From 7bad3491b764dd74f75bf81d69cda23cb437c6fb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 24 Mar 2023 18:01:21 +0200 Subject: [PATCH 1/6] Add Adguard Home service --- docs/services/adguard-home.md | 78 +++++++++++++++++++++++++++++++++++ docs/supported-services.md | 1 + group_vars/mash_servers | 37 +++++++++++++++++ requirements.yml | 4 ++ setup.yml | 2 + 5 files changed, 122 insertions(+) create mode 100644 docs/services/adguard-home.md diff --git a/docs/services/adguard-home.md b/docs/services/adguard-home.md new file mode 100644 index 0000000..db06e2b --- /dev/null +++ b/docs/services/adguard-home.md 
@@ -0,0 +1,78 @@ +# AdGuard Home + +[AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) is a network-wide DNS software for blocking ads & tracking. + +**Warning**: running a public DNS server is not advisable. You'd better install AdGuard Home in a trusted local network, or adjust its network interfaces and port exposure (via the variables in the [Networking](#networking) configuration section below) so that you don't expose your DNS server publicly to the whole world. If you're exposing your DNS server publicly, consider restricting who can use it by adjusting the **Allowed clients** setting in the **Access settings** section of **Settings** -> **DNS settings**. + + +## Dependencies + +This service requires the following other services: + +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# adguard-home # +# # +######################################################################## + +adguard_home_enabled: true + +adguard_home_hostname: mash.example.com + +# Hosting under a subpath sort of works, but is not ideal +# (see the URL section below for details). +# Consider using a dedicated hostname and removing the line below. +adguard_home_path_prefix: /adguard-home + +######################################################################## +# # +# /adguard-home # +# # +######################################################################## +``` + +### URL + +In the example configuration above, we configure the service to be hosted at `https://mash.example.com/adguard-home`. + +You can remove the `adguard_home_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`. 
+ +When **hosting under a subpath**, you may hit [this bug](https://github.com/AdguardTeam/AdGuardHome/issues/5478), which causes these **annoyances**: + +- upon initial usage, you will be redirected to `/install.html` and would need to manually adjust this URL to something like `/adguard-home/install.html` (depending on your `adguard_home_path_prefix`). After the installation wizard completes, you'd be redirected to `/index.html` incorrectly as well. + +- every time you hit the homepage and you're not logged in, you will be redirected to `/login.html` and would need to manually adjust this URL to something like `/adguard-home/login.html` (depending on your `adguard_home_path_prefix`) + + +### Networking + +By default, the following ports will be exposed by the container on **all network interfaces**: + +- `53` over **TCP**, controlled by `adguard_home_container_dns_tcp_bind_port` - used for DNS over TCP +- `53` over **UDP**, controlled by `adguard_home_container_dns_udp_bind_port` - used for DNS over UDP + +Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it. + +To expose these ports only on **some** network interfaces, you can use additional configuration like this: + +```yaml +# Expose only on 192.168.1.15 +adguard_home_container_dns_tcp_bind_port: '192.168.1.15:53' +adguard_home_container_dns_udp_bind_port: '192.168.1.15:53' +``` + +## Usage + +After installation, you can go to the AdGuard Home URL, as defined in `adguard_home_hostname` and `adguard_home_path_prefix`. + +As mentioned in the [URL](#url) section above, you may hit some annoyances when hosting under a subpath. + +The first time you visit the AdGuard Home pages, you'll go through a setup wizard **make sure to set the HTTP port to `3000`**. This is the in-container port that our Traefik setup expects and uses for serving the install wizard to begin with. 
If you go with the default (`80`), the web UI will stop working after the installation wizard completes. diff --git a/docs/supported-services.md b/docs/supported-services.md index ac2aa9b..d677479 100644 --- a/docs/supported-services.md +++ b/docs/supported-services.md @@ -3,6 +3,7 @@ | Name | Description | Documentation | | ------------------------------ | ------------------------------------- | ------------- | | [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/aux.md) | +| [AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) | A network-wide DNS software for blocking ads & tracking | [Link](services/adguard-home.md) | | [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) | | [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) | | [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) | diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 556339a..b448214 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -63,6 +63,8 @@ system_swap_enabled: false devture_systemd_service_manager_services_list_auto: | {{ + ([{'name': (adguard_home_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'adguard-home']}] if adguard_home_enabled else []) + + ([{'name': (collabora_online_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'collabora-online']}] if collabora_online_enabled else []) + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'postgres']}] if devture_postgres_enabled else []) 
@@ -382,6 +384,41 @@ devture_timesync_installation_enabled: false # # ######################################################################## + + +######################################################################## +# # +# adguard-home # +# # +######################################################################## + +adguard_home_enabled: false + +adguard_home_identifier: "{{ mash_playbook_service_identifier_prefix }}adguard-home" + +adguard_home_uid: "{{ mash_playbook_uid }}" +adguard_home_gid: "{{ mash_playbook_gid }}" + +adguard_home_base_path: "{{ mash_playbook_base_path }}/adguard-home" + +adguard_home_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + }} + +adguard_home_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +adguard_home_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +adguard_home_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" +adguard_home_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /adguard-home # +# # +######################################################################## + + + ######################################################################## # # # collabora-online # diff --git a/requirements.yml b/requirements.yml index 893da7f..c3106b9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -75,6 +75,10 @@ - src: git+https://gitlab.com/etke.cc/roles/redmine.git version: v5.0.5-1 +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-adguard-home.git + name: adguard_home + version: v0.107.26-0 + - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git name: aux version: v1.0.0-0 
diff --git a/setup.yml b/setup.yml index 4413310..4638758 100644 --- a/setup.yml +++ b/setup.yml @@ -54,6 +54,8 @@ - role: galaxy/com.devture.ansible.role.traefik + - role: galaxy/adguard_home + - role: galaxy/collabora_online - role: galaxy/docker_registry From d82358e07ab0e44372af90e32d1eea17b980b8b7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Mar 2023 08:58:31 +0200 Subject: [PATCH 2/6] Use git for fetching the geerlingguy.docker role With this change, all dependency roles are downloaded using the same mechanism (git), which makes life simpler for tools like https://gitlab.com/etke.cc/int/agru --- requirements.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index c3106b9..7ee6e6a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,7 @@ --- -- src: geerlingguy.docker +- src: git+https://github.com/geerlingguy/ansible-role-docker + name: geerlingguy.docker version: 6.1.0 - src: git+https://gitlab.com/etke.cc/roles/swap From 71f315d86239d80adba3a7486e1258bb0ec826ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Mar 2023 09:49:40 +0200 Subject: [PATCH 3/6] Add mash_playbook_service_base_directory_name_prefix --- group_vars/mash_servers | 60 +++++++++++----------- roles/mash/playbook_base/defaults/main.yml | 7 ++- 2 files changed, 36 insertions(+), 31 deletions(-) diff --git a/group_vars/mash_servers b/group_vars/mash_servers index b448214..a6b4bac 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -144,7 +144,7 @@ devture_postgres_identifier: "{{ mash_playbook_service_identifier_prefix }}postg devture_postgres_architecture: "{{ mash_playbook_architecture }}" -devture_postgres_base_path: "{{ mash_playbook_base_path }}/postgres" +devture_postgres_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}postgres" devture_postgres_uid: "{{ mash_playbook_uid }}" devture_postgres_gid: "{{ mash_playbook_gid }}" 
@@ -233,7 +233,7 @@ devture_postgres_backup_identifier: "{{ mash_playbook_service_identifier_prefix devture_postgres_backup_architecture: "{{ mash_playbook_architecture }}" -devture_postgres_backup_base_path: "{{ mash_playbook_base_path }}/postgres-backup" +devture_postgres_backup_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}postgres-backup" devture_postgres_backup_systemd_required_services_list: | {{ @@ -275,9 +275,9 @@ devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map( devture_playbook_state_preserver_uid: "{{ mash_playbook_uid }}" devture_playbook_state_preserver_gid: "{{ mash_playbook_gid }}" -devture_playbook_state_preserver_vars_preservation_dst: "{{ mash_playbook_base_path }}/vars.yml" +devture_playbook_state_preserver_vars_preservation_dst: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}vars.yml" -devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ mash_playbook_base_path }}/git_hash.yml" +devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}git_hash.yml" ######################################################################## # # @@ -297,7 +297,7 @@ devture_container_socket_proxy_enabled: "{{ devture_traefik_enabled }}" devture_container_socket_proxy_identifier: "{{ mash_playbook_service_identifier_prefix }}container-socket-proxy" -devture_container_socket_proxy_base_path: "{{ mash_playbook_base_path }}/container-socket-proxy" +devture_container_socket_proxy_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}container-socket-proxy" devture_container_socket_proxy_uid: "{{ mash_playbook_uid }}" devture_container_socket_proxy_gid: "{{ mash_playbook_gid }}" 
@@ -323,7 +323,7 @@ devture_traefik_enabled: "{{ mash_playbook_reverse_proxy_type == 'playbook-manag devture_traefik_identifier: "{{ mash_playbook_service_identifier_prefix }}traefik" -devture_traefik_base_path: "{{ mash_playbook_base_path }}/traefik" +devture_traefik_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}traefik" devture_traefik_uid: "{{ mash_playbook_uid }}" devture_traefik_gid: "{{ mash_playbook_gid }}" @@ -399,7 +399,7 @@ adguard_home_identifier: "{{ mash_playbook_service_identifier_prefix }}adguard-h adguard_home_uid: "{{ mash_playbook_uid }}" adguard_home_gid: "{{ mash_playbook_gid }}" -adguard_home_base_path: "{{ mash_playbook_base_path }}/adguard-home" +adguard_home_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}adguard-home" adguard_home_container_additional_networks: | {{ @@ -429,7 +429,7 @@ collabora_online_enabled: false collabora_online_identifier: "{{ mash_playbook_service_identifier_prefix }}collabora-online" -collabora_online_base_path: "{{ mash_playbook_base_path }}/collabora-online" +collabora_online_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}collabora-online" collabora_online_uid: "{{ mash_playbook_uid }}" collabora_online_gid: "{{ mash_playbook_gid }}" @@ -462,7 +462,7 @@ docker_registry_enabled: false docker_registry_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry" -docker_registry_base_path: "{{ mash_playbook_base_path }}/docker-registry" +docker_registry_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}docker-registry" docker_registry_uid: "{{ mash_playbook_uid }}" docker_registry_gid: "{{ mash_playbook_gid }}" 
@@ -495,7 +495,7 @@ docker_registry_browser_enabled: false docker_registry_browser_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-browser" -docker_registry_browser_base_path: "{{ mash_playbook_base_path }}/docker-registry-browser" +docker_registry_browser_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}docker-registry-browser" docker_registry_browser_uid: "{{ mash_playbook_uid }}" docker_registry_browser_gid: "{{ mash_playbook_gid }}" @@ -528,7 +528,7 @@ docker_registry_purger_enabled: false docker_registry_purger_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry-purger" -docker_registry_purger_base_path: "{{ mash_playbook_base_path }}/docker-registry-purger" +docker_registry_purger_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}docker-registry-purger" docker_registry_purger_uid: "{{ mash_playbook_uid }}" docker_registry_purger_gid: "{{ mash_playbook_gid }}" @@ -551,7 +551,7 @@ focalboard_enabled: false focalboard_identifier: "{{ mash_playbook_service_identifier_prefix }}focalboard" -focalboard_base_path: "{{ mash_playbook_base_path }}/focalboard" +focalboard_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}focalboard" focalboard_uid: "{{ mash_playbook_uid }}" focalboard_gid: "{{ mash_playbook_gid }}" @@ -598,7 +598,7 @@ gitea_enabled: false gitea_identifier: "{{ mash_playbook_service_identifier_prefix }}gitea" -gitea_base_path: "{{ mash_playbook_base_path }}/gitea" +gitea_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}gitea" gitea_uid: "{{ mash_playbook_uid }}" gitea_gid: "{{ mash_playbook_gid }}" 
@@ -645,7 +645,7 @@ grafana_enabled: false grafana_identifier: "{{ mash_playbook_service_identifier_prefix }}grafana" -grafana_base_path: "{{ mash_playbook_base_path }}/grafana" +grafana_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}grafana" grafana_uid: "{{ mash_playbook_uid }}" grafana_gid: "{{ mash_playbook_gid }}" @@ -682,7 +682,7 @@ miniflux_enabled: false miniflux_identifier: "{{ mash_playbook_service_identifier_prefix }}miniflux" -miniflux_base_path: "{{ mash_playbook_base_path }}/miniflux" +miniflux_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}miniflux" miniflux_uid: "{{ mash_playbook_uid }}" miniflux_gid: "{{ mash_playbook_gid }}" @@ -727,7 +727,7 @@ nextcloud_enabled: false nextcloud_identifier: "{{ mash_playbook_service_identifier_prefix }}nextcloud" -nextcloud_base_path: "{{ mash_playbook_base_path }}/nextcloud" +nextcloud_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}nextcloud" nextcloud_uid: "{{ mash_playbook_uid }}" nextcloud_gid: "{{ mash_playbook_gid }}" @@ -774,7 +774,7 @@ peertube_enabled: false peertube_identifier: "{{ mash_playbook_service_identifier_prefix }}peertube" -peertube_base_path: "{{ mash_playbook_base_path }}/peertube" +peertube_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}peertube" peertube_uid: "{{ mash_playbook_uid }}" peertube_gid: "{{ mash_playbook_gid }}" @@ -828,7 +828,7 @@ prometheus_enabled: false prometheus_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus" -prometheus_base_path: "{{ mash_playbook_base_path }}/prometheus" +prometheus_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometheus" prometheus_uid: "{{ mash_playbook_uid }}" prometheus_gid: "{{ mash_playbook_gid }}" 
@@ -851,7 +851,7 @@ prometheus_blackbox_exporter_enabled: false prometheus_blackbox_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-blackbox-exporter" -prometheus_blackbox_exporter_base_path: "{{ mash_playbook_base_path }}/prometheus-blackbox-exporter" +prometheus_blackbox_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometheus-blackbox-exporter" prometheus_blackbox_exporter_uid: "{{ mash_playbook_uid }}" prometheus_blackbox_exporter_gid: "{{ mash_playbook_gid }}" @@ -889,7 +889,7 @@ prometheus_node_exporter_enabled: false prometheus_node_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-node-exporter" -prometheus_node_exporter_base_path: "{{ mash_playbook_base_path }}/prometheus-node-exporter" +prometheus_node_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometheus-node-exporter" prometheus_node_exporter_uid: "{{ mash_playbook_uid }}" prometheus_node_exporter_gid: "{{ mash_playbook_gid }}" @@ -938,7 +938,7 @@ radicale_enabled: false radicale_identifier: "{{ mash_playbook_service_identifier_prefix }}radicale" -radicale_base_path: "{{ mash_playbook_base_path }}/radicale" +radicale_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}radicale" radicale_uid: "{{ mash_playbook_uid }}" radicale_gid: "{{ mash_playbook_gid }}" @@ -970,7 +970,7 @@ redmine_enabled: false redmine_identifier: "{{ mash_playbook_service_identifier_prefix }}redmine" -redmine_base_path: "{{ mash_playbook_base_path }}/redmine" +redmine_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}redmine" redmine_uid: "{{ mash_playbook_uid }}" redmine_gid: "{{ mash_playbook_gid }}" 
@@ -1020,7 +1020,7 @@ redis_enabled: false redis_identifier: "{{ mash_playbook_service_identifier_prefix }}redis" -redis_base_path: "{{ mash_playbook_base_path }}/redis" +redis_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}redis" redis_uid: "{{ mash_playbook_uid }}" redis_gid: "{{ mash_playbook_gid }}" @@ -1046,7 +1046,7 @@ syncthing_identifier: "{{ mash_playbook_service_identifier_prefix }}syncthing" syncthing_uid: "{{ mash_playbook_uid }}" syncthing_gid: "{{ mash_playbook_gid }}" -syncthing_base_path: "{{ mash_playbook_base_path }}/syncthing" +syncthing_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}syncthing" syncthing_container_additional_networks: | {{ @@ -1079,7 +1079,7 @@ vaultwarden_identifier: "{{ mash_playbook_service_identifier_prefix }}vaultwarde vaultwarden_uid: "{{ mash_playbook_uid }}" vaultwarden_gid: "{{ mash_playbook_gid }}" -vaultwarden_base_path: "{{ mash_playbook_base_path }}/vaultwarden" +vaultwarden_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}vaultwarden" vaultwarden_systemd_required_systemd_services_list: | {{ @@ -1123,7 +1123,7 @@ uptime_kuma_enabled: false uptime_kuma_identifier: "{{ mash_playbook_service_identifier_prefix }}uptime-kuma" -uptime_kuma_base_path: "{{ mash_playbook_base_path }}/uptime-kuma" +uptime_kuma_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}uptime-kuma" uptime_kuma_uid: "{{ mash_playbook_uid }}" uptime_kuma_gid: "{{ mash_playbook_gid }}" 
@@ -1159,7 +1159,7 @@ devture_woodpecker_ci_server_identifier: "{{ mash_playbook_service_identifier_pr devture_woodpecker_ci_server_uid: "{{ mash_playbook_uid }}" devture_woodpecker_ci_server_gid: "{{ mash_playbook_gid }}" -devture_woodpecker_ci_server_base_path: "{{ mash_playbook_base_path }}/woodpecker-ci/server" +devture_woodpecker_ci_server_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}woodpecker-ci/server" devture_woodpecker_ci_server_systemd_required_systemd_services_list: | {{ @@ -1210,7 +1210,7 @@ devture_woodpecker_ci_agent_identifier: "{{ mash_playbook_service_identifier_pre devture_woodpecker_ci_agent_uid: "{{ mash_playbook_uid }}" devture_woodpecker_ci_agent_gid: "{{ mash_playbook_gid }}" -devture_woodpecker_ci_agent_base_path: "{{ mash_playbook_base_path }}/woodpecker-ci/agent" +devture_woodpecker_ci_agent_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}woodpecker-ci/agent" devture_woodpecker_ci_agent_systemd_required_systemd_services_list: | {{ @@ -1246,7 +1246,7 @@ hubsite_enabled: false hubsite_identifier: "{{ mash_playbook_service_identifier_prefix }}hubsite" -hubsite_base_path: "{{ mash_playbook_base_path }}/hubsite" +hubsite_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}hubsite" hubsite_uid: "{{ mash_playbook_uid }}" hubsite_gid: "{{ mash_playbook_gid }}" @@ -1349,7 +1349,7 @@ firezone_enabled: false firezone_identifier: "{{ mash_playbook_service_identifier_prefix }}firezone" -firezone_base_path: "{{ mash_playbook_base_path }}/firezone" +firezone_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}firezone" firezone_uid: "{{ mash_playbook_uid }}" firezone_gid: "{{ mash_playbook_gid }}" diff --git a/roles/mash/playbook_base/defaults/main.yml b/roles/mash/playbook_base/defaults/main.yml index 2367e7d..c3b33f1 100644 
--- a/roles/mash/playbook_base/defaults/main.yml +++ b/roles/mash/playbook_base/defaults/main.yml @@ -17,10 +17,15 @@ mash_playbook_gid: ~ # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). mash_playbook_generic_secret_key: '' -# Controls the prefixed used for all service identifiers. +# Controls the prefix used for all service identifiers. # This affects systemd service names, container names, container networks, etc. mash_playbook_service_identifier_prefix: "{{ mash_playbook_identifier }}-" +# Controls the prefix of the base directory for all services. +# Example: `/mash/{PREFIX}traefik`. +# If `mash_playbook_identifier` is the default (mash), we intentionally use an empty prefix. +mash_playbook_service_base_directory_name_prefix: "{{ '' if mash_playbook_identifier == 'mash' else (mash_playbook_identifier + '-') }}" + # Controls the base path where all services will be installed mash_playbook_base_path: "/{{ mash_playbook_identifier }}" mash_playbook_base_path_mode: "750" From bf6bc8d32a0840620e8b6273f0334e6d7e63baba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Mar 2023 09:50:09 +0200 Subject: [PATCH 4/6] Add mash_playbook_user_home --- roles/mash/playbook_base/defaults/main.yml | 2 ++ roles/mash/playbook_base/tasks/setup_user.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/mash/playbook_base/defaults/main.yml b/roles/mash/playbook_base/defaults/main.yml index c3b33f1..b60fe9f 100644 --- a/roles/mash/playbook_base/defaults/main.yml +++ b/roles/mash/playbook_base/defaults/main.yml 
@@ -7,6 +7,8 @@ mash_playbook_identifier: mash mash_playbook_user_username: "{{ mash_playbook_identifier }}" mash_playbook_user_groupname: "{{ mash_playbook_identifier }}" +mash_playbook_user_home: "{{ mash_playbook_base_path }}" + # By default, the playbook creates the user (`mash_playbook_user_username`) # and group (`mash_playbook_user_groupname`) with a random id. # To use a specific user/group id, override these variables. diff --git a/roles/mash/playbook_base/tasks/setup_user.yml b/roles/mash/playbook_base/tasks/setup_user.yml index 9ec1790..55d50dd 100644 --- a/roles/mash/playbook_base/tasks/setup_user.yml +++ b/roles/mash/playbook_base/tasks/setup_user.yml @@ -15,7 +15,7 @@ uid: "{{ omit if mash_playbook_uid is none else mash_playbook_uid }}" state: present group: "{{ mash_playbook_user_groupname }}" - home: "{{ mash_playbook_base_path }}" + home: "{{ mash_playbook_user_home }}" create_home: false system: true register: mash_base_user_result From fa21403d351fb788163f239773fad0b29721001e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Mar 2023 09:51:13 +0200 Subject: [PATCH 5/6] Default mash_playbook_reverse_proxy_type to none This should not be a breaking change, because examples/vars.yml explicitly enables Traefik. Someone needs to have gone out of their way to delete these variables to rely on the default specified in `playbook_base`. --- roles/mash/playbook_base/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mash/playbook_base/defaults/main.yml b/roles/mash/playbook_base/defaults/main.yml index b60fe9f..46fb25f 100644 --- a/roles/mash/playbook_base/defaults/main.yml +++ b/roles/mash/playbook_base/defaults/main.yml 
@@ -59,7 +59,7 @@ mash_playbook_architecture: "{{ 'amd64' if ansible_architecture == 'x86_64' else # - no reverse-proxy will be installed # - no port exposure will be done for any of the container services # - it's up to you to expose the ports you want, etc. -mash_playbook_reverse_proxy_type: playbook-managed-traefik +mash_playbook_reverse_proxy_type: none # Controls whether to install Docker or not # Also see `devture_docker_sdk_for_python_installation_enabled`. From d5b1c3fb84831f7c8321d67780cb77e3c79030f1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 25 Mar 2023 10:02:03 +0200 Subject: [PATCH 6/6] Do not enable Docker by default --- CHANGELOG.md | 33 ++++++++++++++++++++++ examples/vars.yml | 12 +++----- group_vars/mash_servers | 4 +-- roles/mash/playbook_base/defaults/main.yml | 2 +- 4 files changed, 39 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 565a31b..2077f45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,36 @@ +# 2023-03-25 + +## (Backward Compatibility Break) Docker no longer installed by default + +The playbook used to install Docker and the Docker SDK for Python by default, unless you turned these off by setting `mash_playbook_docker_installation_enabled` and `devture_docker_sdk_for_python_installation_enabled` (respectively) to `false`. + +From now on, both of these variables default to `false`. An empty inventory file will not install these components. + +**Most** users will want to enable these, just like they would want to enable [Traefik](docs/services/traefik.md) and [Postgres](docs/services/postgres.md), so why default them to `false`? The answer is: it's cleaner to have "**everything** is off by default - enable as you wish" and just need to add stuff, as opposed to "**some** things are on, **some** are off - toggle as you wish". + +To enable these components, you need to explicitly add something like this to your `vars.yml` file: + +```yaml +######################################################################## +# # +# Docker # +# # +######################################################################## + +mash_playbook_docker_installation_enabled: true + +devture_docker_sdk_for_python_installation_enabled: true + +######################################################################## +# # +# /Docker # +# # +######################################################################## +``` + +Our [example vars.yml](examples/vars.yml) file has been updated, so that new hosts created based on it will have this configuration by default. + + # 2023-03-15 ## Initial release diff --git a/examples/vars.yml b/examples/vars.yml index e1c8cd6..d478ef2 100644 --- a/examples/vars.yml +++ b/examples/vars.yml 
@@ -26,17 +26,13 @@ mash_playbook_generic_secret_key: '' # # ######################################################################## -# Docker is installed by default. -# # To disable Docker installation (in case you'd be installing Docker in another way), -# uncomment the line below: -# mash_playbook_docker_installation_enabled: false +# remove the line below. +mash_playbook_docker_installation_enabled: true -# Docker SDK for Python is installed by default. -# # To disable Docker SDK for Python installation (in case you'd be installing the SDK in another way), -# uncomment the line below: -# devture_docker_sdk_for_python_installation_enabled: false +# remove the line below. +devture_docker_sdk_for_python_installation_enabled: true ######################################################################## # # diff --git a/group_vars/mash_servers b/group_vars/mash_servers index a6b4bac..3ceb85f 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -356,9 +356,7 @@ devture_traefik_systemd_required_services_list: | # # ######################################################################## -# To completely disable installing the Docker SDK for Python, use `devture_docker_sdk_for_python_installation_enabled: false`. - -devture_docker_sdk_for_python_installation_enabled: true +devture_docker_sdk_for_python_installation_enabled: false ######################################################################## # # diff --git a/roles/mash/playbook_base/defaults/main.yml b/roles/mash/playbook_base/defaults/main.yml index 46fb25f..bd383d3 100644 --- a/roles/mash/playbook_base/defaults/main.yml +++ b/roles/mash/playbook_base/defaults/main.yml 
@@ -63,7 +63,7 @@ mash_playbook_reverse_proxy_type: none # Controls whether to install Docker or not # Also see `devture_docker_sdk_for_python_installation_enabled`. -mash_playbook_docker_installation_enabled: true +mash_playbook_docker_installation_enabled: false # Controls whether to attach Traefik labels to services. # This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook,
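Review bot: in the `docs/services/adguard-home.md` hunk of patch 1/6, the Networking section states that port `53` over TCP and UDP is published on all interfaces by default and that Docker opens those ports in the server's firewall itself, so a fresh install is an open resolver unless the reader gets as far as that section. Since the Warning at the top already says running a public DNS server is not advisable, consider either defaulting `adguard_home_container_dns_tcp_bind_port` / `adguard_home_container_dns_udp_bind_port` to an explicit address (the `'192.168.1.15:53'` form the section shows) or moving the interface-binding example up into the Warning, and saying there that host firewall rules will not shield a Docker-published port. Separately, the Usage section's requirement to set the wizard's HTTP port to `3000` is easy to miss; given the text says the UI stops working otherwise, it would help to repeat it in the Configuration section and to describe how to recover when the default `80` was chosen.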
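Review bot: in the `group_vars/mash_servers` adguard-home hunk of patch 1/6 (`@@ -382,6 +384,41 @@`), the block defines identifier, paths, networks and Traefik labels but not the two DNS bind-port variables the docs describe (`adguard_home_container_dns_tcp_bind_port`, `adguard_home_container_dns_udp_bind_port`), so their all-interfaces default lives only in the role; mirroring them here, the way other exposure-relevant settings are surfaced in this file, would let operators see the listening configuration in one place when they audit `group_vars`.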
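Review bot: in the `requirements.yml` hunk of patch 2/6, `version: 6.1.0` now resolves as a git ref against `https://github.com/geerlingguy/ansible-role-docker` rather than as a Galaxy release, so please confirm a tag with exactly that spelling exists (Galaxy versions and git tags are not guaranteed to match). For this entry and for the new `adguard_home` entry pinned at `v0.107.26-0` in patch 1/6, keep in mind that git tags can be moved; pinning to a commit hash, or verifying the tag out of band, gives stronger supply-chain assurance than a tag alone. The commit message's goal of one fetch mechanism for every role is fine; this is only about what the pin actually guarantees.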
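Review bot: in the `roles/mash/playbook_base/defaults/main.yml` hunk of patch 3/6, the new `mash_playbook_service_base_directory_name_prefix` changes every `*_base_path` for anyone whose `mash_playbook_identifier` is not `mash` (with identifier `foo`, `/foo/traefik` becomes `/foo/foo-traefik`), so existing installations with a custom identifier would come up pointing at empty directories; this needs a CHANGELOG entry (patch 6/6 adds one only for Docker) and a migration note. Also, the same prefix is applied to `devture_playbook_state_preserver_vars_preservation_dst` and `devture_playbook_state_preserver_commit_hash_preservation_dst`, which are files (`vars.yml`, `git_hash.yml`) rather than service directories, while the new comment describes a "prefix of the base directory for all services"; either leave those two paths unchanged or extend the comment to cover them.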
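Review bot: in the `CHANGELOG.md` hunk of patch 6/6, "An empty inventory file will not install these components" should refer to the vars file (`vars.yml`), since the inventory and the host variables are different files and the rest of the entry talks about `vars.yml`. The same entry is also the natural place to record that `mash_playbook_reverse_proxy_type` now defaults to `none` (patch 5/6), which follows the same "everything off by default" policy the entry explains, even though `examples/vars.yml` enables Traefik explicitly.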
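Review bot: with `mash_playbook_docker_installation_enabled` defaulting to `false` in the `roles/mash/playbook_base/defaults/main.yml` hunk of patch 6/6 (and `devture_docker_sdk_for_python_installation_enabled` set to `false` in `group_vars/mash_servers`), a host that enables a container service but neither installs Docker through the playbook nor already has it present would fail partway through a run; consider an early pre-flight assertion that any enabled container service requires either this variable or an existing Docker installation, so the failure is explicit and happens before any files are laid down.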