +## Recommended other services + +- [Prometheus](prometheus.md) - a metrics collection and alerting monitoring solution diff --git a/docs/services/prometheus.md b/docs/services/prometheus.md index b890246..1e9bfa2 100644 --- a/docs/services/prometheus.md +++ b/docs/services/prometheus.md @@ -74,4 +74,5 @@ If you're scraping others services running in containers over the container netw ## Recommended other services -To visualize your Prometheus metrics (time-series), you may wish to use a tool like [Grafana](grafana.md). +- [Grafana](grafana.md) - a web-based tool for visualizing your Prometheus metrics (time-series) +- [Healthchecks](healthchecks.md) - a simple and Effective Cron Job Monitoring solution 
diff --git a/docs/supported-services.md b/docs/supported-services.md index 15abd77..7957037 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -15,6 +15,7 @@ | [Gitea](https://gitea.io/) | A painless self-hosted [Git](https://git-scm.com/) service. | [Link](services/gitea.md) | | [GoToSocial](https://gotosocial.org/) | A self-hosted [ActivityPub](https://activitypub.rocks/) social network server | [Link](services/gotosocial.md) | | [Grafana](https://grafana.com/) | An open and composable observability and data visualization platform, often used with [Prometheus](services/prometheus.md) | [Link](services/grafana.md) | +| [Healthchecks](https://healthchecks.io/) | A simple and Effective Cron Job Monitoring solution | [Link](services/healthchecks.md) | | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) | | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) | | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 00de73b..4697826 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -107,6 +107,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (hubsite_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'hubsite']}] if hubsite_enabled else []) + + ([{'name': (healthchecks_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'healthchecks']}] if healthchecks_enabled else []) + + ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else []) + ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else []) 
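Review bot: `healthchecks_identifier` is inserted after `hubsite_identifier` in `devture_systemd_service_manager_services_list_auto`, which breaks the alphabetical order the immediately preceding commit ("Reorder some services alphabetically") established, since `healthchecks` sorts before `hubsite`. The requirements.yml hunk in this same commit places healthchecks correctly between grafana and hubsite, so the two files now disagree. Moving the two added lines (the `+` joiner and the `([{'name': (healthchecks_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'healthchecks']}] if healthchecks_enabled else [])` entry) one slot up restores the order. The enclosing Jinja expression starts and ends outside the hunk.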
@@ -212,6 +214,12 @@ devture_postgres_managed_databases_auto: | 'password': gitea_config_database_password, }] if gitea_enabled else []) + + ([{ + 'name': healthchecks_database_name, + 'username': healthchecks_database_username, + 'password': healthchecks_database_password, + }] if healthchecks_enabled and healthchecks_database_hostname == devture_postgres_identifier else []) + + ([{ 'name': devture_woodpecker_ci_server_database_datasource_db_name, 'username': devture_woodpecker_ci_server_database_datasource_username, 
@@ -886,6 +894,53 @@ grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResol +######################################################################## +# # +# healthchecks # +# # +######################################################################## + +healthchecks_enabled: false + +healthchecks_identifier: "{{ mash_playbook_service_identifier_prefix }}healthchecks" + +healthchecks_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}healthchecks" + +healthchecks_uid: "{{ mash_playbook_uid }}" +healthchecks_gid: "{{ mash_playbook_gid }}" + +healthchecks_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and healthchecks_database_hostname == devture_postgres_identifier else []) + }} + +healthchecks_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and healthchecks_database_hostname == devture_postgres_identifier and healthchecks_container_network != devture_postgres_container_network else []) + }} + +healthchecks_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +healthchecks_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +healthchecks_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +healthchecks_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +healthchecks_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +healthchecks_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'healthchecks.db', rounds=655555) | to_uuid }}" + 
+healthchecks_environment_variable_secret_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'healthchecks', rounds=655555) | to_uuid }}" + +######################################################################## +# # +# /healthchecks # +# # +######################################################################## + + + ######################################################################## # # # hubsite # diff --git a/requirements.yml b/requirements.yml index 118fdf8..3686610 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,3 +1,5 @@ +--- + - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-adguard-home.git version: v0.107.26-1 name: adguard_home @@ -64,6 +66,9 @@ name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git + version: v2.8-0 + name: healthchecks - src: git+https://github.com/moan0s/hubsite.git version: v1.23.3-1 name: hubsite @@ -73,6 +78,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git version: v21.0.2-0 name: keycloak +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git + version: v10.11.2-0 + name: mariadb - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git @@ -84,9 +92,6 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git version: v26.0.0-4 name: nextcloud -- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git - version: v10.11.2-0 - name: mariadb - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-owncast.git version: v0.0.13-0 name: owncast diff --git a/setup.yml b/setup.yml index 5d141df..b1f2bb6 100644 --- a/setup.yml +++ b/setup.yml 
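Review bot: `healthchecks_database_hostname` is defined from `devture_postgres_connection_hostname`, yet every condition that depends on it — the managed-database entry in the earlier `devture_postgres_managed_databases_auto` hunk, and `healthchecks_systemd_required_services_list` and `healthchecks_container_additional_networks` in this hunk — compares it against `devture_postgres_identifier`. The two variables may well resolve to the same value in this playbook, but that is not visible here; if they ever differ, the database is silently never created, the Postgres unit is not ordered before Healthchecks and the container is not attached to the Postgres network, while the role still tries to connect. The Lago block added later in this series keys its hostname off the identifier directly; the same form here, `healthchecks_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"`, keeps the definition and its comparisons on one variable.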
@@ -78,6 +78,8 @@ - role: galaxy/miniflux + - role: galaxy/healthchecks + - role: galaxy/hubsite - role: galaxy/jitsi From e9c77736809c3e6a731539841ac345f4c91135f1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Apr 2023 17:50:40 +0300 Subject: [PATCH 013/122] Link to upstream Healthchecks issue --- docs/services/healthchecks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/services/healthchecks.md b/docs/services/healthchecks.md index 3386a4b..746a807 100644 --- a/docs/services/healthchecks.md +++ b/docs/services/healthchecks.md @@ -43,7 +43,7 @@ You can remove the `healthchecks_path_prefix` variable definition, to make it de **Note**: there are minor quirks when hosting under a subpath, such as: -- Fonts not loading, because it attempts to load them from `/static` instead of `/path-prefix/static` +- [Fonts not loading, because it attempts to load them from `/static` instead of `/path-prefix/static`](https://github.com/healthchecks/healthchecks/issues/822) ### Authentication From 9efc001d8005a1c99ae23e8da057f7dfcc655dac Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Apr 2023 19:32:13 +0300 Subject: [PATCH 014/122] Upgrade Healthchecks (v2.8-0 -> v2.8-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3686610..9121c57 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git - version: v2.8-0 + version: v2.8-1 name: healthchecks - src: git+https://github.com/moan0s/hubsite.git version: v1.23.3-1 From ec80e34f695f280232e6bc5560fce359b25bf8e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 12 Apr 2023 09:47:22 +0300 Subject: [PATCH 015/122] Upgrade Healthchecks (v2.8-1 -> v2.8.1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index 9121c57..a46ac85 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git - version: v2.8-1 + version: v2.8.1-0 name: healthchecks - src: git+https://github.com/moan0s/hubsite.git version: v1.23.3-1 From 6664b2dc95d55f8e8e9ecf1bbaf095550e529a55 Mon Sep 17 00:00:00 2001 From: Aine Date: Wed, 12 Apr 2023 13:49:51 +0300 Subject: [PATCH 016/122] add Matrix Rooms Search API --- docs/services/mrs.md | 48 ++++++++++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + group_vars/mash_servers | 36 ++++++++++++++++++++++++++++ requirements.yml | 3 +++ setup.yml | 2 ++ 5 files changed, 90 insertions(+) create mode 100644 docs/services/mrs.md diff --git a/docs/services/mrs.md b/docs/services/mrs.md new file mode 100644 index 0000000..80a6c24 --- /dev/null +++ b/docs/services/mrs.md 
@@ -0,0 +1,48 @@ +# Matrix Rooms Search API + +[Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) is a fully-featured, standalone, matrix rooms search service. + +## Dependencies + +This service requires the following other services: + +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# mrs # +# # +######################################################################## + +mrs_enabled: true +mrs_hostname: mrs.example.com + +mrs_admin_login: admin +mrs_admin_password: changeme +mrs_admin_ips: + - 123.123.123.123 + +mrs_servers: + - matrix.org + +######################################################################## +# # +# /mrs # +# # +######################################################################## +``` + +In the example configuration above, we configure the service to be hosted at `https://mrs.example.com`. + + +## Usage + +After installation, call the `https://mrs.example.com/-/full` endpoint using admin credentials to discover and parse content + +[API documentation](https://gitlab.com/etke.cc/mrs/api/-/blob/main/openapi.yml) diff --git a/docs/supported-services.md b/docs/supported-services.md index 7957037..080c852 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md 
@@ -20,6 +20,7 @@ | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) | | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) | | [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) | +| [Matrix Rooms Search API](https://gitlab.com/etke.cc/mrs/api) | A fully-featured, standalone, matrix rooms search service. | [Link](services/mrs.md) | | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) | | [Navidrome](https://www.navidrome.org/) | [Subsonic-API](http://www.subsonic.org/pages/api.jsp) compatible music server | [Link](services/navidrome.md) | [NetBox](https://docs.netbox.dev/en/stable/) | Web application that provides [IP address management (IPAM)](https://en.wikipedia.org/wiki/IP_address_management) and [data center infrastructure management (DCIM)](https://en.wikipedia.org/wiki/Data_center_management#Data_center_infrastructure_management) functionality | [Link](services/netbox.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 4697826..1ff4301 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -121,6 +121,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else []) + + ([{'name': (mrs_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mrs']}] if mrs_enabled else []) + + ([{'name': (navidrome_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'navidrome']}] if navidrome_enabled else []) + ([{'name': (netbox_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'netbox', 'netbox-server']}] if netbox_enabled else []) 
@@ -1223,6 +1225,40 @@ miniflux_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) + +######################################################################## +# # +# mrs # +# # +######################################################################## + +mrs_enabled: false + +mrs_identifier: "{{ mash_playbook_service_identifier_prefix }}mrs" + +mrs_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mrs" + +mrs_uid: "{{ mash_playbook_uid }}" +mrs_gid: "{{ mash_playbook_gid }}" + +mrs_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +mrs_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +mrs_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +mrs_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +mrs_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /mrs # +# # +######################################################################## + + + ######################################################################## # # # navidrome # diff --git a/requirements.yml b/requirements.yml index a46ac85..4fcd30e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -83,6 +83,9 @@ name: mariadb - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 +- src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git + version: v0.0.0-0 + name: mrs - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git version: v0.49.3-2 name: navidrome diff --git a/setup.yml b/setup.yml index b1f2bb6..470445a 100644 --- a/setup.yml +++ b/setup.yml 
@@ -78,6 +78,8 @@ - role: galaxy/miniflux + - role: galaxy/mrs + - role: galaxy/healthchecks - role: galaxy/hubsite From 5eaaec4542ed6cb35dc425cf7167e8672c59fe81 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 12 Apr 2023 14:29:11 +0300 Subject: [PATCH 017/122] Update mrs.md --- docs/services/mrs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/services/mrs.md b/docs/services/mrs.md index 80a6c24..5137a6c 100644 --- a/docs/services/mrs.md +++ b/docs/services/mrs.md @@ -1,6 +1,6 @@ # Matrix Rooms Search API -[Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) is a fully-featured, standalone, matrix rooms search service. +[Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) is a fully-featured, standalone, [Matrix](https://matrix.org/) rooms search service. ## Dependencies @@ -26,10 +26,10 @@ mrs_hostname: mrs.example.com mrs_admin_login: admin mrs_admin_password: changeme mrs_admin_ips: - - 123.123.123.123 + - 123.123.123.123 mrs_servers: - - matrix.org + - matrix.org ######################################################################## # # @@ -43,6 +43,6 @@ In the example configuration above, we configure the service to be hosted at `ht ## Usage -After installation, call the `https://mrs.example.com/-/full` endpoint using admin credentials to discover and parse content +After installation, call the `https://mrs.example.com/-/full` endpoint using admin credentials (see the `mrs_admin_*` variables) to discover and parse content. -[API documentation](https://gitlab.com/etke.cc/mrs/api/-/blob/main/openapi.yml) +To see the list of supported public and private APIs, see the [API documentation](https://gitlab.com/etke.cc/mrs/api/-/blob/main/openapi.yml). From eb8586ed105686a8d4514af3a8cf5a03dd02be8b Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 12 Apr 2023 16:09:59 +0300 Subject: [PATCH 018/122] Relocate Jitsi section in group vars (alphabetically) --- group_vars/mash_servers | 98 ++++++++++++++++++++--------------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 1ff4301..75e7964 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -1136,6 +1136,55 @@ hubsite_service_list_auto: | +######################################################################## +# # +# jitsi # +# # +######################################################################## + +jitsi_enabled: false + +jitsi_architecture: "{{ mash_playbook_architecture }}" + +jitsi_identifier: "{{ mash_playbook_service_identifier_prefix }}jitsi" + +jitsi_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}jitsi" + +jitsi_uid: "{{ mash_playbook_uid }}" +jitsi_gid: "{{ mash_playbook_gid }}" + +jitsi_web_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +jitsi_prosody_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +jitsi_jvb_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +jitsi_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +jitsi_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +jitsi_jibri_xmpp_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" +jitsi_jicofo_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" +jitsi_jvb_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}" + 
+######################################################################## +# # +# /jitsi # +# # +######################################################################## + + + ######################################################################## # # # keycloak # 
@@ -1936,52 +1985,3 @@ devture_woodpecker_ci_agent_config_agent_secret: "{{ devture_woodpecker_ci_serve # # ######################################################################## - - -######################################################################## -# # -# jitsi # -# # -######################################################################## - -jitsi_enabled: false - -jitsi_architecture: "{{ mash_playbook_architecture }}" - -jitsi_identifier: "{{ mash_playbook_service_identifier_prefix }}jitsi" - -jitsi_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}jitsi" - -jitsi_uid: "{{ mash_playbook_uid }}" -jitsi_gid: "{{ mash_playbook_gid }}" - -jitsi_web_container_additional_networks_auto: | - {{ - ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) - }} - -jitsi_prosody_container_additional_networks_auto: | - {{ - ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) - }} - -jitsi_jvb_container_additional_networks_auto: | - {{ - ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) - }} - -jitsi_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" -jitsi_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" -jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" - -jitsi_jibri_xmpp_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" -jitsi_jicofo_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" 
-jitsi_jvb_auth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}" - -######################################################################## -# # -# /jitsi # -# # -######################################################################## - From daec4ed33414bebbb3b42ccad22f95fe2dce119d Mon Sep 17 00:00:00 2001 From: Aine Date: Wed, 12 Apr 2023 23:14:08 +0300 Subject: [PATCH 019/122] update mrs --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 4fcd30e..a889be2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -84,7 +84,7 @@ - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git - version: v0.0.0-0 + version: v0.0.0-1 name: mrs - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git version: v0.49.3-2 From d78893f6f12ebf5add243a7a140618272db74afe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 13 Apr 2023 09:01:14 +0300 Subject: [PATCH 020/122] Upgrade Gitea (v1.19.0-1 -> v1.19.1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index a889be2..8fca0cc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -59,7 +59,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git - version: v1.19.0-1 + version: v1.19.1-0 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git version: v0.8.0-1 From e84dc2bcc1b39f067a910dc493e4ce12a6b1a015 Mon Sep 17 00:00:00 2001 
From: Alexander Fr Date: Thu, 13 Apr 2023 09:50:16 +0200 Subject: [PATCH 021/122] fix filenames "aux", "AUX", "aux.ext" on NTFS (Windows) by renaming "aux.md" to "auxiliary.md" --- docs/services/{aux.md => auxiliary.md} | 0 docs/services/navidrome.md | 2 +- docs/supported-services.md | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename docs/services/{aux.md => auxiliary.md} (100%) diff --git a/docs/services/aux.md b/docs/services/auxiliary.md similarity index 100% rename from docs/services/aux.md rename to docs/services/auxiliary.md diff --git a/docs/services/navidrome.md b/docs/services/navidrome.md index 5703aa5..0eec586 100644 --- a/docs/services/navidrome.md +++ b/docs/services/navidrome.md @@ -60,7 +60,7 @@ You can create additional users from the web UI after that. If you've got a [Syncthing](syncthing.md) service running, you can use it to synchronize your music directory onto the server and then mount it as read-only into the Navidrome container. -We recommend that you make use of the [aux](aux.md) role to create some shared directory like this: +We recommend that you make use of the [aux](auxiliary.md) role to create some shared directory like this: ```yaml ######################################################################## diff --git a/docs/supported-services.md b/docs/supported-services.md index 080c852..ee9b8d9 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md 
@@ -2,7 +2,7 @@ | Name | Description | Documentation | | ------------------------------ | ------------------------------------- | ------------- | -| [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/aux.md) | +| [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/auxiliary.md) | | [AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) | A network-wide DNS software for blocking ads & tracking | [Link](services/adguard-home.md) | | [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) | | [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) | From cb9ff06bab8409ae67c439ebbe44cd1003c5f41e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 14 Apr 2023 08:58:46 +0300 Subject: [PATCH 022/122] Add Lago support --- docs/services/lago.md | 69 ++++++++++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + group_vars/mash_servers | 67 ++++++++++++++++++++++++++++++++++++ requirements.yml | 3 ++ setup.yml | 2 ++ 5 files changed, 142 insertions(+) create mode 100644 docs/services/lago.md diff --git a/docs/services/lago.md b/docs/services/lago.md new file mode 100644 index 0000000..7f51ed5 --- /dev/null +++ b/docs/services/lago.md 
@@ -0,0 +1,69 @@ +# Lago + +[Lago](https://www.getlago.com/) is an open-source metering and usage-based billing solution. + + +## Dependencies + +This service requires the following other services: + +- a [Postgres](postgres.md) database +- a [Redis](redis.md) data-store, installation details [below](#redis) +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# lago # +# # +######################################################################## + +lago_enabled: true + +lago_hostname: lago.example.com + +# Generate this using `openssl genrsa 2048 | base64 --wrap=0` +lago_api_environment_variable_lago_rsa_private_key: '' + +# WARNING: remove this after you create your user account, +# unless you'd like to run a server with public registration enabled. +lago_front_environment_variable_lago_disable_signup: false + +# Redis configuration, as described below + +######################################################################## +# # +# /lago # +# # +######################################################################## +``` + +### URL + +In the example configuration above, we configure the service to be hosted at `https://lago.example.com`. + +Hosting Lago under a subpath (by configuring the `lago_path_prefix` variable) does not seem to be possible right now, due to Lago limitations. + +Our setup hosts the Lago frontend at the root path (`/`) and the Lago API at the `/api` prefix. +This seems to work well, except for [PDF invoices failing due to a Lago bug](https://github.com/getlago/lago/issues/221). + +### Authentication + +Public registration can be enabled/disabled using the `lago_front_environment_variable_lago_disable_signup` variable. 
+ +We recommend installing with public registration enabled at first, creating your first user account, and then disabling public registration (unless you need it). + +It should be noted that disabling public signup with this variable merely disables the Sign-Up page in the web interface, but [does not actually disable signups due to a Lago bug](https://github.com/getlago/lago/issues/220). + +## Usage + +After installation, you can go to the Lago URL, as defined in `lago_hostname`. + +As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface. + +If you'd like to prevent other users from registering, consider disabling public registration by removing the `lago_front_environment_variable_lago_disable_signup` references from your configuration and re-running the playbook (`just install-service lago`). diff --git a/docs/supported-services.md b/docs/supported-services.md index ee9b8d9..1176c34 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -19,6 +19,7 @@ | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) | | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) | | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) | +| [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) | | [MariaDB](https://mariadb.org/) | A powerful, open source object-relational database system | [Link](services/mariadb.md) | | [Matrix Rooms Search API](https://gitlab.com/etke.cc/mrs/api) | A fully-featured, standalone, matrix rooms search service. | [Link](services/mrs.md) | | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) | 
diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 75e7964..f54f5c4 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -119,6 +119,16 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (keycloak_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'keycloak']}] if keycloak_enabled else []) + + ([{'name': (lago_identifier + '-api.service'), 'priority': 2000, 'groups': ['mash', 'lago', 'lago-api']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-api-worker.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-worker']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-api-clock.service'), 'priority': 2500, 'groups': ['mash', 'lago', 'lago-api-clock']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-front.service'), 'priority': 2200, 'groups': ['mash', 'lago', 'lago-front']}] if lago_enabled else []) + + + ([{'name': (lago_identifier + '-pdf.service'), 'priority': 1900, 'groups': ['mash', 'lago', 'lago-pdf']}] if lago_enabled else []) + + ([{'name': (miniflux_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'miniflux']}] if miniflux_enabled else []) + ([{'name': (mrs_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'mrs']}] if mrs_enabled else []) @@ -240,6 +250,12 @@ devture_postgres_managed_databases_auto: | 'password': keycloak_database_password, }] if keycloak_enabled and keycloak_database_type == 'postgres' and keycloak_database_hostname == devture_postgres_identifier else []) + + ([{ + 'name': lago_database_name, + 'username': lago_database_username, + 'password': lago_database_password, + }] if lago_enabled and lago_database_hostname == devture_postgres_identifier else []) + + ([{ 'name': miniflux_database_name, 'username': miniflux_database_username, 
@@ -1229,6 +1245,57 @@ keycloak_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) +######################################################################## +# # +# lago # +# # +######################################################################## + +lago_enabled: false + +lago_architecture: "{{ mash_playbook_architecture }}" + +lago_identifier: "{{ mash_playbook_service_identifier_prefix }}lago" + +lago_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}lago" + +lago_uid: "{{ mash_playbook_uid }}" +lago_gid: "{{ mash_playbook_gid }}" + +lago_api_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and lago_database_hostname == devture_postgres_identifier and lago_api_container_network != devture_postgres_container_network else []) + }} + +lago_front_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +lago_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +lago_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +lago_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +lago_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +lago_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +lago_database_port: "{{ '5432' if devture_postgres_enabled else '' }}" +lago_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.db', rounds=655555) | to_uuid }}" + +lago_api_environment_variable_secret_key_base: "{{ '%s' | 
format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.sec.key', rounds=655555) | to_uuid }}" +lago_api_environment_variable_encryption_primary_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.enc.primary', rounds=655555) | to_uuid }}" +lago_api_environment_variable_encryption_deterministic_key: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deter.key', rounds=655555) | to_uuid }}" +lago_api_environment_variable_encryption_key_derivation_salt: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'lago.deriv.salt', rounds=655555) | to_uuid }}" + +######################################################################## +# # +# /lago # +# # +######################################################################## + + + ######################################################################## # # # miniflux # diff --git a/requirements.yml b/requirements.yml index 8fca0cc..d448b53 100644 --- a/requirements.yml +++ b/requirements.yml @@ -78,6 +78,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git version: v21.0.2-0 name: keycloak +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git + version: v0.28.1-0 + name: lago - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git version: v10.11.2-0 name: mariadb diff --git a/setup.yml b/setup.yml index 470445a..d03f165 100644 --- a/setup.yml +++ b/setup.yml @@ -88,6 +88,8 @@ - role: galaxy/keycloak + - role: lago + - role: galaxy/navidrome - role: galaxy/netbox From ac50f3f8c4f5c58a72a6650d9f2b32c875f927a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 14 Apr 2023 09:04:12 +0300 Subject: [PATCH 023/122] Add missing Redis configuration to Lago documentation --- docs/services/lago.md | 140 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 140 insertions(+) 
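Review bot: This block attaches the API container to the Postgres network in `lago_api_container_additional_networks_auto` but, unlike the Healthchecks block earlier in this series, declares no systemd dependency on `devture_postgres_identifier ~ '.service'`, so `lago-api` may start before Postgres on boot and fail its first connection unless the role orders it itself (not visible here). The later Redis documentation refers to a `lago_api_systemd_required_services_list_custom` variable; if the role also exposes an `_auto` counterpart, an entry shaped like the Healthchecks one, `([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and lago_database_hostname == devture_postgres_identifier else [])`, would close that gap. The worker and clock services registered in the earlier services-list hunk would need the same ordering.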
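Review bot: `- role: lago` is the only entry in this hunk without the `galaxy/` prefix that the surrounding `galaxy/keycloak` and `galaxy/navidrome` entries carry, while requirements.yml in this same commit installs the role under `name: lago`, so the play will presumably look for a bare `lago` role outside the galaxy roles directory and not find it unless a roles_path happens to cover it. Use `- role: galaxy/lago` to match the neighbouring entries and the installed role name.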
diff --git a/docs/services/lago.md b/docs/services/lago.md index 7f51ed5..b8bd981 100644 --- a/docs/services/lago.md +++ b/docs/services/lago.md @@ -43,6 +43,7 @@ lago_front_environment_variable_lago_disable_signup: false ######################################################################## ``` + ### URL In the example configuration above, we configure the service to be hosted at `https://lago.example.com`. @@ -52,6 +53,7 @@ Hosting Lago under a subpath (by configuring the `lago_path_prefix` variable) do Our setup hosts the Lago frontend at the root path (`/`) and the Lago API at the `/api` prefix. This seems to work well, except for [PDF invoices failing due to a Lago bug](https://github.com/getlago/lago/issues/221). + ### Authentication Public registration can be enabled/disabled using the `lago_front_environment_variable_lago_disable_signup` variable. 
@@ -60,6 +62,144 @@ We recommend installing with public registration enabled at first, creating your It should be noted that disabling public signup with this variable merely disables the Sign-Up page in the web interface, but [does not actually disable signups due to a Lago bug](https://github.com/getlago/lago/issues/220). + +### Redis + +As described on the [Redis](redis.md) documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See [Creating a Redis instance dedicated to Lago](#creating-a-redis-instance-dedicated-to-lago). + +If you're only running Lago on this server and don't need to use Redis for anything else, you can [use a single Redis instance](#using-the-shared-redis-instance-for-lago). + +#### Using the shared Redis instance for Lago + +To install a single (non-dedicated) Redis instance (`mash-redis`) and hook Lago to it, add the following **additional** configuration: + +```yaml +######################################################################## +# # +# redis # +# # +######################################################################## + +redis_enabled: true + +######################################################################## +# # +# /redis # +# # +######################################################################## + + +######################################################################## +# # +# lago # +# # +######################################################################## + +# Base configuration as shown above + +# Point Lago to the shared Redis instance +lago_redis_hostname: "{{ redis_identifier }}" + +# Make sure the Lago service (mash-lago.service) starts after the shared Redis service (mash-redis.service) +lago_api_systemd_required_services_list_custom: + - "{{ redis_identifier }}.service" + +# Make sure the Lago container is connected to the container network of the shared Redis service (mash-redis) 
+lago_api_container_additional_networks_custom: + - "{{ redis_identifier }}" + +######################################################################## +# # +# /lago # +# # +######################################################################## +``` + +This will create a `mash-redis` Redis instance on this host. + +This is only recommended if you won't be installing other services which require Redis. Alternatively, go for [Creating a Redis instance dedicated to Lago](#creating-a-redis-instance-dedicated-to-lago). + +#### Creating a Redis instance dedicated to Lago + +The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation. + +Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `lago.example.com` is your main one, create `lago.example.com-deps`). + +Then, create a new `vars.yml` file for the + +`inventory/host_vars/lago.example.com-deps/vars.yml`: + +```yaml +--- + +######################################################################## +# # +# Playbook # +# # +######################################################################## + +# Put a strong secret below, generated with `pwgen -s 64 1` or in another way +# Various other secrets will be derived from this secret automatically. 
+mash_playbook_generic_secret_key: '' + +# Override service names and directory path prefixes +mash_playbook_service_identifier_prefix: 'mash-lago-' +mash_playbook_service_base_directory_name_prefix: 'lago-' + +######################################################################## +# # +# /Playbook # +# # +######################################################################## + + +######################################################################## +# # +# redis # +# # +######################################################################## + +redis_enabled: true + +######################################################################## +# # +# /redis # +# # +######################################################################## +``` + +This will create a `mash-lago-redis` instance on this host with its data in `/mash/lago-redis`. + +Then, adjust your main inventory host's variables file (`inventory/host_vars/lago.example.com/vars.yml`) like this: + +```yaml +######################################################################## +# # +# lago # +# # +######################################################################## + +# Base configuration as shown above + +# Point Lago to its dedicated Redis instance +lago_redis_hostname: mash-lago-redis + +# Make sure the Lago service (mash-lago.service) starts after its dedicated Redis service (mash-lago-redis.service) +lago_api_systemd_required_services_list_custom: + - "mash-lago-redis.service" + +# Make sure the Lago container is connected to the container network of its dedicated Redis service (mash-lago-redis) +lago_api_container_additional_networks_custom: + - "mash-lago-redis" + +######################################################################## +# # +# /lago # +# # +######################################################################## +``` + + ## Usage After installation, you can go to the Lago URL, as defined in `lago_hostname`. 
From 05aa3d9d0f411b01b0522253587420a078b45538 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 14 Apr 2023 09:07:11 +0300 Subject: [PATCH 024/122] Fix role name in setup.yml (lago -> galaxy/lago) --- setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.yml b/setup.yml index d03f165..79cfa34 100644 --- a/setup.yml +++ b/setup.yml @@ -88,7 +88,7 @@ - role: galaxy/keycloak - - role: lago + - role: galaxy/lago - role: galaxy/navidrome From 8efc7e4bf328e26b52d84b0e18118aae2b12bde0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 17 Apr 2023 09:42:47 +0300 Subject: [PATCH 025/122] Add Appsmith support --- docs/services/appsmith.md | 60 ++++++++++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + group_vars/mash_servers | 35 ++++++++++++++++++++++ requirements.yml | 3 ++ setup.yml | 2 ++ 5 files changed, 101 insertions(+) create mode 100644 docs/services/appsmith.md diff --git a/docs/services/appsmith.md b/docs/services/appsmith.md new file mode 100644 index 0000000..48ca0b8 --- /dev/null +++ b/docs/services/appsmith.md 
@@ -0,0 +1,60 @@ +# Appsmith + +[Appsmith](https://www.appsmith.com/) is an open-source platform that enables developers to build and deploy custom internal tools and applications without writing code. + + +## Dependencies + +This service requires the following other services: + +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# appsmith # +# # +######################################################################## + +appsmith_enabled: true + +appsmith_hostname: appsmith.example.com + +# WARNING: remove this after you create your user account, +# unless you'd like to run a server with public registration enabled. +appsmith_environment_variable_appsmith_signup_disabled: false + +######################################################################## +# # +# /appsmith # +# # +######################################################################## +``` + + +### URL + +In the example configuration above, we configure the service to be hosted at `https://appsmith.example.com`. + +Hosting Appsmith under a subpath (by configuring the `appsmith_path_prefix` variable) does not seem to be possible right now, due to Appsmith limitations.. + + +### Authentication + +Public registration can be enabled/disabled using the `appsmith_environment_variable_appsmith_signup_disabled` variable. + +We recommend installing with public registration enabled at first, creating your first user account, and then disabling public registration (unless you need it). + + +## Usage + +After installation, you can go to the Appsmith URL, as defined in `appsmith_hostname`. + +As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface. 
+ +If you'd like to prevent other users from registering, consider disabling public registration by removing the `appsmith_environment_variable_appsmith_signup_disabled` references from your configuration and re-running the playbook (`just install-service appsmith`). diff --git a/docs/supported-services.md b/docs/supported-services.md index 1176c34..64baff6 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -4,6 +4,7 @@ | ------------------------------ | ------------------------------------- | ------------- | | [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/auxiliary.md) | | [AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) | A network-wide DNS software for blocking ads & tracking | [Link](services/adguard-home.md) | +| [Appsmith](https://www.appsmith.com/) | Platform for building and deploying custom internal tools and applications without writing code | [Link](services/appsmith.md) | | [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) | | [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) | | [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index f54f5c4..92f9b6e 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -65,6 +65,8 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (adguard_home_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'adguard-home']}] if adguard_home_enabled else []) + + ([{'name': (appsmith_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'appsmith']}] if appsmith_enabled else []) + + ([{'name': (collabora_online_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'collabora-online']}] if collabora_online_enabled else []) + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'postgres']}] if devture_postgres_enabled else []) 
@@ -503,6 +505,39 @@ adguard_home_container_labels_traefik_tls_certResolver: "{{ devture_traefik_cert +######################################################################## +# # +# appsmith # +# # +######################################################################## + +appsmith_enabled: false + +appsmith_identifier: "{{ mash_playbook_service_identifier_prefix }}appsmith" + +appsmith_uid: "{{ mash_playbook_uid }}" +appsmith_gid: "{{ mash_playbook_gid }}" + +appsmith_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}appsmith" + +appsmith_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +appsmith_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +appsmith_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +appsmith_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +appsmith_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /appsmith # +# # +######################################################################## + + + ######################################################################## # # # collabora-online # diff --git a/requirements.yml b/requirements.yml index d448b53..03fec63 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,6 +3,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-adguard-home.git version: v0.107.26-1 name: adguard_home +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git + version: v1.9.15-0 + name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 name: aux 
diff --git a/setup.yml b/setup.yml index 79cfa34..8ce9d1a 100644 --- a/setup.yml +++ b/setup.yml @@ -56,6 +56,8 @@ - role: galaxy/adguard_home + - role: galaxy/appsmith + - role: galaxy/collabora_online - role: galaxy/docker_registry From b56abfca274ced01d03b2c95e97cb5075da711ae Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 17 Apr 2023 23:59:13 +0300 Subject: [PATCH 026/122] lago 0.28.1 -> 0.29.0; mrs 0.0.0-1 -> 0.0.0-2 --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index 03fec63..eb4b987 100644 --- a/requirements.yml +++ b/requirements.yml @@ -82,7 +82,7 @@ version: v21.0.2-0 name: keycloak - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git - version: v0.28.1-0 + version: v0.29.0-0 name: lago - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git version: v10.11.2-0 @@ -90,7 +90,7 @@ - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git - version: v0.0.0-1 + version: v0.0.0-2 name: mrs - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git version: v0.49.3-2 From 8ffd8ee4c5dcc4329b77fda2b6499c2ed8971ec7 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 18 Apr 2023 09:45:03 +0300 Subject: [PATCH 027/122] radicale v3.1.8.2-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index eb4b987..adc250d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -115,7 +115,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 - src: git+https://gitlab.com/etke.cc/roles/radicale.git - version: v3.1.8.1-2 + version: v3.1.8.2-0 - src: git+https://gitlab.com/etke.cc/roles/redis.git version: v7.0.10-0 - src: git+https://gitlab.com/etke.cc/roles/redmine.git From a762841f19dfb706c03259b31555d97566e42974 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 18 Apr 2023 10:38:48 +0300 Subject: [PATCH 028/122] Upgrade systemd_docker_base, container_socket_proxy, Traefik, Syncthing These roles now obey `devture_systemd_docker_base_container_image_pull_method` and `devture_systemd_docker_base_container_network_creation_method` and can work on systems which don't have the Docker SDK for Python installed by avoiding the various Ansible Docker modules and using raw `docker` commands for pulling images and creating networks. --- requirements.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements.yml b/requirements.yml index adc250d..eadaf89 100644 --- a/requirements.yml +++ b/requirements.yml @@ -13,7 +13,7 @@ version: v22.05.12.1.1-1 name: collabora_online - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git - version: v0.1.1-1 + version: v0.1.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 129c8590e106b83e6f4c259649a613c6279e937a - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git @@ -27,13 +27,13 @@ - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git - version: 327d2e17f5189ac2480d6012f58cf64a2b46efba + version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-0 + version: v2.9.10-1 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git version: v0.15.7-1 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git 
@@ -127,7 +127,7 @@ - src: git+https://gitlab.com/etke.cc/roles/swap.git version: abfb18b6862108bbf24347500446203170324d7f - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-syncthing.git - version: v1.23.4-0 + version: v1.23.4-1 name: syncthing - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git version: v1.21.2-0 From 87e058f63dfdd34899229ee8905ba0f2947e1e60 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Apr 2023 10:58:42 +0300 Subject: [PATCH 029/122] Upgrade Traefik (v2.9.10-1 -> v2.9.10-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index eadaf89..10e4775 100644 --- a/requirements.yml +++ b/requirements.yml @@ -33,7 +33,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git version: 3d5bb2976815958cdce3f368fa34fb51554f899b - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: v2.9.10-1 + version: v2.9.10-2 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git version: v0.15.7-1 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git From a151ed4f68bc089784cb26ccf588aaffe97971d9 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 18 Apr 2023 17:18:22 +0300 Subject: [PATCH 030/122] mrs cron configs --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 10e4775..3192670 100644 --- a/requirements.yml +++ b/requirements.yml @@ -90,7 +90,7 @@ - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git - version: v0.0.0-2 + version: v0.0.0-3 name: mrs - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git version: v0.49.3-2 From e6266039f194ca1161c07f1f93c824d89d0a2cc4 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 18 Apr 2023 17:37:12 +0300 Subject: [PATCH 031/122] Upgrade Firezone (v0.7.25-0 -> v0.7.25-2) --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index 3192670..23335f0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,8 +49,8 @@ name: docker_registry_purger - src: git+https://gitlab.com/etke.cc/roles/fail2ban.git version: 09886730e8d3c061f22d1da4a542899063f97f0a -- src: git+https://github.com/moan0s/role-firezone.git - version: v0.7.25-0 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-firezone.git + version: v0.7.25-2 name: firezone - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-focalboard.git version: v7.9.3-1 From b59a27818b3f2dbd094ba646f822ac7c9568312a Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 18 Apr 2023 18:50:41 +0300 Subject: [PATCH 032/122] mrs languages list --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 23335f0..0227545 100644 --- a/requirements.yml +++ b/requirements.yml @@ -90,7 +90,7 @@ - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git - version: v0.0.0-3 + version: v0.0.0-4 name: mrs - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git version: v0.49.3-2 From 1930b108dc65d5f22d6d30e35628fe8d655568c9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 Apr 2023 10:35:59 +0300 Subject: [PATCH 033/122] Upgrade Appsmith (v1.9.15-0 -> v1.9.16-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 0227545..07c3d26 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,7 +4,7 @@ version: v0.107.26-1 name: adguard_home - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git - version: v1.9.15-0 + version: v1.9.16-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From 96540561ec5c85fadfd06d00f300c699ff59abbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 19 Apr 2023 12:29:15 +0200 Subject: [PATCH 034/122] Add authentik --- docs/services/authentik.md | 228 +++++++++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + group_vars/mash_servers | 58 ++++++++++ requirements.yml | 3 + setup.yml | 2 + 5 files changed, 292 insertions(+) create mode 100644 docs/services/authentik.md diff --git a/docs/services/authentik.md b/docs/services/authentik.md new file mode 100644 index 0000000..72efa9d --- /dev/null +++ b/docs/services/authentik.md 
@@ -0,0 +1,228 @@ +# Authentik + +[authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility. MASH can install authentik with the [`mother-of-all-self-hosting/ansible-role-authentik`](https://github.com/mother-of-all-self-hosting/ansible-role-authentik) ansible role. + +## Dependencies + +This service requires the following other services: + +- a [Postgres](postgres.md) database +- a [Redis](redis.md) data-store, installation details [below](#redis) +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# authentik # +# # +######################################################################## + +authentik_enabled: true +authentik_hostname: authentik.example.com +authentik_secret_key: 'verysecret' + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + +### Redis + +As described on the [Redis](redis.md) documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik). + +If you're only running authentik on this server and don't need to use Redis for anything else, you can [use a single Redis instance](#using-the-shared-redis-instance-for-authentik). 
+ +#### Using the shared Redis instance for authentik + +To install a single (non-dedicated) Redis instance (`mash-redis`) and hook authentik to it, add the following **additional** configuration: + +```yaml +######################################################################## +# # +# redis # +# # +######################################################################## + +redis_enabled: true + +######################################################################## +# # +# /redis # +# # +######################################################################## + + +######################################################################## +# # +# authentik # +# # +######################################################################## + +# Base configuration as shown above + +# Point authentik to the shared Redis instance +authentik_config_redis_hostname: "{{ redis_identifier }}" + +# Make sure the authentik service (mash-authentik.service) starts after the shared Redis service (mash-redis.service) +authentik_systemd_required_services_list_custom: + - "{{ redis_identifier }}.service" + +# Make sure the authentik container is connected to the container network of the shared Redis service (mash-redis) +authentik_container_additional_networks_custom: + - "{{ redis_identifier }}" + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + +This will create a `mash-redis` Redis instance on this host. + +This is only recommended if you won't be installing other services which require Redis. Alternatively, go for [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik). + + +#### Creating a Redis instance dedicated to authentik + +The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation. 
+ +Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `authentik.example.com` is your main one, create `authentik.example.com-deps`). + +Then, create a new `vars.yml` file for the + +`inventory/host_vars/authentik.example.com-deps/vars.yml`: + +```yaml +--- + +######################################################################## +# # +# Playbook # +# # +######################################################################## + +# Put a strong secret below, generated with `pwgen -s 64 1` or in another way +# Various other secrets will be derived from this secret automatically. +mash_playbook_generic_secret_key: '' + +# Override service names and directory path prefixes +mash_playbook_service_identifier_prefix: 'mash-authentik-' +mash_playbook_service_base_directory_name_prefix: 'authentik-' + +######################################################################## +# # +# /Playbook # +# # +######################################################################## + + +######################################################################## +# # +# redis # +# # +######################################################################## + +redis_enabled: true + +######################################################################## +# # +# /redis # +# # +######################################################################## +``` + +This will create a `mash-authentik-redis` instance on this host with its data in `/mash/authentik-redis`. 
+ +Then, adjust your main inventory host's variables file (`inventory/host_vars/authentik.example.com/vars.yml`) like this: + +```yaml +######################################################################## +# # +# authentik # +# # +######################################################################## + +# Base configuration as shown above + + +# Point authentik to its dedicated Redis instance +authentik_environment_variable_redis_host: mash-authentik-redis +authentik_environment_variable_redis_cache_host: mash-authentik-redis + +# Make sure the authentik service (mash-authentik.service) starts after its dedicated Redis service (mash-authentik-redis.service) +authentik_systemd_required_services_list_custom: + - "mash-authentik-redis.service" + +# Make sure the authentik container is connected to the container network of its dedicated Redis service (mash-authentik-redis) +authentik_container_additional_networks_custom: + - "mash-authentik-redis" + +######################################################################## +# # +# /authentik # +# # +######################################################################## +``` + + +## Installation + +If you've decided to install a dedicated Redis instance for authentik, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `authentik.example.com-deps`), before running installation for the main one (e.g. `authentik.example.com`). + + +## Usage + +After installation, you can go to the authentik URL, as defined in `authentik_hostname`. Set the admin password there and start adding applications and users! Refer to the [official documentation]() to learn how to integrate services. 
Below are some tested examples + +### Grafana + +To enable SSO for Grafana you should + +* Create a new OAUTH provider in authentik called `grafana` +* Create an application also named `grafana` in authentik using this provider +* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) + +```yaml +grafana_environment_variables_additional_variables: | + GF_AUTH_GENERIC_OAUTH_ENABLED=true + GF_AUTH_GENERIC_OAUTH_NAME=authentik + GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET + GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email + GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ + GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ + GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ + GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ + # Optionally enable auto-login (bypasses Grafana login screen) + #GF_AUTH_OAUTH_AUTO_LOGIN="true" + GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true + # Optionally map user groups to Grafana roles + GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" + +``` + +### Nextcloud + +**The official documentation of authentik to connect nextcloud via SAML seems broken** + +MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. 
+ +In short you shoudl + +* Create a new provider in authentik and trimm the client secret to <64 characters +* Create an application in authentik using this provider +* Install the app `user_oidc` in Nextcloud +* Fill in the details from authentik in the app settings + +**Troubleshooting** + +If you encounter problems during login check (error message containes `SHA1 mismatch`) that +* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings diff --git a/docs/supported-services.md b/docs/supported-services.md index 1176c34..41ae8b2 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -4,6 +4,7 @@ | ------------------------------ | ------------------------------------- | ------------- | | [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/auxiliary.md) | | [AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) | A network-wide DNS software for blocking ads & tracking | [Link](services/adguard-home.md) | +| [authentik](https://goauthentik.io/) | An open-source Identity Provider focused on flexibility and versatility. | [Link](services/authentik.md) | | [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) | | [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) | | [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index f54f5c4..6932989 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -65,6 +65,10 @@ devture_systemd_service_manager_services_list_auto: | {{ ([{'name': (adguard_home_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'adguard-home']}] if adguard_home_enabled else []) + + ([{'name': (authentik_server_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else []) + + + ([{'name': (authentik_worker_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else []) + + ([{'name': (collabora_online_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'collabora-online']}] if collabora_online_enabled else []) + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'postgres']}] if devture_postgres_enabled else []) @@ -209,6 +213,11 @@ devture_postgres_systemd_services_to_stop_for_maintenance_list: | devture_postgres_managed_databases_auto: | {{ ([{ + 'name': authentik_database_name, + 'username': authentik_database_username, + 'password': authentik_database_password, + }] if authentik_enabled and authentik_database_hostname == devture_postgres_identifier else []) + +([{ 'name': focalboard_database_name, 'username': focalboard_database_username, 'password': focalboard_database_password, 
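Review bot: The two new entries in `devture_systemd_service_manager_services_list_auto` reference `authentik_server_identifier` and `authentik_worker_identifier`, while the `authentik` block this commit adds to the same file defines only `authentik_identifier`. If the role does not ship those two names as defaults, the template fails with an undefined-variable error as soon as `authentik_enabled` is true; worth confirming against the role, or defining both next to `authentik_identifier`, e.g. `authentik_server_identifier: "{{ authentik_identifier }}-server"` (suffix chosen here as an illustration). The `devture_systemd_service_manager_services_list_auto` definition starts before this hunk and continues after it; the second hunk's Postgres entry follows the existing focalboard pattern and looks fine.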
@@ -501,6 +510,55 @@ adguard_home_container_labels_traefik_tls_certResolver: "{{ devture_traefik_cert # # ######################################################################## +######################################################################## +# # +# authentik # +# # +######################################################################## + +authentik_enabled: false + +authentik_identifier: "{{ mash_playbook_service_identifier_prefix }}authentik" + +authentik_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}authentik" + +authentik_uid: "{{ mash_playbook_uid }}" +authentik_gid: "{{ mash_playbook_gid }}" + +authentik_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +authentik_database_port: "{{ '5432' if devture_postgres_enabled else '' }}" +authentik_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.authentik', rounds=655555) | to_uuid }}" +authentik_database_username: "{{ authentik_identifier }}" + +authentik_server_systemd_required_services_list_auto: | + {{ + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier else []) + }} + +authentik_server_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_server_container_network != devture_postgres_container_network else []) + }} + +authentik_frontend_container_additional_networks_auto: | + {{ + ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_frontend_container_network != devture_postgres_container_network else []) + + + 
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +authentik_server_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +authentik_server_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +authentik_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +authentik_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /funkwhale # +# # +######################################################################## ######################################################################## diff --git a/requirements.yml b/requirements.yml index d448b53..9306f6f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,6 +3,9 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-adguard-home.git version: v0.107.26-1 name: adguard_home +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git + version: v2023.4.0-1 + name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 name: aux diff --git a/setup.yml b/setup.yml index 79cfa34..5a99bfb 100644 --- a/setup.yml +++ b/setup.yml @@ -56,6 +56,8 @@ - role: galaxy/adguard_home + - role: galaxy/authentik + - role: galaxy/collabora_online - role: galaxy/docker_registry From f56c4b2c7e624c4d9bd2f92eb32c0f29e47279a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 19 Apr 2023 12:32:08 +0200 Subject: [PATCH 035/122] Bump version --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 9306f6f..53ca98b 100644 --- a/requirements.yml +++ b/requirements.yml 
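Review bot: The closing banner of the new authentik block reads `# /funkwhale #` where `# /authentik #` is expected, so the section markers in `group_vars/mash_servers` no longer pair up. `authentik_frontend_container_additional_networks_auto` is the only `authentik_frontend_*` name in the block and tests `authentik_frontend_container_network`, which nothing in this series defines while the systemd list only registers server and worker units; this looks like a copy of the server variable that the role may never read, so confirm it against the role's defaults or drop it. The `authentik_database_password` is derived from `mash_playbook_generic_secret_key`, which is presumably the playbook-wide convention, so the identity provider's database credential is only as strong as that one key.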
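Review bot: The new `authentik` entry in `requirements.yml` is pinned to the tag `v2023.4.0-1`; a git tag is a mutable reference, so the same requirements file can resolve to different role contents over time, which matters more for the role that deploys the identity provider than for most. Pinning `version:` to the commit the tag currently points at (e.g. `version: <commit-sha-of-v2023.4.0-1>`) makes the pull reproducible; if the project deliberately tracks tags for every role, a short comment above the entry stating that choice would suffice.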
@@ -4,7 +4,7 @@ version: v0.107.26-1 name: adguard_home - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.0-1 + version: v2023.4.1-1 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From b841006d431de3f4eada1e6a89814a74d424b64a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 19 Apr 2023 12:49:10 +0200 Subject: [PATCH 036/122] Add warning on testing status --- docs/services/authentik.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/services/authentik.md b/docs/services/authentik.md index 72efa9d..43f1a27 100644 --- a/docs/services/authentik.md +++ b/docs/services/authentik.md @@ -2,6 +2,9 @@ [authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility. MASH can install authentik with the [`mother-of-all-self-hosting/ansible-role-authentik`](https://github.com/mother-of-all-self-hosting/ansible-role-authentik) ansible role. + +**Warning:** SSO is pretty complex and while this role will install authentik for you we only tested OIDC and OAUTH integration. There is a high probability that using outposts/LDAP would need further configuration efforts. Make sure you test before using this in production and feel free to provide feedback! + ## Dependencies This service requires the following other services: From 1844762ddad510c60aa798f3f3933edd0de57dce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 19 Apr 2023 15:28:11 +0200 Subject: [PATCH 037/122] Bump gotosocial version --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 07c3d26..6444381 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -65,7 +65,7 @@ version: v1.19.1-0 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git - version: v0.8.0-1 + version: v0.8.1-0 name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.4.7-1 From b6e6ea24f7b2591d585678b8b944d841dc066a7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 12:55:52 +0200 Subject: [PATCH 038/122] MAke authentik use single container --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 948ec6a..f4821d7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.9.16-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.1-1 + version: v2023.4.1-2 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From 86f8a05e478616a1ad87d3d94464182f863c8431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 13:29:51 +0200 Subject: [PATCH 039/122] Rework documentation SSO configuration is now described in the respective services --- docs/services/authentik.md | 46 +++----------------------------------- docs/services/grafana.md | 29 ++++++++++++++++++++++++ docs/services/nextcloud.md | 21 +++++++++++++++++ 3 files changed, 53 insertions(+), 43 deletions(-) diff --git a/docs/services/authentik.md b/docs/services/authentik.md index 43f1a27..912a04a 100644 --- a/docs/services/authentik.md +++ b/docs/services/authentik.md 
@@ -183,49 +183,9 @@ If you've decided to install a dedicated Redis instance for authentik, make sure ## Usage -After installation, you can go to the authentik URL, as defined in `authentik_hostname`. Set the admin password there and start adding applications and users! Refer to the [official documentation]() to learn how to integrate services. Below are some tested examples +After installation, you can set the admin password at `https:///if/flow/initial-setup/`. Set the admin password there and start adding applications and users! Refer to the [official documentation](https://goauthentik.io/docs/) to learn how to integrate services. For this playbook tested examples are described in the respective service documentation. See -### Grafana +* [Grafana](./grafana.md) +* [Nextcloud](./nextcloud.md) -To enable SSO for Grafana you should -* Create a new OAUTH provider in authentik called `grafana` -* Create an application also named `grafana` in authentik using this provider -* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) - -```yaml -grafana_environment_variables_additional_variables: | - GF_AUTH_GENERIC_OAUTH_ENABLED=true - GF_AUTH_GENERIC_OAUTH_NAME=authentik - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ - GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ - GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ - # Optionally enable auto-login (bypasses Grafana login screen) - #GF_AUTH_OAUTH_AUTO_LOGIN="true" - GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true - # Optionally map user groups to Grafana 
roles - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" - -``` - -### Nextcloud - -**The official documentation of authentik to connect nextcloud via SAML seems broken** - -MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. - -In short you shoudl - -* Create a new provider in authentik and trimm the client secret to <64 characters -* Create an application in authentik using this provider -* Install the app `user_oidc` in Nextcloud -* Fill in the details from authentik in the app settings - -**Troubleshooting** - -If you encounter problems during login check (error message containes `SHA1 mismatch`) that -* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings diff --git a/docs/services/grafana.md b/docs/services/grafana.md index 4fd97ba..8fa0ef7 100644 --- a/docs/services/grafana.md +++ b/docs/services/grafana.md 
@@ -82,6 +82,35 @@ grafana_dashboard_download_urls: | ``` +#### Single-Sign-On / Authentik + +Grafana supports Single-Sign-On (SSO) via OAUTH. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). Using authentik you can connect and Authentik like this: + +* Create a new OAUTH provider in authentik called `grafana` +* Create an application also named `grafana` in authentik using this provider +* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) + +```yaml +grafana_environment_variables_additional_variables: | + GF_AUTH_GENERIC_OAUTH_ENABLED=true + GF_AUTH_GENERIC_OAUTH_NAME=authentik + GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET + GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email + GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ + GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ + GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ + GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ + # Optionally enable auto-login (bypasses Grafana login screen) + #GF_AUTH_OAUTH_AUTO_LOGIN="true" + GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true + # Optionally map user groups to Grafana roles + GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" +``` + +Make sure the user you want to login as has an email address in authentik, otherwise there will be an error. + + ## Usage After installation, you should be able to access your new Gitea instance at the configured URL (see above). diff --git a/docs/services/nextcloud.md b/docs/services/nextcloud.md index ad2bdd4..26fa166 100644 
--- a/docs/services/nextcloud.md +++ b/docs/services/nextcloud.md @@ -198,6 +198,27 @@ nextcloud_container_additional_networks_custom: ######################################################################## ``` +### Single-Sign-On / Authentik + +Nextcloud supports Single-Sign-On (SSO) via LDAP, SAML, and OIDC. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). The following assumes you use authentik. + + +**The official documentation of authentik to connect nextcloud via SAML seems broken** + +MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. + +In short you should + +* Create a new provider in authentik and trimm the client secret to <64 characters +* Create an application in authentik using this provider +* Install the app `user_oidc` in Nextcloud +* Fill in the details from authentik in the app settings + +**Troubleshooting** + +If you encounter problems during login check (error message containes `SHA1 mismatch`) that +* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings + ## Installation If you've decided to install a dedicated Redis instance for Nextcloud, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `nextcloud.example.com-deps`), before running installation for the main one (e.g. `nextcloud.example.com`). From 8f72a895529e69384e373e22463d495411ec1381 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 13:30:57 +0200 Subject: [PATCH 040/122] Remove unused var, typo --- group_vars/mash_servers | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) 
diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 32f8591..91ea21c 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -514,7 +514,7 @@ adguard_home_container_labels_traefik_tls_certResolver: "{{ devture_traefik_cert -####################################################################### +######################################################################## # # # appsmith # # # @@ -579,13 +579,6 @@ authentik_server_container_additional_networks_auto: | ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_server_container_network != devture_postgres_container_network else []) }} -authentik_frontend_container_additional_networks_auto: | - {{ - ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_frontend_container_network != devture_postgres_container_network else []) - + - ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) - }} - authentik_server_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" authentik_server_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" authentik_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" From a447f82e60155d400d269e6c2611fc50c78cff6c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 22 Apr 2023 15:03:28 +0300 Subject: [PATCH 041/122] Fix typo --- docs/services/nextcloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/services/nextcloud.md b/docs/services/nextcloud.md index 26fa166..25f009a 100644 --- a/docs/services/nextcloud.md +++ b/docs/services/nextcloud.md 
@@ -207,9 +207,9 @@ Nextcloud supports Single-Sign-On (SSO) via LDAP, SAML, and OIDC. To make use of MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. -In short you should +In short you should: -* Create a new provider in authentik and trimm the client secret to <64 characters +* Create a new provider in authentik and trim the client secret to <64 characters * Create an application in authentik using this provider * Install the app `user_oidc` in Nextcloud * Fill in the details from authentik in the app settings From 1962c9ca8f2275fc3aa699596684fa577c8a27d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 17:25:19 +0200 Subject: [PATCH 042/122] Bumb hubsite version --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index dcc79e0..8ddc678 100644 --- a/requirements.yml +++ b/requirements.yml @@ -76,7 +76,7 @@ version: v2.8.1-0 name: healthchecks - src: git+https://github.com/moan0s/hubsite.git - version: v1.23.3-1 + version: v1.23.3-2 name: hubsite - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v8319-6 From ad58fd42f46108e88324c4f5e0604df5a25574ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 17:49:31 +0200 Subject: [PATCH 043/122] Add some services to hubsite --- group_vars/mash_servers | 64 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 91ea21c..6675d42 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -1089,6 +1089,22 @@ hubsite_service_adguard_home_logo_location: "{{ role_path }}/assets/shield.png" hubsite_service_adguard_home_description: "A network-wide DNS software for blocking ads & tracking" hubsite_service_adguard_home_priority: 1000 +# authentik +hubsite_service_authentik_enabled: "{{ authentik_enabled }}" +hubsite_service_authentik_name: Authentik +hubsite_service_authentik_url: "https://{{ authentik_hostname }}{{ authentik_path_prefix }}" +hubsite_service_authentik_logo_location: "{{ role_path }}/assets/authentik.png" +hubsite_service_authentik_description: "An open source identity provider" +hubsite_service_authentik_priority: 1000 + +# Appsmith +hubsite_service_appsmith_enabled: "{{ appsmith_enabled }}" +hubsite_service_appsmith_name: Appsmith +hubsite_service_appsmith_url: "https://{{ appsmith_hostname }}{{ appsmith_path_prefix }}" +hubsite_service_appsmith_logo_location: "{{ role_path }}/assets/appsmith.png" +hubsite_service_appsmith_description: "Platform for building and deploying custom internal tools and applications without writing code" +hubsite_service_appsmith_priority: 1000 + # Docker Registry Browser hubsite_service_docker_registry_browser_enabled: "{{ docker_registry_browser_enabled }}" hubsite_service_docker_registry_browser_name: Docker Registry Browser 
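Review bot: `hubsite_service_authentik_url` interpolates `authentik_path_prefix`, but the authentik variables added to `group_vars/mash_servers` earlier in this series define no such variable (they cover identifier, base path, uid/gid, database and Traefik settings), so unless the role's defaults supply it, rendering `hubsite_service_list_auto` fails with an undefined-variable error once both authentik and hubsite are enabled; Jinja evaluates the `if` test first, which is why the failure only appears on enabled hosts. If authentik is served at the hostname root, `hubsite_service_authentik_url: "https://{{ authentik_hostname }}"` mirrors the `firezone` and `funkwhale` entries in the following hunks. Whether the role defines a path prefix is not visible here, so this is inferred.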
@@ -1097,6 +1113,14 @@ hubsite_service_docker_registry_browser_logo_location: "{{ role_path }}/assets/d hubsite_service_docker_registry_browser_description: "Browse docker images" hubsite_service_docker_registry_browser_priority: 1000 +# Firezone +hubsite_service_firezone_enabled: "{{ firezone_enabled }}" +hubsite_service_firezone_name: Firezone +hubsite_service_firezone_url: "https://{{ firezone_hostname }}" +hubsite_service_firezone_logo_location: "{{ role_path }}/assets/firezone.png" +hubsite_service_firezone_description: "A self-hosted VPN server, based on Wireguard" +hubsite_service_firezone_priority: 1000 + # Focalboard hubsite_service_focalboard_enabled: "{{ focalboard_enabled }}" hubsite_service_focalboard_name: Focalboard @@ -1105,6 +1129,14 @@ hubsite_service_focalboard_logo_location: "{{ role_path }}/assets/focalboard.png hubsite_service_focalboard_description: "An open source, self-hosted alternative to Trello, Notion, and Asana." hubsite_service_focalboard_priority: 1000 +# Funkwhale +hubsite_service_funkwhale_enabled: "{{ funkwhale_enabled }}" +hubsite_service_funkwhale_name: Funkwhale +hubsite_service_funkwhale_url: "https://{{ funkwhale_hostname }}" +hubsite_service_funkwhale_logo_location: "{{ role_path }}/assets/funkwhale.png" +hubsite_service_funkwhale_description: "Listen and share music with a selfhosted streaming server" +hubsite_service_funkwhale_priority: 1000 + # Gitea hubsite_service_gitea_enabled: "{{ gitea_enabled }}" hubsite_service_gitea_name: Gitea 
@@ -1129,6 +1161,22 @@ hubsite_service_grafana_logo_location: "{{ role_path }}/assets/grafana.png" hubsite_service_grafana_description: "Check how your server is doing" hubsite_service_grafana_priority: 1000 +# Healthchecks +hubsite_service_healthchecks_enabled: "{{ healthchecks_enabled }}" +hubsite_service_healthchecks_name: Healthchecks +hubsite_service_healthchecks_url: "https://{{ healthchecks_hostname }}{{ healthchecks_path_prefix }}" +hubsite_service_healthchecks_logo_location: "{{ role_path }}/assets/healthchecks.png" +hubsite_service_healthchecks_description: "A simple and Effective Cron Job Monitoring solution" +hubsite_service_healthchecks_priority: 1000 + +# Keycloak +hubsite_service_keycloak_enabled: "{{ keycloak_enabled }}" +hubsite_service_keycloak_name: Keycloak +hubsite_service_keycloak_url: "https://{{ keycloak_hostname }}{{ keycloak_path_prefix }}" +hubsite_service_keycloak_logo_location: "{{ role_path }}/assets/keycloak.png" +hubsite_service_keycloak_description: "An open source identity and access management solution." +hubsite_service_keycloak_priority: 1000 + # Miniflux hubsite_service_miniflux_enabled: "{{ miniflux_enabled }}" hubsite_service_miniflux_name: Miniflux @@ -1147,7 +1195,7 @@ hubsite_service_nextcloud_priority: 1000 # Owncast hubsite_service_owncast_enabled: "{{ owncast_enabled }}" -hubsite_service_owncast_name: owncast +hubsite_service_owncast_name: Owncast hubsite_service_owncast_url: "https://{{ owncast_hostname }}" hubsite_service_owncast_logo_location: "{{ role_path }}/assets/owncast.png" hubsite_service_owncast_description: "Livestream & Chat" 
@@ -1206,14 +1254,28 @@ hubsite_service_list_auto: | {{ ([{'name': hubsite_service_adguard_home_name, 'url': hubsite_service_adguard_home_url, 'logo_location': hubsite_service_adguard_home_logo_location, 'description': hubsite_service_adguard_home_description, 'priority': hubsite_service_adguard_home_priority}] if hubsite_service_adguard_home_enabled else []) + + ([{'name': hubsite_service_authentik_name, 'url': hubsite_service_authentik_url, 'logo_location': hubsite_service_authentik_logo_location, 'description': hubsite_service_authentik_description, 'priority': hubsite_service_adguard_home_priority}] if hubsite_service_authentik_enabled else []) + + + ([{'name': hubsite_service_appsmith_name, 'url': hubsite_service_appsmith_url, 'logo_location': hubsite_service_appsmith_logo_location, 'description': hubsite_service_appsmith_description, 'priority': hubsite_service_appsmith_priority}] if hubsite_service_appsmith_enabled else []) + + + ([{'name': hubsite_service_docker_registry_browser_name, 'url': hubsite_service_docker_registry_browser_url, 'logo_location': hubsite_service_docker_registry_browser_logo_location, 'description': hubsite_service_docker_registry_browser_description, 'priority': hubsite_service_docker_registry_browser_priority}] if hubsite_service_docker_registry_browser_enabled else []) + + + ([{'name': hubsite_service_firezone_name, 'url': hubsite_service_firezone_url, 'logo_location': hubsite_service_firezone_logo_location, 'description': hubsite_service_firezone_description, 'priority': hubsite_service_firezone_priority}] if hubsite_service_firezone_enabled else []) + + ([{'name': hubsite_service_focalboard_name, 'url': hubsite_service_focalboard_url, 'logo_location': hubsite_service_focalboard_logo_location, 'description': hubsite_service_focalboard_description, 'priority': hubsite_service_focalboard_priority}] if hubsite_service_focalboard_enabled else []) + + ([{'name': hubsite_service_funkwhale_name, 'url': hubsite_service_funkwhale_url, 
'logo_location': hubsite_service_funkwhale_logo_location, 'description': hubsite_service_funkwhale_description, 'priority': hubsite_service_funkwhale_priority}] if hubsite_service_funkwhale_enabled else []) + + ([{'name': hubsite_service_gitea_name, 'url': hubsite_service_gitea_url, 'logo_location': hubsite_service_gitea_logo_location, 'description': hubsite_service_gitea_description, 'priority': hubsite_service_gitea_priority}] if hubsite_service_gitea_enabled else []) + ([{'name': hubsite_service_gotosocial_name, 'url': hubsite_service_gotosocial_url, 'logo_location': hubsite_service_gotosocial_logo_location, 'description': hubsite_service_gotosocial_description, 'priority': hubsite_service_gotosocial_priority}] if hubsite_service_gotosocial_enabled else []) + ([{'name': hubsite_service_grafana_name, 'url': hubsite_service_grafana_url, 'logo_location': hubsite_service_grafana_logo_location, 'description': hubsite_service_grafana_description, 'priority': hubsite_service_grafana_priority}] if hubsite_service_grafana_enabled else []) + + ([{'name': hubsite_service_healthchecks_name, 'url': hubsite_service_healthchecks_url, 'logo_location': hubsite_service_healthchecks_logo_location, 'description': hubsite_service_healthchecks_description, 'priority': hubsite_service_healthchecks_priority}] if hubsite_service_healthchecks_enabled else []) + + + ([{'name': hubsite_service_keycloak_name, 'url': hubsite_service_keycloak_url, 'logo_location': hubsite_service_keycloak_logo_location, 'description': hubsite_service_keycloak_description, 'priority': hubsite_service_keycloak_priority}] if hubsite_service_keycloak_enabled else []) + + ([{'name': hubsite_service_miniflux_name, 'url': hubsite_service_miniflux_url, 'logo_location': hubsite_service_miniflux_logo_location, 'description': hubsite_service_miniflux_description, 'priority': hubsite_service_miniflux_priority}] if hubsite_service_miniflux_enabled else []) + ([{'name': hubsite_service_nextcloud_name, 'url': 
hubsite_service_nextcloud_url, 'logo_location': hubsite_service_nextcloud_logo_location, 'description': hubsite_service_nextcloud_description, 'priority': hubsite_service_nextcloud_priority}] if hubsite_service_nextcloud_enabled else []) From f78abfc4efe4cc91b1bc5d6f80f49de3957f2775 Mon Sep 17 00:00:00 2001 From: Joe Hanson Date: Sat, 22 Apr 2023 14:41:02 -0500 Subject: [PATCH 044/122] Update requirements.yml Reference to non-existent tag. --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8ddc678..76bc258 100644 --- a/requirements.yml +++ b/requirements.yml @@ -85,7 +85,7 @@ version: v21.0.2-0 name: keycloak - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git - version: v0.29.0-0 + version: v0.29.1-0 name: lago - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git version: v10.11.2-0 From 65bb465f5bc2e92c221b9b7b6280c0e36adbc32a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 23 Apr 2023 09:48:11 +0200 Subject: [PATCH 045/122] Bump authentik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 76bc258..017b4f1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.9.16-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.1-2 + version: v2023.4.1-3 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From 97a48146cd985f1c3338ebc27ca590b04a6332f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 23 Apr 2023 12:18:01 +0200 Subject: [PATCH 046/122] Remove authentik path prefix --- group_vars/mash_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 6675d42..5344887 100644 
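Review bot: The added authentik entry in `hubsite_service_list_auto` sets `'priority': hubsite_service_adguard_home_priority` instead of `hubsite_service_authentik_priority`, so the `hubsite_service_authentik_priority: 1000` defined in the first hunk of this file is never read and authentik silently inherits AdGuard Home's ordering. Replace it with `'priority': hubsite_service_authentik_priority` to match every other entry in the list.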
--- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -1092,7 +1092,7 @@ hubsite_service_adguard_home_priority: 1000 # authentik hubsite_service_authentik_enabled: "{{ authentik_enabled }}" hubsite_service_authentik_name: Authentik -hubsite_service_authentik_url: "https://{{ authentik_hostname }}{{ authentik_path_prefix }}" +hubsite_service_authentik_url: "https://{{ authentik_hostname }}"" hubsite_service_authentik_logo_location: "{{ role_path }}/assets/authentik.png" hubsite_service_authentik_description: "An open source identity provider" hubsite_service_authentik_priority: 1000 From 1e670796a12fbe1872dcf5f6a48e8f62cc11b7a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 23 Apr 2023 12:27:36 +0200 Subject: [PATCH 047/122] Fix authentik uninstall+hubsite --- group_vars/mash_servers | 2 +- requirements.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 5344887..4788762 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -1092,7 +1092,7 @@ hubsite_service_adguard_home_priority: 1000 # authentik hubsite_service_authentik_enabled: "{{ authentik_enabled }}" hubsite_service_authentik_name: Authentik -hubsite_service_authentik_url: "https://{{ authentik_hostname }}"" +hubsite_service_authentik_url: "https://{{ authentik_hostname }}" hubsite_service_authentik_logo_location: "{{ role_path }}/assets/authentik.png" hubsite_service_authentik_description: "An open source identity provider" hubsite_service_authentik_priority: 1000 diff --git a/requirements.yml b/requirements.yml index 017b4f1..ce75107 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.9.16-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.1-3 + version: v2023.4.1-4 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 
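Review bot: The replacement line `hubsite_service_authentik_url: "https://{{ authentik_hostname }}""` carries a trailing stray `"`, which makes `group_vars/mash_servers` fail to parse as YAML and breaks every play that loads the group vars, not just hubsite. The intended line is `hubsite_service_authentik_url: "https://{{ authentik_hostname }}"`; the following commit in this series corrects it, but the breakage lands on this one.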
From ed3728637244d49e4a702e21430020a8fa64563a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 23 Apr 2023 13:14:18 +0200 Subject: [PATCH 048/122] refactor! Use authentik_container as there is only one --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87ebd5c..d37ebd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-04-23 + +## (Backward Compatibility Break) Authentik container variables renamed + +For the authentik role there wehre initially two containers: `authentic_worker_container` and `authentic_server_container`. To simnplifiy the setup this was reduced to one container. +As the role is pretty young and to avoid confusion because of legacy and reverted design decisions all variables containing `authentik_server_container` will now start with authentik_container. This means you will have to renemae these variables in your `vars.yml` if you already use authentik. If you use a standard setup this only includes + +* `authentic_server_container_additional_networks_custom` -> `authentik_container_additional_networks_custom` + # 2023-03-29 ## (Backward Compatibility Break) Firezone database renamed From 43b7b61ffacb043ed1de181fdb959ce1379f5175 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 23 Apr 2023 16:24:13 +0200 Subject: [PATCH 049/122] Fix up deprecation --- group_vars/mash_servers | 12 ++++++------ requirements.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 4788762..e47575c 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -572,17 +572,17 @@ authentik_server_systemd_required_services_list_auto: | ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier else []) }} -authentik_server_container_additional_networks_auto: | +authentik_container_additional_networks_auto: | {{ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + - ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_server_container_network != devture_postgres_container_network else []) + ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_container_network != devture_postgres_container_network else []) }} -authentik_server_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" -authentik_server_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" -authentik_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -authentik_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +authentik_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +authentik_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +authentik_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +authentik_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" ######################################################################## # # diff --git a/requirements.yml b/requirements.yml index ce75107..9684568 100644 --- a/requirements.yml +++ b/requirements.yml 
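Review bot: The rename to `authentik_container_*` leaves no guard for the retired `authentik_server_container_*` names, so an operator who still overrides e.g. `authentik_server_container_labels_traefik_enabled` in `vars.yml` will, if the role now reads only the new names, have that override silently ignored — Ansible does not report unused variables. Consider a pre-flight assertion (in the playbook, or in the role's validation tasks if it has them) that fails when any `authentik_server_container_*` variable is still defined, so the backward-compatibility break announced in the changelog is enforced rather than discovered at runtime. `authentik_server_systemd_required_services_list_auto` in the hunk header keeps the old prefix; whether that is deliberate is not visible here.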
@@ -7,7 +7,7 @@ version: v1.9.16-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.1-4 + version: v2023.4.1-9 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From 8b2c2dddac55cc1ba5f69bd851e92776604e7578 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 24 Apr 2023 12:00:04 +0200 Subject: [PATCH 050/122] Provide tmpfs for authentik worker --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 9684568..750a2d7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.9.16-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.1-9 + version: v2023.4.1-10 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From 1ddbfbf84ba20c0b85f7e9ad4b960cd2fe821f1c Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 24 Apr 2023 17:31:56 +0300 Subject: [PATCH 051/122] update authentic, mrs, lago, hubsite --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 750a2d7..dd57a35 100644 --- a/requirements.yml +++ b/requirements.yml @@ -93,7 +93,7 @@ - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git - version: v0.0.0-4 + version: v0.0.0-5 name: mrs - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git version: v0.49.3-2 From 30b5d1489c1f3a83d02ce5de82e25784273ce7a5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 24 Apr 2023 18:40:37 +0300 Subject: [PATCH 052/122] Upgrade Collabora Online (v22.05.12.1.1-1 -> v22.05.13.1.1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml
index dd57a35..c9de13b 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -13,7 +13,7 @@
version: v1.0.0-0
name: aux
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
- version: v22.05.12.1.1-1
+ version: v22.05.13.1.1-0
name: collabora_online
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
version: v0.1.1-2
From c22165200fe7f6dbf1df50d81e89d7e85f4d5531 Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 24 Apr 2023 23:00:21 +0300 Subject: [PATCH 053/122] docker registry 1.6.0 -> 1.6.1
--- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index c9de13b..acc7fd4 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -45,7 +45,7 @@
version: v2.8.1-1
name: docker_registry
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-browser.git
- version: v1.6.0-0
+ version: v1.6.1-0
name: docker_registry_browser
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry-purger.git
version: v1.0.0-0
From f2a36d45b77e39046d35f5fb18097858c23c7a97 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 25 Apr 2023 16:07:53 +0300 Subject: [PATCH 054/122] mrs - move cors to traefik level
--- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index acc7fd4..a06b207 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -93,7 +93,7 @@
- src: git+https://gitlab.com/etke.cc/roles/miniflux.git
version: v2.0.43-2
- src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git
- version: v0.0.0-5
+ version: v0.0.0-6
name: mrs
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git
version: v0.49.3-2
From 8b3153f6b3bbcbecd17ad53e37f5c883ddc471dd Mon Sep 17 00:00:00 2001
From: Aine Date: Thu, 27 Apr 2023 00:35:43 +0300 Subject: [PATCH 055/122] update grafana (9.4.7 -> 9.5.1) --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index a06b207..25f8389 100644 --- a/requirements.yml +++ b/requirements.yml @@ -71,7 +71,7 @@ version: v0.8.1-0 name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git - version: v9.4.7-1 + version: v9.5.1-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git version: v2.8.1-0 name: healthchecks @@ -93,7 +93,7 @@ - src: git+https://gitlab.com/etke.cc/roles/miniflux.git version: v2.0.43-2 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git - version: v0.0.0-6 + version: v0.0.0-7 name: mrs - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git version: v0.49.3-2 From d396f22c5688683053b3d9c032d34b786518680b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 27 Apr 2023 08:18:44 +0300 Subject: [PATCH 056/122] Upgrade Nextcloud (v26.0.0-4 -> v26.0.1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 25f8389..e5e40cd 100644 --- a/requirements.yml +++ b/requirements.yml @@ -102,7 +102,7 @@ version: v3.4.7-2.5.2-2 name: netbox - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-nextcloud.git - version: v26.0.0-4 + version: v26.0.1-0 name: nextcloud - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-owncast.git version: v0.0.13-0 From 6c5eefda67f4afe8678df9fb2decdad582b301fc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 27 Apr 2023 17:56:11 +0300 Subject: [PATCH 057/122] Upgrade com.devture.ansible.role.systemd_service_manager (v1.0.0-0 -> v1.0.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e5e40cd..1d58eb1 100644 
--- a/requirements.yml
+++ b/requirements.yml
@@ -32,7 +32,7 @@
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
version: v1.0.0-0
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
- version: v1.0.0-0
+ version: v1.0.0-1
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
version: 3d5bb2976815958cdce3f368fa34fb51554f899b
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
From e2677ff64ef259524a43489be89f7acf42202cb1 Mon Sep 17 00:00:00 2001 From: Aine Date: Thu, 27 Apr 2023 21:59:42 +0300 Subject: [PATCH 058/122] mrs moderation
--- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 1d58eb1..ed92de6 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -93,7 +93,7 @@
- src: git+https://gitlab.com/etke.cc/roles/miniflux.git
version: v2.0.43-2
- src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git
- version: v0.0.0-7
+ version: v0.0.0-8
name: mrs
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git
version: v0.49.3-2
From e5dde0da83bdf53a052963f8e3d85437f7268bb7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 29 Apr 2023 08:21:42 +0300 Subject: [PATCH 059/122] Upgrade com.devture.ansible.role.timesync to pinned tag (v1.0.0-0)
--- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index ed92de6..957da23 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -34,7 +34,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git version: v1.0.0-1 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: 3d5bb2976815958cdce3f368fa34fb51554f899b + version: v1.0.0-0 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git version: v2.9.10-2 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git From 772f29b418432053c013d9b817e27c1a21d997b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 29 Apr 2023 08:54:57 +0300 Subject: [PATCH 060/122] Upgrade Gitea (v1.19.1-0 -> v1.19.2-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 957da23..8c98f30 100644 --- a/requirements.yml +++ b/requirements.yml @@ -65,7 +65,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git - version: v1.19.1-0 + version: v1.19.2-0 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git version: v0.8.1-0 From 29f1a4a44a28bac69cec06521c3c10ef14ce68b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 29 Apr 2023 09:30:26 +0300 Subject: [PATCH 061/122] Add support for WireGuard Easy --- docs/services/firezone.md | 6 ++- docs/services/wg-easy.md | 96 ++++++++++++++++++++++++++++++++++++++ docs/supported-services.md | 3 +- group_vars/mash_servers | 35 ++++++++++++++ requirements.yml | 3 ++ setup.yml | 2 + 6 files changed, 142 insertions(+), 3 deletions(-) create mode 100644 docs/services/wg-easy.md diff --git a/docs/services/firezone.md b/docs/services/firezone.md index d4fbf2a..4abf5a4 100644 --- a/docs/services/firezone.md +++ b/docs/services/firezone.md 
@@ -1,6 +1,8 @@ # Firezone -[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role. +[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role. + +A more-lightweigth alternative for a self-hosted WireGuard VPN server which is more compatible with various ARM devices is [WireGuard Easy](wg-easy.md). ## Configuration @@ -38,7 +40,7 @@ After installation, you can use `just run-tags firezone-create-or-reset-admin` a By default, the following ports will be exposed by the container on **all network interfaces**: -- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://en.wikipedia.org/wiki/WireGuard) connections +- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it. diff --git a/docs/services/wg-easy.md b/docs/services/wg-easy.md new file mode 100644 index 0000000..31a1564 --- /dev/null +++ b/docs/services/wg-easy.md 
@@ -0,0 +1,96 @@ +# WireGuard Easy + +[WireGuard Easy](https://github.com/WeeJeWel/wg-easy) is the easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. + +Another more powerful alternative for a self-hosted WireGuard VPN server is [Firezone](firezone.md). WireGuard Easy is easier, lighter and more compatible with various ARM devices. + + +## Dependencies + +This service requires the following other services: + +- a [Traefik](traefik.md) reverse-proxy server +- a modern Linux kernel which supports WireGuard + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# wg-easy # +# # +######################################################################## + +wg_easy_enabled: true + +wg_easy_hostname: mash.example.com + +wg_easy_path_prefix: /wg-easy + +wg_easy_environment_variables_additional_variable_wg_host: mash.example.com + +# Put a strong password below, generated with `pwgen -s 64 1` or in another way +wg_easy_environment_variables_additional_variable_password: '' + +# The default WireGuard port is 51820. +# Uncomment and change the lines below to use another one. +# +# The port that wg-easy advertises for WireGuard connectivity in profile files. +# wg_easy_environment_variables_additional_variable_wg_port: 51820 +# +# The port that is actually published from the container. +# wg_easy_container_wireguard_bind_port: 51820 + +# The default DNS is 1.1.1.1. +# Uncomment and change the line below to use another one. 
+# wg_easy_environment_variables_additional_variable_wg_default_dns: 1.1.1.1 + +######################################################################## +# # +# /wg-easy # +# # +######################################################################## +``` + +### URL + +In the example configuration above, we configure the service to be hosted at `https://mash.example.com/wg-easy`. + +You can remove the `wg_easy_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`. + + +### Networking + +**In addition** to ports `80` and `443` exposed by the [Traefik](traefik.md) reverse-proxy, the following ports will be exposed by the WireGuard containers on **all network interfaces**: + +- `51820` over **UDP**, controlled by `wg_easy_environment_variables_additional_variable_wg_port` and `wg_easy_container_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections + +Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it. + +### Additional configuration + +For additional configuration options, see the upstream documentation's [Options](https://github.com/WeeJeWel/wg-easy#options) section. + +You can inject additional environment variables with this additional configuration: + +```yaml +wg_easy_environment_variables_additional_variables: | + WG_DEFAULT_ADDRESS: 10.6.0.x + WG_MTU: 1420 +``` + +## Usage + +After installation, you can go to the WireGuard Easy URL, as defined in `wg_easy_hostname` and `wg_easy_path_prefix`. + +You can authenticate with the password set in `wg_easy_environment_variables_additional_variable_password`. + +You can then create various Clients and import the configuration for them onto your devices - either by downloading a file or by scanning a QR code. 
+ + +## Recommended other services + +- [AdGuard Home](adguard-home.md) - A network-wide DNS software for blocking ads & tracking diff --git a/docs/supported-services.md b/docs/supported-services.md index fcbca09..877179a 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -12,7 +12,7 @@ | [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) | | [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) | | [Focalboard](https://www.focalboard.com/) | An open source, self-hosted alternative to [Trello](https://trello.com/), [Notion](https://www.notion.so/), and [Asana](https://asana.com/). | [Link](services/focalboard.md) | -| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with a Web UI | [Link](services/firezone.md) | +| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with a Web UI | [Link](services/firezone.md) | | [Funkwhale](https://funkwhale.audio/) | Listen and share music with a selfhosted streaming server.| [Link](services/funkwhale.md) | | [Gitea](https://gitea.io/) | A painless self-hosted [Git](https://git-scm.com/) service. | [Link](services/gitea.md) | | [GoToSocial](https://gotosocial.org/) | A self-hosted [ActivityPub](https://activitypub.rocks/) social network server | [Link](services/gotosocial.md) | 
@@ -43,6 +43,7 @@ | [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) | | [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) | | [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) | +| [WireGuard Easy](https://github.com/WeeJeWel/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) | | [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) | | System-related | A collection of various system-related components | [Link](services/system.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index e47575c..1d52077 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -178,6 +178,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': (vaultwarden_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}] if vaultwarden_enabled else []) + ([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else []) + + + ([{'name': (wg_easy_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'wg-easy']}] if wg_easy_enabled else []) }} ######################################################################## 
@@ -2113,6 +2115,39 @@ uptime_kuma_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certR +######################################################################## +# # +# wg-easy # +# # +######################################################################## + +wg_easy_enabled: false + +wg_easy_identifier: "{{ mash_playbook_service_identifier_prefix }}wg-easy" + +wg_easy_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}wg-easy" + +wg_easy_uid: "{{ mash_playbook_uid }}" +wg_easy_gid: "{{ mash_playbook_gid }}" + +wg_easy_container_additional_networks_auto: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +wg_easy_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +wg_easy_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +wg_easy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +wg_easy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /wg-easy # +# # +######################################################################## + + + ######################################################################## # # # woodpecker-ci-server # diff --git a/requirements.yml b/requirements.yml index 8c98f30..f97c623 100644 --- a/requirements.yml +++ b/requirements.yml @@ -137,3 +137,6 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git version: v1.28.1-0 name: vaultwarden +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-wg-easy.git + version: v7-0 + name: wg_easy diff --git a/setup.yml b/setup.yml index 4ce0151..6a82a71 100644 --- a/setup.yml +++ b/setup.yml 
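Review bot: The wg-easy stanza attaches the admin UI to the shared reverse-proxy network and Traefik entrypoint, but defines no default for `wg_easy_environment_variables_additional_variable_password`, and the documentation added in this same commit shows it as `''`. If the role forwards an empty value unchanged and does not refuse it, the web UI — which creates VPN client profiles and hands out their keys — would be served on `wg_easy_hostname` without any authentication; the role's validation is not visible in this diff, so please confirm it fails on an empty password, or add a playbook-level assertion next to this stanza. A short comment here would also save the reader a cross-reference to `docs/services/wg-easy.md`, e.g. `# wg-easy also publishes its WireGuard UDP port on all interfaces; see docs/services/wg-easy.md`.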
@@ -122,6 +122,8 @@ - role: galaxy/uptime_kuma + - role: galaxy/wg_easy + - role: galaxy/com.devture.ansible.role.woodpecker_ci_server - role: galaxy/com.devture.ansible.role.woodpecker_ci_agent From ce60773b839f92e954f726c9bbc9cc16a6bca4a2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 30 Apr 2023 22:00:23 +0300 Subject: [PATCH 062/122] Upgrade Lago (v0.29.1-0 -> v0.30.0-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index f97c623..1925114 100644 --- a/requirements.yml +++ b/requirements.yml @@ -85,7 +85,7 @@ version: v21.0.2-0 name: keycloak - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git - version: v0.29.1-0 + version: v0.30.0-0 name: lago - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git version: v10.11.2-0 From 5ee5bbfcb572fcb44e2cbccbf7d8ddc962f4d0e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 1 May 2023 09:12:29 +0200 Subject: [PATCH 063/122] Add backup borg --- group_vars/mash_servers | 47 +++++++++++++++++++++++++++++++++++++++++ requirements.yml | 2 ++ setup.yml | 2 ++ 3 files changed, 51 insertions(+) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 1d52077..0eb68c7 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -594,6 +594,53 @@ authentik_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certRes +######################################################################## +# # +# backup-borg # +# # +######################################################################## + +backup_borg_enabled: false + +backup_borg_identifier: "{{ mash_playbook_service_identifier_prefix }}backup-borg" + +backup_borg_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}borg-backup" + +backup_borg_uid: "{{ mash_playbook_uid }}" +backup_borg_gid: "{{ mash_playbook_gid }}" + +backup_borg_container_network: "{{ devture_postgres_container_network if devture_postgres_enabled else backup_borg_identifier }}" + +backup_borg_retention_prefix: "{{ mash_playbook_service_identifier_prefix }}" +backup_borg_storage_archive_name_format: "{{ mash_playbook_service_identifier_prefix }}-{now:%Y-%m-%d-%H%M%S}" + +backup_borg_container_image_self_build: "{{ mash_playbook_architecture not in ['amd64', 'arm32', 'arm64'] }}" + +backup_borg_postgresql_enabled: "{{ devture_postgres_enabled }}" +backup_borg_postgresql_databases_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_username: "{{ devture_postgres_connection_username if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" +backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +backup_borg_postgresql_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" + +backup_borg_location_source_directories: + - "{{ mash_playbook_base_path }}" + +backup_borg_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + 
+######################################################################## +# # +# /backup-borg # +# # +######################################################################## + + + ######################################################################## # # # collabora-online # diff --git a/requirements.yml b/requirements.yml index 1925114..3b0279e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -12,6 +12,8 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 name: aux +- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git + version: v1.2.4-1.7.12-1 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git version: v22.05.13.1.1-0 name: collabora_online diff --git a/setup.yml b/setup.yml index 6a82a71..2786272 100644 --- a/setup.yml +++ b/setup.yml @@ -60,6 +60,8 @@ - role: galaxy/authentik + - role: galaxy/backup_borg + - role: galaxy/collabora_online - role: galaxy/docker_registry From 132159ca0fe62162a3784d943cae8c12c4b1e9cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 1 May 2023 17:43:52 +0200 Subject: [PATCH 064/122] Add mysql support + add exclude patterns --- group_vars/mash_servers | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 0eb68c7..f92ba0a 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
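Review bot: `backup_borg_base_path` names its directory `borg-backup` while `backup_borg_identifier` and every other variable in the stanza use `backup-borg`; the other stanzas keep the directory suffix equal to the identifier suffix (e.g. `wg-easy`), so this reads as a slip and makes the on-disk path harder to find — `backup_borg_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}backup-borg"`. Separately, `backup_borg_location_source_directories` archives the whole `mash_playbook_base_path`, which contains `backup_borg_base_path` itself; if the role writes the repository passphrase or the SSH private key under that directory, those secrets end up inside every archive, so an exclusion for the service's own directory may be worth considering (the role's layout is not visible here). The `backup_borg_postgresql_databases_*` values are the playbook's superuser connection credentials; a comment such as `# dumps run as the Postgres superuser; scope down if the role supports a dedicated dump user` would make that trust boundary explicit.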
@@ -623,14 +623,29 @@ backup_borg_postgresql_databases_password: "{{ devture_postgres_connection_passw backup_borg_postgresql_databases_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" backup_borg_postgresql_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}" +backup_borg_mysql_enabled: "{{ mariadb_enabled }}" +backup_borg_mysql_databases_hostname: "{{ mariadb_identifier if mariadb_enabled else '' }}" +backup_borg_mysql_databases_username: "root" +backup_borg_mysql_databases_password: "{{ mariadb_root_passsword if mariadb_enabled else '' }}" +backup_borg_mysql_databases_port: "{{ devture_postgres_connection_port if mariadb_enabled else 3306 }}" +backup_borg_mysql_databases: "{{ mariadb_managed_databases | map(attribute='name') if mariadb_enabled else [] }}" + + backup_borg_location_source_directories: - "{{ mash_playbook_base_path }}" +backup_borg_location_exclude_patterns: + - "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" + - "{{ mariadb_data_path if mariadb_enabled else '' }}" + + backup_borg_systemd_required_services_list: | {{ ['docker.service'] + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + ([mariadb_identifier ~ '.service'] if mariadb_enabled else []) }} ######################################################################## From ab05b6df3ff0e3e4b1ffa74529737d927bbb730d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 2 May 2023 07:58:06 +0200 Subject: [PATCH 065/122] Bump Backup-Borg version --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3b0279e..70b1b2b 100644 --- a/requirements.yml +++ b/requirements.yml 
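Review bot: Two values in the new MySQL block look like copy-paste slips. `backup_borg_mysql_databases_password` reads `mariadb_root_passsword` (three s's); if the MariaDB role's variable is spelled `mariadb_root_password`, this fails with an undefined-variable error as soon as `mariadb_enabled` is true, while the `else ''` branch hides it whenever MariaDB is off. `backup_borg_mysql_databases_port` takes `devture_postgres_connection_port` for the MariaDB port, so the dump client would be pointed at the Postgres port; it should reference the MariaDB role's port variable, whose name is not visible in this diff — e.g. `backup_borg_mysql_databases_port: "{{ <MARIADB_PORT_VARIABLE> if mariadb_enabled else 3306 }}"`. The same two lines survive unchanged as context in c645f2ae8e75c416d710d26bc4a558dd94ddd41d ("Redo backup_borg_location_exclude_patterns…"). The hard-coded `root` user also means dumps run with full MariaDB privileges; a dedicated read-only dump user would be least privilege, if the mariadb role can provision one.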
@@ -13,7 +13,7 @@
version: v1.0.0-0
name: aux
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
- version: v1.2.4-1.7.12-1
+ version: v1.2.4-1.7.12-2
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
version: v22.05.13.1.1-0
name: collabora_online
From 1f0022b1cda952cb415d4379936213322b25a041 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 May 2023 09:11:03 +0300 Subject: [PATCH 066/122] Upgrade Woodpecker CI (v0.15.7 -> v0.15.8)
--- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements.yml b/requirements.yml
index 1925114..7879998 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -38,9 +38,9 @@
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
version: v2.9.10-2
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
- version: v0.15.7-1
+ version: v0.15.8-0
- src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
- version: v0.15.7-3
+ version: v0.15.8-0
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git
version: v2.8.1-1
name: docker_registry
From c645f2ae8e75c416d710d26bc4a558dd94ddd41d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 May 2023 09:16:53 +0300 Subject: [PATCH 067/122] Redo backup_borg_location_exclude_patterns to ensure it doesn't contain empty strings Previously, if Postgres or MariaDB were disabled, an empty path (`''`) would be injected. I'm not sure how borg-backup would handle such paths, but I suppose we'd better not feed it such stuff.
--- group_vars/mash_servers | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/group_vars/mash_servers b/group_vars/mash_servers
index f92ba0a..3cb824c 100644
--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@@ -630,14 +630,15 @@ backup_borg_mysql_databases_password: "{{ mariadb_root_passsword if mariadb_enab backup_borg_mysql_databases_port: "{{ devture_postgres_connection_port if mariadb_enabled else 3306 }}" backup_borg_mysql_databases: "{{ mariadb_managed_databases | map(attribute='name') if mariadb_enabled else [] }}" - backup_borg_location_source_directories: - "{{ mash_playbook_base_path }}" -backup_borg_location_exclude_patterns: - - "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}" - - "{{ mariadb_data_path if mariadb_enabled else '' }}" - +backup_borg_location_exclude_patterns: | + {{ + ([devture_postgres_data_path] if devture_postgres_enabled else []) + + + ([mariadb_data_path] if mariadb_enabled else []) + }} backup_borg_systemd_required_services_list: | {{ From c0bc33ab17b4c6195b208fa5d9eaff791ccc9766 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 2 May 2023 08:18:45 +0200 Subject: [PATCH 068/122] Add docs --- docs/services/backup-borg.md | 81 ++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 docs/services/backup-borg.md diff --git a/docs/services/backup-borg.md b/docs/services/backup-borg.md new file mode 100644 index 0000000..4b5f679 --- /dev/null +++ b/docs/services/backup-borg.md 
@@ -0,0 +1,81 @@ +# Setting up borg backup (optional) + +The playbook can install and configure [borgbackup](https://www.borgbackup.org/) with [borgmatic](https://torsion.org/borgmatic/) for you. +BorgBackup is a deduplicating backup program with optional compression and encryption. +That means your daily incremental backups can be stored in a fraction of the space and is safe whether you store it at home or on a cloud service. + +You will need a remote server where borg will store the backups. There are hosted, borg compatible solutions available, such as [BorgBase](https://www.borgbase.com). + +The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day. + +By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable. + + +## Prerequisites + +1. Create a new SSH key: + +```bash +ssh-keygen -t ed25519 -N '' -f borg-backup -C MASH +``` + +This can be done on any machine and you don't need to place the key in the `.ssh` folder. It will be added to the Ansible config later. + +1. Add the **public** part of this SSH key (the `borg-backup.pub` file) to your borg provider/server: + +If you plan to use a hosted solution, follow their instructions. 
If you have your own server, copy the key over: + +```bash +# example to append the new PUBKEY contents, where: +# PUBKEY is path to the public key, +# USER is a ssh user on a provider / server +# HOST is a ssh host of a provider / server +cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc' +``` + +## Adjusting the playbook configuration + +Minimal working configuration (`inventory/host_vars//vars.yml`) to enable borg backup: + +```yaml +backup_borg_enabled: true +backup_borg_location_repositories: + - ssh://USER@HOST/./REPO +backup_borg_storage_encryption_passphrase: "PASSPHRASE" +backup_borg_ssh_key_private: | + -----BEGIN OPENSSH PRIVATE KEY----- + THISMUSTBEREPLACEDc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZW + xpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRv + bG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3 + RydWQgZXhlcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXgg + ZWEgY29tbW9kbyBjb25zZXF1YXQuIA== + -----END OPENSSH PRIVATE KEY----- +``` + +where: + +* USER - SSH user of a provider/server +* HOST - SSH host of a provider/server +* REPO - borg repository name, it will be initialized on backup start, eg: `mash`, regarding Syntax see [Remote repositories](https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls) +* PASSPHRASE - passphrase used for encrypting backups, you may generate it with `pwgen -s 64 1` or use any password manager +* PRIVATE KEY - the content of the **private** part of the SSH key you created before. The whole key (all of its belonging lines) under `backup_borg_ssh_key_private` needs to be indented with 2 spaces + +To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. This will also enable the `backup_borg_unknown_unencrypted_repo_access_is_ok` variable. 
+ +`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ mash_playbook_base_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable. + +Check the `roles/custom/nextcloud-backup-borg/defaults/main.yml` file for the full list of available options. + +## Installing + +After configuring the playbook, run the [installation](installing.md) command again: + +``` +just install-all +``` + +## Manually start a backup + +For testing your setup it can be helpful to not wait until 4am. If you want to run the backup immediately, log onto the server +and run `systemctl start mash-backup-borg`. This will not return until the backup is done, so possibly a long time. +Consider using [tmux](https://en.wikipedia.org/wiki/Tmux) if your SSH connection is unstable. From 9fe7fc036e4654a7740ed5fef40a6bcd3e874b7f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 May 2023 09:19:45 +0300 Subject: [PATCH 069/122] Upgrade Appsmith (v1.9.16-0 -> v1.9.17-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 1ad498a..8826e1b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v0.107.26-1 name: adguard_home - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git - version: v1.9.16-0 + version: v1.9.17-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git version: v2023.4.1-10 From a3dde9d59a8b20a49a8379cc7acf0c997d85a79d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 2 May 2023 08:21:47 +0200 Subject: [PATCH 070/122] Add mariadb --- docs/services/backup-borg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/services/backup-borg.md b/docs/services/backup-borg.md index 4b5f679..c9b6e32 100644 --- a/docs/services/backup-borg.md +++ b/docs/services/backup-borg.md @@ -8,7 +8,7 @@ You will need a remote server where borg will store the backups. There are hoste The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day. -By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)), Borg backups will also include dumps of your Postgres database. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable. +By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)) or MariaDB as MySQL server, Borg backups will also include dumps of your databases. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable. ## Prerequisites From 6896230e298d6b043c0861fa9cfb12ab508e6277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 2 May 2023 08:25:32 +0200 Subject: [PATCH 071/122] Replace old references --- docs/services/backup-borg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/services/backup-borg.md b/docs/services/backup-borg.md index c9b6e32..3b8b703 100644 --- a/docs/services/backup-borg.md +++ b/docs/services/backup-borg.md 
@@ -62,9 +62,9 @@ where: To backup without encryption, add `backup_borg_encryption: 'none'` to your vars. This will also enable the `backup_borg_unknown_unencrypted_repo_access_is_ok` variable. -`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ mash_playbook_base_path }}` by default, which is the base directory for every service's data, such as Synapse, Postgres and the bridges. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable. +`backup_borg_location_source_directories` defines the list of directories to back up: it's set to `{{ mash_playbook_base_path }}` by default, which is the base directory for every service's data, such as Nextcloud, Postgres and all others. You might want to exclude certain directories or file patterns from the backup using the `backup_borg_location_exclude_patterns` variable. -Check the `roles/custom/nextcloud-backup-borg/defaults/main.yml` file for the full list of available options. +Check the `roles/galaxy/backup-borg/defaults/main.yml` file for the full list of available options. ## Installing From 7338b0b8ca6d53026c53dcbd10fd10a5e00c161e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 2 May 2023 08:26:29 +0200 Subject: [PATCH 072/122] Follow usual layout --- docs/services/backup-borg.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/services/backup-borg.md b/docs/services/backup-borg.md index 3b8b703..9e67da4 100644 --- a/docs/services/backup-borg.md +++ b/docs/services/backup-borg.md 
@@ -38,6 +38,13 @@ cat PUBKEY | ssh USER@HOST 'dd of=.ssh/authorized_keys oflag=append conv=notrunc Minimal working configuration (`inventory/host_vars//vars.yml`) to enable borg backup: ```yaml + +######################################################################## +# # +# backup-borg # +# # +######################################################################## + backup_borg_enabled: true backup_borg_location_repositories: - ssh://USER@HOST/./REPO @@ -50,6 +57,12 @@ backup_borg_ssh_key_private: | RydWQgZXhlcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXgg ZWEgY29tbW9kbyBjb25zZXF1YXQuIA== -----END OPENSSH PRIVATE KEY----- + +######################################################################## +# # +# /backup-borg # +# # +######################################################################## ``` where: From f75e36eee3f290f4704e9e0da172c3ed0b913ffb Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 2 May 2023 14:02:08 +0300 Subject: [PATCH 073/122] jitsi stable-8615 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8826e1b..ddbb393 100644 --- a/requirements.yml +++ b/requirements.yml @@ -81,7 +81,7 @@ version: v1.23.3-2 name: hubsite - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v8319-6 + version: v8615-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git version: v21.0.2-0 From b78c5472abbb092209c0e4bcd7fe3f0b339a3c50 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 May 2023 09:01:32 +0300 Subject: [PATCH 074/122] Upgrade Gitea (v1.19.2-0 -> v1.19.3-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ddbb393..40b0c9e 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -67,7 +67,7 @@ version: 6.1.0 name: geerlingguy.docker - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git - version: v1.19.2-0 + version: v1.19.3-0 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git version: v0.8.1-0 From cef54a06b6716b497c5e513da0860f90975b2bb1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 May 2023 16:33:56 +0300 Subject: [PATCH 075/122] Upgrade Lago (v0.30.0-0 -> v0.31.0-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 40b0c9e..8dbd750 100644 --- a/requirements.yml +++ b/requirements.yml @@ -87,7 +87,7 @@ version: v21.0.2-0 name: keycloak - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git - version: v0.30.0-0 + version: v0.31.0-0 name: lago - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git version: v10.11.2-0 From d51b992a4f4db72680f24fd073da8c900cdabe6c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 4 May 2023 18:34:42 +0300 Subject: [PATCH 076/122] Fix up Authentik documentation --- docs/services/authentik.md | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/docs/services/authentik.md b/docs/services/authentik.md index 912a04a..2d669f9 100644 --- a/docs/services/authentik.md +++ b/docs/services/authentik.md @@ -26,8 +26,13 @@ To enable this service, add the following configuration to your `vars.yml` file ######################################################################## authentik_enabled: true + authentik_hostname: authentik.example.com -authentik_secret_key: 'verysecret' + +# Put a strong secret below, generated with `pwgen -s 64 1` or in another way +authentik_secret_key: '' + +# Redis configuration, as described below ######################################################################## # # 
@@ -64,7 +69,7 @@ redis_enabled: true ######################################################################## # # -# authentik # +# authentik # # # ######################################################################## @@ -83,7 +88,7 @@ authentik_container_additional_networks_custom: ######################################################################## # # -# /authentik # +# /authentik # # # ######################################################################## ``` @@ -149,16 +154,14 @@ Then, adjust your main inventory host's variables file (`inventory/host_vars/aut ```yaml ######################################################################## # # -# authentik # +# authentik # # # ######################################################################## # Base configuration as shown above - # Point authentik to its dedicated Redis instance -authentik_environment_variable_redis_host: mash-authentik-redis -authentik_environment_variable_redis_cache_host: mash-authentik-redis +authentik_config_redis_hostname: mash-authentik-redis # Make sure the authentik service (mash-authentik.service) starts after its dedicated Redis service (mash-authentik-redis.service) authentik_systemd_required_services_list_custom: @@ -170,7 +173,7 @@ authentik_container_additional_networks_custom: ######################################################################## # # -# /authentik # +# /authentik # # # ######################################################################## ``` 
@@ -185,7 +188,7 @@ If you've decided to install a dedicated Redis instance for authentik, make sure After installation, you can set the admin password at `https:///if/flow/initial-setup/`. Set the admin password there and start adding applications and users! Refer to the [official documentation](https://goauthentik.io/docs/) to learn how to integrate services. For this playbook tested examples are described in the respective service documentation. See -* [Grafana](./grafana.md) -* [Nextcloud](./nextcloud.md) +* [Grafana](./grafana.md#single-sign-on-authentik) +* [Nextcloud](./nextcloud.md#single-sign-on-authentik) From 19f5f25df8e524aff57f8c19e9b2ba0f11d616ae Mon Sep 17 00:00:00 2001 From: QEDeD Date: Thu, 4 May 2023 18:26:16 +0200 Subject: [PATCH 077/122] Add info regarding the ansible_port varible Since there's already a service (Gitea) which recommends that SSH is changed to be on a non-standard port, it makes sense to add information about how to configure the playbook/Ansible to connect to a non-standard port --- examples/hosts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/hosts b/examples/hosts index 2048cc8..fe3daac 100644 --- a/examples/hosts +++ b/examples/hosts @@ -5,6 +5,8 @@ # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False` # to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file. # +# If SSH is configured to listen to a non-standard port (i.e. something different than port 22), you need to add `ansible_port=`. +# # If you're running this Ansible playbook on the same server as the one you're installing to, # consider adding an additional `ansible_connection=local` argument to the host line below. # From 657539f43625d497a7320d6fde876aaa35dadd39 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev
Date: Thu, 4 May 2023 21:17:25 +0300
Subject: [PATCH 078/122] Upgrade Authentik (v2023.4.1-10 -> v2023.4.1-11)

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index 8dbd750..e491591 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -7,7 +7,7 @@
 version: v1.9.17-0
 name: appsmith
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
- version: v2023.4.1-10
+ version: v2023.4.1-11
 name: authentik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
 version: v1.0.0-0
From 59c01f7225a476e671d3183c9fb1bf91bfe09336 Mon Sep 17 00:00:00 2001
From: Aine
Date: Sat, 6 May 2023 12:19:02 +0300
Subject: [PATCH 079/122] mrs: proxy configs

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index e491591..310f23d 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -95,7 +95,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/miniflux.git
 version: v2.0.43-2
 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git
- version: v0.0.0-8
+ version: v0.0.0-9
 name: mrs
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-navidrome.git
 version: v0.49.3-2
From a10a2213d11e5706062517094e4e610dc326b8fe Mon Sep 17 00:00:00 2001
From: Aine
Date: Sun, 7 May 2023 21:29:54 +0300
Subject: [PATCH 080/122] miniflux v2.0.44

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index 310f23d..7c507b0 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -93,7 +93,7 @@
 version: v10.11.2-0
 name: mariadb
 - src: git+https://gitlab.com/etke.cc/roles/miniflux.git
- version: v2.0.43-2
+ version: v2.0.44-0
 - src: git+https://gitlab.com/etke.cc/mrs/ansible-role-mrs.git
 version: v0.0.0-9
 name: mrs
From 0f84e2a9eebe8ee4411486ab132060f6034e876e Mon Sep 17 00:00:00 2001
From: Aine
Date: Mon, 8 May 2023 00:34:53 +0300
Subject: [PATCH 081/122] radicale: support different auth plugins

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index 7c507b0..a4acf33 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -120,7 +120,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.5.0-7
 - src: git+https://gitlab.com/etke.cc/roles/radicale.git
- version: v3.1.8.2-0
+ version: v3.1.8.2-1
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
 - src: git+https://gitlab.com/etke.cc/roles/redmine.git
From 57f97ae7c70fec23f585fac58e089908656a647b Mon Sep 17 00:00:00 2001
From: Aine
Date: Mon, 8 May 2023 13:07:19 +0300
Subject: [PATCH 082/122] radicale: enable git hook by default

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index a4acf33..c8bb617 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -120,7 +120,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.5.0-7
 - src: git+https://gitlab.com/etke.cc/roles/radicale.git
- version: v3.1.8.2-1
+ version: v3.1.8.2-2
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
 - src: git+https://gitlab.com/etke.cc/roles/redmine.git
From af827f3db6adeaefd810e97f37721374c2e503a4 Mon Sep 17 00:00:00 2001
From: Aine
Date: Mon, 8 May 2023 13:20:12 +0300
Subject: [PATCH 083/122] radicale: fix git hook

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index c8bb617..4698991 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -120,7 +120,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
 version: v1.5.0-7
 - src: git+https://gitlab.com/etke.cc/roles/radicale.git
- version: v3.1.8.2-2
+ version: v3.1.8.2-3
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
 version: v7.0.10-0
 - src: git+https://gitlab.com/etke.cc/roles/redmine.git
From 13d0f631cfd0263a1bc2bca88eac15ba91b5abbf Mon Sep 17 00:00:00 2001
From: Aine
Date: Mon, 8 May 2023 20:56:11 +0300
Subject: [PATCH 084/122] uptime kuma v1.21.3

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index 4698991..b2255d5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -135,7 +135,7 @@
 version: v1.23.4-1
 name: syncthing
 - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
- version: v1.21.2-0
+ version: v1.21.3-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
 version: v1.28.1-0
 name: vaultwarden
From a7e6afe9c996ca0a3bf69c087a3208c566bfb794 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 9 May 2023 15:35:19 +0300
Subject: [PATCH 085/122] Upgrade Keycloak (v21.0.2-0 -> v21.1.1-0)

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index b2255d5..3741d49 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -84,7 +84,7 @@
 version: v8615-0
 name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keycloak.git
- version: v21.0.2-0
+ version: v21.1.1-0
 name: keycloak
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
 version: v0.31.0-0
From f1b82dbe66f81e70392c0e995c7c7be0d10a4a26 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 9 May 2023 15:36:32 +0300
Subject: [PATCH 086/122] Upgrade Focalboard (v7.9.3-1 -> v7.9.3-2)

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 3741d49..01a8a30 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -58,7 +58,7 @@
 version: v0.7.25-2
 name: firezone
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-focalboard.git
- version: v7.9.3-1
+ version: v7.9.3-2
 name: focalboard
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-funkwhale.git
 version: v1.3.0-rc5-3
From a0b48088be72e0afc8ee0acad810766bd329c82f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 11 May 2023 09:41:45 +0300
Subject: [PATCH 087/122] Upgrade Grafana (v9.5.1-0 -> v9.5.2-0)

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index 01a8a30..a2bce7e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -73,7 +73,7 @@
 version: v0.8.1-0
 name: gotosocial
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
- version: v9.5.1-0
+ version: v9.5.2-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-healthchecks.git
 version: v2.8.1-0
 name: healthchecks
From fba5a7ab237b3c58ed586b7c4f6ad20ff357777e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 11 May 2023 11:32:21 +0300
Subject: [PATCH 088/122] Upgrade Lago (v0.31.0-0 -> v0.32.0-0)

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index a2bce7e..1dd8d0c 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -87,7 +87,7 @@
 version: v21.1.1-0
 name: keycloak
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
- version: v0.31.0-0
+ version: v0.32.0-0
 name: lago
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git
 version: v10.11.2-0
From debfd9c1aafc144736ad77b93ca594afa847323d Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 11 May 2023 11:33:59 +0300
Subject: [PATCH 089/122] Upgrade Appsmith (v1.9.17-0 -> v1.9.18-0)

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index 1dd8d0c..bb7cc32 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,7 +4,7 @@
 version: v0.107.26-1
 name: adguard_home
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git
- version: v1.9.17-0
+ version: v1.9.18-0
 name: appsmith
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
 version: v2023.4.1-11
From 4eb71df91a44bef4a36c36483e1d37813ed54152 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 12 May 2023 07:09:22 +0300
Subject: [PATCH 090/122] Update backup-borg documentation with regard to external servers

Fixes https://github.com/mother-of-all-self-hosting/mash-playbook/issues/56

---
 docs/services/backup-borg.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/services/backup-borg.md b/docs/services/backup-borg.md
index 9e67da4..4657435 100644
--- a/docs/services/backup-borg.md
+++ b/docs/services/backup-borg.md
@@ -8,8 +8,14 @@ You will need a remote server where borg will store the backups. There are hoste The backup will run based on `backup_borg_schedule` var (systemd timer calendar), default: 4am every day. -By default, if you're using the integrated Postgres database server (as opposed to [an external Postgres server](configuring-playbook-external-postgres.md)) or MariaDB as MySQL server, Borg backups will also include dumps of your databases. An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). If you decide to go with another solution, you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable. +By default, Borg backups will include a dump of your database if you're using the [integrated Postgres server](postgres.md) or the [integrated MariaDB server](mariadb.md). An alternative solution for backing up the Postgres database is [postgres backup](configuring-playbook-postgres-backup.md). +If you decide to go with another solution: + +- you can disable Postgres-backup support for Borg using the `backup_borg_postgresql_enabled` variable. +- you can disable MariaDB-backup support for Borg using the `backup_borg_mysql_enabled` variable. + +If you're using an external database server (regardless of type), you may point borgbackup to it. See the `backup_borg_postgresql_*` or `backup_borg_mysql_*` variables. ## Prerequisites From e4ac33ff3bddf13532afb9cb80bde2e75c76311e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 12 May 2023 22:02:17 +0300 Subject: [PATCH 091/122] Upgrade Appsmith (v1.9.18-0 -> v1.9.19-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index bb7cc32..5aed375 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,7 +4,7 @@
 version: v0.107.26-1
 name: adguard_home
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git
- version: v1.9.18-0
+ version: v1.9.19-0
 name: appsmith
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
 version: v2023.4.1-11
From 347039acc94fac5bb1a7f91b7a0ddf5916670572 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 12 May 2023 22:02:28 +0300
Subject: [PATCH 092/122] Upgrade Lago (v0.32.0-0 -> v0.33.0-0)

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index 5aed375..43c0f3e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -87,7 +87,7 @@
 version: v21.1.1-0
 name: keycloak
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
- version: v0.32.0-0
+ version: v0.33.0-0
 name: lago
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git
 version: v10.11.2-0
From 82a6bd5192cb0d6a53b43efc2eff34e0a9a7cc34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Sat, 13 May 2023 17:32:49 +0200
Subject: [PATCH 093/122] Add postgres exporter role

---
 requirements.yml | 3 +++
 setup.yml | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/requirements.yml b/requirements.yml
index bb7cc32..e9b9b97 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -112,6 +112,9 @@
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git
 version: v5.1.0-3
 name: peertube
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-exporter.git
+ version: v0.12.0-0
+ name: peertube
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
 version: v2.43.0-0
 name: prometheus
diff --git a/setup.yml b/setup.yml
index 2786272..42d8692 100644
--- a/setup.yml
+++ b/setup.yml
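Review bot: The new `ansible-role-postgres-exporter` entry in requirements.yml is given `name: peertube`, the same `name` as the peertube entry three lines above it; `name` is the directory the role is installed under, so the two entries resolve to the same role directory and the `galaxy/postgres-exporter` role that the setup.yml hunk of this same commit references would never be installed. Change the line to `name: postgres-exporter` so it matches the role name used in setup.yml.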
@@ -106,6 +106,8 @@
 - role: galaxy/peertube
+ - role: galaxy/postgres-exporter
+
 - role: galaxy/prometheus
 - role: galaxy/prometheus_node_exporter
 - role: galaxy/prometheus_blackbox_exporter
From 4a1317feb5404eb74f4180975796ea4a8e3b1dd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Sat, 13 May 2023 17:33:38 +0200
Subject: [PATCH 094/122] Bump funkwhale version

---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.yml b/requirements.yml
index bb7cc32..229d6d0 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -61,7 +61,7 @@
 version: v7.9.3-2
 name: focalboard
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-funkwhale.git
- version: v1.3.0-rc5-3
+ version: v1.3.0-rc6-0
 name: funkwhale
 - src: git+https://github.com/geerlingguy/ansible-role-docker
 version: 6.1.0
From 127abdda6f4e233da574633b990cde3fa8d944f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Sun, 14 May 2023 18:39:17 +0200
Subject: [PATCH 095/122] Add integration&documentation for postgres exporter

---
 docs/services/postgres-exporter.md | 40 ++++++++++++++++++++++
 group_vars/mash_servers | 55 ++++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)
 create mode 100644 docs/services/postgres-exporter.md

diff --git a/docs/services/postgres-exporter.md b/docs/services/postgres-exporter.md
new file mode 100644
index 0000000..e7e7001
--- /dev/null
+++ b/docs/services/postgres-exporter.md
@@ -0,0 +1,40 @@ +# Postgres Exporter + +This playbook can configure [Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) by utilizing [mother-of-all-self-hosting/ansible-role-postgres-exporter](https://github.com/mother-of-all-self-hosting/ansible-role-postgres-exporter.git). + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# postgres_exporter # +# # +######################################################################## + +postgres_exporter_enabled: true + +# To expose the metrics publicly, enable and configure the lines below: +# postgres_exporter_hostname: mash.example.com +# postgres_exporter_path_prefix: /metrics/postgres-exporter + +# To protect the metrics with HTTP Basic Auth, enable and configure the lines below: +# postgres_exporter_basicauth_enabled: true +# postgres_exporter_basicauth_user: your_username +# postgres_exporter_basicauth_password: your password + +######################################################################## +# # +# /postgres_exporter # +# # +######################################################################## +``` + +Unless you're scraping the Postgres Exporter metrics from a local [Prometheus](prometheus.md) instance, as described in [Integrating with Postgres Exporter](prometheus.md#integrating-with-postgres-exporter), you will probably wish to expose the metrics publicly so that a remote Prometheus instance can fetch them. + +## Usage + +After you installed the exporter, your stats will be available on `mash.example.com/metrics/postgres-exporter` with basic auth credentials you configured + diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 3cb824c..0d46b8e 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers 
@@ -299,6 +299,12 @@ devture_postgres_managed_databases_auto: |
 'password': peertube_config_database_password,
 }] if peertube_enabled else [])
 +
+ ([{
+ 'name': postgres_exporter_database_name,
+ 'username': postgres_exporter_database_username,
+ 'password': postgres_exporter_database_password,
+ }] if postgres_exporter_enabled else [])
+ +
 ([{
 'name': firezone_database_name,
 'username': firezone_database_user,
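Review bot: The new managed-database entry references `postgres_exporter_database_name`, but the `postgres_exporter_*` defaults this commit adds further down in the same file define only `postgres_exporter_database_hostname`, `_username`, `_password`, `_port` and `_ssl`, not `_name`. Presumably the role's own defaults supply it; if they do not, rendering `devture_postgres_managed_databases_auto` with `postgres_exporter_enabled: true` fails on an undefined variable, so it is worth confirming or defining it next to the other `postgres_exporter_database_*` variables (e.g. `postgres_exporter_database_name: postgres-exporter`, matching the username). The `devture_postgres_managed_databases_auto` definition starts and ends outside this hunk.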
@@ -1824,6 +1830,55 @@ peertube_systemd_required_services_list_auto: | ######################################################################## + +######################################################################## +# # +# postgres_exporter # +# # +######################################################################## + +postgres_exporter_enabled: false + +postgres_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}postgres-exporter" + +postgres_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}postgres-exporter" + +postgres_exporter_uid: "{{ mash_playbook_uid }}" +postgres_exporter_gid: "{{ mash_playbook_gid }}" + +postgres_exporter_basicauth_enabled: "{{ postgres_exporter_container_labels_traefik_enabled }}" +postgres_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'postgres-exporter.user', rounds=655555) | to_uuid }}" +postgres_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'postgres-exporter.password', rounds=655555) | to_uuid }}" + +postgres_exporter_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and postgres_exporter_database_hostname == devture_postgres_identifier and postgres_exporter_container_network != devture_postgres_container_network else []) + }} + +# Only enable Traefik labels if a hostname is set (indicating that this will be exposed publicly) +postgres_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled and postgres_exporter_hostname | length > 0 }}" +postgres_exporter_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" 
+postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +postgres_exporter_database_username: postgres-exporter +postgres_exporter_database_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" +postgres_exporter_database_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +postgres_exporter_database_ssl: false + +postgres_exporter_permission_grant_command: "{{ devture_postgres_bin_path }}/cli-non-interactive -c 'GRANT pg_monitor to \"{{ postgres_exporter_database_username }}\";'" + +######################################################################## +# # +# /prometheus_node_exporter # +# # +######################################################################## + + + ######################################################################## # # # prometheus # From 0aa13304c6712ce86f101d231fe63835d08883c9 Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 15 May 2023 01:19:39 +0300 Subject: [PATCH 096/122] prometheus v2.44.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 85c1adc..e70f01b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -113,7 +113,7 @@ version: v5.1.0-3 name: peertube - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v2.43.0-0 + version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_blackbox_exporter.git version: v0.23.0-3 From caa3537e3a84dfe02c86129a840f82ef7a039a0f Mon Sep 17 00:00:00 2001 
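Review bot: `postgres_exporter_database_password` reuses `devture_postgres_connection_password`, so the dedicated `postgres-exporter` database role created via `devture_postgres_managed_databases_auto` gets what appears to be the Postgres superuser connection password — anyone who reads the exporter's configuration or environment (a metrics-only service that this section allows to be exposed through Traefik) obtains credentials far broader than `pg_monitor`. Derive a distinct secret the same way the Basic Auth credentials a few lines above are derived: `postgres_exporter_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'postgres-exporter.db', rounds=655555) | to_uuid }}"`. The closing banner of the section reads `/prometheus_node_exporter` and should read `/postgres_exporter`. How the role hands the password to the container (environment variable vs. file) is not visible here and is worth checking before exposing the service.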
From: Slavi Pantaleev Date: Mon, 15 May 2023 06:56:30 +0300 Subject: [PATCH 097/122] Upgrade Postgres (minor versions upgrade) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e70f01b..461e133 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git - version: 38764398bf82b06a1736c3bfedc71dfd229e4b52 + version: v15.3-0 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git version: 8e9ec48a09284c84704d7a2dce17da35f181574d - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git From 0b23a60f90291e81a46df959fca2cde2f4aaf8e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 15 May 2023 09:04:17 +0200 Subject: [PATCH 098/122] Fix requirements --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5e606d5..3b003f7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -114,7 +114,7 @@ name: peertube - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-exporter.git version: v0.12.0-0 - name: peertube + name: postgres-exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.43.0-0 name: prometheus From ad5d2f18f385cfd24edce924782e04db83b44a91 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 May 2023 21:23:02 +0300 Subject: [PATCH 099/122] Upgrade Authentik (v2023.4.1-11 -> v2023.5.0-0) Related to https://github.com/mother-of-all-self-hosting/ansible-role-authentik/pull/3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index 461e133..64602e2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.9.19-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.4.1-11 + version: v2023.5.0-0 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-0 From ea2918165398f5048c7d536b5a3832090a031a69 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 16 May 2023 22:58:11 +0300 Subject: [PATCH 100/122] borgmatic v1.7.13; prometheus blackbox exporter v0.24.0 --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index 64602e2..d6bb41f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -13,7 +13,7 @@ version: v1.0.0-0 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git - version: v1.2.4-1.7.12-2 + version: v1.2.4-1.7.13-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git version: v22.05.13.1.1-0 name: collabora_online @@ -116,7 +116,7 @@ version: v2.44.0-0 name: prometheus - src: git+https://gitlab.com/etke.cc/roles/prometheus_blackbox_exporter.git - version: v0.23.0-3 + version: v0.24.0-0 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 - src: git+https://gitlab.com/etke.cc/roles/radicale.git From aa6b687ec903b3e8a4737eda94f5f55d64c13a51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 17 May 2023 10:32:47 +0200 Subject: [PATCH 101/122] Switch role --- docs/services/postgres-exporter.md | 18 ++++----- group_vars/mash_servers | 59 +++++++++++++++++------------- requirements.yml | 6 +-- setup.yml | 3 +- 4 files changed, 47 insertions(+), 39 deletions(-) diff --git a/docs/services/postgres-exporter.md b/docs/services/postgres-exporter.md index e7e7001..e625530 100644 --- a/docs/services/postgres-exporter.md 
+++ b/docs/services/postgres-exporter.md @@ -1,6 +1,6 @@ # Postgres Exporter -This playbook can configure [Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) by utilizing [mother-of-all-self-hosting/ansible-role-postgres-exporter](https://github.com/mother-of-all-self-hosting/ansible-role-postgres-exporter.git). +This playbook can configure [Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) by utilizing [mother-of-all-self-hosting/ansible-role-postgres-exporter](https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git). ## Configuration @@ -10,24 +10,24 @@ To enable this service, add the following configuration to your `vars.yml` file ```yaml ######################################################################## # # -# postgres_exporter # +# prometheus_postgres_exporter # # # ######################################################################## -postgres_exporter_enabled: true +prometheus_postgres_exporter_enabled: true # To expose the metrics publicly, enable and configure the lines below: -# postgres_exporter_hostname: mash.example.com -# postgres_exporter_path_prefix: /metrics/postgres-exporter +# prometheus_postgres_exporter_hostname: mash.example.com +# prometheus_postgres_exporter_path_prefix: /metrics/postgres-exporter # To protect the metrics with HTTP Basic Auth, enable and configure the lines below: -# postgres_exporter_basicauth_enabled: true -# postgres_exporter_basicauth_user: your_username -# postgres_exporter_basicauth_password: your password +# prometheus_postgres_exporter_basicauth_enabled: true +# prometheus_postgres_exporter_basicauth_user: your_username +# prometheus_postgres_exporter_basicauth_password: your password ######################################################################## # # -# /postgres_exporter # +# /prometheus_postgres_exporter # # # ######################################################################## ``` 
diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 0d46b8e..7c40643 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -163,6 +163,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else []) + + ([{'name': (prometheus_postgres_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-postgres-exporter']}] if prometheus_postgres_exporter_enabled else []) + + ([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else []) + ([{'name': (redmine_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'redmine']}] if redmine_enabled else []) @@ -300,10 +302,10 @@ devture_postgres_managed_databases_auto: | }] if peertube_enabled else []) + ([{ - 'name': postgres_exporter_database_name, - 'username': postgres_exporter_database_username, - 'password': postgres_exporter_database_password, - }] if postgres_exporter_enabled else []) + 'name': prometheus_postgres_exporter_database_name, + 'username': prometheus_postgres_exporter_database_username, + 'password': prometheus_postgres_exporter_database_password, + }] if prometheus_postgres_exporter_enabled else []) + ([{ 'name': firezone_database_name, 
@@ -1833,43 +1835,50 @@ peertube_systemd_required_services_list_auto: | ######################################################################## # # -# postgres_exporter # +# prometheus_postgres_exporter # # # ######################################################################## -postgres_exporter_enabled: false +prometheus_postgres_exporter_enabled: false -postgres_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}postgres-exporter" +prometheus_postgres_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-postgres-exporter" -postgres_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}postgres-exporter" +prometheus_postgres_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometeus-postgres-exporter" -postgres_exporter_uid: "{{ mash_playbook_uid }}" -postgres_exporter_gid: "{{ mash_playbook_gid }}" +prometheus_postgres_exporter_uid: "{{ mash_playbook_uid }}" +prometheus_postgres_exporter_gid: "{{ mash_playbook_gid }}" -postgres_exporter_basicauth_enabled: "{{ postgres_exporter_container_labels_traefik_enabled }}" -postgres_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'postgres-exporter.user', rounds=655555) | to_uuid }}" -postgres_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'postgres-exporter.password', rounds=655555) | to_uuid }}" +prometheus_postgres_exporter_basicauth_enabled: "{{ prometheus_postgres_exporter_container_labels_traefik_enabled }}" +prometheus_postgres_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'prometheus-postgres-exporter.user', rounds=655555) | to_uuid }}" +prometheus_postgres_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 
'prometheus-postgres-exporter.password', rounds=655555) | to_uuid }}" -postgres_exporter_container_additional_networks: | +prometheus_postgres_exporter_container_additional_networks: | {{ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + - ([devture_postgres_container_network] if devture_postgres_enabled and postgres_exporter_database_hostname == devture_postgres_identifier and postgres_exporter_container_network != devture_postgres_container_network else []) + ([devture_postgres_container_network] if devture_postgres_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_identifier and prometheus_postgres_exporter_container_network != devture_postgres_container_network else []) }} +prometheus_postgres_exporter_server_fqn: "{{ prometheus_postgres_exporter_database_hostname }}" + # Only enable Traefik labels if a hostname is set (indicating that this will be exposed publicly) -postgres_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled and postgres_exporter_hostname | length > 0 }}" -postgres_exporter_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" -postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" -postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +prometheus_postgres_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled and prometheus_postgres_exporter_hostname | length > 0 }}" +prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ 
devture_traefik_certResolver_primary }}" -postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" -postgres_exporter_database_username: postgres-exporter -postgres_exporter_database_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" -postgres_exporter_database_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" -postgres_exporter_database_ssl: false +prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" +prometheus_postgres_exporter_database_username: prometheus_postgres_exporter +prometheus_postgres_exporter_database_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}" +prometheus_postgres_exporter_database_port: "{{ devture_postgres_connection_port if devture_postgres_enabled else 5432 }}" +prometheus_postgres_exporter_database_ssl: false -postgres_exporter_permission_grant_command: "{{ devture_postgres_bin_path }}/cli-non-interactive -c 'GRANT pg_monitor to \"{{ postgres_exporter_database_username }}\";'" +prometheus_postgres_exporter_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} ######################################################################## # # diff --git a/requirements.yml b/requirements.yml index 3b003f7..504d54b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -112,9 +112,6 @@ - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git version: v5.1.0-3 name: peertube -- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-exporter.git - version: v0.12.0-0 - name: postgres-exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git version: v2.43.0-0 name: prometheus 
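Review bot: The rewrite drops `postgres_exporter_permission_grant_command` (the `GRANT pg_monitor` step) without a visible replacement, while the exporter still connects as the dedicated `prometheus_postgres_exporter` database user; unless the new `prometheus_postgres_exporter` role performs an equivalent grant, that user cannot read the `pg_stat_*` views and scraping fails — or, if the role works around it by connecting with broader privileges, the exposure widens. Either keep a playbook-level grant, e.g. `prometheus_postgres_exporter_permission_grant_command: "{{ devture_postgres_bin_path }}/cli-non-interactive -c 'GRANT pg_monitor to \"{{ prometheus_postgres_exporter_database_username }}\";'"` if the role still supports such a hook, or add a comment in this section stating that the role handles the grant. `prometheus_postgres_exporter_database_password` also still reuses `devture_postgres_connection_password` instead of a dedicated derived secret like the Basic Auth values directly above it.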
@@ -122,6 +119,9 @@ version: v0.23.0-3 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git version: v1.5.0-7 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git + version: v0.12.0-0 + name: prometheus_postgres_exporter - src: git+https://gitlab.com/etke.cc/roles/radicale.git version: v3.1.8.2-3 - src: git+https://gitlab.com/etke.cc/roles/redis.git diff --git a/setup.yml b/setup.yml index 42d8692..210040e 100644 --- a/setup.yml +++ b/setup.yml @@ -106,11 +106,10 @@ - role: galaxy/peertube - - role: galaxy/postgres-exporter - - role: galaxy/prometheus - role: galaxy/prometheus_node_exporter - role: galaxy/prometheus_blackbox_exporter + - role: galaxy/prometheus_postgres_exporter - role: galaxy/radicale From 5ad1ab4cf81af48445bac210f3b940a323c8effc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 17 May 2023 13:43:36 +0200 Subject: [PATCH 102/122] Fix paths --- group_vars/mash_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 7c40643..366d4b3 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -1843,7 +1843,7 @@ prometheus_postgres_exporter_enabled: false prometheus_postgres_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-postgres-exporter" -prometheus_postgres_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometeus-postgres-exporter" +prometheus_postgres_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometheus-postgres-exporter" prometheus_postgres_exporter_uid: "{{ mash_playbook_uid }}" prometheus_postgres_exporter_gid: "{{ mash_playbook_gid }}" 
@@ -1859,7 +1859,7 @@ prometheus_postgres_exporter_container_additional_networks: | ([devture_postgres_container_network] if devture_postgres_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_identifier and prometheus_postgres_exporter_container_network != devture_postgres_container_network else []) }} -prometheus_postgres_exporter_server_fqn: "{{ prometheus_postgres_exporter_database_hostname }}" +prometheus_postgres_exporter_server_fqn: "{{ prometheus_postgres_exporter_hostname }}" # Only enable Traefik labels if a hostname is set (indicating that this will be exposed publicly) prometheus_postgres_exporter_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled and prometheus_postgres_exporter_hostname | length > 0 }}" From ed0512e664cbf796caddd3a14502202c39049966 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 17 May 2023 21:19:24 +0300 Subject: [PATCH 103/122] Upgrade aux (v1.0.0-0 -> v1.0.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d6bb41f..111bb9c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -10,7 +10,7 @@ version: v2023.5.0-0 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-0 + version: v1.0.0-1 name: aux - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git version: v1.2.4-1.7.13-0 From f767fecbfd3c1e28d6877a58a10d2ed3798c63d3 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 17 May 2023 21:25:42 +0300 Subject: [PATCH 104/122] Rename service docs file (postgres-exporter.md -> prometheus-postgres-exporter.md) and announce on services list Related to https://github.com/mother-of-all-self-hosting/mash-playbook/pull/58 Renaming because: - we already have other Prometheus exporters, which follow the `prometheus-*-exporter` naming - being more explicit is clearer in any case - the role is named `*-prometheus-postgres-exporter`, so it's also consistent with that --- .../{postgres-exporter.md => prometheus-postgres-exporter.md} | 0 docs/supported-services.md | 3 ++- 2 files changed, 2 insertions(+), 1 deletion(-) rename docs/services/{postgres-exporter.md => prometheus-postgres-exporter.md} (100%) diff --git a/docs/services/postgres-exporter.md b/docs/services/prometheus-postgres-exporter.md similarity index 100% rename from docs/services/postgres-exporter.md rename to docs/services/prometheus-postgres-exporter.md diff --git a/docs/supported-services.md b/docs/supported-services.md index 877179a..66453a3 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md 
@@ -33,8 +33,9 @@ | [Postgres](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](services/postgres.md) | | [Postgres Backup](https://github.com/prodrigestivill/docker-postgres-backup-local) | A solution for backing up PostgresSQL to local filesystem with periodic backups. | [Link](services/postgres-backup.md) | | [Prometheus](https://prometheus.io/) | A metrics collection and alerting monitoring solution | [Link](services/prometheus.md) | -| [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) | Exporter for machine metrics | [Link](services/prometheus-node-exporter.md) | | [Prometheus Blackbox Exporter](https://github.com/prometheus/blackbox_exporter) | Blackbox probing of HTTP/HTTPS/DNS/TCP/ICMP and gRPC endpoints | [Link](services/prometheus-blackbox-exporter.md) | +| [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) | Exporter for machine metrics | [Link](services/prometheus-node-exporter.md) | +| [Prometheus Postgres Exporter](https://github.com/prometheus-community/postgres_exporter) | A PostgreSQL metric exporter for Prometheus | [Link](services/prometheus-postgres-exporter.md) | | [Radicale](https://radicale.org/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](services/radicale.md) | | [Redmine](https://redmine.org/) | A flexible project management web application. | [Link](services/redmine.md) | | [Redis](https://redis.io/) | An in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. | [Link](services/redis.md) | From fb4c85ed4d1139413d6ad48ca9c3ccf824c3e87d Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 17 May 2023 21:30:22 +0300 Subject: [PATCH 105/122] Cross-link various Prometheus-related services Related to https://github.com/mother-of-all-self-hosting/mash-playbook/pull/58 --- docs/services/postgres.md | 6 +++++- docs/services/prometheus.md | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/services/postgres.md b/docs/services/postgres.md index 72ea566..3e0d46f 100644 --- a/docs/services/postgres.md +++ b/docs/services/postgres.md @@ -220,4 +220,8 @@ devture_postgres_process_extra_arguments: [ ## Recommended other services -You may also wish to look into [Postgres Backup](postgres-backup.md) for backing up your Postgres database. +You may also wish to look into: + +- [Postgres Backup](postgres-backup.md) for backing up your Postgres database + +- [Prometheus](prometheus.md), [prometheus-postgres-exporter](prometheus-postgres-exporter.md) and [Grafana](grafana.md) for monitoring your Postgres database diff --git a/docs/services/prometheus.md b/docs/services/prometheus.md index 1e9bfa2..44803e2 100644 --- a/docs/services/prometheus.md +++ b/docs/services/prometheus.md @@ -75,4 +75,7 @@ If you're scraping others services running in containers over the container netw ## Recommended other services - [Grafana](grafana.md) - a web-based tool for visualizing your Prometheus metrics (time-series) +- [prometheus-node-exporter](prometheus-blackbox-exporter.md) - Blackbox probing of HTTP/HTTPS/DNS/TCP/ICMP and gRPC endpoints +- [prometheus-node-exporter](prometheus-node-exporter.md) - an exporter for machine metrics +- [prometheus-postgres-exporter](prometheus-postgres-exporter.md) - an exporter for monitoring a [Postgres](postgres.md) database server - [Healthchecks](healthchecks.md) - a simple and Effective Cron Job Monitoring solution From 91e4ea47dc069ec654eb4ae05805ba068e4a5f04 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Thu, 18 May 2023 07:36:51 +0200 Subject: [PATCH 106/122] [fix] Add backup borg timer to managed services --- group_vars/mash_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 366d4b3..81b3568 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -63,6 +63,8 @@ system_swap_enabled: false devture_systemd_service_manager_services_list_auto: | {{ + ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['mash', 'backup', 'borg']}] if backup_borg_enabled else []) + + ([{'name': (adguard_home_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'adguard-home']}] if adguard_home_enabled else []) + ([{'name': (appsmith_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'appsmith']}] if appsmith_enabled else []) From df1fcc5826f20a3182aa4b73a893bb059a78aa41 Mon Sep 17 00:00:00 2001 From: QEDeD Date: Thu, 18 May 2023 12:31:09 +0200 Subject: [PATCH 107/122] Update prerequisites.md Increase precision and accuracy with regard to Red Hat distributions --- docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index f64658e..1edfa63 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -3,7 +3,7 @@ To install services using this Ansible playbook, you need: - (Recommended) An **x86-64** (`amd64`) or **arm64** server running one of these operating systems: - - **RedHat**-based distros (7 or newer) + - **Red Hat Enterprise Linux** or derivative distros, e.g. Rocky Linux (Major version 7 or newer) - **Debian** (10/Buster or newer) - **Ubuntu** (18.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) - **Archlinux** From debd7368153fc6c6d6f56415c6e820008ec1ee23 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Thu, 18 May 2023 15:13:29 +0200 Subject: [PATCH 108/122] Update readme on number of services --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c81c40d..4c74f04 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ By running services in containers, we can have a predictable and up-to-date setup, across multiple supported distros and CPU architectures. -This project is fairly new and only [supports a handful of services](docs/supported-services.md) so far, but will grow to support self-hosting a large number of [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) pieces of software. +This project allows self-hosting of a [large number of services](docs/supported-services.md) and will continue to grow by adding support for [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software). [Installation](docs/README.md) (upgrades) and some maintenance tasks are automated using [Ansible](https://www.ansible.com/) (see [our Ansible guide](docs/ansible.md)). From 57c402f9cb09c316cb1db1c4f90294e1530c7e51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 19 May 2023 07:57:58 +0200 Subject: [PATCH 109/122] Bump authentik to 2023.5.1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d3930d7..4ab8646 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.9.19-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git - version: v2023.5.0-0 + version: v2023.5.1-0 name: authentik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git version: v1.0.0-1 From b8fb4ac4f4578135cc0a8688ce21b06e57c69697 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 22 May 2023 21:21:20 +0300 Subject: [PATCH 110/122] Upgrade Appsmith (v1.9.19-0 -> v1.9.20.4-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 4ab8646..0b71c1e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v0.107.26-1 name: adguard_home - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git - version: v1.9.19-0 + version: v1.9.20.4-0 name: appsmith - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git version: v2023.5.1-0 From fe8f7ac35aea26f2421ebc8cfcbbe79d352bdbd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 24 May 2023 08:47:29 +0200 Subject: [PATCH 111/122] Bump gotosocial role version --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 0b71c1e..f10e3e2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -70,7 +70,7 @@ version: v1.19.3-0 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git - version: v0.8.1-0 + version: v0.8.1-1 name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.5.2-0 From 2e0b6f0ba85b5138f6a029d12fbf4af7ee5c0d40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 24 May 2023 11:52:45 +0200 Subject: [PATCH 112/122] Use tmpfs to suppport video uploads --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index f10e3e2..1e2fe61 100644 --- a/requirements.yml +++ b/requirements.yml @@ -70,7 +70,7 @@ version: v1.19.3-0 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git - version: v0.8.1-1 + version: v0.8.1-2 name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.5.2-0 
From 72b1b228ff48c0011b552e1f8ec7844dd74b58a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Wed, 24 May 2023 17:28:46 +0200 Subject: [PATCH 113/122] Bump GTS to 0.9.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 1e2fe61..04738d1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -70,7 +70,7 @@ version: v1.19.3-0 name: gitea - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gotosocial.git - version: v0.8.1-2 + version: v0.9.0-0 name: gotosocial - src: git+https://gitlab.com/etke.cc/roles/grafana.git version: v9.5.2-0 From 1068b78217be5f4e5d0f589f1c4b0d269d6e1d54 Mon Sep 17 00:00:00 2001 From: Aine Date: Sat, 27 May 2023 19:00:29 +0300 Subject: [PATCH 114/122] prometheus-node-exporter 1.6.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 04738d1..8aec7c1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -118,7 +118,7 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_blackbox_exporter.git version: v0.24.0-0 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git - version: v1.5.0-7 + version: v1.6.0-0 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.12.0-0 name: prometheus_postgres_exporter From 36b7ecf44d45dc2de18a0378f76efcca41c3b68d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 28 May 2023 12:20:09 +0300 Subject: [PATCH 115/122] Upgrade Lago (v0.33.0-0 -> v0.34.0-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8aec7c1..f3ce8bf 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -87,7 +87,7 @@
 version: v21.1.1-0
 name: keycloak
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-lago.git
- version: v0.33.0-0
+ version: v0.34.0-0
 name: lago
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-mariadb.git
 version: v10.11.2-0
From e0f4e47ee677b90163334374b89c870db201cb32 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 28 May 2023 21:26:28 +0300
Subject: [PATCH 116/122] Upgrade Traefik (v2.9.10-2 -> v2.10.1-0)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index f3ce8bf..d61d87b 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -38,7 +38,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
 version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
- version: v2.9.10-2
+ version: v2.10.1-0
 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_agent.git
 version: v0.15.8-0
 - src: git+https://github.com/devture/com.devture.ansible.role.woodpecker_ci_server.git
From d27c7ba4a1374d834c8a96d99c8da0ea28560a84 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 28 May 2023 21:29:47 +0300
Subject: [PATCH 117/122] Upgrade Authentik (v2023.5.1-0 -> v2023.5.2-0)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index d61d87b..2e84e1d 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -7,7 +7,7 @@
 version: v1.9.20.4-0
 name: appsmith
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
- version: v2023.5.1-0
+ version: v2023.5.2-0
 name: authentik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
 version: v1.0.0-1
From 118df0d1a9da8f955b175b7aa36ceb533f547384 Mon Sep 17 00:00:00 2001
From: Niels Bouma <9073152+nielscil@users.noreply.github.com>
Date: Tue, 30 May 2023 18:51:42 +0200
Subject: [PATCH 118/122] fix backup-borg mariadb port
---
 group_vars/mash_servers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/mash_servers b/group_vars/mash_servers
index 81b3568..f3fd33d 100644
--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@@ -637,7 +637,7 @@
 backup_borg_mysql_enabled: "{{ mariadb_enabled }}"
 backup_borg_mysql_databases_hostname: "{{ mariadb_identifier if mariadb_enabled else '' }}"
 backup_borg_mysql_databases_username: "root"
 backup_borg_mysql_databases_password: "{{ mariadb_root_passsword if mariadb_enabled else '' }}"
-backup_borg_mysql_databases_port: "{{ devture_postgres_connection_port if mariadb_enabled else 3306 }}"
+backup_borg_mysql_databases_port: 3306
 backup_borg_mysql_databases: "{{ mariadb_managed_databases | map(attribute='name') if mariadb_enabled else [] }}"
 backup_borg_location_source_directories:
From bedcc34142f276da9f35871ca83defb7f1d2bf5e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 30 May 2023 22:09:41 +0300
Subject: [PATCH 119/122] Upgrade Authentik (v2023.5.2-0 -> v2023.5.2-1)
Related to https://github.com/mother-of-all-self-hosting/ansible-role-authentik/pull/6
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 2e84e1d..b2f64b9 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -7,7 +7,7 @@
 version: v1.9.20.4-0
 name: appsmith
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
- version: v2023.5.2-0
+ version: v2023.5.2-1
 name: authentik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
 version: v1.0.0-1
From 521081164e6d231617790cc78e8f1c336d869b42 Mon Sep 17 00:00:00 2001
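Review bot: `backup_borg_mysql_databases_port: 3306` on the new side hard-codes the port instead of deriving it from the MariaDB configuration, so if the mariadb role exposes a listen-port variable (not visible in this hunk) a non-default setting would silently leave the backup job connecting to the wrong port; the hostname on the context line comes from `mariadb_identifier`, which suggests a container-internal address where 3306 is probably right, but that assumption deserves a comment such as `# Container-internal MariaDB port; the backup reaches the database over the container network, not a host-published port`. If the role does expose such a variable, `backup_borg_mysql_databases_port: "{{ <MARIADB_PORT_VAR> if mariadb_enabled else 3306 }}"` would keep the two in sync while still referencing MariaDB rather than `devture_postgres_connection_port` as the removed line did. Separately, the context line for `backup_borg_mysql_databases_password` reads `mariadb_root_passsword` (three s's); if the mariadb role defines `mariadb_root_password`, that lookup will be undefined when the backup runs, which is worth confirming even though this commit does not touch it.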
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Wed, 31 May 2023 12:35:15 +0200
Subject: [PATCH 120/122] Bump owncast version
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index b2f64b9..cc9457a 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -107,7 +107,7 @@
 version: v26.0.1-0
 name: nextcloud
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-owncast.git
- version: v0.0.13-0
+ version: v0.1.0-0
 name: owncast
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git
 version: v5.1.0-3
From 91940b4b49f0f7e1853d6866fe195ba581d640ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Wed, 31 May 2023 16:52:37 +0200
Subject: [PATCH 121/122] Fix firezone support file creation
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index cc9457a..5877a0d 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -55,7 +55,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/fail2ban.git
 version: 09886730e8d3c061f22d1da4a542899063f97f0a
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-firezone.git
- version: v0.7.25-2
+ version: v0.7.25-3
 name: firezone
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-focalboard.git
 version: v7.9.3-2
From 99baaeb09c5d3f83850326c23432a49754fe7bc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Wed, 31 May 2023 23:28:02 +0200
Subject: [PATCH 122/122] Bump firezone version, make install work
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 5877a0d..001a8ca 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -55,7 +55,7 @@
 - src: git+https://gitlab.com/etke.cc/roles/fail2ban.git
 version: 09886730e8d3c061f22d1da4a542899063f97f0a
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-firezone.git
- version: v0.7.25-3
+ version: v0.7.30-0
 name: firezone
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-focalboard.git
 version: v7.9.3-2